ITRM20110046A1 - METHOD FOR THE SAFE PROCESSING OF DATA ON COMPUTERS, AND ELECTRONIC PROCESSOR WHICH IMPLEMENTS THIS METHOD. - Google Patents

Description

Method for the secure processing of data on computers, and electronic processor that implements this method

The present invention relates to a method for the secure processing of data on a computer, and a computer that implements this method.

More precisely, the present invention relates to a method that allows you to work on a computer by processing data without an accessible trace of the same remains on the same computer or even no trace remains. In particular, a mass memory device can be used, on which a Unix-like or Unix-based operating system, such as Linux (in any distribution and / or derivative), runs, which can be connected to any computer of which, unlike a common external peripheral (which in any case depends on the operating system for its operation and, for the creation of temporary memories, on the hard disks of the PC) it modifies the operating scheme by associating its "core" (BIOS, motherboard, CPU , RAM memory) directly to the mass memory device, excluding any intervention by the operating system and fixed storage devices of the host computer (in essence, the computer is used as a terminal with respect to the process of temporary storage and archiving of data , which is managed only by the external device). This allows to process the data residing on the same mass memory device without the traces remaining on the computer, deriving from even temporary storage of data even if destined to be stored in the same mass memory device. From the persistence of such data and from the relative difficulty of complete cancellation derive the greatest risks for the effective confidentiality of one's data with the devices of the known art.

The mass memory device according to the invention can be external or internal to the computer (for example external HDDs, memory cards, simple flash drives or writable CD / DVD-Roms). Furthermore, you can choose the way to use this mass memory device with different and progressive levels of security.

The recent rules on the security of personal data legally subjected to processing, introduced in recent years throughout Europe, the United States, Latin America and various countries, even outside the strictly "Western" context (for example, Morocco and Tunisia) they often oblige to implement the security measures to be applied to the computer systems in use by private individuals (entrepreneurs and professionals) who carry out the processing of data in any capacity permitted by law. In particular, the problem of the security of the processing of personal data is addressed, at the level of European Union legislation, by article 17 of DIRECTIVE 95/46 / EC. The standard tends to fully safeguard the area of possible risks to which personal data are subjected, both from the point of view of confidentiality (logical security) and from the point of view of support (physical security). As can be seen, the law does not directly indicate encryption or particular forms of data protection as a technique that can be used to pursue the purposes referred to in paragraph 1 of article 17, leaving discretion to individual Member States in this regard, providing in general terms that: "These measures must ensure, taking into account the current knowledge on the subject and the costs of the application, an appropriate level of security with respect to the risks presented by the processing and the nature of the data to be protected". Nor is any distinction between "ordinary" personal data and sensitive data contemplated with regard to the security techniques to be adopted. This distinction is specific only to some legislations, such as the Italian one.

Art. 22, paragraph 6 of the Italian Privacy Code, establishes that sensitive and judicial data contained in lists, registers or databases, kept with the aid of electronic instruments, must be processed with encryption techniques or through the use of codes identifiers or other solutions which, given the number and nature of the data processed, make them temporarily unintelligible even to those authorized to access them and allow the data subjects to be identified only in case of need.

Pursuant to art. 4, paragraph e) of the same Code, the "judicial data" are those personal data suitable for disclosing the provisions referred to in article 3 paragraph 1, letters from a) to o) and from r) to u), of the Presidential Decree November 14, 2002, n. 313, in the matter of criminal records, the registry of administrative sanctions depending on the crime and related pending charges, or the status of accused or suspected person pursuant to articles 60 and 61 of the criminal procedure code.

The legislation correlates the obligation to the qualification of "public entity", which is not expressly defined in art. 4. However, in this regard, the reading of art. 18, paragraph 4 of the Code, which states that "except as provided in Part II for health professions and public health organizations, public entities must not request the consent of the interested party".

This clarifies that a public subject must be understood as any subject, even if not framed in an organic or service relationship with public entities and provided that they do not act in the name or on behalf of public economic entities (exclusion expressly provided for by paragraph 1 of the aforementioned article 18), whose intervention in certain acts, including those of a private negotiating nature, is imposed and prescribed by law and which, therefore, have at least the qualification of "operating a service of public necessity" which differentiates their legal position from that of a simple subject private individual acting solely on the basis of determinations of a negotiating nature.

This definition can therefore apply not only to doctors ("public officials" when they provide attestations by means of a report) but also to lawyers (qualified by the Court of Cassation as "exercising a service of public necessity") and to any person who is invested by law of the power / duty to form or externalize acts of will, even private, which private individuals must necessarily make use of (including notaries).

The legislative situation of the countries of the Americas regarding the protection and security of personal data is extremely varied, and the differences do not always depend on the difference between North and South (for example, Argentine legislation is one of the most severe, that of Canada one of the more deficient). It should be noted in any case, with regard to Central and South America, that most of the states have not yet adopted an organic law for the protection of personal data: among these countries also Brazil, where the parliamentary debate this law has been in progress for some time. The regulatory models that are adopted as a model, where organic laws exist, are mainly European ones, except the United States (where the legislation varies greatly from state to state), which follows original models, and Canada, which remains in the wake of "old" (and negative, as regards the adoption of adequate legislative measures) British tradition.

The situation has thus been substantially defined in the last decade and is rapidly evolving, with a trend towards the protection of electronic data, which are now becoming more important and pervasive than paper data.

This very rapid evolution of the legislation is likely to determine a vast area of inadequacy and obsolescence of the IT tools used by private entrepreneurs and professionals to whom the data security rules apply, given that on the one hand, if they do not have autonomous security needs and confidentiality, these subjects often use basic IT equipment not designed with the native adoption of security measures on the data created and used (if not, and to a limited extent, to prevent the risks deriving from the use of the Internet and other communication), on the other hand, it is very common that the IT "machine park" is not replaced or adjusted frequently, and finally the use of portable IT devices such as laptops, IPADs and similar tablet PCs has become increasingly widespread, sometimes even smartphones, which require continuous data synchronization operations.

The rules were promulgated in response to the rampant problem of IT security under the particular and delicate profile of the processing of personal data, given that, if on the one hand it has become essential for companies and professionals to process data electronically, on the other hand the possible unsafe storage of such data, making the possibility of data theft or leaks current, jeopardizes the very foundation of the legislation on the protection of personal data, which is the principle by which citizens have the right to maintain full control over their own data and the ways and purposes in which and for which they are used.

The problem of data security on computers is therefore a very important problem today and, although there are solutions available, to the knowledge of the owner these solutions require important and difficult to manage interventions, often non-linear for the user of computer systems with knowledge of basic, such as to import the expensive and not always safe recourse to external consultancy and technical services.

Hardware enhancements have included packages that restrict access to data, such as retinal or fingerprint recognition systems. Banks have adopted hardware solutions to limit the data that is copied, including purchasing dedicated computers without USB ports or optical disc drives. Other software solutions ensure secure access to data.

It is clear, however, that such expensive devices and systems do not guarantee the protection of the data of a professional who wants to use a terminal or PC that does not belong to him, and at the same time wants to be sure that on this terminal or PC there is no data that does not exist. intends to disclose, and in any case they may have a significant economic impact on the activities, such as to discourage the adoption of the most effective measures where they are not strictly prescribed by law.

Furthermore, in some cases it is also the user's obligation to securely delete the data on the memory device, and this is not yet contemplated by the known art together with encryption.

The need is therefore felt for a technical solution that allows you to avoid costly customization of your IT tools, or the purchase of additional hardware, guaranteeing security in all conditions of consultation or modification of secret data.

A known solution to the problem is to create nested partitions on a physical volume, starting from the outermost one relating to the operating system (and possibly hidden as protection from user errors) to the second-order one encrypted but visible, to finally arrive at that hidden and encrypted.

There are several programs that make these nested partitions. TrueCrypt ™ is one of these programs (other current programs are: dm-crypt, LUKS, freeOFTE, ecryptfs, encfs, loopaes, cfs, GPG, cryptofs, cryptoloop, bestcrypt), which runs in the basic version on both Windows and Linux. It supports a concept called "plausible deniability", allowing you to create a hidden volume within another volume. In addition, the Windows version of TrueCrypt ™ has the ability to create and run a hidden and encrypted operating system whose existence can be denied, meaning a user who does not know it exists cannot even detect it.

This last feature is absent from the Linux version and in general from Unix-type systems, despite their growing diffusion especially in expert user environments, due to the different structure of these operating systems and the consequent objective difficulty of implementation. This fact is important, because Linux has the ability to reside on removable and non-removable storage devices, a possibility that is not available with Windows (all operating systems can work on "flash" memories and are doing so, modern notebooks are adopting more and more SSDs instead of HDDs; the difference lies in the type of connection: Linux, unlike Windows, allows execution via the USB BUS, while Windows does not allow it either technically or legally).

Also, under Linux, TrueCrypt ™ is opened after the operating system boot process, you select the partition and a volume on which to mount the partition. Now you can work on the partition once you have provided your credentials.

This is also what happens in Windows systems, where there is a loss of security, since it has been shown that key logger processes can steal credentials.

In all cases, this procedure is not at all intuitive for the user, who consequently tends not to use it. Finally, TrueCrypt ™ only allows you to save files, and not applications related to the use of a particular partition (the applications in fact reside on the persistence file contained within the TrueCrypt ™ volume).

The object of the present invention is to provide a method for the secure processing of data on a computer, which solves the problems and overcomes the drawbacks of the prior art.

A further object of the present invention is an electronic mass memory device to be used by connecting it to a computer, which carries out the method which is the object of the present invention.

A further object of the present invention is an electronic computer using the mass memory device which is the object of the invention.

A further object of the present invention is other means for implementing the method which is the object of the invention.

The object of the present invention is a method for the secure processing of data on a computer, comprising the use of a mass memory different from the boot mass memory unit preset in the computer and connected to said computer, and characterized in that :

- on said different mass memory there are a first and a second volume, on the first volume there is an operating system of the Unix type, in particular Linux, and optionally one or more utility applications;

said Unix-like operating system is started from the first volume of said different mass memory;

- occurs if this is the first use of said different mass memory, and if so, the following steps are carried out:

Al. Request to the computer user for one or more passwords and relative acquisition;

B1. verification of the existence of a persistence folder in the first volume and, if not, creation of a persistence folder;

THERE . editing of the second volume;

FROM. formatting, by means of an appropriate application, of the second volume, and modification of said second volume into a visible and encrypted volume to which a first password of said one or more passwords is associated;

El. Creation of the folder and persistence file encrypted on the second volume as modified in phase DI, and subsequent disassembly of said second volume;

- if instead it is not the first use of said different mass memory, the following steps are carried out:

A2. request for a password from the computer user and relative acquisition;

B2. if said password is identical to said first password, boot of said Unix-like operating system on the corresponding volume to which said password is associated.

Preferably according to the invention, said one or more passwords are at least two passwords, and from the fact that, after step El, the following further steps are carried out:

FI. assembly of said second volume;

Gl. creation, by means of an appropriate application, of a third hidden and encrypted volume, inside the second volume as modified in phase DI, to which a second password of said two or more passwords is associated; editing and formatting of said second volume;

HI. creation of the folder and persistence file encrypted on the third volume created in phase HI, and disassembly of said second visible and encrypted volume of phase DI and of the third volume;

and step B2 is replaced by the following step:

B2 '. if said password is identical to one between said first and second passwords, starting said Unix-like operating system on the volume to which said password is associated. Preferably according to the invention, said one or more passwords are three passwords, said first password, said second password and a third password, and by carrying out, after step A1, the following further step:

BO. creation of a file, inside the first volume, which contains the third password encrypted by hash;

and at the time of a subsequent start, during phase B2, it is verified that said password is one of said first, said second password and said third password, and in the case of said third password, an operating system failure is simulated , all memory for all volumes is erased and overwritten.

Preferably according to the invention, the erasing of the memory relating to all the volumes takes place by overwriting by executing the Gutmann algorithm and a low-level formatting of all said different mass memory.

Preferably according to the invention, the startup of said Unix-type operating system is authorized by the user in correspondence with the boot of the computer BIOS or by the bootmanager of the computer operating system.

A further object of the present invention is a computer program characterized in that it comprises code means suitable for executing, when operating on a computer, the steps A1 to El, as well as A2 and B2 of the method object of the invention.

A further object of the present invention is a computer program characterized in that it comprises code means suitable for executing, when operating on a computer, steps A1 to Hi, as well as A2 and B2 of the method object of the invention.

A further object of the present invention is a memory medium that can be read by a computer, having a program memorized on it, characterized in that the program is the computer program object of the invention.

A further object of the present invention is a mass memory device connectable to a computer, characterized in that there are present on it:

- a first and a second volume, on the first volume there is a Unix type operating system, in particular Linux, and optionally one or more utility applications;

- the computer program object of the invention.

Preferably according to the invention, the mass memory device is a mass memory connectable to the computer via USB connection.

A further object of the present invention is an electronic data processing unit, comprising a mass memory device, characterized in that the mass memory device is that of the invention.

The invention will now be described for illustrative but not limitative purposes, with particular reference to the drawings of the attached figures, in which:

figure 1a shows the first part of a first flow diagram relating to the use of the device according to the invention;

Figure 1b shows the second part of a first flow diagram relating to the use of the device according to the invention;

- figure 1a shows the third part of a first flow diagram relating to the use of the device according to the invention;

figure 2a shows the first part of a second flow chart illustrating the method according to the present invention;

figure 2b shows the second part of a second flow chart illustrating the method according to the present invention;

figure 2c shows the third part of a second flow chart illustrating the method according to the present invention;

figure 2d shows the fourth part of a second flow chart illustrating the method according to the present invention;

figure 2e shows the fifth part of a second flow chart illustrating the method according to the present invention;

Figure 2f shows the sixth part of a second flow chart illustrating the method according to the present invention.

In the following, reference will be made to the use of a mass memory device, which may consist of a USB or eSata, FireWire or similar key, connected to a computer, but it must be clear from now that the method according to the The invention is applicable to any disk or memory device internal or external to a computer (eg rewritable CD / DVD / BlueRay).

By computer (to which the mass memory device according to the invention is connected internally or externally) we mean any electronic processing unit equipped with at least a CPU and RAM, as well as an operating system and a man-machine interface . A "computer" according to the present invention can therefore be, for example, a PC or a laptop, rather than a mobile phone or a palmtop computer.

Furthermore, for the sake of simplification, reference will be made to the Linux operating system as the operating system of the method and of the relative mass memory device according to the invention, but the method according to the invention is equally applicable more generally to any operating system of Unix type, or derived from it, or in any case to operating systems that allow the execution of the essential steps of the method.

Finally, reference will be made to the TrueCrypt ™ program, but any other program for creating partitions (with plausible deniability or without) can be used according to the method of the present invention. It should be immediately specified here that, although an embodiment which specifically names the partitions is illustrated, the method of the present invention is generally applicable to "volumes". In fact, the term volume has a much wider spectrum of meanings than "partition" and extends to any area on the device capable of storing data. In particular, it can be associated with physical partitions on the disk, with logical volumes (also called LVM, a sort of virtual partitions configurable within an actual partition), with loop devices (single files seen as virtual disks), with RAID volumes. (multiple memories connected together which are seen as a single virtual disk), and to any area in the mass memory where data can be stored. In particular, the loop device is feasible on Linux and contains a real filesystem within a single file (residing in the partition that contains the operating system). In this way what in the following explanation will be the encrypted partition would live inside a regular file, without the need to use two real partitions. This is certainly achievable using the aforementioned dm-crypt program.

Before describing in detail the logical steps of a preferred embodiment of the invention, we will briefly describe in the following the use of the mass memory device for secure data processing according to the invention, with reference to figures from la to le .

The bootstrap of an operating system on any PC includes basic hardware initialization (epu, ram, video), recognition and activation of PnP peripherals (keyboard, mouse, lan), and starting the operating system from an available support (hard disks, cdrom, floppy, usb, lan). Normally the BIOS boots the OS from the first hard drive that contains one.

In the case of the present invention, in a first embodiment, user intervention is required at this stage (in the BIOS Setup) to give priority to USB memories (such as that relating to the preferred embodiment of the present invention and connected to a guest PC).

In a second embodiment, a "boot manager" has been developed which, by modifying that of the eventual resident system (Windows or Linux or MacOS or other), allows the device according to the invention to be booted from the same disk that takes care of it. time to boot from an external device, without changing the BIOS settings, unless the user expressly wishes.

In both cases, the baton is passed between BIOS and Unix Kernel (Linux) on the USB memory according to the invention, followed by the unpacking of the filesystem compressed by the USB memory, the loading of the "Initial RamDisk" into the RAM of the Guest Computer: the entire tree of directories, system files, basic drivers, a sort of small operating system, are copied to the Guest PC's RAM.

At this point the RamDisk takes care of the system boot (at the first start a minimum system is started for the initialization procedure).

The hardware is detected and initialized, the video card, the language is set, the keyboard is mapped and the time zone is initialized. A first system user is created (only at first startup, unless subsequent creation, at the express will of the user of the device according to the invention, of further users who will enjoy the same cryptographic protection as the default system user), and passwords for loading encrypted partitions.

At this point we set up the encrypted persistence file. We remind here that persistence is a special file containing all the changes made by the user while using the system according to the invention, in particular it contains any changes to the configuration files, the files created by the user, and any additional software installed. . During startup, the persistence file is mounted and consequently these changes are integrated into the main filesystem loaded in RAM (of the host PC), thus determining the persistence of data between one boot and another. This particular file is at the origin of the great portability of the device according to the invention, the files created and modified by the user during use are thus saved in the key and also by moving it to different guest computers the entire environment will be transferred via persistence from one computer to another. The persistence file is saved in the encrypted area of the key and can only be accessed via the key itself by entering an appropriate password during start-up.

This point is important because there are Live versions of Linux and derivatives executable from CD rom or USB stick, which allow you to run the operating system on the host machine but, without persistence, any modification, file, installation, is lost on reboot, reboot , of the car.

At this point, higher level system components are initialized:

- start up of the components for the management of energy saving;

- start of the network subsystem (NetworkManager) for advanced management of network functions;

- start of the bluetooth subsystem for the management of bluetooth devices;

- start of the audio subsystem for the management of sound cards and sound events;

- starting the graphical subsystem and the GDM login manager (Gnome Display Manager)

- start of the GDM / key graphical environment.

At this point the entire system according to the invention is loaded on the RAM of the host computer. The system according to the invention thus relies on the CPU of the host system and on the set of peripherals available (mouse, keyboard, video card, display, audio, bluetooth, any printers, additional USB ports). The system according to the invention has a large number of pre-installed drivers which allow the immediate use of most of the peripherals.

An entire desktop environment is also made available to the user, complete with the most common SOHO software (word processing, spreadsheet, presentation, photo editing, internet browsing, pim, etc.). The files are created and modified on the filesystem loaded in RAM and subsequently stored in the persistence file in the encrypted area of the key. The user can, at his discretion, read and write files from the hard disks of the host computer or from any external disks, in which case the files are stored in clear text.

Once the use of the host computer is finished, it is turned off, the RAM and the CPU cache are emptied, but user data and customizations are kept persistent and will be available again for each new use on any host computer.

More in detail, with reference to figures 2a-2f, the method according to the invention starts the operating system inside the key and distinguishes between the first start-up procedure and the subsequent start-up procedure.

A first and a second partition are already present on the key. Linux runs on the first partition, two additional nested partitions will be created on the second.

It is here to specify that this is only the preferred embodiment, since it is possible to start with a single partition and create an encrypted partition in this.

With the first boot procedure, an encrypted and visible partition is produced, and an encrypted and hidden partition is created.

In the following starts (right branch of the flow chart in figure 2a) it will be possible to simply access an encrypted but not hidden partition by entering a first password. Or, you can access the encrypted and hidden partition (ie not detectable by any user thanks to plausible deniability), by entering a second password.

The system also gives the possibility to perform the secure deletion of data, using a function accessible by entering a third password. The security of data erasing is guaranteed through a memory writing algorithm which writes a pseudo-random sequence of bits. This pseudorandom sequence is achieved with overwriting by executing the Gutmann algorithm and low-level formatting of the entire medium, for at least 25 steps.

The two encryption features related to the two nested partitions mentioned above already allow you to avoid leaving files on the computer to which the key is connected. The additional functionality of data deletion ensures the total security of data processing, which in the case of a stick is processing that has the advantage of mobility.

It is observed that the insertion of the password that selects the mode of use does not take place once some application has been launched, but when the system is started. Consequently, the use of the system is absolutely intuitive for the user: it is as if the user had access to two different operating systems in the case of the first two passwords, and in fact the operating systems can be different in these two cases. As for the case of the third password, it is not used to boot the system, but simulates a system failure and clears all memory.

We now describe the procedure carried out at the first start of the system, which creates the conditions for the use of the functions described above.

At first startup, a first initialization script (checkinit.sh) is run and first use occurs.

Next, the three passwords above are required (or just two if you do not want to implement the third secure data erasing feature).

Having verified the consistency of the passwords, a script called Init2.sh is executed, which creates the above partitions.

Referring to Figure 2c, you can then unmount all TrueCrypt ™ partitions, an optional step to make sure that no TrueCrypt ™ mounted partitions are left on the stick.

At this point in the root of the memory of the key (for example flash or SSD), the existence of the "persistence" folder is verified, and if it is not present it is created.

The environment variables of the script are initialized, that is the three passwords mentioned above.

Now, using a routine called "Search_crypto", the partition on which the script is to act is identified, a partition that already exists on the key.

In fact, on the stick there are already two partitions from the beginning (Linux installation), the first is the one dedicated to the operating system.

Since at startup the operating system acts on the first partition, to make it act on the second, the second partition must be mounted. This can be done by "mounting" the second partition on the first (on the persistence folder); more correctly, what you do is mount the second partition on the filesystem, where the filesystem is a virtual entity with no physical counterpart on the mass memory, on which the first partition has already been "mounted".

At this point, for excess of zeal you can optionally unmount all partitions previously mounted by TrueCrypt ™ again.

We are now ready to create the nested partitions mentioned above, using the "prepare_crypto" routine, which we describe with reference to figure 2d.

This routine first checks the credentials for the first encrypted partition (that is, the first password). This partition is then also created on the basis of predefined partition parameters, mounted and formatted. You then create the persistence file on the newly formatted partition, and unmount the partition.

A similar routine is performed for creating the encrypted and hidden partition, after verifying the second password.

Finally, the third password is verified (in the diagram in figure 2b it would be the fifth taking into account the password confirmations) to continue or not with the creation of a file within the first partition that contains the encrypted password (hash), possibly forcing writing even if the password is not entered (however, there is an initialization application called "initialize" of passwords which in this case sends an error message and still requires the password to go on).

Finally, we proceed to reboot the system, which will then be ready for current use (right branch of the flow chart in figure 2a).

An important point of the method just described is the creation of folder and persistence files in the different partitions, an operation that Linux does not normally perform because it would use what it finds already present in the first partition.

With the method of the present invention, just illustrated in a preferred embodiment thereof, the volume on which the operating system acts is made part of the same operating system. The TrueCrypt ™ application itself is started as part of the operating system, ie the user does not have to deliberately start it after the operating system has started. This in turn allows to use different operating systems for different partitions, since several virtual operating systems can be stored on the device according to the invention.

Even the secure data deletion feature is activated at the boot level, which is certainly not present today or logical in the Linux or Unix architecture.

Moreover, unlike the embodiment just illustrated, according to the invention only two partitions can be provided, one visible and not encrypted and the other visible and encrypted, without the third hidden and encrypted partition. This results in the loss of plausible deniability, but all the other advantages and peculiar characteristics of the present invention are maintained.

In the tests carried out so far, in particular, three different versions of the method according to the invention were considered, namely:

1) three passwords, 2 levels of encryption and secure data deletion;

2) three passwords, no encryption and secure data deletion;

3) two passwords, system access password (no encryption) and secure data deletion.

Furthermore, the logical steps illustrated above for the realization of the method according to the invention can be implemented in the "init" script (the one that dictates the startup sequence of the various scripts that "help" and "streamline" the loading of the Operating System) of Linux (embodiment illustrated above) or as a separate program that is called by the init script itself, which in this case no longer performs operations but lets that program perform them. This program will eventually create appropriate scripts at runtime to execute the same logic illustrated above. The choice of the separate program is a choice that can be very appropriate in some cases, in which you do not want to intervene on the system scripts, but to recall programs to then be able to update them quickly and automatically, as well as commercial reasons. The essential steps of the method are carried out correctly also by program.

One of the advantages of the method of the present invention is the application of the concept of "plausible deniability" to the Linux / Unix world. Having at your disposal a double environment whose existence cannot be demonstrated brings with it countless advantages in various fields of application.

But the greatest advantage of the product is that you have a "computer on a key", wherever you go you can always have access to your system / environment (with all the software you need for your professional activity or not) without having to carry a PC with you, without having to install software on a guest PC, without the possibility of contracting viruses present on machines where the storage device according to the invention is inserted. In fact, there is no input / output exchange between the device of the invention and the PC (unless the user voluntarily goes to save, delete or copy on the disk of the host PC), and therefore cannot get virus (even if present on the host computer and the device according to the invention uses a hidden FAT32).

Another notable advantage is the independence of the device according to the invention from the host hardware. In fact, it is as if the device itself works as a computer as it acts directly as an operating system and mass storage memory (I / O) and will continue to be the same system even when changing host machines. In any case, the host machine and device according to the invention as a whole constitutes a computer (and in fact the device according to the invention can also be a hard disk supplied together with the host machine).

With regard to this last point, reference is still made to figures la-lc to summarize again the flow of use of the key by the user. Essentially, when the PC is turned on, the BIOS is changed so that it boots from the external mass memory (key according to the invention). Once the operating system is started, it will manage every operation with the system architecture consisting of CPU + RAM of the PC and mass memory of the key, avoiding other internal or external disks to the PC. Naturally, a mixed system can also be provided, ie one which also allows the use of the latter discs under particular conditions, again using the method of the present invention.

In the foregoing the preferred embodiments have been described and variants of the present invention have been suggested, but it is to be understood that those skilled in the art will be able to make modifications and changes without thereby departing from the relative scope of protection, as defined by claims attached.

Claims (11)

CLAIMS 1. Method for the secure processing of data on a computer, comprising the use of a mass memory different from the boot mass memory unit pre-set in the computer and connected to said computer, and characterized in that: - on said different mass memory there are a first and a second volume, on the first volume there is an operating system of the Unix type, in particular Linux, and optionally one or more utility applications; the Unix-like operating system is started from the first volume of said different mass memory; - occurs if this is the first use of said different mass memory, and if so, the following steps are carried out: Al. Request to the computer user for one or more passwords and relative acquisition; B1. verification of the existence of a persistence folder in the first volume and, if not, creation of a persistence folder; There. editing of the second volume; FROM. formatting, by means of an appropriate application, of the second volume, and modification of said second volume into a visible and encrypted volume to which a first password of said one or more passwords is associated; El. Creation of the encrypted folder and persistence file on the second volume as modified in phase DI, and subsequent disassembly of said second volume; if instead it is not the first use of said different mass memory, the following steps are carried out: A2 request for a password from the computer user and relative acquisition; B2 if said password is identical to said first password, boot of said Unix-like operating system on the corresponding volume to which said password is associated. 2. Method according to claim 1, characterized by the fact that said one or more passwords are at least two passwords, and by the fact that, after step El, the following further steps are carried out: FI. assembly of said second volume; Gl. creation, by means of an appropriate application, of a third hidden and encrypted volume, inside the second volume as modified in phase DI, to which a second password of said two or more passwords is associated; editing and formatting of said second volume; HI creation of the folder and persistence file encrypted on the third volume created in phase HI, and dismounting of said second visible and encrypted volume of phase DI and of the third volume; and step B2 is replaced by the following step: B2 '. if said password is identical to one between said first and second passwords, starting said Unix-like operating system on the volume to which said password is associated. Method according to claim 2, characterized by the fact that said one or more passwords are three passwords, said first password, said second password and a third password, and by carrying out, after step A1, the following further step: BO. creation of a file, inside the first volume, which contains the third password encrypted by hash; and at the moment of a subsequent start, during phase B2, it is verified that said password is one of said first, said second password and said third password, and in the case of said third password, an operating system failure is simulated , all memory for all volumes is erased and overwritten. 4. Method according to claim 3, characterized in that the deletion of the memory relating to all the volumes occurs by overwriting by executing the Gutmann algorithm and a low-level formatting of all said different mass memory. Method according to any one of claims 1 to 4, characterized in that the startup of said Unix-like operating system is authorized by the user at the boot of the computer's BIOS or by the bootmanager of the computer's operating system. 6. Computer program characterized in that it comprises code means suitable for executing, when operating on a computer, steps A1 to El, as well as A2 and B2 of the method according to any one of claims 1 to 5. 7. Computer program characterized in that it comprises code means suitable for executing, when operating on a computer, steps A1 to HI, as well as A2 and B2 of the method according to any one of claims 2 to 6. 8. A computer readable memory medium having a program stored thereon, characterized in that the program is the computer program according to claim 6 or 7. 9. Mass storage device connectable to a computer, characterized by the fact that the following are present on it: - a first and a second volume, on the first volume there is a Unix type operating system, in particular Linux, and optionally one or more utility applications; - the computer program of claim 6 or 7. 10. Device according to claim 9, characterized in that it is a mass memory connectable to the computer via USB connection. 11. Electronic data processing unit comprising a mass memory device, characterized in that the mass memory device is that according to claim 9 or 10.