CN112054892A - Data storage device, method and system - Google Patents

Info

Publication number: CN112054892A
Application number: CN202010783513.XA
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Prior art keywords: data, mobile device, user, security system, data security
Inventors: 莱夫·M·博洛廷 (Lev M. Bolotin), 亚历克斯·莱姆莱夫 (Alex Lemelev), 马克·辛格 (Marc Singer)
Original and current assignee: Clevx LLC
Priority claimed from: US 14/987,749 (granted as US10181055B2)

Classifications

    • H04L (Electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication)
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L 63/0492 ... by using a location-limited connection, e.g. near-field communication or limited proximity of entities
            • H04L 63/08 ... for authentication of entities
                • H04L 63/083 ... using passwords
                • H04L 63/0853 ... using an additional device, e.g. smartcard, SIM or a different communication terminal
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                    • H04L 9/0863 ... involving passwords or one-time passwords
            • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L 9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
                    • H04L 9/3231 Biological data, e.g. fingerprint, voice or retina
                • H04L 9/3234 ... involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04W (Electricity; electric communication technique; wireless communication networks)
        • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
            • H04W 12/03 Protecting confidentiality, e.g. by encryption
                • H04W 12/033 ... of the user plane, e.g. user's traffic
            • H04W 12/06 Authentication
                • H04W 12/062 Pre-authentication
                • H04W 12/065 Continuous authentication
                • H04W 12/069 Authentication using certificates or pre-shared keys
            • H04W 12/30 Security of mobile devices; security of mobile applications
        • H04W 4/00 Services specially adapted for wireless communication networks; facilities therefor
            • H04W 4/02 Services making use of location information
                • H04W 4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
            • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • G06F (Physics; computing, calculating or counting; electric digital data processing)
        • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                • G06F 21/31 User authentication
                    • G06F 21/34 ... involving the use of external additional devices, e.g. dongles or smart cards
                        • G06F 21/35 ... communicating wirelessly
            • G06F 21/60 Protecting data
                • G06F 21/602 Providing cryptographic facilities or services

Abstract

The present disclosure relates to data storage devices, methods, and systems. A method, comprising: detecting a connection with a data storage device having a locked data channel, the data storage device further comprising an interface controller for communication over the data channel, a memory, an authentication subsystem having authentication information and an encryption key, an encryption engine, and a wireless transceiver for radio frequency communication outside the data channel; receiving a user authentication input via the wireless transceiver while a data channel through the interface controller is locked; unlocking a data channel of the data storage device based on the received user authentication input and authentication information of the authentication subsystem; and when the data channel is unlocked: encrypting data received over the data channel with an encryption key prior to storing the data in the memory; and decrypting the data read from the memory using the encryption key before transmitting the data read from the memory through the data channel.

Description

Data storage device, method and system
This application is a divisional of invention patent application No. 201780005638.6, filed January 3, 2017, entitled "Data security system with encryption".
Cross Reference to Related Applications
This application claims priority to U.S. patent application No. 14/987,749, filed in 2016, which is a continuation-in-part of co-pending U.S. patent application No. 12/680,742, filed in 2010, which is the national phase of international application No. PCT/US2008/077766, filed September 26, 2008, which in turn claims the benefit of U.S. provisional patent application No. 60/975,814, filed in 2007. The subject matter of each is incorporated herein by reference.
This application contains subject matter related to the concurrently filed U.S. patent application entitled "DATA SECURITY SYSTEM WITH ENCRYPTION" by Lev M. Bolotin and Simon B. Johnson. That related application is assigned to ClevX, LLC and identified by docket number 502-. Its subject matter is incorporated herein by reference.
Technical Field
The present invention relates generally to electronic devices, and more particularly to memory devices.
Background
Security is a key issue in almost all aspects of computer use. Storage media, such as hard disk drives attached to computers, contain valuable information that is subject to data theft. A great deal of capital and effort is being applied to protect personal, corporate, and government security information.
As portable memory storage devices become smaller, easier to lose, more ubiquitous, cheaper, and larger in storage capacity, they pose significant security concerns. Large amounts of information can now be downloaded privately onto portable memory storage devices such as universal serial bus (USB) flash drives and microdrives, mobile phones, camcorders, digital cameras, iPods, MP3/MP4 players, smartphones, palmtop and laptop computers, gaming devices, authenticators, tokens (including memory), etc., referred to collectively as Mass Storage Devices (MSDs).
More specifically, millions of MSDs are used for backup, transfer, intermediate, and primary storage, and information can easily be downloaded onto them from a computer and carried away. The primary purpose of any MSD is to store and retrieve "portable content": data and information bound to a particular owner rather than to a particular computer.
The most common means of providing storage security is to authenticate the user with a password entered on the computer. The password is verified against a value stored on the MSD; if it matches, the drive is unlocked. Alternatively, the password itself is used as the encryption key to encrypt and decrypt data stored on the MSD.
For drives that support on-the-fly encryption, the encryption key is typically stored on the media in encrypted form. Because the encryption key is on the media, it is available to anyone who reads the media directly, bypassing the standard interface; the password is therefore used as the key that encrypts the encryption key.
For self-authenticating drives, the drive's own authentication subsystem is responsible for maintaining security; there is no dependence on the host computer to which the drive is connected. A password therefore cannot (or need not) be sent from the host to unlock the MSD, and the encryption key no longer needs to be stored on the medium at all: the authentication subsystem becomes the means of managing encryption keys.
Therefore, there remains a need to improve security. In view of increasing commercial competitive pressure, growing consumer expectations, and diminishing opportunities for meaningful product differentiation in the marketplace, finding answers to these problems is of paramount importance. Furthermore, the need to reduce costs, improve efficiency and performance, and meet competitive pressure adds even greater urgency to finding those answers.
Solutions to these problems have been sought for a long time, but the prior art developments have not taught or suggested any solutions and, therefore, solutions to these problems have long eluded those skilled in the art.
Disclosure of Invention
The invention provides a method, comprising the following steps: detecting a connection with a data storage device having a locked data channel, the data storage device further comprising an interface controller for communication over the data channel, a memory, an authentication subsystem having authentication information and an encryption key, an encryption engine, and a wireless transceiver for radio frequency communication outside the data channel; receiving a user authentication input via the wireless transceiver while a data channel through the interface controller is locked; unlocking a data channel of the data storage device based on the received user authentication input and authentication information of the authentication subsystem; and when the data channel is unlocked: encrypting data received over the data channel with an encryption key prior to storing the data in the memory; and decrypting the data read from the memory using the encryption key before transmitting the data read from the memory through the data channel.
The present invention also provides a data storage device, comprising: a memory; an interface controller for communication over a data channel, the data channel being locked until a user is authenticated; a wireless transceiver for radio frequency communication outside of the data channel, the wireless transceiver configured to receive a user authentication input; an authentication subsystem having authentication information and an encryption key, the authentication subsystem unlocking a data channel of the data storage device based on the received user authentication input and the authentication information; and an encryption engine for encrypting the data received through the data channel with an encryption key before storing the data in the memory, and for decrypting the data read from the memory with the encryption key before transmitting the data read from the memory through the data channel.
The present invention also provides a system comprising: one or more computer processors; a data channel connected to one or more computer processors; and a self-encrypting device connected to the data channel, the self-encrypting device comprising: an authentication subsystem comprising an authentication processor; an encryption engine; a storage medium storing encrypted data encrypted with an encryption key provided by an authentication subsystem; a Radio Frequency (RF) transceiver for communication outside of a data channel; and a data interface of the interface controller coupled to the data channel, the data interface locked from sending and receiving data until the self-encrypting device is unlocked by the authentication subsystem using user authentication information received via the RF transceiver.
The invention also provides a method comprising: providing a self-encrypting device in a host computer system, the host computer system also having one or more processors and a data channel connected to the one or more processors and to the self-encrypting device; establishing a communication channel between a data interface of the self-encrypting device and a data channel, the communication channel being locked until the self-encrypting device is authenticated; receiving user authentication information via a Radio Frequency (RF) transceiver of a self-encrypting device for communication outside of a data channel; unlocking, by an authentication subsystem of the self-encrypting device, the communication channel based on the user authentication information; encrypting data received by the self-encrypting device over the data interface with an encryption key provided by an authentication subsystem of the self-encrypting device; and storing the encrypted data in a storage subsystem of the self-encrypting device.
Certain embodiments of the present invention have other aspects in addition to or in place of those described above. These aspects will become apparent to those skilled in the art from a reading of the following detailed description when taken with reference to the accompanying drawings.
Drawings
FIG. 1 is a schematic diagram of a data security system according to an embodiment of the present invention;
FIG. 2 is a diagrammatic illustration of an authenticated key delivery method for use with a data security system;
FIG. 3 is a diagram of different systems in which a user interacts with a data security system;
FIG. 4 is an illustration of how a user may interact with a data security system using a host computer system; and
FIG. 5 is a data security method employing user authentication for a data security system.
FIG. 6 is an exemplary data secure communication system.
FIG. 7 is an administrator sequencing diagram showing the sequence of operations between a mobile device and a data security system.
FIG. 8 is an unlocking sequence diagram in which the mobile device is the authentication factor.
FIG. 9 is an unlocking sequence diagram showing unlocking using PIN entry from the mobile device.
FIG. 10 is an unlocking sequence diagram showing unlocking using PIN entry and user ID/location/time verification via a server/console.
FIG. 11 is a reset sequence diagram showing resetting of the data security system using a server/console.
FIG. 12 is an unlocking sequence diagram illustrating unlocking of the data security system using a server/console.
FIG. 13 is a sequence diagram of changing a user's password using a server/console.
Best mode for carrying out the invention
The following embodiments are described in sufficient detail to enable those skilled in the art to make and use the invention. It is to be understood that other embodiments will be evident based on the present disclosure, and that system, process, or mechanical changes may be made without departing from the scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In order to avoid obscuring the present invention, some well-known circuits, system configurations, and process steps are not disclosed in detail.
Similarly, the drawings showing embodiments of the system are semi-diagrammatic and not to scale; in particular, some dimensions are exaggerated for clarity of presentation in the drawing figures. Where multiple embodiments having some features in common are disclosed and described, similar features will ordinarily be described with like or identical reference numerals for clarity and ease of illustration, description, and comprehension. Although the views in the drawings generally show similar orientations for ease of description, this depiction is for the most part arbitrary; in general, the present invention can operate in any orientation.
The term "system" as used herein refers to and is defined as the method and apparatus of the present invention, depending on the context in which the term is used. The term "method" as used herein refers to and is defined as the operational steps of an apparatus.
For convenience, and not by way of limitation, the term "data" is defined as information capable of being generated by or stored in a computer. The term "data security system" is defined to mean any portable memory device that contains a storage medium. The term "storage medium" as used herein refers to and is defined as any solid state NAND flash memory and/or magnetic data recording system. The term "locked" refers to the data security system when the storage medium is inaccessible, and the term "unlocked" refers to the data security system when the storage medium is accessible.
Generally, there are two ways to make a storage device tamper-resistant:
1. Applying epoxy to the components: epoxy applied to the printed circuit board makes it difficult to disassemble the storage device without damaging the storage media.
2. Encrypting the stored data: data is encrypted as it is written to the storage medium, and the encryption key is required to decrypt it.
Referring now to FIG. 1, there is shown a schematic diagram of a data security system 100 in accordance with an embodiment of the present invention. The data security system 100 is comprised of an external communication channel 102, an authentication subsystem 104, and a storage subsystem 106.
Storage subsystem 106 is an electronic circuit that includes interface controller 108, encryption engine 110, and storage medium 112. Storage medium 112 may be an internal or external hard disk drive, USB flash drive, solid state drive, hybrid drive, memory card, tape cartridge, or optical media including optical discs (e.g., Blu-ray, digital versatile disc (DVD), and compact disc (CD)). Storage medium 112 may also include data protection devices, archival storage systems, and cloud-based data storage systems. A cloud storage system may be accessed using a plug-in application or "plug-in" extension software installed in a browser application, on a host computer, or on another system coupled to the host computer via a wired or wireless (e.g., RF or optical) network or through the World Wide Web.
The interface controller 108 includes electronic components such as a microcontroller with a software or hardware encryption engine 110, although the encryption engine 110 may be in a separate controller in the storage subsystem 106.
Authentication subsystem 104 is an electronic circuit that includes an authentication controller 114, such as a microcontroller, and authentication controller 114 may have its own non-volatile memory, such as electrically erasable programmable read-only memory (EEPROM).
The external communication channel 102 provides a means for exchanging data with the host computer system 120. The Universal Serial Bus (USB) is one of the most common means of connecting the data security system 100 to the host computer system 120. Other examples of external communication channels 102 include FireWire, wireless USB, Serial ATA (SATA), High-Definition Multimedia Interface (HDMI), RS-232, and radio frequency wireless networks.
The interface controller 108 is capable of converting USB packet data into data that can be written to a storage medium 112 in a USB flash drive.
The encryption engine 110 is implemented as part of the interface controller 108. It takes plaintext data (information) from the host computer system 120 and converts it into an encrypted form that is written to the MSD or storage medium 112, and it decrypts encrypted information read from the storage medium 112 into plaintext for use by the host computer system 120. The encryption engine 110 may also be a dual-controller subsystem: an encryption controller that encrypts/decrypts data on the fly and manages communication protocols, memory, and other operating conditions, and a communication/security controller that handles communications, encryption key management, and communication with the encryption controller.
The encryption engine 110 requires an encryption key 116 to encrypt and decrypt the information. The encryption key 116 is used by an encryption algorithm (e.g., 256-bit Advanced Encryption Standard (AES)) to render the data unreadable (encryption) or readable again (decryption). The encryption key 116 may be stored inside or outside the authentication controller 114.
Once user 122, having an identification number or key, has been verified against authentication key 118, encryption key 116 is communicated by authentication subsystem 104 to encryption engine 110.
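The claimed flow (Disclosure of Invention above) together with the FIG. 1 key release just described, modelled end to end as an added illustration; this is not code from the patent or from ClevX. The class names (DataStorageDevice, AuthenticationSubsystem, EncryptionEngine, ChannelLocked) and the demo's authentication code are this example's own. The patent specifies 256-bit AES for the encryption engine; the Python standard library has no AES, so the engine below uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a labelled stand-in, and a real device would use hardware AES-GCM or AES-XTS instead. What the model shows: host reads and writes fail while the channel is locked, the unlock input arrives by a path separate from the data channel, the encryption key reaches the engine only after verification, and a direct read of the media yields only ciphertext.

```python
import hashlib
import hmac
import secrets


class ChannelLocked(Exception):
    """Host traffic arrived on the data channel while it was locked."""


class EncryptionEngine:
    """Encrypts on write, decrypts on read. Cipher is a labelled stand-in (HMAC-SHA256
    counter-mode keystream + HMAC tag); the patent names 256-bit AES, so use AES-GCM/XTS."""
    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("engine expects a 256-bit key")
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # confidentiality sub-key
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()  # integrity sub-key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = (hmac.new(self._enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per write: nonce reuse would leak plaintext XOR
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag  # on-media layout: nonce || ciphertext || tag

    def decrypt(self, record: bytes) -> bytes:
        nonce, body, tag = record[:16], record[16:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()):
            raise ValueError("stored record failed integrity check")
        return bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body))))


class AuthenticationSubsystem:
    """Holds authentication key 118 and encryption key 116 (behind a security fuse in hardware)."""
    def __init__(self, authentication_key: bytes):
        self._authentication_key = authentication_key
        self._encryption_key = secrets.token_bytes(32)  # made on-device, never written to the media

    def verify(self, user_authentication_input: bytes) -> bool:
        return hmac.compare_digest(user_authentication_input, self._authentication_key)

    def release_key(self) -> bytes:
        return self._encryption_key


class DataStorageDevice:
    """Interface controller plus memory; the lock gates every data-channel operation."""
    def __init__(self, authentication_key: bytes):
        self.auth = AuthenticationSubsystem(authentication_key)
        self.media = {}      # LBA -> encrypted record, i.e. what a chip-off read returns
        self._engine = None  # keyed only while unlocked

    @property
    def locked(self) -> bool:
        return self._engine is None

    def rf_receive(self, user_authentication_input: bytes) -> bool:
        """Authentication input arrives over the RF transceiver, outside the data channel."""
        if self.auth.verify(user_authentication_input):
            self._engine = EncryptionEngine(self.auth.release_key())
        return not self.locked

    def lock(self) -> None:
        self._engine = None

    def write(self, lba: int, data: bytes) -> None:
        if self.locked:
            raise ChannelLocked("data channel is locked")
        self.media[lba] = self._engine.encrypt(data)

    def read(self, lba: int) -> bytes:
        if self.locked:
            raise ChannelLocked("data channel is locked")
        return self._engine.decrypt(self.media[lba])


def demo() -> dict:
    code = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed authentication code
    dev, out = DataStorageDevice(code), {}
    try:
        dev.write(0, b"too early")
    except ChannelLocked:
        out["write_while_locked_rejected"] = True
    out["wrong_code_unlocks"] = dev.rf_receive(b"wrong code")
    out["right_code_unlocks"] = dev.rf_receive(code)
    dev.write(7, b"quarterly numbers")
    out["readback"] = dev.read(7)
    out["plaintext_on_media"] = b"quarterly numbers" in dev.media[7]
    dev.lock()  # e.g. host disconnect
    try:
        dev.read(7)
    except ChannelLocked:
        out["read_after_lock_rejected"] = True
    return out
```

Neither key ever appears on the data channel or on the media: once unlocked the host sees plaintext only through `read` and `write`, and a chip-off read (`dev.media`) returns nonce, ciphertext and tag. The model deliberately omits a lockout after repeated bad `rf_receive` inputs, which a real device needs.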
It has been found that by employing the authentication key 118 and the encryption key 116, the portable memory storage device of various embodiments of the present invention can provide a very high level of security not previously available in such devices.
When the data security system 100 is locked, the authentication key 118 remains within the authentication subsystem 104 and cannot be read externally. One way to hide the authentication key 118 is to store it in the authentication controller 114 of the authentication subsystem 104, with the controller's security fuse set so that the authentication key 118 is inaccessible unless the authentication controller 114 permits retrieval once the user 122 has been verified. Many microcontrollers are now equipped with a security fuse that, once blown, prevents external access to any internal memory; this is a well-known and widely used security feature, and such a microcontroller may serve as the authentication controller 114. The authentication controller 114 may be a microcontroller or a microprocessor.
The authentication key 118 may serve as:
1. an encryption key 116 as direct encryption/decryption information.
2. As a key to recover the encryption key 116 stored in the data security system 100 that is accessible by the interface controller 108.
3. For direct comparison by the interface controller 108 to activate the external communication channel 102.
Referring now to FIG. 2, there is shown a pictorial representation of an authenticated key delivery method for use with the data security system 100. In this illustration, the authentication key 118 and the encryption key 116 are one and the same: the encryption engine 110 uses the authentication key 118 as the encryption key 116.
User 122 must interact with authentication subsystem 104 by providing authentication subsystem 104 with user identification 202, a number, or a key. Authentication subsystem 104 authenticates user 122 against authentication key 118. The authentication subsystem 104 then transmits the authentication key 118 to the interface controller 108 as the encryption key 116.
The encryption engine 110 in the interface controller 108 uses the authentication key 118 to convert the plaintext information into encrypted information along the channel 206 and to convert the encrypted information into plaintext information. Any attempt to read encrypted information from the storage medium 112 without the encryption key 116 would typically result in information that is unusable by any computer.
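The three roles of the authentication key listed above, the Background's two password schemes (password as key, password wrapping the stored key), and the FIG. 2 identical-key case, placed side by side as an added example; this is not code from the patent or from ClevX. The function names, the PBKDF2 iteration count and the sample passwords are this example's own. The patent names no password KDF, so PBKDF2-HMAC-SHA256 is an assumption, and the key wrap is a labelled stand-in for AES key wrap built from an HMAC-derived one-time mask plus an HMAC tag.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumption; raise to what the authentication controller can afford


def derive(password: bytes, salt: bytes, purpose: bytes) -> bytes:
    """Password -> 256-bit value. `purpose` keeps verifier and keys distinct for one password."""
    return hashlib.pbkdf2_hmac("sha256", password, purpose + b"|" + salt, KDF_ITERATIONS)


# Role 1 (and FIG. 2): the password-derived key is the encryption key itself.
def direct_encryption_key(password: bytes, salt: bytes) -> bytes:
    return derive(password, salt, b"enc")


# Role 2: a password-derived key-encryption key (KEK) recovers a random media key (DEK)
# stored on the device. Stand-in for AES key wrap: a mask derived from (KEK, salt) is used
# once per wrap, and an HMAC tag makes a wrong password fail loudly instead of yielding junk.
def wrap(kek: bytes, dek: bytes, salt: bytes) -> bytes:
    mask = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()
    body = bytes(d ^ m for d, m in zip(dek, mask))
    return body + hmac.new(kek, b"tag" + salt + body, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes, salt: bytes) -> bytes:
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + salt + body, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered key blob")
    mask = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()
    return bytes(b ^ m for b, m in zip(body, mask))


# Role 3: a stored verifier is compared to activate the channel; it is not itself a key.
def verifier(password: bytes, salt: bytes) -> bytes:
    return derive(password, salt, b"verify")


def channel_unlock(candidate: bytes, salt: bytes, stored_verifier: bytes) -> bool:
    return hmac.compare_digest(verifier(candidate, salt), stored_verifier)


def demo() -> dict:
    pw_old, pw_new = b"correct horse", b"battery staple"  # constructed user passwords
    dek = secrets.token_bytes(32)                           # random media key, generated once
    salt = secrets.token_bytes(16)
    out = {}
    # Role 2: unlock, reject a guess, then change the password without touching the media.
    blob = wrap(derive(pw_old, salt, b"kek"), dek, salt)
    out["unwrap_ok"] = unwrap(derive(pw_old, salt, b"kek"), blob, salt) == dek
    try:
        unwrap(derive(b"guess", salt, b"kek"), blob, salt)
        out["wrong_pw_rejected"] = False
    except ValueError:
        out["wrong_pw_rejected"] = True
    new_salt = secrets.token_bytes(16)
    new_blob = wrap(derive(pw_new, new_salt, b"kek"), dek, new_salt)  # rewrap 64 bytes only
    out["same_dek_after_change"] = unwrap(derive(pw_new, new_salt, b"kek"), new_blob, new_salt) == dek
    # Role 1: a password change changes the key, so every stored byte must be re-encrypted.
    out["direct_key_changes"] = direct_encryption_key(pw_old, salt) != direct_encryption_key(pw_new, salt)
    # Role 3: the verifier gates the channel yet matches neither key derived from the same password.
    v = verifier(pw_old, salt)
    out["verifier_unlocks"] = channel_unlock(pw_old, salt, v)
    out["verifier_rejects_guess"] = channel_unlock(b"guess", salt, v)
    out["verifier_is_not_a_key"] = v not in (direct_encryption_key(pw_old, salt), derive(pw_old, salt, b"kek"))
    return out
```

The practical difference between role 1 and role 2 is what a password change costs: under role 1 the key changes, so every sector must be re-encrypted; under role 2 only the 64-byte wrapped key is rewritten and the media key, and therefore the data, stay put. Role 3's verifier is derived with a different purpose label so that dumping it does not hand an attacker either key; it still has to be protected against offline guessing, which is why the derivation is deliberately slow.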
Referring now to FIG. 3, there is shown a pictorial representation of the different systems with which user 122 interacts with data security system 300. Interaction may be through a communication combination 301, which communication combination 301 may be through physical contact, wired connection, or wireless connection from a mobile phone, smart watch, wearable device, or other wireless device.
In one authentication system, a mobile transceiver 302 is employed to communicate a user identification 304 to a data security transceiver 306 in an authentication subsystem 310. For exemplary purposes, a transceiver is employed for bi-directional communication flexibility, but a transmitter-receiver combination for unidirectional communication may also be used. The authentication subsystem 310 includes an authentication controller 114 connected to the interface controller 108 in the storage subsystem 106. The user identification 304 is provided to the data security transceiver 306 within the authentication subsystem 310 from outside the storage subsystem 106 of the data security system 300 through the mobile transceiver 302. The wireless communication may include wireless fidelity (WiFi), Bluetooth (BT), Bluetooth Smart, Near Field Communication (NFC), Global Positioning System (GPS), optical, or cellular communication (e.g., Long Term Evolution (LTE), Long Term Evolution Advanced (LTE-A), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Universal Mobile Telecommunications System (UMTS), Wireless Broadband (WiBro), or Global System for Mobile Communications (GSM)), etc.
Authentication subsystem 310 authenticates user 122 against authentication key 118 by verifying the code sent from mobile transceiver 302 against authentication key 118. The authentication subsystem 310 then communicates the encryption key 116 across the communication combination 301 to the interface controller 108.
The encryption engine 110 then converts the plaintext information into encrypted information along the channel 206 using the encryption key 116 and converts the encrypted information into plaintext information. Any attempt to read encrypted information from the storage medium 112 without the encryption key 116 would result in information that is unusable by the host computer system 120.
In an optional second authentication mechanism, authentication subsystem 310 authenticates user 122 against authentication key 118 by having user 122 employ biometric sensor 320 to provide biometric input 322 to authenticate his/her identity as an authorized user. Types of biometric identifiers include fingerprints, iris scans, voiceprints, and the like.
In an optional third authentication mechanism, authentication subsystem 310 verifies user 122 against authentication key 118 by having user 122 employ electromechanical input mechanism 330 to provide unique code 332 to verify his/her identity as an authorized user. The unique code 332 may include a numeric code, an alphanumeric code, or an alphabetic code, such as a PIN. Electromechanical input mechanism 330 is within authentication subsystem 310. The electromechanical input mechanism 330 receives a unique code 332 from the user 122 from outside the data security system 300. The unique code 332 is provided to the electromechanical input mechanism 330 within the authentication subsystem 310 from outside the storage subsystem 106 of the data security system 300.
Regardless of the method used to authenticate user 122, authentication key 118 and encryption key 116 remain hidden until user 122 is authenticated.
Referring now to FIG. 4, there is shown a pictorial illustration of how a user 122 may employ the host computer system 120 to interact with the data security system 400.
The host computer system 120 is provided with a host application 402. The host application 402 is software or firmware that communicates over the external communication channel 102 of the data security system 400.
The host application 402 passes a host identifier 406 associated with its environment, such as an internal component serial number (e.g., hard drive), a Media Access Control (MAC) address of a network card, a login name of a user, a network Internet Protocol (IP) address, an ID created by the data security system and saved to the host, an ID created by the data security system and saved to the network, and so forth. Host identifier 406 is employed by authentication subsystem 408 in data security system 400.
When authentication subsystem 408 authenticates user 122 against authentication key 118 by verifying host identifier 406, data security system 400 unlocks.
For example, the user 122 connects the locked data security system 400 to the host computer system 120. The host application 402 sends the MAC address of its network card to the data security system 400. Data security system 400 recognizes the MAC address as legitimate and unlocks without user 122 of fig. 1 having to enter a user identification. This implementation does not require any interaction with user 122. In this case, it is the host computer system 120 and its associated environment that is being verified.
The data security system 400 includes: providing an authentication key 118 stored in the authentication subsystem 104; providing verification of the host computer system 120 by the authentication subsystem 104; presenting the encryption key 116 to the storage subsystem 106 through the authentication subsystem 104; and providing access to the storage media 112 through the storage subsystem 106 via decryption of the storage media content.
The data security system also includes an authentication subsystem 104 for interpreting biometric input and verifying the user 122.
The data security system also includes the direct use of an authentication key 118 as an encryption key 116.
The data security system also includes using the authentication key 118 to decrypt and retrieve the encryption key 116.
The data security system also includes an authentication subsystem 104 for interpreting the signal input and verifying the transmitting unit.
The data security system also includes an authentication subsystem 104 for interpreting manually entered input and verifying the user 122.
The data security system also includes an authentication subsystem 104 for interpreting input sent by the host-resident software application for authenticating the host computer system 120.
The data security system also includes an encryption engine 110, the encryption engine 110 being external to the interface controller 108, but connected to the external communication channel 102 for the purpose of converting plaintext data into encrypted data to unlock the data security system 100.
Referring now to fig. 5, a data security method 500 employing user authentication for the data security system 100 is shown. The data security method 500 includes: authenticating the user for the authentication key in block 502; employing the authentication key for retrieving the encryption key in block 504; and employing the encryption key in block 506 to allow unencrypted communication between the host computer system and the storage media through the storage subsystem.
Referring now to fig. 6, an exemplary data security communication system 600 is shown. The exemplary data security communication system 600 includes a mobile device 610, a data security system 620, a host computer 630, and a server/console 640. The mobile device 610 and the server/console 640 are connected by a wired or wireless connection via the cloud 650, which may be an internet cloud. The mobile device 610 and the data security system 620 are connected through the communication combination 301.
The communication combination 301 in the exemplary data security communication system 600 includes a mobile transceiver 612 in a mobile device 610, where an antenna 614 wirelessly communicates with an antenna 622 of a data security transceiver 624 in a data security system 620.
The mobile device 610 in one embodiment may be a smartphone. In the mobile device 610, a mobile transceiver 612 may connect to conventional mobile device components and to a data security system application 618, the data security system application 618 providing information to be used with a data security system 620.
The data security transceiver 624 connects to a security controller 626, which may contain identifications, passwords, profiles, or other information, including information about the different mobile devices that may access the data security system 620. The security controller 626 is connected to subsystems similar to the authentication subsystem 310, the storage subsystem 106 (which in some embodiments may encrypt the stored data), and the external communication channel 102.
The external communication channel 102 may be connected to a host computer 630 to allow access to data in the storage subsystem 106 under specified circumstances.
One implementation of the data security system 620 may eliminate the biometric sensor 320 and the electromechanical input mechanism 330 of fig. 3, with only a wireless link with the mobile device 610, such as a smartphone. It has been found that this implementation makes the data security system 620 more secure and useful.
The data security system application 618 allows the mobile device 610 to discover all data security systems in the vicinity of the mobile device 610 and display their status (locked/unlocked/blank, paired/unpaired).
The data security system application 618 allows the mobile device 610 to connect/pair, lock, unlock, change name and password, and reset all data on the data security system 620.
The data security system application 618 allows the mobile device 610 to set an inactivity auto-lock, so that the data security system 620 locks automatically after a predetermined period of inactivity, or a proximity auto-lock, so that the data security system 620 locks when the mobile device 610 has not been within a predetermined proximity for a predetermined period of time (the waiting period improves reliability and avoids reacting to transient signal fluctuations).
The data security system application 618 allows the mobile device 610 to remember passwords using TouchID and Apple Watch (both mentioned here as examples only; many other wearable devices and mobile devices with biometric sensors can be used in a similar manner), so the data security system 620 can be unlocked without the password having to be re-entered on the mobile device.
The data security system application 618 allows the data security system 620 to be set to operate only with certain mobile devices, such as the mobile device 610, so that the data security system 620 cannot be unlocked with other mobile devices (the 1Phone feature).
The data security system application 618 allows the mobile device 610 to set the data security system 620 as read-only.
The data security system application 618 allows the mobile device 610 to operate in a user mode or an administrator mode (administrator's mode overrides the user's settings) and allows the mobile device 610 to use the server/console 640. Server/console 640 is a combination of a computer and a console for entering information into the computer.
The server/console 640 contains a user management database 642, the user management database 642 containing additional information that can be transmitted to the mobile device 610 through the cloud 650 to provide additional functionality to the mobile device 610.
The user management database 642 allows the server/console 640 to use the UserID (username and password) to create and identify the user, and to prevent/allow unlocking of the data security system 620 and to provide remote assistance.
The user management database 642 allows the server/console 640 to remotely reset or unlock the data security system 620.
The user management database 642 allows the server/console 640 to remotely change the PIN of the user of the data security system.
The user management database 642 allows the server/console 640 to restrict/allow unlocking of the data security system 620 from a particular location (through the use of geo-fencing).
The user management database 642 allows the server/console 640 to restrict/allow unlocking of the data security system 620 for specified time periods and different time zones.
The user management database 642 allows the server/console 640 to restrict unlocking of the data security system 620 from outside a specified group/organization/network, etc.
Referring now to fig. 7, there is shown an administrator sequence diagram illustrating a sequence of operations between a mobile device 610 and a data security system 620.
The connection 700 between the data security system 620 and the mobile device 610 is first established by: the device and the system discovering each other; pairing the device and the system; and connecting the device and the system. The connection 700 is secured using a shared secret, which is then used to secure (encrypt) communications between the data security system 620 and the mobile device 610 for all future communication sessions. A standard encryption algorithm is selected that both runs efficiently on the data security system 620 and is approved by global security standards.
The connection 700 is maintained by the data security system application 618 or the security controller 628, or by both operating together, as long as the data security system 620 and the mobile device 610 are within a predetermined distance of each other. Further, if the predetermined distance is exceeded, the connection 700 is maintained for a predetermined period of time after which the data security system 620 is locked.
After the mobile device 610 and the data security system 620 are connected, a data security system administrator application launch operation 702 occurs in the mobile device 610. The administrator then sets the password in administrator password operation 704. Further, after the mobile device 610 and the data security system 620 are connected, the data security system 620 connects to the host computer 630 of FIG. 6 to be powered up by the host computer 630 and discoverable by the host computer 630 in the data security system connected, powered and discoverable operation 706.
After the administrator password operation 704, the mobile device 610 sends a set administrator password and unlock signal 708 to the data security system 620. The set administrator password and unlock signal 708 causes an administrator password setting and data security system unlock operation 716 to occur in the data security system 620.
When the administrator password setting and data security system unlock operation 716 is complete, a "confirm: data security system unlock" signal 712 is sent to the mobile device 610, which performs a "confirm: data security system unlock as administrator" operation 714. The "confirm: data security system unlock as administrator" operation 714 allows a set other restrictions operation 716 to be performed using the mobile device 610. The set other restrictions operation 716 causes a set administrator restrictions signal 718 to be sent to the data security system 620, where the administrator restrictions are set, and a "confirm: restrictions set" signal 720 is returned to the mobile device 610. Thereafter, the mobile device 610 and the data security system 620 are in full operational communication.
Because communication with the data security system 620 can occur without physical contact with the data security system 620, it is desirable that significant interaction with the data security system 620 be accompanied by a data security system unique identifier that is either printed on the data security system 620 itself or supplied with the data security system 620 package and readily available to the owner of the data security system 620.
The unique identifier (unique ID) is required when a request is made that may affect the user data, such as unlocking or resetting the data security system 620. Attempts to perform these operations without the correct identifier are ignored and rendered harmless. The unique identifier identifies the data security system 620 to the mobile device 610 in a manner that requires the user to have physical control over the data security system 620, and verifies an authorized connection 700 established between a previously paired device and system, e.g., the mobile device 610 and the data security system 620. Once the devices are paired, the shared secret is used to secure the communication.
Pairing means a unique and defined relationship that the mobile device and the data security system have established and persisted at some time in the past.
The unique identifier enables the user to be given some control over the data security system when the user has physical control over the data security system.
To improve the security of communications with the data security system 620 in the case where the mobile device 610 is a smartphone, the user may choose to enable a feature such as the one referred to herein as 1Phone. This feature limits important user interaction with the data security system 620 to one and only one mobile device 610. This is accomplished by replacing the data security system unique identifier with a random identifier that is securely shared between the data security system 620 and the mobile device 610. Thus, for example, when a user unlocks the data security system 620, instead of presenting the data security system unique identifier, the 1Phone identifier must be given. In effect, this makes the user's mobile device 610 a second authentication factor for using the data security system 620, in addition to the PIN or password. As an example, a paired user phone selected as the "1Phone" may be used without a PIN, and may be used as a single factor for user authentication and/or in combination with any other user authentication factor. If this feature (1Phone) is selected, the data security system 620 cannot be unlocked with any other phone unless administrator unlocking was previously enabled.
It will be appreciated that other embodiments may be made to require the administrator's password on the data security system 620 in order to use the 1Phone feature. Further embodiments may require that the server/console 640 be able to recover the data security system 620 in the event that 1Phone data is lost on the mobile device 610.
The user may enable the proximity auto-lock feature for the data security system 620. During the communication session, the data security transceiver 624 of fig. 6 reports signal strength measurements for the mobile device 610 to the data security system 620. The data security system application 618 on the mobile device 610 sends both the originating signal power level and the proximity threshold to the data security system 620.
Since signal strength varies with environmental conditions around the transceiver, the data security system 620 mathematically smooths the signal strength measurements to reduce the possibility of false positives. When the data security system 620 detects that the received signal power has remained below the defined threshold for the predetermined period of time, it immediately locks the data security system 620 and prevents access to the storage subsystem 106 of FIG. 6.
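An added example, not code from the patent, that models the proximity auto-lock just described: the app supplies the originating power level and a proximity threshold, the data security system smooths the reported signal strength with an exponential moving average, and it locks only when the smoothed value has stayed below the threshold for the predetermined period. The smoothing weight, threshold, grace period and the sample readings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProximityAutoLock:
    """Model of the proximity auto-lock of data security system 620.

    The mobile app sends origin_power_dbm and threshold_db; the remaining
    parameters are assumptions of this example, not values from the patent.
    """
    origin_power_dbm: float      # transmit power level reported by the app
    threshold_db: float          # path loss beyond which the phone counts as "away"
    grace_seconds: float         # how long "away" must persist before locking
    alpha: float = 0.5           # EMA weight given to the newest sample (assumed)
    smoothed: Optional[float] = None
    away_since: Optional[float] = None
    locked: bool = False

    def report(self, rssi_dbm: float, now: float) -> bool:
        """Feed one signal strength measurement; returns True once locked.

        Locking is one way: a later strong reading does not unlock, because
        unlocking requires the user to authenticate again.
        """
        if self.locked:
            return True
        # The exponential moving average damps single noisy readings.
        if self.smoothed is None:
            self.smoothed = rssi_dbm
        else:
            self.smoothed = self.alpha * rssi_dbm + (1 - self.alpha) * self.smoothed
        path_loss = self.origin_power_dbm - self.smoothed
        if path_loss > self.threshold_db:
            if self.away_since is None:
                self.away_since = now          # start the grace timer
            elif now - self.away_since >= self.grace_seconds:
                self.locked = True             # stayed away: lock the storage
        else:
            self.away_since = None             # back in range: reset the timer
        return self.locked


def first_lock_time(samples: List[Tuple[float, float]],
                    lock: ProximityAutoLock) -> Optional[float]:
    """Replay (time, rssi) samples and return the time the system locked, or None."""
    for now, rssi in samples:
        if lock.report(rssi, now):
            return now
    return None


# Constructed measurements: a phone at a steady -50 dBm with one spurious
# -95 dBm reading, followed by the user walking away (steady -90 dBm).
GLITCH = [(0, -50), (1, -50), (2, -95), (3, -50), (4, -50)]
WALK_AWAY = [(t, -90) for t in range(5, 12)]


def make_lock() -> ProximityAutoLock:
    # 0 dBm transmit power, 70 dB allowed loss, lock after 5 s out of range (assumed).
    return ProximityAutoLock(origin_power_dbm=0.0, threshold_db=70.0, grace_seconds=5.0)


if __name__ == "__main__":
    print("glitch only locks at:", first_lock_time(GLITCH, make_lock()))
    print("walking away locks at:", first_lock_time(GLITCH + WALK_AWAY, make_lock()))
```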
The data security system 620 can be used in three different modes: a user mode in which the functionality of the data security system 620 is determined by the user; an administrator mode in which an administrator may set an administrator password and impose some restrictions on the data security system 620 (e.g., auto-lock after a predetermined period of inactivity, read-only, 1Phone), and in which restrictions cannot be removed by the user; and a server mode in which an administrator role is set, wherein the server/console 640 can remotely reset the data security system 620, change a user password, or simply unlock the data security system 620.
Referring now to fig. 8, there is shown an unlock sequence diagram in which the mobile device 610 is the authentication factor. This figure illustrates an automatic unlocking process of the data security system 620 initiated by the data security system application 618 from a particular mobile device, namely the mobile device 610. The user may use only the one mobile device that was initially paired with the data security system 620. If the paired mobile device 610 is lost, the data security system 620 cannot be unlocked (unless the administrator password was previously set as shown in FIG. 7).
Although similar to fig. 7, the data security system application launch operation 800 occurs after the connection 700 is established. After the data security system is connected, powered and discoverable operation 706, an unlock request signal 802 is sent from the mobile device 610 to the data security system 620 with the mobile device ID. A data security system unlock operation 804 occurs and a "confirm: data security system unlock" signal 712 is sent from the data security system 620. After the "confirm: data security system unlock" operation 806, the mobile device 610 and the data security system 620 are in full operational communication.
If no PIN (personal identification number) is set, the paired mobile device is used as the single authentication factor.
Referring now to fig. 9, therein is shown an unlock sequence diagram illustrating unlocking using PIN entry from the mobile device 610. The figure shows the process of unlocking the data security system 620 by entering a PIN in the data security system application 618 in the mobile device 610. The data security system 620 cannot be unlocked without entering the correct PIN.
Although similar to fig. 7 and 8, the enter username/password operation 900 occurs after the data security system application launch operation 800. After entering the username/password operation 900, the mobile device 610 sends an authenticated user ID signal 902 to the server/console 640. The server/console 640 then makes a username/password valid determination 904.
When the username/password validity determination 904 authenticates the user, a valid user signal 906 is sent to the mobile device 610 so that the user can enter the correct PIN in an enter PIN operation 908 in the mobile device 610. The mobile device 610 then sends a verification unlock signal 910 to the server/console 640 to determine whether the correct PIN has been entered.
Server/console 640 makes a user authorization determination 912 and determines whether the user is authorized to use the particular data security system for which the PIN is authorized, such as data security system 620. If authorized, an unlock allowed signal 914 is sent to the mobile device 610, and the mobile device 610 passes an unlock request signal 916 to the data security system 620.
The data security system unlock operation 804 is performed and the "confirm: data security system unlock" signal 712 is sent to the mobile device 610, which performs the "confirm: data security system unlock" operation 806.
Referring now to fig. 10, there is shown an unlock sequence diagram illustrating unlocking using PIN entry and user ID/location/time verification via the server/console 640. The figure shows the most secure process of unlocking the data security system 620: entering a PIN from the mobile device 610 in the data security system application 618, authenticating at the server/console 640 using a UserID (username/password), and verifying the geofence permission to unlock the data security system 620 at a particular location and within a range of time. The data security system 620 cannot be unlocked without entering a PIN, username, and password, and without the mobile device 610 being present at a particular (predefined) location during a certain (predefined) time.
Although similar to fig. 7-9, at the server/console 640, an unlock-specified-data-security-system operation 1000 is performed to allow a desired condition to be set under which a specified data security system, such as the data security system 620, will operate. For example, the condition may be within a particular geographic area and/or a particular time range.
At the mobile device 610, a current condition determination is made, for example, in an acquire location and/or current time operation 1002. This operation is performed to determine where the mobile device 610 is located, or what the current time is at the location where the mobile device 610 is located. Other current conditions around the mobile device 610 may also be determined and sent to the server/console 640 in a verify unlock signal 1004, and a condition satisfied determination 1006 is made in the server/console 640.
When the desired conditions are met, an unlock allowed signal 1008 is sent to the mobile device 610 to perform the enter PIN operation 908. After entering the PIN, a verification unlock signal 1010 is sent with the PIN and the identification of the data security system 620 within operational proximity to the mobile device 610. The server/console 640 receives the verification unlock signal 1010 and makes an allow data security system determination 1012 to determine that the specified data security system is allowed to be unlocked by an authorized user. The server/console 640 verifies that the "particular" user is authorized to use the specified data security system.
Upon determining that the correct information has been provided, the server/console 640 provides an unlock allowed signal 914 to the mobile device 610, and the mobile device 610 in turn provides an unlock request signal 916. The unlock request signal 916 causes the data security system 620 to operate.
Referring now to fig. 11, a reset sequence diagram illustrating the use of the server/console 640 to reset the data security system 620 is shown. The figure illustrates the ability to remotely reset the data security system 620 via the server/console 640. The data security system 620 may receive commands only from the mobile device 610 through a wireless connection. However, when a "reset" flag is set on the server/console 640 for a particular data security system (using its S/N), the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests in the user management database 642, will find the pending request. When the user connects to the data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "reset" command. After a successful reset (all user data and credentials disappear), the server/console 640 removes the reset flag, so the reset is not executed again the next time the mobile device 610 connects to that particular data security system.
Although similar to fig. 7-10, the mobile device 610 responds to the valid user signal 906 by sending an any command wait signal 1100 to the server/console 640, which makes a reset command determination 1102. When there is a reset command, an execute reset signal 1104 is sent to the mobile device 610.
The mobile device 610 then sends a reset security system signal 1106 to the data security system 620 to initiate a data security system reset operation 1108. After the data security system reset operation 1108 is complete, the data security system 620 sends a "confirm: data security system reset" signal 1110, which sets a "confirm: data security system reset" operation 1112 into operation in the mobile device 610. Thereafter, the mobile device 610 and the data security system 620 are in full operational communication with the reset data security system 620.
Referring now to FIG. 12, an unlock sequence diagram is shown illustrating unlocking of the data security system 620 using the server/console 640. The figure illustrates the ability to remotely unlock the data security system 620 via the server/console 640. The data security system 620 may receive commands only from the mobile device 610 through a wireless connection. However, when an "administrator unlock" flag is set on the server/console 640 for a particular data security system (using its S/N), the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests, will find the pending request. When the user connects to the data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "administrator unlock" command. After a successful administrator unlock, the user's data is untouched, but the user's password is removed (the data security system 620 cannot be unlocked by the user). The server/console 640 then removes the flag for the data security system 620, so the command is not executed again the next time the mobile device 610 connects to the data security system 620.
Although similar to fig. 7-11, after receiving the any command wait signal 1100, the server/console 640 performs the unlock 1200 when there is a command to unlock with the administrator's password. An unlock with administrator password signal 1202 is sent to the mobile device 610, and the mobile device 610 provides an unlock with administrator password signal 1204 to the data security system 620 to initiate a data security system unlock operation 804. Thereafter, the mobile device 610 and the data security system 620 are in full operational communication.
Referring now to FIG. 13, there is shown a sequence diagram for changing a user's password using the server/console 640. The figure illustrates the ability to remotely change a user password for the data security system 620 via the server/console 640. Even though the data security system 620 may only receive commands from the mobile device 610 over a wireless connection, when a "change user password" flag is set on the server/console 640 for the particular data security system (using its S/N), the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests, will find the pending request. When the user connects to the data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "change user password" command. After a successful unlock and change of password, the user's data is untouched and the data security system 620 may be unlocked using the new user password. The server/console 640 then removes the "change user password" flag for that data security system 620, so the "change user password" command is not executed again the next time the mobile device 610 connects to that particular data security system.
Although similar to fig. 7-12, the server/console 640 responds to the any command wait signal 1100 by making a change password determination 1300. When a password change has been made at the server/console 640, a change user password signal 1302 is sent to the mobile device 610, which sends a change user password signal 1304 to the data security system 620. Thereafter, the mobile device 610 and the data security system 620 are in full operational communication with the new password.
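An added example, not the patent's or Clevx's own code, that models the server-mediated flows of figs. 10 to 13: the server/console authenticates the username/password, checks the geofence and time window, and verifies the PIN before the mobile app sends the unlock request, and it keeps per-S/N "reset", "administrator unlock" and "change user password" flags that the app executes on connection and the server clears only after success. The class and method names, the hashing of credentials, the geofence representation, the sample user and device, and the assumption that the PIN is also presented to the device are all constructed for this example.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

def _digest(secret: str) -> str:
    # Server and device keep only hashes of passwords and PINs (assumed design).
    return hashlib.sha256(secret.encode()).hexdigest()

def _check(secret: str, digest: Optional[str]) -> bool:
    return digest is not None and hmac.compare_digest(_digest(secret), digest)

def _metres(lat1, lon1, lat2, lon2):
    # Haversine great-circle distance for the geofence check.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

@dataclass
class DataSecuritySystem:
    # Model of data security system 620; it takes commands only from the mobile app.
    serial: str
    user_pin_hash: Optional[str]
    admin_pin_hash: Optional[str]
    locked: bool = True
    user_data: bytes = b"constructed user data"
    def unlock(self, pin):                  # user unlock (figs. 9 and 10)
        self.locked = self.locked and not _check(pin, self.user_pin_hash)
        return not self.locked
    def admin_unlock(self, admin_pin):      # fig. 12: data untouched, user password removed
        if _check(admin_pin, self.admin_pin_hash):
            self.locked, self.user_pin_hash = False, None
        return not self.locked
    def reset(self):                        # fig. 11: all user data and credentials disappear
        self.user_data, self.user_pin_hash, self.admin_pin_hash, self.locked = b"", None, None, True
    def change_user_pin(self, new_pin):     # fig. 13: data untouched, new user password
        self.user_pin_hash = _digest(new_pin)

class ServerConsole:
    # Model of server/console 640 holding the user management database 642.
    def __init__(self):
        self.users = {}    # name -> (password hash, PIN hash, allowed S/Ns, geofence, time window)
        self.pending = {}  # S/N -> (flag, payload): the flags of figs. 11 to 13
    def add_user(self, name, password, pin, serials, geofence, window):
        self.users[name] = (_digest(password), _digest(pin), set(serials), geofence, window)
    def set_flag(self, serial, flag, payload=None):
        self.pending[serial] = (flag, payload)
    def authenticate(self, name, password):            # determination 904
        return name in self.users and _check(password, self.users[name][0])
    def conditions_met(self, name, lat, lon, now):     # determination 1006
        (flat, flon, radius), (start, end) = self.users[name][3], self.users[name][4]
        return _metres(lat, lon, flat, flon) <= radius and start <= now.time() <= end
    def verify_unlock(self, name, pin, serial):        # determinations 912 and 1012
        return _check(pin, self.users[name][1]) and serial in self.users[name][2]
    def pending_command(self, serial):                 # determinations 1102, 1200 and 1300
        return self.pending.get(serial)
    def clear_flag(self, serial):
        self.pending.pop(serial, None)

class MobileApp:
    # Model of data security system application 618 on mobile device 610.
    def __init__(self, server, device):
        self.server, self.device = server, device
    def unlock(self, name, password, pin, lat, lon, now):
        # fig. 10: username/password, then location/time, then PIN, then unlock request 916.
        return (self.server.authenticate(name, password)
                and self.server.conditions_met(name, lat, lon, now)
                and self.server.verify_unlock(name, pin, self.device.serial)
                and self.device.unlock(pin))   # assumed: the PIN also travels to the device
    def connect(self, name, password):
        # figs. 11 to 13: after login, fetch the pending flag for this S/N and execute it.
        if not self.server.authenticate(name, password):
            return None
        entry = self.server.pending_command(self.device.serial)
        if entry is None:
            return None
        flag, payload = entry
        if flag == "reset":
            self.device.reset()
        elif flag == "admin_unlock":
            if not self.device.admin_unlock(payload or ""):
                return None                    # wrong admin password: flag stays pending
        elif flag == "change_user_password":
            self.device.change_user_pin(payload or "")
        else:
            return None
        self.server.clear_flag(self.device.serial)   # flag removed only after success
        return flag

IN_HOURS = datetime(2024, 1, 15, 10, 0)      # constructed: inside the 08:00 to 18:00 window
AFTER_HOURS = datetime(2024, 1, 15, 22, 0)   # constructed: outside the window

def build_demo():
    server = ServerConsole()   # constructed deployment: one user, one device, 200 m Seattle geofence
    server.add_user("alice", "correct horse battery", "1234", {"DSS-0001"}, (47.6062, -122.3321, 200.0), (time(8, 0), time(18, 0)))
    device = DataSecuritySystem("DSS-0001", _digest("1234"), _digest("admin-9"))
    return server, device, MobileApp(server, device)
```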
A method of operating a data security system, comprising: providing a mobile device having a data security system application to connect with a data security system; starting a data security system application; and maintaining the connection of the data security system with the mobile device.
The method as described above, wherein maintaining the connection maintains the connection when the data security system is within a predetermined proximity to the mobile device.
The method as described above, wherein maintaining the connection maintains the connection when the data security system is within a predetermined proximity to the mobile device during a predetermined period of time.
The method as described above, wherein establishing the connection comprises using two-way communication between the data security system and the mobile device.
The method as described above, wherein establishing the connection comprises using one-way communication between the data security system and the mobile device.
The method as described above, further comprising: communicating between the mobile device having the data security system application and a server containing a user management database.
The method as described above, further comprising: providing security information in a security controller in the data security system.
The method as described above, further comprising: providing an identification of the designated data security system to the server; providing a particular identification to the data security system; unlocking the data security system when the identity of the designated data security system is the same as the particular identity of the data security system.
The method as described above, wherein the providing the mobile device with the data security system application provides an application for a data security system administrator, and the method further comprises: setting a password of an administrator in the mobile device; transmitting the administrator's password from the mobile device to the data security system; and setting a password of an administrator in the data security system and unlocking the data security system.
The method as described above, further comprising: providing, from the mobile device, an unlock request and a mobile device identification to the data security system; and receiving an unlock request in the data security system and unlocking the data security system.
The method as described above, further comprising: inputting a user name or password in the mobile device; determining, in a server, when the user name or password is valid after receiving the user name or password from the mobile device; communicating from the server to the mobile device when the user name or password is valid; and communicating from the mobile device to the data security system to unlock the data security system when the user name or password is valid.
The method as described above, further comprising: inputting a user name or password in the mobile device; determining, in a server, when the user name or password is valid after receiving the user name or password from the mobile device; communicating from the server to the mobile device when the user name or password is valid; determining, in the server, when an identification number is valid after receiving the identification number from the mobile device; and unlocking, by the mobile device, the data security system when the server determines that the identification number is valid.
The method as described above, further comprising: providing the server with the current location of the mobile device; determining, in the server, when the mobile device is in a valid location; and unlocking, by the mobile device, the data security system when the server determines that the mobile device is in the valid location.
The method as described above, further comprising: providing, to the server, the current time at the mobile device at which the data security system is being operated; determining, in the server, when the current time is within a valid time period; and unlocking, by the mobile device, the data security system when the server determines that the current time is within the valid time period.
The method as described above, further comprising: providing a command in a server; providing a command from the server to the mobile device in response to a command wait signal from the mobile device; and executing the command in the data security system by the mobile device when the command is provided from the server.
The method as described above, further comprising: providing a change password command in the server; providing a change password command from the server to the mobile device in response to a change password signal from the mobile device; and unlocking the data security system with the changed password in the data security system.
The method as described above, further comprising: connecting the data security system to a host computer so that it is powered by, and discoverable to, the host computer.
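The server-side checks described in the method embodiments above (user name and password against the user management database, the designated data security system identification, a valid location, a valid time period), as an added example written for this page rather than Clevx code. The record layout, the circular haversine geofence, the fixed-offset time window, the hypothetical user "alice", serial "SN-0001" and coordinates are all assumptions.

```python
"""Server-side unlock decision (added example, not Clevx code)."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

Location = Tuple[float, float]  # (latitude, longitude) as reported by the mobile device


@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float

    def contains(self, loc: Location) -> bool:
        # Haversine great-circle distance on a 6371 km sphere.
        p1, p2 = math.radians(self.lat), math.radians(loc[0])
        a = (math.sin((p2 - p1) / 2) ** 2
             + math.cos(p1) * math.cos(p2) * math.sin(math.radians(loc[1] - self.lon) / 2) ** 2)
        return 2 * 6_371_000 * math.asin(math.sqrt(a)) <= self.radius_m


@dataclass(frozen=True)
class TimeWindow:
    start: time
    end: time
    tz: timezone  # zone the period is expressed in, so a travelling user is judged by site time

    def contains(self, now: datetime) -> bool:
        t = now.astimezone(self.tz).time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end  # window crossing midnight


@dataclass
class UserRecord:
    salt: bytes
    verifier: bytes
    devices: FrozenSet[str]  # identifications of the user's designated data security systems
    geofence: Optional[Geofence]
    window: Optional[TimeWindow]


class ManagementServer:
    """Server holding the user management database; answers the application's unlock request."""

    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str, devices, geofence=None, window=None) -> None:
        salt = os.urandom(16)
        self._users[username] = UserRecord(salt, self._hash(password, salt), frozenset(devices), geofence, window)

    def authorize_unlock(self, username: str, password: str, device_id: str,
                         location: Optional[Location], now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Keep the reason in the server's audit log and send the
        mobile device only the acknowledgement, so a failed attempt does not learn which check tripped."""
        rec = self._users.get(username)
        # Verify against a dummy record for unknown users so response time does not reveal valid names.
        salt, verifier = (rec.salt, rec.verifier) if rec else (bytes(16), bytes(32))
        if not hmac.compare_digest(self._hash(password, salt), verifier) or rec is None:
            return False, "bad credentials"
        if device_id not in rec.devices:
            return False, "device not designated for this user"
        # The location is self-reported by the phone: a geofence constrains honest users,
        # it is not a defence against a device that spoofs its GPS fix.
        if rec.geofence and (location is None or not rec.geofence.contains(location)):
            return False, "outside valid location"
        if rec.window and not rec.window.contains(now):
            return False, "outside valid time period"
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenario: one user, one designated drive, a 500 m fence around an office
    and an 08:00-18:00 window expressed in fixed UTC-8."""
    pst = timezone(timedelta(hours=-8))
    server = ManagementServer()
    server.add_user("alice", "correct horse", {"SN-0001"},
                    Geofence(47.6062, -122.3321, 500), TimeWindow(time(8), time(18), pst))
    desk: Location = (47.6065, -122.3318)  # about 40 m from the fence centre
    noon = datetime(2024, 3, 5, 12, 0, tzinfo=pst)
    evening = datetime(2024, 3, 6, 3, 0, tzinfo=timezone.utc)  # 19:00 on 5 March in UTC-8

    def ask(user="alice", pw="correct horse", dev="SN-0001", loc=desk, when=noon) -> bool:
        return server.authorize_unlock(user, pw, dev, loc, when)[0]

    return {
        "allowed": ask(),
        "wrong_password": ask(pw="wrong"),
        "unknown_user": ask(user="mallory"),
        "wrong_device": ask(dev="SN-0002"),
        "off_site": ask(loc=(47.6205, -122.3493)),  # about 2 km away
        "after_hours": ask(when=evening),
    }
```

Each check is evaluated in order and the first failure wins; the mobile device is told only whether it may send the unlock command to the data security system, never which policy element failed.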
A data security system comprising: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.
The system as described above, further comprising a security controller connected to the data security transceiver or receiver and to the authentication subsystem.
The system as described above, further comprising a mobile device having a data security system application operating with the security controller to remain connected when the data security system is within a predetermined proximity to the mobile device.
The system as described above, further comprising a mobile device having a data security system application operative with the security controller to remain connected when the data security system is within a predetermined proximity to the mobile device during a predetermined period of time.
The system as described above, further comprising a mobile device having a mobile transceiver or receiver for maintaining a connection, the maintaining of the connection comprising using two-way communication between the data security system and the mobile device.
The system as described above, further comprising a mobile device having a mobile transceiver or receiver for maintaining a connection, the maintaining of the connection comprising using one-way communication between the data security system and the mobile device.
The system as described above, further comprising a wired or wireless communication connection between the mobile device having the data security system application and a server containing a user management database.
The system as described above, wherein the data security system comprises an external communication channel for connecting to the host computer.
While the invention has been described in conjunction with a specific preferred embodiment, it is to be understood that many alternatives, modifications, and variations will be apparent to those skilled in the art in light of the foregoing description. Accordingly, it is intended to embrace all such alternatives, modifications, and variations that fall within the scope of the included claims. All matters hereinbefore set forth or shown in the accompanying drawings are to be interpreted in an illustrative and non-limiting sense.

Claims (29)

1. A method, comprising:
detecting a connection with a data storage device having a locked data channel, the data storage device further comprising an interface controller for communication over the data channel, a memory, an authentication subsystem having authentication information and an encryption key, an encryption engine, and a wireless transceiver for radio frequency communication outside of the data channel;
receiving a user authentication input via the wireless transceiver while the data channel through the interface controller is locked;
unlocking a data channel of the data storage device based on the received user authentication input and authentication information of the authentication subsystem; and
when the data channel is unlocked:
encrypting data received over the data channel with the encryption key prior to storing the data received over the data channel in the memory; and
decrypting the data read from the memory using the encryption key before transmitting the data read from the memory over the data channel.
2. The method of claim 1, further comprising:
communicating the encryption key from the authentication subsystem to the encryption engine based on the unlocking, wherein the encryption key is not stored in a memory of the data storage device, wherein the encryption key is not accessible from outside the data storage device.
3. The method of claim 1, wherein receiving the user authentication input further comprises:
communicating with an application in a mobile device via the wireless transceiver; and
receiving the user authentication input from the mobile device.
4. The method of claim 1, wherein receiving the user authentication input further comprises:
communicating with an application in a mobile device via the wireless transceiver, wherein the application comprises a user interface for entry of the user authentication input by a user, and the remote server sends an acknowledgement to the application when the user authentication input is verified by the remote server; and
receiving, by the data storage device, the user authentication input from the mobile device via the wireless transceiver after the user is verified by the remote server.
5. The method of claim 4, further comprising:
after the application in the mobile device receives the command to change the authentication information from the remote server, receiving a command to change the authentication information from the application in the mobile device.
6. The method of claim 4, wherein an application in the mobile device allows the mobile device to lock a data channel of the data storage device, unlock a data channel of the data storage device, change a user name, change the authentication information, and reset the data storage device.
7. The method of claim 4, wherein an application in the mobile device enables the remote server to reset the data storage device and unlock the data storage device.
8. The method of claim 4, wherein an application in the mobile device enables the remote server to use a geofence to limit use of the data storage device to a particular location by determining that the mobile device is present within the geofence.
9. The method of claim 4, wherein an application in the mobile device enables the remote server to limit use of the data storage device to a particular time zone and time period.
10. The method of claim 1, wherein the data channel is a computer bus interface.
11. The method of claim 1, wherein the radio frequency communication is one of Wireless Fidelity (WiFi), Bluetooth (BT), Bluetooth Smart (BLE), Near Field Communication (NFC), or cellular communication.
12. A data storage device, comprising:
a memory;
an interface controller for communication over a data channel, the data channel being locked until a user is authenticated;
a wireless transceiver for radio frequency communication outside of the data channel, the wireless transceiver configured to receive a user authentication input;
an authentication subsystem having authentication information and an encryption key, the authentication subsystem unlocking a data channel of the data storage device based on a received user authentication input and the authentication information; and
an encryption engine to encrypt data received over the data channel with the encryption key before storing the data in the memory, and to decrypt data read from the memory with the encryption key before sending the data read from the memory over the data channel.
13. The data storage device of claim 12, wherein the authentication subsystem communicates the encryption key to the encryption engine based on the unlocking, wherein the encryption key is not stored in a memory of the data storage device, wherein the encryption key is not accessible from outside the data storage device.
14. The data storage device of claim 12, wherein receiving the user authentication input further comprises:
communicating with an application in a mobile device via the wireless transceiver; and
receiving the user authentication input from the mobile device via the wireless transceiver.
15. The data storage device of claim 12, wherein receiving the user authentication input further comprises:
communicating with an application in a mobile device via the wireless transceiver, wherein the application comprises a user interface for entry of the user authentication input by a user, and the remote server sends an acknowledgement to the application when the user authentication input is verified by the remote server; and
receiving, by the data storage device, the user authentication input from the mobile device after the user is verified by the remote server.
16. The data storage device of claim 15, wherein the authentication subsystem is configured to receive a command from the application in the mobile device to change the authentication information after the application in the mobile device receives a command from the remote server to change the authentication information.
17. A system, comprising:
one or more computer processors;
a data channel connected to the one or more computer processors; and
a self-encrypting device connected to the data channel, the self-encrypting device comprising:
an authentication subsystem comprising an authentication processor;
an encryption engine;
a storage medium storing encrypted data encrypted with an encryption key provided by the authentication subsystem;
a Radio Frequency (RF) transceiver for communication outside of the data channel; and
a data interface of an interface controller coupled with the data channel, the data interface locked from sending and receiving data until the self-encrypting device is unlocked by the authentication subsystem using user authentication information received via the RF transceiver.
18. The system of claim 17, wherein the RF transceiver is configured to receive the user authentication information from a mobile device separate from the one or more computer processors, wherein the self-encrypting device is configured to unlock the data interface in response to receiving the user authentication information from the mobile device.
19. The system of claim 18, wherein the RF transceiver is configured to use independent encryption in RF communications with the mobile device, the independent encryption being separate from encryption provided by a communication protocol used for the RF communications.
20. The system of claim 18, wherein an application in the mobile device authenticates a user by authenticating the user with a management server, wherein the mobile device sends an unlock command to the self-encrypting device in response to the management server authenticating the user.
21. The system of claim 17, further comprising:
an encryption engine, wherein the authentication subsystem stores an encryption key and the authentication subsystem transmits the encryption key to the encryption engine when a user is successfully authenticated.
22. The system of claim 17, wherein the self-encrypting device initializes a timer when a shutdown of the system is detected, wherein the self-encrypting device initializes in an unlocked state if the system is restarted before the timer expires, wherein the self-encrypting device initializes in a locked state if the system is restarted after the timer expires.
23. The system of claim 17, wherein data is communicated between the data interface and the data channel in clear text.
24. The system of claim 17, wherein the system is one of a laptop computer, a personal computer, a kitchen appliance, a printer, a scanner, a server, a tablet device, a medical device, a door unlocking system, a secure access system, an access control device, a home automation device, a home appliance, a mobile phone, a vehicle, or a smart television.
25. A method, comprising:
providing a self-encrypting device in a host computer system, the host computer system also having one or more processors and a data channel connected to the one or more processors and to the self-encrypting device;
establishing a communication channel between a data interface of the self-encrypting device and the data channel, the communication channel being locked until the self-encrypting device is authenticated;
receiving user authentication information via a Radio Frequency (RF) transceiver of the self-encrypting device for communication outside the data channel;
unlocking, by an authentication subsystem of the self-encrypting device, the communication channel based on the user authentication information;
encrypting data received by the self-encrypting device through the data interface with an encryption key provided by an authentication subsystem of the self-encrypting device; and
storing the encrypted data in a storage subsystem of the self-encrypting device.
26. The method of claim 25, wherein the self-encrypting device authenticates a user without using the one or more processors of the host computer system.
27. The method of claim 25, further comprising:
receiving the user authentication information from a mobile device via the RF transceiver; and
unlocking the self-encrypting device in response to receiving the user authentication information via the RF transceiver.
28. The method of claim 27, wherein an application in the mobile device authenticates a user by verifying the user with a management server, the method further comprising:
receiving an unlock command from the mobile device in response to the management server authenticating the user.
29. The method of claim 25, wherein the self-encrypting device initializes a timer when a shutdown of the host computer system is detected, wherein the self-encrypting device initializes in an unlocked state if the host computer system is restarted before the timer expires, wherein the self-encrypting device initializes in a locked state if the host computer system is restarted after the timer expires.
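A model of the self-encrypting device recited in claims 12 to 29, added for this page and not Clevx's firmware: the data channel stays locked until the authentication subsystem, fed over the RF link rather than the data channel, releases the encryption key to the encryption engine; the key is held only in wrapped form and never leaves the device; and a timer started at host shutdown decides whether a restart comes back unlocked (claims 22 and 29). The XOR key wrap, the HMAC-SHA256 counter-mode keystream standing in for a hardware AES engine, the 30-second grace window and the sample password are assumptions of the example.

```python
"""Self-encrypting device with RF-fed authentication and a shutdown grace timer
(added example, not Clevx code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional


class ChannelLocked(Exception):
    """The host touched the data interface while the device is locked."""


class AuthenticationSubsystem:
    """Keeps the authentication information (salt and verifier) and the media key only in
    wrapped form; the plaintext key exists just long enough to hand it to the engine."""

    def __init__(self, user_password: str) -> None:
        self._salt = os.urandom(16)
        kek = self._kek(user_password)
        self._verifier = hashlib.sha256(b"verifier" + kek).digest()
        # Assumed simplified wrap: XOR under the password-derived key (real devices use AES key wrap).
        self._wrapped_key = bytes(a ^ b for a, b in zip(os.urandom(32), kek))

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def authenticate(self, password: str) -> Optional[bytes]:
        kek = self._kek(password)
        if not hmac.compare_digest(hashlib.sha256(b"verifier" + kek).digest(), self._verifier):
            return None
        return bytes(a ^ b for a, b in zip(self._wrapped_key, kek))


class EncryptionEngine:
    """Transforms sectors with a key it holds only while the device is unlocked."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = None

    def load_key(self, key: bytes) -> None:
        self._key = key

    def zeroize(self) -> None:
        self._key = None

    @property
    def armed(self) -> bool:
        return self._key is not None

    def transform(self, sector: int, data: bytes) -> bytes:
        # Per-sector keystream HMAC-SHA256(key, sector || counter); XOR is its own inverse.
        # Stand-in for AES-XTS: unlike XTS, this leaks if the same sector is rewritten.
        stream = b""
        for ctr in range(-(-len(data) // 32)):
            stream += hmac.new(self._key, sector.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                               hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))


class SelfEncryptingDevice:
    GRACE_SECONDS = 30  # assumed restart window; the claims leave the duration open

    def __init__(self, user_password: str) -> None:
        self.auth = AuthenticationSubsystem(user_password)
        self.engine = EncryptionEngine()
        self.media: Dict[int, bytes] = {}  # storage medium: ciphertext only
        self._shutdown_at: Optional[float] = None

    @property
    def unlocked(self) -> bool:
        return self.engine.armed

    def rf_authenticate(self, password: str) -> bool:
        """Authentication input arrives over the RF transceiver, never over the data channel."""
        key = self.auth.authenticate(password)
        if key is None:
            return False
        self.engine.load_key(key)
        return True

    def lock(self) -> None:
        self.engine.zeroize()

    def write(self, sector: int, data: bytes) -> None:
        if not self.unlocked:
            raise ChannelLocked()
        self.media[sector] = self.engine.transform(sector, data)

    def read(self, sector: int) -> bytes:
        if not self.unlocked:
            raise ChannelLocked()
        return self.engine.transform(sector, self.media[sector])

    def host_shutdown(self, now: float) -> None:
        self._shutdown_at = now  # timer starts; key kept for a possible quick restart

    def host_restart(self, now: float) -> bool:
        if self._shutdown_at is None or now - self._shutdown_at >= self.GRACE_SECONDS:
            self.lock()  # timer expired (or no shutdown seen): initialize locked
        self._shutdown_at = None
        return self.unlocked


def demo() -> dict:
    dev = SelfEncryptingDevice("user-pass")
    try:
        dev.write(0, b"x")
        rejected = False
    except ChannelLocked:
        rejected = True
    wrong = dev.rf_authenticate("wrong")
    ok = dev.rf_authenticate("user-pass")
    dev.write(7, b"constructed secret payload")  # constructed sample data
    roundtrip = dev.read(7) == b"constructed secret payload"
    on_media = dev.media[7] != b"constructed secret payload"
    dev.host_shutdown(now=1000.0)
    quick = dev.host_restart(now=1010.0)   # 10 s later: still unlocked
    dev.host_shutdown(now=2000.0)
    slow = dev.host_restart(now=2060.0)    # 60 s later: locked, key zeroized
    return {"locked_write_rejected": rejected, "wrong_password": wrong, "unlock": ok,
            "roundtrip": roundtrip, "ciphertext_on_media": on_media,
            "quick_restart_unlocked": quick, "slow_restart_locked": not slow}
```

Note the trade-off the timer of claims 22 and 29 encodes: a restart within the window keeps the key in the engine so the host boots without re-authentication, which also means a drive pulled and re-powered within that window by someone else comes up unlocked; the window length is therefore a security parameter, not a convenience setting.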
CN202010783513.XA 2016-01-04 2017-01-03 Data storage device, method and system Pending CN112054892A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/987,749 US10181055B2 (en) 2007-09-27 2016-01-04 Data security system with encryption
US14/987,749 2016-01-04
CN201780005638.6A CN108604982B (en) 2016-01-04 2017-01-03 Method for operating a data security system and data security system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201780005638.6A Division CN108604982B (en) 2016-01-04 2017-01-03 Method for operating a data security system and data security system

Publications (1)

Publication Number Publication Date
CN112054892A true CN112054892A (en) 2020-12-08

Family

ID=59311569

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201780005638.6A Active CN108604982B (en) 2016-01-04 2017-01-03 Method for operating a data security system and data security system
CN202010783513.XA Pending CN112054892A (en) 2016-01-04 2017-01-03 Data storage device, method and system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201780005638.6A Active CN108604982B (en) 2016-01-04 2017-01-03 Method for operating a data security system and data security system

Country Status (6)

Country Link
JP (3) JP6633228B2 (en)
KR (2) KR102054711B1 (en)
CN (2) CN108604982B (en)
GB (2) GB2580549B (en)
TW (2) TWI692704B (en)
WO (1) WO2017123433A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10783232B2 (en) 2007-09-27 2020-09-22 Clevx, Llc Management system for self-encrypting managed devices with embedded wireless user authentication
TWI651626B (en) * 2017-11-30 2019-02-21 大陸商北京集創北方科技股份有限公司 Biometric data encryption method and information processing device using same
US11475107B2 (en) * 2018-03-12 2022-10-18 Hewlett-Packard Development Company, L.P. Hardware security
GB2607846B (en) * 2018-06-06 2023-06-14 Istorage Ltd Dongle for ciphering data
EP3788538A1 (en) * 2018-08-16 2021-03-10 Clevx, LLC Self-encrypting module with embedded wireless user authentication
CN110225515B (en) * 2019-06-24 2022-08-23 喀斯玛(北京)科技有限公司 Authentication management system, method and device
JP2022050899A (en) 2020-09-18 2022-03-31 キオクシア株式会社 Memory system
TWI788936B (en) * 2021-08-02 2023-01-01 民傑資科股份有限公司 Flash drive locked with wireless communication manner
KR102540669B1 (en) * 2021-12-17 2023-06-08 주식회사 그리다에너지 System for Job history authentication using encrypted and non-editable job data

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1183817A2 (en) * 1999-05-20 2002-03-06 Storage Technology Corporation Information encryption system and method
US20060085847A1 (en) * 2004-10-15 2006-04-20 Citizen Watch Co., Ltd. Locking system and locking method
CN101140605A (en) * 2007-10-24 2008-03-12 北京飞天诚信科技有限公司 Data safety reading method and safety storage apparatus thereof
US20100174913A1 (en) * 2009-01-03 2010-07-08 Johnson Simon B Multi-factor authentication system for encryption key storage and method of operation therefor
US20100287373A1 (en) * 2007-09-27 2010-11-11 Clevx, Llc Data security system with encryption
US20140149742A1 (en) * 2012-11-28 2014-05-29 Arnold Yau Method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors
US20150312233A1 (en) * 2010-04-30 2015-10-29 T-Central, Inc. System and Method to Enable PKI- and PMI- Based Distributed Locking of Content and Distributed Unlocking of Protected Content and/or Scoring of Users and/or Scoring of End-Entity Access Means - Added
CN105210073A (en) * 2012-11-28 2015-12-30 豪沃克有限公司 A method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors

Family Cites Families (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10340231A (en) * 1997-06-05 1998-12-22 Kokusai Electric Co Ltd Ic card
US6529949B1 (en) * 2000-02-07 2003-03-04 Interactual Technologies, Inc. System, method and article of manufacture for remote unlocking of local content located on a client device
EP1228433A1 (en) * 1999-09-17 2002-08-07 Fingloq AB Security arrangement
US8677505B2 (en) * 2000-11-13 2014-03-18 Digital Doors, Inc. Security system with extraction, reconstruction and secure recovery and storage of data
US7099663B2 (en) * 2001-05-31 2006-08-29 Qualcomm Inc. Safe application distribution and execution in a wireless environment
TW583568B (en) * 2001-08-27 2004-04-11 Dataplay Inc A secure access method and system
US20030109218A1 (en) * 2001-10-18 2003-06-12 Azalea Microelectronics Corporation Portable wireless storage unit
US7561691B2 (en) * 2001-11-12 2009-07-14 Palm, Inc. System and method for providing secured access to mobile devices
US7198571B2 (en) * 2002-03-15 2007-04-03 Igt Room key based in-room player tracking
JP2004326763A (en) * 2003-04-10 2004-11-18 Matsushita Electric Ind Co Ltd Password change system
WO2004090738A1 (en) 2003-04-10 2004-10-21 Matsushita Electric Industrial Co., Ltd. Password change system
JP2006025249A (en) * 2004-07-08 2006-01-26 Fujitsu Ltd Terminal device, data backup system thereof, data backup method thereof, and data backup program thereof
US20080098134A1 (en) * 2004-09-06 2008-04-24 Koninklijke Philips Electronics, N.V. Portable Storage Device and Method For Exchanging Data
US20060075230A1 (en) * 2004-10-05 2006-04-06 Baird Leemon C Iii Apparatus and method for authenticating access to a network resource using multiple shared devices
US20060129829A1 (en) * 2004-12-13 2006-06-15 Aaron Jeffrey A Methods, systems, and computer program products for accessing data with a plurality of devices based on a security policy
US20060176146A1 (en) * 2005-02-09 2006-08-10 Baldev Krishan Wireless universal serial bus memory key with fingerprint authentication
JP4781692B2 (en) * 2005-03-08 2011-09-28 インターナショナル・ビジネス・マシーンズ・コーポレーション Method, program, and system for restricting client I / O access
US8335920B2 (en) * 2005-07-14 2012-12-18 Imation Corp. Recovery of data access for a locked secure storage device
TWI288553B (en) * 2005-10-04 2007-10-11 Carry Computer Eng Co Ltd Portable storage device having main identification information and method of setting main identification information thereof
EP1982262A4 (en) * 2006-01-24 2010-04-21 Clevx Llc Data security system
US20070248232A1 (en) * 2006-04-10 2007-10-25 Honeywell International Inc. Cryptographic key sharing method
EP2122900A4 (en) * 2007-01-22 2014-07-23 Spyrus Inc Portable data encryption device with configurable security functionality and method for file encryption
US20080303631A1 (en) * 2007-06-05 2008-12-11 Beekley John S Mass Storage Device With Locking Mechanism
US20100293374A1 (en) * 2008-07-30 2010-11-18 Bushby Donald P Secure Portable Memory Storage Device
JP2010102617A (en) * 2008-10-27 2010-05-06 Dainippon Printing Co Ltd System, device, method and program of access management of external storage, apparatus and recording medium
US9286493B2 (en) * 2009-01-07 2016-03-15 Clevx, Llc Encryption bridge system and method of operation thereof
US8112066B2 (en) * 2009-06-22 2012-02-07 Mourad Ben Ayed System for NFC authentication based on BLUETOOTH proximity
US20110154023A1 (en) * 2009-12-21 2011-06-23 Smith Ned M Protected device management
JP5837208B2 (en) * 2011-09-28 2015-12-24 ヒューレット−パッカード デベロップメント カンパニー エル.ピー.Hewlett‐Packard Development Company, L.P. Unlock storage device
DE112012004804T5 (en) * 2011-11-19 2014-07-31 International Business Machines Corporation storage unit
US8972728B2 (en) * 2012-10-15 2015-03-03 At&T Intellectual Property I, L.P. Method and apparatus for providing subscriber identity module-based data encryption and remote management of portable storage devices
US9215250B2 (en) * 2013-08-20 2015-12-15 Janus Technologies, Inc. System and method for remotely managing security and configuration of compute devices
US20150161587A1 (en) * 2013-12-06 2015-06-11 Apple Inc. Provisioning and authenticating credentials on an electronic device
CN105450400B (en) * 2014-06-03 2019-12-13 阿里巴巴集团控股有限公司 Identity verification method, client, server and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
RANJIT KAUR等: "Enhanced cloud computing security and integrity verification via novel encryption techniques", 《2014 INTERNATIONAL CONFERENCE ON ADVANCES IN COMPUTING, COMMUNICATIONS AND INFORMATICS (ICACCI)》, 1 December 2014 (2014-12-01) *
吴保伦等: "安全存储认证子系统的研究与实现", 《计算机应用研究》, 10 December 2005 (2005-12-10) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11151231B2 (en) 2007-09-27 2021-10-19 Clevx, Llc Secure access device with dual authentication
US11190936B2 (en) 2007-09-27 2021-11-30 Clevx, Llc Wireless authentication system
US11233630B2 (en) 2007-09-27 2022-01-25 Clevx, Llc Module with embedded wireless user authentication
CN114598461A (en) * 2022-02-24 2022-06-07 广东天波信息技术股份有限公司 Online unlocking method of terminal equipment, terminal equipment and readable storage medium
CN114598461B (en) * 2022-02-24 2023-10-31 广东天波信息技术股份有限公司 Online unlocking method of terminal equipment, terminal equipment and readable storage medium

Also Published As

Publication number Publication date
KR102054711B1 (en) 2019-12-11
TWI727717B (en) 2021-05-11
CN108604982A (en) 2018-09-28
TW201737151A (en) 2017-10-16
GB201919421D0 (en) 2020-02-12
JP2021192265A (en) 2021-12-16
JP2020057412A (en) 2020-04-09
JP6633228B2 (en) 2020-01-22
JP7248754B2 (en) 2023-03-29
KR102201093B1 (en) 2021-01-08
GB2580549A (en) 2020-07-22
TW202029042A (en) 2020-08-01
KR20180107775A (en) 2018-10-02
JP2019511791A (en) 2019-04-25
CN108604982B (en) 2020-09-04
GB2562923A (en) 2018-11-28
KR20190137960A (en) 2019-12-11
GB2562923B (en) 2020-02-12
JP6938602B2 (en) 2021-09-22
GB2580549B (en) 2020-12-23
TWI692704B (en) 2020-05-01
WO2017123433A1 (en) 2017-07-20
GB201811137D0 (en) 2018-08-22

Similar Documents

Publication Publication Date Title
US11151231B2 (en) Secure access device with dual authentication
CN108604982B (en) Method for operating a data security system and data security system
US10985909B2 (en) Door lock control with wireless user authentication
US10783232B2 (en) Management system for self-encrypting managed devices with embedded wireless user authentication
US9813416B2 (en) Data security system with encryption
US11190936B2 (en) Wireless authentication system
US10362483B2 (en) System, methods and devices for secure data storage with wireless authentication
EP4242902A2 (en) Self-encrypting module with embedded wireless user authentication
US20150020180A1 (en) Wireless two-factor authentication, authorization and audit system with close proximity between mass storage device and communication device
EP2104054A2 (en) Separated storage of data and key necessary to access the data
KR20140007627A (en) Ic chip

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination