TW201737151A - Data security system with encryption - Google Patents

Data security system with encryption

Info

Publication number
TW201737151A
TW201737151A
Authority
TW
Taiwan
Prior art keywords
data security
security system
mobile device
server
password
Prior art date
Application number
TW106100149A
Other languages
Chinese (zh)
Other versions
TWI692704B (en)
Inventor
蘭夫M 巴露丁
艾力克 雷墨爾
馬可 辛爾
Original Assignee
克萊夫公司
Priority date
Filing date
Publication date
Priority claimed from US14/987,749 external-priority patent/US10181055B2/en
Application filed by 克萊夫公司 filed Critical 克萊夫公司
Publication of TW201737151A publication Critical patent/TW201737151A/en
Application granted granted Critical
Publication of TWI692704B publication Critical patent/TWI692704B/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/065Continuous authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/021Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

A data security system, and a method of operation thereof, includes a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.

Description

Data security system with encryption

Cross-reference to related applications

This application is a continuation-in-part of co-pending U.S. Patent Application No. 12/680,742, filed March 29, 2010, which is the national stage of International Application No. PCT/US2008/077766, filed September 26, 2008, which claims the benefit of U.S. Provisional Patent Application Serial No. 60/975,814, filed September 27, 2007. The subject matter of that provisional application is incorporated herein by reference.

This application contains subject matter related to a concurrently filed U.S. patent application by Lev M. Bolotin and Simon B. Johnson entitled "Data Security System with Encryption". The related application is assigned to ClevX, LLC and is identified by docket number 502-018P-PCT-US.C1. The subject matter of that U.S. patent application is incorporated herein by reference.

The present invention relates generally to electronic devices, and more particularly to memory devices.

Security is a critical issue in almost every aspect of computer use. Storage media, such as hard drives connected to a computer, contain valuable information that is vulnerable to data theft. A great deal of money and effort is spent protecting personal, corporate and government confidential information.

As portable memory storage devices have become smaller, easier to lose, more ubiquitous, cheaper and larger in memory capacity, they have also created serious security problems. It is now possible to covertly download large amounts of information onto portable memory storage devices such as Universal Serial Bus (USB) flash and micro thumb drives, mobile phones, camcorders, digital cameras, iPods, MP3/4 players, smartphones, palmtop and laptop computers, gaming devices, authenticators, tokens (containing memory) and so on, collectively referred to as mass storage devices (MSDs).

Specifically, millions of MSDs are used for backup, transfer, intermediate storage and primary storage so that information can easily be downloaded from a computer and carried away. The primary purpose of any MSD is to store and retrieve "portable content", that is, data and information that belongs to a specific owner rather than to a specific computer.

The most common approach to providing storage security is to authenticate the user with a password entered at the computer. The password is validated against a value stored on the MSD; if it matches, the drive is unlocked. Alternatively, the password itself is used as the encryption key to encrypt and decrypt the data stored on the MSD.

For drives that support on-the-fly encryption, the encryption key is typically stored on the medium in encrypted form. Because the encryption key resides on the medium, it would be easy to obtain for anyone who deliberately bypasses the standard interface and reads the medium directly. The password is therefore used as the key that encrypts the encryption key.

For self-authenticating drives, the drive's own authentication subsystem is responsible for maintaining security; it does not need to rely on the host computer to which the drive is connected. Consequently the password cannot (or need not) be sent by the host to unlock the MSD. In fact, the encryption key no longer needs to be stored on the medium at all: the authentication subsystem becomes the tool for managing encryption keys.

Thus a need remains for improved security. In view of ever-increasing commercial competitive pressures, together with growing consumer expectations and the diminishing opportunities for meaningful product differentiation in the marketplace, it is critical that answers be found to these problems. Additionally, the need to reduce costs, improve efficiency and performance and meet competitive pressures adds even greater urgency to finding these answers.

Solutions to these problems have long been sought, but prior developments have not taught or suggested any solution, and thus solutions to these problems have long eluded those skilled in the art.

The present invention provides a method of operating a data security system, comprising: providing a mobile device having a data security system application for connecting to the data security system; starting the data security system application; and maintaining the connection between the data security system and the mobile device.

The present invention provides a data security system comprising: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.

Certain embodiments of the invention have other objects in addition to or in place of those mentioned above. These objects will become apparent to those skilled in the art from a reading of the following detailed description when taken with reference to the accompanying drawings.

100‧‧‧Data security system
102‧‧‧External communication channel
104‧‧‧Authentication subsystem
106‧‧‧Storage subsystem
108‧‧‧Interface controller
110‧‧‧Encryption engine
112‧‧‧Storage medium
114‧‧‧Authentication controller
116‧‧‧Encryption key
118‧‧‧Authentication key
120‧‧‧Host computer system
122‧‧‧User
202‧‧‧User identification
206‧‧‧Channel
300‧‧‧Data security system
301‧‧‧Communication assembly
302‧‧‧Mobile transceiver
304‧‧‧User identification
306‧‧‧Data security transceiver
310‧‧‧Authentication subsystem
320‧‧‧Biometric sensor
322‧‧‧Biometric input
330‧‧‧Electromechanical input mechanism
332‧‧‧Unique code
400‧‧‧Data security system
402‧‧‧Host application
406‧‧‧Host identifier
408‧‧‧Authentication subsystem
500‧‧‧Data security method
502‧‧‧Step block
504‧‧‧Step block
506‧‧‧Step block
600‧‧‧Data security communication system
610‧‧‧Mobile device
612‧‧‧Mobile transceiver
614‧‧‧Antenna
618‧‧‧Data security system application
620‧‧‧Data security system
622‧‧‧Antenna
624‧‧‧Data security transceiver
626‧‧‧Security controller
630‧‧‧Host computer
640‧‧‧Server/console
642‧‧‧User management database
650‧‧‧Cloud
700‧‧‧Connection
706‧‧‧Data security system connection, start-up and discovery operation
712‧‧‧Confirmation: data security system unlock signal
714‧‧‧Administrator operation
716‧‧‧Set other restrictions operation
800‧‧‧Data security system application start-up operation
802‧‧‧Mobile device ID unlock signal
804‧‧‧Data security system unlock operation
806‧‧‧Confirmation: data security system unlock operation
900‧‧‧Enter user name/password operation
902‧‧‧Confirm user ID signal
904‧‧‧User name/password valid determination
906‧‧‧Valid user signal
908‧‧‧Enter PIN operation
910‧‧‧Confirm unlock signal
912‧‧‧User authorized determination
914‧‧‧Unlock permitted signal
916‧‧‧Unlock request signal
1000‧‧‧Unlock specific data security system operation
1002‧‧‧Obtain location and/or current time operation
1004‧‧‧Confirm unlock signal
1006‧‧‧Conditions met determination
1008‧‧‧Unlock permitted signal
1010‧‧‧Confirm unlock signal
1012‧‧‧Data security system permitted determination
1100‧‧‧Wait for any command signal
1102‧‧‧Reset command determination
1104‧‧‧Execute reset signal
1106‧‧‧Reset security system signal
1108‧‧‧Data security system reset operation
1110‧‧‧Confirmation: data security system reset signal
1112‧‧‧Confirmation: data security system reset operation
1200‧‧‧Unlock
1202‧‧‧Administrator's password unlock signal
1204‧‧‧Administrator's password unlock signal
1300‧‧‧Change password determination
1302‧‧‧Change user password signal
1304‧‧‧Change user password signal

FIG. 1 is a schematic diagram of a data security system according to an embodiment of the present invention; FIG. 2 illustrates an authentication key delivery method using the data security system; FIG. 3 illustrates the different systems by which the user interacts with the data security system; FIG. 4 illustrates how the user can use the host computer system to interact with the data security system; and FIG. 5 is a data security method using user verification for the data security system.

FIG. 6 is an exemplary data security communication system.

FIG. 7 is an administrator sequence diagram showing the sequence of operations between the mobile device and the data security system.

FIG. 8 is an unlock sequence diagram in which the mobile device is the authentication factor.

FIG. 9 is an unlock sequence diagram showing unlocking by PIN entry on the mobile device.

FIG. 10 is an unlock sequence diagram showing unlocking via the server/console using PIN entry and user ID/location/time verification.

FIG. 11 is a reset sequence diagram showing a reset of the data security system using the server/console.

FIG. 12 is an unlock sequence diagram showing unlocking of the data security system using the server/console.

FIG. 13 is a sequence diagram of changing a user's password using the server/console.

The following embodiments are described in sufficient detail to enable those skilled in the art to make and use the invention. It is to be understood that other embodiments would be evident based on the present disclosure, and that system, process or mechanical changes may be made without departing from the scope of the present invention.

In the following description, numerous specific details are given to provide a thorough understanding of the invention. However, it will be apparent that the invention may be practiced without these specific details. In order to avoid obscuring the present invention, some well-known circuits, system configurations and process steps are not disclosed in detail.

Likewise, the drawings showing embodiments of the system are semi-diagrammatic and not to scale and, in particular, some of the dimensions are for clarity of presentation and are shown exaggerated in the drawing figures. Where multiple embodiments are disclosed and described having some features in common, for clarity and ease of illustration, description and comprehension thereof, similar and like features will ordinarily be described with similar or the same reference numerals. Similarly, although the views in the drawings generally show similar orientations for ease of description, this depiction in the figures is arbitrary for the most part. Generally, the invention can be operated in any orientation.

The term "system" as used herein means and is defined as the method and the apparatus of the present invention, depending on the context in which the term is used. The term "method" as used herein means and is defined as the operational steps of an apparatus.

For convenience and without limitation, the term "data" is defined as information that can be produced by or stored in a computer. The term "data security system" is defined to mean any portable memory device incorporating a storage medium. The term "storage medium" as used herein means and is defined as any solid-state, NAND flash and/or magnetic data recording system. The term "locked" refers to the data security system when the storage medium is not accessible, and the term "unlocked" refers to the data security system when the storage medium is accessible.

There are generally two approaches to preventing tampering with a storage device:

1. Applying epoxy to the components: epoxy applied to the printed circuit board can make it difficult to disassemble the storage device without destroying the storage medium.

2. Encrypting the memory data: the data is encrypted as it is written to the storage medium, and an encryption key is required to decrypt it.

Referring now to FIG. 1, there is shown a schematic diagram of a data security system 100 according to an embodiment of the present invention. The data security system 100 consists of an external communication channel 102, an authentication subsystem 104 and a storage subsystem 106.

The storage subsystem 106 is an electronic circuit comprising an interface controller 108, an encryption engine 110 and a storage medium 112. The storage medium 112 can be an internal or external hard drive, a USB flash drive, a solid-state drive, a hybrid drive, a memory card, a tape cartridge, or optical media including compact discs (for example, Blu-ray discs, digital versatile discs or DVDs, and compact discs or CDs). The storage medium 112 can include data protection applications, file storage systems and cloud data storage systems. The cloud data storage system can be accessed using a plug-in (or "plugin") application or an extension installed in a browser, either on the host computer or via a wired or wireless (such as radio-frequency or optical) network, or on another system connected to the host computer through the World Wide Web.

The interface controller 108 comprises electronic components such as a microcontroller with a software or hardware encryption engine 110, although the encryption engine 110 may also reside in a different controller within the storage subsystem 106.

The authentication subsystem 104 is an electronic circuit comprising an authentication controller 114, such as a microcontroller, which may have its own non-volatile memory, such as an electrically erasable programmable read-only memory (EEPROM).

The external communication channel 102 provides a means of exchanging data with a host computer system 120. Universal Serial Bus (USB) is one of the most common means of connecting the data security system 100 to the host computer system 120. Other examples of the external communication channel 102 include Firewire, wireless USB, Serial ATA (SATA), High Definition Multimedia Interface (HDMI), Recommended Standard 232 (RS-232) and radio-frequency wireless networks.

The interface controller 108 is capable of translating USB packet data into data that can be written to the storage medium 112 in a USB flash drive.

The encryption engine 110 is implemented as part of the interface controller 108 and takes clear text and/or data (information) from the host computer system 120 and converts it into an encrypted form that is written to the MSD or storage medium 112. The encryption engine 110 also converts encrypted information from the storage medium 112 and decrypts it into clear information for the host computer system 120. The encryption engine 110 can also be a dual-controller subsystem having: an encryption controller with the encryption capability to dynamically encrypt/decrypt data together with managing communication protocols, memory and other operating conditions; and a communication/security controller for handling communication, encryption key management and communication with the encryption controller.

The encryption engine 110 requires an encryption key 116 to encrypt/decrypt information. The encryption key 116 is used in an algorithm (for example, 256-bit Advanced Encryption Standard (AES) encryption) that encrypts or decrypts the data, rendering it unreadable or readable respectively. The encryption key 116 can be stored inside or outside the authentication controller 114.

Once a user 122 holding an identification number or key has been verified against the authentication key 118, the encryption key 116 is transmitted by the authentication subsystem 104 to the encryption engine 110.

It has been discovered that by using the authentication key 118 and the encryption key 116, the portable memory storage devices of various embodiments of the present invention can provide an extremely high degree of security that was previously unobtainable in such devices.

When the data security system 100 is locked, the authentication key 118 remains inside the authentication subsystem 104 and cannot be read from outside. One method of hiding the authentication key 118 is to store it in the authentication controller 114 within the authentication subsystem 104. The authentication controller 114 has a security fuse set so that the authentication key 118 cannot be accessed unless the user 122 has been verified, at which point the authentication controller 114 permits it to be retrieved. Many microcontrollers are equipped with a security fuse that, once blown, prevents access to any internal memory. This is a well-known and widely used security feature, and such a microcontroller can be used for the authentication controller 114. The authentication controller 114 can be a microcontroller or a microprocessor.

The authentication key 118 can be used in several functional forms:

1. As the encryption key 116, to encrypt/decrypt the information directly.

2. As a key to recover the encryption key 116 stored in the data security system 100 where it is accessible by the interface controller 108.

3.用於供該介面控制器108直接比較以啟動該外部通訊通道102。 3. Used for direct comparison by the interface controller 108 to activate the external communication channel 102.

現參考第2圖,其中顯示配合該資料保全系統100所使用之認證金鑰交付方法之說明。在這個說明中,該認證金鑰118及該加密金鑰116合在一起並且相同。該加密引擎110使用該認證金鑰118作為該加密金鑰116。 Referring now to Figure 2, there is shown a description of the authentication key delivery method used in conjunction with the data security system 100. In this illustration, the authentication key 118 and the encryption key 116 are combined and identical. The encryption engine 110 uses the authentication key 118 as the encryption key 116.

該使用者122必須藉由提供使用者身份識別202、號碼或金鑰至該認證次系統104而與該認證次系統104互動。該認證次系統104對照該認證金鑰118驗證該使用者122。該認證次系統104接著傳輸該認證金鑰118作為該加密金鑰116至該介面控制器108。 The user 122 must interact with the authentication subsystem 104 by providing a user identity 202, number or key to the authentication subsystem 104. The authentication subsystem 104 verifies the user 122 against the authentication key 118. The authentication subsystem 104 then transmits the authentication key 118 as the encryption key 116 to the interface controller 108.

在該介面控制器108中之該加密引擎110使用該認證金鑰118以沿著通道206將明確的資訊轉換成為加密的資訊及將加密的資訊轉換成為明確的資訊。在沒有該加密金鑰116的情況下,任何從該儲存媒介112讀取加密資訊的嘗試通常會造成任何電腦無法採用之資訊。 The encryption engine 110 in the interface controller 108 uses the authentication key 118 to convert explicit information along the channel 206 into encrypted information and to convert the encrypted information into explicit information. In the absence of the encryption key 116, any attempt to read encrypted information from the storage medium 112 will typically result in information that is not available to any computer.
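As an added example (not code from the patent), the following Go program demonstrates the second functional form listed above, in contrast to the Figure 2 flow where keys 118 and 116 are identical: authentication key 118 recovers an encryption key 116 that is stored only in wrapped form, after which key 116 decrypts a record from storage medium 112. AES-256-GCM, the nonce layout, the purpose labels and all function names are assumptions of this example; the page specifies only 256-bit AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example of the second functional form of authentication key 118:
// encryption key 116 is kept on the device only in wrapped form and key 118
// recovers it once the user is verified. AES-256-GCM, the nonce layout and the
// purpose labels are this example's choices; the page names only 256-bit AES.

const keyLen = 32 // 256-bit keys for both key 118 and key 116

var (
	errLocked = errors.New("data security system locked: key 116 not released")
	labelKey  = []byte("encryption-key-116") // associated data for the wrapped key
	labelData = []byte("storage-medium-112") // associated data for user records
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a fresh random nonce and binds the
// purpose label, so a wrapped key cannot be passed off as a stored record or
// vice versa. Output layout: nonce || ciphertext || tag.
func gcmSeal(key, label, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, label)...), nil
}

// gcmOpen reverses gcmSeal; any change to key, nonce, ciphertext or label
// fails the tag check and nothing is returned.
func gcmOpen(key, label, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], label)
}

// Provision generates a random encryption key 116 and returns it wrapped under
// authentication key 118; only the wrapped form is stored where interface
// controller 108 can read it.
func Provision(authKey []byte) (wrappedKey, encKey []byte, err error) {
	encKey = make([]byte, keyLen)
	if _, err = rand.Read(encKey); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = gcmSeal(authKey, labelKey, encKey)
	return wrappedKey, encKey, err
}

// RecoverEncryptionKey is the step authentication subsystem 104 performs after
// the user is verified. A wrong key 118 fails the tag check, so key 116 is
// never released.
func RecoverEncryptionKey(authKey, wrappedKey []byte) ([]byte, error) {
	encKey, err := gcmOpen(authKey, labelKey, wrappedKey)
	if err != nil {
		return nil, errLocked
	}
	return encKey, nil
}

// UnlockAndRead chains the two steps: recover key 116, then decrypt one record
// from storage medium 112 with it.
func UnlockAndRead(authKey, wrappedKey, storedRecord []byte) ([]byte, error) {
	encKey, err := RecoverEncryptionKey(authKey, wrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(encKey, labelData, storedRecord)
}

func main() {
	authKey := bytes.Repeat([]byte{0x11}, keyLen) // constructed, not a real key
	wrapped, encKey, _ := Provision(authKey)
	record, _ := gcmSeal(encKey, labelData, []byte("confidential file contents"))
	plain, err := UnlockAndRead(authKey, wrapped, record)
	fmt.Printf("correct key 118: %q err=%v\n", plain, err)
	_, err = UnlockAndRead(bytes.Repeat([]byte{0x22}, keyLen), wrapped, record)
	fmt.Println("wrong key 118:", err)
}
```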

Referring now to Figure 3, there is shown a different system by which the user 122 interacts with a data security system 300. The interaction may be through a communication combination 301, which may be physical contact, a wired connection or a wireless connection with a mobile phone, smartphone, smartwatch, wearable application or other wireless device.

In one of the authentication systems, a mobile transceiver 302 is used to transmit a user identification 304 to a data security transceiver 306 located in an authentication subsystem 310. For illustrative purposes, transceivers are used for the flexibility of two-way communication, but a transmitter-receiver combination for one-way transmission may also be used. The authentication subsystem 310 contains the authentication controller 114, which is connected to the interface controller 108 located in the storage subsystem 106. The user identification 304 is provided by the mobile transceiver 302, from outside the storage subsystem 106 of the data security system 300, to the data security transceiver 306 within the authentication subsystem 310. The wireless communication may include Wireless Fidelity (WiFi), Bluetooth (BT), Bluetooth Smart, Near Field Communication (NFC), Global Positioning System (GPS), optical, mobile communications (for example, Long-Term Evolution (LTE), Long-Term Evolution Advanced (LTE-A)), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Universal Mobile Telecommunications System (UMTS), Wireless Broadband (WiBro) or Global System for Mobile Communications (GSM) and similar technologies.

The authentication subsystem 310 verifies the user 122 against the authentication key 118 by means of a code sent from the mobile transceiver 302, which is checked against the authentication key 118. The authentication subsystem 310 then transmits the encryption key 116 across the communication combination 301 to the interface controller 108.

The encryption engine 110 then uses the encryption key 116 to convert clear information into encrypted information, and encrypted information into clear information, along the channel 206. Without the encryption key 116, any attempt to read encrypted information from the storage medium 112 yields information that the host computer system 120 cannot use.

In an optional second authentication mechanism, the authentication subsystem 310 can verify the user 122 against the authentication key 118 by having the user 122 provide a biometric input 322 through a biometric sensor 320 to confirm that his/her identity is that of an authorized user. Types of biometrics include fingerprints, iris scans, voiceprints and so on.

In an optional third authentication mechanism, the authentication subsystem 310 can verify the user 122 against the authentication key 118 by having the user 122 provide a unique code 332 through an electromechanical input mechanism 330 to confirm that his/her identity is that of an authorized user. The unique code 331 may comprise a numeric code, an alphanumeric code or an alphabetic code, such as a PIN. The electromechanical input mechanism 330 is located within the authentication subsystem 310. The electromechanical input mechanism 330 receives the unique code 332 from the user 122 from outside the data security system 300. The unique code 332 is provided to the electromechanical input mechanism 330 within the authentication subsystem 310, which lies outside the storage subsystem 106 of the data security system 300.

Regardless of which method is used to verify the user 122, the authentication key 118 and the encryption key 116 remain hidden until the user is authorized.

Referring now to Figure 4, there is shown an illustration of how the user 122 can interact with a data security system 400 using the host computer system 120.

The host computer system 120 is provided with a host application 402. The host application 402 is software or firmware that communicates through the external communication channel 102 of the data security system 400.

The host application 402 delivers a host identification code 406 associated with its environment, such as an internal component serial number (for example, of a hard disk), the Media Access Control (MAC) address of a network card, the user's login name, an Internet Protocol (IP) address, an ID created by the data security system and stored on the host, an ID created by the data security system and stored on the network, and so on. The host identification code 406 is used by an authentication subsystem 408 located in the data security system 400.

When the authentication subsystem 408 verifies the user 122 against the authentication key 118 by confirming the host identification code 406, the data security system 400 is unlocked.

For example, the user 122 connects the locked data security system 400 to the host computer system 120. The host application 402 sends the MAC address of its own network card to the data security system 400. The data security system 400 recognizes this MAC address as legitimate and unlocks, without the user 122 of Figure 1 having to enter a user identification. This implementation requires no interaction with the user 122. In this example, it is the host computer system 120 and its associated environment that are verified.

The data security system 400 comprises: providing the authentication key 118 stored in the authentication subsystem 104; providing verification of the host computer system 120 by the authentication subsystem 104; delivering the encryption key 116 from the authentication subsystem 104 to the storage subsystem 106; and providing access to the storage medium 112 by having the storage subsystem 106 decrypt the contents of the storage medium.

The data security system further comprises the authentication subsystem 104 for interpreting the biometric input and verifying the user 122.

The data security system further comprises using the authentication key 118 directly as the encryption key 116.

The data security system further comprises using the authentication key 118 to decrypt and retrieve the encryption key 116 that is used to decode the internal contents.

The data security system further comprises the authentication subsystem 104 for interpreting a signal input and verifying the sending unit.

The data security system further comprises the authentication subsystem 104 for interpreting manually keyed input and verifying the user 122.

The data security system further comprises the authentication subsystem 104 for interpreting input sent by a host-resident software application in order to verify the host computer system 120.

The data security system further comprises the encryption engine 110, located outside the interface controller 108 but connected to the external communication channel 102, for converting clear data into encrypted data for the purpose of unlocking the data security system 100.

Referring now to Figure 5, there is shown a data security method 500 for user verification in the data security system 100. The data security method 500 comprises: verifying the user against the authentication key in block 502; using the authentication key to retrieve the encryption key in block 504; and, in block 506, using the encryption key to permit unencrypted communication through the storage subsystem between the host computer system and the storage medium.

Referring now to Figure 6, there is shown an exemplary data security communication system 600. The exemplary data security communication system 600 comprises a mobile device 610, a data security system 620, a host computer 630 and a server/console 640. The mobile device 610 and the server/console 640 are connected by wire or wirelessly through a cloud 650, which may be the Internet cloud. The mobile device 610 and the data security system 620 are connected by the communication combination 301.

In the exemplary data security communication system 600, the communication combination 301 comprises a mobile transceiver 612 located in the mobile device 610, whose antenna 614 communicates wirelessly with the antenna 622 of a data security transceiver 624 located in the data security system 620.

In one embodiment, the mobile device 610 may be a smartphone. In the mobile device 610, the mobile transceiver 612 may be connected to the conventional mobile device components and to a data security system application 618; the mobile transceiver 612 provides information for use by the data security system 620.

The data security transceiver 624 is connected to a security controller 626, which may hold identifications, passwords, personal data or information about the different mobile devices that may access the data security system 620. The security controller 626 is a subsystem connected to the likes of the authentication subsystem 310, the storage subsystem 106 (which in some embodiments may have encryption for encrypting the data) and the external communication channel 102.

The external communication channel 102 can be connected to the host computer 630 to allow access, under specified conditions, to the data in the storage subsystem 106.

One embodiment of the data security system 620 may use only a wireless connection to the mobile device 610, such as a smartphone, thereby eliminating the biometric sensor 320 and the electromechanical input mechanism 330 of Figure 3. It has been found that this implementation makes the data security system 620 more secure and more useful.

The data security system application 618 allows the mobile device 610 to find all data security systems in the vicinity of the mobile device 610 and to display their status (locked/unlocked/blank, paired/unpaired, etc.).

The data security system application 618 allows the mobile device 610 to connect/pair, lock, unlock, change the name and password, and reset all data on the data security system 620.

The data security system application 618 allows the mobile device 610 to set an inactivity auto-lock, so that the data security system 620 locks automatically after a predetermined idle period, or a proximity auto-lock, so that the data security system 620 locks when the mobile device 610 has not been within a predetermined proximity distance for a predetermined period of time (to improve reliability and avoid signal bounce).

The data security system application 618 allows the mobile device 610 to remember passwords and to use TouchID and the Apple Watch (TouchID and the Apple Watch are mentioned here only as examples; there are many other mobile devices with biometric sensors and wearable devices that can be used in a similar manner), so that the data security system 620 can be unlocked without re-entering the password on the mobile device.

The data security system application 618 allows the mobile device 610, through a setting, to make the data security system 620 operate only with a particular mobile device, such as the mobile device 610, so that the data security system 620 cannot be unlocked with any other mobile device (1Phone).

The data security system application 618 allows the mobile device 610 to set the data security system 620 to read-only.

The data security system application 618 allows the mobile device 610 to operate in user mode or administrator mode (the administrator's mode overrides the user's settings) and to use the server/console 640. The server/console 640 is a combination of a computer and a console, the console being used to enter information into the computer.

The server/console 640 contains a user management database 642, which holds additional information that can be transmitted to the mobile device 610 via the cloud 650 to provide additional functionality to the mobile device 610.

The user management database 642 allows the server/console 640 to create and verify users by UserID (username and password), to block/allow unlocking of the data security system 620, and to provide remote assistance.

The user management database 642 allows the server/console 640 to remotely reset or unlock the data security system 620.

The user management database 642 allows the server/console 640 to remotely change the PIN of a data security system user.

The user management database 642 allows the server/console 640 to restrict/allow unlocking of the data security system 620 from particular locations (by using geofencing).

The user management database 642 allows the server/console 640 to restrict/allow unlocking of the data security system 620 during particular time periods and in different time zones.

The user management database 642 allows the server/console 640 to restrict unlocking of the data security system 620 outside a particular team/organization/network, etc.

Referring now to Figure 7, there is shown an administrator sequence diagram presenting the sequence of operations between the mobile device 610 and the data security system 620.

The connection 700 between the data security system 620 and the mobile device 610 is first established by mutual discovery of the device and system, pairing of the device and system, and connection of the device and system. The connection 700 is secured using a shared secret, which is subsequently used to secure (encrypt) communication between the data security system 620 and the mobile device 610 for all future communication sessions. A standard encryption algorithm is chosen that can both be executed efficiently on the data security system 620 and is recognized by global security standards.

As long as the data security system 620 and the mobile device 610 are within a predetermined distance of each other, the connection 700 is maintained by the data security system application 618, by the security controller 628, or by both operating together. Further, if the predetermined distance is exceeded, the connection 700 is maintained for a predetermined period of time, after which the data security system 620 locks.

After the mobile device 610 and the data security system 620 are connected, a data security system administrator application launch operation 702 occurs in the mobile device 610. The administrator then sets a password in an administrator password operation 704. Also, after the mobile device 610 and the data security system 620 are connected, the data security system 620 is connected to the host computer 630 of Figure 6, and is powered up and discovered by the host computer 630, in a data security system connection, start-up and discovery operation 706.

After the administrator password operation 704, the mobile device 610 sends a set administrator password and unlock signal 708 to the data security system 620. The set administrator password and unlock signal 708 causes an administrator password set and data security system unlock operation 716 to occur in the data security system 620.

When the administrator password set and data security system unlock operation 716 is complete, a confirm: data security system unlocked signal 712 is sent to the mobile device 610, where a confirm: data security system unlocked as administrator operation 714 takes place. The confirm: data security system unlocked as administrator operation 714 allows a set other restrictions operation 716 to be carried out using the mobile device 610. The set other restrictions operation 716 causes a set administrator restrictions signal 718 to be sent to the data security system 620, where the administrator restrictions are set, and a confirm: restrictions set signal 720 is returned to the mobile device 610. Thereafter, the mobile device 610 and the data security system 620 are in fully operational communication.

Because it is possible to communicate with the data security system 620 without physical contact with it, many interactions with the data security system 620 require a data security system unique identifier in order to be completed. This unique identifier is printed on the data security system 620 or included with its packaging, and is readily available to the owner of the data security system 620.

This unique identifier (unique ID) is required when making a request that may affect the user's data (such as unlocking or resetting the data security system 620). Attempts to carry out such an operation without the correct identifier are ignored and cause no harm. The unique identifier is used to identify the data security system 620 to the mobile device 610 in a manner that requires the user to have physical control of the data security system 620, and to confirm that the connection 700 is established between an authorized, previously paired device and system, such as the mobile device 610 and the data security system 620. Once these devices are paired, the shared secret can be used to encrypt the communication.

Pairing means that the mobile device and the data security system have a unique and defined relationship that was established at some time in the past and persists.

When the user has physical control of the data security system, the unique identifier gives the user a certain degree of control over the data security system.

Where the mobile device 610 is a smartphone, the user may, to increase the security of communication with the data security system 620, choose to enable a feature referred to here as 1Phone. This feature restricts the bulk of user interactions with the data security system 620 to one and only one mobile device 610. This is accomplished by replacing the data security system unique identifier described above with a random identifier that is securely shared between the data security system 620 and the mobile device 610. Thus, for example, when the user unlocks the data security system 620, the 1Phone identifier must be supplied instead of presenting the data security system unique identifier. In effect, this makes the user's mobile device 610 a second authentication factor, in addition to the PIN or password, for use of the data security system 620. For example, a paired user phone selected as the "1Phone" can be used without a PIN, as a single user authentication factor and/or in combination with any other user authentication factor. If this feature (1Phone) is selected, the data security system 620 cannot be opened with any other phone unless an administrator unlock was previously enabled.

It will be appreciated that other embodiments may require an administrator password on the data security system 620 in order to use the 1Phone feature. Another embodiment may require that, in the event the 1Phone data on the mobile device 610 is lost, the server/console 640 be able to recover the data security system 620.
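As an added example (not the patent's code), the following Go program models the identifier rule described above: without 1Phone, the unique identifier printed on the device authorizes a sensitive request; with 1Phone enabled, only the random identifier shared with the one paired phone does, and a previously set administrator password remains the only other way to unlock. Type, field and function names, the constructed identifiers and the plain-string password comparison are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example of the identifier rule for sensitive requests. Normally
// the unique ID printed on the device authorizes them; once 1Phone is enabled
// only the random identifier shared with the single paired phone does, and a
// previously set administrator password is the only other way to unlock.
// Type, field and function names are this example's own, not the patent's.

var errIgnored = errors.New("request ignored: identifier not accepted")

// Request is one sensitive operation received over connection 700.
type Request struct {
	Op            string // "unlock" or "reset"
	PresentedID   string // unique ID or 1Phone ID, as supplied by the phone
	AdminPassword string // empty unless the administrator path is used
}

// DataSecuritySystem holds the device-side state of the rule. The admin
// password is kept as a plain string only for brevity; a device would store
// a verifier instead.
type DataSecuritySystem struct {
	uniqueID      string // printed on the device or its packaging
	onePhoneID    string // random, shared with exactly one phone; "" = 1Phone off
	adminPassword string // "" = no administrator password set
	Locked        bool
}

func NewDataSecuritySystem(uniqueID string) *DataSecuritySystem {
	return &DataSecuritySystem{uniqueID: uniqueID, Locked: true}
}

// equal compares secrets in constant time so response timing leaks nothing.
func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// EnableOnePhone replaces the printed unique ID with a fresh random identifier
// that is returned to (and thereafter shared only with) the requesting phone.
// The caller must present the unique ID, which proves physical control.
func (d *DataSecuritySystem) EnableOnePhone(presentedUniqueID string) (string, error) {
	if !equal(presentedUniqueID, d.uniqueID) {
		return "", errIgnored
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	d.onePhoneID = hex.EncodeToString(buf)
	return d.onePhoneID, nil
}

func (d *DataSecuritySystem) SetAdminPassword(pw string) { d.adminPassword = pw }

// Handle applies the rule: a request whose identifier is not accepted is
// silently ignored and changes no state; the administrator password can only
// unlock, matching the fallback the description allows for a lost 1Phone.
func (d *DataSecuritySystem) Handle(r Request) error {
	expected := d.uniqueID
	if d.onePhoneID != "" {
		expected = d.onePhoneID // the printed ID is no longer sufficient
	}
	idOK := equal(r.PresentedID, expected)
	adminOK := d.adminPassword != "" && equal(r.AdminPassword, d.adminPassword)
	if !idOK && !(r.Op == "unlock" && adminOK) {
		return errIgnored
	}
	switch r.Op {
	case "unlock":
		d.Locked = false
	case "reset":
		d.Locked, d.onePhoneID = true, "" // assumption: reset also clears the 1Phone ID
	default:
		return errors.New("unknown operation")
	}
	return nil
}

func main() {
	d := NewDataSecuritySystem("DSS-0001-PRINTED") // constructed identifier
	fmt.Println("printed ID, 1Phone off:", d.Handle(Request{Op: "unlock", PresentedID: "DSS-0001-PRINTED"}))
	id, _ := d.EnableOnePhone("DSS-0001-PRINTED")
	d.Locked = true
	fmt.Println("printed ID, 1Phone on: ", d.Handle(Request{Op: "unlock", PresentedID: "DSS-0001-PRINTED"}))
	fmt.Println("1Phone ID, 1Phone on:  ", d.Handle(Request{Op: "unlock", PresentedID: id}))
}
```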

The user can enable a proximity auto-lock feature for the data security system 620. During a communication session, the data security transceiver 624 of Figure 6 reports to the data security system 620 signal strength measurements for the mobile device 610. The data security system application 618 on the mobile device 610 sends the data security system 620 both the initial signal power level and the threshold used for proximity.

Because the signal strength varies with the environmental conditions around the transceivers, the data security system 620 mathematically smooths the signal strength measurements to reduce the likelihood of false positives. When the data security system 620 detects that the received signal power has fallen below the predetermined threshold for a predetermined period of time, it immediately locks the data security system 620 and prevents access to the storage subsystem 106 of Figure 6.
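As an added example (not the patent's code), the following Go program implements a proximity auto-lock of the kind described above: the smoothed signal strength must stay below the threshold for the whole hold period before the device locks, so a single dropped reading does not trigger a lock. The exponential-moving-average smoothing, its weight and the constructed dBm samples are assumptions of this example; the page says only that the measurements are smoothed mathematically.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed example of the proximity auto-lock. The phone supplies the
// initial signal power level and the threshold; the device smooths the reported
// signal strength with an exponential moving average (the smoothing method and
// the alpha value are this example's assumptions) and locks only once the
// smoothed value has stayed below the threshold for the whole hold period.

type ProximityLock struct {
	threshold  float64       // dBm; smoothed power below this counts as "away"
	hold       time.Duration // how long the power must stay below threshold
	alpha      float64       // EMA weight of the newest sample (0 < alpha <= 1)
	smoothed   float64
	belowSince time.Time // zero while the smoothed power is at or above threshold
	Locked     bool
}

// NewProximityLock seeds the average with the initial power level sent by
// data security system application 618.
func NewProximityLock(initialPower, threshold float64, hold time.Duration, alpha float64) *ProximityLock {
	return &ProximityLock{threshold: threshold, hold: hold, alpha: alpha, smoothed: initialPower}
}

// Observe feeds one signal strength measurement reported by data security
// transceiver 624 at time now and returns whether the system is now locked.
// Locking is one-way: once locked, the user must unlock again explicitly.
func (p *ProximityLock) Observe(rssi float64, now time.Time) bool {
	if p.Locked {
		return true
	}
	p.smoothed = p.alpha*rssi + (1-p.alpha)*p.smoothed
	if p.smoothed >= p.threshold {
		p.belowSince = time.Time{} // back in range: restart the hold clock
		return false
	}
	if p.belowSince.IsZero() {
		p.belowSince = now
	}
	if now.Sub(p.belowSince) >= p.hold {
		p.Locked = true // here the device would also cut access to storage subsystem 106
	}
	return p.Locked
}

// Simulate replays samples taken at a fixed interval and returns the index of
// the sample that caused the lock, or -1 if the device stayed unlocked.
func Simulate(p *ProximityLock, samples []float64, interval time.Duration) int {
	t0 := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp
	for i, s := range samples {
		if p.Observe(s, t0.Add(time.Duration(i)*interval)) {
			return i
		}
	}
	return -1
}

func main() {
	newLock := func() *ProximityLock { return NewProximityLock(-50, -70, 3*time.Second, 0.3) }
	// one dropped reading (signal bounce) must not lock the device ...
	dropout := []float64{-90, -50, -50, -50}
	fmt.Println("dropout locks at sample:", Simulate(newLock(), dropout, time.Second))
	// ... but a sustained loss of signal locks once the hold period has elapsed
	walkAway := []float64{-50, -90, -90, -90, -90, -90, -90, -90}
	fmt.Println("walk-away locks at sample:", Simulate(newLock(), walkAway, time.Second))
}
```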

The data security system 620 can be used in three different modes: user mode, in which the functionality of the data security system 620 is determined by the user; administrator mode, in which an administrator can set an administrator password and enforce certain restrictions on the data security system 620 (for example, automatic locking after a predetermined period of inactivity, read-only, 1Phone) that the user cannot remove; and server mode, in which the administrator role is set and the server/console 640 can remotely reset the data security system 620, change the user password, or simply unlock the data security system 620.

Referring now to Figure 8, there is shown an unlock sequence diagram in which the mobile device 610 is the authentication factor. The figure shows the automatic unlock procedure of the data security system 620 initiated by the data security system application 618 on a specific mobile device (the mobile device 610). The user can unlock only with the one mobile device that was initially paired with the data security system 620. If the paired mobile device 610 is lost, the data security system 620 may be impossible to unlock (unless an administrator password was set beforehand, as shown in Figure 7).

Similar to Figure 7, after the connection 700 is established, the data security system application start operation 800 occurs. After the data security system connect, start and discover operation 706, a mobile device ID unlock signal 802 is sent from the mobile device 610 to the data security system 620. The data security system unlock operation 804 occurs, and the confirm: data security system unlocked signal 712 is then sent from the data security system 620. After the confirm: data security system unlocked operation 806, the mobile device 610 and the data security system 620 are in fully operational communication.

If no personal identification number (PIN) has been set, the paired mobile device is used as the single authentication factor (1-factor authentication).

Referring now to Figure 9, there is shown an unlock sequence diagram for unlocking from the mobile device 610 using PIN entry. The figure shows the flow for unlocking the data security system 620 by entering a PIN into the data security system application 618 on the mobile device 610.

Although similar to Figures 7 and 8, an enter username/password operation 900 occurs after the data security system application start operation 800. After the enter username/password operation 900, the mobile device 610 sends a verify user ID signal 902 to the server/console 640. The server/console 640 then makes a username/password valid decision 904.

When the username/password valid decision 904 confirms the user, a valid user signal 906 is sent to the mobile device 610 so that the user can enter the correct PIN in an enter PIN operation 908 on the mobile device 610. The mobile device 610 then sends a confirm unlock signal 910 to the server/console 640 so that it can determine whether the correct PIN has been entered.

The server/console 640 makes a user authorized decision 912 to determine whether the user is authorized to use the particular data security system for which the PIN is authorized, for example the data security system 620. If so, an unlock allowed signal 914 is sent to the mobile device 610, which passes an unlock request signal 916 to the data security system 620.

The data security system unlock operation 804 then proceeds and the confirm: data security system unlocked signal 712 is sent to the mobile device 610, which performs the confirm: data security system unlocked operation 806.

Referring now to Figure 10, there is shown an unlock sequence diagram for unlocking via the server/console 640 using PIN entry and user ID/location/time verification. The figure shows the most secure flow for unlocking the data security system 620: the PIN is entered from the mobile device 610 into the data security system application 618, the user is authenticated at the server/console 640 with a UserID (username/password), and the geofence permission is verified so that the data security system 620 is unlocked only at a specific location and within a specific time range. Without the PIN, the username and the password, and without the mobile device 610 being at the specific (predetermined) location at the specific (predetermined) time, the data security system 620 cannot be unlocked.

Although similar to Figures 7-9, at the server/console 640 an unlock specific data security system operation 1000 is performed to allow the required conditions to be set under which a specific data security system, for example the data security system 620, will operate. For example, the conditions can be a particular geographic area and/or a particular time range.

At the mobile device 610, the current conditions are determined, for example in an obtain location and/or current time operation 1002. This operation determines where the mobile device 610 is located and/or what the current time is at the location of the mobile device 610. Other current conditions of the mobile device 610 can also be determined, and they are sent in a confirm unlock signal 1004 to the server/console 640, which makes a conditions met decision 1006.

When the required conditions are met, an unlock allowed signal 1008 is sent to the mobile device 610 so that the enter PIN operation 908 can be performed. After the PIN is entered, a confirm unlock signal 1010 is sent together with the PIN and the identity of the data security system 620 that the mobile device 610 currently senses. The confirm unlock signal 1010 is received by the server/console 640, which makes a data security system allowed decision 1012 to determine whether the particular data security system may be unlocked by the authorized user. That is, the server/console 640 verifies that this particular user is authorized to use this particular data security system.

After determining that the correct information has been provided, the server/console 640 sends the unlock allowed signal 914 to the mobile device 610, which sends the unlock request signal 916. The unlock request signal 916 causes the data security system 620 to unlock and operate.
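As an added example (not code from the patent or from the applicant), the following Python models the unlock sequences of Figures 8 to 10 so they can be run side by side: the paired mobile device identity alone (Figure 8), and the Figure 10 chain in which the server/console checks the username/password, the reported location and time against the configured geofence and time window, the PIN and the per-device authorization before the mobile device sends the unlock request to the data security system. The PBKDF2 password storage, the haversine distance used for the geofence, the account, device and serial names, and the sample coordinates and times are assumptions of the example; the patent specifies none of them. Two points the description supports and the model makes explicit: the data security system accepts commands only from its paired mobile device, so the server's decisions are enforced by the application on that device, and the location and time checked at the server are the ones the device itself reports in signal 1004.

```python
# Added example, not from the patent: a model of the unlock sequences of Figures 8-10.
# PBKDF2 verifier, haversine geofence, account names and sample coordinates/times are assumed.
import hashlib, hmac, math, os
from datetime import datetime, time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class ServerConsole:
    """Server/console 640 with the user management database 642."""

    def __init__(self):
        self.users = {}

    def add_user(self, name, password, pin, allowed_dss, geofence=None, window=None):
        # geofence: (lat, lon, radius_km) or None; window: (start, end) time of day or None
        salt = os.urandom(16)
        self.users[name] = dict(salt=salt, pw_hash=hash_password(password, salt), pin=pin,
                                allowed_dss=set(allowed_dss), geofence=geofence, window=window)

    def validate_user(self, name, password) -> bool:       # decision 904
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])

    def conditions_met(self, name, lat, lon, now: datetime) -> bool:
        """Decision 1006, on the location and time the mobile device itself reported (1004)."""
        rec, fence = self.users[name], self.users[name]["geofence"]
        if fence and haversine_km(lat, lon, fence[0], fence[1]) > fence[2]:
            return False
        return not rec["window"] or rec["window"][0] <= now.time() <= rec["window"][1]

    def authorize_unlock(self, name, pin, dss_serial) -> bool:   # decisions 912 / 1012
        rec = self.users[name]
        return hmac.compare_digest(rec["pin"], pin) and dss_serial in rec["allowed_dss"]


class DataSecuritySystem:
    """Data security system 620: accepts commands only from its paired mobile device."""

    def __init__(self, serial, paired_device_id):
        self.serial, self.paired_device_id, self.locked = serial, paired_device_id, True

    def unlock_request(self, device_id) -> bool:
        """Unlock operation 804; the return value stands for confirmation 712."""
        if device_id != self.paired_device_id:
            return False
        self.locked = False
        return True


class MobileDevice:
    """Mobile device 610 running the data security system application 618."""

    def __init__(self, device_id, server):
        self.device_id, self.server = device_id, server

    def unlock_fig8(self, dss) -> bool:      # Figure 8: paired device identity is the single factor
        return dss.unlock_request(self.device_id)

    def unlock_fig10(self, dss, username, password, pin, lat, lon, now) -> bool:
        """Figure 10: credentials, geofence/time, PIN and device authorization, then request 916."""
        return (self.server.validate_user(username, password)                # 902 / 904
                and self.server.conditions_met(username, lat, lon, now)      # 1004 / 1006
                and self.server.authorize_unlock(username, pin, dss.serial)  # 1010 / 1012
                and dss.unlock_request(self.device_id))                      # 916 / 804 / 712


def demo():
    server = ServerConsole()
    server.add_user("alice", "correct horse battery", "4321", {"DSS-0001"},
                    geofence=(37.7749, -122.4194, 1.0),   # 1 km around a sample office
                    window=(time(9, 0), time(17, 0)))      # office hours only
    paired, stranger = MobileDevice("phone-A", server), MobileDevice("phone-B", server)
    office_hours, night = datetime(2017, 1, 4, 10, 30), datetime(2017, 1, 4, 22, 0)
    fresh = lambda serial="DSS-0001": DataSecuritySystem(serial, paired_device_id="phone-A")

    def attempt(dss, password="correct horse battery", pin="4321",
                lat=37.7750, lon=-122.4190, now=office_hours):
        return paired.unlock_fig10(dss, "alice", password, pin, lat, lon, now)

    return {
        "fig8_paired": paired.unlock_fig8(fresh()),
        "fig8_unpaired": stranger.unlock_fig8(fresh()),
        "fig10_all_factors": attempt(fresh()),
        "fig10_bad_password": attempt(fresh(), password="wrong"),
        "fig10_bad_pin": attempt(fresh(), pin="0000"),
        "fig10_outside_fence": attempt(fresh(), lat=37.8000, lon=-122.5000),
        "fig10_after_hours": attempt(fresh(), now=night),
        "fig10_other_dss": attempt(fresh("DSS-0002")),
    }
```

Calling demo() returns one outcome per scenario: only the paired-device Figure 8 attempt and the fully satisfied Figure 10 attempt unlock the device, while an unpaired device, a wrong password, a wrong PIN, a position outside the geofence, a time outside the window, or a serial number the user is not authorized for each fail before the unlock request is ever sent.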

Referring now to Figure 11, there is shown a reset sequence diagram for resetting the data security system 620 using the server/console 640. This figure shows the ability to reset the data security system 620 remotely via the server/console 640. The data security system 620 can receive commands only from the mobile device 610 over the wireless connection. However, by setting a "reset" flag on the server/console 640 for a specific data security system (identified by its serial number (S/N)), the administrator arranges for the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests in the user management database 642, to pick the command up. When the user connects to the data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "reset" command. After a successful reset (all user data and credentials are gone), the server/console 640 removes the reset flag so that the reset is not executed again the next time the mobile device 610 connects to that particular data security system.

Although similar to Figures 7-10, the mobile device 610 responds to the valid user signal 906 by sending an any command pending signal 1100 to the server/console 640, which makes a reset command decision 1102. When a reset command is pending, an execute reset signal 1104 is sent to the mobile device 610.

The mobile device 610 sends a reset security system signal 1106 to the data security system 620 to begin a data security system reset operation 1108. Once the data security system reset operation 1108 is complete, the data security system 620 sends a confirm: data security system reset signal 1110 to the mobile device 610, which performs a confirm: data security system reset operation 1112. Thereafter, the mobile device 610 and the reset data security system 620 are in fully operational communication.

Referring now to Figure 12, there is shown an unlock sequence diagram for unlocking the data security system 620 using the server/console 640. This figure shows the ability to unlock the data security system 620 remotely via the server/console 640. The data security system 620 can receive commands only from the mobile device 610 over the wireless connection. However, by setting an "administrator unlock" flag on the server/console 640 for a specific data security system (identified by its serial number (S/N)), the administrator arranges for the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests, to pick the command up. When the user connects to the data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "administrator unlock" command. After a successful administrator unlock, the user's data remains unchanged, but the user's password is removed (the data security system 620 can no longer be unlocked by the user with it). The server/console 640 then removes that flag for the data security system 620, so the administrator unlock is not executed again the next time the mobile device 610 connects to the data security system 620.

Although similar to Figures 7-11, after receiving the any command pending signal 1100, the server/console 640 performs an unlock 1200 when a command to unlock with the administrator's password is pending. An unlock with administrator's password signal 1202 is sent to the mobile device 610, which passes an unlock with administrator's password signal 1204 to the data security system 620 to begin the data security system unlock operation 804. Thereafter, the mobile device 610 and the data security system 620 are in fully operational communication.

Referring now to Figure 13, there is shown a change user password sequence diagram using the server/console 640. This figure shows the ability to change the user password of the data security system 620 remotely via the server/console 640. Even though the data security system 620 can receive commands only from the mobile device 610 over the wireless connection, setting a "change user password" flag on the server/console 640 for a specific data security system (identified by its serial number (S/N)) lets the data security system application 618 running on the mobile device 610, which queries the server/console 640 for any flags/pending requests, pick the command up. When the user connects to his data security system 620, the data security system application 618 on the mobile device 610 executes the waiting "change user password" command. After a successful unlock and password change, the user's data remains unchanged and the data security system 620 can be unlocked with the new user password. The server/console 640 then removes the "change user password" flag for the data security system 620, so the password change is not executed again the next time the mobile device 610 connects to that particular data security system.

Although similar to Figures 7-12, the server/console 640 responds to the any command pending signal 1100 by making a change password decision 1300. When a password change has been entered at the server/console 640, a change user password signal 1302 is sent to the mobile device 610, which sends a change user password signal 1304 to the data security system 620. Thereafter, the mobile device 610 and the data security system 620 are in fully operational communication with the new password.
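As an added example (again not code from the patent or the applicant), the following Python models the mechanism shared by Figures 11, 12 and 13: the server/console cannot reach the data security system directly, so it stores a flag per serial number; the application on the mobile device asks for any pending command when it connects (signal 1100), relays the command to the data security system, and the flag is cleared only once the device confirms success, so the command does not run again on the next connection. The three effects described above are modelled: a reset destroys the user data and both credentials, an administrator unlock keeps the data but removes the user password, and a change of user password keeps the data and makes the new password work. The verifier format, the server holding the administrator password it pushes in signal 1202, the requirement of the administrator password for the password change, and the sample passwords and data are assumptions of the model. The model also refuses an unknown command and leaves its flag in place, which the patent does not discuss.

```python
# Added example, not from the patent: a model of the flag-driven remote commands of
# Figures 11-13.  The verifier format, the server holding the administrator password
# it pushes in signal 1202, and the sample passwords/data are assumptions of this model.
import hashlib, hmac, os


def make_verifier(password: str):
    salt = os.urandom(16)                      # salted PBKDF2, assumed storage format
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(verifier, password: str) -> bool:
    if verifier is None:                       # credential has been removed
        return False
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), verifier[0], 100_000), verifier[1])


class DataSecuritySystem:
    """Data security system 620 with user and administrator credentials and user data."""

    def __init__(self, serial, user_password, admin_password, user_data):
        self.serial, self.user_data, self.locked = serial, user_data, True
        self._user, self._admin = make_verifier(user_password), make_verifier(admin_password)

    def unlock_with_user_password(self, password) -> bool:
        ok = matches(self._user, password)
        self.locked = self.locked and not ok
        return ok

    def reset(self) -> bool:                   # Figure 11: all user data and credentials are gone
        self.user_data = self._user = self._admin = None
        self.locked = True
        return True

    def admin_unlock(self, admin_password) -> bool:
        # Figure 12: unlock with the administrator password; data kept, user password removed
        if not matches(self._admin, admin_password):
            return False
        self._user, self.locked = None, False
        return True

    def change_user_password(self, admin_password, new_password) -> bool:
        # Figure 13: new user password, data kept (requiring the admin password here is assumed)
        if not matches(self._admin, admin_password):
            return False
        self._user = make_verifier(new_password)
        return True


class ServerConsole:
    """Server/console 640: one pending flag per DSS serial number (S/N), plus admin passwords."""

    def __init__(self):
        self.pending, self.admin_passwords = {}, {}   # serial -> (command, argument); serial -> pw

    def set_flag(self, serial, command, argument=None):
        self.pending[serial] = (command, argument)


def app_on_connect(server, dss):
    """Data security system application 618 on connect: send the any command pending
    signal 1100, relay the command to the DSS, and clear the flag only on success."""
    cmd = server.pending.get(dss.serial)
    if cmd is None:
        return None
    name, arg = cmd
    admin_pw = server.admin_passwords.get(dss.serial, "")
    handlers = {"reset": dss.reset,
                "admin_unlock": lambda: dss.admin_unlock(admin_pw),
                "change_user_password": lambda: dss.change_user_password(admin_pw, arg)}
    ok = name in handlers and handlers[name]()   # unknown command: refused, flag left for review
    if ok:
        server.pending.pop(dss.serial)
    return name, ok


def demo():
    """Figures 12, 13 and 11 in turn on constructed sample data; returns the outcomes."""
    server, out = ServerConsole(), {}
    server.admin_passwords["DSS-0001"] = "admin-secret"
    dss = DataSecuritySystem("DSS-0001", "user-pw", "admin-secret", b"quarterly-report")
    server.set_flag("DSS-0001", "admin_unlock")                # the user forgot the password
    out["admin_unlock"] = app_on_connect(server, dss)
    out["data_kept"] = dss.user_data == b"quarterly-report"
    out["flag_cleared"] = app_on_connect(server, dss) is None
    out["old_password_rejected"] = dss.unlock_with_user_password("user-pw")
    server.set_flag("DSS-0001", "change_user_password", "new-pw")
    out["change_password"] = app_on_connect(server, dss)
    out["new_password_accepted"] = dss.unlock_with_user_password("new-pw")
    server.set_flag("DSS-0001", "reset")
    out["reset"] = app_on_connect(server, dss)
    out["data_wiped"] = dss.user_data is None
    out["password_rejected_after_reset"] = dss.unlock_with_user_password("new-pw")
    server.set_flag("DSS-0001", "format")                      # not a command the DSS knows
    out["unknown_command"] = app_on_connect(server, dss)
    out["unknown_still_pending"] = server.pending.get("DSS-0001") == ("format", None)
    return out
```

demo() walks one constructed device through the administrator unlock, the password change and the reset in that order and returns what each connection observed; after the administrator unlock the old user password no longer works while the data is intact, after the reset nothing works at all, and the unknown "format" flag is still pending because the application never confirmed it.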

A method of operating a data security system includes: providing a mobile device having a data security system application for connecting to the data security system; starting the data security system application; and maintaining a connection between the data security system and the mobile device.

The method as described above, wherein maintaining the connection is maintaining the connection while the data security system is within a predetermined sensing distance of the mobile device.

The method as described above, wherein maintaining the connection is maintaining the connection while the data security system remains within a predetermined sensing distance of the mobile device for a predetermined period of time.

The method as described above, wherein establishing the connection includes using two-way communication between the data security system and the mobile device.

The method as described above, wherein establishing the connection includes using one-way communication between the data security system and the mobile device.

The method as described above, further including communication between the mobile device having the data security system application and a server containing a user management database.

The method as described above, further including providing security information in a security controller within the data security system.

The method as described above, further including: providing a server having the identity of a specific data security system; providing the data security system having a specific identity; and unlocking the data security system when the identity of the specific data security system is the same as the specific identity of the data security system.

The method as described above, wherein providing the mobile device having the data security system application provides a data security system administrator application, and further including: setting an administrator password in the mobile device; transmitting the administrator password from the mobile device to the data security system; and setting the administrator password in the data security system and unlocking the data security system.

The method as described above, further including: providing an unlock request together with the mobile device identity from the mobile device to the data security system; and receiving the unlock request in the data security system and unlocking the data security system.

The method as described above, further including: entering a username or password in the mobile device; after receiving the username or password from the mobile device, determining in a server when the username or password is valid; communicating from the server to the mobile device when the username or password is valid; and communicating from the mobile device to the data security system to unlock the data security system when the username or password is valid.

The method as described above, further including: entering a username or password in the mobile device; after receiving the username or password from the mobile device, determining in a server when the username or password is valid; communicating from the server to the mobile device when the username or password is valid; after receiving an identification number from the mobile device, determining in the server when the identification number is valid; and unlocking the data security system through the mobile device when the server determines that the identification number is valid.

The method as described above, further including: providing a valid location for the mobile device to a server; determining in the server when the mobile device is within the valid location; and unlocking the data security system through the mobile device when the server determines that the mobile device is within the valid location.

The method as described above, further including: providing the current time at the mobile device for the operation of the data security system to a server; determining in the server when the mobile device is within the permitted current time; and unlocking the data security system through the mobile device when the server determines that the mobile device has that current time.

The method as described above, further including: providing a command in a server; providing the command from the server to the mobile device in response to an any command pending signal from the mobile device; and executing the command in the data security system through the mobile device when the command is provided by the server.

The method as described above, further including: providing a change password command in a server; providing the change password command from the server to the mobile device in response to a change password signal from the mobile device; and unlocking the data security system using the changed password in the data security system.

The method as described above, further including connecting the data security system to a host computer for starting and being discoverable by the host computer.

A data security system includes: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.

The system as described above further includes a security controller connected to the data security transceiver or receiver and to the authentication subsystem.

The system as described above further includes a mobile device having a data security system application that operates with the security controller to maintain the connection while the data security system is within a predetermined sensing distance of the mobile device.

The system as described above further includes a mobile device having a data security system application that operates with the security controller to maintain the connection while the data security system remains within a predetermined sensing distance of the mobile device for a predetermined period of time.

The system as described above further includes a mobile device having a mobile transceiver or receiver for maintaining the connection, including using two-way communication between the data security system and the mobile device.

The system as described above further includes a mobile device having a mobile transceiver or receiver for maintaining the connection, including using one-way communication between the data security system and the mobile device.

The system as described above further includes wired or wireless connection communication between the mobile device having the data security system application and a server containing a user management database.

The system as described above, wherein the data security system includes an external communication channel for connecting to a host computer.

Although the invention has been described in conjunction with a specific best mode, it is to be understood that many alternatives, modifications and variations will be apparent to those skilled in the art in light of the foregoing description. Accordingly, the invention is intended to embrace all such alternatives, modifications and variations that fall within the scope of the appended claims. All matters set forth herein or shown in the accompanying drawings are to be interpreted in an illustrative and not a limiting sense.

100 Data security system

102 External communication channel

104 Authentication subsystem

106 Storage subsystem

108 Interface controller

110 Encryption engine

112 Storage medium

114 Authentication controller

116 Encryption key

118 Authentication key

120 Host computer system

122 User

Claims (25)

一種資料保全系統之操作之方法,包括:提供具有用於與該資料保全系統連接之資料保全系統應用程式之行動裝置;開始該資料保全系統應用程式;以及維持該資料保全系統與該行動裝置之連接。 A method of operating a data security system, comprising: providing a mobile device having a data security system application for connecting to the data security system; starting the data security system application; and maintaining the data security system and the mobile device connection. 如申請專利範圍第1項所述之方法,其中,維持該連接是維持當該資料保全系統在該行動裝置的預定感應距離內時之該連接。 The method of claim 1, wherein maintaining the connection is to maintain the connection when the data security system is within a predetermined sensing distance of the mobile device. 如申請專利範圍第1項所述之方法,其中,維持該連接是維持當該資料保全系統在該行動裝置的預定感應距離內持續預定時間週期時之該連接。 The method of claim 1, wherein maintaining the connection is to maintain the connection when the data security system continues within a predetermined sensing distance of the mobile device for a predetermined period of time. 如申請專利範圍第1項所述之方法,其中,建立該連接包含在該資料保全系統與該行動裝置之間使用雙向通訊。 The method of claim 1, wherein establishing the connection comprises using two-way communication between the data security system and the mobile device. 如申請專利範圍第1項所述之方法,其中,建立該連接包含在該資料保全系統與該行動裝置之間使用單向通訊。 The method of claim 1, wherein establishing the connection comprises using one-way communication between the data security system and the mobile device. 如申請專利範圍第1項所述之方法,更包括在具有該資料保全系統應用程式之該行動裝置與含有使用者管理資料庫之伺服器之間之通訊。 The method of claim 1, further comprising communicating between the mobile device having the data security system application and a server having a user management database. 如申請專利範圍第1項所述之方法,更包括提供保全資訊於該資料保全系統內之保全控制器中。 The method of claim 1, further comprising providing security information in a security controller in the data security system. 
如申請專利範圍第1項所述之方法,更包括: 提供伺服器具有特定資料保全系統之身份識別;提供該資料保全系統具有特定身份識別;以及當該特定資料保全系統之該身份識別相同於該資料保全系統之該特定身份識別時,解鎖該資料保全系統。 For example, the method described in claim 1 of the patent scope further includes: Providing the server with the identification of the specific data security system; providing the data security system with a specific identity; and unlocking the data security when the identity of the specific data security system is the same as the specific identity of the data security system system. 如申請專利範圍第1項所述之方法,其中,提供具有該資料保全系統應用程式的行動裝置提供資料保全系統管理者的應用程式並且更包含:設定管理者的密碼於該行動裝置中;從該行動裝置傳輸該管理者的密碼至該資料保全系統;以及設定該管理者的密碼於該資料保全系統中及解鎖該資料保全系統。 The method of claim 1, wherein the mobile device having the data security system application is provided with an application for providing a data security system administrator, and further comprising: setting a password of the administrator in the mobile device; The mobile device transmits the administrator's password to the data security system; and sets the administrator's password in the data security system and unlocks the data security system. 如申請專利範圍第1項所述之方法,更包括:提供解鎖請求連同來自該行動裝置之行動裝置身份識別至該資料保全系統;以及於該資料保全系統中接收該解鎖請求並解鎖該資料保全系統。 The method of claim 1, further comprising: providing an unlock request and identifying the mobile device from the mobile device to the data security system; and receiving the unlock request and unlocking the data security in the data security system system. 
如申請專利範圍第1項所述之方法,更包括:輸入使用者名稱或密碼於該行動裝置中;在接收來自該行動裝置之該使用者名稱或密碼之後,判定何時該使用者名稱或密碼於伺服器中是有效的;當該使用者名稱或密碼有效時,由該伺服器通訊至 該行動裝置;以及當該使用者名稱或密碼有效而解鎖該資料保全系統時,由該行動裝置通訊至該資料保全系統。 The method of claim 1, further comprising: inputting a user name or password in the mobile device; determining the user name or password after receiving the user name or password from the mobile device Valid in the server; when the username or password is valid, the server communicates to The mobile device; and when the user name or password is valid to unlock the data security system, the mobile device communicates to the data security system. 如申請專利範圍第1項所述之方法,更包括:輸入使用者名稱或密碼於該行動裝置中;在接收來自該行動裝置之該使用者名稱或密碼之後,判定何時該使用者名稱或密碼於伺服器中是有效的;當該使用者名稱或密碼有效時,由該伺服器通訊至該行動裝置;在接收來自該行動裝置之身份識別號碼之後,判定何時該身份識別號碼於該伺服器中是有效的;以及當該伺服器判定該身份識別號碼有效時,透過該行動裝置解鎖該資料保全系統。 The method of claim 1, further comprising: inputting a user name or password in the mobile device; determining the user name or password after receiving the user name or password from the mobile device Valid in the server; when the username or password is valid, the server communicates to the mobile device; after receiving the identification number from the mobile device, determining when the identification number is on the server Medium is valid; and when the server determines that the identification number is valid, the data security system is unlocked by the mobile device. 如申請專利範圍第1項所述之方法,更包括:提供該行動裝置之有效位置給伺服器;於該伺服器中判定何時該行動裝置是在該有效位置內;以及當該伺服器判定該行動裝置是在該有效位置內時,透過該行動裝置解鎖該資料保全系統。 The method of claim 1, further comprising: providing an effective location of the mobile device to the server; determining, in the server, when the mobile device is in the valid location; and when the server determines that When the mobile device is in the active position, the data security system is unlocked by the mobile device. 
The method of claim 1, further comprising: providing, to a server, a current time at the mobile device for operation of the data security system; determining in the server when the mobile device is within the current time; and unlocking the data security system through the mobile device when the server determines that the mobile device has the current time.

The method of claim 1, further comprising: providing an instruction in a server; providing the instruction from the server to the mobile device in response to an instruction-waiting signal from the mobile device; and executing the instruction in the data security system through the mobile device when the instruction has been provided by the server.

The method of claim 1, further comprising: providing a change-password instruction in a server; providing the change-password instruction from the server to the mobile device in response to a change-password signal from the mobile device; and unlocking the data security system using the changed password in the data security system.

The method of claim 1, further comprising connecting the data security system to a host computer for start-up and so that it can be discovered by the host computer.

A data security system, comprising: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.

The system of claim 18, further comprising a security controller connected to the data security transceiver or receiver and connected to the authentication subsystem.

The system of claim 18, further comprising a mobile device having a data security system application, operating with the security controller to maintain a connection when the data security system is within a predetermined sensing distance of the mobile device.

The system of claim 18, further comprising a mobile device having a data security system application, operating with the security controller to maintain a connection when the data security system has remained within a predetermined sensing distance of the mobile device for a predetermined time period.

The system of claim 18, further comprising a mobile device having a mobile transceiver or receiver for maintaining a connection, including using two-way communication between the data security system and the mobile device.

The system of claim 18, further comprising a mobile device having a mobile transceiver or receiver for maintaining a connection, including using one-way communication between the data security system and the mobile device.

The system of claim 18, further comprising wired or wireless connection communication between a mobile device having the data security system application and a server containing a user management database.

The system of claim 18, wherein the data security system includes an external communication channel for connecting to a host computer.
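The current-time check, the instruction-waiting exchange and the change-password flow in the claims above are easier to reason about as a small model. The following is an added illustration written for this page, not ClevX code and not the patent's implementation: a stand-in management server decides whether the mobile device "has the current time" (bounded clock skew, a permitted period, and rejection of a replayed time report), answers the mobile's instruction-waiting signal with a queued instruction, and the data security device is then unlocked with the changed password. The class names, the 30-second tolerance, the device id, the passwords and the clock value are all assumptions constructed for the example.

```python
"""Model of the mobile-mediated unlock described in the claims (added example,
not the patent's code). Every name, tolerance and sample value is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from hmac import compare_digest
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy value: how far the mobile's reported time may differ
# from the server clock and still count as "the current time".
CLOCK_TOLERANCE = timedelta(seconds=30)


@dataclass
class ManagementServer:
    """Stand-in for the server holding the user management database."""
    now: datetime                                   # injected clock, so runs are deterministic
    allowed_windows: Dict[str, Tuple[datetime, datetime]] = field(default_factory=dict)
    pending: Dict[str, List[dict]] = field(default_factory=dict)   # device_id -> instruction queue
    seen_nonces: Set[str] = field(default_factory=set)

    def mobile_in_current_time(self, device_id: str, reported: datetime, nonce: str) -> bool:
        """The mobile reports the time at which it wants to operate the device; the
        server decides whether that time lies within its own clock and policy window."""
        if nonce in self.seen_nonces:                   # a replayed time report is refused
            return False
        if abs(reported - self.now) > CLOCK_TOLERANCE:  # clock skew beyond tolerance
            return False
        window = self.allowed_windows.get(device_id)
        if window is None or not (window[0] <= self.now <= window[1]):
            return False                                # outside the permitted period
        self.seen_nonces.add(nonce)
        return True

    def queue_instruction(self, device_id: str, instruction: dict) -> None:
        self.pending.setdefault(device_id, []).append(instruction)

    def next_instruction(self, device_id: str) -> Optional[dict]:
        """Answer the mobile's instruction-waiting signal with one queued instruction."""
        queue = self.pending.get(device_id, [])
        return queue.pop(0) if queue else None


@dataclass
class DataSecurityDevice:
    """Stand-in for the data security system reached through the mobile application."""
    device_id: str
    password: str
    locked: bool = True

    def execute(self, instruction: dict) -> None:
        """Only instructions the server handed out are applied to the device."""
        if instruction.get("op") == "change_password":
            self.password = instruction["new_password"]

    def unlock(self, password: str) -> bool:
        if compare_digest(password.encode(), self.password.encode()):
            self.locked = False
        return not self.locked


def unlock_via_mobile(server: ManagementServer, device: DataSecurityDevice,
                      reported: datetime, nonce: str, password: str) -> str:
    """One mobile-mediated session: time check, instruction poll, then unlock."""
    if not server.mobile_in_current_time(device.device_id, reported, nonce):
        return "rejected: not within current time"
    instruction = server.next_instruction(device.device_id)
    if instruction is not None:
        device.execute(instruction)
        if instruction.get("op") == "change_password":
            password = instruction["new_password"]      # unlock with the changed password
    return "unlocked" if device.unlock(password) else "rejected: bad password"


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed server clock


def build_fixture() -> Tuple[ManagementServer, DataSecurityDevice]:
    window = (SAMPLE_NOW - timedelta(hours=1), SAMPLE_NOW + timedelta(hours=1))
    server = ManagementServer(now=SAMPLE_NOW, allowed_windows={"dev-1": window})
    return server, DataSecurityDevice("dev-1", "initial-pw")


def demo() -> List[str]:
    """Run the constructed scenarios and return each session's outcome."""
    server, device = build_fixture()
    at = lambda seconds: SAMPLE_NOW + timedelta(seconds=seconds)   # mobile's reported time
    results = [unlock_via_mobile(server, device, at(5), "n1", "initial-pw")]     # within tolerance
    device.locked = True
    results.append(unlock_via_mobile(server, device, at(5), "n1", "initial-pw"))  # replayed nonce
    results.append(unlock_via_mobile(server, device, at(300), "n2", "initial-pw"))  # skew too large
    server.queue_instruction("dev-1", {"op": "change_password", "new_password": "rotated-pw"})
    results.append(unlock_via_mobile(server, device, at(0), "n3", "initial-pw"))  # changed password applied
    device.locked = True
    results.append(unlock_via_mobile(server, device, at(0), "n4", "initial-pw"))  # old password refused
    results.append(unlock_via_mobile(server, device, at(-10), "n5", "rotated-pw"))  # new password works
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The server clock is injected rather than read from the system so the decision is reproducible; in a deployment the tolerance and the nonce set are the two knobs that decide how much clock drift is accepted and how long a captured time report stays useless to a replayer.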
TW106100149A 2016-01-04 2017-01-04 Data security system and method of operating the same TWI692704B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/987,749 US10181055B2 (en) 2007-09-27 2016-01-04 Data security system with encryption
US14/987,749 2016-01-04

Publications (2)

Publication Number Publication Date
TW201737151A true TW201737151A (en) 2017-10-16
TWI692704B TWI692704B (en) 2020-05-01

Family

ID=59311569

Family Applications (2)

Application Number Title Priority Date Filing Date
TW106100149A TWI692704B (en) 2016-01-04 2017-01-04 Data security system and method of operating the same
TW109109809A TWI727717B (en) 2016-01-04 2017-01-04 Data security system with encryption and method for its operation

Family Applications After (1)

Application Number Title Priority Date Filing Date
TW109109809A TWI727717B (en) 2016-01-04 2017-01-04 Data security system with encryption and method for its operation

Country Status (6)

Country Link
JP (3) JP6633228B2 (en)
KR (2) KR102054711B1 (en)
CN (2) CN108604982B (en)
GB (2) GB2562923B (en)
TW (2) TWI692704B (en)
WO (1) WO2017123433A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI651626B (en) * 2017-11-30 2019-02-21 大陸商北京集創北方科技股份有限公司 Biometric data encryption method and information processing device using same
US10754992B2 (en) 2007-09-27 2020-08-25 Clevx, Llc Self-encrypting drive
US10778417B2 (en) 2007-09-27 2020-09-15 Clevx, Llc Self-encrypting module with embedded wireless user authentication
US10783232B2 (en) 2007-09-27 2020-09-22 Clevx, Llc Management system for self-encrypting managed devices with embedded wireless user authentication
TWI708159B (en) * 2018-03-12 2020-10-21 美商惠普發展公司有限責任合夥企業 A device platform comprising a security processor, a security processor in a device, and related storage medium
US11190936B2 (en) 2007-09-27 2021-11-30 Clevx, Llc Wireless authentication system
TWI753286B (en) * 2018-08-16 2022-01-21 美商克萊夫公司 Self-encrypting device, management server, method for data security, and non-transitory machine-readable srotage medium thereof
US11971967B2 (en) 2021-08-20 2024-04-30 Clevx, Llc Secure access device with multiple authentication mechanisms

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2607846B (en) * 2018-06-06 2023-06-14 Istorage Ltd Dongle for ciphering data
CN110225515B (en) * 2019-06-24 2022-08-23 喀斯玛(北京)科技有限公司 Authentication management system, method and device
JP2022050899A (en) 2020-09-18 2022-03-31 キオクシア株式会社 Memory system
TWI788936B (en) * 2021-08-02 2023-01-01 民傑資科股份有限公司 Flash drive locked with wireless communication manner
KR102540669B1 (en) * 2021-12-17 2023-06-08 주식회사 그리다에너지 System for Job history authentication using encrypted and non-editable job data
CN114598461B (en) * 2022-02-24 2023-10-31 广东天波信息技术股份有限公司 Online unlocking method of terminal equipment, terminal equipment and readable storage medium

Family Cites Families (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10340231A (en) * 1997-06-05 1998-12-22 Kokusai Electric Co Ltd Ic card
US6529949B1 (en) * 2000-02-07 2003-03-04 Interactual Technologies, Inc. System, method and article of manufacture for remote unlocking of local content located on a client device
US6708272B1 (en) * 1999-05-20 2004-03-16 Storage Technology Corporation Information encryption system and method
WO2001020463A1 (en) * 1999-09-17 2001-03-22 Fingloq Ab Security arrangement
US8677505B2 (en) * 2000-11-13 2014-03-18 Digital Doors, Inc. Security system with extraction, reconstruction and secure recovery and storage of data
US7099663B2 (en) * 2001-05-31 2006-08-29 Qualcomm Inc. Safe application distribution and execution in a wireless environment
TW583568B (en) * 2001-08-27 2004-04-11 Dataplay Inc A secure access method and system
US20030109218A1 (en) * 2001-10-18 2003-06-12 Azalea Microelectronics Corporation Portable wireless storage unit
US7561691B2 (en) 2001-11-12 2009-07-14 Palm, Inc. System and method for providing secured access to mobile devices
US7198571B2 (en) * 2002-03-15 2007-04-03 Igt Room key based in-room player tracking
JP2004326763A (en) * 2003-04-10 2004-11-18 Matsushita Electric Ind Co Ltd Password change system
WO2004090738A1 (en) 2003-04-10 2004-10-21 Matsushita Electric Industrial Co., Ltd. Password change system
JP2006025249A (en) * 2004-07-08 2006-01-26 Fujitsu Ltd Terminal device, data backup system thereof, data backup method thereof, and data backup program thereof
CN101010677A (en) * 2004-09-06 2007-08-01 皇家飞利浦电子股份有限公司 Portable storage device and method for exchanging data
US20060075230A1 (en) * 2004-10-05 2006-04-06 Baird Leemon C Iii Apparatus and method for authenticating access to a network resource using multiple shared devices
JP2006139757A (en) * 2004-10-15 2006-06-01 Citizen Watch Co Ltd Locking system and locking method
US20060129829A1 (en) * 2004-12-13 2006-06-15 Aaron Jeffrey A Methods, systems, and computer program products for accessing data with a plurality of devices based on a security policy
US20060176146A1 (en) * 2005-02-09 2006-08-10 Baldev Krishan Wireless universal serial bus memory key with fingerprint authentication
JP4781692B2 (en) * 2005-03-08 2011-09-28 インターナショナル・ビジネス・マシーンズ・コーポレーション Method, program, and system for restricting client I / O access
US8335920B2 (en) * 2005-07-14 2012-12-18 Imation Corp. Recovery of data access for a locked secure storage device
TWI288553B (en) * 2005-10-04 2007-10-11 Carry Computer Eng Co Ltd Portable storage device having main identification information and method of setting main identification information thereof
JP2009524880A (en) * 2006-01-24 2009-07-02 クレブエックス・リミテッド・ライアビリティ・カンパニー Data security system
US20070248232A1 (en) * 2006-04-10 2007-10-25 Honeywell International Inc. Cryptographic key sharing method
WO2008147577A2 (en) * 2007-01-22 2008-12-04 Spyrus, Inc. Portable data encryption device with configurable security functionality and method for file encryption
US20080303631A1 (en) * 2007-06-05 2008-12-11 Beekley John S Mass Storage Device With Locking Mechanism
TWI537732B (en) * 2007-09-27 2016-06-11 克萊夫公司 Data security system with encryption
CN100533459C (en) * 2007-10-24 2009-08-26 北京飞天诚信科技有限公司 Data safety reading method and safety storage apparatus thereof
US20100293374A1 (en) * 2008-07-30 2010-11-18 Bushby Donald P Secure Portable Memory Storage Device
JP2010102617A (en) * 2008-10-27 2010-05-06 Dainippon Printing Co Ltd System, device, method and program of access management of external storage, apparatus and recording medium
US20100174913A1 (en) * 2009-01-03 2010-07-08 Johnson Simon B Multi-factor authentication system for encryption key storage and method of operation therefor
US9286493B2 (en) * 2009-01-07 2016-03-15 Clevx, Llc Encryption bridge system and method of operation thereof
US8112066B2 (en) * 2009-06-22 2012-02-07 Mourad Ben Ayed System for NFC authentication based on BLUETOOTH proximity
US20110154023A1 (en) * 2009-12-21 2011-06-23 Smith Ned M Protected device management
US9270663B2 (en) * 2010-04-30 2016-02-23 T-Central, Inc. System and method to enable PKI- and PMI-based distributed locking of content and distributed unlocking of protected content and/or scoring of users and/or scoring of end-entity access means—added
GB2508532B (en) * 2011-09-28 2020-05-06 Hewlett Packard Development Co Unlocking a storage device
WO2013073260A1 (en) * 2011-11-19 2013-05-23 インターナショナル・ビジネス・マシーンズ・コーポレーション Storage device
US8972728B2 (en) * 2012-10-15 2015-03-03 At&T Intellectual Property I, L.P. Method and apparatus for providing subscriber identity module-based data encryption and remote management of portable storage devices
US20140149742A1 (en) * 2012-11-28 2014-05-29 Arnold Yau Method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors
GB201221433D0 (en) * 2012-11-28 2013-01-09 Hoverkey Ltd A method and system of providing authentication of user access to a computer resource on a mobile device
US9215250B2 (en) * 2013-08-20 2015-12-15 Janus Technologies, Inc. System and method for remotely managing security and configuration of compute devices
US20150161587A1 (en) * 2013-12-06 2015-06-11 Apple Inc. Provisioning and authenticating credentials on an electronic device
CN105450400B (en) * 2014-06-03 2019-12-13 阿里巴巴集团控股有限公司 Identity verification method, client, server and system

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10754992B2 (en) 2007-09-27 2020-08-25 Clevx, Llc Self-encrypting drive
US10778417B2 (en) 2007-09-27 2020-09-15 Clevx, Llc Self-encrypting module with embedded wireless user authentication
US10783232B2 (en) 2007-09-27 2020-09-22 Clevx, Llc Management system for self-encrypting managed devices with embedded wireless user authentication
US10985909B2 (en) 2007-09-27 2021-04-20 Clevx, Llc Door lock control with wireless user authentication
US11151231B2 (en) 2007-09-27 2021-10-19 Clevx, Llc Secure access device with dual authentication
US11190936B2 (en) 2007-09-27 2021-11-30 Clevx, Llc Wireless authentication system
US11233630B2 (en) 2007-09-27 2022-01-25 Clevx, Llc Module with embedded wireless user authentication
TWI651626B (en) * 2017-11-30 2019-02-21 大陸商北京集創北方科技股份有限公司 Biometric data encryption method and information processing device using same
TWI708159B (en) * 2018-03-12 2020-10-21 美商惠普發展公司有限責任合夥企業 A device platform comprising a security processor, a security processor in a device, and related storage medium
US11475107B2 (en) 2018-03-12 2022-10-18 Hewlett-Packard Development Company, L.P. Hardware security
TWI753286B (en) * 2018-08-16 2022-01-21 美商克萊夫公司 Self-encrypting device, management server, method for data security, and non-transitory machine-readable srotage medium thereof
US11971967B2 (en) 2021-08-20 2024-04-30 Clevx, Llc Secure access device with multiple authentication mechanisms

Also Published As

Publication number Publication date
JP2019511791A (en) 2019-04-25
KR20180107775A (en) 2018-10-02
KR20190137960A (en) 2019-12-11
GB2562923B (en) 2020-02-12
GB201919421D0 (en) 2020-02-12
CN108604982A (en) 2018-09-28
GB2580549B (en) 2020-12-23
TWI727717B (en) 2021-05-11
TW202029042A (en) 2020-08-01
JP2021192265A (en) 2021-12-16
CN112054892A (en) 2020-12-08
JP7248754B2 (en) 2023-03-29
GB2580549A (en) 2020-07-22
GB201811137D0 (en) 2018-08-22
WO2017123433A1 (en) 2017-07-20
JP6633228B2 (en) 2020-01-22
JP2020057412A (en) 2020-04-09
CN108604982B (en) 2020-09-04
TWI692704B (en) 2020-05-01
JP6938602B2 (en) 2021-09-22
KR102201093B1 (en) 2021-01-08
GB2562923A (en) 2018-11-28
KR102054711B1 (en) 2019-12-11

Similar Documents

Publication Publication Date Title
US11151231B2 (en) Secure access device with dual authentication
US10985909B2 (en) Door lock control with wireless user authentication
JP7248754B2 (en) Data security system with cryptography
US10783232B2 (en) Management system for self-encrypting managed devices with embedded wireless user authentication
EP2798565B1 (en) Secure user authentication for bluetooth enabled computer storage devices
US11190936B2 (en) Wireless authentication system
US20140282992A1 (en) Systems and methods for securing the boot process of a device using credentials stored on an authentication token
EP4242902A2 (en) Self-encrypting module with embedded wireless user authentication
US20180053018A1 (en) Methods and systems for facilitating secured access to storage devices
US11971967B2 (en) Secure access device with multiple authentication mechanisms
US20090240937A1 (en) Separated storage of data and key necessary to access the data
KR20140007627A (en) Ic chip