US20100169672A1 - Encryption program operation management system and program - Google Patents

Encryption program operation management system and program Download PDF

Info

Publication number
US20100169672A1
US20100169672A1 US12/610,139 US61013909A US2010169672A1 US 20100169672 A1 US20100169672 A1 US 20100169672A1 US 61013909 A US61013909 A US 61013909A US 2010169672 A1 US2010169672 A1 US 2010169672A1
Authority
US
United States
Prior art keywords
encryption
program
computer
encryption key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/610,139
Inventor
Jun Takeda
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toshiba Corp
Original Assignee
Toshiba Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Toshiba Corp filed Critical Toshiba Corp
Assigned to KABUSHIKI KAISHA TOSHIBA reassignment KABUSHIKI KAISHA TOSHIBA ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TAKEDA, JUN
Publication of US20100169672A1 publication Critical patent/US20100169672A1/en
Priority to US13/096,726 priority Critical patent/US8352751B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • One embodiment of the invention relates to the technique for managing an encryption key in a case where hard disk encryption software is distributed and installed to prevent important data from being leaked from a computer which, for example, an employee uses in doing work.
  • Hard disk encryption software is a data encryption program which encrypts data using an encryption key in writing data into the hard disk and decrypts the encrypted data in reading the data from the hard disk.
  • the hard disk encryption software is distributed to the employees to cause them to install it into the individual computers, this is achieved by either the on-line installation method or the off-line installation method.
  • the client side sets an encryption key arbitrarily and informs the operation management server on the management side of the encryption key.
  • the management side sets an encryption key respectively in creating an installation package for installing hard disk encryption software and distributes the encryption key to the client in a top-down method.
  • the administrator manages the encryption key reported by the client.
  • the administrator manages the self-set encryption key in creating an installation package to be distributed to the clients.
  • the encryption key managed by the administrator is used for a so-called recovery process to extract encrypted data in the hard disk and decrypt the extracted data when the computer of a client cannot be activated, for example.
  • Various methods of managing encryption keys have been proposed (e.g., refer to Jpn. Pat. Appln. KOKAI Publication No. 2006-319861).
  • each client may set an encryption key arbitrarily, enhancing security, a network environment and an operation management server are needed, making the size of the system larger. This leads to a disadvantage in that a certain amount of cost rise cannot be avoided.
  • FIG. 1 is an exemplary diagram showing a system configuration of a personal computer used in an encryption program operation management system according to an embodiment of the invention
  • FIG. 2 is an exemplary conceptual diagram to explain the way an installation package is created in the encryption program operation management system of the embodiment
  • FIG. 3 is an exemplary conceptual diagram to explain a state where hard disk encryption software is installed in the encryption program operation management system of the embodiment
  • FIG. 4 is an exemplary conceptual diagram to explain the principle of a hard disk encryption process in the encryption program operation management system of the embodiment
  • FIG. 5 is an exemplary conceptual diagram to explain the principle of a hard disk recovery process in the encryption program operation management system of the embodiment
  • FIG. 6 is an exemplary flowchart showing the procedure for creating an installation package for operation management software running on the management-side computer in the encryption program operation management system of the embodiment;
  • FIG. 7 is an exemplary flowchart showing the procedure for operating an installer in a case where hard disk encryption software is installed in the client-side computer in the encryption program operation management system of the embodiment.
  • FIG. 8 is an exemplary flowchart showing the procedure for operating the operation management software in a case where the management-side computer is used to carry out the process of recovering the client hard disk in the encryption program operation management system of the embodiment.
  • an encryption program operation management system includes an encryption key table creation module which creates encryption keys and creates an encryption key table including encrypted versions of the encryption keys and items of plaintext index information for recognizing the encryption keys, and an installation package creation module which creates an installation package including an encryption program, the encryption key table, and an installation program for installing the encryption program into a computer.
  • the installation program causes the computer to carry out an operation of selecting one of the encrypted version of encryption keys and an operation of creating and storing encryption key information including the selected one of the encrypted version of encryption key and one of the items of plaintext index information associated with the selected one of the encrypted version of encryption keys.
  • FIG. 1 is an exemplary diagram showing a system configuration of a personal computer used in an encryption program operation management system according to an embodiment of the invention.
  • the encryption program operation management system of the embodiment which is for encrypting the data in the hard disk drive (HDD) of a personal computer given to each employee (or client) in an office or the like, is constructed of a personal computer for an administrator and a plurality of personal computers for clients.
  • HDD hard disk drive
  • the personal computer of the administrator and the personal computers for the clients are notebook personal computers of the same type which have the system configuration of FIG. 1 .
  • the embodiment will be explained using a system for encrypting the data in the HDD as an example, the invention is not limited to this. The invention may be applied to any system, provided that the system uses an encryption key for encrypting data.
  • the computer includes a CPU 11 , a north bridge 12 , a main memory 13 , a display controller 14 , a video memory (VRAM) 14 A, a liquid-crystal display (LCD) 15 , a south bridge 16 , a sound controller 17 , a speaker 18 , a BIOS-ROM 19 , a LAN controller 20 , a hard disk drive (HDD) 21 , an optical disc drive (ODD) 22 , a wireless LAN controller 23 , a USB controller 24 , an embedded controller/keyboard controller (EC/KBC) 25 , a keyboard (KB) 26 , and a pointing device 27 .
  • the CPU 11 is a processor for controlling the operation of the computer, and executes an operating system (OS) and various application programs that operate under the control of the OS loaded from the HDD 21 or ODD 22 into the main memory 13 . Moreover, the CPU 11 executes a basic input/output system (BIOS) stored in the BIOS-ROM 19 .
  • BIOS is a program for controlling hardware.
  • the north bridge 12 is a bridge device which connects the local bus of the CPU 11 and the south bridge 16 .
  • the north bridge 12 includes a memory controller which provides access control of the main memory 13 .
  • the north bridge 12 also includes the function of communicating with the display controller 14 .
  • the display controller 14 is a device which controls the LCD 15 used as a display monitor of the computer.
  • the display controller 14 generates a display signal and sends the signal to the LCD 15 .
  • the south bridge 16 controls the individual devices on a peripheral component interconnect (PCI) bus and a low pin count (LPC) bus.
  • the south bridge 16 includes an integrated drive electronics (IDE) controller for controlling the HDD 21 and ODD 22 and a memory controller for providing access control of the BIOS-ROM 19 .
  • IDE integrated drive electronics
  • the south bridge 16 also includes the function of communicating with the sound controller 17 and LAN controller 20 .
  • the sound controller 17 is a sound source device, and outputs audio data to be reproduced to the speaker 18 .
  • the LAN controller 20 is a wire communication device which performs wire communication complying with, for example, the Ethernet (registered trademark) standard.
  • the wireless LAN controller 23 is a wireless communication device which performs wireless communication conforming to, for example, the IEEE 802.11 standard.
  • the USB controller 24 controls an USB device externally connected via, for example, a cable complying with the USB 2.0 standard.
  • the EC/KBC 25 is a one-chip microcomputer in which an embedded controller for power management and a keyboard controller for controlling the KB 26 and pointing device 27 are integrated.
  • the EC/KBC 25 includes the function of providing on/off control of the power of the computer according to the user operation.
  • the administrator installs operation management software 120 into his or her own computer using a storage medium M 1 shown in FIG. 2 .
  • the storage medium M 1 is, for example, a compact disc (CD) or a digital versatile disc (DVD).
  • an installer 110 and the operation management software 120 have been stored in the storage medium M 1 .
  • the installer 110 is a program for installing the operation management software 120 .
  • the administrator sets the storage medium Ml in the ODD 22 of his or her own computer and executes the installer 110 , thereby installing the operation management software 120 .
  • the operation management software 120 includes an encryption key table creation module 121 , an installation package creation module 122 , a recovery module 123 , an installer 124 , and hard disk encryption software 125 .
  • the hard disk encryption software 125 is a program which is installed in the individual computers of the clients and encrypts the data in the HDD 21 .
  • the administrator creates an installation package for distributing the hard disk encryption software 125 to the individual clients by using the operation management software 120 .
  • the installation package may be created in the form of a delivery file, provided that the administrator computer and the client computers can communicated with one another.
  • the encryption key table creation module 121 inputs, for example, system time as a parameter to generate random numbers, thereby creating a plurality of encryption keys.
  • the encryption key table creation module 121 encrypts the plurality of encryption keys by using a common key shared by, for example, the administrator and the clients, and creates an encryption key table 201 which holds plaintext index information for identifying the individual encryption keys and the encrypted encryption keys in such a manner the former correspond to the latter. That is, since the administrator creates encryption keys and the clients use the keys, it may be said that the encryption program operation management system employs the off-line installation method as a method of installing the hard disk encryption software 125 in the client computers.
  • the installation package creation module 122 creates an installation package which includes the encryption key table 201 , installer 124 , and hard disk encryption software 125 .
  • the installation package creation module 122 writes the encryption key table 201 , installer 124 , and hard disk encryption software 125 into the storage medium M 2 set in the ODD 22 .
  • the administrator distributes (or circulates) the installation package (or storage medium M 2 ) created in this way to the individual clients. Having received the installation package, each client sets the storage medium M 2 in the ODD 22 of his or her own computer and executes the installer 124 .
  • the installer 124 is a program for installing the hard disk encryption software 125 , and includes an encryption key selection module 1241 .
  • the encryption key selection module 1241 arbitrarily selects one from a plurality of encryption keys held in the encryption key table 201 .
  • the encryption key selection module 1241 decrypts the selected encryption key once using, for example, the common key shared by the administrator and the client and then encrypts the decrypted key using, for example, an encryption key uniquely created by the client.
  • the encryption key selection module 1241 creates an encryption key file 202 including the re-encrypted encryption key and index information (plaintext) on the encryption key and stores the encryption key file 202 into the HDD 21 of the computer in which the software 125 has been installed.
  • the hard disk encryption software 125 installed by the installer 124 encrypts the data in the HDD 21 using the encryption key included in the encryption key file 202 (for example, after the encryption key has been decrypted using the encryption key uniquely created by the client).
  • FIG. 3 is an exemplary schematic diagram of the HDD 21 of the client computer after the hard disk encryption software 125 has installed by the installer 124 .
  • the encryption key file 202 including an encryption key 202 A 2 used to encrypt data by the hard disk encryption software 125 has been stored.
  • the encryption key file 202 includes index information 202 A 1 for identifying the encryption key 202 A 2 in plaintext.
  • FIG. 4 is an exemplary conceptual diagram to explain the principle on which the hard disk encryption software 125 installed in the computer of each client encrypts the data in the HDD 21 .
  • the hard disk encryption software 125 reads the encryption key 202 A 2 included in plaintext in the encryption key file 202 created by the installer 124 and decrypts the encryption key 202 A 2 using the encryption key, for example, uniquely created by the user. After the data to be written into the HDD 21 by each application has been encrypted using the decrypted encryption key 202 A 2 , the decrypted data is written into the HDD 21 . In addition, after the data to be read from the HDD 21 by each application has been read from the HDD 21 and decrypted, the decrypted data is handed over.
  • the encryption program operation management system uses the off-line installation method as a method of installing hard disk encryption software 125 into the client computer. That is, the encryption key created beforehand on the administrator side is used by each client. Although, since the installer 124 selects any one of the plurality of encryption keys at each client who installs the hard disk encryption software 125 using the distributed installation package, the encryption keys differ between clients who have installed the hard disk encryption software 125 using the same installation package. Therefore, the security strength is increased.
  • an encryption key for decrypting the encrypted data is needed when the data in the HDD 21 is read.
  • the encryption key is, of course, encrypted using, for example, the encryption key uniquely created by each client in the HDD 21 to be recovered.
  • the encryption key table creation module 121 creates the encryption key table 201 which holds plaintext index information and an encryption key for ciphertext in such a manner that the former is caused to correspond to the latter.
  • the installer 124 also creates an encryption key file 202 which holds plaintext index information and an encryption key for ciphertext in such a manner that the former and the latter make pairs. That is, in the HDD 21 to be recovered; index information for recognizing the encryption key used by the hard disk encryption software 125 has been stored in plaintext.
  • the recovery module 123 of the operation management software 120 installed in the administrator computer acquires plaintext index information from the encryption key file 202 stored in the HDD 21 to be recovered and then obtains the encryption key caused to correspond to the index information from the encryption key table 201 in the installation package M 2 . Since the encryption key has been encrypted, the recovery module 123 decrypts the key using, for example, the common key shared by the administrator and clients and, using the decrypted encryption key, decrypts various items of encrypted data in the HDD 21 .
  • the encryption program operation management system has a mechanism for holding plaintext index information for recognizing each of the encryption keys and encrypted encryption keys in such a manner that the former are caused to correspond to the latter, which enables the administrator to carry out a recovery process without any problem.
  • FIG. 6 is an exemplary flowchart showing the procedure for creating an installation package for operation management software 120 running on the administrator computer.
  • the encryption key creation module 121 creates a plurality of encryption keys, encrypts the plurality of encryption keys and creates an encryption key table 201 which holds a plurality of items of plaintext index information for recognizing each of the plurality of encryption keys and a plurality of encrypted encryption keys in such a manner that the former are caused to correspond to the latter (block A 1 ).
  • the installation package creation module 122 creates an installation package (or storage medium M 2 ) which includes the encryption key table 201 created by the encryption key table creation module 121 , installer 124 , and hard disk encryption software 125 (block A 2 ).
  • FIG. 7 is an exemplary flowchart showing the procedure for operating the installer 124 in a case where hard disk encryption software 125 is installed in the client computer.
  • the encryption key selection module 1241 selects an arbitrary one of the plurality of encryption keys included in the encryption key table 201 in the installation package (block B 1 ).
  • the encryption key selection module 1241 creates an encryption key file 202 which includes the selected encryption key (ciphertext) and index information (plaintext) for recognizing the encryption key, and stores the file in the HDD 21 of the computer in which the table 201 has been installed (block B 2 ).
  • the installer 124 stores into the HDD 21 of the computer the hard disk encryption software 125 for encrypting the data in the HDD 21 using the encryption key included in the encryption key file 202 (block B 3 ).
  • FIG. 8 is an exemplary flowchart showing the procedure for operating the operation management software 120 in a case where the administrator computer is used to carry out a recovery process of reading the data stored in the HDD 21 of the client computer in which some defect occurred.
  • the recovery module 123 reads plaintext index information from the encryption key file 202 stored in the HDD 21 to be recovered (block C 1 ). Next, the recovery module 123 reads the encryption key caused to correspond to the index information from the encryption key table 210 in the installation package (block C 2 ). Then, the recovery module 123 reads various items of data from the HDD 21 using the read encryption key (block C 3 ).
  • the various modules of the systems described herein can be implemented as software applications, hardware and/or software modules, or components on one or more computers, such as servers. While the various modules are illustrated separately, they may share some or all of the same underlying logic or code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

According to one embodiment, an encryption program operation management system includes an encryption key table creation module which creates encryption keys and creates an encryption key table including encrypted versions of the encryption keys and items of plaintext index information for recognizing the encryption keys, and an installation package creation module which creates an installation package including an encryption program, the encryption key table, and an installation program for installing the encryption program into a computer. The installation program causes the computer to carry out an operation of selecting one of the encrypted versions of encryption keys and an operation of creating and storing encryption key information including the selected one of the encrypted versions of encryption key and one of the items of plaintext index information associated with the selected one of the encrypted versions of encryption keys.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is based upon and claims the benefit of priority from Japanese Patent Application No. 2008-330847, filed Dec. 25, 2008, the entire contents of which are incorporated herein by reference.
    • BACKGROUND
  • 1. Field
  • One embodiment of the invention relates to the technique for managing an encryption key in a case where hard disk encryption software is distributed and installed to prevent important data from being leaked from a computer which, for example, an employee uses in doing work.
  • 2. Description of the Related Art
  • In recent years, many of the office operations have been performed using personal computers, including desktop and notebook computers. Since the notebook computer can be powered by the battery, the user can carry it with him or her whenever going out and work in the car on the road or at an outside location. Thus, the notebook computers are very convenient.
  • Meanwhile, data leakage due to theft has been regarded as a problem. In this connection, the use of hard disk encryption software for encrypting the data in the hard disk has begun to spread. Hard disk encryption software is a data encryption program which encrypts data using an encryption key in writing data into the hard disk and decrypts the encrypted data in reading the data from the hard disk. When the hard disk encryption software is distributed to the employees to cause them to install it into the individual computers, this is achieved by either the on-line installation method or the off-line installation method.
  • In the on-line installation method, the client side sets an encryption key arbitrarily and informs the operation management server on the management side of the encryption key. In the off-line installation method, the management side sets an encryption key respectively in creating an installation package for installing hard disk encryption software and distributes the encryption key to the client in a top-down method.
  • That is, in the on-line installation method, the administrator manages the encryption key reported by the client. In the off-line installation method, the administrator manages the self-set encryption key in creating an installation package to be distributed to the clients. The encryption key managed by the administrator is used for a so-called recovery process to extract encrypted data in the hard disk and decrypt the extracted data when the computer of a client cannot be activated, for example. Various methods of managing encryption keys have been proposed (e.g., refer to Jpn. Pat. Appln. KOKAI Publication No. 2006-319861).
  • In the on-line installation method, although each client may set an encryption key arbitrarily, enhancing security, a network environment and an operation management server are needed, making the size of the system larger. This leads to a disadvantage in that a certain amount of cost rise cannot be avoided.
  • In the off-line installation method, while the computer with which the administrator creates the installation package and the computer in which each client installs hard disk encryption software using the installation package are each allowed to operate on a stand-alone environment, achieving low operating cost, this approach has the following disadvantage: since the encryption keys of the clients who have installed hard disk encryption software using the same installation package are all the same, the strength of security is decreased.
    • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • A general architecture that implements the various feature of the invention will now be described with reference to the drawings. The drawings and the associated descriptions are provided to illustrate embodiments of the invention and not to limit the scope of the invention.
  • FIG. 1 is an exemplary diagram showing a system configuration of a personal computer used in an encryption program operation management system according to an embodiment of the invention;
  • FIG. 2 is an exemplary conceptual diagram to explain the way an installation package is created in the encryption program operation management system of the embodiment;
  • FIG. 3 is an exemplary conceptual diagram to explain a state where hard disk encryption software is installed in the encryption program operation management system of the embodiment;
  • FIG. 4 is an exemplary conceptual diagram to explain the principle of a hard disk encryption process in the encryption program operation management system of the embodiment;
  • FIG. 5 is an exemplary conceptual diagram to explain the principle of a hard disk recovery process in the encryption program operation management system of the embodiment;
  • FIG. 6 is an exemplary flowchart showing the procedure for creating an installation package for operation management software running on the management-side computer in the encryption program operation management system of the embodiment;
  • FIG. 7 is an exemplary flowchart showing the procedure for operating an installer in a case where hard disk encryption software is installed in the client-side computer in the encryption program operation management system of the embodiment; and
  • FIG. 8 is an exemplary flowchart showing the procedure for operating the operation management software in a case where the management-side computer is used to carry out the process of recovering the client hard disk in the encryption program operation management system of the embodiment.
    •  DETAILED DESCRIPTION
  • Various embodiments according to the invention will be described hereinafter with reference to the accompanying drawings. In general, according to one embodiment of the invention, an encryption program operation management system includes an encryption key table creation module which creates encryption keys and creates an encryption key table including encrypted versions of the encryption keys and items of plaintext index information for recognizing the encryption keys, and an installation package creation module which creates an installation package including an encryption program, the encryption key table, and an installation program for installing the encryption program into a computer. The installation program causes the computer to carry out an operation of selecting one of the encrypted version of encryption keys and an operation of creating and storing encryption key information including the selected one of the encrypted version of encryption key and one of the items of plaintext index information associated with the selected one of the encrypted version of encryption keys.
  • FIG. 1 is an exemplary diagram showing a system configuration of a personal computer used in an encryption program operation management system according to an embodiment of the invention. The encryption program operation management system of the embodiment, which is for encrypting the data in the hard disk drive (HDD) of a personal computer given to each employee (or client) in an office or the like, is constructed of a personal computer for an administrator and a plurality of personal computers for clients.
  • Suppose the personal computer of the administrator and the personal computers for the clients are notebook personal computers of the same type which have the system configuration of FIG. 1. Although the embodiment will be explained using a system for encrypting the data in the HDD as an example, the invention is not limited to this. The invention may be applied to any system, provided that the system uses an encryption key for encrypting data.
  • As shown in FIG. 1, the computer includes a CPU 11, a north bridge 12, a main memory 13, a display controller 14, a video memory (VRAM) 14A, a liquid-crystal display (LCD) 15, a south bridge 16, a sound controller 17, a speaker 18, a BIOS-ROM 19, a LAN controller 20, a hard disk drive (HDD) 21, an optical disc drive (ODD) 22, a wireless LAN controller 23, a USB controller 24, an embedded controller/keyboard controller (EC/KBC) 25, a keyboard (KB) 26, and a pointing device 27.
  • The CPU 11 is a processor for controlling the operation of the computer, and executes an operating system (OS) and various application programs that operate under the control of the OS loaded from the HDD 21 or ODD 22 into the main memory 13. Moreover, the CPU 11 executes a basic input/output system (BIOS) stored in the BIOS-ROM 19. The BIOS is a program for controlling hardware.
  • The north bridge 12 is a bridge device which connects the local bus of the CPU 11 and the south bridge 16. The north bridge 12 includes a memory controller which provides access control of the main memory 13. The north bridge 12 also includes the function of communicating with the display controller 14.
  • The display controller 14 is a device which controls the LCD 15 used as a display monitor of the computer. The display controller 14 generates a display signal and sends the signal to the LCD 15.
  • The south bridge 16 controls the individual devices on a peripheral component interconnect (PCI) bus and a low pin count (LPC) bus. The south bridge 16 includes an integrated drive electronics (IDE) controller for controlling the HDD 21 and ODD 22 and a memory controller for providing access control of the BIOS-ROM 19. The south bridge 16 also includes the function of communicating with the sound controller 17 and LAN controller 20.
  • The sound controller 17 is a sound source device, and outputs audio data to be reproduced to the speaker 18.
  • The LAN controller 20 is a wire communication device which performs wire communication complying with, for example, the Ethernet (registered trademark) standard. The wireless LAN controller 23 is a wireless communication device which performs wireless communication conforming to, for example, the IEEE 802.11 standard. The USB controller 24 controls an USB device externally connected via, for example, a cable complying with the USB 2.0 standard.
  • The EC/KBC 25 is a one-chip microcomputer in which an embedded controller for power management and a keyboard controller for controlling the KB 26 and pointing device 27 are integrated. The EC/KBC 25 includes the function of providing on/off control of the power of the computer according to the user operation.
  • When an encryption program operation management system is constructed using the computers configured as described above, the administrator installs operation management software 120 into his or her own computer using a storage medium M1 shown in FIG. 2. The storage medium M1 is, for example, a compact disc (CD) or a digital versatile disc (DVD). In the storage medium M1, an installer 110 and the operation management software 120 have been stored. The installer 110 is a program for installing the operation management software 120. The administrator sets the storage medium Ml in the ODD 22 of his or her own computer and executes the installer 110, thereby installing the operation management software 120.
  • The operation management software 120 includes an encryption key table creation module 121, an installation package creation module 122, a recovery module 123, an installer 124, and hard disk encryption software 125. Of these, the hard disk encryption software 125 is a program which is installed in the individual computers of the clients and encrypts the data in the HDD 21. The administrator creates an installation package for distributing the hard disk encryption software 125 to the individual clients by using the operation management software 120. Although an example of creating the installation package in the form of a storage medium M2 is explained as shown in FIG. 2, the installation package may be created in the form of a delivery file, provided that the administrator computer and the client computers can communicated with one another.
  • When an installation package (storage medium M2) is created by the operation management software 120, first, the encryption key table creation module 121 inputs, for example, system time as a parameter to generate random numbers, thereby creating a plurality of encryption keys. The encryption key table creation module 121 encrypts the plurality of encryption keys by using a common key shared by, for example, the administrator and the clients, and creates an encryption key table 201 which holds plaintext index information for identifying the individual encryption keys and the encrypted encryption keys in such a manner the former correspond to the latter. That is, since the administrator creates encryption keys and the clients use the keys, it may be said that the encryption program operation management system employs the off-line installation method as a method of installing the hard disk encryption software 125 in the client computers.
  • After the encryption key table 201 has been created, the installation package creation module 122 creates an installation package which includes the encryption key table 201, installer 124, and hard disk encryption software 125. Here, the installation package creation module 122 writes the encryption key table 201, installer 124, and hard disk encryption software 125 into the storage medium M2 set in the ODD 22.
  • The administrator distributes (or circulates) the installation package (or storage medium M2) created in this way to the individual clients. Having received the installation package, each client sets the storage medium M2 in the ODD 22 of his or her own computer and executes the installer 124.
  • The installer 124 is a program for installing the hard disk encryption software 125, and includes an encryption key selection module 1241. When installing the hard disk encryption software 125, the encryption key selection module 1241 arbitrarily selects one from a plurality of encryption keys held in the encryption key table 201. The encryption key selection module 1241 decrypts the selected encryption key once using, for example, the common key shared by the administrator and the client and then encrypts the decrypted key using, for example, an encryption key uniquely created by the client. Then, the encryption key selection module 1241 creates an encryption key file 202 including the re-encrypted encryption key and index information (plaintext) on the encryption key and stores the encryption key file 202 into the HDD 21 of the computer in which the software 125 has been installed. The hard disk encryption software 125 installed by the installer 124 encrypts the data in the HDD 21 using the encryption key included in the encryption key file 202 (for example, after the encryption key has been decrypted using the encryption key uniquely created by the client).
  • FIG. 3 is an exemplary schematic diagram of the HDD 21 of the client computer after the hard disk encryption software 125 has installed by the installer 124. As shown in FIG. 3, not only has the hard disk encryption software 125 been installed, but also the encryption key file 202 including an encryption key 202A2 used to encrypt data by the hard disk encryption software 125 has been stored. The encryption key file 202 includes index information 202A1 for identifying the encryption key 202A2 in plaintext.
  • FIG. 4 is an exemplary conceptual diagram to explain the principle on which the hard disk encryption software 125 installed in the computer of each client encrypts the data in the HDD 21.
  • The hard disk encryption software 125 reads the encryption key 202A2 included in plaintext in the encryption key file 202 created by the installer 124 and decrypts the encryption key 202A2 using the encryption key, for example, uniquely created by the user. After the data to be written into the HDD 21 by each application has been encrypted using the decrypted encryption key 202A2, the decrypted data is written into the HDD 21. In addition, after the data to be read from the HDD 21 by each application has been read from the HDD 21 and decrypted, the decrypted data is handed over.
  • As described above, the encryption program operation management system uses the off-line installation method as a method of installing hard disk encryption software 125 into the client computer. That is, the encryption key created beforehand on the administrator side is used by each client. Although, since the installer 124 selects any one of the plurality of encryption keys at each client who installs the hard disk encryption software 125 using the distributed installation package, the encryption keys differ between clients who have installed the hard disk encryption software 125 using the same installation package. Therefore, the security strength is increased.
  • Next, consider a case where the computer of a client has malfunction, for example, cannot activate the operating system. To deal with this malfunction, an encryption key for decrypting the encrypted data is needed when the data in the HDD 21 is read. The encryption key is, of course, encrypted using, for example, the encryption key uniquely created by each client in the HDD 21 to be recovered.
  • Since in the normal off-line installation method, only one encryption key is created for each installation package, the only one encryption key has only to be obtained. As described above, in the encryption program operation management system, a plurality of encryption keys are created for each installation package and any one of the encryption keys is selected arbitrarily for each client to increase security strength. Therefore, it is necessary to determine by any method which one of the encryption keys has been used.
  • To do this, the encryption key table creation module 121 creates the encryption key table 201 which holds plaintext index information and an encryption key for ciphertext in such a manner that the former is caused to correspond to the latter. Similarly, the installer 124 also creates an encryption key file 202 which holds plaintext index information and an encryption key for ciphertext in such a manner that the former and the latter make pairs. That is, in the HDD 21 to be recovered; index information for recognizing the encryption key used by the hard disk encryption software 125 has been stored in plaintext.
  • Therefore, as shown in FIG. 5, the recovery module 123 of the operation management software 120 installed in the administrator computer acquires plaintext index information from the encryption key file 202 stored in the HDD 21 to be recovered and then obtains the encryption key caused to correspond to the index information from the encryption key table 201 in the installation package M2. Since the encryption key has been encrypted, the recovery module 123 decrypts the key using, for example, the common key shared by the administrator and clients and, using the decrypted encryption key, decrypts various items of encrypted data in the HDD 21.
  • As described above, in parallel with the increase of security strength by making the encryption keys differ between the clients who have installed the hard disk encryption software 125 using the same installation package, the encryption program operation management system has a mechanism for holding plaintext index information for recognizing each of the encryption keys and encrypted encryption keys in such a manner that the former are caused to correspond to the latter, which enables the administrator to carry out a recovery process without any problem.
  • FIG. 6 is an exemplary flowchart showing the procedure for creating an installation package for operation management software 120 running on the administrator computer.
  • First, the encryption key creation module 121 creates a plurality of encryption keys, encrypts the plurality of encryption keys and creates an encryption key table 201 which holds a plurality of items of plaintext index information for recognizing each of the plurality of encryption keys and a plurality of encrypted encryption keys in such a manner that the former are caused to correspond to the latter (block A1).
  • Next, the installation package creation module 122 creates an installation package (or storage medium M2) which includes the encryption key table 201 created by the encryption key table creation module 121, installer 124, and hard disk encryption software 125 (block A2).
  • FIG. 7 is an exemplary flowchart showing the procedure for operating the installer 124 in a case where hard disk encryption software 125 is installed in the client computer.
  • The encryption key selection module 1241 selects an arbitrary one of the plurality of encryption keys included in the encryption key table 201 in the installation package (block B1). The encryption key selection module 1241 creates an encryption key file 202 which includes the selected encryption key (ciphertext) and index information (plaintext) for recognizing the encryption key, and stores the file in the HDD 21 of the computer in which the table 201 has been installed (block B2).
  • Then, the installer 124 stores into the HDD 21 of the computer the hard disk encryption software 125 for encrypting the data in the HDD 21 using the encryption key included in the encryption key file 202 (block B3).
  • FIG. 8 is an exemplary flowchart showing the procedure for operating the operation management software 120 in a case where the administrator computer is used to carry out a recovery process of reading the data stored in the HDD 21 of the client computer in which some defect occurred.
  • The recovery module 123 reads plaintext index information from the encryption key file 202 stored in the HDD 21 to be recovered (block C1). Next, the recovery module 123 reads the encryption key caused to correspond to the index information from the encryption key table 210 in the installation package (block C2). Then, the recovery module 123 reads various items of data from the HDD 21 using the read encryption key (block C3).
  • As described above, with the encryption program operation management system of the embodiment, security strength is increased in a case where the encryption program is distributed by the off-line installation method.
  • The various modules of the systems described herein can be implemented as software applications, hardware and/or software modules, or components on one or more computers, such as servers. While the various modules are illustrated separately, they may share some or all of the same underlying logic or code.
  • While certain embodiments of the inventions have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.

Claims (6)

1. An encryption program operation management system comprising:
a computer system comprising computer hardware, the computer system programmed to implement:
an encryption key table generator configured to generate encryption keys and to generate an encryption key table comprising encrypted versions of the encryption keys and items of plain-text index information, the encrypted versions of the encryption keys being associated with the items of index information; and
an installation package comprising an encryption program, the encryption key table, and an installation program configured to cause the computer system to install the encryption program into the computer system;
wherein the installation program is configured to cause the computer system to select one of the encrypted versions of encryption keys in the encryption key table used by the encryption program, and to generate and store encryption key information comprising the selected one of the encrypted versions of encryption keys and one of the items of index information associated with the selected one of the encrypted versions of encryption keys, when the installation program installs the encryption program into the computer.
2. The system of claim 1, wherein the encryption program is configured to cause the computer system to:
encrypt target data and write the encrypted data into a hard disk; and
read the encrypted data from the hard disk and decrypt the encrypted data.
3. The system of claim 1, further comprising a recovery module configured to access the index information from the encryption key information in the computer system, and to read one of the encrypted versions of the encryption keys based at least partly on the index information accessed from the encryption key table, wherein the encrypted version of the encryption keys is configured to be used by the encryption program in the computer system.
4. A computer-readable storage medium comprising computer-executable instructions configured to cause a computer to implement a method of distributing an encryption program to a computer of a user, the method comprising:
generating encryption keys and an encryption key table comprising encrypted versions of the encryption keys and items of plain-text index information, such that the encrypted versions of the encryption keys are associated with the items of index information; and
providing an installation package comprising an encryption program, the encryption key table, and an installation program configured to cause the user computer to install the encryption program into the user computer,
wherein the installation program is configured to cause the user computer to select one of the encrypted versions of encryption keys in the encryption key table used by the encryption program, and to generate and store encryption key information comprising the selected one of the encrypted versions of encryption keys and one of the items of index information associated with the selected one of the encrypted versions of encryption keys, responsive to the installation program installing the encryption program into the user computer.
5. The computer-readable storage medium of claim 4, wherein the encryption program is further configured to:
encrypt target data and write the encrypted data into a hard disk; and
read the encrypted data from the hard disk and decrypt the encrypted data.
6. The computer-readable storage medium of claim 4, wherein the method further comprises causing a computer of an administrator to read the item of index information from the encryption key information installed in the user computer, and to read one of the encrypted versions of the encryption keys based at least partly on the read index information from the encryption key table, such that one of the encrypted versions of the encryption keys is configured to be used by the encryption program in the user computer.
US12/610,139 2008-12-25 2009-10-30 Encryption program operation management system and program Abandoned US20100169672A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/096,726 US8352751B2 (en) 2008-12-25 2011-04-28 Encryption program operation management system and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008330847A JP4496266B1 (en) 2008-12-25 2008-12-25 Encryption program operation management system and program
JP2008-330847 2008-12-25

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/096,726 Continuation US8352751B2 (en) 2008-12-25 2011-04-28 Encryption program operation management system and program

Publications (1)

Publication Number Publication Date
US20100169672A1 true US20100169672A1 (en) 2010-07-01

Family

ID=42286359

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/610,139 Abandoned US20100169672A1 (en) 2008-12-25 2009-10-30 Encryption program operation management system and program
US13/096,726 Active US8352751B2 (en) 2008-12-25 2011-04-28 Encryption program operation management system and program

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/096,726 Active US8352751B2 (en) 2008-12-25 2011-04-28 Encryption program operation management system and program

Country Status (2)

Country Link
US (2) US20100169672A1 (en)
JP (1) JP4496266B1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2605131A1 (en) * 2010-08-11 2013-06-19 ZTE Corporation Packing method and device for version upgrade software package
US20130262876A1 (en) * 2010-12-07 2013-10-03 Huawei Device Co., Ltd Method, Apparatus, and System for Performing Authentication on Bound Data Card and Mobile Host
US20160292447A1 (en) * 2015-04-06 2016-10-06 Lawlitt Life Solutions, LLC Multi-layered encryption
CN109992936A (en) * 2017-12-31 2019-07-09 中国移动通信集团河北有限公司 Data source tracing method, device, equipment and medium based on data watermark
US11899814B1 (en) * 2022-08-24 2024-02-13 Arthur Hustad Method and system for providing control over storage of and access to user data

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014048635A (en) * 2012-09-04 2014-03-17 Hitachi Solutions Ltd Hard disk encryption program and hard disk encryption system
US8930698B2 (en) * 2012-12-27 2015-01-06 Dropbox, Inc. Encrypting globally unique identifiers at communication boundaries
US10019603B2 (en) * 2014-04-16 2018-07-10 Synopsys, Inc. Secured memory system and method therefor
WO2015157842A1 (en) * 2014-04-16 2015-10-22 Elliptic Technologies Inc. Secured memory system and method therefor
US9448785B1 (en) * 2015-11-06 2016-09-20 AO Kaspersky Lab System and method updating full disk encryption software
US10592697B1 (en) 2017-12-12 2020-03-17 John Almeida Virus immune computer system and method
US10642970B2 (en) * 2017-12-12 2020-05-05 John Almeida Virus immune computer system and method
US10614254B2 (en) 2017-12-12 2020-04-07 John Almeida Virus immune computer system and method
US10614232B2 (en) * 2018-09-10 2020-04-07 John Almeida Storing and using multipurpose secret data
US10892895B2 (en) * 2018-09-10 2021-01-12 Atense, Inc. Storing and using multipurpose secret data
US11087324B2 (en) * 2019-06-20 2021-08-10 Bank Of America Corporation Pre-authorized secure resource allocation system
CN110502900B (en) * 2019-08-26 2022-07-05 Oppo广东移动通信有限公司 Detection method, terminal, server and computer storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030016827A1 (en) * 2000-04-06 2003-01-23 Tomoyuki Asano Information recording/reproducing apparatus and method
US20080292104A1 (en) * 2005-12-07 2008-11-27 France Telecom Recovery of Expired Decryption Keys

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH09319573A (en) * 1996-05-28 1997-12-12 Nec Corp Charging system for circulation program, charging method and computer readable medium for storing program for charging circulation program
JPH1127253A (en) * 1997-07-07 1999-01-29 Hitachi Ltd Key recovery system, key recovery device, recording medium for storing key recovery program and key recovery method
JPH11308213A (en) * 1998-04-20 1999-11-05 Hitachi Ltd Encryption data recovery method and its system
US7228437B2 (en) * 1998-08-13 2007-06-05 International Business Machines Corporation Method and system for securing local database file of local content stored on end-user system
JP2000115551A (en) * 1998-09-30 2000-04-21 Fuji Photo Film Co Ltd Ciphering method, deciphering method, ciphering device, deciphering device and recording medium
JP2000358022A (en) * 1999-06-15 2000-12-26 Mitsubishi Electric Corp Cipher communication system, cryptographic key determining method and computer readable storage medium recording program for computer to execute the same method
JP2001036518A (en) * 1999-07-19 2001-02-09 Ntt Software Corp Cipher communication equipment
JP2002290396A (en) * 2001-03-23 2002-10-04 Toshiba Corp Encryption key update system and encryption key update method
JP3993989B2 (en) * 2001-04-18 2007-10-17 株式会社パンプキンハウス Encryption system and control method thereof, key management server and client used in encryption system, and control method thereof
JP3803088B2 (en) * 2001-04-18 2006-08-02 株式会社パンプキンハウス Cryptographic system and control method thereof
JP4047573B2 (en) * 2001-11-06 2008-02-13 東芝ソリューション株式会社 Electronic information management apparatus and program
JP4688426B2 (en) * 2004-03-09 2011-05-25 富士通株式会社 Wireless communication system
EP1715616A1 (en) * 2004-03-30 2006-10-25 Matsushita Electric Industrial Co., Ltd. Update system for cipher system
JPWO2006040806A1 (en) * 2004-10-08 2008-08-07 ソフトバンクBb株式会社 Encryption key distribution system
JP2006229279A (en) * 2005-02-15 2006-08-31 Hitachi Software Eng Co Ltd Method and system for transmitting/receiving secret data
JP2006319861A (en) * 2005-05-16 2006-11-24 Matsushita Electric Ind Co Ltd Key information distribution method, system, program and medium
JP4984612B2 (en) * 2006-04-10 2012-07-25 ブラザー工業株式会社 Installer package
JP4879725B2 (en) * 2006-12-28 2012-02-22 キヤノンItソリューションズ株式会社 Content distribution system, control program, and storage medium
US20080219449A1 (en) * 2007-03-09 2008-09-11 Ball Matthew V Cryptographic key management for stored data

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030016827A1 (en) * 2000-04-06 2003-01-23 Tomoyuki Asano Information recording/reproducing apparatus and method
US20080292104A1 (en) * 2005-12-07 2008-11-27 France Telecom Recovery of Expired Decryption Keys

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2605131A1 (en) * 2010-08-11 2013-06-19 ZTE Corporation Packing method and device for version upgrade software package
EP2605131A4 (en) * 2010-08-11 2013-11-27 Zte Corp Packing method and device for version upgrade software package
US8726265B2 (en) 2010-08-11 2014-05-13 Zte Corporation Apparatus and method for packing a software package of version upgrade
US20130262876A1 (en) * 2010-12-07 2013-10-03 Huawei Device Co., Ltd Method, Apparatus, and System for Performing Authentication on Bound Data Card and Mobile Host
US20160292447A1 (en) * 2015-04-06 2016-10-06 Lawlitt Life Solutions, LLC Multi-layered encryption
CN109992936A (en) * 2017-12-31 2019-07-09 中国移动通信集团河北有限公司 Data source tracing method, device, equipment and medium based on data watermark
US11899814B1 (en) * 2022-08-24 2024-02-13 Arthur Hustad Method and system for providing control over storage of and access to user data

Also Published As

Publication number Publication date
US8352751B2 (en) 2013-01-08
JP2010154297A (en) 2010-07-08
JP4496266B1 (en) 2010-07-07
US20110219241A1 (en) 2011-09-08

Similar Documents

Publication Publication Date Title
US8352751B2 (en) Encryption program operation management system and program
US11764951B2 (en) Doubly-encrypted secret parts allowing for assembly of a secret using a subset of the doubly-encrypted secret parts
US9998464B2 (en) Storage device security system
CA2536611C (en) Method and system for securing data utilizing redundant secure key storage
JP4648687B2 (en) Method and apparatus for encryption conversion in data storage system
KR101712784B1 (en) System and method for key management for issuer security domain using global platform specifications
US8615666B2 (en) Preventing unauthorized access to information on an information processing apparatus
JP2017126321A (en) Computer program, secret management method, and system
US8181028B1 (en) Method for secure system shutdown
US20120303974A1 (en) Secure Removable Media and Method for Managing the Same
CN103020537A (en) Data encrypting method, data encrypting device, data deciphering method and data deciphering device
US20200004695A1 (en) Locally-stored remote block data integrity
US20100241870A1 (en) Control device, storage device, data leakage preventing method
US20050259458A1 (en) Method and system of encrypting/decrypting data stored in one or more storage devices
US20110246784A1 (en) Systems and methods for disk encryption with two keys
US10929030B2 (en) Computer and control method
US20080263368A1 (en) Computer system, management terminal, storage system and encryption management method
US20220188468A1 (en) System memory information protection with a controller
JP2011197928A (en) Storage device and method for changing encryption key
US11283600B2 (en) Symmetrically encrypt a master passphrase key
JP5539024B2 (en) Data encryption apparatus and control method thereof
JP2012084950A (en) Method for accessing server and access program
WO2014042512A1 (en) Management of storage encryption over network-based elastic block store volume
JP2009216841A (en) Encrypted data storage device, encrypted data management method, data encryption device, and encrypted data management control program
JP2007316887A (en) Data management system and management device, and data management method and program

Legal Events

Date Code Title Description
AS Assignment

Owner name: KABUSHIKI KAISHA TOSHIBA,JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TAKEDA, JUN;REEL/FRAME:023452/0706

Effective date: 20091014

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION