US20210117108A1 - Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host
- Publication number: US20210117108A1 (application US16/877,377)
- Authority: US (United States)
- Prior art keywords: mode, storage device, access code, secure storage, privileged
- Legal status: Abandoned (status as listed by Google Patents; not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
- G06F3/0622—Securing storage systems in relation to access
- G06F3/0623—Securing storage systems in relation to content
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0629—Configuration or reconfiguration of storage systems
- G06F3/0632—Configuration or reconfiguration of storage systems by initialisation or re-initialisation of storage systems
- G06F3/0634—Configuration or reconfiguration of storage systems by changing the state or mode of one or more devices
- G06F3/0646—Horizontal data movement in storage systems, i.e. moving data in between storage devices or systems
- G06F3/0652—Erasing, e.g. deleting, data cleaning, moving of data to a wastebasket
- G06F3/0655—Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
- G06F3/0659—Command handling arrangements, e.g. command buffers, queues, command scheduling
- G06F3/0668—Interfaces specially adapted for storage systems adopting a particular infrastructure
- G06F3/0671—In-line storage system
- G06F3/0673—Single storage device
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Definitions
- the present description relates in general to computer-based storage devices, and more particularly to, for example, without limitation, a portable storage device with an internal controller that can self-verify access codes and self-convert from a current mode to a renewed mode without communicating with a host and related methods.
- FIG. 1 illustrates an example of architecture for a host and portable secure storage devices.
- FIG. 2 is a block diagram illustrating an example of a host and a portable secure storage device.
- FIG. 3 illustrates an example of modes and operations of a portable secure storage device.
- FIG. 4 illustrates an example of operations performed by a portable secure storage device.
- FIG. 5 illustrates another example of operations performed by a portable secure storage device.
- not all of the depicted components in each figure may be required, and one or more implementations may include additional components not shown in a figure. Variations in the arrangement and type of the components may be made without departing from the scope of the subject disclosure. Additional components, different components, or fewer components may be utilized within the scope of the subject disclosure.
- a portable secure storage device provides a highly secure, flexible, host-free solution.
- a portable secure storage device may include a physical input device (e.g., a keypad), a mass storage memory and a controller.
- the portable secure storage device does not require any host control, software or input for its normal operation or management (e.g., to lock or unlock the device, to authenticate the device, or to encrypt or decrypt data to or from a mass storage memory).
- the portable secure storage device can be self-authenticated as it uses its own input device and its own controller, all of which reside within or on the portable secure storage device itself.
- the portable secure storage device does not need a host for authentication.
- the portable secure storage device, rather than a host, receives a security access code from a user via the device's own input device.
- the portable secure storage device can determine whether the security access code matches with an access code securely stored within the device, without using any input, instruction or data from a host.
- the portable secure storage device itself, rather than the host, can receive and process the security access code.
- the security access code is maintained only within the portable secure storage device and is not shared with the host. As there is no host involvement in the encryption key generation/management process or the authentication process, the risk of software hacking can be substantially circumvented.
- in a renewed mode, the storage device does not contain any access code that can be used for verification to unlock and operate the device in its normal operating mode, and any data previously encrypted and stored in the device cannot be decrypted.
- all configuration profiles that are not access codes are changed to their default values. This renewed mode may be useful when the access codes are forgotten or misplaced, or when it is desirable to erase all data, format and settings so that the device can be redeployed fresh.
- One implementation may permit any user (e.g., a privileged user, a restricted user, or other users) to place the device into a renewed mode without any restriction.
- the disadvantage of this implementation is that any user (even an unauthorized user) can put the device into a renewed mode. Once in a renewed mode, that user can re-configure the device any way he or she desires. For example, if a device belongs to a company and if an unauthorized user places the device into a renewed mode, then he or she can re-configure and use the device in a manner that is against the company's computer security policy.
- this disclosure provides new advantageous methods that can prevent unauthorized conversion of the device into a renewed mode.
- the subject disclosure provides two modes: an exclusive mode and a nonexclusive mode. These modes can be set or changed when a privileged security access code is verified. If the device is in a nonexclusive mode, then the device can be converted from a current mode to a renewed mode without restrictions. If, however, the device is in an exclusive mode, and if a privileged security access code is not verified, then the device is prevented from entering into a renewed mode even if a restricted security access code has been verified.
- the subject technology addresses challenges arising in the realm of computer technology by providing a solution rooted in hardware and firmware, for example, by providing a portable secure storage device with an internal controller that can self-authenticate, self-determine whether a request for conversion has been made, self-determine the modes of the device, and self-convert the device to a renewed mode only when appropriate.
- Each of these operations can be carried out securely, efficiently and promptly without communicating with a host or using the host.
- by enabling the portable secure storage device to perform self-authentication, self-determination, and self-conversion in such a manner, and by not sharing the access codes, instructions or encryption key(s) with the host, the subject technology can greatly enhance the security of the portable secure storage device.
- no special software or driver is required, thereby improving the performance of the host by eliminating installation and execution overhead of such extra software.
- FIG. 1 illustrates an example of architecture for a host and secure storage devices suitable for practicing one or more implementations of the disclosure.
- the architecture shown in FIG. 1 is for illustration purposes, and other architecture implementations and methods are within the scope of the disclosure.
- the architecture 100 includes a host 120 and portable secure storage devices 110 connected over a communication bus 130.
- the host 120 is operable to connect to the portable secure storage devices 110.
- the host 120 may be a computer with a general-purpose operating system.
- the host 120 may be an embedded system.
- Multiple portable secure storage devices 110 can be connected to the host 120 over a common data terminal (e.g., the communication bus 130).
- the host 120 can be, for example, a desktop computer, a personal computer (PC), a server, a mobile computer, a tablet computer (e.g., an e-book reader), a mobile device (e.g., a smartphone or personal digital assistant (PDA)), or any other type of device or system having appropriate processor, memory, and communications capabilities for connecting to the portable secure storage device(s) 110.
- the host 120 may include one or more computing devices.
- the host 120 may include an input device 216 and an output device 214.
- the host 120 may connect to the portable secure storage devices 110 for reading and writing images, sounds, videos, and other data.
- a portable secure storage device 110 can be a storage device having appropriate processor, memory, and communications capabilities for storing secure data, serving as a secure data back-up, and/or transferring secure data.
- the secure data may be accessible by various computing devices, including the host 120, over the communication bus 130.
- a portable secure storage device may sometimes be referred to as a portable storage device, a storage device, a device, a drive, a memory apparatus or an apparatus.
- a portable secure storage device 110 may represent a portable hard disk drive, a portable solid-state drive, a flash memory key, an encased portable storage device, an encased portable secure storage device, a portable storage device, or another storage device.
- the communication bus 130 can include or can be a part of, for example, any one or more of a universal serial bus (USB), IEEE 1394, Thunderbolt 3, Ethernet, serial advanced technology attachment (ATA), external serial ATA (eSATA) and/or any other type of communication bus, communication interface or communication port.
- a communication bus may be referred to as a communication channel, a communication medium, or vice versa.
- the communication bus 130 can include, but is not limited to, any one or more of the following network topologies: a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or hierarchical network, or any other suitable type of network.
- FIG. 2 is a block diagram illustrating an example of a system including a portable secure storage device and a host.
- the system shown in FIG. 2 is for illustration purposes, and other systems and methods are within the scope of the disclosure.
- a system 200 may include a host 120 and a portable secure storage device 110 connected over a communication bus 130 via respective communications modules 218 and 238.
- the communications modules 218 and 238 are configured to interface with the communication bus 130 to send and receive information, such as data, requests, responses, and commands, between the host 120 and the portable secure storage device 110.
- the communications modules 218 and 238 can be, or can be a part of, for example, serial bus connectors or interfaces.
- the communications modules 218 and 238 may be referred to as, or may include, network interfaces or communication interfaces.
- the communications module 218 and the communication bus 130 may be a part of a USB.
- the communications module 238 may be a part of a USB connector.
- the communications module 218 and the communication bus 130 may be a part of a USB port(s), and the USB connector may be connected to the USB port.
- each of the communications modules 218 and 238 and the communication bus 130 is a wired communications module or bus.
- each of the communications modules 218 and 238 and the communication bus 130 may be a wireless communications module or bus.
- the communications modules 218 and 238 and the communication bus 130 may include, or be part of, a wireless interface(s), a wireless port(s), a wireless medium/media, and/or a wireless channel(s) to allow wireless communications between a host and a portable secure storage device(s).
- the host 120 includes a processor 212 and a memory 220.
- the memory 220 may be a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing.
- the memory 220 of the host 120 includes an operating system 222, which may be a general-purpose operating system or an embedded operating system.
- the memory 220 may also include one or more applications, such as a configurator application (not shown), to communicate with the portable secure storage device 110. From the memory 220, the processor 212 may retrieve instructions to execute and data to process in order to facilitate some of the processes of the subject disclosure.
- the processor 212 can be a single processor, multiple processors, or a multi-core processor in different implementations.
- the portable secure storage device 110 includes a memory 232 and a controller 258.
- the portable secure storage device 110 may further include a communications module 238, an input device 246, and an output device 244.
- the input device may be referred to as a physical input device, a physical key input device, or a key input device.
- the output device may be referred to as a physical output device.
- the portable secure storage device 110 includes a casing (e.g., 111 as illustrated in FIG. 1) or a housing.
- the casing may be, for example, a metal-based casing (e.g., aluminum) or a hardened plastic material.
- the casing may be made of multiple parts.
- the memory 232 and the controller 258 are disposed within the casing.
- the memory 232 is configured to store secure data (e.g., encrypted data).
- the memory 232 may be, or may include, a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, registers, or a combination of some or all of the foregoing.
- the memory 232 is a non-volatile memory unit that stores and retains data even when the portable secure storage device 110 is powered off.
- the memory 232 may include one or more memories.
- the memory 232 may include a flash memory, a hard drive, a solid-state drive, or some combination thereof. In one or more implementations, the memory 232 is a mass storage device.
- the memory 232 may store 2 gigabytes (GB) to 16 terabytes (TB) of user data or more.
- the memory 232 is the largest memory in the portable secure storage device 110.
- the memory 232 may be communicably coupled to the controller 258 via a bidirectional communication link 254.
- the link 254 is a high-speed serial advanced technology attachment (SATA) link for point-to-point connection between the memory 232 and the controller 258.
- the physical input device 246 enables a user to communicate information and select commands to the portable secure storage device 110.
- the physical input device 246 may receive a security access code from a user (e.g., a privileged user or a restricted user) to facilitate unlocking of the portable secure storage device.
- the security access code may also facilitate authentication of the user.
- the physical input device 246 may receive other control input to control the operation of the portable secure storage device.
- the physical input device 246 may receive a control input from a user (e.g., generated by the user pressing a button or a sequence of buttons) to convert a portable secure storage device 110 from a current mode to a renewed mode.
- for example, the user may press a first sequence of buttons (e.g., a request followed by a valid privileged security access code) to place the portable secure storage device 110 in the privileged mode.
- the user can then press a second sequence of buttons to request conversion of the portable secure storage device 110 from the privileged mode to a renewed mode.
- the physical input device 246 may include any acoustic, speech, visual, touch, tactile and/or sensory input device, such as a keypad, a switch, a jumper, a pointing device, a dial, a sensor device (e.g., a biometric sensor, a finger sensor, biometric iris recognition sensor), or a touchscreen.
- a keypad may include alphanumeric keys or buttons.
- the keypad may also include keys or buttons with symbols (e.g., a key or button with a lock symbol, a key or button with an unlock symbol).
- the physical input device 246 is disposed on or at the casing (e.g., an outer surface of the casing) so that a user can access the physical input device.
- the physical input device 246 is configured to receive an input provided by a user.
- the input includes one or more keypad entries, a switch setting, a jumper setting, a biometric-based entry, a touch gesture entry, or a combination thereof.
- one or more components of physical input device 246 may be recessed or hidden under a cover.
- the physical output device 244 may be disposed on or at the outer surface of the casing and configured to display an indication of the operation or status of the portable secure storage device 110. Such indication may be controlled by the controller 258.
- the output device 244 may enable, for example, the display or output of visual or audible signaling by the controller 258.
- the indication may include a signal indicating, for example, whether the portable secure storage device 110 is in an exclusive mode, a nonexclusive mode, a renewed mode, an operating mode, a privileged mode, a locked mode, an unlocked mode, a protected mode or another mode, and/or indicating a connection state to the host 120 or an operational state of the device 110.
- the output device 244 may include any visual, auditory, tactile, and/or sensory output device to allow a user to detect an indication of the operation of the portable secure storage device 110.
- the output device 244 may include one or more multicolored light emitting diodes (LEDs) or LEDs with color tinted light guides.
- One or more implementations may include a device(s) that functions as both an input and output device, such as a touchscreen.
- An input device 246 may be a portion of an input and output device.
- An output device 244 may be a portion of an input and output device.
- the communications module 238 of the portable secure storage device 110 is configured to connect the portable secure storage device 110 to the communication bus 130 external to the casing.
- the communications module 238 may include, or may be a part of, a USB (e.g., USB-A, USB-B, USB-C, mini-USB, micro-USB or USB 3). These are examples, and the communications module 238 is not limited to these examples.
- the communications module 238 may be, for example, disposed partially within the casing and partially outside the portable secure storage device 110. In one or more examples, the communications module 238 is coupled to and protrudes from the casing.
- the portable secure storage device 110 includes a battery(ies) (not shown) that may power the portable secure storage device 110 or a portion(s) thereof.
- the battery(ies) may power the controller 258 (or a portion(s) thereof), the physical input device 246, and/or the physical output device 244.
- the battery(ies) may be rechargeable, for example, by using bus or line power.
- in other implementations, the portable secure storage device 110 does not include a battery.
- a controller 258 is coupled to the memory 232, the physical input device 246, the physical output device 244, and the communications module 238.
- the controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120).
- in one example, a controller 258 is a single controller. In another example, a controller 258 includes multiple controllers (e.g., two controllers or more than two controllers).
- a controller may be sometimes referred to as a microcontroller, a multi-core controller, a controller module, a processor, a processor module, a microprocessor, a microprocessor module, or a portion(s) thereof or vice versa.
- a controller(s) within a controller 258 may be sometimes referred to as a microcontroller(s).
- a microcontroller may include one or more microcontrollers.
- each microcontroller may perform different functions, and a microcontroller may be implemented with a different level of security protection (e.g., a high, medium, or low security level).
- Such security level may be implemented in hardware, firmware, or a combination thereof.
- a controller 258 may be a single integrated circuit (IC) chip (or a single die) or may include multiple IC chips. Multiple controllers within the controller 258 may be on a single chip or on separate chips.
- a controller 258 is not a general purpose processing device.
- a controller 258 includes one or more application-specific digital signal processors or one or more application-specific integrated circuits.
- a controller 258 may include discrete hardware components or other suitable components that can perform the functions described herein.
- a controller 258 (or one or more microcontrollers therein) is implemented in hardware and embedded firmware (without high-level software applications).
- Microcontrollers within the controller 258 may be coupled, directly or indirectly, to each other, using communication links.
- a communication link may be a serial peripheral interface (SPI) bus for synchronous communication between the microcontrollers.
- a communication link may be a bidirectional communication link.
- a communication link may be an inter-integrated circuit (I2C) bus, where one microcontroller is implemented as a master node and another microcontroller is implemented as a slave node, in some examples.
- Other communication links may include, without limitation, a universal asynchronous receiver-transmitter (UART) interface, a general-purpose input/output (GPIO) interface, a peripheral component interconnect express (PCIe) interface, various SATA interfaces, an embedded multimedia controller (eMMC) interface, or a universal flash storage (UFS) interface.
- a controller 258 includes a local memory 240.
- the local memory 240 may be a read-and-write memory, a read-only memory, EEPROM, registers, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing.
- a local memory 240 may be a single memory or multiple memories.
- a memory may include one or more memories.
- each microcontroller may have its associated local memory(ies). Such local memory(ies) may reside within or outside its corresponding microcontroller.
- a memory may be implemented with a different level of security protection. The security level may be implemented in hardware, firmware, or a combination thereof.
- the local memory 240 or a memory(ies) therein may be configured to store firmware.
- the local memory 240 or a memory(ies) therein may be configured to store instructions and/or data, including parameters, flags, and/or information to control the operations of the controller 258 or the device 110.
- the local memory 240 or a memory(ies) therein may store instructions/data that the controller 258, a microcontroller(s) therein, and/or another component(s) may need at runtime. From the local memory 240 (or a memory(ies) therein), the controller 258, a microcontroller(s) within the controller 258, and/or another component(s) may retrieve instructions to execute and data to process in order to execute the processes of the subject disclosure.
- all or some of the instructions/data (e.g., configuration profiles, other data, indications, keys, instructions, parameters, flags and/or information) may be stored within the portable secure storage device 110 (e.g., in the local memory 240).
- the user data stored in the memory 232 is encrypted or securely stored.
- the controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120).
- the controller 258 may prevent the host 120 from accessing and configuring the portable secure storage device 110 when the portable secure storage device 110 is not in a configuration-ready mode.
- configuration profiles of a portable secure storage device are settable or changeable by a privileged user.
- a privileged user may change configuration profiles such as security information (e.g., access codes) or other configuration settings (e.g., auto-lock, lock-override, or other settings) associated with configuration of the portable secure storage device.
- This change can be made by the portable secure storage device, for example, using a physical input device (e.g., 246) and a controller (e.g., 258) of the portable secure storage device.
- this change to the portable secure storage device may be made when the portable secure storage device is in a configuration-ready mode.
- the configuration profiles of the portable secure storage device may be changed by a configurator application of a host when a portable secure storage device is in a configuration-ready mode.
- the configurator application can also set or change a mode of the portable secure storage device (e.g., to a locked mode or to a privileged mode).
- the device may be permitted to be recognized by a host when the device is connected to or plugged into the host.
- FIG. 3 illustrates an example of modes and operations of a portable secure storage device, such as a device 110 (e.g., a controller 258 ).
- the operations shown in FIG. 3 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below are provided with reference to FIGS. 1, 2 and 3 .
- FIG. 3 illustrates various modes of a portable secure storage device 110 , including a nonexclusive mode 310 A, an exclusive mode 310 B, a privileged mode 320 , a locked mode 330 A, 330 B, a protected mode 340 A, 340 B, a renewed mode 360 , and an end-of-life mode 350 .
- a device 110 is not limited to these modes, and the operations of the device 110 are not limited to the paths shown in FIG. 3 .
- a controller 258 may set a mode of a portable secure storage device 110 to a privileged mode (e.g., 320 ). This may occur, for example, (a) when a request is made to place the device 110 into the privileged mode (e.g., by a privileged user pressing one or more predetermined buttons for such a request on a keypad at an input device 246 ), and (b) when a privileged security access code (e.g., entered by a privileged user via an input device 246 ) is verified against a privileged access code stored in the portable secure storage device 110 (e.g., stored in the controller 258 or the memory 240 ).
- a device 110 may enter a privileged mode when a controller 258 receives a request, which is followed by receipt and verification of a correct privileged security access code.
- the request may be made, for example, by a privileged user pressing an unlock-symbol button, followed by a number-2 button on a keypad, at an input device 246 .
- the controller 258 may self-convert the device 110 to a privileged mode without communicating with a host (e.g., 120 ).
- a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host.
- a self-conversion may occur while the device 110 is connected to the host.
- a self-conversion may occur while the host provides power to the device 110 .
- a self-conversion may occur while the device 110 is disconnected from the host.
- the device 110 can be converted from an exclusive mode 310 B to a nonexclusive mode 310 A and vice versa.
- the device 110 is convertible between the exclusive mode and the nonexclusive mode.
- the stored privileged access code may be changed to a new valid privileged access code.
- the controller 258 may accept a new privileged security access code (e.g., received at the input device 246 ) and store the new privileged security access code as the new valid privileged access code.
- some or all access codes may be newly set or may be changed.
- all other configuration profiles of the device 110 (e.g., settings for auto-lock, lock-override, read-only, a minimum length of an access code, and implementing or enabling/disabling various other modes/features) may be set or changed.
- a portable secure storage device may be in a privileged mode while it is in a nonexclusive mode or an exclusive mode.
- a device 110 may enter a privileged mode (a) from a locked mode (e.g., 330 A) via a path 324 A while the device 110 is in a nonexclusive mode or (b) from a locked mode (e.g., 330 B) via a path 324 B while the device 110 is in an exclusive mode.
- a device 110 may enter a privileged mode from a renewed mode (e.g., 360 ).
- when a device 110 is in a privileged mode, the device is not recognizable by a host (e.g., 120 ) even if the device is powered by the host.
- a controller 258 may lock a portable secure storage device 110 so that the device 110 is in a locked mode (e.g., 330 A, 330 B).
- a device 110 may enter into a locked mode when one or more of the following occur:
- a portable secure storage device may be in a locked mode (e.g., 330 A) while it is in a nonexclusive mode, or in a locked mode (e.g., 330 B) while it is in an exclusive mode.
- when a device 110 is in a locked mode, the portable secure storage device is not recognizable by a host (e.g., 120 ) even if the device is connected to or plugged into the host, and even if the device is powered by the host.
- a conversion into a locked mode may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a conversion into a locked mode may occur while the device 110 is connected to the host. In one aspect, a conversion into a locked mode may occur while the host provides power to the device 110 . In one aspect, a conversion into a locked mode may occur while the device 110 is disconnected from the host.
- a controller 258 may set a mode of a portable secure storage device 110 to a protected mode (e.g., 340 A, 340 B). In one aspect, the controller 258 may self-convert the device 110 to a protected mode without communicating with a host (e.g., 120 ). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110 . In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.
- a controller 258 may set a mode to a protected mode when the number of unsuccessful security access codes (e.g., incorrect privileged security access codes or incorrect restricted security access codes) entered (e.g., into the input device) exceeds a threshold number.
- when a controller 258 enables a protected mode (e.g., while the device 110 is in a privileged mode prior to entering into a protected mode), the controller 258 may store at least two representations (e.g., two different hash values) of a privileged access code at different locations of the controller 258 (e.g., different locations in a memory 240 ). For example, one representation may be stored at an EEPROM address 0x333, and another representation may be stored at an EEPROM address 0x555.
- the controller 258 may set all access codes stored in the device 110 , except one access code (e.g., one of the at least two representations), to nullified access codes.
- the one access code which is not nullified (e.g., one of the at least two representations) may be usable to verify a privileged security access code to be received (e.g., received at the input device 246 ).
- further descriptions about nullified access codes are provided later with reference to a renewed mode.
- a controller 258 may set an encryption key of the device 110 (e.g., an encryption key existing prior to entering into the protected mode) to a new encryption key.
- the device 110 may have encrypted data using the encryption key and may have stored the encrypted data in a memory (e.g., 232 ).
- the new encryption key is unusable to decrypt the encrypted data that has been stored in the memory (e.g., 232 ) prior to the device 110 entering into the protected mode. In one aspect, the new encryption key is unusable to decrypt the encrypted data that has been stored in the memory (e.g., 232 ) before the new encryption key is created or set into the device 110 .
- the controller 258 may set all configuration profiles of the device 110 , excluding the nullified access codes, to predetermined values (e.g., default values).
- a device 110 may enter into a protected mode (e.g., 340 A) while the device 110 is in a nonexclusive mode.
- a device 110 may enter into a protected mode (e.g., 340 B) while the device 110 is in an exclusive mode.
- when a device 110 is in a protected mode, the device is not recognizable by a host (e.g., 120 ) even if the device is connected to or plugged into the host, and even if the host provides power to the device.
- a controller 258 may set a mode of a device 110 to an end-of-life mode (e.g., 350 ). In one aspect, the controller 258 may self-convert the device 110 to an end-of-life mode without communicating with a host (e.g., 120 ). When a device is in an exclusive mode, a controller 258 may change a protected mode (e.g., 340 B) to an end-of-life mode (e.g., 350 ), when the number of unsuccessful privileged security access codes entered (e.g., via an input device 246 ) exceeds a threshold attempt number.
- when a device 110 enters an end-of-life mode, the device 110 is permanently disabled, cannot be redeployed for use, and is not revivable. Even if the device 110 is powered on or plugged into a host 120 , the device 110 (e.g., controller 258 ) does not respond to any input entered at the device 110 or at the host 120 . Any data stored in the device 110 is not recoverable. A device 110 that is in an end-of-life mode cannot change its mode to another mode.
- the device 110 may contain (a) all nullified access codes, (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes).
- an end-of-life mode may be entered from a protected mode (e.g., 340 B via path 344 ), which already has (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes).
- converting into an end-of-life mode may be carried out by nullifying the one access code or the one representation thereof (e.g., by the controller 258 ).
- converting into an end-of-life mode may be carried out by (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values.
- a device 110 when a device 110 is in an end-of-life mode, the device is not recognizable by a host (e.g., 120 ) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in an end-of-life mode, the device is not recognizable by the host even if the device is powered by the host.
- a controller 258 may set a mode of a portable secure storage device 110 to a renewed mode (e.g., 360 ). In one aspect, the controller 258 may self-convert the device 110 to a renewed mode without communicating with a host (e.g., 120 ). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110 . In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.
- a privileged access code stored in the controller 258 may be a nullified privileged access code.
- a nullified privileged access code is unusable to verify any privileged security access code or any security access code received (e.g., received at the input device 246 ) while the portable secure storage device contains the nullified privileged access code.
- all access codes stored in the portable secure storage device are nullified access codes.
- at least a portion of each of the nullified access codes is not representable by any input enterable at an input device (e.g., 246 ).
- for example, if the input device 246 is a keypad having only alphanumeric keys, at least a portion of a nullified access code may represent one or more characters, symbols or other items that are not alphanumeric; hence, no security access code entered via the alphanumeric keypad can match any nullified access code in the controller 258 (e.g., the memory 240 ).
- none of the nullified access codes is usable to verify any security access code received (e.g., received at the input device 246 ) while the portable secure storage device contains the nullified access codes and does not contain any valid access code. In one aspect, none of the nullified access codes contains all zeros. In one aspect, nullified access codes are not entered by a user. In one aspect, none of the nullified access codes is a predetermined value. In one aspect, nullified access codes are not usable to unlock a storage device after the storage device is locked. In one aspect, a nullified access code (e.g., a privileged access code or a restricted access code) is not usable to facilitate unlocking the storage device after the storage device is locked.
- nullified access codes are not usable to operate the storage device during a normal operation (e.g., for an operating mode).
- a nullified recovery access code is not usable to launch a user-forced enrollment or to create a new recovery access code.
- all or a portion of a nullified access code is not enterable via an input device (e.g., 246 ).
- all access codes include all of any privileged access code, any restricted access code, any recovery access code, and any concealed access code stored in the device 110 (e.g., stored in the controller 258 or the memory 240 ).
- an access code or a valid access code is a code stored in the device 110 (e.g., stored in the controller 258 or the memory 240 ) that can be used to verify a security access code entered (e.g., at an input device 246 ) to facilitate unlocking the device 110 (e.g., for reading or writing data), to facilitate placing the device 110 into a privileged mode, or to facilitate placing the device 110 into a mode in which configuration profiles of the device 110 may be set or changed.
- the device 110 in a renewed mode, contains a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232 ) before the new encryption key is created or is set into the device 110 .
- data may have been encrypted using an encryption key and stored in the memory (e.g., 232 ) prior to the device 110 being in the renewed mode.
- when the device 110 is in the renewed mode, the device 110 (e.g., the controller 258 or the memory 240 ) contains a new encryption key that is unusable for decrypting the data stored in the memory before the new encryption key is set into the device 110 (e.g., the controller 258 or the memory 240 ).
- the new encryption key is unusable for decrypting the data stored in the memory prior to the device 110 being in the renewed mode.
- the new encryption key is different from the encryption key (that has existed before the new encryption key is created).
- the new encryption key is not entered by a user and is not provided by a host.
- all configuration profiles of the device 110 are predetermined values (e.g., default values). In one aspect, predetermined values of the configuration profiles are not entered by a user.
- converting the device 110 to a renewed mode may include setting the stored privileged access code to a nullified privileged access code, by a controller 258 .
- the controller 258 may also set any stored restricted access code(s) into nullified restricted access code(s). If the device 110 contains any recovery access code(s) and any concealed access code(s), the controller 258 may also set any such stored recovery access code(s) and concealed access code(s) into nullified recovery access code(s) and nullified concealed access code(s).
- the nullified access codes may include nullified privileged access code(s) and nullified restricted access code(s).
- the nullified access codes may also include nullified recovery access code(s) and nullified concealed access code(s).
- converting the device 110 to a renewed mode may include setting, by a controller 258 , an existing encryption key to a new encryption key.
- the new encryption key is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232 ) before the new encryption key is set into the device 110 .
- a controller 258 may set an existing encryption key to a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232 ) prior to the device 110 being in the renewed mode.
- converting the device 110 to a renewed mode may include setting, by a controller 258 , all configuration profiles of the device 110 , excluding the nullified access codes, to predetermined values (e.g., default values).
- the controller 258 self-determines the current mode of the device 110 .
- if the current mode is a protected mode (e.g., 340 A, 340 B), the device 110 may already have (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes).
- converting into a renewed mode may be carried out simply by nullifying the one access code or the one representation thereof (e.g., by the controller 258 ).
- converting into a renewed mode may be carried out by performing all conversion activities, including (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values. These conversion activities may be carried out concurrently or sequentially (e.g., from (a) to (c), or in another order).
- a controller 258 may self-convert the device 110 from the current mode to the renewed mode.
- This self-conversion may occur (a) without the device 110 communicating with a host (e.g., 120 ), (b) without requiring the device 110 (or the controller 258 ) to make a determination of whether a privileged security access code is verified (against a privileged access code stored in the memory 240 ), and (c) without requiring the device 110 (or the controller 258 ) to make a determination of whether a restricted security access code is verified (against a restricted access code stored in the memory 240 ).
- a controller 258 may self-convert the device 110 from the current mode to the renewed mode, only when a privileged security access code received (e.g., at an input device 246 ) has been verified or is verified (e.g., against the stored privileged access code). This self-conversion may occur without the device 110 communicating with a host (e.g., 120 ).
- if a controller 258 determines that the current mode is a privileged mode (e.g., 320 ), then the verification of the privileged security access code has already occurred before the device entered the privileged mode (prior to the request being made to convert the device 110 to a renewed mode). Hence, a re-verification of the privileged security access code is not necessary. However, in one aspect, a controller 258 may verify the privileged security access code again after the request is made and before converting the device 110 into the renewed mode.
- the controller 258 may verify the privileged security access code before the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made, as such verification would have occurred prior to entering into the privileged mode. In another aspect, if the current mode is a privileged mode, the controller 258 may re-verify the privileged security access code after the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made.
- a controller 258 may verify the privileged security access code, after determining that the conversion request (i.e., a request to convert the device to a renewed mode) is made, but before converting the device 110 into the renewed mode.
- a request (e.g., a request to convert the device 110 into a renewed mode) may be made by pressing one or more predetermined buttons at a keypad (e.g., at the input device) associated with the request.
- such one or more predetermined buttons may be the same or different.
- such buttons may include a lock-symbol button, followed by an unlock-symbol button, followed by a number-2 button.
- if the current mode is a protected mode 340 B (in an exclusive mode), such buttons may include an unlock-symbol button, followed by a number-0 button.
- a privileged user may make a request to transform the device 110 to a renewed mode (e.g., by pressing one or more predetermined buttons) and then enter a correct privileged security access code (e.g., within a predetermined number of attempts).
- if a correct privileged security access code is not entered within the predetermined number of attempts (e.g., while the device 110 is in a protected mode 340 B in an exclusive mode), the device 110 may enter into the end-of-life mode 350 instead of a renewed mode 360 .
- a controller 258 may first determine whether a request to convert the device 110 to a renewed mode is made. If so, the controller 258 may determine whether the privileged security access code entered matches the stored privileged access code. When it matches, the controller 258 may place the device 110 into the renewed mode.
- a controller 258 may self-convert the device 110 from the current mode to the renewed mode only when the privileged security access code has been verified or is verified. As discussed above, the verification may occur prior to determining that the request is made or after determining that the request is made.
- a device 110 when a device 110 is in a renewed mode, the device is not recognizable by a host (e.g., 120 ) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a renewed mode, the device is not recognizable by the host even if the host provides power to the device.
- a device 110 may convert from a privileged mode (e.g., 320 ) to a locked mode (e.g., 330 A, 330 B) via its respective path (e.g., 322 A, 322 B).
- a device 110 may convert from a locked mode (e.g., 330 A, 330 B) to a protected mode (e.g., 340 A, 340 B) via its respective path (e.g., 332 A, 332 B).
- a device 110 may convert from a protected mode (e.g., 340 B) to an end-of-life mode (e.g., 350 ) via its path (e.g., 344 ).
- a device 110 may convert to a renewed mode (e.g., 360 ) from a privileged mode (e.g., 320 ), a locked mode (e.g., 330 A), a protected mode (e.g., 340 A) or a protected mode (e.g., 340 B) via its respective path (e.g., 326 , 334 A, 342 A, 342 B).
- a device 110 may convert to a privileged mode (e.g., 320 ) from a locked mode (e.g., 330 A, 330 B) or a renewed mode (e.g., 360 ) via its respective path (e.g., 324 A, 324 B, 328 ).
- a device 110 may convert from a locked mode 330 A to a renewed mode 360 via a path 334 A, or via paths 332 A and 342 A. These conversions can be performed without entering or verifying a privileged security access code.
- none of the paths 334 A, 332 A and 342 A requires a privileged security access code to be entered (e.g., at an input device 246 ) and verified against a privileged access code stored (e.g., in a memory 240 ).
- a device 110 may convert from a locked mode 330 A to a renewed mode 360 via paths 324 A and 326 .
- This conversion requires a privileged security access code be entered and verified, for example, against a privileged access code stored internally, e.g., in a memory 240 .
- the path 324 A requires an entry and verification of a privileged security access code.
- a device 110 may convert from a locked mode 330 B to a renewed mode 360 via paths 332 B and 342 B, or via paths 324 B and 326 . These conversions require a privileged security access code be entered and verified, for example, against a privileged access code stored internally, e.g., in a memory 240 . In this regard, each of the paths 324 B and 342 B requires an entry and verification of a privileged security access code.
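The protected-mode conversion (two stored representations at 0x333 and 0x555, nullified codes, a replaced encryption key, default configuration profiles), the renewed and end-of-life conversions, and the FIG. 3 paths described above, modelled together as a small Python state machine. This is an added example and is not the patent's or the device's code: the salted SHA-256 representation, the toy HMAC-based cipher, the threshold of 10 attempts, the `Controller` class with its methods, and the rule that protection must have been enabled while privileged are all assumptions. The toy cipher exists only to show that data encrypted before a conversion cannot be recovered with the key the device holds afterwards.

```python
# Added example (not the patent's code): a model of controller 258 moving a
# device 110 among the FIG. 3 modes.  Hash, toy cipher, slots and threshold are assumptions.
import hashlib
import hmac
import secrets

THRESHOLD = 10                  # assumed unsuccessful-attempt threshold
SLOT_A, SLOT_B = 0x333, 0x555   # EEPROM addresses named in the description
DEFAULTS = {"auto_lock": 0, "lock_override": False, "read_only": False, "min_len": 7}


def represent(code: bytes, tag: bytes) -> bytes:
    """Stored representation of an access code; different tags give different values."""
    return hashlib.sha256(tag + code).digest()


def nullified() -> bytes:
    """Random, nonzero and never derived from keypad input: nothing entered can match it."""
    value = bytes(32)
    while value == bytes(32):
        value = secrets.token_bytes(32)
    return value


def cipher(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 keystream XOR standing in for the device cipher (self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)


class Controller:
    def __init__(self, privileged_code: bytes, exclusive: bool = False):
        self.mode, self.exclusive, self.fails = "locked", exclusive, 0
        self.key = secrets.token_bytes(32)
        self.profile = dict(DEFAULTS)
        self.codes = {"privileged": represent(privileged_code, b"P"),
                      "restricted": nullified(), "recovery": nullified(),
                      "concealed": nullified()}
        self.eeprom = {SLOT_A: nullified(), SLOT_B: nullified()}

    def _matches(self, entry: bytes) -> bool:
        """Constant-time comparison against every stored privileged representation."""
        pairs = ((b"P", self.codes["privileged"]),
                 (b"A", self.eeprom[SLOT_A]), (b"B", self.eeprom[SLOT_B]))
        return any(hmac.compare_digest(represent(entry, t), r) for t, r in pairs)

    def _wipe(self, keep_one: bool) -> None:
        """Nullify codes, replace the key (earlier data unrecoverable), reset profiles."""
        self.codes = {k: nullified() for k in self.codes}
        self.eeprom[SLOT_A] = nullified()
        if not keep_one:
            self.eeprom[SLOT_B] = nullified()
        self.key, self.profile, self.fails = secrets.token_bytes(32), dict(DEFAULTS), 0

    def _count_failure(self) -> None:
        self.fails += 1
        if self.fails <= THRESHOLD:
            return
        if self.mode == "locked":                          # paths 332A / 332B
            self._wipe(keep_one=True)                      # one representation survives
            self.mode = "protected"
        elif self.mode == "protected" and self.exclusive:  # path 344
            self._wipe(keep_one=False)
            self.mode = "end_of_life"

    def request_privileged(self, entry: bytes) -> str:
        """Locked -> privileged (paths 324A / 324B) on a verified privileged code."""
        if self.mode == "locked":
            if self._matches(entry):
                self.mode, self.fails = "privileged", 0
            else:
                self._count_failure()
        return self.mode

    def enable_protection(self, entry: bytes) -> None:
        """While privileged, pre-store two representations at two different addresses."""
        if self.mode == "privileged" and self._matches(entry):
            self.eeprom[SLOT_A] = represent(entry, b"A")
            self.eeprom[SLOT_B] = represent(entry, b"B")

    def lock(self) -> str:
        if self.mode == "privileged":                      # paths 322A / 322B
            self.mode = "locked"
        return self.mode

    def request_renewed(self, entry: bytes = b"") -> str:
        """Self-conversion to renewed mode; only exclusive-mode paths need a verified code."""
        if self.mode in ("end_of_life", "renewed"):
            return self.mode
        if self.exclusive and self.mode != "privileged" and not self._matches(entry):
            self._count_failure()                          # may end in end-of-life (344)
            return self.mode
        self._wipe(keep_one=False)   # from protected mode this only nullifies the last code
        self.mode = "renewed"
        return self.mode
```

Two details of the model follow the description rather than convenience: there is no path from a protected mode back to a privileged mode, so the surviving representation is consulted only when a renewed-mode request arrives on path 342B, and in an exclusive device exceeding the threshold there ends in end-of-life mode (path 344), whereas a nonexclusive device reaches renewed mode with no code at all (paths 334A, 342A). The toy cipher has no nonce and is not suitable for real use; it stands in for whatever the real controller uses.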
- the particular modes and paths shown in FIG. 3 including the modes and paths for entering into a renewed mode and exiting from a renewed mode provide technical advantages as they may eliminate or minimize conflicts among the modes or operations of the device 110 and allow the device 110 to communicate and operate properly. Furthermore, in one or more aspects, the technical advantages include reducing a probability that the device 110 could become unstable, which may result in damaging the device permanently. In one or more aspects, making a conversion to a renewed mode from an operating mode (e.g., an unlocked mode for reading or writing) is less desirable as such conversion could potentially commence in the middle of an operation such as reading or writing data to a memory 232 and thus could damage the device permanently.
- a device 110 may operate in various other modes or implement, enable or disable other modes or features.
- a device 110 may be implemented with a read only mode. When enabled (e.g., in a privileged mode), data stored in the memory (e.g., 232 ) cannot be modified.
- a device 110 may be implemented with a lock-override mode or feature. When enabled (e.g., in a privileged mode), the device 110 may stay unlocked during a USB re-enumeration procedure.
- for example, the lock override may be enabled during a reboot sequence, such as when using the device 110 as a boot drive.
- the device 110 may remain unlocked in the lock override state as long as the device 110 remains connected (or plugged) into a USB port of a host.
- if the USB connection is lost (e.g., the device 110 is unplugged from the USB port), the secure storage device 110 may become locked.
- if a device 110 is implemented with a device format feature, then after the device 110 is placed into a renewed mode, the device may be unlocked and reformatted (e.g., the memory 232 may be reformatted) so that data files can be written into the memory 232 .
- a device 110 may be implemented with a concealed mode.
- when a concealed mode is enabled, an exclusive mode is disabled. Hence, only a nonexclusive mode is permitted when a concealed mode is enabled.
- when a concealed mode is disabled, the device 110 may use an exclusive mode or a nonexclusive mode.
- a controller 258 may be configured to determine whether an exclusive mode is enabled if a user attempts to enable a concealed mode, and the controller may provide a notification of conflict to an output device 244 .
- when the device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246 ) is verified (e.g., against a concealed access code stored in the device 110 ), the controller 258 is configured to set an encryption key in the device 110 into a new encryption key.
- the new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232 ) before the new encryption key is set into the device 110 (e.g., 240 ).
- a controller 258 may retain the new encryption key or may generate yet another new encryption key. Such another new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232 ) before such another new encryption key is created or is set into the device 110 .
- when the device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246 ) is verified, the controller 258 is configured to store the concealed security access code into the device 110 (e.g., the controller 258 or the memory 240 ) as a new privileged access code. This new privileged access code is valid and is not null. The new privileged access code becomes usable to verify another privileged security access code that may be entered after the new privileged access code is stored.
- when a concealed mode is enabled, a user can input a concealed security access code into the device 110 .
- This concealed security access code replaces the existing privileged access code stored in the device 110 .
- this concealed security access code becomes a new privileged access code, which is then stored in the device 110 (e.g., a memory 240 ).
- a concealed mode could be used to defeat the purpose of having an exclusive mode because a user who has a concealed security access code could bypass the security measures of an exclusive mode (as the user could store his/her concealed security access code as a new privileged access code) and place a device 110 into a renewed mode.
- disabling a concealed mode provides a technical advantage that can prevent unauthorized conversion of the device into a renewed mode.
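The concealed-mode behaviour described above (the conflict check against exclusive mode, the key replacement, and the promotion of the concealed code to the privileged access code), as an added Python example that is not the patent's code. The `Controller` class, the SHA-256 value used as the stored representation, the notification strings, and the rule that exclusive mode cannot be enabled while concealed mode is enabled are assumptions.

```python
# Added example (not the patent's code): concealed-mode handling of a device 110.
import hashlib
import hmac
import secrets


def represent(code: bytes) -> bytes:
    """Stored representation of an access code (assumed: tagged SHA-256)."""
    return hashlib.sha256(b"code:" + code).digest()


class Controller:
    """Concealed-mode related state of a device 110 (assumed structure)."""

    def __init__(self, privileged_code: bytes, concealed_code: bytes):
        self.exclusive = False
        self.concealed_enabled = False
        self.key = secrets.token_bytes(32)           # current data encryption key
        self.privileged = represent(privileged_code)
        self.concealed = represent(concealed_code)
        self.notifications = []                      # what output device 244 would show

    def enable_exclusive(self) -> bool:
        """Only a nonexclusive mode is permitted while concealed mode is enabled."""
        if self.concealed_enabled:
            self.notifications.append("conflict: concealed mode is enabled")
            return False
        self.exclusive = True
        return True

    def enable_concealed(self) -> bool:
        """Refuse, and report the conflict, if exclusive mode is already enabled."""
        if self.exclusive:
            self.notifications.append("conflict: exclusive mode is enabled")
            return False
        self.concealed_enabled = True
        return True

    def verify_privileged(self, entry: bytes) -> bool:
        return hmac.compare_digest(represent(entry), self.privileged)

    def enter_concealed_code(self, entry: bytes) -> bool:
        """Nonexclusive mode, concealed mode enabled, verified concealed code:
        replace the key (earlier data becomes undecryptable) and store the
        entry as the new, valid, non-null privileged access code."""
        if self.exclusive or not self.concealed_enabled:
            return False
        if not hmac.compare_digest(represent(entry), self.concealed):
            return False
        self.key = secrets.token_bytes(32)
        self.privileged = represent(entry)
        return True
```

After `enter_concealed_code` succeeds, the original privileged code no longer verifies and the concealed code does; whoever holds it can then make the privileged-user request to convert the device to a renewed mode, which is why the two modes are kept mutually exclusive and the controller reports a conflict instead of enabling both.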
- a device 110 may be implemented with an auto-lock mode or feature. When enabled (e.g., in a privileged mode), a controller 258 can set a predefined period of time of inactivity that causes the device 110 to lock. The device 110 , however, does not lock when data is being written into the memory 232 .
- a device 110 may be implemented with a capability to switch the device 110 from a fixed disk to a removable disk and vice versa.
- a device 110 may be implemented to permit a user-forced enrollment mode.
- the device 110 may already have a privileged access code stored and require a restricted user to set up a new restricted access code to access the device 110 .
- the output device 244 may provide one or more visual indications indicating that a new restricted access code needs to be programmed to gain access to the device 110 .
- a device 110 may enter into an operating mode (e.g., reading or writing data into a memory 232 ).
- when a request is made to enter into an operating mode (e.g., an unlocked mode for reading or writing), when a privileged security access code or a restricted security access code is verified, and when the device 110 is connected to a host (e.g., 120 ), the device 110 (e.g., a controller 258 ) may perform an enumeration process with the host.
- a controller 258 may transmit enumeration information of the device 110 via a communications module 238 and a communication bus 130 .
- the host 120 and the device 110 may be ready to exchange data (e.g., user data).
- the controller 258 may (a) encrypt data received from the host 120 and write the encrypted data to a memory 232 and (b) decrypt data read from the memory 232 and provide the decrypted data to the host 120 .
- a device 110 may store one or more access codes.
- when a security access code received (e.g., via an input device 246 ) is verified against a stored access code, a controller 258 may permit access to the device 110 .
- One type of access code may be a privileged access code.
- when a privileged security access code received (e.g., received at an input device 246 ) is verified, the device 110 may be placed into a mode such as a privileged mode or an operating mode.
- a controller 258 may be permitted to set or change the configuration profiles of the device 110 , for example, implementing, enabling or disabling various modes or features described herein or changing the stored access codes.
- Another type of access code is a restricted security access code.
- when a restricted security access code received (e.g., at an input device 246 ) is verified, the device 110 may be placed into a mode such as an operating mode.
- a verified restricted security access code does not place the device 110 into a privileged mode.
- a verified restricted security access code carries fewer privileges than a verified privileged security access code.
- a device 110 may permit a recovery security access code to be received (e.g., at an input device 246 ) and stored as a recovery access code in the device 110 (e.g., 240 ). There may be multiple recovery access codes. After storing the recovery access code, when a next recovery security access code is received and verified against the stored recovery access code, a controller 258 may launch a user-forced enrollment.
- the recovery security access code is not an actual access code that is used to unlock the device 110 for an operating mode, but rather is used to place the device 110 into a state of user-forced enrollment where a new restricted access code may be created and stored.
- a recovery access code may be used to create and store a new privileged access code.
- a recovery access code is useful when a restricted access code and/or a privileged access code are forgotten, and it is necessary to be able to access any data stored in the memory (e.g., 232 ).
- a controller 258 permits a new restricted security access code to be received (e.g., via an input device 246 ) and stores the new restricted security access code as a new restricted access code.
- a controller 258 permits a new privileged security access code to be received (e.g., via an input device 246 ) and stores the new privileged security access code as a new privileged access code.
- Yet another type of access code may be a concealed access code.
- a concealed security access code received at an input device may be verified against a concealed access code stored in the device 110 . After the verification, the verified concealed security access code or the stored concealed access code may be stored as a new privileged access code.
- Converting a device 110 into a renewed mode may nullify all existing access codes stored in the device 110 .
- where some access codes are already nullified, a controller 258 may retain such nullified access codes and nullify only the other access codes.
- entering into a renewed mode may cause all access codes (whether already nullified or not) to be nullified.
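As an added illustration of the four access-code types described above (this is example code, not code from the patent or from any product it describes), the following Python model keeps the codes the way the page allows, as hash values, and applies the stated rules: a restricted code yields the operating mode but never the privileged mode, a verified recovery code unlocks nothing and only opens user-forced enrollment of a new restricted or privileged code, and a verified concealed code is promoted to become the new privileged code. The class and method names, the per-device salt, the use of SHA-256, and the single-use enrollment window are assumptions of this model, not details stated on the page.

```python
import hashlib
import hmac
import os
from enum import Enum, auto


class Outcome(Enum):
    PRIVILEGED_MODE = auto()           # privileged code verified
    OPERATING_MODE = auto()            # restricted code verified: read/write only
    USER_FORCED_ENROLLMENT = auto()    # recovery code verified: a new code must now be set
    PRIVILEGED_CODE_REPLACED = auto()  # concealed code verified and promoted to privileged
    REJECTED = auto()


class AccessCodeStore:
    """Hypothetical model of the access codes a device 110 keeps in memory 240.
    Codes are held only as salted SHA-256 digests, one of the forms the page names."""

    def __init__(self, privileged, restricted, recovery=(), concealed=None):
        self._salt = os.urandom(16)  # assumed per-device salt, generated at first set-up
        self._privileged = self._digest(privileged)
        self._restricted = self._digest(restricted)
        self._concealed = self._digest(concealed) if concealed is not None else None
        self._recovery = [self._digest(c) for c in recovery]  # there may be several
        self.enrollment_open = False

    def _digest(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def _matches(self, stored, entered):
        # A missing (nullified) code matches nothing; compare digests in constant time.
        return stored is not None and hmac.compare_digest(stored, self._digest(entered))

    def verify(self, entered):
        """Classify a security access code entered at input device 246."""
        if self._matches(self._privileged, entered):
            return Outcome.PRIVILEGED_MODE
        if self._matches(self._restricted, entered):
            return Outcome.OPERATING_MODE  # never the privileged mode
        if self._matches(self._concealed, entered):
            # The verified concealed code becomes the new privileged code; the old
            # privileged code no longer verifies and the concealed slot is consumed.
            self._privileged, self._concealed = self._concealed, None
            return Outcome.PRIVILEGED_CODE_REPLACED
        if any(self._matches(r, entered) for r in self._recovery):
            # A recovery code does not unlock the device; it only opens enrollment.
            self.enrollment_open = True
            return Outcome.USER_FORCED_ENROLLMENT
        return Outcome.REJECTED

    def enroll(self, kind, new_code):
        """User-forced enrollment: store a new restricted or privileged code.
        Reachable only after a recovery code has verified (assumed single-use window)."""
        if not self.enrollment_open or kind not in ("restricted", "privileged"):
            return False
        setattr(self, "_" + kind, self._digest(new_code))
        self.enrollment_open = False
        return True
```

The point a defender should take from the model is the ordering of checks and the fact that none of them ever needs the host: every comparison runs against digests that live only inside the device, and a forgotten restricted code is recovered by enrollment rather than by any host-side reset.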
- a device 110 may enter into or exit from the various modes using one or more methods described herein. These methods are provided for illustration purposes, and other methods are within the scope of the disclosure.
- FIG. 4 illustrates an example of operations performed by a portable secure storage device, such as a storage device 110 .
- the operations shown in FIG. 4 are for illustration purposes, and other operations are within the scope of the disclosure. Below descriptions are provided while referring to FIGS. 1 through 4 .
- a memory (e.g., 232 ) of a storage device may be disposed within a housing (e.g., 111 ) and is configured to store data (e.g., encrypted user data).
- the operations described in FIG. 4 may be performed by a controller of a storage device 110 (e.g., the controller 258 , or one or more components within the controller 258 ).
- the controller may perform the operations without communicating with a host (e.g., 120 ).
- the controller 258 or its components may perform the instructions stored in the memory 240 .
- the host is separate and distinct from the storage device.
- the storage device may be connected to the host and may receive power from the host but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 411 through 416 of FIG. 4 .
- the storage device is not recognizable by the host even if connected to the host for these operations.
- the storage device is disconnected from the host during some or all of these operations.
- a controller (e.g., 258 , or one or more components therein) may be configured to determine whether a storage device (e.g., 110 ) is in an exclusive mode (e.g., 310 B) or a nonexclusive mode (e.g., 310 A).
- the controller may determine whether the storage device is in a privileged mode (e.g., 320 ), a locked mode (e.g., 330 A or 330 B) or a protected mode (e.g., 340 A or 340 B).
- the controller may determine that a request is made to self-transform the storage device to a renewed mode (e.g., 360 ).
- the blocks 411 , 412 and 413 may be performed sequentially from block 411 to block 413 , in reverse order, or in another order. In another example, some or all of these blocks may be performed concurrently.
- the controller may self-transform the storage device to the renewed mode, regardless of whether the storage device is in the exclusive mode or the nonexclusive mode. This self-transformation may be performed in response to the request (e.g., received via an input device 246 ).
- the controller may self-transform the storage device to the renewed mode (e.g., 360 ).
- This self-transformation may be performed in response to the request.
- this self-transformation is performed when the storage device is in the locked mode (e.g., 330 A) or the protected mode (e.g., 340 A).
- This self-transformation may be performed without requiring communication with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified.
- the controller may self-transform the storage device to the renewed mode (e.g., 360 ) only when the privileged security access code is verified. In one aspect, this self-transformation is performed when the storage device is in the protected mode (e.g., 340 B).
- in the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device (e.g., 246 ) while the storage device contains the nullified access codes.
- when data is encrypted using an encryption key and stored in the memory (e.g., 232 ) prior to the storage device being transformed into the renewed mode, and the storage device is thereafter transformed into the renewed mode, the storage device contains a new encryption key that is unusable for decrypting the data stored in the memory (e.g., 232 ) prior to the storage device being transformed into the renewed mode.
- when the storage device is in the privileged mode, the privileged security access code is verified, and the storage device is convertible between the exclusive mode and the nonexclusive mode.
- when the storage device is in the locked mode, the storage device is not recognizable by the host even if the storage device is connected to the host.
- when the storage device is in the protected mode, the storage device contains the new encryption key or another new encryption key, where such other new encryption key is unusable for decrypting data encrypted and stored in the memory prior to the storage device being in the protected mode.
- the restricted security access code is different from the privileged security access code.
- the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.
- when the storage device is in the exclusive mode and the privileged security access code is not verified, the controller is prevented from transforming the storage device to the renewed mode, even if the restricted security access code is verified.
- FIG. 5 illustrates an example of operations performed by a storage device, such as a storage device 110 .
- the operations shown in FIG. 5 are for illustration purposes, and other operations are within the scope of the disclosure. Below descriptions are provided while referring to FIGS. 1 through 5 .
- a storage device may include a casing, a memory (e.g., 230 ), an input device (e.g., 246 ), and an output device (e.g., 244 ).
- the operations described in FIG. 5 may be performed by a controller of a storage device 110 (e.g., the controller 258 , or one or more components within the controller 258 ).
- the controller 258 or its components may perform the instructions stored in the memory 240 .
- the controller may perform the operations described in blocks 511 through 514 of FIG. 5 without communicating with a host (e.g., 120 ).
- the host is separate and distinct from the storage device.
- the storage device may be connected to the host and may receive power from the host but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 511 through 514 of FIG. 5 .
- the storage device is not recognizable by the host even if connected to the host for these operations.
- the storage device is disconnected from the host during some or all of these operations.
- a controller (e.g., the controller 258 , or one or more components within the controller 258 ) may be disposed within the casing and coupled to the input device.
- the controller may be configured to cause: (a) unlocking the storage device based on the privileged security access code or the restricted security access code; and (b) locking the storage device based on a request, a status, an occurrence of a first event, or an omission of a second event.
- the controller may be configured to cause (a) storing a privileged access code in the controller and (b) storing a restricted access code in the controller.
- the controller may receive a first input via the input device (e.g., 246 ). In one aspect, the operations described in this paragraph are performed by the controller without communicating with the host.
- the controller may be configured to cause determining whether a request is made to self-convert the storage device to a renewed mode (e.g., 360 ).
- the determination may be made by the controller by itself in response to the first input.
- the self-conversion may be carried out from a current mode to the renewed mode.
- the current mode is a privileged mode. In another advantageous example, the current mode is a locked mode. In another advantageous example, the current mode is a protected mode.
- the controller may be configured to cause determining whether the storage device is in an exclusive mode (e.g., 310 B) or a nonexclusive mode (e.g., 310 A).
- the blocks 511 and 512 may be performed sequentially from the block 511 to the block 512 or in reverse order. In another aspect, these blocks may be performed concurrently.
- when the storage device is in the exclusive mode and the privileged security access code is verified, the controller may be configured to cause self-converting the storage device to the renewed mode.
- the privileged security access code may have been received at the input device (e.g., 246 ) and may be verified against the stored privileged access code.
- the self-conversion may be carried out when the request is made.
- the self-conversion may be carried out from the current mode to the renewed mode. This self-conversion may be performed without communicating with the host.
- when the storage device is in the nonexclusive mode, the controller may be configured to cause self-converting the storage device to the renewed mode.
- This self-conversion may be carried out when the request is made.
- This self-conversion may be carried out from the current mode to the renewed mode.
- this self-conversion may be performed without communicating with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified.
- in the renewed mode, the stored privileged access code is a nullified privileged access code.
- the nullified privileged access code is unusable to verify any privileged security access code or any security access code that is received at the input device while the storage device contains the nullified privileged access code.
- when data is encrypted using an encryption key and stored in the memory (e.g., 232 ) prior to the storage device being in the renewed mode, and the storage device is thereafter in the renewed mode, the storage device contains a new encryption key.
- the new encryption key is unusable for decrypting the data stored in the memory before the new encryption key is set into the storage device.
- the restricted security access code is different from the privileged security access code. In one aspect, the restricted security access code is usable to change fewer configuration profiles of the storage device than the privileged security access code. In one aspect, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.
- when the storage device is in the exclusive mode and the privileged security access code is not verified, the controller is prevented from converting the storage device from the current mode to the renewed mode even if the restricted security access code is verified.
- in the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device while the portable storage device contains the nullified access codes.
- a controller may accept a request to create a new valid privileged access code.
- the request may be made, for example, by pressing one or more predetermined buttons associated with the request at an input device (e.g., 246 ).
- a new privileged security access code is enterable (e.g., at an input device 246 ).
- the controller (e.g., 258 ) is configured to enable receiving and processing a new privileged security access code entered at an input device (e.g., 246 ) and storing the new privileged security access code as a new privileged access code in a memory (e.g., 240 ).
- this process of storing a new privileged access code is performed without verifying or authenticating the new privileged security access code or its source. This new privileged access code is valid and is not null.
- once the controller contains the new privileged access code, the storage device is no longer in the renewed mode.
- the foregoing conversion may occur via a path (e.g., 328 ) from the renewed mode (e.g., 360 ) to a privileged mode (e.g., 320 ); after the conversion, the storage device may be considered to be in the privileged mode (e.g., 320 ).
- the new privileged access code may be used to verify another privileged security access code to be entered at an input device. This may be, for example, to unlock the storage device or to enter into another mode.
- the storage device may facilitate formatting a memory (e.g., 232 ).
- the storage device may enable (a) receiving and processing a new restricted security access code entered at the input device (e.g., 246 ) and (b) storing the new restricted security access code as a new restricted access code.
- This new restricted access code is valid and is not null.
- the new restricted access code may be used to verify another restricted security access code to be entered at an input device. This may be, for example, to unlock the storage device and enter into an operating mode.
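The FIG. 4 and FIG. 5 operations above, as an added Python model that is not part of the patent or of any product it describes: a controller that verifies codes on the device alone, lets only a privileged user switch between the exclusive and nonexclusive modes, self-converts to the renewed mode without any code check in the nonexclusive mode but only after the privileged code verifies in the exclusive mode (a verified restricted code is not enough), nullifies every stored code and replaces the data encryption key on conversion, and then leaves the renewed mode by accepting a new privileged code without verification. The `SecureStorageController` name, the salted SHA-256 code digests, the SHA-256 counter keystream standing in for the device's real data cipher (the page does not name one), and the `set_exclusive` method are assumptions of this model.

```python
import hashlib
import hmac
import os
from enum import Enum, auto


class Mode(Enum):
    LOCKED = auto()       # 330A/330B: not recognizable by the host
    OPERATING = auto()    # unlocked by a restricted or privileged code: read/write only
    PRIVILEGED = auto()   # 320: configuration profiles may be changed
    RENEWED = auto()      # 360: all codes nullified, new encryption key


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the device's data cipher (a SHA-256 counter keystream).
    # It exists only so that a key change visibly makes earlier ciphertext unrecoverable;
    # it is not a real cipher, and the patent does not name the cipher it uses.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class SecureStorageController:
    """Hypothetical model of controller 258 for blocks 411-416 and 511-514."""

    def __init__(self, privileged_code: str, restricted_code: str, exclusive: bool = False):
        self.exclusive = exclusive          # True = exclusive mode 310B, False = 310A
        self.mode = Mode.LOCKED
        self._salt = os.urandom(16)         # access codes are kept only as salted hashes
        self._privileged = self._digest(privileged_code)
        self._restricted = self._digest(restricted_code)
        self._key = os.urandom(32)          # data encryption key; never leaves the device
        self.memory = {}                    # memory 232: LBA -> ciphertext

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def _verified(self, stored, entered) -> bool:
        # A nullified code (None) verifies nothing, whatever is entered.
        if stored is None or entered is None:
            return False
        return hmac.compare_digest(stored, self._digest(entered))

    def unlock(self, entered: str) -> bool:
        """Verify a code entered on the device's own keypad; the host is never consulted."""
        if self._verified(self._privileged, entered):
            self.mode = Mode.PRIVILEGED
            return True
        if self._verified(self._restricted, entered):
            self.mode = Mode.OPERATING      # a restricted code never yields the privileged mode
            return True
        return False

    def set_exclusive(self, flag: bool) -> bool:
        """Only a privileged user may switch between exclusive and nonexclusive modes."""
        if self.mode is not Mode.PRIVILEGED:
            return False
        self.exclusive = flag
        return True

    def write(self, lba: int, plaintext: bytes) -> bool:
        if self.mode not in (Mode.OPERATING, Mode.PRIVILEGED):
            return False
        self.memory[lba] = _keystream_xor(self._key, plaintext)
        return True

    def read(self, lba: int):
        if self.mode not in (Mode.OPERATING, Mode.PRIVILEGED):
            return None
        return _keystream_xor(self._key, self.memory[lba])

    def request_renewed_mode(self, entered: str = None) -> bool:
        """Self-convert to the renewed mode in response to a keypad request.
        Nonexclusive mode: no code is checked at all.  Exclusive mode: the privileged
        code must verify; a verified restricted code is not enough."""
        if self.exclusive and not self._verified(self._privileged, entered):
            return False
        self._privileged = None             # nullified access codes
        self._restricted = None
        self._key = os.urandom(32)          # new key: earlier ciphertext can no longer be decrypted
        self.mode = Mode.RENEWED
        return True

    def enroll_new_privileged_code(self, new_code: str) -> bool:
        """Leave the renewed mode via path 328: the new privileged code is stored without
        verification, and the device is then in the privileged mode."""
        if self.mode is not Mode.RENEWED:
            return False
        self._privileged = self._digest(new_code)
        self.mode = Mode.PRIVILEGED
        return True
```

The model makes the two security properties of the renewed mode checkable: after `request_renewed_mode` succeeds, neither old code verifies and data written earlier reads back as noise, while an exclusive-mode device refuses the conversion to anyone who cannot present the privileged code. The key is replaced rather than the memory being wiped, which is why the page can describe the old data as undecryptable without a lengthy erase.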
- a storage device 110 may be connected to or plugged into a host 120 (e.g., via a USB port or other methods) at various times.
- a storage device 110 may be connected to or plugged into a host 120 prior to any of the operations shown in FIGS. 4 and 5 .
- merely plugging in the device 110 to the host 120 does not allow the device 110 to be recognized by the host 120 .
- although the device 110 does not require any special software or special driver on the host 120 , the device 110 must perform certain operations by itself before the device 110 becomes recognizable by the host 120 . This improves security of the device 110 .
- the storage device 110 is not recognizable or detectable by the host 120 until after a security access code (e.g., received at an input device 246 ) is verified by a controller 258 . In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is initiated. In one or more aspects, an enumeration process does not commence until after a security access code is verified by a controller (e.g., 258 ) of the storage device. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is completed.
- the device 110 is not recognizable or detectable by the host 120 until after an encryption key is retrieved (e.g., from the memory 240 ) and is made available for encrypting user data.
- once the device 110 is unlocked (e.g., as a result of, in response to, or after one or more operations described in this paragraph), the device is recognizable by the host 120 .
- enumeration may be the process by which a device attached to, connected to, or plugged into the host 120 , such as the device 110 , is detected and identified.
- enumeration information may include a product identifier, a vendor identifier, a device descriptor, a configuration description, and an interface descriptor.
- enumeration information includes USB enumeration information, which may include, for example, a USB product ID, USB vendor ID, USB device type, USB device class, USB device speed, USB device descriptor, etc.
- enumeration information is not settable or changeable by any user (e.g., any privileged user or any restricted user).
- enumeration information is permanent information describing a device.
- upon completion of the enumeration process, a component of the controller 258 may notify other components within the controller 258 and/or provide a completion signal to an output device 244 .
- the host 120 and the device 110 may be ready to exchange data (e.g., user data).
- when an encryption key is stored in a storage device 110 (e.g., in a controller 258 , its component, or a memory 240 ), the encryption key may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof).
- an encryption key may refer to one or more encryption keys.
- an encryption key may refer to a form of encryption key (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof).
- an access code (e.g., a privileged access code, a restricted access code, a recovery access code, or a concealed access code) may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof).
- an access code may refer to one or more access codes.
- a nullified access code may refer to one or more nullified access codes.
- all access codes may be nullified access codes.
- data stored in the memory 232 is user data.
- user data does not control any operation of a storage device 110 .
- user data does not instruct any controller (e.g., 258 ) of the storage device 110 to perform a function.
- user data does not include any access codes, any configuration profiles, settings, data or parameters, or any encryption key of the storage device.
- user data does not include any data inputted at an input device (e.g., 246 ) of the storage device 110 .
- user data does not include any output produced at an output device (e.g., 244 ) of the storage device 110 .
- user data is received from a host 120 .
- user data is transferred to the memory 232 and retained in the memory 232 when power is off.
- user data is not retained in the controller 258 when power is off.
- an exclusive mode is a feature designed to prevent redeployment of storage devices with unauthorized configuration profiles or settings.
- a storage device (e.g., 110 ) may be converted into or out of the exclusive mode by a controller (e.g., 258 ); this may occur while the storage device is in a privileged mode. In one aspect, this may be performed by the controller based on a control input and a determination of a privileged user.
- the control input may be received from a physical input device (e.g., a keypad) of the storage device. In alternative examples, the control input may be received from software or other means.
- such ability may be restricted to a privileged user and require authentication via a control signal (e.g., a privileged security access code) to allow the storage device to accept new settings/profiles and operate normally.
- this functionality may be configured so that the storage device can be reset by a restricted user, but only to its default settings.
- implementing an exclusive mode is advantageous as it may address various issues companies may experience with portable secure storage devices.
- One issue may be unauthorized users modifying a company's security policy of storage devices.
- Implementing an exclusive mode would prevent an unauthorized user from resetting and redeploying a portable secure storage device. This would prevent an unauthorized user from modifying a company's existing device security policy that has been placed into the device by a privileged user.
- Such security policy may include, for example, a privileged access code, a restricted access code, a minimum access code length, an auto-lock setting, a lock-override setting, and the allowed number of unsuccessful security access code entry attempts.
- an unauthorized user may be a user who does not have the correct privileged security access code to the storage device.
- when an exclusive mode is not implemented, once an unauthorized user has physical possession of a whitelisted storage device, he or she could reset and redeploy the device, set up a new privileged access code, and start using the device as his or her own device on a company's secure network.
- when an exclusive mode is implemented, the device cannot be reset and redeployed without the control signal (e.g., a valid privileged security access code). This would prevent an unauthorized user, who does not have the control signal, from resetting and redeploying a whitelisted device and starting to use it with different, unauthorized settings or settings that are against a company's security policy.
- Implementing an exclusive mode would make the device whitelisting protection more effective.
- the subject technology may be carried out, for example, by one or more of the following:
- a method comprising one or more methods or operations described herein.
- An apparatus or a portable storage device comprising one or more memories or registers (e.g., 232 , 240 ) and one or more processors (e.g., 258 ) coupled to the one or more memories, the one or more processors configured to cause the apparatus to perform one or more methods or operations described herein.
- a hardware apparatus comprising circuits (e.g., 258 , 246 , 244 ) configured to perform one or more methods, operations, or portions thereof described herein.
- An apparatus or a portable storage device comprising means (e.g., 258 , 246 , 244 ) adapted for performing one or more methods or operations described herein.
- a computer-readable storage medium (e.g., 240 , one or more memories, one or more registers, and/or one or more media) comprising instructions stored therein, the instructions comprising code for performing one or more methods or operations described herein.
- a computer-readable storage medium (e.g., 240 , one or more memories, one or more registers, and/or one or more media) storing instructions that, when executed by one or more processors (e.g., 258 ), cause the one or more processors to perform one or more methods, operations or portions thereof described herein.
- An apparatus or a portable storage device comprising means (e.g., 258 , 246 , 244 ) for performing one or more operations described with reference to FIGS. 3, 4 , and/or 5 or one or more operations described herein.
- one or more alternative implementations may utilize other modes, methods and paths to enter into or exit from a mode, such as a renewed mode.
- a method may be an operation, an instruction, or a function and vice versa.
- a clause or a claim may be amended to include some or all of the words (e.g., instructions, operations, functions, or components) recited in one or more sentences, one or more phrases, one or more paragraphs, and/or one or more claims.
- a claim may have multiple dependencies based on any of the other claims.
- An example of the present disclosure may be an article of manufacture in which a non-transitory machine-readable medium (such as microelectronic memory, e.g., 240 ) has stored thereon instructions (e.g., in firmware) which program one or more data processing components (e.g., the controller 258 , or a processor) to perform one or more operations described herein.
- some of these operations may be performed by specific hardware components that contain hardwired logic. Those operations may alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.
- an example of the present disclosure may be an apparatus (e.g., a secure flash storage device) that includes one or more hardware and firmware/software logic structure for performing one or more of the operations described herein.
- the apparatus may include a memory unit, which stores instructions that may be executed by a hardware processor installed in the apparatus.
- the apparatus may also include one or more other hardware or software elements, including a network interface, a display device, etc.
- machine-readable storage medium may refer to any medium or media (e.g., 240 ) that participate in providing instructions to a processor or controller (e.g., 258 ) for execution. Such a medium may take many forms, including, but not limited to, non-volatile media and volatile media. Non-volatile media include, for example, optical or magnetic disks, such as a data storage unit. Volatile media include dynamic memory.
- a controller may refer to one or more controllers.
- An element preceded by “a,” “an,” “the,” or “said” does not, without further constraints, preclude the existence of additional same elements.
- phrases such as an aspect, the aspect, another aspect, some aspects, one or more aspects, an implementation, the implementation, another implementation, some implementations, one or more implementations, an embodiment, the embodiment, another embodiment, some embodiments, one or more embodiments, a configuration, the configuration, another configuration, some configurations, one or more configurations, the subject technology, the disclosure, the present disclosure, other variations thereof and alike are for convenience and do not imply that a disclosure relating to such phrase(s) is essential to the subject technology or that such disclosure applies to all configurations of the subject technology.
- a disclosure relating to such phrase(s) may apply to all configurations, or one or more configurations.
- a disclosure relating to such phrase(s) may provide one or more examples.
- a phrase such as an aspect or some aspects may refer to one or more aspects and vice versa, and this applies similarly to other foregoing phrases.
- a phrase “at least one of” preceding a series of items, with the terms “and” or “or” to separate any of the items, modifies the list as a whole, rather than each member of the list.
- the phrase “at least one of” does not require selection of at least one item; rather, the phrase allows a meaning that includes at least one of any one of the items, and/or at least one of any combination of the items, and/or at least one of each of the items.
- each of the phrases “at least one of A, B, and C” or “at least one of A, B, or C” refers to only A, only B, or only C; any combination of A, B, and C; and/or at least one of each of A, B, and C.
Description
- This application is a continuation of application Ser. No. 16/660,770, filed on Oct. 22, 2019, the entirety of which is incorporated herein by reference for all purposes.
- The present description relates in general to computer-based storage devices, and more particularly to, for example, without limitation, a portable storage device with an internal controller that can self-verify access codes and self-convert from a current mode to a renewed mode without communicating with a host and related methods.
- The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embodiments and together with the description serve to explain the principles of the disclosed embodiments. In the drawings:
- FIG. 1 illustrates an example of architecture for a host and portable secure storage devices.
- FIG. 2 is a block diagram illustrating an example of a host and a portable secure storage device.
- FIG. 3 illustrates an example of modes and operations of a portable secure storage device.
- FIG. 4 illustrates an example of operations performed by a portable secure storage device.
- FIG. 5 illustrates another example of operations performed by a portable secure storage device.
- In one or more implementations, not all of the depicted components in each figure may be required, and one or more implementations may include additional components not shown in a figure. Variations in the arrangement and type of the components may be made without departing from the scope of the subject disclosure. Additional components, different components, or fewer components may be utilized within the scope of the subject disclosure.
- The detailed description set forth below is intended as a description of various implementations and is not intended to represent the only implementations in which the subject technology may be practiced. As those skilled in the art would realize, the described implementations may be modified in various different ways, all without departing from the scope of the present disclosure. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive.
- In one or more advantageous implementations, a portable secure storage device provides a highly secure, flexible, host-free solution. A portable secure storage device may include a physical input device (e.g., a keypad), a mass storage memory and a controller.
- In one or more aspects, the portable secure storage device does not require any host control, software or input for its normal operation or management (e.g., to lock or unlock the device, to authenticate the device, or to encrypt or decrypt data to or from a mass storage memory). The portable secure storage device can be self-authenticated as it uses its own input device and its own controller, all of which reside within or on the portable secure storage device itself. The portable secure storage device does not need a host for authentication. During a normal operational mode, the portable secure storage device, rather than a host, receives a security access code from a user via the device's own input device. The portable secure storage device can determine whether the security access code matches an access code securely stored within the device, without using any input, instruction or data from a host. Thus, the portable secure storage device itself, rather than the host, receives and processes the security access code. The security access code is maintained only within the portable secure storage device and is never shared with the host. As the host is not involved in the encryption key generation/management process or the authentication process, the risk that software running on the host (including malware) can capture access codes or keys is substantially reduced.
- Besides the normal operating mode (e.g., reading and writing data), there may be times when it is beneficial and advantageous to be able to place the portable secure storage device into a renewed mode. In this mode, the storage device does not contain any access code that can be used for verification to unlock and operate the device in its normal operating mode, and any data previously encrypted and stored in the device cannot be decrypted. Furthermore, all configuration profiles, which are not access codes, are changed to their default values. This renewed mode may be useful when the access codes are forgotten or misplaced or when it is desirable to erase all data, format and settings so that the device can be redeployed fresh.
- One implementation may permit any user (e.g., a privileged user, a restricted user, or other users) to place the device into a renewed mode without any restriction. The disadvantage of this implementation is that any user (even an unauthorized user) can put the device into a renewed mode. Once in a renewed mode, that user can re-configure the device any way he or she desires. For example, if a device belongs to a company and if an unauthorized user places the device into a renewed mode, then he or she can re-configure and use the device in a manner that is against the company's computer security policy.
- In one or more aspects, this disclosure provides new advantageous methods that can prevent unauthorized conversion of the device into a renewed mode. The subject disclosure provides two modes: an exclusive mode and a nonexclusive mode. These modes can be set or changed when a privileged security access code is verified. If the device is in a nonexclusive mode, then the device can be converted from a current mode to a renewed mode without restrictions. If, however, the device is in an exclusive mode, and if a privileged security access code is not verified, then the device is prevented from entering into a renewed mode even if a restricted security access code has been verified.
- The subject technology addresses challenges arising in the realm of computer technology by providing a solution rooted in hardware and firmware, for example, by providing a portable secure storage device with an internal controller that can self-authenticate, self-determine whether a request for conversion has been made, self-determine the modes of the device, and self-convert the device to a renewed mode only when appropriate. Each of these operations can be carried out securely, efficiently and promptly without communicating with a host or using the host. By enabling the portable secure storage device to perform self-authentication, self-determination, and self-conversion in such a manner and not sharing the access codes, instructions or encryption key(s) with the host, the subject technology can greatly enhance security of the portable secure storage device. On the host side, no special software or driver is required, thereby improving the performance of the host by eliminating installation and execution overhead of such extra software.
- FIG. 1 illustrates an example of architecture for a host and secure storage devices suitable for practicing one or more implementations of the disclosure. The architecture shown in FIG. 1 is for illustration purposes, and other architecture implementations and methods are within the scope of the disclosure. The architecture 100 includes a host 120 and portable secure storage devices 110 connected over a communication bus 130.
- The host 120 is operable to connect to the portable secure storage devices 110. In some aspects of the present technology, the host 120 may be a computer with a general-purpose operating system. In other aspects of the present technology, the host 120 may be an embedded system. Multiple portable secure storage devices 110 can be connected to the host 120 over a common data terminal (e.g., the communication bus 130).
- The host 120 can be, for example, a desktop computer, a personal computer (PC), a server, a mobile computer, a tablet computer (e.g., an e-book reader), a mobile device (e.g., a smartphone or personal digital assistant (PDA)), or any other type of device or system having appropriate processor, memory, and communications capabilities for connecting to the portable secure storage device(s) 110. The host 120 may include one or more computing devices. The host 120 may include an input device 216 and an output device 214. The host 120 may connect to the portable secure storage devices 110 for reading and writing images, sounds, videos, and other data.
- A portable secure storage device 110 can be a storage device having appropriate processor, memory, and communications capabilities for storing secure data, serving as a secure data back-up, and/or transferring secure data. The secure data may be accessible by various computing devices including the host 120 over the communication bus 130. A portable secure storage device may sometimes be referred to as a portable storage device, a storage device, a device, a drive, a memory apparatus or an apparatus. For example, a portable secure storage device 110 may represent a portable hard disk drive, a portable solid-state drive, a flash memory key, an encased portable storage device, an encased portable secure storage device, a portable storage device, or another storage device.
- The communication bus 130 can include or can be a part of, for example, any one or more of a universal serial bus (USB), IEEE 1394, Thunderbolt 3, Ethernet, serial advanced technology attachment (SATA), external serial ATA (eSATA) and/or any other type of communication bus, communication interface or communication port. A communication bus may be referred to as a communication channel, a communication medium, or vice versa. Further, the communication bus 130 can include, but is not limited to, any one or more of the following network topologies, including a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or hierarchical network, or any other suitable type of network.
- FIG. 2 is a block diagram illustrating an example of a system including a portable secure storage device and a host. The system shown in FIG. 2 is for illustration purposes, and other systems and methods are within the scope of the disclosure. A system 200 may include a host 120 and a portable secure storage device 110 connected over a communication bus 130 via respective communications modules 218 and 238.
- The communications modules 218 and 238 connect the host 120 and the portable secure storage device 110 over the communication bus 130. In one example, the communications module 218 and the communication bus 130 may be a part of a USB. In one example, the communications module 238 may be a part of a USB connector, and the communications module 218 and the communication bus 130 may be a part of a USB port(s), and the USB connector may be connected to the USB port.
- The host 120 includes a processor 212 and a memory 220. The memory 220 may be a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing. The memory 220 of the host 120 includes an operating system 222, which may be a general-purpose operating system or an embedded operating system. The memory 220 may also include one or more applications, such as a configurator application (not shown), to communicate with the portable secure storage device 110. From the memory 220, the processor 212 may retrieve instructions to execute and data to process in order to facilitate some of the processes of the subject disclosure. The processor 212 can be a single processor, multiple processors, or a multi-core processor in different implementations.
- The portable secure storage device 110 includes a memory 232 and a controller 258. The portable secure storage device 110 may further include a communications module 238, an input device 246, and an output device 244. The input device may be referred to as a physical input device, a physical key input device, or a key input device. The output device may be referred to as a physical output device.
- In one or more implementations, the portable secure storage device 110 includes a casing (e.g., 111 as illustrated in FIG. 1) or a housing. The casing may be, for example, a metal-based casing (e.g., aluminum) or a hardened plastic material. The casing may be made of multiple parts. In one or more implementations, the memory 232 and the controller 258 are disposed within the casing.
- In one aspect, the memory 232 is configured to store secure data (e.g., encrypted data). The memory 232 may be, or may include, a read-and-write memory, a read-only memory, a volatile memory, a non-volatile memory, registers, or a combination of some or all of the foregoing. In some aspects, the memory 232 is a non-volatile memory unit that stores and retains data even when the portable secure storage device 110 is powered off. The memory 232 may include one or more memories. The memory 232 may include a flash memory, a hard drive, a solid-state drive, or some combination thereof. In one or more implementations, the memory 232 is a mass storage device. For example, the memory 232 may store 2 gigabytes (GB) to 16 terabytes (TB) of user data or more. In one aspect, the memory 232 is the largest memory in the portable secure storage device 110. The memory 232 may be communicably coupled to the controller 258 via a bidirectional communication link 254. In one or more implementations, the link 254 is a high-speed serial advanced technology attachment (SATA) link for a point-to-point connection between the memory 232 and the controller 258.
- The physical input device 246 enables a user to communicate information and select commands to the portable secure storage device 110. For example, the physical input device 246 may receive a security access code from a user (e.g., a privileged user or a restricted user) to facilitate unlocking of the portable secure storage device. The security access code may also facilitate authentication of the user. The physical input device 246 may receive other control input to control the operation of the portable secure storage device. For instance, the physical input device 246 may receive a control input from a user (e.g., generated by the user pressing a button or a sequence of buttons) to convert a portable secure storage device 110 from a current mode to a renewed mode. In one example, when a user presses a first sequence of buttons (e.g., a request followed by a valid privileged security access code) which places the device 110 into a privileged mode, the user can press a second sequence of buttons to request conversion of the portable secure storage device 110 from the privileged mode to a renewed mode.
- The physical input device 246 may include any acoustic, speech, visual, touch, tactile and/or sensory input device, such as a keypad, a switch, a jumper, a pointing device, a dial, a sensor device (e.g., a biometric sensor, a finger sensor, a biometric iris recognition sensor), or a touchscreen. A keypad may include alphanumeric keys or buttons. The keypad may also include keys or buttons with symbols (e.g., a key or button with a lock symbol, a key or button with an unlock symbol). In one or more implementations, the physical input device 246 is disposed on or at the casing (e.g., an outer surface of the casing) so that a user can access the physical input device. Having a physical input device on the portable secure storage device itself allows a user to securely access the device or prevent access to the device and to place the portable secure storage device 110 into a different mode without using an external system, such as a host computer or host software. The physical input device 246 is configured to receive an input provided by a user. In one or more implementations, the input includes one or more keypad entries, a switch setting, a jumper setting, a biometric-based entry, a touch gesture entry, or a combination thereof. To prevent accidental inputs, one or more components of the physical input device 246 may be recessed or hidden under a cover.
- The physical output device 244 may be disposed on or at the outer surface of the casing and configured to display an indication of the operation or status of the portable secure storage device 110. Such indication may be controlled by the controller 258. The output device 244 may enable, for example, the display or output of visual or audible signaling by the controller 258. The indication may include a signal indicating, for example, whether the portable secure storage device 110 is in an exclusive mode, a nonexclusive mode, a renewed mode, an operating mode, a privileged mode, a locked mode, an unlocked mode, a protected mode or another mode, and/or indicating a connection state to the host 120 or an operational state of the device 110. The output device 244 may include any visual, auditory, tactile, and/or sensory output device to allow a user to detect an indication of the operation of the portable secure storage device 110. For example, the output device 244 may include one or more multicolored light emitting diodes (LEDs) or LEDs with color-tinted light guides. One or more implementations may include a device(s) that functions as both an input and output device, such as a touchscreen. An input device 246 may be a portion of an input and output device. An output device 244 may be a portion of an input and output device.
- The communications module 238 of the portable secure storage device 110 is configured to connect the portable secure storage device 110 to the communication bus 130 external to the casing. The communications module 238 may include, or may be a part of, a USB (e.g., USB-A, USB-B, USB-C, mini-USB, micro-USB or USB 3). These are examples, and the communications module 238 is not limited to these examples. The communications module 238 may be, for example, disposed partially within the casing and partially outside the portable secure storage device 110. In one or more examples, the communications module 238 is coupled to and protrudes from the casing.
- In one or more implementations, the portable secure storage device 110 includes a battery(ies) (not shown) that may power the portable secure storage device 110 or a portion(s) thereof. In one example, the battery(ies) may power the controller 258 (or a portion(s) thereof), the physical input device 246, and/or the physical output device 244. The battery(ies) may be rechargeable, for example, by using bus or line power. In another implementation, the portable secure storage device 110 does not include a battery.
- Still referring to FIG. 2, in one or more implementations, a controller 258 is coupled to the memory 232, the physical input device 246, the physical output device 244, and the communications module 238. The controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120).
- In one example, a controller 258 is a single controller. In another example, a controller 258 includes multiple controllers (e.g., two controllers or more than two controllers). A controller may sometimes be referred to as a microcontroller, a multi-core controller, a controller module, a processor, a processor module, a microprocessor, a microprocessor module, or a portion(s) thereof, or vice versa. A controller(s) within a controller 258 may sometimes be referred to as a microcontroller(s). A microcontroller may include one or more microcontrollers. When a controller 258 has multiple microcontrollers, each microcontroller may perform different functions, and a microcontroller may be implemented with a different level of security protection (e.g., a high, medium, or low security level). Such security level may be implemented in hardware, firmware, or a combination thereof.
- A controller 258 may be a single integrated circuit (IC) chip (or a single die) or may include multiple IC chips. Multiple controllers within the controller 258 may be on a single chip. Multiple controllers within the controller 258 may be on separate chips.
- In one or more implementations, a controller 258 is not a general-purpose processing device. In one or more implementations, a controller 258 includes one or more application-specific digital signal processors or one or more application-specific integrated circuits. In one or more implementations, a controller 258 may include discrete hardware components or other suitable components that can perform the functions described herein. In one or more examples, a controller 258 (or one or more microcontrollers therein) is implemented in hardware and embedded firmware (without high-level software applications).
- Microcontrollers within the controller 258 may be coupled, directly or indirectly, to each other using communication links. A communication link may be a serial peripheral interface (SPI) bus for synchronous communication between the microcontrollers. A communication link may be a bidirectional communication link. A communication link may be an inter-integrated circuit (I2C) bus, where one microcontroller is implemented as a master node and another microcontroller is implemented as a slave node, in some examples. Other communication links may include, without limitation, a universal asynchronous receiver-transmitter (UART) interface, a general-purpose input/output (GPIO) interface, a peripheral component interconnect express (PCIe) interface, various SATA interfaces, an embedded multimedia controller (eMMC) interface, or a universal flash storage (UFS) interface. These are examples, and a communication link is not limited to these examples.
- In one or more implementations, a controller 258 includes a local memory 240. The local memory 240 may be a read-and-write memory, a read-only memory, EEPROM, registers, a volatile memory, a non-volatile memory, or a combination of some or all of the foregoing. A local memory 240 may be a single memory or multiple memories. A memory may include one or more memories. When a controller 258 includes multiple microcontrollers and multiple memories, each microcontroller may have its associated local memory(ies). Such local memory(ies) may reside within its corresponding microcontroller. Such local memory(ies) may reside outside its corresponding microcontroller. A memory may be implemented with a different level of security protection. The security level may be implemented in hardware, firmware, or a combination thereof.
- The local memory 240 or a memory(ies) therein may be configured to store firmware. The local memory 240 or a memory(ies) therein may be configured to store instructions and/or data, including parameters, flags, and/or information to control the operations of the controller 258 or the device 110. The local memory 240 or a memory(ies) therein may store instructions/data that the controller 258, a microcontroller(s) therein, and/or another component(s) may need at runtime. From the local memory 240 (or a memory(ies) therein), the controller 258, a microcontroller(s) within the controller 258, and/or another component(s) may retrieve instructions to execute and data to process in order to execute the processes of the subject disclosure.
- In one or more implementations, all instructions/data (e.g., configuration profiles, other data, indications, keys, instructions, parameters, flags and information) stored in the portable secure storage device 110 (e.g., 240) is encrypted or securely stored. In one or more other implementations, some instructions/data (e.g., a portion or some of configuration profiles, other data, indications, keys, instructions, parameters, flags and/or information) stored in the portable secure storage device 110 (e.g., 240) is encrypted or securely stored. In one or more yet other implementations, some instructions/data (e.g., configuration profiles, other data, indications, keys, instructions, parameters, flags and/or information) stored in the portable secure storage device 110 (e.g., 240) is not encrypted. In one or more implementations, the user data stored in the memory 232 is encrypted or securely stored.
- The controller 258 may provide instructions to prevent or allow data transfer between the portable secure storage device 110 and an external system (e.g., the host 120). The controller 258 may prevent the host 120 from accessing and configuring the portable secure storage device 110 when the secure storage device 110 is not in a configuration-ready mode.
- In one or more implementations, configuration profiles of a portable secure storage device are settable or changeable by a privileged user. For example, a privileged user may change configuration profiles such as security information (e.g., access codes) or other configuration settings (e.g., auto-lock, lock-override, or other settings) associated with configuration of the portable secure storage device. This change can be made by the portable secure storage device, for example, using a physical input device (e.g., 246) and a controller (e.g., 258) of the portable secure storage device. In an alternative example, this change to the portable secure storage device may be made when the portable secure storage device is in a configuration-ready mode. Furthermore, the configuration profiles of the portable secure storage device may be changed by a configurator application of a host when a portable secure storage device is in a configuration-ready mode. The configurator application can also set or change a mode of the portable secure storage device (e.g., to a locked mode or to a privileged mode). In one aspect, when a portable secure storage device is in a configuration-ready mode, the device may be permitted to be recognized by a host when the device is connected to or plugged into the host.
- FIG. 3 illustrates an example of modes and operations of a portable secure storage device, such as a device 110 (e.g., a controller 258). The operations shown in FIG. 3 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below are provided with reference to FIGS. 1, 2 and 3.
- The example in FIG. 3 illustrates various modes of a portable secure storage device 110, including a nonexclusive mode 310A, an exclusive mode 310B, a privileged mode 320, a locked mode 330A, 330B, a protected mode 340A, 340B, a renewed mode 360, and an end-of-life mode 350. A device 110, however, is not limited to these modes, and the operations of the device 110 are not limited to the paths shown in FIG. 3.
- Privileged Mode
- In one example, a controller 258 may set a mode of a portable secure storage device 110 to a privileged mode (e.g., 320). This may occur, for example, (a) when a request is made to place the device 110 into the privileged mode (e.g., by a privileged user pressing one or more predetermined buttons for such a request on a keypad at an input device 246), and (b) when a privileged security access code (e.g., entered by a privileged user via an input device 246) is verified against a privileged access code stored in the portable secure storage device 110 (e.g., stored in the controller 258 or the memory 240).
- For example, a device 110 may enter a privileged mode when a controller 258 receives a request, which is followed by receipt and verification of a correct privileged security access code. The request may be made, for example, by a privileged user pressing an unlock-symbol button, followed by a number-2 button on a keypad, at an input device 246. In one aspect, the controller 258 may self-convert the device 110 to a privileged mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.
- In a privileged mode, the device 110 can be converted from an exclusive mode 310B to a nonexclusive mode 310A and vice versa. In a privileged mode, the device 110 is convertible between the exclusive mode and the nonexclusive mode. In one aspect, when the device 110 is not in the privileged mode, the device 110 is prevented from converting between the exclusive mode and the nonexclusive mode. In a privileged mode, the stored privileged access code may be changed to a new valid privileged access code. For example, the controller 258 may accept a new privileged security access code (e.g., received at the input device 246) and store the new privileged security access code as the new valid privileged access code. In a privileged mode, some or all access codes (e.g., a privileged access code, a restricted access code, a recovery access code, a concealed access code, and/or a combination thereof) may be newly set or may be changed. In a privileged mode, all other configuration profiles of the device 110 that are changeable by a controller 258 (e.g., settings for auto-lock, lock-override, read-only, a minimum length of an access code, and implementing or enabling/disabling various other modes/features) may be set or changed.
- A portable secure storage device may be in a privileged mode while it is in a nonexclusive mode or an exclusive mode. A device 110 may enter a privileged mode (a) from a locked mode (e.g., 330A) via a path 324A while the device 110 is in a nonexclusive mode or (b) from a locked mode (e.g., 330B) via a path 324B while the device 110 is in an exclusive mode. A device 110 may enter a privileged mode from a renewed mode (e.g., 360). In one aspect, when a device 110 is in a privileged mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a privileged mode, the device is not recognizable by the host even if the device is powered by the host.
- Locked Mode
- In one example, a controller 258 may lock a portable secure storage device 110 so that the device 110 is in a locked mode (e.g., 330A, 330B). A device 110 may enter into a locked mode when one or more of the following occur:
- the input device (e.g., 246) receives a request to lock the portable secure storage device. For example, a request can be made while in a privileged mode (see, e.g., FIG. 3) or while the device 110 is in another mode (e.g., an operating mode such as a reading or writing mode) (not shown in FIG. 3). If the request is made while the device 110 is in an operating mode, then the device 110 converts to a locked mode after the device finishes its operation (e.g., reading or writing);
- power from a host (e.g., 120) to the portable secure storage device (e.g., 110) is interrupted;
- the portable secure storage device is disconnected or unplugged from the host;
- the portable secure storage device is electrically disengaged from the host, e.g., in response to a request;
- the portable secure storage device idles for a period of time; or
- the portable secure storage device is not connected to or not plugged into the host within a period of time after a security access code received at the input device is verified.
- A portable secure storage device may be in a locked mode (e.g., 330A) while it is in a nonexclusive mode, or in a locked mode (e.g., 330B) while it is in an exclusive mode. In one aspect, when a portable secure storage device (e.g., 110) is in a locked mode, the portable secure storage device is not recognizable by a host (e.g., 120) even if the portable secure storage device is connected to or plugged into the host. In one aspect, when a device 110 is in a locked mode, the device is not recognizable by the host even if the device is powered by the host.
- In one aspect, a conversion into a locked mode may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a conversion into a locked mode may occur while the device 110 is connected to the host. In one aspect, a conversion into a locked mode may occur while the host provides power to the device 110. In one aspect, a conversion into a locked mode may occur while the device 110 is disconnected from the host.
- Protected Mode
- In one example, a controller 258 may set a mode of a portable secure storage device 110 to a protected mode (e.g., 340A, 340B). In one aspect, the controller 258 may self-convert the device 110 to a protected mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host.
- A controller 258 may set a mode to a protected mode when the number of unsuccessful security access codes (e.g., incorrect privileged security access codes or incorrect restricted security access codes) entered (e.g., into the input device) exceeds a threshold number.
- When a controller 258 enables a protected mode (e.g., while the device 110 is in a privileged mode prior to entering into a protected mode), a controller 258 may store at least two representations (e.g., two different hash values) of a privileged access code at different locations of the controller 258 (e.g., different locations in a memory 240). For example, one representation may be stored at an EEPROM address 0x333, and another representation may be stored at an EEPROM address 0x555.
- In one example, when the device 110 enters into a protected mode, the controller 258 may set all access codes stored in the device 110, except one access code (e.g., one of the at least two representations), to nullified access codes. In this regard, the one access code which is not nullified (e.g., one of the at least two representations) remains usable to verify a privileged security access code to be received (e.g., received at the input device 246). In one aspect, further descriptions about nullified access codes are provided later with reference to a renewed mode.
- In one example, when the device 110 enters into a protected mode, a controller 258 may replace the encryption key of the device 110 (e.g., the encryption key existing prior to entering into the protected mode) with a new encryption key. In this regard, prior to entering into the protected mode, the device 110 may have encrypted data using the encryption key and may have stored the encrypted data in a memory (e.g., 232). In this example, after entering into the protected mode (and thereafter), such encrypted data can no longer be decrypted, as the encryption key is replaced by the new encryption key when the device enters into the protected mode. In one aspect, the new encryption key is unusable to decrypt the encrypted data that was stored in the memory (e.g., 232) prior to the device 110 entering into the protected mode. In one aspect, the new encryption key is unusable to decrypt the encrypted data that was stored in the memory (e.g., 232) before the new encryption key is created or set in the device 110.
- In one example, when the device 110 enters into a protected mode, the controller 258 may set all configuration profiles of the device 110, excluding the nullified access codes, to predetermined values (e.g., default values).
- A device 110 may enter into a protected mode (e.g., 340A) while the device 110 is in a nonexclusive mode. For example, a protected mode (e.g., 340A) is entered from a locked mode (e.g., 330A). A device 110 may enter into a protected mode (e.g., 340B) while the device 110 is in an exclusive mode. For example, a protected mode (e.g., 340B) is entered from a locked mode (e.g., 330B). In one aspect, when a device 110 is in a protected mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a protected mode, the device is not recognizable by the host even if the host provides power to the device.
- End-of-Life Mode
- In one example, a
controller 258 may set a mode of a device 110 to an end-of-life mode (e.g., 350). In one aspect, the controller 258 may self-convert the device 110 to an end-of-life mode without communicating with a host (e.g., 120). When a device is in an exclusive mode, a controller 258 may change a protected mode (e.g., 340B) to an end-of-life mode (e.g., 350) when the number of unsuccessful privileged security access codes entered (e.g., via an input device 246) exceeds a threshold attempt number. When a device 110 enters an end-of-life mode, the device 110 is permanently disabled, cannot be redeployed for use, and is not revivable. Even if the device 110 is powered on or plugged into a host 120, the device 110 (e.g., controller 258) does not respond to any input entered at the device 110 or at the host 120. Any data stored in the device 110 is not recoverable. A device 110 that is in an end-of-life mode cannot change its mode to another mode. - In an end-of-life mode, the
device 110 may contain (a) all nullified access codes, (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). An end-of-life mode may be preceded by a protected mode, which already has (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). In this case, converting into an end-of-life mode may be carried out by nullifying the one access code or the one representation thereof (e.g., by the controller 258). However, in another aspect, converting into an end-of-life mode may be carried out by (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values. - In one aspect, when a
device 110 is in an end-of-life mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in an end-of-life mode, the device is not recognizable by the host even if the device is powered by the host. - Renewed Mode
- In one example, a
controller 258 may set a mode of a portable secure storage device 110 to a renewed mode (e.g., 360). In one aspect, the controller 258 may self-convert the device 110 to a renewed mode without communicating with a host (e.g., 120). In one aspect, a self-conversion may occur without receiving or sending any input, instruction, command or data from or to the host. In one aspect, a self-conversion may occur while the device 110 is connected to the host. In one aspect, a self-conversion may occur while the host provides power to the device 110. In one aspect, a self-conversion may occur while the device 110 is disconnected from the host. - In one aspect, in a renewed mode, a privileged access code stored in the controller 258 (e.g., 240) may be a nullified privileged access code. A nullified privileged access code is unusable to verify any privileged security access code or any security access code received (e.g., received at the input device 246) while the portable secure storage device contains the nullified privileged access code.
- In one aspect, in a renewed mode, all access codes stored in the portable secure storage device (e.g., stored in the
controller 258 or the memory 240) are nullified access codes. In one aspect, at least a portion of each of the nullified access codes is not representable by any input enterable at an input device (e.g., 246). For example, if the input device 246 is a keypad having only alphanumeric keys, at least a portion of a nullified access code may represent one or more characters, symbols or other items that are not alphanumeric; hence, no security access code entered via the alphanumeric keypad can match any nullified access code in the controller 258 (e.g., the memory 240). - In one aspect, none of the nullified access codes is usable to verify any security access code received (e.g., received at the input device 246) while the portable secure storage device contains the nullified access codes and does not contain any valid access code. In one aspect, none of the nullified access codes consists of all zeros. In one aspect, nullified access codes are not entered by a user. In one aspect, none of the nullified access codes is a predetermined value. In one aspect, nullified access codes are not usable to unlock a storage device after the storage device is locked. In one aspect, a nullified access code (e.g., a privileged access code or a restricted access code) is not usable to facilitate unlocking the storage device after the storage device is locked. In one aspect, nullified access codes are not usable to operate the storage device during a normal operation (e.g., in an operating mode). A nullified recovery access code is not usable to launch a user-forced enrollment or to create a new recovery access code. In one aspect, all or a portion of a nullified access code is not enterable via an input device (e.g., 246).
- In one aspect, all access codes include all of any privileged access code, any restricted access code, any recovery access code, and any concealed access code stored in the device 110 (e.g., stored in the
controller 258 or the memory 240). In one aspect, an access code or a valid access code is a code stored in the device 110 (e.g., stored in the controller 258 or the memory 240) that can be used to verify a security access code entered (e.g., at an input device 246) to facilitate unlocking the device 110 (e.g., for reading or writing data), to facilitate placing the device 110 into a privileged mode, or to facilitate placing the device 110 into a mode in which configuration profiles of the device 110 may be set or changed. - In one aspect, in a renewed mode, the device 110 (e.g., the
controller 258 or the memory 240) contains a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) before the new encryption key is created or set into the device 110. For example, data may have been encrypted using an encryption key and stored in the memory (e.g., 232) prior to the device 110 being in the renewed mode. When the device 110 is in the renewed mode, the device 110 (e.g., the controller 258 or the memory 240) contains a new encryption key that is unusable for decrypting the data stored in the memory before the new encryption key is set into the device 110 (e.g., the controller 258 or the memory 240). In one aspect, the new encryption key is unusable for decrypting the data stored in the memory prior to the device 110 being in the renewed mode. In one aspect, the new encryption key is different from the encryption key that existed before the new encryption key was created. In one aspect, the new encryption key is not entered by a user and is not provided by a host. - In one aspect, in a renewed mode, all configuration profiles of the
device 110, excluding the access codes, are predetermined values (e.g., default values). In one aspect, predetermined values of the configuration profiles are not entered by a user. - In one example, converting the
device 110 to a renewed mode may include setting the stored privileged access code to a nullified privileged access code, by a controller 258. The controller 258 may also set any stored restricted access code(s) into nullified restricted access code(s). If the device 110 contains any recovery access code(s) and any concealed access code(s), the controller 258 may also set any such stored recovery access code(s) and concealed access code(s) into nullified recovery access code(s) and nullified concealed access code(s). - The nullified access codes may include nullified privileged access code(s) and nullified restricted access code(s). The nullified access codes may also include nullified recovery access code(s) and nullified concealed access code(s).
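The access-code store and key replacement described above for the protected and renewed modes, as an added Python model (constructed here, not code from the patent): two representations of the privileged code at EEPROM addresses 0x333 and 0x555, nullified codes that no alphanumeric keypad entry can match, and a key replacement that leaves earlier ciphertext unreadable. The restricted-code address 0x777, SHA-256 as the representation, and the keystream cipher are assumptions standing in for whatever the device actually uses.

```python
import hashlib
import hmac
import os
import string

# Alphanumeric keypad as in the example above (assumed key set of the input device 246).
KEYPAD_ALPHABET = frozenset((string.ascii_letters + string.digits).encode())
PRIVILEGED_ADDRS = (0x333, 0x555)   # the two EEPROM locations named in the description
RESTRICTED_ADDR = 0x777             # constructed address for the restricted access code


def representation(code: bytes) -> bytes:
    """A stored 'representation' of an access code; the text gives hash values as one example."""
    return hashlib.sha256(code).digest()


def keypad_representable(code: bytes) -> bool:
    """True when every byte of the code can be produced by a key of the keypad."""
    return all(b in KEYPAD_ALPHABET for b in code)


def nullified_code() -> bytes:
    """A nullified access code: random (never user-entered, not a predetermined value), not all
    zeros, and holding at least one byte no keypad entry can produce, so no typed code matches it."""
    while True:
        code = os.urandom(16)
        if not keypad_representable(code) and any(code):
            return code


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the device's data cipher (constructed: SHA-256 counter-mode keystream XOR).
    Encrypting and decrypting are the same operation; a different key yields garbage."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class AccessCodeStore:
    """Access codes and encryption key held by the controller (memory 240), with the
    protected-mode and renewed-mode conversions applied to them."""

    def __init__(self, privileged_code: bytes, restricted_code: bytes) -> None:
        self.eeprom = {addr: representation(privileged_code) for addr in PRIVILEGED_ADDRS}
        self.eeprom[RESTRICTED_ADDR] = representation(restricted_code)
        self.key = os.urandom(32)   # generated inside the device, not entered or host-provided

    def _verify(self, entered: bytes, addrs) -> bool:
        if not keypad_representable(entered):
            return False                # the input device cannot have produced this entry
        rep = representation(entered)
        return any(hmac.compare_digest(rep, self.eeprom[a]) for a in addrs)

    def verify_privileged(self, entered: bytes) -> bool:
        return self._verify(entered, PRIVILEGED_ADDRS)

    def verify_restricted(self, entered: bytes) -> bool:
        return self._verify(entered, (RESTRICTED_ADDR,))

    def enter_protected(self) -> None:
        """Protected mode: every code except one privileged representation is nullified and the
        encryption key is replaced, so ciphertext written earlier is no longer decryptable."""
        keep = PRIVILEGED_ADDRS[0]
        for addr in self.eeprom:
            if addr != keep:
                self.eeprom[addr] = representation(nullified_code())
        self.key = os.urandom(32)

    def enter_renewed(self) -> None:
        """Renewed mode: all access codes are nullified and the key is replaced again."""
        for addr in self.eeprom:
            self.eeprom[addr] = representation(nullified_code())
        self.key = os.urandom(32)


def demo() -> dict:
    """Walk the store through protected and renewed mode and report what still verifies."""
    plaintext = b"record stored before conversion"
    store = AccessCodeStore(b"Adm1n", b"User42")
    ciphertext = keystream_xor(store.key, plaintext)
    store.enter_protected()
    results = {
        "privileged_verifies_in_protected": store.verify_privileged(b"Adm1n"),
        "restricted_verifies_in_protected": store.verify_restricted(b"User42"),
        "old_data_readable_in_protected": keystream_xor(store.key, ciphertext) == plaintext,
    }
    store.enter_renewed()
    results["privileged_verifies_in_renewed"] = store.verify_privileged(b"Adm1n")
    return results


if __name__ == "__main__":
    print(demo())
```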
- In one example, converting the
device 110 to a renewed mode may include setting, by a controller 258, an existing encryption key to a new encryption key. The new encryption key is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) before the new encryption key is set into the device 110. In one example, for the device 110 to enter into a renewed mode, a controller 258 may set an existing encryption key to a new encryption key that is unusable for decrypting data that has been encrypted and stored in the memory (e.g., 232) prior to the device 110 being in the renewed mode. - In one example, converting the
device 110 to a renewed mode may include setting, by a controller 258, all configuration profiles of the device 110, excluding the nullified access codes, to predetermined values (e.g., default values). - In one example, the
controller 258 self-determines the current mode of the device 110. - In one aspect, if the current mode is a protected mode (e.g., 340A in a nonexclusive mode or 340B in an exclusive mode), then the device 110 (or the
controller 258 or the memory 240) may already have (a) all nullified access codes (except for one access code or one representation thereof), (b) a new encryption key, and (c) predetermined values for all configuration profiles (excluding the access codes). In this case, converting into a renewed mode may be carried out simply by nullifying the one access code or the one representation thereof (e.g., by the controller 258). However, in another aspect, converting into a renewed mode may be carried out by performing all conversion activities, including (a) setting all access codes into nullified access codes, (b) generating another new encryption key, and (c) setting all configuration profiles (excluding the access codes) to predetermined values. These conversion activities may be carried out concurrently or sequentially (e.g., from (a) to (c), or in another order). - In one aspect, while a
device 110 is in a nonexclusive mode (e.g., 310A), when a request is made to convert the device 110 from a current mode (e.g., a locked mode 330A, a protected mode 340A, or a privileged mode 320) to a renewed mode, a controller 258 may self-convert the device 110 from the current mode to the renewed mode. This self-conversion may occur (a) without the device 110 communicating with a host (e.g., 120), (b) without requiring the device 110 (or the controller 258) to make a determination of whether a privileged security access code is verified (against a privileged access code stored in the memory 240), and (c) without requiring the device 110 (or the controller 258) to make a determination of whether a restricted security access code is verified (against a restricted access code stored in the memory 240). - In one aspect, while a
device 110 is in an exclusive mode (e.g., 310B), when a request is made to convert the device 110 from a current mode (e.g., a protected mode 340B or a privileged mode 320) to a renewed mode, a controller 258 may self-convert the device 110 from the current mode to the renewed mode only when a privileged security access code received (e.g., at an input device 246) has been verified or is verified (e.g., against the stored privileged access code). This self-conversion may occur without the device 110 communicating with a host (e.g., 120). - If a
controller 258 determines that the current mode is a privileged mode (e.g., 320), then the verification of the privileged security access code has already occurred before the device entered the privileged mode (prior to the request being made to convert the device 110 to a renewed mode). Hence, a re-verification of the privileged security access code is not necessary. However, in one aspect, a controller 258 may verify the privileged security access code again after the request is made and before converting the device 110 into the renewed mode. - Consequently, in one aspect, if the current mode is a privileged mode, the
controller 258 may verify the privileged security access code before the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made, as such verification would have occurred prior to entering into the privileged mode. In another aspect, if the current mode is a privileged mode, the controller 258 may re-verify the privileged security access code after the controller determines that the request (i.e., a request to convert the device to a renewed mode) is made. - In one aspect, if the current mode is a protected
mode 340B, then a controller 258 may verify the privileged security access code after determining that the conversion request (i.e., a request to convert the device to a renewed mode) is made, but before converting the device 110 into the renewed mode. - In one example, a request (e.g., a request to convert the
device 110 into a renewed mode) may be made by pressing one or more predetermined buttons at a keypad (e.g., at the input device) associated with the request. Depending on the current mode and on whether the device 110 is in a nonexclusive mode or an exclusive mode, such one or more predetermined buttons may be the same or different. For example, when the current mode is a locked mode 330A (in a nonexclusive mode), a protected mode 340A (in a nonexclusive mode), or a privileged mode 320 (for both nonexclusive and exclusive modes), such buttons may include a lock-symbol button, followed by an unlock-symbol button, followed by a number-2 button. In another example, when the current mode is a protected mode 340B (in an exclusive mode), such buttons may include an unlock-symbol button, followed by a number-0 button. - In one aspect, if the current mode is a protected
mode 340B, then a privileged user may make a request to transform the device 110 to a renewed mode (e.g., by pressing one or more predetermined buttons) and then enter a correct privileged security access code (e.g., within a predetermined number of attempts). When the number of unsuccessful privileged security access codes entered (e.g., into the input device) exceeds a threshold number, the device 110 may enter into the end-of-life mode 350 instead of a renewed mode 360. For example, a controller 258 may first determine whether a request to convert the device 110 to a renewed mode is made. If so, the controller 258 may determine whether the privileged security access code entered matches the stored privileged access code. When it matches, the controller 258 may place the device 110 into the renewed mode. - In one aspect, when a
controller 258 determines that a request is made to convert the device 110 from a current mode to a renewed mode while the device is in an exclusive mode (e.g., 310B), the controller 258 may self-convert the device 110 from the current mode to the renewed mode only when the privileged security access code has been verified or is verified. As discussed above, the verification may occur prior to determining that the request is made or after determining that the request is made. - In one aspect, when a
device 110 is in a renewed mode, the device is not recognizable by a host (e.g., 120) even if the device is connected to or plugged into the host. In one aspect, when a device 110 is in a renewed mode, the device is not recognizable by the host even if the host provides power to the device. - As illustrated in
FIG. 3, a device 110 may convert from a privileged mode (e.g., 320) to a locked mode (e.g., 330A, 330B) via its respective path (e.g., 322A, 322B). A device 110 may convert from a locked mode (e.g., 330A, 330B) to a protected mode (e.g., 340A, 340B) via its respective path (e.g., 332A, 332B). A device 110 may convert from a protected mode (e.g., 340B) to an end-of-life mode (e.g., 350) via its path (e.g., 344). A device 110 may convert to a renewed mode (e.g., 360) from a privileged mode (e.g., 320), a locked mode (e.g., 330A), a protected mode (e.g., 340A) or a protected mode (e.g., 340B) via its respective path (e.g., 326, 334A, 342A, 342B). A device 110 may convert to a privileged mode (e.g., 320) from a locked mode (e.g., 330A, 330B) or a renewed mode (e.g., 360) via its respective path (e.g., 324A, 324B, 328). - A
device 110 may convert from a locked mode 330A to a renewed mode 360 via a path 334A, or via paths paths - A
device 110 may convert from a locked mode 330A to a renewed mode 360 via paths memory 240. In this regard, the path 324A requires an entry and verification of a privileged security access code. - A
device 110 may convert from a locked mode 330B to a renewed mode 360 via paths paths memory 240. In this regard, each of the paths - In one or more aspects, the particular modes and paths shown in
FIG. 3, including the modes and paths for entering into a renewed mode and exiting from a renewed mode, provide technical advantages as they may eliminate or minimize conflicts among the modes or operations of the device 110 and allow the device 110 to communicate and operate properly. Furthermore, in one or more aspects, the technical advantages include reducing the probability that the device 110 could become unstable, which may result in damaging the device permanently. In one or more aspects, making a conversion to a renewed mode from an operating mode (e.g., an unlocked mode for reading or writing) is less desirable, as such a conversion could potentially commence in the middle of an operation such as reading or writing data to a memory 232 and thus could damage the device permanently. - Other Modes and Features
- In addition to the modes described above, a
device 110 may operate in various other modes or implement, enable or disable other modes or features. - A
device 110 may be implemented with a read-only mode. When enabled (e.g., in a privileged mode), data stored in the memory (e.g., 232) cannot be modified. - A
device 110 may be implemented with a lock-override mode or feature. When enabled (e.g., in a privileged mode), the device 110 may stay unlocked during a USB re-enumeration procedure. The lock override may be enabled during a reboot sequence and when using the device 110 as a boot drive. The device 110 may remain unlocked in the lock-override state as long as the device 110 remains connected to (or plugged into) a USB port of a host. When the USB connection is lost (e.g., the device 110 is unplugged from the USB port), the secure storage device 110 may become locked. - If a
device 110 is implemented with a device format feature, then after the device 110 is placed into a renewed mode, the device may be unlocked and reformatted (e.g., by reformatting the memory 232) so that data files can be written into the memory 232. - A
device 110 may be implemented with a concealed mode. In one aspect, when a concealed mode is enabled, an exclusive mode is disabled. Hence, only a nonexclusive mode is permitted when a concealed mode is enabled. In one aspect, when a concealed mode is disabled, the device 110 may use an exclusive mode or a nonexclusive mode. A controller 258 may be configured to determine whether an exclusive mode is enabled if a user attempts to enable a concealed mode, and the controller may provide a notification of the conflict to an output device 244. - When the
device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246) is verified (e.g., against a concealed access code stored in the device 110), the controller 258 is configured to set an encryption key in the device 110 into a new encryption key. The new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232) before the new encryption key is set into the device 110 (e.g., 240). If the device 110 thereafter enters into a protected mode or a renewed mode, a controller 258 may retain the new encryption key or may generate yet another new encryption key. Such another new encryption key is unusable for decrypting data encrypted and stored in the memory (e.g., 232) before such another new encryption key is created or set into the device 110. - When the
device 110 is in the nonexclusive mode, when the concealed mode is enabled, and when a concealed security access code inputted at an input device (e.g., 246) is verified, the controller 258 is configured to store the concealed security access code into the device 110 (e.g., the controller 258 or the memory 240) as a new privileged access code. This new privileged access code is valid and is not null. The new privileged access code becomes usable to verify another privileged security access code that may be entered after the new privileged access code is stored. - As described above, when a concealed mode is enabled, a user can input a concealed security access code into the
device 110. This concealed security access code replaces the existing privileged access code stored in the device 110. Thus, this concealed security access code becomes a new privileged access code, which is then stored in the device 110 (e.g., a memory 240). Consequently, in one or more aspects, a concealed mode could be used to defeat the purpose of having an exclusive mode, because a user who has a concealed security access code could bypass the security measures of an exclusive mode (as the user could store his/her concealed security access code as a new privileged access code) and place a device 110 into a renewed mode. As such, in one or more aspects, when a device 110 is in an exclusive mode, disabling a concealed mode provides a technical advantage that can prevent unauthorized conversion of the device into a renewed mode. - A
device 110 may be implemented with an auto-lock mode or feature. When enabled (e.g., in a privileged mode), a controller 258 can set a predefined period of inactivity that causes the device 110 to lock. The device 110, however, does not lock while data is being written into the memory 232. - A
device 110 may be implemented with a capability to switch the device 110 from a fixed disk to a removable disk and vice versa. - A
device 110 may be implemented to permit a user-forced enrollment mode. In this mode, the device 110 may already have a privileged access code stored and may require a restricted user to set up a new restricted access code to access the device 110. When the user-forced enrollment is activated, the output device 244 may provide one or more visual indications indicating that a new restricted access code needs to be programmed to gain access to the device 110. - A
device 110 may enter into an operating mode (e.g., reading or writing data into a memory 232). When (a) a request is made to enter into an operating mode (e.g., an unlocked mode for reading or writing), (b) a privileged security access code or a restricted security access code is verified, and (c) the device 110 is connected to a host (e.g., 120), the device 110 (e.g., a controller 258) may perform an enumeration process with the host. For example, a controller 258 may transmit enumeration information of the device 110 via a communications module 238 and a communication bus 130. In one aspect, after the enumeration process is completed, the host 120 and the device 110 may be ready to exchange data (e.g., user data). In an operating mode, the controller 258 may (a) encrypt data received from the host 120 and write the encrypted data to a memory 232 and (b) decrypt data read from the memory 232 and provide the decrypted data to the host 120. - Access Codes
- A device 110 (or the
controller 258 or the memory 240) may store one or more access codes. When a security access code received (e.g., via an input device 246) is verified against a stored access code, a controller 258 may permit access to the device 110. - One type of access code may be a privileged access code. When a privileged security access code received (e.g., received at an input device 246) is verified against a stored privileged access code, the
device 110 may be placed into a mode such as a privileged mode or an operating mode. In a privileged mode, a controller 258 may be permitted to set or change the configuration profiles of the device 110, for example, implementing, enabling or disabling various modes or features described herein or changing the stored access codes. - Another type of access code is a restricted access code. When a restricted security access code received (e.g., received at an input device 246) is verified against a stored restricted access code, the
device 110 may be placed into a mode such as an operating mode. A verified restricted security access code does not place the device 110 into a privileged mode. Thus, a verified restricted security access code has fewer privileges than a verified privileged security access code. - Another type of access code may be a recovery access code. A
device 110 may permit a recovery security access code to be received (e.g., at an input device 246) and stored as a recovery access code in the device 110 (e.g., 240). There may be multiple recovery access codes. After storing the recovery access code, when a next recovery security access code is received and verified against the stored recovery access code, a controller 258 may launch a user-forced enrollment. The recovery security access code is not an actual access code that is used to unlock the device 110 for an operating mode, but rather is used to place the device 110 into a state of user-forced enrollment where a new restricted access code may be created and stored. In another aspect, a recovery access code may be used to create and store a new privileged access code. Thus, a recovery access code is useful when a restricted access code and/or a privileged access code is forgotten and it is necessary to be able to access data stored in the memory (e.g., 232). - For example, after a recovery security access code received is verified against a stored recovery access code, a
controller 258 permits a new restricted security access code to be received (e.g., via an input device 246) and stores the new restricted security access code as a new restricted access code. In another example, after a recovery security access code entered is verified against a stored recovery access code, a controller 258 permits a new privileged security access code to be received (e.g., via an input device 246) and stores the new privileged security access code as a new privileged access code. - Yet another type of access code may be a concealed access code. When a concealed mode is enabled, a concealed security access code received at an input device may be verified against a concealed access code stored in the
device 110. After the verification, the verified concealed security access code or the stored concealed access code may be stored as a new privileged access code. - Converting a
device 110 into a renewed mode may nullify all existing access codes stored in the device 110. Prior to entering into a renewed mode, if some access codes are already nullified, then a controller 258 may retain such nullified access codes and nullify only the other access codes. Alternatively, entering into a renewed mode may cause all access codes (whether already nullified or not) to be nullified. - A
device 110 may enter into or exit from the various modes using one or more methods described herein. These methods are provided for illustration purposes, and other methods are within the scope of the disclosure. -
FIG. 4 illustrates an example of operations performed by a portable secure storage device, such as a storage device 110. The operations shown in FIG. 4 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below are provided with reference to FIGS. 1 through 4. - A memory (e.g., 232) of a storage device (e.g., 110) may be disposed within a housing (e.g., 111) and is configured to store data (e.g., encrypted user data). An input device (e.g., 246) may be disposed at the housing and is configured to receive a privileged security access code and a restricted security access code.
- The operations described in
FIG. 4 may be performed by a controller of a storage device 110 (e.g., the controller 258, or one or more components within the controller 258). In one aspect, the controller may perform the operations without communicating with a host (e.g., 120). In one aspect, the controller 258 or its components may execute the instructions stored in the memory 240. In one aspect, the host is separate and distinct from the storage device. In one aspect, the storage device may be connected to the host and may receive power from the host, but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 411 through 416 of FIG. 4. In one aspect, the storage device is not recognizable by the host even if connected to the host during these operations. In one example, the storage device is disconnected from the host during some or all of these operations. - As illustrated in
block 411 of FIG. 4, a controller (e.g., 258 or one or more components therein) may be configured to determine whether a storage device (e.g., 110) is in an exclusive mode (e.g., 310B) or a nonexclusive mode (e.g., 310A). As illustrated in block 412, the controller may determine whether the storage device is in a privileged mode (e.g., 320), a locked mode (e.g., 330A or 330B) or a protected mode (e.g., 340A or 340B). As illustrated in block 413, the controller may determine that a request is made to self-transform the storage device to a renewed mode (e.g., 360). In one example, the blocks block 411 to block 413, in reverse order, or in another order. In another example, some or all of these blocks may be performed concurrently. - As illustrated in
block 414, when the request is made and when the storage device is in the privileged mode (e.g., 320), the controller may self-transform the storage device to the renewed mode, regardless of whether the storage device is in the exclusive mode or the nonexclusive mode. This self-transformation may be performed in response to the request (e.g., received via an input device 246). - As illustrated in
block 415, when the request is made and when the storage device is in the nonexclusive mode (e.g., 310A), the controller may self-transform the storage device to the renewed mode (e.g., 360). This self-transformation may be performed in response to the request. In one aspect, this self-transformation is performed when the storage device is in the locked mode (e.g., 330A) or the protected mode (e.g., 340A). This self-transformation may be performed without requiring communication with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified. - As illustrated in
block 416, when the request is made and when the storage device is in the exclusive mode (e.g., 310B), the controller may self-transform the storage device to the renewed mode (e.g., 360) only when the privileged security access code is verified. In one aspect, this self-transformation is performed when the storage device is in the protected mode (e.g., 340B).
- In one aspect, when data is encrypted using an encryption key and stored in the memory (e.g., 232) prior to the storage device being transformed into the renewed mode, and when the storage device is thereafter transformed into the renewed mode, the storage device contains a new encryption key that is unusable for decrypting the data stored in the memory (e.g., 232) prior to the storage device being transformed into the renewed mode.
- In one aspect, when the storage device is in the privileged mode, the privileged security access code is verified, and the storage device is convertible between the exclusive mode and the nonexclusive mode.
- In one aspect, when the storage device is in the locked mode, the storage device is not recognizable by the host even if the storage device is connected to the host.
- In one aspect, when the storage device is in the protected mode, the storage device contains the new encryption key or another new encryption key, wherein such another new encryption key is unusable for decrypting data encrypted and stored in the memory prior to the storage device being in the protected mode.
- In one aspect, the restricted security access code is different from the privileged security access code.
- In one aspect, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.
- In one aspect, when the storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from transforming the storage device to the renewed mode, even if the restricted security access code is verified.
- FIG. 5 illustrates an example of operations performed by a storage device, such as a storage device 110. The operations shown in FIG. 5 are for illustration purposes, and other operations are within the scope of the disclosure. The descriptions below are provided while referring to FIGS. 1 through 5.
- A storage device (e.g., 110) may include a casing. A memory (e.g., 230) may be disposed within the casing and configured to store encrypted data. An input device (e.g., 246) may be disposed at the casing, configured to receive a privileged security access code, and configured to receive a restricted security access code. An output device (e.g., 244) may be disposed at the casing and configured to provide an output.
- The operations described in FIG. 5 may be performed by a controller of a storage device 110 (e.g., the controller 258, or one or more components within the controller 258). In one aspect, the controller 258 or its components may perform the instructions stored in the memory 240. In one aspect, the controller may perform the operations described in blocks 511 through 514 of FIG. 5 without communicating with a host (e.g., 120). In one aspect, the host is separate and distinct from the storage device. In one example, the storage device may be connected to the host and may receive power from the host but does not send or receive any instructions, commands or data to or from the host in connection with the operations described below with reference to blocks 511 through 514 of FIG. 5. In one aspect, the storage device is not recognizable by the host even if connected to the host for these operations. In one example, the storage device is disconnected from the host during some or all of these operations.
- A controller (e.g., the controller 258, or one or more components within the controller 258) may be disposed within the casing and coupled to the input device. The controller may be configured to cause: (a) unlocking the storage device based on the privileged security access code or the restricted security access code; and (b) locking the storage device based on a request, a status, an occurrence of a first event, or an omission of a second event.
- The controller may be configured to cause (a) storing a privileged access code in the controller and (b) storing a restricted access code in the controller. The controller may receive a first input via the input device (e.g., 246). In one aspect, the operations described in this paragraph are performed by the controller without communicating with the host.
- As illustrated in block 511 of FIG. 5, the controller may be configured to cause determining whether a request is made to self-convert the storage device to a renewed mode (e.g., 360). The determination may be made by the controller by itself in response to the first input. The self-conversion may be carried out from a current mode to the renewed mode.
- In one advantageous example, the current mode is a privileged mode. In another advantageous example, the current mode is a locked mode. In another advantageous example, the current mode is a protected mode.
- As illustrated in block 512, the controller may be configured to cause determining whether the storage device is in an exclusive mode (e.g., 310B) or a nonexclusive mode (e.g., 310A). In one aspect, the blocks may be performed from block 511 to block 512 or in reverse order. In another aspect, these blocks may be performed concurrently.
- As illustrated in block 513, when the storage device is in the exclusive mode, and when the privileged security access code is verified, the controller may be configured to cause self-converting the storage device to the renewed mode. The privileged security access code may have been received at the input device (e.g., 246) and may be verified against the stored privileged access code. The self-conversion may be carried out when the request is made. The self-conversion may be carried out from the current mode to the renewed mode. This self-conversion may be performed without communicating with the host.
- As illustrated in block 514, when the storage device is in the nonexclusive mode, the controller may be configured to cause self-converting the storage device to the renewed mode. This self-conversion may be carried out when the request is made. This self-conversion may be carried out from the current mode to the renewed mode. In addition, this self-conversion may be performed without communicating with the host, without requiring a determination of whether the privileged security access code is verified, and without requiring a determination of whether the restricted security access code is verified.
- In one aspect, when the storage device is in the renewed mode, the stored privileged access code is a nullified privileged access code. The nullified privileged access code is unusable to verify any privileged security access code or any security access code received at the input device while the storage device contains the nullified privileged access code.
- In one aspect, when data is encrypted using an encryption key and stored in the memory (e.g., 232) prior to the storage device being in the renewed mode, and when the storage device is thereafter in the renewed mode, the storage device contains a new encryption key. The new encryption key is unusable for decrypting the data stored in the memory before the new encryption key is set into the storage device.
- In one aspect, the restricted security access code is different from the privileged security access code. In one aspect, the restricted security access code is usable to change fewer configuration profiles of the storage device than the privileged security access code. In one aspect, the restricted security access code is unusable to convert the storage device from the exclusive mode to the nonexclusive mode and from the nonexclusive mode to the exclusive mode.
- In one aspect, when the storage device is in the exclusive mode, and when the privileged security access code is not verified, the controller is prevented from converting the storage device from the current mode to the renewed mode even if the restricted security access code is verified.
- In one aspect, when the storage device is in the renewed mode, all access codes in the storage device are nullified access codes, none of which is usable to verify any security access code received at the input device while the portable storage device contains the nullified access codes.
- In one aspect, when the storage device is in the renewed mode with the nullified privileged access code and the new encryption key, a controller (e.g., 258) may accept a request to create a new valid privileged access code. The request may be made, for example, by pressing one or more predetermined buttons associated with the request at an input device (e.g., 246). When the controller accepts the request, a new privileged security access code is enterable (e.g., at an input device 246). In the renewed mode, the controller (e.g., 258) is configured to enable receiving and processing a new privileged security access code entered at an input device (e.g., 246) and storing the new privileged security access code as a new privileged access code in a memory (e.g., 240). In one aspect, this process of storing a new privileged access code is performed without verifying or authenticating the new privileged security access code or its source. This new privileged access code is valid and is not null. When the controller contains the new privileged access code, the storage device is no longer in the renewed mode. In one aspect, the foregoing conversion may occur via a path (e.g., 328) from the renewed mode (e.g., 360) to a privileged mode (e.g., 320). When the controller contains the new privileged access code, the storage device may be considered to be in a privileged mode (e.g., 320). The new privileged access code may be used to verify another privileged security access code to be entered at an input device. This may be, for example, to unlock the storage device or to enter into another mode.
- In one aspect, after the storage device exits the renewed mode, when a second privileged security access code is inputted at the input device (e.g., 246) and verified against the new privileged access code, the storage device (e.g., controller 258) may facilitate formatting a memory (e.g., 232).
- In one aspect, after the storage device exits the renewed mode, when a second privileged security access code is inputted at the input device (e.g., 246) and verified against the new privileged access code, the storage device may enable (a) receiving and processing a new restricted security access code entered at the input device (e.g., 246) and (b) storing the new restricted security access code as a new restricted access code. This new restricted access code is valid and is not null. The new restricted access code may be used to verify another restricted security access code to be entered at an input device. This may be, for example, to unlock the storage device and enter into an operating mode.
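The mode-transition rules of FIGS. 4 and 5 (blocks 411 through 416 and 511 through 514) and the renewed-mode exit path just described, worked through as an added Python model. This is example code written for this page, not firmware from the patent or any product: the `Controller` and `StoredCode` classes, their method names, and the toy `xor_crypt` keystream (standing in for the device's bulk cipher) are this example's own assumptions. Access codes are held as salted hashes, one of the storage forms the disclosure allows, so a nullified code is simply absent and verifies nothing; renewal rotates the key, so ciphertext written before renewal no longer decrypts.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Mode names follow the disclosure (reference numerals in comments are the page's);
# class, method and variable names are this example's own assumptions.
PRIVILEGED, LOCKED, PROTECTED, RENEWED = "privileged", "locked", "protected", "renewed"


def _hash_code(code: str, salt: bytes) -> bytes:
    # Access codes are held as a salted hash, one of the storage forms the disclosure allows.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


@dataclass
class StoredCode:
    salt: bytes
    digest: bytes

    @classmethod
    def of(cls, code: str) -> "StoredCode":
        salt = os.urandom(16)
        return cls(salt, _hash_code(code, salt))

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison so verification does not leak through timing.
        return hmac.compare_digest(self.digest, _hash_code(candidate, self.salt))


def _keystream(key: bytes, n: int) -> bytes:
    # Toy stand-in for the device's bulk cipher; illustration only, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class Controller:
    exclusive: bool                    # exclusive (310B) or nonexclusive (310A)
    mode: str                          # privileged 320, locked 330x, protected 340x, renewed 360
    privileged: Optional[StoredCode]   # None models a nullified access code
    restricted: Optional[StoredCode]
    key: bytes = field(default_factory=lambda: os.urandom(32))

    def verify_privileged(self, code: str) -> bool:
        return self.privileged is not None and self.privileged.verify(code)

    def verify_restricted(self, code: str) -> bool:
        return self.restricted is not None and self.restricted.verify(code)

    def set_exclusive(self, privileged_code: str, exclusive: bool) -> bool:
        # Exclusive/nonexclusive switching needs privileged mode plus the privileged code.
        # A restricted code never suffices, so there is no restricted path here.
        if self.mode != PRIVILEGED or not self.verify_privileged(privileged_code):
            return False
        self.exclusive = exclusive
        return True

    def self_convert_to_renewed(self, entered_code: Optional[str] = None) -> bool:
        """Blocks 411-416 / 511-514: decide without the host, then nullify and re-key."""
        if self.mode == PRIVILEGED:
            allowed = True                # block 414: privileged mode, either exclusivity
        elif not self.exclusive:
            allowed = True                # blocks 415/514: no code check at all
        else:                             # blocks 416/513: privileged code must verify
            allowed = entered_code is not None and self.verify_privileged(entered_code)
        if not allowed:
            return False
        self.privileged = None            # nullified: usable to verify nothing
        self.restricted = None
        self.key = os.urandom(32)         # fresh key; earlier ciphertext is unrecoverable
        self.mode = RENEWED
        return True

    def set_new_privileged_code(self, code: str) -> bool:
        """Path 328: leave renewed mode by storing a new privileged code, unverified by design."""
        if self.mode != RENEWED:
            return False
        self.privileged = StoredCode.of(code)
        self.mode = PRIVILEGED
        return True

    def set_new_restricted_code(self, privileged_code: str, new_code: str) -> bool:
        # Only after renewed mode has been exited and the new privileged code verifies.
        if self.mode == RENEWED or not self.verify_privileged(privileged_code):
            return False
        self.restricted = StoredCode.of(new_code)
        return True
```

Walking an exclusive device in protected mode through the model: `self_convert_to_renewed("<restricted code>")` returns `False`, the privileged code returns `True`, and afterwards `xor_crypt(dev.key, old_ciphertext)` no longer yields the plaintext; a nonexclusive device in locked mode renews with no code at all. The one place no verification happens on purpose is `set_new_privileged_code`, which is exactly why exclusive mode matters: without it, anyone holding the device could reach that step.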
- In one or more implementations, a storage device 110 may be connected to or plugged into a host 120 (e.g., via a USB port or other methods) at various times. For example, a storage device 110 may be connected to or plugged into a host 120 prior to any of the operations shown in FIGS. 4 and 5. However, merely plugging the device 110 into the host 120 does not allow the device 110 to be recognized by the host 120. Even though the device 110 does not require any special software or special driver on the host 120, the device 110 needs to perform certain operations by itself before the device 110 becomes recognizable by the host 120. This improves the security of the device 110. The storage device 110 is not recognizable or detectable by the host 120 until after a security access code (e.g., received at an input device 246) is verified by a controller 258. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is initiated. In one or more aspects, an enumeration process does not commence until after a security access code is verified by a controller (e.g., 258) of the storage device. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an enumeration process between the device 110 and the host 120 is completed. In one aspect, the device 110 is not recognizable or detectable by the host 120 until after an encryption key is retrieved (e.g., from the memory 240) and is made available for encrypting user data. When the device 110 is unlocked (e.g., as a result of, in response to or after one or more operations described in this paragraph), the device is recognizable by the host 120.
- In one or more aspects, enumeration may be a process of having a device attached or connected to or plugged into the host 120, such as the device 110, detected and identified. In one or more implementations, enumeration information may include a product identifier, a vendor identifier, a device descriptor, a configuration description, and an interface descriptor. In one example, enumeration information includes USB enumeration information, which may include, for example, a USB product ID, USB vendor ID, USB device type, USB device class, USB device speed, USB device descriptor, etc. In one or more implementations, enumeration information is not settable or changeable by any user (e.g., any privileged user or any restricted user). In one or more implementations, enumeration information is permanent information describing a device.
- After an enumeration process with the host 120 is completed, a component of the controller 258 may notify other components within the controller 258 of the completion and/or provide a completion signal to an output device 244. In one aspect, after the enumeration process is completed, the host 120 and the device 110 may be ready to exchange data (e.g., user data).
- In one or more implementations, when an encryption key is stored in a storage device 110 (e.g., a controller 258, its component, or a memory 240), the encryption key may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof). In one example, an encryption key may refer to one or more encryption keys. In one example, when an encryption key is set to, or replaced by, a new encryption key, and if a storage device 110 contains more than one encryption key, then all encryption keys in the storage device are set to, or replaced by, new encryption keys. In one example, if a storage device 110 is described as containing a new encryption key, and the storage device contains multiple encryption keys, then all encryption keys in the storage device are new encryption keys. In one aspect, an encryption key may refer to a form of encryption key (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof).
- In one or more implementations, when an access code (e.g., a privileged access code, a restricted access code, a recovery access code, or a concealed access code) is stored in the storage device 110 (e.g., a controller 258 or a memory 240), the access code may be stored in various forms (e.g., a hash value, an encrypted value, a representation, or an exact copy thereof). In one example, an access code may refer to one or more access codes. In one example, a nullified access code may refer to one or more nullified access codes. In one example, when a storage device contains a nullified access code, all access codes may be nullified access codes.
- In one aspect, data stored in the memory 232 is user data. In one aspect, user data does not control any operation of a storage device 110. In one aspect, user data does not instruct any controller (e.g., 258) of the storage device 110 to perform a function. In one aspect, user data does not include any access codes, any configuration profiles, settings, data or parameters, or any encryption key of the storage device. In one aspect, user data does not include any data inputted at an input device (e.g., 246) of the storage device 110. In one aspect, user data does not include any output produced at an output device (e.g., 244) of the storage device 110. In one aspect, user data is received from a host 120. In one aspect, user data is transferred to the memory 232 and retained in the memory 232 when power is off. In one aspect, user data is not retained in the controller 258 when power is off.
- Additional descriptions and advantages are provided below with respect to an exclusive mode, a nonexclusive mode and a renewed mode.
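The enumeration gating described in the paragraphs above (no descriptor response, no encryption key, and therefore no recognition by the host until a code entered at the device's own input has been verified), as an added Python sketch. It is example code for this page, not the patent's or any product's firmware: `GatedController`, `handle_get_descriptor`, the constructed `ENUMERATION_INFO` values, and the unsuccessful-attempt limit (a policy item the disclosure lists, whose behaviour once exhausted is an assumption here) are all this example's own.

```python
import hashlib
import hmac
import os
from types import MappingProxyType

# Constructed USB enumeration information (made-up values). It is exposed read-only
# because the disclosure treats it as permanent and not settable by any user.
ENUMERATION_INFO = MappingProxyType({
    "idVendor": 0x1234,
    "idProduct": 0xABCD,
    "bDeviceClass": 0x08,        # mass storage
    "speed": "high",
})


class GatedController:
    """Keypad-unlocked controller that withholds enumeration until a code is verified."""

    def __init__(self, access_code: str, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._digest = self._hash(access_code)
        self.max_attempts = max_attempts          # policy value set by a privileged user
        self.failed_attempts = 0
        self.unlocked = False
        self.enumeration_complete = False
        self._key = os.urandom(32)                # not made available until unlock

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def enter_code(self, code: str) -> bool:
        """Input from the device's own input device; the host plays no part in this."""
        if self.failed_attempts >= self.max_attempts:
            return False                          # assumption: stays locked once exhausted
        if hmac.compare_digest(self._digest, self._hash(code)):
            self.unlocked = True
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

    def encryption_key(self):
        # Retrieved for use only after unlock; None models "not available".
        return self._key if self.unlocked else None

    def handle_get_descriptor(self):
        """Host-side descriptor request during enumeration. While locked the device
        does not answer at all, so the host never learns that it is present."""
        if not self.unlocked:
            return None
        self.enumeration_complete = True
        return dict(ENUMERATION_INFO)

    def lock(self) -> None:
        """Lock on request, status or event: the device becomes unrecognizable again."""
        self.unlocked = False
        self.enumeration_complete = False
```

The point to check on a real device is the `None` branch of `handle_get_descriptor`: a host-side sniffer should show no descriptor traffic before the code is entered, not a descriptor followed by a refused mount. Writing the attempt counter and the key retrieval into the same object also makes the ordering the disclosure requires explicit: verification first, then key availability, then enumeration.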
- In one aspect, an exclusive mode is a feature designed to prevent redeployment of storage devices with unauthorized configuration profiles or settings. A storage device (e.g., 110) may include a physical input device, a memory, and a controller and may include programmable settings that may be managed by a user. However, there may be configuration profiles only available to a privileged user due to data security or other reasons. For example, such profiles may be set or changed only when a privileged security access code is verified or only when a storage device is in a privileged mode. A controller (e.g., 258) may set a storage device to an exclusive mode or a nonexclusive mode or may change an exclusive mode to a nonexclusive mode and vice versa. In one aspect, this may occur while a storage device is in a privileged mode. In one aspect, this may be performed by the controller based on a control input and a determination of a privileged user. In one advantageous implementation, the control input may be received from a physical input device (e.g., a keypad) of the storage device. In alternative examples, the control input may be received from software or other means. When a storage device is in an exclusive mode, the ability to reset and redeploy the storage device (with unauthorized settings or settings that are against a company's security policy) is restricted. For example, such ability may be restricted to a privileged user and require authentication via a control signal (e.g., a privileged security access code) to allow the storage device to accept new settings/profiles and operate normally. In alternative examples, this functionality may be configured so the storage device can be reset by a restricted user but only to their default settings.
- In one or more aspects, implementing an exclusive mode is advantageous as it may address various issues companies may experience with portable secure storage devices.
- One issue may be unauthorized users modifying a company's security policy of storage devices. Implementing an exclusive mode would prevent an unauthorized user from resetting and redeploying a portable secure storage device. This would prevent an unauthorized user from modifying a company's existing device security policy that has been placed into the device by a privileged user. Such security policy may include, for example, a privileged access code, a restricted access code, a minimum access code length, an auto-lock setting, a lock-override setting, and the allowed number of unsuccessful security access code entry attempts. In one aspect, an unauthorized user may be a user who does not have the correct privileged security access code to the storage device.
- Another issue may be the effectiveness of device whitelisting. When an exclusive mode is not implemented, once an unauthorized user has physical possession of a whitelisted storage device, he or she could reset and redeploy the device, set up a new privileged access code and start using the device as his or her own device on a company's secure network. When an exclusive mode is implemented on a storage device, the device cannot be reset and redeployed without the control signal (e.g., a valid privileged security access code). This would prevent an unauthorized user, who does not have the control signal, from resetting and redeploying a whitelisted device and starting to use it with different, unauthorized settings or settings that are against a company's security policy. Implementing an exclusive mode would make the device whitelisting protection more effective.
- In one or more aspects, the subject technology may be carried out, for example, by one or more of the following:
- A method comprising one or more methods or operations described herein.
- An apparatus or a portable storage device comprising one or more memories or registers (e.g., 232, 240) and one or more processors (e.g., 258) coupled to the one or more memories, the one or more processors configured to cause the apparatus to perform one or more methods or operations described herein.
- A hardware apparatus comprising circuits (e.g., 258, 246, 244) configured to perform one or more methods, operations, or portions thereof described herein.
- An apparatus or a portable storage device comprising means (e.g., 258, 246, 244) adapted for performing one or more methods or operations described herein.
- A computer-readable storage medium (e.g., 240, one or more memories, one or more registers, and/or one or more media) comprising instructions stored therein, the instructions comprising code for performing one or more methods or operations described herein.
- A computer-readable storage medium (e.g., 240, one or more memories, one or more registers, and/or one or more media) storing instructions that, when executed by one or more processors (e.g., 258), cause one or more processors to perform one or more methods, operations or portions thereof described herein.
- An apparatus or a portable storage device comprising means (e.g., 258, 246, 244) for performing one or more operations described with reference to FIGS. 3, 4, and/or 5 or one or more operations described herein.
- While detailed description is provided above, one or more alternative implementations may utilize other modes, methods and paths to enter into or exit from a mode, such as a renewed mode.
- In one aspect, a method may be an operation, an instruction, or a function and vice versa. In one aspect, a clause or a claim may be amended to include some or all of the words (e.g., instructions, operations, functions, or components) recited in one or more sentences, one or more phrases, one or more paragraphs, and/or one or more claims. A claim may have multiple dependencies based on any of the other claims.
- An example of the present disclosure may be an article of manufacture in which a non-transitory machine-readable medium (such as microelectronic memory, e.g., 240) has stored thereon instructions (e.g., in firmware) which program one or more data processing components (e.g., the controller 258, or a processor) to perform one or more operations described herein. In other examples, some of these operations may be performed by specific hardware components that contain hardwired logic. Those operations may alternatively be performed by any combination of programmed data processing components and fixed hardwired circuit components.
- In some cases, an example of the present disclosure may be an apparatus (e.g., a secure flash storage device) that includes one or more hardware and firmware/software logic structures for performing one or more of the operations described herein. For example, as described above, the apparatus may include a memory unit, which stores instructions that may be executed by a hardware processor installed in the apparatus. The apparatus may also include one or more other hardware or software elements, including a network interface, a display device, etc.
- The term “machine-readable storage medium,” “computer readable medium” or “medium” may refer to any medium or media (e.g., 240) that participate in providing instructions to a processor or controller (e.g., 258) for execution. Such a medium may take many forms, including, but not limited to, non-volatile media and volatile media. Non-volatile media include, for example, optical or magnetic disks, such as a data storage unit. Volatile media include dynamic memory. To illustrate the interchangeability of hardware, firmware and software, items such as the various illustrative blocks, modules, components, methods, operations, instructions, and algorithms have been described generally in terms of their functionality. Whether such functionality is implemented as hardware, firmware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application.
- A reference to an element in the singular is not intended to mean one and only one unless specifically so stated, but rather one or more. For example, “a” controller may refer to one or more controllers. An element preceded by “a,” “an,” “the,” or “said” does not, without further constraints, preclude the existence of additional same elements.
- Headings and subheadings, if any, are used for convenience only and do not limit the invention. The word exemplary is used to mean serving as an example or illustration. To the extent that the term include, have, contain or the like is used, such term is intended to be inclusive in a manner similar to the term comprise as comprise is interpreted when employed as a transitional word in a claim. Relational terms such as first and second and the like may be used to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between such entities or actions. The term coupling, connecting, or the like is intended to include direct and indirect coupling and direct and indirect connecting. The term coupled, connected, or the like is intended to include directly and indirectly coupled and directly and indirectly connected.
- Phrases such as an aspect, the aspect, another aspect, some aspects, one or more aspects, an implementation, the implementation, another implementation, some implementations, one or more implementations, an embodiment, the embodiment, another embodiment, some embodiments, one or more embodiments, a configuration, the configuration, another configuration, some configurations, one or more configurations, the subject technology, the disclosure, the present disclosure, other variations thereof and alike are for convenience and do not imply that a disclosure relating to such phrase(s) is essential to the subject technology or that such disclosure applies to all configurations of the subject technology. A disclosure relating to such phrase(s) may apply to all configurations, or one or more configurations. A disclosure relating to such phrase(s) may provide one or more examples. A phrase such as an aspect or some aspects may refer to one or more aspects and vice versa, and this applies similarly to other foregoing phrases.
- A phrase “at least one of” preceding a series of items, with the terms “and” or “or” to separate any of the items, modifies the list as a whole, rather than each member of the list. The phrase “at least one of” does not require selection of at least one item; rather, the phrase allows a meaning that includes at least one of any one of the items, and/or at least one of any combination of the items, and/or at least one of each of the items. By way of example, each of the phrases “at least one of A, B, and C” or “at least one of A, B, or C” refers to only A, only B, or only C; any combination of A, B, and C; and/or at least one of each of A, B, and C.
- It is understood that the specific order or hierarchy of steps, operations, or processes disclosed is an illustration of exemplary approaches. Unless explicitly stated otherwise, it is understood that the specific order or hierarchy of steps, operations, or processes may be performed in different order. Some of the steps, operations, or processes may be performed simultaneously. The accompanying method claims, if any, present elements of the various steps, operations or processes in a sample order, and are not meant to be limited to the specific order or hierarchy presented. Unless explicitly stated otherwise, these may be performed in serial, linearly, in parallel or in different order. It should be understood that the described instructions, operations, and systems can generally be integrated together in a single software/hardware product or packaged into multiple software/hardware products.
- The disclosure is provided to enable any person skilled in the art to practice the various aspects described herein. In some instances, well-known structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject technology. The disclosure provides various examples of the subject technology, and the subject technology is not limited to these examples. Various modifications to these aspects will be readily apparent to those skilled in the art, and the principles described herein may be applied to other aspects.
- All structural and functional equivalents to the elements of the various aspects described throughout the disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. § 112, sixth paragraph, unless the element is expressly recited using a phrase means for or, in the case of a method claim, the element is recited using the phrase step for.
- The entire content of U.S. patent application Ser. No. 15/286,465 is incorporated herein by reference.
- The title, background, brief description of the drawings, abstract, and drawings are hereby incorporated into the disclosure and are provided as illustrative examples of the disclosure, not as restrictive descriptions. It is submitted with the understanding that they will not be used to limit the scope or meaning of the claims. In addition, in the detailed description, it can be seen that the description provides illustrative examples and the various features are grouped together in various implementations for the purpose of streamlining the disclosure. The method of disclosure is not to be interpreted as reflecting an intention that the claimed subject matter requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed configuration or operation. The following claims are hereby incorporated into the detailed description, with each claim standing on its own as a separately claimed subject matter.
- The claims are not intended to be limited to the aspects described herein, but are to be accorded the full scope consistent with the language claims and to encompass all legal equivalents. Notwithstanding, none of the claims are intended to embrace subject matter that fails to satisfy the requirements of the applicable patent law, nor should they be interpreted in such a way.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/877,377 US20210117108A1 (en) | 2019-10-22 | 2020-05-18 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/660,770 US10656854B1 (en) | 2019-10-22 | 2019-10-22 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
US16/877,377 US20210117108A1 (en) | 2019-10-22 | 2020-05-18 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/660,770 Continuation US10656854B1 (en) | 2019-10-22 | 2019-10-22 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210117108A1 (en) | 2021-04-22 |
Family
ID=70736321
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/660,770 Active US10656854B1 (en) | 2019-10-22 | 2019-10-22 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
US16/877,377 Abandoned US20210117108A1 (en) | 2019-10-22 | 2020-05-18 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
Family Applications Before (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/660,770 Active US10656854B1 (en) | 2019-10-22 | 2019-10-22 | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
Country Status (2)
Country | Link |
---|---|
US (2) | US10656854B1 (en) |
EP (1) | EP3812932B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230098214A1 (en) * | 2021-09-24 | 2023-03-30 | Meir Dahan | Smartphone that Saves Encrypted Photos in External Storage Devices |
US20240176860A1 (en) * | 2022-11-30 | 2024-05-30 | Mediatek Inc. | Dynamic Command Protection Method and Dynamic Command Protection System by Using Time-Vary Salt Data |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102422680B1 (en) * | 2020-12-16 | 2022-07-18 | 조완호 | Flash Storage System Having Embedded Security Program |
Family Cites Families (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5457748A (en) | 1992-11-30 | 1995-10-10 | Motorola, Inc. | Method and apparatus for improved security within encrypted communication devices |
DE69919299T2 (en) * | 1998-11-11 | 2004-12-30 | O2 Micro International Ltd. | Pre-boot security control unit |
US20020184485A1 (en) | 1999-12-20 | 2002-12-05 | Dray James F. | Method for electronic communication providing self-encrypting and self-verification capabilities |
KR100450080B1 (en) | 2001-11-13 | 2004-10-06 | (주)지에스텔레텍 | Portable storage medium based on Universal Serial Bus standard and Control Method therefor |
JP3673213B2 (en) * | 2001-11-30 | 2005-07-20 | 株式会社東芝 | Disk storage device and data erasing method applied to the same |
DE10214700B4 (en) | 2002-04-03 | 2006-02-23 | Advanced Micro Devices, Inc., Sunnyvale | Combined ATA / SATA controller as integrated circuit chip and associated method of operation |
WO2004086363A2 (en) | 2003-03-27 | 2004-10-07 | M-Systems Flash Disk Pioneers Ltd. | Data storage device with full access by all users |
WO2005050910A1 (en) | 2003-11-21 | 2005-06-02 | Huawei Technologies Co., Ltd. | A method for authenticating the device’s self-validity |
CN101233469B (en) * | 2005-07-21 | 2013-06-05 | 克莱夫公司 | Memory lock system |
WO2007023657A1 (en) | 2005-08-26 | 2007-03-01 | Mitsubishi Electric Corporation | Information storage device, information storage program, verification device and information storage method |
US9177153B1 (en) | 2005-10-07 | 2015-11-03 | Carnegie Mellon University | Verifying integrity and guaranteeing execution of code on untrusted computer platform |
US8756390B2 (en) | 2005-12-05 | 2014-06-17 | International Business Machines Corporation | Methods and apparatuses for protecting data on mass storage devices |
US8266378B1 (en) * | 2005-12-22 | 2012-09-11 | Imation Corp. | Storage device with accessible partitions |
US20070300031A1 (en) * | 2006-06-22 | 2007-12-27 | Ironkey, Inc. | Memory data shredder |
US7957532B2 (en) | 2006-06-23 | 2011-06-07 | Microsoft Corporation | Data protection for a mobile device |
US8250245B2 (en) | 2007-04-05 | 2012-08-21 | Seiko Epson Corporation | Information processing system, with information processing terminal capable of operating in multiple operation modes when connected to a host device |
US8095113B2 (en) | 2007-10-17 | 2012-01-10 | First Data Corporation | Onetime passwords for smart chip cards |
US8479013B2 (en) | 2008-01-18 | 2013-07-02 | Photonic Data Security, Llc | Secure portable data transport and storage system |
US8640226B2 (en) | 2008-06-27 | 2014-01-28 | Novell, Inc. | Mechanisms to secure data on hard reset of device |
WO2010067433A1 (en) | 2008-12-11 | 2010-06-17 | 三菱電機株式会社 | Self-authentication communication device, self-authentication verification communication device, device authentication system, device authentication method for device authentication system, self-authentication communication program, and self-authentication verification communication program |
US8359660B2 (en) | 2009-11-30 | 2013-01-22 | Lps2 | Method and apparatus of securing data in a portable flash memory |
JP5565040B2 (en) | 2010-03-30 | 2014-08-06 | 富士通株式会社 | Storage device, data processing device, registration method, and computer program |
US8442235B2 (en) | 2010-04-14 | 2013-05-14 | Microsoft Corporation | Extensible management of self-encrypting storage devices |
US8938624B2 (en) | 2010-09-15 | 2015-01-20 | Lsi Corporation | Encryption key destruction for secure data erasure |
US20120079289A1 (en) | 2010-09-27 | 2012-03-29 | Skymedi Corporation | Secure erase system for a solid state non-volatile memory device |
EP2437198B1 (en) | 2010-10-01 | 2020-12-30 | HID Global GmbH | Secure PIN reset process |
US20120113779A1 (en) | 2010-11-10 | 2012-05-10 | Oh Daekeun | Method for sending data in optical disc drive capable of changing mode |
JP5640845B2 (en) | 2011-03-18 | 2014-12-17 | 富士通株式会社 | Storage system, storage control device, and storage control method |
US9081911B2 (en) | 2011-05-31 | 2015-07-14 | Architecture Technology Corporation | Mediating communication of a universal serial bus device |
US8473666B2 (en) | 2011-06-27 | 2013-06-25 | Schneider Electric It Corporation | Systems and methods for driverless operation of USB device |
CN103797491B (en) | 2011-09-28 | 2017-06-23 | 惠普发展公司,有限责任合伙企业 | Storage device is unlocked |
CN104040933B (en) | 2011-09-30 | 2017-06-13 | 贝宝公司 | The difference client-side encryption of the information from client |
TW201346617A (en) | 2011-12-27 | 2013-11-16 | Woodrow Lin | Handheld mobile device with USB hard drive and optional biometric scanner, and systems including the same |
US8429409B1 (en) | 2012-04-06 | 2013-04-23 | Google Inc. | Secure reset of personal and service provider information on mobile devices |
EP2747333A1 (en) | 2012-12-19 | 2014-06-25 | Nagravision S.A. | A secure storage system including a virtual safe device and a mobile secure storage device |
US8959615B2 (en) | 2013-02-25 | 2015-02-17 | Kabushiki Kaisha Toshiba | Storage system in which fictitious information is prevented |
JP2015026358A (en) * | 2013-06-20 | 2015-02-05 | 株式会社東芝 | Device, host device, host system, and memory system |
US9043613B2 (en) | 2013-06-28 | 2015-05-26 | International Business Machines Corporation | Multiple volume encryption of storage devices using self encrypting drive (SED) |
US9396359B2 (en) | 2013-09-09 | 2016-07-19 | Whitecanyon Software, Inc. | System and method for encrypted disk drive sanitizing |
US9363085B2 (en) | 2013-11-25 | 2016-06-07 | Seagate Technology Llc | Attestation of data sanitization |
US9626531B2 (en) | 2014-11-18 | 2017-04-18 | Intel Corporation | Secure control of self-encrypting storage devices |
US10142304B2 (en) | 2016-08-23 | 2018-11-27 | Seagate Technology Llc | Encryption key shredding to protect non-persistent data |
US9720700B1 (en) | 2016-10-05 | 2017-08-01 | Apricorn | Secure storage devices, with physical input device, for secure configuration in a configuration-ready mode |
US10387333B2 (en) | 2017-01-05 | 2019-08-20 | Qualcomm Incorporated | Non-volatile random access memory with gated security access |
JP6892361B2 (en) * | 2017-09-21 | 2021-06-23 | キオクシア株式会社 | Storage device |
- 2019
  - 2019-10-22 US US16/660,770 patent/US10656854B1/en active Active
- 2020
  - 2020-05-18 US US16/877,377 patent/US20210117108A1/en not_active Abandoned
  - 2020-10-21 EP EP20202985.6A patent/EP3812932B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP3812932A1 (en) | 2021-04-28 |
EP3812932B1 (en) | 2023-01-18 |
US10656854B1 (en) | 2020-05-19 |
Similar Documents
Publication | Title |
---|---|
EP3798875B1 (en) | Portable storage device with internal secure controller that performs self-verification and self-generates encryption key(s) without using host or memory controller and that securely sends encryption key(s) via side channel |
EP3812932B1 (en) | Method and portable storage device with internal controller that can self-verify the device and self-convert the device from current mode to renewed mode without communicating with host |
US10521571B2 (en) | Secure storage devices, with physical input device, for secure configuration in a configuration-ready mode |
KR101607042B1 (en) | System and method for storing a password recovery secret |
US10599848B1 (en) | Use of security key to enable firmware features |
US20200363971A1 (en) | Portable storage device that is self-convertible from being a removable disk to a fixed disk and from being a fixed disk to a removable disk |
US12019907B2 (en) | Storage device including memory controller, and non-volatile memory system including the same and operating method thereof |
US11947466B2 (en) | Storage device, nonvolatile memory system including memory controller, and operating method of the storage device |
US20150143512A1 (en) | Iris key, system and method of unlocking electronic device using the iris key |
US20070181697A1 (en) | Method of a USB interface device with a discrimination function |
CN101770431A (en) | Storage device capable of certifying and data protection method |
CN101770556A (en) | Interface management method for computer system and related interface management device thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: APRICORN, CALIFORNIA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BROWN, PAUL CAMERON;THAI, PHUOC MINH;MCCANDLESS, MICHAEL LEE;SIGNING DATES FROM 20191105 TO 20191106;REEL/FRAME:053272/0008 |
 | AS | Assignment | Owner name: APRICORN, CALIFORNIA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SU, YUHSIANG;REEL/FRAME:053412/0913; Effective date: 20191105 |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |