WO2012030296A2 - Electronic encryption device and method - Google Patents

Electronic encryption device and method Download PDF

Info

Publication number
WO2012030296A2
WO2012030296A2 PCT/SE2011/051062 SE2011051062W WO2012030296A2 WO 2012030296 A2 WO2012030296 A2 WO 2012030296A2 SE 2011051062 W SE2011051062 W SE 2011051062W WO 2012030296 A2 WO2012030296 A2 WO 2012030296A2
Authority
WO
WIPO (PCT)
Prior art keywords
data files
encryption
electronic
file system
crypto module
Prior art date
Application number
PCT/SE2011/051062
Other languages
French (fr)
Other versions
WO2012030296A3 (en
Inventor
Rolf Andersson
Roger Eriksson
Fredrik Olsson
Original Assignee
Business Security Ol Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Business Security Ol Ab filed Critical Business Security Ol Ab
Publication of WO2012030296A2 publication Critical patent/WO2012030296A2/en
Publication of WO2012030296A3 publication Critical patent/WO2012030296A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Definitions

  • the present invention relates generally to the field of electronic encryption devices, and more particularly, it relates to an electronic encryption device and method for encryption of data files,
  • USB Universal Serial Bus
  • PCs personal computers
  • USB can connect computer peripherals such as mice, keyboards, digital cameras, printers, personal media players, flash drives, and external hard drives.
  • USB was designed for personal computers, it has become commonplace on other devices such as smartphones, PDAs and video game consoles, For many of those devices, USB has become the standard connection method.
  • a USB flash drive consists of a flash memory data storage device integrated with a USB interface, and is typically removable and rewritable.
  • USB flash drives are portable they can also easily be lost or stolen. Therefore, USB flash drives may have their contents encrypted using third party disk encryption software or programs which can use encrypted archives such as ZIP and RAR.
  • the executable files can be stored on the USB drive, together with the encrypted file partition.
  • the encrypted partition can then be accessed on any computer running the correct operating system, although it may require the user to have administrative rights on the host computer to access data.
  • a problem with this is that the encryption software or programs have to be installed on specific PC and doe require specific operating systems,
  • USB flash drives which use hardware based encryption as part of the design, thus removing the need for third-party encryption software.
  • Other flash drives allow the user to configure secure and public partitions of different sizes, and offer hardware encryption.
  • a problem with encrypted partitions is lack of transparency for the host computer. Files cannot be accessed as encrypted file, because they are always decrypted when accessed.
  • the crypto pass-through dangle enables various memory devices with USB interface, such as a flash memory card or a flash memory storage device, to be conveniently inserted into or removed from with encryption/decryption function.
  • a controller with USB interface and data encryption and decryption ability executes the encryption/decryption function to generate an identity code for the flash memory device. If an encrypted flash memory device being directly plugged into the USB port of a host computer that can not recognize the identity code, the computer can not access the data of the encrypted flash memory device, and therefore, the data of the flash memory device can be protected.
  • the controller can recognize the identity code and execute the decrypting function for the data, and therefore, the computer can access the data of the encrypted flash memory device. Even this approach lacks for transparency for the host computer.
  • an electronic encryption device for encryption of data files.
  • the electronic encryption device is characterized by a crypto module configured to read or receive one or more unencrypted data files stored in a first files system on a first external memory device; encrypt the one or more unencrypted data files into one or more encrypted data files; and write the one or more encrypted data files to a second file system on a second external memory device.
  • the device may further comprise a first connector operatively connected to the crypto module via a first file system driver for transferring the one or more unencrypted data files read from the first, external memory device to the crypto module; and a second connector operatively connected to the crypto module via a second file system driver for transferring the one or more encrypted data files encrypted by the crypto module to the second file system on the second external memory device.
  • the crypto module is configured to read the one or more unencrypted data files from a first external USB memory device.
  • the crypto module is configured to write the one or more encrypted data files to the second file system on a second external USB memory device.
  • the crypto module may in some embodiments be configured to read the one or more unencrypted data files from the second file system on a hard disk, a CD-ROM station, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
  • (113) is configured to write the one or more encrypted data files to the second file system on a hard disk, a. CD-ROM station, a. RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
  • a hard disk a. CD-ROM station
  • RAM Random Access Memory
  • ROM Read Only Memory
  • flash memory a flash memory
  • optical storage device or magnetic storage device.
  • the electronic encryption device may in some embodiments further comprise a key interface operatively connected to the crypto module for loading encryption keys for encryption of the one or more unencrypted data files.
  • a key interface operatively connected to the crypto module for loading encryption keys for encryption of the one or more unencrypted data files.
  • the second aspect of the invention may additionally have features identical with or corresponding to an y of the various features as explained above for the first aspect of the invention.
  • a computer program product comprising computer program code means for executing the method according to the second aspect when said computer program code means are run by an electronic device having computer capabilities.
  • a computer readable medium having stored thereon a computer program product comprising computer program code means for executing the method according to the second aspect when said computer program code means are run by an electronic device having computer capabilities.
  • An advantage of some embodiments of the invention is that the encryption device understands the file system of memory devices storing unencrypted as well as encrypted data files, wherein the encryption device is virtually transparent.
  • the electronic encryption device enables unlimited creation/deletion of files and directories, and reading/writing of files on the various memory devices, as well as formatting of any memory- device connected to the electronic encryption device.
  • Another advantage of some embodiments of the invention is that a host computer and the file encryption device may interact by means of file system calls, i.e open, read, write, and close.
  • FIG. 1 A illustrates an electronic file encryption device for encryption and decryption of data files according to some embodiments of the invention
  • FIG. 1 B illustrates a general block diagram of an electronic encryption device in an operating environment according to some embodiments of the invention
  • FIG. 2 illustrates a block diagram of the electronic file encryption device in FIG. 1 according to some embodiments of the invention
  • FIG. 3A illustrates a schematic drawing in a front view of an embodiment of the electronic encryption device
  • FIG. 3B illustrates a schematic drawing in a rear view of an embodiment of the electronic encryption device
  • FIG. 4 is a flow diagram illustrating steps in a method for encryption/ decryption of data files by the electronic encryption device
  • FIG. 5 illustrates a block diagram of an electronic file copy encryption device according to some embodiments of the invention
  • FIG. 6A illustrates an electronic file encryption device for encryption and decryption of data files according to some embodiments of the invention
  • FIG. 6B illustrates a general block diagram of an electronic encryption device in an operating environment according to some embodim ents of the invention
  • FIG. 7 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention.
  • FIG. 8A illustrates a hardware architecture of the file encryption device according to some embodiments of the invention:
  • FIG. 8B illustrates an FPGA block diagram of the file encryption device according to some embodiments of the invention.
  • FIG. 9 illustrates a block diagram of the electronic file encryption device according to some embodiments of the invention.
  • FIG. 10 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention.
  • FIG. 1 A illustrates an electronic file encryption device 100 for encryption and decryption of data files according to one embodiment of the present invention in an operating environment.
  • a general block diagram of the electronic file encryption device 100 is shown in FIG IB, which may comprise a housing 101, a printed circuit board 102, a first connector 103, and a second connector 104, an MMI (Man Machine Interface) 105. and a key interface 106.
  • MMI Man Machine Interface
  • the printed circuit board 102 is disposed within the housing 101 for conveying the first connector 103 for input and output of unencrypted information, and the second connector 104 for input and output of encrypted information.
  • the first and second connectors 103 and 104 may be USB interface slots for connecting various memory devices, including but not limited to USB memory devices, such as USB flash drives.
  • a first USB memory device 107 with a USB interface connector may store unencrypted files for encryption by the electronic crypto device 100, when it is connected to the first connector 103 of the electronic crypto device.
  • a second USB memory device 108 with a USB interface connector may be connected to the second connector 104 for receiving and storing files encrypted by the electronic file encryption device 100.
  • the key interface 106 may be but is not limited to a smart card interface for loading encryption keys to be used in the encryption/decryption of files passing the electronic file encryption device 100.
  • the USB memory devices 107 and 108 may be flash drives, each comprising a small printed circuit board carrying the circuit elements and a USB connector, insulated electrically and protected inside a plastic, metal, or rubberized case.
  • the USB connector may be protected by a removable cap or by retracting into the body of the drive, although it is not likely to be damaged if unprotected.
  • the flash drives may have a standard type- A USB connection allowing plugging into a port on the electronic encryption device or a personal computer.
  • the electronic file encryption device 100 is provided with "RED/BLACK separation", i.e. maintaining distance or installing shielding between circuits and equipment used to handle plaintext classified or sensitive information (RED signals) and normal unsecured circuits and equipment (BL ACK), the latter including those carrying encrypted or cipher text signals (BLACK signals).
  • RED/BLACK separation i.e. maintaining distance or installing shielding between circuits and equipment used to handle plaintext classified or sensitive information (RED signals) and normal unsecured circuits and equipment (BL ACK), the latter including those carrying encrypted or cipher text signals (BLACK signals).
  • the RED/BLACK separation is achieved by means of two separate sets of each module except the crypto module of the electronic encryption device.
  • One example embodiment of the electronic file encryption device 100 is shown in FIG. 2.
  • the printed circuit board 102 has disposed thereon a first USB driver 109 connected to the first connector 103 for handling the communication between the electronic encryption device 100 and the first USB memory device 107 on the "RED side" when it is inserted into the USB interface slot 103.
  • a first FS (file system) driver is disposed thereon a first USB driver 109 connected to the first connector 103 for handling the communication between the electronic encryption device 100 and the first USB memory device 107 on the "RED side" when it is inserted into the USB interface slot 103.
  • 1 10 disposed on a processor on the printed circuit board and operatively connected to the first USB driver 109 is adapted to handle information on a file system level, because it is only the content of the data files which is encrypted.
  • the printed circuit board 102 has a second USB driver
  • a second FS driver 1 12 operatively connected to the second USB driver 111, which is also adapted to handle information on a file system level.
  • a crypto module 113 which has data file encryption and decryption ability and provide authentication control of data files passing the electronic file encryption device 100.
  • the crypto module 1 13 is disposed on the printed circuit board 102 and operatively coupled to the first connector 103 and the second connector 104.
  • the crypto module 113 is a controller configured for receiving plaintext data files from the first connector 103 and executing encryption of the plaintext data files into ciphertext data files for transmission as output on the second connector 104.
  • the crypto module 113 is also configured for receiving ciphertext data files from the second connector 104 and executing decryption of the ciphertext data files into plaintext data files for transmission as output on the first connector 103.
  • Each plaintext data file stored on the first USB memory device 107 may he read and separately encrypted by the crypto module 113 when the USB memory device is inserted into the first USB interface slot 103.
  • Data files of any size may be read by streaming and may be encrypted and output on the second connector 104 and stored as ciphertext files on the second USB memory device 108 when it is inserted into the second USB interface slot 104,
  • the crypto module 113 executes the encryption/decryption function according to, but is not limited to, AES-GCM, which is an authenticated encryption algorithm designed to provide both authentication and privacy.
  • AES-GCM an authenticated encryption algorithm designed to provide both authentication and privacy.
  • FIG. 3 A illustrates a schematic drawing in a front view of an embodiment of the electronic encryption device 102.
  • the MMI 105 may comprise, but is not limited to, a display 105a and a set of keys 105b for controlling the encryption/decryption function and other functions of the device.
  • the MMI 105 may comprise a touch screen display for controlling the functions of the device.
  • FIG. 3B illustrates a schematic drawing in a rear view of an embodiment of the electronic encryption device 102.
  • the electronic encryption device 102 may have a third connector 1 14 for connection to a host computer.
  • the third connector may be, but is not limited to, a USB interface slot.
  • the electronic encryption device 102 may comprise a power connection 115 for main voltage supply.
  • the electronic encryption device 102 may be powered by a host computer connected to the first connector 103 or the third connector 114 if it is provided.
  • FIG. 4 is a flow diagram illustrating steps in a method for encryption/ decryption of data files that are input/output on the two connectors 103 and 104 of the electronic encryption device 102.
  • a first step 200 the electronic encryption device 102 is powered on.
  • the electronic encryption device 102 goes through a boot process and the operating system of the device takes over the control, in step 201.
  • the electronic encryption device 102 has turned into an operational mode to be responsive to commands entered via the MMI 105, and to communicate with any USB memory device plugged into any of the USB interface slots 103 and 104.
  • the USB memory device 107 is plugged into and received by the USB interface slot 103 in step 202 and the USB memory device 108 is plugged into and received by the USB interface slot 104 of the elec tronic encryption device in step 203.
  • a user may plug in the USB memory devices into its respective USB interface slots either at the same time or one after the other in any order.
  • the crypto module 1 13 establishes connection by signalling with the first USB memory device 103 in step 204, accesses information of files stored in an ordinary file system on the USB memory device, and display the information about the files and/or file directories in a file menu on the display 105a
  • the crypto module 113 establishes connection by signalling with the USB memory device 104 in step 205 and if there are any files and/or file directories already stored in an ordinary file system on the USB memory device 104, accesses information of the files and/or file directories, and in that case displays the information about the files and/or file directories in a file menu on the display 105a.
  • a selected encryption/decryption key or set of keys is loaded into the electronic encryption device 102, in response to a user inserting a smarteard 116 into the smarteard interface 106 in step 206 together with an authentication of the user, for example, but not limited to entering in step 207 a PIN (Personal identification Number) code valid for the particular smarteard.
  • the crypto module 113 reads the encryption key from the smart card and authenticate the user with the PIN code in step 208.
  • a user may select through the MMI 105 one or more plaintext or unencrypted files and/or file directories stored on the first USB memory device 103 in step 209 and copy the plaintext files to the second USB memory device 104, for example by, but not limited to, drag and drop on the display 105a in step 210.
  • the crypto module 1 14 in response signals generated in response to the copy of the selected one or more files and/or fil e directories from the first USB memory device 103 to the second USB memory device 104, the crypto module 1 14 enables the encryption function by generating access signals to read the selected one or more files and/or file directories from the first USB memory device 103 in step 211.
  • the one or more selected plaintext files and/or file directories are encrypted into cipher text or encrypted files by the crypto module 1 13 in step 212 by means of the encryption algorithm using the loaded encryption key(s).
  • the crypto module stores the one or more encrypted files in an ordinary file system on the second USB memory device 104.
  • FIG. 5 illustrates a block diagram of another embodiment of a file encryption device 100' for file copy of unencrypted data files, wherein the unencrypted files are read, encrypted, and stored as encrypted data files by the file encryption device 100 'to the second file system on the second memory device 108.
  • the printed circuit board 102 has disposed thereon the first USB driver 109 connected to the first connector 103 for handling the communication between the electronic encryption device 100 and the first USB memory device 107 on the "RED side" when it is inserted into the USB interface slot 103.
  • the first FS (file system) driver 110 disposed on the printed circuit board and operatively connected to the first USB driver 109 is adapted to handle information on a file system level, because it is only the content, of the data files which is encrypted.
  • the printed circuit board 102 has the second USB driver 111 disposed thereon and connected to the second connector 104 for handling the communication between the electronic file encryption device 100 and the second USB memory device 108 for storing encrypted files when it is inserted into the second USB interface slot 104.
  • the second FS driver 112 is operatively connected to the second USB driver 111, which is also adapted to handle information on a file system level.
  • the crypto module comprises two blocks, a file copy application block 120 and a file system encryption block (CRYPTFS) 122.
  • the file copy application block 120 is connected between the first file system driver 110 and the file system encryption block 120 and is configured to read the one or more unencrypted data files from the first external USB memory device 107.
  • the file system crypto block 122 has the data file encryption and decryption ability and provide authentication control of data fi les passing the electronic file encryption device 100',
  • the file system crypto block 122 is connected to the file copy application block 120 and the second file system driver 112.
  • the file system crypto block 120 is a controller configured for receiving plaintext data files from the first connector 103 via the file copy application block 120 and executing encryption of the plaintext data files into eiphertext data files for transmission as output on the second connector 104.
  • the file system crypto block 122 is also configured for receiving eiphertext data files from the second connector 104 and executing decryption of the eiphertext data files into plaintext data files for transmission via the file copy application 120 as output on the first connector 103.
  • Each plaintext data file stored on the first USB memory device 107 may be copied by the file copy application block 120 and separately encrypted by the file system crypto block 120 when the USB memory device is inserted into the first USB interface slot 103.
  • Data files of any size may be read by streaming and may be encrypted and output on the second connector 104 and stored as eiphertext files on the second USB memory device 108 when it is inserted into the second USB interface slot 104.
  • the file system crypto block 122 executes the encryption/decryption function according to, but is not limited to, AES-GCM, which is an authenticated encryption algorithm designed to provide both authentication and privacy.
  • AES-GCM an authenticated encryption algorithm designed to provide both authentication and privacy.
  • FIGs. 6 A and 6B illustrate an electronic file server encryption device 100" for encryption and decryption of data files according to one embodiment of the present invention in an operating environment.
  • the first and second connectors 103 and 104 may be USB interface slots for connecting various memory devices, including but not limited to a general purpose computer 124 and the USB memor ⁇ ' device 108,
  • the electronic encryption device 100" is in this embodiment configured to encrypt one or more data files stored in a file system on the internal or external memory of the computer, into one or more encrypted data files; and write the one or more encrypted data files to the external USB memory device 108.
  • FIG. 7 illustrates a block diagram of the el ectronic file server encryption device 100" according to some embodiments of the invention.
  • An electronic file server encryption device 100" can be implemented with, but is not limited to a Linux based computer.
  • the computer 124 has Windows stack 125 in this embodiment, comprising an application 126, an SMB/CIFS 127 file system implementation, TCP/IP 128, RNDiS Driver 129, and an USB host 130.
  • the file server encryption device 100 comprises, but is not limited to, a USB peripheral 109' for connection and transfer of unencrypted data files to/from the computer 124 with a Windows stack 125.
  • a RNDIS Driver 131 operatively connected to the SMB/CIFS file system module 133 for implementation of the file system.
  • a USB host 1 11' is provided for connection and transfer of encrypted data files to/from the USB memory device 108 via the file system driver 1 12'.
  • the encryption module 122' encrypts/decrypts the unencrypted/encrypted data files on a file system level between the computer 124 and the USB memory device 108.
  • the SMB/CIFS module 133 and the encryption module 122' implements a virtual encrypted file system on top of the physical file system and may thereby transparently encrypt the data files with the encryption key loaded through the key interface 106.
  • the electronic file server encryption device 100" is operated by means of the MMI 105, which is implemented as an application that starts when the device is booted.
  • FIG. 8A illustrates a hardware architecture of the file encryption device according to some embodiments of the invention.
  • the design may be based on, but is not. limited to, an ACME FOX G20 Linux Embedded Single Board Computer, in this embodiment, A daughter board (FED Board) is attached to the computer.
  • the Foxg20 System may be based on an ATMEL
  • AT91SAM9G20 micro controller that may have an ARM926 processor (MCU) with MMU, instruction and data chaches, two USB host ports, a USB device port, a SPI controller, UARTs, a real time clock, fast Ethernet MAC, and features supporting DRAM, power supply, Micro SD FLASH socket.
  • the daughter board (FED Board) may have an FPGA module with clock generator, various buttons, a smartcard interface circuitry, a JTAG, debug connector, and a display module.
  • the Fox board may handle most of the functionality. Communication with the daughter board may be handled by SPI communication for the smartcard controller.
  • RS232 may be used for display and button interfaces.
  • the display may be, but is not limited to OLED.
  • the software within the smart display unit may be customized and/or upgraded.
  • the FPGA may be, but is not limited to, a Lattice XP2 device.
  • the design may be divided into, but is not limited to, two main data paths.
  • the SPi to smartcard path may allow the host MUC to access a smartcard over its SPI interface. It may comprise an SPI slave, control logic with register and a smartcard control block.
  • the SPI slave may basically be, but is not limited to, two eight shift registers, which may be clocked by SPCK.
  • the SPi clock may be asynchronous to the main clock. Hence the ready strobe from the slave may be captured (synchronised) and retimed before data is stored in the SC-Control block.
  • status as well as key data may be shifted in/out, but is not limited to, 8 bits a time.
  • the largest block may be the smartcard controller. It may handel both the smartcard protocol and the NBK card specific details.
  • the MMI path may have a number of keys (buttons). Key inputs are de- bounced and information about key press events and which keys that are pressed, may be sent, to the host serially with UART. LEDs can optionally be turned on, by signalling in the opposite direction.
  • the serial connection from the host to the display may just be routed electrically through the FPGA.
  • the external clock input (33 MHz in this embodiment) is routed to a PLL, which is configured to divide by 3 in order to generate a main clock of 11 MHz in this example embodiment.
  • Other external clock frequencies and main clock frequencies may be used in other embodiments.
  • the SPI slave block may not be driven by the clock.
  • a reset may be generated as an or-not function of the external reset input and the PLL lock signal.
  • FIG. 9 illustrates a block diagram of the electronic file encryption device according to some embodiments of the invention, wherein the crypto module 113"' is a separate hardware module
  • FIG. 10 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention, wherein encryption module 122" is a separate hardware module.
  • the electronic encryption device 100 may comprise a digital electronic computer or computer apparatus and processes performed in a computer apparatus or system.
  • the computer apparatus may comprises a data processing system, including a computer processor including the crypto module 113 for processing data, and storage means connected to the computer processor for storing data on a storage medium.
  • the electronic encryption device may be embodied as an electronic device with tamper protection, i.e involve prevention of access to the electronic circuitry of the crypto device, any information comprised in die electronic circuitry (such as program code or configurations of the circuitry), or any internal signals generated by the electronic circuitry. Additionally or alternatively, tamper protection of the electronic encryption device may involve that attempts to access the electronic circuitry, information, or signals are detected.
  • the present invention may be embodied as a method in a device, device, or system with a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, or an embodiment combining software and hardware aspects all generally referred to herein as a unit, component or device. Furthermore, the software of the present invention may take the form of a computer program product.
  • the computer program product may be stored on a computer-usable storage medium having computer-usable program code embodied in the medium.
  • the embodiments of the invention described with reference to the drawings comprise a computer apparatus and processes performed in the computer apparatus.
  • the program may be in the form of source code, object code a code suitable for use in the implementation of the method according to the invention.
  • the carrier can be any entity or device capable of carrying the program.
  • the carrier may be a record medium, computer memory, read-only memory or an electrical carrier signal.
  • Embodiments according to the invention may be carried out when the computer program product is loaded and run in a system having computer capabilities.
  • the invention has been described with reference to embodiments configured for USB memory devices, other embodiments of the electronic encryption device may be configured for operating on any suitable computer readable medium including hard disks, CD-ROMs, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage devices, or magnetic storage devices externally connected to the electronic encryption device directly or indirectly via for example a computer apparatus.
  • a computer readable medium including hard disks, CD-ROMs, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage devices, or magnetic storage devices externally connected to the electronic encryption device directly or indirectly via for example a computer apparatus.
  • Embodiments of the present invention have been described herein with reference to flowchart and/or block diagrams. It will be understood that some or all of the illustrated blocks may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions when executed create means for implementing the functions/acts specified in the flowchart otherwise described.
  • a computer program product may comprise computer program code portions for executing the method, as described in the description and the claims, for providing control data when the computer program code portions are run by an electronic device having computer capabilities.
  • a computer readable medium having stored thereon a computer program product may comprise computer program code portions for executing the method, as described in the description and the claims, for providing control data when the computer program code portions are run by an electronic device having computer capabilities.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

An electronic encryption device and method for encryption of data files, comprising a crypto module (113) configured to read one or more unencrypted data files stored in a first files system on a first external memory device (107); encrypt the one or more unencrypted data files into one or more encrypted data files; and write the one or more encrypted data files to a second file system on a second external memory device (108).

Description

ELECTRONIC ENCRYPTION DEVICE AND METHOD
Technical Field
The present invention relates generally to the field of electronic encryption devices, and more particularly, it relates to an electronic encryption device and method for encryption of data files,
Background
Universal Serial Bus (USB) is a specification to establish communication between devices and a host controller, such as PCs (personal computers),
USB can connect computer peripherals such as mice, keyboards, digital cameras, printers, personal media players, flash drives, and external hard drives.
Although, USB was designed for personal computers, it has become commonplace on other devices such as smartphones, PDAs and video game consoles, For many of those devices, USB has become the standard connection method.
A USB flash drive consists of a flash memory data storage device integrated with a USB interface, and is typically removable and rewritable.
Since USB flash drives are portable they can also easily be lost or stolen. Therefore, USB flash drives may have their contents encrypted using third party disk encryption software or programs which can use encrypted archives such as ZIP and RAR. The executable files can be stored on the USB drive, together with the encrypted file partition. The encrypted partition can then be accessed on any computer running the correct operating system, although it may require the user to have administrative rights on the host computer to access data. A problem with this is that the encryption software or programs have to be installed on specific PC and doe require specific operating systems,
Some vendors have produced USB flash drives which use hardware based encryption as part of the design, thus removing the need for third-party encryption software. Other flash drives allow the user to configure secure and public partitions of different sizes, and offer hardware encryption. However, a problem with encrypted partitions is lack of transparency for the host computer. Files cannot be accessed as encrypted file, because they are always decrypted when accessed.
Another approach to provide encrypted information on portable memory devices, such as USB flash drives, is a crypto pass-through dangle disclosed in US 2007/033320. The crypto pass-through dangle enables various memory devices with USB interface, such as a flash memory card or a flash memory storage device, to be conveniently inserted into or removed from with encryption/decryption function. A controller with USB interface and data encryption and decryption ability executes the encryption/decryption function to generate an identity code for the flash memory device. If an encrypted flash memory device being directly plugged into the USB port of a host computer that can not recognize the identity code, the computer can not access the data of the encrypted flash memory device, and therefore, the data of the flash memory device can be protected. Howe ver, if the encrypted flash memory device being plugged into the crypto pass-through dangle, the controller can recognize the identity code and execute the decrypting function for the data, and therefore, the computer can access the data of the encrypted flash memory device. Even this approach lacks for transparency for the host computer.
Another disadvantage with the prior art approaches is non-existent or unsafe key management.
Therefore, there is a need for improved electronic crypto device,
Summary
It should be emphasized that the term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps, or components, but does not preclude the presence or addition of one or more other features, integers, steps, components, or groups thereof.
It is an object of the invention to obviate at least some of the above
disadvantages and to provide an improved electronic encryption device.
According to a first aspect of the invention, this is achieved by an electronic encryption device for encryption of data files. The electronic encryption device is characterized by a crypto module configured to read or receive one or more unencrypted data files stored in a first files system on a first external memory device; encrypt the one or more unencrypted data files into one or more encrypted data files; and write the one or more encrypted data files to a second file system on a second external memory device.
in some embodiments, the device may further comprise a first connector operatively connected to the crypto module via a first file system driver for transferring the one or more unencrypted data files read from the first, external memory device to the crypto module; and a second connector operatively connected to the crypto module via a second file system driver for transferring the one or more encrypted data files encrypted by the crypto module to the second file system on the second external memory device.
in some embodiments, the crypto module is configured to read the one or more unencrypted data files from a first external USB memory device.
in some embodiments the crypto module is configured to write the one or more encrypted data files to the second file system on a second external USB memory device.
In some embodiments the crypto module is configured to read or receive the one
or more unencrypted data files from the second file system on the second memory device of an external computer.
The crypto module may in some embodiments be configured to read the one or more unencrypted data files from the second file system on a hard disk, a CD-ROM station, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
The electronic encryption device of claims 1 or 2, wherein the crypto modul e
(113) is configured to write the one or more encrypted data files to the second file system on a hard disk, a. CD-ROM station, a. RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
The electronic encryption device may in some embodiments further comprise a key interface operatively connected to the crypto module for loading encryption keys for encryption of the one or more unencrypted data files. According to a second aspect of the in vention, this is achieved by a method of for encryption of data. The method is characterized by the steps of::
reading or receiving one or more unencrypted data files stored in a first files system on a first external memory device;
encrypting the one or more unencrypted data files into one or more encrypted data files; and
writing the one or more encrypted data files to a second file system on a second external memory device.
In some embodiments, the second aspect of the invention may additionally have features identical with or corresponding to an y of the various features as explained above for the first aspect of the invention.
According to a third aspect, a computer program product is provided comprising computer program code means for executing the method according to the second aspect when said computer program code means are run by an electronic device having computer capabilities.
According to a fifth aspect, a computer readable medium is provided having stored thereon a computer program product comprising computer program code means for executing the method according to the second aspect when said computer program code means are run by an electronic device having computer capabilities.
An advantage of some embodiments of the invention is that the encryption device understands the file system of memory devices storing unencrypted as well as encrypted data files, wherein the encryption device is virtually transparent. Thereby, the electronic encryption device enables unlimited creation/deletion of files and directories, and reading/writing of files on the various memory devices, as well as formatting of any memory- device connected to the electronic encryption device.
Another advantage of some embodiments of the invention is that a host computer and the file encryption device may interact by means of file system calls, i.e open, read, write, and close. Brief Description of the Drawings
Further objects, features and advantages of the invention will appear from the following detailed description of embodiments of the invention, with reference being made to the accompanying drawings, in which:
FIG. 1 A illustrates an electronic file encryption device for encryption and decryption of data files according to some embodiments of the invention;
FIG. 1 B illustrates a general block diagram of an electronic encryption device in an operating environment according to some embodiments of the invention;
FIG. 2 illustrates a block diagram of the electronic file encryption device in FIG. 1 according to some embodiments of the invention;
FIG. 3A illustrates a schematic drawing in a front view of an embodiment of the electronic encryption device;
FIG. 3B illustrates a schematic drawing in a rear view of an embodiment of the electronic encryption device;
FIG. 4 is a flow diagram illustrating steps in a method for encryption/ decryption of data files by the electronic encryption device;
FIG. 5 illustrates a block diagram of an electronic file copy encryption device according to some embodiments of the invention;
FIG. 6A illustrates an electronic file encryption device for encryption and decryption of data files according to some embodiments of the invention;
FIG. 6B illustrates a general block diagram of an electronic encryption device in an operating environment according to some embodim ents of the invention;
FIG. 7 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention;
FIG. 8A illustrates a hardware architecture of the file encryption device according to some embodiments of the invention:
FIG. 8B illustrates an FPGA block diagram of the file encryption device according to some embodiments of the invention;
FIG. 9 illustrates a block diagram of the electronic file encryption device according to some embodiments of the invention; and FIG. 10 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention.
Detailed Description
Embodiments of the invention will be described with reference to Figures 1 -10, which all illustrate schematically an example arrangement according to some embodiments of the invention. The same reference signs are used for corresponding features in different figures.
FIG. 1 A illustrates an electronic file encryption device 100 for encryption and decryption of data files according to one embodiment of the present invention in an operating environment. A general block diagram of the electronic file encryption device 100 is shown in FIG IB, which may comprise a housing 101, a printed circuit board 102, a first connector 103, and a second connector 104, an MMI (Man Machine Interface) 105. and a key interface 106.
The printed circuit board 102 is disposed within the housing 101 for conveying the first connector 103 for input and output of unencrypted information, and the second connector 104 for input and output of encrypted information.
The first and second connectors 103 and 104 may be USB interface slots for connecting various memory devices, including but not limited to USB memory devices, such as USB flash drives.
As shown in FIG 1 A, a first USB memory device 107 with a USB interface connector may store unencrypted files for encryption by the electronic crypto device 100, when it is connected to the first connector 103 of the electronic crypto device. A second USB memory device 108 with a USB interface connector may be connected to the second connector 104 for receiving and storing files encrypted by the electronic file encryption device 100.
The key interface 106 may be but is not limited to a smart card interface for loading encryption keys to be used in the encryption/decryption of files passing the electronic file encryption device 100.
The USB memory devices 107 and 108 may be flash drives, each comprising a small printed circuit board carrying the circuit elements and a USB connector, insulated electrically and protected inside a plastic, metal, or rubberized case. The USB connector may be protected by a removable cap or by retracting into the body of the drive, although it is not likely to be damaged if unprotected. The flash drives may have a standard type- A USB connection allowing plugging into a port on the electronic encryption device or a personal computer.
The electronic file encryption device 100 is provided with "RED/BLACK separation", i.e. maintaining distance or installing shielding between circuits and equipment used to handle plaintext classified or sensitive information (RED signals) and normal unsecured circuits and equipment (BL ACK), the latter including those carrying encrypted or cipher text signals (BLACK signals).
The RED/BLACK separation is achieved by means of two separate sets of each module except the crypto module of the electronic encryption device. One example embodiment of the electronic file encryption device 100 is shown in FIG. 2.
The printed circuit board 102 has disposed thereon a first USB driver 109 connected to the first connector 103 for handling the communication between the electronic encryption device 100 and the first USB memory device 107 on the "RED side" when it is inserted into the USB interface slot 103. A first FS (file system) driver
1 10 disposed on a processor on the printed circuit board and operatively connected to the first USB driver 109 is adapted to handle information on a file system level, because it is only the content of the data files which is encrypted.
On the "BLACK side", the printed circuit board 102 has a second USB driver
111 disposed thereon and connected to the second connector 104 for handling the communication between the electronic file encryption device 100 and the second USB memory device 108 for storing encrypted files when it is inserted into the second USB interface slot 104. A second FS driver 1 12 operatively connected to the second USB driver 111, which is also adapted to handle information on a file system level.
A crypto module 113 is provided, which has data file encryption and decryption ability and provide authentication control of data files passing the electronic file encryption device 100.
The crypto module 1 13 is disposed on the printed circuit board 102 and operatively coupled to the first connector 103 and the second connector 104. The crypto module 113 is a controller configured for receiving plaintext data files from the first connector 103 and executing encryption of the plaintext data files into ciphertext data files for transmission as output on the second connector 104.
Similarly, the crypto module 113 is also configured for receiving ciphertext data files from the second connector 104 and executing decryption of the ciphertext data files into plaintext data files for transmission as output on the first connector 103.
Each plaintext data file stored on the first USB memory device 107 may he read and separately encrypted by the crypto module 113 when the USB memory device is inserted into the first USB interface slot 103. Data files of any size may be read by streaming and may be encrypted and output on the second connector 104 and stored as ciphertext files on the second USB memory device 108 when it is inserted into the second USB interface slot 104,
The crypto module 113 executes the encryption/decryption function according to, but is not limited to, AES-GCM, which is an authenticated encryption algorithm designed to provide both authentication and privacy.
FIG. 3 A illustrates a schematic drawing in a front view of an embodiment of the electronic encryption device 102. The MMI 105 may comprise, but is not limited to, a display 105a and a set of keys 105b for controlling the encryption/decryption function and other functions of the device. According to an alternative embodiment the MMI 105 may comprise a touch screen display for controlling the functions of the device.
FIG. 3B illustrates a schematic drawing in a rear view of an embodiment of the electronic encryption device 102. In addition to the first and second connectors 103, and 104, the electronic encryption device 102 may have a third connector 1 14 for connection to a host computer. The third connector may be, but is not limited to, a USB interface slot. Moreover, the electronic encryption device 102 may comprise a power connection 115 for main voltage supply. Alternatively, the electronic encryption device 102 may be powered by a host computer connected to the first connector 103 or the third connector 114 if it is provided.
FIG. 4 is a flow diagram illustrating steps in a method for encryption/ decryption of data files that are input/output on the two connectors 103 and 104 of the electronic encryption device 102. In a first step 200 the electronic encryption device 102 is powered on. The electronic encryption device 102 goes through a boot process and the operating system of the device takes over the control, in step 201. The electronic encryption device 102 has turned into an operational mode to be responsive to commands entered via the MMI 105, and to communicate with any USB memory device plugged into any of the USB interface slots 103 and 104.
The USB memory device 107 is plugged into and received by the USB interface slot 103 in step 202 and the USB memory device 108 is plugged into and received by the USB interface slot 104 of the elec tronic encryption device in step 203. A user may plug in the USB memory devices into its respective USB interface slots either at the same time or one after the other in any order. In response to the USB memory device 103 is plugged in, the crypto module 1 13 establishes connection by signalling with the first USB memory device 103 in step 204, accesses information of files stored in an ordinary file system on the USB memory device, and display the information about the files and/or file directories in a file menu on the display 105a, In response to the USB memory device 104 is plugged in, the crypto module 113 establishes connection by signalling with the USB memory device 104 in step 205 and if there are any files and/or file directories already stored in an ordinary file system on the USB memory device 104, accesses information of the files and/or file directories, and in that case displays the information about the files and/or file directories in a file menu on the display 105a.
A selected encryption/decryption key or set of keys is loaded into the electronic encryption device 102, in response to a user inserting a smarteard 116 into the smarteard interface 106 in step 206 together with an authentication of the user, for example, but not limited to entering in step 207 a PIN (Personal identification Number) code valid for the particular smarteard. The crypto module 113 reads the encryption key from the smart card and authenticate the user with the PIN code in step 208.
A user may select through the MMI 105 one or more plaintext or unencrypted files and/or file directories stored on the first USB memory device 103 in step 209 and copy the plaintext files to the second USB memory device 104, for example by, but not limited to, drag and drop on the display 105a in step 210. in response signals generated in response to the copy of the selected one or more files and/or fil e directories from the first USB memory device 103 to the second USB memory device 104, the crypto module 1 14 enables the encryption function by generating access signals to read the selected one or more files and/or file directories from the first USB memory device 103 in step 211. The one or more selected plaintext files and/or file directories are encrypted into cipher text or encrypted files by the crypto module 1 13 in step 212 by means of the encryption algorithm using the loaded encryption key(s). The crypto module stores the one or more encrypted files in an ordinary file system on the second USB memory device 104.
FIG. 5 illustrates a block diagram of another embodiment of a file encryption device 100' for file copy of unencrypted data files, wherein the unencrypted files are read, encrypted, and stored as encrypted data files by the file encryption device 100 'to the second file system on the second memory device 108.The printed circuit board 102 has disposed thereon the first USB driver 109 connected to the first connector 103 for handling the communication between the electronic encryption device 100 and the first USB memory device 107 on the "RED side" when it is inserted into the USB interface slot 103. The first FS (file system) driver 110 disposed on the printed circuit board and operatively connected to the first USB driver 109 is adapted to handle information on a file system level, because it is only the content, of the data files which is encrypted.
On the "BLACK side", the printed circuit board 102 has the second USB driver 111 disposed thereon and connected to the second connector 104 for handling the communication between the electronic file encryption device 100 and the second USB memory device 108 for storing encrypted files when it is inserted into the second USB interface slot 104. The second FS driver 112 is operatively connected to the second USB driver 111, which is also adapted to handle information on a file system level. The crypto module comprises two blocks, a file copy application block 120 and a file system encryption block (CRYPTFS) 122. The file copy application block 120 is connected between the first file system driver 110 and the file system encryption block 120 and is configured to read the one or more unencrypted data files from the first external USB memory device 107.
The file system crypto block 122 has the data file encryption and decryption ability and provide authentication control of data fi les passing the electronic file encryption device 100', The file system crypto block 122 is connected to the file copy application block 120 and the second file system driver 112.
Both the file copy application block 120 and the file system crypto block are disposed on the printed circuit board 102, The file system crypto block 120 is a controller configured for receiving plaintext data files from the first connector 103 via the file copy application block 120 and executing encryption of the plaintext data files into eiphertext data files for transmission as output on the second connector 104.
Similarly, the file system crypto block 122 is also configured for receiving eiphertext data files from the second connector 104 and executing decryption of the eiphertext data files into plaintext data files for transmission via the file copy application 120 as output on the first connector 103.
Each plaintext data file stored on the first USB memory device 107 may be copied by the file copy application block 120 and separately encrypted by the file system crypto block 120 when the USB memory device is inserted into the first USB interface slot 103. Data files of any size may be read by streaming and may be encrypted and output on the second connector 104 and stored as eiphertext files on the second USB memory device 108 when it is inserted into the second USB interface slot 104.
The file system crypto block 122 executes the encryption/decryption function according to, but is not limited to, AES-GCM, which is an authenticated encryption algorithm designed to provide both authentication and privacy.
FIGs. 6 A and 6B illustrate an electronic file server encryption device 100" for encryption and decryption of data files according to one embodiment of the present invention in an operating environment. The first and second connectors 103 and 104 may be USB interface slots for connecting various memory devices, including but not limited to a general purpose computer 124 and the USB memor}' device 108, The electronic encryption device 100" is in this embodiment configured to encrypt one or more data files stored in a file system on the internal or external memory of the computer, into one or more encrypted data files; and write the one or more encrypted data files to the external USB memory device 108. FIG. 7 illustrates a block diagram of the el ectronic file server encryption device 100" according to some embodiments of the invention. An electronic file server encryption device 100" can be implemented with, but is not limited to a Linux based computer. The computer 124 has Windows stack 125 in this embodiment, comprising an application 126, an SMB/CIFS 127 file system implementation, TCP/IP 128, RNDiS Driver 129, and an USB host 130.
The file server encryption device 100" comprises, but is not limited to, a USB peripheral 109' for connection and transfer of unencrypted data files to/from the computer 124 with a Windows stack 125. a RNDIS Driver 131, a TCP/IP 132 operative ly connected to the SMB/CIFS file system module 133 for implementation of the file system. A USB host 1 11' is provided for connection and transfer of encrypted data files to/from the USB memory device 108 via the file system driver 1 12'. The encryption module 122' encrypts/decrypts the unencrypted/encrypted data files on a file system level between the computer 124 and the USB memory device 108.
Hence, the SMB/CIFS module 133 and the encryption module 122' implements a virtual encrypted file system on top of the physical file system and may thereby transparently encrypt the data files with the encryption key loaded through the key interface 106.
The electronic file server encryption device 100" is operated by means of the MMI 105, which is implemented as an application that starts when the device is booted.
FIG. 8A illustrates a hardware architecture of the file encryption device according to some embodiments of the invention.
The design may be based on, but is not. limited to, an ACME FOX G20 Linux Embedded Single Board Computer, in this embodiment, A daughter board (FED Board) is attached to the computer. The Foxg20 System may be based on an ATMEL
AT91SAM9G20 micro controller, that may have an ARM926 processor (MCU) with MMU, instruction and data chaches, two USB host ports, a USB device port, a SPI controller, UARTs, a real time clock, fast Ethernet MAC, and features supporting DRAM, power supply, Micro SD FLASH socket. The daughter board (FED Board) may have an FPGA module with clock generator, various buttons, a smartcard interface circuitry, a JTAG, debug connector, and a display module.
The Fox board may handle most of the functionality. Communication with the daughter board may be handled by SPI communication for the smartcard controller. RS232 may be used for display and button interfaces. The display may be, but is not limited to OLED. The software within the smart display unit may be customized and/or upgraded.
The FPGA may be, but is not limited to, a Lattice XP2 device. The design may be divided into, but is not limited to, two main data paths. The SPi to smartcard path, and the ΜΜΪ path as shown in FIG. 8B. There are a contextual difference between cryptographic keys and physical keys (buttons) that can be pressed by the user.
The SPi to smartcard path may allow the host MUC to access a smartcard over its SPI interface. It may comprise an SPI slave, control logic with register and a smartcard control block.
The SPI slave may basically be, but is not limited to, two eight shift registers, which may be clocked by SPCK. The SPi clock may be asynchronous to the main clock. Hence the ready strobe from the slave may be captured (synchronised) and retimed before data is stored in the SC-Control block.
In SC-control commands, status as well as key data may be shifted in/out, but is not limited to, 8 bits a time.
The largest block may be the smartcard controller. It may handel both the smartcard protocol and the NBK card specific details.
The MMI path may have a number of keys (buttons). Key inputs are de- bounced and information about key press events and which keys that are pressed, may be sent, to the host serially with UART. LEDs can optionally be turned on, by signalling in the opposite direction.
The serial connection from the host to the display may just be routed electrically through the FPGA. The external clock input (33 MHz in this embodiment) is routed to a PLL, which is configured to divide by 3 in order to generate a main clock of 11 MHz in this example embodiment. Other external clock frequencies and main clock frequencies may be used in other embodiments. The SPI slave block may not be driven by the clock.
A reset may be generated as an or-not function of the external reset input and the PLL lock signal.
FIG. 9 illustrates a block diagram of the electronic file encryption device according to some embodiments of the invention, wherein the crypto module 113"' is a separate hardware module
FIG. 10 illustrates a block diagram of an electronic file server encryption device according to some embodiments of the invention, wherein encryption module 122" is a separate hardware module.
The electronic encryption device 100 may comprise a digital electronic computer or computer apparatus and processes performed in a computer apparatus or system. The computer apparatus may comprises a data processing system, including a computer processor including the crypto module 113 for processing data, and storage means connected to the computer processor for storing data on a storage medium.
The electronic encryption device may be embodied as an electronic device with tamper protection, i.e involve prevention of access to the electronic circuitry of the crypto device, any information comprised in die electronic circuitry (such as program code or configurations of the circuitry), or any internal signals generated by the electronic circuitry. Additionally or alternatively, tamper protection of the electronic encryption device may involve that attempts to access the electronic circuitry, information, or signals are detected.
The invention has been described herein with reference to various
embodiments. However, a person skilled in the art would recognize numerous variations to the described embodiments that would still fall within the scope of the invention. For example, it should be noted that in the description of embodiments of the invention, the partition of functional blocks into particular units is by no means limiting to the invention. Contrarily, these partitions are merely examples. Functional blocks described herein as one unit may be split into two or more units. In the same manner, functional blocks that are described herein as being implemented as two or more units may be implemented as a single unit without departing from the scope of the invention.
Hence, it should be understood that the limitations of the described
embodiments are merely for illustrative purpose and by no means limiting, instead, the scope of the invention is defined by the appended claims rather than by the description, and all variations that fall within the range of the claims are intended to be embraced therein.
The present invention may be embodied as a method in a device, device, or system with a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, or an embodiment combining software and hardware aspects all generally referred to herein as a unit, component or device. Furthermore, the software of the present invention may take the form of a computer program product. The computer program product may be stored on a computer-usable storage medium having computer-usable program code embodied in the medium. The embodiments of the invention described with reference to the drawings comprise a computer apparatus and processes performed in the computer apparatus. The program may be in the form of source code, object code a code suitable for use in the implementation of the method according to the invention. The carrier can be any entity or device capable of carrying the program. For example the carrier may be a record medium, computer memory, read-only memory or an electrical carrier signal.
Embodiments according to the invention may be carried out when the computer program product is loaded and run in a system having computer capabilities.
Although, the invention has been described with reference to embodiments configured for USB memory devices, other embodiments of the electronic encryption device may be configured for operating on any suitable computer readable medium including hard disks, CD-ROMs, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage devices, or magnetic storage devices externally connected to the electronic encryption device directly or indirectly via for example a computer apparatus.
Embodiments of the present invention have been described herein with reference to flowchart and/or block diagrams. It will be understood that some or all of the illustrated blocks may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions when executed create means for implementing the functions/acts specified in the flowchart otherwise described.
It is to be understood that the functions/acts noted in the flowchart may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Although some of the diagrams include arrows on communication paths to show a primary direction of communication, it is to be understood that communication may occur in the opposite direction to the depicted arrows.
A computer program product may comprise computer program code portions for executing the method, as described in the description and the claims, for providing control data when the computer program code portions are run by an electronic device having computer capabilities.
A computer readable medium having stored thereon a computer program product may comprise computer program code portions for executing the method, as described in the description and the claims, for providing control data when the computer program code portions are run by an electronic device having computer capabilities.
The many features and advantages of the invention are apparent from the detailed specification, and thus, it is intended by the appended claims to cover ail such features and advantages of the invention, which fall within the scope of the invention. Howe ver, although embodiments of the method and apparatus of the invention has been illustrated in the accompanying drawings and described in the foregoing detailed description, the disclosure is illustrative only and changes, modifications and substitutions may be made without departing from the scope of the invention as set forth and defined by the following claims.
Figure imgf000018_0001
Figure imgf000019_0001

Claims

1. An electronic encryption device (100) for encryption of data files,
characterized by a crypto module (113) configured to read or receive one or more unencrypted data files stored in a first files system on a first external memory device (107); encrypt the one or more unencrypted data files into one or more encrypted data files; and write the one or more encrypted data files to a second file system on a second external memory device (108).
2. The electronic encryption device of claim 1 , comprising:
a first connector (103) operatively connected to the crypto module (113) via a first file system driver (1 10) for transferring the one or more unencrypted data files read from the first external memory device (107) to the crypto module (113); and
a second connector (104) operatively connected to the crypto module (113) via a second file system driver (110) for transferring the one or more encrypted data files encrypted by the crypto module (113) to the second file system on the second external memory device (108).
3. The electronic encryption device of claims 1 or 2, wherein the crypto module (113) is configured to read the one or more unencrypted data files from a first external
USB memory device (107).
4. The electronic encryption device of any of claims 1 through 3, wherein the crypto module (113) is configured to write the one or more encrypted data files to the second file system on a second external USB memory device (107).
5. The electronic encryption device of claims 1 or 2, wherein the crypto module (113) is configured to read or receive the one or more unencrypted data files from the second file system on the second memory device of an external computer (124).
6. The electronic encryption device of claims 1 or 2, wherein the crypto module (1 13) is configured to read the one or more unencrypted data files from the second file system on a hard disk, a CD-ROM station, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
7. The electronic encryption device of claims 1 or 2, wherein the crypto module (113) is configured to write the one or more encrypted data files to the second file system on a hard disk, a CD-ROM station, a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, optical storage device, or magnetic storage device.
8. The electronic encryption device of any of the claims 1 to 7, further comprising a key interface (106) operatively connected to the crypto module (113) for loading encryption keys for encryption of the one or more unencrypted data files.
9. A method of for encryption of data, characterized by the steps of::
reading or receiving one or more unencrypted data files stored in a first files system on a first external memory device (107);
encrypting the one or more unencrypted data files into one or more encrypted data files; and
writing the one or more encrypted data files to a second file system on a second external memory device (108).
10. A computer program product comprising computer program code means for executing the method according to claim 9 when said computer program code means are run by an electronic device (100) having computer capabilities.
11. A computer readable medium having stored thereon a computer program product comprising computer program code means for executing the method according to any of the claims 9 when said computer program code means are run by an electronic device (100) having computer capabilities.
PCT/SE2011/051062 2010-09-02 2011-09-02 Electronic encryption device and method WO2012030296A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SE1050902-4 2010-09-02
SE1050902A SE1050902A1 (en) 2010-09-02 2010-09-02 Electronic encryption device and method
US41864010P 2010-12-01 2010-12-01
US61/418,640 2010-12-01

Publications (2)

Publication Number Publication Date
WO2012030296A2 true WO2012030296A2 (en) 2012-03-08
WO2012030296A3 WO2012030296A3 (en) 2012-04-26

Family

ID=45420932

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2011/051062 WO2012030296A2 (en) 2010-09-02 2011-09-02 Electronic encryption device and method

Country Status (2)

Country Link
SE (1) SE1050902A1 (en)
WO (1) WO2012030296A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220138321A1 (en) * 2020-10-29 2022-05-05 Dell Products L.P. Encryption as a service with request pattern anomaly detection

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070033320A1 (en) 2005-08-05 2007-02-08 Wu Victor C Crypto pass-through dangle

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4734585B2 (en) * 2001-09-28 2011-07-27 ハイ デンスィティ デバイスィズ アクシエセルスカプ Method and apparatus for data encryption / decryption in mass storage device
US7962755B2 (en) * 2006-04-28 2011-06-14 Ceelox, Inc. System and method for biometrically secured, transparent encryption and decryption
US7908476B2 (en) * 2007-01-10 2011-03-15 International Business Machines Corporation Virtualization of file system encryption
GB0808341D0 (en) * 2008-05-08 2008-06-18 Michael John P External storage security and encryption device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070033320A1 (en) 2005-08-05 2007-02-08 Wu Victor C Crypto pass-through dangle

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220138321A1 (en) * 2020-10-29 2022-05-05 Dell Products L.P. Encryption as a service with request pattern anomaly detection
US11574057B2 (en) * 2020-10-29 2023-02-07 Dell Products L.P. Encryption as a service with request pattern anomaly detection

Also Published As

Publication number Publication date
WO2012030296A3 (en) 2012-04-26
SE1050902A1 (en) 2012-03-03

Similar Documents

Publication Publication Date Title
CN111444528B (en) Data security protection method, device and storage medium
CN108701191B (en) Data processing device and method for verifying the integrity of a data processing device
US9904557B2 (en) Provisioning of operating systems to user terminals
US8761402B2 (en) System and methods for digital content distribution
EP3349134B1 (en) Method and apparatus for protecting digital content using device authentication
CN106687985B (en) Method for the safe input mechanism based on privileged mode
EP3776223B1 (en) Secured computer system
WO2015100188A1 (en) Virtual machine assurances
US20050216755A1 (en) Secure portable electronic reference device
CN109155733B (en) Information processing apparatus and information processing system
US20110081015A1 (en) Encryption System And Method
KR20190012093A (en) Ssd based storage media with data protection
CN113449349A (en) Platform security mechanism
KR101043255B1 (en) Usb hub device for providing datasecurity and method for providing datasecurity using the same
Loftus et al. Android 7 file based encryption and the attacks against it
WO2012030296A2 (en) Electronic encryption device and method
US20050044408A1 (en) Low pin count docking architecture for a trusted platform
KR20110050631A (en) Improved input/output control and efficiency in an encrypted file system
WO2013129987A1 (en) Electronic encryption device and method
CN109684852B (en) Guiding device and method for data exchange
WO2012087258A1 (en) Usb memory encryption device
US20220108041A1 (en) External secure and encrypted ssd device and a secure operating system on an external ssd device
Guruprasad BitLocker Full Disk Encryption
Högberg A Cross-platform Picture Transfer Protocol for Linux-based Camera
Team SECURE USB STORAGE

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11802550

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct app. not ent. europ. phase

Ref document number: 11802550

Country of ref document: EP

Kind code of ref document: A2