WO2017123433A1 - Data security system with encryption - Google Patents
Data security system with encryption Download PDFInfo
- Publication number
- WO2017123433A1 WO2017123433A1 PCT/US2017/012060 US2017012060W WO2017123433A1 WO 2017123433 A1 WO2017123433 A1 WO 2017123433A1 US 2017012060 W US2017012060 W US 2017012060W WO 2017123433 A1 WO2017123433 A1 WO 2017123433A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data security
- security system
- mobile device
- server
- password
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0492—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/065—Continuous authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/021—Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present invention relates generally to electronic devices, and more particularly to memory devices.
- MSD mass storage device
- the most common means of providing storage security is to authenticate the user with a computer-entered password.
- a password is validated against a MSD stored value. If a match occurs, the drive will open. Or, the password itself is used as the encryption key to encrypt / decrypt data stored to the MSD.
- the encryption key is often stored on the media in an encrypted form. Since the encryption key is stored on the media, it becomes readily available to those willing to circumvent the standard interface and read the media directly. Thus, a password is used as the key to encrypt the encryption key.
- the present invention provides a method of operation of a data security system including: providing a mobile device with a data security system application for connectivity with the data security system; starting the data security system application; and maintaining connectivity of the data security system with the mobile device.
- the present invention provides a data security system including: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.
- FIG. 1 is a schematic of a data security system in accordance with an embodiment of the present invention
- FIG. 2 is an illustration of an authentication key delivery method used with the data security system
- FIG. 3 is an illustration of different systems for the user to interact with the data security system
- FIG. 4 is an illustration of how the user can employ the host computer system to interact with a data security system
- FIG. 5 is a data security method employing user verification for the data security system.
- FIG. 6 is an exemplary data security communication system.
- FIG. 7 is an administrator sequencing diagram showing the sequence of operations between a mobile device and the data security system.
- FIG. 8 is a unlocking sequence diagram where the mobile device is an authentication factor.
- FIG. 9 is an unlock sequencing diagram showing unlocking using a PIN entry from the mobile device.
- FIG. 10 is an unlock sequencing diagram showing unlock using a PIN entry and User ID/location/time verification via the server/console.
- FIG. 11 is a reset sequencing diagram showing resetting the data security system using a server/console.
- FIG. 12 is an unlock sequencing diagram showing unlocking the data security system using the server/console.
- FIG. 13 is a change user's password sequencing diagram using the server/console. BEST MODE FOR CARRYING OUT THE INVENTION
- system refers to and is defined as the method and as the apparatus of the present invention in accordance with the context in which the term is used.
- method refers to and is defined as the operational steps of an apparatus.
- data is defined as information that is capable of being produced by or stored in a computer.
- data security system is defined as meaning any portable memory device incorporating a storage medium.
- storage media refers to and is defined as any solid state, NAND Flash, and/or magnetic data recording system.
- locked refers to the data security system when the storage media is not accessible and the term “unlocked” refers to the data security system when the storage media is accessible.
- the data security system 100 consists of an external communication channel 102, an authentication subsystem 104, and a storage subsystem 106.
- the storage subsystem 106 is electronic circuitry that includes an interface controller 108, an encryption engine 110, and a storage media 112.
- the storage media 112 can be an internal or external hard disk drive, USB flash drive, solid state drive, hybrid drive, memory card, tape cartridge, and optical media including optical disk (e.g., Blu-ray disk, digital versatile disk or DVD, and compact disk or CD).
- the storage media 112 can include a data protection appliance, archival storage system, and cloud-based data storage system.
- the cloud storage system may be accessed utilizing a plug-in (or "plugin") application or extension software installed in a browser application, either on the host computer or on another system coupled to the host computer via a wired or wireless network, such as RF or optical, or over the world wide web.
- the interface controller 108 includes electronic components such as a microcontroller with the encryption engine 110 of software or hardware, although the encryption engine 110 can be in a separate controller in the storage subsystem 106.
- the authentication subsystem 104 is electronic circuitry that includes an authentication controller 114, such as a micro-controller, which may have its own non- volatile memory, such as an electrically erasable programmable read-only memory (EEPROM).
- an authentication controller 114 such as a micro-controller, which may have its own non- volatile memory, such as an electrically erasable programmable read-only memory (EEPROM).
- EEPROM electrically erasable programmable read-only memory
- the external communication channel 102 provides a means of exchanging data with a host computer system 120.
- Universal Serial Bus (USB) is one of the most popular means to connect the data security system 100 to the host computer system 120.
- Other examples of the external communication channel 102 include Firewire, wireless USB, Serial ATA (SAT A), High Definition Multimedia Interface (HDMI), Recommended Standard 232 (RS-232), and radio frequency wireless networks.
- the interface controller 108 is capable of translating USB packet data to data that can be written to the storage media 112 in a USB Flash Drive.
- the encryption engine 110 is implemented as part of the interface controller 108 and takes clear text and/or data (information) from the host computer system 120 and converts it to an encrypted form that is written to the MSD or the storage media 112. The encryption engine 110 also converts encrypted information from the storage media 112 and decrypts it to clear information for the host computer system 120.
- the encryption engine 110 can also be a two controller subsystem with an encryption controller that has the encryption capability to encrypt/decrypt data on the fly along with managing the communication protocol, memory, and other operating conditions and a communication/security controller for handling the communication, encryption key management, and communications with the encryption controller.
- An encryption key 116 is required by the encryption engine 110 to encrypt / decrypt the information.
- the encryption key 116 is used in an algorithm (e.g., a 256 bit Advanced Encryption Standard (AES) encryption) that respectively encrypts / decrypts the data by an encryption algorithm to render data unreadable or readable.
- AES Advanced Encryption Standard
- the encryption key 116 can be stored either internally or externally to the authentication controller 114.
- the encryption key 116 is transmitted to the encryption engine 110 by the authentication subsystem 104 once a user 122, having an identification number or key, has been verified against an authentication key 118.
- the authentication key 118 When the data security system 100 is locked, the authentication key 118 remains inside the authentication subsystem 104 and cannot be read from outside.
- One method of hiding the authentication key 118 is to store it in the authentication controller 114 in the authentication subsystem 104. Setting the security fuse of the authentication controller 114 makes it impossible to access the authentication key 118 unless the authentication controller 114 allows retrieval once the user 122 has been verified.
- Many micro-controllers come equipped with a security fuse that prevents accessing any internal memory when blown. This is a well-known and widely used security feature. Such a micro-controller could be used for the authentication controller 114.
- the authentication controller 114 can be a micro-controller or microprocessor.
- the authentication key 118 can be used as in several capacities:
- FIG. 2 therein is shown an illustration of an authentication key delivery method used with the data security system 100.
- the authentication key 118 and the encryption key 116 are one and the same.
- the encryption engine 110 employs the authentication key 118 as the encryption key 1 16.
- the user 122 must interact with the authentication subsystem 104 by providing user identification 202, a number or key, to the authentication subsystem 104.
- the authentication subsystem 104 validates the user 122 against the authentication key 118.
- the authentication subsystem 104 then transmits the authentication key 118 as the encryption key 116 to the interface controller 108.
- the encryption engine 110 in the interface controller 108 employs the authentication key 118 to convert clear information to encrypted information and encrypted information to clear information along a channel 206. Any attempt to read encrypted information from the storage media 112 without the encryption key 116 will generally result in information that is unusable by any computer.
- FIG. 3 therein is shown an illustration of different systems for the user 122 to interact with a data security system 300.
- the interaction can be by a communication combination 301, which can be by a physical contact, wired connection, or wireless connection from a cell phone, smartphone, smart watch, wearable appliance, or other wireless device.
- a mobile transceiver 302 is employed to transmit user identification 304 to a data security transceiver 306 in an authentication subsystem 310.
- transceivers are employed for bi-directional communication flexibility but a transmitter-receiver combination for uni-directional communication could also be used.
- the authentication subsystem 310 includes the authentication controller 114, which is connected to the interface controller 108 in the storage subsystem 106.
- the user identification 304 is supplied to the data security transceiver 306 within the authentication subsystem 310 by the mobile transceiver 302 from outside the storage subsystem 106 of the data security system 300.
- the wireless communication may include Wireless Fidelity (WiFi), Bluetooth (BT), Bluetooth Smart, Near Field Communication (NFC), Global Positioning System (GPS), optical, cellular communication (for example, Long-Term Evolution (LTE), Long-Term Evolution Advanced (LTE-A)), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Universal Mobile Telecommunications System (UMTS), Wireless Broadband (WiBro), or Global System for Mobile Communications (GSM), and the like).
- WiFi Wireless Fidelity
- BT Bluetooth
- NFC Near Field Communication
- GPS Global Positioning System
- CDMA Code Division Multiple Access
- WCDMA Wideband Code Division Multiple Access
- UMTS Universal Mobile Telecommunications System
- WiBro Wireless Broadband
- GSM Global System for Mobile Communications
- the authentication subsystem 310 validates the user 122 against the authentication key 118 by a code sent from the mobile transceiver 302 being validated against the authentication key 118.
- the authentication subsystem 310 then transmits the encryption key 116 to the interface controller 108 across the communication combination 301.
- the encryption engine 110 then employs the encryption key 116 to convert clear information to encrypted information and encrypted information to clear information along the channel 206. Any attempt to read encrypted information from the storage media 112 without the encryption key 116 will result in information that is unusable by the host computer system 120.
- the authentication subsystem 310 validates the user 122 against the authentication key 118 by having the user 122 employ a biometric sensor 320 to supply a biometric input 322 to verify his/her identity as an authorized user.
- biometric identification include a fingerprint, an iris scan, a voice imprint, etc.
- the authentication subsystem 310 validates the user 122 against the authentication key 118 by having the user 122 employ an electro-mechanical input mechanism 330 to supply a unique code 332 to verify his/her identity as an authorized user.
- the unique code 332 can include a numerical, alphanumeric, or alphabetic code, such as a PIN.
- the electro-mechanical input mechanism 330 is within the authentication subsystem 310.
- the electro-mechanical input mechanism 330 receives the unique code 332 from the user 122 from outside of the data security system 300.
- the unique code 332 is supplied to the electro-mechanical input mechanism 330 within the authentication subsystem 310 from outside the storage subsystem 106 of the data security system 300.
- FIG. 4 shows an illustration of how the user 122 can employ the host computer system 120 to interact with a data security system 400.
- the host computer system 120 is provided with a host application 402.
- the host application 402 is software or firmware, which communicates over the external communication channel 102 of the data security system 400.
- the host application 402 delivers host identifiers 406, such as internal component serial numbers (e.g. hard drive), media access control (MAC) address of a network card, login name of the user, network Internet Protocol (IP) address, an ID created by the data security system and saved to the host, an ID created by the data security system and saved to the network, etc., associated with its environment.
- host identifiers 406 are employed by an authentication subsystem 408 in the data security system 400.
- the authentication subsystem 408 validates the user 122 against the authentication key 118 by verifying the host identifiers 406, the data security system 400 will unlock.
- the user 122 connects the data security system 400 that is locked to the host computer system 120.
- the host application 402 sends the MAC address of its network card to the data security system 400.
- the data security system 400 recognizes this MAC address as legitimate and unlocks without the user 122 of FIG. 1 having to enter user identification.
- This is implementation does not require any interaction with the user 122. In this case, it is the host computer system 120 and its associated environment that are being validated.
- the data security system 400 includes: providing the authentication key 118 stored in the authentication subsystem 104; providing verification of the host computer system 120 by the authentication subsystem 104; presenting the encryption key 116 to the storage subsystem 106 by the authentication subsystem 104; and providing access to the storage media 112 by the storage subsystem 106 by way of decrypting the storage media content.
- the data security system further includes the authentication subsystem 104 for interpretation of biometric input and verification of the user 122.
- the data security system further includes using the authentication key 118 as the encryption key 116 directly.
- the data security system further includes using the authentication key 118 to decrypt and retrieve the encryption key 116 used to decipher internal content.
- the data security system further includes the authentication subsystem 104 for interpretation of signal inputs and verification of sending unit.
- the data security system further includes the authentication subsystem 104 for interpretation of manually entered input and verification of the user 122.
- the data security system further includes the authentication subsystem 104 for interpretation of input sent by a host resident software application for verification of the host computer system 120.
- the data security system as further includes the encryption engine 110 outside the interface controller 108 but connected to the external communication channel 102 for the purpose of converting clear data to encrypted data for unlocking the data security system 100.
- the data security method 500 includes; verifying the user against an authentication key in a block 502; employing the authentication key for retrieving an encryption key in a block 504; and employing the encryption key for allowing unencrypted communication through a storage subsystem between a host computer system and a storage media in a block 506.
- the exemplary data security communication system 600 includes a mobile device 610, a data security system 620, a host computer 630, and a server/console 640.
- the mobile device 610 and the server/console 640 are connected by wired or wireless connections through a cloud 650, which can be an Internet cloud.
- the mobile device 610 and the data security system 620 are connected by the communication combination 301.
- the communication combination 301 in the exemplary data security communication system 600 includes a mobile transceiver 612 in the mobile device 610 with an antenna 614 wirelessly communicating with an antenna 622 of a data security transceiver 624 in the data security system 620.
- the mobile device 610 in one embodiment can be a smartphone.
- the mobile transceiver 612 can be connected to conventional mobile device components and to a data security system application 618, which provides information to be used with the data security system 620.
- the data security transceiver 624 is connected to a security controller 626, which can contain identification, passwords, profiles, or information including that of different mobile devices that can access the data security system 620.
- the security controller 626 is connected to subsystems similar to the authentication subsystem 310, the storage subsystem 106 (which in some embodiments can have encryption to encrypt data), and the external communication channel 102.
- the external communication channel 102 is connectible to the host computer 630 to allow, under specified circumstances, access to data in the storage subsystem 106.
- One implementation of the data security system 620 can eliminate the biometric sensor 320 and the electro-mechanical input mechanism 330 of FIG. 3 with only a wireless link to the mobile device 610, such as a smartphone. It has been found that this implementation makes the data security system 620 more secure and useful.
- the data security system application 618 allows the mobile device 610 to discover all data security systems in the vicinity of the mobile device 610 and show their status (locked/unlocked/blank, paired/unpaired etc.).
- the data security system application 618 allows the mobile device 610 to connect/pair, lock, unlock, change the name and password, and reset all data on the data security system 620.
- the data security system application 618 allows the mobile device 610 to set an inactivity auto-lock so the data security system 620 will automatically lock after a predetermined period of inactivity or to set a proximity auto-lock so the data security system 620 will be locked when the mobile device 610 is not within a predetermined proximity for a predetermined time period (to improve reliability and avoid signal de-bouncing).
- the data security system application 618 allows the mobile device 610 to remember a password, use TouchID, and Apple Watch (both TouchID and Apple Watch mentioned here as examples only, there are many other mobile devices with biometric sensors and wearables that can be used in a similar mode) so data security system 620 could be unlocked without entering re-entering a password on the mobile device
- the data security system application 618 allows the mobile device 610 to be set to operate only with a specific mobile device, such as the mobile device 610, so the data security system 620 cannot be unlocked with other mobile devices (lPhone).
- the data security system application 618 allows the mobile device 610 to set the data security system 620 to Read-Only
- the data security system application 618 allows the mobile device 610 to operated in User Mode or Administrator Mode (administrator's mode overrides user's settings) and use the server/console 640.
- the server/console 640 is a combination of a computer with a console for entering information into the computer.
- the server/console 640 contains a user management database 642, which contains additional information that can be transmitted over the cloud 650 to the mobile device 610 to provide additional functionality to the mobile device 610.
- the user management database 642 allows the server/console 640 to create and identify users using UserlD (username and password) and block/allow unlocking the data security system 620 and provide remote help. [0085] The user management database 642 allows the server/console 640 to remotely reset or unlock the data security system 620.
- the user management database 642 allows the server/console 640 to remotely change the data security system user' s PIN.
- the user management database 642 allows the server/console 640 to restrict/allow unlocking data security system 620 from specific locations (by using geo-fencing)
- the user management database 642 allows the server/console 640 to restrict/allow unlocking data security system 620 in specified time periods and different time zones
- the user management database 642 allows the server/console 640 to restrict unlocking data security system 620 outside of specified team/organization/network etc.
- FIG. 7 therein is shown an administrator sequencing diagram showing the sequence of operations between the mobile device 610 and the data security system 620.
- Connectivity 700 between the data security system 620 and the mobile device 610, is first established with mutual discovery of the other device or system, pairing the device and system, and connection of the device and system.
- the connectivity 700 is secured using a shared secret, which is then used to secure (encrypt) communications between the data security system 620 and the mobile device 610 for all future communication sessions.
- a standard encryption algorithm is selected to be both efficient to run on the data security system 620 and to be approved by world-wide security standards.
- the connectivity 700 is maintained by the data security system application 618 or the security controller 628 or both operating together as long as the data security system 620 and the mobile device 610 are within a predetermined distance of each other. Further, if the predetermined distance is exceeded, the connectivity 700 is maintained for a predetermined period of time after which the data security system 620 is locked.
- a data security system administrator application start operation 702 occurs in the mobile device 610. Then an administrator sets a password in an administrator password operation 704. Also after connection of the mobile device 610 and the data security system 620, the data security system 620 is connected to the host computer 630 of FIG. 6 to be powered up and discoverable by the host computer 630 in a data security system connected, powered and discoverable operation 706. [0094] After the administrator password operation 704, the mobile device 610 sends a set administrator password and unlock signal 708 to the data security system 620. The set administrator password and unlock signal 708 causes an administrator password set and data security system unlocked operation 716 to occur in the data security system 620.
- a confirmation: data security system unlocked signal 712 is sent to the mobile device 610 where a confirmation: data security system unlocked as administrator operation 714 operates.
- the confirmation: data security system unlocked as administrator operation 714 permits a set other restrictions operation 716 to be performed using the mobile device 610.
- the set other restrictions operation 716 causes a set administrator restrictions signal 718 to be sent to the data security system 620 where the administrator restrictions are set and a confirmation: restrictions set signal 720 is returned to the mobile device 610. Thereafter, the mobile device 610 and the data security system 620 are in full operative communication.
- this unique identifier On making requests that could affect user data, such as unlocking or resetting the data security system 620, this unique identifier (unique ID) is required. Attempts to perform these operations without the correct identifier are ignored and made harmless.
- the unique identifier is used to identify the data security system 620 to the mobile device 610 in a way that requires the user to have physical control over the data security system 620 and to verify the connectivity 700 is established between the authorized, previously paired device and system, such as the mobile device 610 and the data security system 620. Once the devices are paired, the shared secret is used to make the communication confidential.
- Pairing connotes that a mobile device and a data security system have a unique and defined relationship established at some time in the past and enduring.
- the unique identifier makes for giving the user some control over the data security system when the user has physical control of the data security system.
- a user may choose to enable a feature, such as a feature called lPhone here.
- This feature restricts significant user interactions with the data security system 620 to one and only one mobile device 610. This is done by replacing the data security system unique identifier described above with a random identifier shared securely between the data security system 620 and the mobile device 610. So, instead of presenting the data security system unique identifier when, for example, the user unlocks the data security system 620, the lPhone identifier must be given instead.
- the paired user phone selected as "lPhone” can be used without a PIN, and as the user-authentication single factor and/or in a combination with any other user-authentication factors. If such feature (lPhone) is selected, the data security system 620 cannot be open with any other phones, except if an administrator's unlock was enabled before.
- the user may enable a proximity auto-lock feature for the data security system 620.
- the data security transceiver 624 of FIG. 6 reports to the data security system 620 a signal strength measurement for the mobile device 610.
- the data security system application 618 on the mobile device 610 sends the data security system 620 both the originating signal power level and the threshold for proximity.
- the data security system 620 mathematically smooths the signal strength measurements to reduce the likelihood of a false positive.
- the data security system 620 detects that the signal power received has dropped below a defined threshold for a predetermined period of time, it will immediately lock the data security system 620 and prevent access to the storage subsystem 106 of FIG. 6.
- the data security system 620 could be used in three different modes: a User Mode where the functionalities of the data security system 620 are determined by the user; an Administrator Mode where an administrator can set an Administrator password and enforce some restrictions on the data security system 620 (e.g., automatic lock after a predetermined period of inactivity, Read-Only, lPhone) and where restrictions cannot be removed by a User; and a Server Mode where an administrator role is set where the server/console 640 can remotely reset the data security system 620, change user passwords, or just unlock the data security system 620.
- a User Mode where the functionalities of the data security system 620 are determined by the user
- an Administrator Mode where an administrator can set an Administrator password and enforce some restrictions on the data security system 620 (e.g., automatic lock after a predetermined period of inactivity, Read-Only, lPhone) and where restrictions cannot be removed by a User
- a Server Mode where an administrator role is set where the server/console 640 can remotely reset the data security system
- FIG. 8 therein is shown a unlocking sequence diagram where the mobile device 610 is an authentication factor.
- This diagram shows auto-unlock process of the data security system 620 initiated by the data security system application 618 from specific mobile device, the mobile device 610.
- a user can use only one mobile device that was initially paired with the data security system 620. If the paired mobile device 610 is lost then the data security system 620 could not be unlocked (unless administrator password was set before as shown in FIG. 7).
- a data security system application started operation 800 occurs after the connectivity 700 is established.
- An unlock required with mobile device ID signal 802 is sent from the mobile device 610 to the data security system 620 after a data security system connected, powered and discoverable operation 706.
- a data security system unlocked operation 804 occurs and a confirmation: data security system unlocked signal 712 is sent from the data security system 620.
- FIG. 9 therein is shown an unlock sequencing diagram showing unlocking using a PIN entry from the mobile device 610.
- This diagram shows process of unlocking the data security system 620 by entering a PIN in the data security system application 618 in the mobile device 610.
- the data security system 620 cannot be unlocked without entering the correct PIN.
- an enter username/password operation 900 occurs after the data security system application started operation 800.
- the mobile device 610 sends a verify user ID signal 902 to the server/console 640.
- the server/console 640 then makes a username/password valid determination 904.
- a valid user signal 906 is sent to the mobile device 610 for the user to enter the correct PIN in an enter PIN operation 908 in the mobile device 610.
- the mobile device 610 then sends a verify unlock signal 910 to determine if the correct PIN has been entered to the server/console 640.
- the server/console 640 makes a user authorized determination 912 and determines if the user is authorized to use the specific data security system, such as the data security system 620, that the PIN is authorized for. If authorized, an unlock allowed signal 914 is sent to the mobile device 610, which passes on an unlock request signal 916 to the data security system 620.
- FIG. 10 therein is shown an unlock sequencing diagram showing unlock using a PIN entry and User ID/location/time verification via the server/console 640.
- This diagram shows the most secure process of unlocking the data security system 620 by entering a PIN in the data security system application 618 from the mobile device 610, authentication in the server/console 640 server using a UserlD (username/password) and by verifying geo-fencing permissions to unlock the data security system 620 at a specific location and at a certain time range.
- the data security system 620 could not be unlocked without entering the PIN, username and password, and having the mobile device 610 be present in specific (predefined) location and certain (predefined) time.
- an unlock specified data security system operation 1000 is performed to allow setting of the desired conditions under which the specified data security system, such as the data security system 620, will operate.
- the conditions could be within a specific geographical area and/or specific time frame.
- a current condition determination is made, such as in an acquire location and/or current time operation 1002. This operation is performed to determine where the mobile device 610 is located and or what the current time is where the mobile device 610 is located. Other current conditions around the mobile device 610 may also be determined and sent by a verify unlock signal 1004 to the server/console 640 where a conditions met determination 1006 is made.
- an unlock allowed signal 1008 is sent to the mobile device 610 for the enter PIN operation 908 to be performed.
- a verify unlock signal 1010 is sent with the PIN and an identification of the data security system 620 that is in operational proximity to the mobile device 610.
- the verify unlock signal 1010 is received by the server/console 640 and a data security system allowed determination 1012 is made to determine that the specified data security system is allowed to unlock by the authorized user.
- the server/console 640 verifies that this "specific" user is authorized to use the specified data security system.
- the server/console 640 will provide an unlock allowed signal 914 to the mobile device 610, which will provide a unlock request signal 916.
- the unlock request signal 916 causes the data security system 620 to operate.
- FIG. 11 therein is shown a reset sequencing diagram showing resetting the data security system 620 using the server/console 640.
- This diagram shows the ability to reset the data security system 620 remotely via the server/console 640.
- the data security system 620 can receive commands only from the mobile device 610 over the wireless connection. However, by setting a "Reset" flag on the server/console 640 for a specific data security system (using it's S/N), the data security system application 618 running on the mobile device 610 will query the server/console 640 for any flags/pending requests in the user management database 642. When the user connects the data security system 620, the data security system application 618 on the mobile device 610 will execute a waiting "reset" command. After a successful reset (all user data and credentials are gone), the server/console 640 will remove the Reset flag so it will be not be executed the next time when the mobile device 610 is connected to the specific data security system.
- the mobile device 610 responds to the valid user signal 906 to send an any command waiting signal 1100 to the server/console 640 to make a reset command determination 1102.
- a perform reset signal 1104 will be sent to the mobile device 610.
- the mobile device 610 will send a reset security system signal 1106 to the data security system 620 to start a data security system reset operation 1108.
- the data security system 620 Upon completion of the data security system reset operation 1108, the data security system 620 will send a confirmation: data security system reset signal 1110 to the mobile device 610 to set a confirmation: data security system reset operation 1112 into operation. Thereafter, the mobile device 610 and the data security system 620 are in full operative communication with the data security system 620 reset.
- FIG. 12 therein is shown an unlock sequencing diagram showing unlocking the data security system 620 using the server/console 640.
- This diagram shows ability to unlock the data security system 620 remotely via the server/console 640.
- the data security system 620 can receive commands only from the mobile device 610 over the wireless connection. However by setting an "Administrator Unlock" flag on the server/console 640 console for a specific data security system (using it's S/N), the data security system application 618 running on the mobile device 610 will query the server/console 640 for any flags/pending requests. When the user connects the data security system 620, the data security system application 618 on the mobile device 610 will execute a waiting "Administrator Unlock" command.
- the server/console 640 will remove Reset flag for the data security system 620 so it will be not executed next time when the mobile device 610 is connected to the data security system 620.
- the server/console 640 performs an unlock 1200 when there is a command to unlock with an administrator's password.
- An unlock with an administrator's password signal 1202 is sent to the mobile device 610, which provides an unlock with administrator's password signal 1204 to the data security system 620 to start the data security system unlocked operation 804. Thereafter, the mobile device 610 and the data security system 620 are in full operative communication.
- FIG. 13 therein is shown a change user's password sequencing diagram using the server/console 640.
- This diagram shows ability to change User's password for data security system 620 remotely via the server/console 640.
- data security system 620 can receive commands only from the mobile device 610 over the wireless connection, by setting a "Change User's Password" flag on the server/console 640 console for a specific data security system (using it's S/N), the data security system application 618 running on the mobile device 610 will query the server/console 640 for any flags/pending requests.
- the data security system application 618 on the mobile device 610 will execute waiting "Change User' s Password" command.
- the user's data is untouched and the data security system 620 can be unlocked with new user's password.
- the server/console 640 will remove "Change User's Password" flag for this data security system 620 so it will be not executed next time when the mobile device 610 is connected to the specific data security system.
- the server/console 640 responds to the any command waiting signal 1100 by making a change password determination 1300.
- a change user password signal 1302 is sent to the mobile device 610, which sends a change user password signal 1304 to the data security system 620. Thereafter, the mobile device 610 and the data security system 620 are in full operative communication with the new password.
- a method of operation of a data security system comprising: providing a mobile device with a data security system application for connectivity with the data security system; starting the data security system application; and maintaining connectivity of the data security system with the mobile device.
- the method as described above wherein establishing the connectivity includes using bi-directional communication between the data security system and the mobile device.
- the method as described above wherein establishing the connectivity includes using uni-directional communication between the data security system and the mobile device.
- the method as described above further comprising providing security information in a security controller in the data security system.
- the method as described above further comprising: providing a server with identification of a specified data security system; providing the data security system with a specific identification; and unlocking the data security system when the identification of the specified data security system is the same as the specific identification of the data security system.
- providing a mobile device with the data security system application provides a data security system administrator's application and further includes: setting an administrator's password in the mobile device; transmitting the administrator's password from the mobile device to the data security system; and setting the administrator's password in the data security system and unlocking the data security system.
- the method as described above further comprising: providing an unlock request along with a mobile device identification from the mobile device to the data security system; and receiving the unlock request in the data security system and unlocking the data security system.
- the method as described above further comprising: entering a user name or password in the mobile device; determining when the user name or password is valid in a server after receiving the user name or password from the mobile device; communicating from the server to the mobile device when the user name or password is valid; and communicating from the mobile device to the data security system when the user name or password is valid to unlock the data security system.
- the method as described above further comprising: entering a user name or password in the mobile device; determining when the user name or password is valid in a server after receiving the user name or password from the mobile device; communicating from the server to the mobile device when the user name or password is valid; determining when the identification number is valid in the server after receiving identification number from the mobile device; and unlocking the data security system through the mobile device when the server determines the identification number is valid.
- the method as described above further comprising: providing a valid location of the mobile device to a server; determining in the server when the mobile device is in the valid location; and unlocking the data security system through the mobile device when the server determines the mobile device is in the valid location.
- the method as described above further comprising: providing a current time of operation for the data security system at the mobile device to a server; determining in the server when the mobile device is within the current time; and unlocking the data security system through the mobile device when the server determines the mobile device has the current time.
- the method as described above further comprising: providing a command in a server; providing the command to the mobile device from the server in response to a command waiting signal from the mobile device; and performing the command in the data security system through the mobile device when the command is provided from the server.
- the method as described above further comprising: providing a change password command in a server; providing the change password command to the mobile device from the server in response to a change password signal from the mobile device; and unlocking the data security system with the changed password in the data security system.
- the method as described above further comprising connecting the data security system to a host computer for power and to be discoverable by the host computer.
- a data security system comprising: a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.
- the system as described above further comprising a security controller connected to the data security transceiver or the receiver and to the authentication subsystem.
- the system as described above further comprising a mobile device having a data security system application operating with the security controller for maintaining connectivity when the data security system is within a predetermined proximity to the mobile device.
- the system as described above further comprising a mobile device having a data security system application operating with the security controller for maintaining connectivity when the data security system is within a predetermined proximity to the mobile device for a predetermined period of time.
- the system as described above further comprising a mobile device having a mobile transceiver or receiver for maintaining connectivity includes using bi-directional communication between the data security system and the mobile device.
- the system as described above further comprising a mobile device having a mobile transceiver or receiver for maintaining connectivity includes using uni-directional communication between the data security system and the mobile device.
- the system as described above further comprising a wired or wireless connection communication between a mobile device with a data security system application and a server containing a user management database.
Abstract
Description
Claims
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020197035893A KR102201093B1 (en) | 2016-01-04 | 2017-01-03 | Data security system with encryption |
CN201780005638.6A CN108604982B (en) | 2016-01-04 | 2017-01-03 | Method for operating a data security system and data security system |
JP2018553854A JP6633228B2 (en) | 2016-01-04 | 2017-01-03 | Data security system with encryption |
KR1020187022506A KR102054711B1 (en) | 2016-01-04 | 2017-01-03 | Data security system using encryption |
GB1811137.7A GB2562923B (en) | 2016-01-04 | 2017-01-03 | Data security system with encryption |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/987,749 US10181055B2 (en) | 2007-09-27 | 2016-01-04 | Data security system with encryption |
US14/987,749 | 2016-01-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017123433A1 true WO2017123433A1 (en) | 2017-07-20 |
Family
ID=59311569
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2017/012060 WO2017123433A1 (en) | 2016-01-04 | 2017-01-03 | Data security system with encryption |
Country Status (6)
Country | Link |
---|---|
JP (3) | JP6633228B2 (en) |
KR (2) | KR102054711B1 (en) |
CN (2) | CN108604982B (en) |
GB (2) | GB2562923B (en) |
TW (2) | TWI692704B (en) |
WO (1) | WO2017123433A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10181055B2 (en) | 2007-09-27 | 2019-01-15 | Clevx, Llc | Data security system with encryption |
CN110225515A (en) * | 2019-06-24 | 2019-09-10 | 晏保华 | A kind of authentication administrative system, method and device |
WO2020037053A1 (en) * | 2018-08-16 | 2020-02-20 | Clevx, Llc | Self-encrypting module with embedded wireless user authentication |
US10778417B2 (en) | 2007-09-27 | 2020-09-15 | Clevx, Llc | Self-encrypting module with embedded wireless user authentication |
US10783232B2 (en) | 2007-09-27 | 2020-09-22 | Clevx, Llc | Management system for self-encrypting managed devices with embedded wireless user authentication |
US11190936B2 (en) | 2007-09-27 | 2021-11-30 | Clevx, Llc | Wireless authentication system |
GB2574433B (en) * | 2018-06-06 | 2022-11-02 | Istorage Ltd | Dongle for ciphering data |
US11971967B2 (en) | 2021-08-20 | 2024-04-30 | Clevx, Llc | Secure access device with multiple authentication mechanisms |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI651626B (en) * | 2017-11-30 | 2019-02-21 | 大陸商北京集創北方科技股份有限公司 | Biometric data encryption method and information processing device using same |
WO2019177563A1 (en) * | 2018-03-12 | 2019-09-19 | Hewlett-Packard Development Company, L.P. | Hardware security |
JP2022050899A (en) | 2020-09-18 | 2022-03-31 | キオクシア株式会社 | Memory system |
TWI788936B (en) * | 2021-08-02 | 2023-01-01 | 民傑資科股份有限公司 | Flash drive locked with wireless communication manner |
KR102540669B1 (en) * | 2021-12-17 | 2023-06-08 | 주식회사 그리다에너지 | System for Job history authentication using encrypted and non-editable job data |
CN114598461B (en) * | 2022-02-24 | 2023-10-31 | 广东天波信息技术股份有限公司 | Online unlocking method of terminal equipment, terminal equipment and readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030093693A1 (en) * | 2001-11-12 | 2003-05-15 | Palm, Inc. | System and method for providing secured access to mobile devices |
US20100287373A1 (en) * | 2007-09-27 | 2010-11-11 | Clevx, Llc | Data security system with encryption |
US20110313922A1 (en) * | 2009-06-22 | 2011-12-22 | Mourad Ben Ayed | System For NFC Authentication Based on BLUETOOTH Proximity |
US20150058624A1 (en) * | 2013-08-20 | 2015-02-26 | Janus Technologies, Inc. | System and method for remotely managing security and configuration of compute devices |
Family Cites Families (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10340231A (en) * | 1997-06-05 | 1998-12-22 | Kokusai Electric Co Ltd | Ic card |
US6529949B1 (en) * | 2000-02-07 | 2003-03-04 | Interactual Technologies, Inc. | System, method and article of manufacture for remote unlocking of local content located on a client device |
US6708272B1 (en) * | 1999-05-20 | 2004-03-16 | Storage Technology Corporation | Information encryption system and method |
WO2001020463A1 (en) * | 1999-09-17 | 2001-03-22 | Fingloq Ab | Security arrangement |
US8677505B2 (en) * | 2000-11-13 | 2014-03-18 | Digital Doors, Inc. | Security system with extraction, reconstruction and secure recovery and storage of data |
US7099663B2 (en) * | 2001-05-31 | 2006-08-29 | Qualcomm Inc. | Safe application distribution and execution in a wireless environment |
TW583568B (en) * | 2001-08-27 | 2004-04-11 | Dataplay Inc | A secure access method and system |
US20030109218A1 (en) * | 2001-10-18 | 2003-06-12 | Azalea Microelectronics Corporation | Portable wireless storage unit |
US7198571B2 (en) * | 2002-03-15 | 2007-04-03 | Igt | Room key based in-room player tracking |
JP2004326763A (en) * | 2003-04-10 | 2004-11-18 | Matsushita Electric Ind Co Ltd | Password change system |
WO2004090738A1 (en) | 2003-04-10 | 2004-10-21 | Matsushita Electric Industrial Co., Ltd. | Password change system |
JP2006025249A (en) * | 2004-07-08 | 2006-01-26 | Fujitsu Ltd | Terminal device, data backup system thereof, data backup method thereof, and data backup program thereof |
CN101010677A (en) * | 2004-09-06 | 2007-08-01 | 皇家飞利浦电子股份有限公司 | Portable storage device and method for exchanging data |
US20060075230A1 (en) * | 2004-10-05 | 2006-04-06 | Baird Leemon C Iii | Apparatus and method for authenticating access to a network resource using multiple shared devices |
JP2006139757A (en) * | 2004-10-15 | 2006-06-01 | Citizen Watch Co Ltd | Locking system and locking method |
US20060129829A1 (en) * | 2004-12-13 | 2006-06-15 | Aaron Jeffrey A | Methods, systems, and computer program products for accessing data with a plurality of devices based on a security policy |
US20060176146A1 (en) * | 2005-02-09 | 2006-08-10 | Baldev Krishan | Wireless universal serial bus memory key with fingerprint authentication |
JP4781692B2 (en) * | 2005-03-08 | 2011-09-28 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Method, program, and system for restricting client I / O access |
US8335920B2 (en) * | 2005-07-14 | 2012-12-18 | Imation Corp. | Recovery of data access for a locked secure storage device |
TWI288553B (en) * | 2005-10-04 | 2007-10-11 | Carry Computer Eng Co Ltd | Portable storage device having main identification information and method of setting main identification information thereof |
JP2009524880A (en) * | 2006-01-24 | 2009-07-02 | クレブエックス・リミテッド・ライアビリティ・カンパニー | Data security system |
US20070248232A1 (en) * | 2006-04-10 | 2007-10-25 | Honeywell International Inc. | Cryptographic key sharing method |
WO2008147577A2 (en) * | 2007-01-22 | 2008-12-04 | Spyrus, Inc. | Portable data encryption device with configurable security functionality and method for file encryption |
US20080303631A1 (en) * | 2007-06-05 | 2008-12-11 | Beekley John S | Mass Storage Device With Locking Mechanism |
CN100533459C (en) * | 2007-10-24 | 2009-08-26 | 北京飞天诚信科技有限公司 | Data safety reading method and safety storage apparatus thereof |
US20100293374A1 (en) * | 2008-07-30 | 2010-11-18 | Bushby Donald P | Secure Portable Memory Storage Device |
JP2010102617A (en) * | 2008-10-27 | 2010-05-06 | Dainippon Printing Co Ltd | System, device, method and program of access management of external storage, apparatus and recording medium |
US20100174913A1 (en) * | 2009-01-03 | 2010-07-08 | Johnson Simon B | Multi-factor authentication system for encryption key storage and method of operation therefor |
US9286493B2 (en) * | 2009-01-07 | 2016-03-15 | Clevx, Llc | Encryption bridge system and method of operation thereof |
US20110154023A1 (en) * | 2009-12-21 | 2011-06-23 | Smith Ned M | Protected device management |
US9270663B2 (en) * | 2010-04-30 | 2016-02-23 | T-Central, Inc. | System and method to enable PKI- and PMI-based distributed locking of content and distributed unlocking of protected content and/or scoring of users and/or scoring of end-entity access means—added |
GB2508532B (en) * | 2011-09-28 | 2020-05-06 | Hewlett Packard Development Co | Unlocking a storage device |
WO2013073260A1 (en) * | 2011-11-19 | 2013-05-23 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Storage device |
US8972728B2 (en) * | 2012-10-15 | 2015-03-03 | At&T Intellectual Property I, L.P. | Method and apparatus for providing subscriber identity module-based data encryption and remote management of portable storage devices |
US20140149742A1 (en) * | 2012-11-28 | 2014-05-29 | Arnold Yau | Method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors |
GB201221433D0 (en) * | 2012-11-28 | 2013-01-09 | Hoverkey Ltd | A method and system of providing authentication of user access to a computer resource on a mobile device |
US20150161587A1 (en) * | 2013-12-06 | 2015-06-11 | Apple Inc. | Provisioning and authenticating credentials on an electronic device |
CN105450400B (en) * | 2014-06-03 | 2019-12-13 | 阿里巴巴集团控股有限公司 | Identity verification method, client, server and system |
-
2017
- 2017-01-03 CN CN201780005638.6A patent/CN108604982B/en active Active
- 2017-01-03 JP JP2018553854A patent/JP6633228B2/en active Active
- 2017-01-03 GB GB1811137.7A patent/GB2562923B/en active Active
- 2017-01-03 KR KR1020187022506A patent/KR102054711B1/en active IP Right Grant
- 2017-01-03 CN CN202010783513.XA patent/CN112054892A/en active Pending
- 2017-01-03 GB GB1919421.6A patent/GB2580549B/en active Active
- 2017-01-03 KR KR1020197035893A patent/KR102201093B1/en active IP Right Grant
- 2017-01-03 WO PCT/US2017/012060 patent/WO2017123433A1/en active Application Filing
- 2017-01-04 TW TW106100149A patent/TWI692704B/en active
- 2017-01-04 TW TW109109809A patent/TWI727717B/en active
-
2019
- 2019-12-11 JP JP2019223413A patent/JP6938602B2/en active Active
-
2021
- 2021-09-01 JP JP2021142248A patent/JP7248754B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030093693A1 (en) * | 2001-11-12 | 2003-05-15 | Palm, Inc. | System and method for providing secured access to mobile devices |
US20100287373A1 (en) * | 2007-09-27 | 2010-11-11 | Clevx, Llc | Data security system with encryption |
US20110313922A1 (en) * | 2009-06-22 | 2011-12-22 | Mourad Ben Ayed | System For NFC Authentication Based on BLUETOOTH Proximity |
US20150058624A1 (en) * | 2013-08-20 | 2015-02-26 | Janus Technologies, Inc. | System and method for remotely managing security and configuration of compute devices |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11190936B2 (en) | 2007-09-27 | 2021-11-30 | Clevx, Llc | Wireless authentication system |
US10985909B2 (en) | 2007-09-27 | 2021-04-20 | Clevx, Llc | Door lock control with wireless user authentication |
US11233630B2 (en) | 2007-09-27 | 2022-01-25 | Clevx, Llc | Module with embedded wireless user authentication |
US10754992B2 (en) | 2007-09-27 | 2020-08-25 | Clevx, Llc | Self-encrypting drive |
US10181055B2 (en) | 2007-09-27 | 2019-01-15 | Clevx, Llc | Data security system with encryption |
US10783232B2 (en) | 2007-09-27 | 2020-09-22 | Clevx, Llc | Management system for self-encrypting managed devices with embedded wireless user authentication |
US10778417B2 (en) | 2007-09-27 | 2020-09-15 | Clevx, Llc | Self-encrypting module with embedded wireless user authentication |
US11151231B2 (en) | 2007-09-27 | 2021-10-19 | Clevx, Llc | Secure access device with dual authentication |
GB2574433B (en) * | 2018-06-06 | 2022-11-02 | Istorage Ltd | Dongle for ciphering data |
GB2607846A (en) * | 2018-06-06 | 2022-12-14 | Istorage Ltd | Dongle for ciphering data |
GB2607846B (en) * | 2018-06-06 | 2023-06-14 | Istorage Ltd | Dongle for ciphering data |
WO2020037053A1 (en) * | 2018-08-16 | 2020-02-20 | Clevx, Llc | Self-encrypting module with embedded wireless user authentication |
EP4242902A3 (en) * | 2018-08-16 | 2023-09-20 | Clevx, LLC | Self-encrypting module with embedded wireless user authentication |
CN110225515A (en) * | 2019-06-24 | 2019-09-10 | 晏保华 | A kind of authentication administrative system, method and device |
CN110225515B (en) * | 2019-06-24 | 2022-08-23 | 喀斯玛(北京)科技有限公司 | Authentication management system, method and device |
US11971967B2 (en) | 2021-08-20 | 2024-04-30 | Clevx, Llc | Secure access device with multiple authentication mechanisms |
Also Published As
Publication number | Publication date |
---|---|
JP2019511791A (en) | 2019-04-25 |
KR20180107775A (en) | 2018-10-02 |
TW201737151A (en) | 2017-10-16 |
KR20190137960A (en) | 2019-12-11 |
GB2562923B (en) | 2020-02-12 |
GB201919421D0 (en) | 2020-02-12 |
CN108604982A (en) | 2018-09-28 |
GB2580549B (en) | 2020-12-23 |
TWI727717B (en) | 2021-05-11 |
TW202029042A (en) | 2020-08-01 |
JP2021192265A (en) | 2021-12-16 |
CN112054892A (en) | 2020-12-08 |
JP7248754B2 (en) | 2023-03-29 |
GB2580549A (en) | 2020-07-22 |
GB201811137D0 (en) | 2018-08-22 |
JP6633228B2 (en) | 2020-01-22 |
JP2020057412A (en) | 2020-04-09 |
CN108604982B (en) | 2020-09-04 |
TWI692704B (en) | 2020-05-01 |
JP6938602B2 (en) | 2021-09-22 |
KR102201093B1 (en) | 2021-01-08 |
GB2562923A (en) | 2018-11-28 |
KR102054711B1 (en) | 2019-12-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11151231B2 (en) | Secure access device with dual authentication | |
US10985909B2 (en) | Door lock control with wireless user authentication | |
KR102054711B1 (en) | Data security system using encryption | |
US9813416B2 (en) | Data security system with encryption | |
US10783232B2 (en) | Management system for self-encrypting managed devices with embedded wireless user authentication | |
US10362483B2 (en) | System, methods and devices for secure data storage with wireless authentication | |
EP2798565B1 (en) | Secure user authentication for bluetooth enabled computer storage devices | |
US11190936B2 (en) | Wireless authentication system | |
EP4242902A2 (en) | Self-encrypting module with embedded wireless user authentication | |
US11971967B2 (en) | Secure access device with multiple authentication mechanisms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17738741 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2018553854 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 201811137 Country of ref document: GB Kind code of ref document: A Free format text: PCT FILING DATE = 20170103 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1811137.7 Country of ref document: GB |
|
ENP | Entry into the national phase |
Ref document number: 20187022506 Country of ref document: KR Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020187022506 Country of ref document: KR |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17738741 Country of ref document: EP Kind code of ref document: A1 |