Secure storage device with on-board encryption control

US 10,122,716 B2
Filed: 12/09/2015
Issued: 11/06/2018
Est. Priority Date: 05/23/2008
Status: Active Grant

First Claim

Patent Images

1. A security device for controlling a host device, the host device having a processor, a data storage, and a data storage controller, the security device comprising:

an interface for connecting the security device to the host device to enable the security device to control encryption and decryption of data communication between the processor of the host device and the data storage of the host device;

data storage for storing an encryption key for the encryption and decryption of the data communication;

a security processor, coupled to the interface and to the data storage for controlling the data communication by use of the encryption key; and

a wide area communication interface configured for secure communication with a remote device;

wherein the security processor is configured to control, based on the secure communication, the data communication between the processor of the host device and the data storage of the host device;

wherein the security processor is configured to take control of the host device during a boot sequence of the host device for performing data modification actions on the data storage of the host device; and

wherein the security processor is configured to disable the decryption of the host device data communication between the processor of the host device and the data storage of the host device in certain geographical locations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication and security device for a portable computer having an interface for connecting the security device to a host device to enable the security device to control encryption and decryption of data communication between a processor of the host device and a data storage of the host device. Examples include a security device with data storage for storing an encryption key for the encryption and decryption of the data communication, a security processor coupled to the interface and to the data storage for controlling the data communication by use of the encryption key, and a wide area communication interface configured for secure communication with a remote device. The security processor may be configured to control the data communication between the processor of the host device and the data storage of the host device based on the secure communication.

29 Citations

View as Search Results

19 Claims

1. A security device for controlling a host device, the host device having a processor, a data storage, and a data storage controller, the security device comprising:
- an interface for connecting the security device to the host device to enable the security device to control encryption and decryption of data communication between the processor of the host device and the data storage of the host device;
  
  data storage for storing an encryption key for the encryption and decryption of the data communication;
  
  a security processor, coupled to the interface and to the data storage for controlling the data communication by use of the encryption key; and
  
  a wide area communication interface configured for secure communication with a remote device;
  
  wherein the security processor is configured to control, based on the secure communication, the data communication between the processor of the host device and the data storage of the host device;
  
  wherein the security processor is configured to take control of the host device during a boot sequence of the host device for performing data modification actions on the data storage of the host device; and
  
  wherein the security processor is configured to disable the decryption of the host device data communication between the processor of the host device and the data storage of the host device in certain geographical locations.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The security device of claim 1 wherein the security processor is adapted to provide the data storage controller of the security device for controlling the host device data communication.
  - 3. The security device of claim 1 wherein the secure communication comprises a message having payload data and a header comprising identifier data, wherein the identifier data identifies the remote device.
  - 4. The security device of claim 3 wherein the security processor is configured to implement instructions carried by the payload data only in the event that the identifier data indicates that the remote device is a verified remote device.
  - 5. The security device of claim 1 wherein controlling the host device data communication based on the secure communication comprises at least one of:
    - (i) implementing a security command received via the secure communication;
      
      (ii) performing a security function in the event that the secure communication is discontinued for more than a selected interval.
  - 6. The security device of claim 1 wherein the security processor is configured to perform a security function in response to the secure communication, or a lack of the secure communication for more than a selected interval, wherein the security function comprises at least one of:
    - deleting the encryption key from the security data storage of the security device;
      
      disabling the encryption and decryption of the data communication between the processor of the host device and the data storage of the host device;
      
      overwriting the encryption key in the data storage of the security device;
      
      applying a physically damaging voltage to the data storage of the security device to destroy the encryption key;
      
      sending the remote server the security device'"'"'s location derived from a location tracker;
      
      disabling the encryption and decryption of the host device data communication between the processor of the host device and the data storage of the host device in certain geographical locations;
      
      authenticating a user of the host device and disabling the encryption and decryption of data communication between the processor of the host device and the data storage of the host device if the user is not positively authenticated.

7. A data access control device comprising:
- a chassis having an industry standard form factor for integration of the data access control device with a host device, the host device comprising a processor, a data storage, and a data storage controller; and
  
  a wide area communication interface configured to receive a security message from a remote device, the security message comprising a security command;
  
  wherein the data access control device is configured to control data communication between the processor of the host device and the data storage of the host device based on the security command by controlling the data access controller of the host device;
  
  wherein the processor is configured to take control of the host device during a boot sequence of the host device for performing data modification actions on the data storage of the host devicewherein the processor is configured to disable the decryption of the host device data communication between the processor of the host device and the data storage of the host device in certain geographical locations.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The data access control device of claim 7 wherein the data access control device is configured to control the data communication by controlling decryption of data stored on the data storage of the host device.
  - 9. The data access control device of claim 8 comprising a security processor and a stored encryption key for performing the decryption and encryption.
  - 10. The data access control device of claim 9 wherein the security processor is configured to perform a security function in response to at least one of:
    - the security message; and
      
      the absence of secure communication for a selected time interval, wherein the security function comprises at least one of;
      
      deleting the encryption key from the data storage of the security device;
      
      disabling the encryption and decryption of data communication between the processor of the host device and the data storage of the host device;
      
      overwriting the encryption key in the data storage of the security device;
      
      providing a physically damaging voltage to disable the data storage of the security device;
      
      sending the remote server the security device'"'"'s location derived from a location tracker;
      
      disabling the encryption and decryption of data communication between the processor of the host device and the data storage of the host device in certain geographical locations;
      
      authenticating a user of the host device and disabling the encryption and decryption of data communication between the processor of the host device and the data storage of the host device if the user is not positively authenticated.
  - 11. The data access control device of claim 8 wherein controlling the data communication based on the secure communication comprises at least one of:
    - (i) responding to a security command received via the secure communication;
      
      (ii) performing a security function in the event that the secure communication is discontinued for more than a selected time period.
  - 12. The data access control device of claim 7 wherein the security message comprises a message having payload data and a header comprising identifier data, wherein the identifier data identifies the remote device and the payload data includes the security command.
  - 13. The data access control device of claim 12 wherein the security processor is configured to implement instructions carried by the payload data in the event that the identifier data indicates that the remote device is a verified remote device.

14. A system comprising a host device and a data access control device for controlling the host device,the host device comprising a processor, a data storage, and a data storage controller, the host device having a boot sequence controlled by a BIOS;
- the data access control device comprising a wide area communication interface configured to receive a security message from a remote device, the security message comprising a security command, wherein the data access control device is configured to control data communication between the processor of the host device and the data storage of the host device based on the security command;
  
  wherein the data access control device is further configured to modify the BIOS of the host device so that, during the boot sequence of the host device, the host device passes control of the data storage to the data access control device; and
  
  wherein the processor is configured to disable the decryption of the host device data communication between the processor of the host device and the data storage of the host device in certain geographical locations.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14 wherein the data access and control device is configured to control the data communication by encrypting and decrypting the data communication and wherein the data access control device is configured to halt the decryption and encryption in response to the security command.
  - 16. The system of claim 14 wherein the data access control device is configured to respond to a selected security command by applying a physically damaging voltage to the data storage of the host device.
  - 17. The system of claim 14 wherein the security message comprises a message having payload data including the security command and a header comprising identifier data that identifies the remote device.
  - 18. The system of claim 17, wherein the data access control device stores data identifying at least one authorised remote device, and is configured to parse the header to obtain the identifier data, and to control the data communication based on the security command only in the event that the identifier data identifies one of the at least one authorised remote devices.
  - 19. The system of claim 16 wherein controlling the data communication based on the secure communication comprises at least one of:
    - (i) implementing a security command received via the secure communication;
      
      (ii) performing a security function in the event that the secure communication is discontinued for more than a selected time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exacttrak Limited
Original Assignee
Exacttrak Limited
Inventors
Shaw, Norman, Pragnell, John
Primary Examiner(s)
Rehman, Mohammed

Application Number

US14/963,379
Publication Number

US 20160094526A1
Time in Patent Office

1,063 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/1408   by using cryptography for d...

G06F 21/305   by remotely controlling dev...

G06F 21/34   involving the use of extern...

G06F 21/78   to assure secure storage of...

G06F 21/88   Detecting or preventing the...

G06F 2212/1052   Security improvement

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

H04L 63/0492   by using a location-limited...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

Secure storage device with on-board encryption control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage device with on-board encryption control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links