
Portable storage device with internal secure controller that performs self-verification and self-generates encryption key(s) without using host or memory controller and that securely sends encryption key(s) via side channel

  • US 10,608,819 B1
  • Filed: 09/24/2019
  • Issued: 03/31/2020
  • Est. Priority Date: 09/24/2019
  • Status: Active Grant
First Claim

1. A portable secure storage device, comprising:

  • a casing;

    a memory disposed within the casing and configured to store encrypted data;

    an input device disposed at the casing and configured to receive a security access code inputted to facilitate unlocking of the portable secure storage device;

    an output device disposed at the casing and configured to provide an output;

    a security controller disposed within the casing and coupled to the input device, wherein the security controller comprises a non-volatile memory and a security interface, and wherein the security controller is configured to cause:

    prior to receipt of the security access code by the input device and prior to communicating with a host, generating, without using the host, a transformation key and a concealed encryption key internally within the security controller, wherein the transformation key is for transforming the concealed encryption key to an operating encryption key, wherein the host is separate and distinct from the portable secure storage device, and wherein the concealed encryption key and the transformation key are not generated or provided by the host, a user, a memory controller or a data transfer controller;

    storing the concealed encryption key in the non-volatile memory of the security controller;

    providing the transformation key via the security interface;

    receiving the security access code inputted at the input device of the portable secure storage device;

    determining, without using the host, whether the inputted security access code matches with an access code stored within the non-volatile memory of the security controller;

    when the inputted security access code is verified against the stored access code, providing an indication that the inputted security access code is verified, fetching the concealed encryption key from the non-volatile memory of the security controller, and providing the concealed encryption key via the security interface; and

    when the portable secure storage device is locked, maintaining the concealed encryption key and the access code stored in the non-volatile memory of the security controller;

    the memory controller disposed within the casing and coupled to the security controller, wherein the memory controller comprises a transformation engine, a non-volatile memory, a volatile memory, a first standard memory interface, and a side memory interface, and wherein the memory controller is configured to cause:

    after the inputted security access code is verified:

    receiving the concealed encryption key via the side memory interface or a side data transfer interface;

    temporarily storing the concealed encryption key in the volatile memory of the memory controller;

    extracting the operating encryption key, based on the concealed encryption key and the transformation key, using the transformation engine;

    temporarily storing the extracted operating encryption key in the volatile memory of the memory controller;

    communicating with the security controller via the side memory interface or the side data transfer interface;

    receiving data from the data transfer controller via the first standard memory interface;

    encrypting, the data received from the data transfer controller, using the operating encryption key, and providing the encrypted data to the memory; and

    decrypting, data received from the memory, using the operating encryption key, and providing the decrypted data to the data transfer controller via the first standard memory interface; and

    when the portable secure storage device is caused to be locked, deleting the concealed encryption key and the operating encryption key temporarily stored in the volatile memory of the memory controller; and

    the data transfer controller disposed within the casing and coupled to the security controller and the memory controller, wherein the data transfer controller comprises a standard communication interface, a second standard memory interface, and the side data transfer interface, and wherein the data transfer controller is configured to cause:

    after the inputted security access code is verified:

    transmitting enumeration information of the portable secure storage device to the host via the standard communication interface of the data transfer controller;

    after an enumeration process with the host is completed, notifying a completion of the enumeration process via the side data transfer interface;

    receiving data compatible with a standard communication interface protocol from the host via the standard communication interface;

    converting the data compatible with the standard communication interface protocol to data compatible with a standard memory interface protocol; and

    providing the data compatible with the standard memory interface protocol to the memory controller, via the second standard memory interface, for encryption and storage in the memory, wherein:

    when the portable secure storage device is locked, the data transfer controller is disengaged from the host,

    when the portable secure storage device is plugged into the host, the portable secure storage device is unrecognizable by the host before the inputted security access code is verified,

    the portable secure storage device is removable from the host,

    the security controller comprises a tamper detection circuit configured to detect security tampering of the security controller, and a security level of the security controller is higher than a security level of the memory controller and a security level of the data transfer controller,

    the standard communication interface is of a first interface type, the first standard memory interface is of a second interface type, the second standard memory interface is of the second interface type, and the first interface type is different from the second interface type,

    the side memory interface is of an interface type that is different from the first interface type and the second interface type, and

    the side data transfer interface is of an interface type that is different from the first interface type and the second interface type.
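
The key lifecycle recited in the claim (internal key generation, code verification without the host, key extraction in the memory controller, and wiping on lock) can be modelled as follows. This is an added illustration, not code from the patent: the class and function names are hypothetical, HMAC-SHA256 stands in for the transformation engine (the claim does not say what the transformation is), and keeping the access code as a salted PBKDF2 hash and the transformation key inside the memory controller object are assumptions.

```python
import hashlib
import hmac
import secrets

class SecurityController:
    """Generates both keys internally; keeps code hash and concealed key in NVM."""
    def __init__(self, access_code: str):
        self._salt = secrets.token_bytes(16)
        self._code_hash = self._hash(access_code)
        self._concealed_key = secrets.token_bytes(32)
        self._transformation_key = secrets.token_bytes(32)

    def _hash(self, code: str) -> bytes:
        # Assumption: the stored access code is kept as a salted PBKDF2 hash.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def provide_transformation_key(self) -> bytes:
        return self._transformation_key

    def unlock(self, entered_code: str):
        """Release the concealed key only if the entered code verifies."""
        if hmac.compare_digest(self._hash(entered_code), self._code_hash):
            return self._concealed_key
        return None

class MemoryController:
    """Holds derived key material in volatile buffers only while unlocked."""
    def __init__(self, transformation_key: bytes):
        self._transformation_key = transformation_key
        self.concealed_key = None
        self.operating_key = None

    def receive_concealed_key(self, concealed_key: bytes) -> None:
        self.concealed_key = bytearray(concealed_key)
        # Assumption: HMAC-SHA256 stands in for the transformation engine.
        digest = hmac.new(self._transformation_key, concealed_key, hashlib.sha256)
        self.operating_key = bytearray(digest.digest())

    def lock(self) -> None:
        # Overwrite the volatile copies before dropping the references.
        for buf in (self.concealed_key, self.operating_key):
            if buf is not None:
                buf[:] = bytes(len(buf))
        self.concealed_key = self.operating_key = None

def unlock_device(sc: SecurityController, mc: MemoryController, code: str) -> bool:
    concealed = sc.unlock(code)
    if concealed is None:
        return False
    mc.receive_concealed_key(concealed)
    return True
```

In this model the memory controller holds no usable key while locked, and re-entering the correct code reproduces the same operating key, so data encrypted earlier stays readable.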
