Method and system to maintain portable computer data secure and authentication token for use therein
Abstract
A method and system to maintain portable computer data secure and an authentication token for use in the system are provided. The present invention provides for fine-grained authentication and full security of a laptop file system. The laptop disk is encrypted and each time data is fetched from the disk the laptop sends a short message requesting a decryption key from an authentication token worn or associated with the proper laptop user. If the user and his/her token are “present,” then access is allowed. If the user and his/her token are not “present” (i.e., within a predetermined radius), then access is disallowed and all in-memory data is flushed to the disk. The user wears the small authentication token that communicates with the laptop over a short-range, wireless link. Whenever the laptop needs decryption authority, it acquires it from the token; authority is retained only as long as necessary. With careful key management, the invention imposes an overhead of 11% compared to the local disk for representative workloads. Up to 36 MB of cached, decrypted data can be re-encrypted within five seconds of the user's departure, and restored in just over five seconds after detecting the user's return. This secures the machine before an attacker can gain physical access, but recovers full performance before a returning user resumes work. The invention provides laptop security without substantially impacting performance or requiring changes in user behavior.
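The presence-gated key handling described in the abstract can be sketched as follows. This is an added example, not code from the patent or its authors: the class and method names are hypothetical, the wireless link is modelled as a direct call without the link encryption the claims describe, and a toy SHA-256 keystream stands in for a real cipher.

```python
import hashlib, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode cipher (assumption, standard library only);
    # a real system would use an AEAD such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class Token:
    """Hypothetical worn token: releases the key only while in range."""
    def __init__(self, key: bytes):
        self._key, self.in_range = key, True
    def request_key(self) -> bytes:
        if not self.in_range:
            raise TimeoutError("no response from token")
        return self._key

class Laptop:
    def __init__(self, token: Token, disk: dict):
        self.token, self.disk = token, disk   # disk: name -> (nonce, ciphertext)
        self.cache, self.key = {}, None       # cache: name -> (nonce, bytes)

    def poll(self) -> None:
        """Presence check, as the authorization client would run it."""
        try:
            key = self.token.request_key()
        except TimeoutError:
            if self.key is not None:          # user left: re-encrypt cache, drop key
                self.cache = {n: (nc, keystream_xor(self.key, nc, pt))
                              for n, (nc, pt) in self.cache.items()}
                self.key = None
            return
        if self.key is None:                  # user returned: restore cached data
            self.cache = {n: (nc, keystream_xor(key, nc, ct))
                          for n, (nc, ct) in self.cache.items()}
        self.key = key

    def read(self, name: str) -> bytes:
        self.poll()
        if self.key is None:
            raise PermissionError("token not present")
        if name not in self.cache:            # fetch from disk and decrypt
            nonce, ct = self.disk[name]
            self.cache[name] = (nonce, keystream_xor(self.key, nonce, ct))
        return self.cache[name][1]

# Constructed sample: one file encrypted on "disk" under a random key.
KEY, NONCE = secrets.token_bytes(32), secrets.token_bytes(12)
DISK = {"notes.txt": (NONCE, keystream_xor(KEY, NONCE, b"quarterly numbers"))}
```

While the token is out of range the laptop holds neither the key nor any plaintext, so a memory or disk image taken in that window yields only ciphertext.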
20 Claims
1. A system to maintain data stored on a portable computer secure, the system comprising:
- an authorization client for use on the portable computer for making requests;
- a security device to be associated with an authorized user of the portable computer and including an authorization server for supplying responses to the requests;
- a communication subsystem for wirelessly communicating the requests and the responses to the server and the client, respectively, within a range; and
- a cryptographic subsystem for use on the portable computer for encrypting the data to obtain corresponding encrypted data when the security device is outside the range of the communication subsystem and for decrypting the encrypted data when the security device is back within the range.
12. A method to maintain data stored on a portable computer secure, the method comprising:
- providing an authorization client for use on the portable computer for making requests;
- providing a security device to be associated with an authorized user of the portable computer and including an authorization server for supplying responses to the requests;
- wirelessly communicating the requests and the responses to the server and the client, respectively, within a range;
- encrypting the data to obtain corresponding encrypted data when the security device is outside the range; and
- decrypting the encrypted data when the security device is back within the range.
15. An authorization token for use in a system to maintain data stored on a portable computer secure, the token comprising:
- an authorization server for supplying encrypted responses to encrypted requests; and
- a transceiver for receiving the requests and transmitting the responses to the portable computer.
Specification