Transparent encryption and access control for mass-storage devices

US 20050246778A1
Filed: 04/22/2005
Published: 11/03/2005
Est. Priority Date: 04/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method of securing data on a mass storage device, the method comprising:

obtaining permission for a specified access by a current user to a mass storage device, said mass storage device having one or more blocks of data of a known size stored thereon, each block of data being encrypted with a symmetric cipher that preserves the size of the block;

if permission is obtained, obtaining the encrypted key of the symmetric cipher used for encrypting the blocks on the mass storage device;

obtaining the private key or pass phrase for decrypting the encrypted key of the symmetric cipher;

decrypting the encrypted key using the private key or pass phrase to obtain the key for the symmetric cipher; and

performing a block operation on the mass storage device with the symmetric cipher.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securing data on a mass storage device. A centralized device permission store contains device identifiers for the mass storage devices to be secured along with keys of a symmetric cipher that have been encrypted with public keys or pass phrases of authorized users of the devices. A list of these users also contained in the store. A helper module provides the private key or pass phrase, for imported keys, needed to decrypt the key of the symmetric cipher, which is used to encrypt and decrypt blocks of data stored on the mass storage device. When a read request is made, a protection module intercepts the request, obtains the block from the mass storage device and decrypts the block. When a write request is made, the protection module intercepts the request, encrypts the block and has it stored on the mass storage device.

Citations

14 Claims

1. A method of securing data on a mass storage device, the method comprising:
- obtaining permission for a specified access by a current user to a mass storage device, said mass storage device having one or more blocks of data of a known size stored thereon, each block of data being encrypted with a symmetric cipher that preserves the size of the block;
  
  if permission is obtained, obtaining the encrypted key of the symmetric cipher used for encrypting the blocks on the mass storage device;
  
  obtaining the private key or pass phrase for decrypting the encrypted key of the symmetric cipher;
  
  decrypting the encrypted key using the private key or pass phrase to obtain the key for the symmetric cipher; and
  
  performing a block operation on the mass storage device with the symmetric cipher.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method of securing data on a mass storage device as recited in claim 1, wherein the mass storage device includes a bootstrap block that stores a device id;
    - and wherein the step of obtaining permission for a specified access by a current user to a mass storage device includes reading the bootstrap block in the mass storage device to obtain the device id;
      
      determining whether the read bootstrap block contains a valid device id;
      
      if valid, retrieving protection information based on the device id, wherein the protection information includes a list of authorized users based on the device id; and
      
      obtaining a list of authorized users of the device based on the device id; and
      
      verifying that a current user is on the list of authorized users and obtaining from the list the scope of the authorization for the current user.
  - 3. A method of securing data on a mass storage device as recited in claim 2, wherein the protection information is stored in a centralized permission store.
  - 4. A method of securing data on a mass storage device as recited in claim 1, wherein the step of obtaining permission includes obtaining third party media permission.
  - 5. A method of securing data on a mass storage device as recited in claim 1, wherein a centralized permission store stores the encrypted key for the current user;
    - and wherein the step of obtaining the encrypted key includes accessing the centralized permission store for the encrypted key.
  - 6. A method of securing data on a mass storage device as recited in claim 1, wherein the bootstrap block of the device stores the encrypted key for the current user;
    - and wherein the step of obtaining the encrypted key includes accessing the bootstrap block for the encrypted key.
  - 7. A method of securing data on a mass storage device as recited in claim 1, wherein a file stores the encrypted key for the current user;
    - and wherein the step of obtaining the encrypted key includes accessing the file for the encrypted key.
  - 8. A method of securing data on a mass storage device as recited in claim 1, wherein the encrypted key is stored in a centralized permission store, if the encrypted key is encrypted with a public key, or is stored in a user-supplied file or the bootstrap block of the device, if the encrypted key is imported;
    - wherein the step of obtaining the private key or pass phrase for decrypting the encrypted key of the symmetric cipher includes, retrieving the private key from the centralized permission store, if the key is encrypted with a public key, and retrieving the pass phrase from the current user, if the key is imported.
  - 9. A method of securing data on a mass storage device as recited in claim 1, wherein the step of decrypting the encrypted key using the private key or pass phrase includes using the private key to decrypt the encrypted key, if the key is publicly encrypted, and using a user-supplied pass phrase to decrypted the encrypted key, if the key is imported.
  - 10. A method of securing data on a mass storage device as recited in claim 1, wherein performing a block operation on the mass storage device with the symmetric cipher includes reading an encrypted block from the mass storage device, and decrypting the read block using the key of the symmetric cipher.
  - 11. A method of securing data on a mass storage device as recited in claim 1, wherein performing a block operation on the mass storage device with the symmetric cipher using includes encrypting a block to be written on the mass storage device using the key of the symmetric cipher, and writing the encrypted block on the mass storage device.
  - 12. A method of securing data on a mass storage device as recited in claim 1, wherein the symmetric cipher is a block cipher.
  - 13. A method of securing data on a mass storage device as recited in claim 1, wherein the symmetric cipher is an AES cipher.

14. A system for securing data on a mass storage device, the system comprising:
- a centralized device permission store for storing device identifiers and publicly encrypted keys of a symmetric cipher associated with devices identified by the identifiers, for storing a list of users authorized to use a device identified by an identifier;
  
  an authorization agent in operative communication with the centralized device permission store, configured to initialize new devices and register them with the device permission store, to generate device identifiers and publicly encrypted keys of a symmetric cipher, and to view and modify lists of users authorized to use protected devices;
  
  a helper module for obtaining a private key of an authorized user, the private key for use in decrypting the publicly encrypted key of a symmetric cipher, for obtaining a user pass phrase for use in decrypting an imported encrypted key of a symmetric cipher, and for importing an encrypted key of a symmetric cipher, if it is supplied as a file; and
  
  a protection module in operative communication with the centralized device permission store and the helper module, for intercepting a block to be written to a mass storage device to encrypt the block using a symmetric cipher and for intercepting a block read from the mass storage device to decrypt the block using a symmetric cipher, said symmetric cipher preserving the size of data blocks on the mass storage device

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
Lumension Security, Inc. (Ivanti Software, Inc.)
Inventors
Kolishchak, Andrey, Usov, Viacheslav

Granted Patent

US 7,849,514 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/80   in storage media based on m...

G06F 2221/2107   File encryption

H04L 9/0822   using key encryption key

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

Transparent encryption and access control for mass-storage devices

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent encryption and access control for mass-storage devices

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links