
Inline storage protection and key devices

  • US 20080052539A1
  • Filed: 07/26/2007
  • Published: 02/28/2008
  • Est. Priority Date: 07/29/2006
  • Status: Abandoned Application
First Claim

1. In a computing environment containing at least (a1) one or a plurality of storage devices, possibly varying in number and type over time, which may be storage devices controlled by the user of the computing environment or storage devices provided by other parties, and (a2) one or a plurality of usage devices, possibly varying in number and type over time, in which (a3) storage devices and usage devices may be configured in possibly complex and time-variant topologies over one or a plurality of data links, a pair of two devices, one of which is termed an inline storage protection device key and the other of which is termed an inline storage protection device, such that (b1) for every inline storage protection device there is exactly one inline storage protection device key, and (b2) the inline storage protection device key is physically distinct from the inline storage protection device, and where the inline storage protection device key is furnished with physical components including at least (c1) a communications port for communications with the associated inline storage protection device, (c2) sufficient computational capacity and data storage, and appropriate programming, to accomplish cryptographically secured authentication between itself and the associated inline storage protection device, using any appropriate cryptographic authentication technique in the art, (c3) optionally, an external communications and data port over which the programming and cryptographic authentication keys for the inline storage protection device key may be dynamically supplied during use,

where in operation the inline storage protection device is generally disabled for operation unless specifically enabled by the inline storage protection device key for operation, in such a way that (d1) upon physical presentation by a user to the inline storage protection device, the inline storage protection device key authenticates itself to the inline storage protection device and either through the fact of this authentication or through an explicit message then communicated causes the inline storage protection device to change its state from disabled to enabled, or from enabled to disabled, and (d2) after use with the inline storage protection device the inline storage protection device key must be removed from proximity of and communication with the inline storage protection device,

and where the inline storage protection device is furnished with at least the following physical components (e1) one or a plurality of communications and data connections, termed upstream ports, to one or a plurality of usage devices, (e2) one or a plurality of communications and data connections, termed downstream ports, to a single storage device, which however may be a composite storage device consisting of many storage devices presenting a unified exterior appearance as a single storage device, as is common in the art, (e3) a communications port for communications with the associated inline storage protection device key, (e4) optionally, a single data and communications connection, termed a control port, over which connections to an external service, termed a control facility, may be established, (e5) optionally, a two-position switch the position of which determines operation in read-only mode or in read-write mode as the terms are commonly understood in the art, (e6) optionally for any upstream port, a similar switch, and also is furnished with at least (f1) computational capacity and appropriate programming to implement the encryption of a storage device, using any appropriate cryptographic technique in the art, (f2) computational capacity and appropriate hardware and appropriate programming to implement all necessary protocols for communication and data exchange with usage devices and storage devices, (f2) computational capacity and data storage, and appropriate programming, to accomplish cryptographically secured authentication between itself and the associated inline storage protection device key, using any appropriate cryptographic authentication technique in the art, (f3) computational capacity and appropriate hardware and appropriate programming to implement all necessary protocols over its control port, if that control port is present, (f4) storage capacity sufficient to contain one or more cryptographic keys used to encrypt a storage device, (f5) storage capacity sufficient to contain cryptographic hashes of all data required for encrypting a storage device, (f6) computational capacity and appropriate programming to implement usage policy and auditing of data on a storage device, (f7) storage capacity sufficient to maintain such local auditing records as necessary, and optionally also furnished with other hardware including without limit any or all of (g1) a real-time clock, or (g2) a hardware random number generator, or (g3) other computational capacity as appropriate including capacity for self-monitoring and diagnostic service,

which may be deployed such that (h1) the inline storage protection device may be attached via one or a plurality of data and communications media, each generally termed a data link, to any usage device or via data links to any plurality of usage devices, and (h2) the inline storage protection device may be attached via one or a plurality of data and communications media, each generally termed a data link, but not necessarily of the same type as those identified in (h1) above, to a single storage device, which however may be a composite storage device consisting of many storage devices presenting a unified exterior appearance as a single storage device, as is common in the art, (h3) but notwithstanding this, all data links from a particular storage device must initially pass through a single inline storage protection device, and (h4) each inline storage protection device optionally may have a separate communications and data link to an externally maintained service termed a control facility, and (h5) a plurality of inline storage protection devices may be present in series on a data link or plurality of data links,

where the inline storage protection device performs cryptographically secured read and write operations on the storage device attached to it subject to a protocol such that (i0) for read operations the following steps are taken, (i1) the inline storage protection device reads a data element of encrypted data from the storage device, (i2) optionally, the inline storage protection device computes an appropriate cryptographic hash of this data element of encrypted data, but if this step is omitted, then step (i4) must occur, (i3) using appropriate cryptographic methods, as common in the art, the inline storage protection device decrypts this data element, (i4) optionally, the inline storage protection device computes an appropriate cryptographic hash of this data element of plaintext data, but if this step is omitted, then step (i2) must have occurred, (i5) the inline storage protection device compares either or both of the cryptographic hashes generated in step (i2) or step (i4) against the appropriate cryptographic hash of this ciphertext or plaintext data, as stored previously when the data was written, (i6) if the comparison or comparisons of step (i5) match, then the inline storage protection device delivers the data on the data link, but (i7) if either or both of the comparisons of step (i5) do not match, then the inline storage protection device does not deliver the data,

(j0) and for write operations on new data elements the following steps are taken, (j1) optionally, the inline storage protection device computes a cryptographic hash of the plaintext data element and stores this value, but if this step is omitted, then step (j3) must occur, (j2) using appropriate cryptographic methods, as common in the art, the inline storage protection device encrypts this data element, (j3) optionally, the inline storage protection device computes an appropriate cryptographic hash of this data element of ciphertext data and stores this value, but if this step is omitted, then step (j1) must have occurred, (j4) the inline storage protection device writes the data element to the storage device,

(k0) for write operations on existing data elements the following is done, (k1) the inline storage protection device first executes a read operation as described at (i0) through (i7) in this claim, and (k2) if this read operation executes without error, then the write proceeds as described in the write operation at (j0) through (j4) in this claim, (k3) otherwise the write fails,

wherein the improvement comprises the enforcement by the inline storage protection device of policy for data use or attempted data use, and of auditing of data use or of attempted data use, at the point at which the data is cryptographically protected, such that on each attempted read operation, after the data have been decrypted but before they are presented externally to the inline storage protection device, and on each attempted write operation, before the data have been encrypted for presentation to the storage device, (l1) the inline storage protection device applies a policy determined by one or more computer programs contained within it and all inputs available to these programs to determine whether it will satisfy the read or write request or refuse to satisfy it, (l2) the inline storage protection device may or may not choose to generate auditing data to record the operation, as determined by one or more computer programs contained within it and all input available to these programs, such that (l3) the auditing data thus gathered may be recorded on the inline storage protection device itself, and also (l4) if a control port is available on the inline storage protection device, the auditing data thus gathered may be delivered through it to the external control facility, and also (l5) if a control port is available on the inline storage protection device, the auditing data thus gathered may be delivered through it to a third party as desired, and at all times (l6) if the inline storage protection device contains a control port, the policy and auditing computer programs may be updated by the control facility over that port,

whereby (m1) the inline storage protection device secures data in a manner employing not simply encryption but also cryptographic hashing, allowing detection of certain types of attacks on the data, and (m2) the inline storage protection device cryptographically secures data in a conceptually uniform manner over a broader range of storage devices than the prior art, and (m3) the inline storage protection device may be more securely and in an operationally advantageous manner enabled and disabled for operation, and (m4) through the application of policy decisions at the point of cryptographic data protection the inline storage protection device protects data not only against external attackers but also against deliberate or accidental misuse or misappropriation by otherwise legitimate users, and (m5) through the application of auditing recording at the point of cryptographic data protection and also the optional transmission of audit records to a control facility and also the optional transmission of audit records to third party auditors, the inline storage protection device allows detection of and reaction to improper use of data as such use is occurring, and (m6) through the application of auditing recording at the point of cryptographic data protection, the inline storage protection device allows forensic analysis of improper use of data.
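The read, write and rewrite protocol of steps (i0) through (k3), the key-enabled state change of (d1) and (d2), and the policy and audit hooks of (l1) through (l3), modelled as an added Python example. This is illustrative code written for this page, not an implementation from the application. It assumes a dictionary as a stand-in for the downstream storage device, SHA-256 as the "appropriate cryptographic hash", an HMAC-SHA256 counter-mode keystream with a fresh per-write nonce as a stand-in for the device's encryption (a real device would use a standard cipher such as AES), and HMAC challenge-response as the key authentication technique; the class and function names, element ids, secrets and the sample policy are all constructed. The example performs both hash checks, (i2) and (i4), where the claim requires at least one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable

NONCE_LEN = 16
sha256 = lambda data: hashlib.sha256(data).digest()  # the claim's "appropriate cryptographic hash"
class IntegrityError(Exception): """A stored hash did not match, so data is not delivered (i7)."""
class PolicyError(Exception): """The device's policy program refused the request (l1)."""

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with HMAC-SHA256(key, nonce || counter); fresh nonce per write."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class KeyDevice:
    """The physically distinct key (b2); answers its device's authentication challenge (c2)."""
    secret: bytes
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

@dataclass
class InlineStorageProtectionDevice:
    data_key: bytes                                # f4: key encrypting the storage device
    auth_secret: bytes                             # shared with exactly one KeyDevice (b1)
    policy: Callable[[str, str, bytes], bool]      # l1: (operation, element id, plaintext) -> allow?
    storage: dict = field(default_factory=dict)    # constructed stand-in for the downstream storage device (e2)
    ct_hashes: dict = field(default_factory=dict)  # f5: hashes of stored ciphertext (j3), kept on the device
    pt_hashes: dict = field(default_factory=dict)  # f5: hashes of plaintext (j1), kept on the device
    audit: list = field(default_factory=list)      # f7: local auditing records (l3)
    enabled: bool = False                          # disabled until a key enables it (d1)

    def present_key(self, key_device: KeyDevice) -> bool:
        """d1: authenticate the presented key by challenge-response, then flip enabled/disabled."""
        challenge = os.urandom(NONCE_LEN)
        expected = hmac.new(self.auth_secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, key_device.respond(challenge)):
            return False
        self.enabled = not self.enabled
        self.audit.append("device enabled by key" if self.enabled else "device disabled by key")
        return True

    def read(self, element_id: str) -> bytes:
        """Steps i1 to i7, with the l1 policy check after decryption and before delivery."""
        if not self.enabled: raise PermissionError("no key has enabled the device")
        record = self.storage[element_id]                                                # i1
        if not hmac.compare_digest(sha256(record), self.ct_hashes[element_id]):          # i2, i5
            self.audit.append(f"read {element_id}: ciphertext hash mismatch")
            raise IntegrityError(element_id)                                             # i7
        plaintext = keystream_xor(self.data_key, record[:NONCE_LEN], record[NONCE_LEN:])  # i3
        if not hmac.compare_digest(sha256(plaintext), self.pt_hashes[element_id]):       # i4, i5
            self.audit.append(f"read {element_id}: plaintext hash mismatch")
            raise IntegrityError(element_id)
        if not self.policy("read", element_id, plaintext):                               # l1
            self.audit.append(f"read {element_id}: refused by policy")
            raise PolicyError(element_id)
        self.audit.append(f"read {element_id}: delivered")                               # l2
        return plaintext                                                                 # i6

    def write(self, element_id: str, plaintext: bytes) -> None:
        """Steps j1 to j4 for new elements; k1 to k3 (verify first) for existing ones."""
        if not self.enabled: raise PermissionError("no key has enabled the device")
        if element_id in self.storage:
            self.read(element_id)  # k1; an IntegrityError or PolicyError here fails the write (k3)
        if not self.policy("write", element_id, plaintext):                              # l1, before encryption
            self.audit.append(f"write {element_id}: refused by policy")
            raise PolicyError(element_id)
        nonce = os.urandom(NONCE_LEN)
        record = nonce + keystream_xor(self.data_key, nonce, plaintext)                  # j2
        self.pt_hashes[element_id] = sha256(plaintext)                                   # j1
        self.ct_hashes[element_id] = sha256(record)                                      # j3
        self.storage[element_id] = record                                                # j4
        self.audit.append(f"write {element_id}: stored")                                 # l2

def demo() -> dict:
    # Constructed walk-through; the sample policy forbids every read of the 'payroll' element.
    policy = lambda op, element_id, plaintext: not (op == "read" and element_id == "payroll")
    device = InlineStorageProtectionDevice(os.urandom(32), b"constructed-shared-secret", policy)
    key = KeyDevice(b"constructed-shared-secret")
    results = {"enabled": device.present_key(key)}
    device.write("notes", b"quarterly plan")
    results["roundtrip"] = device.read("notes")
    stored = device.storage["notes"]  # simulate tampering on the storage device: flip one bit
    device.storage["notes"] = stored[:-1] + bytes([stored[-1] ^ 0x01])
    for label, op in (("tamper", lambda: device.read("notes")),
                      ("rewrite", lambda: device.write("notes", b"replacement")),  # k1 fails -> k3
                      ("payroll_write", lambda: device.write("payroll", b"salaries")),
                      ("payroll_read", lambda: device.read("payroll"))):
        try:
            op()
            results[label] = "allowed"
        except (IntegrityError, PolicyError) as err:
            results[label] = type(err).__name__
    results["disabled"] = device.present_key(key) and not device.enabled  # d2: key presented again
    results["audit_lines"] = len(device.audit)
    return results
```

Running `demo()` shows the three behaviours the claim's (m1), (m4) and (m5) describe: a bit flipped on the storage device is caught by the ciphertext hash and never delivered, a rewrite of that tampered element fails at (k1) instead of silently overwriting evidence, and the policy refusal of the `payroll` read happens after decryption but before the data leaves the device. The hashes are held on the device (f5), not beside the data on the storage device, which is what lets tampering of the storage device be detected; comparisons use `hmac.compare_digest` so the check itself does not leak timing.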

  • 0 Assignments