Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption

US 20130046993A1
Filed: 10/12/2012
Published: 02/21/2013
Est. Priority Date: 01/22/2007
Status: Active Grant

First Claim

Patent Images

1. A portable encryption device with logon access controlled by an encryption key, comprising:

an enclosure for the device providing a portable form factor, anda cryptographic processor within the enclosure for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable encryption device with logon access controlled by an encryption key, with an on board cryptographic processor for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm, optionally shrouded with external secrets using an invertible transform resistant to quantum computing attacks. Another embodiment provides file decryption controlled by a file encryption key, with the on board cryptographic processor reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code. A method for encryption of a plaintext file by hashing, compressing, and encrypting the plaintext file, hashing the ciphertext, hashing the plaintext hash and the ciphertext hash, and sealing the ciphertext together with the resulting hash. A portable encryption device for performing the method is also disclosed.

35 Citations

View as Search Results

63 Claims

1. A portable encryption device with logon access controlled by an encryption key, comprising:
- an enclosure for the device providing a portable form factor, anda cryptographic processor within the enclosure for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The device of claim 1, where the secret sharing algorithm comprises a K out of N secret sharing mechanism.
  - 3. The device of claim 2, where the K out of N secret sharing mechanism comprises Shamir'"'"'s Secret-Sharing Algorithm.
  - 4. The device of claim 2, where the K out of N secret sharing mechanism comprises Lagrange interpolation.
  - 5. The device of claim 1, where one or more of the generated secrets have been shrouded with one or more external secrets using an invertible transform, such that any one of the external secrets may be changed without recreation or re-dealing of all of the plurality of generated secrets.
  - 6. The device of claim 5, where the invertible transform is XOR.
  - 7. The device of claim 5, where one or more of the external secrets comprise a user'"'"'s PIN.
  - 8. The device of claim 2.6, where the PIN is a supervisory user'"'"'s PIN.
  - 9. The device of claim 5, where the external secrets comprise a plurality of user'"'"'s PINs, and the transform is invertible with less than all of the plurality of user'"'"'s PINs.
  - 10. The device of claim 5, where one or more of the external secrets comprise a firmware hash.
  - 11. The device of claim 5, where one or more of the external secrets comprise a host authorization code associated with one or more specific host computing devices, binding the portable encryption device to such one or more host computing devices.
  - 12. The device of claim 5, where one or more of the external secrets is generated by a proximity detection mechanism.
  - 13. The device of claim 5, where one or more of the external secrets is a function of multivariate parameters.
  - 14. The device of claim 13, where the multivariate parameters are chosen from the group consisting of a geographic-locus and biometric input.
  - 15. The device of claim 1, further comprising means for communicating the external secrets over a secure channel with a secondary device.
  - 16. The device of claim 15, where the secondary device is a connected host computing device.
  - 17. The device of claim 15, where the secondary device is a remote device.
  - 18. The device of claim 1, where the encryption key is a master key encryption key.
  - 19. The device of claim 1, where the encryption key is an application key encryption key.
  - 20. The device of claim 1, further comprising means for interfacing with a user authentication device.
  - 21. The device of claim 20, where the authentication device comprises a secure PIN entry mechanism.
  - 22. The device of claim 20, where the authentication device comprises a secure biometric input.
  - 23. The device of claim 1, further comprising removable memory configured for data storage.
  - 24. The device of claim 1, further comprising a data communication module.
  - 25. The device of claim 1, where the cryptographic processor is a microprocessor programmed to execute cryptographic functions.
  - 26. The device of claim 1, further comprising a second cryptographic processor within the enclosure.

27. A method for controlling logon access on a portable encryption device having a portable form factor and a cryptographic processor, comprising:
- generating a plurality of secrets by a secret sharing algorithm,configuring the cryptographic processor to reconstitute an encryption key from the plurality of generated secrets, anddetermining logon access as a function of the reconstituted encryption key.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 28. The method of claim 27, where the secret sharing algorithm comprises a K out of N secret sharing mechanism.
  - 29. The method of claim 28, where the K out of N secret sharing mechanism comprises Shamir'"'"'s Secret-Sharing Algorithm.
  - 30. The method of claim 28, where the K out of N secret sharing mechanism comprises Lagrange interpolation.
  - 31. The method of claim 27, further comprising shrouding one or more of the generated secrets with one or more external secrets using an invertible transform, such that any one of the external secrets may be changed without regeneration or re-dealing of all of the plurality of secrets.
  - 32. The method of claim 31, where the invertible transform is XOR.
  - 33. The method of claim 31, where one or more of the external secrets comprise a user'"'"'s PIN.
  - 34. The method of claim 33, where the PIN is a supervisory user'"'"'s PIN.
  - 35. The method of claim 31, where the external secrets comprise a plurality of user'"'"'s PINs, and the transform is invertible with less than all of the plurality of user'"'"'s PINs.
  - 36. The method of claim 31, where one or more of the external secrets comprise a firmware hash.
  - 37. The method of claim 31, where one or more of the external secrets comprise a host authorization code associated with one or more specific host computing device, binding the portable encryption method to such one or more host computing devices.
  - 38. The method of claim 31, where one or more of the external secrets is generated by a proximity detection mechanism.
  - 39. The method of claim 31, where one or more of the external secrets is a function of multivariate parameters.
  - 40. The method of claim 39, where the multivariate parameters are chosen from the group consisting of a geographic-locus and biometric input.
  - 41. The method of claim 27, further comprising communicating the external secrets over a secure channel to a secondary device.
  - 42. The method of claim 41, where the secondary device is a host computing device.
  - 43. The method of claim 41, where the secondary device is a remote device.
  - 44. The method of claim 27, where the encryption key is a master key encryption key.
  - 45. The method of claim 27, where the encryption key is an application key encryption key.
  - 46. The method of claim 27, further comprising receiving input from a user authentication device.
  - 47. The method of claim 46, where the input is received over a secure channel.
  - 48. The method of claim 46, where the input comprises secure biometric data.

49. A portable encryption device with file decryption controlled by a file encryption key, comprising:
- an enclosure for the device providing a portable form factor, anda cryptographic processor within the enclosure for reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code.

50. A method for controlling file decryption with a portable encryption device having a portable form factor and a cryptographic processor, comprising:
- generating a network authorization code,distributing the network authorization code to a community of interest through an out-of-band distribution mechanism,shrouding a file encryption key with the network authorization code using an invertible transform,receiving the network authorization code from a user,causing the cryptographic processor to reconstitute the file encryption key from the received network authorization code, anddetermining file decryption as a function of the reconstituted file encryption key.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The method of claim 50, further comprising decrypting an encrypted file as a function of the reconstituted file encryption key.
  - 52. The method of claim 50, where the invertible transform is XOR.
  - 53. The method of claim 50, where the invertible transform is resistant to quantum computing attacks.
  - 54. The method of claim 50, further comprising encrypting the network authorization code and distributing the code to a recovery agent.

55. A method for file encryption of a plaintext file, comprising the steps of:
- hashing the plaintext file to produce a plaintext hash,compressing the plaintext file,encrypting the compressed plaintext file to create ciphertext,hashing the ciphertext to produce a ciphertext hash,hashing the plaintext hash and the ciphertext hash to produce a result hash, andsealing the ciphertext together with the result hash, to produce the encrypted file.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63)
- - 56. The method of claim 55, further comprising steps for communicating the encrypted file to originator-selected optional recipients.
  - 57. The method of claim 55, further comprising steps for an enforced mandatory recovery agent.
  - 58. The method of claim 55, further comprising steps for breaking the encryption of the encrypted file at a pre-determined date.
  - 59. The method of claim 55, the sealing step further comprising embedding forward error correction within the encrypted file.
  - 60. The method of claim 55, the plaintext file having metadata, further comprising the step of separately encrypting the metadata, and the sealing step comprising sealing the ciphertext together with the result hash and the encrypted metadata.
  - 61. The method of claim 60, further comprising steps for an independent key exchange mechanism to permit decrypting the metadata by catalog agent.
  - 62. The method of claim 55, further comprising use of a portable encryption device having a portable form factor and an on-board cryptographic processor to perform one or more of the steps.
  - 63. A portable encryption device for encryption of a plaintext file, comprising an enclosure for the device providing a portable form factor, and a cryptographic processor within the enclosure configured to perform the steps of claim 55.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spyrus, Inc.
Original Assignee
Spyrus, Inc.
Inventors
JUENEMAN, Robert R., LINSENBARDT, Duane J., YOUNG, John N., CARLISLE, William Reid, TREGUB, Burton George

Granted Patent

US 9,049,010 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/186
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/6218   to a system of files or obj...

G06F 21/72   in cryptographic circuits

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

63 Claims

Specification

Use Cases

Quick Links

Others

Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

63 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others