Providing a protected volume on a data storage device

US 7,380,140 B1
Filed: 03/21/2005
Issued: 05/27/2008
Est. Priority Date: 12/30/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the method comprising the steps of:

monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;

recording an identification of the operating system data accessed during the step of monitoring; and

establishing protected and unprotected regions of the data storage device, the step or establishing further comprising the steps of;

storing a copy of operating system data accessed during the step of monitoring in the unprotected region of the data storage device; and

storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the step of monitoring, and any other data to which it is desired to prevent access without proper authorization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention establishes a protected volume on a data storage device associated with a computational device by allowing an operating system of the computational device to boot up to a point (the volume conversion crossover point) at which predetermined functionality of the operating system becomes available, then establishing the protected volume. A copy of the operating system data (cleartext operating system data) that is accessed during boot up prior to the volume conversion crossover point (which can be known by monitoring and recording access to operating system data during boot-up) is stored in an unprotected region of the data storage device. A copy of the cleartext operating system data is also stored in the protected volume. After the protected volume is established, the computational device is reset, causing the operating system to boot up again. During each boot-up of the operating system after the protected volume has been established, the cleartext operating system data is used until the volume conversion crossover point, at which time operation of the computational device converts to a secure mode (if authorized) in which data stored on the data storage device can be accessed from the protected volume (including the copy of the cleartext operating system data that is stored in the protected volume).

Citations

48 Claims

1. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the method comprising the steps of:
- monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  recording an identification of the operating system data accessed during the step of monitoring; and
  
  establishing protected and unprotected regions of the data storage device, the step or establishing further comprising the steps of;
  
  storing a copy of operating system data accessed during the step of monitoring in the unprotected region of the data storage device; and
  
  storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the step of monitoring, and any other data to which it is desired to prevent access without proper authorization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as in claim 1, wherein the step of storing protected data in the protected region of the data storage device comprises storing all data stored on the data storage device, other than the copy of operating system data accessed during the step of monitoring that is stored in the unprotected region of the data storage device, in the protected region of the data storage device.
  - 3. A method as in claim 1, wherein the predetermined functionality comprises enablement of communication with the data storage device.
  - 4. A method as in claim 3, wherein the predetermined functionality comprises enablement of user interface functionality and enablement of token support functionality.
  - 5. A method as in claim 4, wherein the predetermined functionality comprises enablement of specification of one or more data protection parameters.
  - 6. A method as in claim 1, wherein the step of storing protected data in the protected region of the data storage device comprises encrypting data to be stored in the protected region.
  - 7. A method as in claim 1, wherein the step of storing protected data in the protected region of the data storage device is performed by the computational device.
  - 8. A method as in claim 1, wherein the step of storing protected data in the protected region of the data storage device is performed, in part, by a portable cryptographic token operably connected to the computational device to enable communication therewith.
  - 9. A method as in claim 1, wherein the data storage device comprises a removable data storage medium.

10. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the method comprising the steps of:
- maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  establishing protected and unprotected regions of the data storage device, the step of establishing further comprising the steps of;
  
  storing operating system data recorded during the step of maintaining in the unprotected region of the data storage device; and
  
  storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization; and
  
  further comprising the steps of, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device;
  
  until predetermined functionality of the operating system becomes available;
  
  allowing access to operating system data stored in the unprotected region; and
  
  preventing access to protected data stored in the protected region; and
  
  after predetermined functionality of the operating system becomes available;
  
  allowing restricted access to protected data stored in the protected region; and
  
  preventing access to operating system data stored in the unprotected region.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A method as in claim 10, further comprising the step of, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device, evaluating the operating system data stored in the unprotected region to determine whether unauthorized access to the operating system data stored in the unprotected region has occurred.
  - 12. A method as in claim 11, wherein the step of evaluating comprises the steps of:
    - computing a first set of one or more cryptographic hashes on data stored in the unprotected region;
      
      storing the result of the first set of one or more cryptographic hashes in the protected region;
      
      executing a reset of the computational device after the step of storing the result of the first set of one or more cryptographic hashes in the protected region;
      
      computing, after the step of executing a reset of the computational device, a second set of one or more cryptographic hashes on data stored in the unprotected region; and
      
      comparing the first and second sets of one or more cryptographic hashes.
  - 13. A method as in claim 12, wherein the steps of computing first and second sets of one or more cryptographic hashes each comprise:
    - computing a cryptographic hash on files stored in the unprotected region;
      
      computing a cryptographic hash on the boot sector, file allocation tables and root directory stored in the unprotected region; and
      
      computing a cryptographic hash on unused space in the unprotected region.
  - 14. A method as in claim 12, wherein the step of evaluating further comprises the steps of:
    - storing in the protected region, before the step of executing a reset of the computational device, a file image of the data for computing the first set of one or more cryptographic hashes; and
      
      comparing, after the step of executing a reset of the computational device, a file image of the data for computing the second set of one or more cryptographic hashes to the file image of the data for computing the first set of one or more cryptographic hashes.
  - 15. A method as in claim 11, further comprising the step of authenticating a user of the computational device prior to the step of evaluating.
  - 16. A method as in claim 15, wherein if unauthorized access to the operating system data stored in the unprotected region has occurred, the method further comprises the steps of:
    - determining whether the authenticated user is a system administrator; and
      
      if the authenticated user is not a system administrator, terminating operation of the computational device.

17. Apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the apparatus comprising:
- means for monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  means for recording an identification of the operating system data accessed during the monitoring; and
  
  means for establishing protected and unprotected regions of the data storage device, the means for establishing further comprising;
  
  means for storing a copy of operating system data accessed during the monitoring in the unprotected region of the data storage device; and
  
  means for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the monitoring, and any other data to which it is desired to prevent access without proper authorization.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. Apparatus as in claim 17, wherein the means for storing protected data in the protected region of the data storage device comprises means for storing all data stored on the data storage device, other than the copy of operating system data accessed during the monitoring that is stored in the unprotected region of the data storage device, in the protected region of the data storage device.
  - 19. Apparatus as in claim 17, wherein the predetermined functionality comprises enablement of communication with the data storage device.
  - 20. Apparatus as in claim 19, wherein the predetermined functionality comprises enablement of user interface functionality and enablement of token support functionality.
  - 21. Apparatus as in claim 20, wherein the predetermined functionality comprises enablement of specification of one or more data protection parameters.
  - 22. Apparatus as in claim 17, wherein the means for storing protected data in the protected region of the data storage device comprises means for encrypting data to be stored in the protected region.
  - 23. Apparatus as in claim 17, wherein the means for storing protected data in the protected region of the data storage device comprises the computational device.
  - 24. Apparatus as in claim 17, wherein the means for storing protected data in the protected region of the data storage device comprises a portable cryptographic token operably connected to the computational device to enable communication therewith.
  - 25. Apparatus as in claim 17, wherein the data storage device comprises a removable data storage medium.

26. A computer readable medium or media encoded with one or more computer programs and/or data structures for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the one or more computer programs and/or data structures comprising:
- instructions and/or data for monitoring access to operating system data by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  instructions and/or data for recording an identification of the operating system data accessed during the monitoring; and
  
  instructions and/or data for establishing protected and unprotected regions of the data storage device, the instructions and/or data for establishing further comprising;
  
  instructions and/or data for storing a copy of operating system data accessed during the monitoring in the unprotected region of the data storage device; and
  
  instructions and/or data for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data, including a copy of operating system data accessed during the monitoring, and any other data to which it is desired to prevent access without proper authorization.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. A computer readable medium or media as in claim 26, wherein the instructions and/or data for storing protected data in the protected region of the data storage device comprise instructions and/or data for storing all data stored on the data storage device, other than the copy of operating system data accessed during the monitoring that is stored in the unprotected region of the data storage device, in the protected region of the data storage device.
  - 28. A computer readable medium or media as in claim 26 wherein the predetermined functionality comprises enablement of communication with the data storage device.
  - 29. A computer readable medium or media as in claim 28, wherein the predetermined functionality comprises enablement of user interface functionality and enablement of token support functionality.
  - 30. A computer readable medium or media as in claim 29, wherein the predetermined functionality comprises enablement of specification of one or more data protection parameters.
  - 31. A computer readable medium or media as in claim 26, wherein the instructions and/or data for storing protected data in the protected region of the data storage device comprise instructions and/or data for encrypting data to be stored in the protected region.
  - 32. A computer readable medium or media as in claim 26, wherein the instructions and/or data for storing protected data in the protected region of the data storage device are executed and/or used by the computational device.
  - 33. A computer readable medium or media as in claim 26, wherein the instructions and/or data for storing protected data in the protected region of the data storage device are executed and/or used, in part, by a portable cryptographic token operably connected to the computational device to enable communication therewith.
  - 34. A computer readable medium or media as in claim 26, wherein the data storage device comprises a removable data storage medium.

35. Apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the apparatus comprising:
- means for maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  means for establishing protected and unprotected regions of the data storage device, the means for establishing further comprising;
  
  means for storing operating system data recorded by the means for maintaining in the unprotected region of the data storage device; and
  
  means for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization;
  
  means for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and until predetermined functionality of the operating system becomes available, allowing access to operating system data stored in the unprotected region and preventing access to protected data stored in the protected region; and
  
  means for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and after predetermined functionality of the operating system becomes available, allowing restricted access to protected data stored in the protected region and preventing access to operating system data stored in the unprotected region.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. Apparatus as in claim 35, further comprising means for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device, evaluating the operating system data stored in the unprotected region to determine whether unauthorized access to the operating system data stored in the unprotected region has occurred.
  - 37. Apparatus as in claim 36, wherein the means for evaluating comprises:
    - means for computing a first set of one or more cryptographic hashes on data stored in the unprotected region;
      
      means for storing the result of the first set of one or more cryptographic hashes in the protected region;
      
      means for executing a reset of the computational device after storage of the result of the first set of one or more cryptographic hashes in the protected region;
      
      means for computing, after execution of a reset of the computational device, a second set of one or more cryptographic hashes on data stored in the unprotected region; and
      
      means for comparing the first and second sets of one or more cryptographic hashes.
  - 38. Apparatus as in claim 37, wherein the means for computing a first set of one or more cryptographic hashes and the means for computing a second set of one or more cryptographic hashes each comprise:
    - means for computing a cryptographic hash on files stored in the unprotected region;
      
      means for computing a cryptographic hash on the boot sector, file allocation tables and root directory stored in the unprotected region; and
      
      means for computing a cryptographic hash on unused space in the unprotected region.
  - 39. Apparatus as in claim 37, wherein the means for evaluating further comprises:
    - means for storing in the protected region, before execution of a reset of the computational device, a file image of the data for computing the first set of one or more cryptographic hashes; and
      
      means for comparing, after execution of a reset of the computational device, a file image of the data for computing the second set of one or more cryptographic hashes to the file image of the data for computing the first set of one or more cryptographic hashes.
  - 40. Apparatus as in claim 36, further comprising means for authenticating a user of the computational device prior to evaluating the operating system data stored in the unprotected region to determine whether unauthorized access to the operating system data stored in the unprotected region has occurred.
  - 41. Apparatus as in claim 40, further comprising:
    - means for, if unauthorized access to the operating system data stored in the unprotected region has occurred, determining whether the authenticated user is a system administrator; and
      
      means for, if the authenticated user is not a system administrator, terminating operation of the computational device.

42. A computer readable medium or media encoded with one or more computer programs and/or data structures for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, operating system data representing the operating system of the computational device being stored on the data storage device, the one or more computer programs and/or data structures comprising:
- instructions and/or data for maintaining a record of operating system data accessed by the computational device after a reset of the computational device and until predetermined functionality of the operating system becomes available;
  
  instructions and/or data for establishing protected and unprotected regions of the data storage device, the instructions and/or data for establishing further comprising;
  
  instructions and/or data for storing operating system data recorded by the instructions and/or data for maintaining in the unprotected region of the data storage device; and
  
  instructions and/or data for storing protected data in the protected region of the data storage device, wherein the protected data comprises the operating system data and any other data to which it is desired to prevent access without proper authorization;
  
  instructions and/or data for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and until predetermined functionality of the operating system becomes available, allowing access to operating system data stored in the unprotected region and preventing access to protected data stored in the protected region; and
  
  instructions and/or data for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device and after predetermined functionality of the operating system becomes available, allowing restricted access to protected data stored in the protected region and preventing access to operating system data stored in the unprotected region.
- View Dependent Claims (43, 44, 45, 46, 47, 48)
- - 43. A computer readable medium or media as in claim 42, further comprising instructions and/or data for, subsequent to a reset of the computational device after establishment of the protected and unprotected regions of the data storage device, evaluating the operating system data stored in the unprotected region to determine whether unauthorized access to the operating system data stored in the unprotected region has occurred.
  - 44. A computer readable medium or media as in claim 43, wherein the instructions and/or data for evaluating comprise:
    - instructions and/or data for computing a first set of one or more cryptographic hashes on data stored in the unprotected region;
      
      instructions and/or data for storing the result of the first set of one or more cryptographic hashes in the protected region;
      
      instructions and/or data for executing a reset of the computational device after storage of the result of the first set of one or more cryptographic hashes in the protected region;
      
      instructions and/or data for computing, after execution of a reset of the computational device, a second set of one or more cryptographic hashes on data stored in the unprotected region; and
      
      instructions and/or data for comparing the first and second sets of one or more cryptographic hashes.
  - 45. A computer readable medium or media as in claim 44, wherein the instructions and/or data for computing a first set of one or more cryptographic hashes and the instructions and/or data for computing a second set of one or more cryptographic hashes each comprise:
    - instructions and/or data for computing a cryptographic hash on files stored in the unprotected region;
      
      instructions and/or data for computing a cryptographic hash on the boot sector, file allocation tables and root directory stored in the unprotected region; and
      
      instructions and/or data for computing a cryptographic hash on unused space in the unprotected region.
  - 46. A computer readable medium or media as in claim 44, wherein the instructions and/or data for evaluating further comprise:
    - instructions and/or data for storing in the protected region, before execution of a reset of the computational device, a file image of the data for computing the first set of one or more cryptographic hashes; and
      
      instructions and/or data for comparing, after execution of a reset of the computational device, a file image of the data for computing the second set of one or more cryptographic hashes to the file image of the data for computing the first set of one or more cryptographic hashes.
  - 47. A computer readable medium or media as in claim 43, further comprising instructions and/or data for authenticating a user of the computational device prior to evaluating the operating system data stored in the unprotected region to determine whether unauthorized access to the operating system data stored in the unprotected region has occurred.
  - 48. A computer readable medium or media as in claim 47, further comprising:
    - instructions and/or data for, if unauthorized access to the operating system data stored in the unprotected region has occurred, determining whether the authenticated user is a system administrator; and
      
      instructions and/or data for, if the authenticated user is not a system administrator, terminating operation of the computational device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SPEX Technologies, Inc.
Original Assignee
Spyrus, Inc.
Inventors
Guttman, Michael T., Sutherland, Mark J., Zmuda, James E., Dalcher, Gregory W., Hoffmeier, Jay H., Tran, Hon, Weissman, Gregg D.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US11/085,777
Time in Patent Office

1,163 Days
Field of Search

713/193, 713/2, 713/161, 713/189, 711/162, 711/161, 709/213
US Class Current

713/193
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

Providing a protected volume on a data storage device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Providing a protected volume on a data storage device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links