Method and apparatus for in-line serial data encryption
Abstract
A method and apparatus for real-time in-line encryption of data transmitted over a serial channel from a source device to a target device. An encryption unit includes logic configured to receive data packets including headers with control information and data on the channel, which may be a fiber channel bus, serial ATA, serial SCSI, USB or the like. The encryption unit encrypts the data and passes the control information to the target device along with the encrypted data. The encryption unit may filter, convert or reject predetermined commands or types of information in the header to prevent covert channel transmissions. There may be one or multiple source devices, e.g. host computers, and one or multiple target devices, e.g. storage systems, configured in a variety of network topologies. The encryption unit also decrypts data and remaps control information transmitted from the target device(s) to the source device(s).
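The data path the abstract describes, written out as an added example (this is not the patent's own implementation, and nothing here is a real SATA, SCSI, Fibre Channel or USB encoding). It assumes a constructed command set and frame header, an allow list, an equivalence table for command translation, and a 4-round Feistel network over HMAC-SHA256 used as a tweakable block cipher in place of the AES-XTS a real unit would use, so that it runs on the standard library alone. The unit encrypts only the payload of write commands, leaves header fields in clear, substitutes equivalents for translatable commands, rejects anything with no equivalent, and on the return path decrypts read data and remaps the reply to the command the host actually issued.

```python
"""Simulated in-line serial encryption unit: host <-> unit <-> storage target."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed command set and policy tables (assumption: not real SATA/SCSI codes).
READ, WRITE, WRITE_EXT, TRIM, VENDOR_DBG = 0x20, 0x30, 0x34, 0x06, 0xF0
ALLOWED = {READ, WRITE, TRIM}       # forwarded as-is; the header is never encrypted
EQUIVALENT = {WRITE_EXT: WRITE}     # control translation: replaced by an equivalent
# Every other opcode has no equivalent and the whole frame is rejected (claims 13, 15).
SECTOR, BLOCK = 512, 64
HDR = struct.Struct(">BHQHI")       # opcode, tag, lba, sector count, payload length


@dataclass
class Frame:
    opcode: int
    tag: int            # exchange id chosen by the host; lets the unit remap replies
    lba: int
    nsect: int = 0
    payload: bytes = b""

    def header(self) -> bytes:      # the part that crosses the link in clear
        return HDR.pack(self.opcode, self.tag, self.lba, self.nsect, len(self.payload))


class PolicyViolation(Exception):
    pass


# Tweakable block cipher stand-in: 4-round Feistel with HMAC-SHA256 round functions,
# tweaked by (sector number, block index) as XTS is. Deterministic per location, so a
# later READ of the same LBA decrypts with no stored nonce. Illustrative only.
def _feistel(key: bytes, tweak: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:32], block[32:]
    for i in rounds:
        f = hmac.new(key, tweak + bytes([i]) + r, hashlib.sha256).digest()
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l    # final swap: decrypting is the same loop with the rounds reversed


def _transform(key: bytes, lba: int, data: bytes, rounds) -> bytes:
    if len(data) % SECTOR:
        raise ValueError("payload must be whole sectors")
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        tweak = struct.pack(">QB", lba + off // SECTOR, (off % SECTOR) // BLOCK)
        out += _feistel(key, tweak, data[off:off + BLOCK], rounds)
    return bytes(out)


def encrypt_data(key, lba, data): return _transform(key, lba, data, range(4))
def decrypt_data(key, lba, data): return _transform(key, lba, data, range(3, -1, -1))


class EncryptionUnit:
    def __init__(self, key: bytes):
        self.key, self.pending = key, {}   # pending: tag -> opcode the host really issued

    def host_to_target(self, f: Frame) -> Frame:
        if f.opcode in ALLOWED:
            op = f.opcode
        elif f.opcode in EQUIVALENT:
            op = EQUIVALENT[f.opcode]
        else:   # forwarding an unknown command and its payload would carry plaintext
            raise PolicyViolation(f"opcode 0x{f.opcode:02x} has no allowed equivalent")
        if f.payload and op != WRITE:   # only WRITE may carry host bytes past the encryptor
            raise PolicyViolation("payload on a non-write command")
        payload = encrypt_data(self.key, f.lba, f.payload) if op == WRITE else f.payload
        self.pending[f.tag] = f.opcode
        return Frame(op, f.tag, f.lba, f.nsect, payload)   # header fields stay in clear

    def target_to_host(self, f: Frame) -> Frame:
        original = self.pending.pop(f.tag, f.opcode)       # remap reply to the host's command
        payload = decrypt_data(self.key, f.lba, f.payload) if f.opcode == READ else f.payload
        return Frame(original, f.tag, f.lba, f.nsect, payload)


class Target:   # storage device: keeps whatever bytes arrive and never sees plaintext
    def __init__(self):
        self.disk = {}

    def handle(self, f: Frame) -> Frame:
        if f.opcode == WRITE:
            for s in range(f.nsect):
                self.disk[f.lba + s] = f.payload[s * SECTOR:(s + 1) * SECTOR]
        want = f.nsect if f.opcode == READ else 0          # WRITE/TRIM: ack only
        data = b"".join(self.disk.get(f.lba + s, bytes(SECTOR)) for s in range(want))
        return Frame(f.opcode, f.tag, f.lba, f.nsect, data)


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    unit, target = EncryptionUnit(key), Target()
    plain = bytes(range(256)) * 2                                  # one constructed sector
    wire = unit.host_to_target(Frame(WRITE_EXT, 1, 7, 1, plain))   # translated and encrypted
    ack = unit.target_to_host(target.handle(wire))
    rd = unit.target_to_host(target.handle(unit.host_to_target(Frame(READ, 2, 7, 1))))
    try:
        unit.host_to_target(Frame(VENDOR_DBG, 3, 0, 0, b"plaintext hidden in a debug frame"))
        blocked = False
    except PolicyViolation:
        blocked = True
    return {"plain": plain, "wire_header": wire.header(), "stored": target.disk[7],
            "ack_opcode": ack.opcode, "read_back": rd.payload, "debug_blocked": blocked}
```

`demo()` runs one write, one read and one rejected vendor command through the unit and returns what each side saw. Two points the abstract leaves implicit show up in the code: the unit has to remember which command the host actually sent (the `pending` table keyed by exchange tag) in order to remap the reply on the return path, and the header fields it leaves unencrypted (opcode, LBA, sector count) remain visible on the link, so the filter bounds what a host can encode in them but does not hide access patterns.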
24 Claims
1. An encryption system, including:
an input connection configured to receive, from a first device, serial, plain-text data and associated control information for a second device, said control information including at least one command directed to operation of the second device to store and retrieve data;
an output connection configured to connect to the second device;
an encrypt module configured (a) to encrypt the data, (b) to filter disallowed control information, and (c) to leave allowed control information unencrypted;
a transmit module configured to transmit the encrypted data and control information to the second device;
wherein the control information is disallowed or allowed based on at least some of the at least one command directed to operation of the second device to store and retrieve data.

6. An encryption system, including:
an input connection configured to receive, from a first device, bits of serial, plain text data and associated control information for a second device, said control information including at least one command directed to operation of the second device to store and retrieve data;
an output connection configured to connect to the second device;
an encrypt module configured (a) to encrypt the data bits, (b) to filter disallowed control information, and (c) to leave allowed control information unencrypted;
a control translation module configured to remove at least one command from the received control information and to replace the removed command with an equivalent command; and
a transmit module configured to transmit the encrypted data bits and the control information including the equivalent command to the second device;
wherein the control information is disallowed or allowed based on at least some of the at least one command directed to operation of the second device to store and retrieve data.

9. A method of encrypting data that is sent from a first device via a serial bus and directed to a second device, including the steps of:
receiving the data from the first device along with associated control information for the second device, said control information including a command directed to operation of the second device to store and retrieve data;
encrypting at least a portion of the data;
filtering disallowed control information; and
transmitting the encrypted data with allowed control information to the second device, where the allowed control information is transmitted in an unencrypted form;
wherein the control information is disallowed or allowed based on at least some of the at least one command directed to operation of the second device to store and retrieve data.

13. A method of encrypting data that is sent from a first device via a serial bus and directed to a second device, including the steps of:
receiving the data along with associated control information, said control information including a command directed to operation of the second device to store and retrieve data;
encrypting at least a portion of the data;
determining an equivalent command for at least one received command associated with the control information;
replacing the received command with the equivalent command;
transmitting the encrypted data with the associated control information including the equivalent command to the second device, where the associated control information is transmitted in an unencrypted form; and
rejecting data associated with a command for which no equivalent is determined.

14. A method of encrypting data that is sent from a first device via a serial bus and directed to a second device, including the steps of:
receiving the data along with associated control information, said control information including a command directed to operation of the second device to store and retrieve data;
encrypting at least a portion of the data;
determining an equivalent command for at least one received command associated with the control information;
replacing the received command with the equivalent command;
transmitting the encrypted data with the associated control information including the equivalent command to the second device, where the associated control information is transmitted in an unencrypted form; and
rejecting data associated with a command that is determined to be one of a predetermined set of disallowed commands.

15. A data transmission system, including:
a computer having a serial communications port;
a serial bus coupled to the serial communications port;
a recipient device coupled to the serial bus; and
an encryption unit connected in-line to the serial bus between the computer and the recipient device, the encryption unit including an encrypt module configured to receive data and associated control information transmitted from the computer via the serial bus and to encrypt the data, said control information including a command directed to operation of the recipient device to store and retrieve data; and a transmit unit configured to read and transmit the control information with the encrypted data to the recipient device; and the transmit unit is configured to block data associated with a command for which no predetermined equivalent command is located.