Protected volume on a data storage device with dual operating systems and configurable access and encryption controls

US 7,757,100 B2
Filed: 05/23/2008
Issued: 07/13/2010
Est. Priority Date: 12/30/1998
Status: Active Grant

First Claim

Patent Images

1. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, the method comprising the steps of:

providing, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;

monitoring operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;

storing, in the protected region, the monitored operating system data;

providing, in the protected region, a second operating system;

transferring control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;

storing data in the protected region; and

preventing access to the stored data in the protected region without access authorization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method provides a protected region of a data storage device associated with a computational device, where data in the protected region is primarily protected by preventing access without proper access authorization. The method comprises the steps of providing, in an unprotected region of the data storage device, a first operating system and associated operating system data; monitoring operating system data accessed by the computational device until a predetermined functionality becomes available; storing, in the protected region, the monitored operating system data; providing, in the protected region, a second operating system; transferring control of the computational device from the first operating system to the second operating system; storing data in the protected region; and preventing access to the stored data in the protected region without access authorization. In a further embodiment of the method, the second operating system optionally provides a second level of security by preventing decryption of data stored in the protected region without decryption authorization.

Citations

24 Claims

1. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without proper authorization, the method comprising the steps of:
- providing, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitoring operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  storing, in the protected region, the monitored operating system data;
  
  providing, in the protected region, a second operating system;
  
  transferring control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  storing data in the protected region; and
  
  preventing access to the stored data in the protected region without access authorization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the second operating system is different from the first operating system.
  - 3. The method of claim 1, wherein the second operating system prevents unauthorized access to data stored in the unprotected region of the data storage device.
  - 4. The method of claim 1, wherein the second operating system prevents decryption of data stored in the protected region without decryption authorization.
  - 5. The method of claim 1, wherein the step of transferring control of the computational device from the first operating to the second operating system comprises the steps of:
    - checking the operating system data stored in the unprotected region to determine whether the first operating system has been modified; and
      
      preventing unauthorized access to the data in the protected region if the first operating system data has been modified.
  - 6. The method of claim 5, wherein the step of checking operating system data comprises the steps of:
    - hashing operating system data to create a set of one or more hashes of the operating system data;
      
      comparing the set of one or more hashes of the operating system data to a set of one or more reference hashes previously stored in the protected region; and
      
      determining that the first operating system data has been modified if there is a difference in the comparison.
  - 7. The method of claim 6, wherein the set of one or more reference hashes is determined from hashing reference operating system data.
  - 8. The method of claim 6, wherein the set of one or more reference hashes is protected from undetected modification by authenticating one or more digital signatures.
  - 9. The method of claim 1, wherein the step of transferring control of the computational device from the first operating to the second operating system comprises:
    - authenticating a user identity using the first operating system, authenticating the user identity using the second operating system, or authenticating the user identity using both the first operating system and the second operating system.
  - 10. The method of claim 1, wherein the step of preventing access to data in the protected region without access authorization comprises the steps of:
    - receiving an identification of one or more volumes to be protected;
      
      receiving, for each identified volume to be protected, one or more data protection parameters;
      
      associating the one or more data protection parameters with the one or more identified volumes; and
      
      selectively providing access to protected data in the one or more identified volumes as a function of the authorization of a user and the data protection parameters.

11. A method for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be decrypted without authorization, the method comprising the steps of:
- providing, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitoring operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  storing, in the protected region, the monitored operating system data;
  
  providing, in the protected region, a second operating system;
  
  transferring control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  encrypting data to be protected to create encrypted data;
  
  storing the encrypted data in the protected region; and
  
  preventing decryption of the encrypted data in the protected region without decryption authorization.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the second operating system is different from the first operating system.
  - 13. The method of claim 11, wherein the second operating system prevents unauthorized access to data stored in the unprotected region.
  - 14. The method of claim 11, wherein the second operating system prevents access to encrypted data stored in the protected region without access authorization.
  - 15. The method of claim 11, wherein the step of transferring control of the computational device from the first operating to the second operating system comprising the steps of:
    - checking operating system data stored in the unprotected region to determine whether the first operating system has been modified; and
      
      prohibiting unauthorized decryption of the data in the protected region if the first operating system has been modified.
  - 16. The method of claim 15, wherein the step of checking operating system data comprises the steps of:
    - hashing operating system data to create a set of one or more hashes of the operating system data;
      
      comparing the set of one or more hashes of the operating system data to a set of one or more than one reference hash previously stored in the protected region; and
      
      determining that the first operating system data has been modified if there is a difference in the comparison.
  - 17. The method of claim 16, wherein the set of one or more than one reference hash is determined from hashing reference operating system data.
  - 18. The method of claim 16, wherein the set of one or more than one reference hash is protected from undetected modification by authenticating one or more digital signatures.
  - 19. The method of claim 11, the step of transferring control of the computational device from the first operating to the second operating system comprising the step of:
    - authenticating a user identity using the first operating system, authenticating the user identity using the second operating system, or authenticating the user identity using both the first operating system and the second operating system.
  - 20. The method of claim 11, the step of preventing decryption of data in the protected region without decryption authorization comprising the steps of:
    - receiving an identification of one or more volumes to be protected;
      
      receiving, for each identified volume to be protected, one or more data protection parameters;
      
      associating the one or more data protection parameters with the one or more identified volumes; and
      
      selectively providing decryption of data on the one or more identified volumes as a function of the authorization of a user and the data protection parameters.

21. An apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without authorization, the apparatus comprisinga memory,a computational device, andone or more computer-readable instructions stored in the memory, wherein, when said computer-readable instructions in the memory are accessed and executed by the computational device, the apparatus is operative to:
- provide, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitor operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  store, in the protected region, the monitored operating system data;
  
  provide, in the protected region, a second operating system;
  
  transfer control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  store data in the protected region; and
  
  prevent access to the stored data in the protected region without access authorization.

22. An apparatus for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be decrypted without authorization, the apparatus comprisinga memory,a computational device, andone or more computer-readable instructions stored in the memory,wherein, when said computer-readable instructions in the memory are accessed and executed by the computational device, the apparatus is operative to:
- provide, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitor operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  store, in the protected region, the monitored operating system data;
  
  provide, in the protected region, a second operating system;
  
  transfer control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  encrypt data to be protected to create encrypted data;
  
  store the encrypted data in the protected region; and
  
  prevent decryption of the encrypted data in the protected region without decryption authorization.

23. A non-transitory computer readable media for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be accessed without authorization, the computer readable media providing one or more computational device instructions to be stored in a memory, wherein, when said computational device instructions stored in the memory are accessed and executed by the computational device, the instructions are operative to:
- provide, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitor operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  store, in the protected region, the monitored operating system data;
  
  provide, in the protected region, a second operating system;
  
  transfer control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  store data in the protected region; and
  
  prevent access to the stored data in the protected region without access authorization.

24. A non-transitory computer readable media for providing a protected region of a data storage device associated with a computational device, the protected region being a region within which data cannot be decrypted without authorization, the computer readable media providing one or more computational device instructions to be stored in a memory, wherein, when said computational device instructions stored in the memory are accessed and executed by the computational device, the instructions are operative to:
- provide, in an unprotected region of the data storage device, a first operating system and operating system data associated with the first operating system;
  
  monitor operating system data accessed by the computational device until a predetermined functionality of the first operating system becomes available;
  
  store, in the protected region, the monitored operating system data;
  
  provide, in the protected region, a second operating system;
  
  transfer control of the computational device, when the predetermined functionality of the first operating system becomes available, from the first operating system to the second operating system;
  
  encrypt data to be protected to create encrypted data;
  
  store the encrypted data in the protected region; and
  
  prevent decryption of the encrypted data in the protected region without decryption authorization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SPEX Technologies, Inc.
Original Assignee
Spyrus, Inc.
Inventors
Guttman, Michael T., Zmuda, James E., Dalcher, Gregory W., Hoffmeier, Jay H., Tran, Hon, Weissman, Gregg D., Sutherland, Mark J.
Primary Examiner(s)
Chen; Shin-Hon

Application Number

US12/126,759
Publication Number

US 20080263371A1
Time in Patent Office

781 Days
Field of Search

713/2, 713/161, 713/189, 713/193, 709/213, 711/161, 711/162
US Class Current

713/193
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

Protected volume on a data storage device with dual operating systems and configurable access and encryption controls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Protected volume on a data storage device with dual operating systems and configurable access and encryption controls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links