Method and system for securely identifying computer storage devices
First Claim
Patent Images
1. A method for securely controlling access to a device that is capable of storing data, the method comprising:
- obtaining, by a computing device, information related to the device, the information including at least;
parameters P associated with the device,a time variable Time,a name N representing an ascription, anda unique identification value I;
encrypting by a computing device, a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1;
encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of signature S1;
combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identification parameter and storing the identification parameter on the device;
controlling, by a computing device, access to the device by;
extracting identification information from the device,checking the validity of the digital certificate of the device; and
applying a security policy that is based at least in part on the unique identification.
3 Assignments
0 Petitions
Accused Products
Abstract
In a private network setting in which various computers can be attached, the confidential or sensitive data within the various devices on the private network is vulnerable. The ability to copy such confidential or sensitive data to a storage device communicatively coupled to a client computer on the network is governed and controlled. Only devices that include an authentic stamp or digital certificate can be accessed by client computers. If a device does not have a valid stamp or the stamp has been black listed, then the access to the device can be prevented or greatly limited.
16 Citations
31 Claims
-
1. A method for securely controlling access to a device that is capable of storing data, the method comprising:
-
obtaining, by a computing device, information related to the device, the information including at least; parameters P associated with the device, a time variable Time, a name N representing an ascription, and a unique identification value I; encrypting by a computing device, a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1; encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of signature S1; combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identification parameter and storing the identification parameter on the device; controlling, by a computing device, access to the device by; extracting identification information from the device, checking the validity of the digital certificate of the device; and applying a security policy that is based at least in part on the unique identification. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A system for securely controlling access to memory storage devices existing or introduced into a network setting, the system comprising:
-
a server housing a security manager module; a plurality of client devices coupled to the server through a network; wherein the security manager module is operable to; obtain parameters P associated with a device; obtain a name N representing an ascription; obtain a unique identification value I; obtain a time variable Time, encrypt a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1; encrypt the symmetric key K with a shared key to generate a second portion of a signature S1; combine the first and second portions along with the value of N, I and Time into a unique identification parameter and store the unique identification parameter on the device; and control access to the each of the plurality of client devices contingent at least in part upon said client device being associated with a client agent; and
, wherein said client agent is operable to;extract information from the memory storage device, validate the identification information that uniquely identifies the memory storage device, and apply a security policy related to accessing the storage device based at least in part on the identification parameter. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A method for protecting transferring of data between one or more client computers and one or more external devices, wherein the one or more client computers are clients of a private network that includes a security server, the method comprising the steps of:
-
obtaining parameters P associated with an external device; obtaining a name N representing an ascription; obtaining a unique identification value I; obtaining a time variable Time, encrypting a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature; encrypting the symmetric key K with a shared key to generate a second portion of a signature; combining the first and second portions along with the value of N, I and Time into a digital certificate and storing the digital certificate on the external device; connecting the external device to one of the one or more client computers; searching for a digital certificate that was previously written on the external device and was generated by the security server;
if the digital certificate was not found, then limiting the transfer of data to or from the external device;processing the digital certificate and determining what type of data transferring is allowed between the external device and the client computer; and controlling the data transfer according to the processed decision.
-
-
25. A method of controlling access to storage devices the method comprising:
-
obtaining, by a computing device, information related to a storage device, the information including at least; parameters P associated with an external device, a name N representing an ascription, and obtaining a unique identification value I; a time variable Time, encrypting, by a computing device, a function a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature; encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of the signature; combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identifier and storing the unique identifier on the storage device; extracting identification information from the storage device; validating the identification information; and determining, by a computing device, a level of access to the storage device based on a security policy, said security policy based at least in part on a unique identifier extracted from said storage device. - View Dependent Claims (26, 27, 28, 29, 30, 31)
-
Specification