Method and system for securely identifying computer storage devices

US 8,271,790 B2
Filed: 12/21/2005
Issued: 09/18/2012
Est. Priority Date: 12/30/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for securely controlling access to a device that is capable of storing data, the method comprising:

obtaining, by a computing device, information related to the device, the information including at least;

parameters P associated with the device,a time variable Time,a name N representing an ascription, anda unique identification value I;

encrypting by a computing device, a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1;

encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of signature S1;

combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identification parameter and storing the identification parameter on the device;

controlling, by a computing device, access to the device by;

extracting identification information from the device,checking the validity of the digital certificate of the device; and

applying a security policy that is based at least in part on the unique identification.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a private network setting in which various computers can be attached, the confidential or sensitive data within the various devices on the private network is vulnerable. The ability to copy such confidential or sensitive data to a storage device communicatively coupled to a client computer on the network is governed and controlled. Only devices that include an authentic stamp or digital certificate can be accessed by client computers. If a device does not have a valid stamp or the stamp has been black listed, then the access to the device can be prevented or greatly limited.

16 Citations

View as Search Results

31 Claims

1. A method for securely controlling access to a device that is capable of storing data, the method comprising:
- obtaining, by a computing device, information related to the device, the information including at least;
  
  parameters P associated with the device,a time variable Time,a name N representing an ascription, anda unique identification value I;
  
  encrypting by a computing device, a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1;
  
  encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of signature S1;
  
  combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identification parameter and storing the identification parameter on the device;
  
  controlling, by a computing device, access to the device by;
  
  extracting identification information from the device,checking the validity of the digital certificate of the device; and
  
  applying a security policy that is based at least in part on the unique identification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, comprising uniquely identifying the device utilizing a unique digital certificate.
  - 3. The method of claim 2, wherein the step of uniquely identifying the device is performed within a network setting.
  - 4. The method of claim 1, wherein the device is associated with a client device that includes a client agent, and the client device is associated with a server running a security manager module, and wherein controlling access to the device comprises the client agent extracting identification information from the device and providing the identifying information to the security manager module.
  - 5. The method of claim 1, wherein the step of applying the security policy comprises performing one or more of the following actions:
    - blocking access to the device;
      
      enabling access to the device;
      
      disabling all writing operations to the device; and
      
      logging that the device was introduced to the client agent.
  - 6. The method of claim 1, further comprising generating a second signature S2.
  - 7. The method of claim 6, wherein generating a second signature S2 comprises the steps of:
    - obtaining a sequence number Q;
      
      obtaining a date D; and
      
      encrypting the values of Q and D using the symmetric key K to obtain the signature S2.
  - 8. The method of claim 3, further comprising:
    - sending a log to a server, said log including information on a usage of the device.
  - 9. The method of claim 8, wherein the information on the usage of the device includes at least one parameter selected from the group consisting of date and time of usage, the identification value I, and a sequence number Q.
  - 10. The method of claim 8, wherein the server is adapted to analyze the information on the usage of the device and determine whether the device is a forged device.
  - 11. The method of claim 4, wherein the step of providing at least a portion of a value related to or derived from the digital certificate to the security manager module comprises the steps of:
    - decrypting the second portion of the signature S1 to obtain the symmetric key K;
      
      decrypting the first portion of the signature S1 with the symmetric key K to obtain a first value function of the P, N, I, and Time values;
      
      extracting parameters P′
      
      from the device;
      
      generating a value represented by a second value function of P′
      
      , N, I, and Time;
      
      if the first value function and the second value function are equivalent, applying an appropriate security policy.
  - 12. The method of claim 11, wherein if the first value function and the second value function are not equivalent, applying a default security policy.
  - 13. The method of claim 7, further comprising the step of updating the value of S2 upon accessing the device.
  - 14. The method of claim 1, further comprising the step of maintaining a log of usage of the device.

15. A system for securely controlling access to memory storage devices existing or introduced into a network setting, the system comprising:
- a server housing a security manager module;
  
  a plurality of client devices coupled to the server through a network;
  
  wherein the security manager module is operable to;
  
  obtain parameters P associated with a device;
  
  obtain a name N representing an ascription;
  
  obtain a unique identification value I;
  
  obtain a time variable Time,encrypt a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature S1;
  
  encrypt the symmetric key K with a shared key to generate a second portion of a signature S1;
  
  combine the first and second portions along with the value of N, I and Time into a unique identification parameter and store the unique identification parameter on the device; and
  
  control access to the each of the plurality of client devices contingent at least in part upon said client device being associated with a client agent; and
  
  , wherein said client agent is operable to;
  
  extract information from the memory storage device,validate the identification information that uniquely identifies the memory storage device, andapply a security policy related to accessing the storage device based at least in part on the identification parameter.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The system of claim 15, wherein the client agent is operable to:
    - detect a memory storage device communicatively coupled to the client device.
  - 17. The system of claim 16, wherein the client agent is further operable to provide the information to the security manager module.
  - 18. The system of claim 16, wherein the security policy can be used to determine one or more actions selected from the group consisting of:
    - blocking access to the memory storage device;
      
      enabling access to the memory storage device;
      
      disabling all writing operations to the memory storage device; and
      
      logging that the specific memory storage device was introduced to the client agent.
  - 19. The system of claim 15, wherein the security policy can be used to perform one or more actions comprising the actions of:
    - blocking access to the memory storage device;
      
      enabling access to the memory storage device;
      
      disabling all writing operations to the memory storage device; and
      
      logging that the specific memory storage device was introduced to the client agent.
  - 20. The system of claim 19, wherein the client agent is software embedded within the client device.
  - 21. The system of claim 19, wherein the client agent is hardware embedded within the client device.
  - 22. The system of claim 15, wherein the server includes a stamping module, the stamping module being operable to:
    - detect the connection of the memory storage device to the server;
      
      obtain one or more parameters from the storage device;
      
      generate a digital certificate based at least in part on the one or more parameters; and
      
      store the digital certificate within the memory storage device.
  - 23. The system of claim 22, wherein the stamping module is further operable to receive additional data and is operable to generate the digital certificate based at least in part on the additional data.

24. A method for protecting transferring of data between one or more client computers and one or more external devices, wherein the one or more client computers are clients of a private network that includes a security server, the method comprising the steps of:
- obtaining parameters P associated with an external device;
  
  obtaining a name N representing an ascription;
  
  obtaining a unique identification value I;
  
  obtaining a time variable Time,encrypting a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature;
  
  encrypting the symmetric key K with a shared key to generate a second portion of a signature;
  
  combining the first and second portions along with the value of N, I and Time into a digital certificate and storing the digital certificate on the external device;
  
  connecting the external device to one of the one or more client computers;
  
  searching for a digital certificate that was previously written on the external device and was generated by the security server;
  
  if the digital certificate was not found, then limiting the transfer of data to or from the external device;
  
  processing the digital certificate and determining what type of data transferring is allowed between the external device and the client computer; and
  
  controlling the data transfer according to the processed decision.

25. A method of controlling access to storage devices the method comprising:
- obtaining, by a computing device, information related to a storage device, the information including at least;
  
  parameters P associated with an external device,a name N representing an ascription, andobtaining a unique identification value I;
  
  a time variable Time,encrypting, by a computing device, a function a function of the P, N, I and Time values with a symmetric key K to generate a first portion of an unchangeable signature;
  
  encrypting, by a computing device, the symmetric key K with a shared key to generate a second portion of the signature;
  
  combining, by a computing device, the first and second portions along with the value of N, I and Time into a unique identifier and storing the unique identifier on the storage device;
  
  extracting identification information from the storage device;
  
  validating the identification information; and
  
  determining, by a computing device, a level of access to the storage device based on a security policy, said security policy based at least in part on a unique identifier extracted from said storage device.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The method of claim 25, wherein said unique identifier is stored on said storage device by a security server.
  - 27. The method of claim 26, wherein said security policy is provided to by said security server to a client agent.
  - 28. The method of claim 27, wherein said step of determining a level of access based on said security policy is performed by said client agent.
  - 29. The method of claim 25, wherein determining access comprises enabling or blocking access to said storage device.
  - 30. The method of claim 25, wherein determining access comprises performing an action selected from the list consisting of:
    - blocking access to the storage device;
      
      enabling access to the storage device; and
      
      disabling all writing operations to the storage device.
  - 31. The method of claim 30, further comprising logging the access to the storage device by the client agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Supercom IP LLC
Original Assignee
Safend Ltd.
Inventors
ROSENAN, Avner, GUTTERMAN, Zvi, Hazama, Hay, Gan, Orli
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Wright, Bryan

Application Number

US11/794,577
Publication Number

US 20100071030A1
Time in Patent Office

2,463 Days
Field of Search

726/2
US Class Current

713/176
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/6227   where protection concerns t...

G06F 21/73   by creating or determining ...

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2151   Time stamp

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

Method and system for securely identifying computer storage devices

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Method and system for securely identifying computer storage devices

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others