Remote access control of storage devices

US 8,321,956 B2
Filed: 06/17/2009
Issued: 11/27/2012
Est. Priority Date: 06/17/2009
Status: Active Grant

First Claim

Patent Images

1. An access control device comprising:

at least one communicational interface through which communications with a storage device comprising encrypted data are established;

at least one processing unit;

access control information comprising identifications of entities that are to be allowed by the access control device to access, in an unencrypted form, the encrypted data stored on the storage device;

storage-related cryptographic information that can decrypt the encrypted data of the storage device with which communications are established through the at least one communicational interface, wherein the storage-related cryptographic information comprises;

a first storage-related cryptographic information that can decrypt only a first portion of the encrypted data of the storage device; and

a second storage-related cryptographic information that can decrypt only a second portion of the encrypted data of the storage device, the second portion being different from the first portion; and

a computer-readable medium comprising computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to perform steps comprising;

receiving an identification of an accessing entity, from a computing device to which the storage device is communicationally coupled, the accessing entity seeking to access, in the unencrypted form, the encrypted data stored on the storage device;

comparing the received identification of the accessing entity to the access control information;

providing, in a secured manner, the storage-related cryptographic information to the storage device, thereby enabling the storage device to decrypt the encrypted data, if the comparing reveals that the received identification of the accessing entity matches at least one of the identifications of the entities that comprise the access control information;

wherein the access control device is physically separable from both the storage device and the computing device; and

wherein further the computer-executable instructions that cause the provision of the storage related cryptographic information to the storage device comprises computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to;

provide, to the storage device, only the first storage-related cryptographic information if the accessing entity is associated with the first storage-related cryptographic information; and

provide, to the storage device, only the second storage-related cryptographic information if the accessing entity is associated with the second storage-related cryptographic information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control device can be communicationally coupled to a storage device and can control access thereto. The access control device can comprise information, such as identities of authorized entities, to enable the access control device to independently determine whether to provide access to an associated storage device. Alternatively, the access control device can comprise information to establish a secure connection to an authorization computing device and the access control device can implement the decisions of the authorization computing device. The access control device can control access by instructing a storage device to execute specific firmware instructions to prevent meaningful responses to data storage related requests. The access control device can also comprise storage-related cryptographic information utilized by the storage device to encrypt and decrypt data. In such a case, the access control device can control access by not releasing the storage-related cryptographic information to the storage device.

Citations

11 Claims

1. An access control device comprising:
- at least one communicational interface through which communications with a storage device comprising encrypted data are established;
  
  at least one processing unit;
  
  access control information comprising identifications of entities that are to be allowed by the access control device to access, in an unencrypted form, the encrypted data stored on the storage device;
  
  storage-related cryptographic information that can decrypt the encrypted data of the storage device with which communications are established through the at least one communicational interface, wherein the storage-related cryptographic information comprises;
  
  a first storage-related cryptographic information that can decrypt only a first portion of the encrypted data of the storage device; and
  
  a second storage-related cryptographic information that can decrypt only a second portion of the encrypted data of the storage device, the second portion being different from the first portion; and
  
  a computer-readable medium comprising computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to perform steps comprising;
  
  receiving an identification of an accessing entity, from a computing device to which the storage device is communicationally coupled, the accessing entity seeking to access, in the unencrypted form, the encrypted data stored on the storage device;
  
  comparing the received identification of the accessing entity to the access control information;
  
  providing, in a secured manner, the storage-related cryptographic information to the storage device, thereby enabling the storage device to decrypt the encrypted data, if the comparing reveals that the received identification of the accessing entity matches at least one of the identifications of the entities that comprise the access control information;
  
  wherein the access control device is physically separable from both the storage device and the computing device; and
  
  wherein further the computer-executable instructions that cause the provision of the storage related cryptographic information to the storage device comprises computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to;
  
  provide, to the storage device, only the first storage-related cryptographic information if the accessing entity is associated with the first storage-related cryptographic information; and
  
  provide, to the storage device, only the second storage-related cryptographic information if the accessing entity is associated with the second storage-related cryptographic information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The access control device of claim 1, wherein the access control information further comprises authentication information associated with at least some of the entities that are to be allowed by the access control device to access, in the unencrypted form, the encrypted data stored on the storage device;
    - and wherein further the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to perform further steps comprising;
      
      receiving authentication information from the accessing entity; and
      
      comparing the received authentication information to the access control information.
  - 3. The access control device of claim 1, wherein the access control information further comprises access control cryptographic information for establishing secure communications with an authorization computing device, external to the access control device, from which the access control device receives updated access control information.
  - 4. The access control device of claim 1, wherein the access control information further comprises access control cryptographic information;
    - and wherein further the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to performs further steps comprising;
      
      utilizing the access control cryptographic information to establish a secure communicational tunnel with an authorization computing device through another computing device;
      
      providing, to the authorization computing device, through the secure communicational tunnel, the received identification of the accessing entity; and
      
      providing, in the secured manner, the storage-related cryptographic information to the storage device, thereby enabling the storage device to decrypt the encrypted data, if information received from the authorization computing device in response to the providing the received identification of the accessing entity indicates that the accessing entity is to be granted access.
  - 5. The access control device of claim 1, wherein the communicational interface comprises a physical connector that is connectable to a physical receptor that is part of the storage device, such that the established communications with the storage device are direct communications between the storage device and the access control device.
  - 6. The access control device of claim 1, wherein the established communications with the storage device are indirect communications passing through the computing device to which both the access control device and the storage device are independently communicationally coupled.
  - 7. The access control device of claim 6, wherein the computer-executable instructions causing the at least one processing unit to provide the storage-related cryptographic information to the storage device in the secured manner, further comprise computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to protect the storage-related cryptographic information prior to the providing so as to prevent the storage-related cryptographic information from being deciphered by the computing device.
  - 8. The access control device of claim 1, wherein the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to erase at least some of the storage-related cryptographic information.
  - 9. The access control device of claim 8, wherein the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to determine, independently of external instruction, to execute the computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to erase the at least some of the storage-related cryptographic information.
  - 10. The access control device of claim 8, wherein the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to perform steps comprising:
    - receiving an instruction to delete at least some of the encrypted data stored on the storage device; and
      
      in response to the receiving, erasing the least some of the storage-related cryptographic information.
  - 11. The access control device of claim 1, wherein the computer-readable medium comprises further computer-executable instructions that, when executed by the at least one processing unit, cause the at least one processing unit to provide, to the computing device, a challenge for authentication information associated with the accessing entity if the identification of the accessing entity is received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sadovsky, Vladimir, Olarig, Sompong Paul, Lionetti, Chris, Hamilton, James Robert
Primary Examiner(s)
Reagan, James A
Assistant Examiner(s)
CHEUNG, CALVIN K

Application Number

US12/486,738
Publication Number

US 20100325736A1
Time in Patent Office

1,259 Days
Field of Search

726/27, 726/2, 726/28, 726/29, 726/30, 705/13, 705/18, 713/182
US Class Current

726/27
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/77   in smart cards

G06F 3/0605   by facilitating the interac...

G06F 3/0622   in relation to access

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/80   Wireless

H04L 63/0853   using an additional device,...

H04L 63/101   Access control lists [ACL]

H04L 9/3271   using challenge-response

Remote access control of storage devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Remote access control of storage devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links