Portable data encryption device with configurable security functionality and method for file encryption
Abstract
A portable encryption device with logon access controlled by an encryption key, with an on board cryptographic processor for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm, optionally shrouded with external secrets using an invertible transform resistant to quantum computing attacks. Another embodiment provides file decryption controlled by a file encryption key, with the on board cryptographic processor reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code. A method for encryption of a plaintext file by hashing, compressing, and encrypting the plaintext file, hashing the ciphertext, hashing the plaintext hash and the ciphertext hash, and sealing the ciphertext together with the resulting hash. A portable encryption device for performing the method is also disclosed.
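The K-of-N scheme with shrouded and enabling shares described in the abstract and in claim 1, as an added Python sketch that is not code from the patent. Shamir secret sharing over a prime field, an XOR pad derived with SHAKE-256 as the invertible shrouding transform, and all function names and sample secrets are assumptions chosen for illustration.

```python
import hashlib
import secrets

P = 2**521 - 1  # Mersenne prime; field larger than a 256-bit key (assumed size)

def _pad(secret: bytes, x: int) -> int:
    # Assumed shrouding pad: SHAKE-256 over the external secret and share index.
    return int.from_bytes(hashlib.shake_256(secret + bytes([x])).digest(66), "big")

def split(key: int, n: int, k: int):
    """Shamir split: evaluate a random degree k-1 polynomial with f(0) = key."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def shroud(share, secret: bytes, enabling: bool = False):
    """XOR the share value with the pad; invertible only with the same secret."""
    x, y = share
    return {"x": x, "y": y ^ _pad(secret, x), "enabling": enabling}

def reconstitute(shrouded, secret_for, k: int) -> int:
    """Unshroud and interpolate at 0; refuse without K shares or an enabling one."""
    by_x = {s["x"]: s for s in shrouded}  # ignore duplicate shares
    if len(by_x) < k:
        raise ValueError("fewer than K distinct shares presented")
    if not any(s["enabling"] for s in by_x.values()):
        raise ValueError("no enabling share presented")
    pts = [(x, (s["y"] ^ _pad(secret_for[x], x)) % P) for x, s in by_x.items()]
    key = 0
    for xj, yj in pts:  # Lagrange interpolation evaluated at x = 0
        num = den = 1
        for xm, _ in pts:
            if xm != xj:
                num = num * xm % P
                den = den * (xm - xj) % P
        key = (key + yj * num * pow(den, -1, P)) % P
    return key

if __name__ == "__main__":
    key = secrets.randbits(256)
    # Constructed external secrets: share 1 is shrouded with the network
    # authorization code (NAC) and designated enabling.
    ext = {1: b"constructed-NAC", 2: b"constructed-passphrase", 3: b"constructed-token"}
    box = [shroud(s, ext[s[0]], enabling=(s[0] == 1)) for s in split(key, n=3, k=2)]
    print(reconstitute(box[:2], ext, 2) == key)
```

In this sketch the enabling rule is a check in code rather than a property of the mathematics: any K unshrouded shares determine the key, so the rule holds only if the check runs inside the device's cryptographic processor and the enabling share cannot be unshrouded without the NAC.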
42 Claims
1. A portable encryption device in which data access is controlled by an encryption key, comprising:
- an enclosure for the device providing a portable form factor, and
- a cryptographic processor within the enclosure for
  (i) splitting the encryption key into N shares,
  (ii) shrouding each of the N shares with one or more external secrets, where one of the external secrets is a network authorization code which has been generated and distributed to a community of interest through an out-of-band distribution mechanism,
  (iii) designating one or more of the N shares as enabling, provided that at least one of the one or more so designated enabling shares has been shrouded with the network authorization code, and
  (iv) reconstituting the encryption key from K of the N shares, where K<N and at least one or more of the K shares is enabling.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
22. A method for controlling data access on a portable encryption device having a portable form factor and a cryptographic processor, comprising:
- generating a first plurality of secrets by a secret sharing algorithm operating upon an encryption key,
- shrouding each of the first plurality of secrets with external secrets, provided that a network authorization code has been generated and distributed to a community of interest through an out-of-band distribution mechanism and that at least one of the first plurality of secrets has been shrouded with such code,
- assigning a class designator to one or more of the shrouded secrets, wherein the class designator indicates that the shrouded secret is required for reconstitution of the encryption key, provided that at least one of the so designated shrouded secrets has been shrouded with the network authorization code,
- configuring the cryptographic processor to reconstitute the encryption key from a second plurality of the first plurality of generated secrets, wherein the second plurality includes all required shrouded secrets, and
- determining data access as a function of the reconstituted encryption key.

Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42
Specification