Portable data encryption device with configurable security functionality and method for file encryption

US 9,049,010 B2
Filed: 10/12/2012
Issued: 06/02/2015
Est. Priority Date: 01/22/2007
Status: Active Grant

First Claim

Patent Images

1. A portable encryption device in which data access is controlled by an encryption key, comprising:

an enclosure for the device providing a portable form factor, anda cryptographic processor within the enclosure for(i) splitting the encryption key into N shares,(ii) shrouding each of the N shares with one or more external secrets, where one of the external secrets is a network authorization code which has been generated and distributed to a community of interest through an out-of-band distribution mechanism,(iii) designating one or more of the N shares as enabling, provided that at least one of the one or more so designated enabling shares has been shrouded with the network authorization code, and(iv) reconstituting the encryption key from K of the N shares, where K<

N and at least one or more of the K shares is enabling.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable encryption device with logon access controlled by an encryption key, with an on board cryptographic processor for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm, optionally shrouded with external secrets using an invertible transform resistant to quantum computing attacks. Another embodiment provides file decryption controlled by a file encryption key, with the on board cryptographic processor reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code. A method for encryption of a plaintext file by hashing, compressing, and encrypting the plaintext file, hashing the ciphertext, hashing the plaintext hash and the ciphertext hash, and sealing the ciphertext together with the resulting hash. A portable encryption device for performing the method is also disclosed.

Citations

42 Claims

1. A portable encryption device in which data access is controlled by an encryption key, comprising:
- an enclosure for the device providing a portable form factor, anda cryptographic processor within the enclosure for(i) splitting the encryption key into N shares,(ii) shrouding each of the N shares with one or more external secrets, where one of the external secrets is a network authorization code which has been generated and distributed to a community of interest through an out-of-band distribution mechanism,(iii) designating one or more of the N shares as enabling, provided that at least one of the one or more so designated enabling shares has been shrouded with the network authorization code, and(iv) reconstituting the encryption key from K of the N shares, where K<
  
  N and at least one or more of the K shares is enabling.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The device of claim 1, in which the data access comprises logon access.
  - 3. The device of claim 1, in which the data access comprises file decryption.
  - 4. The device of claim 1, where an external secret shrouding one or more of the shares may be changed without changing the encryption key.
  - 5. The device of claim 4, where the secret to be changed comprises a user'"'"'s PIN.
  - 6. The device of claim 5, where the PIN is a supervisory user'"'"'s PIN.
  - 7. The device of claim 4, where the secret to be changed comprises a firmware hash.
  - 8. The device of claim 4, where the secret to be changed comprises a host authorization code associated with one or more specific host computing devices.
  - 9. The device of claim 4, where the secret to be changed is generated by a proximity detection mechanism.
  - 10. The device of claim 1, further comprising means for communicating the external secrets over a secure channel with a secondary device.
  - 11. The device of claim 10, where the secondary device is a connected host computing device.
  - 12. The device of claim 10, where the secondary device is a remote device.
  - 13. The device of claim 1, where the encryption key is a master key encryption key.
  - 14. The device of claim 1, where the encryption key is an application key encryption key.
  - 15. The device of claim 1, further comprising means for interfacing with a user authentication device.
  - 16. The device of claim 15, where the authentication device comprises a secure PIN entry mechanism.
  - 17. The device of claim 15, where the authentication device comprises a secure biometric input.
  - 18. The device of claim 1, further comprising removable memory configured for data storage.
  - 19. The device of claim 1, further comprising a data communication module.
  - 20. The device of claim 1, where the cryptographic processor is a microprocessor programmed to execute cryptographic functions.
  - 21. The device of claim 1, further comprising a second cryptographic processor within the enclosure.

22. A method for controlling data access on a portable encryption device having a portable form factor and a cryptographic processor, comprising:
- generating a first plurality of secrets by a secret sharing algorithm operating upon an encryption key,shrouding each of the first plurality of secrets with external secrets, provided that a network authorization code has been generated and distributed to a community of interest through an out-of-band distribution mechanism and that at least one of the first plurality of secrets has been shrouded with such code,assigning a class designator to one or more of the shrouded secrets,wherein the class designator indicates that the shrouded secret is required for reconstitution of the encryption key, provided that at least one of the so designated shrouded secrets has been shrouded with the network authorization code,configuring the cryptographic processor to reconstitute the encryption key from a second plurality of the first plurality of generated secrets, wherein the second plurality includes all required shrouded secrets, and determining data access as a function of the reconstituted encryption key.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 23. The method of claim 22, where the data access comprises logon access.
  - 24. The method of claim 22, where the secret sharing algorithm comprises Shamir'"'"'s Secret-Sharing Algorithm.
  - 25. The method of claim 22, where the data access comprises file decryption.
  - 26. The method of claim 22, wherein any one of the external secrets may be changed without regeneration or re-dealing of all of the first plurality of secrets.
  - 27. The method of claim 26, where one or more of the external secrets comprise a user'"'"'s PIN.
  - 28. The method of claim 27, where the PIN is a supervisory user'"'"'s PIN.
  - 29. The method of claim 26, where the external secrets comprise a plurality of user'"'"'s PINS, and the encryption key can be reconstituted with less than all of the plurality of user'"'"'s PINS.
  - 30. The method of claim 26, where one or more of the external secrets comprise a firmware hash.
  - 31. The method of claim 26, where one or more of the external secrets comprise a host authorization code associated with one or more specific host computing device, binding the portable encryption method to such one or more host computing devices.
  - 32. The method of claim 26, where one or more of the external secrets is generated by a proximity detection mechanism.
  - 33. The method of claim 26, where one or more of the external secrets is a function of multivariate parameters.
  - 34. The method of claim 33, where the multivariate parameters are chosen from the group consisting of a geographic-locus and biometric input.
  - 35. The method of claim 22, further comprising communicating the external secrets over a secure channel to a secondary device.
  - 36. The method of claim 35, where the secondary device is a host computing device.
  - 37. The method of claim 35, where the secondary device is a remote device.
  - 38. The method of claim 22, where the encryption key is a master key encryption key.
  - 39. The method of claim 22, where the encryption key is an application key encryption key.
  - 40. The method of claim 22, further comprising receiving input from a user authentication device.
  - 41. The method of claim 40, where the input is received over a secure channel.
  - 42. The method of claim 40, where the input comprises secure biometric data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spyrus, Inc.
Original Assignee
Spyrus, Inc.
Inventors
Jueneman, Robert R., Linsenbardt, Duane J., Young, John N., Carlisle, William Reid, Tregub, Burton George
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US13/650,459
Publication Number

US 20130046993A1
Time in Patent Office

963 Days
Field of Search

380/28, 380/44, 380/277, 713/150
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/6218   to a system of files or obj...

G06F 21/72   in cryptographic circuits

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04L 9/3226   using a predetermined code,...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

Portable data encryption device with configurable security functionality and method for file encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Portable data encryption device with configurable security functionality and method for file encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links