Prevention of cable-swap security attack on storage devices

US 9,870,462 B2
Filed: 09/22/2014
Issued: 01/16/2018
Est. Priority Date: 09/22/2014
Status: Active Grant

First Claim

Patent Images

1. A host system in communication with a storage system, for securing a storage device disposed in said storage system, said host system comprising:

provisioning circuitry to generate a challenge-response verification public/private encryption key-pair and further to provide said key-pair to said storage device to enable said challenge-response verification;

power-up user authentication circuitry to provide an authentication password to said storage device to unlock said storage device;

link error detection circuitry, disposed in said storage system and in said host system, to detect a link error between said host system and said storage device occurring during a standby-connected mode of said storage device, wherein upon detection of said link error said link error detection circuitry in said storage system is to cause said storage system to generate failures on all read/write operations from said host system; and

challenge-response protocol circuitry, disposed in said storage system and in said host system, to initiate, in response to said link-error detection, a verification challenge from said storage device and further to provide a response to said verification challenge based on said key-pair, wherein said verification challenge is to secure said storage device against a cable-swap attack and wherein a successful response to said verification challenge causes said link error detection circuitry in said storage system to discontinue generating said read/write failures.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally, this disclosure provides systems, devices, methods and computer readable media for prevention of cable swap security attacks on storage devices. A host system may include a provisioning module configured to generate a challenge-response verification key-pair and further to provide the key-pair to the storage device to enable the challenge-response verification. The system may also include a link error detection module to detect a link error between the host system and the storage device. The system may further include a challenge-response protocol module configured to initiate, in response to the link-error detection, a verification challenge from the storage system and to provide a response to the verification challenge based on the key-pair.

Citations

19 Claims

1. A host system in communication with a storage system, for securing a storage device disposed in said storage system, said host system comprising:
- provisioning circuitry to generate a challenge-response verification public/private encryption key-pair and further to provide said key-pair to said storage device to enable said challenge-response verification;
  
  power-up user authentication circuitry to provide an authentication password to said storage device to unlock said storage device;
  
  link error detection circuitry, disposed in said storage system and in said host system, to detect a link error between said host system and said storage device occurring during a standby-connected mode of said storage device, wherein upon detection of said link error said link error detection circuitry in said storage system is to cause said storage system to generate failures on all read/write operations from said host system; and
  
  challenge-response protocol circuitry, disposed in said storage system and in said host system, to initiate, in response to said link-error detection, a verification challenge from said storage device and further to provide a response to said verification challenge based on said key-pair, wherein said verification challenge is to secure said storage device against a cable-swap attack and wherein a successful response to said verification challenge causes said link error detection circuitry in said storage system to discontinue generating said read/write failures.
- View Dependent Claims (2, 3, 4)
- - 2. The host system of claim 1, wherein said detected link error is associated with a communication reset of a data cable coupled between said host system and said storage device.
  - 3. The host system of claim 1, wherein said detected link error is associated with a disconnect of a data cable coupled between said host system and said storage device.
  - 4. The host system of claim 1, wherein said storage device is a hard disk drive (HDD) or a solid-state drive (SSD).

5. A storage device disposed in a storage system in communication with a host system, comprising:
- data storage circuitry to store data for access by a host system coupled to said storage device;
  
  power-up user authentication circuitry to verify an authentication password received from said host system and unlock said data storage circuitry in response to success of said verification;
  
  link error detection circuitry, disposed in said storage system and in said host system, to detect a link error between said storage device and said host system occurring during a standby-connected mode of said storage device and further, in response to said link-error detection, to cause said storage device to generate failures on all read/write operations received from said host system while said storage device continues to receive power; and
  
  challenge-response protocol circuitry, disposed in said storage system and in said host system, to, in response to a verification challenge initiation received from said host system, generate a verification challenge and transmit said verification challenge to said host system, wherein said verification challenge is to secure said storage device against a cable-swap attack and wherein a successful response to said verification challenge causes said link error detection circuitry in said storage system to discontinue generating said read/write failures.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The storage device of claim 5, wherein said challenge-response protocol circuitry is further to verify a challenge-response received from said host system.
  - 7. The storage device of claim 6, wherein, said challenge-response protocol circuitry is further to wait for a second verification challenge initiation received from said host system if said verification is unsuccessful.
  - 8. The storage device of claim 5, wherein said detected link error is associated with a communication reset of a data cable coupled between said host system and said storage device.
  - 9. The storage device of claim 5, wherein said detected link error is associated with a disconnect of a data cable coupled between said host system and said storage device.
  - 10. The storage device of claim 5, further comprising encryption circuitry to lock and unlock said data storage circuitry.
  - 11. The storage device of claim 5, wherein said storage device is a hard disk drive (HDD) or a solid-state drive (SSD).

12. At least one non-transitory computer-readable storage medium, disposed in a storage system, said storage system in communication with a host system, wherein link error detection circuitry is disposed in said storage system and in said host system, and wherein challenge-response protocol circuitry is disposed in said in said storage system and in said host system, said at least one non-transitory computer readable storage medium having instructions stored thereon which when executed by a processor result in the following operations for securing a storage device, said operations comprising:
- providing an authentication password to said storage device to unlock said storage device after a power-up of said storage device;
  
  generating a challenge-response verification public/private encryption key-pair;
  
  providing said key-pair to said storage device to enable said challenge-response verification;
  
  detecting a link error between a host system and said storage device occurring during a standby-connected mode of said storage device;
  
  initiating, by said host system, in response to said link-error detection, a verification challenge from said storage device, wherein said verification challenge is to secure said storage device against a cable-swap attack by generating failures on all read/write operations from said host system until a successful response to said verification challenge is received; and
  
  providing a response to said verification challenge based on said key-pair.
- View Dependent Claims (13, 14)
- - 13. The computer-readable storage medium of claim 12, wherein said detected link error is associated with a communication reset of a data cable coupled between said host system and said storage device.
  - 14. The computer-readable storage medium of claim 12, wherein said detected link error is associated with a disconnect of a data cable coupled between said host system and said storage device.

15. At least one non-transitory computer-readable storage medium disposed in a storage system, said storage system in communication with a host system, wherein link error detection circuitry is disposed in said storage system and in said host system, and wherein challenge-response protocol circuitry is disposed in said storage system and in said host system, said at least one non-transitory computer-readable storage medium having instructions stored thereon which when executed by a processor result in the following operations for securing a storage device, said operations comprising:
- verifying a challenge-response received from said host system;
  
  upon success of said challenge-response verification, verifying an authentication password received from said host system;
  
  upon success of said authentication password verification, unlocking data stored on said storage device in response to success of said verification;
  
  detecting a link error between said storage device and a host system occurring during a standby-connected mode of said storage device;
  
  generating failures on all read/write operations from said host system in response to said detection while said storage device continues to receive power;
  
  receiving a verification challenge initiation from said host system;
  
  generating a verification challenge in response to said receiving, wherein said verification challenge is to secure said storage device against a cable-swap attack and wherein a successful response to said verification challenge causes generation of said read/write failures to discontinue; and
  
  transmitting said verification challenge to said host system.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable storage medium of claim 15, further comprising the operation of exiting said read/write failure mode if said verification is successful.
  - 17. The computer-readable storage medium of claim 15, further comprising the operation of waiting for a second verification challenge initiation from said host system if said verification is unsuccessful.
  - 18. The computer-readable storage medium of claim 15, wherein said detected link error is associated with a communication reset of a data cable coupled between said host system and said storage device.
  - 19. The computer-readable storage medium of claim 15, wherein said detected link error is associated with a disconnect of a data cable coupled between said host system and said storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SK Hynix NAND Product Solutions Corporation (SK Hynix Inc.)
Original Assignee
Intel Corporation
Inventors
Trika, Sanjeev N., Cox, Jason, Ramalingam, Anand S.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US14/492,168
Publication Number

US 20160085959A1
Time in Patent Office

1,212 Days
Field of Search

726 7, 726 34- 36, 713193
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/85   interconnection devices, e....

G06F 2221/2103   Challenge-response

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3271   using challenge-response

Prevention of cable-swap security attack on storage devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of cable-swap security attack on storage devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links