Mass storage device memory encryption methods, systems, and apparatus
First Claim
1. A mass storage device for storing data comprising:
    a communication interface comprising a universal serial bus (USB) connector configured to communicate with a connected host computer;
    a mass-memory storage component;
    a secure key storage component configured to securely store a master secret and to cryptographically derive one or more intermediate secrets from the master secret, wherein the secure key storage component is adapted to authenticate a user on the basis of a personal identification number (PIN), a password, or a biometric measurement and wherein accessing the at least one master secret stored on the secure key storage component is subjected by the secure key storage component to access control mechanisms with the secure key storage component granting or denying access to the at least one master secret depending on a user authentication status such that the secure key storage component denies access to the at least one master secret if the user has not been authenticated; and
    an encryption-decryption component that is different from the secure key storage component, that is connected to the secure key storage component, the mass-memory storage component, and the USB connector, and that is configured to:
        handle the USB protocol with the host computer;
        encrypt data received from the host computer via the communication interface using an encryption algorithm and at least one bulk encryption key;
        write the encrypted data into and read the encrypted data from the mass-memory storage component;
        obtain at least one bulk decryption key by accessing the master secret securely stored in the secure key storage component, the security of the at least one bulk decryption key protected using the master secret securely stored in the secure key storage component, wherein the encryption-decryption component accessing the master secret securely stored in the secure key storage component for obtaining the at least one bulk decryption key comprises:
            retrieving an intermediate secret from the secure key storage component, wherein the secure key storage component cryptographically derives the intermediate secret from the master secret using a cryptographic algorithm, and
            deriving the at least one bulk decryption key using the retrieved intermediate secret;
        decrypt encrypted data stored in the mass-memory storage component for return to the host computer via the communication interface in response to a read data command from the host computer, whereby said decrypting uses a decryption algorithm and the at least one bulk decryption key; and
        discard the intermediate secret after the encrypted data is decrypted.
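As an added illustration (not code from the patent), the following Python model walks through the key hierarchy claim 1 describes: the secure key storage component holds the master secret and, only once the user has authenticated with a PIN, releases an intermediate secret derived from it; the separate encryption-decryption component derives the bulk key from that intermediate, uses it for one sector read or write, and drops it. HMAC-SHA256 as the derivation function and an HMAC-based keystream as the bulk cipher are assumptions made here; the claim names no algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed model of the claim 1 key hierarchy (master secret -> intermediate secret
# -> bulk key). HMAC-SHA256 as KDF and an HMAC keystream as the bulk cipher are stand-ins.

class SecureKeyStorage:
    """Secure key storage component: holds the master secret behind PIN authentication."""
    def __init__(self, master_secret: bytes, pin: str):
        self._master = master_secret
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.authenticated = False

    def authenticate(self, pin: str) -> bool:
        candidate = hashlib.sha256(pin.encode()).digest()
        self.authenticated = hmac.compare_digest(candidate, self._pin_digest)
        return self.authenticated

    def derive_intermediate(self, label: bytes) -> bytes:
        # Access is gated on authentication status; only a derived value ever leaves here.
        if not self.authenticated:
            raise PermissionError("user not authenticated")
        return hmac.new(self._master, b"intermediate|" + label, hashlib.sha256).digest()

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class EncryptionDecryptionComponent:
    """Separate component: derives the bulk key per operation, discards the intermediate."""
    def __init__(self, key_storage: SecureKeyStorage):
        self._keys = key_storage
        self._flash = {}  # mass-memory storage component: lba -> (nonce, ciphertext)

    def _bulk_key(self) -> bytes:
        intermediate = self._keys.derive_intermediate(b"bulk")
        bulk_key = hmac.new(intermediate, b"bulk-key", hashlib.sha256).digest()
        del intermediate  # reference dropped after use (Python cannot zeroise memory)
        return bulk_key

    def write(self, lba: int, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(16)  # fresh per write so the keystream never repeats
        self._flash[lba] = (nonce, _xor_keystream(self._bulk_key(), nonce, plaintext))

    def read(self, lba: int) -> bytes:
        nonce, ciphertext = self._flash[lba]
        return _xor_keystream(self._bulk_key(), nonce, ciphertext)
```

An unauthenticated read or write fails at the key storage component rather than in the cipher, which is the property the claim's access-control clause is about.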
Abstract
Mass storage devices and methods for securely storing data are disclosed. The mass storage device includes a communication interface for communicating with a connected host computer, a mass-memory storage component for storing data, a secure key storage component adapted to securely store at least one master secret, and an encryption-decryption component different from the secure key storage component and connected to the secure key storage component and the mass-memory storage component. The encryption-decryption component may be adapted to encrypt data received from the host computer using an encryption algorithm and at least one encryption key and to write the encrypted data into the mass-memory storage component. The encryption-decryption component may also be adapted to decrypt encrypted data stored in the mass-memory storage component for returning the data to the host computer in response to a read data command from the host computer using a decryption algorithm and at least one decryption key the security of which is protected using a master secret securely stored in the secure key storage component.