Method and system for controlling access to data stored on a data storage device
First Claim
1. A method (200) for allowing access to a storage device comprising:
(a) accepting (204) a token device (20) that was plugged into a data port (18) of a computer (10) before booting up;
(b) after booting up, transmitting (206) a puzzle (Sn) read from a hard disk storage device (12) on said computer (10) to the token device (20);
(c) recognizing (208) puzzle (Sn) as a challenge, and using an encryption/decryption program to output a dynamic key (Kn) with a token processor (22) from said puzzle (Sn) in the token device (20);
(d) transmitting (210) the dynamic key (Kn) through the data port (18) to a processor (14) of the computer system;
(e) transmitting (212) an encrypted file key (EFKn) stored on the hard disk storage device (12) to the processor (14);
(f) decrypting (214) the encrypted file key (EFKn) with the processor (14) using the dynamic key (Kn) to generate a clear file key (CFK);
(g) storing (216) the clear file key (CFK) in memory (16) of the computer (10) until it is powered down;
thereafter, using an encryption/decryption program running on the computer processor (14), and the clear file key (CFK) in memory (16), to routinely decrypt data as it is read from hard disk storage device (12) to computer memory (16), and to routinely encrypt data as it is written from computer memory (16) to the hard disk storage device (12);
(h) for a next boot up of computer (10), automatically generating (218) a subsequent puzzle (Sn+1);
(i) storing the subsequent puzzle (Sn+1) both on the hard disk storage device (12) and in the token device (20) so as to overwrite the previous puzzle (Sn);
(j) generating (222) from the subsequent puzzle (Sn+1), a subsequent dynamic key (Kn+1) in the token device (20);
(k) transmitting (224) the clear file key (CFK) and the subsequent dynamic key (Kn+1) to the processor (14) of the computer system;
(l) encrypting (226) the clear file key (CFK) with the subsequent dynamic key to generate a subsequent encrypted file key (EKFn+1); and
(m) storing (228) the subsequent encrypted file key (EKFn+1) on the hard disk storage device (12).
Abstract
A system and method of data encryption and decryption for controlling access to a data storage device such as a hard disk drive or optical drive is provided. The invented method utilizes data encryption and decryption techniques, combined with a token device, to control access to data stored on the data storage device.
12 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4.
5. An installation method (100) for placing data access controls on a storage device in a computer system, comprising:
(a) accepting (104) a token device (20) plugged into a data port (18) of a computer (10);
(b) uploading a data storage access control program from either the token device (20) or a removable disk to the computer (10);
(c) generating (106) a first dynamic seed and rescue puzzle (Sr) that may thereafter be used to recover encrypted data stored on a data storage device (12) of the computer (10);
(d) storing (108) the first dynamic seed and rescue puzzle (Sr) both in a token memory (24A) of the token device (20) and a data storage device (12) of the computer (10);
(e) feeding (110) the first dynamic seed and rescue puzzle (Sr) to a token processor (22) in the token device (20);
(f) generating (112) with the token processor (22) and a data encryption/decryption program a clear file key (CFK) based on the first dynamic seed and rescue puzzle (Sr) received by token processor (22);
(g) transmitting (114) the clear file key (CFK) to the computer (10) and storing it in a memory (16) in the computer system (10) to stay there until it is powered down;
(h) generating (116) a subsequent dynamic puzzle (Sn);
(i) feeding (118) the subsequent dynamic puzzle (Sn) simultaneously to the token memory (24) and the data storage (12);
(j) recognizing (120) by the token processor (22) the subsequent dynamic puzzle (Sn) as a challenge, and using a unique string of information in the token device (20) and a data encryption/decryption program to produce a first dynamic key (Kn) that can function as a one-time password;
(k) transmitting (122) the first dynamic key (Kn) to the computer memory (16);
(l) feeding (124) both the clear file key (CFK) and the first dynamic key (Kn) to the computer processor (14);
(m) generating (126) a first encrypted file key (EKFn) using the clear file key (CFK) as an input and the first dynamic key (Kn) as an encryption key with computer processor (14) and a data encryption/decryption program;
(n) storing (128) the first encrypted file key (EKFn) on data storage device (12), wherein such an encrypted file key (EKFn) secrets a true clear file key (CFK); and
(o) encrypting (130) data stored on the storage device with the clear file key (CFK) to prevent later unauthorized access of the data stored.
Dependent claims: 6, 7, 8, 9, 10, 11.
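The boot-time challenge/response of claim 1 and the provisioning of claim 5, as an added simulation that is not the patent's code or any product's: the patent names no algorithms, so HMAC-SHA256 as the token's keyed function, an HMAC-based encrypt-then-MAC wrapping of a 32-byte CFK, and all class and function names and sample values here are assumptions. It shows why a wrong token fails closed (the tag check rejects EFKn before any key material is used) and how the administrator's copy of the unique string plus Sr recovers the CFK without the token.

```python
import hmac, hashlib, secrets

class Token:
    """Token device (20): holds the unique string and answers puzzles with HMAC (assumed PRF)."""
    def __init__(self, unique_string: bytes):
        self._secret = unique_string
        self.puzzle = None                  # token memory (24), current Sn

    def challenge(self, puzzle: bytes, purpose: bytes = b"dynamic-key") -> bytes:
        # step (c): the puzzle is the challenge, the keyed-hash output is the key
        self.puzzle = puzzle                # step (i): new puzzle overwrites the old one
        return hmac.new(self._secret, purpose + puzzle, hashlib.sha256).digest()

def wrap_key(cfk: bytes, kn: bytes) -> bytes:
    """Steps (l)/(m): EFK = nonce || (CFK xor PRF(Kn, nonce)) || HMAC tag (constructed scheme)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kn, b"enc" + nonce, hashlib.sha256).digest()   # 32 bytes, CFK is 32 bytes
    ct = bytes(a ^ b for a, b in zip(cfk, stream))
    tag = hmac.new(kn, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(efk: bytes, kn: bytes) -> bytes:
    """Step (f): verify the tag first, so a wrong Kn yields an error rather than garbage."""
    nonce, ct, tag = efk[:16], efk[16:48], efk[48:]
    expected = hmac.new(kn, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted file key failed integrity check")
    stream = hmac.new(kn, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Disk:  # hard disk (12): holds only the current puzzle Sn and the wrapped key EFKn
    def __init__(self, puzzle: bytes, efk: bytes):
        self.puzzle, self.efk = puzzle, efk

def install(token: Token):
    """Claim 5: derive CFK from rescue puzzle Sr inside the token, then wrap it under Kn."""
    sr = secrets.token_bytes(32)                         # (c) rescue puzzle Sr
    cfk = token.challenge(sr, b"file-key")               # (f) CFK from Sr and unique string
    s0 = secrets.token_bytes(32)                         # (h) first dynamic puzzle Sn
    disk = Disk(s0, wrap_key(cfk, token.challenge(s0)))  # (j)-(n) Kn, EKFn to disk
    return disk, cfk, sr

def boot_unlock(disk: Disk, token: Token) -> bytes:
    """Claim 1 steps (b)-(m): recover CFK into RAM, then rotate the puzzle and re-wrap."""
    kn = token.challenge(disk.puzzle)                    # (b)-(d) Kn from Sn
    cfk = unwrap_key(disk.efk, kn)                       # (e)-(g) CFK now in memory (16)
    s_next = secrets.token_bytes(32)                     # (h) Sn+1
    k_next = token.challenge(s_next)                     # (j) Kn+1; token now holds Sn+1
    disk.puzzle, disk.efk = s_next, wrap_key(cfk, k_next)  # (i),(l),(m)
    return cfk
```

Each boot replaces Sn and EFKn on disk, so a copy of the disk taken before a boot cannot be unlocked by replaying the old Kn.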
12. A computer data access system, comprising:
a plug-in token device (20) for a computer (10) on a data port (18), and providing for filtering of data flowing between the computer's main processor (14), RAM memory (16), and a data storage (12);
a token processor (22) disposed within the token device (20), and providing for the execution of a data encryption/decryption program;
a token memory (24) included in the token device (20) and including a non-volatile secure memory region (24A);
a unique string of information that, in combination with said data encryption/decryption program executing on the token processor (22), enables token (20) to generate data unique to a particular token device;
a copy of the unique string of information possessed by an administrator at a remote location and that enables a boot-up of computer (10) if token device (20) is unavailable;
a dynamic seed (Sr) disposed within the token memory (24) included in the token device, and for assisting in recovery of any encrypted data stored in said data storage;
a dynamic key (Kn);
a clear file key (CFK) comprising a non-encrypted, symmetric file key used to encrypt and decrypt data stored on said data storage so as to allow user access while maintaining encrypted data on said data storage;
a transmitted copy of the clear file key (CFK) that is sent to a RAM memory in said computer that exists there until said computer is powered down; thereafter, using an encryption/decryption program running on the computer processor (14), and the clear file key (CFK) in memory (16), to routinely decrypt data as it is read from hard disk storage device (12) to computer memory (16), and to routinely encrypt data as it is written from computer memory (16) to the hard disk storage device (12); and
a token processor information disposed within the token device and providing for execution of a data encryption/decryption process to generate unique data using the unique string of information.
Specification