US2008263363A1PendingUtilityA1

Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption

51
Assignee: SPYRUS INCPriority: Jan 22, 2007Filed: Jan 22, 2008Published: Oct 23, 2008
Est. expiryJan 22, 2027(~0.5 yrs left)· nominal 20-yr term from priority
G06F 21/32H04W 12/63H04W 12/04H04L 9/0877G06F 21/6218G06F 2221/2153H04L 9/3226G06F 2221/2113H04W 12/06H04L 9/085H04L 63/0428H04L 63/061H04L 2209/80H04L 2209/24G06F 21/72H04L 9/0816H04W 12/02H04L 9/0861H04L 9/0822H04L 63/0876
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A portable encryption device with logon access controlled by an encryption key, with an on board cryptographic processor for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm, optionally shrouded with external secrets using an invertible transform resistant to quantum computing attacks. Another embodiment provides file decryption controlled by a file encryption key, with the on board cryptographic processor reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code. A method for encryption of a plaintext file by hashing, compressing, and encrypting the plaintext file, hashing the ciphertext, hashing the plaintext hash and the ciphertext hash, and sealing the ciphertext together with the resulting hash. A portable encryption device for performing the method is also disclosed.

Claims

exact text as granted — not AI-modified
1 . A portable encryption device with logon access controlled by an encryption key, comprising:
 an enclosure for the device providing a portable form factor, and   a cryptographic processor within the enclosure for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm.   
   
   
       2 . The device of  claim 1 , where the secret sharing algorithm comprises a K out of N secret sharing mechanism. 
   
   
       3 . The device of  claim 2 , where the K out of N secret sharing mechanism comprises Shamir's Secret-Sharing Algorithm. 
   
   
       4 . The device of  claim 2 , where the K out of N secret sharing mechanism comprises Lagrange interpolation. 
   
   
       5 . The device of  claim 1 , where one or more of the generated secrets have been shrouded with one or more external secrets using an invertible transform, such that any one of the external secrets may be changed without recreation or re-dealing of all of the plurality of generated secrets. 
   
   
       6 . The device of  claim 5 , where the invertible transform is XOR. 
   
   
       7 . The device of  claim 5 , where one or more of the external secrets comprise a user's PIN. 
   
   
       8 . The device of  claim 2 . 6 , where the PIN is a supervisory user's PIN. 
   
   
       9 . The device of  claim 5 , where the external secrets comprise a plurality of user's PINs, and the transform is invertible with less than all of the plurality of user's PINs. 
   
   
       10 . The device of  claim 5 , where one or more of the external secrets comprise a firmware hash. 
   
   
       11 . The device of  claim 5 , where one or more of the external secrets comprise a host authorization code associated with one or more specific host computing devices, binding the portable encryption device to such one or more host computing devices. 
   
   
       12 . The device of  claim 5 , where one or more of the external secrets is generated by a proximity detection mechanism. 
   
   
       13 . The device of  claim 5 , where one or more of the external secrets is a function of multivariate parameters. 
   
   
       14 . The device of  claim 13 , where the multivariate parameters are chosen from the group consisting of a geographic-locus and biometric input. 
   
   
       15 . The device of  claim 1 , further comprising means for communicating the external secrets over a secure channel with a secondary device. 
   
   
       16 . The device of  claim 15 , where the secondary device is a connected host computing device. 
   
   
       17 . The device of  claim 15 , where the secondary device is a remote device. 
   
   
       18 . The device of  claim 1 , where the encryption key is a master key encryption key. 
   
   
       19 . The device of  claim 1 , where the encryption key is an application key encryption key. 
   
   
       20 . The device of  claim 1 , further comprising means for interfacing with a user authentication device. 
   
   
       21 . The device of  claim 20 , where the authentication device comprises a secure PIN entry mechanism. 
   
   
       22 . The device of  claim 20 , where the authentication device comprises a secure biometric input. 
   
   
       23 . The device of  claim 1 , further comprising removable memory configured for data storage. 
   
   
       24 . The device of  claim 1 , further comprising a data communication module. 
   
   
       25 . The device of  claim 1 , where the cryptographic processor is a microprocessor programmed to execute cryptographic functions. 
   
   
       26 . The device of  claim 1 , further comprising a second cryptographic processor within the enclosure. 
   
   
       27 . A method for controlling logon access on a portable encryption device having a portable form factor and a cryptographic processor, comprising:
 generating a plurality of secrets by a secret sharing algorithm,   configuring the cryptographic processor to reconstitute an encryption key from the plurality of generated secrets, and   determining logon access as a function of the reconstituted encryption key.   
   
   
       28 . The method of  claim 27 , where the secret sharing algorithm comprises a K out of N secret sharing mechanism. 
   
   
       29 . The method of  claim 28 , where the K out of N secret sharing mechanism comprises Shamir's Secret-Sharing Algorithm. 
   
   
       30 . The method of  claim 28 , where the K out of N secret sharing mechanism comprises Lagrange interpolation. 
   
   
       31 . The method of  claim 27 , further comprising shrouding one or more of the generated secrets with one or more external secrets using an invertible transform, such that any one of the external secrets may be changed without regeneration or re-dealing of all of the plurality of secrets. 
   
   
       32 . The method of  claim 31 , where the invertible transform is XOR. 
   
   
       33 . The method of  claim 31 , where one or more of the external secrets comprise a user's PIN. 
   
   
       34 . The method of  claim 33 , where the PIN is a supervisory user's PIN. 
   
   
       35 . The method of  claim 31 , where the external secrets comprise a plurality of user's PINs, and the transform is invertible with less than all of the plurality of user's PINs. 
   
   
       36 . The method of  claim 31 , where one or more of the external secrets comprise a firmware hash. 
   
   
       37 . The method of  claim 31 , where one or more of the external secrets comprise a host authorization code associated with one or more specific host computing device, binding the portable encryption method to such one or more host computing devices. 
   
   
       38 . The method of  claim 31 , where one or more of the external secrets is generated by a proximity detection mechanism. 
   
   
       39 . The method of  claim 31 , where one or more of the external secrets is a function of multivariate parameters. 
   
   
       40 . The method of  claim 39 , where the multivariate parameters are chosen from the group consisting of a geographic-locus and biometric input. 
   
   
       41 . The method of  claim 27 , further comprising communicating the external secrets over a secure channel to a secondary device. 
   
   
       42 . The method of  claim 41 , where the secondary device is a host computing device. 
   
   
       43 . The method of  claim 41 , where the secondary device is a remote device. 
   
   
       44 . The method of  claim 27 , where the encryption key is a master key encryption key. 
   
   
       45 . The method of  claim 27 , where the encryption key is an application key encryption key. 
   
   
       46 . The method of  claim 27 , further comprising receiving input from a user authentication device. 
   
   
       47 . The method of  claim 46 , where the input is received over a secure channel. 
   
   
       48 . The method of  claim 46 , where the input comprises secure biometric data. 
   
   
       49 . A portable encryption device with file decryption controlled by a file encryption key, comprising:
 an enclosure for the device providing a portable form factor, and   a cryptographic processor within the enclosure for reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code.   
   
   
       50 . A method for controlling file decryption with a portable encryption device having a portable form factor and a cryptographic processor, comprising:
 generating a network authorization code,   distributing the network authorization code to a community of interest through an out-of-band distribution mechanism,   shrouding a file encryption key with the network authorization code using an invertible transform,   receiving the network authorization code from a user,   causing the cryptographic processor to reconstitute the file encryption key from the received network authorization code, and   determining file decryption as a function of the reconstituted file encryption key.   
   
   
       51 . The method of  claim 50 , further comprising decrypting an encrypted file as a function of the reconstituted file encryption key. 
   
   
       52 . The method of  claim 50 , where the invertible transform is XOR. 
   
   
       53 . The method of  claim 50 , where the invertible transform is resistant to quantum computing attacks. 
   
   
       54 . The method of  claim 50 , further comprising encrypting the network authorization code and distributing the code to a recovery agent. 
   
   
       55 . A method for file encryption of a plaintext file, comprising the steps of:
 hashing the plaintext file to produce a plaintext hash,   compressing the plaintext file,   encrypting the compressed plaintext file to create ciphertext,   hashing the ciphertext to produce a ciphertext hash,   hashing the plaintext hash and the ciphertext hash to produce a result hash, and   sealing the ciphertext together with the result hash, to produce the encrypted file.   
   
   
       56 . The method of  claim 55 , further comprising steps for communicating the encrypted file to originator-selected optional recipients. 
   
   
       57 . The method of  claim 55 , further comprising steps for an enforced mandatory recovery agent. 
   
   
       58 . The method of  claim 55 , further comprising steps for breaking the encryption of the encrypted file at a pre-determined date. 
   
   
       59 . The method of  claim 55 , the sealing step further comprising embedding forward error correction within the encrypted file. 
   
   
       60 . The method of  claim 55 , the plaintext file having metadata, further comprising the step of separately encrypting the metadata, and the sealing step comprising sealing the ciphertext together with the result hash and the encrypted metadata. 
   
   
       61 . The method of  claim 60 , further comprising steps for an independent key exchange mechanism to permit decrypting the metadata by catalog agent. 
   
   
       62 . The method of  claim 55 , further comprising use of a portable encryption device having a portable form factor and an on-board cryptographic processor to perform one or more of the steps. 
   
   
       63 . A portable encryption device for encryption of a plaintext file, comprising an enclosure for the device providing a portable form factor, and a cryptographic processor within the enclosure configured to perform the steps of  claim 55 .

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.