Data protecting device
An event condition is checked, using a computer and data content of the computer is additionally protected in relation to a normal data protection according to the event condition. The event condition is detecting by the computer a remote command and/or detecting a state according to a policy.
Latest Fujitsu Limited Patents:
- SIGNAL RECEPTION METHOD AND APPARATUS AND SYSTEM
- COMPUTER-READABLE RECORDING MEDIUM STORING SPECIFYING PROGRAM, SPECIFYING METHOD, AND INFORMATION PROCESSING APPARATUS
- COMPUTER-READABLE RECORDING MEDIUM STORING INFORMATION PROCESSING PROGRAM, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING APPARATUS
- COMPUTER-READABLE RECORDING MEDIUM STORING INFORMATION PROCESSING PROGRAM, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING DEVICE
- Terminal device and transmission power control method
The embodiments discussed herein relate to data protection.
BACKGROUNDCurrently, computing devices (computers), and in particular, for example, small portable or mobile computing devices, such as USB memory stick, are widely used to store data, for example, personal and/or company sensitive data. As users move around with these kind of devices, comparing to laptops, these kind of devices is easier to be lost or stolen. When a device is lost or stolen, the data, such as the personal and/or company sensitive data, can be leaked to or accessed by unauthorized parties, which may lead to unnecessary damages for the person and/or the company the person works for.
SUMMARYAccording to the embodiments of the invention, methods, apparatuses and/or computer readable media that are installable or can be implemented or can be caused to be executed in computing devices (hereinafter also referred to as a device) for protecting data from an unauthorized user are described. According to an aspect of an embodiment, the data on a computing device is destructed (for example, data erased, memory destroyed) and/or made inaccessible (for example, encrypted), after certain conditions (e.g. the device is reported lost or stolen) are met. Optionally, a verifiable status report will be sent to a server for a record.
An example embodiment allows a portable computing device (such as USB memory stick) to destruct its data content while certain conditions have been met (such as lost or stolen or being requested by a server, or any combinations thereof). According to another aspect of an embodiment, since in most cases, a device might be out of reach of authorized users, the destruction procedure must be done automatically. An example advantage of an embodiment of the invention is that certain described methods make it very difficult for attackers to prevent protection of the data, for example, to prevent the data from being destructed. Therefore potential data leakage can be substantially avoided. And other described methods can have very low requirements to fulfill the data protection job automatically.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
According to embodiments of the invention, methods, apparatuses and/or computer readable media that are installable or can be implemented or can be caused to be executed in computing devices (hereinafter also referred to as a device) for protecting data from an unauthorized user are described. According to an aspect of an embodiment, the data is sensitive data, such as personal information, restricted data according to a policy, or any combination thereof. According to an aspect of an embodiment, access to data is controlled, for example, data is protected from unauthorized access or limited to authorized access, depending upon or according to occurrence of one or more event condition. According to an aspect of an embodiment, the data on a computing device is destructed (for example, data erased, memory destroyed) and/or made inaccessible (for example, encrypted) after certain conditions (e.g. the device is reported lost or stolen) are met to meet a data protection or data access policy. A data protection or data access policy can be set by any entity, for example, a company (rules or regulations), a government (e.g., laws, rules/regulations) or a person.
According to an embodiment, as a computing device with data access protection according to an event condition (occurrence of a trigger event), a portable Universal Serial Bus (USB) device, such as a USB memory stick, is described, however, the present invention is not limited to a USB memory stick, but any computing device can embody the embodiments of the invention. For example, a mobile phone or other portable/mobile/handheld devices can be a computing device. Inside a device (e.g. USB memory stick), a destruction component (hardware or software) is installed. The function of the component is to destruct the contents on the device.
According to an embodiment, access to data is controlled in addition to normal access control on a computer by checking for an event condition, using a computer; and additionally protecting data content in relation to a normal data protection on the computer according to the event condition according to the event condition. For example, in
In addition, the device 100 at 4 can report via device interface by notifying a state of the data protection, such as a report that the data has been destroyed. The report can be to the remote device 102 and/or 104 and/or to a user of the device 100. The device 100 can include a backup function 5 to backup of data content according to application criteria/policy and/or a recovery function 6 to recover from an additional access control to data. The device 100 can include a tamper resistance function 7 that triggers an event condition, for example, upon detecting unauthorized tampering with hardware and/or software components of device 100, which in turn triggers additional data protection.
The device 100 can also include a Trusted Platform Module (TPM) 1514 that includes one or more of a crypto processor 220, a counter 222, a key storage 224 and/or a random number generator (RNG) 226. The device 100 can also include a real-time clock (RTC) 228 and/or a battery 229 for the RTC (as the case may be).
Scenarios or examples of event conditions that trigger additionally protecting data content in relation to a normal data protection on the computer are described.
For example, as the bypass logic 2, a wireless module is installed in the device 100 (e.g. cellular module). The wireless module can communicate to a server 104 constantly (e.g., continuously, or at random, or at fixed time intervals, or any combinations thereof). Once the device 100 receives a destruction command, it will turn on the destruction component on the device 100.
In case of data protection by destruction, some examples of the destruction components in a computer system that includes the destructible device 100 include:
Hardware: a component, for example, the PC 102 and/or server 104, to send signals to a self-destructible chip in the target device 100 that stores the content;
Hardware: a component that holds material, for example, chemical material, which will destruct the target device 100 once the chemical material released;
Software: a piece of program that will delete all the contents on the device once being invoked.
According to an embodiment, a mechanism is provided to turn on the destruction component on the device 100, when, as in most cases, the device 100 is already out of reach (lost or stolen or not in remote communication) of authorized persons.
Possible drawbacks could be the device 100 might need a lot of battery power to support constant communication; it needs wireless communication time if a cell network is used, which could be expensive; it could be unreliable since attackers may remove the battery 204 from the device 100 or hide the device in a location where wireless network become unavailable. In these circumstances, the device 100 will not receive the destruction command correctly and the destruction component will not be turned on.
One additional improvement provides in the device 100, a function, which maps a timestamp from the RTC 229 to a binary message, has been defined beforehand. A remote computer, such as the PC 102 and/or the server 104 is also aware of the function. One example of such functions is a SHA1 hash function. Instead of being always on, a security check point that checks in or waits for a check via, for example, the wireless module 210 will only be activated once every certain time period (random and/or predetermined time intervals). Optionally, the wait time between two consecutive activation times should be random so that attackers cannot guess what the next activation time is. According to an embodiment, random activation of the security checkpoint in the device 100 can be synchronized with the remote device 102 and/or 104. During the activation time, the security policy logic 206 will wait for a message from the remote device. The message from the remote device is encrypted, for example, by a remote server private key where the corresponding public key is known to the device 100. The message can include a unique ID about the device 100, the current time, the output of the pre-defined function using the current time, and a data protection function (e.g., command, flag states, notice, etc.), for example, a YES/NO flag, for activating additional data protection, for example, data destruction. Once the device 100 receives the message, the device 100 can decrypt the message using the known public key, check the unique ID (if the unique ID is not about the device, ignore the message and/or take other data protection related action) and check the binary output of the pre-defined function, one or more of which serve as authentication of the remote device as well as a remote data access control command. If the device 100 cannot be activated, or the device 100 cannot receive the message from the remote device within a time limit, or the device 100 cannot decrypt the message, or the device 100 cannot verify the binary message from the time stamp, or based upon an combinations thereof, it can be counted, for example, as one NG. For example, in case of data destruction as a form of data protection, under the following one or more conditions the destruction component will be turned on: 1) the server sets YES flag for destruction; or 2) the device has consecutive n NGs, where n is predefined. According to an aspect of an embodiment, once the destruction component is turned on and fulfilled its job, the device 100 can continuously send a “destructed” message back to the remote device, until one or more 1) battery 204 and/or 228 is/are used up; or 2) an acknowledge message is received from the remote device.
The state of the registry can be according to one or more event conditions, including an elapsed time, receipt of a remote data protection control message, user authentication failure, device 100 authentication failure, or any combinations thereof. In addition, occurrence of an event conditions is settable by one or more of predetermination, according to a policy, or dynamically and/or real-time configurable, or any combinations thereof.
According an embodiment, when a device 100 is not in communication with another remote computer, for example, upon detecting a USB device 100 is unplugged from a computer, a counter 310 in the USB device 100 using the RTC 229 counts down for a period of time or waits for a wake time, upon expiration of which or arrival of wake time an additional data protection is activated in the USB device 100.
According to an embodiment, the device 100 and/or target data of the device 100 has a life by activating independently of any check-in with a remote computer a counter 310 in the device 100 (e.g., a USB device 100) using the RTC 229. The counter 310 counts down for a period of time or waits for a wake time, upon expiration of which or arrival of wake time an additional data protection is activated in the USB device 100. The life can be extended be providing additional authorization by user interface and/or by communication with a remote computer.
A measurement refers to a fixed-length digital representation of an input data sequence of any length. A measurement can be, for example, a digital representation of whole and/or portion(s) of an operating environment (e.g., OS, data in computer readable media (memory, hard disk, etc.), data about configured peripherals/devices) and/or of files (e.g., files of software applications, data files) of a target machine, or in case of a VM an input virtual machine (VM) image including any VM hard disk and/or memory image, and/or files (e.g., files of software application, data files) of any VM on the target computing device, and used for verifying the target machine or target VM of the target machine as a ‘trust state’ of the target machine and/or target VM, for example, by comparison against another measurement(s) to detect any changes in the target machine and/or in the target VM in the target machine.
Another trigger is the device 100 receiving a data protection, such as a data destruction command. Another trigger is when the device 100 cannot report its security state to a remote device 102 and/or 104 and/or detecting physical tempering of the device 100.
In
At 506, the device 100 monitors for additional data protection triggers as event conditions. For example, the device 100 monitors whether the offline time limit has exceeded, where for the set time period the document is protected by normal security measures of USB access control and/or data encryption, and upon elapse of the set time period, the device 100 activates additional data content protection measures, for example, by making data inaccessible, for example, by destroying the data content, and/or to extend offline access by requiring a security check-in with and/or by the remote devices 102 and/or 104, and/or by the user. The security check-in can be to verify whether the data content should still be accessible, whether the device 100 can communicate with the remote devices 102 and/or 104, whether the user can be authenticated, or whether obtaining and/or applying new data encryption, or any combinations thereof.
In addition, at 506, the device 100 can monitor whether there is a connection to an unauthorized remote device 102 and/or 104 as a security event condition. At 506, user authentication failure can be a security event condition. At 506, the device 100 can receive an additional data protection command (e.g., a data destruction command) from a remote device. At 506, the device 100 can monitor whether reporting/receiving security state (e.g., via remote devices 102 and/or 104 to/from remote device 102 and/or 104) by the device 100 is possible or has failed. At 506, the device 100 can monitor whether there is any physical tampering of device 100, for example, tempering of the TPM 1514. According to an aspect of an embodiment, security related failures can be accumulated in a history until a condition to activate additional data protection is reached.
At 506, the device 100 monitors for security event conditions according to polic(ies) and additionally protects data of the device 100 in relation to a normal data protection on the device 100, according to the event security conditions. At 508, the device 100 performs normal activities, such as synchronize with the server 104, for example, to extend and/or to maintain the set time period of offline work, or upload document worked (e.g., updated) offline, or any combinations thereof.
According to an embodiment, the device 100 can send the remote device 102 and/or 104 a message at the beginning of each time window (tw). And the device 100 can also send asynchronous messages to a remote device, for example, when the device 100 may trigger a call for destruction not related by time, but, for example, because the device 100 is plugged to an unauthorized machine, for example, determined by a failure in a certificate for the machine (any information that can verify a machine, private/public key, document, etc.), and/or verification of a measurement of a virtual machine of the plugged to machine.
By sending messages at the beginning of each ON time window, tight synchronization might not be necessary between the remote device 102 and/or 104 and the device 100, as the remote device 102 and/or 104 will know when the device 100 is ready to receive messages. However the remote device 102 and/or 104 should still expect messages from the device 100 on specific time lapses, and react if these messages are not received timely.
In
According to an aspect of an embodiment, the time window is a window of time (period of time) during which the device 100 and a remote device 102 and/or 104 expect to transceive a message. The time window indicates that each device will be alive for a period of time to conduct a security related transaction. The duration of a time window is adjustable according to a policy, the longer the time window, the less important message synchronization between the devices and more power usage; and the shorter the time window, the more important message synchronization between the devices, which increases sensitivity of a trigger based upon message receipt failure, and less power usage.
In
In
In
In some cases when the security requirement is low, an alternative mechanism for remote destruction is described: every time when the device 100 is plugged to a PC 102, an inquiry is sent over PC's network to the server 104. If the server 104 returns YES for destruction, the destruction component of the device 100 will be turned on and the report will be sent to the server 104 after the destruction procedure completes; if the server 104 returns NO, users can start to use the device 100; or (in some cases) if the server 104 is unreachable (e.g. the host PC's network function is disabled), the device 100 will be disabled and will not release its content.
Another alternative method does not require any communication between device clients 100 and the remote devices, such as the PC 102 and/or the server 104: before delivering the device 100 to a user, a self-destruction time is set and stored in the device 100. Inside the device 100, there is a clock 229. When the preset self-destruction time is reached, the destruction component of the device 100 will be turned on. Optionally, the self destruction time can be modified when the device 100 receives messages from the remote device 102, 104 about updated self-destruction time before its destruction.
There can be other methods that do not need any communication between device clients 100 and the remote devices 102, 104: a policy is defined and stored in the device 100 before delivery to a user. Any security related mistake (breach and/or attempted breach) a user makes related to the device 100 will be assigned certain points. For example, when the user fails to verify itself in two consecutive occasions: 1 point; when the user tries to use the device 100 in an unauthorized platform: 2 points, and so on. The points will be accumulated and recorded in the device 100. When the total points reach a predefined threshold, the destruction component of the device 100 will be turned on.
Based on applications, these methods might be combined into a specific application oriented remote destruction rule. Example benefits include to securely transport and use confidential data, such as confidential internal or customer data of a company—not just to prevent data leakage, but also to ensure strict accountability in accordance with corporate compliance policies. For example, in case of a USB device, two conditions can be set to be met: 1) in the event the USB device is lost or stolen, the data should not only be encrypted, but should automatically be deleted; and 2) confidential data should be prevented from being copied except on specified USB devices or servers.
Therefore, according to an aspect of the embodiments of the invention, any combinations of one or more of the described features, functions, operations, and/or benefits can be provided. A combination may include only one or may include two or more. The embodiments can be implemented as an apparatus (a machine) that includes computing hardware (i.e., computing apparatus), such as (in a non-limiting example) any computer that can store, retrieve, process and/or output data and/or communicate (network) with other computers. In addition, an apparatus can include one or more apparatuses in computer network communication with each other or other apparatuses. In addition, a computer processor can include one or more computer processors in one or more apparatuses or any combinations of one or more computer processors and/or apparatuses. An aspect of an embodiment relates to causing one or more apparatuses and/or computer processors to execute the described operations. The results produced can be displayed on the display.
A program/software implementing the embodiments may be recorded on computer-readable recording media. Examples of the computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or volatile and/or non-volatile semiconductor memory (for example, RAM. ROM, etc.). Examples of the magnetic recording apparatus include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape (MT). Examples of the optical disk include a DVD (Digital Versatile Disc), DVD-ROM, DVD-RAM (DVD-Random Access Memory), BD (Blue-ray Disk), a CD-ROM (Compact Disc-Read Only Memory), and a CD-R (Recordable)/RW.
The program/software implementing the embodiments may also be included/encoded as a data signal and transmitted over transmission communication media. A data signal moves on transmission communication media, such as wired network or wireless network, for example, by being incorporated in a carrier wave. The data signal may also be transferred by a so-called baseband signal. A carrier wave can be transmitted in an electrical, magnetic or electromagnetic form, or an optical, acoustic or any other form.
All examples and conditional language recited herein are intended for pedagogical objects to aid the reader in understanding the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions, nor does the organization of such examples in the specification relate to a showing of the superiority and inferiority of the invention. Although the embodiment(s) of the present inventions have been described in detail, it should be understood that the various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the invention.
Claims
1. A method, comprising:
- checking by a computer for an event condition;
- protecting by the computer target data of the computer in addition to existing data protection on the computer, according to the event condition,
- the checking of the event condition comprises activating the computer with the target data at random time intervals to detect a security check received from a remote computer via a data communication interface and obtaining the event condition from the remote computer,
- the activating to detect the security check received from the remote computer further comprises receiving an encrypted message including a data protection function and a synchronization random number during a time window at the random time intervals, the time window duration to receive the security check from the remote computer being settable according to a policy for increasing or decreasing the encrypted message synchronization between the computer and the remote computer; and
- accumulating a history of failures to obtain the event condition during a set duration of one or more time windows at the random time intervals until reaching a condition to trigger the additionally protecting of the target data.
2. The method according to claim 1, wherein the checking of the event condition further comprises detecting a state of the computer.
3. The method according to claim 2, wherein the event condition obtained from the remote computer comprises one or more of a computer identification (ID), output of a function using a current time and a data protection function for the additionally protecting of the target data on the computer,
- wherein a detected state of the computer triggering the additionally protecting of the target data is according to one or more of a failure to obtain the event condition from the remote computer, verifications of the computer ID and/or the function output or any combinations thereof.
4. The method according to claim 2, wherein a detected state of the computer triggering the additionally protecting of the target data is according to a failure to obtain the event condition from the remote computer, a failure to verify the encrypted message, or a failure to receive a random number in sequence, or any combinations thereof.
5. The method according to claim 2, wherein the state of the computer comprises one or more of a failure based upon user authentication, verification of the computer, verification of a remote computer, physical tempering of the computer, or any combinations thereof, according to a policy.
6. The method according claim 5, further comprising operating at the computer and/or at the remote computer a virtual machine and measuring the virtual machine of the computer and/or the remote computer for verification.
7. The method according to claim 1, wherein the protecting of the target data includes destroying the target data content by erasing the data, invalidating an encryption key to the target data and/or physical destruction.
8. The method according to claim 1, wherein the event condition is a period of time and upon expiration of the time period, the additionally protecting of the target data includes making target data of the computer inaccessible.
9. The method according to claim 1, wherein the event condition includes communicably disconnecting the computer from another computer and the additionally protecting of the target data includes making target data of the computer inaccessible after a period of time from the disconnecting.
10. A computing device communicably connectable to a remote computer, comprising:
- a computer processor that executes checking for an event condition; protecting target data of the computing device in addition to existing data protection, according to the event condition, the checking of the event condition comprises activating the computing device at random time intervals to detect a security check received from the remote computer via a data communication interface and obtaining the event condition from the remote computer, the activating to detect the security check received from the remote computer further comprises receiving an encrypted message including a data protection function and a synchronization random number during a time window at the random time intervals, the time window duration to receive the security check from the remote computer being settable according to a policy for increasing or decreasing the encrypted message synchronization between the computing device and the remote computer; and accumulating a history of failures to obtain the event condition during a set duration of one or more time windows at the random time intervals until reaching a condition to trigger the additionally protecting of the target data.
11. The computing device according to claim 10, wherein the checking of the event condition further comprises:
- detecting a state of the computing device based upon: a failure based upon user authentication, verification of the computing device, verification of the remote computer, physical tempering of the computing device, or any combinations thereof, according to a policy.
12. The computing device according to claim 10, wherein the event condition is a period of time and upon expiration of the time period, the additionally protecting of the target data includes making target data of the computing device inaccessible.
13. The computing device according to claim 10, wherein the event condition includes communicably disconnecting from the remote computer and the additionally protecting of the target data includes making target data of the computing device inaccessible after a period of time from previous communication with the remote computer.
14. The device according to claim 11,
- wherein a detected state of the computing device triggering the additionally protecting of the target data is according to a failure to obtain the event condition from the remote computer, a failure to verify the message, or a failure to receive a random number in sequence, or any combinations thereof.
15. A computer system comprising:
- a server computer; and
- a portable device communicably connectable to the server computer and including a computer processor to execute: checking for an event condition from the server computer and/or from a state of the portable device; protecting target data of the portable device in addition to existing data protection, according to the event condition, the checking of the event condition comprises activating the portable device at random time intervals to detect a security check to be received from the server via a data communication interface and obtaining the event condition from the remote computer, the activating to detect the security check received from the server further comprises receiving an encrypted message including a data protection function and a synchronization random number during a time window at the random time intervals, the time window duration to receive the security check from the remote computer being settable according to a policy for increasing or decreasing the encrypted message synchronization between the portable device and the server; and accumulating a history of failures to obtain the event condition during a set duration of one or more time windows at the random time intervals until reaching a condition to trigger the additionally protecting of the target data.
20040019800 | January 29, 2004 | Tatebayashi et al. |
20040083373 | April 29, 2004 | Perkins et al. |
20040103288 | May 27, 2004 | Ziv et al. |
20040122940 | June 24, 2004 | Gibson et al. |
20040148385 | July 29, 2004 | Srinivasan et al. |
20050039046 | February 17, 2005 | Bardsley et al. |
20050221800 | October 6, 2005 | Jackson et al. |
20060015941 | January 19, 2006 | Mckenna |
20070260922 | November 8, 2007 | Cao et al. |
20070294770 | December 20, 2007 | Cuenod et al. |
20080016355 | January 17, 2008 | Beun et al. |
20080107262 | May 8, 2008 | Helfman et al. |
20080263658 | October 23, 2008 | Michael et al. |
20090122143 | May 14, 2009 | Latham et al. |
20100332744 | December 30, 2010 | Khosravi et al. |
2004-349902 | December 2004 | JP |
2007-074707 | March 2007 | JP |
2008-154080 | July 2008 | JP |
2008-269232 | November 2008 | JP |
- PCT International Search Report and Written Opinion of the International Searching Authority dated Oct. 12, 2010 in corresponding International Application No. PCT/US2010/046143 (7 pages).
- International Preliminary Report on Patentability (Chapter I of PCT), issued Jul. 4, 2012, in corresponding International Patent Application No. PCT/US2010/046143 (6 pages).
- Japanese Office Action mailed Nov. 12, 2013 in corresponding Japanese Patent Application No. 2012-547064 (5 pages) (3 pages English Translation).
Type: Grant
Filed: Dec 31, 2009
Date of Patent: Apr 1, 2014
Patent Publication Number: 20110162076
Assignee: Fujitsu Limited (Kawasaki)
Inventors: Zhexuan Song (Sunnyvale, CA), Jesus Molina (Sunnyvale, CA), Joseph Gordon (Sunnyvale, CA)
Primary Examiner: Jason Gee
Application Number: 12/651,269
International Classification: H04L 29/06 (20060101);