By Using Cryptography (epo) Patents (Class 711/E12.092)
  • Publication number: 20100058013
    Abstract: An encryption for a distributed global online backup system with global two-stage deduplication in the absence of an indexing database where data blocks are encrypted using their SHA-1 signatures as encryption keys.
    Type: Application
    Filed: June 24, 2009
    Publication date: March 4, 2010
    Applicant: VAULT USA, LLC
    Inventors: Thomas M. Gelson, Alexander Stoev
  • Publication number: 20100058070
    Abstract: A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ε-differentially uniform function on the result of the combination, XORing the result of the ε-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code.
    Type: Application
    Filed: August 28, 2008
    Publication date: March 4, 2010
    Inventors: Juan A. Garay, Vladimir Kolesnikov, Hubert Rae McLellan
  • Publication number: 20100058046
    Abstract: A method and apparatus for instantly-available applications in a computer system is presented. A computer that incorporates fast non-volatile primary memory for storing the application software and/or operating system, resulting in an instant-on computer is presented. Large parts of the application code and/or operating system code are stored in non-volatile write-protectable areas of the memory that cannot be modified by malicious sources, resulting in a secure computer. It solves the problem of typical computers having to load the applications from a slow device such as the hard disk to the main memory. This loading is avoided by permanently housing the applications in a non-volatile main memory. The system also solves the problem of corruption of application software areas from malicious sources. The memory system contains writeable and write-protected areas and a memory controller that controls the access to the various regions of the memory.
    Type: Application
    Filed: September 22, 2008
    Publication date: March 4, 2010
    Applicant: Texas Digital and Multimedia Systems
    Inventors: Eugene B. John, Thomas John, Lizy K. John
  • Publication number: 20100058071
    Abstract: A system and method for encrypting an electronic file in a mobile electronic device reads bytes of the electronic file from a cache of a memory system and divides the bytes into a plurality of byte lines. The system and method further assigns a numerical cipher to each byte line and searches a position of each numerical cipher in a corresponding byte line. Furthermore, the system and method encrypt each byte line by inserting one or more random bytes into each byte line, and generates an encrypted electronic file by combining all the encrypted byte lines.
    Type: Application
    Filed: July 15, 2009
    Publication date: March 4, 2010
    Applicant: CHI MEI COMMUNICATION SYSTEMS, INC.
    Inventor: CHING-WEN HSUEH
  • Publication number: 20100058074
    Abstract: A right information encryption module 110a comprises a key generation part 111a, a right information encryption part 112a, and a key management information generation part 113a. Key information Km and key management information Mm corresponding to right information are generated and then recorded into a secret recording module 130a. In addition, the right information is encrypted, and then the encrypted right information Enc_a (ROm, Km) and the key management information Mm are recorded into a recording module 140a. This can eliminate the possibility of a capability shortage of a secret area caused by an increase in the data size of the right information including the key information and use restriction information for a content.
    Type: Application
    Filed: March 10, 2008
    Publication date: March 4, 2010
    Inventors: Hiroshi Sakurai, Hirofumi Nakagaki, Hirokazu So, Masahiro Nakanishi
  • Publication number: 20100049991
    Abstract: A method for securing data includes encrypting the data and storing a key (54) for deciphering the encrypted data in a volatile memory (56) coupled to a power source (62). In response to an event indicative of a vulnerability of the data to unauthorized exposure, the power source is disconnected from the volatile memory.
    Type: Application
    Filed: May 6, 2008
    Publication date: February 25, 2010
    Applicant: GITA TECHNOLOGIES LTD
    Inventors: Lior Frenkel, Amir Zilberstein
  • Publication number: 20100049906
    Abstract: The invention relates to a non-volatile memory device comprising: an input for providing external data (D) to be stored on the non-volatile memory device; a first non-volatile memory block (100) and a second non-volatile memory block (200), the first non-volatile memory block (100) and the second non-volatile memory block (200) being provided on a single die (10), wherein the first non-volatile memory block (100) and second non-volatile memory block (200) are of a different type such that the first non-volatile memory block (100) and the second non-volatile memory block (200) require incompatible external attack techniques in order to retrieve data therefrom; and an encryption circuit (50) for encrypting the external data (D) forming encrypted data (D?, D?) using unique data (K, K1, K2) from at least the first non-volatile memory block (100) as an encryption key, the encrypted data (D?, D?) at least being stored into the second non-volatile memory block (200).
    Type: Application
    Filed: September 27, 2007
    Publication date: February 25, 2010
    Applicant: NXP, B.V.
    Inventor: Guoqiao Tao
  • Publication number: 20100049993
    Abstract: A device and method is provided for commonly and securely allowing, as access control on a memory card, a plurality of information processing apparatuses to lock/unlock the memory. On the basis of a lock command input from an information processing apparatus serving as a host, such as a PC, an information storage device, such as a memory card, determines whether (a) a standard lock key set serving as a key set prohibiting output or (b) an export lock key set serving as a key set permitting output is detected and stores corresponding key set information. Only when the export lock key set is detected, output is permitted provided that predetermined verification succeeds.
    Type: Application
    Filed: November 5, 2009
    Publication date: February 25, 2010
    Applicant: Sony Corporation
    Inventors: Takumi Okaue, Kenichi Nakanishi, Jun Tashiro, Hideaki Okubo
  • Patent number: 7669025
    Abstract: The present invention provides an apparatus for security of accessing data, comprising a storage device including an address transform detector, a first lock bit register and a data comparator, the address transform detector providing a predetermined correction signal, data outputted from the storage device could be correctly identified when a memory address signal matches the predetermined correction signal and a latch signal is provided to the first lock bit register; and a micro-control unit for receiving data outputted from the storage device, the outputted data being stored in a second lock bit register and encoded by a serial encoding unit, a locking signal being fed back to the storage device; wherein a data encoded signal outputted from the first lock bit register and the locking signal are provided to a data comparator for comparison and determining whether to output correct data to an encoding control unit according to the comparison.
    Type: Grant
    Filed: June 4, 2007
    Date of Patent: February 23, 2010
    Assignee: Holtek Semiconductor Inc.
    Inventor: Chun-Yao Liao
  • Publication number: 20100031063
    Abstract: Systems and methods for registering a module for backup, backing up a module, and restoring a backed up module are provided.
    Type: Application
    Filed: July 31, 2009
    Publication date: February 4, 2010
    Applicant: Koolspan, Inc.
    Inventors: Anthony Fascenda, Emil Sturniolo, Robert Cichielo, Paul Benware
  • Publication number: 20100031058
    Abstract: To protect data from corruption due to restoration of an encryption key to a wrong storage system, there is provided a computer system including a first storage system and a second storage system, wherein: the first storage system, upon receiving a request to write first data to a first area in the first storage system, encrypts the first data by using a first key and writes the first data in the first area, and, upon receiving a request to write second data to a third area, encrypts the second data by using a second key and transmits a request to write the encrypted second data in a second area in the second storage system; and the computer system holds the first key, an identifier of the first storage system associated with the first key, the second key, and an identifier of the second storage system associated with the second key.
    Type: Application
    Filed: February 4, 2008
    Publication date: February 4, 2010
    Inventors: Daisuke Kito, Kenji Fujii, Nobuyuki Osaki
  • Publication number: 20100031056
    Abstract: A storage system comprises a connector to which a removable module is connected. The removable module comprises a storage section for storing encryption/decryption information related to encryption and decryption of data, and/or an encryption/decryption engine for encrypting/decrypting data by a predetermined encryption/decryption scheme. A control section and/or a module of the storage system encrypts data using the encryption/decryption information, or decrypts encrypted data using the encryption/decryption information. Alternatively the encryption/decryption engine encrypts data or decrypts encrypted data.
    Type: Application
    Filed: January 4, 2008
    Publication date: February 4, 2010
    Applicant: Hitachi, Ltd.
    Inventor: Akitatsu HARADA
  • Publication number: 20100031057
    Abstract: An encryption scheme for mass storage devices employing a tweakable encryption scheme to add variability to the encrypted data to resist attacks by traffic analysis. Explicit tweak and implicit tweak may be used to add variability to plaintext prior to encryption and eventual storage. The tweak information is either stored on the storage device along with the encrypted data as in the case of an explicit tweak, or it is derived from another source when needed as in the case of an implicit tweak. The ciphertext is decrypted using either the stored explicit tweak value or the derived implicit tweak value to “de-tweak” the decrypted data prior to usage. The data may be deleted by destroying the cipher key(s) to render the ciphertext useless. The tweak information alone is useless for decryption, as the ciphertext needs to be decrypted with the cipher key(s).
    Type: Application
    Filed: February 1, 2008
    Publication date: February 4, 2010
    Inventors: Donald Rozinak Beaver, Laszlo Hars
  • Publication number: 20100031060
    Abstract: Methods and apparatus for accessing a redundant array of independent drives (RAID) storage device are disclosed. In some embodiments file data is broken into multiple segments. A cryptographic operation is performed on one or more segments to generate encrypted segment(s). One or more parity syndrome is computed from the encrypted segment(s) and the unencrypted segment(s). The encrypted segment(s), the unencrypted segment(s) and the parity syndrome(s) are striped onto different individual drives. Since the cryptographic operation is not performed on all the segments, it may also be performed concurrently with computing of parity syndrome(s) from other unencrypted segments.
    Type: Application
    Filed: February 15, 2008
    Publication date: February 4, 2010
    Inventors: YEN HSIANG CHEW, Subhankar Panda
  • Publication number: 20100031059
    Abstract: A security device including a first external interface; a second external interface; and a security controller connected to said first external interface and said second external interface, said security controller being adapted to validate an access right based on a codeword received via said first interface to perform an encrypted memory access via said second external interface to an external memory coupleable to said second external interface, and to prevent that encrypted memory access via said first external interface or prevent any output of data via said first external interface depending on data received via said second external interface in case of a negative validation.
    Type: Application
    Filed: February 13, 2008
    Publication date: February 4, 2010
    Applicant: Infineon Technologies AG
    Inventors: Peter Laackmann, Marcus Janke
  • Publication number: 20100023777
    Abstract: A system and method of operating a device to securely update the control firmware controlling the device. Downloading a firmware update package to a first microcontroller of the device. Determining a firmware update portion and an encrypted hash portion of the firmware update package wherein the encrypted hash portion is cryptographically signed by a signatory. Confirm that the encrypted hash portion conforms to the firmware update by independently computing the hash of the encrypted firmware update portion on the first microcontroller and comparing that value to the signed hash. Other systems and methods are disclosed.
    Type: Application
    Filed: November 12, 2007
    Publication date: January 28, 2010
    Applicant: GEMALTO INC
    Inventors: Sylvain Prevost, Ksheerabdhi Krishna, Ruchirkumar D. Shah, Mehdi Asnaashari
  • Publication number: 20100008510
    Abstract: Firmware is securely downloaded from a host to an information storage device using an encryption key generated by the information storage device. The encryption key is generated in response to a firmware download request by the host. The host encrypts the firmware image with the encryption key and downloads the encrypted firmware image to the information storage device. The information storage device receives the encrypted firmware image, decrypts the firmware image, and updates its firmware with this firmware image.
    Type: Application
    Filed: July 10, 2008
    Publication date: January 14, 2010
    Inventor: Fernando A. Zayas
  • Publication number: 20100011180
    Abstract: According to one embodiment, a storage medium configured to be connectable to apparatuses for processing an encrypted content, the medium stores a content key of the encrypted content, and a copy control list includes information indicating one of the apparatuses which is a copying destination of the encrypted content.
    Type: Application
    Filed: July 10, 2009
    Publication date: January 14, 2010
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventor: Daisuke YASHIMA
  • Publication number: 20100011007
    Abstract: In accordance with one or more embodiments of the present disclosure, systems and methods described herein provide for transferring data over one or more networks. A storage area network is adapted to communicate with the one or more networks. A first component is adapted to route data to and from the storage area network. A second component is adapted to route data to and from the storage area network. A gateway component is adapted to control the routing of data between the first and second components and the storage area network. The storage area network is adapted to separate metadata from the data and store the metadata in a secure server positioned behind the gateway component.
    Type: Application
    Filed: July 2, 2009
    Publication date: January 14, 2010
    Applicant: The Boeing Company
    Inventors: David D. Bettger, Ismael Rodriguez, Kevin A. Stone, Dennis L. Kuehn, Marc A. Peters, David H. Wagner
  • Publication number: 20090327758
    Abstract: A storage apparatus is provided, which allows a user to properly use an encrypted text and a plain text even when the storage apparatus has an encrypting function. An adaptor controlling transmission and reception of data to and from a memory device is provided with an encrypting function. Data requiring no encryption is transmitted to an adaptor having no encrypting function, and data to be encrypted is transmitted to the adaptor having an encrypting function. Thus, a user of the storage apparatus can properly use an encrypted text and a plain text.
    Type: Application
    Filed: August 15, 2008
    Publication date: December 31, 2009
    Inventors: Toshimitu SAKANAKA, Shuichi YAGI, Yasuyuki NAGASOE, Kenichi NISHIKAWA
  • Publication number: 20090319741
    Abstract: The present invention describes a system and a method for securely loading digital information from a storage device into a memory module in a data processing system, said data processing system comprising at least one storage device, one memory module and at least one processor, said data processing system further comprising a memory access controller module connected between the processor and the memory module, and a secure memory management module connected to the processor, the memory module, the storage device and the memory access controller. Requests by the processor for data are passed to the secure memory management module, which loads the data from the storage device to the memory module and configures the memory access controller such that the processor will have access to the data.
    Type: Application
    Filed: June 23, 2009
    Publication date: December 24, 2009
    Applicant: Nagravision SA
    Inventors: Fabien Gremaud, Christophe Gogniat, Marc Bellocchio, Pascal Fuchs
  • Publication number: 20090319772
    Abstract: A network storage server receives multiple write requests from a set of clients via a network and internally buffers multiple data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to a nonvolatile mass storage facility. The consistency point process includes using a storage operating system in the network storage server to compress the data blocks, encrypt selected data blocks, and store the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate subsequent deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted logical container.
    Type: Application
    Filed: April 25, 2008
    Publication date: December 24, 2009
    Applicant: NetApp, Inc.
    Inventors: Ajay Singh, Ananthan Subramanian, Christoph Kogelnik
  • Publication number: 20090307451
    Abstract: A dynamic logical unit number system is implemented as a storage device that includes processing logic and storage functionality. A storage device may be configured to provide a first logical unit number when the storage device is attached to a computer system or other computing device. The storage device through its dynamic logical unit number system provides a configuration interface through which the computer system can configure additional logical unit numbers and reconfigure existing logical unit numbers of the storage device. After the redefinition of the logical unit numbers, the dynamic logical unit number system may cause a reestablishment of the connection between the storage device and the computer system. Upon establishing the new connection, the computer system recognizes the redefined logical unit numbers and treats each logical unit number as a separate storage device, including assigning a different number to each logical unit number.
    Type: Application
    Filed: October 30, 2008
    Publication date: December 10, 2009
    Applicant: Microsoft Corporation
    Inventors: David Abzarian, Harish S. Kulkarni, Todd L. Carpenter
  • Publication number: 20090300370
    Abstract: In one embodiment, the present invention includes a method for setting an extensible policy mechanism to protect a root data structure including a page table, interpreting a bytecode of a pre-boot driver in a byte code interpreter, and controlling access to a memory location based on the extensible policy mechanism. Other embodiments are described and claimed.
    Type: Application
    Filed: May 30, 2008
    Publication date: December 3, 2009
    Inventors: Jiewen Yao, Liang Cui, Qin Long, Vincent J. Zimmer
  • Publication number: 20090287942
    Abstract: Method and apparatus to detect clock roll-forward attacks in a computing device or similar system. This protects against hackers who tamper with the system clock of, for instance, a digital media playback device in order to access a content item which has been rented for a limited time. By detecting clock roll-forward tampering, the present method and system prevent such hackers from accessing the content item outside its authorized rental time period.
    Type: Application
    Filed: May 13, 2008
    Publication date: November 19, 2009
    Inventors: Pierre Betouin, Augustin J. Farrugia, Nicholas Sullivan
  • Publication number: 20090281836
    Abstract: A business method for providing improved portable health care records management that is HIPAA compliant and legally reliable from the physician's perspective. The method provides service for providing a USB portable medical records database to a hospital patient in a USB device with multiple layers of security. The USB device and first and second softwares for implementing updates of the USB portable medical records database are provided. A first software resident on the USB device auto-runs a resident database of patient medical records and provides security and HMI functions. Second software resides on a business computer linked to the hospital medical records database for acquiring, sorting, and storing medical records on the USB device. A discharge service includes creating a USB portable medical records database for a patient being discharged, and may optionally include reviews of the records for compliance with medical and insurance standards. Only physician-dictated records are stored.
    Type: Application
    Filed: March 18, 2009
    Publication date: November 12, 2009
    Applicant: Portable Health Record Services, LLC
    Inventor: Donald Velarde
  • Publication number: 20090282192
    Abstract: A health monitoring and diagnostic device (LIFESTREAM cholesterol meter) configured as a self-contained testing and diagnostic unit in a clam-shell type case. One side of the case includes a spring-loaded finger stick and a compartment for carrying one or more packages of disposable items including a test strip, a needle for the finger stick, and an alcohol swipe. The other half of the case includes a test strip reader, a key pad, and a liquid crystal display. The meter reads a test strip carrying a droplet of blood and receives additional diagnostic information from the patient, such as age, gender, weight, and family history of heart disease. Within minutes, the meter displays test results, including total cholesterol levels. The meter also displays additional diagnostic results, such as the patient's “cardiac age,” recommended weight loss, and a cardiac risk assessment. The meter also works in connection with a network-based comprehensive health analysis and reporting system.
    Type: Application
    Filed: May 8, 2008
    Publication date: November 12, 2009
    Inventors: Christopher T. Maus, Craig A. Coad, Jackson B. Connolly, Noah M. Coad, James L. Moody, Kenn A. Nesbitt, Kenneth D. Clegg
  • Publication number: 20090271638
    Abstract: To reduce the performance degradation of a storage system, this invention provides a storage system comprising a disk drive and a disk controller. The disk controller provides a storage area of the disk drive to a host computer; executes a processing of switching an encryption key that is used to encrypt data stored in the logical volume from a first encryption key to a second encryption key; encrypts write data requested to be written with the second encryption key when the write request for one of storage areas within the logical volume that stores data for which switching of encryption keys has not been finished is received while the encryption key switching processing is being executed; and writes the encrypted write data in the logical volume to switch encryption keys for data stored in the storage area where the data is requested to be written by the received write request.
    Type: Application
    Filed: January 16, 2008
    Publication date: October 29, 2009
    Inventors: Norihiko Kawakami, Akira Nishimoto, Junji Ogawa
  • Publication number: 20090265562
    Abstract: In a data conversion auxiliary module which is at a higher level than a file system in a disk management hierarchy, data stored in a storage medium, which becomes an object, is successively accessed. Then, a data conversion module captures a sector-unit access request to a device driver from the file system, converts data of a sector which is returned from the device driver, and writes the conversion data in the sector. Thereby, data conversion can be executed on a specific region of the storage medium, which is associated with the data in the storage medium.
    Type: Application
    Filed: June 25, 2009
    Publication date: October 22, 2009
    Applicant: HUMMING HEADS INC.
    Inventors: Naoyuki Oe, Takahiro Shima, Yoshiyuki Matsumoto, Hiroki Shima, Yusuke Minamii, Takahiro Takeda
  • Publication number: 20090254760
    Abstract: In one embodiment, a method is provided that may include encrypting, based at least in part upon at least one key, one or more respective portions of input data to generate one or more respective portions of output data to be stored in one or more locations in storage. The method of this embodiment also may include generating, based at least in part upon the one or more respective portions of the output data, check data to be stored in the storage, and/or selecting the one or more locations in the storage so as to permit the one or more respective portions of the output data to be distributed among two or more storage devices comprised in the storage. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Application
    Filed: May 28, 2009
    Publication date: October 8, 2009
    Applicant: INTEL CORPORATION
    Inventors: Eshwari P. Komarla, Vincent J. Zimmer, Mallik Bulusu
  • Publication number: 20090254761
    Abstract: A secure data processing method includes the following steps: padding (E206) a memory area (MAC?) with a pad value (A); writing (E208) a first datum in the memory area (MAC?); in the area, reading (E210) a second datum with at least one part of the first datum as it was written in the memory area (MAC?); and executing an operation (E210) using the second datum.
    Type: Application
    Filed: April 14, 2005
    Publication date: October 8, 2009
    Inventors: Hugues Thiebeauld De La Crouee, Christophe Giraud
  • Publication number: 20090248950
    Abstract: A user data protection method in which a management server includes an address replacement table having correspondence relation of memory addresses of a memory assigned to a virtual server and memory addresses of a memory assigned to a virtualization mechanism which is different from that at usual time, comprising the steps of: making, when an event occurs, the virtual server send virtual server identifier information for identifying the virtual server to the management server; making the management server detect the event; making the management server specify the virtual server in which the event occurs in accordance with the virtual server identifier information; sending the address replacement table to the virtualization mechanism of the physical server including the specified virtual server; and changing the correspondence relation of the memory addresses of the virtual server and the memory addresses of the virtualization mechanism on the basis of the address replacement table.
    Type: Application
    Filed: June 27, 2008
    Publication date: October 1, 2009
    Inventors: Masaru TAMAKI, Akira Kato, Kazuo Horikawa, Yoshifumi Takamoto
  • Publication number: 20090222675
    Abstract: Various mechanisms are disclosed for protecting the security of memory in a computing environment. A security layer can have an encryption layer and a hashing layer that can dynamically encrypt and then dynamically hash sensitive information, as it is being loaded to dynamic memory of a computing device. For example, a memory unit that can correspond to a memory page can be processed by the security layer, and header data, code, and protect-worthy data can be secured, while other non-sensitive data can be left alone. Once such information is secured and stored in dynamic memory, it can be accessed at a later time by a processor and unencrypted and hash checked. Then, it can be loaded back onto the dynamic memory, thereby preventing direct memory access attacks.
    Type: Application
    Filed: February 29, 2008
    Publication date: September 3, 2009
    Applicant: Microsoft Corporation
    Inventors: Sebastian Lange, Dinarte R. Morais, Victor Tan, Adam G. Poulos
  • Publication number: 20090214044
    Abstract: Systems and methods for decryption and encryption for data being archived at archive storage systems. The system includes an archive storage coupled to host and client computers and optionally to a network attached storage. The data arriving at the archive storage may contain encrypted data. The encrypted data may be decrypted at the archive storage, at the host computer or at the network attached storage coupled to the archive storage. Indexing information is added to the decrypted data. The data is subsequently re-encrypted before being archived. Encryption key information may be obtained from a key manager or an encryption key may be generated by a host computer or a client computer.
    Type: Application
    Filed: February 21, 2008
    Publication date: August 27, 2009
    Applicant: HITACHI, LTD.
    Inventor: Junji KINOSHITA
  • Publication number: 20090213649
    Abstract: A semiconductor processing device according to the invention includes a first non-volatile memory (21) for erasing stored information on a first data length unit, a second non-volatile memory (22) for erasing stored information on a second data length unit, and a central processing unit (2), and capable of inputting/outputting encrypted data from/to an outside. The first non-volatile memory is used for storing an encryption key to be utilized for encrypting the data. The second non-volatile memory is used for storing a program to be processed by the central processing unit. The non-volatile memories to be utilized for storing the program and for storing the encryption key are separated from each other, and the data lengths of the erase units of information to be stored in the non-volatile memories are defined separately.
    Type: Application
    Filed: August 29, 2002
    Publication date: August 27, 2009
    Inventors: Masatoshi Takahashi, Takanori Yamazoe, Kozo Katayama, Toshihiro Tanaka, Yutaka Shinagawa, Hiroshi Watase, Takeo Kanai, Nobutaka Nagasaki
  • Publication number: 20090204778
    Abstract: A Secure Non-autonomous Peering (SNAP) system includes a hierarchical digital watermarking scheme, a central licensing authority, licensed fabricators and assemblers.
    Type: Application
    Filed: February 11, 2009
    Publication date: August 13, 2009
    Inventors: Aaron Marking, Kenneth Goeller
  • Publication number: 20090198929
    Abstract: An erasure declaration-related write request is received. In cases where, in response to the erasure declaration-related write request, erasure-corresponding data elements which are data elements corresponding to an erasure target and which are stored in a storage area A in the first logical volume are overwritten with erasure data elements which are data elements signifying erasure at or after the snapshot acquisition time point, the storage area A is associated with a storage area B in which encrypted data elements corresponding to the erasure-corresponding data elements stored in storage area A are stored.
    Type: Application
    Filed: March 31, 2008
    Publication date: August 6, 2009
    Inventor: Nobuyuki Saika
  • Publication number: 20090187711
    Abstract: Systems and methods for protecting data in a tiered storage system are provided. The storage system comprises a management server, a media management component connected to the management server, a plurality of storage media connected to the media management component, and a data source connected to the media management component. Source data is copied from a source to a buffer to produce intermediate data. The intermediate data is copied to both a first and second medium to produce a primary and auxiliary copy, respectively. An auxiliary copy may be made from another auxiliary copy. An auxiliary copy may also be made from a primary copy right before the primary copy is pruned.
    Type: Application
    Filed: December 19, 2008
    Publication date: July 23, 2009
    Applicant: COMMVAULT SYSTEMS, INC.
    Inventors: Arun Prasad Amarendran, Manoj Kumar Vijayan Retnamma, Anand Prahlad, Parag Gokhale, Jun Lu
  • Publication number: 20090187704
    Abstract: A PC-slave device may securely load and decrypt an execution code and/or data, which may be stored, encrypted, in a PC hard-drive. The PC-slave device may utilize a dedicated memory, which may be partitioned into an accessible region and a restricted region that may only be accessible by the PC-slave device. The encrypted execution code and/or data may be loaded into the accessible region of the dedicated memory; the PC-slave device may decrypt the execution code and/or data, internally, and store the decrypted execution code and/or data into the restricted region of the dedicated memory. The decrypted execution code and/or data may be validated, and may be utilized from the restricted region. The partitioning of the dedicated memory, into accessible and restricted regions, may be performed dynamically during secure code loading. The PC-slave device may comprise a dedicated secure processor that may perform and/or manage secure code loading.
    Type: Application
    Filed: January 17, 2008
    Publication date: July 23, 2009
    Inventor: Stephane Rodgers
  • Publication number: 20090187709
    Abstract: A method for transmitting and dispatching data stream, which is used for transmitting data stream to a storage device having a non-volatile memory and a smart card chip from a host, is provided. The method includes: setting a key between the host and the storage device; creating a temporary file in the non-volatile memory; verifying the temporary file based on the key; recording a logical block address of the temporary file when verification of the temporary file is successful; and judging whether the data stream from the host is written at the logical block address, wherein the data stream is identified to be a command-application protocol data unit (C-APDU) and is dispatched to the smart card chip when the data stream from the host is written at the logical block address. Accordingly, it is possible to efficiently distinguish a general data from a command of the smart card chip.
    Type: Application
    Filed: March 31, 2008
    Publication date: July 23, 2009
    Applicant: PHISON ELECTRONICS CORP.
    Inventors: Meng-Chang Chen, Sing-Chang Liu
  • Publication number: 20090187721
    Abstract: A computer system to prevent intervention and falsification by setting encrypted transfer between a host computer and a first storage device that provides a virtual volume and between the first storage device and second and third storage devices that provide a real volume corresponding to the virtual volume. A management computer specifies the second and third storage device that provide the real volume corresponding to the virtual volume by providing a volume corresponding to the virtual volume used by a host computer in which encrypted transfer becomes necessary, and setting the encrypted transfer to communication between the first storage device and the second and third storage devices, makes a reconnection thereof, and also sets the encrypted transfer to an I/O port used for the communication with the host computer in the first storage device.
    Type: Application
    Filed: March 24, 2009
    Publication date: July 23, 2009
    Inventors: Atsushi UEOKA, Takeshi Ishizaki, Yasunori Kaneda, Masayuki Yamamoto
  • Publication number: 20090182931
    Abstract: A portable storage system. The portable storage system comprises a portable storage device having a flash memory element and a loss-prevention unit. The portable storage system further comprises Master and Slave proximity elements. One of the proximity elements is physically connected with the portable storage device, while the other is physically connected with the loss-prevention unit. The Master proximity element is configured to wirelessly determine the presence of the Slave proximity element within a predefined range.
    Type: Application
    Filed: August 20, 2006
    Publication date: July 16, 2009
    Applicant: OLYMPUS SOFT IMAGING SOLUTIONS GMBH
    Inventors: Abraham Gill, Avi Hadad
  • Publication number: 20090182937
    Abstract: A semiconductor memory card that has a sufficient storage capacity when an EC application writes data to a storage is provided. A usage area for the EC application in an EEPROM 3 in a TRM 1 is expanded. The expansion is such that a partition generated in a flash memory 2 outside the TRM 1 is assigned to the EC application while a partition table is allocated in the internal EEPROM 3. Because the partition table is in the TRM 1, only a CPU 7 in the TRM 1 is able to access the generated partition table. Secrecy of stored contents increases because the access to the expanded area is limited to the CPU 7 in the TRM 1.
    Type: Application
    Filed: March 13, 2009
    Publication date: July 16, 2009
    Inventors: Hiromi EBARA, Shinji KAWANO, Futoshi NAKABE
  • Publication number: 20090180620
    Abstract: A system for the encryption and decryption of data employing dual ported RAM for key storage to accelerate data processing operations. The on-chip key storage includes a dual-ported memory device which allows keys to be loaded into memory simultaneous with keys being read out of memory. Thus, an encryption or decryption algorithm can proceed while keys are being loaded into memory.
    Type: Application
    Filed: March 24, 2009
    Publication date: July 16, 2009
    Inventor: Kenneth W. Batcher
  • Publication number: 20090177895
    Abstract: A controller carries out a first determination as to whether or not data to be stored in a target logical volume can be used by a plurality of access devices. The controller carries out a second determination as to whether or not the access devices comprise data encryption units respectively when the result of the first determination is affirmative. The controller controls a setting related to the target logical volume for one access device of the plurality of access devices, based on the result of the second determination.
    Type: Application
    Filed: February 28, 2008
    Publication date: July 9, 2009
    Inventors: Koichi Murayama, Nobuyuki Osaki, Daisuke Kito
  • Publication number: 20090172265
    Abstract: Disclosed is a flash memory device having a secure flash file deletion function and a method for securely deleting a flash file. Data and object headers as actual contents of the flash file are separately stored in data blocks and header blocks. At this time, the data is encrypted and stored, and a decryption key is included in an object header and stored in a header block. When the flash file is deleted, the object header is deleted by searching the header block where the object header including the decryption key is stored. In order to search the header block, a binary tree structure is used in which a terminal node indicates an LSB of a file ID. Disclosed may be applied to an embedded system where a flash memory is used as a storage medium. In particular, disclosed is suitable for a NAND flash memory device.
    Type: Application
    Filed: October 22, 2008
    Publication date: July 2, 2009
    Applicant: Electronics Telecommunication Research Institute
    Inventors: Seungmin Park, Jaemyoung Kim, Yungjoon Jung, Donghyouk Lim, Youngbin Seo, Yookun Cho, Sangho Yi, Jaeheung Lee, Seokhyun Kim, Jinha Oh
  • Publication number: 20090164790
    Abstract: A method and system for storage of unstructured data in external data storage uses low-cost, minimally-functional external data stores (EDS) to store immutable, unstructured content. An external storage layer (ESL) interposed between an e-discovery management application (EMA) and the EDS constitutes an intermediary allowing access to external storage from the EMA and adding functionality unavailable on EDSs, offsetting the functional sacrifice incurred by using the EDS and preserving cost advantage. Caching content on the ESL during propagation to the EDS eliminates latency during file propagation. The ESL creates metadata and maintains an index of the data, allowing the data owner to search and retrieve from the EDS. The ESL compresses, decompresses, encrypts and decrypts data. An ESL vendor can service a number of clients on a fee or subscription basis. The ESL can distribute client data across EDSs and mirror data stored on a first ESL on another ESL.
    Type: Application
    Filed: February 28, 2008
    Publication date: June 25, 2009
    Inventor: Andrey Pogodin
  • Publication number: 20090164709
    Abstract: Methods of managing a secure area in a secure storage device include conducting an authentication process between a host and the secure storage device while modifying a size of the secure area, backing up secure data to the host from the secure area after completing the authentication process, updating management information to modify a size of the secure area, and storing the secure data, which has been backed up to the host, into the secure area that is modified in size. Related storage devices are also disclosed.
    Type: Application
    Filed: December 4, 2008
    Publication date: June 25, 2009
    Inventors: Byoung-Kook Lee, Ji-Soo Kim, Seon-Taek Kim, Won-Hee Cho
  • Publication number: 20090158020
    Abstract: A system performs system initialization for a computing device, comprising a module to back up one or more files of the computing device in response to a backup request and to restore one or more files of the computing device in response to a recovery request; and a point managing module to set up a backup point that comprises information based on the backup request and locate one or more backup points for the restoration operation.
    Type: Application
    Filed: December 30, 2005
    Publication date: June 18, 2009
    Inventors: Hanying Chen, Chih-Lung Hou
  • Publication number: 20090158055
    Abstract: The invention relates to a method for cryptographic authentication in access security systems. The aim of the invention is to provide a software solution. To this end, the method for secured storage of counter states in a non-volatile memory (EEPROM) (10) involves an incrementing (11) process, and the current counter state is updated in only one EEPROM segment following each incrementing process (11), a subsequent access to the EEPROM (10) only being enabled in the event of a successful incrementing (11) of an EEPROM-based counter.
    Type: Application
    Filed: May 15, 2007
    Publication date: June 18, 2009
    Applicant: NXP B.V.
    Inventors: Juergen Nowottnick, Frank Boeh