High Density Devices

The patent covers:

• any type of media (hard disk, tape, memory sticks, memory cards, etc)
• use of more then one encryption key to encrypt different addressable data blocks on a single media where selection of key depends on address of data (logical address, physical address, user area, block id, etc)
• use in applications for data storage (pc, mobile phone, camera, pda, cd, memory)
• use of keys stored in a token (smart card, key ring, plug-in module, contactless smartcard, SIM card, etc)
• keys are transferred from token to encryption unit by any means (wire, fibre, radio, IR) using any form of encrypted channel

HDD products are based on the US patent 7,434,069 owned by the company. The patent covers a large number of claims relevant to any secure data storage solution and transfer of keys related to secure storage solutions.

The figure above shows the different functional blocks of the patent. Data in clear text format (1) is transferred to the interface portion (2) of an encryption engine (3). After necessary transformation (e.g. serial to parallel), the data are processed in the processing block (4) and converted back for storage in outgoing interface block (5) and transferred to the storage medium (6). To control the operation a key token (7) inputs the necessary keys and parameters into the processing block (4).

Any data storage is by definition addressable and the main idea of the patent is to use the addresses associated with a specific block of data as part of the process for determining which key and algorithm to use when encrypting that specific block of data.

The patent refers to data storage in general and is thus applicable to many area in daily life. Storage of data is found in a most modern electronic appliances storing anything from sound, video, pictures, personal information, emails, addresses for the user to internal data for the appliance.

Implementation of the patent will secure data on a low level, normally directly associated with the hardware used for storing data like e.g. a hard disk drive. This means that the solution will be invisible from the operating system level and hence completely independent of which operating system is involved, even if more operating systems are installed on the same storage medium.

Since an encryption key and the address of the stored data is used in combination to get access, this allows for a solution where different keys introduced into the same storage medium may only give access to a particular segment of data.

The access to data is normally depending on the right key token being present at all times. This operation can however be modified when issuing key tokens. If required the system can be set up to – after initial key transfer from token – immediately stop operation or continue operation either for a given time period.

A MBR (Master Boot Record) contains the necessary information loaded by a computer system when a system is booted. The content of the MBR tells the computer system where and how to load the operating system from the hard disk drive. The MBR for different operating systems on the same hard disk drive can be stored together with an encryption key in for example a smart card as a key token. The MBR on the smart card can be loaded and then used as the MBR of the hard disk drive.

The patent also provides a 2-step authentication method of a computer system. First, a program code segment stored on a smartcard key token to the host computer system. This will give the user/administrator a possibility for entering a PIN code for authentication. After the authentication has been successful, the master boot sector (MBR) is made available to the computer.

Another possibility described by the patent is to provide increased security when encrypting a storage media with a particular key and an algorithm by providing a random number together with the key. This will ensure that even if successive data records are alike and encrypted with the same key and algorithm the result will be different. The random numbers are stored in a table permitting recovery of a particular random number used when decrypting the data.