US20150350172A1

Movatterモバイル変換

Info

Publication number: US20150350172A1
Application number: US14/822,269
Authority: US
Inventors: Rafiq Kiswani; Sufyan Almajali
Original assignee: DATA GUARD SOLUTIONS Inc
Current assignee: DATA GUARD SOLUTIONS Inc
Priority date: 2014-05-07
Filing date: 2015-08-10
Publication date: 2015-12-03
Also published as: US20180026953A1; US9104889B1

Abstract

A first component of a cryptographic key is received from a user via a user interface of a user computing device. A second component of the cryptographic key is received via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device. The cryptographic key is generated based at least on the first component and the second component. The cryptographic key is then used to encrypt and/or decrypt data.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/273,883, entitled “Encryption On Computing Device,” filed May 7, 2014, which is hereby incorporated herein by reference in its entirety.

FIELD OF THE DISCLOSURE

This disclosure relates generally to providing data protection for a computing device and more particularly providing data protection for data contained on the computing device with using encryption of the data to block unauthorized access to the data.

SUMMARY

One embodiment of the techniques of this disclosure is a method for generating cryptographic keys for encrypting and decrypting data, which can be executed by one or more processors. The method includes (i) receiving a first component of a cryptographic key from a user via a user interface of a user computing device, (ii) receiving a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, (iii) generating the cryptographic key based at least on the first component and the second component; and (iv) using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.

Another embodiment of these techniques is a network server including a communication interface to communicatively couple the network server to a user computing device via a communication network and a processing hardware. The processing hardware is configured to receive a request for a cryptographic key from the user computing device, where the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device. The processing hardware is further configured to automatically generate a second component of the cryptographic key in response to the request, and provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device. The user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.

Yet another embodiment of these techniques is a method in a user computing device for efficiently encrypting and/or decrypting data, which can be executed on or more processors. The method includes (i) receiving an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface, (ii) receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface, (iii) retrieving, from the storage device, (i) a second component of the cryptographic key, (ii) first control data, and (iii) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key, (iv) generating the cryptographic key based at least on the first component and the second component; and (v) determining whether the generated cryptographic key is correct using the first control data and the second control data.

Still another embodiment of these techniques is a network server including a communication interface to communicatively couple the network to a user computing device via a communication network, a non-transitory computer-readable medium storing instructions that implement a data protection software module, and processing hardware. The data protection software module, when executed on one or more processors of the user computing device, causes the user device to (i) receive a first component of a cryptographic key from a user via a user interface of the user computing device, (ii) receive a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device, and (iii) generate a cryptographic key based at least on the first component and the second component, for use in encrypting and/or decrypting user-selected data. The processing hardware configured to provide an instance of the data protection software module to the client device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a block diagram that schematically illustrates a method for encryption and decryption of data using two keys, where one of the two keys is stored on a removable peripheral storage device;

FIG. 1B is a block diagram that schematically illustrates a method for verification of a removable peripheral storage device using control input and control output stored on the removable peripheral storage device;

FIG. 2 is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented;

FIG. 3A is a block diagram of an example user device that can operate in the computing system ofFIG. 2;

FIG. 3B is a block diagram of an example software module that can be implemented in the user device ofFIG. 3A to encrypt and decrypt data using two keys;

FIG. 4A is a block diagram of an example server that can operate in the computing system ofFIG. 2;

FIG. 4B is a block diagram of an example software system that can be implemented in the server ofFIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure;

FIG. 5 is a flow diagram of an example method for creating a pair of keys and generating authentication information for a removable storage device, which can be implemented in the user device ofFIG. 3A;

FIG. 6 is a flow diagram of an example method for encrypting data using one component of a key stored on a removable storage device and another component of a key submitted by a user, which can be implemented in the user computing device ofFIG. 3A;

FIG. 7 is a flow diagram of an example method for generating authentication information for a removable storage device, which can be implemented in the server ofFIG. 4A; and

FIG. 8 is a flow diagram of an example method for authenticating a removable storage device storing a key.

DETAILED DESCRIPTION

Through use of computing devices with respect to business or social interaction, people today are being inundated with business, technological and social related data and information. This data, as a result, is often stored on one's computing device(s). Since much of this information may be considered sensitive and/or confidential, no one wants the information accessible to unauthorized persons that may come into possession of their computing device. One approach to protecting this information is to encrypt the information on the computing device with the use of encryption/decryption techniques such as, Advanced Encryption Standard (AES) or the like. The encryption/decryption software will encrypt the sensitive and/or confidential information stored on the computing device and, in turn, permit access to the information by the authorized user using the software to decrypt the information when access to the information is needed.

Data files that will often be encrypted will include, for example, audio, video and text files and the like and will be often stored in an encrypted state on the computing device. As mentioned above, the software employed to encrypt and decrypt these files will include AES, another commonly known encryption/decryption algorithms which utilize a key, or a customized software designed to operate on the devices discussed below. The key is typically a parameter associated with the encryption/decryption software that when employed in association with the encryption/decryption software will transform the data into an encrypted state, one that is not understandable to a viewer. It will also transform that encrypted data back to its original unencrypted state so as to be easily understood by the viewer. In the unfortunate instance of an unauthorized person coming into possession of another's computing device, the unauthorized person is only separated from using the encryption and decryption software successfully to transform the stored data into an understandable state by not having the correct key. The key is typically created or set by the authorized user of the computing device in the form of a password.

These passwords can be compromised in any number of ways which include obtaining the password from the authorized user who has not properly secured the identity of the password. Once in possession of the password or key, in this example, the unauthorized user will have complete access to correctly use the encryption/decryption software stored on the computing device and thereby be able to successfully decrypt encrypted files and access the data of those decrypted files. An object to this disclosure is to provide additional layers of security or depth of security as to preventing an unauthorized user from acquiring the identity of a key. By further securing the identity of the key the unauthorized user will not be able to access the encrypted confidential and/or sensitive data stored on the computing device.

In this disclosure, the key for correctly running the encryption/decryption software must first be fully assembled from component parts which originate from separate sources. One component part of the key will be stored on a peripheral storage device. This one component, as will be discussed in more detail below, will have been previously randomly generated by an online security service and downloaded onto the user's peripheral storage device via the user's computing device at a time in which the user registers with the online security service. The peripheral storage device can be used within a short range of the computing device. With the computing device interfacing with the peripheral storage device, the computing device will automatically read the one component portion of the key stored on the peripheral device. In using the peripheral storage device after the initial registering with an online security service, the one component of the key is transferred to the computing device from the storage device without user interaction. Additionally, this peripheral storage device, at the time of user registration with the online security service, will also download additional data from the online security service in order to authenticate itself, which will be discussed in more detail below.

In this disclosure, another component part of the key will be needed to add to the one component of the key that has already been contributed by the peripheral storage device in order to assemble a complete and operable key. A complete key is needed: otherwise the encryption/decryption software stored on the computing device will not properly encrypt and decrypt data. The other component of the key will be one generated or created by the user also at the time the user registers their computing device with the online security service. For purposes of successfully operating the encryption/decryption software on the computing device, the user will have to input this other component of the key, typically a password, into the computing device through an input device, such as a keyboard or other commonly known input device.

With the user having the peripheral storage device interface with the computing device contributing one component of the key and the user in putting the password, the other component of the key, the key is fully assembled. As mentioned above, the user's computing device will run an authentication or verification routine that will determine if the storage device is the proper one with a correct one component of the key and will also further verify whether the user has input the correct password or other component of the key thereby verifying the correct completion of the assembly of the key. If the key is verified, the user will be able to use the key successfully with the encryption/decryption software on the computing device to encrypt and decrypt data files on the computing device for that session.

Depending on the embodiment, a session during which an assembled key is valid can stay active while the user is logged in, while the peripheral storage device is connected to the computing device, while the computing device is powered on, while a timer is running, or subject to any other suitable condition(s). The session accordingly can end when the users logs out, shuts down the computing device, removes the peripheral storage device, etc.

During an active session, the encryption/decryption software of this disclosure can access the assembled key in a volatile (non-persistent) memory such as RAM. The encryption/decryption software does not store the assembled key in a persistent memory. In general, the assembled key is not stored anywhere in a persistent memory except in a database maintained by the online security service, as discussed in more detail below. When the session is no longer active, the assembled key is purged from the non-persistent memory, so that the encryption/decryption software can no longer encrypt or decrypt data. To start a new session, the user will once again need to provide login/password information defining one of the component parts of the key.

If the user fails to successfully establish a session for failure to supply the proper password (corresponding to one of the component parts of the key), insert the correct peripheral device, etc., the encryption/decryption software cannot properly encrypt data or decrypt previously encrypted files. In one embodiment, the encryption/decryption software does not prevent the user from operating the computing device when a session fails. However, the user in this case cannot decrypt previously encrypted files or encrypt new data. The user still can, for example, use the other functionality of the computing device. Further, if the user chooses to create new files, he or she cannot protect these files using the encryption techniques of this disclosure.

An embodiment of assembling the component parts of the decryption and encryption key from separate sources would include using a Universal Serial Bus (USB) flash drive as the peripheral storage device that will store the one component or portion of the key. The USB flash drive will be inserted into the USB port of the computing device and will automatically interface with the computing device uploading the one component of the key to the computing device. The other component or portion of the key that will be needed to complete a functional key will be a password created by the authorized user also during the registration process with the security online security service. The user will be prompted to enter this other component of the key onto the computing device and the user will enter it through an input device of the computing device such as a keyboard. The software downloaded onto the user's computing device by the online security service at the time of registration will run a verification process of the assembled key now that one component and the other component have been entered onto the computing device. The verification will generally include utilizing a test file and applying the complete key with the encryption/decryption software to decrypt the test file that was previously encrypted and downloaded onto the peripheral device during registration. That encrypted test file was encrypted with the correct complete key and the encryption/decryption software or using the same encryption/decryption technique. The unencrypted version of this test file was also downloaded on the peripheral storage device at the time of registration. The encrypted test file is now subjected to the complete key assembled from one component stored on the peripheral device and the other component input by the user along with the encryption/decryption software that had been downloaded by the online security service onto the computing device during registration. The encrypted file is thusly transformed and compared to see if it matches the unencrypted test file. If there is a match, the peripheral storage device is the correct one carrying one component of the key and the password input by the user was correct completing the assembling of the complete key. This authentication process will be discussed in more detail below. Should the test result be a successful match the user is informed the proper key has been assembled and the user can now proceed to utilize the encryption/decryption software with the completed key to successfully encrypt and decrypt data on their computing device.

Thus, to gain access to the encrypted information on the computing device the user must be in possession of the computing device, the correct peripheral storage device containing one component of the key and the other component or password portion of the key which had been created by the authorized user. Thus, additional security is provided herein with the user having to not only be in possession of the computing device but also, in this embodiment, the proper USB flash drive device carrying the one component of the key and of the password which comprises the other component of the key in order to fully assemble a complete key and be able to successfully operate the encryption/decryption software on that computing device. The user is then capable of successfully carrying out decryption and encryption functions with the encryption/decryption software which had been stored on the computing device during the user's registration process with the online security service.

As will be discussed in more detail herein, a user that wishes to protect the data stored on their computing device will register with an online security service. At that time the user will be asked to provide the online security service information identifying the user, credit card information and the identity of the computing device. During this registration process the online security service will install on the user's computing device the encryption/decryption software for encrypting and decrypting information to be stored on the computing device. As mentioned above, this encryption/decryption software for this embodiment will be AES; however, any other higher level known standard encryption/decryption algorithm may be used. During the installation of this software onto the computing device, the user will be asked to insert a peripheral storage device, or in this embodiment a USB flash drive, into the USB port of the computing device. The online security service will install onto the USB flash drive one component of the key for the encryption/decryption software which the online security service randomly generated. The online security service will also provide the user's computing device with a software module for authenticating the USB drive. Additionally, the user will be asked to create a password, in this embodiment, which will be the other component to assembling a complete key. The password created by the user will allow the online security service to use this password along with the one component of the key it had randomly generated to complete the key. These two components of the key will need to be assembled through actions of the user on occasions when the user needs to successfully encrypt and decrypt data on their computing device. In this embodiment, in the subscription and registering process with the key being completed and the encryption/decryption software installed, the user will be asked whether all of the stored data files shall be encrypted or whether data files will be encrypted as selected by the user. This registration process will be discussed in more detail herein.

Once the user has registered with the online security service by registering themselves, the computing device, downloading the encryption software, uploading their peripheral storage device with one component of the key and authentication software and has created a password that comprises the other component for completing the key, the user has taken the steps they need to protect confidential and/or sensitive data files stored on their computing device. An unauthorized user being in possession of the computing device but not having access to the external peripheral storage device, such as the USB flash drive which carries in this embodiment one component of the key or access to the authorized user's password, the other component to the key, or both, the unauthorized user will not be able to successfully access or view the confidential and/or sensitive stored encrypted data on the computing device.

Encryption and decryption appears seamless to the user of the computing device. In particular, the user at some point selects a certain set of files, such as for example the entire hard drive, one or several folders, all text files, etc. The user subsequently accesses these files during active sessions (see above) without being notified or prompted about every encryption or decryption operation. For example, when the user opens or saves of these files saves one of these files, the encryption/decryption software automatically performs the encryption or decryption operation in a seamless manner, without distracting the user. To this end, as illustrated inFIG. 3A, the encryption/decryption software can operate in a kernel model, for example, to reside as a software layer between applications (e.g., text editors, graphics editors, browsers) and operating system calls for accessing hardware components such as the hard disk.

In another embodiment, with the authorized user having assembled the key with inserting the USB flash drive and entering the password, the user can select a particular file and decrypt it. The file can be closed out and the data will remain stored as an encrypted file. New data may be entered into a decrypted file or a new file can be created and with saving either, the file with the new data is encrypted. Thus, using the saving function will encrypt the file.

At the time of registration the online security service will securely store the registration data including the identity of the user and of the computing device, along with the randomly generated one component of the key for that user and the user's other component of the key or password. As a result, the user will be able to subsequently contact the online security service for a number of services related to maintaining the security of their computing device. These services could include assistance in retrieving a password that was forgotten or changing it. The user may have broken, destroyed or lost their peripheral storage device. Under those circumstances, the online security service will also assist the user in replacing the one component of the key or providing a new one component of the key with respect to that which was stored on the peripheral storage device at the time of original subscription and registration. These services will be provided by the online security service with the normal security measures taken to assure the requester is the authorized user of the registered computing device. These measures can include requiring the user to respond to a question to provide very private personal information to the online security service at the time of registration and ask the current requester the same question and match the answer to the original answer provided at the time of registration and if there is a match the online security service will provide the requested services.

In referring toFIG. 1A, a block diagram is shown that schematically illustrates an embodiment of the method of the present disclosure to encrypt and decrypt data stored on a computing device. In order to carry out this method, encryption and decryption software will have been downloaded on the computing device and will be executable by one or more processors on the computing device. The software will operate in conjunction with a complete key associated with that software, on data stored or being stored on the computing device. The step of encryption and decryption of data stored on a computing device is represented bybox100. In this embodiment, the encryption anddecryption step100 will only be able to be successfully carried out to encrypt and decrypt data on the computing device, as mentioned above, with a complete key assembled and working in conjunction with the encryption and decryption software.

Onecomponent102, which is stored onperipheral storage device104, automatically downloads onto theperipheral storage device104 interfacing with the computing device. In this embodiment,device104 is a USB flash drive and it interfaces with computing device by inserting the USB flash drive into the USB port of the computing device. This onecomponent102 of the key was previously randomly generated and uploaded to the USB flash drive by an online security service during the subscription and registration process with the user. The other component of the key106 will be input into the computing device by way ofuser input108. In this embodiment, theother component106 of the key will be a password that was created by the user during the registration process between the user and the online security service and is input into the computing device with a keyboard connected to the computing device; however, other inputs can be employed.

The

components

102 and106 can equally contribute to the overall strength of the key or provide different contributions to the overall strength of the key, depending on the embodiment. Thus, in one embodiment, each of the

components

102 and106 occupies the same number of bytes. In another embodiment,component106 is relatively short (e.g., six characters occupying six bytes) whilecomponent106 is relatively long (e.g., 26 characters occupying 26 bytes).

With the two components of the key102 and106 present on the computing device, the complete key has been assembled and is an operable parameter that works in conjunction with the encryption and decryption software. The software can now be executed successfully on the data on the computing device to carry out the step of encryption/decryption100 of the data the user has selected.

As will later be described in more detail, when the user initially subscribes and registers their computing device with the online security service, the complete key will be assembled at that time and the encryption/decryption software having been uploaded onto the computing device, the user will, in this embodiment, be asked to elect to proceed with the encryption of all files stored on the computing device or to elect to proceed to encrypt those files selected by the user that are stored files on the computing device. In either case, the user will be permitting the encryption/decryption software to operate on stored data in the step of encryption anddecryption100 resulting in the step of creatingencrypted data110.

Subsequent to the initial registration process the user will be able to createencrypted data110 on their computing device in the presence of a fully assembled key and the encryption/decryption software that is executable by a processor on the computing device, by selecting file(s) that are not encrypted and saving the file(s). This will result in the operation of the software of the encryption/decryption step100 thereby encrypting that data creatingencrypted data110. Also, the user can save edited versions of unencrypted data they are working on their computing device or save new stand alone data they have created or placed on their computing device, thereby operating the software of the encryption/decryption step100 which will also result inencrypted data110.

On the other hand, in the presence of the fully assembled or complete key on the computing device and the encryption and decryption software executable on the computing device, the user can decrypt previously encrypted information or data files stored on the computing device. The user can select a previously encrypted stored data file on the computing device to view, for example, and the step of encryption/decryption100 will operate on the encrypted data and accordingly transform the data, thereby creating decrypteddata112. In some embodiments, the decryption is seamless, and the user does not notice the file is being decrypted. For example, the user can simply select the file for reading, and the step of encryption/decryption100 executes automatically.

In referring toFIG. 1B, a block diagram is shown that schematically illustrates a method for verification of the removableperipheral storage device104. This verification process includes acontrol input114,control output116 and onecomponent102 being stored on theremovable storage device104 during the registration process with the online security service. In this embodiment, authenticatingperipheral storage device104 is a step taken before any decryption or encryption of data takes place on the computing device. In this embodiment, at a time the user wants to decrypt a particular data file stored on their computing device or wants to encrypt data, the user will need, to connect theperipheral storage device104 to interface with the computing device. As mentioned earlier, in this example, this will be accomplished by inserting USB flash drive into USB port of the computing device. In one embodiment, this will automatically trigger execution of a peripheral device authentication software on the computing device, which will retrieve onecomponent102 of the key from peripheral storage device104 (that was earlier randomly generated by the online security service at the time the user registered and subscribed to the security service).

In this embodiment, thecontrol input file114 and thecontrol output file116 that were downloaded onto theperipheral storage device104 are text files but can be any data that can be encrypted and decrypted with encryption/decryption software such as AES or other encryption and decryption algorithms. During the registration process as will be discussed in more detail below, a complete key was assembled that operates as a parameter in conjunction with the encryption/decryption software the online security service also downloaded onto the computing device during the registration process.Control input file114 is a text file, in this example, that was encrypted with the complete key and the encryption/decryption software before it was downloaded onto the memory of theperipheral storage device104 in the registration process. Thecontrol output file116 is the unencrypted version of thecontrol input file114 which was stored in the memory of theperipheral storage device104 as well.

With theUSB flash drive104 inserted into the USB port of the computing device, the onecomponent102 of the key is automatically uploaded onto the computing device. The user will be prompted by the computing device by way of the encryption/decryption software on the computing device to enter theother component106 of the key by way ofuser interface108, or in this example, the computing device keyboard. With both components of

key

104 and106 present, controlinput file114 is forwarded from the memory of theperipheral storage device104 to the computing device and subjected to the encryption/decryption software and the step of encryption/decryption100 is executed oncontrol input file114, thereby encryptingcontrol input file114. The result of this decryption ofcontrol input file114 is forwarded to acomparator118 of the verification software downloaded by the online security service during the registration process. The decryptedcontrol input file114 is compared to thecontrol output file116 which has also been forwarded from the memory of theperipheral storage device104 and if the comparison of decryptedcontrol input file114 equates or is the same ascontrol output file116, the verification of theperipheral storage device104 has been accomplished. At this point the user can proceed to encrypt and decrypt data on the computing device. If the comparison of the decryptedcontrol input file114 andcontrol output file116 results in them not equating or being the same, the user will not be able to exercise successful encryption and decryption operations on the computing device. In either case, the peripheral device authentication software can provide an appropriate notification via the user interface of the computing device.

In another embodiment,comparator118 can compare two encrypted versions of a same file. In other words, controlinput file114 can be unencrypted, andcontrol output file116 encrypted, versions of a same file. Encryption/decryption step100 in this case performs to encryption rather than decryption.

In referring toFIG. 2, it is a block diagram of an example computing system in which encryption, decryption, and key management techniques of this disclosure can be implemented. In the embodiment shown inFIG. 2, a security providingservice system120 operates throughdata protection server122 providing the user of a computing device126 a service as described herein for protecting the data stored on the user'scomputing device126 from access by an unauthorized user in possession of thecomputing device126.

It will be understood by those skilled in the art thatdata protection server122 could include a single server that performs all of the functions described below or could be divided into any number of servers as desired. Thisserver122 is connected to thenetwork124 which could be a variety of network types such as the Internet, a LAN, a WAN, cellular, WiFi, etc. The user that wishes to subscribe to the security service for securing data stored on their computing device that is provided bydata protection server122, will access thedata protection server122 throughnetwork124 with theirpersonal computing device126 also being connected tonetwork124.Personal computing device126 could comprise a wide variety of devices, such as a desk top computer, lap top computer, notebook, tablet computer, smart phone, etc. Thesecurity service system120 of the present embodiment will accommodate and be operable with the operating system ofcomputing device126, which can be Windows®, Mac OS®, Android®, etc.

Server

122 will support a web service that will exchange data with common formats such as XML, JSON and the like. As will be appreciated by those skilled in the art, this embodiment will utilize one of C and C++ language for driver programming. Also, in this embodiment, C# will be combined with C/C++ for use with Windows Platform for example on thepersonal computing device126. The web service supported bydata protection server122 can be accessed from computing devices via a web site that includes instructions in HTML or another suitable language. The website supported bydata protection server122 will work on common browsers such as Internet Explorer®, Firefox®, Chrome®, Opera®, Safari® and others.

The user seeking a security service will connect to the website through use of their browser. The website will provide the user an array of security packages to select from, as for example: one user with one computing device to secure; one user with multiple computing devices to secure; or family subscription with multiple devices to secure. The user will select the appropriate plan that will suit for them and proceed with the registration process for that plan.

Data protection server

122 will store and implement software for the security service. This software can be in one or more modules, downloadable onto thepersonal computing device126 or another suitable computing device. Some of the modules can be configured to execute on personal computers and other user devices as client components of the authentication system. In this embodiment, there are two modules,password management system128 anddata protection module130 that will be used to implement some of functionality the security service on user computing devices. Once the user has selected the desired plan or package they wish to subscribe to, passwordmanagement system module128 will be used to provide the user web pages to be populated by the user in order to collect information in registering the new user and their computing device to the security service. The information requested will include, in this embodiment, their name, address, e-mail address and banking information such as a credit card information. The user will be asked to execute a payment for the package or plan they had selected. With the payment transaction successfully completed, thepassword management system128 will provide the new user queries for creating a user name and password for logging into the security service web site.

With the user name and password completed, passwordmanagement system module128, in this embodiment, will assign a user identification (UID) number with the data collected above from the new user.Module128 will transmit the UID and the data collected above ascustomer subscription data134 todatabase132, which comprises one or more computing devices with non-transitory memory readable by one or more processors. Thedatabase132 can be, for example, a relational database in whichcustomer subscription data134 is accessible using SQL queries.

The new user will then be asked by the web page provided bymodule128 to identify the computing device(s)126 to be protected by the security service. In some embodiments, this information in this embodiment will include the make, model and serial number of the computing device(s)126. This data will likewise be stored indatabase132 under the UID number ascustomer subscription data134. A customer account has now been created. Module28 will also manage and interface with the subscriber/new user to provide the new user services related to implementing the security service to the user's computing device(s)126 and to provide services related to supporting and maintaining the security service for the user.

With the user now registered, the passwordmanagement system module128 will randomly generate onecomponent102 of a key that will be used to assist in assembling a complete key used in conjunction to successfully operate encryption/decryption software with this service. Throughpassword module128 the website will inform the user encryption/decryption software will be downloaded ontocomputing device126 and will cause an instance ofdata protection module130 to be downloaded ontocomputing device126. With the downloading of the encryption/decryption software commenced, thepassword module128 informs user through a web page to connectperipheral storage device104 tocomputing device126, as mentioned previously in this embodiment, to plug in USB flash drive into the USB port of thecomputing device126. Thepassword module128 sends onecomponent key102 that was randomly generated bypassword module128 tocomputing device126 wherein the onecomponent102 is stored onperipheral storage device104 and at the same time, in this embodiment,password module128 transmits this onecomponent102 of the key todata base132 to be stored as part of encryptionkey information135 associated with the UID number of this particular user.

During the downloading process of the encryption/decryption software ontocomputing device126,password module128 will request by way of a web page sent to the new subscriber to create a password. This password will operate as theother component106 of the key. This password will be transmitted fromcomputing device126 todata protection server122 whereinpassword module128 will transmit this password orother component106 of the key todatabase132 to be stored as encryptionkey information135 in association with this user's UID. At this point,password module128 will assemble a complete key from onecomponent102 andother component106. This complete key which is now associated with this particular user is used bypassword module128 in conjunction with the encryption/decryption software ofdata protection module130 to encrypt a file that was randomly generated bypassword module128. As mentioned above, this file could take many forms of information that can be encrypted and decrypted by the software. In this embodiment it is a text file. The encrypted text file is downloaded toperipheral storage device104 throughcomputing device126. This encrypted file iscontrol input file114. The unencrypted version of this file is transmitted toperipheral storage device114 frompassword module128 throughcomputing device126 ascontrol output file116.

During the registration process, with encryption/decryption software downloaded asdata protection module130 and completely assembled key present from onecomponent102 fromperipheral storage device104 and the other component orpassword106 present oncomputing device126, the user will provided a query as to whether they want all stored files oncomputing device126 or select files stored oncomputing device126 encrypted. The user will make a selection and the process will commence to encrypt stored files resulting inencrypted files136. The user can choose to log off and will have now armed theircomputing device126 to be able to more securely protect stored files oncomputing device126. At that point, user can then separate theirperipheral storage device114 fromcomputing device126 andsecure device114. The next time user wishes to usecomputing device126 to access stored encrypted data or to receive or create data that it wishes to encrypt, user plugs USB flash drive orperipheral storage device114 into connection withcomputing device126 such as USB port and goes through theperipheral storage device114 verification process as described earlier. Withstorage device114 authenticated, the user can commence decrypting and encrypting files oncomputing device126.

Password management module

128 will also allow a user who will access the web site supported bydata protection server122 to request a retrieval of theirpassword106 from encryptionkey information135 stored indatabase132. This may occur with thepassword106 of the user having been lost, forgotten or compromised. Additionally,password management module128 will also permit a user to change theirpassword106 for similar reasons. Each of these steps of retrieval and changing of passwords will be accompanied by security steps to assure the user to be associated with the particular customer account prior to going through either of these processes as discussed above.

Password management module

128 will operate to authenticate the requester. As mentioned earlier, at the time of registration the user will have been asked at least one question so as to provide certain very private information related to the user. This information will be stored bymodule128 intodata base132 ascustomer subscription data134 in association with the UID. At the time the request is made by the user, the user will be provided the same question asked at the time of registration and the user will provide an answer that will be compared bypassword management module128 to the answer provided by user at the time of registration that is stored incustomer subscription data134. If there is a match,password management module128 will proceed to retrieve or allow the user to change the password. A changed password will be forwarded bymodule128 todatabase132 and stored in encryptionkey information135 in association with the UID of the user in replacement of the former password.

Passwordmanagement system module128, as mentioned above, will, at the time of registration, randomly generate onecomponent102 for the key for the user. This onecomponent102 is transmitted frommodule128 bydata protection server122 toperipheral storage device104 throughcomputing device126 and stored onperipheral storage device104. Onecomponent102 is also transmitted frommodule128 todata base132 as encryptionkey information135 in association with the user UID at the time of registration. Thus, for example, if a user loses or breaks theirperipheral storage device104, the user will contact the web page supported bydata protection server122 andmodule128 and request either a retrieval or new onecomponent102. With the matching of very private information as described above with respect topassword106,password module128 will proceed to retrieve or generate a new, as requested, onecomponent102. The user will be instructed through a web page to connect theirperipheral storage device104 so thatmodule128 can transmit onecomponent102 data throughcomputing device126 and store it ontoperipheral storage device104. Depending on the circumstances, authentication software frompassword module128 along withinput control file114 and output control file116 can also be downloaded frommodule128 throughcomputing device126 and stored ontoperipheral storage device104. Thus, the online security service can provide services to the user to enable the user to continue to secure their data on theircomputing device126.

It is noted thatperipheral storage device104 can be a dedicated storage device (such as a USB flash drive discussed above) or any other device having storage capability that can be communicatively coupled topersonal computing device126. For example, a user can store

files

102,114, and116 on a smartphone with whichpersonal computing device126 can set up a USB connection or a wireless connection as a Wireless Personal Area Network (WPAN), for example. As another example, a wearable computer (e.g., a “smart watch”) can store the

files

102,114, and116 and wirelessly connect topersonal computing device126.

Now referring toFIG. 3A, it is a block diagram of an exampleuser computing device126 that can operate in the computing system ofFIG. 2.Personal computing device126 as mentioned earlier can comprise a desk top computer, lap top computer or notebook or the like.Computing device126 has auser interface136 such as a graphical user interface (GUI) which in this embodiment would comprise a screen, a keyboard, a mouse, speakers, etc. Anetwork interface138 is also provided to permitcomputing device126 to interconnect withnetwork124 in a wired or wireless manner.Computing device126 further includes aperipheral device interface140 that will permit other devices such as a USB flash drive or keyboard to be connected tocomputing device126 and communicate therewith. One ormore processors142 are provided to execute the software stored on non-persistent memory of thecomputing device126 such as on Random-Access Memory orRAM144 which stores such software programs asdevice driver software146,web browser148,data protection module130 which in this example carries the encryption/decryption module andoperating system software152 which may include systems such as DOS, OS/2, Windows, Linux, Mac etc.Computing device126 further includespersistent memory154, such as a hard disk, flash drive, etc., which will store files and in this embodiment will storeencrypted files164 that have been encrypted by encryption/decryption software withindata protection module130, as shown inFIG. 3B and will also store unencrypted files of user.

As schematically illustrated inFIG. 3A,data protection module130 can operate similar to adevice driver146 in a kernel mode unlikeweb browser148, for example, which runs in user mode. In this manner, the encryption and decryption can be achieved more seamlessly, as various software applications (such as text editing software) can invoke the encryption/decryption functionality of this disclosure similar to the functionality ofOS152.

In an embodiment,RAM144 also stores acomplete key155 generated based on

components

102 and106.Complete key155 can be purged fromRAM144 once the user shuts downcomputing device126, logs off, or issues an explicit command. In this manner,data protection module130 can usecomplete key155 to encrypt and decrypt files while the current user session is active.

In general,peripheral device interface140 can support any wired or wireless short-range communication link via whichpersonal computing device126 can communicate with a peripheral storage device. Some of the examples of a suitable interface include a serial RS232 connection, USB, IEEE 802.15 (Bluetooth®), IEEE 802.11n (WiFi Direct™), etc.

In referring toFIG. 3B, it is a block diagram of an example software module that can be implemented in the user device ofFIG. 3A to encrypt and decrypt data using two

component keys

102 and106.Data protection module130, in this embodiment will include akey management module156, a peripheral storagedevice authentication module157, and encryption/decryption engine158. Encryption/decryption engine158 in this embodiment comprises AES; however, it may comprise any comparable or higher level known standard encryption/decryption software may be used. With both

components

102,106 of the key provided in this embodiment onecomponent102 orKey1 is the component of the key that was randomly generated by the online security service at the time the user registered with the online security service wherein onecomponent102 was stored on USB flash drive. Onecomponent102 of the key is stored onto USB flash drive plugged into the USB port ofcomputing device126 during the registration process. Theother component106 of the key or Key2 is provided by the user as a password inputted into computing device, such as through use of a keyboard ofcomputing device126. This password was created at the time of registration with the online security service as well. With bothKey1 and Key2102,106 provided tokey management module156 the complete key is assembled and is provided as an operative parameter to encryption/decryption engine158. Withcomplete key155 present with encryption/decryption engine158, a user can select a file or save afile162 and the file will be encoded164. Similarly, with a fully assembledkey155 and the encryption/decryption engine158 in the presence of anencrypted file164,encrypted file164 can be properly decrypted.

Authentication module

157 can receiveKey1 and Key2, assemble a complete key, verify that the assembled key is correct using the techniques discussed in more detail below, and store the complete key inRAM144 if the complete key is correct.

Althoughdata protection module130 in the illustrated embodiments is downloaded fromdata protection server122, in general a user can obtaindata protection module130 from any suitable source via any suitable carrier of computer software (e.g., CD, DVD, flash drive). In one example embodiment, the user can downloaddata protection module130 from a server associated with an online application (“app”) store. This server can operate independently and separately fromserver122.Data protection module130 can be platform-specific, so that the online app store can provide one version for a computing device that executes Windows®, another version that executes Mac OS®, etc. In another embodiment, the user installsdata protection module130 from a compact disc (CD).

Further, the security system of this disclosure need not provide all components that makedata protection module130 in all embodiments. Thus, encryption/decryption engine158 can be provided as a service of an operating system of the computing device.Key management module156 in these cases can interface with this service using an appropriate application programming interface (API) exposed by the operating system.

In one example embodiment,key management module156 generates a complete key by simply appending Key2 to the end ofKey1. Thus, ifKey1 is an user-selected alphanumeric string and Key2 is a sequence of hexadecimal values,key management module156 can assemble the complete key by appending the sequence of hexadecimal values defining Key2 to the sequence of hexadecimal values corresponding toKey1. More generally,Key1 and Key2 can be combined in any suitable manner, such as by interleaving the sequences ofvalues defining Key1 and Key2, respectively.

In referring toFIG. 4A is a block diagram of an exampledata protection server122 that can operate in the computing system ofFIG. 2. As mentioned earlierdata protection server122 may comprise one or more servers.Server122 will comprise one or more processor (s)166,network interface168 andRAM170 much likecomputing device126 described earlier.RAM170 will store, in this example, two software modulespassword management system128 anddata protection module130.Processor166 will be used to executemodule128 and operatenetwork interface168 permittingserver122 to communicate withnetwork124.

In referring toFIG. 4B is a block diagram of an example software system that can be implemented in the server ofFIG. 4A to manage keys and provide other functions related to encryption and decryption techniques of this disclosure. The user of the security service, as described earlier, must first register with the online security service. The user communicates withserver122 usingcomputing device126 wherein, in this example, both are connected to theinternet network124. As mentioned earlier,user contacts server122 which along withpassword management system128 supports a web page for thesecurity providing system120. By way ofuser input172 andnetwork interface168 user is in communication withpassword management system128.

In the first instance of communicating with the web page provided, the new user registers with online security service by way of new user registration module174 ofpassword management system128. The new user will be asked to select from different packages offered by the online security service as discussed earlier. The user will provideinput172 selecting the package the user desires to obtain. The new user will be provided questions to answer from a web page provided such as in this embodiment, the name of the new user, their address, their e-mail address and banking information such as a credit card of the new user. The new user will be asked by new user registration module174, in this embodiment, to execute a payment to the online security service for the package they had selected. At that point, with a satisfactory payment received by the online security service, module174 will provide new user queries for creating a user name and a password for entering the system. With user name and password completed, module174 assigns a user identification (UID) number along with the selection of the package and all information at this point collected from the user and forwards the UID and data collected to customer data &password database interface176 and it is all then forwarded todatabase132 and is stored ascustomer subscription data134.

The new user will receive further queries by way of a web page in this embodiment from new device registration module178. The web page will ask the new user to register the device(s) that are under the package or plan the user chose. In this embodiment the user will be asked to provide some information about the computing device such as the make, model and serial number ofcomputing device126 that will protected under this security service. This information will be sent tocustomer database interface176 and forwarded todatabase132 and stored ascustomer subscription data134. In this embodiment this data is sent along with the UID and is stored in association with the previous data stored with the same UID. A new customer account has been created.

With the user registered,key generation module180 ofpassword management system128 randomly generates onecomponent102 of the key. This onecomponent102 is transmitted to thecustomer data interface176 and todatabase132 and stored under the UID of the new customer ascustomer subscription data134. In this embodimentkey generation module180 through a web page will inform the user the encryption/decryption software will be downloaded ontocomputing device126 and will commence downloading an instance of thedata protection module130. With the downloading of the encryption/decryption software commenced,system128 informs user though a web page to connectperipheral storage device104 tocomputing device126. In this example USB flash drive is plugged into USB port ofcomputing device126.Key generation module180 sends onecomponent key102 tocomputing device126 wherein the onecomponent102 is stored onperipheral storage device104 and at the same time, in this embodiment,key generation module180 transmits the onecomponent102 of the key todata base132 to be stored as encryptionkey information135 associated with the UID number of this particular user. In some embodiments,data protection module130, once downloaded and installed onpersonal computing device126, automatically attempts to locate a peripheral storage device, communicates withsystem128 to obtain a key, and otherwise set up subsequent encryption and decryption onpersonal computing device126.

While thedata protection module130 is being downloaded onto the memory ofcomputing device126, in this embodiment, password change/recovery module182 will send a web page tocomputing device126 requesting the subscriber to create theother component106 of the key or a password for the operation of the security system. Thispassword106 will be transmitted by thecomputing device126 of the user toserver122 whereinpassword module182 transmits thisother component106 of the key tocustomer interface176 and todatabase132 and enters it intocustomer subscription data134 associated with the UID number of that particular user.

At this point,database132 has stored both

components

102 and106 of the key.Password module182 assembles

components

102 and106 of the key and in conjunction with the encryption/decryption software of data protection module150 encrypts a file it has randomly generated. In this embodiment it is a text file, however, it can be any file that is subject to be being encrypted and decrypted by the encryption/decryption software.Password module182 transmits the unencrypted file tocomputing device126 to be stored on peripheral storage device ascontrol output file116.Password module182 also transmits tocomputing device126 the corresponding encrypted file tocomputing device126 to be stored ascontrol input file114.

Password management system

128 also will allow a user to enter the web site of the online security service that is supported byserver122 and through a web page provided by password change/recovery module182 request a recovery or retrieval of their password orother component106 of the key that is stored incustomer subscription data134. This may occur upon the user forgetting thepassword106 orpassword106 has been compromised. As discussed earlier, once the user has logged into the web site of the online security service and has requested such a retrieval, the web page will exercise a security step prior to carrying out the request. The web page will ask at least one question that user had provided the answer to at the time of registration. This information is typically very private in nature as it relates to the user. With a match answer received bymodule182, password change/recovery module182 will proceed to retrieve thepassword106 stored incustomer subscription data134 and transmit the same tocomputing device126 to the user.

This same security procedure will be used for the user to be able to change their password orother component106 of the key. The procedure for changing the password will require, in this embodiment, the user to forward from computingdevice126 two copies of thenew password106 for accuracy verification. Thenew password106 will be stored ascustomer subscription data134 indatabase132. In addition, this new other component orpassword106 will now have to be used to construct a new key. The user will be asked to connect theirperipheral storage device104, password change/recovery module182 will take thenew password106 and combine it with the onecomponent102 of the key to assemble a new complete key. This new key will be used to encrypt another file, in this instance a text file and forward it tocomputing device126 for it to be stored onperipheral storage device104 ascontrol input file114 and an unencrypted version of that file will be sent tocomputing device126 to be stored ascontrol output file116. As a note, the old complete key could be assembled bymodule182 and provide user with the correspondingcontrol input file114 andcontrol output file116 in order for user to access their stored encrypted files and decrypt them. At that point, the user can utilize the new complete key with the newcontrol input file114 andcontrol output file116 and begin encrypting and decrypting files with the new complete key.

To make this procedure appear seamless for the user,password management system128 automatically re-encrypts, using the new key, those files that were encrypted using the old key. It is noted, however, that this procedure may consume a noticeable amount of time.

As a result, the online security service can provide various needed services through a web page supported byserver122. The user can access the web page with itscomputing device126 through theinternet network124. In this way the user may changepasswords106, retrievepasswords106, retrieve onecomponent102 of the key, obtaincontrol input file114,control output file116 and the needed software to carry out authentication of theperipheral storage device104.

In referring toFIG. 5, it is a flow diagram of an example method for creating a pair of keys and generating authentication information for aremovable storage device104, which can be implemented in theuser computing device126 ofFIG. 3A. Withcomputing device126 connected todata protection server122 throughinternet network124 connection, in this embodiment, and the account opened by the user as described above,step186 commences withdata protection module130 being downloaded and/or installed ontocomputing device126.Data protection module130 can includekey management module156 and/or encryption/decryption engine158. Instep188, the web site of the online security service which is supported byserver122 will prompt user to insertperipheral storage device104 into theircomputing device126.Key generation module180 will randomly generate onecomponent102 of the key or first key instep190. The web site of the online security service will notify user to create a second key or other component106 (step192) and forward the same from computingdevice126 to be received byserver122 throughnetwork interface168. In this embodiment,password management system128 through password change/recovery module182 will assemble a complete or main key from onecomponent102 andother component106 of the key instep194.Password management system128 will generate authentication data with using the complete or main key in conjunction with encryption/decryption software ofdata protection module130 and encrypts a file it randomly generated. This file is an encryptable and decryptable file with respect to the encryption/decryption software. In this embodiment the file is a text file and it is encrypted, while maintaining an unencrypted version of the file as well forstep196. The encrypted version of the file is forwarded tocomputing device126 and stored on theperipheral storage device104 ascontrol input file114 and the unencrypted version of that file is forwarded tocomputing device126 and stored onperipheral device104 ascontrol output file116 instep198.

In referring toFIG. 6, it is a flow diagram of an example method for encrypting data using onecomponent102 of a key stored on aremovable storage device104 and anothercomponent106 of the key submitted by a user which can be implemented in theuser computing device126 ofFIG. 3A. In the illustrated embodiment, user login can be detected atblock200. This event can trigger the creation of a new session during which data is seamlessly encrypted and/or decrypted. More generally, a session can begin in response to any one of suitable events such as connection to a peripheral storage device or a user command, for example.

The encryption/decryption software can commence the process of assembling the encryption key by obtaining onecomponent102 of a key for encrypting from aperipheral storage device104 asstep202. In this embodiment onecomponent102 of the key was stored on theperipheral storage device104 by the online security service randomly generating it at the time of registration. The user then needs to provide anothercomponent106 of the key (which the user had created at the time of registration by the user) to the encryption/decryption software in putting it intocomputing device126 through a user interface such as a keyboard as step204. Thenext step206 is for the key to be assembled oncomputing device126 with using onecomponent102 and anothercomponent106.

With the complete key assembled and encryption/decryption software stored on thecomputing device126, at the time of registration, an encryption/decryption session begins instep208. In particular, the assembled key may be stored in volatile memory for the duration of the session. During the session, one or several files that require encryption or decryption are captured instep210. These files are encrypted or decrypted instep212 using the key assembled for the session. If an event indicating that the session completed is detected instep214, the flow returns to block210 (where additional file(s) may be captured). Otherwise, the flow proceeds to step216, where the key is removed from the volatile memory.

FIG. 7 shows a flow diagram of an example method for generating authentication information for aremovable storage device104, which can be implemented to authenticateperipheral storage device104 ofFIG. 2.Password management system128, stored onserver122 will generate a random file, one that can be encrypted and decrypted by the encryption/decryption engine158 ofdata protection module130 used in conjunction with onecomponent102 and anothercomponent106 of the key assembled into a complete key. In this embodiment,password management system128 will generate this random file as a text file instep220. With the fully assembled key comprised of onecomponent102 and anothercomponent106, both retrieved fromcustomer subscription data134 fromdatabase132,module182 with the complete key and encryption/decryption software fromdata protection module130 will encrypt the text file instep222. The encrypted text file is transmitted tocomputing device126 and stored inperipheral storage device104 ascontrol input file114, the corresponding unencrypted randomly generated file is transmitted tocomputing device126 and stored onperipheral storage device104 ascontrol output116 and onecomponent102 of the key is also transmitted tocomputing device126 and stored onperipheral storage device104 asstep224. This data stored onperipheral storage device104 will be used as discussed earlier to carry out the authentication function of theperipheral storage device104.

In referring toFIG. 8, it is a flow diagram of an example method for authenticating aremovable storage device104 storing a key. The method in this embodiment includes a user in operation of theircomputing device126 wishing to either encrypt/decrypt data on theircomputing device126. User will request the encryption/decryption of the data which will use onecomponent102 of the key which is stored onperipheral storage device104 asstep226. The user will be prompted to provide theother component106 of the key instep228 which as discussed earlier would be a password in this embodiment. At which point, user can enterother component106 by way of user interface or keyboard ofcomputing device126, instep230 in this example. With onecomponent102 andother component106 of the key, the main or complete key is assembled instep232.

With the main key assembled and the encryption/decryption engine158 present fromdata protection module130, a randomly generated file bypassword change module182 as discussed above, in this embodiment, the randomly generated file is generated bymodule182 and encrypted. The encrypted version is stored on theperipheral storage device104 ascontrol input114 asstep234, the corresponding unencrypted version of the file is stored on theperipheral storage device104 ascontrol output116 and the onecomponent102 of the key is also stored onperipheral storage device104.

With the encrypted version of the file orcontrol input file114 instep236 is decrypted by the complete or main

key comprising components

102 and106 in conjunction with encryption/decryption engine158 and the now decryptedinput control file114 is compared to correspondingunencrypted file116 instep236. If there is a match, “yes”,peripheral storage device104 is authenticated atstep238. This means the main key was properly assembled and used with the encryption/decryption engine158 and user can proceed to encrypt and decrypt files on theircomputing device126. The main key is stored in RAM (or other type of volatile memory) instep242 for the duration of the session. However, if there was not a match between the decryptedcontrol input file114 and thecontrol output file116, “no”, the peripheral storage device fails to authenticate instep240 meaning one or both of the

components

102 and106 of the key were wrong thereby indicating thestorage device104 is not the correct device carrying the correct onecomponent102 of the key or theother component106 of the key was not correct. In either instance, the user will not be able to successfully proceed to encrypt and decrypt files on thecomputing device126. Accordingly, instep244, the session is prevented from being activated, so that previously encrypted files cannot be decrypted and, conversely, new files cannot be encrypted using the techniques of this disclosure.

Throughout this specification, plural instances may implement components, operations, or structures described as a single instance. Although individual operations of one or more methods are illustrated and described as separate operations, one or more of the individual operations may be performed concurrently, and nothing requires that the operations be performed in the order illustrated. Structures and functionality presented as separate components in example configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements fall within the scope of the subject matter of the present disclosure.

Additionally, certain embodiments are described herein as including logic or a number of components or modules. Modules may constitute either software modules (e.g., code stored on a non-transitory machine-readable medium) or hardware modules. A hardware module is tangible unit capable of performing certain operations and may be configured or arranged in a certain manner. A hardware module may comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware module may also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware module in dedicated and permanently configured circuitry or in temporarily configured circuitry (e.g., configured by software) may be driven by cost and time considerations.

Accordingly, the term hardware should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired), or temporarily configured (e.g., programmed) to operate in a certain manner or to perform certain operations described herein. Considering embodiments in which hardware modules are temporarily configured (e.g., programmed), each of the hardware modules need not be configured or instantiated at any one instance in time. For example, where the hardware modules comprise a general-purpose processor configured using software, the general-purpose processor may be configured as respective different hardware modules at different times. Software may accordingly configure a processor, for example, to constitute a particular hardware module at one instance of time and to constitute a different hardware module at a different instance of time.

Hardware and software modules can provide information to, and receive information from, other hardware and/or software modules. Accordingly, the described hardware modules may be regarded as being communicatively coupled. Where multiple of such hardware or software modules exist contemporaneously, communications may be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware or software modules. In embodiments in which multiple hardware modules or software are configured or instantiated at different times, communications between such hardware or software modules may be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware or software modules have access. For example, one hardware or software module may perform an operation and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware or software module may then, at a later time, access the memory device to retrieve and process the stored output. Hardware and software modules may also initiate communications with input or output devices, and can operate on a resource (e.g., a collection of information).

The performance of certain operations may be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors may be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors may be distributed across a number of locations.

Some portions of this specification are presented in terms of algorithms or symbolic representations of operations on data stored as bits or binary digital signals within a machine memory (e.g., a computer memory). These algorithms or symbolic representations are examples of techniques used by those of ordinary skill in the data processing arts to convey the substance of their work to others skilled in the art. As used herein, an “algorithm” or a “routine” is a self-consistent sequence of operations or similar processing leading to a desired result. In this context, algorithms, routines and operations involve physical manipulation of physical quantities. Typically, but not necessarily, such quantities may take the form of electrical, magnetic, or optical signals capable of being stored, accessed, transferred, combined, compared, or otherwise manipulated by a machine. It is convenient at times, principally for reasons of common usage, to refer to such signals using words such as “data,” “content,” “bits,” “values,” “elements,” “symbols,” “characters,” “terms,” “numbers,” “numerals,” or the like. These words, however, are merely convenient labels and are to be associated with appropriate physical quantities.

Unless specifically stated otherwise, discussions herein using words such as “processing,” “computing,” “calculating,” “determining,” “presenting,” “displaying,” or the like may refer to actions or processes of a machine (e.g., a computer) that manipulates or transforms data represented as physical (e.g., electronic, magnetic, or optical) quantities within one or more memories (e.g., volatile memory, non-volatile memory, or a combination thereof), registers, or other machine components that receive, store, transmit, or display information.

As used herein any reference to “one embodiment” or “an embodiment” means that a particular element, feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.

Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. For example, some embodiments may be described using the term “coupled” to indicate that two or more elements are in direct physical or electrical contact. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The embodiments are not limited in this context.

As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).

In addition, use of the “a” or “an” are employed to describe elements and components of the embodiments herein. This is done merely for convenience and to give a general sense of the description. This description should be read to include one or at least one and the singular also includes the plural unless it is obvious that it is meant otherwise.

While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the relevant arts that changes and modifications may be made without departing from the invention in its broader aspects. Therefore, the aim in the appended claims is to cover all such changes and modifications that fall within the true spirit and scope of the invention. The matter set forth in the foregoing description and accompanying drawings is offered by way of illustration only and not as a limitation. The actual scope of the invention is intended to be defined in the following claims when viewed in their proper perspective based on the prior art.

Claims

What is claimed is:

1. A method for generating cryptographic keys for encrypting and decrypting data, the method comprising:

receiving, by one or more processors, a first component of a cryptographic key from a user via a user interface of a user computing device;

receiving, by the one or more processors, a second component of the cryptographic key via a short-range communication interface that communicatively couples the user computing device to a physically separate storage device;

generating, by the one or more processors, the cryptographic key based at least on the first component and the second component; and

using the cryptographic key to encrypt and/or decrypt data, by the one or more processors.

2. The method ofclaim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes:

storing the generated cryptographic key in a volatile memory of the user computing device during an active session,

automatically encrypting and/or decrypting data accessed by the user during the active session, by the one or more processors, and

deleting the cryptographic key from the volatile memory when the active session completes.

3. The method ofclaim 2, further comprising:

verifying the cryptographic key using control data stored on the storage device, wherein the generated cryptographic key is stored in the volatile memory only in response to the cryptographic key having been successfully verified.

4. The method ofclaim 3, wherein the control data includes first control data and second control data, and wherein verifying the cryptographic key includes:

retrieving the first control data from the storage device,

applying the cryptographic key to the first control data to generate an encryption/decryption result, and

comparing the encryption/decryption result to the second control data, wherein the cryptographic key is successfully verified when the encryption/decryption result matches the second control data.

5. The method ofclaim 2, further comprising completing the active session in response to detecting that the storage device has been removed.

6. The method ofclaim 2, further comprising completing the active session in response to detecting that the user logged off.

7. The method ofclaim 1, wherein using the cryptographic key to encrypt and/or decrypt the data includes automatically applying, by the one or more processors, the cryptographic key to files stored in a persistent memory of the user computing device, which the user accesses during an active session, without prompting the user.

8. The method ofclaim 7, wherein applying the cryptographic key to the files stored in a persistent memory of the user computing device including executing a task in a kernel mode on the user computing device.

9. The method ofclaim 1, further comprising, prior to receiving the second component via the short-range communication interface:

receiving, by the one or more processors, the second component of the cryptographic key via a long-range communication interface from a network server;

causing, by the one or more processors, the second component of the cryptographic key to be stored in the storage device.

10. The method ofclaim 8, further comprising:

providing, by the one or more processors, an interactive menu for receiving registration data from a user; and

sending the registration data to the network server via the long-range communication interface, wherein the second component of the cryptographic key is received from the network server in response to the registration data.

11. The method ofclaim 1, wherein the user computing device has a port to removeably couple the user computing device to a peripheral storage device, wherein the second component of the cryptographic key is received via the port from the peripheral storage device.

12. The method ofclaim 1, wherein generating the cryptographic key includes appending, by the one or more processors, one of the first and the second component of the cryptographic key to the other one of the first and the second component of the cryptographic key.

13. A network server comprising:

a communication interface to communicatively couple the network server to a user computing device via a communication network; and

processing hardware configured to:

receive a request for a cryptographic key from the user computing device, wherein the request includes a first component of the cryptographic key, the first component having been specified by a user of the user computing device,

in response to the request, automatically generate a second component of the cryptographic key, and

provide the second component of the cryptographic key to the user device for storage on a storage device physically separate from the user computing device,

wherein the user computing device is configured to (i) generate the cryptographic key based at least on the first component and the second component of the cryptographic key and (ii) encrypt and/or decrypt user-selected data using the cryptographic key.

14. The network server ofclaim 13, further comprising:

a computer-readable storage in which a database is implemented;

wherein the processing hardware is further configured to:

receive registration data for the user from the user computing device, and

store the registration data, the first component of the cryptographic key, and the second component of the cryptographic key in the database.

15. The network server ofclaim 14, wherein the processing hardware is further configured to reset the cryptographic key in response to a user request, including generate a new second component of the cryptographic key.

16. The network server ofclaim 13, wherein the processing hardware is further configured to:

generate the cryptographic key based on the first component and the second component,

generate first control data,

apply the cryptographic key to the first control data to generate second control data, and

provide the first control data and the second control data to the user device for storage on the storage device,

wherein the user computing device is configured to verify user input of the first component of the cryptographic key using the first control data, the second control data, and the second component of the cryptographic key.

17. The network server ofclaim 16, wherein the processing hardware is configured to generate the first control data randomly.

18. A method in a user computing device for efficiently encrypting and/or decrypting data, the method comprising:

receiving, by one or more processors, an indication that a storage device physically separate from the user computing device is now communicatively coupled to the user computing device via a short-range communication interface;

receiving, by the one or more processors, a first component of a cryptographic key from a user via a user interface;

retrieving, from the storage device, (i) a second component of the cryptographic key, (ii) first control data, and (iii) second control data corresponding to the first control data encrypted using a correct version of the cryptographic key;

generating the cryptographic key based at least on the first component and the second component; and

determining whether the generated cryptographic key is correct using the first control data and the second control data.

19. The method ofclaim 18, further comprising:

receiving, by the one or more processors, the second component of the cryptographic key, the first control data, and second control data from a network server via a communication network; and

storing the second component of the cryptographic key, the first control data, and second control data in the storage device.

20. The method ofclaim 19, wherein receiving the second component of the cryptographic key, the first control data, and second control data from the network server includes is in response to a user requesting that a new cryptographic key be generated.