WO2019130040A1 - Secure access to a data storage peripheral device from an electronic host device - Google Patents

Secure access to a data storage peripheral device from an electronic host device

Info

Publication number
WO2019130040A1
Authority
WO
WIPO (PCT)
Prior art keywords
peripheral device
microcontroller
spd
data
secured
Prior art date
Application number
PCT/IB2017/001784
Other languages
English (en)
Inventor
Benoit Berthe
Original Assignee
Vandelay
Priority date
Filing date
Publication date
Application filed by Vandelay
Priority to PCT/IB2017/001784
Publication of WO2019130040A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08: Access security

Definitions

  • the present disclosure relates to the field of secure access to computer systems, in particular to a method for accessing a data storage peripheral device from an electronic host device and to a secured peripheral device.
  • Many electronic systems, for example computer systems and systems with a human-to-machine interface (such as personal computers, smart TVs, printers, video projectors, speakers, ...), have a number of ports for connecting various types of peripheral devices to interface with users, connect to other computer systems, and / or store data. The integrity of these computer systems may be lost by physically connecting devices hosting malicious data to the ports of these systems.
  • USB: Universal Serial Bus
  • USB ports are "multifunctional" universal ports in the sense that they can accept a whole range of devices of different types, such as network interfaces, USB memory-type storage devices, keyboards, mice, webcams, etc.
  • a malicious peripheral device may be a modified webcam (usually identified by Class 06h in the USB protocol) configured to send to the computer system a substitute identifier (Class 05B, identifying a keyboard in the USB protocol).
  • the computer system will then accept to load any software (such as drivers) that would be necessary to interpret input strings from a keyboard, a command line, a computer program, etc.
  • antivirus software would not detect anything, since the sensitive computer system would not be able to detect whether the communication was established with a keyboard or with a malicious device.
  • patent application EP2659419A1 discloses a device for controlling access to a computer system, the device comprising at least one multifunction port configured to be connected to different categories of peripherals and an access interface configured to be connected to the computer system, access management tools connected between the multifunction port and the access interface; the access management tools being physically configured to authorize the access of the interface by means of a peripheral device connected to the multifunction port only if the device belongs to a device category that is specifically and permanently associated with the multifunction port to which it is connected.
  • the use of such device is advantageous in that only data stored on a peripheral that belongs to a predetermined category of peripherals may be read and imported to the computer system.
  • the sole authorized category may be that of the mass storage devices that do not send any command.
  • the device disclosed in EP2659419A1 is implemented as a cumbersome electronic card intended to be used as an interface between a computer system and universal peripherals in a fixed installation. Therefore this solution is not suitable for the protection needs of users in a mobility situation (laptops, travel, etc.).
  • the present description relates to a secured peripheral device, comprising: a first communication interface configured to be connected to an electronic host device; a second communication interface configured to be connected to a data storage peripheral device configured to store one or more data files; a first microcontroller configured to receive from the electronic host device through the first communication interface a read command according to a first communication protocol, wherein the read command comprises instructions for performing a copy of one or more selected data files from the data storage peripheral device to the electronic host device; a second microcontroller configured to communicate with the first microcontroller using a second communication protocol distinct from the first communication protocol.
  • the first microcontroller is configured to translate the read command into a translated read command according to the second communication protocol and to forward the translated read command to the second microcontroller.
  • the second microcontroller is configured to translate the translated read command into a second translated read command according to the first communication protocol and to forward the second translated read command to the data storage peripheral device through the second communication interface.
  • the present description relates to a secured peripheral device, comprising: a first communication interface configured to be connected to an electronic host device; a second communication interface configured to be connected to a data storage peripheral device configured to store one or more data files; a first microcontroller configured to receive from the electronic host device through the first communication interface a write command according to a first communication protocol, wherein the write command comprises instructions for performing a copy of one or more selected data files from the electronic host device to the data storage peripheral device; a second microcontroller configured to communicate with the first microcontroller using a second communication protocol distinct from the first communication protocol.
  • the first microcontroller is configured to translate the write command into a translated write command according to the second communication protocol and to forward the translated write command to the second microcontroller.
  • the second microcontroller is configured to translate the translated write command into a second translated write command according to the first communication protocol and to forward the second translated write command to the data storage peripheral device through the second communication interface.
  • the present description relates to a method for accessing a data storage peripheral device from an electronic host device.
  • the method is intended to be performed by a secured peripheral device connected through a first communication interface to the electronic host device and connected through a second communication interface to the data storage peripheral device.
  • the secured peripheral device comprises a first microcontroller and a second microcontroller.
  • the method comprises receiving, by the first microcontroller, from the electronic host device through the first communication interface a read command according to a first communication protocol, wherein the read command comprises instructions for performing a copy of one or more selected data files from the data storage peripheral device to the electronic host device; translating, by the first microcontroller, the read command into a translated read command according to a second communication protocol distinct from the first communication protocol; forwarding, by the first microcontroller, the translated read command to the second microcontroller; translating, by the second microcontroller, the translated read command into a second translated read command according to the first communication protocol; and forwarding, by the second microcontroller, the second translated read command to the data storage peripheral device through the second communication interface.
  • the present description relates to a method for accessing a data storage peripheral device from an electronic host device.
  • the method is intended to be performed by a secured peripheral device connected through a first communication interface to the electronic host device and connected through a second communication interface to the data storage peripheral device.
  • the secured peripheral device comprises a first microcontroller and a second microcontroller.
  • the method comprises receiving, by the first microcontroller, from the electronic host device through the first communication interface a write command according to a first communication protocol, wherein the write command comprises instructions for performing a copy of one or more selected data files from the electronic host device to the data storage peripheral device; translating, by the first microcontroller, the write command into a translated write command according to a second communication protocol distinct from the first communication protocol; forwarding, by the first microcontroller, the translated write command to the second microcontroller; translating, by the second microcontroller, the translated write command into a second translated write command according to the first communication protocol; and forwarding, by the second microcontroller, the second translated write command to the data storage peripheral device through the second communication interface for implementing said copy of one or more memory blocks.
  • FIG. 4B shows a flow chart of a method for deleting one or more data containers of a secured peripheral device connected to an electronic host device in accordance with one or more embodiments
  • FIG. 4C shows a flow chart of a method for creating one or more data containers of a secured peripheral device connected to an electronic host device in accordance with one or more embodiments
  • FIG. 6A shows a flow chart of a method for providing access to one or more data containers of a secured peripheral device not connected to an electronic host device in accordance with one or more embodiments
  • the remote authentication server RAS may be implemented as a single hardware device or may be implemented on separate interconnected hardware devices connected one to each other by a communication link, with wired and/or wireless segments.
  • the remote authentication server RAS may also be implemented within a cloud computing environment.
  • the electronic control device ECD may be implemented as a single hardware device, for example in the form of a desktop personal computer (PC), a laptop, a personal digital assistant (PDA), a smartphone, a server, a mobile device, or may be implemented on separate interconnected hardware devices connected to each other by a communication link, with wired and/or wireless segments.
  • the electronic control device ECD generally operates under the control of an operating system and executes or otherwise relies upon various computer software applications, components, programs, objects, modules, data structures, etc.
  • the electronic host device EHD may be implemented as a single hardware device, for example in the form of a desktop personal computer (PC), a laptop, a personal digital assistant (PDA), a smartphone, a server, a mobile device, or may be implemented on separate interconnected hardware devices connected to each other by a communication link, with wired and/or wireless segments.
  • the electronic host device EHD generally operates under the control of an operating system and executes or otherwise relies upon various computer software applications, components, programs, objects, modules, data structures, etc.
  • the data storage peripheral device DPD may be implemented as a single hardware device.
  • the data storage peripheral device DPD may be a USB device.
  • the data storage peripheral device DPD may be in the form of data storage key, a USB memory, a USB key, USB stick, USB drive, etc.
  • the data storage peripheral device DPD may be a third-party storage device whose security / integrity cannot be verified by the user U1.
  • the data storage peripheral device DPD is configured to communicate with the secured peripheral device SPD through a communication link L2.
  • the communication link L2 may be a USB (Universal Serial Bus) communication link.
  • a USB port, e.g. a male USB port
  • a USB port, e.g. a female USB port
  • a USB cable may be used to connect the data storage peripheral device DPD to the secured peripheral device SPD.
  • Any other communication link may be used, for example a wired or wireless communication link.
  • a wired communication link may be based on communication protocol such as Ethernet, Lightning, Firewire, RS232, RS432, etc.
  • the electronic control device ECD is configured to communicate with the secured peripheral device SPD through a wired or wireless communication link L3.
  • the communication link is a bi-directional communication link.
  • the communication link L3 is a Bluetooth ® communication link. Any other communication link may be used.
  • a wired communication link may be compliant with a communication protocol such as Ethernet, Lightning, Firewire, RS232, RS432, etc.
  • a wireless communication link may be based on a communication protocol such as Bluetooth, Wi-Fi, Li-Fi, NFC (Near Field Communication), GSM (Global System for Mobile Communication), etc. In the following description, it will be assumed that the communication link L3 is a wireless communication link, compliant for example with Bluetooth ®.
  • FIG. 2A shows a secured peripheral device SPD in accordance with one or more embodiments.
  • the secured peripheral device SPD comprises a flash memory MEM, a communication interface BT1, one or more multifunction communication interfaces USB1, USB2, one or more microcontrollers MC1, MC2, and a power supply 210 (e.g. a battery).
  • the microcontroller MC1 (respectively MC2) includes hardware (e.g. circuitry, optical and / or electronic components, etc.), is configured (e.g. programmed) by means of firmware and / or software instructions and is configured to implement the functions described herein for the microcontroller MC1 (respectively MC2).
  • the microcontroller MC1 and / or the microcontroller MC2 is (are) configured to implement security management functions in order to secure and control the communication and the data access to / from the secured peripheral device SPD through the one or more multifunction communication interfaces USB1, USB2.
  • the security management functions may include authentication functions, communication control functions, encryption functions, filtering functions, etc.
  • the microcontroller MC1 and / or the microcontroller MC2 includes an embedded cryptographic unit configured to implement ciphering / deciphering functions, thus enabling accelerated execution of these ciphering / deciphering functions.
  • the microcontroller MC1 and / or the microcontroller MC2 is (are) configured to implement the security management functions under the control of the electronic control device ECD, e.g. under the control of a specific software application, also referred to herein as the security control application APP, executed by the electronic control device ECD.
  • the multifunction communication interfaces USB1, USB2 are configured to be connected to an external electronic device (e.g. the data storage peripheral device DPD or the electronic host device EHD).
  • the microcontroller MC1 and / or the microcontroller MC2 is (are) configured to implement, under the control of the security control application APP, communication functions and / or data access functions through the one or more multifunction communication interfaces USB1, USB2 to / from the secured peripheral device SPD.
  • the microcontroller MC1 and / or the microcontroller MC2 is (are) configured for example to wait for predetermined control messages before performing any data container access function or communication function through the first and second multifunction communication interfaces USB1, USB2.
  • the microcontroller MC1 and / or the microcontroller MC2 is (are) responsive to messages from the software application APP to control the transition from a connected state, in which the communications through the first and / or second multifunction communication interfaces USB1, USB2 are operative (authorized), to a locked state, in which the communications through the multifunction communication interfaces USB1, USB2 are not operative (forbidden or blocked), or conversely from the locked state to the connected state.
  • performing a data access operation comprises accessing the data storage peripheral device DPD through the second communication interface USB2 from the secured peripheral device SPD and / or copying one or more data files from the external data storage peripheral device DPD to at least one data container P1, P2, P3 of the secured peripheral device SPD.
  • performing a data access operation comprises mounting a file system to get access to data files stored in the data storage peripheral device DPD through the third communication interface USB2 from the secured peripheral device SPD. Further aspects and embodiments are described by reference to FIGS. 7A-7C.
  • the microcontroller MC1 and / or the microcontroller MC2 is configured to implement, through the wireless communication link L3, the electronic control device ECD and the communication link L4, a challenge-response authentication process between the secured peripheral device SPD and the remote authentication server RAS.
  • the microcontroller MCI and / or the microcontroller MC2 is (are) configured to implement data encryption functions using one or more encryption keys.
  • FIG. 3A represents a flowchart of a method according to an example of the present description. While the various steps in the flowchart are presented and described sequentially, those skilled in the art will appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.
  • the method steps may be implemented respectively by a secured peripheral device SPD, a factory configuration tool PRG and a remote authentication server RAS according to any embodiment described herein.
  • Step 322 the software application APP transmits the received identifiers SN1, SN2, SN3 to the remote authentication server RAS and obtains from the remote authentication server RAS a token TK.
  • the token TK is a digital key randomly generated by the remote authentication server RAS.
  • FIG. 4A shows a method for providing access to one or more data containers of the secured peripheral device SPD from an electronic host device EHD using an electronic control device ECD in accordance with one or more embodiments.
  • the multifunction communication interfaces USB1, USB2 are assumed to be USB interfaces.
  • the electronic host device EHD is assumed to be operatively connected to the first multifunction communication interface USB1 (e.g. male USB port) of the secured peripheral device SPD.
  • step 335 in case of success of the mounting operation of step 333, a message M335 is sent by the secured peripheral device SPD to the software application APP to indicate that the selected first data container P1 has been successfully mounted and may be accessed from the electronic host device EHD and / or from the electronic control device ECD.
  • a list of data files stored in the selected first data container PI is sent to the software application APP.
  • FIG. 4B represents a flowchart of a method according to an example of the present description. While the various steps in the flowchart are presented and described sequentially, those skilled in the art will appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.
  • the method steps may be implemented respectively by a secured peripheral device SPD (e.g. by one or more microcontrollers MC1, MC2 of the secured peripheral device SPD), an electronic control device ECD (e.g. by the software application APP of the electronic control device ECD) and an electronic host device EHD according to any embodiment described herein.
  • the steps of the method are performed under control of the software application APP that communicates by means of messages with the secured peripheral device SPD (e.g. with the microcontroller MC1) through the communication link L3.
  • the method for deleting one or more data containers is performed only if the pairing process and the challenge-response authentication process were both successfully completed (see FIGS. 3B and 3C). In one or more embodiments, the method for deleting a data container is performed (and possible) only if the secured peripheral device SPD has received from the electronic control device ECD the encryption key KP1, KP2, KP3 associated with the data container P1, P2, P3. In one or more embodiments, the method for deleting one or more data containers is performed only if the communication between the electronic control device ECD and the secured peripheral device SPD through the communication link L3 is operatively active and secured by means of the encryption keys KC1, KC2.
  • Step 344 upon receipt of the confirmation of the user U1, the software application APP is configured to send a message M344 to the secured peripheral device SPD to request the deletion of the selected second data container P2.
  • the method for creating one or more data containers is performed only if the pairing process and the challenge-response authentication process were both successfully completed (see FIGS. 3B and 3C). In one or more embodiments, the method for creating a data container is performed (and possible) only if the secured peripheral device has received from the electronic control device ECD the encryption key KP1, KP2, KP3 associated with the data container P1, P2, P3. In one or more embodiments, the method for creating one or more data containers is performed only if the communication between the electronic control device ECD and the secured peripheral device SPD through the communication link L3 is operatively active and secured by means of the encryption keys KC1, KC2 (see FIG. 3C).
  • Step 355 the software application APP is configured to inform the user U1 of the creation of the new data container P3.
  • the software application APP is configured to store the encryption key KP3 associated to the new data container P3.
  • the software application APP is configured to store the associated encryption key KP3 in the secure storage tool SS.
  • the architecture of secured peripheral device SPD prohibits direct transfers from USB female port to male USB port or vice versa.
  • a protocol break, e.g. a translation of protocol from the first communication protocol to the second communication protocol or vice versa
  • the two microcontrollers MC1, MC2 of the secured peripheral device SPD are used for processing commands and transmitting data from the data storage peripheral device DPD to the electronic host device EHD or, respectively, from the electronic host device EHD to the data storage peripheral device DPD.
  • the microcontrollers MC1 and MC2 are configured to implement only read and write operations on memory blocks using the first and second file systems. Example embodiments will be presented below by reference to FIGS. 5A and 5B.
  • Step 360 the electronic host device EHD initiates the reading operation by sending a first USB message M360 including a reading command to the microcontroller MC1 through the first multifunction communication interface USB1 in accordance with the USB protocol.
  • Parameters of the reading command may include an address of a buffer to which the user data have to be transferred and the identification of the documents to be read.
  • Step 362 the microcontroller MC2 receives the SPI message M361 and converts (protocol translation) the SPI message into a second USB message M362 including the reading command and transmits the second USB message M362 to the data storage peripheral device DPD.
  • Step 369 the electronic host device EHD accesses the specified buffer and extracts the read user data from the specified buffer.
  • FIG. 5B represents a flowchart of a method according to an example of the present description. While the various steps in the flowchart are presented and described sequentially, those skilled in the art will appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.
  • the method steps may be implemented respectively by a secured peripheral device SPD (e.g. by one or more microcontrollers MC1, MC2 of the secured peripheral device SPD), an electronic control device ECD (e.g. by the software application APP of the electronic control device ECD), a data storage peripheral device DPD and an electronic host device EHD according to any embodiment described herein.
  • the steps are performed under control of the software application APP that communicates by means of messages with the secured peripheral device SPD (e.g. with the microcontroller MC1) through the communication link L3.
  • Step 375 the microcontroller MC2 converts (protocol translation) the first USB response message M374 into an SPI response message M375 and transmits the SPI response message M375 to the microcontroller MC1.
  • the microcontroller MC2 terminates the SPI communication with the microcontroller MC1.
  • Step 377 the electronic host device EHD terminates the writing operation.
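The read and write flows of FIGS. 5A and 5B, simulated as an added example that is not the patent's own code or the applicant's firmware: a host-side command crosses MC1 only if it is a block read or write with in-range parameters, is re-encoded as a compact SPI frame, and is rebuilt by MC2 as a USB command for the DPD; on the way back only block data or a write status is forwarded, so a storage device answering with anything else (such as the keyboard class announcement described earlier on this page) is cut off at the break. The message shapes, SPI frame layout, opcodes, 16-byte block size and toy storage device are assumptions of this example.

```python
"""Simulation of the protocol break in the secured peripheral device SPD:
host EHD --USB1--> MC1 --SPI--> MC2 --USB2--> storage device DPD.
Message shapes, SPI frame layout, opcodes, the 16-byte block size and the toy
storage device are all assumptions of this example."""
from dataclasses import dataclass, field
import struct

BLOCK_SIZE = 16  # constructed toy block size; real mass storage uses 512 bytes

@dataclass
class UsbMessage:           # first communication protocol (USB1 and USB2)
    kind: str               # "cmd" or "rsp"
    opcode: str             # "READ_BLOCK", "WRITE_BLOCK", "DATA", "STATUS", ...
    params: dict = field(default_factory=dict)
    payload: bytes = b""

# Second communication protocol: SPI frame = op(1) | lba(4) | count(2) | len(2) | payload
SPI_OP_READ, SPI_OP_WRITE, SPI_OP_DATA, SPI_OP_ERR = 0x01, 0x02, 0x10, 0xFF
SPI_HDR = struct.Struct(">BIHH")

def spi_pack(op, lba=0, count=0, payload=b""):
    return SPI_HDR.pack(op, lba, count, len(payload)) + payload

def spi_unpack(frame):
    op, lba, count, n = SPI_HDR.unpack_from(frame)
    payload = frame[SPI_HDR.size:SPI_HDR.size + n]
    if len(payload) != n:
        raise ValueError("truncated SPI frame")
    return op, lba, count, payload

class StoragePeripheral:
    """Stand-in for the DPD. rogue=True makes it answer a read with a class
    announcement instead of block data (constructed misbehaviour)."""
    def __init__(self, blocks, rogue=False):
        self.blocks, self.rogue = blocks, rogue

    def handle(self, msg):
        if self.rogue:
            return UsbMessage("rsp", "SET_CLASS", {"cls": "keyboard"})
        lba, count = msg.params["lba"], msg.params["count"]
        if msg.opcode == "READ_BLOCK":
            data = b"".join(self.blocks[lba:lba + count])
            return UsbMessage("rsp", "DATA", {"lba": lba, "count": count}, data)
        for i in range(count):  # WRITE_BLOCK
            self.blocks[lba + i] = msg.payload[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        return UsbMessage("rsp", "STATUS", {"ok": True})

class MC2:
    """SPI frame -> USB command on USB2 (message M362); DPD answer -> SPI
    response (message M375). Only block data or a write status travels back."""
    def __init__(self, dpd):
        self.dpd = dpd

    def handle_spi(self, frame):
        op, lba, count, payload = spi_unpack(frame)
        if op == SPI_OP_READ:
            cmd = UsbMessage("cmd", "READ_BLOCK", {"lba": lba, "count": count})
        elif op == SPI_OP_WRITE:
            cmd = UsbMessage("cmd", "WRITE_BLOCK", {"lba": lba, "count": count}, payload)
        else:
            return spi_pack(SPI_OP_ERR)
        rsp = self.dpd.handle(cmd)  # second translated command, sent over USB2
        if rsp.opcode == "DATA" and len(rsp.payload) == count * BLOCK_SIZE:
            return spi_pack(SPI_OP_DATA, lba, count, rsp.payload)
        if rsp.opcode == "STATUS" and rsp.params.get("ok"):
            return spi_pack(SPI_OP_DATA, lba, count)
        return spi_pack(SPI_OP_ERR)  # anything else (e.g. a class announcement) is dropped

class MC1:
    """USB command from the host -> SPI frame (message M361); SPI response ->
    USB response. Only in-range block reads and writes cross the break."""
    ALLOWED = {"READ_BLOCK": SPI_OP_READ, "WRITE_BLOCK": SPI_OP_WRITE}

    def __init__(self, mc2, max_blocks):
        self.mc2, self.max_blocks, self.dropped = mc2, max_blocks, []

    def handle_usb(self, msg):
        op = self.ALLOWED.get(msg.opcode)
        lba, count = msg.params.get("lba"), msg.params.get("count")
        in_range = (isinstance(lba, int) and isinstance(count, int)
                    and 0 <= lba < lba + count <= self.max_blocks)
        good_len = op != SPI_OP_WRITE or len(msg.payload) == count * BLOCK_SIZE
        if msg.kind != "cmd" or op is None or not in_range or not good_len:
            self.dropped.append(msg.opcode)
            return UsbMessage("rsp", "ERROR", {"reason": "rejected at protocol break"})
        frame = spi_pack(op, lba, count, msg.payload if op == SPI_OP_WRITE else b"")
        rop, rlba, rcount, rpayload = spi_unpack(self.mc2.handle_spi(frame))
        if rop != SPI_OP_DATA:
            return UsbMessage("rsp", "ERROR", {"reason": "storage side error"})
        kind = "DATA" if op == SPI_OP_READ else "STATUS"
        return UsbMessage("rsp", kind, {"lba": rlba, "count": rcount}, rpayload)

def demo():
    """One read, one write and three rejected exchanges on a constructed 8-block device."""
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(8)]
    spd = MC1(MC2(StoragePeripheral(blocks)), max_blocks=len(blocks))
    r_read = spd.handle_usb(UsbMessage("cmd", "READ_BLOCK", {"lba": 2, "count": 2}))
    r_write = spd.handle_usb(UsbMessage("cmd", "WRITE_BLOCK", {"lba": 5, "count": 1},
                                        b"\xaa" * BLOCK_SIZE))
    r_class = spd.handle_usb(UsbMessage("cmd", "SET_CLASS", {"cls": "keyboard"}))
    r_range = spd.handle_usb(UsbMessage("cmd", "READ_BLOCK", {"lba": 7, "count": 4}))
    rogue = MC1(MC2(StoragePeripheral(blocks, rogue=True)), max_blocks=len(blocks))
    r_rogue = rogue.handle_usb(UsbMessage("cmd", "READ_BLOCK", {"lba": 0, "count": 1}))
    return r_read, r_write, r_class, r_range, r_rogue, blocks, spd.dropped
```

The SPI layer carries no USB descriptors, class codes or vendor requests at all, which is what makes the two-microcontroller design a break rather than a pass-through.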
  • FIG. 6A shows a method for providing access to one or more data containers of the secured peripheral device SPD from an electronic control device ECD in accordance with one or more embodiments.
  • the method for providing access to a data container is performed only if the communication between the electronic control device ECD and the secured peripheral device SPD through the communication link L3 is operatively active and secured by means of the encryption keys KC1, KC2 (see FIG. 3C).
  • the method is intended to be performed when the secured peripheral device SPD is not connected to the electronic host device EHD and may be performed without using any electronic host device EHD.
  • the list of data containers is built by the secured peripheral device SPD and sent to the software application APP.
  • the list of data containers shows only an identification of each data container, but not the content (i.e. data files and / or file folders) of each data container.
  • the identification may be a name, for example "private", "company 1", "company 2".
  • step 612 the secured peripheral device SPD checks whether the selected first data container P1 exists in the memory MEM of the secured peripheral device SPD. If the selected first data container P1 does not exist, an error message is sent in step 612 by the secured peripheral device SPD to the software application APP to terminate the opening operation.
  • an LED of the secured peripheral device SPD may be switched on / off to provide feedback to the user U1 regarding the success or failure of the opening operation. For example, in case of success of the opening operation, an LED of the secured peripheral device SPD may be switched on to provide feedback to the user U1.
  • step 615 upon receipt of the descriptive data, the software application APP displays an information message to inform the user U1 of the success of the opening of the selected first data container P1.
  • the first data container P1 is now opened, i.e. the content of this data container may be accessed.
  • a list of data files and / or one or more file folders stored in the selected first data container P1 is displayed on a user interface of the software application APP. For example, a list of data files stored in the root folder of the data container is displayed.
  • the user interface of the software application APP is configured to allow the user U1 to trigger the execution of one or more operations on the opened first data container P1 and / or the content of the opened first data container P1 (i.e. on the data files and / or file folders stored in the opened first data container P1).
  • the triggered operation may be any operation on a data file including: opening a data file, editing a data file, copying a data file, deleting a data file, moving a data file, renaming a data file, creating a new file, managing read/write rights, etc.
  • FIG. 6B represents a flowchart of a method according to an example of the present description. While the various steps in the flowchart are presented and described sequentially, those skilled in the art will appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.
  • the method steps may be implemented respectively by a secured peripheral device SPD (e.g. by one or more microcontrollers MC1, MC2 of the secured peripheral device SPD) and an electronic control device ECD (e.g. by the software application APP of the electronic control device ECD) according to any embodiment described herein.
  • the steps are performed under control of the software application APP that communicates by means of messages with the secured peripheral device SPD (e.g. with the microcontroller MC1) through the communication link L3.
  • the method for performing an operation on one or more data containers is performed only if the pairing process and the challenge-response authentication process were both successfully completed (see FIGS. 3B and 3C). In one or more embodiments, the method for performing an operation on one or more data containers is performed (and possible) only if the secured peripheral device SPD has received from the electronic control device ECD the encryption key KP1, KP2, KP3 associated with the data container P1, P2, P3 and the data container has been opened using for example the method steps 610-612 described by reference to FIG. 6A.
  • a user interface of the software application APP is presented to the user U1.
  • the content of one or more data containers in the memory MEM of the secured peripheral device SPD is presented to the user U1 to allow him to trigger one or more operations to perform on this content.
  • the user U1 performs a predefined action on the user interface of the software application APP to trigger the execution of the one or more operations.
  • the operation is, for example, the opening of the folder of the data container, a change in the access rights (read / write rights) on one or more data files, a deletion of a data file, a deletion of a data folder, a copy of one or more selected data files, etc.
  • the use of the electronic control device ECD to control the access operations is advantageous from a user point of view because it is possible to present various, long and complex types of information on the electronic control device ECD.
  • the secured peripheral device SPD receives, from the software application APP through the wireless communication link L3, one or more first control messages comprising first instructions instructing the self-powered peripheral device SPD to access a file system of the data storage peripheral device DPD.
  • the first control messages are received after completion of the pairing process and / or the challenge- response authentication process.
  • the secured peripheral device SPD may provide, to the software application APP through the wireless communication link L3, a response message including descriptive data of the file system.
  • the secured peripheral device SPD receives, from the software application APP through the wireless communication link L3, one or more second control messages comprising reading instructions for instructing the self-powered peripheral device SPD to perform a copy of one or more selected data files from the external data storage peripheral device DPD to the self-powered peripheral device SPD.
  • the secured peripheral device SPD may send, to the software application APP through the wireless communication link L3, at least one feedback message on the completion of the requested copy. Further details and embodiments are described below by reference to FIGS. 7A-7C.
  • FIG. 7A-7C represent a flowchart of a method according to an example of the present description. While the various steps in the flowchart are presented and described sequentially, a person skilled in the art will appreciate that some or all of the steps may be executed in different orders, may be combined or omitted, and some or all of the steps may be executed in parallel.
  • the method steps may be implemented respectively by a secured peripheral device SPD (e.g. by one or more microcontrollers MC1, MC2 of the secured peripheral device SPD), an electronic control device ECD (e.g. by the software application APP of the electronic control device ECD) and a data storage peripheral device DPD according to any embodiment described herein.
  • the steps are performed under control of the software application APP, which communicates by means of messages with the secured peripheral device SPD (e.g. with the microcontroller MC1) through the communication link L3.
  • FIG. 7A-7C shows a method for copying data stored on a data storage peripheral device DPD to a secured peripheral device SPD in accordance with one or more embodiments.
  • the multifunction communication interfaces USB2 are assumed here to be USB interfaces.
  • the data storage peripheral device DPD is assumed to be connected to the second multifunction communication interface USB2 (e.g. female USB port) of the secured peripheral device SPD.
  • the secured peripheral device SPD being self-powered, the method is intended to be performed when the secured peripheral device SPD is not connected to the electronic host device EHD and may be performed without using any electronic host device EHD.
  • the method for copying data is performed only if the pairing process and / or the challenge response authentication process were successfully completed (see FIGS. 3B and 3C).
  • the secured peripheral device SPD detects the data storage peripheral device DPD and reads the file system of the data storage peripheral device DPD, acting as the master (USB host) device on the second interface USB2.
  • Step 714: the software application APP sends a control message M714 to the secured peripheral device SPD.
  • the control message M714 comprises instructions instructing the secured peripheral device SPD to access a file system of the external data storage peripheral device DPD, e.g. to request the mounting of the file system of the data storage peripheral device DPD.
  • Step 715: upon receipt of the control message M714, the secured peripheral device SPD accesses the file system of the external data storage peripheral device DPD.
  • the file system of the data storage peripheral device DPD is mounted by the secured peripheral device SPD.
  • Step 720: the software application APP provides a user interface showing the content of the data storage peripheral device DPD, e.g. a list of one or more data files and / or one or more data folders. Steps 730-736 may be executed after step 720: see FIG. 7B.
  • the software application APP is configured to allow the user U1 to navigate in the file system of the data storage peripheral device DPD, e.g. to change the current folder.
  • Step 731: the software application APP sends a message to the secured peripheral device SPD to request descriptive data of the content of the current folder.
  • the secured peripheral device SPD gets the descriptive data of the content of the current folder from the data storage peripheral device DPD using the mounted file system.
  • the secured peripheral device SPD sends a response message including the requested descriptive data.
  • Step 734: the software application APP displays a user interface showing the content of the current folder, e.g. a list of one or more data files stored in the current folder. After the execution of step 734, steps 730-734 may be repeated. In step 735, the software application APP displays a user interface to allow the user U1 to select one or more data files to be copied to the secured peripheral device SPD. One or more data files are selected.
  • Step 741: the software application APP displays a user interface to allow the user U1 to specify a destination data container of the secured peripheral device SPD.
  • Step 742: the software application APP receives user inputs specifying a destination data container and / or a destination folder of the secured peripheral device SPD.
  • Step 743: the software application APP checks whether the selected data files already exist in the destination data container and / or destination folder, and in case of a positive answer the software application APP displays a user interface to allow the user U1 to decide whether to proceed or not.
  • the software application APP receives user input to cancel or confirm the copy of the selected data files and proceeds accordingly. In case of confirmation, step 744 is executed; otherwise steps 730-734 or 735-736 may be repeated.
  • Step 745: the secured peripheral device SPD performs the requested copy of the selected data files and stores them in the destination data container and / or destination folder.
  • Step 746: the secured peripheral device SPD sends to the software application APP at least one feedback message on the completion of the requested copy, for example to confirm the completion of the copy.
  • Step 747: the software application APP may display an information message to inform the user of the completion of the copy. After the execution of step 747, steps 730-734 or 735-736 may be repeated.
  • Each described function, engine, block of the block diagrams and flowchart illustrations may be implemented in hardware, software, firmware, middleware, microcode, or any suitable combination thereof. If implemented in software, the functions, engines, blocks of the block diagrams and/or flowchart illustrations can be implemented by computer program instructions or software code, which may be stored or transmitted over a computer-readable medium, or loaded onto a general purpose computer, special purpose computer or other programmable data processing apparatus to produce a machine, such that the computer program instructions or software code which execute on the computer or other programmable data processing apparatus create the means for implementing the functions described herein.
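The preconditions of FIG. 6B and the copy exchange of FIGS. 7A-7C, modelled end to end as an added example; this is not code from the patent or from Vandelay. Both sides of link L3 are shown: the SPD as a state machine that refuses any control message whose preconditions (pairing, authentication, container opened with its key, DPD mounted) do not yet hold, and the APP driving pairing, authentication, container opening, mounting, folder listing, the step 743 existence check and the copy. The message names, the `list_container` request the APP uses for step 743, the HMAC-SHA256 challenge-response standing in for the FIG. 3B/3C processes, the per-container keys and the nested dict standing in for the DPD file system are all assumptions of this example, not details taken from the description.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Msg:  # one control or response message on link L3 (message names are constructed)
    kind: str
    args: dict = field(default_factory=dict)


class NotAllowed(Exception):
    """SPD refusal: a control message arrived before its preconditions held."""


def _require(cond: bool, why: str):
    if not cond:
        raise NotAllowed(why)


class SecuredPeripheralDevice:
    """SPD side of link L3, i.e. what microcontroller MC1 does with each control message."""

    def __init__(self, pairing_secret: bytes, container_keys: dict):
        self._secret = pairing_secret           # assumed to be what pairing (FIG. 3B) establishes
        self._container_keys = container_keys   # expected KP1..KP3 for P1..P3 (assumption)
        self._containers = {n: {} for n in container_keys}  # memory MEM: one dict per container
        self._opened, self._nonce, self._dpd, self._mounted = set(), None, None, None
        self.paired = self.authenticated = False

    def attach_dpd(self, fs: dict):
        self._dpd = fs  # DPD plugged into USB2; constructed nested dict (bytes = file, dict = folder)

    def handle(self, m: Msg) -> Msg:
        if m.kind == "pair":                       # stand-in for the FIG. 3B pairing process
            self.paired = True
            return Msg("paired")
        _require(self.paired, "not paired")
        if m.kind == "auth_challenge":             # stand-in for FIG. 3C: HMAC challenge-response
            self._nonce = os.urandom(16)
            return Msg("challenge", {"nonce": self._nonce})
        if m.kind == "auth_response":
            _require(self._nonce is not None, "no outstanding challenge")
            expected = hmac.new(self._secret, self._nonce, hashlib.sha256).digest()
            self.authenticated = hmac.compare_digest(expected, m.args["tag"])
            self._nonce = None                     # each nonce is usable once
            return Msg("auth_ok" if self.authenticated else "auth_failed")
        _require(self.authenticated, "not authenticated")
        if m.kind == "open_container":             # FIG. 6A steps 610-612: key KPx received for Px
            name, key = m.args["name"], m.args["key"]
            if name in self._container_keys and hmac.compare_digest(self._container_keys[name], key):
                self._opened.add(name)
                return Msg("opened", {"name": name})
            return Msg("open_failed", {"name": name})
        if m.kind == "list_container":             # lets the APP perform the step 743 check
            _require(m.args["name"] in self._opened, "container not opened")
            return Msg("container_content", {"files": sorted(self._containers[m.args["name"]])})
        if m.kind == "mount_dpd":                  # M714 / step 715: SPD reads the DPD as USB master
            _require(self._dpd is not None, "no DPD on USB2")
            self._mounted = self._dpd
            return Msg("mounted", {"entries": sorted(self._mounted)})
        _require(self._mounted is not None, "DPD not mounted")
        folder = self._walk(m.args.get("folder", ""))
        if m.kind == "list_folder":                # steps 731-733: descriptive data of a folder
            files = sorted(k for k, v in folder.items() if isinstance(v, bytes))
            return Msg("folder_content", {"files": files})
        if m.kind == "copy":                       # steps 744-746: copy selected files into a container
            dest = m.args["dest"]
            _require(dest in self._opened, "destination container not opened")
            for name in m.args["files"]:
                self._containers[dest][name] = folder[name]
            return Msg("copy_done", {"count": len(m.args["files"])})
        raise NotAllowed(f"unknown message {m.kind}")

    def _walk(self, path: str) -> dict:
        node = self._mounted
        for part in filter(None, path.split("/")):
            node = node[part]
        return node


def app_copy_flow(spd, secret, container, key, folder, files, confirm_overwrite):
    """APP side (ECD): drives FIGS. 6B and 7A-7C end to end; returns the names copied,
    or [] when the SPD refused a step or the user declined at step 743."""
    spd.handle(Msg("pair"))
    nonce = spd.handle(Msg("auth_challenge")).args["nonce"]
    tag = hmac.new(secret, nonce, hashlib.sha256).digest()
    if spd.handle(Msg("auth_response", {"tag": tag})).kind != "auth_ok":
        return []
    if spd.handle(Msg("open_container", {"name": container, "key": key})).kind != "opened":
        return []
    spd.handle(Msg("mount_dpd"))                                                  # step 714
    available = spd.handle(Msg("list_folder", {"folder": folder})).args["files"]  # steps 731-734
    selected = [f for f in files if f in available]                               # step 735
    existing = spd.handle(Msg("list_container", {"name": container})).args["files"]
    if set(selected) & set(existing) and not confirm_overwrite:                   # step 743
        return []
    reply = spd.handle(Msg("copy", {"folder": folder, "files": selected, "dest": container}))
    return selected if reply.kind == "copy_done" else []
```

The part worth checking in a real firmware is the order of the `_require` gates in `handle`: a `mount_dpd` or `copy` that arrives before pairing, authentication or `open_container` is refused outright rather than partially executed, and the challenge nonce is consumed on first use, so a captured `auth_response` cannot be replayed to re-open the session.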

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Information Transfer Systems (AREA)

Abstract

A secured peripheral device (SPD) comprises a first communication interface (USB1) connected to an electronic host device (EHD); a second communication interface (USB2) connected to a data storage peripheral device (DPD); a first microcontroller (MC1) configured to receive, from the electronic host device (EHD) via the first communication interface (USB1), a read order according to a first protocol, comprising instructions for performing a copy of one or more selected data files from the data storage peripheral device (DPD) to the electronic host device (EHD). The second microcontroller (MC2) communicates with the first microcontroller using a second protocol. The first microcontroller translates the read order into a translated read order according to the second protocol and forwards the translated read order to the second microcontroller. The second microcontroller translates the translated read order into a second translated read order and forwards the second translated read order to the data storage peripheral device.
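The two-stage translation described in the abstract, as an added example that is not the patent's or Vandelay's code. A constructed length-prefixed JSON order stands in for the first protocol on USB1, a constructed one-frame-per-file binary format for the second protocol between MC1 and MC2, and a dict lookup for the read that MC2 issues to the DPD. The strict validation MC1 applies before re-encoding (only read orders, only short, flat, printable ASCII file names) is this example's design choice; the abstract only states that MC1 translates the order. The point it makes visible is the protocol break: MC2, and therefore the DPD, only ever sees frames that MC1 constructed, never bytes the host sent.

```python
import json
import struct


def encode_host_read_order(files) -> bytes:
    """Constructed first protocol (host side, USB1): big-endian u32 length + JSON object.
    The only order defined here is {"op": "read", "files": [...]}."""
    body = json.dumps({"op": "read", "files": list(files)}).encode("ascii")
    return struct.pack(">I", len(body)) + body


class FirstMicrocontroller:
    """MC1: parses a first-protocol order and re-emits it in the second (MC1 <-> MC2)
    protocol, one fixed frame per file: b'R' + one length byte + the file name."""

    MAX_NAME = 64  # assumption: the second protocol carries short, flat file names only

    def translate(self, order: bytes) -> list:
        if len(order) < 4:
            raise ValueError("order too short for its length prefix")
        (n,) = struct.unpack(">I", order[:4])
        body = order[4:]
        if len(body) != n:
            raise ValueError("length prefix does not match body")
        cmd = json.loads(body)
        # Anything other than a well-formed read order is dropped here and never reaches MC2.
        if not isinstance(cmd, dict) or set(cmd) != {"op", "files"} or cmd["op"] != "read":
            raise ValueError("only read orders are translated")
        if not isinstance(cmd["files"], list):
            raise ValueError("files must be a list")
        frames = []
        for name in cmd["files"]:
            if (not isinstance(name, str) or not 0 < len(name) <= self.MAX_NAME
                    or not name.isascii() or not name.isprintable()
                    or "/" in name or "\\" in name):
                raise ValueError(f"rejected file name {name!r}")
            frames.append(b"R" + bytes([len(name)]) + name.encode("ascii"))
        return frames


class SecondMicrocontroller:
    """MC2: accepts second-protocol frames only and issues the read to the DPD.
    A dict stands in for the DPD file system (a real device would use USB mass storage)."""

    def __init__(self, dpd_fs: dict):
        self._dpd = dpd_fs

    def serve(self, frame: bytes):
        if len(frame) < 2 or frame[:1] != b"R" or len(frame) != 2 + frame[1]:
            raise ValueError("malformed second-protocol frame")
        return self._dpd.get(frame[2:].decode("ascii"))  # None when the DPD has no such file


def copy_through_spd(mc1, mc2, order: bytes) -> dict:
    """The SPD as a whole: host order in, {file name: content} out.
    Files the DPD does not have are simply absent from the result."""
    out = {}
    for frame in mc1.translate(order):
        data = mc2.serve(frame)
        if data is not None:
            out[frame[2:].decode("ascii")] = data
    return out
```

Because `SecondMicrocontroller.serve` is the only path to the DPD and it accepts nothing but the fixed frame MC1 emits, a host that sends a write order, a malformed length, or a path-like name gets a `ValueError` from MC1 and the DPD never sees the request; that is the property the two-microcontroller split is meant to give, independent of how the host's own USB stack behaves.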
PCT/IB2017/001784 2017-12-29 2017-12-29 Secure access to a data storage peripheral device from an electronic host device WO2019130040A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2017/001784 WO2019130040A1 (fr) 2017-12-29 2017-12-29 Secure access to a data storage peripheral device from an electronic host device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2017/001784 WO2019130040A1 (fr) 2017-12-29 2017-12-29 Secure access to a data storage peripheral device from an electronic host device

Publications (1)

Publication Number Publication Date
WO2019130040A1 true WO2019130040A1 (fr) 2019-07-04

Family

ID=62749110

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2017/001784 WO2019130040A1 (fr) 2017-12-29 2017-12-29 Secure access to a data storage peripheral device from an electronic host device

Country Status (1)

Country Link
WO (1) WO2019130040A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100115165A1 (en) * 2008-11-06 2010-05-06 International Business Machines Corporation Data Communications Among Electronic Devices Within A Computer
EP2659419A1 (fr) 2010-12-27 2013-11-06 Electricité de France Method and device for controlling access to a computer system
US20140337558A1 (en) * 2011-05-31 2014-11-13 Architecture Technology Corporation Mediating communication of a universal serial bus device
US20160028713A1 (en) * 2014-07-22 2016-01-28 Beautiful Enterprise Co., Ltd. Universal Serial Bus (USB) Flash Drive Security System And Method
US20160378971A1 (en) * 2015-06-26 2016-12-29 Intel Corporation Authentication of a multiple protocol connection
US20170149771A1 (en) * 2015-11-25 2017-05-25 Microsoft Technology Licensing, Llc. Automated device discovery of pairing-eligible devices for authentication


Similar Documents

Publication Publication Date Title
EP3050335B1 (fr) Systems and methods for NFC access control in a secure-element-centric NFC architecture
CN104662870B (zh) Data security management system
WO2019130042A1 (fr) Integrity check of a secured peripheral device
US20140108793A1 (en) Controlling mobile device access to secure data
US20160188896A1 (en) Secure host interactions
TW202232353A (zh) Secure storage pass-through device
TW201407378A (zh) Efficient data transfer for cloud storage by centralized management of access tokens
JP2016186782A (ja) Data processing method and data processing device
US9547773B2 (en) Secure event log management
EP2932690B1 (fr) Copy offload for disparate offload providers
CN106575342A (zh) Kernel program including a relational database, and method and device for executing said program
GB2553944A (en) Secure host communications
CN101593252B (zh) Control method and system for computer access to a USB device
WO2017166362A1 (fr) eSIM number writing method, security system, eSIM number server and terminal
WO2023143646A2 (fr) Data security protection method, device and system, security control framework and storage medium
WO2022126644A1 (fr) Model protection device, method and computing device
KR101534566B1 (ko) Cloud virtual desktop security control apparatus and method
CN104821878A (zh) Portable security device, method and computer program product for securing data exchanges
CN104680055A (zh) Control method for bringing a USB flash drive under management after it connects to an industrial control system network
JP5799399B1 (ja) Virtual communication system
CN116724309A (zh) Device and communication method
US11082222B2 (en) Secure data management
WO2019130041A1 (fr) Method for controlling access to a data storage peripheral device
KR101056423B1 (ko) Program execution management method and recording medium using control of logged-in account permissions
US7934099B2 (en) Device and method for generating digital signatures

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17889517; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17889517; Country of ref document: EP; Kind code of ref document: A1)