Title:
A REMOVABLE SECURITY DEVICE AND A METHOD TO PREVENT UNAUTHORIZED EXPLOITATION AND CONTROL ACCESS TO FILES
Document Type and Number:
WIPO Patent Application WO/2017/137481
Kind Code:
A1
Abstract:
A removable security device configured to prevent unauthorized exploitation of files, connectable with a host device, the removable security device comprising a central processor, an operating system, a graphic processor, memories and a communication link configured to exchange data with the host device. The removable security device further comprises an identification module for verifying conformity of at least one user credential received from the host device via the communication link. The operating system enables through a remote desktop agent remote access to at least one file and executes a file processing application with the at least one file. The operating system, the remote desktop agent and the file processing application are stored in a non-volatile memory of the removable security device. The graphic processor generates displayable frames corresponding to the execution of the application with the file. A watermarking module coupled to the graphic processor inserts additional data into the displayable frames, said additional data forming a watermark generated on all or part of the displayable frame. The additional data allows retrieving at least the identifier of the removable security device. The communication link transmits the watermarked displayable frames to the host device.

Inventors:
BACHMANN JULIEN (CH)
SARDA PIERRE (CH)
Application Number:
PCT/EP2017/052826
Publication Date:
August 17, 2017
Filing Date:
February 09, 2017
Assignee:
NAGRAVISION SA (CH)
International Classes:
G06F21/16; G06F21/84
Foreign References:
US20050097341A1 2005-05-05
Other References:
89.76.40.118 ET AL: "Remote Desktop Services", WIKIPEDIA, THE FREE ENCYCLOPEDIA, 22 April 2012 (2012-04-22), XP055235479, Retrieved from the Internet [retrieved on 20151210]
PETERSON L M ET AL: "A GRAPHICAL METHOD FOR DETERMINING THE LOGGED ON USER", MOTOROLA TECHNICAL DEVELOPMENTS, MOTOROLA INC. SCHAUMBURG, ILLINOIS, US, vol. 24, 1 March 1995 (1995-03-01), pages 20/21, XP000500320, ISSN: 0887-5286
"Digital watermark on image export from geoscience application", IP.COM JOURNAL, IP.COM INC., WEST HENRIETTA, NY, US, 18 February 2011 (2011-02-18), XP013142565, ISSN: 1533-0001
Attorney, Agent or Firm:
LEMAN CONSULTING S.A. 284 (CH)
Claims:
CLAIMS

1. A removable security device configured to prevent unauthorized exploitation of files, connectable with a host device, the removable security device comprising a central processor, an operating system, a graphic processor, memories and a communication link configured to exchange data with the host device, the removable security device further comprising:

- an identification module configured to verify conformity of at least one user credential received from the host device via the communication link and to store the at least one user credential in a memory associated with the identification module,

- the operating system being configured to enable remote access through a remote desktop agent to at least one file and to execute a file processing application with the at least one file, the operating system, the remote desktop agent, and the file processing application being stored in a non-volatile memory of the removable security device,

- a graphic processor configured to generate displayable frames corresponding to the execution of the application with the file,

- a watermarking module coupled to the graphic processor configured to insert additional data into the displayable frames, said additional data forming a watermark for at least all or part of the generated displayable frame, the additional data allowing at least to retrieve the identifier of the removable security device, the communication link being configured to transmit the watermarked displayable frames to the host device.

2. The removable security device according to claim 1 characterized in that it further comprises an encryption / decryption module configured to encrypt files before storing in a memory, and to decrypt the files before execution with the file processing application, the encryption / decryption module using a user personal cryptographic key previously stored in a memory of the removable security device.

3. The removable security device according to claim 2 characterized in that it further comprises a network interface coupled to the encryption / decryption module and the identification module, the network interface being configured to exploit network connection resources of the host device.

4. The removable security device according to any one of claim 1 to 3 characterized in that the additional data to be inserted into the displayable frames include an identifier of the removable security device, said identifier being stored in a non-volatile memory of the removable security device.

5. The removable security device according to any one of claim 1 to 4 characterized in that the additional data to be inserted into the displayable frames include an identifier of the host device, said identifier being received from the host device via the communication link and stored in a memory of the identification module.

6. The removable security device according to claim 4 or 5 characterized in that the additional data to be inserted into the displayable frames further include temporal data representing a date and time of a current file processing, the temporal data being received from the host device via the communication link and the remote desktop agent or provided by an internal clock of the removable security device.

7. The removable security device according to any one of claim 4 or 6 characterized in that the additional data to be inserted into the displayable frames include a result provided by a reversible mathematical function applied on the identifier of the removable security device, the identifier of the host device, temporal data or a combination thereof.

8. The removable security device according to claim 3 characterized in that the additional data to be inserted into the displayable frames include a code allowing retrieving at least the identifier of the removable security device from a database associated with a remote server.

9. A method to prevent unauthorized exploitation of files, the files being accessible under control of a removable security device connectable with a host device, the removable security device comprising a central processor, an operating system, a graphic processor, memories and a communication link configured to exchange data with the host device, the method comprises steps of:

- verifying by an identification module of the removable security device conformity of at least one user credential received from the host device via the communication link,

- storing the at least one user credential in a memory associated with the identification module,

- enabling, by the operating system through a remote desktop agent, remote access to at least one file and execution of a file processing application with the at least one file, the operating system, the remote desktop agent and the file processing application being stored in a non-volatile memory of the removable security device,

- generating by the graphic processor displayable frames corresponding to the execution of the application with the file,

- inserting, by a watermarking module coupled to the graphic processor, additional data into the displayable frames, said additional data forming a watermark on all or part of the generated displayable frame, the additional data allowing at least to retrieve the identifier of the removable security device,

- transmitting via the communication link the watermarked displayable frames to the host device.

10. The method according to claim 9, characterized in that the files are stored in a non-volatile memory implemented in the removable security device.

11. The method according to claim 9, characterized in that the files are stored in a remote server associated with a communication network, the removable security device further comprising a network interface allowing access to the remote server via the communication network, by exploiting network connection resources of the host device.

12. The method according to any one of claim 9 to 11, characterized in that it further comprises a step of encrypting, by an encryption / decryption module of the removable security device, the files before storing in the local non-volatile memory or in the remote server, and decrypting the files before execution with the file processing application, the encryption and decryption being carried out by using a user personal cryptographic key previously stored in a memory of the removable security device.

13. The method according to claim 11, characterized in that the watermarking module inserts into the displayable frames additional data including a code allowing retrieving at least the identifier of the removable security device from a database associated with the remote server.

Description:
A removable security device and a method to prevent unauthorized exploitation and control access to files

Introduction

The present disclosure generally relates to a removable security device and a method to prevent unauthorized exploitation and control access to files stored in a local or remote storage device.

Technical background

A removable security device connectable to a personal computer may be used in order to authenticate a user of the personal computer to a remote network content server. The removable security device may comprise a memory storing an interface software program configured to use an encryption / decryption key generated during an initialization phase. The interface software program is executed on the personal computer for interfacing the personal computer via the network to the content server. The encryption / decryption key is used by the interface software program for authenticating the user of the personal computer to the content server and for establishing a secure connection between the personal computer and the content server. The removable security device may be connected to the personal computer via a standard USB (Universal Serial Bus) link. As the memory of the removable USB device is re-writable, the interface software program may be configured to write, during the connection to the personal computer, any temporary files in a location of the removable USB device memory and not in a standard temporary files folder of the personal computer. This ensures that after closing the secure connection to the content server and the removal of the removable security USB device, no temporary files containing confidential information may remain on the personal computer and thus provides increased security against hackers.

The removable security device may be based on a "USB powered computer" device as for example the device known under the name of "USB armory". This type of removable device may be designed to be connectable to a USB port of the personal computer, which may provide power and a bidirectional serial data link between the personal computer and the removable device. In addition to the re-writable memory for storing application software programs and associated data, the removable security device may comprise a central processor and an operating system. The operating system stored in a non-volatile memory manages the application software programs as well as the bidirectional serial data link.

Summary

According to one embodiment, there is disclosed a removable security device configured to prevent unauthorized exploitation of computer files stored in a local or remote storage device.

According to another embodiment, there is disclosed a method to prevent unauthorized exploitation of computer files accessible by a host device associated with a removable security device.

According to one example of a removable security device, the removable security device as disclosed may be based on a "USB powered computer" device. This type of removable device may be designed to be connectable to a host device via a USB (Universal Serial Bus) port providing power to the removable device and a bidirectional serial data link between the host device and the removable device.

The removable USB security devices or USB powered computers have the advantage of being able to present themselves as various USB devices, for example in the form of a dongle having a USB type communication port to be plugged onto any host device having a corresponding USB port. Other types of communication ports may be implemented, for example, Apple Lightning, FireWire IEEE 1394, etc. According to further embodiments, the removable security device may be powered by sources other than the USB port of the host device, for example an internal battery or an external power supply.

The host device may preferably be in the form of a portable personal computer (PC), also called a laptop, or a desktop personal computer coupled to a display screen. Other portable devices such as tablets, smartphones, personal digital assistants (PDA) or pocket PCs may also be used as host devices.

According to a first embodiment, the removable security device may contain components comprising at least one processor, memories and a communication link configured to exchange data with the host device. An operating system stored in a memory of the removable security device manages the components and various applications described below. The communication link between the host device and the removable security device may be managed by the host device, for example by using SSH (Secure Shell) connections over USB, or by using remote desktop displays as provided for example by Microsoft ® RDP (Remote Desktop Protocol), allowing the user to interact from the host device with applications running on the removable security device. Such a removable security device is intended to be secure and offers a secure internal working environment to store and edit files. Applications (e.g., word processing, spreadsheets, presentation, etc.) may be used for processing files in the removable security device.

According to a second embodiment, the removable security device may further comprise a network interface configured to use network connection capabilities of the host device for communicating with network resources on a local network or a public network such as Internet. The network resources may comprise remote servers, virtual drives or databases being accessible by the host device through the removable security device for fetching and storing files. The removable security device may thus be recognized by the host device, for example, as an active network resource with a shared network drive attached. For processing with an application of the removable security device, the files may be downloaded from a remote server into a memory of the removable security device and saved into the memory and/or uploaded from the memory to the remote server after processing. In some embodiments, the files are processed without being stored on the host device preventing copying onto another external memory or drive. The removable security device allows files to be used on a host device without software and copyright protection to prevent potential leakage.

However, conventional anti-copy precautions fail to include protection against capturing screen shots of the content that is displayed by the host device or capturing a signal corresponding to displayed images. For example, screenshots or screen capture may be performed with an application of the host device as well as with a camera of a smartphone to capture all or part of the content. For capturing a digital signal corresponding to displayed content, the host device may be modified to redirect the signal from the display to a signal recording module.

An exemplary aspect of the disclosed method and device is to provide anti-copy protection by integrating information into displayable frames generated by the removable security device that are displayable on the screen of the host device. The integrated information can be used to identify the removable security device associated with unauthorized copies of the displayable frames (e.g., screenshots or image captures). This information is preferably not visible to the user. The removable security device is referenced by a unique identifier registered in a database that may also associate user data with this identifier. The information, hereafter referred to as a watermark, may not prevent unauthorized copies (e.g., screen captures) but enables identification of the removable security device associated with a host device that displays the copied frame. In addition, the watermark may also include an identifier of the host device and temporal data.

According to an embodiment, the watermark may be a code allowing retrieving at least the identifier of the removable security device in the database.

Brief description of the drawings

Figure 1 shows a block diagram of a removable security device coupled to a host device. A remote desktop agent operating on the host device allows accessing, displaying and editing a content in which additional data may be inserted by a watermarking module implemented in the removable security device.

Figure 2 shows a detailed block diagram of a removable security device connectable to a host device, the removable security device allowing the host device executing a file processing application with files stored locally or in a remote server. A watermarking module inserts additional data into displayable frames generated by a graphic processor of the removable security device.

Detailed description

The disclosed removable security device may preferably be connectable with a host device via a standard USB (Universal Serial Bus) port having the advantage to offer a fast bidirectional data communication link with the host device. It can also advantageously provide power to the host device. The standard universal serial data bus may be for example of type USB 2.0, USB 3.0 or USB 3.1, where the different types stand out from their throughput having a value of respectively 480 Mbit/s, 5 Gbit/s and 10 Gbit/s.

Modules of the removable security device

The removable security device 10, as schematically illustrated by the block diagram of Figure 2, may comprise hardware modules such as a central processor 100, memories 102, a graphic processor 104, a network interface 109 and a communication port 108 (e.g., a USB port). The memory may comprise several types of memory sections such as read-only and read / write non-volatile memory 102 (i.e. non-volatile memory), and random access memory 102'.

The removable security device 10 further comprises various software modules loaded in non-volatile memory using hardware resources of the removable security device 10. An operating system 101 manages the different hardware and software modules. In order to secure the stored software modules, root of trust functions may be embedded in the operating system 101, preferably in a hardware form. Hardware root of trust offers a higher level of trust than a software root of trust which is typically more exposed to attacks by hackers. The root of trust provides services (e.g., monitoring) to ensure hardware and software integrity is maintained throughout different operating modes (e.g. power-up, initialization and normal operating modes) of the removable security device 10.

The software modules may include an identification module 106, file processing applications 120, 121, a remote desktop agent 107, an encryption / decryption module 103, and/or a watermarking module 105.

The identification module 106 can receive and store at least one user credential for authenticating a user to access resources of the removable security device 10.

The file processing applications 120, 121 comprise, for example, a text document editor such as Microsoft ® Word, a slide editor such as Microsoft ® Power Point, or a table editor such as Microsoft ® Excel or any other file creating / editing applications. The file processing applications 120, 121 may be managed by the central processor 100 under control of the operating system 101 and dedicated user interfaces.

The remote desktop agent 107 can be integrated with the operating system 101. The remote desktop agent 107 enables remote access to at least one file and execution of the file processing application (e.g., 120, 121) with the at least one file. The remote desktop agent 107 also enables communication with the host device 20 and remote access to the files and to file processing applications 120, 121 for execution by the host device 20. The remote desktop agent 107 may be preferably embedded in the operating system 101 and protected by the hardware root of trust in order to prevent any tampering or unauthorized modification (e.g. storing files into the host device 20).

The encryption / decryption module 103 is coupled to the network interface 109 and to the memories 102. The encryption / decryption module 103 encrypts files before storing, and decrypts the files when retrieved for processing. The encryption / decryption operations may be performed by using an appropriate algorithm with symmetric or asymmetric cryptographic keys. The network interface 109 may be configured to exploit network connection resources of the host device 20 for exchanging data with remote servers 30 and databases 40. The exchanged data may be encrypted by the encryption / decryption module 103.

The watermarking module 105 is coupled to the graphic processor 104 and can insert additional data into displayable frames produced by the graphic processor 104. For example, a screen associated with the host device 20 displays the frames. Different embodiments of additional data content and retrieval methods will be described hereafter.

According to an embodiment, the removable security device 10 may comprise wireless network communication modules (e.g., 109', 109" in Figure 2) associated with the network interface 109. The network interface 109 can be, for example, a WiFi module, a mobile network communication module such as a 3G, 4G, LTE (Long Term Evolution) type module, etc. In some embodiments, the removable security device 10 may be connected to host devices 20 without network communication resources. In some embodiments, the wireless network communication modules 109', 109" ensure access by the host device 20 to files stored on remote servers 30 or virtual drives.

Operating of the removable security device

The removable security device 10, coupled to a communication port of the host device 20, may be activated automatically or manually (e.g., a physical switch, a button on the removable security device 10, etc.). The automatic activation may occur upon plugging the removable security device 10 onto the communication port of the host device 20. The activation may comprise steps of mounting the removable security device 10 as an active network device resource for the host device and exchanging information with the host device 20. The exchanged information may enable a user authentication request on the host device 20. A user interface of the host device 20 may prompt the user for credentials, for example, a username and a password. The credentials may also be in form of a fingerprint or other biometric data introduced by the user through a dedicated device associated with the host device 20 or located directly on the removable security device 10. The credentials may also include a one-time-password (OTP) having a limited validity period associated with a user name or a user address.

Conformity of the credentials may be verified by comparison with user data previously recorded in the identification module 106 during an initialization phase of the removable security device 10. When the recorded user data and the introduced credentials match, access to resources of the removable security device 10 is validated. The files and applications for processing the files with the host device 20 become operational through the remote desktop agent 107 that is activated. Otherwise, when the user authentication fails, access to files and applications is denied.

According to one example, the communication through the USB type link may use a standard RDP protocol (Remote Desktop Protocol). The RDP protocol may provide a user with a graphical interface to connect to another computer over a network connection. The removable security device 10 can be recognized by the host device 20 as a network device. The RDP protocol further provides a secure connection by encrypting the data exchanged between the connected devices. The remote desktop agent 107 stored in the removable security device 10 provides a user interface on the host device 20. The user interface can be used for file selection and launching applications to execute opening and editing the selected file. For example, a text document 130 stored in the read / write non-volatile memory 102 may be opened with the text document editor 120. The desktop agent 107 may facilitate execution of the text document editor 120 and saving the document once modified in the read / write non-volatile memory 102 without providing any possibility to save a copy of the document in a memory of the host device 20.

Figure 1 illustrates an example where a document 130 stored in the read / write non-volatile memory 102 of the removable security device 10 is opened by execution of a text document editor 120 providing a corresponding window on the host device 20 through the remote desktop agent 107.

The application 120 operates on the operating system 101 managing the hardware and software modules of the removable security device 10 as well as a communication link 110 with the host device 20.

The execution of the text document editor 120 with the document file enables generating, by the graphic processor 104, displayable frames to be watermarked by the watermarking module 105. At termination of the file execution by the text document editor 120, the file may be saved in the read / write non-volatile memory 102 of the removable security device 10.

According to an embodiment, in addition to accessing files stored in the read / write non-volatile memory 102 of the removable security device 10, the remote desktop agent 107 may allow access to files previously stored in a remote server 30 or on a virtual drive. For access to the files on the remote server 30, the remote desktop agent 107 uses the network resources of the host device 20 and the network interface 109 of the removable security device 10. According to a preferred mode, the user authentication performed after activation of the removable security device 10 also enables connection of the host device 20, via the removable security device 10, to the remote server 30 and authorizes access to the stored files. These files may be encrypted with a user personal encryption key to prevent access by unauthorized users. During a file processing session a remotely stored file may be downloaded into a random access memory 102' associated with the central processor 100 of the removable security device 10, decrypted by the encryption / decryption module 103 and executed by a file processing application 120. At the end of processing, and if a modification of the file has been made, the file may be re-encrypted and saved into the remote storage and/or into the local read / write non-volatile memory 102 of the removable security device 10. A file executed for reading only may be downloaded into the random access memory 102' and decrypted for reading, the file remaining in the remote storage in encrypted form. In order to prevent any retrieval of a file loaded in the random access memory 102', it is preferably erased from the random access memory 102'. The remote desktop agent 107 may purge the random access memory 102' after termination of file processing application 120 that closes and saves the executed file into the read / write non-volatile memory 102 of the removable security device 10 or into the remote server 30 or virtual drive.
The above discussed solution may solve the problem of having the documents being stored in a memory of the host device, as they will instead be stored on the removable security device only.

Watermarking of the displayable frames

Furthermore, the watermarking module 105 modifies displayable frames produced by the graphic processor 104 when a file is processed. The watermarking module 105 may insert additional data into at least some of the displayable frames.

The graphic processor 104 coupled to the central processor 100 generates displayable frames to be displayed as images on a screen of the host device 20 when a file processing application 120 executes a predetermined file. For example, according to a screen refresh rate standard, the graphic processor 104 generates 60 frames per second to display the content by the host device 20. The watermarking module 105 modifies the displayable frame so that an image capture made at any time will include the additional data. The displayable frames output to the graphic processor 104 may be watermarked by the watermarking module 105 that inserts additional data into the displayable frames before they are forwarded to the host device 20 via the communication link 110. The watermarking module can watermark each frame or a subset of the frames.

The watermark is preferably invisible to the human eye and inserted into the displayable frames. For example, a technology based on encoding video data blocks of the displayable frames with the additional data by applying a predetermined watermarking algorithm may be used. Only a computer based image analyzer will thus be able to localize, extract and read the watermark in an image captured from the host device. The image analyzer, knowing the watermarking algorithm used for encoding the video data blocks and being able to identify the encoded video data blocks, can determine the watermark representing the additional data. Depending on the type of watermarking algorithm, the watermark may be determined by comparing video data of the captured image with video data of a reference image without watermark.

The watermark of the displayable frame allows identifying an origin of a copy of content made, for example, by a screen capture on a host device 20. According to an embodiment, the unique identifier of the removable security device 10 may be used as additional data. The watermark of the content screen capture determined by the image analyzer thus allows knowing which removable security device has produced the content and additionally user data associated to the unique identifier of the removable security device 10.

Several embodiments may be implemented for providing additional data to be used by the watermarking module 105, namely:

a) The additional data includes a unique identifier of the removable security device 10. This identifier may be retrieved by the watermarking module 105 from a local read-only memory (or a non-volatile memory) and inserted into the displayable frames during a watermarking process.

b) The additional data including the unique identifier of the removable security device 10 may further include a unique identifier of the host device 20. The host device identifier may be received during the step of information exchange with the removable security device 10 at activation thereof and stored, for example, into the read / write non-volatile memory 102 by the identification module 106. The watermarking module 105 retrieves the host device identifier from the memory and, for example, concatenates the host device identifier with the identifier of the removable security device 10.

c) The additional data including the unique identifier of the removable security device 10 and/or the identifier of the host device 20 may also include temporal data representing a date and time of a current file processing and/or a session number. The date and time may be received from the host device 20 via the remote desktop agent 107 or provided by an internal clock of the removable security device 10. The session number may be retrieved from a session counter embedded, for example, in a memory associated with the identification module 106. The session counter increments, for example, each time a session is opened after a successful user authentication.

d) The additional data includes a result provided by a reversible mathematical function e.g. XOR, addition, multiplication by a predetermined parameter, or a reversible transformation by inversion, exponentiation, etc., applied on the additional data as in embodiment a), b) or c) or a combination thereof. This mathematical function may be known by a tracking server in order to retrieve the content of the additional data.

e) The additional data includes a code representing at least an identifier of the removable security device 10 from a remote database 40 of the network.

According to an embodiment, the user authentication with the removable security device 10 performed on the host device 20 activates a network connection of the host device 20 to the tracking server 30 managing a database 40. The network connection allows the host device 20 transmitting to the tracking server 30 data related to the removable security device 10 associated to the host device 20 as well as user data related to the user whose authentication with the removable security device 10 was successful. The tracking server 30 stores these received data into the database 40 in form of a record for a given session. A session is defined herein as an interactive data exchange between the removable security device 10, the host device 20 and the tracking server 30 after a successful user authentication. Each time a user is authenticated with the removable security device 10, a new session is opened and a new record is created in the database 40 by the tracking server 30. During the session, the host device 20 transmits user data retrieved from the identification module 106 via the network interface 109 of the removable security device 10 and the communication link 110. The user data may comprise, for example, a user name, passwords and other authentication data. This user data may be completed by at least the identifier of the removable security device 10, and by further data such as an identifier of the host device 20, temporal data, and a session number.

Data related to operation of the removable security device 10 may also be transmitted by the host device 20 to the tracking server 30 in order to be added into the record in the database 40. These data may comprise, for example, identifiers of the files having been processed by the removable security device 10, file processing temporal data, reference and/or version of the application used for processing the file, etc.

Data related to the hardware and software configuration of the removable security device 10 may also be added into the record, for example, a type reference or model identifier of the removable security device 10, references of configuration options, memory capacity, references of installed applications, operating system type and version, etc.

Cryptographic keys to be used by the encryption / decryption module for encrypting / decrypting files may also complete the record in addition to the user data. These keys may be generated by the user with an appropriate application on the host device 20.

The record may be completed by the code to be used as additional data for watermarking the displayable frames.

Code generated by the tracking server

According to an embodiment, the code may be generated by the tracking server 30 and added to the record of the database 40. The code may be a random number associated to the record or a digest obtained by applying a hash function or any other mathematical function on all or part of the recorded data. According to this embodiment, when a file is executed by an application of the removable security device 10 via the remote desktop agent 107, the watermarking module 105 sends a request to the tracking server 30 for acquiring the code from the database 40. The request may thus be forwarded by the watermarking module 105 via the network interface 109, the communication link 110, and the network resources of the host device 20 to the tracking server 30. The request may comprise at least the identifier of the removable security device 10 and an instruction allowing retrieving the code in the corresponding record in the database 40.

When a removable security device 10 is used by more than one user, the request may additionally contain the identifier of the user having been recorded by the tracking server 30 at authentication. The user's identifier may be retrieved by the watermarking module 105 from the identification module 106 and transmitted with the identifier of the removable security device 10 to the tracking server 30 which will return the corresponding code. In response to the request, the removable security device 10 thus receives the code from the tracking server 30 via the network resources of the host device 20, the communication link 110, and the network interface 109 of the removable security device 10. The code is then stored in a memory 102 of the removable security device 10 and made available to the watermarking module 105. For each session, the tracking server 30 generates a new code that is added to the record in the database 40, the watermarking module 105 sending a request to the tracking server 30 for receiving the code from the database record corresponding to the current session.

According to a further embodiment, the removable security device 10 may request the tracking server 30 to transmit the code and all remaining data contained in the database 40 related to a current session. The received data may be stored in a non-volatile memory 102 of the removable security device 10 in order to be used in an off-line mode without connection of the host device 20 with the tracking server 30 and the database 40. All or part of the displayable frame generated by the graphic processor 104 when a file is executed by an application will be watermarked with the code.

Code generated by the removable security device

According to a further embodiment, the code may be generated by the removable security device 10 instead of the tracking server 30 and stored in a non-volatile memory 102 of the removable security device 10 and in the database 40. In this case, the watermarking module 105 sends an instruction to the tracking server 30 to store the generated code into the record of the database 40 corresponding to the current session. The instruction comprises at least the identifier of the removable security device 10, which is used to find the record where to store the code. The identifier of the removable security device 10 may be transmitted by the host device 20 to the tracking server 30 and stored into the database record at beginning of the session.

The instruction may also comprise the user's identifier as additional parameter to the identifier of the removable security device 10. The watermarking module 105 obtains this user's identifier by interrogating the identification module 106 that has stored user credentials after successful authentication. The watermarking module 105 thus transmits the instruction to the tracking server 30 via the network interface 109, the communication link 110 and the network resources of the host device 20 to store the code previously generated in the record corresponding to the obtained user's identifier. In fact, the user's identifier was transmitted by the host device 20 to the tracking server 30 and stored into the database record at beginning of the session.

For each session, the removable security device 10 generates a new code that is sent, by the watermarking module 105, to the tracking server 30 for storing into the database record corresponding to the current session.

According to a further embodiment, the removable security device 10 may request the tracking server 30 to transmit all data contained in the database 40 related to the current session. The received data may be stored in a non-volatile memory 102 of the removable security device 10 in order to be used in an off-line mode without connection of the host device 20 with the tracking server 30 and the database 40. Once transmitted to the tracking server 30 for storing into the database 40, the code stored in the removable security device 10 may be directly used by the watermarking module 105 for watermarking the displayable frames.

Protection of the code

According to a further embodiment, the code transmitted by the tracking server 30 to the removable security device 10 or vice-versa may be encrypted with a key known by the tracking server 30 and the removable security device 10. This encryption may prevent misuse of the code, e.g. its interception and modification during transmission between the tracking server 30 and the removable security device 10 via the host device 20.

According to a further embodiment, in order to prevent modification of a captured code and using the modified captured code for watermarking, the transmitted code may be signed. A signature of the code may be computed, for example, by applying a unidirectional collision free hash algorithm (e.g. types MD5 or SHA) to obtain a digest. An encryption algorithm may then be applied to the digest by using a key known by the tracking server 30 and the removable security device 10 in order to generate the signature. The set formed by the code and the signature may then be transmitted. Before executing a file with the processing application 120 for example, a signature verification application of the removable security device 10 operating system verifies the signature of the code. In case of a mismatch between the digest as decrypted with the key and a digest recomputed with the code, the code is not accepted by the removable security device 10 and file processing is blocked by the signature verification application.
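The check described above can be sketched as follows; this is an added example, not code from the patent application. It derives the code as a digest over a session record, and it substitutes HMAC-SHA-256 for the hash-then-encrypt-the-digest signature, which serves the same shared-key purpose. The function names, the record fields and the 16-byte code length are assumptions.

```python
import hashlib
import hmac
import json


def make_session_code(record: dict) -> bytes:
    """Tracking server: code as a digest over the recorded session data.

    The record includes the session number, so each session yields a new code.
    The 16-byte truncation is an assumed payload size.
    """
    canonical = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(canonical).digest()[:16]


def sign_code(code: bytes, shared_key: bytes) -> bytes:
    """Sender: keyed digest over the code, using the key both sides know."""
    return hmac.new(shared_key, code, hashlib.sha256).digest()


def accept_code(code: bytes, signature: bytes, shared_key: bytes) -> bool:
    """Device: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign_code(code, shared_key), signature)


def start_file_processing(code: bytes, signature: bytes, shared_key: bytes) -> bytes:
    """Device: refuse to process a file when the received code does not verify."""
    if not accept_code(code, signature, shared_key):
        raise PermissionError("code rejected, file processing blocked")
    return code  # handed to the watermarking module
```
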

Analysis of the code

The code inserted as a watermark by the watermarking module 105 may be extracted by analyzing the displayed images. An image may be captured from the display either by a screen capture application of the host device 20 or by outputting the corresponding digital signal from the host device 20. The screen capture may also be performed with a camera and the captured image exported from the camera to an image analyzer. By knowing the used watermarking technology, the image analyzer may be able to extract the watermark from the image and to convert the extracted watermark into a code.

The code thus obtained may then be submitted to the database 40 for retrieving corresponding data comprising at least the identifier of the removable security device 10. Further data related to the user (e.g. user's identifier, temporal data, and other data received by the tracking server 30 from the host device 20) allow identifying origin of the displayable frame.

The tracking server 30, the server storing the files and the database 40 may form a single remote server entity dedicated to removable security devices management. According to a further embodiment, a type reference may be added to the additional data for defining whether the additional data in question are based on identifier(s) according to embodiments a), b), c) or d) or represent a code according to embodiment e) allowing retrieving the identifier from a database 40. For example, a leading bit 0 may indicate additional data based on effective identifier(s) while a leading bit 1 may indicate additional data represented by a code.
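The following added example, which is not part of the patent application, shows how additional data carrying the type reference could be built on the device and decoded on the tracking side. It combines embodiments b) and c) (concatenated identifiers and session number), masks them with XOR as the reversible function of embodiment d), and falls back to a database lookup for embodiment e). The field widths, the one-byte header and all names are assumptions.

```python
import struct

# Assumed layout: one header byte whose top bit is the type reference, then
# device id (8 bytes), host id (8 bytes), session number (4 bytes), big-endian.
TYPE_IDENTIFIERS = 0  # leading bit 0: effective identifiers, embodiments a) to d)
TYPE_CODE = 1         # leading bit 1: code resolved in the database, embodiment e)
FIELDS = struct.Struct(">QQI")


def xor_mask(data: bytes, param: bytes) -> bytes:
    """Reversible function of embodiment d): XOR with a predetermined parameter."""
    return bytes(b ^ param[i % len(param)] for i, b in enumerate(data))


def build_identifier_payload(device_id, host_id, session, param):
    """Device side: concatenate the identifiers, mask them, prefix the type bit."""
    body = xor_mask(FIELDS.pack(device_id, host_id, session), param)
    return bytes([TYPE_IDENTIFIERS << 7]) + body


def build_code_payload(code: bytes) -> bytes:
    """Device side: the payload carries only an opaque code."""
    return bytes([TYPE_CODE << 7]) + code


def parse_payload(payload: bytes, param: bytes, database: dict) -> dict:
    """Tracking side: dispatch on the leading bit of an extracted watermark."""
    if not payload:
        raise ValueError("empty watermark payload")
    kind, body = payload[0] >> 7, payload[1:]
    if kind == TYPE_IDENTIFIERS:
        if len(body) != FIELDS.size:
            raise ValueError("truncated identifier payload")
        device_id, host_id, session = FIELDS.unpack(xor_mask(body, param))
        return {"device_id": device_id, "host_id": host_id, "session": session}
    record = database.get(body)
    if record is None:
        raise LookupError("code not found in database")
    return record
```
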

Design example of the removable security device

The removable security device 10 may be designed as a dongle connectable to a large variety of host devices 20 by using a universal communication port. For example, the dongle may be provided with a USB or micro-USB connector which adapts to a corresponding socket of most portable computers or mobile devices. An appropriate operating system supporting file processing applications implemented in the dongle and an adequate communication protocol ensure compatibility of the dongle with the most commonly used host devices.