Title:
USB MEMORY ENCRYPTION DEVICE
Document Type and Number:
WIPO Patent Application WO/2012/087258
Kind Code:
A1
Abstract:
The invention is a USB memory encryption device (501) that encrypts the content of portable memories (USB flash memories (502) and USB external discs (505)), which are increasingly used in the IT sector, so that the content cannot be accessed if the memory is lost or stolen.

Inventors:
UNAL MEHMET ZEKI (TR)
GULER CENGIZ (TR)
Application Number:
PCT/TR2011/000278
Publication Date:
June 28, 2012
Filing Date:
December 22, 2011
Assignee:
TAMARA ELEKTRONIK MUHENDISLIK INSAAT MUSAVIRLIK SANAYI VE TICARET LTD SIRKETI (TR)
UNAL MEHMET ZEKI (TR)
GULER CENGIZ (TR)
International Classes:
G06F21/72; G06F21/79; G06F21/85; G06F21/88
Domestic Patent References:
WO2003094513A1 2003-11-13
Foreign References:
US20070033320A1 2007-02-08
EP1473617A2 2004-11-03
US20040003262A1 2004-01-01
Other References:
None
Attorney, Agent or Firm:
DESTEK PATENT, INC. (Blok No: 36 / 5 Besevler Nilufer, Bursa, TR)
Claims:
CLAIMS

1 - The invention is the USB memory encryption device (501) preventing access to the data stored in USB flash memories (502) and USB external discs (505) by encryption in the event of loss or theft, and it is characterized in that it comprises

- USB plug (101) directly connecting the device (501) to the host system (500),

- USB receptacle (115), by which the USB flash memory (502) or the USB external disc (505) is plugged into the device (501),

- USB peripheral unit (103) supporting computer connection through the USB plug (101),

- processor unit (106), which operates the software,

- RAM (107),

- program memory unit (108) in which the software is stored,

- AES encryption unit (110), which performs the encryption and decryption operations,

- USB host unit (112), which manages the USB discs,

- non-volatile memory unit (113), wherein the special information of the user comprising the encryption key and password of the user is stored in encrypted form,

- extra non-volatile memory unit (114) for storing the virtual disc content,

- voltage regulator (102) for providing supply from USB,

- system clock source (105) and a number of resistors, capacitors, and inductors.

2 - Device (501) according to claim 1 and it is characterized in that; it comprises light indicators (104) showing the state of the device (501).

3 - Device (501) according to any one of the above claims and it is characterized in that; it comprises upper cover (401) and lower cover (402) protecting the said mounted printed circuit board (117) from the top and the bottom.

4 - Device (501) according to any one of the above claims and it is characterized in that; it comprises front cover (403) protecting the said mounted printed circuit board (117) from the front side.

5 - Device (501) according to any one of the above claims and it is characterized in that; it comprises front cover (404) protecting the said electronic card from the rear side.

6 - Device (501) according to any one of the above claims and it is characterized in that; it comprises serial number generator (311) generating a serial number for distinguishing each product from the others.

7 - Device (501) according to any one of the above claims and it is characterized in that; it comprises hole (405), through which a keyring or similar item is placed.

8 - Device (501) according to any one of the above claims and it is characterized in that; said USB peripheral unit (103) is in the type of Net2272.

9 - Device (501) according to any one of the above claims and it is characterized in that; it comprises a microcontroller (116) comprising the said processor unit (106), RAM (107), program memory unit (108), AES encryption unit (110), and USB host unit (112) together.

10 - Device (501) according to claim 9 and it is characterized in that; said microcontroller (116) is an AT32UC3A3 type microcontroller (116) from the family of Atmel AVR32 UC.

11 - Device (501) according to any one of the above claims and it is characterized in that; said non-volatile memory storage unit (113) is I2C E2PROM from the series of 24.

12 - Device (501) according to any one of the above claims and it is characterized in that; said extra non-volatile memory unit (114) is data flash from the series of AT45xxx.

13 - Device (501) according to any one of the above claims and it is characterized in that; said voltage regulator (102) is regulator from the series of TPS763xx.

14 - Device (501) according to any one of the above claims and it is characterized in that; system clock source (105) is oscillator from the series of X053.

Description:
DESCRIPTION

USB MEMORY ENCRYPTION DEVICE

The Related Art

The invention relates to a device, which enables storing the information carried in USB flash memories and USB external discs securely.

The Prior Art

In the IT sector, use of portable memory is increasing day by day. If such a memory is lost or stolen, accessibility of its contents poses great risks. The most reasonable solution for this situation is using portable memories with encrypted content.

Various encryption methods are present. Nowadays, the most powerful method that is free to use is AES. AES is a method declared by American NIST to be convenient for storing top secret information. It has taken the place of its ancestor, DES in time. AES is quite secure to protect the data stored in portable memories.

Portable memories with encryption features are produced and offered to market in order to meet the demand of secure usage. Encryption features of portable memories found in the market are naturally limited with the memory capacity of the product. In other words, the security feature paid for is only limited to the capacity of that specific memory device.

In software based solutions, encryption operations and encryption key usage are performed in the general environment of the host system, and this environment is open to illegal access due to security vulnerabilities; therefore this method is not secure enough.

In hardware based solutions, the fee for the security feature is limited to the capacity of the specific disc. Cost per protected gigabyte is constant and high. In some products, when the product is properly opened for use and forgotten in opened form, the security feature of the disc is lost. Therefore, these types of hardware based solutions are also not secure enough.

In solutions specific to operating systems, since products having the same features for all operating systems cannot be offered to the market, use of a secure common disc is not possible among host systems with different operating systems.

There is no security product in the market for cases wherein the host system is not a computer. It is not commercially possible to produce security software for operating systems that are not open, used relatively less, or outdated. For example, data is gathered insecurely from various test and measurement devices with portable discs. Encryption of the data can be made after it has been transferred to a computer. There is still need for a secure and low cost solution for portable discs.

Proper encryption requires attention to matters such as protection of the encryption key, the encryption period, copying of encrypted and non-encrypted files without confusing them with each other, transfer of encrypted files to the disc, and removal of their residuals. The importance of the secured information can make these difficulties bearable. These difficulties would cause the user to make procedural errors, such as deciding that the content is not important enough to take this trouble and completely abandoning encryption, especially in urgent work. Therefore, significant security vulnerabilities may be caused.

As a result, the above said drawbacks and the inadequacy of the prior solutions about the subject have necessitated improvement in the related technical field.

Purpose of the Invention

The invention was developed with inspiration from the prior art and aims to solve the above said problems. The purpose of the invention is to provide a device which can be plugged between the USB port of the host system and the portable disc, encrypts the data passing through it towards the disc, and decrypts the data passing back towards the host system by using the encryption key determined by the user.

Another purpose of the invention is to provide a device wherein maximum security is ensured by maintaining the information stored in the discs in encrypted form at all times.

Another purpose of the invention is to provide a security solution for the risks arising from loss or theft of the various low cost USB flash memories and USB external discs on the market, by encrypting the data with the AES method.

Another purpose of the invention is to enable secure data transfer by means of its hardware encrypting capability even for host systems on which there is no software development possibility.

Another purpose of the invention is to provide a device which enables secure usage of several USB flash memories and USB external discs that do not have a security feature, thereby providing a cost per gigabyte that is gradually reduced.

Another purpose of the invention is to enable data transfer between various host systems other than computers that are not compatible with each other, in places such as test laboratories, by means of the USB memories encrypted by the invention.

The structural and characteristic features of the invention and all advantages will be understood better in detailed descriptions with the figures given below and with reference to the figures, and therefore, the assessment should be made taking into account the said figures and detailed explanations.

Figures for Better Understanding of the Invention

Figure 1: is the schematic view of the printed circuit board positioned within the device (501), which is the subject of the invention.

Figure 2: is the perspective view of the physical hardware units of the device (501), which is the subject of the invention.

Figure 3: is the schematic view of the software units of the device (501), which is the subject of the invention.

Figure 4a: is the exploded view of the device (501), which is the subject of the invention.

Figure 4b: is the mounted perspective view of the device (501), which is the subject of the invention.

Figure 4c: is the mounted internal structure view of the device (501), which is the subject of the invention.

Figure 5a: is the view showing the way of connection of the device (501), which is the subject of the invention, with the USB memory (502) and host system (500).

Figure 5b: is the view showing the way of connection of the device (501), which is the subject of the invention, to the host system (500) via the USB extension cord (504).

Figure 5c: is the view showing the way of connection of the device (501), which is the subject of the invention, to the USB external disc (505) via the USB extension cord (504).

Figure 5d: is the view showing the way of connection of the device (501), which is the subject of the invention, to the USB flash memory (502) via the USB extension cord (504).

Figure 5e: is the view showing the way of connection of the USB external disc (505) to the host system (500) and device (501) via the USB Y cable (506).

Below given are the descriptions of the terms for better understanding of the invention:

Memory: These are the structures that can store digital data.

Disc, Hard Disc, Hard Drive: It is a type of device in which a huge amount of data can be stored. Data is stored on optical, magnetic, or electronic materials.

Hot plug: It is the feature enabling plugging a peripheral unit into and out of the system while the host system is operating (without shutting the system down).

USB port: Connection point according to USB standards. The part forming and serving the port is called the USB Host, while the part receiving service is called the USB Device (Device).

Portable memory: These are the memory units that can be easily separated from the host system and carried. They have interface with hot plug feature such as USB flash memory and USB external discs.

Host system: in the scope of the description, the devices which have USB ports and USB memory and disc can be used with. These are generally computers. However, test and measurement devices wherein USB memory and disc can be used without the need of a computer are also accepted as host system.

Operating system: Whole software package which provides the hardware resources of the host system to the user within a certain order. For example: Windows, Linux, and MAC.

File system: It is the method of storing digital data in the form of file and folder on a memory unit. Basically, files are organized in the form of a database. Together with the files, a few tables such as index tables are also stored within the memory unit (formatting). Its purpose is to reach the files in a quicker manner, use the memory unit in the most efficient way, and minimize possible data losses. E.g.: FAT, NTFS, EXT4, JFSS

SCSI: Small Computer System Interface

It is one of the protocols that determine communication with certain devices that can be plugged into the computer. Portable USB discs also use this protocol.

Sector: Standard size data portion used by the file system. Its commonly used value is 512 bytes. Data transfer is made in portions of sector size.

MSD: Mass Storage Device

It is a communication protocol developed for devices having memory large enough to require a file system. It is not dependent on any file system. It is a low-level interface used for reading and writing the sectors found in the disc by carrying the SCSI commands.

FIPS: Federal Information Processing Standard

These are the standards formed by the USA federal government for non-military public institutions and contractors about information processing issues.

AES: Advanced Encryption Standard

It is an encryption method using a symmetric key. Key length can be 128, 192, or 256 bits. Its developers are Joan Daemen and Vincent Rijmen. The USA has adopted this method as a standard and declared it suitable for top secret information. It is published as U.S. FIPS PUB 197 by NIST (National Institute of Standards and Technology).

Description of the References

100. Printed circuit board

101. USB plug

102. Voltage regulator

103. USB peripheral unit

104. Light indicator

105. System clock source

106. Processor unit

107. Random Access memory (RAM)

108. Program memory

109. Serial no

110. AES encryption unit

112. USB host unit

113. Non-volatile memory unit (E2PROM)

114. Extra non-volatile memory unit

115. USB receptacle

116. Microcontroller

117. Mounted printed circuit board

300. RTOS (Real time operating system)

301. USB peripheral interface

302. AES encryption

303. USB host interface

304. MSD slave

305. SCSI LUN 0

306. SCSI master

307. MSD master

308. SCSI LUN 1

309. Virtual disc

310. User menu

311. Serial number generator

312. Extra flash memory interface

313. Light indicator control unit

314. Operation control unit

315. Non-volatile memory storage unit

350. External bus interface (USB peripheral (103) connection)

351. SPI interface (Extra non-volatile memory (114) connection)

GPIO interface (Light indicator (104) connection)

353. I2C interface (Non-volatile memory (113) connection)

USB interface (USB flash memory (502) and USB external disc (505) connection)

401. Upper cover

402. Lower cover

403. Front cover

404. Rear cover

405. Hole

500. Host system

501. Device

502. USB flash memory

504. USB extension cord

505. USB external disc

506. USB Y cable

507. USB disc connecting cable

Drawings do not have to be scaled and details not necessary for understanding the present invention may be neglected. Moreover, components which are at least widely equal or which have at least widely equal functions are shown with the same number.

Detailed Description of the Invention

In this detailed description, the preferred embodiments of the USB memory encryption device, which is the subject of the invention, will only be disclosed for better understanding of the subject, and will not form any limiting effect.

The invention is a device (501) which can be plugged in between the host system (500) USB port and the portable memories (502, 505); introduces itself to the host system (500) as a device (501) that communicates in the MSD-SCSI protocol; encrypts the data passing towards the portable memory (502, 505) by using the encryption key determined by the user; decrypts the information passing back towards the host system (500); performs all these operations only after the person using the host system enters the correct password; and stores the encryption keys and uses them conveniently, without exporting or showing the encryption keys by any means (Figure 5a, Figure 5b, Figure 5c, Figure 5d, Figure 5e).

Device (501) performs the encryption operation in hardware. By encrypting or decrypting the data passing through it on the fly, sector by sector, the device allows the user to use any file system in any desired operating system. In this way, the usage area of the product is extended.

The device is connected to the host system (500) and the USB flash memory (502) as follows: Via the USB plug (101), the device (501) is connected to the host system (500) USB port directly or by means of an extension cord (504) (Figure 5a, Figure 5b). While the host system (500) could be a computer, it can also be any device, such as a test device or measurement device, that can use a USB disc (502, 505). The USB flash memory (502) or USB external disc (505) is plugged into the USB receptacle (115) side of the device (501) directly or by means of an extension cord (504). One end of the USB extension cord (504) is in the form of a plug, while the other end has the form of a receptacle.

The device (501) shares the energy it draws from the host system (500) with the discs (502, 505) plugged into its back side. If the USB external disc (505) demands more energy than can be provided from one USB port of the host system (500), energy support is provided from a second USB port via the USB Y cable (506). Such a demand is generally present in some old USB external discs (505). New environment-friendly (Green) models are connected to the device (501) with their own cables (507) (Figure 5e).

If the host system (500) USB port is not placed at an easily accessible place, it can be extended to the tabletop via an extension cord (504). Device (501) can be plugged into an extension cord (504) at this point (Figure 5d).

Mounted printed circuit board (117) placed in the device (501) is positioned in the plastic box formed of the upper cover (401) and the lower cover (402) (Figure 4a, Figure 4b). When the device (501) is not used, front cover (403) and rear cover (404) can be attached to the device (501) for protection purposes. Also a hole (405) is placed on the device (501) to enable attachment to key ring etc. accessories (Figure 4b).

Mounted printed circuit board (117) is positioned between the upper cover (401) and the lower cover (402) (Figure 4b). When the ports placed on the completed device (501) are not used, they are covered with the front cover (403) and the rear cover (404). Plastic front cover (403) and rear cover (404) do not have an impact on operation of the device (501). The task of the front cover (403) and the rear cover (404) is to prevent entrance of foreign substances into the connectors.

All the hardware components and connections between them are shown in Figure 1 by arrows. Electronic materials are mounted on the printed circuit board (100) designed in accordance with the expected functionality of the device (501). Physical hardware components are shown in Figure 2.

Preferably, the microcontroller (116), of type AT32UC3A3 from the Atmel AVR32 UC family, is an integrated circuit comprising the processor unit (106), RAM (107), program memory unit (108), and AES encryption unit (110) with the USB host unit (112) (Figure 1). Instead of the microcontroller (116), a separate circuit that is formed of the said components (106, 107, 108, 110, 112) and that can perform the task of the microcontroller (116) can also be used. Or, the whole structure can be collected in a single microcontroller (116) with an improved microprocessor (116). Here, the task of the said program memory unit (108) is to store the software, and the AES encryption unit (110) performs the encryption and decryption operations. The task of the USB host unit (112) is to control the USB flash memory (502) and the USB external disc (505). This integrated circuit (116) is programmable.

The software contains the functional units (300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315) shown in Figure 3, which also shows the connections between them. The tasks of the said functional units are as follows: RTOS (300) is the infrastructure mechanism providing synchronous operation of the device functions. USB peripheral interface (301) performs the USB protocol operations between the device (501) and the host system (500) according to the USB flash memory (502) and USB device protocol. MSD slave (304) performs the tasks of the data communication mechanism with the host system (500). SCSI master (306) performs the host actions to support the portable memory (502, 505) according to the SCSI protocol. MSD master is the mechanism performing data transfer to the portable disc (502, 505) according to the MSD protocol. SCSI LUN 1 (308) provides the connection between the host system (500) and the virtual disc (505), performing the virtual disc tasks according to the FAT file system and the SCSI protocol. Serial number generator (311) generates an individual unique serial number specific to the device (500). Non-volatile memory storage unit (315) is the E2PROM type memory interface wherein the permanent data of the user and the operation are stored.

Device (501) is plugged into the host system (500) USB port via the USB receptacle connector (115). The USB peripheral unit (103), preferably of Net2272 type, and the USB peripheral interface (301), supporting computer connection via the USB plug (101), perform all the USB protocol work. Communication between them is performed through the external bus (350). Since the device (501) introduces itself in the plug-and-play inquiry as a device that acts according to the MSD-SCSI protocol, the host system (500) loads the driver accordingly. Incoming messages are processed by the MSD slave (304) according to the MSD protocol. There, incoming packets are forwarded to the relevant SCSI LUN (305, 308). SCSI LUN 0 (305) represents, in a controlled manner, the USB flash memory (502) or the USB external disc (505) plugged into the device (501). Together with the MSD master (307), the SCSI master (306) manages the discs (502, 505) plugged into the USB receptacle (115) of the device (501) over the USB host interface (303) (Figure 3).

Whether the plugged USB flash memory (502) or USB external disc (505) is visible to the host system (500) depends on whether the user has entered the password correctly. If the correct password is entered, SCSI LUN 0 (305) transmits the read and write requests of the host system (500) to the SCSI master (306). All read and written content passes through AES encryption (302) (Figure 3). Written content is encrypted as it is transferred. Read content is decrypted as it is transferred. In this way, secure communication is formed. SCSI LUN 1 (308) represents the second disc shown to the host system. Its read and write requests are forwarded to the virtual disc (309) unit. The extra flash memory interface (312), which is the virtual content unit, gathers data from the non-volatile memory unit (113) through the SPI interface (351). The user menu (310) is operated via Vendor Specific commands according to the SCSI protocol. Operations such as entering the password, changing the password, changing the encryption key, and choosing the encryption key are performed by means of the user menu (310).

User menu (310) can also be accessed through the USERMENU.TXT file found in the virtual disc (309). The device (501) stores password and encryption key etc. information of the user in the non-volatile memory storage unit (315). This kind of information can be changed from the user menu (310). Non-volatile memory storage unit (315) uses integrated non-volatile memory unit (E2PROM) (113) through the I2C interface (353). Main act of the device (501) is performed in the operation control unit (314).

The light indicator control unit (313) displays the status of the device (510) with the light indicators (104). The serial number (109) provided by the serial number generator (311) supports the features ensuring that each device (501) is different from each other such as storage encryption key, disc serial number, device serial number etc. RTOS (300) provides internal communication and proper operation of software components found in the processor (106), the task of which is to operate the software.

Operational functioning of the device is as follows: When the host system (500) queries the device (501) plugged into it, the device (501) indicates that it can communicate in accordance with the SCSI - MSD protocols and that it is a device comprising two discs, of which the first disc is not plugged in. The first disc is the USB port, in other words the USB receptacle (115) found on the device (501); the USB flash memory (502) or the USB external disc (505) plugged into this port is displayed to the host system (500) in a controlled manner. If the USB receptacle (115) is occupied and the user has authenticated himself with the password, the USB flash memory (502) or the USB external disc (505) is presented to the host system (500) as decrypted. In all other cases, the USB port (115) is shown to be empty (as unplugged). The second disc is the virtual disc (309) found within the device (501). It comprises an icon file (for easy distinction from other discs found in the host system (500)), an Autorun.inf file (a file comprising autorun commands), a user interface program for commonly used operating systems, and a USERMENU.TXT file (a user interface operating only with file system sources).

The user enters his/her password into the user menu (310) placed on the device (501) via the software provided. The user menu (310) checks the password of the user against the password recorded in the non-volatile memory unit (E2PROM) (113). It accepts or rejects the password according to one-to-one correspondence. If the password is entered incorrectly three times in succession, the device writes the factory settings over the recorded user password and encryption key, becoming like a newly purchased device. The purpose of this is to prevent the device (501) from being used by a person who does not know the password recorded in the device (501). When the device (501) resets itself to factory settings as a result of three wrong password entries, it destroys the stored information, and then the device can be used again as desired. If the user password matches, it loads the AES encryption unit (302) with the encryption key found in the non-volatile memory unit (E2PROM) (114). If a USB flash memory (502) or USB external disc (505) is plugged into the USB receptacle (115) of the device (501), from this moment on it is presented to the host system (500) (Figure 5a). All information requested by the host system (500) from the plugged USB flash memory (502) or USB external disc (505) is sent after being decrypted with the encryption key. All information that the host system (500) writes to the plugged USB flash memory (502) or USB external disc (505) is sent after being encrypted with the encryption key.

Received and sent data are handled in portions of a certain size, called sectors. Each portion (sector) is encrypted or decrypted by the device (501) according to its direction. This feature allows the disc to be formatted according to any file system. The user sends the deactivation command to the user menu (310) via the software provided. The operation control unit (314) then stops the AES encryption unit (302). If a USB flash memory (502) or USB external disc (505) is plugged into the SCSI LUN 0 (305), it is then shown as unplugged.
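A minimal C model of the unlock logic described above, added here as an illustration and not the device's firmware: LUN 0 reports media only when a disc is plugged and the password has been accepted, the third successive wrong entry restores factory settings, and deactivation clears the AES key register. The record layout, factory defaults, persisted failure counter and constant-time comparison are assumptions of this model; the sector-by-sector AES path is left out.

```c
#include <stdint.h>
#include <string.h>

#define PW_LEN    16  /* assumed fixed-size password field */
#define KEY_LEN   32  /* AES-256; the description allows 128, 192 or 256 bits */
#define MAX_FAILS 3   /* description: reset after three successive wrong entries */

/* Hypothetical record in the non-volatile memory unit (113). Kept in the
 * clear in this model; the claims say the real record is stored encrypted. */
struct nv_record {
    uint8_t password[PW_LEN];
    uint8_t key[KEY_LEN];
    uint8_t fails;  /* assumption: persisted, so a power cycle cannot clear it */
};
struct bridge {
    struct nv_record nv;       /* simulated E2PROM */
    uint8_t aes_key[KEY_LEN];  /* key register of the AES unit, lost on power-off */
    int unlocked;
    int media_plugged;         /* a disc sits in the USB receptacle (115) */
};
enum pw_result { PW_OK, PW_WRONG, PW_WIPED };

static const struct nv_record FACTORY = { "0000", {0}, 0 };  /* constructed defaults */

static void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;   /* volatile keeps the compiler from eliding it */
    while (n--) *v++ = 0;
}

/* Compare without an early exit so timing does not leak the matching prefix. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Start from a clean device and set the user's password and key (user menu). */
int bridge_init(struct bridge *b, const char *pw, const uint8_t *key) {
    size_t n = strlen(pw);
    if (n == 0 || n > PW_LEN) return -1;
    memset(b, 0, sizeof *b);
    memcpy(b->nv.password, pw, n);
    memcpy(b->nv.key, key, KEY_LEN);
    return 0;
}

/* User-menu deactivation: stop the AES unit and hide the disc again. */
void bridge_deactivate(struct bridge *b) {
    wipe(b->aes_key, KEY_LEN);
    b->unlocked = 0;
}

enum pw_result bridge_enter_password(struct bridge *b, const char *pw) {
    uint8_t cand[PW_LEN] = {0};
    size_t n = strlen(pw);
    int ok = 0;
    b->nv.fails++;             /* record the attempt before checking it */
    if (n <= PW_LEN) {         /* oversize input can never match */
        memcpy(cand, pw, n);
        ok = ct_equal(cand, b->nv.password, PW_LEN);
        wipe(cand, sizeof cand);
    }
    if (ok) {
        b->nv.fails = 0;
        memcpy(b->aes_key, b->nv.key, KEY_LEN);  /* load the AES unit */
        b->unlocked = 1;
        return PW_OK;
    }
    if (b->nv.fails < MAX_FAILS) return PW_WRONG;
    bridge_deactivate(b);      /* third miss: back to factory settings */
    b->nv = FACTORY;
    return PW_WIPED;
}

/* What SCSI LUN 0 reports to the host: media only when plugged AND unlocked. */
int lun0_media_present(const struct bridge *b) {
    return b->media_plugged && b->unlocked;
}

int main(void) {
    uint8_t key[KEY_LEN];
    struct bridge b;
    memset(key, 0xA5, sizeof key);           /* constructed sample key */
    bridge_init(&b, "s3cret-pass", key);
    for (int i = 0; i < 2; i++) bridge_enter_password(&b, "guess");
    return bridge_enter_password(&b, "guess") == PW_WIPED ? 0 : 1;
}
```

Because the counter is incremented in the non-volatile record before the comparison, unplugging the model device between guesses does not grant extra attempts.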

In the preferred embodiment, said USB peripheral unit (103) is Net2272 type, said microcontroller (116) is AT32UC3A3 type of the Atmel AVR32 UC family, said non-volatile memory storage unit (113) is a 24 series I2C E2PROM, said extra non-volatile memory unit (114) is AT45xxx series data flash, the voltage regulator (102) providing energy supply from USB is a TPS763xx series regulator, and the system clock source (105) is an XO53 series oscillator.

Some institutions detach and disable USB ports because they cannot ensure security. In such cases, the device (501) of the present invention can also be placed within the host system (500). Mounting into the host system (500) is performed in this way: First of all, the host system (501) cover is opened. Afterwards, the USB cable coming from the main board is detached. The cable is attached to the USB plug (101) end of the device (501). The USB receptacle (115) of the device (501) is connected to the USB port found on the case. The host system (500) cover is closed. In this way, the device (501) is placed between the host system (500) mainboard and the USB port. The USB ports of host systems (500) modified in this way provide input and output only for encrypted memories.