

Title:
SYSTEM AND METHOD FOR SECURE STORAGE OF DATA
Document Type and Number:
WIPO Patent Application WO/2018/172914
Kind Code:
A1
Abstract:
System for secure storage of data (DAT1), comprising a number N≥4 of devices (100) for secure data storage, connected in a network, wherein an asymmetric cryptography decryption key (AD-K) generated by a device (100) is not present in the mass memory of the said device and is stored subdivided into M decryption key parts (AD-K1, AD-K2, AD-KM), with 2

Inventors:
CORRADI DAVIDE (IT)
MOLINARI GIULIO (IT)
Application Number:
PCT/IB2018/051828
Publication Date:
September 27, 2018
Filing Date:
March 19, 2018
Assignee:
CORRADI DAVIDE (IT)
International Classes:
H04L9/08
Foreign References:
US9049011B1 2015-06-02
US7194628B1 2007-03-20
US20120254619A1 2012-10-04
Attorney, Agent or Firm:
RAIMONDI, Margherita (IT)
Claims:
CLAIMS

1. System for secure storage of data (DATA1), comprising a number N≥4 of devices (100) for secure storage of data, connected in a network, each device comprising:

- a processor (105);

- at least one mass storage memory (110);

- a volatile RAM storage memory (120);

- an interface (130) for connection to the network;

- an operating system;

- a storage chip (170), associated with the operating system and adapted to store a key for encryption by the operating system of at least a part of the mass memory (110);

- a generator (140) for generating a pair of asymmetric cryptography keys, for encryption and decryption (AD-K), respectively;

- a generator (150) for generating symmetric cryptography keys;

- an asymmetric cryptography encryption key generated by the asymmetric cryptography key generator and saved in the mass memory (110);

- a module for symmetric encryption and preferably decryption of data (DATA1) to be stored, by means of a symmetric cryptography key generated by the symmetric cryptography key generator;

- a module (142) for asymmetric encryption and preferably decryption of each symmetric cryptography key used by the device for encrypting data to be stored, by means of the asymmetric cryptography encryption key saved in the mass memory (110);

wherein the asymmetric cryptography decryption key (AD-K) generated by a device (100) is not present in the mass memory of the said device and is stored subdivided into M decryption key parts (AD-K1, AD-K2, AD-KM), with 2<M<N, each stored on at least one of the N-1 secure storage devices of the system (S), different from the device (100) which generated the asymmetric cryptography decryption key (AD-K),

and wherein reconstruction data (S-MAP) for allowing reconstruction of the asymmetric cryptography decryption key (AD-K) by the device (100) which generated it, from said M decryption key parts, is stored in at least one file saved in a part of the mass memory of the said device (100) encrypted by the operating system by means of said encryption key stored in the storage chip (170).

2. System according to Claim 1, characterized in that each storage device comprises a module (160) for subdividing and sending an asymmetric cryptography decryption key, which comprises:

- a submodule for subdividing the asymmetric cryptography decryption key into M decryption key parts;

- a submodule for generating corresponding M markers (mk1, mk2, ..., mkM), each to be associated with a respective part of the subdivided decryption key;

- a submodule for sending each decryption key part and the associated marker to a designated device (100) of the storage system (S), different from the device (100) which generated the decryption key;

- a submodule for generating and saving the reconstruction data (S-MAP).

3. System according to Claim 1 or 2, characterized in that the reconstruction data of the asymmetric cryptography decryption key comprises at least one file (S-MAP) which contains for each part (AD-K1, AD-K2, AD-KM) of the decryption key (AD-K):

- a respective marker (mk1, mk2, ..., mkM);

- identification data of the respective device (100) of the system (S), different from the device (100) which generated the decryption key (AD-K), designated as receiver and storer of the part (AD-K1, AD-K2, ..., AD-KM) of the decryption key (AD-K).

4. System according to Claim 3, characterized in that each part (AD-K1, AD-K2, ..., AD-KM) of the decryption key (AD-K) is stored in the respective designated device (100) in a respective data packet having a size greater than the size of the key part (AD-K1, AD-K2, ..., AD-KM) and in that the reconstruction data (S-MAP) contains information about the position in which each key part is located in the respective data packet.

5. System according to any one of the preceding claims, characterized in that each storage device (100) comprises a module (180) for locking the device (100) configured to generate an instruction (3) for locking the device (100), able to switch the operating mode thereof from an initial configuration mode into a mode for secure storage of data.

6. System according to the preceding claim, wherein the locking module (180) comprises a physical drive external to the respective storage device (100) and connected to the said device, the removal of which causes generation of the locking instruction.

7. System according to Claim 5 or 6, characterized in that the locking instruction activates the generator (140) of a pair of asymmetric cryptography keys, and the asymmetric cryptography key generator (150).

8. System according to one of Claims 5-7, wherein the encryption key stored in the storage chip (170) is generated by the locking module (18) and saved in the storage chip (170) after it has been associated with the operating system.

9. System according to one of Claims 1-8, characterized in that it comprises an expansion device (1000) connected to all the storage devices (100) and designed to allow the addition and/or the removal of storage devices (100), the expansion device (1000) comprising a catalogue of all the devices (100) of the system (S), which are identified by means of a respective number.

10. System according to one of the preceding claims, wherein each storage device (100) is configured to recover the M parts of the decryption key generated by it and to reconstruct the said asymmetric cryptography decryption key on the basis of the respective reconstruction data saved in the mass memory of the said device.

11. System according to the preceding claim, wherein a storage device (100) is configured to recycle the reconstructed asymmetric cryptography decryption key, encrypting it by means of a further asymmetric cryptography encryption key, the respective further asymmetric cryptography decryption key of which is not present in the mass memory of the said device and is stored subdivided into M parts of the further decryption key, with 2<M<N, each stored in at least one of the N-1 secure storage devices of the system (S), different from the device (100) which generated the asymmetric cryptography decryption key (AD-K).

12. Method for secure storage of data (DATA1) by means of a secure data storage system according to one of the preceding claims, comprising the following steps:

- reception by one of the storage devices (100) of data (DATA1) to be stored;

- generation of at least one symmetric cryptography encryption key by means of the symmetric cryptography key generator (150) of the storage device (100);

- symmetric cryptography encryption of the data to be stored (DATA1) by the symmetric cryptography encryption module of the device (100), by means of the symmetric cryptography key generated;

- asymmetric cryptography encryption of the symmetric cryptography key generated, by the asymmetric cryptography encryption module of the device (100), by means of the asymmetric encryption key of the device;

- storing of the encrypted data to be stored and of the respective encrypted symmetric cryptography key in the mass memory of the storage device (100).

13. Method according to the preceding claim, comprising the following steps preceding the reception of data (DATA1) to be stored by a storage device (100):

- generation, by the storage device (100), of a pair of asymmetric cryptography keys, for encryption and decryption (AD-K), respectively;

- subdivision of the asymmetric cryptography decryption key generated into a respective number M, with 2<M<N, of parts (AD-k1, .., AD-Km) of the asymmetric cryptography decryption key (AD-K);

- association of a marker (mk1, mk2, mkM) with each part (AD-k1, .., AD-Km) of the asymmetric key (AD-K);

- sending of each decryption key part (AD-k1, .., AD-Km) and the associated marker to a designated device (100) of the storage system (S), different from the device (100) which generated the decryption key;

- generation of the reconstruction data (S-MAP) for allowing the reconstruction of the asymmetric cryptography decryption key (AD-K) by the device (100) which generated it;

- saving of said reconstruction data in a part of the mass memory of the said device (100),

- encryption by the operating system of said mass memory part by means of an encryption key;

- storage of the encryption key of the said mass memory part in the storage chip (170);

- removal of the asymmetric decryption key from the device which generated it.

14. Method according to Claim 13, characterized in that the generation of the reconstruction data of the asymmetric cryptography decryption key comprises the generation of at least one file (S-MAP) which contains for each part (AD-K1, AD-K2, AD-KM) of the key (AD-K) sent:

- the respective marker (mk1, mk2, ..., mkM);

- identification data of the respective device (100) of the system (S), different from the device (100) which generated the decryption key (AD-K), designated as receiver and storer of the part (AD-K1, AD-K2, ..., AD-KM) of the key sent.

15. Method according to Claim 13 or 14, characterized in that the sending of each part (AD-K1, AD-K2, ..., AD-KM) of the decryption key (AD-K) comprises the insertion of the key part in a respective data packet having a size greater than the size of the key part (AD-K1, AD-K2, ..., AD-KM) and in that the reconstruction data (S-MAP) comprises information about the position in which each key part is located in the respective data packet sent.

16. Method according to any one of Claims 12-15, comprising a step for recovery of the M parts of the decryption key, stored in respective designated storage devices of the system, by the storage device (100) which generated it, and a step for reconstruction of the said asymmetric cryptography decryption key from the M decryption key parts (AD-k1, .., AD-km) recovered, on the basis of the respective reconstruction data (S-MAP) saved in the encrypted mass memory of the said device.

17. Method according to Claim 16, characterized in that it comprises a step of recycling the reconstructed asymmetric decryption key performed by at least one storage device (100) at pseudo random time intervals, wherein said asymmetric key recycling step comprises the steps of:

- generation, by the storage device (100), of a further pair of asymmetric cryptography keys, for encryption and decryption, respectively;

- encryption of the reconstructed asymmetric cryptography decryption key (AD-K) by means of the further asymmetric cryptography encryption key generated;

- subdivision of the further asymmetric cryptography decryption key generated into a respective number M, with 2<M<N, of parts of the further asymmetric cryptography decryption key;

- association of a marker with each part of the further asymmetric key;

- sending of each further decryption key part and the associated marker to a designated device (100) of the storage system (S), different from the device (100) which generated the further decryption key;

- generation of reconstruction data for allowing the reconstruction of the further asymmetric cryptography decryption key by the device (100) which generated it;

- saving of said reconstruction data in a part of the mass memory of the said device (100),

- encryption by the operating system of said mass memory part by means of the encryption key stored in the storage chip (170);

- removal of the further asymmetric decryption key from the device which generated it.

18. Process for providing a system according to any one of Claims 1-11, comprising the following steps:

-) providing N>3 storage devices (100), each device comprising:

• a processor (105);

• at least one mass storage memory (110);

• a volatile RAM storage memory (120);

• an interface (130) for connection to the network;

• an operating system;

• a storage chip (170), able to store a key for encryption by the operating system of at least a part of the mass memory (110);

-) connection of the N storage devices (100) in a network;

-) installation, in each device, of the following:

• a generator (140) of a pair of asymmetric cryptography keys, for encryption and decryption (AD-K), respectively;

• a generator (150) of symmetric cryptography keys;

• a module for symmetric encryption of data (DATA1) to be stored, by means of a symmetric cryptography key generated by the symmetric cryptography key generator;

• a module (142) for asymmetric encryption of each symmetric cryptography key used by the encryption device, by means of an asymmetric cryptography encryption key saved in the mass memory (110);

-) generation, by the asymmetric cryptography key generator of the storage device (100), of a pair of asymmetric cryptography keys, for encryption and decryption, respectively;

-) saving of the asymmetric encryption key in the mass memory (110) of the storage device;

-) storage of the asymmetric cryptography decryption key (AD-K) subdivided into a number M, with 2<M<N, of parts (AD-k1, .., AD-Km) of the asymmetric cryptography decryption key (AD-K), each decryption key part being stored in a designated storage device (100) of the system (S), different from the device (100) which generated the decryption key;

-) generation of reconstruction data (S-MAP) able to allow the reconstruction of the asymmetric cryptography decryption key (AD-K) by the device (100) which generated it, on the basis of said M decryption key parts;

-) saving of said reconstruction data in a part of the mass memory of the said device (100),

-) symmetric cryptography encryption by the operating system of said mass memory part by means of an encryption key;

-) association of the storage chip (170) with the operating system of the storage device (100) so that only it may have access thereto for reading;

-) storage of the symmetric cryptography encryption key of the said mass memory part in the storage chip (170);

-) removal of the asymmetric decryption key from the device which generated it.

19. Process according to the preceding claim, wherein the step of storage of the asymmetric decryption key subdivided into M parts comprises:

-) subdivision of the asymmetric cryptography decryption key generated into a respective number M, with 2<M<N, of parts (AD-k1, .., AD-Km) of the asymmetric cryptography decryption key (AD-K);

-) association of a marker (mk1, mk2, mkM) with each part (AD-k1, .., AD-Km) of the asymmetric key (AD-K);

-) sending of each decryption key part and the associated marker to a designated device (100) of the storage system (S), different from the device (100) which generated the decryption key.

20. Process according to Claim 18 or 19 comprising, for each device (100), the following further steps:

-) creation of data for initial configuration of each storage device (100);

-) generation, for each device (100) of the system (S), of an instruction (3) for locking the device (100), able to switch the operating mode thereof from an initial configuration mode to a secure data storage mode;

said steps being carried out for each storage device before the step for generating the respective pair of asymmetric cryptography keys;

and the following steps carried out following the said generation step:

-) generation, by the symmetric cryptography key generator (150), of at least one symmetric cryptography encryption/decryption key (SK);

-) encryption, by the symmetric cryptography encryption module (152), of the initial configuration data (INITIAL DATA) by means of the at least one symmetric cryptography key (SK) generated, obtaining respective encrypted initial configuration data (C-ID);

-) saving of the encrypted initial configuration data in the mass memory (110) of the device (100);

-) encryption, by the asymmetric cryptography encryption module (142), of the at least one symmetric cryptography key (SK) used to encrypt the initial configuration data, by means of the asymmetric encryption key generated;

-) saving of the at least one encrypted symmetric cryptography key (C-SK) in the mass memory (110) of the device;

-) erasing of the initial configuration data (INITIAL DATA) and the at least one non-encrypted symmetric encryption key from the memory of the device.

21. Process according to the preceding claim, wherein the initial configuration data comprises data for verification of the access credentials of at least one user authorized to consult the stored data in the secure storage system.

22. Process according to the preceding claim, wherein the locking instruction is generated by a locking module (180) of each device, which also generates the encryption key which is used by the operating system and saved in the storage chip (170) after it has been associated with the operating system.

Description:
SYSTEM AND METHOD FOR SECURE STORAGE OF DATA

DESCRIPTION

The present invention relates to a system and a method for storing encrypted and non-modifiable data.

It is known in the technical sector relating to the management and storage of data by means of electronic processors that there is a need to adopt systems for limiting and recording access to the data stored in the said processor, in order to prevent random and/or illegal use thereof.

In particular, these storage systems must have the characteristics of being complete and non-modifiable and allow verification of their integrity.

It is also known that security systems for example based on the assignment of authentication credentials (e.g. username and password) among several authorized individuals, for example representing a legal body, have been developed; these credentials, however, are not suitable for the predefined objects since the authorized individuals themselves and/or the legal body concerned may have an interest in concealing an illegal act and the security of the data is thus not ensured.

Likewise a negative aspect is that any third parties (for example software companies, consultants or installation engineers) who are required to implement a system designed for this purpose may be aware of the procedures and the credentials for access thereto and may make illegal use of the stored data; the economic relationship between client and supplier could, in fact, give rise to agreements which conflict with the aim of ensuring safe storage of the data.

US 9049011 B1 describes a distributed security system comprising a plurality of computers that enables the secure storage and distribution of private keys provided by a publisher who is external to the security system to users who are also external to the security system. The private keys generated by the publisher outside the security system are encrypted using a single public encryption key, common to the whole security system. To protect against malicious activity, the security system private key necessary for decrypting the publication private keys is not stored in its entirety in any of the computers, but portions or parts of the security system private decryption key are stored in a respective computer, such that each key portion can be used by the respective computer to obtain a partial decryption of a private publication key. Using these partial decryptions obtained from a plurality of said computers it is possible to decrypt a private publication key stored in the security system.

The security system described in US 9049011 is therefore able to store and distribute outside of the said system private keys generated outside of the security system, using a decryption key common to the entire security system; in the system of US 9049011 each computer which stores a part of a decryption key is able to perform a partial decryption of these private keys. By breaching the security of a single computer it is therefore possible to access part of the private publication key.

EP 2 341 657 describes a method for creation and secure storage of encrypted digital data which comprises the following steps:

-) creation of a public encryption key and a private encryption key;

-) writing of the private key on a physical storage device in such a way that it cannot be erased, read, modified or duplicated;

-) creation of an encrypted folder for containing dedicated decryption programs;

-) sending of an encryption program which retrieves the files from the database, generates an encrypted copy assuming the public key as encryption key and the private key as decryption key;

-) conservation of the physical medium for storage of the private key by an authorized body.

This method, although fulfilling its function, nevertheless has the drawback that the private decryption key is stored on a physical medium available to a body, and therefore to physical persons, who may record it or in any case use it in an inappropriate manner.

The technical problem which is posed therefore is that of providing a system and a method for storing data which ensures that the same cannot be effectively modified, in a voluntary or involuntary manner, by any person authorized or not authorized to have access to said data.

In connection with this problem it is also required that this method should be such that the original data is stored and made available exclusively to authorized persons, for example so that any checks may be carried out by the judicial authorities.

In connection with this problem it is also required that the storage should be performed in an automatic or automatable and secure manner without depending on human intervention or the reliability of a person and that it should also be able to be installed in an easy and low-cost manner at any user location using standard means for access to data processing systems.

These results are obtained according to the present invention by a system for secure storage of data according to the characteristic features of Claim 1 and by a method for secure storage of data according to the characteristic features of Claim 12.

A process for providing such a storage system is described in Claim 18.

Further details may be obtained from the following description of a non-limiting example of embodiment of the subject of the present invention, provided with reference to the accompanying drawings, in which:

Figure 1: shows a schematic view of an example of implementation of the storage system according to the invention;

Figure 2: shows a schematic view of a number of component modules of a storage device of a system according to Figure 1;

Figure 3: shows a block diagram illustrating an example of the step for configuration and locking of the device according to Figure 2;

Figure 4: shows a block diagram illustrating an example of the step for encrypted storage of data to be stored in the device according to Figure 2;

Figure 5: shows a block diagram illustrating an example of the step for decryption and retrieval of data stored in the device according to Figure 2; and

Figure 6: shows a schematic view of an example of implementation of the storage system with the expansion device of the system.

Figure 1 shows an example of a storage system S according to the invention comprising a number N=6 of storage devices 100 interconnected in a network of devices.

The number N of devices is preferably greater than or equal to 4.

With reference to Figure 2, a number of functional modules included in each device 100 of the system S are now described.

Each device 100 shown by way of example is an electronic processor such as a personal computer or a server with a motherboard on which a processor is installed.

"Key" is understood as meaning a string or a random number, of suitable complexity.

"Symmetric cryptography" is understood as meaning encryption with an algorithm by means of a key, such that decryption is possible with the same key, while "asymmetric cryptography" is understood as meaning encryption with an algorithm by means of an encryption key, such that decryption is possible only with a decryption key different from the encryption key.

The device 100 shown by way of example comprises the following elements which, depending on their nature, may be implemented by physical devices or virtual devices such as programs or processes managed by the device.

Elements generally of a hardware nature:

- a processor 105, preferably provided with an auxiliary mathematical coprocessor for performing mathematical functions;

- a mass storage memory 110;

- a volatile RAM storage memory 120;

- an interface 130 for connection to a network, associated with corresponding modules for managing the connections;

- a chip 170 which stores a key (consisting of a string or a complex or random number) for encryption by the operating system (of at least a part) of the mass memory, so that the stored key is not accessible or reconstructable unless one is in possession of the chip 170 which stores it; the chip 170 may for example be a TPM (Trusted Platform Module) chip installed on the motherboard;

Elements generally of a software nature:

- an operating system;

- a generator 140 of a pair of random asymmetric cryptography keys, for encryption and decryption, respectively;

- a module 142 for asymmetric encryption with an asymmetric cryptography encryption key generated by the asymmetric cryptography key generator 140;

- a generator 150 of random symmetric cryptography keys;

- a module 152 for encryption with a symmetric cryptography key generated by the symmetric cryptography key generator;

- a module 160 for subdividing and sending an asymmetric cryptography decryption key generated by the generator 140;

The module 160 comprises preferably:

- a submodule for subdividing the asymmetric cryptography decryption key into M parts AD-K1, AD-K2, ..., AD-KM of a decryption key AD-K with 2<M<N;

- a module for generating corresponding M markers mk1, mk2, mkM, to be associated with a respective decryption key part;

- a module for sending each decryption key part and the respective marker to a designated device 100 of the storage system S, different from the device 100 which generated the decryption key;

- a module for generating and saving data for reconstruction of the decryption key, for example consisting of a map file S-MAP which contains for each sent key part AD-K1, AD-K2, AD-KM:

·· the respective marker mk1, mk2, mkM;

·· identification data of the respective device 100-1, 100-2, ..., 100-N of the system (S), different from the device 100 which generated the decryption key AD-K, designated as receiver and storer of the part AD-K1, AD-K2, ..., AD-KM;

·· preferably, the position in which the key part is located in the respective data packet sent to the respective designated device.

According to preferred embodiments, each device 100 also comprises:

- a module 180 for locking the device 100;

- a module 190 for managing the access to the data stored in the device 100.

With reference to Figure 3 an example of the steps for initial configuration of each device 100 of the secure storage system S is described.

-) once the device 100 has been installed in the assigned location and connected to an electrical power supply and in the network together with the other devices, a series of initial configuration instructions 1 are sent to the device 100 for the initial configuration 2 thereof;

-) the initial configuration 2 on the basis of the configuration instructions 1 determines the creation of initial configuration data INITIAL DATA which will comprise for example data for verifying the authentication credentials of a predefined number of users U1; U2; ...; UN authorized to access the stored data, and other initial configuration settings of the system. In the example shown in Figure 1, the authorized users U1, U2 consist of an employee of the police force U2 and an authorized administrator U1; the authentication credentials may consist for example of a password associated with a smart card assigned to the user U1; U2 and containing the unique and non-duplicatable authentication credentials and/or a further authentication factor based on biometric data, for example the fingerprint, on the basis of which, when the smart card is inserted, a mathematical algorithm generates a unique code which constitutes data for verification of the authentication credentials, in this way avoiding the need to store the sensitive biometric data;

-) once the initial configuration 2 has been completed, by means of the device-locking module 180 an instruction 3 for locking the device is sent so as to switch the operating mode thereof from the initial configuration to the secure data storage condition. Preferably the module 180 consists of a physical external drive connected to the device 100, the removal of which results in sending of the locking instruction;

-) the locking instruction 3 activates 4:

-) the asymmetric cryptography key generator 140 which generates an asymmetric cryptography encryption key AC-K saved in the mass memory 110 and an asymmetric cryptography decryption key AD-K which is stored instead in the RAM volatile memory;

-) the symmetric cryptography key generator 150 which generates one or more symmetric cryptography encryption/decryption keys SK of a number necessary/suitable for encrypting the initial configuration data INITIAL DATA using a symmetric key cryptography algorithm;

-) the symmetric cryptography encryption module 152 encrypts 5a the initial configuration data INITIAL DATA by means of the respective symmetric cryptography keys SK generated, obtaining respective encrypted initial configuration data C-ID which is stored 5b in the storage memory 110 of the device 100;

-) the asymmetric cryptography encryption module 142 encrypts 6a the symmetric cryptography keys SK used to encrypt the initial configuration data, with the asymmetric encryption key AC-K generated by the generator 140, obtaining respective encrypted keys C-SK which are stored 6b in the storage memory 110 of the device, preferably in a known relative position;

-) At this point 7, the unencrypted initial data INITIAL DATA and the respective unencrypted encryption keys SK are erased from the memory of the device.

The initial configuration also comprises steps for subdividing and sending the asymmetric cryptography decryption key AD-K generated to other devices 100 of the system; in particular:

-) the subdivision module 160 subdivides 8a the asymmetric cryptography decryption key AD-K into a number M, with 2<M<N, of parts (AD-K1, AD-K2, ..., AD-KM) of an asymmetric cryptography decryption key AD-K;

-) each part AD-K1, AD-K2, ..., AD-KM of a generated key is inserted in a respective data packet, preferably the data packet has a size greater than the key part which is inserted in a random position inside it;

-) a marker mk1, mk2, ..., mkM generated by the respective marker generation module, and preferably consisting of a random string, is associated 8b with each part AD-K1, AD-K2, ..., AD-KM of the key AD-K;

-) a map-file for sending the parts AD-K1, AD-K2, ..., AD-KM of the key AD-K is generated 8c, said map-file comprising, for each part AD-K1, AD-K2, ..., AD-KM of the sent key:

- the respective marker mk1, mk2, mkM;

- identification data of the respective device 100-1, 100-2, ..., 100-N of the system S, different from the device 100 which generated the decryption key AD-K, designated as receiver and storer of the part AD-K1, AD-K2, ..., AD-KM;

- preferably, the position in which the key part is located in the respective data packet sent to the respective designated device 100;

-) the data packets comprising the key parts AD-K1, ..., AD-KM and the respective associated markers mk1, .., mkM are sent 8d, by means of the network interface 130 connected to the network of devices 100 of the storage system S, in accordance with the map S-MAP, to the respective designated devices 100-1, 100-N for receiving and storing them; preferably this send operation is performed by encrypting the data packets and the respective markers with an asymmetric encryption algorithm, for example of the so-called "handshake" type, established between the device 100 and each designated receiving device 100-1, 100-N, so as to improve the security of sending on the network of the asymmetric key parts AD-K; and

-) the asymmetric cryptography decryption key AD-K and the respective parts and markers are erased 8e from the volatile memory of the device 100 which generated them;

-) the map file S-MAP for sending the parts AD-K1 ,AD-K2,AD-KM and the respective markers mk1 ,mk2,mkM is saved 9a in the mass memory 110 and the operating system encrypts the entire mass memory (disk) of the device 100, by means of one or more encryption keys generated by the locking module 180. In particular, the operating system performs at least the encryption 9b of the memory part where the S-MAP file is saved, which is therefore stored C-S-MAP in the encrypted part of the mass storage memory 110 of the device 100 which generated it;

-) the TPM chip which is designed to save the encryption key generated by the locking device 180, which the operating system uses as encryption key for the encryption of the data input into/output from the mass memory (disk) of the device 100 and which is sent 9c to the TPM chip 170 by the operating system for storage.

The TPM chip, during this stage, is initialized, namely associated with the operating system which claims possession thereof so that only the latter is able to access it for reading;

-) the unencrypted S-MAP map is then erased 9c from the volatile memory of the device 100 which generated it;

-) the device is now ready to receive, encrypt and store in a secure manner useful data DATA1 to be stored.

With reference to Fig. 4, a method for secure storage of data DATA1 to be stored in unencrypted and non-modifiable form, by means of a device 100 forming part of system S configured as described above, comprises the following steps:

-) the data DATA1 to be stored, in the example shown in Figure 1 consisting of a stream of data generated externally to the system S, such as video data from the security TV camera T, reach 10 the device 100 for example via a respective network interface connected to the TV camera T;

-) the device 100 stores 10b the data DATA1 in the volatile memory for the time needed to:

-) generate 10c a respective symmetric cryptography encryption key SK-DATA1,

-) encrypt 11 the data DATA1 to be stored by means of a symmetric cryptography algorithm using the symmetric key SK-DATA1 generated, obtaining corresponding encrypted data ENCRYPT.DATA1 to be stored, and

-) save 11b the encrypted data ENCRYPT.DATA1 to be stored in the mass memory 110 of the device 100;

-) once the encrypted data ENCRYPT.DATA1 has been saved, the unencrypted data DATA1 is erased 11c from the volatile memory 120;

-) at the same time, the symmetric key SK-DATA1 which encrypted the data DATA1 to be stored is encrypted 12a by means of an asymmetric cryptography algorithm using the asymmetric encryption key AC-K generated by the asymmetric key generator 140 and saved in the mass memory 110 of the device 100;

-) the encrypted key C-SK-DATA1 thus obtained is then saved 12b in the memory 110 of the device 100 in a known relative position with respect to the position of the respective data ENCRYPT.DATA1 encrypted with the key SK-DATA1, for example in the same folder of the file system;

-) once encrypted C-SK-DATA1 and saved 12b, the unencrypted symmetric cryptography encryption key SK-DATA1 is erased 13 from the RAM volatile memory 120 of the device 100.

It is therefore clear how the data DATA1 to be stored is now stored in the device 100 encrypted with a symmetric cryptography key which is in turn stored encrypted with an asymmetric cryptography encryption key, the corresponding asymmetric decryption key of which is not available inside the device 100 which stores the stored data.

This means that a person attempting to illegally access the data DAT1 stored in the device 100 must have at his/her disposal the symmetric encryption key which encrypted the data and, in order to extract it, must reconstruct the asymmetric cryptography decryption key generated by the device itself. This involves the need to have physical access to the device 100 which stores the files in order to be able to access the motherboard and breach the TPM chip which contains encrypted at least the data S-MAP for sending the asymmetric key AD-K and preferably all the stored data; this breaching of the TPM chip is necessary in order to recover the encrypted data, the respective symmetric encryption encrypted keys and the maps for sending the asymmetric decryption key parts.

In addition, in order to be able to reconstruct the asymmetric decryption key, it is also necessary to breach at the same time physically all the other M devices which store the parts of the asymmetric cryptography decryption key generated by the device 100 which stores the stored data, something which may be regarded as being impossible if there are four units and even more so if the system S comprises tens or hundreds or more devices 100 which are spread over the territory and are only available to end users who have every interest in protecting the device acquired by them from thefts and/or illegal access.

With reference to Figure 5, an example of consultation of the stored encrypted data ENCRYPT.DATA1 by a user U2 having the correct authentication credentials for access thereto is now described.

-) the user U1 sends a request 14 for access to the device 100 together with the corresponding authentication credentials 14a which are processed so as to provide the data for verification of the authentication credentials;

-) the device 100 extracts the map S-MAP for reconstruction of the parts of the asymmetric decryption key AD-K stored in the mass memory encrypted by means of the string or the random number (key) stored by the TPM chip 170;

-) the device 100 then forwards to each device 100-1, ..., 100-N of the system S indicated in the S-MAP as designated storer of a part of the asymmetric decryption key AD-K a request 15 for recovery of the previously distributed parts of the decryption key AD-K; the request is made for example by providing proof of one's identity, at each designated device, by means of the respective marker associated with the key part stored in the device;

-) the devices of the system S, which are aware of the device 100 which sent each part of the decryption key AD-K1, AD-K2, ..., AD-Km stored by them (for example by means of a unique string identifying the requestor and initially used by the remote device 100), search in the data stored by them for the data packet comprising the respective part AD-K1, AD-K2, ..., AD-Km of the key AD-K associated with the marker mk1, mk2, ..., mkm sent by the device 100 and send 15a the packet to the device 100 which made the request 15; this send operation is also preferably performed by means of an encrypted communication protocol, for example using the handshake technique.

-) once all the available parts AD-K1, AD-K2, ..., AD-Km of the decryption key have been received, the device 100 reconstructs 16 the asymmetric cryptography decryption key AD-K, reconstructing the fragments AD-K1, AD-K2, ..., AD-Km on the basis of the reconstruction data of the map S-MAP; according to a preferred example, this is performed by extracting from each data packet received the respective key part in accordance with the indication given in the map S-MAP and reconstructing these parts in the correct order shown in the map S-MAP.

-) the decryption key AD-K thus reconstructed is then saved in the volatile memory 120 of the device and used 17 to decrypt, by means of the asymmetric cryptography decryption algorithm, the symmetric encryption keys C-SK used to encrypt that initial data INITIAL DATA used for verifying the authentication data.

The asymmetric decryption may be performed by the same asymmetric encryption module 142 or by another module configured for this purpose;

-) the decrypted symmetric encryption keys SK are temporarily stored unencrypted in the volatile memory 120 of the device 100;

-) the device 100 then uses the symmetric encryption keys SK which have just been extracted, in order to decrypt 18 that initial configuration data for verification of the authentication credentials of the user wishing to access the files stored by the device 100.

The symmetric decryption may be performed by the same symmetric encryption module or by a different module configured for this purpose;

-) The initial configuration data ID extracted, suitable for verifying the credentials, is stored unencrypted in the volatile memory 120 at least for the time needed to verify 19 the authentication credentials entered 14a by the user U1 who requested access, by means of comparison 19 with the data for verification of the authentication credentials of the initial configuration data ID;

-) if the outcome of verification of the authentication credentials entered 14a is negative 19a, access to the encrypted stored data ENCRYPT.DATA1 is denied and the illegal access attempt is recorded in a log for recording the (attempted) access events, which will also be securely stored using the methods described above for the data to be stored DATA1;

-) if, on the other hand, the outcome of verification of the authentication credentials 14a is positive 19c, the device 100 authorizes the user U1 for access, for example allowing viewing of a list of files and folders stored and encrypted by the device;

-) the authorized user U1 may then select the stored data DATA1 of interest and the device 100 extracts the data DATA1 requested for consultation by the user U1;

-) using the asymmetric cryptography decryption key AD-K stored in the volatile memory 120, the device 100 decrypts 20 the encrypted keys C-SK-DATA1 used to encrypt by means of symmetrical cryptography the data requested DAT1 and stored in the mass memory 110;

-) once the aforementioned keys SK-DATA1 have been decrypted 20a, the device 100 executes 21a the algorithm for symmetric decryption of the requested data ENCRYPT.DATA1 stored in the mass memory 110 and, using the symmetric keys SK-DATA1 which have just been extracted, extracts 21b the stored data DATA1 requested by the user U1 authorized for access;

-) the extracted data DATA1 is stored, preferably 21c in the volatile memory, but in practice if necessary in the mass memory, for the time required for consultation 22 and any copying onto an external medium by the authorized user U1;

-) modification of the data DATA1 is not in any case possible;

-) access by the authorized user and the data consulted are recorded in the log for recording the access events.

It is therefore clear how with the secure storage system and method according to the present invention it is possible to store data to be protected by encrypting it with control over the possibility of access for unencrypted reading or duplication thereof only by authorized persons, while preventing in all cases deletion or misuse of the original. Any illegal access attempts are recorded. Once locked following the initial configuration, a device 100 of the system may no longer be tampered with (e.g. reconfigured), not even by the original designer.

Any persons engaged to install and configure a device 100 of the system S and subsequently take care of the maintenance thereof will in fact not be able, following locking of the configurations, to modify the configurations in order to perpetrate malicious acts such as allowing access to the stored data also by unauthorized persons. The keys for symmetrical encryption of the data to be stored, which are generated by each device, and all the reserved data stored in said device, are inaccessible except by means of simultaneous breaching - together with physical destruction - of all the system devices which store parts of the asymmetric cryptography decryption key generated by the device 100, something which per se is only possible in theory.
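The subdivision and sending steps 8a-8d and the reconstruction step 16 described above can be sketched as follows. This is an added illustration, not code from the patent: the function names, the packet size, the marker length, the `order` and `length` map fields and the in-memory dictionary standing in for the network of devices are all assumptions.

```python
import secrets

PACKET_SIZE = 1024   # assumed fixed packet size, larger than any key part
MARKER_BYTES = 16    # assumed length of the random marker string

def choose_holders(owner, devices, m):
    """Pick M receiving devices, all different from the owner, with 2 < M < N."""
    n = len(devices)
    if n < 4 or not 2 < m < n:
        raise ValueError("requires N >= 4 and 2 < M < N")
    others = [d for d in devices if d != owner]
    return secrets.SystemRandom().sample(others, m)

def subdivide(key, m):
    """Step 8a: cut the key into m contiguous parts (last part takes the remainder)."""
    size = len(key) // m
    if size == 0 or len(key) - size * (m - 1) >= PACKET_SIZE:
        raise ValueError("key length does not fit m parts of one packet each")
    cuts = [i * size for i in range(m)] + [len(key)]
    return [key[cuts[i]:cuts[i + 1]] for i in range(m)]

def distribute(key, holders):
    """Steps 8b-8d: build the S-MAP and one padded packet per designated holder."""
    s_map, stores = [], {}
    for order, (part, holder) in enumerate(zip(subdivide(key, len(holders)), holders)):
        marker = secrets.token_hex(MARKER_BYTES)
        offset = secrets.randbelow(PACKET_SIZE - len(part) + 1)
        packet = bytearray(secrets.token_bytes(PACKET_SIZE))  # random filler
        packet[offset:offset + len(part)] = part              # part at a random offset
        s_map.append({"order": order, "marker": marker, "holder": holder,
                      "offset": offset, "length": len(part)})
        stores[holder] = {marker: bytes(packet)}              # what the holder keeps
    return s_map, stores

def reconstruct(s_map, stores):
    """Step 16: fetch each packet by marker, extract the part, join in map order."""
    key = bytearray()
    for entry in sorted(s_map, key=lambda e: e["order"]):
        packet = stores.get(entry["holder"], {}).get(entry["marker"])
        if packet is None:
            raise LookupError(f"part {entry['order']} unavailable from {entry['holder']}")
        key += packet[entry["offset"]:entry["offset"] + entry["length"]]
    return bytes(key)

if __name__ == "__main__":
    devices = ["100", "100-1", "100-2", "100-3"]   # constructed system with N = 4
    ad_k = secrets.token_bytes(96)                 # constructed stand-in for AD-K
    s_map, stores = distribute(ad_k, choose_holders("100", devices, 3))
    print(reconstruct(s_map, stores) == ad_k)
```

In this sketch every part is required: if one designated device is unreachable, `reconstruct` raises instead of returning a partial key. Each packet also carries its slice of the key unencrypted among the filler, so the confidentiality of a part in transit rests on the encrypted send that the text prefers.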

EXPANSION OF THE SYSTEM

According to a preferred aspect of the invention the system S comprises an expansion device 1000 connected to all the devices 100 and able to allow expansion of the system with the addition of further devices 100.

A catalogue of all the devices 100 of the system S, which are for example identified by means of a serial number of the devices 100 and a series of data relating to the installation date and/or the operating state of the device, is stored in the expansion device 1000.

Should it be required to add a new device 100 to the system S, this will be facilitated by the device 1000.

The catalogue in the device 1000 will be updated with the data of the new device 100 which, in the manner described above, will generate an asymmetric cryptography decryption key which will be subdivided into a suitable number of parts of a decryption key depending on how many other devices 100 are present in the system S.

This information is recovered from the catalogue in the expansion device 1000.

Preferably, information relating to the last devices 100 which contacted the device 1000 is also present in the expansion device.

Once the decryption key parts are ready to be distributed, the new device 100 will contact the other devices 100 and will send them the respective key parts in a secure manner, as illustrated above.

This preferred embodiment allows expansion or any dynamic contraction of the system S even after the devices 100 have been locked following initial installation.

ADDITION OF AUTHORIZED USERS

The device 1000 may also store a list of authorized users with corresponding data for verification of the access credentials, to which the devices 100 may have access in order to update their own list of authorized users.

The expansion may be performed in two different ways: succession mode or subordinate generation mode. Both modes are made available to a user once the user has undergone complete initial authentication by means of verification of the credentials with the device 100.

According to the first mode, the user will be given the possibility of generating a new user with new credentials which allow the new user to have access equivalent to that of the user performing the operation.

Once this process has been completed, the original user will lose all powers to access the system and these powers will be acquired by the new user generated, whose access and credential verification data will replace the preceding data stored in the device 100.

According to the second mode, the main user may generate additional subordinate users.

Access to the system may occur when the conditions programmed during configuration exist, for example with authentication of a subordinate user being subject to an authentication process whereby access by the subordinate user is permitted only if the combined condition of joint access by two separate users is satisfied, the second user being the main user or optionally also another user.

RECYCLING OF THE KEYS

In order to ensure a further degree of security of the stored data, a further preferred embodiment is envisaged whereby each device 100 performs, at pseudo-random time intervals and in any case a time interval of not more than 365 days, recycling of its asymmetric cryptography decryption key. This recycling operation is performed by means of storage of the single parts of the old key by the selected devices 110 and reconstruction of the old key. The key thus reconstructed will be encrypted by means of a new asymmetric cryptography encryption key, generated by the same device 100, the corresponding decryption key thereof being subdivided again into parts which are redistributed using the same techniques described above.

When this operation is performed in a dynamically expandable system owing to the presence of the device 1000 provided with a catalogue of the devices 100, recycling of the asymmetric decryption key of each device 100 may benefit from the further protection ensured by an increased number of devices 100 among which the new asymmetric decryption key is subdivided.

Although described in connection with a number of embodiments and a number of preferred examples of implementation of the invention, it is understood that the scope of protection of the present patent is determined solely by the claims below.