Dumas et al.

US006199163B1
(10) Patent No.: US 6,199,163 B1
(45) Date of Patent: Mar. 6, 2001

(54) HARD DISK PASSWORD LOCK

(75) Inventors: Patrick A. Dumas, Barrington; Mark Pulver, Elmhurst, both of IL (US)

(73) Assignee: NEC Corporation, Tokyo (JP)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 08/621,672
(22) Filed: Mar. 26, 1996
(51) Int. Cl.: H04K 1/00
(52) U.S. Cl.: 713/183; 713/184
(58) Field of Search: 380/44, 94, 713/183, 713/184

Primary Examiner: Salvatore Cangialosi
(74) Attorney, Agent, or Firm: Katten Muchin Zavis

(57) ABSTRACT

The invention provides an encryption circuit for encrypting and decrypting data as it travels to and from a hard disk. The encryption circuit can be turned on or off under control of the BIOS program and a user supplied password. With the present invention, a removed hard disk cannot be read without the user supplied password and a similar encryption circuit.

8 Claims, 5 Drawing Sheets

[Front-page drawing: block diagram; recoverable labels: PROCESSOR, CONTROL, ENCRYPTION CIRCUIT.]

IPR2018-00067
Unified EX1029 Page 1

U.S. Patent    Mar. 6, 2001    Sheet 1 of 5    US 6,199,163 B1

[Sheet 1 of 5: block diagrams; recoverable labels: HARD DISK, CONTROLLER, PROCESSOR.]

[Sheet 2 of 5, Fig. 3: flow chart. Recoverable box text: PROMPT USER FOR POWER-ON PASSWORD; PASSWORD CORRECT?; IS HARD DISK ENCRYPTED? (FIGURE 4); DOES USER WANT TO ENCRYPT DISK?; PROMPT USER FOR HARD DISK PASSWORD (FIGURE 5); ENCRYPT DISK (FIGURE 6); ENABLE ENCRYPTION CIRCUIT; DISABLE ENCRYPTION CIRCUIT; CONTINUE WITH OS BOOT AS NORMAL.]

[Sheet 3 of 5, flow charts including Fig. 5. Recoverable box text: READ HARD DISK PASSWORD FROM END OF BOOT BLOCK; DISK IS NOT ENCRYPTED; DISK IS ENCRYPTED; READ HARD DISK PASSWORD FIELD FROM END OF BOOT DISK; PROMPT USER FOR HARD DISK PASSWORD; ENCRYPT ENTRY WITH HARD DISK PASSWORD; PASSWORD MATCHES HARD DISK PASSWORD?; ACCESS GRANTED, OK TO BOOT.]

[Sheet 4 of 5, Fig. 6 and Fig. 7: flow charts. Fig. 6 box text: PROMPT USER FOR HARD DISK PASSWORD; SEEK TO END OF 2ND FILE ALLOCATION TABLE; DISABLE ENCRYPTION CIRCUIT; READ NEXT BLOCK; ENABLE ENCRYPTION CIRCUIT; WRITE BLOCK; ENCRYPTION COMPLETE. Fig. 7 box text: PROMPT USER FOR HARD DISK PASSWORD; SEEK TO END OF 2ND FILE ALLOCATION TABLE; ENABLE ENCRYPTION CIRCUIT; DISABLE ENCRYPTION CIRCUIT; WRITE BLOCK; DECRYPTION COMPLETE.]

[Sheet 5 of 5: drawing text not recoverable.]

HARD DISK PASSWORD LOCK

FIELD OF THE INVENTION

The invention relates to computer security devices. Specifically, this invention relates to a method of encrypting data on a removable hard disk.

BACKGROUND OF THE INVENTION

Early computer systems were protected by physical security. These computers were kept in locked rooms and often had around the clock security or were used around the clock because of their extreme cost. The first challenge to computer security came with remote terminals. The terminals were often distributed throughout a building or campus, and did not receive the same security as the computer.

To meet this challenge, computer operating systems were equipped with user accounts. Each user account was protected by a password. A user at a remote terminal could not access the computer without his assigned password. In these early systems, the password control formed part of the operating system. The computer itself had to remain secure or the user account and password security was useless.

With the advent of personal computers, operating system or application software security systems became unreliable. An unauthorized user could simply turn off the computer and restart it using software from an external source, such as a floppy disk. In response to this new threat to security, personal computers were equipped with BIOS (Basic Input Output System) based software passwords. A BIOS based password program runs before control of the computer is given to any disk based software. This prevents an unauthorized user from accessing data by starting the computer from a floppy disk or using other means to change the disk based software.

While the BIOS based security software is better than disk based security software, it still does not protect data removed from the computer. An unauthorized user can remove a hard disk or other mass storage device from a protected computer and read the data using another computer. Many computers now come with easily removable hard disks. This is particularly common in servers and portable computers. Removable hard disks make it easier than ever to bypass a computer's security by moving data to another computer.

SUMMARY OF THE INVENTION

The invention provides an encryption circuit for encrypting and decrypting data as it travels to and from a hard disk or other mass storage device. The encryption circuit can be turned on or off under control of the BIOS program and a user supplied password. With the present invention, a removed hard disk cannot be read without the user supplied password and a similar encryption circuit.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments demonstrating the various objectives and features of the invention will now be described in conjunction with the following drawings:

FIG. 1 is a block diagram of a typical prior art computer system.
FIG. 2 is a block diagram of a computer system including the present invention.
FIG. 3 is a flow chart showing control of the encryption circuit.
FIG. 4 is a flow chart showing the test for an encrypted hard disk.
FIG. 5 is a flow chart showing the test for the user supplied password.
FIG. 6 is a flow chart showing the method for encrypting an unencrypted disk.
FIG. 7 is a flow chart showing the method for unencrypting an encrypted disk.
FIG. 8 is a block diagram of the encryption circuit.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS OF THE INVENTION

Referring to FIG. 1, a computer system according to the prior art, consists of a processor 10, requesting data through a bus 12. Requests for data from a hard disk 14 are sent by the processor 10 over the bus 12 to a disk controller 16. The disk controller 16 retrieves the data from the hard disk 14 and returns the data over the bus 12 to the processor 10.

FIG. 2 shows a block diagram of a computer system incorporating the present invention. A processor 20, requests data through a bus 22. Requests for data from a hard disk 24 are sent by the processor 20 over the bus 22 to a disk controller 26. The disk controller 26 retrieves the data from the hard disk 24 and returns the data over the bus 22 to the processor 20. The present invention adds an encryption circuit 28. Data must pass through encryption circuit 28 to travel from hard disk 24 to processor 20, or from processor 20 to hard disk 24. In the preferred embodiment of the invention, an encryption circuit 28, is implemented in an application specific integrated circuit (ASIC). An ASIC can encrypt or decrypt a word of data in a single clock cycle. This allows the encryption process to work within the normal data transfer time and hence be transparent to the rest of the computer system. Data is encrypted as it passes through encryption circuit 28, as it goes from processor 20 to hard disk 24. Data is decrypted as it passes through encryption circuit 28 as it goes from hard disk 24 to processor 20. The encryption algorithm is a function of a provided password.

Since the encryption algorithm is a function of the user's password, many users can have identical encryption circuit and not be able to read each other's data without the encrypting password. At the same time, encrypted data can easily be moved to another machine with the same encryption circuit and the same password. As long as the user protects his password, the data is secure even though the encryption algorithm may be well known.

The password is stored in two locations. It is stored in a write only register on the encryption ASIC. The password register is non-volatile memory, and is lost each time the computer is turned off. The password is also stored at the end of the boot block on the hard disk. Since the data on the hard disk survives power loss, the password is encrypted by itself. Hence, an intruder who is able to access the password cannot read the password unless he already has the password. The encryption circuit simply replicates the encryption algorithm in hardware to execute it quickly.

It is possible, if desired by the user, to store the password both on the drive and in the computer system. As long as the two passwords match the hard disk can be used without having to input a password. If the hard disk is removed from the computer system and placed in another computer system, the password must be entered in the new computer system before a user can access the data on the hard disk.

Therefore, encryption circuit 28 can be identical in multiple computers. An encrypted hard disk can only be read on another computer if the computer operator has the password used to encrypt the disk.

As with the BIOS based system password, the software that controls the encryption circuit 28 must run as part of the BIOS before control of the computer is given any disk based software.

Referring to FIG. 3, the drive security program begins with a power-on password such as exists in many prior art systems. The system prompts the user for a password 32 and then tests to see if the user supplied password matches a password stored on the hard disk. If the passwords do not match, the user again receives a prompt for the user password 32. This loop will continue until the correct password is supplied. The BIOS will not start the computer without the correct password. If the user supplied password matches the password stored on the hard disk, then the software tests to determine if the hard drive is encrypted 36. Step 36 is described in more detail in FIG. 4. If the hard disk 24 is encrypted, the software prompts the user for hard disk password 38. Step 38 is shown in more detail in FIG. 5.

If the hard drive is not encrypted, the software asks if the user wants to encrypt the hard drive 40. If the user responds yes, the drive is encrypted 42. Step 42 is shown in greater detail in FIG. 6. Then, the encryption circuit 28 is enabled 44. If the user responds “no” to the question in step 40, the encryption circuit 28 is disabled 46. Then, the normal BIOS boot up procedure continues 48.

FIG. 4 expands on step 36 in FIG. 3. The system determines if the drive is encrypted by reading the hard disk password 50 and comparing it with null 52. If the password is null, the drive is not encrypted 54. If the password is not null, the drive is encrypted 56.

FIG. 5 expands on step 38 in FIG. 3. The hard disk password verification routine begins by reading the encrypted hard disk password 60. The system prompts the user for the hard disk password 62, loads the user provided password into the encryption circuit 28, and then encrypts the user's entry using itself 64. The system compares the two passwords 66. If there is a match the boot process continues 68. If not, the system again prompts the user for the hard disk password 62.

FIG. 6 expands on step 42 in FIG. 3. The hard disk encryption routine begins by prompting the user for a new hard disk password 70. Then, the drive seeks the end of the second file allocation table (FAT) 72. The file allocation tables are not encrypted. The following loop is repeated: the encryption circuit is disabled 74; a block is read from the hard disk 76; the encryption circuit is enabled 78; the same block is written back to the hard disk 80. After each repetition, the system tests for the end of the hard disk 82. If it is not the end of the hard disk, the process 74-80 is repeated. The encryption is complete 84 after encryption of the last block on the drive.

FIG. 7 describes the opposite function, the decryption of an encrypted disk. The hard disk decryption routine begins by prompting the user for the current hard disk password 90. Then, the drive seeks the end of the second file allocation table (FAT) 92. The following loop is repeated: the encryption circuit is enabled 94; a block is read from the hard disk 96; the encryption circuit is disabled 98; the same block is written back to the hard disk 100. After each repetition the system tests for the end of the hard disk 102. If it is not the end of the hard disk, the process 94-80 is repeated. The encryption is complete 104 after encryption of the last block on the drive.

Referring to FIG. 8, the encryption circuit 28 includes a password storage register 110. Password storage register 110 is both write only and volatile. The register cannot be read and loses its contents when power is lost. The encryption circuit 28 also includes a memory for storing one unencrypted sector 112. The password and unencrypted sector are combined in exclusive or (XOR) logic 114 and output to a memory for storing one encrypted sector 116.

The password can be combined with the data to be encrypted in many different ways depending on how much complexity is desired. The simplest method is to combine the first byte of the password with the first byte of the data with an XOR. Then, combine the second byte of the data with the second byte of the password with the XOR. When the last byte of the password is used, the first byte is used again to XOR with the data. This is continued to the end of the sector. A new sector always begins at the beginning of the password.
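
The simplest method described above, together with the FIG. 6 / FIG. 7 block loop and the FIG. 5 self-encryption step, as an added C example; it is not code from the patent. It also checks two consequences of this XOR method: a password XORed with itself is all zero bytes (indistinguishable from the null field tested in FIG. 4 if null means zero bytes), and equal plaintext sectors give equal ciphertext. Assumptions: the 512-byte sector size, the in-memory disk image, the first_data_sector parameter, every function name and the sample passwords.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE 512 /* assumed; the patent does not state a sector size */

/* XOR logic 114: data byte i is XORed with password byte i mod pw_len, so the
 * password wraps and restarts at byte 0 for each sector. in == out is fine. */
void xor_sector(const uint8_t *pw, size_t pw_len,
                const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = pw_len ? (uint8_t)(in[i] ^ pw[i % pw_len]) : in[i];
}

/* FIG. 6 / FIG. 7 loop over an in-memory disk image (assumption): sectors
 * below first_data_sector (boot block and FATs) are left unencrypted. */
void xor_disk(uint8_t *disk, size_t n_sectors, size_t first_data_sector,
              const uint8_t *pw, size_t pw_len)
{
    for (size_t s = first_data_sector; s < n_sectors; s++)
        xor_sector(pw, pw_len, disk + s * SECTOR_SIZE,
                   disk + s * SECTOR_SIZE, SECTOR_SIZE);
}

/* 1 if a constructed 4-sector disk survives encrypt then decrypt, with
 * sector 0 never modified and sector 1 changed while encrypted. */
int round_trip_ok(const uint8_t *pw, size_t pw_len)
{
    static uint8_t disk[4 * SECTOR_SIZE], orig[4 * SECTOR_SIZE];
    for (size_t i = 0; i < sizeof disk; i++)
        disk[i] = (uint8_t)(i * 31u + 7u); /* constructed sample data */
    memcpy(orig, disk, sizeof disk);
    xor_disk(disk, 4, 1, pw, pw_len);              /* encrypt */
    if (memcmp(disk, orig, SECTOR_SIZE) != 0 ||
        memcmp(disk + SECTOR_SIZE, orig + SECTOR_SIZE, SECTOR_SIZE) == 0)
        return 0;
    xor_disk(disk, 4, 1, pw, pw_len);              /* decrypt */
    return memcmp(disk, orig, sizeof disk) == 0;
}

/* FIG. 5 step 64 under this XOR method: the entry encrypted "using itself".
 * Returns how many bytes of the result are nonzero. */
size_t self_encrypted_nonzero_bytes(const uint8_t *pw, size_t pw_len)
{
    uint8_t field[SECTOR_SIZE];
    size_t nonzero = 0;
    if (pw_len > sizeof field) pw_len = sizeof field;
    xor_sector(pw, pw_len, pw, field, pw_len);
    for (size_t i = 0; i < pw_len; i++) nonzero += (field[i] != 0);
    return nonzero;
}

/* 1 if two identical plaintext sectors encrypt to identical ciphertext,
 * a consequence of every sector starting at password byte 0. */
int equal_sectors_stay_equal(const uint8_t *pw, size_t pw_len)
{
    static uint8_t disk[2 * SECTOR_SIZE];
    memset(disk, 0x41, sizeof disk); /* constructed: two equal sectors */
    xor_disk(disk, 2, 0, pw, pw_len);
    return memcmp(disk, disk + SECTOR_SIZE, SECTOR_SIZE) == 0;
}

int main(void)
{
    const uint8_t pw[] = "nec1996"; /* constructed sample password */
    printf("%d %zu %d\n", round_trip_ok(pw, 7),
           self_encrypted_nonzero_bytes(pw, 7), equal_sectors_stay_equal(pw, 7));
    return 0;
}
```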

Although described above in terms of the preferred embodiment, the present invention is set forth with particularity in the appended claims. Such modifications and alterations as would be apparent to one of ordinary skill in the art and familiar with the teachings of this application shall be deemed to fall within the spirit and scope of the invention.

In particular, the preferred embodiment of the invention describes a hard disk. In the near future, it is probable that computer mass data storage will not be in the form of a magnetic hard disk but in some form of non-volatile silicon. The invention is independent of the technology used to store data and any mass-storage device is deemed to be within the spirit of the invention.

What is claimed is:

1. A computer system comprising:
a CPU;
a mass storage device;
a bus for coupling the CPU and the mass storage device;
a encryption circuit intercepting data traveling between said CPU and said mass storage device, for encrypting and decrypting data as it travels to and from said mass storage device and said CPU.

2. The computer system according to claim 1 further comprising means for storing a password.

3. The computer system according to claim 2 wherein said encryption circuit includes means for encrypting and decrypting data according to said password.

4. The computer system according to claim 1 further comprising means for removing said mass storage device.

5. The computer system according to claim 1 further comprising means for removing said mass storage device and said means for storing a password as a single unit.

6. A mass storage device for installation in a computer comprising:
mass storage media for storing data;
means for storing a password;
mounting means for mounting said mass storage device in a computer; and
an encryption circuit for encrypting data using said password as a key.

7. A method for encrypting and decrypting data comprising:
providing a computer system including a CPU and a mass storage device connected by a bus;
requesting a password from a user;
encrypting data, using said password as a key, as it travels from said CPU to said mass storage device; and
decrypting data using said password as a key, as it travels from said mass storage device to said CPU.

8. The method according to claim 7 further comprising storing said password and only requesting said password on a first use and retrieving said password from storage on subsequent uses.

UNITED STATES PATENT AND TRADEMARK OFFICE
CERTIFICATE OF CORRECTION

PATENT NO.: 6,199,163 B1
DATED: March 6, 2001
INVENTOR(S): Dumas et al.

Page 1 of 3

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Claims,

1. (Amended) A computer system comprising:
a CPU;
a mass storage device;
a bus for coupling the CPU and the mass storage device;
a encryption circuit employing a predetermined encryption algorithm;
a password storage register operable with said encryption circuit for intercepting data traveling between said CPU and said mass storage device, for encrypting and decrypting data as it travels to and from said mass storage device and said CPU; and
system software for retrieving a password from said mass storage device for comparison with said password storage register.

2. (Amended) The computer system according to claim 1 further comprising means for wherein said password storage register comprises a write only register for storing a password.

3. (Amended) The computer system according to claim 2 wherein said encryption circuit includes means) provides for encrypting and decrypting data including the password from said mass storage device according to said password.

4. (Amended) The computer system according to claim 1 further comprising means for removing wherein said mass storage device is removable.

5. (Amended) The computer system according to claim 1 further comprising means for removing said mass storage device and said means for storing a password as a single unit) wherein said system software comprises a basic input output system (BIOS) for retrieving the password from said mass storage device facilitating the removal of said mass storage device for use in personal computers employing said predetermined encryption algorithm.

6. (Amended) A mass storage device for installation in a computer comprising:
mass storage media for storing data;
means for storing a password;
mounting means a bus connection for mounting said mass storage device in a computer; and
an encryption circuit employing a predetermined encryption algorithm;
a password storage register operable with said encryption circuit for for encrypting data using said a password as a key; and
system software for retrieving the password from said mass storage media for comparison with said password storage register.

7. (Amended) A method for encrypting and decrypting data comprising:
providing a computer system including a CPU and a mass storage device connected by a bus;
requesting a password from a user;
encrypting data employing a predetermined encryption algorithm and a stored password operable with an encryption circuit, using said password as a key, as it travels from said CPU to said mass storage device; and
decrypting data using said password as a key, as it travels from said mass storage device to said CPU; and
retrieving a password from the mass storage device for comparison with the stored password.

8. (Amended) The method according to claim 7 further comprising storing said password in a write only register and only requesting said password from a user on a first use and retrieving said password from storage the mass storage device on subsequent uses.

Signed and Sealed this Twentieth Day of November, 2001

Attesting Officer

NICHOLAS P. GODICI
Acting Director of the United States Patent and Trademark Office