1. Field of the Invention
This invention relates to methods and systems for keeping portable computer data secure, and to authentication tokens for use therein.
2. Background Art
Portable computers such as laptops are vulnerable to theft, greatly increasing the likelihood of exposing sensitive files. Storing laptop data in a cryptographic file system does not fully address this problem. Such systems ask the user to imbue them with long-term authority for decryption, but that authority can be used by anyone who physically possesses the machine. Forcing the user to frequently reestablish his identity is too intrusive, encouraging him or her to work around or disable encryption entirely.
Safeware, an insurer of computer equipment, estimates that 387,000 laptops were stolen during the 2000 calendar year. For many users, the true cost of laptop theft is not the lost hardware, but rather the exposure of sensitive data. There have been at least three high-profile losses within the past year. A laptop containing two years of financial data and internal company e-mail was stolen from Qualcomm founder Irwin Jacobs. The U.S. Department of State reported the loss of a laptop that identified sources and methods used to gather nuclear proliferation intelligence. Such events are not limited to the United States; a British MI6 agent left a laptop describing field methods in a taxi. All of these laptops were insecure.
Once an adversary has physical possession of a laptop, he has full access to all of the information on it. This is true even with secure login facilities; such protections can be bypassed by removing the laptop's disk and examining it at leisure. The best defense against physical inspection is to leave all data on the machine encrypted without exposing the decryption keys. Current cryptographic file systems do not provide this property.
To see why, consider the role played by user authentication. At login time, a user proves his identity to the machine, typically with a password. If successful, the machine is empowered to act on the user's behalf. The duration for which these rights persist is a matter of policy. Often, they last until the user explicitly logs out, though some systems require users to reauthenticate at fixed intervals.
This model of authentication is troublesome when used with file system encryption. Authentication provides the keys for decrypting file system data, either directly or indirectly. However, while authentication persists, anyone in physical possession of the machine can act as that user; authentication transfers authority from the user to the machine.
If the reauthentication period is long, the window of vulnerability is correspondingly wide. This is a dangerous proposition for laptops. Requiring frequent reauthentication limits this vulnerability, but places a substantial burden on the user. This encourages him to leave his files decrypted or find a way to automatically renew authentication. In either case, the protection afforded by encryption is forfeit.
The discussion so far has focused on password-based authentication, but other methods suffer a similar fate. One alternative is a secure device, such as a smartcard, that provides decryption services. Such a device is inserted into the laptop and either transfers its keys to the machine or must remain attached for continued operation. The former is identical to password-style authentication. The latter encourages a user to leave the card in the laptop, providing little protection.
Biometric authentication schemes intrude on users in two ways. The first is the false-negative rate: the chance of rejecting a valid user. For face recognition, this ranges between 10% and 40%, depending on the amount of time between training and using the recognition system. For fingerprints, the false-negative rate can be as high as 44%, depending on the subject. The second stems from physical constraints. For example, a user must touch a special reader to validate his fingerprint. Such burdens encourage users to disable or work around biometric protection. A notable exception is iris recognition. It can have a low false-negative rate, and can be performed unobtrusively. However, doing so requires three cameras, an expensive and bulky proposition for a laptop.
The Jones, et al., U.S. Pat. No. 5,623,637, provides for an encrypted data storage card including smartcard integrated circuit for storing an access password and encryption keys. Disclosed within is a method and apparatus for storing access passwords, encryption or decryption keys, or digital signatures, in a smart-card integrated circuit interconnected with a data access mechanism (hard drive) which are integral parts of a memory card of a laptop or notebook computer.
The Cyras, et al., U.S. Pat. No. 5,889,866, provides for a method and apparatus for controlling access to detachably connectable computer devices using an encrypted password. Of interest is a method and apparatus for controlling access to a laptop or notebook computer using an encrypted password. The laptop computer includes utility software that prompts the user for password assignment, password entry, etc. Encryption logic encrypts the entered password and stores the encrypted password as the key on the computer. Furthermore, if the encrypted entered password is the same as the key and, thus, the entered password is the same as the assigned password, an enable signal is sent to render the computer operable.
The Rallis, et al., U.S. Pat. No. 6,189,099, provides for a notebook security system (NBS). Disclosed is a multi-level security system for preventing unauthorized use of a notebook, or laptop computer. A validation record stored on the computer's hard disk contains an encrypted key device serial number and an encrypted hard disk serial number. A program that is automatically invoked at computer power-up, or reset, implements the user validation procedure. The procedure permits entry past a first security level if the key device serial number matches the unencrypted number in the validation record. If the first-level validation is successful, the procedure then uses the encryption key to decrypt the hard disk serial number found in the stored validation record. The procedure permits entry past the second security level only if the validation record is properly decrypted and the actual hard disk serial number matches the decrypted number. A failure at any step in the user-validation procedure will immediately power down the computer, thereby rendering it useless to a thief not possessing the required key device.
The patent document to Jones, et al., WO 95/16238, provides for a secure computer memory card. Described within is a method and apparatus for password protecting a computer. An integrated circuit incorporated within the computer's memory card may store public and private key values used to encrypt and decrypt data stored on the memory card or elsewhere on the host computer.
The Xydis U.S. Pat. No. 6,070,240, provides for a method of controlling a computer system comprising the steps of: disposing a computer in an operating space and placing the computer in a lockout mode to prevent operation of the computer software by a user. It also provides for a transponder that transmits an authorized user code in the operating space and identifies the user owning the transponder. The authorized user is then free to operate the computer software while the sensing for the presence of a transponder transmitting an authorized user code in the operating space is continued.
The Davis et al., U.S. Pat. No. 6,088,450, provides for a wireless authentication system to control an operating state of a computer based on the proximity of an authorized user to the computer. The wireless authentication system comprises a security device implemented within the computer and a user authentication token (“token”) in possession of the authorized user. A Challenge/Response protocol is configured between the security device and the token. The first successful Challenge/Response message exchange between the security device and the token places the node in an operational state allowing the authorized user access to the contents and/or networked resources of the node. Later Challenge/Response message exchanges are set to occur periodically to check whether the authorized user possessing the token has left the node unattended thereby causing the node to be placed in a non-operational state.
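The periodic challenge/response arrangement described for Davis et al. can be modeled concretely. The following is an added illustrative example, not code from the Davis patent or from the present invention; it assumes a key shared between the security device and the token at enrollment, an HMAC-SHA256 response over a fresh random challenge, and a simple two-state node (operational while the token answers correctly, non-operational as soon as a scheduled check gets no answer or a wrong one). The class names, `exchange` and `simulate` are hypothetical.

```python
"""Periodic challenge/response proximity check between a laptop-side
security device and a user's token. Illustrative model only; it is not
the code of any patent cited above."""
import hashlib
import hmac
import secrets
from typing import List, Optional

CHALLENGE_BYTES = 16  # 128-bit random challenge per round (assumption)


class Token:
    """Hypothetical wireless token. Answers a challenge with an HMAC
    keyed by the secret shared with the security device at enrollment."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class SecurityDevice:
    """Hypothetical laptop-side verifier. Holds the node's operational
    state and the key of the one enrolled token."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: Optional[bytes] = None
        self.operational = False

    def challenge(self) -> bytes:
        # A fresh random challenge every round: a response captured from
        # an earlier exchange does not verify against a later challenge.
        self._outstanding = secrets.token_bytes(CHALLENGE_BYTES)
        return self._outstanding

    def verify(self, response: Optional[bytes]) -> bool:
        challenge, self._outstanding = self._outstanding, None
        if challenge is None or response is None:
            # No outstanding challenge, or no answer at all: the token is
            # out of range (or gone), so the node becomes non-operational.
            self.operational = False
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        # Constant-time comparison of the 32-byte MACs.
        self.operational = hmac.compare_digest(expected, response)
        return self.operational


def exchange(device: SecurityDevice, token: Optional[Token]) -> bool:
    """One challenge/response round. `token is None` models the user
    (with the token) having left the node's radio range. Returns the
    node's operational state after the round."""
    challenge = device.challenge()
    response = token.respond(challenge) if token is not None else None
    return device.verify(response)


def simulate(device: SecurityDevice,
             presence: List[Optional[Token]]) -> List[bool]:
    """Run one round per scheduled check; `presence[i]` is the token that
    is reachable at check i (None if out of range). Returns the node state
    after each check."""
    return [exchange(device, t) for t in presence]


if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # constructed enrollment key
    dev = SecurityDevice(shared)
    good = Token(shared)
    # User present for two checks, walks away, then returns.
    print(simulate(dev, [good, good, None, good]))  # [True, True, False, True]
```

Two properties worth noting. First, the node never stays operational on its own: every scheduled check that gets no answer drops it to the non-operational state, which is what keeps an unattended laptop from carrying the user's authority indefinitely. Second, the exchange proves only that something holding the key answered the radio challenge; it does not measure distance, so the "proximity" it establishes is whatever the radio range and the check interval allow.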
The MacDoran et al., U.S. Pat. No. 5,757,916, provides for a method and apparatus for authenticating the identity of a remote user entity where the identity of such user entity is authenticated by use of information specific to geodetic location of the user entity but that changes constantly, making “spoofing” the host device extremely difficult. The invention is preferably implemented utilizing satellite positioning technology to produce the identifying information.
The Theimer, U.S. Pat. Nos. 5,544,321 and 5,611,050, provide for a method for superimposing prespecified locational, environmental, and contextual controls on user interactions, including interactions of mobile users, with computational resources. A system is described for electronically monitoring contextual information concerning users and machines, including state and locational information including proximity. Interaction policies, including user specified interaction policies, may be registered on an identifiable address path. Methods are described for detecting, selecting and controlling computer-controlled devices, based on the proximity of the device to the user, the current context of the user, the location of other nearby users and devices, and the current state of the devices. Temporary transfer of control, including exclusive control, of particular computers and computer-controlled devices to individual users based on the context and environment in proximity to those computing devices is also described.
The following U.S. patents are also generally related to the present invention: U.S. Pat. Nos. 5,012,514; 5,091,939; 5,226,080; 5,375,243; 5,657,470; and 5,836,010.