The present invention is related to data security. More particularly, the present invention is related to a method and system for protecting data stored in a node.
Computer security software is ubiquitous in today's digital world. One of the security software products available to users is known as The CyberAngel®. The CyberAngel® detects unauthorized access to, or possible theft of, a computer and alerts a user within several minutes. The CyberAngel® may also lock the communication ports, the mouse, and the keyboard, and prevent data transmission upon detection of the unauthorized access or possible theft. This prohibits an intruder from accessing, copying, downloading or printing any files. The CyberAngel® requires that a valid user supply an unprompted password. Any use without the input of the unprompted password is considered an attempted security breach.
Another security software product is known as ComputracePlus, by which data on a stolen computer can be deleted. To protect data on a computer, ComputracePlus customers have the option of subscribing to a data delete service which deletes valuable data from the computer if it is stolen. This data delete service prevents a thief from accessing and compromising the data. The data delete service works in the background to erase data from the computer, and can be configured to include or exclude the computer's operating system.
The state of security existing at a node may change over time. A node that was deemed to be highly secure at one time may become insecure. A node, onto which user data was placed when the node was secure, needs to monitor its level of security continuously, (or periodically), and take actions to protect the data that is residing on it if the node's level of security decreases. Conventional systems do not address this issue other than just sending audit messages when certain operations are performed on user data.
The present invention is related to a method and system for protecting data stored in a node. Upon detection of an attempt to compromise security at a residing node, the data may be moved from the residing node to an escrow node which is a trustworthy intermediary node. The data may be encrypted prior to transmission to the escrow node. Stakeholders of the data may be notified of such movement so that the stakeholders may take action. An attempted breach of security may automatically place the residing node in a compromised state, upon which the owner may submit the residing node to a security bureau to clear the compromised state. The escrow node may transfer the data to an off-site node if the owner or user of the residing node is not trustworthy. Alternatively, a usage right associated with the data may be disallowed. In an alternative embodiment, a message may be sent to a generator of the data to inform the generator of the attempted or successful breach in security, whereby the generator takes an action to protect the data. In yet another alternative, the residing node may send a message to an intermediary node as a notification regarding the breach in security, and encrypt the data with a new encryption key issued by the intermediary node.
The features of the present invention may be incorporated into an integrated circuit (IC) or be configured in a circuit comprising a multitude of interconnecting components.
The behavior metrics may indicate that malware has been detected, that anti-virus software is out-of-date, that digital signatures or hash codes of software, firmware, and configuration data cannot be verified, that an attempt to penetrate the physical security of the node has been detected, that the node has accessed or was accessed by other nodes having a certain probability of being compromised, and that the node is taken out of or placed into certain physical locations.
An evaluation procedure involves any logical formula where the behavior metrics are used as inputs. For example, the evaluation procedure may be a set of ordered rules where, for each rule, if a combination of conditions is present, a set of actions is taken. The evaluation procedure may also take the form of a weighted sum with a threshold or a set of thresholds, each associated with a different security level, or may comprise more elaborate if-then statements. When the security module 120 detects an attempt to compromise security of the node 100, the node 100 implements a security mechanism in accordance with the present invention, which will be explained in detail hereinafter.
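The two forms of evaluation procedure named above can be combined, as in the following added example (not part of the original disclosure): a weighted sum of behavior metrics is mapped onto a security level by thresholds, and an ordered rule list then selects the protective actions. The metric names paraphrase the indications listed earlier; the weights, thresholds and action names are assumptions chosen for illustration.

```python
# Behavior metrics follow the indications listed in the description.
# Weights, thresholds and action names are assumptions for illustration.
WEIGHTS = {
    "malware_detected": 50,
    "antivirus_out_of_date": 10,
    "hash_verification_failed": 40,
    "physical_tamper_detected": 60,
    "contact_with_suspect_node": 20,
    "outside_allowed_location": 30,
}

# (minimum weighted sum, security level), most severe first.
THRESHOLDS = [(60, "compromised"), (30, "degraded"), (0, "secure")]

# Ordered rules: (condition on metrics and level, actions). First match wins.
RULES = [
    (lambda m, level: m.get("physical_tamper_detected", False),
     ["entomb", "notify_stakeholders"]),
    (lambda m, level: level == "compromised",
     ["escrow", "notify_stakeholders"]),
    (lambda m, level: level == "degraded",
     ["disallow_print_copy_distribute"]),
]


def security_level(metrics):
    """Weighted sum of the active metrics mapped onto a security level."""
    score = sum(w for name, w in WEIGHTS.items() if metrics.get(name))
    for minimum, level in THRESHOLDS:
        if score >= minimum:
            return level, score


def evaluate(metrics):
    """Return (level, score, actions) for one snapshot of behavior metrics."""
    # A misspelled metric would silently lower the score, so reject it.
    unknown = set(metrics) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown behavior metrics: {sorted(unknown)}")
    level, score = security_level(metrics)
    for condition, actions in RULES:
        if condition(metrics, level):
            return level, score, list(actions)
    return level, score, []


if __name__ == "__main__":
    # Constructed snapshots, not measurements from a real node.
    for snapshot in (
        {"antivirus_out_of_date": True},
        {"antivirus_out_of_date": True, "contact_with_suspect_node": True},
        {"malware_detected": True, "hash_verification_failed": True},
        {"physical_tamper_detected": True},
    ):
        print(snapshot, "->", evaluate(snapshot))
```

Because the rules are ordered, physical tampering selects entombment even though its weighted sum alone would only trigger escrow.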
The data is associated with usage rights and a security policy. The usage rights involve rights to render, edit, alter or distribute the data. The security policy guides the evaluation of the security level of the node 100 and specific security aspects at the node 100. The security level is related to the usage rights as specific rights may be based on a particular aspect of security existing at the node 100. Determining the security level of a node may be used to restrict usage rights, such as preventing the ability to print, copy, or distribute the associated data. Shutting down these rights makes the data largely inaccessible. However, with a node under attack, there may be a way to extract a decryption key or to circumvent the programming code that follows the access instructions inherent in the associated usage rights. The present invention makes the data impervious to an attack on the system through the use of entombment and escrowing.
Digital rights management (DRM) is used to associate the data with the usage rights. The usage rights are specified with a rights expression language (REL). The REL is a language for specifying rights to content, fees or other consideration required to secure those rights, types of users qualified to obtain those rights, and other associated information necessary to enable transactions in content rights. The REL offers an approach for associating inputs concerning a security breach with outputs for controlling the protection of data that is more flexible than a hard-coded algorithmic approach. The exemplary association of the security breach with the protective actions is shown in Table 1.
DRM can be extended so that control mechanisms may be initiated based on the data owner's preferences as specified by the security policy using an extension to the REL. In addition to security policies being specified by data owners, the owner or user of the node 100 may specify the security policy for how the node 100 should handle security related aspects. For example, the security extensions to the REL may be used to protect the data by specifying an allowed transfer of the data to other nodes. The security policy may be desired for expediency and as a safety net for data on the node 100 that is owned by the owner or user of the node 100, and may be based on a moral or legal obligation that the owner or user of the node 100 has for the protection of the data of others that resides on the node 100. The security policy may be expressed using extensions to the REL. The security policy is communicated as highly flexible content in a field in a protocol, such as Open Mobile Alliance (OMA) or Rights Object Acquisition Protocol (ROAP).
In addition to extending the REL with the security policy, a common but less flexible security policy may be hard-coded in the protocol by adding messages or fields in existing messages. Placing security related data directly in the protocol may allow for a more efficient flow of messages.
The security policy states under what circumstances which data should be “escrowed” or “entombed”, where the data should be sent with or without encryption, whether and when to destroy the data, or the like, which will be explained in detail hereinafter. The allowed usage of the data as expressed in the security policy may be contingent on the node possessing a certain security state.
When a state of compromised security at the node is detected, a protection mechanism, (passive or active), is implemented. In accordance with the present invention, upon detection of an attempt to compromise security, and before the attack is successful, a usage right may be disallowed as a passive protection mechanism. An active protection mechanism is explained hereinafter.
There may have been many parties involved along the way as the data was being formed into its current state. A change history for the data may be maintained, and the paths that were followed to generate the data are retraced to send the data to the generator(s) 220. The security policy associated with the data may indicate that the data only needs to be partially retraced.
Since encrypting a large amount of data with a public key can be a time-consuming procedure, the intermediary node 320 may supply the public key in advance so that encryption may be performed in the background on a continuous basis. Entombment in this case means deleting the plaintext data. Since symmetric encryption is much faster than asymmetric encryption, the intermediary node 320 may periodically issue a symmetric key to be used for the background encryption of data. Each time a new symmetric key is issued by the intermediary node 320, the residing node 310 encrypts the old symmetric key with a public key issued by the intermediary node 320 and deletes the old symmetric key. The encrypted symmetric keys remain associated with their corresponding sections of data. When the need for entombment arises, most of the data is already entombed and the residing node 310 only needs to encrypt any remaining plaintext with the last received symmetric key and then delete the symmetric key.
The symmetric key may be encrypted by the intermediary node's public key when the symmetric key is first received. In fact, when the symmetric key is received by the residing node 310, it can be accompanied by the symmetric key already encrypted with the intermediary node's public key or even with a symmetric key that is only known by the intermediary node 320. Alternatively, each symmetric key sent by the intermediary node 320 may be accompanied by a code which the intermediary node 320 may use to look up the symmetric key. The residing node 310 associates this code with the data that the corresponding symmetric key encrypts. Having a copy of data stored on a hard drive in encrypted form that may never be used unless the node experiences an attempted security breach may be considered costly. This same data may be considered a backup in case the working copy of data is accidentally erased. If this pre-entombed data is kept on a separate physical disk drive then this extra copy of the data may serve as protection against a disk drive failure.
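The background entombment scheme of the two preceding paragraphs, in the variant where each symmetric key is accompanied by a lookup code, is sketched below as an added example (not part of the original disclosure). The class and method names are hypothetical, and the cipher is a standard-library stand-in (an HMAC-SHA256 keystream with an authentication tag) used so that the example runs without third-party packages; a deployment would use a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, b"ks" + nonce + counter, hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return keystream_xor(key, nonce, body)


class IntermediaryNode:
    """Issues symmetric keys and keeps them, indexed by lookup code."""

    def __init__(self):
        self._keys = {}

    def issue_key(self):
        code, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[code] = key
        return code, key

    def recover(self, code, blob):
        return unseal(self._keys[code], blob)


class ResidingNode:
    def __init__(self, intermediary):
        self.intermediary = intermediary
        self.plaintext = {}   # section name -> working copy
        self.entombed = {}    # section name -> (lookup code, ciphertext)
        self._code, self._key = intermediary.issue_key()

    def background_encrypt(self):
        """Pre-entomb every section that has no encrypted copy yet."""
        for name, data in self.plaintext.items():
            if name not in self.entombed:
                self.entombed[name] = (self._code, seal(self._key, data))

    def rotate_key(self):
        """Finish work under the old key, then replace (delete) it."""
        self.background_encrypt()
        self._code, self._key = self.intermediary.issue_key()

    def entomb(self):
        """Breach attempt: encrypt leftovers, drop plaintext and the key."""
        self.background_encrypt()
        self.plaintext.clear()
        self._key = None  # a real node must also wipe the key from storage
```

After `entomb()` the residing node holds only ciphertext and lookup codes, so recovery is possible only through the intermediary node.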
The escrow node 420 is a trusted intermediary. This trust may be achieved for example, through the use of the Trusted Computing Group's (TCG's) Trusted Network Connect (TNC). The TCG is a not-for-profit organization formed to develop, define and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals and devices. TCG specifications aim to enable more secure computing environments without compromising functional integrity, privacy or individual rights. A primary goal is to help users protect their information assets, (e.g., data, passwords, keys, or the like), from compromise due to external software attack or physical theft. The TCG allows for a node to be evaluated for its level of security prior to it being allowed to participate in a network. One of the aims of this admission control is the protection of data residing on the network.
The TNC enables network operators to enforce policies regarding endpoint integrity at or after network connection. The TNC ensures multi-vendor interoperability across a wide variety of endpoints, network technologies and policies. In general, TCG establishes trust through a process of attestation where hashes of program and configuration data are compared to reference values. In accordance with the present invention, the difference in these values is used as an indication that a security breach is occurring, or has occurred. The detection of malware, including a virus, may also be used as an indication of a security breach.
The data transferred to the escrow node 420 may be encrypted. The DRM approach of super-distribution may be used for this transfer. Alternatively, TCG's migratable keys facility may be used to transfer symmetric keys securely so that keys that can be used to decrypt the encrypted data, (i.e., primarily encrypted data on the residing node on which the decryption key has been deleted), may be securely transferred and stored on the escrow node, and the plaintext data may be accessed at the escrow node.
The data is stored in the escrow node 420 temporarily while the security situation at the residing node 410 is resolved. The behavior metrics which led to the decision to escrow the data may also be sent to the escrow node 420 or another intermediary node so that the proper resolution of the security problem may be addressed.
After a certain period of time subsequent to the data being moved to the escrow node 420, the escrow node 420 may delete the data if the user does not properly re-claim it. The administrator may offer to store the escrowed data for an extended period of time, or the user may request to hold the deletion.
The user of the data may specify the alternate residing node 430 to receive the data upon a security breach. If this is allowed by the usage rights and the security breach is not attributable to the user, the escrow node 420 may send the data to the alternate residing node 430.
The escrow node 420 may convert the security policy associated with the data to replace device specific designations, (e.g., a device ID), with values applicable to the alternate residing node 430. For example, if the data is tied to an ID of the residing node 410 under the associated security policy, the escrow node 420 converts any device IDs to be in agreement with the alternate residing node 430. The escrow node 420 may transfer the content and/or rights to the alternate residing node 430 using DRM transfer protocols rather than a bulk transfer so that each DRM transfer restriction is satisfied.
If it is determined by the escrow node 420 that the owner or user of the residing node 410 is not trustworthy, (e.g., the residing node 410 was physically attacked or the owner's fingerprints were found on the metal interconnect layer of some ICs as determined by a security bureau 460 after the owner followed the directions of the administrator of the escrow node and shipped or brought the residing node 410 to the security bureau 460 in hopes of gaining re-access to the data), then the data may be transferred from the escrow node 420 to the off-site node 440. The off-site node 440 is a separate node that the owner or the user of the residing node 410 cannot physically access. The owner or user of the residing node 410 may still need access to some of the data, (e.g., if the data is needed for some vital function). In such a case, access to the data may be allowed in a limited way. The limitation may be imposed by using DRM as to how the data may be edited, rendered and distributed.
After the data is moved to the escrow node 420, all of the stakeholders 450 of the data may be notified that the data is now residing in the escrow node 420 such that the stakeholders 450 may resolve the situation. The stakeholders 450 include, but are not limited to, the owner of the residing node 410, the user of the residing node 410 and the owner(s) of the data. These roles may be shared by the same entity.
Some data may have gone through various transformations involving the aggregation of data owned by various parties. This makes it difficult to send the data back to the owners of the data. A change history for the data may be maintained, and the paths that were followed to generate the data are retraced to send the data to the owners. The policies associated with the data may indicate that the data only needs to be partially retraced.
The security breach may place the residing node 410 in a persistent compromised state such as can exist with a virus infection that cannot be removed. This compromised state may automatically be indicated on the residing node 410 by the setting of certain bits and the storage of descriptive information in a protected memory. Another node wanting to communicate with the residing node 410 may query this information to determine whether the residing node 410 is in a compromised state. The security bureau 460 may list an ID of the compromised nodes in a compromised device list. This ID may be the communications address of the node.
The security bureau 460 may take various forms. The security bureau 460 may be a single large organization with many offices opened for interacting with the public (similar to a postal service whether public, quasi-public, or private), or may be a federation of smaller companies where each member company is legally committed to follow common ethical standards and technical methodologies.
In order for the residing node 410 to have its compromise state cleared and to be taken off of the compromised device list, the owner or user of the residing node 410 may submit the residing node 410 to the security bureau 460. The security bureau 460 inspects the residing node 410 for impairments to its physical construction and cleans the residing node 410 of any configuration and software based impairments. If the residing node 410 passes the inspection, the security bureau 460 clears the compromise state of the residing node 410, for example, by using a special password reserved for the security bureau 460. The security bureau 460 may be entrusted with a password that allows write access to protected registers that indicate whether or not a node is in a compromised state. The use of the password may be automated and involve a challenge-response protocol with the node, making it more difficult for the personnel working at the security bureau 460 to gain access to the password.
The security bureau 460 also removes the residing node 410 from the compromised device list. The security bureau 460 may also issue a digitally signed certificate describing the initial problem, the solution, and the current state of the residing node 410. This certificate may be embedded in the residing node 410 and be available for review. The data that was uploaded to the escrow node 420 may be placed back on the residing node 410.
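The automated clearing of the compromised state described above can be illustrated with the following added example (not part of the original disclosure). It assumes the bureau's password is realized as a per-node secret provisioned in the node's protected memory and proven with an HMAC over a single-use challenge, so the secret itself is never typed or transmitted; the class and method names and the node ID are hypothetical.

```python
import hashlib
import hmac
import secrets


def clear_response(secret, node_id, challenge):
    """HMAC binding the clear command to one node and one challenge."""
    message = b"clear-compromised|" + node_id.encode() + b"|" + challenge
    return hmac.new(secret, message, hashlib.sha256).digest()


class Node:
    def __init__(self, node_id, bureau_secret):
        self.node_id = node_id
        self._secret = bureau_secret  # assumed to sit in protected memory
        self.compromised = False      # models the protected state bit
        self.reason = ""
        self._challenge = None

    def mark_compromised(self, reason):
        self.compromised, self.reason = True, reason

    def query_state(self):
        """What another node may read before communicating with this one."""
        return self.compromised, self.reason

    def new_challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def clear_compromised(self, response):
        challenge, self._challenge = self._challenge, None  # single use
        if challenge is None:
            return False
        expected = clear_response(self._secret, self.node_id, challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self.compromised, self.reason = False, ""
        return True


class SecurityBureau:
    def __init__(self):
        self._secrets = {}  # node ID -> secret, held by the bureau
        self.compromised_devices = set()

    def enroll(self, node_id):
        self._secrets[node_id] = secrets.token_bytes(32)
        return self._secrets[node_id]

    def report(self, node):
        self.compromised_devices.add(node.node_id)

    def clear(self, node, passed_inspection):
        """Automated exchange: staff trigger it but never see the secret."""
        if not passed_inspection:
            return False
        challenge = node.new_challenge()
        secret = self._secrets[node.node_id]
        answer = clear_response(secret, node.node_id, challenge)
        if node.clear_compromised(answer):
            self.compromised_devices.discard(node.node_id)
            return True
        return False
```

A response recorded during one exchange is useless later, because each challenge is random and is discarded after a single verification attempt.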
After a security mechanism for the data is implemented in accordance with the present invention, there may be remnants of the data in plaintext remaining on the node. This is most likely to occur if not all the data on the node has been protected. Therefore, as part of the data protection process, a search is conducted to see if the data is still residing somewhere on the node. The remnants may also be protected or may be deleted. This search may be performed by first evaluating data before it is encrypted and/or transferred off the node to determine if a section of the data has aspects of relative uniqueness upon which it is placed in a queue for searching the remainder of the node. A match results in the protection or deletion (wiping) of the data. This deletion can be dangerous as an independent piece of data can share informational aspects with the protected data being escrowed or entombed. Therefore, as part of the REL associated with the protected data, the node soon to become the residing node 410, agrees that by accepting the data, it accepts any unintended consequences of the automatic deletion of the data. An alternative or complementary approach is for a record to be kept of the copying of sections of protected data so that the selection of data for deletion can be performed deterministically. Any copy of protected data that is stored on a disk drive, even if only temporarily, in order to perform the procedures described here, will require that its location on the disk drive be wiped.
Although the features and elements of the present invention are described in the preferred embodiments in particular combinations, each feature or element can be used alone without the other features and elements of the preferred embodiments or in various combinations with or without other features and elements of the present invention. The methods in the present invention may be implemented in a computer program, software, or firmware tangibly embodied in a computer-readable storage medium for execution by a general purpose computer or a processor. Examples of computer-readable storage mediums include a read only memory (ROM), a random access memory (RAM), a register, cache memory, semiconductor memory devices, magnetic media such as internal hard disks and removable disks, magneto-optical media, and optical media such as CD-ROM disks, and digital versatile disks (DVDs).
Suitable processors include, by way of example, a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) circuits, any integrated circuit, and/or a state machine.
A processor in association with software may be used to implement a radio frequency transceiver for use in a wireless transmit receive unit (WTRU), user equipment, terminal, base station, radio network controller, or any host computer. The WTRU may be used in conjunction with modules, implemented in hardware and/or software, such as a camera, a video camera module, a videophone, a speakerphone, a vibration device, a speaker, a microphone, a television transceiver, a handsfree headset, a keyboard, a Bluetooth module, a frequency modulated (FM) radio unit, a liquid crystal display (LCD) display unit, an organic light-emitting diode (OLED) display unit, a digital music player, a media player, a video game player module, an Internet browser, and/or any wireless local area network (WLAN) module.
This application claims the benefit of U.S. Provisional Application No. 60/750,030 filed Dec. 13, 2005, which is incorporated by reference as if fully set forth.
Number | Date | Country
---|---|---
60750030 | Dec 2005 | US