Host validation mechanism for preserving integrity of portable storage data

摘要

A host validation system runs on a portable storage device, and protects data stored thereon from unauthorized access by host computers. The system identifies a host to which the portable device is coupled, for example by using the host's TPM. This can further comprise identifying the host's current configuration. The system uses the identification and configuration information to verify whether the host is approved to access data stored on the portable device. The system provides the host a level of data access responsive to this verification. This can involve denying all data access to the host, or providing at least some access to data stored on the portable device, for example based on a stored access policy specifying levels of access to provide to specific hosts with specific configurations.

主权项

1. A computer implemented method for validating a host computer from a portable storage device, the method comprising the steps of:
detecting that the portable storage device is communicatively coupled to the host computer, the portable storage device comprising a secure partition with data, credentials and an access policy, and wherein the host computer is unable to access the data on the secure partition until authorized; the portable storage device interrogating a Trusted Platform Module (TPM) of the host computer to authorize the host computer, wherein the TPM comprises a secure crypto-processor chip, and wherein authorizing the host computer comprises:
the portable storage device interrogating remote attestation of the TPM to identify a current configuration of the host computer and verify whether the host computer is approved for access based on the current configuration;the portable storage device verifying whether the host computer to which the portable storage device is communicatively coupled is approved for access based on the credentials in the secure partition;determining a level of access for the host computer based on the access policy in the secure partition; and providing the level of access to the host computer for data stored in the secure partition of the portable storage device responsive to the host computer authorization and access level determination.