Publication number: CN1776563 A
Publication type: Application
Application number: CN 200510130655
Publication date: May 24, 2006
Filing date: Dec 19, 2005
Priority date: Dec 19, 2005
Publication number: 200510130655.1, CN 1776563 A, CN 1776563A, CN 200510130655, CN-A-1776563, CN1776563 A, CN1776563A, CN200510130655, CN200510130655.1
Inventors: 菅晓翔, 高宏
Applicant: 清华紫光股份有限公司
File encrypting device based on USB interface
CN 1776563 A
Abstract
The encryption device comprises the following parts: a USB interface chip connected to the host computer; a digital signal processor (DSP) connected to the USB interface chip; a smart card chip connected to the DSP; and an encryption device driver located between the computer's file system driver and its hard disk driver. In the invention, the folder encryption device and the key it holds are separate from the computer system, which prevents the risk of information leakage when the whole computer is lost or stolen. Users are authenticated before use in order to prevent information leakage from the hardware. The invention satisfies data protection requirements at different security levels. Moreover, the unique product serial number inside the smart card chip ensures the uniqueness of the encryption key and of the encryption device.
Claims(1)  translated from Chinese
1. A computer folder encryption device based on a universal serial bus interface, characterized in that the device comprises: (1) a universal serial bus interface chip, connected to the host computer, for high-speed data transfer and communication between the host computer and the digital signal processor; (2) a digital signal processor, connected to the universal serial bus interface chip, for encrypting and decrypting the data stream read by the host computer; (3) a smart card chip, connected to the digital signal processor, for storing keys and personal information; (4) an encryption device driver, placed between the file system driver and the hard disk driver in the computer, for capturing the read and write operations of the host computer's file system on the computer's hard disk, converting multiple groups of 16-bit hard disk data into one group of 128-bit data for encryption and decryption, and controlling the encryption device to encrypt and decrypt the 128-bit data.
Description  translated from Chinese
A folder encryption device based on a universal serial bus interface

Technical Field

The present invention relates to a folder encryption device based on a universal serial bus interface, and belongs to the technical field of computer information security.

Background

The openness, ease of use and standardization of computer software and hardware systems give computers inherent, critical security weaknesses, so that the data on a computer's hard disk can easily be illegally obtained, misappropriated, tampered with or destroyed.

The most effective way to keep computer data secure is to encrypt it: the original plaintext is processed by some algorithm into unreadable ciphertext, protecting critical data from being stolen, read, tampered with or destroyed by unauthorized users.

Northwestern Polytechnical University, in invention patent application No. 200410025825.5, discloses a "computer hard disk data encryption method and device". That technique places a data encryption device between the hard disk and the host and encrypts the data transferred between the computer's hard disk and the host. The data encryption device uses the PCI bus and plugs directly into a PCI slot on the computer's motherboard. The encryption device has an IC card read/write port, through which the key on the IC card held by a legitimate user is read and stored in the key management module inside the encryption device.

IBM, in invention patent application No. CN00131477.7, discloses a method and apparatus for "encrypting/decrypting stored data with an inaccessible unique key". That application uses an inaccessible key that is unique to the computer system. The unique key may be embedded in non-removable hardware of the computer system, or may be generated from, for example, the identification number of the computer system's non-removable hardware. The process comprises constructing the unique key, encrypting data with it, and storing the encrypted data on a storage medium without storing the unique key on that medium. The storage medium may be any non-removable or removable storage medium, for example a computer hard disk, a floppy disk or a recordable optical disc.

Both methods remove the risk that the data can be read by another computer when the hard disk is lost or stolen, but this prior art has the following drawbacks:
1. The Northwestern Polytechnical University method stores the key used for encryption/decryption in the key management module inside the encryption device, and in the IBM method the key is generated from the identification number of non-removable hardware in the computer system; if the whole machine is lost or stolen, neither method can keep the data on the hard disk secure.

2. Encrypting all the data on the computer's hard disk cannot meet users' requirements for protecting data of different security levels.

Summary of the Invention

The object of the present invention is to provide a computer folder encryption device based on a universal serial bus interface that prevents the risk of information leakage when the whole computer is lost or stolen: the encryption device holding the key is separated from the computer system, thereby protecting the information in the computer.

The computer folder encryption device based on a universal serial bus interface proposed by the present invention comprises: (1) a universal serial bus interface chip, connected to the host computer, for high-speed data transfer and communication between the host computer and the digital signal processor; (2) a digital signal processor, connected to the universal serial bus interface chip, for encrypting and decrypting the data stream read by the host computer; (3) a smart card chip, connected to the digital signal processor, for storing keys and personal information; (4) an encryption device driver, placed between the file system driver and the hard disk driver in the computer, for capturing the read and write operations of the host computer's file system on the computer's hard disk, converting multiple groups of 16-bit hard disk data into one group of 128-bit data for encryption and decryption, and controlling the encryption device to encrypt and decrypt the 128-bit data.

The computer folder encryption device based on a universal serial bus interface proposed by the present invention has the following advantages:
1. The encryption device and the key in it are separate from the computer system, which prevents the risk of information leakage when the whole computer is lost or stolen. The encryption device authenticates the user, so even if the encryption device and the computer are lost or stolen together, leakage of the information on the computer's hard disk is prevented.

2. The encryption device of the present invention sits between the file system and the hard disk driver in the computer and can encrypt specified files or folders rather than all the data on the hard disk, meeting users' requirements for protecting data of different security levels.

3. The encryption device of the present invention includes a smart card chip and uses the product's unique serial number inside the smart card chip as the seed for generating the encryption key, which guarantees both the uniqueness of the encryption key and the uniqueness of the encryption device.

4. Two-factor authentication. Only after the encryption device of the present invention has been inserted into the computer's universal serial bus interface and the correct user password has been entered does the user pass authentication and gain access to the encrypted folders, so the security strength of the authentication is comparatively high.

5. Safe and convenient to use. The encryption device is about the shape and size of a flash drive, and the user can carry it like a key, which prevents the encryption device from being lost or stolen.

Brief Description of the Drawings

Figure 1 is a structural block diagram of the device of the present invention; the device of the invention is inside the dashed box, and the remaining parts belong to the host computer.

Detailed Description

The structural block diagram of the computer folder encryption device based on a universal serial bus interface proposed by the present invention is shown in Figure 1. The device comprises: a universal serial bus interface chip, connected to the host computer, for high-speed data transfer and communication between the host computer and the digital signal processor; a digital signal processor, connected to the universal serial bus interface chip, for encrypting and decrypting the data stream read by the host computer; a smart card chip, connected to the digital signal processor, for storing keys and personal information; and an encryption device driver, placed between the file system driver and the hard disk driver in the computer, for capturing the read and write operations of the host computer's file system on the computer's hard disk, converting multiple groups of 16-bit hard disk data into one group of 128-bit data for encryption and decryption, and controlling the encryption device to encrypt and decrypt the 128-bit data.

When the user needs to read or write critical data in an encrypted folder on the host computer, the encryption device is plugged into the host computer's universal serial bus interface. The encryption device of the present invention automatically encrypts, at the device layer, every file saved into an "encrypted folder". The encryption operations on the data and the use and storage of the key all take place inside the chips of the encryption device attached to the universal serial bus interface and never enter the computer environment, so tracing and attack by hacker programs can be completely ruled out. Even if the whole computer is lost or stolen, information leakage is effectively prevented.

In the computer folder encryption device based on a universal serial bus interface of the present invention, the universal serial bus interface chip is the Philips ISP1581 high-speed USB 2.0 interface device, which fully complies with the USB 2.0 specification and provides high-speed data transfer and communication between the host computer and the digital signal processor.

The digital signal processor is a Texas Instruments TMS320 digital signal processor, which internally packages the standard DES and 3DES symmetric cipher algorithms. To encrypt or decrypt the data stream read or written by the host computer, it first reads the key from the smart card chip and then runs the cipher algorithm on the data stream. The TMS320 digital signal processor reaches a data rate of 100 Mbit per second when running the DES encryption algorithm, which fully meets the speed requirement for hard disk data encryption.

The smart card chip is Atmel's 8-bit AT05SC smart card microcontroller, which stores the key needed to run the cipher algorithm and personal information such as the user password (PIN). The chip contains 40 KB of read-only memory and 2 KB of electrically erasable programmable read-only memory, and has a globally unique 64-bit product serial number. At initialization the 64-bit product serial number is used as the seed to generate a 128-bit user encryption/decryption key, so that the digital key inside each hardware key is unique; the probability of a key recurring is 1/10^38, which guarantees uniqueness when the user is authenticated. The smart card chip is difficult to forge and resists physical, electronic and chemical attacks, giving the encryption device based on a universal serial bus interface a high level of security and confidentiality.

The encryption device driver captures information about the read and write operations of the host computer's file system on the computer's hard disk, such as the drive letter (C:, D:, etc.), folder name, file name and data stream; converts multiple groups of 16-bit hard disk data into one group of 128-bit data for encryption and decryption; and controls the encryption device to encrypt and decrypt the 128-bit data. The encryption device driver sits between the computer's file system driver and the hard disk driver. It is a device driver running at Ring 0 of the Windows operating system, which lets applications control the encryption device from the lowest level of the operating system. When the operating system issues a "write" instruction for a file, the encryption device driver intercepts the data stream in memory that is about to be written and calls the encryption device to encrypt the data before it is stored in the designated hard disk space. Because encryption is performed dynamically in this way, the data stored on the hard disk is always ciphertext even if the system crashes or loses power, which makes the security of encrypted files more dependable. Most importantly, the user does not have to do anything to encrypt or decrypt files: using only the ordinary commands of the Windows operating system, the computer performs the encryption/decryption automatically while files are saved, saved as, copied and pasted, or dragged, giving transparent operation under the Windows operating system.

The working principle and working process of the device of the present invention are described below. The present invention proposes an encryption method in which the encryption device and the key are separate from the computer system, preventing the risk of information leakage when the whole computer is lost or stolen. The user can set up encrypted folders dedicated to storing critical data, and the encryption device encrypts and decrypts only the data in the designated folders.

1. Working principle:
Key generation and injection: the unique product serial number of the smart card chip inside the encryption device is used as the seed, and a hash algorithm produces the 128-bit user encryption/decryption key from it. The key is stored in ciphertext form in the smart card chip inside the encryption device, and the security protection functions of the smart card chip prevent an attacker from reading the key information.

Because the key is generated from the product's unique serial number inside the smart card chip, even if an unauthorized user steals a legitimate user's encryption device in order to copy it, the smart card chip in every encryption device has a different serial number; a copy built from the same models of universal serial bus interface chip, digital signal processor and smart card chip gives an entirely different result, which guarantees that the encryption device hardware cannot be duplicated.

(1) The encryption device driver monitors in real time the read and write operations between the computer's memory and the hard disk. When the computer reads or writes an encrypted folder, the encryption device driver intercepts the data stream between the host and the hard disk.
(2) The encryption device driver converts multiple groups of 16-bit hard disk data into one group of 128-bit data for encryption and decryption, and sends it to the encryption device on the universal serial bus interface to be encrypted or decrypted.
(3) The encryption device driver converts the 128-bit encrypted or decrypted data output by the encryption device back into multiple groups of 16-bit data that the computer and the hard disk can read and write.
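The key generation and the 16-bit/128-bit regrouping described above, as an added example that is not code from the patent or the applicant. Assumptions: SHA-256 truncated to 16 bytes stands in for the hash algorithm the page leaves unnamed, words are packed little-endian, the last block is zero-padded, and all function names and sample values are constructed for illustration.

```python
import hashlib
import struct

WORDS_PER_BLOCK = 128 // 16  # eight 16-bit disk words fill one 128-bit block


def derive_key(serial: int) -> bytes:
    """Derive the 128-bit user key from the chip's 64-bit serial number.

    Assumption: SHA-256 truncated to 16 bytes stands in for the hash the
    page leaves unnamed. The key is a pure function of the serial, so a
    64-bit seed yields at most 2**64 distinct keys whatever the key length.
    """
    if not 0 <= serial < 2**64:
        raise ValueError("serial number must fit in 64 bits")
    return hashlib.sha256(serial.to_bytes(8, "big")).digest()[:16]


def pack_words(words):
    """Regroup 16-bit words into 16-byte blocks; returns (blocks, word_count).

    The last block is zero-padded (assumption), so the caller keeps the
    original word count to strip the padding after decryption.
    """
    words = list(words)
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("every word must fit in 16 bits")
    padded = words + [0] * (-len(words) % WORDS_PER_BLOCK)
    blocks = [
        struct.pack("<8H", *padded[i:i + WORDS_PER_BLOCK])
        for i in range(0, len(padded), WORDS_PER_BLOCK)
    ]
    return blocks, len(words)


def unpack_blocks(blocks, word_count):
    """Inverse of pack_words: 16-byte blocks back to 16-bit words."""
    words = []
    for block in blocks:
        if len(block) != 16:
            raise ValueError("each block must be exactly 128 bits")
        words.extend(struct.unpack("<8H", block))
    if word_count > len(words):
        raise ValueError("word_count exceeds the data in the blocks")
    return words[:word_count]


if __name__ == "__main__":
    # Constructed sample: two device serials and ten 16-bit words of disk data.
    for serial in (0x0123456789ABCDEF, 0x0123456789ABCDF0):
        print(hex(serial), derive_key(serial).hex())
    blocks, count = pack_words(range(0x4100, 0x410A))
    print([b.hex() for b in blocks], unpack_blocks(blocks, count))
```

Because the derived key depends on nothing but the serial number and the hash, its confidentiality rests on how well the serial number and the stored key are protected, not on the 128-bit output length.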

2. Authentication process:
(1) The computer authenticates the encryption device: when the encryption device is inserted into the computer's universal serial bus interface, the encryption device driver reads the product serial number from the smart card chip inside the encryption device and determines whether it is a legitimate encryption device.

(2) The encryption device authenticates the user: the user password (PIN) that identifies the user is stored in the smart card chip inside the encryption device. When the encryption device is inserted into the computer's universal serial bus interface, the encryption device driver prompts the user to type the user password on the keyboard. If the password entered matches the one in the smart card chip, authentication succeeds. If the password is entered incorrectly three times in a row, the encryption device driver locks the authentication process.
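The two authentication steps above, modelled as an added example that is not code from the patent or the applicant. Assumptions: the host decides device legitimacy from a set of enrolled serial numbers (the page does not say how the check is made), the failure counter is held in memory, no unlock procedure exists because the page describes none, and all names and sample values are constructed.

```python
import hmac

MAX_FAILURES = 3  # from the page: three consecutive wrong entries lock authentication


class PinGate:
    """User check: compare the typed PIN with the stored one, count failures."""

    def __init__(self, stored_pin: str):
        self._pin = stored_pin.encode("utf-8")
        self.failures = 0  # consecutive wrong entries so far

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, candidate: str) -> str:
        if self.locked:
            return "locked"  # refuse even the correct PIN once locked
        # compare_digest avoids leaking the position of the first wrong byte
        if hmac.compare_digest(candidate.encode("utf-8"), self._pin):
            self.failures = 0  # "consecutive": a success resets the count
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "denied"


def authenticate(serial, enrolled_serials, gate, pin):
    """Step (1): device check by serial number; step (2): user check by PIN."""
    if serial not in enrolled_serials:
        return "unknown-device"  # PIN is never evaluated, counter untouched
    return gate.verify(pin)


if __name__ == "__main__":
    # Constructed sample values: one enrolled device and its PIN.
    enrolled = {0x0123456789ABCDEF}
    gate = PinGate("4921")
    for pin in ("0000", "4921", "1111", "2222", "3333", "4921"):
        print(pin, authenticate(0x0123456789ABCDEF, enrolled, gate, pin))
```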

3. How the user encrypts and decrypts files when using the encryption device of the present invention:
Creating encrypted folders: 1 to 20 encrypted folders can be created on each computer.

File encryption: using the ordinary Windows copy, paste, drag-in and save-as operations, write important files into an encrypted folder that has been set up, or create a file directly in the encrypted folder and save it; in each case the file is encrypted automatically during the operation.

File decryption: using the ordinary Windows copy, paste and drag-out operations, or opening a file directly from the configured folder or saving it as another file, the file is decrypted automatically during the operation.

Referenced by
Citing Patent | Filing date | Publication date | Applicant | Title
CN100446024C | Jan 26, 2007 | Dec 24, 2008 | 北京飞天诚信科技有限公司 | Protection method and system of electronic document
CN100449560C | Sep 26, 2006 | Jan 7, 2009 | 南京擎天科技有限公司 | Computer data security protective method
CN101236535B | Jul 31, 2007 | Dec 22, 2010 | 北京理工大学 | Hard disk encryption method based on optical disk under Window environment
CN102236747A * | Apr 23, 2010 | Nov 9, 2011 | 北京同方微电子有限公司 | Method for upgrading conventional computer into trusted computer
CN102436568A * | Sep 29, 2010 | May 2, 2012 | 孔令军 | Computer external encryption device with storage function and encryption and decryption method utilizing same
CN103761067A * | Dec 13, 2013 | Apr 30, 2014 | 昆山五昌新精密电子工业有限公司 | Processing system and processing method for encryption/decryption of data files
CN104751072A * | Mar 17, 2015 | Jul 1, 2015 | 山东维固信息科技股份有限公司 | Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology
Classifications
International Classification: G06F1/00
Legal Events
Date | Code | Event | Description
May 24, 2006 | C06 | Publication |
Jul 19, 2006 | C10 | Request of examination as to substance |
Feb 6, 2008 | C02 | Deemed withdrawal of patent application after publication (patent law 2001) |