Method forversatile content control

US 20060242068A1
Filed: 12/20/2005
Published: 10/26/2006
Est. Priority Date: 12/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for storing data in a memory system which comprises a rewritable non-volatile memory, and a memory controller controlling access to said non-volatile memory;

said method comprising;

causing the controller to generate a key useful for encrypting and/or decrypting data stored in the memory by the controller, said key being substantially inaccessible to devices external to the system; and

storing in the memory a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium. When implemented in a flash memory, the above features result in a particularly useful medium for content protection. Many storage devices are not aware of file systems while many computer host devices read and write data in the form of files. The host device provides a key reference or ID, while the memory system generates a key value in response which is associated with the key ID, which is used as the handle through which the memory retains complete and exclusive control over the generation and use of the key value for cryptographic processes, while the host retains control of files.

Citations

19 Claims

1. A method for storing data in a memory system which comprises a rewritable non-volatile memory, and a memory controller controlling access to said non-volatile memory;
- said method comprising;
  
  causing the controller to generate a key useful for encrypting and/or decrypting data stored in the memory by the controller, said key being substantially inaccessible to devices external to the system; and
  
  storing in the memory a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising accessing data in the memory in the form of files, wherein the controller is not aware of files.
  - 3. The method of claim 1, wherein the policy permits one or more entities in a set of entities to use the key for accessing the same data stored in the memory and prevents entities not in the set to use the key for accessing data stored in the memory.
  - 4. The method of claim 3, wherein the policy permits a first set of one or more entities to use the key to encrypt and/or decrypt data and to write and read data from the memory and a second set of one or more entities to use the key to only decrypt data in the memory and read the decrypted data.
  - 5. The method of claim 3, wherein the policy permits a set of one or more entities to use the key to only encrypt data and write the encrypted data to the memory, to only decrypt data in the memory and read the decrypted data, or both.
  - 6. The method of claim 3, wherein the policy permits an entity to delete access rights to the memory of another entity or alter the policy to disallow access by another entity to use the key, where said another entity was permitted such access prior to the alteration.
  - 7. The method of claim 3, wherein the policy permits an entity to delegate access rights to the key to another entity or alter the policy to permit such delegation.
  - 8. The method of claim 1, wherein the policy requires the establishment of a secure channel for at least one entity to access the memory, or to the key.
  - 9. The method of claim 1, wherein the policy requires the establishment of a secure channel for access to the memory, or to the key.
  - 10. The method of claim 1, wherein the policy permits access to the memory, or to the key, only by a limited number of entities.
  - 11. The method of claim 1, wherein the policy permits access to the memory, or to the key, only by a limited number of entities irrespective of whether an entity has been authenticated.
  - 12. The method of claim 1, wherein the policy does not require the establishment of a secure channel for at least one entity to access the memory, or to the key

13. A method for storing data in a memory system which comprises a flash memory, and a memory controller controlling access to said non-volatile memory;
- said method comprising;
  
  causing the controller to generate a key useful for encrypting and/or decrypting data stored in the memory by the controller; and
  
  storing in the memory a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.

14. A method for storing data in a memory system which comprises a rewritable non-volatile memory, and a memory controller controlling access to said non-volatile memory;
- said method comprising;
  
  storing in the memory a key useful for encrypting and/or decrypting data stored in the memory by the controller;
  
  accessing data in the memory in the form of files, wherein the controller is not aware of files; and
  
  storing in the memory a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.
- View Dependent Claims (15)
- - 15. The method of claim 14, said key being substantially inaccessible to systems external to the device.

16. A secure storage method for use in a storage system comprising a non-volatile flash memory;
- and a controller controlling access to the memory;
  
  said method comprising;
  
  storing in said memory or controller at least two records for controlling access to the memory by at least two corresponding entities, each of said records containing an authentication requirement for and permission(s) to access encrypted and/or unencrypted data stored in the memory by the corresponding entity of the at least two entities wherein the authentication requirement(s) and the permission(s) in the records of the at least two corresponding entities are not entirely the same; and
  
  controlling access by at least two corresponding entities to data stored in said memory according to the at least two records.
- View Dependent Claims (17)
- - 17. The method of claim 16, each of said records containing permission(s) to access partitions in the memory by the corresponding entity of the at least two entities wherein the permission(s) in the records of the at least two corresponding entities for accessing partitions are not entirely the same.

18. A secure storage method for providing or accepting data files when requested by a host device, said system comprising a non-volatile memory storing a data file and a controller controlling access to the memory;
- said method comprising;
  
  providing to the system a key reference associated with said data file;
  
  causing said controller to generate a cryptographic key and to associate said key with said key reference, said key useful for encrypting and/or decrypting said data file; and
  
  using said key reference for communication between the host device and the system for encrypting and/or decrypting said one of the plurality of data files.
- View Dependent Claims (19)
- - 19. The method of claim 18, said key being substantially inaccessible to devices external to the storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sansa Security, Inc. (SoftBank Group Corp.), SanDisk Technologies LLC (Western Digital Corporation)
Original Assignee
Sandisk Technologies Incorporated (Western Digital Corporation)
Inventors
Holtzman, Michael, Bar-El, Hagai, Jogand-Coulomb, Fabrice, Barzilai, Ron, Qawami, Bahman

Granted Patent

US 8,504,849 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/50
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 21/78 to assure secure storage of...

Method forversatile content control

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method forversatile content control

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links