Memory system with versatile content control

US 20070168292A1
Filed: 12/20/2005
Published: 07/19/2007
Est. Priority Date: 12/21/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for storing data, comprising:

a rewritable non-volatile memory storing data; and

a controller controlling access to said non-volatile memory;

wherein a cryptographic key is stored in said non-volatile memory or controller, said key useful for encrypting and/or decrypting data stored in the memory by the controller, said key being substantially inaccessible to devices external to the system; and

wherein the memory also stores a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium. When implemented in a flash memory, the above features result in a particularly useful medium for content protection. Many storage devices are not aware of file systems while many computer host devices read and write data in the form of files. The host device provides a key reference or ID, while the memory system generates a key value in response which is associated with the key ID, which is used as the handle through which the memory retains complete and exclusive control over the generation and use of the key value for cryptographic processes, while the host retains control of files.

Citations

22 Claims

1. A system for storing data, comprising:
- a rewritable non-volatile memory storing data; and
  
  a controller controlling access to said non-volatile memory;
  
  wherein a cryptographic key is stored in said non-volatile memory or controller, said key useful for encrypting and/or decrypting data stored in the memory by the controller, said key being substantially inaccessible to devices external to the system; and
  
  wherein the memory also stores a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein data in the memory is accessed by an external device in the form of files, and the controller is not aware of files.
  - 3. The system of claim 1, wherein the policy permits one or more entities in a set of entities to use the key for accessing the same data stored in the memory and prevents entities not in the set to use the key for accessing data stored in the memory.
  - 4. The system of claim 3, wherein the policy permits a first set of one or more entities to use the key to encrypt and/or decrypt data and to write and read data from the memory and a second set of one or more entities to use the key to only decrypt data in the memory and read the decrypted data.
  - 5. The system of claim 3, wherein the policy permits a set of one or more entities to use the key to only encrypt data and write the encrypted data to the memory, to only decrypt data in the memory and read the decrypted data, or both.
  - 6. The system of claim 3, wherein the policy permits an entity to delete access rights to the memory of another entity or alter the policy to disallow access by another entity to use the key, where said another entity was permitted such access prior to the alteration.
  - 7. The system of claim 3, wherein the policy permits an entity to delegate access rights to the key to another entity or alter the policy to permit such delegation.
  - 8. The system of claim 1, wherein the policy requires the establishment of a secure channel for at least one entity to access the memory, or to the key.
  - 9. The system of claim 1, wherein the policy requires the establishment of a secure channel for access to the memory, or to the key.
  - 10. The system of claim 1, wherein the policy permits access to the memory, or to the key, only by a limited number of entities.
  - 11. The system of claim 1, wherein the policy permits access to the memory, or to the key, only by a limited number of entities irrespective of whether an entity has been authenticated.
  - 12. The system of claim 1, wherein the policy does not require the establishment of a secure channel for at least one entity to access the memory, or to the key
  - 13. The system of claim 1, wherein said memory cells and controller are encapsulated in a card.
  - 14. The system of claim 1, said memory or controller storing a plurality of records for a plurality of corresponding entities for controlling access to the memory, each of said records containing an authentication requirement for and permission(s) to access encrypted and/or unencrypted data stored in the memory by a corresponding authenticated entity, wherein the authentication requirement(s) and the permission(s) in the records of at least two corresponding entities are not entirely the same.

15. A system for storing data, comprising:
- a flash memory storing data; and
  
  a controller controlling access to said non-volatile memory;
  
  wherein a first cryptographic key is stored in said non-volatile memory or controller, said key useful for encrypting or decrypting data stored in the memory by the controller; and
  
  wherein the memory also stores a policy concerning different permissions granted to authorized entities for using the key for encrypting and/or decrypting data stored in the memory.

16. A system for storing data, comprising:
- a rewritable non-volatile memory storing data; and
  
  a controller controlling access to said non-volatile memory;
  
  wherein a cryptographic key is stored in said non-volatile memory or controller, said key useful for encrypting and/or decrypting data stored in the memory by the controller, wherein data in the memory is accessed by an external device in the form of files, and the controller is not aware of files; and
  
  wherein the memory also stores a policy concerning different permissions granted to authorized entities to use the key for encrypting and/or decrypting data stored in the memory.
- View Dependent Claims (17)
- - 17. The system of claim 16, said key being substantially inaccessible to devices external to the system.

18. A secure storage system, comprising:
- a non-volatile flash memory; and
  
  a controller controlling access to the memory, said memory or controller storing at least two records for controlling access to the memory by at least two corresponding entities, each of said records containing an authentication requirement for and permission(s) to access encrypted and/or unencrypted data stored in the memory by the corresponding entity of the at least two entities wherein the authentication requirement(s) and the permission(s) in the records of the at least two corresponding entities are not entirely the same.
- View Dependent Claims (19)
- - 19. The system of claim 18, each of said records containing permission(s) to access partitions in the memory by the corresponding entity of the at least two entities wherein the permission(s) in the records of the at least two corresponding entities for accessing partitions are not entirely the same.

20. A secure storage system which provides or accepts data files when requested by a host device, said host device providing to the system a key reference associated with a data file, comprising:
- a non-volatile memory storing said data file; and
  
  a controller controlling access to the memory;
  
  wherein a cryptographic key is generated by said controller and associated with said key reference, said key useful for encrypting and/or decrypting said data file, and said key reference used for communication between the host device and the system for encrypting and/or decrypting said data file.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, said key being substantially inaccessible to devices external to the system.
  - 22. The system of claim 20, wherein the controller is not aware of files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sansa Security, Inc. (SoftBank Group Corp.), SanDisk Technologies LLC (Western Digital Corporation)
Original Assignee
SanDisk Technologies LLC (Western Digital Corporation)
Inventors
Holtzman, Michael, Bar-El, Hagai, Jogand-Coulomb, Fabrice, Barzilai, Ron, Qawami, Bahman

Application Number

US11/314,410
Publication Number

US 20070168292A1
Time in Patent Office

Days
Field of Search
US Class Current

705/52
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

Memory system with versatile content control

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Memory system with versatile content control

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links