Method and System for Access Control and Data Protection in Digital Memories, Related Digital Memory and Computer Program Product Therefor

US 20080089517A1
Filed: 12/22/2004
Published: 04/17/2008
Est. Priority Date: 12/22/2004
Status: Active Grant

First Claim

Patent Images

1-49. -49. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital memory such as a memory card for mobile communication equipment, is adapted to be accessed by a plurality of users and have protected data stored therein. The memory is dynamically partitionable in private memory areas for storing data therein and has associated therewith a secrecy tool for securely allocating to the users respective private areas and permitting the users to access the respective private areas via a secure session channel to perform read/write commands in the respective private areas. Typically, the memory/card includes: a card interface controller for managing a physical communication layer between the digital memory and external host equipment, an internal memory having associated therewith a hardware lock to control access to the internal memory, a set of cryptographic modules to manage the secure session channel between the users and the digital memory, and a memory certificate for certifying a public key associated with the digital memory.

50 Citations

View as Search Results

81 Claims

1-49. -49. (canceled)

50. A method of controlling access by a plurality of users to a digital memory and protecting data in said digital memory comprising the steps of:
- dynamically partitioning said digital memory in private areas for storing data in said digital memory, said users in said plurality being securely allocated respective private areas in said digital memory; and
  
  permitting said users in said plurality to access said respective private areas via a secure session channel to perform read/write commands in said respective private areas.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 81)
- - 51. The method of claim 50, comprising the step of said users in said plurality, self-allocating respective private areas in said digital memory.
  - 52. The method of claim 50, comprising the step of allocating said respective private areas by opening a secure session channel, whereby allocation of said respective private areas in said digital memory can be securely requested.
  - 53. The method of claim 50, comprising the step of preventing users in said plurality from accessing data stored in respective private areas allocated to other users in said plurality.
  - 54. The method of claim 53, comprising the steps of:
    - allotting to at least one privileged user a privileged personal identification number; and
      
      allowing said privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory.
  - 55. The method of claim 54, wherein said step of allowing said privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory is via said privileged personal identification number without opening a session.
  - 56. The method of claim 54, wherein said predetermined set of operations comprises at least one of deleting respective private areas allocated in said digital memory and changing said privileged personal identification number.
  - 57. The method of claim 50, comprising the step of generating a list of the users that have allocated private areas in said digital memory.
  - 58. The method of claim 57, comprising the step of making said list available to users in said plurality without opening a session.
  - 59. The method of claim 50, comprising the step of managing communication between said users in said plurality and said digital memory by means of a cryptographic key mechanism.
  - 60. The method of claim 59, comprising the step of managing communication between said users in said plurality and said digital memory by means of a public key infrastructure.
  - 61. The method of claim 60, comprising the step of said users in said plurality communicating respective public keys by means of a user certificate.
  - 62. The method of claim 50, comprising the step of having respective user IDs assigned to said users in said plurality by said digital memory.
  - 63. The method of claim 50, comprising the steps of:
    - before permitting said users in said plurality to perform said read/write commands, opening a session by generating at least one session key adapted for use in at least one of;
      
      providing said secure channel between said users in said plurality and said digital memory by encrypting the data exchanged over said channel, and signing said commands in order to authenticate said users in said plurality issuing said commands.
  - 64. A system comprising a digital memory adapted to receive data stored therein and to be accessed by a plurality of users, the system being configured to implement the method of claim 50, in order to:
    - dynamically partition said digital memory in private areas for storing data in said digital memory, said users in said plurality being securely allocated respective private areas in said digital memory, and permit said users in said plurality to access said respective private areas via a secure session channel to perform read/write commands in said respective area allocated.
  - 81. A computer program product, loadable in the memory of at least one computer and comprising software code portions capable of implementing the method of claim 50.

65. A digital memory adapted to be accessed by a plurality of users and have protected data stored therein, said memory being dynamically partitionable in private memory areas for storing data therein and having associated therewith a secrecy tool for securely allocating respective private memory areas to said users in said plurality and permitting said users in said plurality to access said respective private areas allocated in said digital memory via a secure session channel to perform read/write commands in said respective private areas.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80)
- - 66. The memory of claim 65, wherein said secrecy tool is configured for allocating said respective private areas by opening a secure session channel, whereby allocation of said respective private areas in said digital memory can be securely requested.
  - 67. The memory of claim 65, comprising a lock module configured for preventing users in said plurality from accessing data stored in respective private areas allocated to other users in said plurality.
  - 68. The memory of claim 65, wherein said secrecy tool comprises at least one cryptographic algorithm engine for managing communication between said users in said plurality and said digital memory by means of a cryptographic key mechanism.
  - 69. The memory of claim 68, wherein said at least one cryptographic algorithm engine is configured for implementing a public key infrastructure.
  - 70. The memory of claim 69, comprising a set of memory areas for managing communication between said users in said plurality and said digital memory, said set comprising memory areas storing at least one of:
    - a public keys table containing information about the users, a user allocation table containing information about the private memory areas, and a session keys table containing information about sessions in progress.
  - 71. The memory of claim 70, wherein said public keys table comprises information items as to:
    - a user ID, an associated public key, and an associated identification name.
  - 72. The memory of claim 70, wherein said user allocation table comprises information items as to:
    - user IDs, the starting blocks of said respective private areas allocated in said digital memory, and the number of allocated blocks in said respective private areas allocated in said digital memory.
  - 73. The memory of claim 70, wherein said session keys table comprises information items as to:
    - a session ID, the correspondent user ID, and a session key
  - 74. The memory of claim 65, wherein said secrecy tool is configured for:
    - before permitting said users in said plurality to perform said read/write commands, opening a session by generating at least one session key adapted for use in at least one of;
      
      providing said secure channel between said users in said plurality and said digital memory by encrypting the data exchanged over said channel, and signing said commands in order to authenticate said users in said plurality issuing said commands.
  - 75. The memory of claim 65, comprising a card interface controller for managing a physical communication layer between the digital memory and external host equipment for the digital memory.
  - 76. The memory of claim 65, comprising an internal memory having associated therewith a hardware lock to control access to said internal memory.
  - 77. The memory of claim 65, wherein said secrecy tool comprises a set of cryptographic modules selected from:
    - a random number generator for providing a random number to build a session key;
      
      an asymmetric algorithm engine for encoding data by a private key and decoding them by a correspondent public key or vice versa;
      
      a symmetric algorithm engine for encoding data by a same key used to decode said data; and
      
      a hash module for signing data by a key.
  - 78. The memory of claim 65, comprising a memory certificate for certifying a public key associated with said digital memory.
  - 79. The digital memory of claim 65, comprising a memory card.
  - 80. The digital memory of claim 65, comprising a memory card adapted to be hosted by mobile communication equipment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Bianco, Alberto, Ricciato, Fabio, Turolla, Maura, Varriale, Antonio

Granted Patent

US 8,789,195 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/259
CPC Class Codes

G06F 12/0223   User address space allocati...

G06F 12/1466   Key-lock mechanism

G06F 12/1491   in a hierarchical protectio...

G06F 21/78   to assure secure storage of...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3555   Personalisation of two or m...

G06Q 20/35765   Access rights to memory zones

G07F 7/1008   Active credit-cards provide...

H04W 12/086   using security domains

Method and System for Access Control and Data Protection in Digital Memories, Related Digital Memory and Computer Program Product Therefor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

81 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Access Control and Data Protection in Digital Memories, Related Digital Memory and Computer Program Product Therefor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

81 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links