Host Device and Method for Protecting Data Stored in a Storage Device
First Claim
1. A host device comprising:
- an interface configured to communicate with a storage device; and
a controller in communication with the interface, wherein the controller is operative to;
send to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and
send to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device.
2 Assignments
0 Petitions
Accused Products
Abstract
The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium. When implemented in a flash memory, the above features result in a particularly useful medium for content protection. Many storage devices are not aware of file systems while many computer host devices read and write data in the form of files. The host device provides a key reference or ID, while the storage device generates a key value in response which is associated with the key ID, which is used as the handle through which the memory retains complete and exclusive control over the generation and use of the key value for cryptographic processes, while the host retains control of files.
155 Citations
34 Claims
-
1. A host device comprising:
-
an interface configured to communicate with a storage device; and a controller in communication with the interface, wherein the controller is operative to; send to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and send to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
-
18. A method for protecting data stored in a storage device, the method comprising:
performing by a host device in communication with a storage device; sending to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and sending to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
Specification