Host Device and Method for Protecting Data Stored in a Storage Device

US 20100077214A1
Filed: 11/23/2009
Published: 03/25/2010
Est. Priority Date: 12/21/2004
Status: Abandoned Application

First Claim

Patent Images

1. A host device comprising:

an interface configured to communicate with a storage device; and

a controller in communication with the interface, wherein the controller is operative to;

send to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and

send to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium. When implemented in a flash memory, the above features result in a particularly useful medium for content protection. Many storage devices are not aware of file systems while many computer host devices read and write data in the form of files. The host device provides a key reference or ID, while the storage device generates a key value in response which is associated with the key ID, which is used as the handle through which the memory retains complete and exclusive control over the generation and use of the key value for cryptographic processes, while the host retains control of files.

155 Citations

View as Search Results

34 Claims

1. A host device comprising:
- an interface configured to communicate with a storage device; and
  
  a controller in communication with the interface, wherein the controller is operative to;
  
  send to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and
  
  send to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The host device of claim 1, wherein the one or more policies permit one or more entities in a set of entities to use the key for accessing the same data stored in the storage device and prevent entities not in the set to use the key for accessing data stored in the storage device.
  - 3. The host device of claim 1, wherein the one or more policies permit a first set of one or more entities to use the key to encrypt and/or decrypt data and to write and read data from the storage device and a second set of one or more entities to use the key to only decrypt data in the storage device and read the decrypted data.
  - 4. The host device of claim 1, wherein the one or more policies permit a set of one or more entities to use the key to only encrypt data and write the encrypted data to the storage device, to only decrypt data in the storage device and read the decrypted data, or both.
  - 5. The host device of claim 1, wherein the one or more policies permit an entity to delete access rights to the storage device of another entity or alter the one or more policies to disallow access by another entity to use the key, where said another entity was permitted such access prior to the alteration.
  - 6. The host device of claim 1, wherein the one or more policies permit an entity to delegate access rights to the key to another entity or alter the one or more policies to permit such delegation.
  - 7. The host device of claim 1, wherein the one or more policies require establishment of a secure channel for at least one entity to access the storage device or the key.
  - 8. The host device of claim 1, wherein the one or more policies require the establishment of a secure channel for access to the storage device, or to the key.
  - 9. The host device of claim 1, wherein the one or more policies permit access to the storage device, or to the key, only by a limited number of entities.
  - 10. The host device of claim 1, wherein the one or more policies permit access to the storage device, or to the key, only by a limited number of entities irrespective of whether an entity has been authenticated.
  - 11. The host device of claim 1, wherein the one or more policies do not require establishment of a secure channel for at least one entity to access the storage device or the key
  - 12. The host device of claim 1, wherein the controller is further operative to send at least one of the following to the storage device:
    - an additional policy applicable to usage of the key; and
      
      a request for generation of an additional key.
  - 13. The host device of claim 1, wherein the one or more policies permit different sets of entities to make different uses of the key and have different access rights to data, the different uses of the key including one or both of encryption and decryption and the different access rights including one or both of reading and writing data.
  - 14. The host device of claim 1, wherein the controller is further operative to send, to the storage device, an association linking the key with a file to be encrypted with the key and stored in the storage device.
  - 15. The host device of claim 14, wherein the controller is further operative to send, to the storage device, a request to read the file and the reference name for the key.
  - 16. The host device of claim 1, wherein the controller is further operative to:
    - send two or more records to the storage device, each record containing an authentication requirement for and permission(s) for controlling access to data in the storage device by an entity, wherein the two or more of the records received differ from each other in at least one of the authentication requirement(s) and the permission(s).
  - 17. The host device of claim 16, wherein each of the at least two records contain permission(s) to access partitions in the storage device by the corresponding entity, wherein the permission(s) in the records of the at least two corresponding entities for accessing partitions are not entirely the same.

18. A method for protecting data stored in a storage device, the method comprising:
- performing by a host device in communication with a storage device;
  
  sending to the storage device a request for generating a key, which request includes a reference name for the key although generation of the key in the storage device would be independent from its reference name, wherein the key is accessible only internally within the storage device; and
  
  sending to the storage device for storage one or more policies applicable to usage of the key, the one or more policies concerning different permissions, granted to authenticated entities, to request the storage device to use the key for encrypting and/or decrypting data in the storage device, wherein a request sent to the storage device would be grantable or deniable based on the one or more policies, which request contains the reference name for using the key in encryption or decryption of data written or read, respectively, in the storage device.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The method of claim 18, wherein the one or more policies permit one or more entities in a set of entities to use the key for accessing the same data stored in the storage device and prevent entities not in the set to use the key for accessing data stored in the storage device.
  - 20. The method of claim 18, wherein the one or more policies permit a first set of one or more entities to use the key to encrypt and/or decrypt data and to write and read data from the storage device and a second set of one or more entities to use the key to only decrypt data in the storage device and read the decrypted data.
  - 21. The method of claim 18, wherein the one or more policies permit a set of one or more entities to use the key to only encrypt data and write the encrypted data to the storage device, to only decrypt data in the storage device and read the decrypted data, or both.
  - 22. The method of claim 18, wherein the one or more policies permit an entity to delete access rights to the storage device of another entity or alter the one or more policies to disallow access by another entity to use the key, where said another entity was permitted such access prior to the alteration.
  - 23. The method of claim 18, wherein the one or more policies permit an entity to delegate access rights to the key to another entity or alter the one or more policies to permit such delegation.
  - 24. The method of claim 18, wherein the one or more policies require establishment of a secure channel for at least one entity to access the storage device or the key.
  - 25. The method of claim 18, wherein the one or more policies require the establishment of a secure channel for access to the storage device, or to the key.
  - 26. The method of claim 18, wherein the one or more policies permit access to the storage device, or to the key, only by a limited number of entities.
  - 27. The method of claim 18, wherein the one or more policies permit access to the storage device, or to the key, only by a limited number of entities irrespective of whether an entity has been authenticated.
  - 28. The method of claim 18, wherein the one or more policies do not require establishment of a secure channel for at least one entity to access the storage device or the key
  - 29. The method of claim 18 further comprising sending at least one of the following to the storage device:
    - an additional policy applicable to usage of the key; and
      
      a request for generation of an additional key.
  - 30. The method of claim 18, wherein the one or more policies permit different sets of entities to make different uses of the key and have different access rights to data, the different uses of the key including one or both of encryption and decryption and the different access rights including one or both of reading and writing data.
  - 31. The method of claim 18 further comprising sending, to the storage device, an association linking the key with a file to be encrypted with the key and stored in the storage device.
  - 32. The method of claim 31 further comprising sending, to the storage device, a request to read the file and the reference name for the key.
  - 33. The method of claim 18 further comprising:
    - sending two or more records to the storage device, each record containing an authentication requirement for and permission(s) for controlling access to data in the storage device by an entity, wherein the two or more of the records received differ from each other in at least one of the authentication requirement(s) and the permission(s).
  - 34. The method of claim 33, wherein each of the at least two records contain permission(s) to access partitions in the storage device by the corresponding entity, wherein the permission(s) in the records of the at least two corresponding entities for accessing partitions are not entirely the same.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SanDisk Technologies LLC (Western Digital Corporation)
Original Assignee
SanDisk Technologies LLC (Western Digital Corporation)
Inventors
Barzilai, Ron, Holtzman, Michael, Bar-El, Hagai, Jogand-Coulomb, Fabrice, Qawami, Bahman

Application Number

US12/624,036
Publication Number

US 20100077214A1
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

Host Device and Method for Protecting Data Stored in a Storage Device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Host Device and Method for Protecting Data Stored in a Storage Device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others