Digital rights managment system, devices, and methods for binding content to an intelligent storage device

US 20130266137A1
Filed: 04/30/2012
Published: 10/10/2013
Est. Priority Date: 04/10/2012
Status: Active Grant

First Claim

Patent Images

1. A storage device configured to generate a binding key for binding data stored in the storage device, said storage device comprising:

a storage medium comprising a user area and a non-user area; and

a controller comprising a cryptographic module providing a hardware root of trust and a secured memory, wherein the controller is configured to generate a unique identifier for data to be stored in the user area of the storage medium, determine a first cryptographic key that is concealed by the cryptographic module, and generate a binding key that can be exposed based on the unique identifier and the concealed first cryptographic key.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to digital rights management (DRM) for content that may be downloaded and bound to a storage device. The storage device may be an intelligent storage device, such as a disk drive, or network attached storage. In addition, the storage device is capable of performing cryptographic operations and providing a root of trust. In one embodiment, the DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. However, the binding key is not stored on the storage with the content. The content key is a key that has been assigned to the content, for example, by a trusted third party. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is encrypted based on the access key and stored in encrypted form in the storage device.

82 Citations

View as Search Results

20 Claims

1. A storage device configured to generate a binding key for binding data stored in the storage device, said storage device comprising:
- a storage medium comprising a user area and a non-user area; and
  
  a controller comprising a cryptographic module providing a hardware root of trust and a secured memory, wherein the controller is configured to generate a unique identifier for data to be stored in the user area of the storage medium, determine a first cryptographic key that is concealed by the cryptographic module, and generate a binding key that can be exposed based on the unique identifier and the concealed first cryptographic key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The storage device of claim 1, wherein the secured memory comprises a one-time-programmable, non-volatile memory.
  - 3. The storage device of claim 1, wherein the controller is configured to determine first information that is unique to the storage device.
  - 4. The storage device of claim 1, wherein the controller is configured to determine first information that is unique to the storage device based on a random number.
  - 5. The storage device of claim 1, wherein the controller is configured to digitally sign the unique identifier based on information provided by the hardware root of trust.
  - 6. The storage device of claim 1, wherein the controller is configured to generate the binding key as an ephemeral key.
  - 7. The storage device of claim 1, wherein the controller is configured to prevent storage of the binding key in the user area of the storage medium.
  - 8. The storage device of claim 1, wherein the controller is configured to determine the unique identifier based on defect information about the storage medium.

9. A digital rights management system, said system comprising:
- a content key server configured to provide a first cryptographic key for encrypting content;
  
  a storage device comprising a storage medium configured to store content and a hardware cryptographic processor determining an ephemeral binding key that is unique to the hardware processor;
  
  a download server configured to provide encrypted content to the storage device, wherein the download server receives the binding key from the storage device, receives the first cryptographic key from the content key server, and encrypts the content based on a cryptographic combination of at least the first cryptographic key and the binding key; and
  
  a media player configured to receive the binding key, the first cryptographic key, and the encrypted content from the storage device, and decrypt the encrypted content based on a cryptographic combination of at least the first cryptographic key and the binding key.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the media player and the storage device are configured to perform mutual authentication with each other.
  - 11. The system of claim 9, wherein the media player is configured to generate a decryption key based on combining the content keys and the binding cryptographic key.
  - 12. The system of claim 9, wherein the storage device is configured as a network attached storage.
  - 13. The system of claim 9, wherein the hardware cryptographic processor is configured to receive a private key and a public key in a secure manufacturing environment.

14. A method of determining a key that binds data to a storage device, wherein said storage device comprises a controller, a cryptographic module with a memory, and a storage medium, said method comprising:
- generating a unique identifier for data to be stored on the storage medium of the storage device;
  
  determining, by the cryptographic module, a first cryptographic key that is concealed in the storage device;
  
  generating, by the cryptographic module, a binding key based on the unique identifier and the concealed first cryptographic key; and
  
  transmitting the binding key to a server that provides the data to the storage device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein determining the first information that is unique to the storage device comprises identifying a set of defects present on the storage medium of the storage device.
  - 16. The method of claim 14, wherein determining the first information that is unique to the storage device comprises identifying a defect log on the storage medium of the storage device that was generated when the storage device was manufactured.
  - 17. The method of claim 14, wherein generating the binding key comprises generating the key based on information in the defect log and a unique identifier assigned to the storage device.
  - 18. The method of claim 14, further comprising digitally signing the unique identifier based on information from a hardware root of trust provided by the storage device.
  - 19. The method of claim 14, further comprising concealing the first cryptographic key in a secured memory accessible by the cryptographic module.
  - 20. The method of claim 14, wherein generating the binding key comprises:
    - digitally signing the unique identifier based on information from the hardware root of trust provided by the storage;
      
      accessing the concealed first cryptographic key; and
      
      determining the binding key based on a cryptographic combination of the digitally signed unique identifier and the concealed first cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Inventors
Ybarra, Danny O., Hesselink, Lambertus, BLANKENBECKLER, David L.

Granted Patent

US 9,214,184 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G06F 21/1014   to tokens

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 2221/2107   File encryption

G11B 20/00115   wherein the record carrier ...

G11B 20/00123   the record carrier being id...

G11B 20/00137   involving measures which re...

G11B 20/00246   wherein the key is obtained...

H04L 2209/603   Digital right managament [DRM]

H04L 9/006   involving public key infras...

H04L 9/0861   Generation of secret inform...

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Digital rights managment system, devices, and methods for binding content to an intelligent storage device

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Digital rights managment system, devices, and methods for binding content to an intelligent storage device

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links