Method for creating control structure for versatile content control

US 8,051,052 B2
Filed: 12/20/2005
Issued: 11/01/2011
Est. Priority Date: 12/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access in a storage device, the method comprising:

performing in a controller in a storage device;

creating a tree in the storage device that has a non-volatile memory, wherein the controller in the storage device is operative to control access to the memory, the tree comprising nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree is further configured such that, when the storage device receives a request from an entity that has been authenticated to the storage device, the tree can be checked by the controller for a permission corresponding both to the entity and to the request from the entity for access to data stored in the storage device;

creating a second tree in the storage device, wherein the second tree comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree and the second tree have different root nodes, wherein there are no nodes in the tree above the root nodes; and

storing the trees in the storage device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The mobile storage device may be provided with a system agent that is able to create at least one hierarchical tree comprising nodes at different levels for controlling access to data stored in the memory by corresponding entities. Each node of the tree specifies permission or permissions of a corresponding entity or entities for accessing memory data. The permission or permissions at the node of each of the trees has a predetermined relationship to permission or permissions at nodes at a higher or lower or the same level in the same tree. Thus, the mobile storage devices may be issued without any trees already created so that the purchaser of the devices has a free hand in creating hierarchical trees adapted to the applications the purchaser has in mind. Alternatively, the mobile storage devices may also be issued with the trees already created so that a purchaser does not have to go through the trouble of creating the trees. In both situations, preferably certain functionalities of the trees can become fixed after the devices are made so that they cannot be further changed or altered. This provides greater control over access to the content in the device by the content owner. Thus, in one embodiment, the system agent can preferably be disabled so that no additional trees can be created.

Citations

84 Claims

1. A method for controlling access in a storage device, the method comprising:
- performing in a controller in a storage device;
  
  creating a tree in the storage device that has a non-volatile memory, wherein the controller in the storage device is operative to control access to the memory, the tree comprising nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree is further configured such that, when the storage device receives a request from an entity that has been authenticated to the storage device, the tree can be checked by the controller for a permission corresponding both to the entity and to the request from the entity for access to data stored in the storage device;
  
  creating a second tree in the storage device, wherein the second tree comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree and the second tree have different root nodes, wherein there are no nodes in the tree above the root nodes; and
  
  storing the trees in the storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1, wherein there is no cross-talk between the tree and the second tree.
  - 3. The method of claim 1, wherein the root nodes of the tree and the second tree cannot be altered or deleted.
  - 4. The method of claim 3, wherein authentication to the storage device is not required in order to create the root nodes of the tree and the second tree.
  - 5. The method of claim 3, wherein the root nodes are created irrespective of authentication by the storage device of an entity requesting creation of the root nodes.
  - 6. The method of claim 3, wherein the root nodes are created only after authentication by the storage device of an entity requesting creation of the root nodes.
  - 7. The method of claim 1, further comprising preventing additional trees from being created.
  - 8. The method of claim 1, wherein a permission at a node of the tree indicates access rights to data stored in the memory that are not less than access rights indicated by a permission at a node at a lower level in the tree.
  - 9. The method of claim 1, wherein a node in the tree has the capability to create a child node at a lower level for enabling access by the entity to data stored in the memory, the method further comprising creating the child node.
  - 10. The method of claim 9, wherein a permission of the child node is not greater than that of the node that created the child node.
  - 11. The method of claim 1, wherein a permission at a node of the tree permits the entity to perform one or more of:
    - creating another node in the tree, deleting another node in the tree, altering a permission at another node in the tree, delegating a permission to another node in the tree, and transferring association with the node to another node in the tree.
  - 12. The method of claim 1, wherein a permission at a node of the tree is for access to a key for encrypting and/or decrypting data stored in the memory.
  - 13. The method of claim 1, wherein a permission at a node of the tree is for access to one or more partitions of the memory.
  - 14. The method of claim 1, wherein a permission at a node permits a key for data encryption and/or decryption to be created on behalf of the entity.
  - 15. The method of claim 14, wherein the permission at a node permits the entity to delegate at least one of the following:
    - (i) ownership of the key created on its behalf and (ii) permission to use the key.
  - 16. The method of claim 14, wherein the permission at a node permits the entity for whom the key has been created to delete the key.
  - 17. The method of claim 1, wherein the tree is created by a system agent.
  - 18. The method of claim 17, wherein the system agent is stored in the controller.
  - 19. The method of claim 17, wherein the system agent is stored in the memory.
  - 20. The method of claim 1, wherein a permission at a node of the tree has a predetermined relationship to a permission at another node at a different level of the tree.
  - 21. The method of claim 1, wherein two nodes of the tree contain a same permission only if the two nodes share a common parent node in the tree.
  - 22. The method of claim 21, wherein the two nodes have a parent-child relationship.
  - 23. The method of claim 21, wherein the two nodes are in a same account group.
  - 24. The method of claim 1, wherein the storage device comprises a single controller.
  - 25. The method of claim 1, wherein the controller is operative to control access to and manage the memory.
  - 26. The method of claim 1, wherein different nodes in the tree are associated with different authentication algorithms.
  - 27. The method of claim 1, wherein the tree is independent of a file system in the storage device.
  - 28. The method of claim 1, wherein the second tree is created by the storage device.
  - 29. The method of claim 1, wherein a relationship between the nodes also corresponds to relationship between entities with permissions in the tree.
  - 30. The method of claim 1, wherein the data is stored outside of all the nodes in the tree and the second tree.
  - 31. The method of claim 1, wherein the tree and the second tree are created by a system agent, and wherein the system agent is not a node in either the tree or the second tree.

32. A method for controlling access to data in a storage device, the method comprising:
- performing in a controller in a storage device;
  
  receiving from an entity that has been authenticated to the storage device a request for access to data stored in the storage device;
  
  checking for a permission corresponding to the entity and the request in a tree, which tree is in the storage device and comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling access by the entity to data stored in the storage device;
  
  granting the request according to the permission;
  
  receiving from a second entity that has been authenticated to the storage device a second request for access to data stored in the storage device;
  
  checking for a second permission corresponding to the second entity and the second request in a second tree, which second tree comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling access by the second entity to data stored in the storage device, wherein the tree and the second tree have different root nodes, wherein there are no nodes in the tree above the root nodes; and
  
  granting the second request according to the second permission.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 33. The method of claim 32, wherein there is no cross-talk between the tree and the second tree.
  - 34. The method of claim 32, wherein the tree and the second tree contain access permissions to two separate sets of data so that granting the request and the second request enables the entity and the second entity to access a corresponding one of the two sets of data according to the permission and second permission.
  - 35. The method of claim 32, wherein a permission in a node of the tree indicates access rights to data that are not less than access rights indicated by a permission in a node at a lower level in the tree.
  - 36. The method of claim 32, wherein the request for access to data comprises a request for access to data stored in a partition of the memory, and the permission comprises a permission to access the partition of the memory.
  - 37. The method of claim 32, wherein the trees are stored in a controller within the storage device.
  - 38. The method of claim 32, wherein the trees are stored in a memory within the storage device.
  - 39. The method of claim 32, wherein a permission at a node of the tree is found without having to access a node at a different level of the tree.
  - 40. The method of claim 32, wherein the second permission corresponds to at least one additional entity.
  - 41. The method of claim 32, wherein the data is stored outside of all the nodes in the tree and the second tree.
  - 42. The method of claim 32, wherein the tree and the second tree are created by a system agent, and wherein the system agent is not a node in either the tree or the second tree.

43. A storage device comprising:
- a non-volatile memory; and
  
  a controller in communication with the memory, the controller operative to;
  
  control access to the non-volatile memory;
  
  create a tree in the storage device, the tree comprising nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree is further configured such that, when the storage device receives a request from an entity that has been authenticated to the storage device, the tree can be checked by the controller for a permission corresponding both to the entity and to the request from the entity for access to data stored in the storage device;
  
  create a second tree in the storage device, wherein the second tree comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling entity access to data stored in the storage device, wherein the tree and the second tree have different root nodes, wherein there are no nodes in the tree above the root nodes; and
  
  store the trees in the storage device.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73)
- - 44. The storage device of claim 43, wherein there is no cross-talk between the tree and the second tree.
  - 45. The storage device of claim 43, wherein the root nodes of the tree and the second tree cannot be altered or deleted.
  - 46. The storage device of claim 45, wherein authentication to the storage device is not required in order to create the root nodes of the tree and the second tree.
  - 47. The storage device of claim 45, wherein the root nodes are created irrespective of authentication by the storage device of an entity requesting creation of the root nodes.
  - 48. The storage device of claim 45, wherein the root nodes are created only after authentication by the storage device of an entity requesting creation of the root nodes.
  - 49. The storage device of claim 43, wherein the controller is further operative to prevent additional trees from being created.
  - 50. The storage device of claim 43, wherein a permission at a node of the tree indicates access rights to data stored in the memory that are not less than access rights indicated by a permission at a node at a lower level in the tree.
  - 51. The storage device of claim 43, wherein a node in the tree has the capability to create a child node at a lower level for enabling access by the entity to data stored in the memory, and wherein the controller is further operative to create the child node.
  - 52. The storage device of claim 51, wherein a permission of the child node is not greater than that of the node that created the child node.
  - 53. The storage device of claim 43, wherein a permission at a node of the tree permits the entity to perform one or more of:
    - creating another node in the tree, deleting another node in the tree, altering a permission at another node in the tree, delegating a permission to another node in the tree, and transferring association with the node to another node in the tree.
  - 54. The storage device of claim 43, wherein a permission at a node of the tree is for access to a key for encrypting and/or decrypting data stored in the memory.
  - 55. The storage device of claim 43, wherein a permission at a node of the tree is for access to one or more partitions of the memory.
  - 56. The storage device of claim 43, wherein a permission at a node permits a key for data encryption and/or decryption to be created on behalf of the entity.
  - 57. The storage device of claim 56, wherein the permission at a node permits the entity to delegate at least one of the following:
    - (i) ownership of the key created on its behalf and (ii) permission to use the key.
  - 58. The storage device of claim 56, wherein the permission at a node permits the entity for whom the key has been created to delete the key.
  - 59. The storage device of claim 43, wherein the tree is created by a system agent.
  - 60. The storage device of claim 59, wherein the system agent is stored in the controller.
  - 61. The storage device of claim 59, wherein the system agent is stored in the memory.
  - 62. The storage device of claim 43, wherein a permission at a node of the tree has a predetermined relationship to a permission at another node at a different level of the tree.
  - 63. The storage device of claim 43, wherein two nodes of the tree contain a same permission only if the two nodes share a common parent node in the tree.
  - 64. The storage device of claim 63, wherein the two nodes have a parent-child relationship.
  - 65. The storage device of claim 63, wherein the two nodes are in a same account group.
  - 66. The storage device of claim 43, wherein the controller is the only controller in the storage device.
  - 67. The storage device of claim 43, wherein the controller is further operative to control access to and manage the memory.
  - 68. The storage device of claim 43, wherein different nodes in the tree are associated with different authentication algorithms.
  - 69. The storage device of claim 43, wherein the tree is independent of a file system in the storage device.
  - 70. The storage device of claim 43, wherein the second tree is created by the storage device.
  - 71. The storage device of claim 43, wherein a relationship between the nodes also corresponds to relationship between entities with permissions in the tree.
  - 72. The storage device of claim 43, wherein the data is stored outside of all the nodes in the tree and the second tree.
  - 73. The storage device of claim 43, wherein the tree and the second tree are created by a system agent, and wherein the system agent is not a node in either the tree or the second tree.

74. A storage device comprising:
- a non-volatile memory; and
  
  a controller in communication with the memory, the controller operative to;
  
  receive from an entity that has been authenticated to the storage device a request for access to data stored in the storage device;
  
  check for a permission corresponding to the entity and the request in a tree, which tree is in the storage device and comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling access by the entity to data stored in the storage device;
  
  grant the request according to the permission;
  
  receive from a second entity that has been authenticated to the storage device a second request for access to data stored in the storage device;
  
  check for a second permission corresponding to the second entity and the second request in a second tree, which second tree comprises nodes organized hierarchically therein, each node containing entity authentication credentials and permissions for controlling access by the second entity to data stored in the storage device, wherein the tree and the second tree have different root nodes, wherein there are no nodes in the tree above the root nodes; and
  
  grant the second request according to the second permission.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81, 82, 83, 84)
- - 75. The storage device of claim 74, wherein there is no cross-talk between the tree and the second tree.
  - 76. The storage device of claim 74, wherein the tree and the second tree contain access permissions to two separate sets of data so that granting the request and the second request enables the entity and the second entity to access a corresponding one of the two sets of data according to the permission and second permission.
  - 77. The storage device of claim 74, wherein a permission in a node of the tree indicates access rights to data that are not less than access rights indicated by a permission in a node at a lower level in the tree.
  - 78. The storage device of claim 74, wherein the request for access to data comprises a request for access to data stored in a partition of the memory, and the permission comprises a permission to access the partition of the memory.
  - 79. The storage device of claim 74, wherein the trees are stored in the controller.
  - 80. The storage device of claim 74, wherein the trees are stored in the memory.
  - 81. The storage device of claim 74, wherein a permission at a node of the tree is found without having to access a node at a different level of the tree.
  - 82. The storage device of claim 74, wherein the second permission corresponds to at least one additional entity.
  - 83. The storage device of claim 74, wherein the data is stored outside of all the nodes in the tree and the second tree.
  - 84. The storage device of claim 74, wherein the tree and the second tree are created by a system agent, and wherein the system agent is not a node in either the tree or the second tree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SanDisk Technologies LLC (Western Digital Corporation)
Original Assignee
Sandisk Technologies Incorporated (Western Digital Corporation)
Inventors
Barzilai, Ron, Holtzman, Michael, Jogand-Coulomb, Fabrice, Qawami, Bahman
Primary Examiner(s)
Ali; Mohammad
Assistant Examiner(s)
HASAN, SYED HAROON

Application Number

US11/313,538
Publication Number

US 20060242064A1
Time in Patent Office

2,142 Days
Field of Search

707/9, 705/50
US Class Current

707/694
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 2221/2145   Inheriting rights or proper...

Method for creating control structure for versatile content control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

84 Claims

Specification

Solutions

Use Cases

Quick Links

Method for creating control structure for versatile content control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

84 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links