Securing a flash memory block in a secure device system and method

US 8,200,961 B2
Filed: 02/26/2007
Issued: 06/12/2012
Est. Priority Date: 11/19/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

encrypting data of a versionable file having an associated file version number, the encrypting based on a key stored in a security kernel;

storing the encrypted data as stored data in one or more flash memory data blocks of a flash memory device that includes a flash header and flash memory data blocks;

updating a flash header global version number and a security kernel global version number;

generating a cryptographic message authentication code (MAC) covering the data and informational variables, wherein the informational variables are generated by or accessible to the operating system software, wherein at least some of the variables are not stored on the flash device;

storing the MAC in the flash header and the one or more flash memory data blocks;

storing the updated flash header global version number in the flash header;

requesting in the clear a key handle to the key in the security kernel and storing the updated security kernel global version number in a key/signature store in the security kernel;

generating a new MAC for the one or more flash memory data blocks using the file version number as a parameter;

storing the new MAC in the one or more flash memory data blocks;

retrieving the encrypted data and the MAC from the one or more flash memory data blocks;

performing a validation check on the retrieved data using the MAC;

rejecting the retrieved data if the retrieved data fails the validation check;

if the retrieved data passes the validation check;

accepting the retrieved data;

decrypting the retrieved data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing a flash memory block in a secure device system involves cryptographic techniques including the generation of a Message Authentication Code (MAC). The MAC may be generated each time a file is saved to one or more data blocks of a flash memory device and stored with the file'"'"'s metadata and to each of the data blocks. A technique for reading and storing versioned files may be employed when applications utilize versioning.

Citations

23 Claims

1. A method comprising:
- encrypting data of a versionable file having an associated file version number, the encrypting based on a key stored in a security kernel;
  
  storing the encrypted data as stored data in one or more flash memory data blocks of a flash memory device that includes a flash header and flash memory data blocks;
  
  updating a flash header global version number and a security kernel global version number;
  
  generating a cryptographic message authentication code (MAC) covering the data and informational variables, wherein the informational variables are generated by or accessible to the operating system software, wherein at least some of the variables are not stored on the flash device;
  
  storing the MAC in the flash header and the one or more flash memory data blocks;
  
  storing the updated flash header global version number in the flash header;
  
  requesting in the clear a key handle to the key in the security kernel and storing the updated security kernel global version number in a key/signature store in the security kernel;
  
  generating a new MAC for the one or more flash memory data blocks using the file version number as a parameter;
  
  storing the new MAC in the one or more flash memory data blocks;
  
  retrieving the encrypted data and the MAC from the one or more flash memory data blocks;
  
  performing a validation check on the retrieved data using the MAC;
  
  rejecting the retrieved data if the retrieved data fails the validation check;
  
  if the retrieved data passes the validation check;
  
  accepting the retrieved data;
  
  decrypting the retrieved data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising using a DES or an AES method to encrypt and decrypt data.
  - 3. The method of claim 1, further comprising storing the MAC in spare area of the flash memory block.
  - 4. The method of claim 1, wherein the MAC is generated using an HMAC technique.
  - 5. The method of claim 1, wherein storing the MAC includes storing a copy of the MAC in spare area.
  - 6. The method of claim 1, wherein the plurality of variables accessible to the operating system software is selected from one or more of a group consisting of a value determined by software means of the operating system during run-time, a unique number that is assigned to the file and stored with file-specific meta data, a value representing a logical block index, a physical block number of the flash memory block, a variable associated with an application.
  - 7. The method of claim 1, wherein the plurality of variables accessible to the operating system software includes an application variable, wherein the application variable includes one or more values selected from the group consisting of an application ID parameter, an input to a security kernel for use as part of the data covered by the message authentication code, a version number of the data in the flash memory block.

8. A system comprising:
- a flash memory device including at least one flash memory block;
  
  a flash memory device driver embodied in a computer-readable medium;
  
  a security kernel embodied in a computer-readable medium, the security kernel comprising a key/signature store;
  
  wherein, in operation;
  
  the security kernel;
  
  generates a MAC using a plurality of variables accessible to operating system software;
  
  receives from the flash memory device driver a request in the clear for a key handle to a key stored in the key/signature store;
  
  stores an updated security kernel global version number based on the request in the clear;
  
  generates a new MAC for the flash memory block using a file version number as a parameter;
  
  performs a validation check using the new MAC;
  
  the flash memory device driver facilitates;
  
  sending the request in the clear for the key handle;
  
  sending the MAC to the flash memory device for storage in the flash memory block;
  
  storing the MAC in the flash header of the flash memory device;
  
  storing an updated flash header global version number in the flash header;
  
  receiving the MAC from the flash memory block.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the MAC is stored in the flash memory block spare area.
  - 10. The system of claim 8, wherein a protected key associated with the flash memory device driver is stored in secret non-volatile memory accessible through the security kernel.
  - 11. The system of claim 8, further comprising an encryption engine, embodied in a computer-readable medium, for encrypting data for storage in or read from the flash memory block.
  - 12. The system of claim 8, a wherein the security kernel comprises a decryption engine, embodied in a computer-readable medium, for decrypting data for storage in or read from the flash memory block.

13. A method comprising:
- reading a file version number associated with a versionable file;
  
  storing file data in one or more flash memory blocks of a flash memory device;
  
  updating a copy of a global version number on the flash memory device, wherein the global version number is associated with all versioned files stored, at least in part, on the flash memory device;
  
  receiving, in the clear, a key handle of a key stored in a secure kernel, the key used to encrypt data;
  
  updating, using the key, the global version number in non-volatile memory of the secure kernel;
  
  generating a MAC, to protect the global version number, using a plurality of variables accessible to operating system software;
  
  storing the MAC in the one or more flash memory blocks of the flash memory device;
  
  storing a copy of the updated global version number in the one or more flash memory blocks of the flash memory device;
  
  storing, using the key, the global version number in non-volatile memory of the security kernel.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system of claim 13, further comprising saving the MAC in spare area of the one or more flash memory blocks.
  - 15. The method of claim 13, wherein the MAC is generated using an HMAC technique.
  - 16. The method of claim 13, wherein the plurality of variables accessible to the operating system software includes one or more variables selected from the group consisting of a value that is determined by software means of the operating system during run-time, a unique number that is assigned to the file and stored with the file-specific meta data, a number representing a logical block index, a physical block number of the flash memory block, an owner ID of a computer system associated with the security kernel, a variable associated with an application.
  - 17. The method of claim 16, wherein the variable associated with an application includes a value selected from the group consisting of, an application ID parameter, an ID parameter tagged by the application and written to the flash memory device, the version number of the data in the flash memory block.
  - 18. The method of claim 13, wherein storing the MAC includes storing the MAC in spare area of the flash memory block.
  - 19. The method of claim 13, wherein storing the MAC includes storing a copy of the MAC.
  - 20. The method of claim 19, wherein storing a copy of the MAC includes storing the MAC in spare area of the flash memory block.
  - 21. The method of claim 13, further comprising signing a block including the global version number, using at least some parameters not stored on the device.
  - 22. The method of claim 21, including a file specific version number associated with each versioned file in the block.
  - 23. The method of claim 22, further comprising using the file specific version number as a variable in calculating the MAC that protects data blocks of the versioned file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
iGware Inc (Acer, Inc.)
Inventors
Srinivasan, Pramila, Princen, John, Chan, Andy, Mielke, Paul, Wheeler, Rob
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US11/679,108
Publication Number

US 20080117679A1
Time in Patent Office

1,933 Days
Field of Search

713/156, 713/161, 713/170, 365/185.04
US Class Current

713/161
CPC Class Codes

G06F 21/79 in semiconductor storage me...

Securing a flash memory block in a secure device system and method

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Securing a flash memory block in a secure device system and method

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links