Content control method using versatile control structure

US 8,613,103 B2
Filed: 11/06/2006
Issued: 12/17/2013
Est. Priority Date: 07/07/2006
Status: Active Grant

First Claim

Patent Images

1. A storage device comprising:

a non-volatile memory operative to store a data object;

one or more software applications; and

an access control structure containing information for authenticating an entity, further information for determining a permission of the entity to access the data object, and further information to associate the data object with a particular one of the software applications, wherein the particular one of the software applications is operative to process the data object; and

a controller operative to;

receive a request for the data object from the entity;

if the entity is authenticated, is a user of the data object, and has permission to access the data object, invoke the particular one of the software applications based on the association stored in the access control structure, wherein the request from the user of the data object is a request to access the data object; and

if the entity is authenticated and is an owner of the data object, execute the request, wherein the request from the owner of the data object is a request to perform at least one of the following;

read the data object, write to the data object, delete the data object, delegate ownership of the data object, and delegate permission to use the data object.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data object storing data in the memory device is associated with at least one software application. Accessing the object will invoke the at least one software application which processes the data in the object. Individual ones of a plurality of first sets of protocols are selectable for enabling data to be provided and stored in a data object. A second set of protocols can be used to retrieve data from the data object, or data derived from such data, irrespective of which of the first set of protocols was used to enable the provision and storing of data in the object.

Citations

74 Claims

1. A storage device comprising:
- a non-volatile memory operative to store a data object;
  
  one or more software applications; and
  
  an access control structure containing information for authenticating an entity, further information for determining a permission of the entity to access the data object, and further information to associate the data object with a particular one of the software applications, wherein the particular one of the software applications is operative to process the data object; and
  
  a controller operative to;
  
  receive a request for the data object from the entity;
  
  if the entity is authenticated, is a user of the data object, and has permission to access the data object, invoke the particular one of the software applications based on the association stored in the access control structure, wherein the request from the user of the data object is a request to access the data object; and
  
  if the entity is authenticated and is an owner of the data object, execute the request, wherein the request from the owner of the data object is a request to perform at least one of the following;
  
  read the data object, write to the data object, delete the data object, delegate ownership of the data object, and delegate permission to use the data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37)
- - 2. The storage device of claim 1, wherein the access control structure contains further information for determining permissions of the one or more software applications.
  - 3. The storage device of claim 1, wherein the access control structure contains further information for determining whether the data object is accessible both by the entity and the one or more software applications.
  - 4. The storage device of claim 1, wherein the access control structure includes further information for controlling a permission of the particular one of the software applications to access the data object stored in the non-volatile memory.
  - 5. The storage device of claim 1, wherein the controller is operative to further utilize the access control structure for delegating permissions between different entities and software applications for the purpose of sharing the data object.
  - 6. The storage device of claim 1, wherein the access control structure includes a first and a second control sub-structure, the first control sub-structure associated with the one or more software applications, the second control structure associated with an entity, wherein permissions can be delegated between the first control sub-structure and the second control sub-structure.
  - 7. The storage device of claim 1, wherein the one or more software applications include DRM software applications selectable and capable of being invoked by the entity for processing the data object.
  - 8. The storage device of claim 1, wherein the one or more software applications includes two or more of them, and wherein the entity invokes the two or more software applications by data processing requests, the storage device further comprising a communication channel corresponding to each one of the two or more software applications for passing the data processing requests from the entity to the two or more software applications, the access control structure controlling the communication channels to pass one of the data processing requests from the entity to one of the two or more software applications, wherein each of the communication channels corresponds to only one application.
  - 9. The storage device of claim 8, further comprising a secure storage application, wherein information in the data processing request passing in the communication channel is transparent to the secure storage application.
  - 10. The storage device of claim 1, further comprising a secure storage application that interfaces with the access control structure, the entity, and the one or more software applications.
  - 12. The storage system of claim 1, wherein when a request for information is sent to the access control structure by the entity, the particular one of the software applications is invoked.
  - 13. The storage device of claim 12, further comprising encrypted content stored in the non-volatile memory, wherein the data object includes a decryption key value, and the information includes decrypted content obtained from the encrypted content and the decryption key value by the one or more software applications.
  - 14. The storage device of claim 12, wherein the data includes a seed value for generating a one time password by the one or more software applications, and wherein the information includes the one time password.
  - 15. The storage device of claim 1, further comprising an object including a key pair comprising a private key and a public key, and at least one certificate containing the public key, wherein the one or more software applications employs the at least one certificate for certifying to the entity that the public key is genuine and for obtaining data encrypted with the public key.
  - 16. The storage device of claim 1, further comprising encrypted data stored in the non-volatile memory, wherein the encrypted data is decryptable by a decryption key stored in the storage device, and wherein the access control structure is utilized to control access to the decryption key.
  - 17. The storage device of claim 16, wherein the decryption key is accessible only to the controller.
  - 18. The storage device of claim 1, further comprisinga set of protocols stored in the non-volatile memory for communication between the entity and the storage device;
    - wherein at least one of the protocols is modifiable by invocation of the one or more software applications.
  - 19. The storage device of claim 18, wherein the invocation of the one or more software applications replaces the at least one protocol by a different protocol.
  - 20. The storage device of claim 19, wherein the different protocol relates to a credential revocation scheme.
  - 21. The storage device of claim 1, wherein the access control structure controls access to the data object by executing an access policy and invocation of the one or more software applications imposes at least an additional condition that is different from the access policy for access to the data object by the entity.
  - 22. The storage device of claim 21, wherein the at least an additional condition relates to a license.
  - 23. The storage device of claim 21, wherein the entity needs to comply with both the first and second access policies before access to the data object is granted.
  - 24. The storage device of claim 1, wherein the access control structure controls access to the data object stored in the non-volatile memory by the entity through an authentication process, wherein information is revealable to the entity, without any further invocation of the one or more software applications, after the entity has been authenticated by the access control structure through the authentication process.
  - 25. The storage device of claim 1, wherein the entity does not have access to the at least some data in the data object.
  - 26. The storage device of claim 1, wherein the access control structure comprises a first control sub-structure for controlling access by the entity to information obtainable from data stored or to be stored in the non-volatile memory, and a second control sub-structure for controlling invocation of the one or more software applications, wherein the first and second control sub-structures employ substantially the same control mechanism.
  - 27. The storage device of claim 1, further comprising:
    - a plurality of first sets of different protocols stored in the non-volatile memory, the first sets being individually selectable by the entity to enable data from the entity or derivative data derived from the data to be provided to and stored in the data object under the control of the access control structure; and
      
      a second set of protocols stored in the non-volatile memory that enables the data or derivative data to be retrieved from the data object under the control of the access control structure;
      
      wherein the second set of protocols is capable of enabling the retrieval of the data or derivative data irrespective of which of the first sets of protocols enabled the providing and storing.
  - 28. The storage device of claim 27, wherein a difference between the first sets of protocols relates to authentication of the non-volatile memory or encryption of the data.
  - 29. The storage device of claim 27, further comprising a plurality of different software applications stored in the non-volatile memory, wherein each of at least some of the different software applications corresponds to one of the first sets of protocols, so that when one of the first sets of protocols is selected to enable the providing and storing of the data or derivative data, the software application corresponding to the one first set is invoked to process the data or derivative data.
  - 30. The storage device of claim 29, wherein the at least some different software applications produce different results from processing the data or derivative data.
  - 31. The storage device of claim 29, wherein the data or derivative data includes one of a plurality of seed values, wherein each of the at least some software applications processes a corresponding one of the plurality of seed values to produce a corresponding one time password.
  - 32. The storage device of claim 29, wherein the non-volatile memory stores encrypted data, the data or derivative data includes one of a plurality of decryption keys for decrypting the encrypted content and each of the at least some software applications employs a corresponding one of the plurality of decryption keys for decrypting the encrypted content.
  - 33. The storage device of claim 1, wherein data is accessed by the entity after being processed by the one or more software applications.
  - 34. The storage device of claim 1, wherein the data stored in the storage device includes at least one license for accessing encrypted content stored in the non-volatile memory, and the data provided to the entity includes an indication whether the at least one license is valid.
  - 36. The storage device of claim 1, wherein the one or more software applications is invoked implicitly by the controller.
  - 37. The storage device of claim 1, wherein the entity does not have access to data object stored on the storage device but is allowed to communicate with the one or more software applications.

11. The storage device of 10, wherein the one or more software applications sends requests to the secure storage application, and wherein the secure storage application does not distinguish between requests from the entity and from the one or more software applications.

35. The storage device of 34, wherein the non-volatile memory stores encrypted data, and the access control structure controls decryption of the encrypted content in response to the indication.

38. A method for providing data processing services to an entity, the method comprising:
- performing the following in a storage device comprising a controller, a non-volatile memory storing a data object, one or more software applications, and an access control structure containing information for authenticating an entity, further information for determining a permission of the entity to access the data object, and further information to associate the data object with a particular one of the software applications, wherein the particular one of the software applications is operative to process the data object;
  
  receiving a request for the data object from an entity;
  
  if the entity is authenticated, is a user of the data object, and has permission to access the data object, invoke the particular one of the software applications based on the association stored in the access control structure, wherein the request from the user of the data object is a request to access the data object; and
  
  if the entity is authenticated and is an owner of the data object, execute the request, wherein the request from the owner of the data object is a request to perform at least one of the following;
  
  read the data object, write to the data object, delete the data object, delegate ownership of the data object, and delegate permission to use the data object.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 39. The method of claim 38, wherein the access control structure contains further information for determining permissions of the one or more software applications.
  - 40. The method of claim 38, wherein the access control structure contains further information for determining whether the data object is accessible both by the entity and the one or more software applications.
  - 41. The method of claim 38, wherein the access control structure includes further information for controlling a permission of the particular one of the software applications to access the data object stored in the non-volatile memory.
  - 42. The method of claim 38, wherein the controller is operative to further utilize the access control structure for delegating permissions between different entities and software applications for the purpose of sharing the data object.
  - 43. The method of claim 38, wherein the access control structure includes a first and a second control sub-structure, the first control sub-structure associated with the one or more software applications, the second control structure associated with an entity, wherein permissions can be delegated between the first control sub-structure and the second control sub-structure.
  - 44. The method of claim 38, wherein the one or more software applications include DRM software applications selectable and capable of being invoked by the entity for processing the data object.
  - 45. The method of claim 38, wherein the one or more software applications includes two or more of them, and wherein the entity invokes the two or more software applications by data processing requests, the storage device further comprising a communication channel corresponding to each one of the two or more software applications for passing the data processing requests from the entity to the two or more software applications, the access control structure controlling the communication channels to pass one of the data processing requests from the entity to one of the two or more software applications, wherein each of the communication channels corresponds to only one application.
  - 46. The method of claim 45, wherein information in the data processing request passing in the communication channel is transparent to a secure storage application in the storage device.
  - 47. The method of claim 38, further comprising sending requests from the one or more software applications to a secure storage application in the storage device, and wherein the secure storage application does not distinguish between requests from the entity and from the one or more software applications.
  - 48. The method of claim 38, wherein when a request for information is sent to the access control structure by the entity.
  - 49. The method of claim 48, wherein the data object includes a decryption key value, and the information includes decrypted content obtained from encrypted content and the decryption key value by the one or more software applications.
  - 50. The method of claim 48, wherein the data includes a seed value for generating a one time password by the one or more software applications, and wherein the information includes the one time password.
  - 51. The method of claim 38, wherein the one or more software applications employs at least one certificate containing a public key of a public key/private key pair for certifying to the entity that the public key is genuine and for obtaining data encrypted with the public key.
  - 52. The method of claim 38, wherein encrypted data stored in the non-volatile memory is decryptable by a decryption key stored in the storage device, and wherein the access control structure is utilized to control access to the decryption key.
  - 53. The method of claim 52, wherein the decryption key is accessible only to the controller.
  - 54. The method of claim 38, wherein a set of protocols stored in the non-volatile memory for communication between the entity and the storage device is modifiable by invocation of the one or more software applications.
  - 55. The method of claim 54, wherein the invocation of the one or more software applications replaces the at least one protocol by a different protocol.
  - 56. The method of claim 55, wherein the different protocol relates to a credential revocation scheme.
  - 57. The method of claim 38, wherein the access control structure controls access to the data object by executing an access policy and invocation of the one or more software applications imposes at least an additional condition that is different from the access policy for access to the data object by the entity.
  - 58. The method of claim 57, wherein the at least an additional condition relates to a license.
  - 59. The method of claim 57, wherein the entity needs to comply with both the first and second access policies before access to the data is granted.
  - 60. The method of claim 38, wherein the access control structure controls access to the data stored in the non-volatile memory by the entity through an authentication process, wherein the information is revealable to the entity, without any further invocation of the one or more software applications, after the entity has been authenticated by the access control structure through the authentication process.
  - 61. The method of claim 38, wherein the entity does not have access to the at least some data in the at least one data object.
  - 62. The method of claim 38, wherein the access control structure comprises a first control sub-structure for controlling access by the entity to information obtainable from data stored or to be stored in the non-volatile memory, and a second control sub-structure for controlling invocation of the one or more software applications, wherein the first and second control sub-structures employ substantially the same control mechanism.
  - 63. The method of claim 38, wherein the storage device further comprises:
    - a plurality of first sets of different protocols stored in the non-volatile memory, the first sets being individually selectable by the entity to enable data from the entity or derivative data derived from the data to be provided to and stored in the data object under the control of the access control structure; and
      
      a second set of protocols stored in the non-volatile memory that enables the data or derivative data to be retrieved from the data object under the control of the access control structure;
      
      wherein the second set of protocols is capable of enabling the retrieval of the data or derivative data irrespective of which of the first sets of protocols enabled the providing and storing.
  - 64. The method of claim 63, wherein a difference between the first sets of protocols relates to authentication of the non-volatile memory or encryption of the data.
  - 65. The method of claim 63, wherein a plurality of different software applications are stored in the non-volatile memory, wherein each of at least some of the different software applications corresponds to one of the first sets of protocols, so that when one of the first sets of protocols is selected to enable the providing and storing of the data or derivative data, the software application corresponding to the one first set is invoked to process the data or derivative data.
  - 66. The method of claim 65, wherein the at least some different software applications produce different results from processing the data or derivative data.
  - 67. The method of claim 65, wherein the data or derivative data includes one of a plurality of seed values, wherein each of the at least some software applications processes a corresponding one of the plurality of seed values to produce a corresponding one time password.
  - 68. The method of claim 65, wherein the non-volatile memory stores encrypted data, the data or derivative data includes one of a plurality of decryption keys for decrypting the encrypted content and each of the at least some software applications employs a corresponding one of the plurality of decryption keys for decrypting the encrypted content.
  - 69. The method of claim 38, wherein data is accessed by the entity after being processed by the one or more software applications.
  - 70. The method of claim 38, wherein the data stored in the storage device includes at least one license for accessing encrypted content stored in the non-volatile memory, and the data provided to the entity includes an indication whether the at least one license is valid.
  - 71. The method of claim 70, wherein the non-volatile memory stores encrypted data, and the access control structure controls decryption of the encrypted content in response to the indication.
  - 72. The method of claim 38, wherein the one or more software applications is invoked implicitly by the controller.
  - 73. The method of claim 38, wherein the entity does not have access to data object stored on the storage device but is allowed to communicate with the one or more software applications.
  - 74. The method of claim 38 further comprising receiving a request to write or read data to or from the memory and grant the write or read request if the entity has the permission to access the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SanDisk Technologies LLC (Western Digital Corporation)
Original Assignee
Sandisk Technologies Incorporated (Western Digital Corporation)
Inventors
Holtzman, Michael, Barzilai, Ron, Jogand-Coulomb, Fabrice
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Durham, Imhotep

Application Number

US11/557,049
Publication Number

US 20080010685A1
Time in Patent Office

2,598 Days
Field of Search

711/164, 365/232, 726/27
US Class Current

726/27
CPC Class Codes

G06F 12/1483   using an access-table, e.g....

G06F 21/10   Protecting distributed prog...

G06F 21/445   by mutual authentication, e...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/79   in semiconductor storage me...

G06F 21/805   using a security table for ...

G06F 2221/2129   Authenticate client device ...

G06F 2221/2141   Access rights, e.g. capabil...

Content control method using versatile control structure

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

74 Claims

Specification

Solutions

Use Cases

Quick Links

Content control method using versatile control structure

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

74 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links