Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor

US 8,789,195 B2
Filed: 12/22/2004
Issued: 07/22/2014
Est. Priority Date: 12/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access by a plurality of users to a digital memory accessible by a plurality of users, and protecting data in said digital memory, the method comprising:

generating a list of users that have allocated private areas in said digital memory;

making said list available to users in said plurality without opening a session;

receiving a request for self-allocation from at least one of said users in said plurality for a first private area in said digital memory;

allocating by said digital memory said first private area of a plurality of private areas for storing data in said digital memory in response to said request for self-allocation of a private area by at least one of said users in said plurality, said users in said plurality being an individual or a service provider which securely requested allocation of respective private areas in said digital memory;

opening a secure session channel for said first private area, whereby allocation of said respective private areas in said digital memory can be securely requested; and

permitting said at least one of said users in said plurality access to said first private area via said secure session channel to perform read/write commands; and

allowing at least one privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory via a privileged personal identification number without opening a session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital memory such as a memory card for mobile communication equipment, is adapted to be accessed by a plurality of users and have protected data stored therein. The memory is dynamically partitionable in private memory areas for storing data therein and has associated therewith a secrecy tool for securely allocating to the users respective private areas and permitting the users to access the respective private areas via a secure session channel to perform read/write commands in the respective private areas. Typically, the memory/card includes: a card interface controller for managing a physical communication layer between the digital memory and external host equipment, an internal memory having associated therewith a hardware lock to control access to the internal memory, a set of cryptographic modules to manage the secure session channel between the users and the digital memory, and a memory certificate for certifying a public key associated with the digital memory.

Citations

24 Claims

1. A method of controlling access by a plurality of users to a digital memory accessible by a plurality of users, and protecting data in said digital memory, the method comprising:
- generating a list of users that have allocated private areas in said digital memory;
  
  making said list available to users in said plurality without opening a session;
  
  receiving a request for self-allocation from at least one of said users in said plurality for a first private area in said digital memory;
  
  allocating by said digital memory said first private area of a plurality of private areas for storing data in said digital memory in response to said request for self-allocation of a private area by at least one of said users in said plurality, said users in said plurality being an individual or a service provider which securely requested allocation of respective private areas in said digital memory;
  
  opening a secure session channel for said first private area, whereby allocation of said respective private areas in said digital memory can be securely requested; and
  
  permitting said at least one of said users in said plurality access to said first private area via said secure session channel to perform read/write commands; and
  
  allowing at least one privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory via a privileged personal identification number without opening a session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising the step of preventing users in said plurality from accessing data stored in respective private areas allocated to other users in said plurality.
  - 3. The method of claim 2, wherein said predetermined set of operations comprises at least one of deleting respective private areas allocated in said digital memory and changing said privileged personal identification number.
  - 4. The method of claim 1, comprising the step of managing communication between said users in said plurality and said digital memory by means of a cryptographic key mechanism.
  - 5. The method of claim 4, comprising the step of managing communication between said users in said plurality and said digital memory by means of a public key infrastructure.
  - 6. The method of claim 5, comprising the step of said users in said plurality communicating respective public keys by means of a user certificate.
  - 7. The method of claim 1, comprising the step of having respective user IDs assigned to said users in said plurality by said digital memory.
  - 8. The method of claim 1, comprising the steps of:
    - before permitting said at least one of said users in said plurality to perform said read/write commands, opening a session by generating at least one session key using at least one of;
      
      providing a secure channel between said at least one of said users in said plurality and said digital memory by encrypting the data exchanged over said secure channel, andsigning said commands in order to authenticate said at least one of said users in said plurality issuing said read/write commands.

9. A digital memory being accessible by a plurality of users and comprising protected data stored therein, said digital memory further comprising:
- a first private area of a plurality of private areas allocated by said digital memory to at least one of said plurality of users in response to a request by said at least one of said plurality of users for self-allocation of a private area of said digital memory; and
  
  a secrecy tool configured for securely allocating respective private memory areas to said users in said plurality by opening a secure session channel, whereby allocation of said respective private areas in said digital memory can be securely requested, said users in said plurality being an individual or a service provider;
  
  a control unit permitting said at least one of said users in said plurality to access said first private area via said secure session channel to perform read/write commands in said first private area, and allowing at least one privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory via a privileged personal identification number without opening a session,wherein said memory is configured for generating a list of the users that have allocated private areas in said digital memory and for making said list available to users in said plurality without opening a session.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 10. The memory of claim 9, comprising a lock module configured for preventing users in said plurality from accessing data stored in respective private areas allocated to other users in said plurality.
  - 11. The memory of claim 9, wherein said secrecy tool comprises at least one cryptographic algorithm engine for managing communication between said users in said plurality and said digital memory by means of a cryptographic key mechanism.
  - 12. The memory of claim 11, wherein said at least one cryptographic algorithm engine is configured for implementing a public key infrastructure.
  - 13. The memory of claim 12, comprising a set of memory areas for managing communication between said users in said plurality and said digital memory, said set comprising memory areas storing at least one of:
    - a public keys table containing information about the users,a user allocation table containing information about the private memory areas, anda session keys table containing information about sessions in progress.
  - 14. The memory of claim 13, wherein said public keys table comprises information items as to:
    - a user ID,an associated public key, andan associated identification name.
  - 15. The memory of claim 13, wherein said user allocation table comprises information items as to:
    - user IDs,the starting blocks of said respective private areas allocated in said digital memory, andthe number of allocated blocks in said respective private areas allocated in said digital memory.
  - 16. The memory of claim 13, wherein said session keys table comprises information items as to:
    - a session ID,the correspondent user ID, anda session key.
  - 17. The memory of claim 9, wherein said secrecy tool is configured for:
    - before permitting said at least one of said users in said plurality to perform said read/write commands, opening a session by generating at least one session key using at least one of;
      
      providing said secure channel between said at least one of said users in said plurality and said digital memory by encrypting the data exchanged over said channel, andsigning said commands in order to authenticate said users in said plurality issuing said commands.
  - 18. The memory of claim 9, comprising a card interface controller for managing a physical communication layer between the digital memory and external host equipment for the digital memory.
  - 19. The memory of claim 9, comprising an internal memory having associated therewith a hardware lock to control access to said internal memory.
  - 20. The memory of claim 9, wherein said secrecy tool comprises a set of cryptographic modules selected from:
    - a random number generator for providing a random number to build a session key;
      
      an asymmetric algorithm engine for encoding data by a private key and decoding them by a correspondent public key or vice versa;
      
      a symmetric algorithm engine for encoding data by a same key used to decode said data; and
      
      a hash module for signing data by a key.
  - 21. The memory of claim 9, comprising a memory certificate for certifying a public key associated with said digital memory.
  - 22. The digital memory of claim 9, comprising a memory card.
  - 23. The digital memory of claim 9, comprising a memory card for being hosted by mobile communication equipment.

24. A non-transitory computer-readable storage medium encoded with a computer program product, stored in the memory of at least one computer and comprising software code portions for performing a method comprising:
- generating a list of the users that have allocated private areas in said digital memory;
  
  making said list available to users in said plurality without opening a session;
  
  receiving a request for self-allocation from at least one of said users in said plurality for a first private area in said digital memory;
  
  allocating by said digital memory said first private area of a plurality of private areas for storing data in said digital memory in response to said request for self-allocation of a private area by at least one of said users in said plurality, said users in said plurality being an individual or a service provider which securely requested allocation of respective private areas in said digital memory;
  
  opening a secure session channel for said first private area, whereby allocation of said respective private areas in said digital memory can be securely requested; and
  
  permitting said at least one of said users in said plurality access to said first private area via said secure session channel to perform read/write commands; and
  
  allowing at least one privileged user to perform a predetermined set of operations in said respective private areas allocated in said digital memory via a privileged personal identification number without opening a session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Bianco, Alberto, Colazzo, Laura, Ricciato, Fabio, Turolla, Maura, Varriale, Antonio
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
NGUY, CHI D

Application Number

US11/793,239
Publication Number

US 20080089517A1
Time in Patent Office

3,499 Days
Field of Search

726/28
US Class Current

726/26
CPC Class Codes

G06F 12/0223   User address space allocati...

G06F 12/1466   Key-lock mechanism

G06F 12/1491   in a hierarchical protectio...

G06F 21/78   to assure secure storage of...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3555   Personalisation of two or m...

G06Q 20/35765   Access rights to memory zones

G07F 7/1008   Active credit-cards provide...

H04W 12/086   using security domains

Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links