Digital rights management system, devices, and methods for binding content to an intelligent storage device

US 9,214,184 B2
Filed: 04/30/2012
Issued: 12/15/2015
Est. Priority Date: 04/10/2012
Status: Active Grant

First Claim

Patent Images

1. A storage device configured to generate a binding key for binding data stored in the storage device, said storage device comprising:

a storage medium comprising a user area and a non-user area; and

a controller comprising a cryptographic module providing a secured memory separate from the storage medium, wherein the controller is configured to;

generate a unique identifier based on defect data associated with the storage medium, the unique identifier being uniquely associated with the storage medium;

store the unique identifier in the non-user area of the storage medium;

determine a first cryptographic key stored in the secured memory of the cryptographic module;

generate a binding key that binds content to the storage device based at least in part on the unique identifier and the first cryptographic key;

provide the binding key to a remote download server over a secure communication channel; and

receive content from the download server encrypted based in part on the binding key.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to digital rights management (DRM) for content that may be downloaded and bound to a storage device. The storage device may be an intelligent storage device, such as a disk drive, or network attached storage. In addition, the storage device is capable of performing cryptographic operations and providing a root of trust. In one embodiment, the DRM employs a binding key, a content key, and an access key. The binding key binds the content to a specific storage and is based on a key that is concealed on the storage. However, the binding key is not stored on the storage with the content. The content key is a key that has been assigned to the content, for example, by a trusted third party. The access key is determined based on a cryptographic combination of the content key and the binding key. In one embodiment, the content is encrypted based on the access key and stored in encrypted form in the storage device.

Citations

17 Claims

1. A storage device configured to generate a binding key for binding data stored in the storage device, said storage device comprising:
- a storage medium comprising a user area and a non-user area; and
  
  a controller comprising a cryptographic module providing a secured memory separate from the storage medium, wherein the controller is configured to;
  
  generate a unique identifier based on defect data associated with the storage medium, the unique identifier being uniquely associated with the storage medium;
  
  store the unique identifier in the non-user area of the storage medium;
  
  determine a first cryptographic key stored in the secured memory of the cryptographic module;
  
  generate a binding key that binds content to the storage device based at least in part on the unique identifier and the first cryptographic key;
  
  provide the binding key to a remote download server over a secure communication channel; and
  
  receive content from the download server encrypted based in part on the binding key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The storage device of claim 1, wherein the secured memory comprises a one-time-programmable, non-volatile memory.
  - 3. The storage device of claim 1, wherein the controller is further configured to digitally sign the unique identifier based on information provided by a hardware root of trust of the cryptographic module.
  - 4. The storage device of claim 1, wherein the controller is configured to generate the binding key as an ephemeral key.
  - 5. The storage device of claim 1, wherein the controller is further configured to prevent storage of the binding key in the user area of the storage medium.

6. A digital rights management system, said system comprising:
- a content key server configured to provide a first cryptographic key for encrypting content;
  
  a storage device comprising a storage medium and a controller configured to generate a binding key based on defect data associated with the storage medium and the first cryptographic key;
  
  a download server configured to;
  
  provide encrypted content to the storage device;
  
  receive the binding key from the storage device;
  
  receive the first cryptographic key from the content key server; and
  
  encrypt the content based on at least the first cryptographic key and the binding key; and
  
  a media player configured to receive the binding key, the first cryptographic key, and the encrypted content from the storage device, and decrypt the encrypted content based on at least the first cryptographic key and the binding key.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the media player and the storage device are configured to perform mutual authentication with each other.
  - 8. The system of claim 6, wherein the media player is configured to generate a decryption key based on at least the first cryptographic key and the binding key.
  - 9. The system of claim 6, wherein the storage device is configured as a network attached storage.
  - 10. The system of claim 6, wherein the storage device is configured to receive a private key and a public key in a secure manufacturing environment.

11. A method of determining a key that binds data to a storage device, wherein said storage device comprises a controller, a cryptographic module with a memory, and a storage medium, said method comprising:
- generating a unique identifier based on defect data associated with the storage device, the unique identifier being uniquely associated with a storage medium of the storage device;
  
  store the unique identifier in a non-user area of the storage medium;
  
  determining, by the cryptographic module, a first cryptographic key that is concealed in the storage device;
  
  generating, by the cryptographic module, a binding key that binds content to the storage device based at least in part on the unique identifier and the concealed first cryptographic key; and
  
  transmitting the binding key to a server that provides the data to the storage device.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising determining the defect data at least in part by identifying a set of defects present on the storage medium.
  - 13. The method of claim 11, further comprising determining the defect data at least in part by identifying a defect log on the storage medium that was generated when the storage device was manufactured.
  - 14. The method of claim 11, wherein generating the binding key comprises generating the binding key based on information in a defect log.
  - 15. The method of claim 11, further comprising digitally signing the unique identifier based on information from a hardware root of trust provided by the storage device.
  - 16. The method of claim 11, further comprising concealing the first cryptographic key in a secured memory accessible by the cryptographic module.
  - 17. The method of claim 11, wherein generating the binding key comprises:
    - digitally signing the unique identifier based on information from a hardware root of trust provided by the storage device;
      
      accessing the concealed first cryptographic key; and
      
      determining the binding key based on at least the digitally signed unique identifier and the concealed first cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sandisk Technologies Incorporated (Western Digital Corporation)
Original Assignee
Western Digital Technologies Incorporated (Western Digital Corporation)
Inventors
Blankenbeckler, David L., Ybarra, Danny, Hesselink, Lambertus
Primary Examiner(s)
Moorthy, Aravind

Application Number

US13/460,604
Publication Number

US 20130266137A1
Time in Patent Office

1,324 Days
Field of Search

380/44, 380/201, 380/202, 713/189, 726/26, 705/57
US Class Current

1/1
CPC Class Codes

G06F 21/1014   to tokens

G06F 21/602   Providing cryptographic fac...

G06F 21/71   to assure secure computing ...

G06F 2221/2107   File encryption

G11B 20/00115   wherein the record carrier ...

G11B 20/00123   the record carrier being id...

G11B 20/00137   involving measures which re...

G11B 20/00246   wherein the key is obtained...

H04L 2209/603   Digital right managament [DRM]

H04L 9/006   involving public key infras...

H04L 9/0861   Generation of secret inform...

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

Digital rights management system, devices, and methods for binding content to an intelligent storage device

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Digital rights management system, devices, and methods for binding content to an intelligent storage device

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links