CN102203790A - Memory device upgrade - Google Patents

Abstract

Technology for replacing a first storage unit operatively coupled to a device is provided. Content of the first storage unit is sent to a new storage unit that serves as the replacement of the first storage unit. In one embodiment, the content is first sent to a trusted third-party server and then transferred from the server to the new storage unit. A portion of the content on the new storage unit is adjusted in one embodiment to maintain content security features that were implemented in the first storage unit. The upgrading can be performed under the control of a software entity that is installed on the device. In various embodiments, the first storage unit may be bound to a third storage unit prior to the upgrade process. In such cases, the process can include measures to bind the new storage unit to the third storage unit.

Description

Storage component part upgrades

Technical field

Embodiment of the present disclosure relates to the technology of safe storage device.

Background technology

Semiconductor memory has become to become more and more popular and has been used for various electronic equipments.For example, in cell phone, digital camera, mobile media player, personal digital assistant, mobile computing device, non-moving computing equipment and other equipment, use nonvolatile semiconductor memory.

Along with technology strengthens, prevent from that unauthorized access to the safety Nonvolatile semiconductor memory device from having become more to be paid close attention to.An example of safe storage device be can comprise should be protected with subscriber's identification module (SIM) card or the removable storage card of the secure content that do not used by unauthorized.

The content that protection is stored on the safe storage device has become important feature, especially considers the protection to copyright material.For example, the user can be by the content of copyright of electronic equipment purchase such as music.The content owner only is intended to usually that the buyer uses this content, and may require only to use by authorizing, plays the content of buying on the electronic equipment such as being used to buy being applied in of this content.

Can use and carry out safely such as the various resist technologies of encrypting that canned data is not used by unauthorized with the protection secure content.Before can reading of content, the application of attempting on the equipment of visit encrypted content must use encryption key to decipher this content.Mandate will have the suitable encryption key that is used for decryption content with the application of visit encrypted content.Unauthorized is used still may can visit encrypted content, but does not have suitable encryption key, and unauthorized is used may not read this content.

Though the various resist technologies that exist the safe storage device to implement if the safe storage device is updated to the new memory device, then may lose protection at reproducting periods.Existence is to the needs of updated stored device device in improved, that simplify and mode safety of the security feature that guarantees to keep storage component part.

Summary of the invention

Technology described here is coupled in first storage unit of main process equipment with belonging to renewal or replacement operation.The content that sends first storage unit by the new storage unit to renewal that is used as first storage unit or replacement is carried out this renewal.In one embodiment, at first send this content to trusting third-party server.Then, transmit this content from trusting third-party server to new storage unit.The part that is adjusted at the content on the new storage unit in one embodiment is to maintain the content safety characteristic that has realized in first storage unit.Can under the control that is installed in the software entity on this equipment, carry out this renewal.

In various embodiments, first storage unit can be tied to the 3rd storage unit before upgrading processing.First storage unit and the 3rd storage unit can be considered to bind together, and wherein, a storage unit is provided for visiting the certificate of the content on other storage unit.In this case, upgrade processing and can comprise the measure of new storage unit being bound the 3rd storage unit with the identical or similar fashion that before upgrading, first storage unit is tied to the 3rd storage unit.Being transferred to the content of new storage unit and/or some of the content on the 3rd storage unit can be modified so that new storage unit is tied to the 3rd storage unit.

Consider that Nonvolatile memory card and subscriber's identification module (SIM) card wherein all is coupled in to being operated property the example embodiment of main process equipment.Based on the one or more bindtype that are associated with the content of storing on the Nonvolatile memory card, these cards can be bound to together.The certificate that is used to visit the content on the Nonvolatile memory card can be stored and/or be calculated to SIM card.Can be used for replacing existing Nonvolatile memory card and/or replacing existing SIM card according to embodiment of the present disclosure with new SIM card with new Nonvolatile memory card.In either case, current disclosed technology helps to replace (one or more) card, keeps the safety practice that is used to protect the content of storing on existing Nonvolatile memory card simultaneously.

If existing Nonvolatile memory card is provided by new Nonvolatile memory card, the content on existing Nonvolatile memory card can be transferred to new Nonvolatile memory card.At least one part of the content that is transmitted can be modified so that new Nonvolatile memory card is tied to existing SIM card.In addition, one can calculate and store one or more new authentications by SIM card and be used to visit the content that is transferred to new Nonvolatile memory card.If existing SIM card is replaced by new SIM card, can be transferred to new SIM card from the one or more certificates that have SIM card now.If use some bindtype of the content on existing Nonvolatile memory card, can calculate and the storage new authentication by SIM card, and/or can carry out having the modification of the content on the Nonvolatile memory card now.

Provide the various embodiment of disclosed technology and possible example at this.Embodiment comprises and being used for and processing that newly storage unit is replaced first storage unit.Before replacing it, be coupled in main process equipment first memory cell operation, and be bound to the 3rd storage unit that also functionally is coupled in main process equipment.First cell stores is bound to the first content of the 3rd storage unit based on one or more bindtype.After reception was replaced the request of first storage unit with new storage unit, this equipment sent first content from first storage unit to new storage unit.This equipment is notified the part of the first content in new storage unit and the part of the second content in the 3rd storage unit based on one or more bindtype, so that new storage unit is bound to the 3rd storage unit.In one embodiment, this equipment can send first content to server from first storage unit.Then, this first storage unit can remove from this equipment, and inserts new storage unit.Then, this equipment receives first content from server, and sends it to new storage unit.

An embodiment who is used for the processing of updated stored device comprises from first storage unit and sends certificate to server.Be coupled in equipment this first memory cell operation.This certificate is sent to server under the control of the software entity on the equipment.This software entity notifies the user to insert new storage unit in this equipment.This software entity receives inserting the notice of new storage unit.This software entity control sends certificate from the server acceptance certificate with to new storage unit.

An embodiment who is used for the processing of updated stored device comprises that first storage unit with main process equipment is updated to new storage unit.First storage unit is associated with the 3rd storage unit based on one or more certificates, and first storage unit and the 3rd being operated property of storage unit be coupled in main process equipment.The identifier of the new storage unit of sign is provided when inserting in main process equipment to server at the software entity on the main process equipment.One or more certificates that this software entity use obtains from the 3rd storage unit visit the content on first storage unit.Then, this software entity provides content to server.Software entity control comprises the first content that is associated with the 3rd storage unit based on one or more certificates from the server received content.Send content to new storage unit under the control of software entity, this software entity notifies the 3rd storage unit to generate the new authentication that first content is associated with new storage unit.New authentication provides the visit to first content.

Technology described here also belongs to the content on first main process equipment, and wherein, this content is associated with one or more certificates on second main process equipment.On first main process equipment or use first storage unit of first main process equipment control to be bound on second main process equipment or use second storage unit of second main process equipment control based on the bindtype of the content on first storage unit.Need this second storage unit to calculate the certificate that is used for the visit of the content on first storage unit.When by the content on first host device requests, first storage unit, first main process equipment calculates the account identification symbol that is associated with the bindtype of the content of asking.To send the account identification symbol to server from main process equipment.This server will send the account identification symbol to second main process equipment.Second storage unit identifier that will access to your account calculates certificate.Then, send certificate, and server sends certificate to first main process equipment to server.If certificate is effective, this first main process equipment will use certificate to visit the content of request.

An embodiment who is used for the processing of accessed content is included in the account identification symbol that first equipment content definite and on first storage unit that functionally is coupled in first equipment is associated.To send the account identification symbol from first device-to-server.From the second equipment acceptance certificate, wherein, this certificate accords with based on described account identification first equipment via server.If certificate is effective, this first equipment uses this certificate to visit this content.

An embodiment who is used for the processing of accessed content is included in the server place and receives the account identification symbol from first equipment.Account identification symbol is associated with content on first storage unit that functionally is coupled in first equipment.Send the account identification symbol from server to second storage unit that functionally is coupled in second equipment.Second storage unit is associated with first storage unit.This server accords with from the second storage unit acceptance certificate corresponding to sending account identification.This certificate accords with based on account identification.This server sends this certificate to first equipment.If this certificate is effective, this certificate provides the visit to the content on first storage unit.

An embodiment who is used for the processing of accessed content comprise reception to accessing operation be coupled in requests for content on first storage card of first equipment.This first storage card is bound to second storage card based on bindtype.Be coupled in to this second storing card operation second equipment.Carry out this reception by the software entity on first equipment.This software entity calculates the account identification symbol based on bindtype, and sends the account identification symbol to server.This software entity is from the server acceptance certificate.Generate this certificate by second storage card based on account identification symbol and bindtype.If certificate is effective, this software entity uses this certificate to visit this content.

An embodiment who is used for the processing of accessed content is included in the first equipment place and calculates the account identification that is associated with content on first storage unit that functionally is coupled in first equipment and accord with.This first storage unit is associated with second storage unit that functionally is coupled in second equipment.Send account identification symbol from first equipment to second equipment by server.This second storage unit generates certificate based on the account identification symbol.This first equipment comes from the second storage unit acceptance certificate by server, and if certificate effective, the content of visit on first storage unit.

Can comprise one or more non-volatile memory cells and one or more processors of communicating by letter according to embodiment of the present disclosure with one or more non-volatile memory cells.One or more processors go for carrying out one or more processing and upgrade or visit as described at least one non-volatile memory cells.Can use the combination of hardware, software or hardware and software to realize according to embodiment of the present disclosure.This software can be stored on one or more computer-readable mediums such as hard disk, CD-ROMA, DVD, CD, floppy disk, tape reel, RAM, ROMA, flash memory or other suitable (one or more) memory devices.In alternative embodiment, some or all of softwares can be comprised the specialized hardware replacement of custom layout, gate array, FPGA, PLD and application specific processor.In one embodiment, (on memory device, storing) software of implementing one or more embodiment one or more processors that are used to programme.One or more processors can be communicated by letter with the one or more non-volatile memory cells in storage system, periphery and/or communication interface.

Description of drawings

Figure 1A is the block scheme of two storage component parts of communicating by letter with main process equipment.

Figure 1B is and the block scheme of handing two storage component parts that main process equipment communicates by letter.

Fig. 2 is the process flow diagram that is used to visit the processing of the content on storage component part.

Fig. 3 is the process flow diagram that is used to calculate the processing of account identification symbol.

Fig. 4 is the process flow diagram that is used to calculate the processing of certificate.

Fig. 5 A-5B describes the block scheme of replacing the system of existing subscriber's identification module (SIM) card with new SIM card, and wherein, existing SIM card was bound to Nonvolatile memory card before being replaced.

Fig. 6 is the process flow diagram that is used for replacing with new SIM card the processing of existing SIM card, and wherein, existing SIM card was bound to Nonvolatile memory card before being replaced.

Fig. 7 is the process flow diagram that is used for setting up in SIM card the processing of New Account.

Fig. 8 A-8C describes the block scheme of replacing the system of existing storage card with new storage card, and wherein, existing storage card was bound to SIM card before being replaced.Fig. 9 is the process flow diagram that is used for replacing with new storage card the processing of existing storage card, and wherein, existing storage card was bound to SIM card before being replaced.

Figure 10 is the process flow diagram that is used to be kept at the processing of the content on the new storage card.

Figure 11 is the process flow diagram that is used to set up the processing that channel is installed.

Figure 12 is used for the content (clear content) of knowing on the existing storage card is transferred to the process flow diagram of the processing of new storage card.

Figure 13 is used for the process flow diagram of the encrypted content transfer on the existing storage card to the processing of new storage card.

Figure 14 is the block scheme of the equipment of communicating by letter with the trust third-party server that is used to visit the certificate on handheld device.

Figure 15 is the process flow diagram that is used for the processing of the certificate by the access to netwoks content.

Figure 16 is the process flow diagram of processing that is used for the certificate of accessed content.

Figure 17 is the block scheme of storage component part.

Figure 18 is a block scheme of describing an embodiment of memory array.

Embodiment

Disclosed technology provides from the security update of existing storage component part to the new memory device.Existing storage component part can comprise the nonvolatile semiconductor memory member of any type, such as subscriber's identification module (SIM) card or removable storage card.Existing storage component part functionally is coupled in main process equipment, and is operated by the master agent on the main process equipment usually.Main process equipment may be any electronic equipment, such as cell phone, digital camera, mobile media player, personal digital assistant, mobile computing device or non-moving computing equipment.Existing storage component part can remove or be embedded into the main process equipment from main process equipment.In addition, existing storage component part can be by main process equipment not within it portion be operated.

Before upgrading processing, existing storage component part can be associated with the 3rd storage component part that also functionally is coupled in main process equipment by master agent.The 3rd storage component part can also be the nonvolatile semiconductor memory member of any type.The 3rd storage component part can be in-line memory device, removable storage component part or by main process equipment but not at the storage component part of main process equipment built-in function.In one embodiment, existing storage component part and new memory device can be the non-volatile memories cards, and the 3rd storage component part can be a SIM card simultaneously.In another embodiment, existing storage component part and new memory device can be SIM card, and the 3rd storage component part can be the non-volatile memories card simultaneously.Master agent can be at any software entity that is used for coming by main process equipment on the main process equipment of operational store device, such as the application of installing on main process equipment.Master agent allows the visit to storage component part, and control is to the renewal of storage component part.Describe various the processing at this and undertaken, for standard clear, simple and that meet those terms of the prior art is used by software entitys such as master agent, little application etc.To understand, and can comprise by one or more equipment (for example, processor, control circuit etc.) quoting of the software entity that moves and under the control of software entity, moving.

In order to increase security, existing storage component part and the 3rd storage component part implement to be used to visit the security feature of the content on these equipment.Existing storage component part is bound to the 3rd storage component part, and the visit of content is depended on how these equipment are bound to together.For example, the content on storage card can comprise the bindtype that is used for obtaining from the SIM card that is used for accessed content certificate.

When request had the renewal of storage component part now, at least a portion of the content of existing device was sent to the new memory device.If existing and new memory device can be accepted or visit to main process equipment simultaneously, this content can directly be sent to the new memory device from existing storage component part.If one of these cards can only be accepted or visit to main process equipment simultaneously, the content of existing device can at first be sent to server.Internet Service Provider by main process equipment, operate this server such as mobile network operator (MNO) or any third party.In one embodiment, this server is to trust third party (TTP) server.Though present example embodiment with reference to the TTP server, can use the server of any kind with disclosed technology.The content of existing storage component part is sent to TTP by the master agent on the main process equipment.In case master agent sends content from existing storage component part to TTP, master agent can ask the new memory device to be inserted in the main process equipment.When inserting the new memory device, master agent is from the TTP request content, and sends it to the new memory device.

The storage component part binding

Figure 1A describes an example of storage component part mutually bound and that operate by the master agent 175 on the main process equipment 100.As previously discussed, main process equipment 100 can be any electronic equipment.Main process equipment 100 comprises processor 130.Processor 130 can be the processor that is used for any type of operating host equipment 100.Processor 130 is used for visiting SIM card 110 and Nonvolatile memory card 120 by main process equipment 100.In one embodiment, processor 130 is carried out the function of 175 pairs of SIM card 110 of master agent and Nonvolatile memory card 120.

Figure 1B describes an example of the system shown in Figure 1A.In Figure 1B, main process equipment 100 is hand-held sets 105, such as mobile phone or other computing equipments.The first memory device is a SIM card 115, and the second memory device is removable storage card 125.Hand-held set 105 comprises that the processor (not shown) of describing among Figure 1A is to carry out Storage Card Drivers device 155, application 1160, application 2165, application n 170, master agent 175 and the SIM card driver 180 on hand-held set 105.In order to simplify, disclosed most of with reference to the example shown in Figure 1B.But disclosed technology is so restriction not.

Hand-held set 105 has as the international MOVING STRUCTURE sign (IMEI) of unique identifier number.Master agent 175 receives the requests for content of visit on storage card 125, and verifies the entity of attempting accessed content before allowing accessed content.The entity of attempting accessed content can be the user of hand-held set 105.This user can also attempt by using 1160, using 2165 or use n 170 and visit content.These use the entity that still can experience checking before allowing visit.Use 1160, use 2165 or to use n 170 can be the application of any type, such as the media player that is used for playing back music or video file, word processor, calendar watch etc.

Hand-held set 105 comprises and allows storage card 125 by the accessed Storage Card Drivers device 155 of hand-held set 105.This hand-held set 105 also comprises and allows SIM card 115 by the accessed SIM card driver 180 of hand-held set 105.

Storage card 125 comprises storage area 150 and control circuit 145.Storage area 150 is included in the content on the storage card 125.Visit this content by control circuit 145, content is read and write to these control circuit 145 controls to storage card 125.Storage card 125 also has unique card identifier (CID) of the concrete storage card of sign.

This storage area 150 can be divided into the public or security partitioning of any amount.Visit to the content in the security partitioning need be from effective checking of authorized entity.Content in public partition can comprise and not need to verify and can be verified so that accessed protected content by the clearly content and needs of any entities access.In the example shown in Figure 1B, storage area 150 is divided into two subregions: subregion 152 and subregion 154.Each subregion has the file allocation table (FAT) that comprises the information where in this subregion that is stored in about each file.FAT-0 comprises the information about the content of storage in subregion 152, and FAT-1 comprises the information of subregion 154.

Subregion 152 is examples of security partitioning.Security partitioning is the undetectable hidden partition of user or main process equipment.Any entity of attempting the content in the access security subregion must use the main process equipment 175 on hand-held set 105 and at first be verified.This entity can be the user, in the application on the hand-held set 105 or attempt to visit the user of this content by the application on the hand-held set 105.When entity attempted to visit content in security partitioning, master agent 175 was at first visited the file header of this content.The file header of each file is stored in the file itself, and comprise information about this content, such as content metadata, it can indicate the content of storing what type, about the information of this content of encryption and decryption with about the information of checking, such as bindtype.The Application No. 12/124 of the Mei Yan that the more information of handling about checking can be submitted on May 21st, 2008 etc., 450, be entitled as in " Authentication for Access to Software Development Kit for a Peripheral Device " and find, its integral body is cited and invests this.

After the checking of success, the entity of attempting to visit this content is logged in the storage card 125, and can visit the content in the subregion 152, such as file A and logical groups territory 1 and territory 2.Logical groups is the content group by the individualized encryption protection.Each is protected logical groups territory 1 and territory 2 by contents encryption key (CEK).Use the concrete CEK be associated with territory 1 be encrypted in all the elements of territory 1 stored, such as file B, and another CEK that use is associated with territory 2 comes all the elements of encrypted domain 2 stored, such as file C and file D.Information about the CEK of each logical groups is stored in the file header of the content in the logical groups.If the checking entity has the proper authorization to accessed content, this information can be used to visit the correct CEK that is used to decipher this content.Do not have as sporocarp and to make the mandate that CEK can be accessed of earning money, their may access domain 1 or territory 2 in file, but can not decipher its content.Carry out the encryption and decryption of content by control circuit 145, this control circuit 145 can be supported such as symmetric cryptography (for example AES, DES, 3DES etc.), cryptographic hash function (for example SHA-1 etc.), asymmetric encryption (for example PKl, key to generate etc.) or any encryption method of other cryptographic methods arbitrarily.

Subregion 154 is examples that comprise the public partition of knowing content file E and file F.Public partition can detect user or household register equipment.Know that content is the arbitrary content that is stored in the public partition of storage component part 125 and encrypts without CEK.Any entity of knowing content of attempting to visit in the public partition can be done like this, and need not verify.

Use control circuit 145 is controlled the visit to the arbitrary content of storage on the storage component part 125.Control circuit allows the main process equipment 175 on the hand-held set 105 successfully to verify the content on the reference-to storage device 125 after the entity of attempting accessed content in master agent 175.

SIM card 115 among Figure 1B can be any removable integrated circuit card that uses in cell phone or mobile computer such as usually.SIM card 115 is storage cards of the international mobile subscriber sign of storage (IMSI), and the mobile subscriber's sign in this world (IMSI) is subscriber's the identifier that is used to identify the mobile service of hand-held set 105.When beginning calling or beginning data transmission, send IMSI from SIM card 115 to hand-held set 105, and hand-held set 105 sends IMSI to subscriber's network then.Subscriber's network is the MNO that the service of moving is provided for hand-held set 105.When MNO when hand-held set 105 receives IMSI, it allows to begin to call out or the transmission data.SIM card 115 is also stored mobile logo symbol integrated services digital network network (MSlSDN) number, and this is the identifier that is associated with the telephone number of SIM card 115.SIM card 115 is usually by a MNO operation.Can identify MNO by the network identifier unique (NetID) to this concrete MNO.NetID can be any identifier of MNO, such as Mobile Country Code MCC (MCC) or Mobile Network Code (MNC).

SIM card 115 also in its storer storage use, such as the little application 140 of SIM.The little application 140 of SIM is application that the master agent 175 on hand-held set 105 is used, and is used for verifying and login the entity attempting to visit the content on the storage card 125.The little application 140 of SIM will generate the certificate 135 that is used for the visit of the content on the storage card 125 based on the bindtype that finds in the file header of the content of correspondence.Because the content on storage card 124 is bound to SIM card 115, so these cards are bound to together.Can comprise the different bindtype in the file header of different piece (for example, different files) of content in the content on the storage card 125.

Fig. 2 is the process flow diagram that is used for verifying and login in the processing of the entity of attempting to visit the protected content on the storage card 125.Attempting to visit the entity of knowing content in public partition does not need to be verified and is used to visit this content.In step 200, the request that master agent 175 receives visit file of storage in storage card 125.In one embodiment, this request can be from the user of hand-held set 105.In another embodiment, this request can be from the application on the hand-held set 105, such as using 1160.

In step 201, the bindtype that main process equipment 175 visit is associated with requested content from the file header of requested file.All protected contents of storage have the concrete bindtype that is associated with it in storage card 125.Can in the file header of content, find bindtype.The bindtype indication is tied to SIM card 115 by indicating concrete identifier to be used for calculating the required certificate of this content of visit by SIM card 115 with the content in storage card 125.Storage card 125 can based in storage card 125 storage content one or more bindtype and be bound to SIM card 115.For example, bindtype can be indicated the MNO (that is network bound) of identifier (that is SIM card binding), hand-held set 105 (that is hand-held set binding), storage card 125 (that is storage card binding) or the hand-held set 105 of SIM card 115.Can in the file header of the different piece of content, specify different bindtype.

In case determined bindtype (step 201) from the file header of requested file, master agent 175 visits suitable ident value based on bindtype in step 202.If bindtype is the SIM card binding, master agent 175 is from the suitable SIM card ident value of SIM card 115 visits.In one embodiment, the ident value of SIM card binding is IMSI number.In another embodiment, the ident value of SIM card binding is MSISDN number.If bindtype is the hand-held set binding, master agent 175 is from the suitable hand-held set ident value of hand-held set 105 visits.In one embodiment, the ident value of hand-held set binding is an IMEI number.If bindtype is the storage card binding, master agent 175 is from the suitable storage card ident value of storage card 125 visits.In one embodiment, the ident value of storage card binding is CID.If bindtype is a network bound, master agent 175 uses the telecommunication capability of hand-held set 105 from the suitable network identity value of MNO visit.In one embodiment, the ident value of network bound is NetID.

After master agent 175 visited suitable ident value based on the bindtype of requested content, master agent 175 used these ident values to calculate account identification symbol (step 203) based on bindtype.Master agent 175 visit binding rules are so that calculate the account identification symbol.The binding rule is stored on the SIM card 115 usually, but also can be stored in master agent 175 places, or with this content.The binding rule can be indicated the specific algorithm of calculating, and can be proprietary concerning each bindtype, or they can be identical to any bindtype.Can calculate the account identification symbol by import ident value (and can by binding rule other values of appointment alternatively) with the specific algorithm that is associated with binding rule.In one embodiment, specific algorithm is a cryptographic function.Cryptographic function is one or more values of input and the function of returning another value, and wherein, this another value is used as the performance or the fingerprint of the value of one or more inputs.Any encryption method be can use, symmetric cryptography (for example AES, DES, 3DES etc.), cryptographic hash function (for example, SHA-1 etc.) or asymmetric encryption by unrestriced example (for example, PKI, key to generate etc.) comprised.

Master agent 175 is sent in account identification symbol that calculates in the step 203 and the ident value (step 204) of visiting to the little application 140 of the SIM in SIM card 115 in step 202.Then, access to your account identifier and ident value is arbitrary or both come to calculate certificate 135 (step 205) based on bindtype of the little application of this SIM.How the binding rule indication of bindtype calculates certificate, for example specifies the specific algorithm that will use such as cryptographic function.The little application 140 of SIM uses account identification symbol and the optional ident value in the algorithm of the regular appointment of binding to calculate certificate 135.The little application 140 of SIM will be preserved the certificate 135 that is calculated in SIM card 115 storeies.

In case calculate certificate 135 by the little application 140 of SIM, the little application 140 of SIM sends certificate (step 206) to master agent 175.Certificate 135 that master agent 175 uses receive in step 206 and the account identification of calculating in step 203 accord with and sign in to the account (step 207) that is associated with the file of request.Each agent-protected file in storage card 125 and the account identification that is allowed to access file by indication accord with the permission of indicating which entity to be allowed to visit this document and are associated.In step 208, control circuit 145 determines whether the account that is associated with the account identification symbol can visit this content and whether this certificate 135 is effective in the account.If account identification symbol and certificate 135 are invalid, negate visit.Master agent receives logging status from control circuit, and mistake is returned to the entity (step 209) of this content of request.If account identification symbol 175 and certificate 135 are effective, the visit (step 210) that master agent 175 allows requested file.

Fig. 3 is the process flow diagram that calculates the processing of account identification symbol in the step 203 of Fig. 2 as being used to of describing.In step 211, the binding rule that master agent 175 visits are associated with the bindtype of requested content.Master agent 175 is identified for calculating the algorithm (step 212) of account identification symbol.Specify this algorithm by the binding rule.Master agent 175 is provided at the input (step 213) of the ident value of visit in the step 202 of Fig. 2 as algorithm.In one embodiment, can use other value also to be used for this input, as by the binding regular appointment.Master agent 175 is calculated account identifier (step 214) by carrying out this algorithm with these inputs.

Fig. 4 is the process flow diagram that calculates the processing of certificate 135 in the step 205 of Fig. 2 as being used to of describing.In step 215, the binding rule that little application 140 visits of SIM are associated with the bindtype of requested content.The little application 140 of SIM is identified for calculating the algorithm (step 216) of this certificate 135.Specify this algorithm by the binding rule.The little application 140 of SIM provides the input (step 217) of account identification symbol as this algorithm.In one embodiment, can use other ident value also to be used for this input, as by the binding regular appointment.The little application 140 of SIM is calculated this certificate 135 (step 218) by carrying out this algorithm with these inputs.The little application 140 of SIM also will be preserved this certificate 135 (step 219) in SIM card 115.

SIM card in bound equipment is arranged is replaced

Fig. 5 A-5B has described the block scheme of a system of the existing SIM card 115 that is used to upgrade the security feature that is provided for visiting the content on Nonvolatile memory card 125.Renewal in master agent 175 use 300 be used for helping by Storage Card Drivers device 155 and SIM card driver 180 will have now SIM card 115 be updated to new SIM card 115 '.Be shown in the example stream of data between the various assemblies and order by the arrow among Fig. 5 A-5B.

In Fig. 5 A, SIM card 115 and Nonvolatile memory card 125 functionally are coupled in hand-held set 105.Upgrade using 300 receives with new SIM card 115 ' the replace request that has SIM card 115 now.SIM card 115 ' describe discretely with hand-held set 105 also functionally is not coupled in this hand-held set to illustrate it.Use 300 certificates of existing SIM card, storing from little application 140 requests of SIM 135 when using 300 by the renewal in master agent 175 when receiving the request of upgrading SIM card 115, upgrading, as by shown in the arrow 230.The renewal of the little application 140 of SIM on master agent 175 used 300 and sent these certificates 135, as by shown in the arrow 232.Then, upgrade using 300 will be by safe lane 315 to TTP 310 transmission certificate 135, as by shown in the arrow 234.

Safe lane 315 helps the transmission of the data between master agent 175 and TTP 310.Can use hand-held set 105 telecommunication capabilities to pass through safe lane 315 (OTA) transmission data aloft.Can also send this data by the Internet or other networks by channel 315 safe in utilization.In addition, pass through safe lane 315 from the data of master agent 175, then these data are sent to TTP 310 to TTP 310 transmissions by master agent 175 encryptions.Then, can work as and decipher this content when receiving this content at TTP 310 places.When by safe lane 315 from TTP 310 when master agent 175 sends data, these data are encrypted similarly before it is sent to the hand-held set 105 of new storage unit, in case and it receives at master agent 175 places then be decrypted then.

In case TTP 310 uses 300 by the renewal of safe lane 315 from master agent 175 and receives this certificate, can remove existing SIM card from hand-held set 105, and can insert new SIM card.In one embodiment, renewal application 300 provides to the user and removes existing SIM card and insert one new indication.Can be inserted in the hand-held set 105 in new SIM card and the hand-held set conducting after the renewal that is invoked on the master agent 175 use 300.Fig. 5 B is described in the system that removes existing SIM card 115 and insert new SIM card 115 ' afterwards.Then, upgrade to use 300 and will ask certificates to TTP 310, as by shown in the arrow 236 by safe lane 315.Upgrade to use 300 acceptance certificates, as by shown in the arrow 238, and send the certificate that is received, as by shown in the arrow 240 to the little application of the SIM of new SIM card.SIM is applied in for a short time and preserves these certificates in the new SIM card.

Fig. 6 is the process flow diagram that is used to upgrade an embodiment of SIM card 115.In step 400, user or other entity requests are upgraded existing SIM card.In one embodiment, the user can use 300 by the renewal on the master agent 175 and ask the SIM card renewal.In step 402, upgrade the SIM little application 140 of application 300 notices in existing SIM card and received update request.This allows the little application 140 of SIM to prepare certificate for upgrading to handle.

In step 404, upgrade the address of using 300 use TTP 310 and visit TTP 310.In one embodiment, this address is the URL(uniform resource locator) (URL) that is used for TTP 310 location.

In case location and visit TTP 310, the little application 140 of SIM on existing SIM card can be used 300 and uploads the certificate of being preserved 135 (step 406) to TTP 310 by upgrading.These certificates 135 are by being uploaded to TTP 310 by upgrading the safe lanes 315 of using 300 foundation.

In case certificate 135 is successfully uploaded to TTP 310, upgrade application 300 these certificates (step 408) of deletion from existing SIM card.Then, upgrading application 300 notifies the user that new SIM card is inserted in the hand-held set 105 (step 410).

Upgrade application 300 and determine whether to have inserted new SIM card (step 412).Determine to have inserted new SIM card in case upgrade application 300, this renewal is used 300 and is notified the SIM application 140 of new SIM card to prepare to be received in the certificate 135 of TTP 310 places preservation.In step 414, the little application 140 of the SIM of new SIM card uses 300 from TTP 310 downloadable authentication 135 by upgrading.Channel 315 safe in utilization sends certificate 135 from TTP 310 to the little application 140 of SIM.Certificate 135 is preserved in the little application 140 of this SIM in the storer of new SIM card.

For the arbitrary content in the storage card 125 of bindtype, can revise the account that is associated with this content with the binding of indication SIM card.The certificate that can be modified in those accounts on the storage card 125 and be associated with those accounts on new SIM card.Be used to have the SIM card bindtype content existing account and account identification symbol and based on the identifier calculation of existing SIM card the account identification symbol be associated.Set up New Account and will be bound to new SIM card so that have the content of SIM card bindtype.Can calculate New Account identifier and certificate.This assurance can use new SIM card visit to have the content of SIM card bindtype.In step 416, set up New Account at the storage card 125 of all existing accounts that are used for having had the SIM card bindtype.

In case set up New Account, upgrade application 300 notice TTP 310 and delete saved certificate 135 on TTP 310, and finish (step 418) handled in the renewal of SIM card 115.

Fig. 7 describes step (step 416 of Fig. 6) how to set up New Account.In step 429, renewal application 300 signs in to the existing account with the SIM card bindtype.Upgrading application 300 uses the certificate of preserving at the TTP310 place to sign in to existing account.

In step 422, the account identification that renewal application 300 visits are calculated the account with SIM card bindtype based on the binding rule of existing account accords with needed suitable ident value.This comprises the ident value of visiting new SIM card, such as for example IMSI number or MSISDN number.

After having visited suitable ident value, the ident value that upgrades the visit of using the 175 use SIM card bindings of 300 indication master agent calculates the New Account identifier (step 424) of all existing accounts.Upgrade the little application 140 of the SIM of application 300 in new SIM card and send New Account identifier and ident values (step 426).In step 428, SIM uses 140 new authentications that generate with each account identification symbol that receives with the described similar mode of the step 205 of Fig. 2.Calculate new authentication based on SIM card binding rule.The little application 140 of SIM is preserved new authentication and is replaced the existing certificate (step 430) that is associated with existing account in new SIM card.Can delete the existing certificate of the identifier calculation of using existing SIM card.The renewal of the little application 140 of SIM on master agent 175 used 300 and sent new authentication (step 432).

Upgrade application 300 and send the new certificate (step 434) that calculates to begin that all the existing accounts in the storage card 125 with SIM card binding are set up New Account to the control circuits 145 of storage card 125.125 pairs of storage cards have all existing accounts of SIM binding and set up New Account (step 436), and with New Account and corresponding account identifier with to the certificate of new SIM card calculating be associated (step 438).The permission that is associated with existing account is appointed to New Account (step 440) so that New Account can be visited suitable content.In case in storage card 125, successfully set up New Account, can have the existing account (step 442) of SIM card bindtype from storage card 125 deletions.

Nonvolatile memory card in the equipment of binding is arranged is replaced

Fig. 8 A-8C describes to upgrade to have the block scheme of use in the system of the Nonvolatile memory card 125 of the content of the certificate access of storage of SIM card 115 places or calculating.Be shown in the example stream of data between the various assemblies and order by the arrow among Fig. 8 A-8C.Fig. 9 is a corresponding process flow diagram of describing a processing of updated stored card 125.Fig. 8 A-8C and 9 will be described with being bonded to each other.Fig. 8 A is described in renewal that the user removed existing Nonvolatile memory card 125 and inserted the step 450 of new Nonvolatile memory card 125 ' the begin Fig. 9 system after handling.Use 300 notifiedly when inserting 125 ' time of new storage card, upgrading, and for example use that the address of the TTP 310 of URL visits TTP 310 (step 452).At step 454 place, upgrade and use 300 CID, as representing by arrow 250 to the new storage card 125 of TTP 310 transmissions.In case the CID of the new storage card 125 of TTP 310 receptions, TTP 310 send the request that existing storage card should be inserted at step 456 place to upgrading application 300, as being represented by arrow 252.Upgrading application 300 notifies the user to insert existing storage card (step 458).

Upgrade and use 300 waits up to removing new storage card and inserting existing storage card (step 460).In one embodiment, hand-held set 105 may can be operated a plurality of storage cards simultaneously, and therefore new storage card not necessarily removed from hand-held set 105 before the content from existing storage component part is sent to TTP 310.In one embodiment, can ask significantly to upgrade, and not by removing existing storage card and inserting new storage card.Fig. 8 B described removed new Nonvolatile memory card 125 ' and inserted existing storage card 125 again after system.

In case existing storage card 125 is inserted in the hand-held set 105, upgrades and use the little application 140 of 300 indication SIM so that the certificate on the SIM card 115 135 is uploaded to TTP 310, as representing by arrow 254.At step 462 place, from the little application acceptance certificate 135 of SIM, as by arrow 256 expression, and channel safe in utilization 315 uploads to TTP 310 with it, as by shown in the arrow 258.

At step 464 place, upgrade to use 300 and use certificates 135 to sign in in the existing storage card account on Nonvolatile memory card 125, as by shown in the arrow 260.Signed in in the existing storage card account in case upgrade to use 300, upgrade and use 300 and from existing storage card, receive this content, as by shown in the arrow 262.At step 466 place, upgrade to use and to upload this content, as by shown in the arrow 264 to TTP 310.This content can be included in storage user data and other information in the existing storage card.User data can comprise protected or the perhaps file and the clearly content of storing in existing storage card in the protection.Other information from existing storage card can comprise configuration information, accounts information, hidden partition, user data information and any other information that is associated with existing storage card.Configuration information is indicated this content how to be organized and is stored in the existing storage card.For example, accounts information can be any information of being associated with account in the existing storage card, such as the account identification symbol, accord with certificate and the account level that is associated with account identification.The account level provides the information that has the visit level bigger than other accounts about those accounts.In addition, can set up account, how set up account so that the account level is also indicated by another account.Hidden partition information can comprise for example zone name and size.User data information can comprise the permission (for example, permission object of CEK, DRM etc.) that is associated with user data.For example, upgrade to use 300 any other information that can also provide storage card 125 to store to TTP 310, such as existing storage card CID.

Successfully uploaded to TTP 310 in case be updated application 300, upgraded application 300 and delete the contents that have storage card now at step 468 place, shown in arrow 266 from the content that has storage card 125 now.

In case from the information of existing storage card with content successfully has been transferred to TTP 310 and from existing storage card deletion, upgrade and use 300 and notify the user to insert new storage card (step 470).Upgrade application 300 and determine whether new storage cards have been inserted in the hand-held set 105 (step 472).Fig. 8 C has described and has removed existing Nonvolatile memory card 125 and inserting the system of existing Nonvolatile memory card 125 ' afterwards.When having inserted new storage card, upgrade to use 300 to TTP send by arrow 268 step 474 expression to before from the renewal or the download request of existing storage card 125 uploaded content and configuration information.Download request will comprise the CID of new and existing storage card.In step 476, TTP 310 checks at step 474 place the CID that uses the new storage card that the CID coupling that receives received in step 454 from upgrading.If the CID that the CID that receives at step 474 place does not match and receives at step 454 place, TTP returns mistake (step 478) to upgrading application 300.

If CID coupling is upgraded and is used 300 configuration informations of downloading subregions and account at step 480 place from TTP 310, by shown in the arrow 270.At step 482 place, upgrade to use the new storage card of 300 indications and rebulid subregion, as by shown in the arrow 272 based on configuration information.At step 484 place, then, upgrade to use 300 from TTP 310 download accounts informations, such as account identification symbol, certificate and permission, as by shown in the arrow 274.Upgrade to use the new storage card of 300 indications and set up New Account based on the accounts information and the certificate that receive from TTP 310, as by shown in the arrow 276 in step 486.

In case new storage card has been configured and New Account is established, upgrade and use 300 and download from TTP 310 at step 488 place and to comprise corresponding permission () content for example, CEK, permission object etc. is by shown in the arrow 278.At step 490 place, upgrade to use the new storage card of 300 indications and preserve this content and permission in position, as by shown in the arrow 280.Upgrade using 300 also is associated content with suitable account.When in new storage card, preserving this content, revise the account of content with the bindtype that is associated with storage card 125.In addition, the certificate that is associated with this content also is modified, and will be associated with new storage card so that have the content of storage card bindtype.

In case by upgrade to use 300 downloaded from all the elements of TTP 310 and with its be saved in new storage card 125 ', upgrade to use 300 indication TTP 310 at step 492 place from the contents of existing storage card 125 deletions, as by shown in the arrow 282 in TTP 310 storages.

Figure 10 has described a processing (step 490 of Fig. 9) that is used for preserving content on new storage card.This processing comprises the part of revising the content with storage card bindtype.Because the part of content is associated with account identification symbol with based on the certificate that the CID of existing storage card has calculated, therefore, the part of content should be modified so that it is associated with the account identification symbol with based on the certificate of the CID calculating of new storage card.In addition, the part of the certificate in the SIM card of having calculated based on the CID of existing storage card 115 should be modified, so that the new authentication that SIM card 115 storages are calculated based on the CID of new storage card.

In the step 500 of Figure 10, upgrade to use 300 storage card bindtype and visit that the ident value that is based on the account of downloading from TTP 310.These ident values can be the CID of new storage card.Upgrading application 300 uses those ident values to use the storage card bindtype of the account with storage card bindtype to calculate New Account identifier (step 502).Upgrade the little application 140 of the SIM of application 300 on new SIM card and send New Account identifier and ident values (step 504).

The little application 140 of SIM is used from renewal and is used the account identification symbol of 300 transmissions and the new authentication (step 506) that ident value calculates the account with storage card bindtype.The part of the certificate that is associated with existing storage card is also revised in the little application 140 of SIM by the existing certificate of preserving new authentication and delete those accounts in SIM card 115.

In case the generation new authentication, the little application 140 of SIM is used 300 transmission new authentications (step 508) to upgrading.Then, upgrade to use 300 and send new authentication and New Account identifier, begin to have the modification (step 510) of the content of storage card bindtype to new storage card.

Upgrade to use the new storage card of 300 indications and be existing account and set up New Account (step 512) with storage card bindtype of having downloaded from TTP 310.Then, upgrade to use the new storage card of 300 indications with New Account be associated with New Account identifier and new authentication (step 514).Upgrade to use the new storage card of 300 indications New Account (step 516) to correspondence is appointed in the permission of existing account.In case successfully set up New Account and it be associated with new storage card, be bound to the existing account (step 518) of existing storage card from new storage card deletion.

How Figure 11 description is for the transmission of the data between hand-held set 105 and the TTP 310, such as an example that transmits certificate or this content of transmission is set up safe lane 315 in the step 466 of Fig. 9 in the step 406 of Fig. 6.When setting up safe lane 315, master agent 175 is set up the session that is used to transmit data.Set up this session by session participant words ID is associated, this session id is the unique identifier that is established for the session of transmission.This session id is associated with session key, and this session key is the encryption key that is used to encrypt these data.In the step 520 of Figure 11, master agent 175 uses the session key that is associated with the session id of safe lane session to encrypt this content (for example, certificate, memory card contents etc.).Master agent 175 sends session id (step 522) to TTP 310.TTP 310 has the record which session key with which session id is associated, and therefore, TTP 310 can search the session key corresponding to the session id that is sent by master agent 175.Master agent 175 sends the encryption version (step 524) of this content to TTP 310.TTP 310 can use the session key that is associated with the session id that has sent to TTP 310 from master agent 175 to decipher the content that receives from master agent 175.

Figure 12 describes an example (that is the unprotected content in public partition) that is used to transmit the processing of knowing content.Because it is addressable to know that content discloses any entity, therefore know that content is not associated with account.Therefore, the step in Fig. 9 and Figure 10 may not need concerning knowing content.In step 530, the renewal application 300 in master agent 175 is uploaded to the computing equipment of temporary storage, for example TTP or existing storage card communication or with storage medium from existing storage card and is known content.In one embodiment, if hand-held set 105 has the content memorizer that enough is used as temporary storage, master agent 175 can be uploaded to hand-held set 105 from existing storage card and know content.In step 532,, upgrade application 300 and know content to new storage card download from temporary storage in case temporary storage is communicated by letter with new storage card.

Figure 13 describes and is used for using CEK to come the example of encryption and decryption in the processing of the content of storage card.When from existing storage card during to new storage card transmission protected content, the protected content in existing storage card should use CEK decrypted (step 540) at it before TTP 310 sends.This takes place when application 300 signs in in the existing storage card account when upgrading in the step 464 of Fig. 9.Begin the CEK of content by the permission that is associated with content.

In case protected content is decrypted, upgrades application 300 channels 315 safe in utilization and upload the content (step 542 of Fig. 9 and step 466) of deciphering to TTP 310.When new storage card is ready to when existing storage card is stored this content, upgrade and use 300 channels 315 safe in utilization and download shielded content from TTP 310, and with the permission object (step 544 of Fig. 9 and step 488) of protected content.Upgrade to use 300 and send this content, and use CEK to indicate new storage card to encrypt this shielded content (step 546) to new storage card.New storage card is preserved the content (step 548 of Fig. 9 and step 490) of encrypting in correct position.

Use network to visit the storage component part content

Can also be used to provide visit according to embodiment of the present disclosure, wherein be coupled in different main process equipments first memory device and second memory device operation the content on the first memory device that is tied to the second memory device.For example, the first memory device can be any nonvolatile semiconductor memory member, such as removable non-volatile flash memory card.Be coupled in first main process equipment first memory device operation.Can operate the first memory device by the master agent on first main process equipment.First main process equipment may be any electronic equipment, such as cell phone, digital camera, mobile media player, personal digital assistant, mobile computing device, non-moving computing equipment or other equipment arbitrarily.

The second memory device functionally is coupled in second main process equipment by the master agent on second main process equipment.For example, the second memory device can also be any nonvolatile semiconductor memory member, blocks such as subscriber's identification module (SIM).The first memory device is associated with the second memory device.In one embodiment, can use the master agent on the main process equipment to operate two storage component parts by a main process equipment.Master agent can be at any software entity that is used for coming by main process equipment on the main process equipment of operational store device, such as the application of installing on main process equipment.Master agent allows the visit to storage component part.

When request during to the visit of the content on the first memory device, the master agent on first main process equipment is calculated the account identification that is associated with requested content and is accorded with.Send the account identification symbol to server.Internet Service Provider by main process equipment, operate this server such as mobile network operator (MNO) or any third party.In one embodiment, this server is to trust third party (TTP) server.Run through the description of disclosed technology, this server will be called as TTP.But this technology is not limited to this embodiment, and can use any server with disclosed technology.In case master agent sends the account identification symbol to TTP, TTP will send the account identification symbol to second main process equipment.Second memory device in second main process equipment identifier that will access to your account calculates certificate.Send this certificate from second main process equipment to server, and send this certificate from the master agent of server on first main process equipment.If certificate is effective, this card will allow the application on this equipment that requested content is conducted interviews.This card can return logging status to master agent.

As shown in Figure 2, need be to the visit of the content on the storage card in the hand-held set 105 125 from the certificate of the SIM card in the hand-held set 105 115.Usually, visit by a main process equipment (for example, hand-held set 105).But, if user operation should be visited these certificates from the SIM card on the hand-held set 105 115 except SIM card 115 storage card 125 on the equipment the apparatus operating thereon.Figure 14 describes the block scheme of a system that is used for visiting the content on the storage card of first main process equipment 304, and wherein, storage card is bound to the SIM card of operation in second main process equipment 305.This system comprises first main process equipment 304, and it uses first Device Host agency 175 to operate SIM card 115.Second main process equipment 305 is acted on behalf of 175A by second Device Host on second main process equipment 305 and is come operation store card 125.First and second main process equipments 304 and 305 can be any electronic equipments, such as mobile phone, media player, mobile computing device, non-moving computing equipment, personal digital assistant or other equipment arbitrarily.Two equipment need not be similar.Be similar to master agent 175 on first main process equipment 304 in the master agent 175 on second main process equipment 305, in Fig. 2, describe for these two.TTP 310 is used for SIM card 115 access certificate 135 from first main process equipment 304, so that second main process equipment 305 can use certificate 135 to exist in content on the storage card 125.For example, TTP 310 can be any server, such as the third-party server of trusting.Second main process equipment 305 is communicated by letter with TTP 310 by channel 2230.Hand-held set 105 uses channel 1315 to communicate by letter with TTP 310.

When entity requests by the master agent 175A on second main process equipment 305 during to the visit of the content on the storage card 125, the bindtype that master agent 175A is associated with requested content in the memory block 150 by control circuit 145 visit, and calculate account identification symbol based on bindtype, as describing among Fig. 2.

In case calculate the account identification symbol, master agent 175A sends the account identification symbol by channel 2320 to TTP 310., channel 2320 be can use the telecommunication capability of second equipment 305 transmit (OTA) number in the air according to safe lane, if second equipment 305 can be done like this.If second equipment 305 can access the Internet or other networks, channel 2320 can also transmit data by the Internet or other networks.Safe lane help to be transmitted in its before being sent out by this channel encrypted and after it receives by this channel decrypted data, obtain this data between transmission period, to prevent another entity by this channel.Set up safe lane by the session that begins to be used to transmit.This session has been assigned with session id.Each session id is associated with session key, and session key is the encryption key that is used to encrypt the data that will be transmitted.Session id and its corresponding session key can be positioned at the reference table of being kept by master agent 175A.From master agent 175A before TTP 310 sends the account identification symbol, master agent 175A is by coming open session to session assign sessions ID.Master agent 175A uses the session key that is associated with the session id of this session to encrypt the account identification symbol.Master agent 175A sends session id to TTP 310, and the account identification symbol of encrypting to TTP 310 transmission by channel 2320 then.TTP310 and master agent 175 are kept the reference table that is similar to the similar session id of being kept by master agent 175A.TTP 310 can use the session id that is sent by master agent 175A, the account identification symbol that is received to use the session key that is associated with this session id to decipher.Carry out the encryption and decryption of the content of safe lane by master agent 175A, master agent 175 or TTP 310, it can be supported such as symmetric cryptography (for example AES, DES, 3DES etc.), cryptographic hash function (for example SHA-1 etc.), asymmetric encryption (for example PKl, key to generate etc.) or any encryption method of other cryptographic methods arbitrarily.

In case TTP 310 slave unit master agent 175A receive the account identification symbol, TTP 310 sends the account identification symbol by channel 1315 to hand-held set master agent 175.Channel 1315 still can use the telecommunication capability of hand-held set 105 to transmit the safe lane of data OTA.TTP 310 can decipher the account identification symbol that receives from second equipment 305, and is used to be transferred to hand-held set 105 again.

The little application 140 of hand-held master agent 175 indication SIM is used the account identification of requested content to accord with and is calculated this certificate 135.When calculating certificate 135, master agent 175 sends this certificate by safe lane 1315 to TTP 310.

In case TTP 310 receives this certificate 135 from master agent 175, TTP 310 reaches the finite time amount at TTP place storage temporary credentials 135A.Temporary credentials 135A is stored, so that second equipment 305 can be visited this content once more by account identification symbol is provided to TTP 310 during limited time quantum, and this TTP 310 will be not necessarily SIM card 115 request certificates 135 from first main process equipment 304 once more.

TTP 310 sends certificate 135 by the master agent 175A of safe lane 2320 on second equipment 305.In one embodiment, master agent 175A uses certificate 135 to visit this content, as described in Figure 2.Device Host is acted on behalf of 175A and is also stored temporary credentials 135B and also reach limited time quantum, so that can during limited time quantum, visit this content, and not necessarily another account identification symbol or certificate 135 again.In one embodiment, act on behalf of 175A storage temporary credentials 135B, up to 305 outages of second equipment by Device Host.

Figure 15 is the process flow diagram that is used for visiting in the processing of the content that is similar to the system shown in Figure 14.In step 600, the Device Host on second equipment 305 is acted on behalf of the request that the file in the memory block 150 of the storage card 125 on second equipment 305 is visited in the 175A reception.When receiving this request, Device Host is acted on behalf of 175A visits requested content by the control module 145 of storage card 125 file header.The position of the bindtype of file header memory contents, TTP 310, such as for example universal resource locator of the position of TTP 310 (URL) and the MSISDN that is bound to the SIM card 115 of storage card 125.Device Host is acted on behalf of 175A can visit bindtype, TTP 310 positions and the MSISDN that is associated with this content in step 605.

In step 610, Device Host is acted on behalf of 175A and is determined that requested content is whether by prestrain or content clearly.The fabricator that the content of prestrain is stored card 125 is pre-loaded on the storage card 125.The content of prestrain can be a perhaps protected content in store in the public partition of storage card 125 unprotected.Know that content can be the unprotected content of storing in the public partition of storage card 125.If it is the prestrain content that master agent 175A determines requested content, master agent 175A allows request entity to visit this content (step 615).

If it is not prestrain or content clearly that master agent 175A determines requested content, master agent determines whether the bindtype of visit in step 605 is SIM card binding (step 620).Usually, when coming operation store card 125 with the SIM card on the identical device 115, the content that is bound to SIM card 115 can be only accessed.If requested content has the SIM card bindtype, master agent 175A refusal is to the visit (step 625) of this content.

If requested content is not tied to SIM card 115, master agent 175A determines whether requested content has NetID or CID bindtype (step 639).If requested content is not tied to MNO or storage card 125, master agent 175A returns mistake (step 635) to the entity of request.If requested content is bound to MNO or storage card 125, Device Host is acted on behalf of 175A and is visited suitable ident value (step 640) based on bindtype.For example, if requested content is bound to MNO, the ident value (for example MCC, MNC) of visit MNO.If requested content is bound to storage card 125, the ident value (for example CID) of visit storage card 125.

In step 645, Device Host is acted on behalf of 175A and is used accessed ident value to calculate the account identification symbol based on bindtype.As in the step 215 of Fig. 2 and described in Fig. 3, calculate the account identification symbol.Device Host is acted on behalf of 175A and is used the TTP position of visit in step 605 to locate TTP 310, and sends the ident value of account identification symbol, visit in step 640, the MSISDN of visit in step 605 and the bindtype (step 650) of visit in step 605 by safe lane 2320 to TTP 310.Device Host is acted on behalf of 175A and can be used API to come to send this information to TTP 310, and asks this certificate 135.The example of API can be the GetCredential order that comprises following parameter: CID, NetID (it can be " empty (null) ", if requested content is not tied to MNO), MSISDN and account identification symbol.Master agent 175A can use this api command to come by coming for this data allocations session id by safe lane 2320 to TTP 310 these data of transmission.In addition, TTP 310 keeps the database of information that can store such as CID, NetID, MSISDN, account identification symbol etc.

TTP 310 uses MSISDN to come with SIM card 115 location hand-held sets 105 (step 655).In case located SIM card 115, TTP 310 (for example sends account identification symbol, ident value by the master agent 175 of safe lane 1315 on hand-held set 105, NetID, CID) and bindtype, and the little application 140 transmission information (step 600) of the SIM of master agent 175 on SIM card 115.In step 665, the little application 140 of SIM uses the information that is received to calculate certificate 135 based on the bindtype of requested content.As what in the step 205 of Fig. 2 and Fig. 4, describe, calculate certificate 135.After having calculated certificate 135, little application 140 channels 1315 safe in utilization of SIM send certificate 135 (step 670) to TTP 310.

In case TTP 310 has received certificate 135, TTP 310 preserves temporary credentials 135A and reaches limited time quantum (step 675).Temporary credentials 135A is stored in the database that maintains TTP 310 places.That is to say that temporary credentials 135A and temporary credentials 135A should be maintained at the database with CID, NetID, MSISDN and account identification symbol from the time of TTP 310 deletions.

The Device Host of TTP 310 channels 2320 safe in utilization on another equipment 305 acted on behalf of 175A and sent certificate 135.Device Host is acted on behalf of the certificate that is received that the 175A deciphering sends by safe lane, and preservation temporary credentials 135B reaches limited time quantum (step 685) in master agent 175A.After limited time quantum, Device Host is acted on behalf of 175A deletion temporary credentials 135B.Device Host is acted on behalf of 175A and is used certificate 135 and account identification to accord with to attempt to sign in to the account (step 690) that is associated with requested content.Whether successfully Device Host is acted on behalf of 175A and is determined this login (step 692).That is to say that Device Host is acted on behalf of 175A and determined that this certificate is whether effective to the account that is associated with the account identification symbol.If this certificate is not effectively, then Device Host is acted on behalf of 175A and is sent wrong (step 695) to the entity of just asking.If this certificate is effective, Device Host is acted on behalf of 175A from storage card 125 visit requested contents (step 698).

Figure 16 is the process flow diagram that is used for the processing of the other guide of the storage card 125 of visit on second equipment 305 after the certificate of before having asked this content.The previous request of content can be similar to be described among Figure 15.In the step 700 in Figure 16, the Device Host on second equipment 305 is acted on behalf of another request that 175A receives visit file of storage in storage card 125.Device Host is acted on behalf of 175A and is determined whether requested content is prestrain or knows content (step 705).If requested content is prestrain or knows content that Device Host is acted on behalf of the visit (step 710) of 175A permission to this content.If requested content is not prestrain or knows content that Device Host is acted on behalf of 175A and determined whether requested content has SIM card bindtype (step 715).If requested content is bound to SIM card 115, Device Host is acted on behalf of the visit (step 720) of 175A refusal to requested content.If requested content is not tied to SIM card 115, Device Host is acted on behalf of 175A and is determined whether requested content is bound to MNO or storage card 125 (step 725).If requested content is not tied to MNO or storage card 125, Device Host is acted on behalf of 175A and is returned mistake (step 730) to the entity of request.

Determine that requested content is bound to MNO or storage card 125 if Device Host is acted on behalf of 175A, Device Host is acted on behalf of 175A and is determined that this Device Host acts on behalf of the temporary credentials 135B (step 735) whether 175A has had storage.Had temporary credentials 135B if Device Host is acted on behalf of 175A, Device Host is acted on behalf of 175A and is used temporary credentials 135B to attempt login and visit this document (step 765).If this document is effective, storage card 125 allows Device Host to act on behalf of 175A visit this document (step 770).

Do not have the temporary credentials 135B that is stored for requested content if Device Host is acted on behalf of 175A, Device Host is acted on behalf of 175A and is calculated account identification symbol (step 738) based on the bindtype of requested content.This is similar to the step 640-645 among Figure 15.Device Host is acted on behalf of 175A and is used in the file header be stored in requested content just that the TTP position visits TTP 310, and sends account identification symbols (step 740) by safe lane 2320 to TTP 310.

TTP 310 checks whether the account identification symbol that slave unit master agent 175A receives is stored in the TTP database (step 745) with temporary credentials 135A.If TTP 310 has had the temporary credentials 135A that is associated with the account identification symbol, TTP 310 acts on behalf of 175A by safe lane 2320 to Device Host and sends temporary credentials 135A (step 755).Device Host is acted on behalf of 175A and is used the certificate 135A received to act on behalf of at Device Host that storage temporary credentials 135B reaches limited time quantum (step 760) among the 175A.Device Host is acted on behalf of 175A and is used temporary credentials 135A to attempt to sign in to the account that is associated with the account identification symbol to visit this document (step 765).If this document is effective, storage card allows Device Host to act on behalf of 175A visit this document (step 770).

If TTP 310 does not have the temporary credentials 135A that is stored in its database, TTP 310 uses the account identification that receives in step 740 to accord with from SIM card 115 these certificates (step 750) of request.That is to say,, therefore carry out the step 455-480 of Fig. 6 because certificate before be not requested to be used for requested content.TTP 310 obtains certificate 315 from hand-held set 105, preserves temporary credentials 135A at TTP 310 places, and sends this certificate (more details are seen Figure 15, step 655-680) to second equipment 305.Device Host on another equipment 305 is acted on behalf of 175A and is preserved temporary credentials 135B and reach limited time quantum (step 760), attempts to use this certificate to login and visit this document (step 765), and if certificate 135 effectively then visit this document (step 770).

Figure 17 illustrates having and is used for parallel reading and the storage component part 870 of the read/write circuit of one page memory cell of programming (for example, NAND multimode flash memory).For example, storage component part 870 can be SIM card 115 or storage card 125.Storage component part 870 can comprise one or more memory chips or chip 805.Memory chips 805 comprises memory cell 800 (two dimension or three-dimensional) array, control circuit 810 and read/write circuit 835A and 835B.In one embodiment, on the opposite side of this array, realize by of the visit of various peripheral circuits, so that the density of access line on each side and circuit has reduced half with symmetrical manner memory array 800.Read/ write circuit 835A and 835B comprise a plurality of sensing block 845, and it allows parallel one page memory cell that reads or programme.This memory array 800 can be come addressing via row decoder 865A and 865B and by bit line via column decoder 840A and 840B by word line.In common embodiment, controller 855 is included in the same memory device 870 (for example removable storage card or bag) as one or more memory chips 805.Via line 860 between main frame and the controller 855 and via line 850 transmission command and data between controller and one or more memory chips 805.

Control circuit 810 is cooperated with 835B so that memory array 800 is carried out storage operation with read/write circuit 835A.Control circuit 810 comprises address decoder 825 and power control module 820 on firmware module 815, state machine 830, the chip.For example, firmware module 815 provides the security feature of storage component part 870, such as encryption and decryption.State machine 830 provides the chip-scale control of storage operation.On the chip address decoder 825 provide use by main frame or Memory Controller with by demoder 840A, 840B, 865A, and the address interface between the hardware address that uses of 865B.Power control circuit 820 is controlled at power and the voltage that is supplied to word line and bit line during the storage operation.In one embodiment, power control module 820 comprises the one or more charge pumps that can create greater than the voltage of supply voltage.

In one embodiment, in control circuit 810, power control circuit 820, decoder circuit 825, state machine circuit 830, firmware module 815, decoder circuit 840A, decoder circuit 840B, decoder circuit 865A, decoder circuit 865B, read/write circuit 835A, read/write circuit 835B and/or the controller 855 or combination in any can be called as one or more management circuits.One or more management circuits can carry out handling as memory access described here.

Figure 18 has described the example structure of memory cell array 800.In one embodiment, array of memory cells is divided into the big gauge block (for example, piece 0-1023 or another amount) of memory cell.As common for quickflashing EEPROM system, this piece can be the unit of wiping.Each piece can comprise the memory cell of the minimum number that is wiped free of together.Can also use wiping of other unit.

Piece comprises one group of NAND string via bit line (for example, bit line BLO-BL69623) and word line (WL0, WLl, WL2, WL3) visit.Figure 17 shows and is connected in series to form four memory cells of NAND string.Though show four memory elements to be included in each NAND string, can use than four more or less (for example, 16,32,64,128 or another quantity, or memory cell can be on the NAND string).One end of NAND string selects grid to be connected to corresponding bit lines via (be connected to and select grid logic line SGD's) drain electrode, and the other end is connected to source electrode line via (be connected to and select gate source polar curve SGS's) drain selection grid.

In one embodiment, bit line is divided into odd bit lines and even bitlines.In the odd/even bit-line architecture, be programmed a time along common word line and the memory cell that is connected to odd bit lines, and along common word line and the memory cell that is connected to even bitlines at another time programming.In another embodiment, all memory cells that are connected to common word line are programmed together.

Each piece is divided into a large amount of pages or leaves usually.In one embodiment, one page is the unit of programming.One page or multipage data are stored in the row memory elements usually.For example, one page or multipage data can be stored in the memory cell with common word line.One page can be stored one or more sectors.The sector comprises user data and overhead data (overhead data) (being also referred to as system data).The error correcting code (ECC) that overhead data generally includes header information and calculated from the user data of sector.Controller (or other assemblies) calculates ECC when data just are being programmed in the array, also when just checking it during reading of data from this array.Perhaps, ECC and/or other overhead datas be stored in they under user data different the page or leaf or even with piece in.The sector of user data is 512 bytes normally, corresponding to the size of the sector in disk.A large amount of pages or leaves form pieces, no matter from for example 8 pages up to 32,64,128 or multipage more.Can also use piece, page or leaf and the sector of other sizes.

The aforementioned detailed description of various embodiment is not intended to exhaustive or disclosed technical limitation is arrived disclosed precise forms.In the above teachings, many modifications and variations are possible.Select described embodiment so that the application of principle He its reality of present technique is described best, thereby to make that those skilled in the art can be in various embodiments and have the various modifications ground that is suitable for the concrete purposes conceived and use present technique best.Thus, aforementioned description is not intended to limit the scope of disclosed technology, and the scope of disclosed technology is described by claims.

Claims (61)

1. method that is used for accessed content comprises:

The account identification symbol that content definite and on first storage unit is associated in first equipment is coupled in to described first the being operated property of storage unit described first equipment;

Send the account identification symbol from described first device-to-server;

In described first equipment via described server from the second equipment acceptance certificate, described certificate accords with based on described account identification;

If certificate is effective, use the content of described certificate access in described first storage unit, described visit is undertaken by described first equipment.

2. according to the process of claim 1 wherein:

Described first storage unit is associated with second storage unit based on one or more ident values, is coupled in described second equipment described second memory cell operation, described determine to comprise based on described one or more ident values determine described account identification symbol.

3. according to the method for claim 2, also comprise: the bindtype that visit is associated with described content, described bindtype indication is corresponding to one or more identifiers of one or more ident values, and described visit is undertaken by described first equipment.

4. according to the method for claim 2, also comprise:

If one or more ident values are the identifiers that are associated with described second storage unit, then prevent visit to described content.

5. according to the method for claim 2, wherein: described one or more ident values are the identifiers that are associated with described first storage unit.

6. according to the method for claim 2, wherein: described one or more ident values are the identifiers that are associated with Internet Service Provider.

7. according to the method for claim 1, also comprise: in described first equipment, receive the described requests for content of visit, determine the step of account identification symbol in response to receiving described request.

8. according to the method for claim 1, also comprise:

Determine in described first equipment whether described certificate is effective.

9. according to the method for claim 1, also comprise:

If described certificate is effective, the other guide that visit is associated with described account identification symbol, described visit is undertaken by described first equipment.

10. according to the method for claim 9, also comprise:

The described certificate of storage reaches limited time quantum in described first equipment, the step of the other guide that conducts interviews during described limited time quantum; And

After described limited time quantum, delete described certificate.

11. according to the process of claim 1 wherein that the step that receives described certificate in described first equipment comprises:

Receive the encryption version of described certificate; And

Decipher the encryption version of described certificate.

12. the method according to claim 1 also comprises:

If described certificate is invalid, return mistake.

13. according to the process of claim 1 wherein:

Send described account identification symbol by the Internet connection to described server; And

Receive described certificate by the connection of described the Internet from described server.

14. according to the process of claim 1 wherein:

Send described account identification symbol by the mobile network to described server; And

Receive described certificate by described mobile network from described server.

15. the method according to claim 1 also comprises:

Visit is from the server address of described content, and

Use described server address to locate described server.

16. according to the process of claim 1 wherein: described first storage unit is removable non-volatile flash memory card.

17. according to the process of claim 1 wherein:

Described second storage unit is subscriber's identification module card.

18. one kind is used to provide the method to the visit of content, comprises:

Receive the account identification symbol from first equipment, described account identification symbol is associated with content on first storage unit that functionally is coupled in described first equipment;

Send the account identification symbol to second storage unit that functionally is coupled in second equipment, described second storage unit is associated with described first storage unit;

In response to sending described account identification symbol from the described second storage unit acceptance certificate, described certificate accords with based on described account identification; And

Send described certificate to described first equipment, if described certificate is effective, described certificate provides the visit to the content on described first storage unit.

19. the method according to claim 18 also comprises:

Based on being stored described certificate, first request of described certificate reaches limited time quantum;

From second request of described first equipment reception to described certificate;

During limited time quantum, come to send certificate to described first equipment corresponding to described second request; And

After described limited time quantum, delete described certificate.

20. according to the method for claim 18, the step that wherein sends described certificate comprises:

Encrypt described certificate; And

Send the encryption version of described certificate to described first equipment.

21. the method according to claim 18 also comprises:

Receive the identifier that is associated with described second storage unit from described first equipment; And

Use the identifier that is associated with described second storage unit to locate described second equipment.

22. according to the method for claim 18, wherein:

Send described account identification symbol by the mobile network to second storage unit; And

Receive described certificate by described mobile network from described second storage unit.

23. a method that is used for accessed content comprises:

Reception is to visiting in the requests for content that functionally is coupled on first storage card of first equipment, described first storage card is tied to second storage card based on the bindtype that is associated with described content, be coupled in to described second storing card operation second equipment, described reception is undertaken by the software entity on described first equipment;

Calculate the account identification symbol based on described bindtype, described calculating is undertaken by described software entity;

Send the account identification symbol from described software entity to server;

From server acceptance certificate, generate described certificate based on described account identification symbol and described bindtype by described second storage card at software entity; And

If described certificate is effective, use described certificate to visit described content, described visit is undertaken by described software entity.

24. the method according to claim 23 also comprises:

If described certificate is effective, the other guide that visit is associated with described account identification symbol.

25. the method according to claim 23 also comprises:

Visit is from the certificate of described server during limited time quantum.

26. a method that is used for accessed content comprises:

The account identification symbol that calculates and be associated in the content that functionally is coupled on first storage unit of first equipment, comprise the account identification symbol of calculating at the first equipment place, described first storage unit is associated with second storage unit that functionally is coupled in second equipment;

Send account identification symbol from described first equipment to described second equipment by server;

Generate certificate based on described account identification symbol, described certificate is generated by described second storage unit;

Receive certificate at the described first equipment place by described server from described second equipment; And

If described certificate is effective, use described certificate to visit content on described first storage unit.

27. the method according to claim 26 also comprises:

Come in described first equipment, to store described certificate based on first request and reach limited time quantum described content;

Reception is to second request of the other guide that is associated with described account identification symbol;

During limited time quantum, use described certificate to visit described other guide; And

The described certificate of deletion in described first equipment after described limited time quantum.

28. the method according to claim 26 also comprises:

Store described certificate at described server place and reach limited time quantum;

Receive request from described first equipment at described server to described certificate;

During limited time quantum, send described certificate to described first equipment from described server; And

Deletion is at the described certificate at described server place after described limited time quantum.

29. an equipment that is used for accessed content, described equipment comprises:

Processor; And

Can carry out to carry out following master agent by described processor:

The account identification symbol that content definite and on first storage unit is associated is coupled in to described first the being operated property of storage unit described equipment;

Send the account identification symbol from described device-to-server;

From the second equipment acceptance certificate, described certificate accords with based on described account identification via described server; And

If described certificate is effective, use described certificate to visit content in described first storage unit.

30., wherein, be coupled in described second equipment, and described first storage unit is tied to described second storage unit based on the bindtype that is associated with described content according to the equipment of claim 29 described second memory cell operation.

31. a method that is used for the updated stored device comprises:

In equipment, receive the request of replacing first storage unit with new storage unit, the described first cell stores first content and be bound to the 3rd storage unit based on one or more bindtype before receiving described request is coupled in described equipment described first storage unit and described the 3rd memory cell operation;

Send described first content to described new storage unit, send described first content to described new storage unit and undertaken by described equipment;

Be modified in the part of the first content in the described new storage unit based on described one or more bindtype, so that described new storage unit is tied to described the 3rd storage unit, the part of the described first content of described modification is undertaken by described equipment; And

Be modified in second content in described the 3rd storage unit based on described one or more bindtype, described modification second content is undertaken by described equipment.

32. the method according to claim 31 also comprises:

Send the first content of described first storage unit to server, describedly send described first content to server and before sending described first content, carry out to described new storage unit by described equipment;

Notify the user from described equipment, to remove described first storage unit, and after described first content is sent to described server, in described equipment, insert described new storage unit; And

In described equipment, receive described first content from described server;

Wherein, send described first content to described new storage unit and comprise the first content that receives from described server to described new storage unit transmission.

33., wherein, send described first content to described server and comprise according to the method for claim 32:

Be encrypted in the first content in the described equipment; And

Send the encryption version of described first content to described server from described equipment.

34., wherein, send described first content to described new storage unit and comprise according to the method for claim 33:

Decipher the encryption version of described first content, described deciphering is undertaken by described equipment, and

In new storage unit, store first content.

35. the method according to claim 32 also comprises:

Notifying described user to delete described first content from described first storage unit before removing first storage unit from described equipment, described deletion is undertaken by described equipment; And

Notify described server with the described first content of deletion in described server, described notice is being carried out after described server receives first content by described equipment.

36. according to the method for claim 32, wherein:

Send first content and receive described first content to server and undertaken by the mobile network.

37. according to the method for claim 31, wherein:

Described first storage unit is subscriber's identification module card;

Described first content comprises certificate, and described certificate provides the visit to the content on described the 3rd storage unit, comprises the visit to described second content; And

Described one or more bindtype is indicated concrete identifier, and described certificate is based on the one or more ident values corresponding to concrete identifier.

38. according to the method for claim 37, wherein said modification second content comprises:

Use visits second content in described the 3rd storage unit from the existing certificate of described first content, and described second content has the bindtype of one or more ident values of described first storage unit of sign;

Use one or more ident values of the described new storage unit of sign to determine the New Account identifier;

Send the New Account identifier to new storage unit;

Receive new authentication from new storage unit, described new authentication uses the New Account identifier to generate by new storage unit; And

Described second content is associated with New Account identifier and new authentication, and described new authentication provides the visit to described second content.

39. according to the method for claim 38, wherein, the step of revising the part of first content comprises:

The existing certificate of deletion; And preservation new authentication.

40. according to the method for claim 31, wherein:

Described first storage unit is removable non-volatile flash memory card;

Described the 3rd storage unit is subscriber's identification module card;

Described first content comprises file, the existing account that is associated with described file and the information that is associated with the configuration of file;

The certificate that provides the visit of described file is provided described second content; And

Described one or more bindtype is indicated concrete identifier, and described certificate is based on the one or more ident values corresponding to concrete identifier.

41., wherein, in equipment, receive the request of replacing first storage unit and comprise according to the method for claim 40:

Receive described new storage unit and be inserted in indication in the described equipment.

42. the method according to claim 41 also comprises:

Send first ident value that obtains from new storage unit to server, described first ident value of described transmission is undertaken by described equipment;

Notify the user to remove described new storage unit from described equipment, and insert described first storage unit, the described user of notice removes described new storage unit and is undertaken by described equipment;

Send the first content of described first storage unit to server, describedly send described first content to server and before sending described first content, carry out to described new storage unit by described equipment;

Notify the user to remove described first storage unit from described equipment, and after described first content is sent to server, insert described new storage unit in described equipment, the described user of notice removes described first storage unit and is undertaken by described equipment;

Notifying the user inserts new storage unit in described equipment after, send second ident value that obtains from the new storage unit of described equipment, inserting to described server;

Confirm whether described first ident value mates described second ident value, and described affirmation is undertaken by described server.

43., wherein, send described first content to described new storage unit and comprise according to the method for claim 40:

In new storage unit, set up New Account and be included in the New Account of setting up each existing account in the first content;

The permission of existing account is associated with New Account, and described permission indication is to the visit of concrete file; And

Come in new storage unit, to preserve file based on the information that is associated with the configuration of file.

44. according to the method for claim 43, wherein, a part of revising first content comprises:

First New Account of the part correlation connection of visit and described first content, the part of described first content is associated with bindtype, and described bindtype indicates one or more ident values to identify first storage unit;

Use one or more ident values of the described new storage unit of sign to determine the New Account identifier;

Send the New Account identifier to the 3rd storage unit;

Receive new authentication from the 3rd storage unit, described new authentication uses the New Account identifier to generate by the 3rd storage unit; And

New authentication and New Account identifier are associated with first New Account, and described new authentication provides the visit to the part of described first content.

45. according to the method for claim 44, wherein said modification second content comprises:

Preserve described new authentication; And

The existing certificate that deletion is associated with the existing account of the part of first content.

46. a method that is used for the updated stored device comprises:

Send certificate from first storage unit to server, be coupled in equipment described first memory cell operation, described step to server transmission certificate is controlled by the software entity on the described equipment;

Receive the notice that functionally has been coupled in the new storage unit of described equipment, described reception notification is controlled by described software entity;

Receive described certificate from described server, the described certificate of described reception is controlled by described software entity; And

Send described certificate to described new storage unit, describedly send described certificate to described new storage unit and control by described software entity.

47. according to the method for claim 46, wherein:

Described certificate provides the visit to the 3rd storage unit that functionally is coupled in described equipment, and described first storage unit was associated with the 3rd storage unit by one or more bindtype before newly being coupled in described equipment memory cell operation.

48. the method according to claim 47 also comprises:

Use the content of described certificate access in described the 3rd storage unit, described content is associated with described first storage unit by the ident value that identifies described first storage unit;

Use the ident value of the described new storage unit of sign to determine the New Account identifier;

Send the New Account identifier to new storage unit;

Receive new authentication from new storage unit, described new authentication uses the New Account identifier to generate; And

Described content is associated with New Account identifier and new authentication, and described new authentication provides the visit to described content.

49. the method according to claim 48 also comprises:

Create the New Account of the existing account that is associated with described content, comprise and set up the New Account with the permission that is associated with existing account, described existing content is associated with described first storage unit, and described New Account is associated with described new storage unit.

50. according to the method for claim 48, wherein:

Described content and the ident value that identifies described new storage unit.

51. the method according to claim 46 also comprises:

Notify the user with new memory cell operation be coupled in described equipment, described notice is controlled by described software entity.

52. a method that is used for the updated stored device comprises:

Use visits in the content that functionally is coupled on first storage unit of equipment at one or more certificates of second storage unit that functionally is coupled in equipment, described second storage unit is associated with described first storage unit based on described one or more certificates, and described accessed content is controlled by the software entity on the described equipment;

Send described content to described new storage unit under the control at described software entity after newly being coupled in described equipment memory cell operation; And

Notify described second storage unit to generate one or more new authentications that described content is associated with described new storage unit, described one or more new authentications provide the visit to described content, and described notice is undertaken by described software entity.

53. the method according to claim 52 also comprises:

Set up the account that is associated with content in the new storage unit based on one or more new authentications.

54. the method according to claim 52 also comprises:

Provide first ident value that obtains from new storage unit to server, described providing by described software entity undertaken;

Notify the user to remove new storage unit from functionally being coupled in described equipment, and after described first ident value is provided for server with described first memory cell operation be coupled in described equipment; And

Provide described content from described first storage unit to described server.

55. the method according to claim 54 also comprises:

After the content of described first storage unit is provided for described server, notify described user with new memory cell operation be coupled in described equipment;

Under the control of described software entity, receive described content from described server;

Wherein, under the control of described software entity, send the content that content comprises that transmission receives from described server to new storage unit.

56. the method according to claim 54 also comprises:

Notifying the user in described equipment, functionally to be coupled after the new storage unit, second ident value that obtains from described new storage unit is being provided to described server;

Confirm whether described first ident value mates described second ident value, and described affirmation is undertaken by described server.

57. according to the method for claim 52, wherein:

Described content comprises file and the permission that is associated with described file.

58., wherein, send described content to described new storage unit and comprise according to the method for claim 57:

If described permission indicates the described file should be encrypted, encrypt described file; And

In new storage unit, preserve the encryption version of described file.

59. an equipment that is used for the updated stored device, described equipment comprises:

Processor; And

Can be by the master agent of described processor execution, described master agent is configured to:

Receive the request of replacing first storage unit with new storage unit, the described first cell stores first content and be bound to the 3rd storage unit based on one or more bindtype before receiving described request is coupled in described equipment described first storage unit and described the 3rd memory cell operation;

Send described first content to described new storage unit;

Be modified in the part of the first content in the new storage unit based on described one or more bindtype, so that described new storage unit is tied to described the 3rd storage unit; And

Be modified in second content in described the 3rd storage unit based on described one or more bindtype.

60. according to the equipment of claim 59, wherein, described master agent be further configured with:

Before sending described first content, send the first content of described first storage unit to server to described new storage unit;

Notify the user from described equipment, to remove described first storage unit, and after described first content is sent to described server, in described equipment, insert described new storage unit; And

Receive described first content from described server in described equipment, wherein, the described first content that is sent to described new storage unit comprises the first content that receives from described server.

61. according to the equipment of claim 60, wherein, described master agent is configured to by being encrypted in the first content in the described equipment and sending described first content to server from described equipment originally to the encrypted version that described server sends described first content.

Images