WO2011080720A2 - Methods circuits apparatuses and systems for secure content duplication distribution and access - Google Patents


Info

Publication number
WO2011080720A2
Authority
WO
WIPO (PCT)
Prior art keywords
nvm
data
memory device
secure
content
Application number
PCT/IB2010/056152
Other languages
French (fr)
Other versions
WO2011080720A3 (en)
Inventor
Yoav Yogev
Original Assignee
Infinite Memory Ltd.
Application filed by Infinite Memory Ltd.
Publication of WO2011080720A2
Publication of WO2011080720A3


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11B INFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B20/00 Signal processing not specific to the method of recording or reproducing; Circuits therefor
    • G11B20/00086 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy
    • G11B20/00094 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy, involving measures which result in a restriction to authorised record carriers
    • G11B20/00115 Circuits for prevention of unauthorised reproduction or copying, e.g. piracy, involving measures which result in a restriction to authorised record carriers wherein the record carrier stores a unique medium identifier
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11B INFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
    • G11B2220/00 Record carriers by type
    • G11B2220/60 Solid state media

Definitions

  • Figure 1A shows the modules and steps of an exemplary duplication system and process, in accordance with some embodiments of the present invention
  • Figure 1B shows an exemplary secured duplication module, in accordance with some embodiments of the present invention.
  • Figure 2A shows an exemplary encrypted authentication and data communication scheme between a host device and a memory device, in accordance with some embodiments of the present invention.
  • Figure 2B shows an exemplary scrambling based security layer scheme, combined with the encrypted authentication and data communication scheme of FIG. 2A, in accordance with some embodiments of the present invention.
  • Embodiments of the present invention may include apparatuses for performing the operations herein.
  • Such apparatus may be specially constructed for the desired purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), electrically programmable read-only memories (EPROMs), electrically erasable and programmable read only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions, and capable of being coupled to a computer system bus.
  • Referring to FIG. 1A, there are shown, in accordance with some embodiments of the present invention, the modules and steps of an exemplary duplication system and process.
  • Open Content is communicated to an Encryption Logic Module where it is encrypted.
  • Encrypted content is then written onto a Secured Master Memory Device.
  • This initial process may, in accordance with some embodiments, be executed within a limited area of a Secured Zone in order to prevent the presence of any open, non-secured (e.g. not encrypted, not scrambled) content on the Production Floor, where it may be more prone to theft or unauthorized duplication.
  • the Secured Master containing the encrypted content may be connected to/interfaced with a Secured Duplication Module adapted to also connect to/interface with one or more Additional Memory Devices.
  • the Secured Duplication Module may comprise a Decryption Logic adapted to decrypt the content of the Secured Master and a Memory Device ID Based Encryption Logic adapted to receive one, or a set of, ID String(s) (identification string(s)) from each of the one or more Additional Memory Devices.
  • the Memory Device ID Based Encryption Logic may re-encrypt the decrypted content from the Secured Master at least partially based on ID String(s) of a first additional memory device (i.e. ID String(s) No. 1) and write the corresponding ID String(s) No. 1 Based Encrypted Content to the first additional memory device.
  • additional encrypted copy versions may be made, wherein each copy of the Secured Master written to a given Additional Memory Device is encrypted at least partially based on ID String(s) received from that same Additional Memory Device (e.g. Copy (n) of the content is encrypted using ID String(s) of Additional Memory Device (n) and once encrypted written onto Memory Device (n)'s NVM secured section).
  • one or more of the Additional Memory Devices may be used as a Secured Master Memory Device for duplicating its content onto further one or more additional memory devices.
  • a Secured Duplication Module comprising a Secured Master Memory Device Slot adapted to host a Secured Master Memory Device.
  • a Controller with Encryption/Decryption Logic may decrypt the content from the Secured Master and re-encrypt it using ID String(s) from each of the Additional Memory Devices hosted in the Secured Duplication Module's Copy Memory Device Slots 1 through n, wherein content encrypted using ID String(s) from the memory device hosted in Copy Memory Device Slot 1 is written back to that same Copy Memory Device Slot 1 memory device; content encrypted using ID String(s) from the memory device hosted in Copy Memory Device Slot 2 is written back to that same Copy Memory Device Slot 2 memory device; and content encrypted using ID String(s) from a given memory device hosted in Copy Memory Device Slot n is written back to that same Copy Memory Device Slot n memory device.
  • the memory device control logic may be further adapted to scramble the memory device's NVM array addresses of data requested by the host and to communicate the scrambled NVM array addresses to the host device.
  • Referring to FIG. 2A, there is shown, in accordance with some embodiments of the present invention, an exemplary encrypted authentication and data communication scheme between a Host Device and a Memory Device.
  • the Host Device may send a request to get the device's identification string(s) or value(s).
  • the Memory Device may, in response, communicate its identification string(s) or value(s) to the Host Device.
  • the Host Device may comprise a Password Generator adapted to generate a password based on the communicated identification string(s) or value(s) and pre-shared digital signature(s)/certificate(s)/value(s).
  • the generated, and possibly encrypted, password may be communicated to the Memory Device and decrypted by the memory device's Password Decryption Module based on the memory device's own identification string(s) or value(s) and the pre-shared digital signature(s)/certificate(s)/value(s).
  • a Password Authentication Module may authenticate the password (e.g. as generated by a host authorized to access its Secure NVM Portion content) and instruct the memory device's Control Logic to enter a Data Phase.
  • the memory device Control Logic may access Encrypted Data written to the memory device's Secure NVM Portion of its NVM Array and communicate it to the Host Device which may decrypt it using the pre-shared digital signature(s)/certificate(s)/value(s) and/or the identification string(s) or value(s) it received from the Memory Device during the ID Phase.
  • the now Decrypted Data may then be played back or otherwise output by the Host Device.
  • Referring to FIG. 2B, there is shown, in accordance with some embodiments of the present invention, an additional exemplary scrambling based security layer scheme, combined with the encrypted authentication and data communication scheme of FIG. 2A. It is, however, made clear that this scrambling based security layer, or any subparts of this security layer, may be practiced solely and/or in combination with any subparts of FIG. 2A's encrypted authentication and data communication scheme.
  • the Host Device and the Memory Device may each comprise a Pseudo-Random Bit Stream Generator adapted to generate and communicate a Pseudo-Random Bit Stream to a respective Data Scrambler/Unscrambler.
  • the Pseudo-Random Bit Stream Generator may generate the Pseudo-Random Bit Stream at least partially based on the pre-shared digital signature(s)/certificate(s)/value(s) or on the memory device identification string(s) or value(s); and/or based on a full or partial combination of both.
  • the Host Device generated password may be scrambled by the Host Device Data Scrambler/Unscrambler, at least partially based on the Host Device's Pseudo-Random Bit Stream Generator's Pseudo-Random Bit Stream, prior to its communication to the Memory Device.
  • the Memory Device may use its own respective Data Scrambler/Unscrambler to unscramble the received password, prior to its decryption and authentication.
  • Encrypted Data written to the Secure NVM Portion of the Memory Device, and/or to any other of the Memory Device's memory portions may be scrambled by the Memory Device Data Scrambler/Unscrambler, at least partially based on the Memory Device's Pseudo-Random Bit Stream Generator's Pseudo-Random Bit Stream, prior to its communication to the Host Device.
  • the Host Device may use its own respective Data Scrambler/Unscrambler to unscramble the received data, prior to its decryption and playback/output.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are methods, circuits, apparatuses and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card). A secured duplication module is adapted to access encrypted content from a source NVM device, to decrypt the content, and to re-encrypt the decrypted content for each of a set of target NVM devices, wherein re-encryption for each target device is based on a unique identifier of the given target device. Secured content communication between a Non-Volatile Memory (NVM) device and a host device uses an NVM device identification string and a pre-shared value based password, and scrambling techniques for secure password and content communication.

Description

Methods Circuits Apparatuses and Systems for Secure Content Duplication Distribution and Access
INVENTORS:
Yoav Yogev - Mazkeret-Batya, Israel
FIELD OF THE INVENTION
[001] The present invention generally relates to methods, circuits, apparatuses and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card). More specifically, the present invention relates to secured duplication of NVM based memory device(s) and authenticated, encrypted and/or scrambled solutions for content communication between NVM based memory device(s) and host device(s) thereof.
BACKGROUND
[002] The pirating of media players and of media player content continuously causes huge financial damage to manufacturers and distributors of media players and media player content, and to the entire media player market. Taking the above into account, there clearly remains a need for an antipiracy solution that may prevent the unauthorized copying of content, prevent illegal content from being activated on legal players, and prevent legal content and content storage devices from being activated on pirated, modified or cloned players.
[003] Taking the above into account, there clearly remains a need for better, more efficient methods, circuits, apparatuses and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card).
SUMMARY OF THE INVENTION
[004] Below are described a number of novel, innovative features of methods, circuits, apparatuses and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card).
[005] The present invention includes methods, circuits, apparatus and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card). According to some embodiments of the present invention, there is provided a non-volatile memory device (e.g. the media) including control logic (e.g. a controller) adapted to regulate access to data stored in a secure portion of a non-volatile memory (NVM) array of the device.
[006] According to some embodiments of the present invention, the content on the secure memory portion and/or other memory portions of a first memory device may be securely duplicated onto one or more additional memory devices as part of their production/programming phase. According to some embodiments of the present invention, an encryption logic module may be adapted to encrypt raw opened content prior to, or substantially at the time, of its writing onto the non-volatile memory (NVM) array of the first memory device.
[007] According to some embodiments of the present invention, the first memory device may be functionally associated with a secured duplication module adapted to: (1) decrypt the content received from the first memory device; (2) receive from each of the additional memory devices one or more identification strings, such as a chip serial number and/or one or more measured physical, electrical and/or operational parameters of the die's integrated circuit; (3) apply the identification string(s) as one or more factors in a single or multi-factor encryption scheme, wherein each identification string or group of identification strings is at least partially used to encrypt a copy of the first memory device's content which is to be written to the additional memory device from which that identification string or group of identification strings was obtained; and (4) write each of the encrypted content copies onto its respective additional memory device, i.e. the one from which the encryption identification string(s) have been obtained.
[008] According to some embodiments, there is provided a non-volatile memory device (e.g. the media) including control logic (e.g. a controller) adapted to regulate access to data stored in a secure portion of a non-volatile memory (NVM) array of the device. Regulating access to the secure portion of the NVM array may include password based authentication by a host device.
[009] According to further embodiments of the present invention, NVM cells on the NVM array or on circuitry associated with the control logic may store an identification string(s) or value(s) of the device, which identification string(s) or value(s) may be accessible or readable by a host device such as a media player. The password for accessing the secure portion of the NVM array may be based on some combination of a digital signature/certificate/value with the memory device's identification string(s) or value(s) (e.g. a first digital certificate encrypted using the device identification string(s) or value(s) as the encryption key).
[0010] According to further embodiments of the present invention, content stored on the secure portion of the NVM device may be encrypted using some key based encryption algorithm, where the key is some combination of a digital signature/certificate/value with the memory device's identification string(s) or value(s) (e.g. first or second digital certificate modified using the device identifier string or value).
[0011] According to some embodiments, a host device corresponding to a given memory device (i.e. knows the encryption algorithms, digital certificates, signatures or values, and/or encryption keys used to secure the data on the memory device) may access content stored on the secure NVM portion of the given memory device by: (1) reading the device's identification string(s) or value(s); (2) generating an access password using the identification string(s) or value(s) and some pre-shared digital signature/certificate/value; (3) scrambling the password using a host device generated random or pseudo-random value; (4) gaining access to the secure NVM portion by submitting the scrambled password (optionally: password encrypted using pre-shared key(s)) for authentication; (5) reading scrambled data stored on the secure portion; (6) unscrambling the read data using the random or pseudo-random value; and (7) decrypting the data stored on the secure portion using a combination of the pre-shared digital signature/certificate/value with the memory device's identification string(s) or value(s).
[0012] According to some embodiments of the present invention, the memory device control logic, having the needed password, may communicate the content from the secure portion of the non-volatile memory (NVM) array of the device to the host device. The memory device control logic may be adapted to read encrypted data from the secure portion, use the host generated random or pseudo-random value to scramble the encrypted data and communicate the encrypted and scrambled data to the host device. The host may use its own generated random or pseudo-random value to unscramble the received data and decrypt it using one or more second keys it possesses. The unscrambled and decrypted data may then be sent for playback.
[0013] According to some embodiments of the present invention, a new random or pseudo-random value may be generated by the host device and/or by the memory device either intermittently or when a predetermined amount of data (e.g. a certain number of pages) has been read from the memory device and communicated to the host device. According to some embodiments of the present invention, as the Pseudo-Random Bit Stream may be at least partially based on the pre-shared digital signature(s)/certificate(s)/value(s) and/or on the memory device identification string(s) or value(s) communicated to the host device, parallel (e.g. similar) Pseudo-Random Bit Streams may be generated by the host device's and the memory device's Pseudo-Random Bit Stream Generators. Thus, data scrambled by the host device's Data Scrambler/Unscrambler may be unscrambled by the memory device's Data Scrambler/Unscrambler and vice versa.
[0014] According to some embodiments of the present invention, the random or pseudorandom value may be generated by the host device based on: (1) A measurement of the host device on/off button pressing time; (2) A recording of white noise picked up by a microphone functionally associated with the host device; (3) One or more pseudo-random value sets saved on the host device built-in Serial Peripheral Interconnect (SPI) memory die; (4) on any combination of some or all of the above; and/or on any other random or pseudo-random value/bit-string generation method known today or to be devised in the future.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying appendix:
[0016] Figure 1A shows the modules and steps of an exemplary duplication system and process, in accordance with some embodiments of the present invention;
[0017] Figure 1B shows an exemplary secured duplication module, in accordance with some embodiments of the present invention;
[0018] Figure 2A shows an exemplary encrypted authentication and data communication scheme between a host device and a memory device, in accordance with some embodiments of the present invention; and
[0019] Figure 2B shows an exemplary scrambling based security layer scheme, combined with the encrypted authentication and data communication scheme of FIG. 2A, in accordance with some embodiments of the present invention.
DETAILED DESCRIPTION
[0020] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.
[0021] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as "processing", "computing", "calculating", "determining", or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices.
[0022] Embodiments of the present invention may include apparatuses for performing the operations herein. Such apparatus may be specially constructed for the desired purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs) electrically programmable read-only memories (EPROMs), electrically erasable and programmable read only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions, and capable of being coupled to a computer system bus.
[0023] The processes and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the desired method. The desired structure for a variety of these systems will appear from the description below. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the inventions as described herein.
[0024] The present invention includes methods, circuits, apparatus and systems for secure content duplication, distribution and/or access using Non-Volatile Memory (NVM) based media (e.g. SD Card). According to some embodiments of the present invention, there is provided a non-volatile memory device (e.g. the media) including control logic (e.g. a controller) adapted to regulate access to data stored in a secure portion of a non-volatile memory (NVM) array of the device.
[0025] According to some embodiments of the present invention, the content on the secure memory portion and/or other memory portions of a first memory device may be securely duplicated onto one or more additional memory devices as part of their production/programming phase. According to some embodiments of the present invention, an encryption logic module may be adapted to encrypt raw opened content prior to, or substantially at the time, of its writing onto the non-volatile memory (NVM) array of the first memory device.
[0026] According to some embodiments of the present invention, the first memory device may be functionally associated with a secured duplication module adapted to: (1) decrypt the content received from the first memory device; (2) receive from each of the additional memory devices one or more identification strings, such as a chip serial number and/or one or more measured physical, electrical and/or operational parameters of the die's integrated circuit; (3) apply the identification string(s) as one or more factors in a single- or multi-factor encryption scheme, wherein each identification string or group of identification strings is at least partially used to encrypt the copy of the first memory device's content which is to be written to the additional memory device from which that identification string or group of identification strings was obtained; and (4) write each of the encrypted content copies onto its respective additional memory device, i.e. the device from which the identification string(s) used for its encryption were obtained.
[0027] In FIG. 1A there are shown, in accordance with some embodiments of the present invention, the modules and steps of an exemplary duplication system and process. Open Content is communicated to an Encryption Logic Module where it is encrypted. Encrypted content is then written onto a Secured Master Memory Device. This initial process may, in accordance with some embodiments, be executed within a limited area of a Secured Zone in order to prevent the presence of any open non-secured (e.g. not encrypted, not scrambled) content on the Production Floor where it may be more prone to theft or unauthorized duplication.
[0028] According to some embodiments of the present invention, the Secured Master containing the encrypted content may be connected to/interfaced with a Secured Duplication Module adapted to also connect to/interface with one or more Additional Memory Devices. The Secured Duplication Module may comprise a Decryption Logic adapted to decrypt the content of the Secured Master and a Memory Device ID Based Encryption Logic adapted to receive one, or a set of, ID String(s) (identification string(s)) from each of the one or more Additional Memory Devices. The Memory Device ID Based Encryption Logic may re-encrypt the decrypted content from the Secured Master at least partially based on ID String(s) of a first additional memory device (i.e. ID String(s) No. 1) and write the corresponding ID String(s) No. 1 Based Encrypted Content to the first additional memory device. Similarly, additional encrypted copy versions may be made, wherein each copy of the Secured Master written to a given Additional Memory Device is encrypted at least partially based on ID String(s) received from that same Additional Memory Device (e.g. Copy (n) of the content is encrypted using ID String(s) of Additional Memory Device (n) and once encrypted written onto Memory Device (n)'s NVM secured section).
[0029] According to some embodiments of the present invention, one or more of the Additional Memory Devices may be used as a Secured Master Memory Device for duplicating its content onto further one or more additional memory devices.
[0030] In FIG. 1B there is shown, in accordance with some embodiments of the present invention, a Secured Duplication Module comprising a Secured Master Memory Device Slot adapted to host a Secured Master Memory Device. A Controller with Encryption/Decryption Logic may decrypt the content from the Secured Master and re-encrypt it using ID String(s) from each of the Additional Memory Devices hosted in the Secured Duplication Module's Copy Memory Device Slots 1 through n, wherein content encrypted using ID String(s) from the memory device hosted in Copy Memory Device Slot 1 is written back to that same Copy Memory Device Slot 1 memory device; content encrypted using ID String(s) from the memory device hosted in Copy Memory Device Slot 2 is written back to that same Copy Memory Device Slot 2 memory device; and content encrypted using ID String(s) from a given memory device hosted in Copy Memory Device Slot n is written back to that same Copy Memory Device Slot n memory device.
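The FIG. 1A/1B duplication flow as an added Python model, not the patent's or Infinite Memory Ltd.'s own code: the Secured Master is decrypted once and each target receives a copy under a key bound to that target's own ID strings, so a bit-exact copy of one target's secure portion fails its integrity check on any other chip. The toy stream cipher, the HMAC-SHA256 key derivation and all IDs, keys and content are assumptions made for the demo.

```python
"""Added example (not code from the patent or Infinite Memory Ltd.): the FIG. 1A/1B
duplication flow with per-device re-encryption. Open content is encrypted once under
a master key and written to the Secured Master; the Secured Duplication Module
decrypts it and writes each target a copy encrypted under a key derived from a
pre-shared value plus that target's own ID strings (chip serial and a measured die
parameter). The cipher is a toy PRF-counter stream with an HMAC tag (encrypt-then-MAC)
standing in for a real AEAD such as AES-GCM; key derivation is HMAC-SHA256. Keys, IDs
and content are constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import List

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-counter keystream: SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate stream and MAC keys so the tag key never doubles as the stream key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with a fresh nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag first (constant-time): a copy encrypted for another device,
    or a tampered copy, is rejected instead of being decrypted to garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong device key or tampered copy")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def device_key(pre_shared: bytes, id_strings: List[bytes]) -> bytes:
    """Memory Device ID Based Encryption key: the pre-shared value is one factor and
    each ID string read from the target device is a further factor."""
    return hmac.new(pre_shared, b"content-key|" + b"|".join(id_strings), hashlib.sha256).digest()

class MemoryDevice:
    """Target media: readable ID strings plus a secure NVM portion."""
    def __init__(self, serial: bytes, die_parameter: bytes):
        self.id_strings = [serial, die_parameter]  # chip serial + measured die parameter
        self.secure_nvm = b""

def write_secured_master(master_key: bytes, open_content: bytes) -> bytes:
    """Encryption Logic Module inside the Secured Zone (FIG. 1A)."""
    return encrypt(master_key, open_content)

def duplicate(master_key: bytes, master_blob: bytes, pre_shared: bytes,
              targets: List[MemoryDevice]) -> None:
    """Secured Duplication Module: decrypt the master once, then re-encrypt a copy
    for each target under that target's own ID-bound key (FIG. 1B)."""
    content = decrypt(master_key, master_blob)
    for dev in targets:
        dev.secure_nvm = encrypt(device_key(pre_shared, dev.id_strings), content)

def read_content(pre_shared: bytes, dev: MemoryDevice) -> bytes:
    """A host holding the pre-shared value rebuilds the key from the device's IDs."""
    return decrypt(device_key(pre_shared, dev.id_strings), dev.secure_nvm)

def demo() -> dict:
    """Constructed run: what each target yields, and whether a raw cell-by-cell
    copy of one target's secure portion is accepted on a different chip."""
    master_key, pre_shared = secrets.token_bytes(32), secrets.token_bytes(32)
    content = b"open content: track 01 (constructed sample)"
    dev1 = MemoryDevice(b"SN-0001", b"die-param-A")
    dev2 = MemoryDevice(b"SN-0002", b"die-param-B")
    duplicate(master_key, write_secured_master(master_key, content), pre_shared, [dev1, dev2])
    clone = MemoryDevice(b"SN-0003", b"die-param-C")
    clone.secure_nvm = dev1.secure_nvm          # bit-exact copy, but a different chip
    try:
        read_content(pre_shared, clone)
        clone_accepted = True
    except ValueError:
        clone_accepted = False
    return {"dev1": read_content(pre_shared, dev1),
            "dev2": read_content(pre_shared, dev2),
            "clone_accepted": clone_accepted,
            "copies_differ": dev1.secure_nvm != dev2.secure_nvm}
```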
[0031] According to some embodiments, there is provided a non-volatile memory device (e.g. the media) including control logic (e.g. a controller) adapted to regulate access to data stored in a secure portion of a non-volatile memory (NVM) array of the device. Regulating access to the secure portion of the NVM array may include password based authentication by a host device.
[0032] According to further embodiments of the present invention, NVM cells on the NVM array or on circuitry associated with the control logic may store an identification string(s) or value(s) of the device, which identification string(s) or value(s) may be accessible or readable by a host device such as a media player. The password for accessing the secure portion of the NVM array may be based on some combination of a digital signature/certificate/value with the memory device's identification string(s) or value(s) (e.g. first digital certificate encrypted using the device identification string(s) or value(s) as the encryption key).
[0033] According to further embodiments of the present invention, content stored on the secure portion of the NVM device may be encrypted using some key based encryption algorithm, where the key is some combination of a digital signature/certificate/value with the memory device's identification string(s) or value(s) (e.g. first or second digital certificate modified using the device identifier string or value).
[0034] According to some embodiments, a host device corresponding to a given memory device (i.e. knows the encryption algorithms, digital certificates, signatures or values, and/or encryption keys used to secure the data on the memory device) may access content stored on the secure NVM portion of the given memory device by: (1) reading the device's identification string(s) or value(s); (2) generating an access password using the identification string(s) or value(s) and some pre-shared digital signature/certificate/value; (3) scrambling the password using a host device generated random or pseudo-random value; (4) gaining access to the secure NVM portion by submitting the scrambled password (optionally: password encrypted using pre-shared key(s)) for authentication; (5) reading scrambled data stored on the secure portion; (6) unscrambling the read data using the random or pseudo-random value; and (7) decrypting the data stored on the secure portion using a combination of the pre-shared digital signature/certificate/value with the memory device's identification string(s) or value(s).
[0035] According to some embodiments of the present invention, the memory device control logic, having the needed password, may communicate the content from the secure portion of the non-volatile memory (NVM) array of the device to the host device. The memory device control logic may be adapted to read encrypted data from the secure portion, use the host generated random or pseudo-random value to scramble the encrypted data and communicate the encrypted and scrambled data to the host device. The host may use its own generated random or pseudo-random value to unscramble the received data and decrypt it using one or more second keys it possesses. The unscrambled and decrypted data may then be sent for playback.
[0036] According to some embodiments of the present invention, the memory device control logic may be further adapted to scramble the memory device's NVM array addresses of data requested by the host and to communicate the scrambled NVM array addresses to the host device.
[0037] In FIG. 2A there is shown, in accordance with some embodiments of the present invention, an exemplary encrypted authentication and data communication scheme between a Host Device and a Memory Device. According to some embodiments, in an exemplary ID Phase, the Host Device may send a request to get the device's identification string(s) or value(s). The Memory Device may, in response, communicate its identification string(s) or value(s) to the Host Device. The Host Device may comprise a Password Generator adapted to generate a password based on the communicated identification string(s) or value(s) and pre-shared digital signature(s)/certificate(s)/value(s). The generated, and possibly encrypted, password may be communicated to the Memory Device and decrypted by the memory device's Password Decryption Module based on the memory device's own identification string(s) or value(s) and the pre-shared digital signature(s)/certificate(s)/value(s). A Password Authentication Module may authenticate the password (e.g. as generated by a host authorized to access its Secure NVM Portion content) and instruct the memory device's Control Logic to enter a Data Phase.
[0038] According to some embodiments, in an exemplary Data Phase, the memory device Control Logic may access Encrypted Data written to the memory device's Secure NVM Portion of its NVM Array and communicate it to the Host Device, which may decrypt it using the pre-shared digital signature(s)/certificate(s)/value(s) and/or the identification string(s) or value(s) it received from the Memory Device during the ID Phase. The now Decrypted Data may then be played back or otherwise output by the Host Device.
[0039] In FIG. 2B there is shown, in accordance with some embodiments of the present invention, an additional exemplary scrambling based security layer scheme, combined with the encrypted authentication and data communication scheme of FIG. 2A. It is, however, made clear that this scrambling based security layer, or any subparts of this security layer, may be practiced solely and/or in combination with any subparts of FIG. 2A's encrypted authentication and data communication scheme. According to some embodiments, the Host Device and the Memory Device may each comprise a Pseudo-Random Bit Stream Generator adapted to generate and communicate a Pseudo-Random Bit Stream to a respective Data Scrambler/Unscrambler. The Pseudo-Random Bit Stream Generator may generate the Pseudo-Random Bit Stream at least partially based on the pre-shared digital signature(s)/certificate(s)/value(s) or on the memory device identification string(s) or value(s); and/or based on a full or partial combination of both.
[0040] According to some embodiments of the present invention, as part of an exemplary ID Phase, the Host Device generated password may be scrambled by the Host Device Data Scrambler/Unscrambler, at least partially based on the Host Device's Pseudo-Random Bit Stream Generator's Pseudo-Random Bit Stream, prior to its communication to the Memory Device. The Memory Device may use its own respective Data Scrambler/Unscrambler to unscramble the received password, prior to its decryption and authentication.
[0041] According to some embodiments of the present invention, as part of an exemplary Data Phase, Encrypted Data written to the Secure NVM Portion of the Memory Device, and/or to any other of the Memory Device's memory portions, may be scrambled by the Memory Device Data Scrambler/Unscrambler, at least partially based on the Memory Device's Pseudo-Random Bit Stream Generator's Pseudo-Random Bit Stream, prior to its communication to the Host Device. The Host Device may use its own respective Data Scrambler/Unscrambler to unscramble the received data, prior to its decryption and playback/output.
[0042] According to some embodiments of the present invention, a new random or pseudo-random value may be generated by the host device and/or by the memory device either intermittently or when a predetermined amount of data (e.g. a certain number of pages) has been read from the memory device and communicated to the host device. According to some embodiments of the present invention, as the Pseudo-Random Bit Stream may be at least partially based on the pre-shared digital signature(s)/certificate(s)/value(s) and/or on the memory device identification string(s) or value(s) communicated to the host device, parallel (e.g. similar) Pseudo-Random Bit Streams may be generated by the host device's and the memory device's Pseudo-Random Bit Stream Generators. Thus, data scrambled by the host device's Data Scrambler/Unscrambler may be unscrambled by the memory device's Data Scrambler/Unscrambler and vice versa.
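The FIG. 2A/2B exchange with both sides' messages, as an added Python model that is not the patent's or Infinite Memory Ltd.'s own code: the password derivation, a Pseudo-Random Bit Stream Generator seeded on both sides from the pre-shared value, the device ID and a host nonce, per-page scrambling of the stored encrypted data, and the periodic re-seeding of [0042]. The HMAC/SHA-256 constructions, the page size, the reseed interval and all IDs and values are assumptions made for the demo.

```python
"""Added example (not code from the patent or Infinite Memory Ltd.): FIG. 2A ID and
Data Phases with the FIG. 2B scrambling layer. The host derives the access password
from the device ID string and a pre-shared value, scrambles it with a Pseudo-Random
Bit Stream seeded from those two plus a host nonce, and sends scrambled password and
nonce. The device seeds the same stream, unscrambles, authenticates in constant time,
then serves each page of stored encrypted data scrambled; the host unscrambles. The
stream is re-seeded every PAGES_PER_RESEED pages ([0042]). Stored content is opaque,
already-encrypted bytes (constructed); decrypting it is step (7) of [0034], not shown."""
import hashlib
import hmac
import secrets
from typing import List, Optional

PAGE_SIZE = 16
PAGES_PER_RESEED = 4

def derive_password(pre_shared: bytes, device_id: bytes) -> bytes:
    """Password Generator: pre-shared value combined with the device ID string."""
    return hmac.new(pre_shared, b"access-password|" + device_id, hashlib.sha256).digest()

class PRBSGenerator:
    """Both sides build one from the same inputs, so the streams stay in step as
    long as both consume equal-length chunks in the same order."""

    def __init__(self, pre_shared: bytes, device_id: bytes, nonce: bytes):
        self.seed = hmac.new(pre_shared, b"prbs|" + device_id + b"|" + nonce,
                             hashlib.sha256).digest()
        self.counter = 0

    def bits(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.seed + self.counter.to_bytes(4, "big")).digest()
            self.counter += 1
        return bytes(out[:n])

    def reseed(self, nonce: bytes) -> None:
        """Fresh stream after a predetermined number of pages ([0042])."""
        self.seed = hashlib.sha256(self.seed + nonce).digest()
        self.counter = 0

def scramble(prbs: PRBSGenerator, data: bytes) -> bytes:
    """XOR with the stream; the identical call unscrambles on the other side."""
    return bytes(d ^ k for d, k in zip(data, prbs.bits(len(data))))

class MemoryDevice:
    def __init__(self, device_id: bytes, pre_shared: bytes, pages: List[bytes]):
        self.device_id = device_id          # unsecure cells: readable by any host
        self._pre_shared = pre_shared       # encryption factor kept in secure cells
        self._secure_nvm = list(pages)
        self._prbs: Optional[PRBSGenerator] = None
        self._authenticated = False

    def page_count(self) -> int:
        return len(self._secure_nvm)

    def authenticate(self, scrambled_password: bytes, host_nonce: bytes) -> bool:
        """ID Phase: rebuild the stream, unscramble, compare without timing leaks."""
        self._prbs = PRBSGenerator(self._pre_shared, self.device_id, host_nonce)
        received = scramble(self._prbs, scrambled_password)
        expected = derive_password(self._pre_shared, self.device_id)
        self._authenticated = hmac.compare_digest(received, expected)
        return self._authenticated

    def read_page(self, index: int, reseed_nonce: Optional[bytes] = None) -> bytes:
        """Data Phase: locked until authenticated; every page leaves scrambled."""
        if not self._authenticated:
            raise PermissionError("secure NVM portion locked: authenticate first")
        if reseed_nonce is not None:
            self._prbs.reseed(reseed_nonce)
        return scramble(self._prbs, self._secure_nvm[index])

class HostDevice:
    def __init__(self, pre_shared: bytes):
        self._pre_shared = pre_shared

    def read_secure_content(self, dev: MemoryDevice) -> Optional[bytes]:
        """Returns the still-encrypted pages, or None if the device rejects us."""
        nonce = secrets.token_bytes(16)   # fresh per session: bus traffic never repeats
        prbs = PRBSGenerator(self._pre_shared, dev.device_id, nonce)
        password = derive_password(self._pre_shared, dev.device_id)
        if not dev.authenticate(scramble(prbs, password), nonce):
            return None
        pages = []
        for i in range(dev.page_count()):
            reseed = secrets.token_bytes(8) if i and i % PAGES_PER_RESEED == 0 else None
            if reseed:
                prbs.reseed(reseed)
            pages.append(scramble(prbs, dev.read_page(i, reseed)))
        return b"".join(pages)

# Constructed sample: nine pages standing in for ID-key-encrypted content.
PRE_SHARED = hashlib.sha256(b"constructed pre-shared value").digest()
ENCRYPTED_PAGES = [hashlib.sha256(b"page-%d" % i).digest()[:PAGE_SIZE] for i in range(9)]
```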
[0043] According to some embodiments of the present invention, the random or pseudorandom value may be generated by the host device based on: (1) A measurement of the host device on/off button pressing time; (2) A recording of white noise picked up by a microphone functionally associated with the host device; (3) One or more pseudo-random value sets saved on the host device built-in Serial Peripheral Interconnect (SPI) memory die; (4) on any combination of some or all of the above; and/or on any other random or pseudo-random value/bit-string generation method known today or to be devised in the future.
[0044] It is hereby made clear that all scrambling, encryption, content access and authentication features, techniques and schemes between a memory device and a host device taught hereinbefore may also be applicable to secured master (source) memory device to secured duplication module and secured duplication module to additional (target) memory device(s) communications.
[0045] While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims

1. A Non-Volatile Memory (NVM) based digital content storage device comprising: a set of NVM cells including an unsecure subset of cells and a secure subset of cells, wherein the unsecure subset of cells stores one or more unique device identifiers and the secure subset of cells stores: (a) one or more encryption factors, and (b) content related data;
control logic adapted to provide credential based access to the secure portion of the NVM array; and
a credential decryption module adapted to decrypt secure cell access credentials provided by a host device, wherein decryption is based at least partially on the unique identifier and at least partially on the one or more encryption factors.
2. The device according to claim 1, further comprising a secure cell access credentials authentication module adapted to authenticate credentials received by the device and decrypted by said credential decryption module.
3. The device according to claim 1, wherein content stored on the secure cells is encrypted at least partially based on the unique identifier and at least partially based on the one or more encryption factors.
4. The device according to claim 1, further comprising a pseudorandom bit stream generator adapted to generate scrambling bits based at least partially on data exchanged between said device and a host device.
5. The device according to claim 4, further comprising a data scrambler adapted to use the scrambling bits to scramble data bits sent to a host.
6. The device according to claim 4, further comprising a data descrambler adapted to use the scrambling bits to descramble data bits received from a host.
7. A Non-Volatile Memory (NVM) based digital content player comprising: interface circuitry for interfacing with an NVM based digital content storage device, which storage device includes a set of NVM cells including an unsecure subset of cells and a secure subset of cells, wherein the unsecure subset of cells stores one or more unique device identifiers and the secure subset of cells stores: (a) one or more encryption factors, and (b) content related data;
control logic adapted to regulate communication with the NVM based digital content storage device by: (1) reading the one or more unique device identifiers, (2) generating credentials for accessing the subset of secure cells using the unique identifier, (3) encrypting the credentials using a local copy of the one or more encryption factors, and (4) submitting the encrypted credentials to the content storage device.
8. The player according to claim 7, further comprising a decryption module adapted to decrypt content stored on the secure cells at least partially based on the unique identifier and at least partially based on the local copy of the one or more encryption factors.
9. The device according to claim 7, further comprising a pseudorandom bit stream generator adapted to generate scrambling bits based at least partially on data exchanged between said player and the storage device.
10. The device according to claim 9, further comprising a data scrambler adapted to use the scrambling bits to scramble data bits sent to a storage device.
11. The device according to claim 9, further comprising a data descrambler adapted to use the scrambling bits to descramble data bits received from the storage device.
12. A system for secure duplication of content stored on a Non Volatile Memory (NVM) device comprising: a secured duplication module adapted to access encrypted content from a source NVM device, wherein accessing secured content includes providing the source NVM device with secure cell access credentials encrypted at least partially using a unique identifier of the first NVM;
a decryption module adapted to decrypt the accessed content; and encryption logic adapted to re-encrypt the decrypted content for each of a set of target NVM devices, wherein re-encryption for each target device is at least partially based on a unique identifier of the given target device.
13. The system of claim 12, wherein said encryption logic is adapted to receive one or more identification strings corresponding to each of one or more target NVM devices.
14. A system for secured content communication between a Non Volatile Memory (NVM) device and a host device comprising:
a password generator adapted to receive one or more identification strings corresponding to the NVM device and generate a password at least partially based on both the identification string and a value pre-shared between the host and the NVM device;
a random value generator adapted to generate a random or pseudo-random value; and
a password scrambler adapted to receive the password from said password generator and the random value from said random value generator, scramble the password at least partially based on the random or pseudo-random value and communicate the scrambled password and the random or pseudo-random value for authentication by the host device.
15. The system according to claim 14 further comprising:
A memory device data scrambler adapted to receive encrypted data from a secure NVM portion of the memory device, to scramble it using the communicated random or pseudo-random value and to communicate the encrypted and scrambled data to the host device.
16. A system for securing a host's memory device bus data traffic comprising:
A host device random value generator adapted to generate a random or pseudorandom value;
A host memory device bus adapted to communicate the random or pseudorandom value to a memory device;
A memory device data scrambler adapted to scramble data read from the memory device's Non Volatile Memory (NVM) and to communicate scrambled data to the host memory device bus.
17. The system according to claim 16 wherein said memory device data scrambler is further adapted to scramble the memory device's NVM array addresses of data requested by the host and to communicate the scrambled NVM array addresses to the host memory device bus.
PCT/IB2010/056152 2009-12-31 2010-12-31 Methods circuits apparatuses and systems for secure content duplication distribution and access WO2011080720A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US29141809P 2009-12-31 2009-12-31
US61/291,418 2009-12-31

Publications (2)

Publication Number Publication Date
WO2011080720A2 true WO2011080720A2 (en) 2011-07-07
WO2011080720A3 WO2011080720A3 (en) 2011-08-25

Family

ID=44226915

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2010/056152 WO2011080720A2 (en) 2009-12-31 2010-12-31 Methods circuits apparatuses and systems for secure content duplication distribution and access

Country Status (1)

Country Link
WO (1) WO2011080720A2 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10840696

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10840696

Country of ref document: EP

Kind code of ref document: A2