TREA

Access control for secure portable storage device

Follow

Information

  • Patent Application
  • 20080028452
  • Publication Number
    20080028452
  • Date Filed
    December 12, 2006
    18 years ago
  • Date Published
    January 31, 2008
    17 years ago
Information
Abstract
The invention provides an access control for a secure portable storage device. The control method is applied to a host for accessing from the secure portable storage device. The control method includes the following steps. First, the host transmits a first key into a first temporary space in the file system of the secure portable storage device. Next, the secure portable storage device verifies if the first key is valid. If the first key is valid, an encrypted content key is duplicated into a second temporary space. Then, the encrypted content key is uploaded to the host. Afterward, the encrypted content key is decrypted into a content key. Lastly, an encrypted content data stored in the secure portable storage device is decrypted into a content data by use of the content key.
Description

BRIEF DESCRIPTION OF THE APPENDED DRAWINGS


FIG. 1 is a system context diagram showing a host accessing from a secure portable storage device according to a preferred embodiment of the invention.



FIG. 2 is a flowchart of an access control method according to the preferred embodiment of invention.





DETAILED DESCRIPTION OF THE INVENTION

The present invention provides an access control for a secure portable storage device. The access control is applicable to a host for accessing from the secure portable storage device. In particular, the host and the secure portable storage device cross-verify a key through a file system. The preferred embodiment according to the invention discloses the followings.


First, referring to FIG. 1, FIG. 1 is a system context diagram showing a host 1 accessing from a secure portable storage device 2 according to a preferred embodiment of the invention. The host 1 includes a first decrypting module 11 and a second decrypting module 12. The secure portable storage device 2 includes a file system 21, a controlling/processing module 22, a memory 23, and a buffer 24.


The host 1 described above can be an electronic device with an arithmetic function, such as a computer, a handheld communication device, a personal digital assistant, or a digital video disc playing device. The secure portable storage device 2 described above is used for storing encrypted content data, and the secure portable storage device 2 is usually called a memory card. The specification of the memory card described previously can be one selected from the specifications of a CompactFlash Card, a SmartMedia Card, a MultiMedia Card, a Memory Stick Card, an SD Memory Card, or an XD-Picture Card. The secure portable storage device 2 includes a transmission interface 20. As shown in FIG. 1, the secure portable storage device 2 can be detachably connected to the host 1 through the transmission interface 20.


In the secure portable storage device 2 in FIG. 1, the file system 21, coupled to the host 1, is configured to store encrypted content data. The file system 21 includes a first temporary space 211 and a second temporary space 212. In this case, each of the first temporary space 211 and the second temporary space 212 is a respective file. The file system 21 can also be a system context complying with a FAT 12 file system specification, a FAT 16 file system specification, a FAT 32 file system specification, or a NTFS file system specification, in accordance with applications in different environments. The controlling/processing module 22, coupled to the file system 21 and the memory 23, respectively, is a micro-controller, which is responsible for the controlling and the arithmetic functions of the secure portable storage device 2.


In the preferred embodiment of the invention, the host 1 pre-stores a first key, and the memory 23 of the secure portable storage device 2 pre-stores an encrypted content key. When the host 1 starts to access the secure portable storage device 2, the host transmits the first key to the first temporary space 211 of the secure portable storage device 2. The controlling/processing module 22 accesses the first key, and verifies if the first key is valid. If the first key is valid, the encrypted content key is duplicated into the second temporary space 212. The host 1 also uploads the encrypted content key stored in the second temporary space 212 by itself. The first decrypting module 11 of the host 1 is an arithmetic unit. The first decrypting module 11 uses the first key to decrypt the encrypted content key into a content key. The second decrypting module 12 uses the content key to decrypt the encrypted content data into content data. The host 1 can then transmit the content data out normally.


The decrypting algorithm built in the first decrypting module 11 and the second decrypting module 12 are prior art, and the decrypting algorithm is written in accordance with practical needs. Therefore, the decrypting algorithm is not described in details here.


Then, referring to FIG. 2, FIG. 2 is a flowchart of the access control method 3 according to the preferred embodiment of invention. Please refer to FIG. 1 and relevant figure for the related system context. In FIG. 2, the step S30 of the control method 3 is first performed when the host 1 requests to access the encrypted content data of the secure portable storage device 2.


Next, the host 1 transmits the first key to the first temporary space 211 of the secure portable storage device 2 (step S31).


Then, the secure portable storage device 2 performs the verifying of the first key, in response to the change in the first temporary space 211. The controlling/processing module 22 downloads the first key stored in the first temporary space 211 to the buffer 24 to verify if the first key is valid (Step S32).


If the first key is verified to be valid, the step S33 is performed. The controlling/processing module 22 duplicates the encrypted content key pre-stored in the memory 23 into the second temporary space 212 (step S33).


Next, the controlling/processing module 22 uploads the encrypted content key stored in the second temporary space 212 to the host 1 (Step S34).


Next, the first decrypting module 11 uses the first key to decrypt the encrypted content key into the content key (Step S35).


Finally, the second decrypting module 12 uses the content key to decrypt the encrypted content data into content data (Step S36).


The inventor states that after the control method 3 is started and before the host 1 transmits the first key to the first temporary space 211, the controlling/processing module 22 can first clear the content of the first temporary space 211 and the second temporary space 212. At the same time, as described in step S34, after the second key stored in the second temporary space 212 is uploaded to the host 1, the controlling/processing module 22 can also clear the second temporary space 212. In this way, the security of the first key and the encrypted content key can be more complete.


In one embodiment of the invention, the memory 23 pre-stores a second key. In step S32, the verification of the first key is performed by comparing the first key with the second key.


In one preferred embodiment of the invention, the host 1 also includes a pre-stored third key. In the step S35, the decryption of the encrypted content key can be performed by use of the first key and the third key at the same time, or by using either the first key or the third key. The decryption method described here uses a combination of the first key and the third key to perform a decryption.


Accordingly, by the specifications of the invention above, one can clearly see that the access control of the secure portable storage device disclosed in the invention performs, based on the file system, the verification process of the key between the host and the secure portable storage device. At the same time, the performing of the decrypting algorithm of the encrypted content key is totally responsible by the host. In prior art, the verification process is performed through the protocol, and the decrypting algorithm of the encrypted content data is performed in the secure portable storage device. Obviously, the technology according to the invention differs from that according to prior art, and according to the access control method of the secure portable storage device of the invention, the host no longer needs to install a driver corresponding to the upgraded version to cope with the secure portable storage device when its hardware is upgraded. Moreover, the decrypting algorithm of the encrypted content key is totally the responsibility of the host, thus guaranteeing the copy control mechanism of copyrighted data.


With the example and explanations above, the features and spirits of the invention will be hopefully well described. Those skilled in the art will readily observe that numerous modifications and alterations of the device may be made while retaining the teaching of the invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.

Claims
  • 1. A secure portable storage device capable of being detachably connected to a host comprising a first decrypting module, a second decrypting module, and a pre-stored first key, said secure portable storage device comprising: a file system, coupled to the host and configured to store an encrypted content data, having a first temporary space and a second temporary space;a controlling/processing module being coupled to the file system; anda memory, coupled to the controlling/processing module, storing therein an encrypted content key;
  • 2. The secure portable storage device of claim 1, wherein the memory also stores a second key, and the controlling/processing module compares the first key with the second key to verify if the first key is valid.
  • 3. The secure portable storage device of claim 1, wherein the host also comprises a pre-stored third key, the first decrypting module decrypts the encrypted content key into the content key by use of the first key and the third key.
  • 4. The secure portable storage device of claim 1, further comprising a buffer coupled to the controlling/processing module, wherein the controlling/processing module downloads the first key stored in the first temporary space to the buffer before verifying if the first key is valid.
  • 5. The secure portable storage device of claim 1, wherein the controlling/processing module clears the first temporary space and the second temporary space before the host transmits the first key to the secure portable storage device.
  • 6. The secure portable storage device of claim 5, wherein the controlling/processing module detects the change in the first temporary space, and executes the verifying of the first key in response to the change in the first temporary space.
  • 7. The secure portable storage device of claim 1, wherein the file system complies with one selected from the group consisting of a FAT12 file system specification, a FAT16 file system specification, a FAT32 file system specification, and a NTFS file system specification.
  • 8. The secure portable storage device of claim 1, wherein after the encrypted content key stored in the second temporary space is uploaded to the host, the host clears the second temporary space.
  • 9. A control method for accessing from a secure portable storage device by a host comprising a pre-stored first key, the secure portable storage device, capable of being detachably connected to the host, comprising a memory therein storing an encrypted content key and a file system, the file system, coupled to the host and configured to store an encrypted content data, having a first temporary space and a second temporary space, said control method comprising the steps of: transmitting the first key to the first temporary space;verifying if the first key is valid, and if the first key is verified to be valid, duplicating the encrypted content key stored in the memory into the second temporary space;uploading the encrypted content key stored in the second temporary space to the host;decrypting the encrypted content key into a content key by use of the first key; anddecrypting the encrypted content data into a content data by use of the content key.
  • 10. The control method of claim 9, wherein the memory also stores a second key, and the verifying of the first key is performed by comparing the first key with the second key.
  • 11. The control method of claim 9, wherein the host also comprises a pre-stored third key, the decrypting of the encrypted content key into the content key is performed by use of the first key and the third key.
  • 12. The control method of claim 9, wherein the first temporary space and the second temporary space are cleared before transmitting the first key to the first temporary space.
  • 13. The control method of claim 12, wherein the verifying of the first key is performed in response to the change in the first temporary space.
  • 14. The control method of claim 9, wherein the file system complies with one selected from the group consisting of a FAT12 file system specification, a FAT16 file system specification, a FAT32 file system specification, and a NTFS file system specification.
  • 15. The control method of claim 9, wherein after the second key stored in the second temporary space is uploaded to the host, the second temporary space is cleared.
Priority Claims (1)
Number Date Country Kind
095127225 Jul 2006 TW national