IPC분류정보
국가/구분 |
United States(US) Patent
등록
|
국제특허분류(IPC7판) |
|
출원번호 |
UP-0586446
(2006-10-24)
|
등록번호 |
US-7624276
(2009-12-02)
|
발명자
/ 주소 |
- Princen, John
- Srinivasan, Pramila
- Anderson, Craig Steven
|
출원인 / 주소 |
- BroadOn Communications Corp.
|
대리인 / 주소 |
|
인용정보 |
피인용 횟수 :
5 인용 특허 :
91 |
초록
▼
A technique for security and authentication on block-based media includes involves the use of protected keys, providing authentication and encryption primitives. A system according to the technique may include a secure device having a security kernel with protected keys. A disk drive security mechan
A technique for security and authentication on block-based media includes involves the use of protected keys, providing authentication and encryption primitives. A system according to the technique may include a secure device having a security kernel with protected keys. A disk drive security mechanism may support authentication of data, secrecy, and ticket validation using the security kernel and, for example, a ticket services module (e.g., a shared service that may or may not be used by other storage devices like flash).
대표청구항
▼
The invention claimed is: 1. A method comprising: accessing a header including a data structure and a set of hash values; obtaining from the data structure a first root hash of a hierarchical hash tree; computing a second root hash from the set of hash values; comparing the first root hash to the s
The invention claimed is: 1. A method comprising: accessing a header including a data structure and a set of hash values; obtaining from the data structure a first root hash of a hierarchical hash tree; computing a second root hash from the set of hash values; comparing the first root hash to the second root hash; if the first root hash and the second root hash match, obtaining an encrypted key from the data structure; securely decrypting the encrypted key; securely storing the key such that the key is not passed in the clear; providing a reference to the key; decrypting a data block with the reference to the key; loading authentication data from a sub-block associated with the data block; identifying, in the authentication data, a first set of hash values associated with a first level of the hierarchical hash tree; computing a cryptographic hash of the data block to determine a first hash value; comparing the first hash value to a corresponding value in the first set of hash values; rejecting a block data request if the first hash value and the corresponding value in the first set of hash values do not match. 2. The method of claim 1, wherein the data structure is public key signed. 3. The method of claim 1, further comprising authenticating the data structure. 4. The method of claim 1, further comprising securely storing the set of hash values included in the header. 5. The method of claim 1, further comprising caching the hierarchical hash tree. 6. The method of claim 1, further comprising rejecting the header if the first root hash and the second root hash do not match. 7. The method of claim 1, further comprising validating a rights management ticket from a source other than the header. 8. The method of claim 1, wherein the reference to the key is provided in the clear. 9. The method of claim 1, wherein decrypting a data block with the reference to the key further comprises: providing the reference to the key to a secure decryption engine; decrypting the data block such that the key is not passed in the clear. 10. The method of claim 1, further comprising decrypting at least a portion of the sub-block. 11. The method of claim 1, further comprising, in each hash block: inserting a calculated hash in an appropriate location; computing the hash of the hash block. 12. The method of claim 1, if the first hash value matches the corresponding value in the first set of hash values, further comprising: computing a second hash value corresponding to the first set of hash values; identifying, in the authentication data, a second set of hash values associated with a second level of the hierarchical hash tree; comparing the second hash value to a corresponding value in the second set of hash values; rejecting the block data request if the second hash value and the corresponding value in the second set of hash values do not match. 13. The method of claim 12, if the second hash value matches the corresponding value in the second set of hash values, further comprising: computing a third hash value corresponding to the second set of hash values; identifying, in the authentication data, a third set of hash values associated with a third level of the hierarchical hash tree; comparing the third hash value to a corresponding value in the third set of hash values; rejecting the block data request if the third hash value and the corresponding value in the third set of hash values do not match. 14. The method of claim 13, if the third hash value matches the corresponding value in the third set of hash values, wherein the set of hash values of the header are a fourth set of hash values, and wherein the fourth set of hash values are associated with a fourth level of the hierarchical hash tree, further comprising: computing a fourth hash value corresponding to the third set of hash values; providing a fourth set of hash values associated with a fourth level of the hierarchical hash tree; comparing the fourth hash value to a corresponding value in the fourth set of hash values; rejecting the block data request if the fourth hash value and the corresponding value in the fourth set of hash values do not match; returning the data block if the fourth hash value and the corresponding value in the fourth set of hash values match. 15. A system comprising: a block-based media driver coupled to a security API, wherein, in operation, the block-based media driver accesses a header associated with a block-based media device and extracts authentication data from the header; ticket services coupled to the block-based media driver and the security API, wherein, in operation, the ticket services receive the authentication data from the block-based media driver and send a key decryption request to the security API; a security kernel including the security API, an encryption/decryption engine, and a key store accessible to the security API, wherein, in operation, the encryption/decryption engine decrypts the key, the key is stored in the key store, and the security API returns a reference to the key to the ticket services; wherein, in operation, the ticket services validates the authentication data and returns the reference to the key to the block-based media driver; wherein, in operation, the block-based media driver accesses data blocks of the block-based media device, sends a block decryption request to the security API, and the security kernel decrypts the blocks and validates a hierarchical hash tree associated with the data blocks. 16. The system of claim 15, further comprising the block-based media device, wherein the header associated with the block-based media device includes a root hash value and a plurality of root-child hash values. 17. The system of claim 15, further comprising the block-based media device, wherein the data blocks each include a hash sub-block and a plurality of content data blocks. 18. A system having a means for secure content delivery with block-based media, comprising: a secure key store means; a means for accessing an encrypted key from a header of a block-based media device; a means for securely decrypting the encrypted key; a means for securely storing the key in the key store; a means for referencing the key to securely decrypt data blocks of the block-based media device; a means for providing hash values in association with the block-based media device and each data block of the block-based media device. 19. The system of claim 18, further comprising a means for aborting block-based media device access if hash values in the header are rejected. 20. The system of claim 18, further comprising a means for aborting data block access if hash values in the data block are rejected. 21. A method comprising: accessing a header including a data structure and a set of hash values; obtaining from the data structure a first root hash of a hierarchical hash tree; computing a second root hash from the set of hash values; comparing the first root hash to the second root hash; if the first root hash and the second root has match, obtaining an encrypted key from the data structure; securely decrypting the encrypted key; securely storing the key such that the key is not passed in the clear; providing a reference to the key; loading authentication data from a sub-block associated with an encrypted data block; identifying, in the authentication data, a first set of hash values associated with a first level of the hierarchical hash tree; computing a cryptographic hash of the encrypted data block to determine a first hash value; comparing the first hash value to a corresponding value in the first set of hash values; rejecting a block data request if the first hash value and the corresponding value in the first set of hash values do not match; decrypting the encrypted data block with the reference to the key.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.