System and method for copying protected data from one secured storage device to another via a third party
IPC classification
Country / type: United States (US) patent, granted
International Patent Classification (IPC, 7th ed.): G06F-007/04; G06F-021/10; G06F-021/60; H04L-009/08; H04L-009/32
Application number: US-0113338 (filed 2008-05-01)
Patent number: US-8966580 (granted 2015-02-24)
Inventors / address: Sela, Rotem; Zer, Aviad
Applicant / address: SanDisk IL Ltd.
Attorney / agent: Brinks Gilson & Lione
Citation information: cited by 1 patent; cites 3 patents
Abstract
A third party is configured to establish a virtual secure channel between a source SSD and a destination SSD via which the third party reads protected digital data from the source SSD and writes the protected digital data into the destination SSD after determining that each party satisfies eligibility prerequisites. An SSD is configured to operate as a source SSD, from which protected data can be copied to a destination SSD, and also as a destination SSD, to which protected data of a source SSD can be copied.
Claims
1. A third party system for safeguarding and securely delivering digital data from a source storage to a destination storage, the third party system comprising: a memory; a communication interface configured to communicate with a host device system that at a given time hosts one or both of the source storage and the destination storage, wherein the digital data comprises protected data that are not available to unauthorized devices; and a processor configured to enable the third party system to: transmit information to the source storage in order for the source storage to authorize the third party system to transfer the protected data from the source storage to the destination storage via the third party system; receive information from the source storage and using this information, as well as one or more transfer rules, to determine whether to allow the source storage to transfer the protected data to the destination storage; transmit information to the destination storage in order for the destination storage to authorize the third party system to transfer the protected data to the destination storage via the third party system; receive information from the destination storage in order to determine whether to enable the destination storage to receive the protected data from the source storage; in response to determining that the source storage and the destination storage are both allowed to send and receive, respectively: communicate with the source storage to create a session key; establish a virtual secure channel between the source storage and the third party system using the session key; establish a virtual secure channel between the third party system and the destination storage; receive a key of the destination storage; relay, to the source storage, the key of the destination storage; receive, from the source storage, a content key encrypted with the key of the destination storage; relay, to the destination storage, the content key encrypted with the key in order for it to be decrypted by the destination storage; relay the protected data in encrypted form from the source storage to the destination storage for decryption by the destination storage using the content key, where the third party system is unable to decrypt the encrypted protected data; and prompt the source storage to make the protected data on the source storage inaccessible to any electronic device, wherein until the transfer the protected data was accessible only from the source storage.
2. The third party system according to claim 1, wherein the third party system is configured to establish the virtual secure channel by establishing a first secure channel with the source storage and a second secure channel with the destination storage.
3. The third party system according to claim 1, wherein the third party system is configured to instruct the source storage to make the protected data inaccessible to any electronic device after completion of transfer of the protected data to the destination storage.
4. The third party system according to claim 1, wherein the third party system is configured to instruct the source storage to make the protected data inaccessible to any electronic device after completion of transfer of the protected data to the third party system.
5. The third party system according to claim 1, wherein the third party system is configured to communicate with the source storage and the destination storage when the source storage and the destination storage are both concurrently connected to a single host device.
6. The third party system according to claim 1, wherein the third party system is configured to determine whether the source storage is allowed to send the protected data to the destination storage by: receiving a source storage certificate; and determining whether the received source storage certificate is included in a list of certificates, the list indicative of storage devices entitled to a data copy service provided by the third party system.
7. The third party system according to claim 1, wherein the third party system is further configured to receive from the host device system a user instruction, the user instruction indicative of a request to commence the process of delivering the protected content from the source storage to the destination storage; and wherein, in response to receiving the user instruction and in response to determining that the source storage and the destination storage are both allowed to send and receive, respectively, the third party system is configured to relay the encrypted protected data from the source storage to the destination storage.
8. The third party system according to claim 1, wherein the processor is configured to: authorize the third party system to the source storage to transfer the protected data from the source storage to the destination storage via the third party system by sending authentication data in order to identify the third party system to the source storage and to prove to the source storage that the third party system is allowed to transfer the protected data from the source storage to the destination storage; authorize the third party system to the destination storage to transfer the protected data to the destination storage via the third party system by sending the authentication data in order to identify the third party system to the destination storage and to prove to the destination storage that the third party system is allowed to transfer the protected data to the destination storage; receive information from the source storage in order for the third party system to determine whether to enable the source storage to transfer the protected data to the destination storage by receiving, from the source storage, source storage data in order to identify the source storage and to determine whether the source storage is allowed to send the protected data to the destination storage; and receive information from the destination storage in order for the third party system to determine whether to enable the destination storage to receive the protected data from the source storage by receiving, from the destination storage, destination storage data in order to identify the destination storage and to determine whether the destination storage is allowed to receive the protected data.
9. The third party system according to claim 8, wherein the virtual secure channel between the source storage and the destination storage is configured to enable transfer of the protected data without the source storage and the destination storage communicating with each other directly.
10. The third party system according to claim 8, wherein the third party system is configured to prove to the destination storage that the third party system is allowed to write the protected data into a restricted storage area of the destination storage and allowed to write data into a security management storage area of the destination storage.
11. The third party system according to claim 10, wherein the data to write into the security management storage area of the destination storage comprises authentication keys that are entitled to access the restricted storage area of the destination storage.
12. The third party system according to claim 10, wherein the processor is further configured to send a request to the source storage for configuration data of the source storage; and wherein, prior to the third party system transferring the protected data to the destination storage, the processor is configured to use the configuration data of the source storage to configure the destination storage in a same way as the source storage.
13. The third party system according to claim 1, wherein the third party system comprises a computer system; and wherein the processor is configured to instruct the source storage to make the protected data on the source storage inaccessible by instructing the source storage to erase authentication parameters associated with the protected data.
14. The third party system according to claim 1, wherein the processor is further configured to: poll the source storage of a configuration for storing the protected data; and instruct the destination storage to configure itself in the configuration for storing the protected data.
15. The third party system according to claim 1, wherein the processor is configured to receive the key of the destination storage by receiving a public key of the destination storage; wherein the processor is configured to relay to the source storage the public key of the destination storage; wherein the processor is configured to receive, from the source storage, the content key encrypted with the public key of the destination storage; wherein the processor is configured to relay, to the destination storage, the content key encrypted with the public key in order for it to be decrypted by the destination storage.
16. The third party system according to claim 15, wherein the controller is configured to receive the encrypted content key by receiving a random number generated by the source storage and encrypted by the public key of the destination storage.
17. The third party system according to claim 16, wherein the controller is configured to receive the encrypted content key by receiving the encrypted content key signed by a private key of the source storage and concatenated with an authentication certificate of the source storage; wherein the controller is configured to transmit the encrypted content key by transmitting, to the destination storage, the encrypted content key signed by a private key of the source storage and concatenated with an authentication certificate of the source storage in order for the destination storage to ensure that the authentication certificate of the source storage was signed by the source storage's root authentication certification held by the third party system.
18. A source storage for transferring protected data to a destination storage via a third party system, the source storage comprising: a mass storage area storing digital data, the digital data including the protected data that are not transferable to ineligible devices and one or more usage rules, the protected data is only accessible from the source storage according to the one or more usage rules until transfer of the protected data; and a storage controller adapted to: transmit information to the third party system in order for the third party system to determine using one or more transfer rules whether the source storage is allowed to transfer the protected data via the third party system; receive information from the third party system in order for the storage controller to determine that the third party system is authorized to transfer the protected data; communicate with the third party system in order to create a session key; establish a secure channel between the source storage and the third party system using the session key; receive, from the third party system, a key of the destination storage; encrypt a content key with the key of the destination storage; transmit the encrypted content key to the third party system in order for the third party system to transmit the encrypted content key to the destination storage; encrypt the protected content using the content key; send, via the third party system over the secure channel, the protected data in encrypted form to the destination storage for decryption by the destination storage using the content key, wherein the third party system is unable to decrypt the encrypted protected data using the content key; receive an instruction from the third party system, the instruction indicative of making the protected data inaccessible to any electronic device; and in response to receiving the instruction, make the protected data inaccessible to any electronic device.
19. The source storage according to claim 18, wherein the storage controller is adapted to receive the public key of the destination storage by: receiving, from the third party system, an authentication certificate of the destination storage; and obtaining the public key using the authentication certificate of the destination storage.
20. The source storage according to claim 18, wherein the storage controller is configured to generate the session key randomly by using data originating from the destination storage.
21. The source storage according to claim 18, wherein the storage controller is adapted to communicate with the third party system in order for the third party system to determine that the source storage is allowed to transfer the protected data via the third party system by sending a source storage certificate to the third party system, the source storage certificate for checking against a list of certificates, the list indicative of storage devices entitled to a data copy service provided by the third party system.
22. The source storage according to claim 18, wherein the storage controller is adapted to: communicate with the third party system in order for the third party system to determine using one or more transfer rules whether the source storage is allowed to transfer the protected data via the third party system by sending source storage data to the third party system in order to identify the source storage to the third party system and for the third party system to determine that the source storage is allowed to transfer the protected data via the third party system; and communicate with the third party system in order for the storage controller to determine whether the third party system is authorized to transfer the protected data to a destination storage by receiving third party data from the third party system in order to identify the third party system and for the storage controller to determine whether the third party system is allowed to receive therefrom the protected data and to transfer the protected data to a destination storage.
23. The source storage according to claim 18, wherein the storage controller is configured to receive, from the third party system, the key of the destination storage by receiving a public key of the destination storage; wherein the storage controller is configured to encrypt the content key with the public key of the destination storage; and wherein the storage controller is further configured to generate the content key.
24. The source storage according to claim 23, wherein the storage controller is configured to generate the content key by generating a random number that serves as the content key.
25. The source storage according to claim 24, wherein the storage controller is further configured to sign the encrypted content key with a private key of the source storage, concatenate an authentication certificate of the source storage to the signed encrypted content key, and transmit the signed encrypted content key with the concatenated source storage's authentication certificate to the third party system.
26. A method for a third party system to facilitate delivering digital data from a source storage to a destination storage, the digital data comprising protected data, the method comprising: in the third party system: transmitting information to the source storage in order for the source storage to authorize the third party system to transfer the protected data from the source storage to the destination storage via the third party system; transmitting information to the destination storage in order for the destination storage to authorize the third party system to transfer the protected data to the destination storage via the third party system; receiving, from the source storage, source storage data and using the source storage data, as well as one or more transfer rules, to determine whether to allow the source storage to send the protected data to the destination storage; receiving, from the destination storage, destination storage data and using the destination storage data to determine whether the destination storage is allowed to receive the protected data; in response to determining the source storage and the destination storage are both allowed to send and receive, respectively: communicating with the source storage to create the session key; establishing a virtual secure channel between the source storage and the third party system using the session key; establishing a virtual secure channel between the third party system and the destination storage; receiving a key of the destination storage; relaying, to the source storage, the key of the destination storage; receiving, from the source storage, a content key encrypted with the key of the destination storage; relaying, to the destination storage, the content key encrypted with the key in order for it to be decrypted by the destination storage; relaying protected data in encrypted form from the source storage to the destination storage for decryption by the destination storage using the content key where the third party system is unable to decrypt the encrypted protected data; and instructing the source storage to make the protected data on the source storage inaccessible to any electronic device, wherein until the transfer the protected data was accessible only from the source storage.
27. The method according to claim 26, wherein instructing the source storage to make the protected data inaccessible to any electronic device is performed after completion of transfer of the protected data to the destination storage.
28. The method according to claim 26, wherein instructing the source storage to make the protected data inaccessible to any electronic device is performed after completion of transfer of the protected data to the third party system.
29. The method according to claim 26, wherein communicating with the source storage and the destination storage are performed when the source storage and the destination storage are concurrently connected to a single host device.
30. The method according to claim 26, wherein determining whether the source storage is allowed to send the protected data to the destination storage comprises: receiving a source storage certificate; and determining whether the received source storage certificate is included in a list of certificates, the list indicative of storage devices entitled to a data copy service provided by the third party system.
31. The method according to claim 26, further comprising receiving from the host device system a user instruction to copy; and in response to receiving the user instruction and in response to determining that the source storage and the destination storage are both allowed to send and receive, respectively, relaying the encrypted protected data from the source storage to the destination storage.
32. The method according to claim 26, further comprising sending configuration information to the destination storage in order for the destination storage to configure itself to a same configuration as a configuration of the source storage before the protected data is sent from the third party system to the destination storage.
33. A method for transferring protected data from a source storage to a destination storage via a third party system, the method comprising: in the source storage: using one or more usage rules in order for the source storage to determine whether to use the protected data; transmitting information to the third party in order for the third party system, using one or more transfer rules, to determine whether the source storage is allowed to transfer the protected data via the third party system, the protected data is only accessible from the source storage until transfer of the protected data; receiving information from the third party system in order for the storage controller to determine that the third party system is authorized to transfer the protected data; communicating with the third party system in order to create a session key; establishing a secure channel between the source storage and the third party system using the session key; receiving, from the third party system, a key of the destination storage; encrypting a content key with the key of the destination storage; transmitting the encrypted content key to the third party system in order for the third party system to transmit the encrypted content key to the destination storage; encrypting the protected content using the content key; sending, via the third party system using the secure channel, the protected data in encrypted form to the destination storage for decryption by the destination storage using the content key, wherein the third party system is unable to decrypt the encrypted protected data using the content key; receiving an instruction from the third party system, the instruction indicative of making the protected data inaccessible to any electronic device; and in response to receiving the instruction, making the protected data inaccessible to any electronic device.
34. The method according to claim 33, wherein receiving the public key of the destination storage comprises receiving, from the third party system, an authentication certificate of the destination storage and obtaining the content key using the authentication certificate of the destination storage.
35. The method according to claim 33, wherein the session key is generated randomly by using data originating from the destination storage.
36. The third party system according to claim 1, wherein the source storage comprises a memory stick.
37. The source storage according to claim 21, wherein the storage controller is adapted to: send source storage data to the third party system in order to identify the source storage to the third party system and for the third party system to determine that the source storage is allowed to transfer the protected data via the third party system; and receive third party data from the third party system in order to identify the third party system and for the storage controller to determine whether the third party system is allowed to receive therefrom the protected data and to transfer the protected data to a destination storage; wherein the storage controller is configured to determine whether the third party system is allowed to receive the protected data by: comparing the third party data with a certificate issued by a trusted certificate authority, the certificate indicative of an entity entitled to copy the protected data, in order for the source storage to determine whether the third party system has permission to copy the protected data.
38. A destination storage for receiving protected data from a source storage via a third party system, the destination storage comprising: a mass storage area; and a storage controller adapted to transmit information to the third party system in order for the third party system to determine using one or more transfer rules whether the destination storage is allowed to receive the protected data via the third party system; receive information from the third party system in order for the storage controller to determine that the third party system is authorized to send therefrom the protected data and to transfer the protected data from a source storage and, if so: communicate with the third party system in order to create a session key; establish a secure channel between the destination storage and the third party system using the session key; send, to the third party system, a key of the destination storage; receive, from the third party system, an encrypted content key, the content key being generated by the source storage and encrypted with the key of the destination storage; decrypt the encrypted content key; receive configuration information in order for the destination storage to configure itself to a same configuration as a configuration of the source storage before the protected data is sent from the third party system to the destination storage; receive encrypted protected data and one or more usage rules from the third party system over the secure channel, wherein the encrypted protected data is encrypted using the content key and wherein the third party system is unable to decrypt the encrypted protected data; decrypt the protected data in encrypted form using the content key; and use the protected data according to the one or more usage rules.
39. The destination storage according to claim 38, wherein the destination storage is configured to determine whether the third party system is allowed to write the protected data into a restricted storage area of the destination storage and allowed to write data into a security management storage area of the destination storage.
40. The destination storage according to claim 39, wherein the data to write into the security management storage area of the destination storage comprises authentication keys that are entitled to access the restricted storage area of the destination storage.
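The claims read as a protocol: the third party admits each device by certificate and entitlement list (claims 6, 8, 21, 22), opens one session-keyed channel per side (claim 2), relays the destination's certificate to the source, carries back a random content key encrypted to the destination's public key and signed by the source with its certificate attached (claims 17, 19, 23 to 25), forwards the data encrypted under that content key without being able to read it, and finally has the source erase its authentication parameters (claims 3, 13). The following is an added example written for this page, not SanDisk's code, that runs that exchange end to end with all three parties in one process. Everything in it is an assumption: the class and function names (Storage, ThirdParty, seal, unseal, demo), the device identifiers ssd-A/B/C and the copy-service subject, the message layouts, and the primitives. Textbook RSA with a 512-bit modulus and no padding stands in for the devices' public-key operations, and a SHA-256 keystream with an HMAC tag stands in for the symmetric cipher; neither is production cryptography. The example goes beyond the claim text in one respect: it also shows a device whose certificate chains to the root but is absent from the entitlement list, and the relay's own view of the data, which is ciphertext under a key it never holds.

```python
"""Three-party transfer modelled on the claims above (added example, not SanDisk's code).
Textbook RSA without padding and a SHA-256 keystream with HMAC stand in for the real
primitives: they show the message flow and are not production cryptography."""
import hashlib
import hmac
import secrets

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)


def _is_prime(n, rounds=16):  # trial division, then Miller-Rabin; toy key generation only
    if n < 37 or any(n % p == 0 for p in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True


def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c


def keygen(bits=512):  # toy RSA keypair: public (e, n), private (d, n)
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # e = 65537 is prime, so this is gcd(e, phi) == 1
            return (65537, p * q), (pow(65537, -1, phi), p * q)


def _h(*parts): return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
def encrypt(pub, msg): return pow(int.from_bytes(msg, "big"), *pub)  # msg shorter than the modulus
def decrypt(priv, c, length): return pow(c, *priv).to_bytes(length, "big")
def sign(priv, *parts): return pow(_h(*parts), *priv)
def verify(pub, sig, *parts): return pow(sig, *pub) == _h(*parts)


def issue_cert(root_priv, subject, pub):  # subject + key signed by the root the third party holds
    return {"subject": subject, "pub": pub, "sig": sign(root_priv, subject, repr(pub).encode())}


def cert_ok(root_pub, cert):
    return verify(root_pub, cert["sig"], cert["subject"], repr(cert["pub"]).encode())


def _xor(key, nonce, data):
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, pt):  # nonce || HMAC tag || ciphertext, fresh nonce per message (AES-GCM stand-in)
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, pt)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor(key, nonce, ct)


class Storage:  # an SSD usable as source or destination; certificate provisioned at manufacture
    def __init__(self, name, root, data=None, rules=None):
        self.name, self.root_pub = name, root[0]
        self.pub, self.priv = keygen()
        self.cert = issue_cert(root[1], name, self.pub)
        self.restricted, self.rules = data, rules  # restricted storage area and its usage rules
        self.auth = secrets.token_bytes(16) if data else None  # authentication parameters gating it
        self.session = self.content_key = None

    def admit(self, tp_cert, wrapped, sig):  # claims 8/22: third party must chain to the root ...
        if not (cert_ok(self.root_pub, tp_cert)  # ... and prove it holds the certified key
                and verify(tp_cert["pub"], sig, repr(wrapped).encode())):
            raise PermissionError(f"{self.name}: third party not authorized")
        self.session = decrypt(self.priv, wrapped, 32)

    def read(self):
        if self.auth is None:
            raise PermissionError(f"{self.name}: protected data inaccessible")
        return self.restricted

    def wrap_content_key(self, dst_cert):  # source role, claims 19 and 23-25
        if not cert_ok(self.root_pub, dst_cert):
            raise PermissionError("destination certificate invalid")
        self.content_key = secrets.token_bytes(16)
        enc = encrypt(dst_cert["pub"], self.content_key)
        return {"enc_key": enc, "sig": sign(self.priv, repr(enc).encode()), "cert": self.cert}

    def export(self):  # content-key layer inside the channel layer
        return seal(self.session, seal(self.content_key, self.read())), self.rules

    def disable(self):  # claim 13: erase the authentication parameters
        self.auth = self.content_key = None
        self.restricted = bytes(len(self.restricted))

    def unwrap_content_key(self, bundle):  # destination role, claim 17
        if not (cert_ok(self.root_pub, bundle["cert"])
                and verify(bundle["cert"]["pub"], bundle["sig"], repr(bundle["enc_key"]).encode())):
            raise PermissionError("source certificate or signature invalid")
        self.content_key = decrypt(self.priv, bundle["enc_key"], 16)

    def import_(self, blob, rules):
        self.restricted = unseal(self.content_key, unseal(self.session, blob))
        self.rules, self.auth = rules, secrets.token_bytes(16)


class ThirdParty:
    def __init__(self, root, entitled):
        self.root_pub, self.entitled = root[0], entitled  # claim 6: list of entitled devices
        self.pub, self.priv = keygen()
        self.cert = issue_cert(root[1], b"copy-service", self.pub)
        self.relayed = b""  # what the relay actually sees

    def eligible(self, cert):
        return cert_ok(self.root_pub, cert) and cert["subject"] in self.entitled

    def transfer(self, src, dst):
        if not (self.eligible(src.cert) and self.eligible(dst.cert)):
            return False
        ks, kd = secrets.token_bytes(32), secrets.token_bytes(32)
        for dev, k in ((src, ks), (dst, kd)):  # one secure channel per side (claim 2)
            wrapped = encrypt(dev.pub, k)
            dev.admit(self.cert, wrapped, sign(self.priv, repr(wrapped).encode()))
        dst.unwrap_content_key(src.wrap_content_key(dst.cert))  # relay cert out, wrapped key back
        blob, rules = src.export()
        self.relayed = unseal(ks, blob)  # channel layer removed; content still under the content key
        dst.import_(seal(kd, self.relayed), rules)
        src.disable()  # claim 3: only after the copy completed
        return True


def demo():
    root = keygen()  # root CA stand-in
    src = Storage(b"ssd-A", root, b"protected track", "play-only")
    dst, rogue = Storage(b"ssd-B", root), Storage(b"ssd-C", root)
    tp = ThirdParty(root, entitled={b"ssd-A", b"ssd-B"})
    refused = not tp.transfer(src, rogue)  # valid certificate but not on the entitlement list
    ok = tp.transfer(src, dst)
    try:
        src.read()
        locked = False
    except PermissionError:
        locked = True
    return {"ok": ok, "rogue_refused": refused, "dst_data": dst.read(), "dst_rules": dst.rules,
            "relay_saw_plaintext": b"protected track" in tp.relayed, "src_locked": locked}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The third party strips only its own channel layer (`unseal(ks, blob)`) and re-wraps for the destination, so what it holds in memory is ciphertext under a key that was encrypted straight from source to destination; that is the property claims 1 and 18 rely on, and a third party that instead generated the content key itself would lose it. The signature in `wrap_content_key` is over the encrypted key, which lets the destination reject a substituted key before decrypting anything, and the entitlement check in `eligible` is deliberately separate from certificate validity, since the claims treat the copy service as something a device is enrolled in rather than something any validly manufactured device gets.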
Patents cited by this patent (3)
Tidwell, Justin Owen; Zeitz, Karlton Mark, Methods and systems for encrypting, transmitting, and storing electronic information and files.
LeVine, Richard B.; Lee, Andrew R.; Howard, Daniel G.; Goldman, Daniel M.; Hart, John J., III, Systems and methods for preventing unauthorized use of digital content.
Ginter, Karl L.; Shear, Victor H.; Sibert, W. Olin; Spahn, Francis J.; Van Wie, David M., Systems and methods for secure transaction management and electronic rights protection.
Fuller, Erik James; Kelly, Adam Blair; Khan, KMR Mumit; Munro, Timothy Peter; Nishigaya, Andrew Norimasa; Wright, Kerry Michael, Multi-tiered encryption system for efficiently regulating use of encryption keys.