A SECURE DATA STORAGE DEVICE
Field of the Invention
The present invention relates to secure storage of data, and in particular to a device for secure data storage for use with electronic devices to provide for secure distribution and rights management of stored data.
Background of the Invention
Improvements in technology have led to a proliferation of handheld electronic devices such as tiny computers, personal data assistants (PDAs), game systems, MP3 audio players and mobile phones. These devices have limited storage capacities, which restricts their use for applications (e.g., multimedia), which require large amounts of data. Flash memory expansion cards are able to provide additional memory, but they do not provide any security features to inhibit copying of the memory content, nor do they provide any kind of digital rights management. This is particularly relevant to situations where proprietary or copyrighted content is provided on a non-volatile read-only memory device.
United States Patent 5,761,609 to Chen, Chung-Shan discloses a limited use circuit in an electronic system that comprises a state machine which controls the operability of the electronic system and determines after boot whether a non-volatile memory device is at its initial data point, and then allows the system to operate if it is at its initial data point or causes the electronic system to go down if it is not. The non-volatile memory and an adder may be used to maintain a count of each time the system is turned on. The circuit, however, is limited in the access control it can provide, since it relies merely on a count and nothing more. Unauthorised access can only be prevented after a count is reached, and not before.
It is desired to provide a secure data storage system, and a means for controlling access to facilitate secure distribution and digital rights management of stored content, or at least provide a useful alternative.
Summary of the Invention
In accordance with the present invention there is provided a data storage device, including: data storage memory; access control means for maintaining an attempt count of invalid access attempts and an access count of valid accesses, to said data storage memory; and means for disabling access to said data storage memory when said attempt count or said access count reaches a respective predetermined integer value.
The present invention also provides a circuit for a digital storage device capable of interfacing with a handheld electronic device, comprising at least one access control circuit, each said access control circuit including two registers for storing access keys, a non-volatile read-only fixed key register containing a first key, which is permanently stored in said register, a user key register for temporarily storing a second key supplied by application software, a key test circuit capable of comparing said first key and said second key, means for denying access to said storage device if said first key and said second key do not match, and an attempt counter circuit capable of recording an unsuccessful attempt to match said first and second keys, said attempt counter circuit including a programmable, non-volatile memory, capable of storing the total number of said unsuccessful key match attempts, means for permanently denying access if said number of unsuccessful attempts equals or exceeds a preset number stored in a read-only memory register in said attempt counter circuit, said user key register being implemented in volatile memory so that when power is removed or when said secure storage device is disconnected from said handheld electronic device, said user key is lost.
The present invention also provides a data storage device, including: data storage memory; and access control means for maintaining an attempt count of invalid access attempts and an access count of valid accesses to said memory, and for disabling access to said memory when said attempt count or said access count exceed a respective predetermined value.
The present invention also provides a data storage device including: data storage memory; and an access control circuit for maintaining an attempt count of invalid access attempts, said count being represented by data in memory cells having fusible links, and for disabling access to said memory when the attempt count exceeds a predetermined value.
Brief Description of the Drawings
Preferred embodiments of the present invention are hereinafter described, by way of example only, with reference to the accompanying drawings, wherein:
Figure 1 is a block diagram of a preferred embodiment of a secure digital storage device;
Figure 2 is a block diagram of a preferred embodiment of a secure address logic circuit of the secure digital storage device; and
Figure 3 is a schematic diagram of a fuse cell of the secure digital storage device.
Detailed Description of the Preferred Embodiments
Referring to Figure 1, a secure data storage device 1 includes a data storage memory 6 and a secure address logic circuit 4 for controlling access to the storage memory 6. There is one access control circuit 4 in this embodiment, but in other embodiments a plurality of access control circuits could be provided. The storage device 1 may be used to provide data to an electronic device (not shown) by connecting the hardware interface 2 of the storage device 1 to the expansion port of the electronic device. The electronic device could be a handheld digital computer such as a personal data assistant (PDA), a mobile telephone, a game system, or any other kind of digital processing device with a standard hardware interface 2, such as an expansion port. The secure data storage device 1 can be used with a variety of electronic devices by providing industry standard interfaces such as the Handspring Springboard interface, the Compact Flash interface, or Sony's Memory Stick interface as the hardware interface 2. The electronic device may communicate with a host computing device, such as a server of a service provider.
The storage memory 6 is preferably a non-volatile, solid-state, programmable read-only memory (PROM), such as the fuse or anti-fuse memories developed by Actel and Quicklogic. However, the storage memory 6 could also be erasable programmable read-only memory (e.g., flash memory, EPROM, EEPROM), or any kind of device that can store digital data, including mini disk drives. The only practical requirements are small size, high density, rapid access and low cost.
Access to the storage memory 6 is controlled by the access control circuit 4, which restricts access to certain memory addresses input from the address bus 3, based on security data supplied from the data bus 5 and data contained in the access control circuit 4. The address bus 3 and the data bus 5 signals are supplied from the connected electronic device to the storage device 1 through the hardware interface 2. In the present embodiment, the access control circuit 4 is only applied to the address bus 3; however, it could also be used to restrict access to the data bus 5.
Additional security is available by including a decryption engine 8 and storing the digital data in an encrypted form in the storage memory 6. The decryption engine 8 processes encrypted data from the storage medium 6 and passes the unencrypted result to the data bus 5 of the handheld device via the hardware interface 2. The decryption engine 8 could be a software or hardware implementation of a decryption algorithm such as the DES, RSA, AES, ECC, or other known algorithms, or a general-purpose engine capable of deciphering custom encryption algorithms. In this case, the same user supplied key can be used for the decryption as well as the access control. The user supplied key can be obtained for example by purchasing a data storage card that provides the storage memory 6 or device 1 and which contains a device ID or password. This ID or password is then provided to a distributor who supplies the user with the key.
In an alternative embodiment an additional user input storage register can be provided for the decryption key.
In another configuration, the decryption can be performed in software totally on the host computing device. This could serve as a lower cost alternative. In this case again a unique device ID (identification) could be provided which would be accessible to users who purchase a loaded storage device 6 or 1 in the form of a card or the like, and are then able to provide the ID to a distributor online or otherwise, so as to be provided with at least one user key (password). In this distribution model each storage device 1 or 6 is uniquely identified in the form of a hardwired number. This number would be required to be provided in order to receive a decryption key.
Alternately, the key can be provided by a distributor, online or otherwise, without having to pass on the ID from a storage device or card. A plurality of keys could be provided in a pay per view type system, so that for each key paid for, a user would be entitled to one or more plays or views. In such an arrangement using a software cipher, the key would be passed to the software of the host computer. In a hardware cipher arrangement the key would be stored on the device 1.
Figure 2 illustrates a block diagram of the access control circuit 4. The circuit 4 includes two registers 22 and 24 for storing access keys or passwords. These keys are preferably at least 128 bits long to make the system more secure; however, a shorter key would also be allowable. A read-only fixed key register 24 contains a key, which is permanently stored in the non-volatile register by the content provider. A user key register 22 temporarily stores a key supplied by application software. A key test circuit 26 compares the two keys. If the keys do not match, then access to the storage memory 6 is denied and an attempt counter circuit 34 records the unsuccessful attempt. The attempt counter circuit 34 contains a programmable, non-volatile memory, which stores the total number of unsuccessful key match attempts. Access is permanently denied if the number of unsuccessful attempts equals or exceeds a preset number stored in a read-only memory register in the attempt counter circuit 34. The user key register 22 is implemented in volatile memory so that when power is removed (i.e., when the secure storage device 1 is disconnected from the handheld electronic device), the user key is lost.
In an alternative embodiment, because the system uses read-only memory 6, it is possible to use the same or overlapping memory addresses for accessing one or more of the user key register 22, the security control circuit 32 or the fixed key register with the memory addresses of the data storage memory 6. A write operation at an overlapped address would access only the registers and circuit that can be written to, and this can be used to distinguish the overlapped or duplicated address spaces. The overlapping with the ROM memory address makes it very difficult to locate the address of the key and therefore enhances the security of the storage device.
The access control circuit 4 is also used to limit the number of times that the storage memory 6 can be accessed. A read count register bank 36 contains a number of read-only registers and associated programmable, non-volatile counters. The read-only registers permanently store memory addresses, which map into the storage memory 6, and associated counters record the number of accesses to memory addresses within the ranges defined by the stored addresses. For example, 16 registers could be used to divide the storage memory 6 into 16 regions. Access to a particular address within the storage memory 6 is denied if the address falls within an address range, which has already been accessed a given number of times. The number of accesses allowed by this circuit is determined by presetting the counters to some non-zero value, and access is denied when the counters reach zero. A preset value of 30 for a particular range of memory addresses would allow 30 accesses to that memory region. The same can be achieved by presetting the counters to an integer value P and access denial taking place when the counters attain an integer value Q. Thus a particular range of memory addresses would allow {P-Q} accesses to the memory region where {P-Q} is the absolute value of the difference between integer P and integer Q.
The two access methods of key matching and access counting may be used independently or in combination. A security control circuit 32 of the access circuit 4 enables or disables each method, based on a (possibly encrypted) security key sent to the circuit and preset, read-only data stored in the circuit by the content provider. Thus either one or both of the access methods could be bypassed in certain circumstances, provided that the access limits described above have not been reached. In one mode of operation, an encrypted user key could be retrieved from a content distributor's online key server, decrypted, sent to the user key register 22 to enable access to the storage memory 6, and then deleted when the access has completed. This would facilitate a pay-per-view type of charging system without requiring a preset limit on the number of accesses to the storage memory 6. However, once the maximum number of unsuccessful key attempts has been determined as having been reached by the attempt count circuit 34, access to the storage memory 6 is permanently denied, irrespective of whether the key test circuit 26 is enabled or disabled. Similarly, when the read count register bank 36 determines that the number of successful accesses to a region of memory has reached the maximum access count, access to that region of memory is permanently disabled, irrespective of whether the read count register bank 36 is enabled or disabled.
The output of the two test circuits 34 and 36 is sent to address gate logic 30 of the circuit 4, which sends the address data to the storage memory 6 if the enabled user key and the access count tests have passed. If the key test is disabled, its output is set to be the same output that is sent when the test succeeds. When access is granted by the address gate logic 30, a signal is sent to the read count register bank 36 in order to increment the counter recording the number of accesses to this memory range. However, if the memory count register bank 36 is disabled, the counter is not incremented.
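The following is an added software model of the access control circuit 4 described above (illustrative code, not part of the patent or any product): the key test 26 with its permanent attempt limit, the read count register bank 36 with per-region counters preset to P and denying at Q, the enable flags of the security control circuit 32, and the address gate logic 30. The class and region names, the limit of 3 attempts and the integer counters are assumptions for illustration.

```python
# Added example (not from the patent): software model of access control circuit 4.
# AccessControl, ReadCountRegion and MAX_ATTEMPTS are assumed names/values.
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # preset, read-only limit in attempt counter circuit 34
DENY = object()             # address gate output when access is refused

@dataclass
class ReadCountRegion:
    """One read-only address range of bank 36 and its non-volatile counter."""
    start: int
    end: int                 # inclusive
    count: int               # preset to P; counts down on each granted access
    deny_at: int = 0         # Q; region is exhausted once count reaches Q (P > Q assumed)

class AccessControl:
    def __init__(self, fixed_key: bytes, regions, key_test_enabled=True,
                 read_count_enabled=True):
        self.fixed_key = fixed_key              # register 24, written by content provider
        self.user_key = None                    # register 22, volatile
        self.attempts = 0                       # attempt counter 34, non-volatile
        self.regions = regions                  # read count register bank 36
        self.key_test_enabled = key_test_enabled        # security control circuit 32
        self.read_count_enabled = read_count_enabled

    def power_cycle(self):
        """Removing power clears only the volatile user key register 22."""
        self.user_key = None

    def load_user_key(self, key: bytes):
        self.user_key = key                     # supplied by application software

    def _key_test(self) -> bool:
        if not self.key_test_enabled:
            return True                         # a disabled test outputs a pass
        ok = self.user_key == self.fixed_key
        if not ok:
            self.attempts += 1                  # survives power cycles
        return ok

    def access(self, address: int):
        """Address gate logic 30: returns the address forwarded to memory 6, or DENY."""
        if self.attempts >= MAX_ATTEMPTS:
            return DENY                         # permanent, whatever the enable flags
        region = next((r for r in self.regions if r.start <= address <= r.end), None)
        if region is not None and region.count <= region.deny_at:
            return DENY                         # region exhausted, whatever the enable flags
        if not self._key_test():
            return DENY
        if region is not None and self.read_count_enabled:
            region.count -= 1                   # increment signal from gate logic 30
        return address
```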
The attempt counter circuit 34 and the read count register bank 36 in the access control circuit 4 store data in programmable, non-volatile memory. This could be conventional flash memory or electrically erasable EEPROM. However, this memory is advantageously based on fuse or anti-fuse technology.
Figure 3 is a schematic diagram of a fuse cell of the counter circuit 34 and the register bank 36. As illustrated, a non-volatile memory cell may be formed from a single transistor 16 and a fuse element 14 in which the state of the fuse determines the binary value of the memory cell bit. Each cell can have its state changed only once after manufacturing by 'blowing' the cell fuse 14. Blowing a fuse opens the initially closed circuit, whereas blowing an anti-fuse closes the initially open connection. A cell is programmed by applying a relatively high voltage (e.g., 15 volts generated by a DC amplifier within the access control circuit 4) across the fuse. The cell is then read in the usual way when selected by the address line 10, sending the cell bit value out on the digit line 12.
If fuse or anti-fuse memory cells are used for the programmable counters of the access control circuit 4, they would not constitute normal 'counters' as such, since each bit can only be 'written' once and is not erasable. A fuse based 'counter' can only count up to the number of bits within the counter, since bits cannot be cleared once they have been set. For example, a 32-bit counter based on fuse technology could only be changed 32 times, effectively counting, for example, from zero to 31. As will be well understood, after the count is read a cell is blown to change the count.
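As an added illustration (not code from the patent), the following models such a fuse-based counter: each cell goes from intact to blown exactly once, the count is the number of blown cells, and a counter of `width` cells can therefore be changed at most `width` times. The consistency check is an assumption added here: a blown cell above an intact one cannot arise from normal counting, so it signals a faulty or tampered counter.

```python
# Added example (not from the patent): one-time-programmable fuse counter model.
# FuseCounter and is_consistent are assumed names for illustration.
class FuseCounter:
    """Monotonic counter built from fuse cells that can each be blown only once."""

    def __init__(self, width: int = 32):
        self.cells = [0] * width      # 0 = fuse intact, 1 = fuse blown (irreversible)

    def read(self) -> int:
        # The count is the number of blown cells (a unary / thermometer code).
        return sum(self.cells)

    def increment(self) -> bool:
        # Read the count first, then blow the next intact cell; never cleared.
        n = self.read()
        if n >= len(self.cells):
            return False              # saturated: every cell already blown
        self.cells[n] = 1
        return True

    def remaining(self) -> int:
        # How many more times the counter can change state.
        return len(self.cells) - self.read()

    def is_consistent(self) -> bool:
        # Normal counting only ever produces 1...1 0...0; any other
        # pattern indicates a fault or tampering with the cells.
        blown = self.read()
        return all(self.cells[i] == (1 if i < blown else 0)
                   for i in range(len(self.cells)))
```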
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described with reference to the accompanying drawings.