WO2004081706A2 - Method and apparatus for controlling the provision of digital content - Google Patents

Publication number
WO2004081706A2
WO2004081706A2 PCT/SG2004/000024 SG2004000024W WO2004081706A2 WO 2004081706 A2 WO2004081706 A2 WO 2004081706A2 SG 2004000024 W SG2004000024 W SG 2004000024W WO 2004081706 A2 WO2004081706 A2 WO 2004081706A2
Authority
WO
WIPO (PCT)
Prior art keywords
storage device
content
data storage
authentication data
authentication
Application number
PCT/SG2004/000024
Other languages
French (fr)
Other versions
WO2004081706A3 (en)
Inventor
Andrew Chow
Ser Yen Lee
Puay Hui Lau
Boon Quee Chia
Teck Weng Paul Tan
Chee We Ng
Hin Meng Timothy Soo
Venkateswara Rao Gattameni
Whye Ho Jamez Loo
Original Assignee
Digisafe Pte Ltd
Application filed by Digisafe Pte Ltd
Publication of WO2004081706A2
Publication of WO2004081706A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/86 Secure or tamper-resistant housings
    • G06F21/87 Secure or tamper-resistant housings by means of encapsulation, e.g. for integrated circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Definitions

  • the smart card chip 36 contains secret keys, etc., for establishing authenticity of the hardware device 32 and the software device driver: the software device driver performs authentication with the smart card chip 36 to ensure that the device driver has not been modified and the hardware device 32 is original.
  • FIG. 3 is a schematic diagram of an apparatus 50 for distributing digital storage media with copy protection according to an embodiment of the present invention.
  • the content in this example may be digitised music and video such as MP3 and MPEG or software packages.
  • the apparatus 50 comprises USB hub 54, an authentication device in the form of a smart card chip 56, a flash controller 60 for reading flash memory 62 and a USB connector 64.
  • Flash memory 62 contains the content, in this example in the form of audio/video digital content to be distributed, and software applications to view, play and install the content on the host device (not shown, but connected at USB connector 64).
  • the content stored in the flash memory 62 is in encrypted form to prevent unauthorised duplication.
  • Software viewers, players or installers also reside in the flash memory. The viewers, players and installers are written in a way that they only allow the media and applications to be viewed, played or installed, but do not allow them to be duplicated. Strong cryptographic protocols are used in these viewers, players and installers to prevent unauthorized duplication.
  • the smart card chip 56 contains secret keys or other parameters to prove the authenticity and originality of the media. Other information regarding the number of times digital data has been accessed or the identity of the computer or player can be recorded in the smart card chip. This allows the number of times, or the location at which, the digital data or the software package is accessed or installed to be restricted.
  • FIG. 4 is a schematic diagram of an authentication apparatus 70 for personal identity and data management and for portable secure storage of digital data in the form of personal identity data according to an embodiment of the present invention.
  • the authentication data is in the form of personal identity data such as digital certificates and passwords while the content (or personal data) could be electronic mail, personal documents, passwords, and other data.
  • the apparatus 70 comprises USB hub 74, an authentication device in the form of a smart card chip 76, a flash controller 80 for reading flash memory 82 and a USB connector 84.
  • Flash memory 82 contains the content which, as mentioned above, in this example is in the form of electronic mail, personal documents, passwords and other data.
  • the flash memory 82 is used to store these data in clear or encrypted form.
  • the more sensitive data (together with the digital certificates or passwords for proving identity or the secret keys used to sign, encrypt and decrypt the data in the flash card 82) is securely stored in the smart card chip 76.
  • Digital certificates are used for secure computer applications such as secure email (S/MIME) and secure internet connection (Secure Socket Layer, SSL), for signing and encrypting email.
  • Figure 5 is a schematic diagram of a system 90 for centrally programming and managing the authentication apparatus 70 of figure 4, in use with such an authentication apparatus 70 and a computer network 92.
  • the system 90 comprises a central management system 94 and a programmer 96.
  • the programmer 96 includes a USB port for connecting to the USB port of USB connector 84 of authentication apparatus 70, so that the system 90 can be used to program each such authentication apparatus 70 by installing in an authentication apparatus 70 keys belonging to each user.
  • the keys are held in a Public Key Depository 98, which holds such keys for secure applications such as S/MIME.
  • the Public Key Depository 98 is accessible by the central management system 94 by computer network.
  • the system 90 installs - into the flash memory 82 of each authentication apparatus 70 - installation and configuration programs for subsequently configuring the software applications on networked computers 100 (each running secure applications such as S/MIME) on computer network 92; a user can take an authentication apparatus that has been programmed in this manner (such as authentication apparatus 70') and use it to gain ready access to those applications on any of computers 100.
  • This enables each user to use these applications easily without the necessity of a system administrator installing applications or performing configuration for the user.
  • the user also does not need to carry along another medium (such as an installation disk), and is free to perform this installation at all the computers that the user is authorized to use.
  • This system thus reduces the complexity of deployment by incorporating all the installation program and information within the device itself.
  • Figure 6 is a perspective view of an example of an authentication apparatus 102 according to this embodiment.
  • the authentication apparatus 102 includes a USB plug 104 (for plugging into a USB port) and a body 106 that encases the data storage and processing components of the apparatus.
  • the apparatus 102 is designed to be hand-held, so it is of appropriate dimensions and provided with finger grips 108 for ease of manipulation.
  • the present invention allows device drivers to be distributed together with the hardware device itself, and for a single architecture to be used for multiple applications.

Abstract

An apparatus for controlling the provision of digital content, comprising a data storage device controller for receiving a data storage device on which is provided the content, an authentication data storage device for storing authentication data, a data port connectable to a host device so that the apparatus can be placed into electronic communication with the host device, and a communications hub to mediate electronic communication between the data storage device controller, the authentication data storage device and the data port, wherein the apparatus is configured to permit content provided on the data storage device to be outputted from the data port according to the authentication data.

Description

METHOD AND APPARATUS FOR CONTROLLING THE PROVISION
OF DIGITAL CONTENT
FIELD OF THE INVENTION
The present invention relates to a digital security method and apparatus, of particular but by no means exclusive application in controlling the distribution of electronic content such as software (and, in one particular example, software drivers), the distribution of digital content or media with copy protection, digital personal identification devices (typically carrying personal identity and other data), data management and portable devices for the secure storage of electronic content (such as data or software).
BACKGROUND OF THE INVENTION
Software, including software drivers, is presently commonly distributed with corresponding hardware on computer readable media such as CD-ROM, or over the Internet. These approaches, however, require the provision of such media or an Internet connection, both restrictions on the portability of the hardware.
Currently techniques exist for preventing the copying of digital content on music CDs, but few particularly effective approaches exist for digital media such as floppy diskettes, zip diskettes, CD-ROMs and USB-flash devices.
In the field of smart cards and other devices for storing personal data or for data management, techniques such as the use of secret keys and digital certificates are presently employed to establish a person's identity. Personal Digital Assistants (PDAs) carry personal information but are not generically designed to prove a person's identity. No such device exists that combines the storage of a person's identity with personal information such as electronic mail. There also exist a number of mass storage USB tokens, including that of Trek Technology (Singapore) Pte Ltd as described in WO 01/61692. Further, WO 00/42491 (Rainbow Technologies Inc) describes a cryptographic USB token.
Existing approaches for the portable secure storage of digital data also include the encryption of files on diskettes.
SUMMARY OF THE INVENTION
The present invention provides, in a first broad aspect, an apparatus for controlling the provision of digital content, comprising: a data storage device controller for receiving a data storage device on which is provided said content; an authentication data storage device for storing authentication data; a data port connectable to a host device so that said apparatus can be placed into electronic communication with said host device; and a communications hub to mediate electronic communication between said data storage device controller, said authentication data storage device and said data port; wherein said apparatus is configured to permit content provided on said data storage device to be outputted from said data port according to said authentication data.
Preferably said data storage device is a non-volatile data storage device. More preferably said data storage device is a flash memory device. In these embodiments, the data storage device controller is preferably a controller suitable for the respective device.
Thus, content (which could comprise software, audio, video, personal or other information, etc.) can be provided on the data storage device (such as a flash memory device, for example a flash card), but only copied to the data port (and thence to, for example, a computer or a playback device) if a suitable correspondence exists between the authentication data and the content. For example, the content may be configured to be read from the data storage device only if a particular password, security key or digital certificate is provided: that password or security key would be stored as the authentication data on the authentication data storage device. The authentication data storage device could take any suitable form, as will be understood by those in the art, such as a smart card chip or a biometric device.
It should be understood, however, that the apparatus - though configured to permit content provided on said data storage device to be outputted from the data port according to said authentication data - may be configured so that this outputting is limited in a predetermined way.
Thus, the data storage device may include a first storage portion for storing at least one software viewer or player for viewing or playing said content, and a second storage portion for storing said content, wherein said apparatus is configured to permit the accessing of said software viewer or player and of said content (such as by a computer when said apparatus is connected to that computer) such that said content can be viewed or played by means of said software viewer or player without allowing said content to be copied (such as to another device, storage medium or printer).
Preferably the apparatus includes a cryptographic processor that is operable to encrypt or decrypt said content by means of at least one cryptographic key stored in said authentication data storage device. The cryptographic key may comprise or be derived from the authentication data.
Thus, the authentication data (whether comprising a password, a secret key and/or a digital certificate, or otherwise) can additionally be used for encryption and copy protection, and the apparatus is preferably operable to encrypt and/or decrypt said content on the basis of the authentication data (i.e. using the authentication data as a cryptographic key, or deriving a cryptographic key from the authentication data).
The authentication data storage device may also comprise a combination of secure microcontrollers and EEPROM chips.
The invention thereby provides an apparatus that can be used as both a mass storage token and as a cryptographic token (the latter preferably in the form of a cryptographic processor).
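Added example (not part of the patent text): a small Python model of the gating described above, in which content on the data storage device is released to the data port only if it corresponds to the authentication data, and releases are limited in a predetermined way. PBKDF2 and an HMAC tag are assumed stand-ins for the key derivation and correspondence check, which the text does not specify; all class, function and sample values are illustrative.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def derive_key(auth_data: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key from the authentication data.

    Assumption: PBKDF2-HMAC-SHA256 models "deriving a cryptographic key
    from the authentication data"; the text names no algorithm.
    """
    return hashlib.pbkdf2_hmac("sha256", auth_data, salt, 100_000, dklen=32)


@dataclass
class AuthStore:
    """Models the authentication data storage device (e.g. smart card chip)."""
    auth_data: bytes          # password / secret key held on the chip
    salt: bytes
    max_releases: int         # the predetermined limit on outputting
    releases: int = 0
    hosts: List[str] = field(default_factory=list)  # hosts served so far


@dataclass
class FlashItem:
    """Models one content item on the data storage device (flash memory)."""
    payload: bytes
    tag: bytes                # binds the payload to one AuthStore's key


def provision(store: AuthStore, payload: bytes) -> FlashItem:
    """Write content to flash together with a tag under the derived key."""
    key = derive_key(store.auth_data, store.salt)
    return FlashItem(payload, hmac.new(key, payload, hashlib.sha256).digest())


def release(store: AuthStore, item: FlashItem,
            host_id: str) -> Tuple[Optional[bytes], str]:
    """Decide whether content may be output to the data port.

    Returns (payload, reason); payload is None when release is refused.
    """
    key = derive_key(store.auth_data, store.salt)
    expected = hmac.new(key, item.payload, hashlib.sha256).digest()
    # Constant-time comparison: refuse content that does not correspond
    # to this device's authentication data (wrong device or altered data).
    if not hmac.compare_digest(expected, item.tag):
        return None, "no correspondence with authentication data"
    if store.releases >= store.max_releases:
        return None, "release limit reached"
    store.releases += 1
    store.hosts.append(host_id)
    return item.payload, "released"


def demo() -> List[str]:
    """Run the gate over constructed sample values and collect the reasons."""
    genuine = AuthStore(b"constructed-secret", b"constructed-salt", max_releases=2)
    other = AuthStore(b"different-secret", b"constructed-salt", max_releases=2)
    item = provision(genuine, b"constructed driver image bytes")
    return [
        release(other, item, "host-A")[1],    # wrong authentication data
        release(genuine, item, "host-A")[1],  # first permitted release
        release(genuine, item, "host-B")[1],  # second permitted release
        release(genuine, item, "host-C")[1],  # limit exhausted
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```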
Preferably said communications hub comprises a Universal Serial Bus (USB) hub.
Preferably the data port comprises a USB connector.
In one embodiment, said content comprises software.
In another embodiment, said content comprises software device drivers.
Preferably said apparatus includes a communications port for connecting said apparatus to a hardware device associated with said content.
Alternatively, said apparatus is provided in a hardware device and in electronic communication with said hardware device. Thus, the hardware device would typically be a hardware peripheral that the software device drivers will be working with. The data storage device is then used to contain the software drivers for the hardware device, or digital media, personal data and other data to be secured. The authentication data storage device can then also store unique secret keys for identifying the hardware device and/or for ensuring the authenticity and originality of the hardware.
In another embodiment, when the content comprises digital media for distribution with copy protection, the data storage device contains software portions or drivers for reading, displaying or playing said digital media.
Thus, these software components would typically be designed to prevent unauthorized duplication of the digital media stored on the data storage device by using techniques such as encryption and capturing operating system functions.
In one embodiment, further authentication data is stored on said data storage device.
Thus, for data management (such as of personal data), the content comprises software modules for the host device that are designed to be incorporated into software applications so that personal identity data, such as secret keys and digital certificates, may be stored in the data storage device as well as in the authentication data storage device. Other personal data, such as email and personal calendar, can be stored in the data storage device.
In another embodiment, for portable secure storage of digital data, the data storage device contains said digital data in encrypted form while the authentication data storage device contains secret keys for the encryption.
In all the applications above, the data in the data storage device may be in clear or in encrypted form, depending on the application.
The present invention also provides, in a second broad aspect, a method for controlling the provision of digital content, comprising: providing said content on a data storage device readable by means of a data storage device controller; providing authentication data on an authentication data storage device; placing said data storage device controller and authentication data storage device in data communication with a host device; controlling the provision of said content to said host device according to at least said authentication data.
The present invention provides, in a third broad aspect, a method for controlling access to digital content, comprising: providing said content on a computing or other electronic device; providing authentication data and control software on an authentication apparatus comprising: a control software storage device controller for receiving a control software storage device on which is provided control software; an authentication data storage device for storing authentication data; a data port connectable to said computing or other electronic device so that said apparatus can be placed into electronic communication with said computing or other electronic device; and a communications hub to mediate electronic communication between said authentication data storage device controller, said authentication data storage device and said data port; wherein said apparatus is configured to permit said control software provided on said control software storage device to be used to control application software on said computing or other electronic device according to said authentication data.
The electronic device could be a computer peripheral, such as a printer, a scanner or a digital camera. By this means, the software drivers can be distributed with the electronic device itself, rather than on a separate CD-ROM or the like.
Preferably the authentication apparatus includes a cryptographic processor that is operable to encrypt or decrypt said content by means of at least one cryptographic key stored in said authentication data storage device. More preferably, the cryptographic key comprises or is derived from the authentication data.
BRIEF DESCRIPTION OF THE DRAWINGS
In order that the present invention may be more clearly ascertained, preferred embodiments will now be described, by way of example, with reference to the accompanying drawing, in which:
Figure 1 is a schematic diagram of an apparatus for distributing content associated with a hardware device according to a preferred embodiment of the present invention, together with the hardware device;
Figure 2 is a schematic diagram of an apparatus for distributing software device drivers associated with a hardware device according to another preferred embodiment of the present invention, together with the hardware device;
Figure 3 is a schematic diagram of an apparatus for distributing digital storage media with copy protection according to a further preferred embodiment of the present invention;
Figure 4 is a schematic diagram of an authentication apparatus for personal identity and data management and for portable secure storage of digital data according to another preferred embodiment of the present invention;
Figure 5 is a schematic diagram of a system for centrally programming and managing the apparatus of figure 4; and
Figure 6 is a perspective view of an example of the apparatus of figure 4.
DETAILED DESCRIPTION OF THE DRAWINGS
An apparatus 10 for distributing digital content associated with a hardware device according to an embodiment of the present invention, together with the hardware device 12, is shown in figure 1.
The apparatus 10 comprises a Universal Serial Bus (USB) hub 14, an authentication device in the form of a smart card chip 16 or a biometric device 18, a flash controller 20 for reading flash memory 22 and a USB connector 24.
The authentication device 16,18 and the flash controller 20 communicate via USB hub 14 with a host device (not shown: typically a computer) by means of USB connector 24. The apparatus 10 is in fact incorporated within the hardware device 12 and connected thereto by means of a further USB connector (not shown) to the USB hub 14. The USB hub 14 in this embodiment will typically be the USB hub of the hardware device 12 itself.
Provision of the content on flash memory 22 (provided with the hardware device 12) to the host device is permitted only if the correct and corresponding authentication data is detected on the authentication device 16,18.
Particular examples of applications of this approach are given below by reference to figures 2 to 4.
(1) Software Driver Distribution
Figure 2 is a schematic diagram of an apparatus 30 for distributing software device drivers associated with a hardware device according to an embodiment of the present invention, together with the hardware device 32.
The apparatus 30 comprises USB hub 34, an authentication device in the form of a smart card chip 36, a flash controller 40 for reading flash memory 42 and a USB connector 44. Flash memory 42 contains the content (here in the form of the software device drivers for hardware device 32) that are needed for the operating system of the host device (not shown, but connected at USB connector 44) to operate with the hardware device 32. The hardware device 32 could be a computer peripheral such as a printer, or scanner, or it could represent a smart card that itself acts as the authentication device.
The smart card chip 36 contains secret keys, etc., for establishing authenticity of the hardware device 32 and the software device driver: the software device driver performs authentication with the smart card chip 36 to ensure that the device driver has not been modified and the hardware device 32 is original.
(2) Digital Media Distribution with Copy Protection
Figure 3 is a schematic diagram of an apparatus 50 for distributing digital storage media with copy protection according to an embodiment of the present invention. The content in this example may be digitised music and video such as MP3 and MPEG or software packages.
The apparatus 50 comprises USB hub 54, an authentication device in the form of a smart card chip 56, a flash controller 60 for reading flash memory 62 and a USB connector 64. Flash memory 62 contains the content, in this example in the form of audio/video digital content to be distributed, and software applications to view, play and install the content on the host device (not shown, but connected at USB connector 64).
The content stored in the flash memory 62 is in encrypted form to prevent unauthorised duplication. Software viewers, players or installers also reside in the flash memory. The viewers, players and installers are written in a way that they only allow the media and applications to be viewed, played or installed, but do not allow them to be duplicated. Strong cryptographic protocols are used in these viewers, players and installers to prevent unauthorized duplication.
The smart card chip 56 contains secret keys or other parameters to prove the authenticity and originality of the media. Other information regarding the number of times the digital data has been accessed or the identity of the computer or player can be recorded in the smart card chip. This allows the number of times, or the location at which, the digital data or the software package is accessed or installed to be restricted.
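The access-count and host-identity restriction described above, together with the authenticity check on the flash content, modelled as an added example that is not code from the patent. The class, its method names, the HMAC-SHA-256 key derivation and the two limits are assumptions made for illustration, and the media bytes are constructed sample data.

```python
import hashlib
import hmac


class AccessDenied(Exception):
    """The chip model refuses to release the content key."""


class SmartCardChip:
    """Model of smart card chip 56: holds the secret and the access records."""

    def __init__(self, authentication_data, max_accesses, max_hosts):
        self._auth = authentication_data  # secret; never returned to the host
        self.max_accesses = max_accesses  # assumed policy limit
        self.max_hosts = max_hosts        # assumed policy limit
        self.access_count = 0
        self.hosts = set()

    def _derive(self, label, media_id):
        # Key derived from the authentication data; HMAC as KDF is an assumption.
        msg = label + b"\x00" + media_id
        return hmac.new(self._auth, msg, hashlib.sha256).digest()

    def seal(self, media_id, blob_digest):
        """Issuing step: tag the digest of the encrypted blob written to flash."""
        key = self._derive(b"authenticity", media_id)
        return hmac.new(key, blob_digest, hashlib.sha256).digest()

    def open_media(self, host_id, media_id, blob_digest, tag):
        """Verify the blob, enforce the limits, record the access, return the key."""
        if not hmac.compare_digest(self.seal(media_id, blob_digest), tag):
            raise AccessDenied("flash content does not match its tag")
        if self.access_count >= self.max_accesses:
            raise AccessDenied("access limit reached")
        if host_id not in self.hosts and len(self.hosts) >= self.max_hosts:
            raise AccessDenied("host limit reached")
        self.hosts.add(host_id)
        self.access_count += 1
        return self._derive(b"content-key", media_id)


def demo():
    """Replay a constructed sequence of player requests against one chip."""
    chip = SmartCardChip(b"constructed-authentication-data",
                         max_accesses=3, max_hosts=1)
    media_id = b"track-01"
    blob = b"constructed encrypted media bytes"
    tag = chip.seal(media_id, hashlib.sha256(blob).digest())
    requests = [
        ("host-A", blob),          # first play on the first computer
        ("host-B", blob),          # same token moved to a second computer
        ("host-A", blob + b"!"),   # flash content altered after issue
        ("host-A", blob),
        ("host-A", blob),
        ("host-A", blob),          # a fourth successful play exceeds the limit
    ]
    outcomes = []
    for host_id, data in requests:
        try:
            chip.open_media(host_id, media_id, hashlib.sha256(data).digest(), tag)
            outcomes.append("key released")
        except AccessDenied as exc:
            outcomes.append(str(exc))
    return outcomes, chip.access_count


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Refused requests do not consume an access in this model; whether they should is a policy choice the description does not specify.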
(3) Personal Identity and Data Management and Portable Secure Storage of Digital Data
Figure 4 is a schematic diagram of an authentication apparatus 70 for personal identity and data management and for portable secure storage of digital data in the form of personal identity data according to an embodiment of the present invention. The authentication data is in the form of personal identity data such as digital certificates and passwords while the content (or personal data) could be electronic mail, personal documents, passwords, and other data.
The apparatus 70 comprises USB hub 74, an authentication device in the form of a smart card chip 76, a flash controller 80 for reading flash memory 82 and a USB connector 84. Flash memory 82 contains the content which, as mentioned above, in this example is in the form of electronic mail, personal documents, passwords and other data.
The flash memory 82 is used to store these data in clear or encrypted form. The more sensitive data (together with the digital certificates or passwords for proving identity or the secret keys used to sign, encrypt and decrypt the data in the flash card 82) is securely stored in the smart card chip 76.
Digital certificates are used for secure computer applications such as secure email (S/MIME) and secure internet connection (Secure Socket Layer, SSL), for signing and encrypting email.
Figure 5 is a schematic diagram of a system 90 for centrally programming and managing the authentication apparatus 70 of figure 4, in use with such an authentication apparatus 70 and a computer network 92.
The system 90 comprises a central management system 94 and a programmer 96. The programmer 96 includes a USB port for connecting to the USB port of USB connector 84 of authentication apparatus 70, so that the system 90 can be used to program each such authentication apparatus 70 by installing in an authentication apparatus 70 keys belonging to each user.
The keys are held in a Public Key Depository 98, which holds such keys for secure applications such as S/MIME. The Public Key Depository 98 is accessible by the central management system 94 by computer network.
The system 90 installs - into the flash memory 82 of each authentication apparatus 70 - installation and configuration programs for subsequently configuring the software applications on networked computers 100 (each running secure applications such as S/MIME) on computer network 92; a user can take an authentication apparatus that has been programmed in this manner (such as authentication apparatus 70') and use it to gain ready access to those applications on any of computers 100. This enables each user to use these applications easily without the necessity of a system administrator installing applications or performing configuration for the user. The user also does not need to carry along another medium (such as an installation disk), and is free to perform this installation at all the computers that the user is authorized to use.
This convenience for the user is enabled by the flash storage space, in addition to the smart card chip, the latter of which is responsible for the key storage.
This system thus reduces the complexity of deployment by incorporating all the installation program and information within the device itself.
Figure 6 is a perspective view of an example of an authentication apparatus 102 according to this embodiment (such as authentication apparatus 70 of figures 4 and 5). As is apparent in this figure, the authentication apparatus 102 includes a USB plug 104 (for plugging into a USB port) and a body 106 that encases the data storage and processing components of the apparatus. The apparatus 102 is designed to be hand-held, so it is of appropriate dimensions and provided with finger grips 108 for ease of manipulation.
Thus, the present invention allows device drivers to be distributed together with the hardware device itself, and for a single architecture to be used for multiple applications.
Modifications within the scope of the invention may be readily effected by those skilled in the art. It is to be understood, therefore, that this invention is not limited to the particular embodiments described by way of example hereinabove.
In the claims that follow and in the preceding description of the invention, except where the context requires otherwise owing to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention.

Claims

1. An apparatus for controlling the provision of digital content, comprising: a data storage device controller for receiving a data storage device on which is provided said content; an authentication data storage device for storing authentication data; a data port connectable to a host device so that said apparatus can be placed into electronic communication with said host device; and a communications hub to mediate electronic communication between said data storage device controller, said authentication data storage device and said data port; wherein said apparatus is configured to permit content provided on said data storage device to be outputted from said data port according to said authentication data.
2. An apparatus as claimed in claim 1, wherein said apparatus includes a cryptographic processor that is operable to encrypt or decrypt said content by means of at least one cryptographic key stored in said authentication data storage device.
3. An apparatus as claimed in claim 2, wherein said cryptographic key comprises or is derived from said authentication data.
4. An apparatus as claimed in any one of the preceding claims, wherein said data storage device includes a first storage portion for storing at least one software viewer or player for viewing or playing said content, and a second storage portion for storing said content, wherein said apparatus is configured to permit the accessing of said software viewer or player and of said content such that said content can be viewed or played by means of said software viewer or player without allowing said content to be copied.
5. An apparatus as claimed in any one of the preceding claims, wherein said authentication data storage device comprises a combination of secure microcontrollers and EEPROM chips and said data storage device is a flash memory device.
6. An apparatus as claimed in any one of the preceding claims, wherein said communications hub comprises a Universal Serial Bus hub.
7. An apparatus as claimed in any one of the preceding claims, wherein said data port comprises a Universal Serial Bus connector.
8. An apparatus as claimed in any one of the preceding claims, wherein said content comprises software.
9. An apparatus as claimed in any one of preceding claims, wherein said content comprises software device drivers.
10. An apparatus as claimed in any one of preceding claims, including a communications port for connecting said apparatus to a hardware device associated with said content.
11. An apparatus as claimed in any one of preceding claims, wherein said apparatus is provided in a hardware device and in electronic communication with said hardware device.
12. An apparatus as claimed in claim 1, wherein said content comprises digital media for distribution with copy protection, and said data storage device contains software portions or drivers for reading, displaying or playing said digital media.
13. An apparatus as claimed in claim 1, wherein further authentication data is stored on said data storage device.
14. A method for controlling the provision of digital content, comprising: providing said content on a data storage device readable by means of a data storage device controller; providing authentication data on an authentication data storage device; placing said data storage device controller and authentication data storage device in data communication with a host device; controlling the provision of said content to said host device according to at least said authentication data.
15. A method as claimed in claim 14, including encrypting or decrypting said content by means of at least one cryptographic key stored in said authentication data storage device.
16. A method as claimed in claim 15, wherein said cryptographic key comprises or is derived from said authentication data.
17. A method for controlling access to digital content, comprising: providing said content on a computing or other electronic device; providing authentication data and control software on an authentication apparatus comprising: a control software storage device controller for receiving a control software storage device on which is provided control software; an authentication data storage device for storing authentication data; a data port connectable to said computing or other electronic device so that said authentication apparatus can be placed into electronic communication with said computing or other electronic device; and a communications hub to mediate electronic communication between said authentication data storage device controller, said authentication data storage device and said data port; wherein said authentication apparatus is configured to permit said control software provided on said control software storage device storage device to be used to control application software on said computing or other electronic device according to said authentication data.
18. A method as claimed in claim 17, wherein said authentication apparatus includes a cryptographic processor that is operable to encrypt or decrypt said content by means of at least one cryptographic key stored in said authentication data storage device.
19. A method as claimed in claim 18, wherein said cryptographic key comprises or is derived from said authentication data.
PCT/SG2004/000024 2003-03-11 2004-01-27 Method and apparatus for controlling the provision of digital content WO2004081706A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2003901095 2003-03-11
AU2003901095A AU2003901095A0 (en) 2003-03-11 2003-03-11 Method and apparatus for controlling the provision of digital content

Publications (2)

Publication Number Publication Date
WO2004081706A2 true WO2004081706A2 (en) 2004-09-23
WO2004081706A3 WO2004081706A3 (en) 2004-11-25

Family

ID=31500139

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2004/000024 WO2004081706A2 (en) 2003-03-11 2004-01-27 Method and apparatus for controlling the provision of digital content

Country Status (2)

Country Link
AU (1) AU2003901095A0 (en)
WO (1) WO2004081706A2 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7213766B2 (en) 2003-11-17 2007-05-08 Dpd Patent Trust Ltd Multi-interface compact personal token apparatus and methods of use
EP1902421A2 (en) * 2005-05-12 2008-03-26 Cyberflow Solutions, Inc. A digital publication system and apparatus
EP1975839A3 (en) * 2007-03-30 2009-05-13 Sony Corporation Information processing apparatus and method, program, and information processing system
WO2009062965A2 (en) * 2007-11-12 2009-05-22 Gemalto Sa System and method for secure firmware update of a secure token having a flash memory controller and a smart card
WO2009062972A1 (en) * 2007-11-12 2009-05-22 Gemalto Sa System and method for resizing a drive's partition and exchanging partition sizes between a flash memory controller and a smart card
US7597250B2 (en) 2003-11-17 2009-10-06 Dpd Patent Trust Ltd. RFID reader with multiple interfaces
US7762470B2 (en) 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
US20130097689A1 (en) * 2011-10-17 2013-04-18 Stephen Villoria Creation and management of digital content and workflow automation via a portable identification key

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5584043A (en) * 1991-06-26 1996-12-10 Smartdiskette Gmbh Apparatus having a smart card accomodated by a diskette frame containing processor memory and battery power for interfacing with a standard diskette drive
US5887145A (en) * 1993-09-01 1999-03-23 Sandisk Corporation Removable mother/daughter peripheral card
WO2000001138A2 (en) * 1998-06-26 2000-01-06 Fotonation, Inc. Camera network communication device
WO2000042491A1 (en) * 1999-01-15 2000-07-20 Rainbow Technologies, Inc. Usb-compliant personal key with integral input and output devices
US20020073340A1 (en) * 2000-12-12 2002-06-13 Sreenath Mambakkam Secure mass storage device with embedded biometri record that blocks access by disabling plug-and-play configuration
US20030043485A1 (en) * 2001-07-27 2003-03-06 Storcard, Inc. Apparatus for reading and writing cards having rotating memory

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7597250B2 (en) 2003-11-17 2009-10-06 Dpd Patent Trust Ltd. RFID reader with multiple interfaces
US7213766B2 (en) 2003-11-17 2007-05-08 Dpd Patent Trust Ltd Multi-interface compact personal token apparatus and methods of use
US7762470B2 (en) 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
EP1902421A2 (en) * 2005-05-12 2008-03-26 Cyberflow Solutions, Inc. A digital publication system and apparatus
EP1902421A4 (en) * 2005-05-12 2010-08-04 Cyberflow Solutions Inc A digital publication system and apparatus
EP1975839A3 (en) * 2007-03-30 2009-05-13 Sony Corporation Information processing apparatus and method, program, and information processing system
WO2009062965A2 (en) * 2007-11-12 2009-05-22 Gemalto Sa System and method for secure firmware update of a secure token having a flash memory controller and a smart card
WO2009062965A3 (en) * 2007-11-12 2009-07-09 Gemalto Sa System and method for secure firmware update of a secure token having a flash memory controller and a smart card
WO2009062972A1 (en) * 2007-11-12 2009-05-22 Gemalto Sa System and method for resizing a drive's partition and exchanging partition sizes between a flash memory controller and a smart card
US8307131B2 (en) 2007-11-12 2012-11-06 Gemalto Sa System and method for drive resizing and partition size exchange between a flash memory controller and a smart card
US8898477B2 (en) 2007-11-12 2014-11-25 Gemalto Inc. System and method for secure firmware update of a secure token having a flash memory controller and a smart card
US20130097689A1 (en) * 2011-10-17 2013-04-18 Stephen Villoria Creation and management of digital content and workflow automation via a portable identification key
US9166976B2 (en) * 2011-10-17 2015-10-20 Stephen Villoria Creation and management of digital content and workflow automation via a portable identification key

Also Published As

Publication number Publication date
WO2004081706A3 (en) 2004-11-25
AU2003901095A0 (en) 2003-03-27

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)