WO2005093558A1 - Portable storage device and method of managing files in the portable storage device - Google Patents
- Publication number: WO2005093558A1 (PCT/KR2005/000546)
- Authority: WIPO (PCT)
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F17/00—Coin-freed apparatus for hiring articles; Coin-freed facilities or services
- G07F17/20—Coin-freed apparatus for hiring articles; Coin-freed facilities or services for washing or drying articles, e.g. clothes, motor cars
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
Definitions
- the present invention relates to a method of managing files in a portable storage device, and more particularly, to a method of managing files in a portable storage device enabling digital rights management (DRM).
- FIG. 1 is a conceptual diagram of conventional DRM.
- DRM relates to management of contents (hereafter, referred to as encrypted contents) protected using a method such as encryption or scrambling and rights objects allowing access to the encrypted contents.
- a DRM system includes devices 110 and 150 wanting to access encrypted content, a contents issuer 120 issuing content, a rights issuer 130 issuing a rights object (RO) containing a license to execute the content, and a certification authority 140 issuing a certificate.
- the device 110 can obtain desired content from the contents issuer 120 in an encrypted format protected by DRM.
- the device 110 can obtain a license to play the encrypted content from a rights object received from the rights issuer 130.
- the device 110 can freely transmit the encrypted content to the device 150.
- the device 150 needs the rights object to play the encrypted content.
- the rights object can be obtained from the rights issuer 130.
- An RO containing a license to execute content may also contain predetermined constraint information so that the RO can be prevented from being distributed or copied without permission.
- the RO may contain information regarding a limited number of times the RO can be copied or moved from one device to another device. In this case, whenever the RO is moved or copied, a copy or move count set in the RO increases by one. When the copy or move count reaches the predetermined limited number of times, the RO is prohibited from being moved or copied so that the RO is prevented from being distributed without permission.
- the certification authority 140 issues a certificate containing information on an identifier of a device whose public key is validated, a serial number of the certificate, a certificate authority's name, a public key of the pertinent device, and an expiry of the certificate issued.
- the certificate provides information on whether the devices are proper users or not. Thus, it is possible to prevent an intruding device that poses as an authenticated device from communicating with other devices or systems.
- the present invention provides a method of securely managing files in a portable storage device having a digital rights management (DRM) function.
- a portable storage device including a control module sorting DRM data from received data and forming a file comprising the DRM data, and a storage module storing the file.
- the control module sets a restricted region in the storage module, allocates a file identifier mapped to the restricted region to the file comprising the digital rights management data, and stores the file identifier in the restricted region.
- the file stored in the storage module may have a tree structure.
- the digital rights management data may be one of a rights object and authentication information needed for authentication with a device.
- the authentication information may be one of a certificate and a certificate revocation list.
- the file comprising the digital rights management data may comprise a rights object dedicated file comprising an elementary file for a rights object and an authentication dedicated file comprising an elementary file for the authentication information.
- the control module may comprise an access condition for restricting the device's access to the file stored in the storage module.
- the access condition for the file comprising the digital rights management data may be authentication.
- the access condition is authentication and valid duration of the certificate or the certificate revocation list.
- Preferably, but not necessarily, the control module generates a table in which an identifier of content that can be executed by the rights object or an identifier of the rights object is mapped to a file identifier allocated to the rights object elementary file, searches the table for the rights object that the device attempts to access, and allows the device to access the rights object.
- when the device accesses a file in the portable storage device, the device sends a command to the control module, and in response to the command the control module accesses the file and performs an operation according to the command.
- a method of managing a file in a portable storage device including sorting digital rights management data from received data, forming a file comprising the digital rights management data, and storing the file in a storage module.
- the storing of the file comprises setting a restricted region in the storage module using a control module, and allocating a file identifier mapped to the restricted region to the file comprising the digital rights management data.
- the file stored in the storage module may have a tree structure.
- the digital rights management data may be one of a rights object and authentication information needed for authentication with a device.
- the authentication information may be one of a certificate and a certificate revocation list.
- the file comprising the digital rights management data may comprise a rights object dedicated file comprising an elementary file for a rights object and an authentication dedicated file comprising an elementary file for the authentication information.
- the method may further comprise causing a control module to generate an access condition for restricting the device's access to the file stored in the storage module.
- the access condition for the file comprising the digital rights management data may be authentication.
- the access condition may be authentication and valid duration of the certificate or the certificate revocation list.
- the control module generates a table in which an identifier of content that can be executed by the rights object or an identifier of the rights object is mapped to a file identifier allocated to the rights object elementary file, searches the table for the rights object that the device attempts to access, and allows the device to access the rights object.
- when the device accesses a file in the portable storage device, the device sends a command to the control module, and in response to the command the control module accesses the file and performs an operation according to the command.
- FIG. 1 is a conceptual diagram of conventional digital rights management (DRM);
- FIG. 2 is a schematic conceptual diagram of DRM between a portable storage device and a device
- FIG. 3 is a diagram illustrating authentication between a device and a multimedia card according to an embodiment of the present invention
- FIG. 4 is a block diagram of a portable storage device according to an embodiment of the present invention.
- FIG. 5 is a schematic diagram illustrating a directory structure stored in a storage module according to an embodiment of the present invention.
- FIG. 6 is a table illustrating the configuration of a rights object (RO) according to an embodiment of the present invention.
- FIG. 7 is a table illustrating constraints given to permission shown in FIG. 6;
- FIG. 8 illustrates the configuration of an RO file supported by a multimedia card according to an embodiment of the present invention
- FIG. 9 is a table showing information regarding a tag according to a type of data included in a file
- FIG. 10 is a flowchart of a procedure for storing data in a multimedia card according to an embodiment of the present invention.
- FIG. 11 is a flowchart of a procedure for permitting access to a file stored in a multimedia card according to an embodiment of the present invention.
- Mode for Invention
- a portable storage device used in the present invention includes a non-volatile memory such as a flash memory which data can be written to, read from, and deleted from and which can be connected to a device.
- examples of the portable storage device are smart media, memory sticks, compact flash (CF) cards, xD cards, and multimedia cards.
- a MMC will be explained as a portable storage device.
- the portable storage device according to the present invention is not restricted to a multimedia card.
- FIG. 2 is a conceptual diagram of digital rights management (DRM) between a multimedia card and a device.
- a device 210 can obtain encrypted content from a contents issuer 220.
- the encrypted content is content protected through DRM.
- a rights object (RO) for the encrypted content is needed.
- the RO may contain a definition of a right to content and constraints to the right and may further include a right to the RO itself.
- An example of the right to the RO may be move or copy. In other words, an RO containing a right to move may be moved to another device or a MMC. An RO containing a right to copy may be copied to another device or a MMC.
- the move of the RO is a process of generating the RO at a new place and deactivating it at the previous place (i.e., the RO itself is deleted or a right contained in the RO is deleted).
- when the RO is copied, the RO at an original place remains in an activated state.
- the device 210 may purchase an RO from a rights issuer 230 to obtain a right to play.
- the device 210 can play the encrypted content using the RO.
- the device 210 may transfer (move or copy) the RO to a device 250 through a multimedia card 260.
- the device 210 can move the RO to the multimedia card 260 after authenticating with the multimedia card 260.
- the device 210 may request a right to play from the multimedia card 260 and receive the right to play, i.e., a content encryption key (CEK), from the multimedia card 260.
- the device 250 can receive a right to play particular content from the multimedia card 260 storing ROs after authenticating with the multimedia card 260 and can play the encrypted particular content using the received right.
- a play count included in the RO stored in the multimedia card 260 may be increased.
- An RO may be moved or copied from the multimedia card 260 to the device 250.
- a move or copy count of the RO may be increased.
- the device 210 or 250 is permitted to play an encrypted content using a right contained in an RO, or move or copy an RO until a play, move or copy count reaches a predetermined limited number set in the RO.
- a device authenticates with a multimedia card before exchanging data such as an RO with the multimedia card.
- FIG. 3 is a diagram illustrating authentication between a device 310 and a multimedia card 320 according to an embodiment of the present invention.
- Authentication is a procedure in which the device 310 and the multimedia card 320 authenticate each other's genuineness and exchange random numbers for generation of a session key.
- a session key can be generated using a random number obtained during authentication.
- descriptions above horizontal arrowed lines relate to a command requesting another device to perform a certain operation and descriptions below the horizontal arrow-headed lines relate to a parameter needed to execute the command or data transported.
- the device 310 issues all commands for the authentication and the multimedia card 320 performs operations needed to execute the command.
- the device 310 may send a command such as an authentication request to the multimedia card 320. Then, the multimedia card 320 sends a certificate_M and an encrypted random number_M to the device 310 in response to the authentication request. Accordingly, each horizontal arrow in FIG. 3 denotes a moving direction of a parameter or data.
- both of the device 310 and the multimedia card 320 may issue commands.
- the multimedia card 320 may send the authentication response together with the certificate and the encrypted random number_M to the device 310.
- a subscript 'D' of an object indicates that the object is stored in or generated by the device 310 and a subscript 'M' of an object indicates that the object is stored in or generated by the multimedia card 320.
- the device 310 sends an authentication request to the multimedia card 320 together with a device certificate_D.
- the device certificate_D includes an identifier (ID) of the device 310, i.e., a device ID, and a device public key and is signed with a digital signature of a certification authority.
- the multimedia card 320 verifies whether the device certificate is valid using a certificate revocation list (CRL) stored therein. If the device certificate is registered in the CRL, the multimedia card 320 may reject the authentication with the device 310. If the device certificate is not registered in the CRL, the multimedia card 320 verifies that the device certificate_D is valid and obtains the device public key_D from the device certificate_D.
- the multimedia card 320 verifying that the device certificate is valid generates a random number_M in operation S25 and encrypts the random number_M using the device public key in operation S30. Thereafter, in operation S40, an authentication response procedure is performed by sending an authentication response from the device 310 to the multimedia card 320 or from the multimedia card 320 to the device 310. During the authentication response procedure, the multimedia card 320 sends a multimedia card public certificate and an encrypted random number to the device 310.
- the device 310 receives the multimedia card certificate_M and the encrypted random number and authenticates the multimedia card 320 by verifying the multimedia card certificate_M based on the CRL. In addition, the device 310 obtains the multimedia card public key_M from the multimedia card certificate_M and obtains the random number generated by the multimedia card 320 by decrypting the encrypted random number using its private key.
- In operation S55, the device 310 generates a random number_D. In operation S60, the device 310 encrypts the random number_D using the multimedia card public key_M. Thereafter, an authentication end procedure is performed in operation S70 where the device 310 sends the encrypted random number_D to the multimedia card 320.
- the multimedia card 320 receives and decrypts the encrypted random number_D using its private key. As a result, the device 310 and the multimedia card 320 know the random numbers (the random number_D and the random number_M) generated by each other.
- the device 310 and the multimedia card 320, which now share each other's random numbers, generate their session keys using both random numbers.
- the session keys are identical with each other. Once the session keys are generated, diverse operations protected by DRM can be performed between the device 310 and the multimedia card 320.
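The FIG. 3 exchange, sketched end to end as an added example (this is not code from the patent). It assumes toy unpadded RSA over fixed Mersenne primes so that it runs with the standard library only, a CRL keyed by certificate serial number, and SHA-256 over both random numbers as the session-key derivation, which the text leaves unspecified; all class and function names are hypothetical.

```python
"""Added example: FIG. 3 mutual authentication with toy textbook RSA (unpadded)."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key pair below


def keypair(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1: (modulus, private exponent)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))


@dataclass(frozen=True)
class Cert:
    subject_id: str   # device ID or card ID
    serial: int       # the value a CRL lists (assumption)
    n: int            # subject's public modulus
    signature: int    # CA signature over the three fields above


def _digest(subject_id, serial, n):
    raw = hashlib.sha256(f"{subject_id}|{serial}|{n}".encode()).digest()
    return int.from_bytes(raw, "big")


class CertificationAuthority:
    def __init__(self):
        self.n, self._d = keypair(521, 607)

    def issue(self, subject_id, serial, n):
        sig = pow(_digest(subject_id, serial, n), self._d, self.n)
        return Cert(subject_id, serial, n, sig)


def cert_valid(cert, ca_n, crl):
    """Reject serials registered in the CRL, then check the CA signature."""
    if cert.serial in crl:
        return False
    expected = _digest(cert.subject_id, cert.serial, cert.n)
    return pow(cert.signature, E, ca_n) == expected


class Endpoint:
    """Either side of the exchange: device 310 or multimedia card 320."""

    def __init__(self, name, serial, prime_exps, ca, crl):
        self.n, self._d = keypair(*prime_exps)
        self.cert = ca.issue(name, serial, self.n)
        self.ca_n, self.crl = ca.n, crl
        self.own_random = None
        self.session_key = None

    def challenge_for(self, peer_cert):
        """Verify the peer certificate, then encrypt a fresh random number to the peer."""
        if not cert_valid(peer_cert, self.ca_n, self.crl):
            raise PermissionError(f"certificate of {peer_cert.subject_id} rejected")
        self.own_random = secrets.randbits(128)
        return pow(self.own_random, E, peer_cert.n)

    def open_challenge(self, ciphertext):
        """Decrypt the peer's random number with our private key."""
        return pow(ciphertext, self._d, self.n)


def derive_key(random_d, random_m):
    # Assumption: SHA-256 over random_D || random_M, truncated to an AES-128 key.
    material = random_d.to_bytes(16, "big") + random_m.to_bytes(16, "big")
    return hashlib.sha256(material).digest()[:16]


def authenticate(device, card):
    """Run the exchange; both endpoints end up holding the same session key."""
    enc_m = card.challenge_for(device.cert)    # request + certificate_D; S25, S30
    enc_d = device.challenge_for(card.cert)    # S40 response checked; S55, S60
    random_m = device.open_challenge(enc_m)    # device recovers random number_M
    random_d = card.open_challenge(enc_d)      # S70: card recovers random number_D
    device.session_key = derive_key(device.own_random, random_m)
    card.session_key = derive_key(random_d, card.own_random)
    return device.session_key


if __name__ == "__main__":
    ca, crl = CertificationAuthority(), set()   # constructed sample parties
    dev = Endpoint("device-310", 1001, (61, 89), ca, crl)
    mmc = Endpoint("mmc-320", 2001, (107, 127), ca, crl)
    print(authenticate(dev, mmc).hex(), dev.session_key == mmc.session_key)
```

The exchange carries no key-confirmation step, so a ciphertext altered in transit would only surface later as mismatched session keys.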
- FIG. 4 is a block diagram of a portable storage device, e.g., a multimedia card 400, according to an embodiment of the present invention.
- the term 'module' means, but is not limited to, a software or hardware component, such as a Field Programmable Gate Array (FPGA) or Application Specific Integrated Circuit (ASIC), which performs certain tasks.
- a module may advantageously be configured to reside on the addressable storage medium and configured to execute on one or more processors.
- a module may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
- the functionality provided for in the components and modules may be combined into fewer components and modules or further separated into additional components and modules.
- the components and modules may be implemented such that they execute on one or more CPUs in a device or MMC.
- the multimedia card 400 needs a security function, a function of storing content or an RO, a function of exchanging data with a device, and a DRM function.
- the multimedia card 400 includes an encryption module 430 with a security function, a storage module 440 with a storage function, an interface module 410 allowing data exchange with a device, and a control module 420 controlling each module to perform a DRM procedure.
- the interface module 410 allows the MMC 400 to be connected with the device.
- the interface module 410 of the MMC 100 may be electrically connected with an interface module of the device.
- the electrical connection is just an example, and the connection may indicate a state in which the MMC 100 can communicate with the device through a wireless medium without a contact.
- the encryption module 430 includes a public-key encryption module 432, a session key generation module 434, and a symmetric-key encryption module 436.
- the public-key encryption module 432 performs public-key encryption. More particularly, the public-key encryption module 432 performs RSA encryption according to a request from the control module 420. During the above-described authentication, the RSA encryption may be used for random number exchange or digital signature.
- the public-key encryption module 432 is just an example, and other public-key encryption schemes, including Diffie-Hellman encryption, RSA encryption, ElGamal encryption, and elliptic curve encryption, can be used.
- the session key generation module 434 generates a random number to be transmitted to a device and generates a session key using the generated random number and a random number received from the device.
- the random number generated by the session key generation module 434 is encrypted by the public-key encryption module 432 and then transmitted to the device through the interface module 410.
- the random number may be selected from a plurality of random numbers provided in advance.
- the symmetric-key encryption module 436 performs symmetric-key encryption. More particularly, the symmetric-key encryption module 436 performs advanced encryption standard (AES) encryption using the session key generated by the session key generation module 434.
- the AES encryption is usually used to encrypt a CEK included in an RO using the session key when the CEK is transmitted to a device.
- encryption by the symmetric-key encryption module 436 may be used to encrypt other important information during communication with a device.
- the AES encryption using the session key may be performed to encrypt an RO during move of the RO.
- the AES encryption is just an example, and the symmetric-key encryption module 436 may use other symmetric-key encryption such as data encryption standard (DES) encryption.
- the control module 420 may divide the storage module 440 into a restricted region and a normal region, encrypt and store DRM-related information in the restricted region, and store other data in the normal region.
- the DRM-related information may include authentication information needed to verify the authenticity of the identity of a device during authentication with the device and an RO including a right to use content and right information.
- the authentication information may be a certification of the multimedia card 400, a certification of a certification authority, or a CRL.
- the control module 420 may restrict a device's access to the DRM-related information among data stored in the storage module by dividing the storage module 440 into the restricted region and the normal region and storing the DRM-related information in the restricted region.
- the storage module 440 may be physically or logically divided into the restricted region and the normal region.
- the control module 420 may set a condition for access to data stored in the storage module 440.
- the access condition may be authentication, necessity of the update of the certification of the multimedia card 400, or necessity of the update of a CRL stored in the storage module 440.
- the control module 420 may set authentication as access restriction information regarding an RO.
- the control module 420 may determine whether the device has performed authentication with the multimedia card 400 and allow the device to access the RO only when the device has completed the authentication normally.
- access may indicate read or write.
- the control module 420 may determine whether the device has authenticated with the multimedia card 400 and permit the copy or move only when the authentication has been done.
- an access condition for a certificate or a CRL will be described.
- the control module 420 may set no access conditions to allow the device to access without authentication.
- the control module 420 may set authentication and the valid duration of the certificate or the CRL as access conditions.
- the control module 420 may encrypt DRM data to be stored in the storage module 440 using a unique encryption key of the multimedia card 400 and store in the restricted region of the storage module 440 the encrypted DRM data together with a file identifier (FID) allocated to address the DRM data to the restricted region. Encryption of the DRM-related information may be performed partially or entirely. For example, when an RO is encrypted and stored, only a CEK included in the RO may be encrypted or the entire RO may be encrypted. When ROs are entirely encrypted, the control module 420 may map an ID of each RO or an ID of content that can be played by each RO to an FID and separately store a table of content IDs or RO IDs to facilitate searching for a particular RO.
- the storage module 440 stores encrypted content, an RO, a CRL, etc.
- the storage module 440 may be divided into the restricted region and the normal region physically or logically.
- Data stored in the storage module 440 may have a file format in a tree structure.
- DRM data such as an RO or a CRL may be stored in the restricted region in an encrypted state.
- the symmetric-key encryption module 426 may encrypt an RO using a unique encryption key that other devices cannot read according to the AES encryption.
- the symmetric-key encryption module 436 may decrypt the encrypted RO using the unique encryption key when the RO is moved or copied to other devices.
- Use of symmetric-key encryption is just an example.
- the public-key encryption module 432 may perform public-key encryption using a public key of the multimedia card 400 and perform decryption using a private key of the multimedia card 400 when necessary. Encrypted contents or data for other applications may be stored in the normal region of the storage module 440.
- access to the restricted region of the storage module 440 may be selectively restricted by the control module 420.
- FIG. 5 is a schematic diagram illustrating a directory structure stored in the storage module 440 according to an embodiment of the present invention.
- the restricted region of the storage module 440 included in the multimedia card 400 may be protected by setting access conditions.
- a tree structure may be used as a file structure for appropriately utilizing the access conditions.
- the file structure of the multimedia card 400 illustrated in FIG. 5 includes a master file (MF) corresponding to an entire directory, a dedicated file (DF) corresponding to a sub-directory, and a plurality of elementary files (EFs) storing necessary content. To identify these files, FIDs may be used. In FIG. 5, a number in each parenthesis denotes an FID. In the embodiment illustrated in FIG. 5, since an FID ranges from 1401 to 17FE, 1023 RO EFs can be generated.
- DFs may be divided into a DRM DF for the DRM of the multimedia card 400 and other DF applications.
- the DRM DF may be stored in the restricted region of the storage module 440.
- the control module 420 may set an access condition such that only a device completing authentication with the multimedia card 400 can access the DRM DF. When the access condition is not satisfied, the control module 420 may prohibit the access to the DRM DF.
- 'access' may indicate indirect access in which a device sends a command to the multimedia card 400 and then the control module 420 of the multimedia card 400 accesses a relevant file and inputs/outputs necessary information.
- the DRM DF may include an RO DF and an authentication DF.
- the RO DF includes RO EFs storing an RO, which may have been stored in the multimedia card 400 since manufacturing or may be copied or moved from a device after authentication.
- the authentication DF includes information needed by the multimedia card 400 to perform authentication with a device.
- the authentication DF includes a card's certificate EF containing the certificate of the multimedia card 400, a certification authority's certificate EF containing a certificate of a certification authority, or a CRL EF containing a CRL.
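An added sketch (not from the patent) of how a control module could enforce the access conditions described above on the restricted-region files, with the device reaching files only through commands. The RO EF range 1401 to 17FE is the one given in the text; the command names, the FIDs of the authentication EFs, and the integer timestamps are hypothetical, and encryption of stored data with the card's unique key is left out.

```python
"""Added example: access conditions on the DRM DF files of FIG. 5."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional

RO_FID_FIRST, RO_FID_LAST = 0x1401, 0x17FE   # RO EF identifier range from the text
CARD_CERT_FID, CA_CERT_FID, CRL_FID = 0x1301, 0x1302, 0x1303   # hypothetical FIDs


class Cond(Flag):
    NONE = 0         # accessible without authentication
    AUTH = auto()    # device must have completed authentication
    VALID = auto()   # certificate / CRL must be within its valid duration


@dataclass
class ElementaryFile:
    fid: int
    data: bytes
    cond: Cond
    not_after: Optional[int] = None   # end of validity, checked with Cond.VALID


class FidSpaceExhausted(Exception):
    """Every FID in the RO EF range is already allocated."""


class ControlModule:
    def __init__(self, ro_first=RO_FID_FIRST, ro_last=RO_FID_LAST):
        self._ro_fids = range(ro_first, ro_last + 1)
        self._restricted = {}        # FID -> ElementaryFile (contents of the DRM DF)
        self._ro_table = {}          # RO ID or content ID -> FID of the RO EF
        self.authenticated = False   # set once authentication has completed

    def install(self, ef):
        """Provisioning path (e.g. at manufacturing), not reachable by commands."""
        self._restricted[ef.fid] = ef

    def _check(self, cond, not_after, now):
        if Cond.AUTH in cond and not self.authenticated:
            raise PermissionError("authentication required")
        if Cond.VALID in cond and (not_after is None or now > not_after):
            raise PermissionError("certificate or CRL needs updating")

    def _ro_ef(self, key, now):
        self._check(Cond.AUTH, None, now)   # check first: lookups leak nothing
        if key not in self._ro_table:
            raise FileNotFoundError(key)
        return self._restricted[self._ro_table[key]]

    def execute(self, command, now, **args):
        """Indirect access: the device names an operation, the card touches the file."""
        if command == "READ_FILE":
            ef = self._restricted.get(args["fid"])
            if ef is None:
                raise FileNotFoundError(hex(args["fid"]))
            self._check(ef.cond, ef.not_after, now)
            return ef.data
        if command == "STORE_RO":
            self._check(Cond.AUTH, None, now)
            fid = next((f for f in self._ro_fids if f not in self._restricted), None)
            if fid is None:
                raise FidSpaceExhausted("no free RO EF identifier")
            self._restricted[fid] = ElementaryFile(fid, args["data"], Cond.AUTH)
            self._ro_table[args["ro_id"]] = fid
            self._ro_table[args["content_id"]] = fid
            return fid
        if command == "READ_RO":
            return self._ro_ef(args["key"], now).data
        if command == "MOVE_RO":   # a move deactivates the RO at the previous place
            ef = self._ro_ef(args["key"], now)
            del self._restricted[ef.fid]
            self._ro_table = {k: f for k, f in self._ro_table.items() if f != ef.fid}
            return ef.data
        raise ValueError(f"unknown command {command!r}")


if __name__ == "__main__":
    cm = ControlModule()
    cm.install(ElementaryFile(CRL_FID, b"constructed-crl", Cond.AUTH | Cond.VALID, 100))
    cm.authenticated = True
    fid = cm.execute("STORE_RO", now=10, ro_id="ro-1", content_id="cid-1", data=b"ro")
    print(hex(fid), cm.execute("READ_RO", now=10, key="cid-1"))
```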
- FIG. 6 illustrates the configuration of an RO according to an embodiment of the present invention.
- the RO includes a version field 500, an asset field 520, and a permission field 540.
- the version field 500 contains version information of a DRM system.
- the asset field 520 contains information regarding content data, the consumption of which is managed by the RO.
- the permission field 540 contains information regarding usage and action that are permitted by a right issuer with respect to the content protected through DRM.
- 'id' information indicates an identifier used to identify the RO and 'uid' information is used to identify the content the usage of which is dominated by the RO and is a uniform resource identifier (URI) of content data of a DRM content format (DCF).
- 'KeyValue' information contains a binary key value used to encrypt the content, which is referred to as a CEK.
- the CEK is a key value used to decrypt encrypted content to be used by a device. When the device receives the CEK from a multimedia card, it can use the content.
- 'Permission' is a right to use content permitted by the right issuer.
- Types of permission include 'Play', 'Display', 'Execute', 'Print', and 'Export'.
- The Play component indicates a right to express DRM content in an audio/video format.
- A DRM agent does not allow access based on Play with respect to content such as JAVA games that cannot be expressed in the audio/video format.
- The Play component may optionally have a constraint. If a specified constraint is present, the DRM agent grants a right to Play according to the specified constraint. If no specified constraints are present, the DRM agent grants unlimited Play rights.
- The Display component indicates a right to display DRM content through a visual device.
- A DRM agent does not allow access based on Display with respect to content such as gif or jpeg images that cannot be displayed through the visual device.
- The Execute component indicates a right to execute DRM content such as JAVA games and other application programs.
- The Print component indicates a right to generate a hard copy of DRM content such as jpeg images.
- The Export component indicates a right to send DRM content and corresponding ROs to a DRM system other than an Open Mobile Alliance (OMA) DRM system or a content protection architecture.
- The Export component must have a constraint.
- The constraint specifies a DRM system of a content protection architecture to which DRM content and its RO can be sent.
- The Export component is divided into a move mode and a copy mode. When an RO is exported from a current DRM system to another DRM system, the RO is deleted from the current DRM system in the move mode but is not deleted from the current DRM system in the copy mode.
- The Move component deactivates the original RO in the current DRM system, while the Copy component does not deactivate the original RO in the current DRM system.
- FIG. 7 is a table illustrating constraints given to permission shown in FIG. 6.
- A Count constraint 600 has a positive integer value and specifies the count of permissions granted to content.
- A Datetime constraint 610 specifies a duration for permission and selectively contains a start component or an end component. When the start component is contained, use of the DRM content is not permitted before a specified time/date. When the end component is contained, use of the DRM content is not permitted after a specified time/date.
- An Interval constraint 620 specifies a time interval at which an RO can be executed for the corresponding DRM content.
- When a start component is contained in the Interval constraint 620, consumption of the DRM content is permitted during a period of time specified by a duration component contained in the Interval constraint 620 after a specified time/date.
- When an end component is contained in the Interval constraint 620, consumption of the DRM content is permitted during the period of time specified by the duration component before a specified time/date.
- An Accumulated constraint 630 specifies a maximum time interval for an accumulated measured period of time while the RO is executed for the corresponding DRM content. If the accumulated measured period of time exceeds the maximum time interval specified by the Accumulated constraint 630, a DRM agent does not permit an access to the DRM content.
- An Individual constraint 640 specifies a person to whom the DRM content is bound.
- A System constraint 650 specifies a DRM system or a content protection architecture to which the content and the RO can be exported.
- A version component specifies version information of the DRM system or the content protection architecture.
- A 'Sid' component specifies a name of the DRM system or the content protection architecture.
- FIG. 8 illustrates the configuration of an RO file supported by a multimedia card according to an embodiment of the present invention.
- The multimedia card usually has smaller storage capacity than a device and thus supports a small data structure like an RO file structure 700.
- The RO file structure 700 includes a tag of an RO, a content ID, a content type, permission-related data, and constraint-related data.
- The permission-related data includes a tag indicating that current data relates to permission, a bit string (i.e., permission information) 720 indicating the content of the permission, and a tag indicating a type of the permission.
- The constraint-related data includes a tag indicating that current data relates to a constraint, a bit string (i.e., constraint information) 740 indicating the content of the constraint, and a tag indicating a type of the constraint.
- The function of the DRM agent may be performed by the control module 420 of the multimedia card 400.
- FIG. 10 is a flowchart of a procedure for storing data in a multimedia card according to an embodiment of the present invention.
- Data is received from a device which the multimedia card has authenticated.
- The multimedia card determines whether the data is DRM data, which is needed for DRM between the multimedia card and the device.
- The DRM data may be authentication information such as a certificate or a CRL needed for authentication or an RO including a license to use particular content.
- The control module 420 may store the data in a restricted region of the storage module 440 (FIG. 4). For this operation, the control module 420 may divide the storage module 440 into a restricted region for storing DRM data and a normal region for storing other data.
- The storage module 440 may be divided physically or logically.
- The control module 420 may set an access condition for data stored in the storage module 440 to restrict access by the device.
- The access condition may be authentication, necessity of the update of the multimedia card's certificate, or necessity of the update of a CRL stored in the storage module 440.
- The control module 420 may set authentication as access restriction information regarding an RO.
- The control module 420 may determine whether the device has performed authentication with the multimedia card and allow the device to access the RO only when the device has completed the authentication normally.
- Access may indicate read or write.
- The control module 420 may determine whether the device has authenticated with the multimedia card and permit the copy or move only when the authentication has been done.
- An access condition for a certificate or a CRL will be described.
- The control module 420 may set no access conditions to allow the device to access without authentication.
- The control module 420 may set authentication and the valid duration of the certificate or the CRL as access conditions.
- The control module 420 may encrypt DRM data to be stored in the storage module 440 using a unique encryption key of the multimedia card and store the encrypted DRM data in the restricted region of the storage module 440, together with an FID allocated to address the DRM data to the restricted region. Encryption of the DRM-related information may be performed partially or entirely. For example, when an RO is encrypted and stored, only a CEK included in the RO may be encrypted or the entire RO may be encrypted. When ROs are entirely encrypted, the control module 420 may map an ID of each RO or an ID of content that can be played by each RO to an FID and separately store a table of content IDs or RO IDs to facilitate searching for a particular RO.
- Data stored in the storage module 440 may have a tree structure and may be divided into a DF for an RO and a DF for authentication information.
- FIG. 11 is a flowchart of a procedure for permitting access to a file stored in a multimedia card according to an embodiment of the present invention.
- A request for access to the storage module 440 (FIG. 4) of the multimedia card is received from a device.
- The control module 420 (FIG. 4) of the multimedia card determines whether an access condition for a particular file that the device attempts to access is satisfied. The access condition has been described above.
- The control module 420 permits the device to access the particular file.
- The device's access may be indirect access in which the device sends a command to the multimedia card and then the control module 420 of the multimedia card accesses the file and inputs/outputs necessary information.
- The device sends the multimedia card an ID of an RO that the device attempts to access or an ID of content that can be executed by that RO. Then, the table is searched for an FID to which the received ID is mapped, and the RO is found using the FID and is accessed.
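The storing and access procedures of FIG. 10 and FIG. 11 can be modelled in a few lines; the following is an added Python example, not code from the patent. The `Card` and `StoredFile` names, the bit-flag encoding of access conditions, integer timestamps, the starting FID and the HMAC-SHA256 keystream standing in for the card's cipher are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Access conditions listed in the description; the bit-flag encoding is an assumption.
AUTH, CERT_CURRENT, CRL_CURRENT = 0x1, 0x2, 0x4


def card_cipher(key: bytes, fid: int, data: bytes) -> bytes:
    """Stand-in for the card's cipher (assumption): XOR with an HMAC-SHA256
    keystream bound to the FID. Applying it twice restores the input."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, fid.to_bytes(2, "big") + off.to_bytes(4, "big"),
                       hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


@dataclass
class StoredFile:
    blob: bytes        # ciphertext when restricted, plaintext otherwise
    conditions: int    # OR of AUTH / CERT_CURRENT / CRL_CURRENT
    restricted: bool   # True: stored in the restricted (DRM) region


class Card:
    def __init__(self, card_key: bytes, cert_not_after: int, crl_next_update: int):
        self.key = card_key
        self.cert_not_after = cert_not_after    # after this the certificate needs an update
        self.crl_next_update = crl_next_update  # after this the CRL needs an update
        self.authenticated = set()   # devices that completed authentication
        self.files = {}              # FID -> StoredFile
        self.id_to_fid = {}          # RO ID / content ID -> FID lookup table
        self.next_fid = 0x4000       # constructed starting FID

    def store(self, device, data, *, drm, conditions=0, ids=()):
        """FIG. 10: accept data only from an authenticated device; DRM data is
        encrypted under the card key and placed in the restricted region."""
        if device not in self.authenticated:
            raise PermissionError("device has not authenticated")
        fid, self.next_fid = self.next_fid, self.next_fid + 1
        blob = card_cipher(self.key, fid, data) if drm else data
        self.files[fid] = StoredFile(blob, conditions, drm)
        for ident in ids:
            self.id_to_fid[ident] = fid
        return fid

    def unmet(self, device, conditions, now):
        """Return the subset of conditions the request fails (0 = access allowed)."""
        failed = 0
        if conditions & AUTH and device not in self.authenticated:
            failed |= AUTH
        if conditions & CERT_CURRENT and now > self.cert_not_after:
            failed |= CERT_CURRENT
        if conditions & CRL_CURRENT and now > self.crl_next_update:
            failed |= CRL_CURRENT
        return failed

    def read(self, device, ident, now):
        """FIG. 11: indirect access. The device names an ID; the card resolves
        the FID, checks the file's access conditions, and returns the data."""
        fid = self.id_to_fid[ident]
        entry = self.files[fid]
        failed = self.unmet(device, entry.conditions, now)
        if failed:
            raise PermissionError(f"access condition not met: {failed:#x}")
        return card_cipher(self.key, fid, entry.blob) if entry.restricted else entry.blob
```

Because the ID-to-FID table is kept separately in plaintext, an RO can be located by RO ID or content ID without decrypting every stored RO.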
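The permission and constraint rules described for FIG. 6 and FIG. 7 above can be expressed as a single check that a DRM agent runs before each use; this is an added Python example, not code from the patent. The field names, integer timestamps in seconds, and the `(Sid, version)` tuple for the System constraint are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Constraints:
    count: Optional[int] = None              # Count 600
    start: Optional[int] = None              # Datetime 610, start component
    end: Optional[int] = None                # Datetime 610, end component
    interval_start: Optional[int] = None     # Interval 620, start component
    interval_end: Optional[int] = None       # Interval 620, end component
    interval_duration: Optional[int] = None  # Interval 620, duration component
    accumulated_max: Optional[int] = None    # Accumulated 630
    individual: Optional[str] = None         # Individual 640
    system: Optional[Tuple[str, str]] = None # System 650: (Sid, version)


@dataclass
class Usage:
    used: int = 0      # number of times the permission was exercised
    seconds: int = 0   # accumulated measured time


def check(permission, c, usage, now, user=None, target=None):
    """Return None when the permission is granted, else the blocking constraint."""
    if permission == "Export" and (c is None or c.system is None):
        return "Export needs System"   # Export must have a constraint
    if c is None:
        return None                    # no constraint: unlimited rights
    if c.count is not None and usage.used >= c.count:
        return "Count"
    if (c.start is not None and now < c.start) or (c.end is not None and now > c.end):
        return "Datetime"
    windows = []
    if c.interval_duration is not None:
        if c.interval_start is not None:   # duration runs after the start
            windows.append((c.interval_start, c.interval_start + c.interval_duration))
        if c.interval_end is not None:     # duration runs before the end
            windows.append((c.interval_end - c.interval_duration, c.interval_end))
    if any(not lo <= now <= hi for lo, hi in windows):
        return "Interval"
    if c.accumulated_max is not None and usage.seconds > c.accumulated_max:
        return "Accumulated"
    if c.individual is not None and user != c.individual:
        return "Individual"
    if permission == "Export" and target != c.system:
        return "System"
    return None


def consume(permission, c, usage, now, seconds=0, user=None, target=None):
    """Check first, then record the use so Count and Accumulated stay current."""
    blocked = check(permission, c, usage, now, user, target)
    if blocked is None:
        usage.used += 1
        usage.seconds += seconds
    return blocked
```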
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002560474A CA2560474A1 (en) | 2004-03-29 | 2005-02-28 | Portable storage device and method of managing files in the portable storage device |
EP05726872A EP1754134A4 (en) | 2004-03-29 | 2005-02-28 | Portable storage device and method of managing files in the portable storage device |
JP2007506070A JP4742096B2 (en) | 2004-03-29 | 2005-02-28 | Portable storage device and file management method for portable storage device |
NZ545669A NZ545669A (en) | 2004-03-29 | 2005-02-28 | Portable storage device and method of managing files in the portable storage device |
AU2005225950A AU2005225950B2 (en) | 2004-03-29 | 2005-02-28 | Portable storage device and method of managing files in the portable storage device |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020040021295A KR20050096036A (en) | 2004-03-29 | 2004-03-29 | Portable storage and management method of files in the portable storage |
KR10-2004-0021295 | 2004-03-29 | ||
US57575704P | 2004-06-01 | 2004-06-01 | |
US60/575,757 | 2004-06-01 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005093558A1 (en) | 2005-10-06 |
Family
ID=37031158
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2005/000546 WO2005093558A1 (en) | 2004-03-29 | 2005-02-28 | Portable storage device and method of managing files in the portable storage device |
Country Status (8)
Country | Link |
---|---|
EP (1) | EP1754134A4 (en) |
JP (1) | JP4742096B2 (en) |
KR (1) | KR20050096036A (en) |
CN (1) | CN100555205C (en) |
AU (1) | AU2005225950B2 (en) |
CA (1) | CA2560474A1 (en) |
NZ (1) | NZ545669A (en) |
WO (1) | WO2005093558A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101221222B1 (en) * | 2005-12-06 | 2013-01-11 | 엘지전자 주식회사 | System and Method of Down-Loading the Data to Portable Device |
CN101094062B (en) * | 2006-06-21 | 2011-03-23 | 普天信息技术研究院有限公司 | Method for implementing safe distribution and use of digital content by using memory card |
KR101389928B1 (en) | 2007-01-30 | 2014-04-30 | 삼성전자주식회사 | Method for supporting mutual exclusion function and drm device thereof |
KR101348245B1 (en) * | 2007-02-26 | 2014-01-08 | 삼성전자주식회사 | Apparatus and method for providing security domain |
CN101141814B (en) * | 2007-10-11 | 2010-06-02 | 中兴通讯股份有限公司 | System and method for mobile terminal to download DRM file to movable storage medium |
KR101424973B1 (en) | 2008-01-02 | 2014-08-04 | 삼성전자주식회사 | Method, recording medium and apparatus for updating revocation list and reproducing encrypted contents |
CN101763251B (en) * | 2010-01-05 | 2014-04-16 | 浙江大学 | Multithreading microprocessor including decode buffer device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020013772A1 (en) * | 1999-03-27 | 2002-01-31 | Microsoft Corporation | Binding a digital license to a portable device or the like in a digital rights management (DRM) system and checking out / checking in the digital license to / from the portable device or the like |
GB2387505A (en) * | 2002-04-12 | 2003-10-15 | Vodafone Plc | Method of securely coupling communications devices |
KR20040020175A (en) * | 2002-08-29 | 2004-03-09 | 예스 소프트 주식회사 | The method which decodes the content file encoded by public key algorithm, and DRM client program which is independent of plug-in of viewer program |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000113047A (en) * | 1998-10-01 | 2000-04-21 | Hitachi Ltd | Electronic book system, electronic bookshelf, and ic card |
WO2001016821A2 (en) * | 1999-09-01 | 2001-03-08 | Matsushita Electric Industrial Co., Ltd. | Distribution system, semiconductor memory card, receiving apparatus, computer-readable recording medium and receiving method |
JP2001092721A (en) * | 1999-09-17 | 2001-04-06 | Fujitsu Ltd | Device and method for controlling content use and computer readable recording medium having content use control program recorded thereon |
AU1651701A (en) * | 1999-12-06 | 2001-06-18 | Fujitsu Limited | Data distribution system and recorder for use therein |
JP3782356B2 (en) * | 2000-03-31 | 2006-06-07 | 三洋電機株式会社 | Recording apparatus and data distribution system using the same |
CN100527141C (en) * | 2000-06-02 | 2009-08-12 | 松下电器产业株式会社 | Recording and playback apparatus and method |
JP2002163000A (en) * | 2000-08-29 | 2002-06-07 | Matsushita Electric Ind Co Ltd | Distribution system |
JP3790661B2 (en) * | 2000-09-08 | 2006-06-28 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Access control system |
JP2002140450A (en) * | 2000-11-01 | 2002-05-17 | Sanyo Electric Co Ltd | Data distributing system and data terminal equipment |
JP4409081B2 (en) * | 2000-11-28 | 2010-02-03 | 三洋電機株式会社 | Data terminal equipment |
JP2003115840A (en) * | 2001-10-02 | 2003-04-18 | Matsushita Electric Ind Co Ltd | Method and system for exchanging certiftcate invalidity list, and server device |
KR100445092B1 (en) * | 2002-06-03 | 2004-08-21 | 동 훈 김 | Portable storage device for preventing outflow of data |
JP4118092B2 (en) * | 2002-06-19 | 2008-07-16 | 株式会社ルネサステクノロジ | Storage device and information processing device |
JP2004054473A (en) * | 2002-07-18 | 2004-02-19 | Renesas Technology Corp | Memory card, information apparatus and information distribution method |
JP2004094778A (en) * | 2002-09-03 | 2004-03-25 | Matsushita Electric Ind Co Ltd | Storage device and copying device |
KR20020086444A (en) * | 2002-10-26 | 2002-11-18 | 주식회사 드림시큐리티 | Combination type usb drive having storage and operation function |
KR20030029550A (en) * | 2003-03-06 | 2003-04-14 | (주)비트와이어 | USB Removable disk partition (allocation) and method for this partition(allocation) |
- 2004
  - 2004-03-29 KR KR1020040021295A patent/KR20050096036A/en active Search and Examination
- 2005
  - 2005-02-28 CN CNB2005800010055A patent/CN100555205C/en not_active Expired - Fee Related
  - 2005-02-28 AU AU2005225950A patent/AU2005225950B2/en not_active Ceased
  - 2005-02-28 WO PCT/KR2005/000546 patent/WO2005093558A1/en active Application Filing
  - 2005-02-28 NZ NZ545669A patent/NZ545669A/en not_active IP Right Cessation
  - 2005-02-28 EP EP05726872A patent/EP1754134A4/en not_active Withdrawn
  - 2005-02-28 JP JP2007506070A patent/JP4742096B2/en not_active Expired - Fee Related
  - 2005-02-28 CA CA002560474A patent/CA2560474A1/en not_active Abandoned
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007055539A1 (en) * | 2005-11-11 | 2007-05-18 | Lg Electronics Inc. | Method and apparatus for managing digital rights of secure removable media |
US8256009B2 (en) | 2005-11-11 | 2012-08-28 | Lg Electronics Inc. | Method and apparatus for managing digital rights of secure removable media |
US8683610B2 (en) | 2005-11-11 | 2014-03-25 | Lg Electronics Inc. | Method and apparatus for managing digital rights of secure removable media |
KR101076529B1 (en) | 2008-07-30 | 2011-10-24 | 엘지전자 주식회사 | Method and apparatus for managing digital rights of secure removable media |
Also Published As
Publication number | Publication date |
---|---|
AU2005225950A1 (en) | 2005-10-06 |
EP1754134A4 (en) | 2009-09-16 |
NZ545669A (en) | 2008-03-28 |
CA2560474A1 (en) | 2005-10-06 |
EP1754134A1 (en) | 2007-02-21 |
CN1842759A (en) | 2006-10-04 |
AU2005225950B2 (en) | 2008-04-24 |
JP4742096B2 (en) | 2011-08-10 |
CN100555205C (en) | 2009-10-28 |
JP2007531148A (en) | 2007-11-01 |
KR20050096036A (en) | 2005-10-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20050216739A1 (en) | Portable storage device and method of managing files in the portable storage device | |
AU2005223193B2 (en) | Digital rights management structure, portable storage device, and contents management method using the portable storage device | |
US8181266B2 (en) | Method for moving a rights object between devices and a method and device for using a content object based on the moving method and device | |
EP1754167B1 (en) | Method and apparatus for transmitting rights object information between device and portable storage | |
AU2005255327B2 (en) | Method and apparatus for digital rights management using certificate revocation list | |
AU2005225950B2 (en) | Portable storage device and method of managing files in the portable storage device | |
US8180709B2 (en) | Method and device for consuming rights objects having inheritance structure in environment where the rights objects are distributed over plurality of devices | |
WO2005119677A1 (en) | Method and apparatus for playing back content based on digital rights management between portable storage and device, and portable storage for the same | |
US20080126705A1 (en) | Methods Used In A Portable Mass Storage Device With Virtual Machine Activation | |
US8438112B2 (en) | Host device, portable storage device, and method for updating meta information regarding right objects stored in portable storage device | |
MXPA06011033A (en) | Portable storage device and method of managing files in the portable storage device | |
MXPA06011034A (en) | Method and apparatus for acquiring and removing information regarding digital rights objects |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 200580001005.5 Country of ref document: CN |
AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase | Ref document number: 2005225950 Country of ref document: AU Ref document number: 545669 Country of ref document: NZ |
WWE | Wipo information: entry into national phase | Ref document number: 1223/DELNP/2006 Country of ref document: IN |
ENP | Entry into the national phase | Ref document number: 2005225950 Country of ref document: AU Date of ref document: 20050228 Kind code of ref document: A |
WWP | Wipo information: published in national office | Ref document number: 2005225950 Country of ref document: AU |
WWE | Wipo information: entry into national phase | Ref document number: 2560474 Country of ref document: CA |
WWE | Wipo information: entry into national phase | Ref document number: PA/a/2006/011033 Country of ref document: MX |
WWE | Wipo information: entry into national phase | Ref document number: 2007506070 Country of ref document: JP |
NENP | Non-entry into the national phase | Ref country code: DE |
WWW | Wipo information: withdrawn in national office | Ref document number: DE |
WWE | Wipo information: entry into national phase | Ref document number: 2005726872 Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 2005726872 Country of ref document: EP |