Title of invention Data protection system, data protection method, and memory card
Abstract This data protection system encrypts and stores data in a memory card, using a double encryption key scheme for encrypting the data with a data key and further encrypting the data key with a user key. This system provides data to a particular host device from the memory card and limits provision of the data to other host devices. The host device includes a DPS program that governs control of writing data to, and reading data from, the memory card. The memory card includes a first non-volatile memory and a memory controller that controls the first non-volatile memory. A DPSA program that manages ID information for identifying a user capable of decrypting the encrypted data with the user key is implemented in the memory controller.
Publication number US8750519(B2) Publication date 2014.06.10
Application number US20090472977 Filing date 2009.05.27
Applicant Kabushiki Kaisha Toshiba Inventors Suu Hiroshi;Kasahara Akihiro;Miura Akira
Classification H04L9/00;G06F21/62;G06F21/12 Main classification H04L9/00
Agency Agent
Main claim 1. A data protection system providing data to a particular host device from a memory card in which the data is stored, and limiting provision of the data to other host devices, the data being encrypted with a double encryption key scheme for encrypting the data with a data key and further encrypting the data key with a user key, the data protection system comprising: the host device including DPS (Data Protection System) program governing control of writing data to, and reading data from the memory card, the memory card including a first non-volatile memory as a main storage device, the first non-volatile memory being configured to store a table that includes a plurality of user keys associated with a plurality of users, and that indicates whether each of the plurality of user keys is one of allowed and not allowed to be used by each of the plurality of users;
a memory controller controlling the first non-volatile memory to govern encryption, decryption, read, and write of the data; and
DPSA (Data Protection System Agent) program implemented in the memory controller, the DPSA program encrypting the data with the data key and further encrypting the data key with the user key according to an instruction from the DPS program, and then causing the encrypted data and the encrypted data key to be stored in the first non-volatile memory, whereas the DPSA program decrypting the encrypted data with the user key and the data key to read the data according to an instruction from the DPS program, and managing ID information that identifies a user capable of decrypting the encrypted data with the user key, in writing the data, the DPS program indicating to the DPSA program a storage location in the first non-volatile memory to store the data; and
the DPSA program encrypting the data with the data key to obtain encrypted data and further encrypting the data key with the user key to obtain an encrypted data key according to a write instruction from the DPS program, and then causing the encrypted data and the encrypted data key to be stored at the storage location in the first non-volatile memory, in reading the data, the DPS program presenting user information that identifies a user to request the DPSA program to read the desired data;
the DPSA program performing authentication by determining whether the user information presented by the DPS program matches the ID information managed by the DPSA program; and
in response to the DPSA program determining a match, and with reference to the ID information, the DPSA program decrypting the encrypted data key with the user key corresponding to the presented user information to obtain the data key, and further decrypting the encrypted data with the data key to read the data to the host device.
Address Tokyo JP