Abstract: The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium.

Abstract: The present invention presents techniques for transmitting application specific instruction between a host and a memory card. The commands for the application specific protocol are embedded along with a signature in the data portion of a transmission protocol that is used to communicate between the host the memory card. This allows for the transmission of application specific commands that lack a corresponding command in the transmission protocol to still be transmitted in that protocol. The method can be implemented on the host side either at the device driver level or the file level. In order to implement a read command in the application specific protocol, a write command in the first protocol with an embedded read command is first sent to a logical address, followed by a second read command to the same logical address.

Abstract: A memory system comprises an encryption engine implemented in the hardware of a controller. In starting up the memory system, a boot strapping mechanism is implemented wherein a first portion of firmware when executed pulls in another portion of firmware to be executed. The hardware of the encryption engine is used to verify the integrity of at least the first portion of the firmware. Therefore, only the firmware that is intended to run the system will be executed.

Abstract: A memory system comprises an encryption engine implemented in the hardware of a controller. In starting up the memory system, a boot strapping mechanism is implemented wherein a first portion of firmware when executed pulls in another portion of firmware to be executed. The hardware of the encryption engine is used to verify the integrity of at least the first portion of the firmware. Therefore, only the firmware that is intended to run the system will be executed.

Abstract: In some mobile storage devices, content protection is afforded by dividing the memory into separate areas where access to protected areas requires prior authentication. While such feature does provide some protection, it does not protect against a user who obtained a password by illicit means. Thus, another aspect of the invention is based on the recognition that a mechanism or structure may be provided to divide a memory into partitions and so that at least some data in the partitions can be encrypted with a key, so that in addition to authentication that is required for accessing some of the partitions, access to one or more keys may be required to decrypt the encrypted data in such partitions. In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again.

Abstract: The mobile storage device may be provided with a system agent that is able to create at least one hierarchical tree comprising nodes at different levels for controlling access to data stored in the memory by corresponding entities. Each node of the tree specifies permission or permissions of a corresponding entity or entities for accessing memory data. The permission or permissions at the node of each of the trees has a predetermined relationship to permission or permissions at nodes at a higher or lower or the same level in the same tree. Thus, the mobile storage devices may be issued without any trees already created so that the purchaser of the devices has a free hand in creating hierarchical trees adapted to the applications the purchaser has in mind. Alternatively, the mobile storage devices may also be issued with the trees already created so that a purchaser does not have to go through the trouble of creating the trees.

Abstract: A tree structure stored in the storage medium provides control over what an entity can do even after gaining access. Each of the nodes of the tree specifies permissions by an entity who has gained entry through such node of the tree. Some trees have different levels, where the permission or permissions at a node of the tree has a predetermined relationship to permission or permissions at another node at a higher or lower or the same level in the same tree. By requiring entities to comply with the permissions so specified at each of the nodes, the tree feature of this application allows a content owner to control which entities can take action, and which actions each of the entities can take, irrespective of whether the tree has different levels. To enhance the commercial value that can be provided by the mobile storage medium, it is desirable for mobile storage devices to be capable of supporting more than one application simultaneously.

Abstract: A tree structure stored in the storage medium provides control over what an entity can do even after gaining access. Each of the nodes of the tree specifies permissions by an entity who has gained entry through such node of the tree. Some trees have different levels, where the permission or permissions at a node of the tree has a predetermined relationship to permission or permissions at another node at a higher or lower or the same level in the same tree. By requiring entities to comply with the permissions so specified at each of the nodes, the tree feature of this application allows a content owner to control which entities can take action, and which actions each of the entities can take, irrespective of whether the tree has different levels. To enhance the commercial value that can be provided by the mobile storage medium, it is desirable for mobile storage devices to be capable of supporting more than one application simultaneously.

Abstract: The mobile storage device may be provided with a system agent that is able to create at least one hierarchical tree comprising nodes at different levels for controlling access to data stored in the memory by corresponding entities. Each node of the tree specifies permission or permissions of a corresponding entity or entities for accessing memory data. The permission or permissions at the node of each of the trees has, a predetermined relationship to permission or permissions at nodes at a higher or lower or the same level in the same tree. Thus, the mobile storage devices may be issued without any trees already created so that the purchaser of the devices has a free hand in creating hierarchical trees adapted to the applications the purchaser has in mind. Alternatively, the mobile storage devices may also be issued with the trees already created so that a purchaser does not have to go through the trouble of creating the trees.

Abstract: The owner of proprietor interest is in a better position to control access to the encrypted content in the medium if the encryption-decryption key is stored in the medium itself and substantially inaccessible to external devices. Only those host devices with the proper credentials are able to access the key. An access policy may be stored which grants different permissions (e.g. to different authorized entities) for accessing data stored in the medium. A system incorporating a combination of the two above features is particularly advantageous. On the one hand, the content owner or proprietor has the ability to control access to the content by using keys that are substantially inaccessible to external devices and at the same time has the ability to grant different permissions for accessing content in the medium. Thus, even where external devices gain access, their access may still be subject to the different permissions set by the content owner or proprietor recorded in the storage medium.

Abstract: In some mobile storage devices, content protection is afforded by dividing the memory into separate areas where access to protected areas requires prior authentication. While such feature does provide some protection, it does not protect against a user who obtained a password by illicit means. Thus, another aspect of the invention is based on the recognition that a mechanism or structure may be provided to divide a memory into partitions and so that at least some data in the partitions can be encrypted with a key, so that in addition to authentication that is required for accessing some of the partitions, access to one or more keys may be required to decrypt the encrypted data in such partitions. In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again.

Abstract: A secure memory card with encryption capabilities comprises various life cycle states that allow for testing of the hardware and software of the card in certain of the states. The testing mechanisms are disabled in certain other of the states thus closing potential back doors to secure data and cryptographic keys. Controlled availability and generation of the keys required for encryption and decryption of data is such that even if back doors are accessed that previously encrypted data is impossible to decrypt and thus worthless even if a back door is found and maliciously pried open.

Abstract: A secure memory card with encryption capabilities comprises various life cycle states that allow for testing of the hardware and software of the card in certain of the states. The testing mechanisms are disabled in certain other of the states thus closing potential back doors to secure data and cryptographic keys. Controlled availability and generation of the keys required for encryption and decryption of data is such that even if back doors are accessed that previously encrypted data is impossible to decrypt and thus worthless even if a back door is found and maliciously pried open.

Abstract: A flash non-volatile memory system that normally operates its memory cells in multiple storage states is provided with the ability to operate some selected or all of its memory cell blocks in two states instead. The two states are selected to be the furthest separated of the multiple states, thereby providing an increased margin during two state operation. This allows faster programming and a longer operational life of the memory cells being operated in two states when it is more desirable to have these advantages than the increased density of data storage that multi-state operation provides. An exemplary embodiment is as a memory card where the user can choice between two state and multi-state operation.