US-12625997-B2 - Authenticating a host computer system to access a data storage device
Abstract
A method for authenticating a host computer system to access a data storage device (DSD) comprising a non-volatile storage medium including a plurality of blocks, the method comprising: receiving, from a computer program on the host computer system, an initial read request to read a block of the plurality of blocks and in response sending information from the block to the host computer system; iteratively receiving, from the computer program on the host computer system, a subsequent read request to read a subsequent block of the plurality of blocks based on the information sent from the block of a previous response; and in each iteration sending information from the subsequent block to the host computer system or terminating the iterative process in response to determining that each block of the plurality of blocks has been read; and determining the host computer system is authenticated in response to determining one or more conditions are met, wherein the one or more conditions include determining that each block of the plurality of blocks has been read.
Inventors
- Bharath RADHAKRISHNAN
- Ramanathan Muthiah
- Uthayarajan Rasalingam
Assignees
- SanDisk Technologies, Inc.
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2024-06-25
Claims (20)
- 1 . A method for authenticating a host computer system to access a data storage device (DSD) comprising a non-volatile storage medium including a plurality of blocks, wherein the method comprises: receiving, from the host computer system, an initial read request to read a block of the plurality of blocks; sending, responsive to receiving the initial read request, information from the block to the host computer system, thereby causing the host computer system to retrieve, using a combined key based on the information from the block, an address of a subsequent block of the plurality of blocks, wherein the combined key is based on combination information on a channel, a die, a plane, and the subsequent block in the non-volatile storage medium; iteratively receiving, from the host computer system, subsequent read requests to read each subsequent block of the plurality of blocks based on information sent from a block of a previous response; sending, in each iteration, information from the subsequent block to the host computer system for retrieving an address of a next subsequent block; terminating the iterations in response to determining that each block of the plurality of blocks has been read; and determining the host computer system is authenticated in response to determining one or more conditions are met, wherein the one or more conditions include determining that each block of the plurality of blocks has been read.
- 2 . The method of claim 1 , wherein determining that each block of the plurality of blocks has been read comprises determining the subsequent block to be read is the block of the initial read request.
- 3 . The method of claim 1 , wherein the one or more conditions further include determining that every block of the plurality of blocks has been read once.
- 4 . The method of claim 1 , wherein the combined key comprises a quad key parsed from at least one set of bytes in the information from the block.
- 5 . The method of claim 1 , wherein retrieving the address of the subsequent block comprises: parsing the information sent from the block to retrieve the combination information on the channel, the die, the plane and the subsequent block; and decoding the combined key for a physical address of a subsequent page of the subsequent block.
- 6 . The method of claim 1 , wherein the combined key is selected from: a quad key comprising channel/die/plane/block; a hexadecimal string; an encrypted hash; and a binary sequence.
- 7 . The method of claim 1 , wherein each iteration further comprises: determining whether the subsequent read request was sent within a time interval; in response to determining that the subsequent read request was sent within the time interval, allowing the subsequent read request to the subsequent block; and in response to determining that the subsequent read request was not sent within the time interval: rejecting the subsequent read request; terminating the iterations; and/or determining the host computer system is unauthenticated.
- 8 . The method of claim 7 , further comprising generating an arbitrary timestamped identifier configured to define the time interval, a length of the time interval being arbitrary as defined by the arbitrary timestamped identifier.
- 9 . The method of claim 1 , wherein the one or more conditions further include determining that each block of the plurality of blocks has been read in a predetermined order.
- 10 . The method of claim 9 , wherein the predetermined order is one of a plurality of permutations, each permutation indicating an order for traversing the plurality of blocks.
- 11 . The method of claim 9 , further comprising performing a further authentication, wherein the further authentication comprises: detecting an error event caused by one or more changes in one or more components of the DSD, wherein the error event indicates that: reading one or more blocks of the plurality of blocks in the predetermined order did not succeed; and/or each iteration has not been executed; and in response to detecting the error event, restricting access by the host computer system to the DSD.
- 12 . The method of claim 1 , further comprising performing a first authentication before executing the iterative process, the first authentication comprising: receiving a request from the host computer system for a unique identifier of the DSD and in response sending identity information to the host computer system; generating a first key, by the host computer system, based on the identity information; generating a second key, by a controller of the DSD, based on the unique identifier stored on the DSD; determining, by the controller of the DSD, whether the first key matches the second key; in response to determining the first key does not match the second key, determining the host computer system is unauthenticated; and in response to determining the first key matches the second key, executing sending information from the block to the host computer system to initiate the iterations.
- 13 . The method of claim 12 , wherein generating, by the host computer system, the first key based on the identity information comprises: decoding and/or decrypting, by the host computer system, the identity information for the unique identifier; generating, by the host computer system, the first key based on the decoded and/or decrypted unique identifier; and sending, by the host computer system, the first key to the controller of the DSD.
- 14 . The method of claim 13 , wherein generating the first key comprises hashing the decoded and/or decrypted unique identifier, and/or wherein generating the second key comprises hashing the unique identifier stored on the DSD.
- 15 . The method of claim 1 , wherein the method is triggered in one or more scenarios, the one or more scenarios comprising: the DSD being in an initialization state; the DSD being in a recovering state from a sleep state; the DSD being in between two logical states fitting one or more requirements; a predefined timing condition met; and/or the DSD being in an abnormal state, wherein the abnormal state includes that a number of data access requests attempted by the host computer system has exceeded a threshold value.
- 16 . The method of claim 1 , further comprising: encrypting data transmitted between the host computer system and the DSD; and decrypting the encrypted data, by the host computer system and/or the DSD.
- 17 . A data storage device (DSD) comprising: a non-volatile storage medium configured to store data, wherein the non-volatile storage medium is further configured to store a plurality of blocks; a data path configured to transmit at least data between the non-volatile storage medium and a host computer system; and one or more processors, individually or in combination, configured to: receive, from the host computer system, an initial read request to read a block of the plurality of blocks; send, responsive to receiving the initial read request, information from the block to the host computer system; iteratively receive, from the host computer system and in a predetermined order, subsequent read requests to read each subsequent block of the plurality of blocks based on the information sent from the block of a previous response, wherein: the predetermined order is one of a plurality of permutations; and each permutation indicates a different order for traversing the plurality of blocks; send, in each iteration, information from the subsequent block to the host computer system; terminate the iterations in response to determining that each block of the plurality of blocks has been read; and determine the host computer system is authenticated in response to determining one or more conditions are met, wherein the one or more conditions include determining that each block of the plurality of blocks has been read.
- 18 . A computer-implemented method configured to be performed by a host computer system for authenticating the host computer system to access a data storage device (DSD) comprising a non-volatile storage medium including a plurality of blocks, wherein the computer-implemented method comprises: sending, to the DSD, an initial read request to read a block of the plurality of blocks; receiving, responsive to the initial read request, information from the block; retrieving, using the information from the block, an address of a subsequent block of the plurality of blocks; iteratively sending, to the DSD and in a predetermined order, subsequent read requests to read each subsequent block of the plurality of blocks based on the information received from the block of a previous response, wherein: the predetermined order is one of a plurality of permutations; and each permutation indicates a different order for traversing the plurality of blocks; receiving, in each iteration, information from the subsequent block; and terminating the iterations in response to the DSD determining that each block of the plurality of blocks has been read, wherein the DSD is configured to determine the host computer system is authenticated in response to determining one or more conditions are met, wherein the one or more conditions include the DSD determining that each block of the plurality of blocks has been read.
- 19 . A data storage device (DSD) comprising: a non-volatile storage medium configured to store data in a plurality of blocks; a data path configured to transmit at least data between a host computer system and the data storage device; means, stored in memory for execution by at least one processor, for receiving, from the host computer system, an initial read request to read a block of the plurality of blocks; means, stored in the memory for execution by the at least one processor, for sending, in response, information from the block to the host computer system; means, stored in the memory for execution by the at least one processor, for iteratively receiving, from the host computer system, subsequent read requests to read each subsequent block of the plurality of blocks based on the information sent from the block of a previous response; means, stored in the memory for execution by the at least one processor, for sending, in each iteration, information from the subsequent block to the host computer system, wherein: the host computer system is configured to use a combined key based on the information from the subsequent block to retrieve an address of a next subsequent block of the plurality of blocks; and the combined key is based on combination information on a channel, a die, a plane, and the next subsequent block in the non-volatile storage medium; means, stored in the memory for execution by the at least one processor, for terminating the iterations in response to determining that each block of the plurality of blocks has been read; and means, stored in the memory for execution by the at least one processor, for determining the host computer system is authenticated in response to determining one or more conditions are met, wherein the one or more conditions include determining that each block of the plurality of blocks has been read.
- 20 . A data storage device comprising: a non-volatile storage medium configured to store data in a plurality of blocks; a data path configured to transmit data between a host computer system and the non-volatile storage medium; and one or more processors, individually or in combination, configured to: receive, from the host computer system, an initial read request to read a block of the plurality of blocks; send, responsive to the initial read request, information from the block to the host computer system; iteratively receive, from the host computer system, subsequent read requests to read each subsequent block of the plurality of blocks based on the information sent from the block of a previous response; send, in each iteration, information from the subsequent block to the host computer system, wherein: the host computer system is configured to use a combined key based on the information from the subsequent block to retrieve an address of a next subsequent block of the plurality of blocks; and the combined key is based on combination information on a channel, a die, a plane, and the next subsequent block in the non-volatile storage medium; terminate the iterative process in response to determining that each block of the plurality of blocks has been read; and determine, responsive to determining that each block of the plurality of blocks has been read, that the host computer system is authenticated.
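The chained traversal recited in claims 1-3, 7 and 9-10, simulated end to end as an added example (this is not code from the patent or from SanDisk): the DSD side stores the quad key of its successor in every block and enforces the order, read-once and time-window conditions; the host side parses each response for the next address. The 4-byte channel/die/plane/block encoding, the zero filler payload, the one-second window and the sample permutation `CHAIN` are assumptions made for the example.

```python
"""Added example: simulation of the chained-read host authentication in claims 1-3, 7
and 9-10. Not the patent's code; key layout, filler, window and CHAIN are assumptions."""
from __future__ import annotations
import struct
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed layout of the combined ("quad") key stored in each block: one byte each for
# channel, die, plane and block. Claims 4-6 leave the actual encoding open.
KEY_FMT = ">BBBB"


@dataclass(frozen=True)
class QuadKey:
    channel: int
    die: int
    plane: int
    block: int


def encode_quad_key(key: QuadKey) -> bytes:
    return struct.pack(KEY_FMT, key.channel, key.die, key.plane, key.block)


def parse_quad_key(data: bytes, offset: int = 0) -> QuadKey:
    """Host side (claims 4-5): parse the combined key out of the returned block bytes."""
    return QuadKey(*struct.unpack_from(KEY_FMT, data, offset))


class DSD:
    """Device side: serves block reads and enforces the authentication conditions."""

    def __init__(self, chain: list[QuadKey], time_limit: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.chain = chain            # the predetermined permutation (claims 9-10)
        self.time_limit = time_limit  # per-iteration window (claim 7)
        self.clock = clock
        # Each block stores the quad key of its successor; the last block points back to
        # the first, so a correct traversal closes at the initial block (claim 2).
        self.media = {addr: encode_quad_key(chain[(i + 1) % len(chain)]) + b"\x00" * 12
                      for i, addr in enumerate(chain)}
        self.reset()

    def reset(self) -> None:
        self.start: Optional[QuadKey] = None
        self.visited: list[QuadKey] = []
        self.last_read = 0.0
        self.authenticated = False
        self.failed = False  # request rejected, iterations terminated, host unauthenticated

    def read(self, addr: QuadKey) -> Optional[bytes]:
        """Returns block bytes, or None once the iterations terminate (success or failure)."""
        if self.authenticated:                        # traversal done: ordinary data access
            return self.media.get(addr)
        if self.failed or addr not in self.media:
            self.failed = True
            return None
        now = self.clock()
        if self.start is None:                        # initial read request
            self.start, self.visited, self.last_read = addr, [addr], now
            return self.media[addr]
        if now - self.last_read > self.time_limit:    # claim 7: outside the time interval
            self.failed = True
            return None
        self.last_read = now
        expected = self.chain[(self.chain.index(self.visited[-1]) + 1) % len(self.chain)]
        if addr != expected:                          # claim 9: not the predetermined order
            self.failed = True
            return None
        if addr == self.start:                        # claim 2: next block is the initial one
            # claim 3: every block of the plurality was read exactly once
            self.authenticated = (len(self.visited) == len(self.chain)
                                  and len(set(self.visited)) == len(self.chain))
            return None
        self.visited.append(addr)
        return self.media[addr]


def host_authenticate(dsd: DSD, first: QuadKey, max_reads: int = 4096) -> bool:
    """Host side (claim 18): each request is derived from the previous response."""
    addr = first
    for _ in range(max_reads):
        data = dsd.read(addr)
        if data is None:
            break
        addr = parse_quad_key(data)
    return dsd.authenticated


# Constructed sample permutation of four blocks (channel, die, plane, block).
CHAIN = [QuadKey(0, 0, 0, 17), QuadKey(1, 0, 1, 3), QuadKey(0, 1, 0, 250), QuadKey(1, 1, 1, 9)]


def demo() -> dict[str, bool]:
    honest = host_authenticate(DSD(CHAIN), CHAIN[0])
    skipping = DSD(CHAIN)                 # host ignores the returned key and jumps ahead
    skipping.read(CHAIN[0])
    skipping.read(CHAIN[2])
    ticks = iter([0.0, 5.0])              # injected clock: second request arrives 5 s later
    slow = DSD(CHAIN, clock=lambda: next(ticks))
    slow.read(CHAIN[0])
    slow.read(CHAIN[1])
    return {"honest": honest, "skipping": skipping.authenticated,
            "slow": slow.authenticated, "slow_rejected": slow.failed}


if __name__ == "__main__":
    print(demo())
```

`demo()` runs three hosts: an honest one that is authenticated after the chain closes, one that skips a block and is rejected at the order check, and one whose second request falls outside the window. Note the trust assumption this makes visible: with the quad key sitting in the clear in each block, as simulated here, any host that can issue reads and knows the encoding can follow the chain, which is why the claims leave room for an encrypted-hash key form (claim 6) and for encrypting the host/DSD traffic (claim 16).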
Description
TECHNICAL FIELD
This disclosure relates to authenticating a host computer system to access a data storage device (DSD) by a computer program to prevent unauthenticated host computer systems from accessing the storage device.
BACKGROUND
Data storage devices (DSDs) are electronic devices with the capability to store information in the form of digital data. DSDs are typically deployed as an integrated part of, or as a removable component configured to interface with, a mobile computing system for the purpose of improving the data transmission and storage capabilities of the computing system. From the perspective of the computing system, a data storage device (DSD) is typically implemented as a block storage device where the data stored is in the form of one or more blocks, being sequences of bytes or bits having a maximum length, referred to as block size. DSDs are commonly used to supplement the data storage capabilities of a computer system. For example, DSDs are often standalone physical devices that house an internal storage component, such as a hard disk drive (HDD) or a solid state drive (SSD), that provides a host computer system with an additional portion of non-volatile memory (i.e., the volume of the drive) in which to store digital data. These drive-type devices are connectable to the host computer system via a data path operating over a particular connectivity protocol (e.g., via a Universal Serial Bus (USB) cable or Peripheral Component Interconnect Express (PCIe) bus). In response to being connected to the host computer system, the host computer system recognizes the drive as a block data storage device such that a user of the device may access the storage of the drive via the data path (e.g., through operations of the host computer system). Access to the drive typically enables one or more users of the host computer system and computer programs on the host computer system to access (e.g., read, write and/or modify) user data stored on the drive.
As the volume of data stored on DSDs grows over time, the risk of user content data being hijacked or compromised grows with it, potentially resulting in significant losses for the end user. It is therefore desirable to secure the user content data on a DSD against access by unauthenticated (for example, malicious) host computer systems and to maintain trusted connections between authenticated host computer systems and the DSD, thereby preventing data access by untrustworthy host computer systems and minimizing the risk of data loss.
SUMMARY
Disclosed herein is a method for authenticating a host computer system to access a data storage device (DSD) comprising a non-volatile storage medium including a plurality of blocks, wherein the method comprises: receiving, from a computer program on the host computer system, an initial read request to read a block of the plurality of blocks and in response sending information from the block to the host computer system; iteratively receiving, from the computer program on the host computer system, a subsequent read request to read a subsequent block of the plurality of blocks based on the information sent from the block of a previous response; and in each iteration sending information from the subsequent block to the host computer system or terminating the iterative process in response to determining that each block of the plurality of blocks has been read; and determining the host computer system is authenticated to access the DSD in response to determining one or more conditions are met, wherein the one or more conditions include determining that each block of the plurality of blocks has been read. In some embodiments, determining that each block of the plurality of blocks has been read comprises determining the subsequent block to be read is the block of the initial read request.
In some embodiments, the one or more conditions further include determining that every block of the plurality of blocks has been read once. In some embodiments, the subsequent read request is generated by the computer program, and wherein the generation of the subsequent read request comprises: retrieving address information of the subsequent block from the information sent from the block of the previous response; and generating the subsequent read request to the subsequent block to which the address information directs. In some embodiments, retrieving the address information of the subsequent block from the information sent from the block of the previous response comprises: parsing the information sent from the block to retrieve a combined key, the combined key associated with combination information on a channel, a die, a plane and a block of the non-volatile storage medium of the DSD; and decoding the combined key for a physical address of a subsequent page of the subsequent block. In some embodiments, the generation of the subsequent read request further comprises sending a read request to the subsequent pa