Computing system and operating method thereof

The integration of a write protection area and parallel data authentication in storage devices enhances secure read performance by reducing read time and preventing unauthorized access, addressing data integrity and replay attacks.

KR102991581B1Active Publication Date: 2026-07-15SK HYNIX INC

Patent Information

Authority / Receiving Office
KR · KR
Patent Type
Patents
Current Assignee / Owner
SK HYNIX INC
Filing Date
2020-03-09
Publication Date
2026-07-15

AI Technical Summary

Technical Problem

Existing storage devices lack enhanced secure read performance, particularly in ensuring data integrity and preventing replay attacks during secure read operations.

Method used

Incorporating a write protection area in the storage device and a memory controller that performs read operations and generates a device authentication code in parallel, enhancing secure read performance by verifying data integrity and preventing unauthorized access.

Benefits of technology

The solution provides enhanced secure read performance by reducing total secure read time and preventing replay attacks through parallel data transmission and authentication code generation, ensuring data integrity.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 112020024933052-PAT00005_ABST
    Figure 112020024933052-PAT00005_ABST
Patent Text Reader

Abstract

The present invention relates to an electronic device, wherein the storage device according to the present invention includes a memory device and a memory controller. The memory device includes a write protection area. The memory controller controls the memory device to perform a read operation on the write protection area in response to a series of requests regarding a secure read received from a host, provides read data received from the memory device to the host, and generates a device authentication code based on the read data. The memory controller performs the generation of the device authentication code and the provision of read data to the host in parallel.
Need to check novelty before this filing date? Find Prior Art

Description

Technology Field

[0001] The present invention relates to an electronic device, and more specifically, to a computing system and a method of operating the same. Background Technology

[0002] A storage device is a device that stores data under the control of a host device, such as a computer or a smartphone. A storage device may include a memory device where data is stored and a memory controller that controls the memory device. Memory devices are classified into volatile memory devices and non-volatile memory devices.

[0003] Volatile memory devices are memory devices that store data only when power is supplied, and the stored data is lost when the power supply is cut off. Volatile memory devices include Static Random Access Memory (SRAM) and Dynamic Random Access Memory (DRAM).

[0004] Non-volatile memory devices are memory devices in which data is not lost even when the power is cut off, and include ROM (Read Only Memory; ROM), PROM (Programmable ROM), EPROM (Electrically Programmable ROM), EEPROM (Electrically Erasable and Programmable ROM), and Flash Memory. A memory device may include a Replay Protected Memory Block (RPMB) as a memory area for storing secure data. The RPMB may use an authentication-based approach to ensure integrity and prevent replay attacks. A read operation on the RPMB may be performed as the host transmits a read request containing authentication information to the memory controller. After verifying the validity of the authentication information included in the read request, the memory device may read data from the corresponding memory area. The read data may be returned to the host, including a Message Authentication Code. The host can verify the integrity and reliability of the data by verifying the received data and the Message Authentication Code. The problem to be solved

[0005] An embodiment of the present invention provides a storage device having enhanced secure read performance and a method of operating the same. means of solving the problem

[0006] A storage device according to an embodiment of the present invention includes a memory device and a memory controller. The memory device includes a write protection area. The memory controller controls the memory device to perform a read operation on the write protection area in response to a series of requests regarding a secure read received from a host, provides read data received from the memory device to the host, and generates a device authentication code based on the read data. The memory controller performs the generation of the device authentication code and the provision of the read data to the host in parallel.

[0007] A method of operation of a storage device including a write protection area according to an embodiment of the present invention comprises the steps of receiving a first request and read information among a series of requests regarding a secure read from a host, reading data stored in a write protection area based on the read information, generating a device authentication code based on the read data, and providing the read data to the host. The step of generating the device authentication code is performed in parallel with the step of providing the read data.

[0008] A computing system according to an embodiment of the present invention includes a host and a storage device. The storage device includes a write protection area and receives a first request and read information among a series of first and second requests regarding a secure read from a host, reads data stored in the write protection area based on the read information, and performs in parallel the provision of read data to the host and the generation of a device authentication code based on the read data. Effects of the invention

[0009] According to the present technology, a computing system having enhanced secure read performance and a method of operation thereof are provided. Brief explanation of the drawing

[0010] FIG. 1 is a drawing for explaining a computing system according to an embodiment of the present invention. FIG. 2 is a flowchart illustrating a secure read operation according to one embodiment. FIG. 3 is a flowchart illustrating a secure read operation according to one embodiment. FIG. 4 is a flowchart illustrating a secure read operation according to one embodiment. Figure 5 is a diagram illustrating the configuration and operation of the storage device of Figure 1. Figure 6 is a diagram illustrating the configuration and operation of the memory controller of Figure 5. Figure 7 is a diagram for explaining the lead information of Figures 5 and 6. Figure 8 is a diagram illustrating the structure of the memory device of Figure 1. Figure 9 is a diagram illustrating the memory cell array of Figure 8. FIG. 10 is a drawing for explaining another embodiment of the memory controller of FIG. 1. FIG. 11 is a block diagram showing a memory card system to which a storage device according to an embodiment of the present invention is applied. FIG. 12 is a block diagram showing a Solid State Drive (SSD) system to which a storage device according to an embodiment of the present invention is applied. FIG. 13 is a block diagram showing a user system to which a storage device according to an embodiment of the present invention is applied. Specific details for implementing the invention

[0011] Specific structural or functional descriptions regarding embodiments according to the concept of the present invention disclosed in this specification or application are provided merely for the purpose of explaining embodiments according to the concept of the present invention, and embodiments according to the concept of the present invention may be implemented in various forms and should not be interpreted as being limited to the embodiments described in this specification or application.

[0013] FIG. 1 is a drawing for explaining a computing system according to an embodiment of the present invention.

[0014] Referring to FIG. 1, the computing system (500) may include a storage device (50) and a host (300).

[0015] The storage device (50) may include a memory device (100) and a memory controller (200) that controls the operation of the memory device. The storage device (50) is a device that stores data under the control of a host (300), such as a mobile phone, smartphone, MP3 player, laptop computer, desktop computer, game console, TV, tablet PC, or in-vehicle infotainment system.

[0016] The storage device (50) can be manufactured as any one of various types of storage devices according to the host (300) interface, which is a method of communication with the host (300). For example, the storage device (50) can be configured as any one of various types of storage devices such as an SSD, MMC, eMMC, RS-MMC, micro-MMC type multimedia card, SD, mini-SD, micro-SD type secure digital card, USB (universal serial bus) storage device, UFS (universal flash storage) device, PCMCIA (personal computer memory card international association) card type storage device, PCI (peripheral component interconnection) card type storage device, PCI-E (PCI express) card type storage device, CF (compact flash) card, smart media card, memory stick, etc.

[0017] The storage device (50) can be manufactured in any one of various types of package forms. For example, the storage device (50) can be manufactured in any one of various types of package forms such as POP (package on package), SIP (system in package), SOC (system on chip), MCP (multi-chip package), COB (chip on board), WFP (wafer-level fabricated package), WSP (wafer-level stack package), etc.

[0018] The memory device (100) can store data. The memory device (100) operates in response to the control of the memory controller (200). The memory device (100) may include a memory cell array comprising a plurality of memory cells that store data.

[0019] Memory cells can be configured as a Single Level Cell (SLC) that stores one data bit, a Multi Level Cell (MLC) that stores two data bits, a Triple Level Cell (TLC) that stores three data bits, or a Quad Level Cell (QLC) that can store four data bits.

[0020] A memory cell array may include a plurality of memory blocks. Each memory block may include a plurality of memory cells. A single memory block may include a plurality of pages. In an embodiment, a page may be a unit for storing data in a memory device (100) or reading data stored in a memory device (100).

[0021] A memory block may be a unit for erasing data. In an embodiment, the memory device (100) may be DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), LPDDR4 (Low Power Double Data Rate 4) SDRAM, GDDR (Graphics Double Data Rate) SDRAM, LPDDR (Low Power DDR), RDRAM (Rambus Dynamic Random Access Memory), NAND flash memory, Vertical NAND flash memory, NOR flash memory, resistive random access memory (RRAM), phase-change random access memory (PRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), spin transfer torque random access memory (STT-RAM), etc. For convenience of explanation, the present specification assumes that the memory device (100) is a NAND flash memory.

[0022] The memory device (100) is configured to receive a command and an address from the memory controller (200) and to access an area selected by the address among the memory cell array. That is, the memory device (100) can perform the operation instructed by the command on the area selected by the address. For example, the memory device (100) can perform a write operation (program operation), a read operation, and an erase operation. During the program operation, the memory device (100) will program data into the area selected by the address. During the read operation, the memory device (100) will read data from the area selected by the address. During the erase operation, the memory device (100) will erase the data stored in the area selected by the address.

[0023] In an embodiment, the memory device (100) may include a write protection area. Write data with verified integrity may be stored in the write protection area. The integrity of the write data may be such that the write data received from the host (300) is not distorted or tampered with.

[0024] The memory controller (200) controls the overall operation of the storage device (50).

[0025] When power is applied to the storage device (50), the memory controller (200) can execute firmware (FW). If the memory device (100) is a flash memory device, the memory controller (200) can execute firmware such as a Flash Translation Layer (FTL) to control communication between the host (300) and the memory device (100).

[0026] In an embodiment, the memory controller (200) receives data and a logical block address (LBA) from the host (300) and can convert the logical block address into a physical block address (PBA) representing the addresses of memory cells to be stored in the memory device (100).

[0027] The memory controller (200) can control the memory device (100) to perform a program operation, a read operation, or an erase operation, etc., according to a request from the host (300). When performing a program operation, the memory controller (200) can provide a write command, a physical block address, and data to the memory device (100). When performing a read operation, the memory controller (200) can provide a read command and a physical block address to the memory device (100). When performing an erase operation, the memory controller (200) can provide an erase command and a physical block address to the memory device (100).

[0028] In an embodiment, the memory controller (200) can independently generate commands, addresses, and data and transmit them to the memory device (100) regardless of a request from the host (300). For example, the memory controller (200) can provide commands, addresses, and data to the memory device (100) to perform background operations such as program operations for wear leveling and program operations for garbage collection.

[0029] In an embodiment, the memory controller (200) can control at least two memory devices (100). In this case, the memory controller (200) can control the memory devices (100) according to an interleaving method to improve operational performance. The interleaving method may be an operation method that overlaps the operating periods of at least two memory devices (100).

[0030] In an embodiment, the memory controller (200) can receive a series of requests for secure reads from the host (300).

[0031] In an embodiment, a series of requests may include a first request and a second request. The first request may be a request instructing a read operation on a write protection area of ​​the memory device (100). The second request may be a request for retrieval of the result of the read operation. The first request and the second request will be described later in FIGS. 2 through 5.

[0032] In an embodiment, the memory controller (200) may provide a first response to the host (300) indicating whether the first request has been received in response to a first request. The memory controller (200) may provide a second response to the host (300) including a device authentication code in response to a second request.

[0033] The memory controller (200) can receive a first request and read information from the host (300). In response to the first request, the memory controller (200) can control the memory device (100) to read data stored in a write protection area based on the read information.

[0034] In an embodiment, the read information may include values ​​requiring a read operation on a write-protected area. For example, the read information may include a nonce value generated by the host (300) for the security of a series of requests. The read information may include an address value of a target area to be read within the write-protected area. The read information may include a start address value of the target area. The read information may include a block count value, which is the number of memory blocks included in the target area.

[0035] In an embodiment, the memory controller (200) may provide a second response to the host (300) that includes a copy value of the nonce value. The host (300) may compare the nonce value provided to the memory controller (200) with the copy value received from the memory controller (200) to determine whether the storage device (50) is a legitimate sender and receiver of encrypted data.

[0036] The memory controller (200) can receive read data from the memory device (100).

[0037] The memory controller (200) can generate a device authentication code based on the received read data. The memory controller (200) can generate a device authentication code using a MAC (Message Authentication Code) algorithm based on the key and read data shared with the host (300). The device authentication code can be used to verify the integrity of the read data. The integrity of the read data may mean that the read data provided by the memory controller (200) to the host (300) is not distorted or tampered with.

[0038] The memory controller (200) can provide read data received from the memory device (100) to the host (300).

[0039] In an embodiment, the memory controller (200) may provide a first response and read data to the host (300) in response to a first request. After providing the read data to the host (300), the memory controller (200) may provide the first response to the host (300).

[0040] In another embodiment, the memory controller (200) may provide a second response and read data to the host (300) in response to the second request. The memory controller (200) may provide the second response to the host (300) after providing the read data to the host (300).

[0041] The memory controller (200) can perform the generation of device authentication codes and the provision of read data to the host (300) in parallel.

[0042] The host (300) can communicate with the storage device (50) using at least one of various communication methods such as USB (Universal Serial Bus), SATA (Serial AT Attachment), SAS (Serial Attached SCSI), HSIC (High Speed ​​Interchip), SCSI (Small Computer System Interface), PCI (Peripheral Component Interconnection), PCIe (PCI express), NVMe (NonVolatile Memory express), UFS (Universal Flash Storage), SD (Secure Digital), MMC (MultiMedia Card), eMMC (embedded MMC), DIMM (Dual In-line Memory Module), RDIMM (Registered DIMM), LRDIMM (Load Reduced DIMM).

[0043] In an embodiment, the host (300) may provide a series of requests regarding secure reads to the memory controller (200). The series of requests may include a first request and a second request.

[0044] The host (300) may provide a first request and read information to the memory controller (200). The host (300) may receive a first response from the memory controller (200). In response to the first response, the host (300) may provide a second request to the memory controller (200). The host (300) may receive a second response from the memory controller (200).

[0045] In an embodiment, the host (300) may receive a first response along with read data from the memory controller (200). After receiving the read data from the memory controller (200), the host (300) may receive the first response.

[0046] In an embodiment, the host (300) may receive a second response along with read data from the memory controller (200). The host (300) may receive the second response after receiving the read data from the memory controller (200).

[0048] FIG. 2 is a flowchart illustrating a secure read operation according to one embodiment.

[0049] Referring to FIG. 2, the host (300) may provide a series of requests for secure reading to the storage device (50). In response to the series of requests, the storage device (50) may read data stored in a write-protected area and provide the read data to the host (300).

[0050] In step S201, the host (300) may provide a first request among a series of requests to the storage device (50). The first request may be a request to read data stored in the write protection area of ​​the storage device (50).

[0051] In step S203, the storage device (50) may provide a first response to the host (300) indicating whether the first request has been received. The host (300) may determine whether the storage device (50) has received the first request based on the first response.

[0052] In step S205, the host (300) may provide a second request to the storage device (50) in response to the first response. The second request may be a retrieval request for the result of a read operation performed by the storage device (50) in accordance with the first request.

[0053] In step S207, the storage device (50) may provide a second response to the host (300) in response to the second request. In an embodiment, the storage device (50) may provide read data and the second response to the host (300). The storage device (50) may provide the second response after providing the read data to the host (300).

[0054] The storage device (50) may provide a second response containing a device authentication code to the host (300). The storage device (50) may copy a nonce value included in the read information and provide a second response containing the copy value to the host (300).

[0055] In step S209, the storage device (50) can receive read information from the host (300). The read information may include values ​​necessary to read data stored in a write protection area.

[0056] For example, the read information may include a nonce value, an address value, and a block count value. The nonce value may be a value generated by the host (300) for the security of a series of requests. The address value may represent the address of the target area to be read among the write-protected areas. In an embodiment, the address value may represent the starting address of the target area. The block count value may be the number of memory blocks included in the target area.

[0057] In step S211, the storage device (50) can perform a read operation based on read information in response to the second request. The storage device (50) can read data stored in the target area based on the address value and block count value included in the read information.

[0058] In step S213, the storage device (50) can generate a device authentication code after the read operation is completed. The storage device (50) can generate a device authentication code based on the key and read data shared with the host (300). The device authentication code can be used to verify the integrity of the read data.

[0059] In step S215, the storage device (50) can transmit read data and a device authentication code to the host (300). In an embodiment, the storage device (50) can transmit read data to the host (300) and transmit a second response including a device authentication code to the host (300).

[0060] In an embodiment, the host (300) can compare the nonce value included in the read information provided to the storage device (50) with the copy value included in the second response. Based on the comparison result, the host (300) can determine whether a series of requests and responses regarding secure reads have been properly exchanged with the storage device (50). That is, based on the comparison, the host (300) can prevent a replay attack in which a device other than the storage device (50) intercepts a series of requests in the middle and provides a response to the host (300).

[0061] In FIG. 2, a host delay may occur until the host (300) provides a second request to the storage device (50) in response to the first response received from the storage device (50).

[0063] FIG. 3 is a flowchart illustrating a secure read operation according to one embodiment.

[0064] Referring to FIG. 3, in step S301, the host (300) may provide a first request among a series of requests for a secure read to the storage device (50). The first request may be a request to read data stored in the write-protected area of ​​the storage device (50).

[0065] In step S303, the storage device (50) may provide a first response to the host (300) indicating whether the first request has been received. In an embodiment, the storage device (50) may provide read data and the first response to the host (300). The storage device (50) may provide the first response after providing the read data to the host (300). The host (300) may determine whether the storage device (50) has received the first request based on the first response.

[0066] In step S305, the host (300) may provide a second request to the storage device (50) in response to the first response. The second request may be a retrieval request for the result of a read operation performed by the storage device (50) in accordance with the first request.

[0067] In step S307, the storage device (50) may provide a second response to the host (300) in response to the second request. The storage device (50) may provide a second response to the host (300) that includes a device authentication code. The storage device (50) may provide a second response to the host (300) that includes a copy value of the nonce value included in the read information.

[0068] In step S309, the storage device (50) can receive read information from the host (300). The read information may include values ​​necessary to read data stored in a write protection area.

[0069] For example, the read information may include a nonce value, an address value, and a block count value. The nonce value may be a value generated by the host (300) for the security of a series of requests. The address value may represent the address of the target area to be read among the write-protected areas. In an embodiment, the address value may represent the starting address of the target area. The block count value may be the number of memory blocks included in the target area.

[0070] In step S311, the storage device (50) can perform a read operation based on read information in response to the first request. The storage device (50) can read data stored in a target area based on the address value and block count value included in the read information.

[0071] In step S313, the storage device (50) can transmit read data to the host (300). In an embodiment, the storage device (50) can transmit a first response after transmitting read data to the host (300).

[0072] In step S315, the storage device (50) can generate a device authentication code based on the key and read data shared with the host (300). The device authentication code can be used to verify the integrity of the read data.

[0073] In step S317, the storage device (50) may transmit a device authentication code to the host (300). In an embodiment, the storage device (50) may transmit a second response containing the device authentication code to the host (300).

[0074] In FIG. 3, steps S313 and S315 can be performed in parallel. That is, the storage device (50) can perform the transmission of read data to the host (300) and the generation of the device authentication code in parallel. The total secure read time can be reduced by the overlap between the transmission of read data and the generation of the device authentication code.

[0075] A host delay may occur until the host (300) provides a second request to the storage device (50) in response to the first response received from the storage device (50).

[0076] In FIG. 3, the storage device (50) generates a device authentication code during the host delay, thereby reducing the total secure read time.

[0078] FIG. 4 is a flowchart illustrating a secure read operation according to one embodiment.

[0079] Referring to FIG. 4, in step S401, the host (300) may provide a first request among a series of requests for a secure read to the storage device (50). The first request may be a request to read data stored in the write-protected area of ​​the storage device (50).

[0080] In step S403, the storage device (50) may provide a first response to the host (300) indicating whether the first request has been received. In an embodiment, the storage device (50) may provide the first response to the host (300) when the reception of read information is completed. The host (300) may determine whether the storage device (50) has received the first request based on the first response.

[0081] In step S405, the host (300) may provide a second request to the storage device (50) in response to the first response. The second request may be a retrieval request for the result of a read operation performed by the storage device (50) in accordance with the first request.

[0082] In step S407, the storage device (50) may provide a second response to the host (300) in response to the second request. The storage device (50) may provide a second response to the host (300) that includes a device authentication code. The storage device (50) may provide a second response to the host (300) that includes a copy value of the nonce value included in the read information.

[0083] In step S409, the storage device (50) can receive read information from the host (300). The read information may include values ​​necessary to read data stored in a write protection area.

[0084] For example, the read information may include a nonce value, an address value, and a block count value. The nonce value may be a value generated by the host (300) for the security of a series of requests. The address value may represent the address of the target area to be read among the write-protected areas. In an embodiment, the address value may represent the starting address of the target area. The block count value may be the number of memory blocks included in the target area.

[0085] In step S411, the storage device (50) can perform a read operation based on read information in response to the first request. The storage device (50) can read data stored in a target area based on the address value and block count value included in the read information.

[0086] In step S413, the storage device (50) may transmit read data to the host (300) in response to the second request. In an embodiment, the storage device (50) may transmit the second response after transmitting the read data to the host (300).

[0087] In step S415, the storage device (50) can generate a device authentication code based on the key and read data shared with the host (300). When the read operation of step S411 is completed, the storage device (50) can begin generating the device authentication code regardless of whether the second request is received. The device authentication code can be used to verify the integrity of the read data.

[0088] In step S417, the storage device (50) may transmit a device authentication code to the host (300). In an embodiment, the storage device (50) may transmit a second response containing the device authentication code to the host (300).

[0089] In FIG. 4, steps S413 and S415 can be performed in parallel. That is, the storage device (50) can perform the transmission of read data to the host (300) and the generation of the device authentication code in parallel. The total secure read time can be reduced by the overlap between the transmission of read data and the generation of the device authentication code.

[0090] A host delay may occur until the host (300) provides a second request to the storage device (50) in response to the first response received from the storage device (50).

[0091] In FIG. 4, during the host delay, the storage device (50) can perform a read operation or generate a device authentication code, thereby reducing the total secure read time.

[0093] Figure 5 is a diagram illustrating the configuration and operation of the storage device of Figure 1.

[0094] Referring to FIG. 5, the memory device (100) may include a write protection area (110). Write data with verified integrity may be stored in the write protection area (110). The integrity of the write data may mean that the write data received from the host (300) is not distorted or tampered with.

[0095] In an embodiment, the memory controller (200) may include an authentication read control unit (210) and a buffer (220).

[0096] The authenticated read control unit (210) can receive a series of requests (REQ) regarding secure reads from the host (300). The authenticated read control unit (210) can provide responses (RES) corresponding to the series of requests (REQ) to the host (300).

[0097] In an embodiment, a series of requests (REQ) may include a first request and a second request. The first request may be a request instructing a read operation for a write protection area (110) of a memory device (100). The second request may be a request for retrieval of the result of the read operation.

[0098] In an embodiment, the authentication read control unit (210) may provide a first response to the host (300) indicating whether the first request has been received in response to a first request. The authentication read control unit (210) may provide a second response to the host (300) including a device authentication code (DA_CODE) in response to a second request.

[0099] The authentication read control unit (210) can receive a first request and read information (RI) from the host (300). In response to the first request, the authentication read control unit (210) can provide a read command for data stored in the write protection area (110) to the memory device (100) based on the read information (RI).

[0100] In an embodiment, the read information (RI) may include values ​​for which a read operation is required for the write protection area (110). For example, the read information (RI) may include a nonce value generated by the host (300) for security in a series of requests (REQ). The read information (RI) may include an address value of the target area to be read within the write protection area (110). The read information (RI) may include a start address value of the target area. The read information (RI) may include a block count value, which is the number of memory blocks included in the target area.

[0101] In an embodiment, the authentication read control unit (210) may provide a second response to the host (300) that includes a copy value of the nonce value. The host (300) may determine whether the storage device is a legitimate sender and receiver of encrypted data by comparing the nonce value included in the read information (RI) provided to the authentication read control unit (210) with the copy value received from the authentication read control unit (210). That is, by comparing the nonce value and the copy value, the host (300) can prevent a replay attack in which a device other than the storage device intercepts a series of requests in the middle and provides a response to the host (300).

[0102] The authentication read control unit (210) can generate a device authentication code (DA_CODE) based on read data (R_DATA) received from the buffer (220). The authentication read control unit (210) can generate a device authentication code (DA_CODE) using a MAC (Message Authentication Code) algorithm based on the key shared with the host (300) and the read data (R_DATA). The device authentication code (DA_CODE) can be used to verify the integrity of the read data (R_DATA). The integrity of the read data (R_DATA) may mean that the read data (R_DATA) provided by the authentication read control unit (210) to the host (300) is not distorted or tampered with.

[0103] The authentication read control unit (210) can provide read data (R_DATA) stored in the buffer (220) to the host (300). The authentication read control unit (210) can provide read data (R_DATA) to the host (300) in response to a first request or a second request.

[0104] In an embodiment, as described with reference to FIG. 3, the authentication read control unit (210) may provide a first response and read data (R_DATA) to the host (300) in response to a first request. After providing the read data (R_DATA) to the host (300), the authentication read control unit (210) may provide the first response to the host (300).

[0105] In an embodiment, as described with reference to FIG. 4, the authentication read control unit (210) may provide a second response and read data (R_DATA) to the host (300) in response to a second request. The authentication read control unit (210) may provide the second response to the host (300) after providing the read data (R_DATA) to the host (300).

[0106] The authentication read control unit (210) can perform the generation of a device authentication code (DA_CODE) and the provision of read data (R_DATA) to the host (300) in parallel.

[0107] The buffer (220) can store data (R_DATA) read from the write protection area (110). The buffer (220) can provide the stored read data (R_DATA) to the host (300) under the control of the authentication read control unit (210).

[0109] Figure 6 is a diagram illustrating the configuration and operation of the memory controller of Figure 5.

[0110] Referring to FIG. 6, the memory controller (200) may include an authentication read control unit (210) and a buffer (220).

[0111] In an embodiment, the authentication read control unit (210) may include an authentication read processing unit (211) and an authentication code generation unit (212). In various embodiments, the authentication code generation unit (212) may be located outside the authentication read control unit (210).

[0112] The authenticated read processing unit (211) can receive a series of requests (REQ) regarding secure reads from the host (300). The authenticated read processing unit (211) can provide responses (RES) corresponding to the series of requests (REQ) to the host (300).

[0113] The authentication read processing unit (211) can receive a first request and read information (RI) among a series of requests (REQ). The authentication read processing unit (211) can provide a command to the memory device (100) to read data stored in the write protection area of ​​the memory device (100) based on the read information (RI). In response to the first request, the authentication read processing unit (211) can provide a first response to the host (300) indicating whether the first request has been received.

[0114] The authentication read processing unit (211) can receive a second request among a series of requests (REQ). The authentication read processing unit (211) can provide a second response to the host (300) indicating whether the second request has been received.

[0115] The authentication read processing unit (211) can provide a buffer control signal (BF_CNT) to the buffer (220). The authentication read processing unit (211) can control the operation of the buffer (220) through the buffer control signal (BF_CNT). In an embodiment, the authentication read processing unit (211) can control the buffer (220) to provide read data (R_DATA) to the host (300) in response to a first request. In an embodiment, the authentication read processing unit (211) can control the buffer (220) to provide read data (R_DATA) to the host (300) in response to a second request.

[0116] The authentication read processing unit (211) can provide an authentication code generation unit control signal (CG_CNT) to the authentication code generation unit (212). The authentication read processing unit (211) can control the operation of the authentication code generation unit (212) through the authentication code generation unit control signal (CG_CNT). In an embodiment, the authentication read processing unit (211) can control the authentication code generation unit (212) to provide a device authentication code (DA_CODE) to the host (300) in response to a second request.

[0117] The authentication code generation unit (212) can generate a device authentication code (DA_CODE) based on read data (R_DATA) received from the buffer (220) in response to the authentication code generation unit control signal (CG_CNT). The authentication code generation unit (212) can generate a device authentication code (DA_CODE) based on the key and read data (R_DATA) shared with the host (300). The shared key value may be set in advance. The shared key value may be changed at the request of the host (300). The authentication code generation unit (212) can provide the generated device authentication code (DA_CODE) to the host (300) in response to the authentication code generation unit control signal (CG_CNT).

[0118] The buffer (220) receives read data (R_DATA) from the memory device (100) and can store the received read data (R_DATA). In response to a buffer control signal (BF_CNT), the buffer (220) can provide the stored read data (R_DATA) to the host (300) or to the authentication code generation unit (212).

[0120] Figure 7 is a diagram for explaining the lead information of Figures 5 and 6.

[0121] Referring to FIG. 7, the read information (RI) may include values ​​for which a read operation is required for a write protection area. For example, the read information may include a nonce value, an address value, and a block count value.

[0122] The nonce value can be a random value generated by the host to secure a series of requests provided by the host to the storage device. The nonce value can be used to prevent replay attacks.

[0123] The address value may be the address of the target area to be read within the write-protected area. The address value may be the starting address of the target area.

[0124] The block count value may be the number of memory blocks included in the target area.

[0125] The target area within the write protection area can be determined through the address value and the block count value.

[0127] Figure 8 is a diagram illustrating the structure of the memory device of Figure 1.

[0128] Referring to FIG. 8, the memory device (400) may include a memory cell array (410), peripheral circuits (420), and control logic (430).

[0129] A memory cell array (410) includes a plurality of memory blocks (BLK1 to BLKz). The plurality of memory blocks (BLK1 to BLKz) are connected to an address decoder (421) via row lines (RL). The plurality of memory blocks (BLK1 to BLKz) are connected to a read and write circuit (423) via bit lines (BL1 to BLm). Each of the plurality of memory blocks (BLK1 to BLKz) includes a plurality of memory cells. In an embodiment, the plurality of memory cells are non-volatile memory cells. Among the plurality of memory cells, memory cells connected to the same word line are defined as a single physical page. That is, the memory cell array (410) is composed of a plurality of physical pages. According to an embodiment of the present invention, each of the plurality of memory blocks (BLK1 to BLKz) included in the memory cell array (410) may include a plurality of dummy cells. At least one dummy cell may be connected in series between the drain select transistor and the memory cells and between the source select transistor and the memory cells.

[0130] The memory cells of the memory device (400) can each be configured as a single level cell (SLC) that stores one data bit, a multi-level cell (MLC) that stores two data bits, a triple level cell (TLC) that stores three data bits, or a quad level cell (QLC) that can store four data bits.

[0131] The peripheral circuit (420) may include an address decoder (421), a voltage generator (422), a read and write circuit (423), a data input / output circuit (424), and a sensing circuit (425).

[0132] The peripheral circuit (420) drives the memory cell array (410). For example, the peripheral circuit (420) can drive the memory cell array (410) to perform program operations, read operations, and erase operations.

[0133] The address decoder (421) is connected to the memory cell array (410) through row lines (RL). The row lines (RL) may include drain select lines, word lines, source select lines, and a common source line. According to an embodiment of the present invention, the word lines may include normal word lines and dummy word lines. According to an embodiment of the present invention, the row lines (RL) may further include pipe select lines.

[0134] The address decoder (421) is configured to operate in response to the control of the control logic (430). The address decoder (421) receives an address (ADDR) from the control logic (430).

[0135] The address decoder (421) is configured to decode a block address among the received addresses (ADDR). The address decoder (421) selects at least one memory block among the memory blocks (BLK1~BLKz) according to the decoded block address. The address decoder (421) is configured to decode a row address among the received addresses (ADDR). The address decoder (421) can select at least one word line among the word lines of the selected memory block according to the decoded row address. The address decoder (421) can apply an operating voltage (Vop) supplied from the voltage generation unit (422) to the selected word line.

[0136] During program operation, the address decoder (421) will apply a program voltage to the selected word lines and a pass voltage of a level lower than the program voltage to the unselected word lines. During program verification operation, the address decoder (421) will apply a verification voltage to the selected word lines and a verification pass voltage of a level higher than the verification voltage to the unselected word lines.

[0137] During a read operation, the address decoder (421) will apply a read voltage to the selected word lines and apply a read pass voltage of a higher level than the read voltage to the unselected word lines.

[0138] According to an embodiment of the present invention, the erase operation of the memory device (400) is performed in units of memory blocks. The address (ADDR) input to the memory device (400) during the erase operation includes a block address. The address decoder (421) decodes the block address and can select at least one memory block according to the decoded block address. During the erase operation, the address decoder (421) can apply a ground voltage to the word lines input to the selected memory block.

[0139] According to an embodiment of the present invention, the address decoder (421) may be configured to decode a column address among the transmitted addresses (ADDR). The decoded column address may be transmitted to a read and write circuit (423). For example, the address decoder (421) may include components such as a row decoder, a column decoder, an address buffer, etc.

[0140] The voltage generation unit (422) is configured to generate multiple operating voltages (Vop) using an external power supply voltage supplied to the memory device (400). The voltage generation unit (422) operates in response to the control of the control logic (430).

[0141] As an example, the voltage generating unit (422) can generate an internal power supply voltage by regulating an external power supply voltage. The internal power supply voltage generated by the voltage generating unit (422) is used as the operating voltage of the memory device (400).

[0142] As an example, the voltage generation unit (422) can generate a plurality of operating voltages (Vop) using an external power supply voltage or an internal power supply voltage. The voltage generation unit (422) can be configured to generate various voltages required by the memory device (400). For example, the voltage generation unit (422) can generate a plurality of erase voltages, a plurality of program voltages, a plurality of pass voltages, a plurality of select read voltages, and a plurality of non-select read voltages.

[0143] The voltage generation unit (422) includes a plurality of pumping capacitors that receive an internal power supply voltage to generate a plurality of operating voltages (Vop) having various voltage levels, and will selectively activate the plurality of pumping capacitors in response to the control of the control logic (430) to generate a plurality of operating voltages (Vop).

[0144] The generated multiple operating voltages (Vop) can be supplied to the memory cell array (410) by the address decoder (421).

[0145] The read and write circuit (423) includes first to m-th page buffers (PB1 to PBm). The first to m-th page buffers (PB1 to PBm) are each connected to a memory cell array (410) through first to m-th bit lines (BL1 to BLm). The first to m-th page buffers (PB1 to PBm) operate in response to the control of the control logic (430).

[0146] The first to m-th page buffers (PB1 to PBm) communicate data (DATA) with the data input / output circuit (424). During programming, the first to m-th page buffers (PB1 to PBm) receive data (DATA) to be stored through the data input / output circuit (424) and data lines (DL).

[0147] During a program operation, the first to m-page buffers (PB1 to PBm) will transfer data (DATA) to be stored through the data input / output circuit (424) to the selected memory cells via the bit lines (BL1 to BLm) when a program voltage is applied to a selected word line. The memory cells of the selected page are programmed according to the transferred data (DATA). A memory cell connected to a bit line to which a program allow voltage (e.g., ground voltage) is applied will have an elevated threshold voltage. A memory cell connected to a bit line to which a program prohibit voltage (e.g., power supply voltage) is applied will maintain its threshold voltage. During a program verification operation, the first to m-page buffers (PB1 to PBm) read data (DATA) stored in the memory cells from the selected memory cells via the bit lines (BL1 to BLm).

[0148] When a read operation is performed, the read and write circuit (423) can read data (DATA) from the memory cells of the selected page through bit lines (BL1 to BLm) and store the read data (DATA) in the first to m page buffers (PB1 to PBm).

[0149] During an erase operation, the read and write circuit (423) can float the bit lines (BL1 to BLm). As an example, the read and write circuit (423) may include a column selection circuit.

[0150] The data input / output circuit (424) is connected to the first to m-page buffers (PB1 to PBm) through data lines (DL). The data input / output circuit (424) operates in response to the control of the control logic (430).

[0151] The data input / output circuit (424) may include a plurality of input / output buffers (not shown) for receiving input data (DATA). During program operation, the data input / output circuit (424) receives data (DATA) to be stored from an external controller (not shown). During a read operation, the data input / output circuit (424) outputs data (DATA) transmitted from the first to m-th page buffers (PB1~PBm) included in the read and write circuit (423) to the external controller.

[0152] The sensing circuit (425) can generate a reference current in response to an allow bit (VRYBIT) signal generated by the control logic (430) during a read operation or a verification operation, and compare the sensing voltage (VPB) received from the read and write circuit (423) with the reference voltage generated by the reference current to output a pass signal or a fail signal to the control logic (430).

[0153] The control logic (430) can be connected to an address decoder (421), a voltage generator (422), a read and write circuit (423), a data input / output circuit (424), and a sensing circuit (425). The control logic (430) can be configured to control the general operation of the memory device (400). The control logic (430) can operate in response to a command (CMD) transmitted from an external device.

[0154] The control logic (430) can control the peripheral circuit (420) by generating various signals in response to the command (CMD) and address (ADDR). For example, the control logic (430) can generate an operation signal (OPSIG), an address (ADDR), a read and write circuit control signal (PBSIGNALS), and an allow bit (VRYBIT) in response to the command (CMD) and address (ADDR). The control logic (430) can output the operation signal (OPSIG) to the voltage generator (422), output the address (ADDR) to the address decoder (421), output the read and write control signal to the read and write circuit (423), and output the allow bit (VRYBIT) to the sensing circuit (425). Additionally, the control logic (430) can determine whether the verification operation has passed or failed in response to the pass or fail signal (PASS / FAIL) output by the sensing circuit (425).

[0156] Figure 9 is a diagram illustrating the memory cell array of Figure 8.

[0157] Referring to FIG. 9, the first to z memory blocks (BLK1 to BLKz) are commonly connected to the first to m bit lines (BL1 to BLm). In FIG. 9, for convenience of explanation, elements included in the first memory block (BLK1) among the plurality of memory blocks (BLK1 to BLKz) are shown, and elements included in each of the remaining memory blocks (BLK2 to BLKz) are omitted. It will be understood that each of the remaining memory blocks (BLK2 to BLKz) is configured in the same way as the first memory block (BLK1).

[0158] A memory block (BLK1) may include a plurality of cell strings (CS1_1 to CS1_m, (m is a positive integer)). The first to m cell strings (CS1_1 to CS1_m) are each connected to the first to m bit lines (BL1 to BLm). The first to m cell strings (CS1_1 to CS1_m) each include a drain select transistor (DST), a plurality of serially connected memory cells (MC1 to MCn, (n is a positive integer)), and a source select transistor (SST).

[0159] The gate terminal of the drain select transistor (DST) included in each of the first to m cell strings (CS1_1 to CS1_m) is connected to the drain select line (DSL1). The gate terminal of each of the first to n memory cells (MC1 to MCn) included in each of the first to m cell strings (CS1_1 to CS1_m) is connected to the first to n word lines (WL1 to WLn). The gate terminal of the source select transistor (SST) included in each of the first to m cell strings (CS1_1 to CS1_m) is connected to the source select line (SSL1).

[0160] For the convenience of explanation, the structure of the cell strings is described based on the first cell string (CS1_1) among the multiple cell strings (CS1_1 to CS1_m). However, it will be understood that each of the remaining cell strings (CS1_2 to CS1_m) is configured in the same way as the first cell string (CS1_1).

[0161] The drain terminal of the drain select transistor (DST) included in the first cell string (CS1_1) is connected to the first bit line (BL1). The source terminal of the drain select transistor (DST) included in the first cell string (CS1_1) is connected to the drain terminal of the first memory cell (MC1) included in the first cell string (CS1_1). The first to nth memory cells (MC1~MCn) are connected in series with each other. The drain terminal of the source select transistor (SST) included in the first cell string (CS1_1) is connected to the source terminal of the nth memory cell (MCn) included in the first cell string (CS1_1). The source terminal of the source select transistor (SST) included in the first cell string (CS1_1) is connected to the common source line (CSL). As an example, the common source line (CSL) may be commonly connected to the first to zth memory blocks (BLK1~BLKz).

[0162] The drain select line (DSL1), the first to n word lines (WL1 to WLn), and the source select line (SSL1) are included in the row lines (RL) of FIG. 8. The drain select line (DSL1), the first to n word lines (WL1 to WLn), and the source select line (SSL1) are controlled by an address decoder (421). The common source line (CSL) is controlled by control logic (430). The first to m bit lines (BL1 to BLm) are controlled by a read and write circuit (423).

[0164] FIG. 10 is a drawing for explaining another embodiment of the memory controller of FIG. 1.

[0165] Referring to FIG. 10, a memory controller (1000) is connected to a host and a memory device. In response to a request from the host, the memory controller (1000) is configured to access the memory device. For example, the memory controller (1000) is configured to control the write, read, erase, and background operations of the memory device. The memory controller (1000) is configured to provide an interface between the memory device and the host. The memory controller (1000) is configured to run firmware for controlling the memory device.

[0166] The memory controller (1000) may include a processor (1010), a memory buffer (1020), an error correction unit (ECC; 1030), a host interface (1040), a buffer controller (1050), a memory interface (1060), and a bus (1070).

[0167] The bus (1070) can be configured to provide a channel between the components of the memory controller (1000).

[0168] The processor unit (1010) can control the general operations of the memory controller (1000) and perform logical operations. The processor unit (1010) can communicate with an external host through the host interface (1040) and with a memory device through the memory interface (1060). Additionally, the processor unit (1010) can communicate with the memory buffer unit (1020) through the buffer control unit (1050). The processor unit (1010) can control the operation of the storage device by using the memory buffer unit (1020) as an operating memory, cache memory, or buffer memory.

[0169] The processor unit (1010) can perform the function of a flash translation layer (FTL). The processor unit (1010) can convert a logical block address (LBA) provided by the host into a physical block address (PBA) through the flash translation layer (FTL). The flash translation layer (FTL) can receive a logical block address (LBA) as input using a mapping table and convert it into a physical block address (PBA). There are various address mapping methods of the flash translation layer depending on the mapping unit. Representative address mapping methods include the page mapping method, the block mapping method, and the hybrid mapping method.

[0170] The processor unit (1010) is configured to render data received from the host. For example, the processor unit (1010) will render data received from the host using a rendering seed. The rendered data is provided to a memory device as data to be stored and programmed into a memory cell array.

[0171] The processor unit (1010) is configured to derander data received from the memory device during a read operation. For example, the processor unit (1010) will derander data received from the memory device using a derandering seed. The derandered data will be output to the host.

[0172] As an example of an embodiment, the processor unit (1010) can perform rendering and de-rendering by running software or firmware.

[0173] The memory buffer section (1020) can be used as an operating memory, cache memory, or buffer memory of the processor section (1010). The memory buffer section (1020) can store codes and commands executed by the processor section (1010). The memory buffer section (1020) can store data processed by the processor section (1010). The memory buffer section (1020) may include SRAM (Static RAM) or DRAM (Dynamic RAM).

[0174] The error correction unit (1030) can perform error correction. The error correction unit (1030) can perform error correction encoding (ECC encoding) based on data to be written to a memory device through the memory interface (1060). The error correction encoded data can be transmitted to a memory device through the memory interface (1060). The error correction unit (1030) can perform error correction decoding (ECC decoding) on ​​data received from a memory device through the memory interface (1060). For example, the error correction unit (1030) can be included in the memory interface (1060) as a component of the memory interface (1060).

[0175] The host interface (1040) is configured to communicate with an external host under the control of the processor unit (1010). The host interface (1040) may be configured to communicate using at least one of various communication methods such as USB (Universal Serial Bus), SATA (Serial AT Attachment), SAS (Serial Attached SCSI), HSIC (High Speed ​​Interchip), SCSI (Small Computer System Interface), PCI (Peripheral Component Interconnection), PCIe (PCI express), NVMe (NonVolatile Memory express), UFS (Universal Flash Storage), SD (Secure Digital), MMC (MultiMedia Card), eMMC (embedded MMC), DIMM (Dual In-line Memory Module), RDIMM (Registered DIMM), LRDIMM (Load Reduced DIMM).

[0176] The buffer control unit (1050) is configured to control the memory buffer unit (1020) according to the control of the processor unit (1010).

[0177] The memory interface (1060) is configured to communicate with a memory device under the control of the processor unit (1010). The memory interface (1060) can communicate commands, addresses, and data with the memory device through a channel.

[0178] For example, the memory controller (1000) may not include a memory buffer section (1020) and a buffer control section (1050).

[0179] For example, the processor unit (1010) can control the operation of the memory controller (1000) using codes. The processor unit (1010) can load codes from a non-volatile memory device (e.g., Read Only Memory) provided inside the memory controller (1000). As another example, the processor unit (1010) can load codes from a memory device through a memory interface (1060).

[0180] For example, the bus (1070) of the memory controller (1000) may be divided into a control bus and a data bus. The data bus may be configured to transmit data within the memory controller (1000), and the control bus may be configured to transmit control information, such as commands and addresses, within the memory controller (1000). The data bus and the control bus may be separated from each other and may not interfere with or affect each other. The data bus may be connected to a host interface (1040), a buffer control unit (1050), an error correction unit (1030), and a memory interface (1060). The control bus may be connected to a host interface (1040), a processor unit (1010), a buffer control unit (1050), a memory buffer unit (1020), and a memory interface (1060).

[0181] In the embodiment, the authentication read control unit (210) of FIG. 5 is included in the processor unit (1010), and the buffer (220) may be included in the memory buffer unit (1020).

[0183] FIG. 11 is a block diagram showing a memory card system to which a storage device according to an embodiment of the present invention is applied.

[0184] Referring to FIG. 11, the memory card system (2000) includes a memory controller (2100), a memory device (2200), and a connector (2300).

[0185] The memory controller (2100) is connected to the memory device (2200). The memory controller (2100) is configured to access the memory device (2200). For example, the memory controller (2100) may be configured to control the read, write, erase, and background operations of the memory device (2200). The memory controller (2100) is configured to provide an interface between the memory device (2200) and the host. The memory controller (2100) is configured to run firmware for controlling the memory device (2200). The memory controller (2100) may be implemented in the same way as the memory controller (200) described with reference to FIG. 1.

[0186] For example, the memory controller (2100) may include components such as RAM (Random Access Memory), a processing unit, a host interface, a memory interface, and an error correction unit.

[0187] The memory controller (2100) can communicate with an external device through a connector (2300). The memory controller (2100) can communicate with an external device (e.g., a host) according to a specific communication standard. For example, the memory controller (2100) is configured to communicate with an external device through at least one of various communication standards such as USB (Universal Serial Bus), MMC (multimedia card), eMMC (embedded MMC), PCI (peripheral component interconnection), PCI-E (PCI-express), ATA (Advanced Technology Attachment), Serial-ATA, Parallel-ATA, SCSI (small computer system interface), ESDI (enhanced small disk interface), IDE (Integrated Drive Electronics), Firewire, UFS (Universal Flash Storage), WIFI, Bluetooth, NVMe, etc. For example, the connector (2300) may be defined by at least one of the various communication standards described above.

[0188] For example, the memory device (2200) may be composed of various non-volatile memory devices such as EEPROM (Electrically Erasable and Programmable ROM), NAND flash memory, NOR flash memory, PRAM (Phase-change RAM), ReRAM (Resistive RAM), FRAM (Ferroelectric RAM), STT-MRAM (Spin-Torque Magnetic RAM), etc.

[0189] The memory controller (2100) and the memory device (2200) can be integrated into a single semiconductor device to form a memory card. For example, the memory controller (2100) and the memory device (2200) can be integrated into a single semiconductor device to form a memory card such as a PC card (PCMCIA, Personal Computer Memory Card International Association), Compact Flash card (CF), Smart Media card (SM, SMC), Memory Stick, Multimedia card (MMC, RS-MMC, MMCmicro, eMMC), SD card (SD, miniSD, microSD, SDHC), Universal Flash Storage (UFS), etc.

[0191] FIG. 12 is a block diagram showing a Solid State Drive (SSD) system to which a storage device according to an embodiment of the present invention is applied.

[0192] Referring to FIG. 12, the SSD system (3000) includes a host (3100) and an SSD (3200). The SSD (3200) transmits and receives signals with the host (3100) through a signal connector (3001) and receives power through a power connector (3002). The SSD (3200) includes an SSD controller (3210), a plurality of flash memories (3221 to 322n), an auxiliary power supply (3230), and a buffer memory (3240).

[0193] According to an embodiment of the present invention, the SSD controller (3210) can perform the function of the memory controller (200) described with reference to FIG. 1.

[0194] The SSD controller (3210) can control a plurality of flash memories (3221 to 322n) in response to a signal received from the host (3100). For example, the signal may be a signal based on an interface between the host (3100) and the SSD (3200). For example, the signal may be a signal defined by at least one of interfaces such as USB (Universal Serial Bus), MMC (multimedia card), eMMC (embedded MMC), PCI (peripheral component interconnection), PCI-E (PCI-express), ATA (Advanced Technology Attachment), Serial-ATA, Parallel-ATA, SCSI (small computer system interface), ESDI (enhanced small disk interface), IDE (Integrated Drive Electronics), Firewire, UFS (Universal Flash Storage), WIFI, Bluetooth, NVMe, etc.

[0195] The auxiliary power unit (3230) is connected to the host (3100) via a power connector (3002). The auxiliary power unit (3230) receives power from the host (3100) and can charge. The auxiliary power unit (3230) can provide power to the SSD (3200) when power supply from the host (3100) is not smooth. For example, the auxiliary power unit (3230) may be located inside the SSD (3200) or outside the SSD (3200). For example, the auxiliary power unit (3230) may be located on the main board and provide auxiliary power to the SSD (3200).

[0196] The buffer memory (3240) operates as a buffer memory of the SSD (3200). For example, the buffer memory (3240) may temporarily store data received from the host (3100) or data received from a plurality of flash memories (3221 to 322n), or may temporarily store metadata (e.g., mapping tables) of the flash memories (3221 to 322n). The buffer memory (3240) may include volatile memory such as DRAM, SDRAM, DDR SDRAM, LPDDR SDRAM, GRAM, etc., or non-volatile memory such as FRAM, ReRAM, STT-MRAM, PRAM, etc.

[0197] In an embodiment, the host (3100) can operate in the same way as the host (300) described with reference to FIG. 5.

[0199] FIG. 13 is a block diagram showing a user system to which a storage device according to an embodiment of the present invention is applied.

[0200] Referring to FIG. 13, the user system (4000) includes an application processor (4100), a memory module (4200), a network module (4300), a storage module (4400), and a user interface (4500).

[0201] The application processor (4100) can run components included in the user system (4000), an operating system (OS), or user programs, etc. For example, the application processor (4100) may include controllers, interfaces, graphics engines, etc. that control components included in the user system (4000). The application processor (4100) may be provided as a system-on-chip (SoC).

[0202] The memory module (4200) can operate as the main memory, operational memory, buffer memory, or cache memory of the user system (4000). The memory module (4200) may include volatile random access memory such as DRAM, SDRAM, DDR SDRAM, DDR2 SDRAM, DDR3 SDRAM, LPDDR SDRAM, LPDDR2 SDRAM, LPDDR3 SDRAM, etc. or non-volatile random access memory such as PRAM, ReRAM, MRAM, FRAM, etc. For example, the application processor (4100) and the memory module (4200) may be packaged based on POP (Package on Package) and provided as a single semiconductor package.

[0203] The network module (4300) can communicate with external devices. For example, the network module (4300) can support wireless communication such as CDMA (Code Division Multiple Access), GSM (Global System for Mobile communication), WCDMA (wideband CDMA), CDMA-2000, TDMA (Time Division Multiple Access), LTE (Long Term Evolution), WiMAX, WLAN, UWB, Bluetooth, Wi-Fi, etc. For example, the network module (4300) can be included in the application processor (4100).

[0204] The storage module (4400) can store data. For example, the storage module (4400) can store data received from the application processor (4100). Alternatively, the storage module (4400) can transfer data stored in the storage module (4400) to the application processor (4100). For example, the storage module (4400) can be implemented as a non-volatile semiconductor memory device such as PRAM (Phase-change RAM), MRAM (Magnetic RAM), RRAM (Resistive RAM), NAND flash, NOR flash, or a three-dimensional NAND flash. For example, the storage module (4400) can be provided as a removable storage medium such as a memory card or an external drive of the user system (4000).

[0205] For example, the storage module (4400) may include a plurality of non-volatile memory devices, and the plurality of non-volatile memory devices may operate in the same manner as the memory device (100) described with reference to FIG. 1. The storage module (4400) may operate in the same manner as the storage device (50) described with reference to FIG. 1.

[0206] The user interface (4500) may include interfaces for inputting data or commands to the application processor (4100) or outputting data to an external device. For example, the user interface (4500) may include user input interfaces such as a keyboard, keypad, button, touch panel, touch screen, touch pad, touch ball, camera, microphone, gyroscope sensor, vibration sensor, piezoelectric element, etc. The user interface (4500) may include user output interfaces such as an LCD (Liquid Crystal Display), OLED (Organic Light Emitting Diode) display, AMOLED (Active Matrix OLED) display, LED, speaker, monitor, etc. Explanation of the symbols

[0207] 100: Memory device 110: Write protection area 200: Memory controller 210: Authentication Read Control Unit 220: Buffer 300: Host

Claims

Claim 1 A storage device comprising: a memory device including a write protection area; and a memory controller that controls the memory device to perform a read operation on the write protection area in response to a series of secure read requests received from a host, provides read data obtained from the read operation to the host, and generates a device authentication code based on the read data while providing the read data to the host. Claim 2 In claim 1, the storage device comprises: an authentication read control unit that receives a first request and read information among the series of secure read requests from the host, controls the memory device to perform the read operation based on the read information in response to the first request, and provides the device authentication code to the host in response to a second request among the series of secure read requests; and a buffer that stores the read data obtained from the read operation. Claim 3 In claim 2, the authentication read control unit provides to the host a first response indicating whether the first request has been received in response to the first request, and provides to the host a second response including the device authentication code in response to the second request. Claim 4 In claim 3, the authentication read control unit is a storage device that provides the first response to the host after providing the read data to the host in response to the first request. Claim 5 In claim 3, the authentication read control unit is a storage device that provides the second response to the host after providing the read data to the host in response to the second request. Claim 6 In claim 2, the authentication read control unit is a storage device that generates the device authentication code based on the key shared with the host and the read data. Claim 7 A storage device according to claim 2, wherein the first request is a request to direct the read operation for the write protection area, and the second request is a request to retrieve the result of the read operation. Claim 8 In claim 2, the read information comprises a nonce value generated by the host for the security of the series of secure read requests, a starting address value of a target area to be read among the write protection areas, and a block count value which is the number of blocks included in the target area. Claim 9 A method of operation of a storage device including a write protection area, comprising: receiving a first request and read information among a series of secure read requests from a host; reading data stored in the write protection area based on the read information; providing the read data read from the write protection area to the host; and generating a device authentication code based on the read data while providing the read data to the host. Claim 10 A method of operation of a storage device according to claim 9, further comprising the step of providing a first response to the host indicating whether the first request has been received in response to the first request. Claim 11 A method of operation of a storage device according to claim 10, further comprising: receiving a second request among the series of secure read requests from the host; and providing a second response including the device authentication code to the host in response to the second request. Claim 12 In claim 11, the step of providing the read data is a method of operation of a storage device that provides the read data to the host in response to the first request. Claim 13 In claim 11, the step of providing the read data is a method of operation of a storage device that provides the read data to the host in response to the second request. Claim 14 In claim 9, the read information comprises a nonce value generated by the host for the security of the series of secure read requests, a starting address value of a target area to be read among the write protection areas, and a block count value which is the number of blocks included in the target area. Claim 15 In claim 9, the step of generating the device authentication code is a method of operation of a storage device that generates the device authentication code based on a key shared with the host and the read data. Claim 16 A computing system comprising: a host; and a storage device including a write protection area, receiving a first request and read information among a series of secure read requests from the host, reading data stored in the write protection area based on the read information, and generating a device authentication code based on the read data while providing the read data to the host. Claim 17 In claim 16, the storage device provides the host with the read data and a first response indicating whether the first request has been received in response to the first request, and provides the host with the second response including the device authentication code in response to the second request among the series of secure read requests received from the host. Claim 18 In claim 16, the storage device provides to the host a first response indicating whether the first request has been received in response to the first request, and provides to the host a second response including the device authentication code and the read data in response to the second request among the series of secure read requests. Claim 19 In claim 16, the above read information comprises a nonce value generated by the host for the security of the series of security read requests, a starting address value of a target area to be read among the write protection areas, and a block count value which is the number of blocks included in the target area. Claim 20 In claim 16, the storage device is a computing system that generates the device authentication code based on the key shared with the host and the read data.