Device registration, authentication, and authorization system and method
US-2015295930-A1 · Oct 15, 2015 · US
US2016140334A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016140334-A1 |
| Application number | US-201414540784-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 13, 2014 |
| Priority date | Nov 13, 2014 |
| Publication date | May 19, 2016 |
| Grant date | — |
Official abstract text for this publication.
Apparatus and method for controlling access to protected functionality of a data storage device. In some embodiments, a plurality of identification (ID) values associated with a data storage device are combined to form a combined ID value. The combined ID value is cryptographically processed using a secret symmetric encryption key in combination with a hash function or a key derivation function to generate a unique device credential for the data storage device. The unique device credential is used as an input to a selected cryptographic function to control access to a protected function of the data storage device.
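The credential derivation and challenge-response flow described in the abstract and in claims 5 and 6, as an added example that is not code from the patent. HMAC-SHA-256 stands in for both the unspecified KDF and the challenge encryption step, and the `Device` class, the label string and all ID values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def combine_ids(ids: dict) -> bytes:
    """Length-prefix each name and value so distinct ID sets never collide."""
    out = b""
    for name in sorted(ids):
        for part in (name.encode(), str(ids[name]).encode()):
            out += len(part).to_bytes(2, "big") + part
    return out

def derive_credential(master_key: bytes, ids: dict) -> bytes:
    """Unique device credential: keyed derivation over the combined ID value.
    HMAC-SHA-256 is an assumed stand-in for the KDF the claims leave open."""
    msg = b"device-credential" + combine_ids(ids)  # label is hypothetical
    return hmac.new(master_key, msg, hashlib.sha256).digest()

def answer_challenge(credential: bytes, challenge: bytes) -> bytes:
    """Keyed response to the device's challenge. HMAC replaces the claims'
    'encrypt the challenge' step (assumption: no block cipher in the stdlib)."""
    return hmac.new(credential, challenge, hashlib.sha256).digest()

class Device:
    """Constructed model of the drive-side access control module."""
    def __init__(self, ids: dict, stored_credential: bytes):
        self.ids = ids
        self._cred = stored_credential   # written once at provisioning
        self._challenge = None

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # fresh value per attempt
        return self._challenge

    def unlock(self, response: bytes) -> bool:
        if self._challenge is None:      # no outstanding challenge
            return False
        expected = answer_challenge(self._cred, self._challenge)
        self._challenge = None           # single use, so a captured response cannot be replayed
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    master = secrets.token_bytes(32)     # held only by the server or smart card
    ids = {"model": "EX-1000", "serial": "SN0001", "capacity_gb": 512}  # constructed
    dev = Device(ids, derive_credential(master, ids))   # provisioning step
    # Later: the agent reads the IDs, the key holder re-derives and answers.
    resp = answer_challenge(derive_credential(master, dev.ids), dev.get_challenge())
    return dev.unlock(resp), dev.unlock(resp)  # second call replays the response

if __name__ == "__main__":
    print(demo())
```

The device never holds the master key, so extracting one drive's stored credential does not yield the credential of any other drive.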
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: combining a plurality of identification (ID) values associated with a data storage device to form a combined ID value; encrypting the combined ID value using a secret symmetric encryption key and a cryptographic process to generate a unique device credential for the data storage device; and using the unique device credential as an input to a selected cryptographic function to control access to a protected function of the data storage device.

2. The method of claim 1, wherein the cryptographic process is a selected hash function and the using step comprises: applying the selected hash function to the unique device credential to generate a first hash ID value; storing the first hash ID value in a memory of the data storage device; and subsequently accessing the protected function of the data storage device by generating a second unique device credential responsive to application of the selected encryption algorithm and the secret cryptographic key to a second combined ID value obtained from a second set of ID values from the data storage device, applying the selected hash function to the second unique device credential to generate a second hash ID value, and comparing the second hash ID value to the first hash ID value stored in the memory of the data storage device.

3. The method of claim 2, wherein the selected hash function comprises a secure hash algorithm (SHA) function.

4. The method of claim 2, wherein the selected hash function comprises a selected hash function from a universal family of hash functions.

5. The method of claim 1, wherein the cryptographic process is a key derivation function (KDF) and the using step comprises: supplying the unique device credential to the data storage device for storage in a memory of the data storage device as a first unique device credential; requesting a multi-bit challenge value from the data storage device; using the unique device credential as a product key to encrypt the multi-bit challenge value using the second selected encryption algorithm to output an encrypted challenge value; and providing the encrypted challenge value to the data storage device.

6. The method of claim 5, wherein the data storage device authorizes access to the protected function by retrieving the first unique device credential from the memory of the data storage device, using the first unique device credential as an encryption key to encrypt the multi-bit challenge value to generate a second encrypted challenge value, and comparing the second encrypted challenge value to the encrypted challenge value provided to the data storage device.

7. The method of claim 5, wherein the data storage device authorizes access to the protected function by retrieving the first unique device credential from the memory of the data storage device, using the first unique device credential as decryption key to decrypt the encrypted challenge value provided to the data storage device to generate a second challenge value, and comparing the second challenge value to the challenge value requested from the data storage device.

8. The method of claim 1, wherein the protected function comprises at least a selected one of a diagnostic routine, specially configured data stored on the device, device firmware, control information, or security information associated with the data storage device.

9. The method of claim 1, wherein the plurality of unique ID values include at least a selected one of a model number, a serial number, a data capacity, a component serial number or a performance parameter of the data storage device.

10. The method of claim 1, wherein an agent device connected to the data storage device operates in an online verification mode in which the agent device obtains the ID values from the data storage device and communicates the same to a remote server over a network, in which the remote server returns a verification value to the agent device, and the agent device forwards the verification value to the agent device.

11. The method of claim 1, wherein an agent device connected to the data storage device operates in an offline verification mode in which the agent device obtains the ID values from the data storage device and communicates the same to a local smart card connected to the agent device, in which the smart card returns a verification value to the agent device, and the agent device forwards the verification value to the agent device.

12. A data storage device, comprising: a non-volatile main memory adapted to store user data from a host device; a local memory which stores an authentication value derived from a plurality of identification (ID) values associated with the data storage device; a controller adapted to transfer the user data from the main memory to the host device, the controller having a protected function associated with the main memory; and an access control module which uses the authentication value as an input to a selected cryptographic function to control access to the protected function.

13. The data storage device of claim 12, wherein the authentication value stored in the local memory is an output hash value from application of a selected hash function to a unique device credential derived by combining the plurality of ID values into a combined ID value and encrypting the combined ID value using a selected encryption algorithm and a secret symmetric encryption key, wherein the access control module controls access to the protected function by generating a second unique device credential responsive to application of the selected encryption algorithm and the secret symmetric encryption key to a second combined ID value obtained from a second set of ID values from the data storage device, applying the selected hash function to the second unique device credential to generate a second hash value, and comparing the second hash value to the output hash value stored in the local memory of the data storage device, wherein access to the protected function is granted by the access control module upon a match between the output hash value and the second hash value, and wherein access to the protected function is denied by the access control module upon a mis-match between the output hash value and the second hash value.

14. The data storage device of claim 12, wherein the authentication value stored in the local memory is a unique device credential derived by combining the plurality of ID values into a combined ID value and encrypting the combined ID value using a key derivation function (KDF) and a secret symmetrical encryption key, wherein the access control module controls access to the protected function by outputting a multi-bit challenge value responsive to a request therefor, receiving an encrypted multi-bit challenge value responsive to the output multi-bit challenge value, using the unique device credential as an input to an encryption engine of the access control block to either decrypt the received encrypted multi-bit challenge value to provide a decrypted challenge value or to encrypt the output multi-bit challenge value to provide a second encrypted challenge value, and using a comparison block of the access control block to either compare the decrypted challenge value to the output multi-bit challenge value or compare the received encrypted multi-bit challenge value to the second encrypted challenge value.

15. The data storage device of claim 12, wherein the protected function comprises at least a selected one of a diagnostic routine, specially configured data s
in storage media based on magnetic or optical technology, e.g. disks with sectors (preventing unauthorised reproduction or copying of disc-type recordable media G11B20/00) · CPC title
Program or device authentication · CPC title
Challenge-response · CPC title
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title
File encryption · CPC title