Simultaneous state-based cryptographic splitting in a secure storage appliance

US 10,007,807 B2
Filed: 12/30/2008
Issued: 06/26/2018
Est. Priority Date: 12/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method of managing input/output (I/O) requests in a secure storage appliance, the method including:

receiving a plurality of I/O requests at the secure storage appliance, each I/O request associated with a primary block of data and a volume, each volume associated with a plurality of primary data blocks, the volume being mapped to a specific subset of a plurality of physical storage devices, and the volume including a metadata store, wherein the plurality of I/O requests are thereby processed concurrently;

storing a plurality of primary blocks of data in buffers of the secure storage appliance, each of the primary blocks of data associated with one or more of the plurality of I/O requests, wherein at least one of the buffers is a direct buffer;

associating a state with each of the primary blocks of data, the state selected from a plurality of states associated with processing of an I/O request;

determining an availability of a resource in the secure storage appliance, the resource used to process an I/O request of a buffer; and

upon determining that the resource is available, applying the resource to a primary block of data in the buffer and updating the state associated with the primary block of data;

wherein the volume is presented as a single virtual disk to clients;

wherein the resource includes a parser driver configured to perform a cryptographic splitting operation on the primary block of data to generate a plurality of secondary data blocks;

wherein the metadata store includes share and key information defining volumes, virtual disks and client access rights, to either process or reroute requests assigned to the failed device;

wherein after cryptographically splitting the primary block of data into the plurality of secondary data blocks, each secondary data block is encrypted with a different session key, each secondary data block is included in a stripe of dataset;

wherein each stripe of dataset further includes a share label, the share label is in plain text; and

wherein each stripe of data further includes a signature identifying physical device that the stripe is stored, each stripe of data includes a header information, each stripe of data includes a virtual disk information, the signature, the header information, and the virtual disk information are encrypted with a same community of interest key.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for managing I/O requests in a secure storage appliance are disclosed. One method includes receiving a plurality of I/O requests at the secure storage appliance, each I/O request associated with a block of data and a volume, each volume associated with a plurality of shares stored on a plurality of physical storage devices. The method further includes storing a plurality of blocks of data in buffers of the secure storage appliance, each of the blocks of data associated with one or more of the plurality of I/O requests. The method also includes associating a state with each of the blocks of data, the state selected from a plurality of states associated with processing of an I/O request. The method includes determining the availability of a resource in the secure storage appliance, the resource used to process an I/O request of a buffer, and, upon determining that the resource is available, applying the resource to a block of data in the buffer and updating the state associated with the block of data.

22 Citations

View as Search Results

15 Claims

1. A method of managing input/output (I/O) requests in a secure storage appliance, the method including:
- receiving a plurality of I/O requests at the secure storage appliance, each I/O request associated with a primary block of data and a volume, each volume associated with a plurality of primary data blocks, the volume being mapped to a specific subset of a plurality of physical storage devices, and the volume including a metadata store, wherein the plurality of I/O requests are thereby processed concurrently;
  
  storing a plurality of primary blocks of data in buffers of the secure storage appliance, each of the primary blocks of data associated with one or more of the plurality of I/O requests, wherein at least one of the buffers is a direct buffer;
  
  associating a state with each of the primary blocks of data, the state selected from a plurality of states associated with processing of an I/O request;
  
  determining an availability of a resource in the secure storage appliance, the resource used to process an I/O request of a buffer; and
  
  upon determining that the resource is available, applying the resource to a primary block of data in the buffer and updating the state associated with the primary block of data;
  
  wherein the volume is presented as a single virtual disk to clients;
  
  wherein the resource includes a parser driver configured to perform a cryptographic splitting operation on the primary block of data to generate a plurality of secondary data blocks;
  
  wherein the metadata store includes share and key information defining volumes, virtual disks and client access rights, to either process or reroute requests assigned to the failed device;
  
  wherein after cryptographically splitting the primary block of data into the plurality of secondary data blocks, each secondary data block is encrypted with a different session key, each secondary data block is included in a stripe of dataset;
  
  wherein each stripe of dataset further includes a share label, the share label is in plain text; and
  
  wherein each stripe of data further includes a signature identifying physical device that the stripe is stored, each stripe of data includes a header information, each stripe of data includes a virtual disk information, the signature, the header information, and the virtual disk information are encrypted with a same community of interest key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the resource includes a storage resource configured to write the plurality of secondary data blocks to shares associated with the volume.
  - 3. The method of claim 1, wherein the resource includes a parser driver configured to perform a reconstitution operation on a plurality of secondary data blocks to form the primary block of data.
  - 4. The method of claim 1, wherein the plurality of states includes at least one of a read state, a decode state, an idle state, a transfer state, an encode state, or a write state.
  - 5. The method of claim 1, wherein the primary block of data is received from a client device.
  - 6. The method of claim 1, wherein the resource includes an entry in an outstanding write list.
  - 7. The method of claim 1, further comprising, after processing the I/O request using the resource, releasing the buffer.
  - 8. The method of claim 1, further comprising receiving a plurality of I/O requests related to a primary block of data.
  - 9. The method of claim 1, further comprising, upon detecting changed data in a buffer, marking the buffer to be written to a plurality of shares of the volume.
  - 10. The method of claim 9, wherein the primary block of data in the buffer relates to a read I/O request and a write I/O request.

11. A secure storage appliance comprising:
- a plurality of buffers;
  
  a plurality of resources useable in processing input/output (I/O) requests;
  
  a programmable circuit configured to execute program instructions to;
  
  receive a plurality of I/O requests at the secure storage appliance, each I/O request associated with a primary block of data and a volume, each volume associated with a plurality of primary data blocks, the volume being mapped to a specific subset of a plurality of physical storage devices, and the volume including a metadata store, wherein the plurality of I/O requests are thereby processed concurrently;
  
  store a plurality of primary blocks of data in buffers from among the plurality of buffers, each of the primary blocks of data associated with one or more of the plurality of I/O requests, wherein at least one of the buffers is a direct buffer;
  
  associate a state with each of the primary blocks of data, the state selected from a plurality of states associated with processing of an I/O request;
  
  determine an availability of a resource from among the plurality of resources; and
  
  apply the resource to a primary block of data in a buffer and updating the state associated with the primary block of data upon determining that the resource is available;
  
  wherein the volume is presented as a virtual disk to clients;
  
  wherein the resource includes a parser driver configured to perform a cryptographic splitting operation on the primary block of data to generate a plurality of secondary data blocks;
  
  wherein the metadata store includes share and key information defining volumes, virtual disks and client access rights, to either process or reroute requests assigned to the failed device;
  
  wherein after cryptographically splitting the primary block of data into the plurality of secondary data blocks, each secondary data block is encrypted with a different session key, each secondary data block is included in a stripe of dataset;
  
  wherein each stripe of dataset further includes a share label, the share label is in plain text; and
  
  wherein each stripe of data further includes a signature identifying physical device that the stripe is stored, each stripe of data includes a header information, each stripe of data includes a virtual disk information, the signature, the header information, and the virtual disk information are encrypted with a same community of interest key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The secure storage appliance of claim 11, wherein the plurality of resources includes a parser driver configured to perform a reconstitution operation on a plurality of secondary data blocks to form the primary block of data.
  - 13. The secure storage appliance of claim 11, wherein the plurality of states includes at least one of a read state, a decode state, an idle state, a transfer state, an encode state, or a write state.
  - 14. The secure storage appliance of claim 11, wherein the plurality of resources includes at least one resource selected from the group consisting of:
    - a parser driver;
      
      a host bus adapter port; and
      
      an entry in an outstanding write list.
  - 15. The secure storage appliance of claim 11, wherein the programmable circuit is programmed to receive a plurality of I/O requests related to the primary block of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Summers, Scott, French, Albert
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US12/346,561
Publication Number

US 20100169661A1
Time in Patent Office

3,465 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 11/1456   Hardware arrangements for b...

G06F 21/72   in cryptographic circuits

G06F 21/80   in storage media based on m...

G06F 21/85   interconnection devices, e....

G06F 2201/815   Virtual middleware or OS fu...

H04L 63/0428   wherein the data content is...

H04L 67/1097   for distributed storage of ...

Simultaneous state-based cryptographic splitting in a secure storage appliance

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Simultaneous state-based cryptographic splitting in a secure storage appliance

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links