Multiple data center data security

US 10,021,075 B1
Filed: 06/23/2016
Issued: 07/10/2018
Est. Priority Date: 06/23/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of securely replicating backup data in a network having a production site and a plurality of remote sites, comprising:

generating in the production site a data encryption key, and in each remote site a respective key encryption key that are each sent to the production site;

encrypting in the production site a plurality of encrypted keys using the plurality of key encryption keys, with one encrypted key per remote site;

transmitting to each remote site the encrypted keys for the other remote sites and not a remote site'"'"'s own encrypted key;

encrypting, in the production site, the backup data to create a plurality of encrypted data blocks using the data encryption key;

designating, in the event of a defined condition, a selected remote site to become the new production site; and

receiving in the new production site from a remaining remote site a key encryption key generated by the remaining remote site to enable the new production site to decrypt the data encryption key and use the decrypted data encryption key to decrypt the encrypted data blocks.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Securely replicating backup data in a network having a production site and a plurality of remote sites by generating in the production site a data encryption key, and in each remote site a respective key encryption key that are sent to the production site; encrypting a plurality of encrypted keys using the plurality of key encryption keys with one encrypted key per remote site, and transmitting to each remote site the encrypted keys for the other remote sites and not a remote site'"'"'s own encrypted key; encrypting the data to create encrypted data blocks using the data encryption key; designating a selected remote site to become the new production site if the production site fails; and receiving in the new production site from a remaining remote site a key encryption key generated by the remaining remote site to enable the new production site to decrypt the data encryption key and use the decrypted data encryption key to decrypt the encrypted data blocks.

17 Citations

View as Search Results

18 Claims

1. A computer-implemented method of securely replicating backup data in a network having a production site and a plurality of remote sites, comprising:
- generating in the production site a data encryption key, and in each remote site a respective key encryption key that are each sent to the production site;
  
  encrypting in the production site a plurality of encrypted keys using the plurality of key encryption keys, with one encrypted key per remote site;
  
  transmitting to each remote site the encrypted keys for the other remote sites and not a remote site'"'"'s own encrypted key;
  
  encrypting, in the production site, the backup data to create a plurality of encrypted data blocks using the data encryption key;
  
  designating, in the event of a defined condition, a selected remote site to become the new production site; and
  
  receiving in the new production site from a remaining remote site a key encryption key generated by the remaining remote site to enable the new production site to decrypt the data encryption key and use the decrypted data encryption key to decrypt the encrypted data blocks.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the production site and remote sites each comprise large-scale data centers, and wherein the defined condition comprises one of a failure of the production site, periodic disaster recovery testing, or repurposing the data.
  - 3. The method of claim 2 wherein the data centers comprise large capacity storage arrays and components that implement disaster recovery rules to be used in event of the defined condition.
  - 4. The method of claim 3 further comprising implementing the backup data replication as part of a disaster recovery process in a continuous availability network.
  - 5. The method of claim 1 wherein the encrypting is performed using an RSA encryption algorithm.
  - 6. The method of claim 1 wherein the transmitting is performed using a public key exchange process.

7. A computer-implemented method of requiring access to at least three remote sites to recover data in a network, comprising:
- generating at each remote site S_i, a respective key encryption key, k_n;
  
  transmitting each key encryption key to a production site using public key system, wherein the production site S₀selects a data encryption key k₀;
  
  encrypting k₀using two encryption keys in multiple combinations to create encrypted keys C_ij;
  
  transmitting to each remote site S₀only encrypted keys;
  
  C_ij=f_ki(f_kj(k₀)) i=1 . . . N−
  
  1, j=i+1 . . . N as long as i≠
  
  n and j≠
  
  n;
  
  encrypting each clear data block to create an encrypted data block E; and
  
  replicating E to all the remote sites, such that E=f_k0(D) so that in the event of occurrence of a defined condition, any remote site can become a new production site.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the defined condition comprises one of a failure of the production site, periodic disaster recovery testing, or repurposing the data, the method further comprising, in the event of the defined condition:
    - receiving at the new production site from two of the other remote sites their respective keys k_iand k_j;
      
      using k_iand k_jto decrypt k₀; and
      
      using k₀to decipher the encrypted text E.
  - 9. The method of claim 8 wherein n is any integer from 1 to a selected number N.
  - 10. The method of claim 8 wherein the production site and remote sites each comprise large-scale data centers.
  - 11. The method of claim 10 wherein the data centers comprise large capacity storage arrays and components that implement disaster recovery rules to be used in event of failure of the production site.
  - 12. The method of claim 11 further comprising implementing the backup data replication as part of a disaster recovery process in a continuous availability network.

13. A system configured to securely replicate backup data in a network having a production site and a plurality of remote sites, comprising:
- a remote site component generating in each remote site a respective key encryption key that are sent to the production site;
  
  a production site component generating a data encryption key and encrypting a plurality of encrypted keys using the plurality of key encryption keys, with one encrypted key per remote site;
  
  a transmission component transmitting to each remote site the encrypted keys for the other remote sites and not a remote site'"'"'s own encrypted key;
  
  a backup component encrypting the data to create a plurality of encrypted data blocks using the data encryption key;
  
  a disaster recovery component designating, in the event of a defined condition, a selected remote site to become the new production site, and receiving in the new production site from a remaining remote site a key encryption key generated by the remaining remote site to enable the new production site to decrypt the data encryption key and use the decrypted data encryption key to decrypt the encrypted data blocks.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13 wherein the production site and remote sites each comprise large-scale data centers, and wherein the defined condition comprises one of a failure of the production site, periodic disaster recovery testing, or repurposing the data.
  - 15. The system of claim 14 wherein the data centers comprise large capacity storage arrays and components that implement disaster recovery rules to be used in event of failure of the production site.
  - 16. The system of claim 15 further comprising implementing the backup data replication as part of a disaster recovery process in a continuous availability network.
  - 17. The system of claim 13 wherein the encryption component executes one or more RSA encryption algorithms.
  - 18. The system of claim 13 wherein the transmission component comprises utilizes a public key exchange process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Saad, Yossef
Primary Examiner(s)
Bonzo, Bryce P
Assistant Examiner(s)
Arcos, Jeison C

Application Number

US15/191,361
Time in Patent Office

747 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1471   involving logging of persis...

G06F 11/2028   eliminating a faulty proces...

G06F 11/2041   with more than one idle spa...

G06F 11/2097   maintaining the standby con...

G06F 2201/805   Real-time

G06F 2201/84   Using snapshots, i.e. a log...

G06F 2201/85   Active fault masking withou...

H04L 63/0428   wherein the data content is...

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Multiple data center data security

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple data center data security

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links