Content aware hierarchical encryption for secure storage systems

US 10,223,544 B1
Filed: 07/28/2016
Issued: 03/05/2019
Est. Priority Date: 03/28/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for accessing data objects of a storage system, the method comprising:

in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;

traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and

transmitting decrypted data associated with the plurality of nodes to the client.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, in response to a request received from a client for retrieving a data object stored in a storage system, a root key is obtained from the request. The data object is represented by metadata in a hierarchical structure having a plurality of levels. Each level includes a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node. The hierarchical structure of metadata associated with the data object is traversed in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key. Decrypted data associated with the plurality of nodes is transmitted to the client.

10 Citations

View as Search Results

21 Claims

1. A computer-implemented method for accessing data objects of a storage system, the method comprising:
- in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;
  
  traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and
  
  transmitting decrypted data associated with the plurality of nodes to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein each leaf node of the hierarchical structure represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes.
  - 3. The method of claim 1, further comprising:
    - for a given first node as a parent node to one or more second nodes as child nodes, decrypting the first node using a first key associated with the first node to reveal one or more second keys corresponding to the one or more second nodes, respectively; and
      
      decrypting, using the second keys, the one or more second nodes, to reveal content of the one or more second nodes.
  - 4. The method of claim 1, wherein the one or more second keys are derived from fingerprints of the one or more second nodes, respectively.
  - 5. The method of claim 1, wherein the root key is provided by a user who initiated encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 6. The method of claim 1, wherein a child key encrypting content of a child node is stored in a parent node that references the child node.
  - 7. The method of claim 6, wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node.

8. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations of accessing data objects of a storage system, the operations comprising:
- in response to a request received from a client for retrieving a data object stored in a storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node;
  
  traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key; and
  
  transmitting decrypted data associated with the plurality of nodes to the client.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The machine-readable medium of claim 8, wherein each leaf node of the hierarchical structure represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes.
  - 10. The machine-readable medium of claim 8, wherein the operations further comprise:
    - for a given first node as a parent node to one or more second nodes as child nodes, decrypting the first node using a first key associated with the first node to reveal one or more second keys corresponding to the one or more second nodes, respectively; and
      
      decrypting, using the second keys, the one or more second nodes, to reveal content of the one or more second nodes.
  - 11. The machine-readable medium of claim 8, wherein the one or more second keys are derived from fingerprints of the one or more second nodes, respectively.
  - 12. The machine-readable medium of claim 8, wherein the root key is provided by a user who initiated encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 13. The machine-readable medium of claim 8, wherein a child key encrypting content of a child node is stored in a parent node that references the child node.
  - 14. The machine-readable medium of claim 13, wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node.

15. A storage system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to perform operations of accessing data objects, the operations including in response to a request received from a client for retrieving a data object stored in the storage system, obtaining a root key from the request, the data object being represented by metadata in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, wherein each intermediate node or leaf node is encrypted using an encryption key, wherein the encryption key is stored together with content of a parent node, and is further encrypted together with the content of the parent node by a parent key of the parent node,traversing the hierarchical structure of metadata associated with the data object in a top-down approach to decrypt each of a plurality of nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes, including decrypting the root node using the root key, andtransmitting decrypted data associated with the plurality of nodes to the client.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein each leaf node of the hierarchical structure represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes.
  - 17. The system of claim 15, wherein the operations further comprise:
    - for a given first node as a parent node to one or more second nodes as child nodes, decrypting the first node using a first key associated with the first node to reveal one or more second keys corresponding to the one or more second nodes, respectively; and
      
      decrypting, using the second keys, the one or more second nodes, to reveal content of the one or more second nodes.
  - 18. The system of claim 15, wherein the one or more second keys are derived from fingerprints of the one or more second nodes, respectively.
  - 19. The system of claim 15, wherein the root key is provided by a user who initiated encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 20. The system of claim 15, wherein a child key encrypting content of a child node is stored in a parent node that references the child node.
  - 21. The system of claim 20, wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Pogde, Prashant, Botelho, Fabiano C., Garg, Nitin
Primary Examiner(s)
Henderson, Esther B.

Application Number

US15/222,435
Time in Patent Office

950 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 2209/60   Digital content management,...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Content aware hierarchical encryption for secure storage systems

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Content aware hierarchical encryption for secure storage systems

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others