Storing and retrieving ciphertext in data storage

US 10,374,807 B2
Filed: 04/04/2014
Issued: 08/06/2019
Est. Priority Date: 04/04/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor; and

a non-transitory storage medium storing data storage instructions and data retrieval instructions, the data storage instructions executable on the processor to;

compute a first ciphertext value for a first data chunk to be saved to a storage system, the first ciphertext value computed based on encrypting information of the first data chunk using, as an initial value for encryption, an encrypted chunk hash value associated with the first data chunk, the encrypted chunk hash value encrypted using an encryption key, the computing of the first ciphertext value responsive to an indication provided as part of deduplicating ciphertext values corresponding to data chunks to be stored by a storage operation to the storage system, wherein the indication is responsive to a determination that the encrypted chunk hash value associated with the first data chunk is not stored in an index, and the deduplicating of ciphertext values avoids storing a redundant ciphertext value in the storage system in response to a determination that an encrypted chunk hash value associated with a given data chunk is stored in the index; and

provide the first ciphertext value to a server for storage in the storage system, and provide the encrypted chunk hash value for storage in the index; and

the data retrieval instructions executable on the processor to;

in response to a request from a client for the first data chunk;

receive the encrypted chunk hash value associated with the first data chunk from the index;

decrypt the first ciphertext value for the first data chunk using the received encrypted chunk hash value;

decrypt the received encrypted chunk hash value to produce a decrypted chunk hash value;

determine, using the decrypted chunk hash value, whether the decrypted first ciphertext value corresponds to the first data chunk; and

accept or reject the decrypted first ciphertext value based on the determining.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Storing and retrieving ciphertext in data storage can include determining a first ciphertext value for a first data chunk to be saved to a client-server data storage system using an encrypted chunk hash value associated with the first data chunk as an initial value, and storing the first data chunk on a server in the client-server data storage system in response to determining that the first ciphertext value is a unique ciphertext value. Also, storing and retrieving ciphertext in data storage can include decrypting a ciphertext value for a second data chunk received from a client in the client-server data storage system and based on an encrypted chunk hash value associated with the second data chunk, and sending the second data chunk to the client in response to determining that the decrypted ciphertext value corresponds to an original data chunk saved to the server by the client.

41 Citations

View as Search Results

16 Claims

1. A system, comprising:
- a processor; and
  
  a non-transitory storage medium storing data storage instructions and data retrieval instructions, the data storage instructions executable on the processor to;
  
  compute a first ciphertext value for a first data chunk to be saved to a storage system, the first ciphertext value computed based on encrypting information of the first data chunk using, as an initial value for encryption, an encrypted chunk hash value associated with the first data chunk, the encrypted chunk hash value encrypted using an encryption key, the computing of the first ciphertext value responsive to an indication provided as part of deduplicating ciphertext values corresponding to data chunks to be stored by a storage operation to the storage system, wherein the indication is responsive to a determination that the encrypted chunk hash value associated with the first data chunk is not stored in an index, and the deduplicating of ciphertext values avoids storing a redundant ciphertext value in the storage system in response to a determination that an encrypted chunk hash value associated with a given data chunk is stored in the index; and
  
  provide the first ciphertext value to a server for storage in the storage system, and provide the encrypted chunk hash value for storage in the index; and
  
  the data retrieval instructions executable on the processor to;
  
  in response to a request from a client for the first data chunk;
  
  receive the encrypted chunk hash value associated with the first data chunk from the index;
  
  decrypt the first ciphertext value for the first data chunk using the received encrypted chunk hash value;
  
  decrypt the received encrypted chunk hash value to produce a decrypted chunk hash value;
  
  determine, using the decrypted chunk hash value, whether the decrypted first ciphertext value corresponds to the first data chunk; and
  
  accept or reject the decrypted first ciphertext value based on the determining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the data storage instructions are executable on the processor to compute the first ciphertext value using a concatenation of a second ciphertext value for the first data chunk and a message authentication code (MAC) value for the first data chunk.
  - 3. The system of claim 1, wherein, to determine that the decrypted first ciphertext value corresponds to the first data chunk, the data retrieval instructions are executable on the processor to determine that a hash of the decrypted first ciphertext value is the same as the decrypted chunk hash value.
  - 4. The system of claim 1, wherein the data retrieval instructions are executable on the processor to determine a first message authentication code (MAC) value for the first data chunk using an encryption key for a MAC operation and a concatenation of the encrypted chunk hash value and the first ciphertext value.
  - 5. The system of claim 4, wherein to determine that the decrypted first ciphertext value corresponds to the first data chunk, the data retrieval instructions are executable on the processor to determine whether the first MAC value is the same as a second MAC value determined based on the first data chunk.
  - 6. The system of claim 1, wherein, in response to receiving the request for the first data chunk, the data retrieval instructions are executable on the processor to identify, from the index comprising encrypted chunk hash values for respective data chunks, the encrypted chunk hash value associated with the first data chunk.
  - 7. The system of claim 1, wherein, in response to receiving the request for the first data chunk, the data retrieval instructions are executable on the processor to identify the first ciphertext value for the first data chunk from a list of encrypted data chunks, and return the identified first ciphertext value to the client.
  - 8. The system of claim 1, wherein the data storage instructions are executable on the processor to:
    - create a manifest as part of the storage operation to store the data chunks to the storage system, the manifest comprising encrypted chunk hash values corresponding to the data chunks.
  - 9. The system of claim 1, wherein the data storage instructions are executable on the processor to cause, as part of the storage operation, storing of at least a subset of ciphertext values corresponding to the data chunks in the storage system.
  - 10. The system of claim 1, wherein the first ciphertext value is computed by an encryption of the first data chunk using the encrypted chunk hash value associated with the first data chunk and at least a portion of the encryption key.
  - 11. The system of claim 1, wherein the encrypted chunk hash value associated with the first data chunk is based on encrypting a hash value using the encryption key, and the hash value is based on hashing the first data chunk.

12. A non-transitory computer readable medium storing instructions executable by a processing resource to cause a computer to:
- cause storage of ciphertext values for data chunks in a storage system that performs deduplication of the ciphertext values using an index comprising encrypted chunk hash values for respective data chunks;
  
  calculate a first decryption value for a first data chunk in the storage system using an encryption key, an encrypted chunk hash value as an initial value for decryption, and a ciphertext associated with the first data chunk, the encrypted chunk hash value associated with the first data chunk and based on encryption of a hash value using an encryption key;
  
  calculate a second decryption value by decrypting the encrypted chunk hash value using the encryption key;
  
  calculate a hash of the first decryption value to produce a calculated hash value; and
  
  determine whether to accept or reject the first decryption value as equivalent to the first data chunk, based on comparing the calculated hash value and the second decryption value,wherein the instructions to cause the computer to, as part of the deduplication;
  
  determine whether the encrypted chunk hash value associated with the first data chunk is stored in the index;
  
  in response to determining that the encrypted chunk hash value associated with the first data chunk is not stored in the index;
  
  compute the ciphertext associated with the first data chunk by encrypting information of the first data chunk using as an initial value for encryption the encrypted chunk hash value; and
  
  store the ciphertext associated with the first data chunk in the storage system.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory computer readable medium of claim 12, wherein the instructions are executable to calculate a respective first decryption value for each of a plurality of data chunks in a data stream.
  - 14. The non-transitory computer readable medium of claim 12, wherein determining that the encrypted chunk hash value associated with the first data chunk is not stored in the index comprises a determination that the ciphertext associated with the first data chunk is not already stored in the storage system.
  - 15. The non-transitory computer readable medium of claim 12, wherein the ciphertext is computed by an encryption of the first data chunk using the initial value for decryption and at least a portion of the encryption key.

16. A method executed by a system comprising a hardware processor, comprising:
- computing a first ciphertext value for a first data chunk to be saved to a storage system, the first ciphertext value computed based on encrypting information of the first data chunk using, as an initial value for encryption, an encrypted chunk hash value associated with the first data chunk, the encrypted chunk hash value encrypted using an encryption key, the computing of the first ciphertext value responsive to an indication provided as part of deduplicating ciphertext values corresponding to data chunks to be stored by a storage operation to the storage system, wherein the indication is responsive to a determination that the encrypted chunk hash value associated with the first data chunk is not stored in an index, and the deduplicating of ciphertext values avoids storing a redundant ciphertext value in the storage system in response to a determination that an encrypted chunk hash value associated with a given data chunk is stored in the index; and
  
  providing the first ciphertext value to a server for storage in the storage system, and providing the encrypted chunk hash value for storage in the index;
  
  in response to a request from a client for the first data chunk;
  
  receiving the encrypted chunk hash value associated with the first data chunk from the index;
  
  decrypting the first ciphertext value for the first data chunk using the received encrypted chunk hash value;
  
  decrypting the received encrypted chunk hash value to produce a decrypted chunk hash value;
  
  determining, using the decrypted chunk hash value, whether the decrypted first ciphertext value corresponds to the first data chunk; and
  
  accepting or rejecting the decrypted first ciphertext value based on the determining.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Chen, Liqun, Camble, Peter T., Buckingham, Jonathan P., Pelly, Simon, Shiu, Simon Kai-Ying, Ficara, Joseph S., Radon, Hendrik
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Le, Canh

Application Number

US15/114,921
Publication Number

US 20160344553A1
Time in Patent Office

1,950 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1453   using de-duplication of the...

G06F 16/2365   Ensuring data consistency a...

G06F 16/278   Data partitioning, e.g. hor...

G06F 21/602   Providing cryptographic fac...

G06F 21/79   in semiconductor storage me...

G06F 2201/83   the solution involving sign...

G06F 2221/2107   File encryption

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3242   involving keyed hash functi...

Storing and retrieving ciphertext in data storage

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Storing and retrieving ciphertext in data storage

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links