Filekey access to data

US 10,430,599 B1
Filed: 06/30/2014
Issued: 10/01/2019
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for performing an operation for data objects associated with an owner in a computing system, the method comprising:

generating a key from an unencrypted data object during the operation;

encrypting the unencrypted data object with the key to generate an encrypted data object;

generating a fingerprint of the encrypted data object;

encrypting the key with different access keys to generate access codes, wherein each of the access keys is a private key that that is associated a different public key, wherein each access code corresponds to one of the access keys and wherein the access codes are each associated with a different user and wherein the access codes are different and are configured to allow the owner of the data object to control which users associated with the owner are allowed to access the data object on an individual user basis, wherein the access codes are associated with the fingerprint and allow the encrypted data object to be accessed using the access code to be identified;

storing the encrypted data objects in a tree-type structure that includes multiple levels of blocks, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include encrypted keys needed to unlock lower levels and fingerprints, wherein each of the access codes allow a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, wherein each of the data objects is associated with a different key; and

allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for backing up data are provided. Data objects or blocks of data can be encrypted with individualized keys. The keys are generated from the unencrypted data objects or blocks. The encrypted data objects or blocks and fingerprints of the encrypted data objects or blocks can be uploaded to a datacenter. Even though the data objects or blocks are encrypted, deduplication can be performed by the datacenter or before the data object is uploaded to the datacenter. In addition, access can be controlled by encrypting the key used to encrypt the data object with access keys to generate one or more access codes. The key to decrypt the encrypted data object is obtained by decrypting the access code.

Citations

18 Claims

1. A method for performing an operation for data objects associated with an owner in a computing system, the method comprising:
- generating a key from an unencrypted data object during the operation;
  
  encrypting the unencrypted data object with the key to generate an encrypted data object;
  
  generating a fingerprint of the encrypted data object;
  
  encrypting the key with different access keys to generate access codes, wherein each of the access keys is a private key that that is associated a different public key, wherein each access code corresponds to one of the access keys and wherein the access codes are each associated with a different user and wherein the access codes are different and are configured to allow the owner of the data object to control which users associated with the owner are allowed to access the data object on an individual user basis, wherein the access codes are associated with the fingerprint and allow the encrypted data object to be accessed using the access code to be identified;
  
  storing the encrypted data objects in a tree-type structure that includes multiple levels of blocks, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include encrypted keys needed to unlock lower levels and fingerprints, wherein each of the access codes allow a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, wherein each of the data objects is associated with a different key; and
  
  allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the key and the fingerprint are generated deterministically.
  - 3. The method of claim 2, wherein the fingerprint comprises a message digest.
  - 4. The method of claim 1, further comprising deduplicating the data object based on the fingerprint.
  - 5. The method of claim 1, further comprising uploading the encrypted data object and the fingerprint to a datacenter.
  - 6. The method of claim 5, further comprising uploading the access codes to the datacenter, wherein the access codes and the fingerprint are stored in metadata nodes and the encrypted data object is stored in data nodes.
  - 7. The method of claim 1, wherein patch objects for a previously uploaded data object are encrypted with the key used to encrypt the data object.

8. A method for uploading data associated with an owner, the method comprising:
- encrypting a plurality of data objects with different keys, wherein each key is deterministically derived from a corresponding data object and wherein each of the data objects is associated with a different key;
  
  determining a plurality of fingerprints deterministically from the encrypted data objects;
  
  generating one or more access codes using a different access key for each access code, wherein each of the access keys is a private key that that is associated a different public key, wherein each access code corresponds to a different encrypted key and wherein each of the access codes is different from the others and corresponds to a different user, wherein the access codes allow the owner of the data objects to control which of the data objects can be accessed by the different users associated with the owner on an individual basis;
  
  uploading the encrypted data objects, the one or more access codes and the fingerprints to a datacenter, wherein access to an encrypted data object is achieved by decrypting one of the access codes associated with the encrypted data object to obtain the corresponding key, wherein the datacenter is unable to view the unencrypted data objects in the clear;
  
  encrypting updates to the plurality of data objects with the same keys used to encrypt the plurality of data objects, wherein the access codes can be used to access the updates to the plurality of data objects, wherein the updates comprise data objects that include changes to the plurality of data objects;
  
  storing the encrypted data objects in a tree-type structure that includes multiple levels, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include encrypted keys needed to unlock lower levels and a fingerprints, wherein each of the access codes allows a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, wherein each of the data objects is associated with a different key; and
  
  allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further comprising preventing a duplicate data object from being uploaded based on a comparison of the fingerprint with fingerprints stored in the datacenter.
  - 10. The method of claim 8, wherein the keys are symmetric and wherein the access codes are generated using other access keys that include public/private key pairs.
  - 11. The method of claim 8, wherein the access codes are layered and at least two access keys are needed to obtain the key to one of the encrypted data objects.

12. A non-transitory computer readable medium that includes computer readable instructions that, when executed by a processor, perform a method for uploading data objects associated with an owner, the method including:
- generating a key from an unencrypted data object being uploaded during an operation;
  
  encrypting the unencrypted data object with the key to generate an encrypted data object;
  
  generating a fingerprint of the encrypted data object;
  
  encrypting the key with one or more different access keys to generate one or more different access codes, wherein each of the one or more different access keys is a private key that that is associated a different public key, wherein the access codes are each associated with a different user and wherein the access codes are all different from each other and are configured to allow the owner of the data object to control which users associated with the owner are allowed to access the data object on an individual user basis;
  
  controlling access to the unencrypted data object based on the access codes, wherein only users having both one of the access codes and a corresponding access key are able to decrypt the key necessary to decrypt the encrypted data object;
  
  generating a new key for an update to the unencrypted data object being uploaded during a subsequent operation, wherein the same access keys are used to encrypt the new key and result in new access codes, wherein accessing the updates and the unencrypted data object requires the access codes and the new access codes;
  
  storing the encrypted data objects in a tree-type structure that includes multiple levels, wherein higher levels of the tree-type structure point to lower levels of the tree-type structure, wherein the higher levels include encrypted keys needed to unlock lower levels and fingerprints or data objects, wherein a lowest level includes data blocks of at least the data object, wherein each of the access codes allow a chain of blocks in the tree-type structure to be decrypted, wherein each block in the chain is encrypted with a different key and, as each block in the chain is decrypted, the key to decrypt the next block in the chain is obtained, wherein each of the data objects is associated with a different key; and
  
  allowing a group that is separate from the owner access to at least one of the data objects by generating an access code using a public key associated with the group, wherein members of the group access the at least one of the data objects using a private key associated with the group.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer readable medium of claim 12, wherein the key and the fingerprint are generated deterministically.
  - 14. The non-transitory computer readable medium of claim 13, wherein the fingerprint comprises a message digest.
  - 15. The non-transitory computer readable medium of claim 12, the method further comprising deduplicating the data object based on the fingerprint.
  - 16. The non-transitory computer readable medium of claim 12, the method further comprising uploading the encrypted data object, the access codes and the fingerprint to a datacenter.
  - 17. The non-transitory computer readable medium of claim 16, wherein the access codes and the fingerprint are stored in metadata nodes and the encrypted data object is stored in data nodes.
  - 18. The non-transitory computer readable medium of claim 12, wherein patch objects for a previously uploaded data object are encrypted with the key generated from the unencrypted data object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Whitmer, Ray D., Anderson, David S.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Mohammadi, Fahimeh

Application Number

US14/319,998
Time in Patent Office

1,919 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/152   using file content signatur...

G06F 16/174   Redundancy elimination perf...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/50   using hash chains, e.g. blo...

Filekey access to data

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Filekey access to data

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links