Method and apparatus for heterogeneous data storage management in cloud computing

US 10,581,856 B2
Filed: 01/19/2015
Issued: 03/03/2020
Est. Priority Date: 01/19/2015
Status: Active Grant

First Claim

Patent Images

1. An apparatus for managing data storage in a communication network, the apparatus comprising:

at least one processor; and

at least one memory including computer-executable code,wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;

receive from a first device, a request for storing a data in the apparatus;

check whether the same data has been stored in the apparatus;

in response to a check result that no same data has been stored in the apparatus, receive from the first device a data package comprising at least the data in plaintext or ciphertext, and the data package further comprising an index list and a hash chain information;

in response to a check result that the same data has been stored in the apparatus, obtain a deduplication policy for the data;

when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party and an owner of the data, or only the authorized party, or only the data owner, contact both or either of the authorized party and the data owner, or only the authorized party, or only the data owner to conduct deduplication for the data, wherein the contacting comprises the apparatus being caused torequest the first device to transmit a hash information corresponding to at least one index from the index list;

verify whether the first device holds the data based on the hash information from the first device corresponding to the requested at least one index; and

in response to a positive verification result, contact to conduct deduplication or record a deduplication information of the data for the first device; and

when the deduplication policy indicates deduplication to be controlled by none of the authorized party and the data owner, conduct deduplication for the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus are disclosed for heterogeneous data storage management in cloud computing. According to some embodiments, a method for managing data storage in a communication network comprises: receiving at a data center in the communication network from a first device, a request for storing a data in the data center; checking whether the same data has been stored in the data center; in response to a check result that no same data has been stored in the data center, receiving from the first device a data package containing at least the data in plaintext or ciphertext (CT) in response to a check result that the same data has been stored in the data center, obtaining a deduplication policy for the data; when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner, contacting both or either of the AP and the data owner, or only the AP, or only the data owner to conduct deduplication for the data; and when the deduplication policy indicates deduplication to be controlled by none of the AP and the data owner, conducting deduplication for the data at the data center. In some embodiments, the data package may contain or indicate the deduplication policy, and contain information for data holdership verification. The data center may challenge to ensure the data holdership before contacting to conduct deduplication or conducting deduplication at the data center.

Citations

20 Claims

1. An apparatus for managing data storage in a communication network, the apparatus comprising:
- at least one processor; and
  
  at least one memory including computer-executable code,wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;
  
  receive from a first device, a request for storing a data in the apparatus;
  
  check whether the same data has been stored in the apparatus;
  
  in response to a check result that no same data has been stored in the apparatus, receive from the first device a data package comprising at least the data in plaintext or ciphertext, and the data package further comprising an index list and a hash chain information;
  
  in response to a check result that the same data has been stored in the apparatus, obtain a deduplication policy for the data;
  
  when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party and an owner of the data, or only the authorized party, or only the data owner, contact both or either of the authorized party and the data owner, or only the authorized party, or only the data owner to conduct deduplication for the data, wherein the contacting comprises the apparatus being caused torequest the first device to transmit a hash information corresponding to at least one index from the index list;
  
  verify whether the first device holds the data based on the hash information from the first device corresponding to the requested at least one index; and
  
  in response to a positive verification result, contact to conduct deduplication or record a deduplication information of the data for the first device; and
  
  when the deduplication policy indicates deduplication to be controlled by none of the authorized party and the data owner, conduct deduplication for the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus according to claim 1, wherein the index list comprising a plurality of indexes each indicating a specific part of the data, the hash chain information comprising a plurality of hash information each corresponding to one index.
  - 3. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - read the deduplication policy stored in advance in the data center, or receive the deduplication policy from the data owner, or determine the deduplication policy according to the data package.
  - 4. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when the data package further contains a first cipherkey and a second cipherkey being not equal to each other, determine deduplication to be controlled by both of the authorized party and the data owner, the first and second cipherkeys being generated by separating a data encryption key into a first data encryption key and a second data encryption key and encrypting the first and second data encryption keys respectively, the data encryption key being used for encrypting the data to obtain the ciphertext;
      
      when the data package further contains the first and second cipherkeys being equal to each other, determine deduplication to be controlled by either of the authorized party or the data owner;
      
      when the data package further contains only the first cipherkey or only the second cipherkey, determine deduplication to be controlled by only the authorized party or only the data owner; and
      
      when the data package contains no cipherkey, determine deduplication to be controlled by none of the authorized party and the data owner.
  - 5. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive a re-encryption key from the authorized party when the authorized party is not available;
      
      re-encrypt the first cipherkey with the re-encryption key according to a proxy re-encryption scheme; and
      
      transmit the re-encrypted first cipherkey to the first device such that the first device can decrypt the re-encrypted first cipherkey with a secret key of the first device.
  - 6. The apparatus according to claim 5, further comprising:
    - in response to a request for updating the ciphertext of a data, obtain the deduplication policy for the data;
      
      when the deduplication policy indicates that authorized party deduplication control is needed, re-encrypt the updated first cipherkey with the re-encryption key according to a proxy re-encryption scheme; and
      
      transmit the re-encrypted updated first cipherkey to the first device such that the first device can decrypt the re-encrypted updated first cipherkey with a secret key of the first device;
      
      when the deduplication policy indicates that a deduplication control by the data owner is needed, informing the data owner the data identifier and the public key information of the data holder when necessary according to a attribute based encryption scheme in order to allow the data owner to perform data deduplication by issuing a secret key to the first device that can decrypt the updated second cipherkey.
  - 7. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit an attribute identity of the first device to the data owner such that the data owner can issue an attribute secret key for the first device when it is eligible to decrypt the second cipherkey according to an attribute based encryption scheme.
  - 8. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - in response to a check result that no same data has been stored in the apparatus, request at least one further data center to check whether the same data has been stored in it;
      
      in response to a positive reply from the at least one further data center, record a deduplication information of the data for the first device, wherein the at least one further data center is able to conduct deduplication for the data;
      
      in response to a negative reply from the at least one further data center, performing data storage accordingly.
  - 9. The apparatus according to claim 1, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive at the apparatus from a second device, a request for deleting a data;
      
      check whether the data is stored in the apparatus by the second device;
      
      in response to a positive check result, delete a record of storage of the data for the second device;
      
      delete the data when a deduplication record for the data is empty; and
      
      notify an owner of the data for updating the ciphertext when the deduplication record for the data is not empty; and
      
      in response to a negative check result, contact another data center that stores the data, wherein the another data center is able to delete a record of storage of the data for the second device.
  - 10. The apparatus according to claim 9, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - inquire whether the owner decides to continue deduplication control;
      
      in response to a positive decision, cooperate with the data owner to update the ciphertext according to the deduplication policy of the data;
      
      in response to a negative decision, request another holder of the data for updating the ciphertext, or cooperate with the data owner to update the ciphertext according to a new deduplication policy, the new deduplication policy indicating deduplication to be controlled by only the authorized party.

11. An apparatus for managing data storage in a user device, the apparatus comprising:
- at least one processor; and
  
  at least one memory including computer-executable code,wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;
  
  transmit a request for storing a data to a data center;
  
  in response to a request for the data from the data center, transmit a data package comprising at least the data in plaintext or ciphertext to the data center, and the data package further comprising an index list, and a hash chain information, wherein a deduplication policy for the data is contained in the data package or can be determined according to the data package, the deduplication policy indicating deduplication to be controlled by both or either or none of an authorized party and an owner of the data, or only the authorized party, or only the data owner;
  
  in response to receiving a deduplication request from the data center or at least one other data center, issuing an attribute secret key to an eligible data holder according to an attribute based encryption scheme for conducting deduplication; and
  
  when the deduplication policy indicates deduplication to be controlled by both of the authorized party and the data owner, transmit in the data package a first cipherkey and a second cipherkey being not equal to each other, the first and second cipherkeys being generated by separating a data encryption key into a first data encryption key and a second data encryption key and encrypting the first and second data encryption keys respectively, the data encryption key being used for encrypting the data to obtain the ciphertext.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus according to claim 11, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit in the data package the index list and the hash chain information for verifying holdership of the data for an eligible data holder, the index list comprising a plurality of indexes each indicating a specific part of the data, the hash chain information comprising a plurality of hash information each corresponding to one index.
  - 13. The apparatus according to claim 11, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for storing a second data to the data center;
      
      in response to a request for a hash information corresponding to at least one index from the data center, transmit a calculated hash information corresponding to the at least one index to the data center for verifying the holdership of the second data.
  - 14. The apparatus according to claim 13, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive a re-encrypted first cipherkey for the second data from the data center;
      
      decrypt the re-encrypted first cipherkey with a private key of the user device to obtain a first data encryption key;
      
      receive the attribute secret key from an owner of the second data, and receiving a second cipherkey for the second data from the owner of the second data or the data center;
      
      decrypt the second cipherkey with the attribute secret key to obtain the second data encryption key K;
      
      combine the first and second data encryption keys to obtain a third data encryption key for deduplication.
  - 15. The apparatus according to claim 11, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when the deduplication policy indicates deduplication to be controlled by either of the authorized party or the data owner, transmit in the data package the first and second cipherkeys being equal to each other;
      
      when the deduplication policy indicates deduplication to be controlled by only the authorized party or only the data owner, transmit in the data package only the first cipherkey or only the second cipherkey; and
      
      when the deduplication policy indicates deduplication to be controlled by none of the authorized party and the data owner, transmit the plaintext in the data package.
  - 16. The apparatus according to claim 15, wherein the first data encryption key is encrypted with a public key of the authorized party according to a proxy re-encryption scheme;
    - andwherein the second data encryption key is encrypted based on an access policy, the access policy containing user identities of users eligible for holding the data.
  - 17. The apparatus according to claim 11, wherein the deduplication request for the data contains a user identity information;
    - wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to;
      
      verify whether the user identity information represents a user eligible for holding the data; and
      
      in response to a positive verification result, generate the attribute secret key based on the user identity information.
  - 18. The apparatus according to claim 11, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for deleting a data to the data center;
      
      in response to a request for a hash information corresponding to at least one index from the data center, transmit a calculated hash information corresponding to the at least one index to the data center for verifying the holdership of the data;
      
      in response to a request to update the ciphertext from the data center or at least one further data center, update the ciphertext according to a deduplication policy of the data.
  - 19. The apparatus according to claim 18, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when continuous deduplication control is needed, update the ciphertext according to an original deduplication policy of the data; and
      
      when no continuous deduplication control is needed, update the ciphertext according to a new deduplication policy, the new deduplication policy indicating deduplication to be controlled by only the authorized party.
  - 20. The apparatus according to claim 11, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for updating a ciphertext of a data to the data center, wherein a deduplication policy for the data is contained in the request or can be determined according to the request, the deduplication policy indicating deduplication to be controlled by both or either of an authorized party and an owner of the data, or only the authorized party, or only the data owner or none;
      
      when the deduplication policy indicates that data owner deduplication control is needed, issue an attribute secret key to an eligible data holder according to an attribute based encryption scheme for conducting deduplication when the attribute secret key is not sent before.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Technologies Oy (Nokia Corporation)
Inventors
Yan, Zheng
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
Little, Vance M

Application Number

US15/542,952
Publication Number

US 20180034819A1
Time in Patent Office

1,870 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 67/10   in which an application is ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

Method and apparatus for heterogeneous data storage management in cloud computing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for heterogeneous data storage management in cloud computing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links