Distributed security architecture for storage area networks

US 20030084290A1
Filed: 10/11/2002
Published: 05/01/2003
Est. Priority Date: 10/12/2001
Status: Abandoned Application

First Claim

Patent Images

1. A host-side encryption module for installation on a host computer server connected to a secure network storage system by a data transfer architecture for transfer of data therebetween, the secure network storage system having a plurality of storage devices for storage of the data, the host-side encryption module comprising:

(a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;

(b) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and

(c) a key management means for (i) obtaining a key and associated storage identity information from the security system after authentication, wherein the associated storage identity information designates an associated storage means for storing information encrypted using the storage key, and the associated storage means is in the plurality of storage means, and (ii) providing the key to the encryption engine for encryption and decryption of data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method of transferring data between a host computer server and a secure network storage system via a data transfer architecture. The secure network storage system has a plurality of storage devices for storage of the data. The method comprises (a) authenticating the host computer server with a security system associated with the secure network storage system; (b) obtaining a storage key from the security system after authentication; and (c) performing an encryption/decryption operation comprising at least one of (i) encrypting and storing data on the secure network storage system, and (ii) retrieving and decrypting data stored on the secure network storage system.

170 Citations

19 Claims

1. A host-side encryption module for installation on a host computer server connected to a secure network storage system by a data transfer architecture for transfer of data therebetween, the secure network storage system having a plurality of storage devices for storage of the data, the host-side encryption module comprising:
- (a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
  
  (b) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
  
  (c) a key management means for (i) obtaining a key and associated storage identity information from the security system after authentication, wherein the associated storage identity information designates an associated storage means for storing information encrypted using the storage key, and the associated storage means is in the plurality of storage means, and (ii) providing the key to the encryption engine for encryption and decryption of data.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The host-side encryption module of claim 1wherein the host-side encryption module is provided by a device card installed on the host computer.
  - 3. The host-side encryption module of claim 1wherein the host-side encryption module communicates with the security systems in accordance with a secure messaging protocol supported by the encryption engine.
  - 4. The host-side encryption module of claim 1further comprising a key erasing means for erasing the key from the host computer server following encryption and decryption.
  - 5. The host-side encryption module of claim 2 further comprising a network data transport means for receiving data from the secure network storage system and for transmitting data to the secure network storage system (not shown in drawings).
  - 6. The host-side encryption module of claim 1wherein the host-side encryption module is provided by a software module installed on the host computer.

7. A security system for providing restricted access to data stored on a secure network storage system having a plurality of storage means, the security system comprising:
- (a) data transfer means for communication with a host server computer and the secure network storage system;
  
  (b) a host computer authentication means for authenticating a host computer;
  
  (c) a key management means for issuing a storage key and associated storage identity information to the host computer following authentication, wherein the associated storage identity information designates an associated storage means for storing information encrypted using the storage key, and the associated storage means is in the plurality of storage means;
  
  (d) a key storage means for securely storing the storage key and the associated storage identity information.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The security system as defined in claim 7 wherein the key storage means is operable to store the storage key in the secure network storage system.
  - 9. The security system as defined in claim 8 further comprising a master key hardware component for securely storing a master key for encrypting the storage key before storage and for decrypting the storage key after retrieval from storage.
  - 10. The security system as defined in claim 7 wherein the storage key has an associated n shares, where n is a positive integer, is indeterminable given any t shares in the n shares, where t is a positive integer less than n, and is determinable given any t+1 shares in the n shares;
    - the key storage means is operable to store the storage key by storing each share of the n shares at an associated n locations in the plurality of storage devices and by associating the associated n locations with the host computer; and
      
      , the key management module is operable to retrieve the t+1 shares from the plurality of storage devices and comprises an associated key assembly means for assembling the storage key using the t+1 shares.
  - 11. The security system as defined in claim 8 wherein the key management module comprises an associated key erasing means for erasing the assembled symmetric key following storage of the symmetric key by the associated key storage means.
  - 12. The security system as defined in claim 10 further comprising a master key hardware component for securely storing a master key;
    - and, encryption/decryption means associated with the master key hardware component for encrypting each share of the n shares before storage and for decrypting each share of the n shares after retrieval from storage using the master key.
  - 13. The security system as defined in claim 7 further comprising host index means for recording, for each storage means in the secure network storage system, the host servers having access to the storage means, wherein the key management means is operable to issue a storage key after authentication of a host computer if the host computer is recorded in the host index means as having access to the associated storage means for the storage key.

14. A secure storage network system comprising (a) a host computer server;
- (b) a storage system connected to the host computer server by a data transfer architecture for transfer of data therebetween, the storage system having a plurality of storage devices for storage of the data;
  
  (c) a host-side encryption module installed on the host computer, and (d) a security system for providing restricted access to data stored on the storage system, wherein (e) the host-side encryption module has i) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
  
  (ii) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
  
  (iii) a key management means for obtaining a key from the security system after authentication, and providing the key to the encryption engine for encryption and decryption of data;
  
  (f) the security system includes (i) data transfer means for communication with the host server computer and the secure network storage system;
  
  (ii) a host computer authentication means for authenticating the host server computer;
  
  (iii) a key management means for issuing a storage key to the host computer following authentication;
  
  (iv) a key storage means for securely storing the storage key.

15. A computer program product for use on a host computer server, the computer program product comprising:
- a recording medium;
  
  means recorded on the medium for configuring the host computer server to provide (a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
  
  (b) an authentication module for authenticating the host computer server with a secure source associated with the secure network storage system; and
  
  (c) a key management means for (i) obtaining a key from the secure source after authentication, and (ii) providing the key to the encryption engine for encryption and decryption of data.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15 further comprising means recorded on the medium for configuring the host computer server to support communication with the security systems using a secure messaging protocol.
  - 17. The computer program product of claim 15 further comprising means recorded on the medium for providing a key erasing means for erasing the key from the host computer server following encryption and decryption.

18. A host-side encryption module for installation on a host computer server connected to a secure network storage system by a data transfer architecture for transfer of data therebetween, the secure network storage system having a plurality of storage devices for storage of the data, the host-side encryption module comprising:
- (a) an encryption/decryption means for encrypting data to be stored on the secure network storage system and for decrypting data received from the secure network storage system;
  
  (b) an authentication means for authenticating the host computer server with a security system associated with the secure network storage system; and
  
  (c) a key management means for (i) obtaining a key from the security system after authentication, and (ii) providing the key to the encryption engine for encryption and decryption of data.

19. A method of transferring data between a host computer server and a secure network storage system via a data transfer architecture, the secure network storage system having a plurality of storage devices for storage of the data, the method comprising:
- (a) authenticating the host computer server with a security system associated with the secure network storage system;
  
  (b) obtaining a storage key from the security system after authentication, (c) performing an encryption/decryption operation comprising at least one of (i) encrypting and storing data on the secure network storage system, and (ii) retrieving and decrypting data stored on the secure network storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kasten Chase Applied Research Limited
Original Assignee
Kasten Chase Applied Research Limited
Inventors
Kolesnikov, Vladimir, Thanos, Daniel, Murty, Kumar

Application Number

US10/269,934
Publication Number

US 20030084290A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 9/0894   Escrow, recovery or storing...

Distributed security architecture for storage area networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

170 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed security architecture for storage area networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links