Logical access block processing protocol for transparent secure file storage
Abstract
Network data files are secured through the operation of an infrastructure gateway-based network file access appliance. Network file data, corresponding to network packet payload data, are further reduced to a sequence of data blocks that are secured through any combination of block encryption, compression, and digital signatures. File meta-data, including encryption, compression and block-level digital signatures, is persistently stored with the file data, either in-band in the file as stored or out-of-band as a separately stored file or file policy record. File meta-data is recovered with accesses of the file data to support bidirectional encryption and compression and to detect tampering with the file data by comparison against the block-level digital signatures.
31 Claims
1. A method of securing a network data file, said method comprising the steps of:
a) receiving a first network data packet including payload file data corresponding to a predetermined network data file stored on a predetermined network storage resource;
b) segmenting said payload file data into a plurality of data blocks;
c) processing each of said plurality of file data blocks through a block encryption unit, said processing step implementing a first function selected from the group consisting of i) generating digital signatures for each of said plurality of file data blocks, ii) encrypting each of said plurality of file data blocks, iii) encrypting and generating digital signatures for each of said plurality of file data blocks, iv) compressing and encrypting each of said plurality of file data blocks, and v) compressing, encrypting, and generating digital signatures for each of said plurality of file data blocks;
d) generating a second file network data packet including said plurality of file data blocks as processed by said processing step; and
e) forwarding said second file network data packet to said predetermined network storage resource for storage as a corresponding portion of said predetermined network data file. [Dependent claims 2, 3, 4 and 5 not shown]
6. A method of encrypting network data files, said method comprising the steps of:
a) receiving a first network data packet including payload file data corresponding to a predetermined network data file stored on a predetermined network storage resource;
b) obtaining an encryption key associated with said predetermined network data file;
c) segmenting said payload file data into a plurality of file data blocks;
d) block encrypting each of said plurality of file data blocks with said encryption key;
e) generating a second file network data packet including said block encrypted plurality of file data blocks; and
f) forwarding said second file network data packet to said predetermined network storage resource. [Dependent claims 7, 8, 9, 10, 11, 12, 13 and 14 not shown]
15. A method of recovering encrypted file data from a network storage resource, said method comprising the steps of:
a) receiving a network file data read request by a network portal appliance, said network file data read request identifying a defined portion of a network file stored by a network storage resource;
b) determining a block file data portion encompassing said defined portion of said network file;
c) first retrieving an encryption key corresponding to said network file;
d) second retrieving said block file data portion from said network storage resource;
e) decrypting said block file data portion utilizing said encryption key; and
f) returning, in response to said network file data read request, said defined portion of said network file. [Dependent claims 16, 17, 18 and 19 not shown]
20. A network appliance providing for the secure transport and storage of encrypted file data by network storage resources, said network appliance comprising:
a) a network file access processor defining the storage of a network file by a network storage resource to include predefined encryption meta-data and a plurality of encrypted file data blocks, said network file access processor supporting a first network file access transaction with a client computer system and a second network file access transaction with said network storage resource, said second network file access transaction including retrieval of said predefined encryption meta-data and further corresponding to a modified said first network file access transaction based on said predefined encryption meta-data; and
b) a network protocol processor, responsive to said network file access processor, operative to selectively convert network packet payload data between a sequence of encrypted data blocks and a defined portion of said network file. [Dependent claims 21, 22 and 23 not shown]
24. A network file access appliance provided as a gateway within a network infrastructure and implementing a storage protocol to transparently secure file data as stored by network storage resources, said network file access appliance comprising:
a) a network file transaction processor operative to responsively manage a first network file transaction for returning first network file data to a client computer system and execute a second network file transaction to retrieve second network file data from a network storage resource, wherein said second network file data includes a plurality of encrypted data blocks and file meta-data, including an encryption key identifier, said network file transaction processor being further operative to resolve said encryption key identifier into an encryption key specific to said plurality of encrypted data blocks; and
b) a network file data processor, responsive to said network file transaction processor and including a block decryptor, operative to decrypt said plurality of encrypted data blocks and selectively return said first network file data. [Dependent claims 25, 26, 27, 28, 29, 30 and 31 not shown]
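An added illustration, not code from the patent or its assignee, of the block-level write path of claims 1 and 6 (segment the payload, then compress, encrypt and sign each block) and the read path of claim 15 (determine the blocks encompassing the requested portion, verify and decrypt them, return only the defined portion). It assumes a 16-byte block size, a constructed key identifier, a SHA-256 counter-mode keystream standing in for a real block cipher, HMAC-SHA256 as the block-level digital signature and zlib as the compressor; the function and field names are the example's own.

```python
import hashlib
import hmac
import struct
import zlib

BLOCK_SIZE = 16  # tiny for illustration; a real appliance would use e.g. 4 KiB blocks

def _keystream(key, block_no, length):
    # Stand-in for a real block cipher: SHA-256 in counter mode keyed on (key, block index).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", block_no, counter)).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def _block_signature(key, block_no, ciphertext):
    # Binding the block index into the MAC detects block reordering as well as modification.
    return hmac.new(key, struct.pack(">Q", block_no) + ciphertext, hashlib.sha256).digest()

def secure_payload(payload, key):
    """Write path (claims 1 and 6): segment, then compress, encrypt and sign each block."""
    blocks = []
    for offset in range(0, len(payload), BLOCK_SIZE):
        n = offset // BLOCK_SIZE
        compressed = zlib.compress(payload[offset:offset + BLOCK_SIZE])
        ciphertext = _xor(compressed, _keystream(key, n, len(compressed)))
        blocks.append({"n": n, "data": ciphertext, "sig": _block_signature(key, n, ciphertext)})
    # Encryption meta-data stored alongside the blocks; "key-0001" is a constructed key identifier.
    meta = {"block_size": BLOCK_SIZE, "key_id": "key-0001", "length": len(payload)}
    return meta, blocks

def tampered_blocks(blocks, key):
    """Return the indices of stored blocks whose block-level signature no longer verifies."""
    return [b["n"] for b in blocks
            if not hmac.compare_digest(_block_signature(key, b["n"], b["data"]), b["sig"])]

def read_range(meta, blocks, key, offset, length):
    """Read path (claim 15): find the blocks encompassing the request, verify, decrypt, slice."""
    if length <= 0 or offset >= meta["length"]:
        return b""
    bs = meta["block_size"]
    first, last = offset // bs, min(offset + length - 1, meta["length"] - 1) // bs
    recovered = b""
    for n in range(first, last + 1):
        if tampered_blocks([blocks[n]], key):
            raise ValueError(f"block {n} failed its signature check; refusing to return data")
        compressed = _xor(blocks[n]["data"], _keystream(key, n, len(blocks[n]["data"])))
        recovered += zlib.decompress(compressed)
    start = offset - first * bs
    return recovered[start:start + length]
```

Only the blocks covering the requested byte range are fetched and decrypted, and a single modified block is rejected before any of its bytes are returned to the client.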