Security system for replicated storage devices on computer networks

US 20040064729A1
Filed: 09/30/2002
Published: 04/01/2004
Est. Priority Date: 09/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method in a replicated networked storage domain of at least one original data partition and one or more replica data partitions, each partition being stored on a storage device having a network address, the method comprising:

associating with each partition a secret key;

sharing said secret keys between said storage devices and a file manager;

responsive to a request from a client for access to a partition, said file manager selecting a partition to which the client is to be directed and issuing a credential encrypted by the key associated with the selected partition and including a network address of the storage device which stores the selected partition; and

accessing said selected partition by said client using said credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Through associating each data partition within a replicated storage domain of networked storage devices with one of multiple secret keys shared with a file manager, a credential is issued from the file manager to a client requesting access to a partition. The credential includes a network address for the partition to which the client is to direct its actions. The storage device periodically confirms with the file manager the validity of the shared secret keys. Through logical process and evaluations applied to issuing the credential and determining the address of the partition to be included in each credential, the file manager may invalidate partitions individually, provide load balancing between access of original and replica partitions, and provide security functions such as isolation of partitions for access by and tracking of unauthorized users, or for testing purposes.

81 Citations

View as Search Results

32 Claims

1. A method in a replicated networked storage domain of at least one original data partition and one or more replica data partitions, each partition being stored on a storage device having a network address, the method comprising:
- associating with each partition a secret key;
  
  sharing said secret keys between said storage devices and a file manager;
  
  responsive to a request from a client for access to a partition, said file manager selecting a partition to which the client is to be directed and issuing a credential encrypted by the key associated with the selected partition and including a network address of the storage device which stores the selected partition; and
  
  accessing said selected partition by said client using said credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as set forth in claim 1 wherein said step of accessing said selected partition further comprises verifying validity of said credential by said storage device, and allowing said client access only if said credential is verified.
  - 3. The method as set forth in claim 2 wherein said step of verifying a credential further comprises denying access to said requesting client if the credential presented by the client is encrypted with a key which is subject to a condition selected from the group of invalidation, expiration, or compromisation.
  - 4. The method as set forth in claim 3 wherein said step of verifying a credential further comprises establishing a new shared key.
  - 5. The method as set forth in claim 4 wherein said step of establishing a new shared key comprises performing a Diffie-Hellman process.
  - 6. The method as set forth in claim 1 wherein said step of selecting a partition to which the client is to be directed comprises determining an existing load level among partition originals and replicas, and selecting a partition which is least loaded.
  - 7. The method as set forth in claim 1 wherein said step of selecting a partition to which the client is to be directed comprises selecting a valid, uncompromised partition original or replica.
  - 8. The method as set forth in claim 1 wherein said step of selecting a partition to which the client is to be directed comprises detecting attempted access to a partition by an unauthorized or unauthenticated user and isolating a partition for exclusive use by that user.
  - 9. The method as set forth in claim 1 wherein said step of selecting a partition to which the client is to be directed comprises detecting attempted access to a partition by an unauthorized or unauthenticated user and selecting a partition which is other than an original or true replica of the requested partition.
  - 10. The method as set forth in claim 1 wherein said step of selecting a partition to which the client is to be directed comprises detecting requested access to a partition by a designated test or development client, and isolating a partition for exclusive use by that client.
  - 11. The method as set forth in claim 10 further comprising synchronizing said isolated partition with its replicas upon completion of accessing by said test or development client.

12. A computer readable medium encoded with software for use in a replicated networked storage domain of a at least one original data partition and one or more replica data partitions, each partition being stored on a storage device having a network address, the software performing steps comprising:
- associating with each partition a secret key;
  
  sharing said secret keys between said storage devices and a file manager;
  
  responsive to a request from a client for access to a partition, said file manager selecting a partition to which the client is to be directed and issuing a credential encrypted by the key associated with the selected partition and including a network address of the storage device which stores the selected partition; and
  
  accessing said selected partition by said client using said credential.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The medium as set forth in claim 12 wherein said software for accessing said selected partition further comprises software for verifying validity of said credential by said storage device, and allowing said client access only if said credential is verified.
  - 14. The medium as set forth in claim 13 wherein said software for verifying a credential further comprises software for denying access to said requesting client if the credential presented by the client is encrypted with a key which is subject to a condition selected from the group of invalidation, expiration, or compromisation.
  - 15. The medium as set forth in claim 14 wherein said software for verifying a credential further comprises software for establishing a new shared key.
  - 16. The medium as set forth in claim 15 wherein said software for establishing a new shared key comprises software for performing a Diffie-Hellman process.
  - 17. The medium as set forth in claim 12 wherein said software for selecting a partition to which the client is to be directed comprises software for determining an existing load level among partition originals and replicas, and selecting a partition which is least loaded.
  - 18. The medium as set forth in claim 12 wherein said software for selecting a partition to which the client is to be directed comprises software for selecting a valid, uncompromised partition original or replica.
  - 19. The medium as set forth in claim 12 wherein said software for selecting a partition to which the client is to be directed comprises software for detecting attempted access to a partition by an unauthorized or unauthenticated user and isolating a partition for exclusive use by that user.
  - 20. The medium as set forth in claim 12 wherein said software for selecting a partition to which the client is to be directed comprises software for detecting attempted access to a partition by an unauthorized or unauthenticated user and selecting a partition which is other than an original or true replica of the requested partition.
  - 21. The medium as set forth in claim 12 wherein said software for selecting a partition to which the client is to be directed comprises software for detecting requested access to a partition by a designated test or development client, and isolating a partition for exclusive use by that client.
  - 22. The medium as set forth in claim 21 further comprising synchronizing said isolated partition with its replicas upon completion of accessing by said test or development client.

23. A security system in a replicated networked storage domain of at least one original data partition and one or more replica data partitions, each partition being stored on a storage device having a network address, the system comprising:
- a secret key associated with each partition, each key being shared between a file manager and a storage device on which a partition is stored;
  
  a partition selector operable by a file manager for selecting an original or replica partition to which a client is to be directed responsive to a request for access to a partition from said client;
  
  a credential generator and issuer configured to create a credential encrypted by the secret key shared with the selected partition'"'"'s storage device and the file manager, said credential including a network address corresponding to the storage device which stores the selected partition; and
  
  a partition access controller adapted to receive said issued credential from a client with a request for access to a partition, to evaluate the validity of the key used to sign the credential, and to allow access operations by the requesting client to the requested partition.
- View Dependent Claims (24, 25, 26, 27, 29, 30, 31, 32)
- - 24. The system as set forth in claim 23 wherein said access controller comprises a credential validity maintainer configured to corroborate key validity with said file manager.
  - 25. The system as set forth in claim 23 wherein said partition access controller further comprises a key establisher configured to acquire a new key associated with a partition shared between a storage device and a file manager.
  - 26. The system as set forth in claim 25 wherein said key establisher is adapted to perform a Diffie-Hellman process.
  - 27. The system as set forth in claim 23 wherein said partition selector comprises a load determiner for determining an existing load level among partition originals and replicas, and a least-loaded partition selector.
  - 29. The system as set forth in claim 23 wherein said partition selector is further adapted to detect attempted access to a partition by an unauthorized or unauthenticated user and to isolate a partition for exclusive use by that user.
  - 30. The system as set forth in claim 23 wherein said partition selector is further adapted to detect attempted access to a partition by an unauthorized or unauthenticated user and to select a partition which is other than an original or true replica of the requested partition.
  - 31. The system as set forth in claim 23 wherein said partition selector is adapted to detect a client request for access to a partition by a designated test or development client, and to isolate a partition for exclusive use by that client.
  - 32. The system as set forth in claim 31 further comprising a partition replica synchronizer for synchronizing the content of said isolated partition with its replicas upon completion of accessing by said test or development client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Yellepeddy, Krishna Kishore

Granted Patent

US 7,146,499 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 11/2069   Management of state, config...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2127   Bluffing

H04L 63/068   using time-dependent keys, ...

H04L 63/10   for controlling access to d...

Security system for replicated storage devices on computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Security system for replicated storage devices on computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others