Encryption based security system for network storage

US 20060136735A1
Filed: 02/07/2006
Published: 06/22/2006
Est. Priority Date: 05/14/2002
Status: Active Grant

First Claim

Patent Images

1. An encryption based security apparatus for network storage, comprising:

one or more storage devices;

one or more client devices; and

an encryption device for separating access to said one or more storage devices via said one or more client devices from access to client data stored on said one or more storage devices;

wherein said encryption device encrypts all client data that is stored on said one or more storage devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The presently preferred embodiment of the invention provides an encryption based security system for network storage that separates the ability to access storage from the ability to access the stored data. This is achieved by keeping all the data encrypted on the storage devices. Logically, the invention comprises a device that has two network interfaces: one is a clear text network interface that connects to one or more clients, and the other is a secure network interface that is connected to one or more persistent storage servers. Functionally, each network interface supports multiple network nodes. That is, the clear text network interface supports multiple client machines, and the secure network interface supports one or more storage servers.

151 Citations

View as Search Results

54 Claims

1. An encryption based security apparatus for network storage, comprising:
- one or more storage devices;
  
  one or more client devices; and
  
  an encryption device for separating access to said one or more storage devices via said one or more client devices from access to client data stored on said one or more storage devices;
  
  wherein said encryption device encrypts all client data that is stored on said one or more storage devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 45)
- - 2. The apparatus of claim 1, said encryption device comprising:
    - at least two network interfaces, comprising;
      
      a clear text network interface that is connected to said one or more clients; and
      
      a secure network interface that is connected to said one or more storage devices;
      
      wherein each network interface supports multiple network nodes.
  - 3. The apparatus of claim 1, wherein said encryption device is located in a network, on a path between said one or more client devices and said one or more storage devices.
  - 4. The apparatus of claim 1, wherein said encryption device intercepts all packets that flow between said one or more client devices and said one or more storage devices.
  - 5. The apparatus of claim 1, wherein said encryption device distinguishes between data, command, and status information.
  - 6. The apparatus of claim 1, wherein said encryption device encrypts said client data sent from said one or more client devices to said one or more storage devices using an encryption method;
    - wherein said encryption device decrypts said client data sent from said one or more client storage to said one or more client devices using said encryption method; and
      
      wherein said encryption device passes command and status information through without modification.
  - 7. The apparatus of claim 1, said encryption device comprising:
    - a plurality of keys for encrypting and decrypting said client data; and
      
      a selection module for selecting a particular one of said plurality of keys based upon at least one of client identification, data location on said one or more storage devices, file name, permission structure, and other factors.
  - 8. The apparatus of claim 7, wherein a plurality of encryption devices share keys and selection modules between them, wherein client data encrypted by one encryption device can be decrypted by another encryption device.
  - 9. The apparatus of claim 1, wherein said encryption device operates in a transparent fashion to both of said one or more client devices and said one or more storage systems;
    - wherein no modification is required to either of said one or more client devices and said one or more storage devices to enable storage of encrypted client data on said one or more storage devices, and to enable subsequent retrieval and decryption of said client data.
  - 10. The apparatus of claim 1, wherein said encryption device performs any of decoding device storage related traffic, extracting of a payload, and transparent encryption of said payload.
  - 11. The apparatus of claim 1, wherein said encryption device operates in any of SAN, NAS (NFS/CIFS), and HTML environments.
  - 12. The apparatus of claim 7, wherein said encryption keys are generated inside said encryption device and are not transmitted therefrom in cleartext form.
  - 13. The apparatus of claim 7, wherein said encryption keys are encrypted with a master key that is generated inside said encryption device.
  - 14. The apparatus of claim 13, wherein said master key is never transmitted from said encryption device.
  - 15. The apparatus of claim 13, wherein said master key is transmitted from said encryption device using a shared key, wherein said key is broken into a plurality of key parts, wherein possession of some subset of said plurality of key parts is sufficient to reconstruct said master key.
  - 16. The apparatus of claim 7, wherein a user is allowed to have an additional key, wherein said user key, a Cryptainer key, and a master key are required to encrypt said client data.
  - 17. The apparatus of claim 7, wherein keys are assigned to any of a region and a directory.
  - 18. The apparatus of claim 1, further comprising:
    - a client application; and
      
      a server comprising a server application;
      
      wherein user passwords are propagated to said encryption device; and
      
      wherein said server can not access client data except as permitted by said user.
  - 19. The apparatus of claim 1, wherein said encryption device comprises:
    - a module for initially encrypting and re-encrypting said client data without interrupting access to said one or more storage devices by said one or more client devices.
  - 20. The apparatus of claim 1, wherein said encryption device comprises:
    - a module for administrator management of said client data;
      
      wherein said client data are not readable by said administrator.
  - 21. The apparatus of claim 1, wherein said encryption device comprises:
    - a module for allowing a first user to control which other users may access said first user'"'"'s client data without explicitly sharing a first user'"'"'s key with said other users.
  - 22. The apparatus of claim 1, wherein said encryption device combines encryption with mirroring.
  - 23. The apparatus of claim 1, wherein said encryption device permits any of private and shared mirror configurations.
  - 24. The apparatus of claim 1, wherein said encryption device permits selective remote client data access.
  - 25. The apparatus of claim 1, wherein said encryption device permits a failover configuration in connection with encryption and decryption of storage device related traffic.
  - 26. The apparatus of claim 1, wherein said encryption device transparently forwards traffic that is not storage related.
  - 45. The method of claim 1, further comprising the steps of:
    - providing a client application; and
      
      providing a server comprising a server application;
      
      wherein user passwords are propagated to said encryption device; and
      
      wherein said server can not access client data except as permitted by said user.

27. An encryption based security apparatus for network storage, comprising:
- an encryption device, located in a network, on a path between one or more client devices and one or more storage devices, for separating access to said one or more storage devices via said one or more client devices from access to client data stored on said one or more storage devices;
  
  said encryption device comprising at least two network interfaces, comprising a clear text network interface that is connected to said one or more clients; and
  
  a secure network interface that is connected to said one or more storage devices;
  
  wherein each network interface supports multiple network nodes;
  
  wherein said encryption device encrypts all client data that is stored on said one or more storage devices.

28. An encryption based security method for network storage, comprising the steps of:
- providing one or more storage devices;
  
  providing one or more client devices; and
  
  separating access to said one or more storage devices via said one or more client devices from access to client data stored on said one or more storage devices with an encryption device;
  
  wherein said encryption device encrypts all client data that is stored on said one or more storage devices.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46, 47, 48, 49, 50, 51, 52, 53)
- - 29. The method of claim 28, said encryption device comprising:
    - at least two network interfaces, comprising;
      
      a clear text network interface that is connected to said one or more clients; and
      
      a secure network interface that is connected to said one or more storage devices;
      
      wherein each network interface supports multiple network nodes.
  - 30. The method of claim 28, wherein said encryption device is located in a network, on a path between said one or more client devices and said one or more storage devices.
  - 31. The method of claim 28, wherein said encryption device intercepts all packets that flow between said one or more client devices and said one or more storage devices.
  - 32. The method of claim 28, wherein said encryption device distinguishes between data, command, and status information.
  - 33. The method of claim 28, wherein said encryption device encrypts said client data sent from said one or more client devices to said one or more storage devices using an encryption method;
    - wherein said encryption device decrypts said client data sent from said one or more client storage to said one or more client devices using said encryption method; and
      
      wherein said encryption device passes command and status information through without modification.
  - 34. The method of claim 28, further comprising the steps of:
    - providing a plurality of keys for encrypting and decrypting said client data; and
      
      providing a selection module for selecting a particular one of said plurality of keys based upon at least one of client identification, data location on said one or more storage devices, file name, permission structure, and other factors.
  - 35. The method of claim 34, wherein a plurality of encryption devices share keys and selection modules between them, wherein client data encrypted by one encryption device can be decrypted by another encryption device.
  - 36. The method of claim 28, wherein said encryption device operates in a transparent fashion to both of said one or more client devices and said one or more storage systems;
    - wherein no modification is required to either of said one or more client devices and said one or more storage devices to enable storage of encrypted client data on said one or more storage devices, and to enable subsequent retrieval and decryption of said client data.
  - 37. The method of claim 28, wherein said encryption device performs any of decoding device storage related traffic, extracting of a payload, and transparent encryption of said payload.
  - 38. The method of claim 28, wherein said encryption device operates in any of SAN, NAS (NFS/CIFS), and HTML environments.
  - 39. The method of claim 34, wherein said encryption keys are generated inside said encryption device and are not transmitted therefrom in cleartext form.
  - 40. The method of claim 34, wherein said encryption keys are encrypted with a master key that is generated inside said encryption device.
  - 41. The method of claim 40, wherein said master key is never transmitted from said encryption device.
  - 42. The method of claim 40, wherein said master key is transmitted from said encryption device using a shared key, wherein said key is broken into a plurality of key parts, wherein possession of some subset of said plurality of key parts is sufficient to reconstruct said master key.
  - 43. The method of claim 34, wherein a user is allowed to have an additional key, wherein said user key, a Cryptainer key, and a master key are required to encrypt said client data.
  - 44. The method of claim 34, wherein keys are assigned to any of a region and a directory.
  - 46. The method of claim 28, further comprising the step of:
    - initially encrypting and re-encrypting said client data without interrupting access to said one or more storage devices by said one or more client devices.
  - 47. The method of claim 28, further comprising the step of:
    - providing a module for administrator management of said client data;
      
      wherein said client data are not readable by said administrator.
  - 48. The method of claim 28, further comprising the step of:
    - allowing a first user to control which other users may access said first user'"'"'s client data without explicitly sharing a first user'"'"'s key with said other users.
  - 49. The method of claim 28, wherein said encryption device combines encryption with mirroring.
  - 50. The method of claim 28, wherein said encryption device permits any of private and shared mirror configurations.
  - 51. The method of claim 28, wherein said encryption device permits selective remote client data access.
  - 52. The method of claim 28, wherein said encryption device permits a failover configuration in connection with encryption and decryption of storage device related traffic.
  - 53. The method of claim 28, wherein said encryption device transparently forwards traffic that is not storage related.

54. An encryption based security method for network storage, comprising the steps of:
- providing an encryption device, located in a network, on a path between one or more client devices and one or more storage devices;
  
  separating access to said one or more storage devices via said one or more client devices from access to client data stored on said one or more storage devices;
  
  said encryption device comprising at least two network interfaces, comprising a clear text network interface that is connected to said one or more clients; and
  
  a secure network interface that is connected to said one or more storage devices;
  
  wherein each network interface supports multiple network nodes;
  
  wherein said encryption device encrypts all client data that is stored on said one or more storage devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dan Avida, Serge Plotkin
Original Assignee
Dan Avida, Serge Plotkin
Inventors
Plotkin, Serge, Avida, Dan

Granted Patent

US 8,423,780 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/85   interconnection devices, e....

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 67/1097   for distributed storage of ...

H04L 69/329   in the application layer [O...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0897   involving additional device...

Encryption based security system for network storage

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption based security system for network storage

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links