System, Method and Computer Program Product for Secure Access Control to a Storage Device

US 20080022120A1
Filed: 06/05/2006
Published: 01/24/2008
Est. Priority Date: 06/05/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for accessing a storage device, the method comprises:

receiving, by storage device, a block based storage access command and cryptographically secured access control information;

wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size block of data and with a client;

processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and

selectively executing the block based storage access command in response to a result of the processing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for accessing a storage device, the method includes: receiving, by storage device, a block based storage access command and cryptographically secured access control information; wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size block of data and with a client; processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and selectively executing the block based storage access command in response to a result of the processing.

Citations

35 Claims

1. A method for accessing a storage device, the method comprises:
- receiving, by storage device, a block based storage access command and cryptographically secured access control information;
  
  wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size block of data and with a client;
  
  processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and
  
  selectively executing the block based storage access command in response to a result of the processing.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method according to claim 1 wherein the cryptographically secured access control information is associated with at least a portion of a logical unit that comprises the at least one fixed size block of data and additional fixed size blocks of data.
  - 3. The method according to claim 1 wherein the cryptographically secured access control information comprises capability information and a validation tag;
    - wherein the processing comprises authenticating at least the capability information by using the validation tag and the secret key.
  - 4. The method according to claim 1 further comprising receiving the secret key using a first link while receiving the block based storage access command over a second link.
  - 5. The method according to claim 1 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 6. The method according to claim 1 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

7. A method for accessing a storage device, the method comprises:
- sending to a security entity, a request to receive access control information associated with at least one fixed size logical block and with a client;
  
  receiving the access control information and capability key;
  
  generating a cryptographically secured access information based on the received access control information and capability key; and
  
  providing a block based storage access command associated with the cryptographically secured access control information.
- View Dependent Claims (8, 9, 10)
- - 8. The method according to claim 7 wherein the sending comprises utilizing a first link while the providing comprises utilizing a second link.
  - 9. The method according to claim 7 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 10. The method according to claim 7 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

11. A computer program product comprising a computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- receive a block based storage access command and cryptographically secured access control information;
  
  wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size logical block and with a client;
  
  process at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and
  
  selectively execute the block based storage access command in response to a result of the processing.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product according to claim 11, wherein the storage based access command is associated with at least one fixed size block of data and wherein the cryptographically secured access control information is associated with a logical unit that comprises the at least one fixed size block and additional fixed size blocks of data.
  - 13. The computer program product according to claim 11, wherein the cryptographically secured access control information comprises capability information and a validation tag;
    - wherein the computer readable program when executed on a computer causes the computer to authenticate at least the capability information by using the validation tag and the secret key.
  - 14. The computer program product according to claim 11, wherein the computer readable program when executed on a computer causes the computer to receive the secret key using a first link while receiving the block based storage access command over a second link.
  - 15. The computer program product according to claim 11 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 16. The computer program product according to claim 11 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

17. A computer program product comprising a computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- send to a security entity, a request to receive access control information associated with at least one fixed size block of data and with a client;
  
  receive the access control information and a capability key;
  
  generate a cryptographically secured access information based on the access control information and the capability key; and
  
  provide a block based storage access command associated with the cryptographically secured access control information.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product according to claim 17 wherein the computer readable program when executed on a computer causes the computer to send a request to receive access control information associated with at least one fixed size block of data over a first link and to provide a block based storage access command associated with the cryptographically secured access control information over a second link.
  - 19. The computer program product according to claim 17 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 20. The computer program product according to claim 17 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

21. A system having data access capabilities, the system comprises:
- a storage device that comprises a storage medium and a storage device interface that is adapted to receive, a block based storage access command and cryptographically secured access control information;
  
  wherein the block based storage access command and the cryptographically secured access control information are associated with at least one fixed size logical block and with a client;
  
  wherein the storage device is adapted to process at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity and to selectively execute the block based storage access command in response to a result of the processing.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system according to claim 21 wherein the cryptographically secured access control information is associated with at least a portion of a logical unit that comprises the at least one fixed size block and additional fixed size blocks.
  - 23. The system according to claim 21 wherein the cryptographically secured access control information comprises capability information and a validation tag;
    - wherein the storage device is adapted to authenticating at least the capability information by using the validation tag and the secret key.
  - 24. The system according to claim 21 adapted to receive the secret key using a first link while receive the block based storage access command over a second link.
  - 25. The system according to claim 21 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 26. The system according to claim 22 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

27. A system comprising a host computer and an interface;
- wherein the interface is adapted to receive access control information;
  
  wherein the host computer is adapted to host at least a portion of a client that is adapted to send to a security entity, a request to receive the access control information associated with at least one fixed size block of data and with a client, and a capability key;
  
  generate a cryptographically secured access information in response to the access control information and the capability key; and
  
  provide a block based storage access command associated with the cryptographically secured access control information.
- View Dependent Claims (28, 29, 30)
- - 28. The system according to claim 27 wherein the system is adapted to utilize a first link for sending the request and is further adapted to utilize a second link for providing the block based storage access command.
  - 29. The system according to claim 27 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 30. The system according to claim 27 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

31. A method for accessing a storage device, the method comprising:
- sending to a security entity, a request to receive access control information associated with at least one fixed size block of data and with a client;
  
  providing the access control information and a capability key;
  
  generating a cryptographically secured access information based on the access control information and the capability key;
  
  sending a block based storage access command associated with the cryptographically secured access control information to a storage device;
  
  receiving, by the storage device, the block based storage access command and the cryptographically secured access control information;
  
  processing at least a portion of the cryptographically secured access control information by using a secret key accessible to the storage device and to a security entity; and
  
  selectively executing the block based storage access command in response to a result of the processing.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The method according to claim 31 wherein the cryptographically secured access control information comprises capability information and a validation tag;
    - wherein the processing comprises authenticating at least the capability information by using the validation tag and the secret key.
  - 33. The method according to claim 31 further comprising receiving the secret key using a first link while receiving the block based storage access command over a second link.
  - 34. The method according to claim 31 wherein the block based storage access command is a block based Small Computer System Interface (SCSI) command.
  - 35. The method according to claim 31 wherein the block based storage access command is a block based General Parallel File System Virtual Shared Disk (GPFS/VSD) command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tal, Sivan, Naor, Dalit, Rodeh, Michael, Satran, Julian, Factor, Michael

Application Number

US11/422,096
Publication Number

US 20080022120A1
Time in Patent Office

Days
Field of Search
US Class Current

713/184
CPC Class Codes

G06F 21/62 Protecting access to data v...

G06F 21/80 in storage media based on m...

System, Method and Computer Program Product for Secure Access Control to a Storage Device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Computer Program Product for Secure Access Control to a Storage Device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links