Management of cryptographic keys for securing stored data

US 20090034733A1
Filed: 07/31/2007
Published: 02/05/2009
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1. A system for securing stored data, comprising:

at least one storage system adapted to receive storage and retrieval requests, each storage system further adapted to, in response to each storage request received at the storage system, obtain a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system, encrypt data from the storage request into encrypted data using the current cryptographic key, and store the encrypted data and the identifier in a storage media, and each storage system further adapted to, in response to each retrieval request received at the storage system, retrieve encrypted data and an identifier from the storage media, obtain a cryptographic key corresponding to the identifier within the sequence for the storage system, and decrypt the encrypted data using the cryptographic key; and

a management system coupled to the at least one storage system and adapted to generate the sequence of cryptographic keys for each storage system, the management system further adapted for each storage system to provide the current cryptographic key and the identifier of the current cryptographic key within the sequence for the storage system, and provide the cryptographic key corresponding to an identifier within the sequence for the storage system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods secure data in storage. A management system generates a sequence of keys and an identifier of each key in the sequence. A current key in the sequence and the identifier of the current key are transferred from the management system to a storage system. The storage system encrypts the data into encrypted data using the current key. The storage system stores the identifier and the encrypted data. The identifier and the encrypted data are retrieved from the storage system. The key in the sequence identified by the identifier is transferred from the management system to the storage system. The storage system decrypts the encrypted data using the decryption key.

Citations

22 Claims

1. A system for securing stored data, comprising:
- at least one storage system adapted to receive storage and retrieval requests, each storage system further adapted to, in response to each storage request received at the storage system, obtain a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system, encrypt data from the storage request into encrypted data using the current cryptographic key, and store the encrypted data and the identifier in a storage media, and each storage system further adapted to, in response to each retrieval request received at the storage system, retrieve encrypted data and an identifier from the storage media, obtain a cryptographic key corresponding to the identifier within the sequence for the storage system, and decrypt the encrypted data using the cryptographic key; and
  
  a management system coupled to the at least one storage system and adapted to generate the sequence of cryptographic keys for each storage system, the management system further adapted for each storage system to provide the current cryptographic key and the identifier of the current cryptographic key within the sequence for the storage system, and provide the cryptographic key corresponding to an identifier within the sequence for the storage system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising an authentication server, wherein each storage system and the management system obtain a credential from the authentication server during an authentication protocol, and the credential protects a first transfer from the management system to the storage system of the current cryptographic key and the identifier of the current cryptographic key with the sequence for the storage system, a second transfer from the storage system to the management system of an identifier, and a third transfer from the management system to the storage system of the cryptographic key corresponding to the identifier with the sequence for the storage system.
  - 3. The system of claim 1, wherein the at least one storage system includes a plurality of storage systems, and the management system is coupled to the plurality of storage systems via a computer network.
  - 4. The system of claim 3, wherein at least one of the plurality of storage systems is a desktop computer for a user, and an address of the desktop computer system includes an identifier that is at least one of an identifier of the desktop computer system and an identifier of the user.
  - 5. The system of claim 3, whereineach storage system is further adapted to, in response to each storage request received at the storage system, issue an encryption request including an address of the storage system and in response to the encryption request receive an encryption reply including the current cryptographic key and the identifier of the current cryptographic key within the sequence for the storage system, and each storage system is further adapted to, in response to each retrieval request received at the storage system, issue a decryption request including the identifier retrieved from the storage media and the address of the storage system and in response to the decryption request receive a decryption reply including the cryptographic key corresponding to the identifier within the sequence for the storage system;
    - andthe management system is further adapted to, in response to the encryption request, issue the encryption reply including the current cryptographic key and the identifier of the current cryptographic key within the sequence associated with the address from the encryption request, and, in response to the decryption request, issue the decryption reply including the cryptographic key corresponding to the identifier from the decryption request within the sequence associated with the address from the decryption request.

6. A method for securing first data in storage, comprising:
- generating a sequence of combinations at a management system, wherein each combination includes an encryption key, a decryption key, and an identifier that identifies the combination;
  
  transferring the identifier and the encryption key of a current one of the combinations from the management system to a storage system;
  
  encrypting the first data into second data at the storage system using the encryption key;
  
  storing the identifier and the second data in the storage system;
  
  retrieving the identifier and the second data from the storage system;
  
  transferring the decryption key of a combination identified in the sequence by the identifier from the management system to the storage system; and
  
  decrypting the second data into third data at the storage system using the decryption key, wherein the third data matches the first data.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 7. The method of claim 6, further comprising receiving a storage request at the storage system to store the first data.
  - 8. The method of claim 7, wherein the generating of the sequence of combinations includes generating a preceding combination to the current combination in the sequence and generating the current combination in response to the storage request occurring after a predetermined time interval following the generating of the preceding combination, and the generating of the sequence of combinations also includes generating the current combination in response to another request at the storage system with the storage request occurring after the another request and within a predetermined time interval following the generating of the current combination.
  - 9. The method of claim 7, wherein the transferring of the identifier and the encryption key includes transferring the identifier and the encryption key in response to the storage request, the encrypting of the first data includes encrypting the first data in response to the storage request, and the storing of the identifier and the second data includes storing the identifier and the second data in response to the storage request.
  - 10. The method of claim 9, further comprising receiving a retrieval request at the storage system to retrieve the first data.
  - 11. The method of claim 10, wherein the retrieving of the identifier and the second data includes retrieving the identifier and the second data in response to the retrieval request, the transferring of the decryption key includes transferring the decryption key in response to the retrieval request, and the decrypting of the second data includes decrypting the second data in response to the retrieval request.
  - 12. The method of claim 6, wherein the generating of the sequence of combinations at the management system includes periodically adding a new combination to the sequence, wherein the periodically adding of the new combination to the sequence includes updating the current combination to be the new combination and generating the new combination including incrementing a version number used for the identifier of the new combination and randomly generating the encryption key and the decryption key of the new combination.
  - 13. The method of claim 6, wherein the storing of the identifier and the second data in the storage system includes storing in the storage system a cryptographic hash of the identifier, the second data, and an address of the storage system;
    - and the retrieving of the identifier and the second data from the storage system includes retrieving and checking the cryptographic hash.
  - 14. The method of claim 6, wherein the storage system is one of a plurality of storage systems, each of the storage systems having a unique address, and the sequence of combinations is one of a plurality of sequences of combinations, each of the sequences associated with the unique address of one of the storage systems.
  - 15. The method of claim 14, further comprising receiving a storage request at the storage system to store the first data, and the storage system in response to the storage request issuing to the management system an encryption request that includes the unique address of the storage system, wherein the transferring of the identifier and the encryption key includes the management system in response to the encryption request transferring the identifier and the encryption key of the current combination in the sequence associated with the unique address.
  - 16. The method of claim 15, further comprising receiving a retrieval request at the storage system to retrieve the first data, and the storage system in response to the retrieval request issuing to the management system a decryption request that includes the identifier and the unique address of the storage system, wherein the transferring of the decryption key includes the management system in response to the decryption request transferring the decryption key of the combination identified by the identifier in the sequence associated with the unique address.
  - 17. The method of claim 6, further comprising storing the sequence of combinations in the management system, wherein the storing of each combination in the sequence includes encrypting the encryption and decryption keys of the combination using a management key of the management system, and the transferring of the encryption and decryption keys includes decrypting the encryption and decryption keys using the management key of the management system.
  - 18. The method of claim 6, further comprising authenticating the storage system with an enterprise authentication server, and authenticating the storage system to the management system using a credential from the authenticating of the storage system with the enterprise authentication server.
  - 19. The method of claim 18, wherein the credential secures the transferring of the identifier and the encryption key from the management system to the storage system and the transferring of the decryption key from the management system to the storage system.
  - 20. The method of claim 19, further comprising transferring a unique address of the storage system from the storage system to the management system and transferring the identifier from the storage system to the management system, wherein the unique address includes an identifier that is at least one of an identifier of the credential, an identifier of the storage system, and an identifier of a user of the storage system, and the credential secures the transferring of the unique address and the transferring of the identifier.
  - 21. The method of claim 6, wherein the encryption key and the decryption key of each combination in the sequence are a same symmetric key.

22. An article of manufacture, comprising:
- a processor-readable program storage medium configured with instructions for securing stored data, wherein execution of the instructions by a plurality of processors causes the processors to perform operations including,client operations including receiving a storage request with data, and in response to the storage request, issuing an encryption request including an address of one of a plurality of storage systems, receiving an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence for the storage system, encrypting the data into encrypted data using the current cryptographic key, storing the encrypted data and the identifier in the storage system, the client operations further including receiving a retrieval request, and in response to the retrieval request, retrieving encrypted data and an identifier from the storage system, issuing a decryption request including the identifier and the address of the storage system, receiving a decryption reply including the cryptographic key corresponding to the identifier within the sequence for the storage system, and decrypting the encrypted data using the cryptographic key; and
  
  management operations including generating the sequence of cryptographic keys for each of the plurality of storage systems, the management operations further including, in response to each encryption request from each storage system, issuing an encryption reply including the current cryptographic key and the identifier of the current cryptographic key within the sequence associated with the address from the encryption request, and, in response to each decryption request from each storage system, issuing the decryption reply including the cryptographic key corresponding to the identifier from the decryption request within the sequence associated with the address from the decryption request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Malle Gowda, Kiran Kumar, Raman, Shankar

Granted Patent

US 8,111,828 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

Management of cryptographic keys for securing stored data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Management of cryptographic keys for securing stored data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links