Method, Apparatus, and Product for Prohibiting Unauthorized Access of Data Stored on Storage Drives

US 20090063870A1
Filed: 11/13/2008
Published: 03/05/2009
Est. Priority Date: 06/23/2005
Status: Active Grant

First Claim

Patent Images

1-7. -7. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer program product are disclosed in a data processing system for prohibiting unauthorized access of data that is stored on storage drives. Multiple logical partitions are generated. A different unique randomizer seed is associated with each one of the logical partitions. In response to one of the logical partitions needing to access a storage drive, the logical partition transmits a seed to the storage drive. The transmitted seed is associated with the one of the logical partitions. A transmitting one of the logical partitions is unable to transmit a seed that is other than a seed that is associated with the transmitting one of the logical partitions. The storage drive utilizes the transmitted seed to randomize and de-randomize data for the one of the logical partitions. Data randomized for one of the logical partitions cannot be de-randomized for a different one of the logical partitions.

23 Citations

23 Claims

1-7. -7. (canceled)

8. A data processing system, which includes a host coupled to a disk drive, for prohibiting unauthorized access of data that is stored on said disk drive, wherein said disk drive communicates with said host using a disk drive controller that is included in the disk drive, and wherein said disk drive controller forwards read requests and write requests to a read/write channel that is included in the disk drive, and further wherein said read/write channel includes a randomizer and a de-randomizer;
- said data processing system comprising;
  
  first generating means for generating a plurality of logical partitions in said host;
  
  second associating means for associating a different unique randomizer seed with each one of said plurality of logical partitions;
  
  third keeping means for keeping said seed in a trusted platform module that is included in said host, wherein said trusted platform module does not exist within any of said plurality of logical partitions, and wherein said seed is not stored within said disk drive;
  
  fourth controlling means for controlling, by said trusted platform module, access to said different unique randomizer seed associated with each one of said plurality of logical partitions, wherein only one of said plurality of logical partitions associated with an associated seed can access said associated seed;
  
  fifth utilizing means for utilizing a first seed that is associated with a first one of said logical partitions to limit access to first data, which was stored by said first one of said plurality of logical partitions in the disk drive, to only said first one of said plurality of logical partitions, wherein other ones of said plurality of logical partitions that are not associated with said first seed are unable to access said first data;
  
  sixth sending means for sending, by an application in said first one of said plurality of logical partitions to a first operating system that is being executed by said first one of said plurality of logical partitions, a data access command to access data in said disk drive;
  
  seventh retrieving means for retrieving, by said first operating system, said first seed;
  
  eighth sending means for sending, by the host to said disk drive in a read request, a particular read seed to be used by said de-randomizer to attempt to de-randomize data, which is stored on said disk drive; and
  
  ninth sending means for sending, by the host to said disk drive in a write request, a particular write seed to be used by said randomizer to randomize data, wherein said particular write seed is provided to said randomizer by said disk drive controller.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The data processing system according to claim 8, further comprising:
    - tenth transmitting means for transmitting, by said first operating system using a first command, particular data to be stored in said disk drive;
      
      eleventh transmitting means for transmitting, by said first operating system using a second command, said first seed that is associated with said first one of said plurality of logical partitions;
      
      twelfth randomizing means for randomizing said transmitted particular data utilizing said first seed; and
      
      thirteenth storing means for storing said randomized data in said storage disk drive.
  - 11. The data processing system according to claim 10, further comprising:
    - fourteenth transmitting means for transmitting, by a second operating system that is being executed by a second one of said logical partitions, second data to be stored in said disk drive;
      
      fifteenth transmitting means for transmitting, by said second operating system to said disk drive, a second seed that is associated with said second one of said plurality of logical partitions;
      
      sixteenth randomizing means for randomizing said transmitted second data utilizing said second seed; and
      
      seventeenth storing means for storing said randomized second data in said disk drive.
  - 12. The data processing system according to claim 10, further comprising:
    - eighteenth transmitting means for transmitting a request, by said first operating system, to read said randomized data that is stored in said disk drive;
      
      nineteenth transmitting means for transmitting, by said first operating system, said first seed that is associated with said first one of said plurality of logical partitions;
      
      twentieth de-randomizing means for de-randomizing said randomized data utilizing said first seed; and
      
      twenty-first transmitting means for transmitting said de-randomized data to said first one of said plurality of logical partitions.
  - 13. The data processing system according to claim 10, further comprising:
    - twenty-second transmitting means for transmitting a request, by a third operating system that is being executed by a third one of said plurality of logical partitions, to read said randomized data that is stored in said disk drive;
      
      twenty-third transmitting means for transmitting, by said third operating system, a third seed that is associated with said third one of said plurality of logical partitions;
      
      twenty-fourth de-randomizing means for attempting to de-randomize said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions;
      
      in response to de-randomizing said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions, twenty-fifth transmitting means for transmitting, by said disk drive, said de-randomized data to said third one of said plurality of logical partitions, wherein said first seed is the same as said third seed; and
      
      in response to being unable to de-randomize said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions, twenty-sixth transmitting means for transmitting an error message to said third one of said plurality of logical partitions.
  - 14. The data processing system according to claim 8, further comprising:
    - twenty-seventh transmitting means for a transmitting one of said plurality of logical partitions being unable to transmit a seed that is not associated with said transmitting one of said plurality of logical partitions.

9. (canceled)

15. A computer program product in a computer recordable-type medium for prohibiting unauthorized access of data that is stored on a disk drive that is included in a computer system, wherein said disk drive communicates with a host coupled to a disk drive using a disk drive controller that is included in the disk drive, and wherein said disk drive controller forwards read requests and write requests to a read/write channel that is included in the disk drive, and further wherein said read/write channel includes a randomizer and a de-randomizer, said computer program product comprising:
- first instructions for generating a plurality of logical partitions in said host;
  
  second instructions for associating a different unique randomizer seed with each one of said plurality of logical partitions;
  
  third instructions for keeping said seed in a trusted platform module that is included in said host, wherein said trusted platform module does not exist within any of said plurality of logical partitions, and wherein said seed is not stored within said disk drive;
  
  fourth instructions for controlling, by said trusted platform module, access to said different unique randomizer seed associated with each one of said plurality of logical partitions, wherein only one of said plurality of logical partitions associated with an associated seed can access said associated seed;
  
  fifth instructions for utilizing a first seed that is associated with a first one of said logical partitions to limit access to first data, which was stored by said first one of said plurality of logical partitions in the disk drive, to only said first one of said plurality of logical partitions, wherein other ones of said plurality of logical partitions that are not associated with said first seed are unable to access said first data;
  
  sixth instructions for sending, by an application in said first one of said plurality of logical partitions to a first operating system that is being executed by said first one of said plurality of logical partitions, a data access command to access data in said disk drive;
  
  seventh instructions for retrieving, by said first operating system, said first seed;
  
  eighth instructions for sending, by the host to said disk drive in a read request, a particular read seed to be used by said de-randomizer to attempt to de-randomize data, which is stored on said disk drive; and
  
  ninth instructions for sending, by the host to said disk drive in a write request, a particular write seed to be used by said randomizer to randomize data, wherein said particular write seed is provided to said randomizer by said disk drive controller.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product according to claim 15, further comprising:
    - tenth instructions for transmitting, by said first operating system using a first command, particular data to be stored in said disk drive;
      
      eleventh instructions for transmitting, by said first operating system using a second command to said disk drive, said first seed that is associated with said first one of said plurality of logical partitions;
      
      twelfth instructions for randomizing, by said randomizer, said transmitted particular data utilizing said first seed; and
      
      thirteenth instructions for storing, by said disk drive, said randomized data in said disk drive.
  - 18. The computer program product according to claim 17, further comprising:
    - fourteenth instructions for transmitting a request, by said first operating system to said disk drive, to read said randomized data that is stored in said disk drive;
      
      fifteenth instructions for transmitting, by said first operating system, said first seed that is associated with said first one of said plurality of logical partitions;
      
      sixteenth instructions for de-randomizing, by said de-randomizer, said randomized data utilizing said first seed; and
      
      seventeenth instructions for transmitting, by said disk drive, said de-randomized data to said first one of said plurality of logical partitions.
  - 19. The computer program product according to claim 17, further comprising:
    - eighteenth instructions for transmitting, by a second operating system, second data to be stored in said disk drive;
      
      nineteenth instructions for transmitting, by said second operating system to said disk drive, a second seed that is associated with said second one of said plurality of logical partitions;
      
      twentieth instructions for randomizing, by said randomizer, said transmitted second data utilizing said second seed; and
      
      twenty-first instructions for storing, by said disk drive, said randomized second data in said disk drive.
  - 20. The computer program product according to claim 15, further comprising:
    - twenty-second instructions for transmitting a request, by a third operating system that is being executed by a third one of said plurality of logical partitions, to read said randomized data that is stored in said disk drive;
      
      twenty-third instructions for transmitting, by said third operating system, a third seed that is associated with said third one of said plurality of logical partitions;
      
      twenty-fourth instructions for attempting, by said de-randomizer, to de-randomize said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions;
      
      in response to de-randomizing said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions, twenty-fifth instructions for transmitting, by said storage drive, said de-randomized data to said third one of said plurality of logical partitions, wherein said first seed is the same as said third seed; and
      
      in response to being unable to de-randomize said randomized data utilizing said third seed that is associated with said third one of said plurality of logical partitions, twenty-sixth instruction for transmitting, by said disk drive, an error message to said third one of said plurality of logical partitions.

16. (canceled)

21. (canceled)

22. A data processing system, which includes a host coupled to a disk drive, for prohibiting unauthorized access of data that is stored on said disk drive, wherein said disk drive communicates with said host using a disk drive controller that is included in the disk drive, and wherein said disk drive controller forwards read requests and write requests to a read/write channel that is included in the disk drive, and further wherein said read/write channel includes a randomizer and a de-randomizer, the data processing system comprising:
- first means for generating a plurality of logical partitions in said host;
  
  second means for associating a different unique randomizer seed with each one of said plurality of logical partitions;
  
  third means for keeping said seed in a trusted platform module that is included in said host, wherein said trusted platform module does not exist within any of said plurality of logical partitions, and wherein said seed is not stored within said disk drive;
  
  fourth means for controlling, by said trusted platform module, access to said different unique randomizer seed associated with each one of said plurality of logical partitions, wherein only one of said plurality of logical partitions associated with an associated seed can access said associated seed;
  
  fifth means for utilizing a first seed that is associated with a first one of said logical partitions to limit access to first data, which was stored by said first one of said plurality of logical partitions in the disk drive, to only said first one of said plurality of logical partitions, wherein other ones of said plurality of logical partitions that are not associated with said first seed are unable to access said first data;
  
  sixth means for sending, by an application in said first one of said plurality of logical partitions to a first operating system that is being executed by said first one of said plurality of logical partitions, a data access command to access data in said disk drive;
  
  seventh means for retrieving, by said first operating system, said first seed;
  
  eighth means for using said de-randomizer to attempt to de-randomize data, which is stored on said disk drive, using a particular read seed that is provided to said de-randomizer in a read request; and
  
  ninth means for using said randomizer data, which is provided to said randomizer by said disk drive controller, using a particular write seed that is provided to said randomizer in a write request.

23. A computer program product in a computer recordable-type medium in a host coupled to a disk drive, for prohibiting unauthorized access of data that is stored on said disk drive, wherein said disk drive communicates with said host using a disk drive controller that is included in the disk drive, and wherein said disk drive controller forwards read requests and write requests to a read/write channel includes a randomizer and a de-randomizer, the computer program product comprising:
- first instructions for generating a plurality of logical partitions in said host;
  
  second instructions for associating a different unique randomizer seed with each one of said plurality of logical partitions;
  
  third instructions for keeping said seed in a trusted platform module that is included said host, wherein said trusted platform module does not exist within any of said plurality of logical partitions, and wherein said seed is not stored within said disk drive;
  
  fourth instructions for controlling, by said trusted platform module, access to said different unique randomizer seed associated with each one of said plurality of logical partitions, wherein only one of said plurality of logical partitions associated with an associated seed can access said associated seed;
  
  fifth instructions for utilizing a first seed that is associated with a first one of said logical partitions to limit access to first data, which was stored by said first one of said plurality of logical partitions in the disk drive, to only said first one of said plurality of logical partitions, wherein other ones of said plurality of logical partitions that are not associated with said first seed are unable to access said first data;
  
  sixth instructions for sending, by an application in said first one of said plurality of logical partitions to a first operating system that is being executed by said first one of said plurality of logical partitions, a data access command to access data in said disk drive;
  
  seventh instructions for retrieving, by said first operating system, said first seed;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Moore, Jason Eric, Forrer, Thomas Richard Jr., Zuzuarregui, Abel Enrique

Granted Patent

US 7,865,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 12/1466 Key-lock mechanism

Method, Apparatus, and Product for Prohibiting Unauthorized Access of Data Stored on Storage Drives

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Method, Apparatus, and Product for Prohibiting Unauthorized Access of Data Stored on Storage Drives

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others