BLOCK-LEVEL DATA STORAGE SECURITY SYSTEM

US 20100125730A1
Filed: 11/17/2008
Published: 05/20/2010
Est. Priority Date: 11/17/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of securely storing data in a network, the method comprising:

receiving a block of data from a client device;

splitting the block of data into a predetermined number of secondary blocks of data, each of the secondary blocks of data associated with one of a plurality of shares;

encrypting the plurality of shares with a corresponding number of different session keys, each of the session keys associated with a different physical storage device from among a plurality of physical storage devices; and

storing each secondary block of data and session key used to encrypt the secondary block of data in the share associated with the session key.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure storage appliance is disclosed, along with methods of storing and reading data in a secure storage network. The secure storage appliance is configured to present to a client a virtual disk, the virtual disk mapped to the plurality of physical storage devices. The secure storage appliance is capable of executing program instructions configured to generate a plurality of secondary blocks of data by performing splitting and encrypting operations on a block of data received from the client for storage on the virtual disk and reconstitute the block of data from at least a portion of the plurality of secondary blocks of data stored in shares on corresponding physical storage devices in response to a request from the client.

Citations

22 Claims

1. A method of securely storing data in a network, the method comprising:
- receiving a block of data from a client device;
  
  splitting the block of data into a predetermined number of secondary blocks of data, each of the secondary blocks of data associated with one of a plurality of shares;
  
  encrypting the plurality of shares with a corresponding number of different session keys, each of the session keys associated with a different physical storage device from among a plurality of physical storage devices; and
  
  storing each secondary block of data and session key used to encrypt the secondary block of data in the share associated with the session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising encrypting each session key with a workgroup key prior to storing the session key on the physical storage device associated with the session key.
  - 3. The method of claim 2, wherein the workgroup key is associated with a community of interest capable of accessing the data.
  - 4. The method of claim 2, wherein the workgroup key is stored on a key management server separate from the plurality of physical storage devices.
  - 5. The method of claim 1, wherein receiving data from the client device comprises receiving a write request from the client device, the write request associated with a virtual disk.
  - 6. The method of claim 1, wherein the virtual disk provides access to a volume mapped to a plurality of the physical storage devices.
  - 7. The method of claim 6, wherein the virtual disk appears to the client as a physical storage location.
  - 8. The method of claim 1, further comprising storing metadata defining the predetermined number of shares in a database accessible to the secure storage appliance.

9. A method of reading secured data in a network, the method comprising:
- receiving a request from a client device to read a block of data managed by a secure storage appliance;
  
  determining a number of secondary blocks of data required to reconstitute the block of data;
  
  transmitting a request for the number of secondary blocks of data to a plurality of shares located at a plurality of physical storage devices, the plurality of shares corresponding to the number of secondary blocks of data required to reconstitute the block of data, each of the secondary blocks of data representing a portion of the block of data encrypted by a different session key;
  
  receiving at least the number of secondary blocks of data required to reconstitute the block of data from the plurality of shares;
  
  reconstituting the block of data from the secondary blocks of data; and
  
  transmitting the reconstituted block of data to the client device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein reconstituting the block of data includes decrypting each of the shares received from the physical storage devices using session keys associated with each of the physical storage devices.
  - 11. The method of claim 10, further comprising decrypting each of the session keys with a workgroup key prior to decrypting the shares.
  - 12. The method of claim 11, wherein the workgroup key is associated with a community of interest capable of accessing the virtual disk.
  - 13. The method of claim 11, wherein the workgroup key is stored on a key management server separate from the physical storage devices.
  - 14. The method of claim 10, wherein each of the session keys is stored at the physical storage device associated with that session key.
  - 15. The method of claim 10, wherein the number of secondary blocks of data required to reconstitute the block of data is less than the number of secondary blocks of data stored on the physical storage devices.

16. A secure storage network comprising:
- a client,a plurality of physical storage devices having stored thereon a plurality of shares having associated therewith a corresponding plurality of session keys; and
  
  a secure storage appliance configured to present to the client a virtual disk, the virtual disk mapped to the plurality of physical storage devices, the secure storage appliance configured to;
  
  generate a plurality of secondary blocks of data by performing splitting and encrypting operations on a block of data received from the client for storage on the virtual disk; and
  
  reconstitute the block of data from at least a portion of the plurality of secondary blocks of data stored on corresponding physical storage devices in response to a request from the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The secure storage network of claim 16, wherein the secure storage appliance performs a cryptographic splitting operation to generate the plurality of shares.
  - 18. The secure storage network of claim 16, wherein each physical storage device is associated with a plurality of different session keys, each of the different session keys corresponding to a different virtual disk.
  - 19. The secure storage network of claim 16, further comprising a plurality of secure storage appliances.
  - 20. The secure storage network of claim 16, further comprising a key management server configured to store workgroup keys, wherein one of the workgroup keys is associated with the virtual disk.

21. A secure storage appliance configured to present to a client a virtual disk, the virtual disk mapped to the plurality of physical storage devices, the secure storage appliance capable of executing program instructions configured to:
- generating a plurality of secondary blocks of data by performing splitting and encrypting operations on a block of data received from the client for storage on the virtual disk; and
  
  reconstituting the block of data from at least a portion of the plurality of secondary blocks of data stored on corresponding physical storage devices in response to a request from the client.
- View Dependent Claims (22)
- - 22. The secure storage appliance of claim 21, wherein the secure storage appliance is configured to perform a cryptographic splitting operation to generate the plurality of shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Neill, Joseph P., Farina, Ralph R., Johnson, Robert, Summers, Scott, Dodgson, David, Chin, Edward, French, Albert

Application Number

US12/272,012
Publication Number

US 20100125730A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 67/1097   for distributed storage of ...

H04L 9/0833   involving conference or gro...

H04L 9/14   using a plurality of keys o...

BLOCK-LEVEL DATA STORAGE SECURITY SYSTEM

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

BLOCK-LEVEL DATA STORAGE SECURITY SYSTEM

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links