STORAGE SECURITY USING CRYPTOGRAPHIC SPLITTING

US 20100150341A1
Filed: 12/17/2008
Published: 06/17/2010
Est. Priority Date: 12/17/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of securing data in a data storage network, the method comprising:

receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices;

cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks;

cryptographically splitting the session key into a plurality of session key fragments;

encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and

encrypting each of the plurality of session key fragments with a workgroup key associated with a source of the block of data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for securing data in a data storage network are disclosed. One method includes receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices. The method further includes cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks, and cryptographically splitting the session key into a plurality of session key fragments. The method further includes encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares, and encrypting each of the plurality of session key fragments with a workgroup key associated with a source of the block of data.

198 Citations

22 Claims

1. A method of securing data in a data storage network, the method comprising:
- receiving at a secure storage appliance a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices;
  
  cryptographically splitting the block of data received by the secure storage appliance into a plurality of secondary data blocks;
  
  cryptographically splitting the session key into a plurality of session key fragments;
  
  encrypting each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and
  
  encrypting each of the plurality of session key fragments with a workgroup key associated with a source of the block of data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein encrypting each of the plurality of session key fragments is performed using a workgroup key.
  - 3. The method of claim 1, further comprising storing the plurality of encrypted session key fragments and the plurality of encrypted secondary data blocks on the plurality of physical storage devices.
  - 4. The method of claim 3, wherein storing the plurality of encrypted session key fragments includes storing the plurality of encrypted session key fragments in headers of a corresponding plurality of shares associated with the volume.
  - 5. The method of claim 3, further comprising:
    - accessing at least one of the plurality of encrypted session key fragments;
      
      decrypting the accessed encrypted session key fragments; and
      
      reconstituting the session key from the decrypted session key fragments.
  - 6. The method of claim 5, wherein the at least one of the plurality of encrypted session key fragments corresponds to fewer than all of the encrypted session key fragments stored on the plurality of shares.
  - 7. The method of claim 5, wherein encrypting each of the plurality of session key fragments is performed using a workgroup key, and wherein decrypting the accessed encrypted session key fragments is performed by the secure storage appliance using the workgroup key.
  - 8. The method of claim 7, wherein the workgroup key is associated with a virtual disk providing access to the volume.
  - 9. The method of claim 1, wherein the block of data is received from a client device.
  - 10. The method of claim 1, wherein the block of data is received from an application server via a storage area network connection.

11. A secure storage appliance comprising a programmable circuit configured to execute program instructions which, when executed, configure the secure storage appliance to:
- receive from a client device a block of data for storage on a volume, the volume associated with a plurality of shares distributed across a plurality of physical storage devices;
  
  cryptographically split the block of data into a plurality of secondary data blocks;
  
  cryptographically split the session key into a plurality of session key fragments;
  
  encrypt each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and
  
  encrypt each of the plurality of session key fragments with a workgroup key associated with a source of the block of data.
- View Dependent Claims (12, 13, 14)
- - 12. The secure storage appliance of claim 11, wherein the secure storage appliance is further configured to encrypt each of the plurality of session key fragments is performed using a workgroup key.
  - 13. The secure storage appliance of claim 12, wherein the workgroup key is stored on the secure storage appliance.
  - 14. The secure storage appliance of claim 11, wherein the secure storage appliance is farther configured to store the plurality of encrypted session key fragments and the plurality of encrypted secondary data blocks on the plurality of physical storage devices.

15. A secure data storage network comprising:
- a client device;
  
  a plurality of physical storage devices;
  
  a secure storage appliance communicatively connected to the client device and the plurality of physical storage devices, the secure storage appliance including a programmable circuit configured to execute program instructions which, when executed, cause the secure storage appliance to;
  
  receive from the client device a block of data for storage on a volume, the volume associated with a plurality of shares distributed across the plurality of physical storage devices;
  
  cryptographically split the block of data into a plurality of secondary data blocks;
  
  cryptographically split the session key into a plurality of session key fragments;
  
  encrypt each of the plurality of secondary data blocks with a different session key, each session key associated with at least one of the plurality of shares; and
  
  encrypt each of the plurality of session key fragments with a workgroup key associated with a source of the block of data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The secure data storage network of claim 15, further comprising a key server configured to store the workgroup key.
  - 17. The secure data storage network of claim 15, wherein the secure storage appliance is further configured to:
    - access at least one of the plurality of encrypted session key fragments;
      
      decrypt the accessed encrypted session key fragments; and
      
      reconstitute the session key from the decrypted session key fragments.
  - 18. The secure data storage network of claim 17, wherein fewer than all of the plurality of session key fragments are required to reconstitute the session key.
  - 19. The secure data storage network of claim 15, wherein the workgroup key is associated with a community of interest, the community of interest including a user of the client device.
  - 20. The secure data storage network of claim 19, wherein the client device is an application server.
  - 21. The secure data storage network of claim 15, wherein the secure storage appliance connects to the plurality of physical storage devices via a storage area network.
  - 22. The secure data storage network of claim 15, wherein the secure storage appliance connects to the client device via a storage area network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Albert French, David Dodgson, Edward Chin, Joseph Neill, Ralph Farina, Robert Johnson, Scott Summers
Original Assignee
Albert French, David Dodgson, Edward Chin, Joseph Neill, Ralph Farina, Robert Johnson, Scott Summers
Inventors
Johnson, Robert, Summers, Scott, Farina, Ralph, Dodgson, David, Chin, Edward, French, Albert, Neill, Joseph

Application Number

US12/336,568
Publication Number

US 20100150341A1
Time in Patent Office

Days
Field of Search
US Class Current

380/29
CPC Class Codes

G06F 21/805   using a security table for ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

STORAGE SECURITY USING CRYPTOGRAPHIC SPLITTING

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

198 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

STORAGE SECURITY USING CRYPTOGRAPHIC SPLITTING

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

198 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links