Data Repository and Method for Promoting Network Storage of Data

US 20100185855A1
Filed: 03/30/2010
Published: 07/22/2010
Est. Priority Date: 02/18/2000
Status: Active Grant

First Claim

Patent Images

1. A method for client programs communicating over a network with a data repository, to store encrypted data items in the data repository, wherein the client programs encrypt the data items but do not retain information needed to decrypt the data items, the method comprising:

generating a public key and a private key;

transmitting only the public key to a first client program running on a first client machine;

creating a data key, by the first client program;

encrypting a data item, by the first client program, using the data key as the encryption key;

depositing the encrypted data item in the data repository, in response to a request by the first client program;

encrypting the data key, by the first client program, using the public key as the encryption key;

storing the encrypted data key in association with the data item, in response to a request by the first client program;

erasing unencrypted information about the data key from storage on the first client machine;

erasing unencrypted information about the data item from storage on the first client machine;

retrieving the encrypted data key from the data repository, in response to a request by a second client program running on a second client machine that is different than the first client machine and that has access to the private key;

wherein the private key is needed to decrypt data encoded using the public key; and

wherein once both erasing steps have been completed, there is no information stored on the first client machine that would enable the unencrypted data item to be recovered, either from the first client machine or from the data repository.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the invention features methods by which more than one client program connected to a network stores the same data item on a storage device of a data repository connected to the network. In one aspect, the method comprises encrypting the data item using a key derived from the content of the data item, determining a digital fingerprint of the data item, and storing the data item on the storage device at a location or locations associated with the digital fingerprint. In a second aspect, the method comprises determining a digital fingerprint of the data item, testing for whether the data item is already stored in the repository by comparing the digital fingerprint of the data item to the digital fingerprints of data items already in storage in the repository, and challenging a client that is attempting to deposit a data item already stored in the repository, to ascertain that the client has the full data item.

Citations

11 Claims

1. A method for client programs communicating over a network with a data repository, to store encrypted data items in the data repository, wherein the client programs encrypt the data items but do not retain information needed to decrypt the data items, the method comprising:
- generating a public key and a private key;
  
  transmitting only the public key to a first client program running on a first client machine;
  
  creating a data key, by the first client program;
  
  encrypting a data item, by the first client program, using the data key as the encryption key;
  
  depositing the encrypted data item in the data repository, in response to a request by the first client program;
  
  encrypting the data key, by the first client program, using the public key as the encryption key;
  
  storing the encrypted data key in association with the data item, in response to a request by the first client program;
  
  erasing unencrypted information about the data key from storage on the first client machine;
  
  erasing unencrypted information about the data item from storage on the first client machine;
  
  retrieving the encrypted data key from the data repository, in response to a request by a second client program running on a second client machine that is different than the first client machine and that has access to the private key;
  
  wherein the private key is needed to decrypt data encoded using the public key; and
  
  wherein once both erasing steps have been completed, there is no information stored on the first client machine that would enable the unencrypted data item to be recovered, either from the first client machine or from the data repository.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the depositing and storing steps are part of a backup process that makes copies in the data repository of files stored on the first client machine, allowing recovery from accidental or malicious loss of data on the first client machine without exposing files that have been erased on the first client machine to an agency that gains access to the first client machine.
  - 3. The method of claim 1 wherein the depositing and storing steps are part of an automatic storage process in which, once the erasing steps have been completed, access to the private key is required to recover the unencrypted data item.
  - 4. The method of claim 3 wherein access to data items stored in the data repository can be given to a third party by giving them access to the data key in a form that they can decrypt.
  - 5. The method of claim 4 wherein the ability to read and decrypt the encrypted data item is transmitted from one party to another without retrieving the encrypted data item.
  - 6. The method of claim 1 wherein the data key is a hash of content of the data item.
  - 7. The method of claim 6 wherein the hash used to generate the data key is the same as the hash used by another storage client program storing an identical data item on behalf of a different user of the data repository.
  - 8. The method of claim 6 wherein the hash used to generate the data key is different than the hash used by another storage client program storing an identical data item on behalf of a different user of the data repository.
  - 9. The method of claim 1 wherein storage space in the data repository is shared for identical encrypted data items deposited by independent client programs.
  - 10. The method of claim 9 wherein the data repository is divided into two parts, a public repository and a private repository, and if the data item is identical to a data item already stored in the public repository, then depositing comprises relying on a data item already stored in the public repository for subsequent retrieval, and otherwise the data item is deposited in the private repository.
  - 11. The method of claim 1 wherein a one-way hash is used to link a user of the data repository to a collection of data items that have been stored by a client program operating on the user'"'"'s behalf, and wherein when the value of the hash is not available the information stored in the data repository does not allow the collection to be identified as belonging to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Permabit Technology Corporation (International Business Machines Corporation)
Inventors
Boghosian, Bruce M., Knight, Thomas F. JR., Hartman, Sam, Margolus, Norman H., Homsy, George E. II, Floyd, Jered J., Pratt, Gill A.

Granted Patent

US 9,177,175 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 16/137   Hash-based content-based in...

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6272   by registering files or doc...

G06F 21/64   Protecting data integrity, ...

G06F 21/645   using a third party

Y10S 707/959   Network

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99953   Recoverability

Data Repository and Method for Promoting Network Storage of Data

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Data Repository and Method for Promoting Network Storage of Data

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links