SECURE AND PRIVATE BACKUP STORAGE AND PROCESSING FOR TRUSTED COMPUTING AND DATA SERVICES

US 20100318782A1
Filed: 06/12/2009
Published: 12/16/2010
Est. Priority Date: 06/12/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for hosting backup data, comprising:

receiving, by at least one computing device in a first region of control from at least one computing device in a second region of control, encrypted data formed from encryption of full backup data for a defined data set of the at least one computing device in the second region of control according to at least one searchable encryption algorithm based on cryptographic key information;

receiving, by the at least one computing device in the first region of control from the at least one computing device in the second region of control, encrypted metadata formed from an analysis of the full backup data and encryption of an output of the analysis based on the cryptographic key information;

receiving trapdoor data enabling visible access to the encrypted data as defined by at least one cryptographic trapdoor of the trapdoor data; and

maintaining synthetic full data for the defined data set based on the encrypted data, encrypted metadata and trapdoor data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital escrow pattern is provided for backup data services including searchable encryption techniques for backup data, such as synthetic full backup data, stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, an operational synthetic full is maintained with encrypted data as a data service in a cryptographically secure manner that addresses integrity and privacy requirements for external or remote storage of potentially sensitive data. The storage techniques supported include backup, data protection, disaster recovery, and analytics on second copies of primary device data. Some examples of cost-effective cryptographic techniques that can be applied to facilitate establishing a high level of trust over security and privacy of backup data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof of Application, blind fingerprints, Proof of Retrievability, and others.

132 Citations

20 Claims

1. A method for hosting backup data, comprising:
- receiving, by at least one computing device in a first region of control from at least one computing device in a second region of control, encrypted data formed from encryption of full backup data for a defined data set of the at least one computing device in the second region of control according to at least one searchable encryption algorithm based on cryptographic key information;
  
  receiving, by the at least one computing device in the first region of control from the at least one computing device in the second region of control, encrypted metadata formed from an analysis of the full backup data and encryption of an output of the analysis based on the cryptographic key information;
  
  receiving trapdoor data enabling visible access to the encrypted data as defined by at least one cryptographic trapdoor of the trapdoor data; and
  
  maintaining synthetic full data for the defined data set based on the encrypted data, encrypted metadata and trapdoor data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving encrypted incremental data formed from encryption of incremental backup data for the defined data set according to at least one searchable encryption algorithm based on cryptographic key information.
  - 3. The method of claim 2, wherein the receiving includes receiving encrypted incremental data formed from at least one log generated by the at least one computing device in the second region of control, the at least one log generated since a most recent full backup or incremental backup operation.
  - 4. The method of claim 2, further comprising:
    - receiving encrypted incremental metadata formed from an analysis of the incremental backup data and encryption of an output of the analysis based on the cryptographic key information.
  - 5. The method of claim 2, further comprising:
    - receiving incremental trapdoor data enabling visible access to the encrypted incremental data as defined by at least one cryptographic trapdoor of the incremental trapdoor data.
  - 6. The method of claim 5, wherein the receiving includes receiving the incremental trapdoor data out of band of at least one network transmission.
  - 7. The method of claim 5, further comprising:
    - accessing the encrypted incremental data and encrypted incremental metadata with the trapdoor data.
  - 8. The method of claim 5, wherein the maintaining includes applying the at least one log to the synthetic full data based on the encrypted incremental data, encrypted incremental metadata and incremental trapdoor data.
  - 9. The method of claim 1, further comprising:
    - receiving a request to restore at least one data item from the defined data set;
      
      receiving at least one trapdoor for extracting the at least one data item from the encrypted data.
  - 10. The method of claim 9, further comprising:
    - packaging and transmitting the at least one at least one data item as encrypted by the cryptographic key information to at least one authorized computing device having access to the cryptographic key information.
  - 11. The method of claim 9, wherein the transmitting includes transmitting the at least one at least one data item to at least one authorized computing device having access to symmetric key data used to encrypt the at least one data item.

12. A method for publishing backup data, comprising:
- initiating, by at least one computing device in a first region of control, a full backup of primary data stored in memory of the at least one computing device to form full backup data, the full backup data for use in maintaining synthetic full backup data for the primary data by at least one remote computing device in a second region of control;
  
  generating structural metadata based on a traversal of the primary data;
  
  encrypting the primary data and the structural metadata to form encrypted data and encrypted metadata according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information; and
  
  generating at least one cryptographic trapdoor based on the cryptographic key information enabling traversal of the encrypted data as defined by the at least one cryptographic trapdoor.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein the encrypting includes encrypting the primary data in a size preserving manner.
  - 14. The method of claim 12, wherein the generating at least one cryptographic trapdoor includes enabling the at least one remote computing device to use the at least one cryptographic trapdoor to traverse the encrypted metadata.
  - 15. The method of claim 12, wherein the generating at least one cryptographic trapdoor includes enabling the at least one remote computing device to use the at least one cryptographic trapdoor to traverse the encrypted data.
  - 16. The method of claim 12, further comprising:
    - transmitting the encrypted data and encrypted metadata to a network service provider including the at least one remote computing device.
  - 17. The method of claim 16, wherein the transmitting includes transmitting to the network service provider such that the encrypted data is selectively accessible according to late binding of selected privileges granted to a requesting device based on identity information of the requesting device.
  - 18. The method of claim 12, further comprising:
    - transmitting the at least one cryptographic trapdoor to a network service provider including the at least one remote computing device.
  - 19. The method of claim 12, further comprising:
    - transmitting the encrypted data to a network service provider including the at least one remote computing device employing at least one algorithm to reduce duplicate data stored at both the at least one computing device and the at least one remote device.

20. A method for subscribing to backup data, comprising:
- requesting a restore of at least one data item of a data set of at least one subscribing computing device from a backup data service accessible via at least one network that maintains synthetic full data corresponding to the data set in a searchably encrypted format for synthetic full backup service by the backup data service;
  
  receiving the at least one data item in a searchably encrypted format; and
  
  based on cryptographic key information used to encrypt the data set accessible to the at least one subscribing device, restoring the at least one item of the data set in memory of the at least one subscribing computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Auradkar, Rahul V., D'Souza, Roy Peter

Application Number

US12/483,802
Publication Number

US 20100318782A1
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 11/1451   by selection of backup cont...

G06F 11/1464   for networked environments

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/04   Masking or blinding

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3271   using challenge-response

SECURE AND PRIVATE BACKUP STORAGE AND PROCESSING FOR TRUSTED COMPUTING AND DATA SERVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SECURE AND PRIVATE BACKUP STORAGE AND PROCESSING FOR TRUSTED COMPUTING AND DATA SERVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others