METHOD AND SYSTEM FOR IMPROVING STORAGE SECURITY IN A CLOUD COMPUTING ENVIRONMENT

US 20120131341A1
Filed: 11/22/2010
Published: 05/24/2012
Est. Priority Date: 11/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method of improving storage security in a cloud environment comprising:

interfacing a secure microcontroller with a storage controller associated with a client device in the cloud environment to authenticate a platform associated with the storage controller;

registering the storage controller with an authentication server configured to be set up in the cloud environment;

authenticating the storage controller based on a communication protocol between the client device, the authentication server and the storage controller; and

obtaining, at the client device, a signature data of the storage controller following the authentication thereof, the signature data being configured to be stored in the secure microcontroller interfaced with the storage controller.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of improving storage security in a cloud environment includes interfacing a secure microcontroller with a storage controller associated with a client device in the cloud environment to authenticate a platform associated with the storage controller and registering the storage controller with an authentication server configured to be set up in the cloud environment. The method also includes authenticating the storage controller based on a communication protocol between the client device, the authentication server and the storage controller, and obtaining, at the client device, a signature data of the storage controller following the authentication thereof. The signature data is configured to be stored in the secure microcontroller interfaced with the storage controller.

97 Citations

View as Search Results

29 Claims

1. A method of improving storage security in a cloud environment comprising:
- interfacing a secure microcontroller with a storage controller associated with a client device in the cloud environment to authenticate a platform associated with the storage controller;
  
  registering the storage controller with an authentication server configured to be set up in the cloud environment;
  
  authenticating the storage controller based on a communication protocol between the client device, the authentication server and the storage controller; and
  
  obtaining, at the client device, a signature data of the storage controller following the authentication thereof, the signature data being configured to be stored in the secure microcontroller interfaced with the storage controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein interfacing the secure microcontroller with the storage controller includes:
    - incorporating the secure microcontroller on a motherboard associated with the storage controller;
      
      rendering a Basic Input/Output System (BIOS) on the storage controller to be aware of a hardware associated with the secure microcontroller; and
      
      communicating with the authentication server through an application configured to be aware of the hardware associated with the secure microcontroller during the registration and the authentication of the storage controller, the application being configured to communicate with the secure microcontroller and the BIOS on the storage controller through an appropriate device driver.
  - 3. The method of claim 1, further comprising:
    - configuring the storage controller with a signature data of the authentication server, the authentication server also being configured to be interfaced with a secure microcontroller configured to store the signature data thereof; and
      
      configuring the authentication server with the signature data of the storage controllerprior to registering the storage controller with the authentication server.
  - 4. The method of claim 1, wherein the secure microcontroller is a Trusted Platform Module (TPM) chip.
  - 5. The method of claim 1, further comprising periodically transmitting, to the client device, the signature data of the storage controller following the authentication thereof.
  - 6. The method of claim 2, wherein the signature data of the storage controller includes a list of hashes of at least one of a version of the BIOS on the storage controller, a storage operating system version executing on the storage controller, a physical hardware identification attribute of the storage controller and a configuration information associated with the storage controller.
  - 7. The method of claim 3, wherein registering the storage controller with the authentication server includes:
    - transmitting a nonce as a challenge message from the storage controller to the authentication server;
      
      transmitting, from the authentication server to the storage controller, the signature data of the authentication server, the nonce received from the storage controller and a second nonce encrypted using a private key at the authentication server upon receipt of the challenge message from the storage controller;
      
      decrypting the message from the authentication server at the storage controller using a public portion of a key shared therebetween;
      
      transmitting, in a message, the signature data of the storage controller to the authentication server and the second nonce encrypted using a private key at the storage controller when the message from the authentication server includes the nonce transmitted from the storage controller as the challenge message, and when the authentication server is authenticated based on the signature data thereof;
      
      decrypting, at the authentication server, the message from the storage controller including the signature data thereof using the public portion of the key; and
      
      transmitting a confirmation message from the authentication server to the storage controller indicating that the storage controller is trusted when the second nonce is matched in the decrypted message, and when the signature data of the storage controller is matched in a database associated with the authentication server.
  - 8. The method of claim 7, wherein authenticating the storage controller based on the communication protocol between the client device, the authentication server and the storage controller includes:
    - requesting the authentication server to attest the storage controller through a cloud manager of the cloud environment configured to provision storage therein;
      
      transmitting an authentication request from the authentication server to the storage controller with a third nonce and the signature data of the authentication server encrypted using the private key;
      
      decrypting the encrypted third nonce and the signature data of the authentication server at the storage controller using the public portion of the key;
      
      transmitting, from the storage controller to the authentication server, the signature data of the storage controller and the third nonce encrypted using the private key after verification of the signature data of the authentication server following the decryption;
      
      decrypting the encrypted signature data of the storage controller and the third nonce at the authentication server using the public portion of the key;
      
      transmitting the signature data of the storage controller from the authentication server to the cloud manager when the signature data of the storage controller is matched in the database associated with the authentication server, and when the third nonce is matched in the decrypted content at the authentication server; and
      
      transmitting the signature data of the storage controller from the cloud manager to the client device.
  - 9. The method of claim 8, further comprising:
    - adding the storage controller to a list of trusted storage controllers associated with the authentication server following the authentication of the storage controller; and
      
      storing the appropriate key pair associated with the transmission between the authentication server and the storage controller at the authentication server.
  - 10. The method of claim 9, further comprising:
    - establishing a new key pair following rebooting of one of the storage controller and the authentication server; and
      
      registering the storage controller with the authentication server based on the new key pair.

11. A method of verifying integrity of a storage controller associated with a client device in a cloud environment comprising:
- configuring the storage controller with information associated with an authentication server set up in the cloud environment, the information being associated with a signature data of the authentication server;
  
  configuring the authentication server with a signature data associated with the storage controller;
  
  registering the storage controller with the authentication server to establish a trusted key pair therebetween;
  
  attesting the storage controller through the authentication server based on the established trusted key pair; and
  
  obtaining, at the client device, the signature data of the storage controller following the attestation thereof.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising interfacing a secure microcontroller with the storage controller to authenticate a platform associated with the storage controller,wherein the signature data of the storage controller is configured to be stored in the secure microcontroller interfaced with the storage controller.
  - 13. The method of claim 12, wherein interfacing the secure microcontroller with the storage controller includes:
    - incorporating the secure microcontroller on a motherboard associated with the storage controller;
      
      rendering a BIOS on the storage controller to be aware of a hardware associated with the secure microcontroller; and
      
      communicating with the authentication server through an application configured to be aware of the hardware associated with the secure microcontroller during the registration and the attestation of the storage controller, the application being configured to communicate with the secure microcontroller and the BIOS on the storage controller through an appropriate device driver.
  - 14. The method of claim 12, wherein the secure microcontroller is a TPM chip.
  - 15. The method of claim 12, wherein registering the storage controller with the authentication server includes:
    - transmitting a nonce as a challenge message from the storage controller to the authentication server;
      
      transmitting, from the authentication server to the storage controller, the signature data of the authentication server, the nonce received from the storage controller and a second nonce encrypted using a private key at the authentication server upon receipt of the challenge message from the storage controller;
      
      decrypting the message from the authentication server at the storage controller using a public portion of a key shared therebetween;
      
      transmitting, in a message, the signature data of the storage controller to the authentication server and the second nonce encrypted using a private key at the storage controller when the message from the authentication server includes the nonce transmitted from the storage controller as the challenge message, and when the authentication server is authenticated based on the signature data thereof;
      
      decrypting, at the authentication server, the message from the storage controller including the signature data thereof using the public portion of the key;
      
      transmitting a confirmation message from the authentication server to the storage controller indicating that the storage controller is trusted when the second nonce is matched in the decrypted message, and when the signature data of the storage controller is matched in a database associated with the authentication server; and
      
      storing the corresponding trusted key pair associated with the transmission between the authentication server and the storage controller in a memory associated with the authentication server.
  - 16. The method of claim 13, wherein the signature data of the storage controller includes a list of hashes of at least one of a version of the BIOS on the storage controller, a storage operating system version executing on the storage controller, a physical hardware identification attribute of the storage controller and a configuration information associated with the storage controller.
  - 17. The method of claim 15, wherein attesting the storage controller includes:
    - requesting the authentication server to attest the storage controller through a cloud manager of the cloud environment configured to provision storage therein;
      
      transmitting an authentication request from the authentication server to the storage controller with a third nonce and the signature data of the authentication server encrypted using the private key;
      
      decrypting the encrypted third nonce and the signature data of the authentication server at the storage controller using the public portion of the key;
      
      transmitting, from the storage controller to the authentication server, the signature data of the storage controller and the third nonce encrypted using the private key after verification of the signature data of the authentication server following the decryption;
      
      decrypting the encrypted signature data of the storage controller and the third nonce at the authentication server using the public portion of the key;
      
      transmitting the signature data of the storage controller from the authentication server to the cloud manager when the signature data of the storage controller is matched in the database associated with the authentication server, and when the third nonce is matched in the decrypted content at the authentication server; and
      
      transmitting the signature data of the storage controller from the cloud manager to the client device.
  - 18. The method of claim 17, further comprising:
    - adding the storage controller to a list of trusted storage controllers associated with the authentication server following the attestation of the storage controller.
  - 19. The method of claim 18, further comprising:
    - establishing a new trusted key pair following rebooting of one of the storage controller and the authentication server; and
      
      registering the storage controller with the authentication server based on the new key pair.

20. A cloud environment with improved storage security comprising:
- a client device;
  
  a cloud manager configured to provision storage associated with the client device in the cloud environment;
  
  a storage controller associated with the client device, the storage controller comprising a secure microcontroller interfaced therewith to authenticate a platform associated therewith; and
  
  an authentication server configured to register the storage controller and to authenticate the storage controller based on a communication protocol between the client device, the storage controller and the authentication server,wherein the client device is at least one of;
  
  automatically configured to obtain a signature data of the storage controller following the authentication thereof, andconfigured to obtain the signature data of the storage controller following the authentication thereof upon querying the storage controller, andwherein the secure microcontroller is configured to store the signature data of the storage controller therein.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The cloud environment of claim 20,wherein the secure microcontroller is incorporated on a motherboard associated with the storage controller,wherein a BIOS on the storage controller is configured to be aware of a hardware associated with the secure microcontroller,wherein the storage controller is configured to communicate with the authentication server through an application configured to be aware of the hardware associated with the secure microcontroller during the registration and the authentication of the storage controller, andwherein the application is configured to communicate with the secure microcontroller and the BIOS on the storage controller through an appropriate device driver.
  - 22. The cloud environment of claim 20, wherein, prior to registering the storage controller with the authentication server:
    - the storage controller is configured with a signature data of the authentication server, the authentication server also being configured to be interfaced with a secure microcontroller configured to store the signature data thereof, andthe authentication server is configured with the signature data of the storage controller.
  - 23. The cloud environment of claim 20, wherein the secure microcontroller is a TPM chip.
  - 24. The cloud environment of claim 20, further comprising a computer network configured to enable communication between the client device and the cloud manager.
  - 25. The cloud environment of claim 21, wherein the signature data of the storage controller includes a list of hashes of at least one of a version of the BIOS on the storage controller, a storage operating system version executing on the storage controller, a physical hardware identification attribute of the storage controller and a configuration information associated with the storage controller.
  - 26. The cloud environment of claim 22, wherein during registering the storage controller with the authentication server:
    - the storage controller is configured to transmit a nonce as a challenge message to the authentication server,the authentication server is configured to transmit the signature data thereof, the nonce received from the storage controller and a second nonce encrypted using a private key therein to the storage controller upon receipt of the challenge message from the storage controller,the storage controller is further configured to decrypt the message from the authentication server using a public portion of a key shared therebetween,the storage controller is further configured to transmit, in a message, the signature data thereof to the authentication server and the second nonce encrypted using a private key therein when the message from the authentication server includes the nonce transmitted therefrom as the challenge message, and when the authentication server is authenticated based on the signature data thereof,the authentication server is further configured to decrypt the message from the storage controller including the signature data thereof using the public portion of the key, andthe authentication server is further configured to transmit a confirmation message to the storage controller indicating that the storage controller is trusted when the second nonce is matched in the decrypted message, and when the signature data of the storage controller is matched in a database associated with the authentication server.
  - 27. The cloud environment of claim 26, wherein during authentication of the storage controller based on the communication protocol between the client device, the authentication server and the storage controller:
    - the cloud manager is configured to request the authentication server to attest the storage controller,the authentication server is further configured to transmit an authentication request to the storage controller with a third nonce and the signature data of the authentication server encrypted using the private key,the storage controller is further configured to decrypt the encrypted third nonce and the signature data of the authentication server using the public portion of the key,the storage controller is further configured to transmit, to the authentication server, the signature data thereof and the third nonce encrypted using the private key after verification of the signature data of the authentication server following the decryption,the authentication server is further configured to decrypt the encrypted signature data of the storage controller and the third nonce using the public portion of the key,the authentication server is further configured to transmit the signature data of the storage controller to the cloud manager when the signature data of the storage controller is matched in the database associated therewith, and when the third nonce is matched in the decrypted content thereat, andthe cloud manager is further configured to transmit the signature data of the storage controller to the client device.
  - 28. The cloud environment of claim 27, wherein:
    - the authentication server is further configured to add the storage controller to a list of trusted storage controllers associated therewith following the authentication of the storage controller, andthe authentication server is further configured to store the appropriate key pair associated with the transmission between the authentication server and the storage controller in a memory associated therewith.
  - 29. The cloud environment of claim 28, wherein:
    - a new key pair is established following rebooting of one of the storage controller and the authentication server, andthe authentication server is configured to register the storage controller based on the new key pair.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
Network Appliance Incorporated (NetApp, Inc.)
Inventors
MANE, Nandkumar Lalasaheb, ARASANAL, Rajashekhar Mallikarjun

Granted Patent

US 8,601,265 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 2209/127   Trusted platform modules [TPM]

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

METHOD AND SYSTEM FOR IMPROVING STORAGE SECURITY IN A CLOUD COMPUTING ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IMPROVING STORAGE SECURITY IN A CLOUD COMPUTING ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links