Cascaded Data Encryption Dependent on Attributes of Physical Memory

US 20150052370A1
Filed: 10/13/2014
Published: 02/19/2015
Est. Priority Date: 04/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

encrypting input data in relation to a first auxiliary data value to provide first level ciphertext;

subsequently encrypting the first level ciphertext in relation to a second auxiliary data value associated with one or more attributes of a first physical location in a non-volatile memory to provide second level ciphertext;

storing the second level ciphertext in the first physical location of the non-volatile memory; and

subsequently migrating the input data from the first physical location to a second physical location in the non-volatile memory by partially decrypting the second level ciphertext to recover the first level ciphertext from the first physical location without recovering the corresponding input data in an unencrypted form, re-encrypting the recovered first level ciphertext using a third auxiliary data value associated with the second physical location to provide third level ciphertext, and storing the third level ciphertext in the second selected physical location while maintaining the second level ciphertext in the first physical location.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.

62 Citations

View as Search Results

20 Claims

1. A method comprising:
- encrypting input data in relation to a first auxiliary data value to provide first level ciphertext;
  
  subsequently encrypting the first level ciphertext in relation to a second auxiliary data value associated with one or more attributes of a first physical location in a non-volatile memory to provide second level ciphertext;
  
  storing the second level ciphertext in the first physical location of the non-volatile memory; and
  
  subsequently migrating the input data from the first physical location to a second physical location in the non-volatile memory by partially decrypting the second level ciphertext to recover the first level ciphertext from the first physical location without recovering the corresponding input data in an unencrypted form, re-encrypting the recovered first level ciphertext using a third auxiliary data value associated with the second physical location to provide third level ciphertext, and storing the third level ciphertext in the second selected physical location while maintaining the second level ciphertext in the first physical location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising a subsequent step of erasing the first physical location to remove the second level ciphertext stored therein.
  - 3. The method of claim 1, in which the second auxiliary data value comprises a physical block address (PBA) of the selected physical location in the non-volatile memory.
  - 4. The method of claim 1, in which the second auxiliary data value comprises an accumulated write count indicative of a total number of write events associated with the first physical location in the non-volatile memory.
  - 5. The method of claim 1, in which the first auxiliary data value comprises a logical block address (LBA) associated with the input data.
  - 6. The method of claim 1, in which the non-volatile memory comprises a flash memory array of flash memory cells.
  - 7. The method of claim 1, in which the non-volatile memory comprises a selected one of a disc memory, an array of spin-torque transfer random access memory (STRAM) cells, or an array of resistive random access memory (RRAM) cells.
  - 8. The method of claim 1, further comprising:
    - dividing the non-volatile memory into a plurality of bands each comprising a plurality of available physical locations for the storage of encrypted data;
      
      assigning a unique second auxiliary data value to each of the plurality of bands;
      
      identifying the second auxiliary data value assigned to the band which includes the first physical location; and
      
      using the identified second auxiliary data value to subsequently encrypt the first level ciphertext to provide the second level ciphertext.

9. A data storage device, comprising a memory module comprising a non-volatile solid-state memory, and a controller configured to store input data received from a host in a first physical address of the memory by applying multi-level encryption to the input data in relation to a first auxiliary data value associated with a first physical address in the non-volatile memory to generate a first set of ciphertext and by storing the first set of ciphertext to the first physical address in the non-volatile memory, the controller further configured to migrate the input user data from the first physical address to a second physical address in the non-volatile memory by decrypting the first set of ciphertext using the first auxiliary value to provide partially decrypted ciphertext that remains encrypted by at least one level of said multi-level encryption, by re-encrypting the partially decrypted ciphertext in relation to a different, second auxiliary data value associated with the second physical address in the non-volatile memory to generate a second set of ciphertext, and by writing the second set of ciphertext to the second physical address in the non-volatile memory while the first set of ciphertext remains stored in the first physical address in the non-volatile memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The data storage device of claim 9, in which the controller applies a first level of encryption using a logical block address (LBA) value associated with the input data, and applies a second level of encryption using a physical block address (PBA) value associated with the first physical address in the non-volatile memory.
  - 11. The data storage device of claim 10, in which the controller further applies the second level of encryption using an accumulated write count indicative of a total number of write operations to the first physical location.
  - 12. The data storage device of claim 9, in which memory is a flash memory, the first physical address in the non-volatile memory is disposed within a first erasure block of the flash memory, and the second physical address in the non-volatile memory is disposed within a different, second erasure block of the flash memory.
  - 13. The data storage device of claim 9, the controller migrating the data to the second physical location responsive to a garbage collection operation in which the first physical address in the non-volatile memory is prepared for an erasure operation.
  - 14. The data storage device of claim 9, in which the memory is a flash memory.
  - 15. The data storage device of claim 9, in which the memory is a spin torque transfer random access memory (STRAM).
  - 16. The data storage device of claim 9, in which the memory is a resistive random access memory (RRAM).
  - 17. The data storage device of claim 9, in which the respective first and second sets of ciphertext are respectively encrypted using a physical block address (PBA) and an accumulated write count value associated with the respective first and second physical locations.

18. A data storage device, comprising:
- a solid-state non-volatile memory module;
  
  a storage module adapted to, responsive to receipt of input data from a host device, store the input data to a first physical location in the memory module by applying multi-level encryption to the input data in relation to a first auxiliary data value associated with a first physical address in the non-volatile memory to generate a first set of ciphertext and by storing the first set of ciphertext to the first physical address in the non-volatile memory; and
  
  a migration module adapted to, responsive to a garbage collection operation, migrate the input user data from the first physical address to a second physical address in the non-volatile memory by decrypting the first set of ciphertext using the first auxiliary value to provide partially decrypted ciphertext that remains encrypted by at least one level of said multi-level encryption, by re-encrypting the partially decrypted ciphertext in relation to a different, second auxiliary data value associated with the second physical address in the non-volatile memory to generate a second set of ciphertext, and by writing the second set of ciphertext to the second physical address in the non-volatile memory while the first set of ciphertext remains stored in the first physical address in the non-volatile memory.
- View Dependent Claims (19, 20)
- - 19. The data storage device of claim 18, wherein the respective first and second sets of ciphertext are respectively encrypted using a physical block address (PBA) and an accumulated write count value associated with the respective first and second physical locations
  - 20. The data storage device of claim 18, the memory module comprising a flash memory array.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Hars, Laszlo, Matthews, Donald P. Jr.

Granted Patent

US 9,396,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/0246   in block erasable memory, e...

G06F 12/14   Protection against unauthor...

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

G06F 2212/7201   Logical to physical mapping...

G06F 2221/2107   File encryption

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0894   Escrow, recovery or storing...

Cascaded Data Encryption Dependent on Attributes of Physical Memory

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cascaded Data Encryption Dependent on Attributes of Physical Memory

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links