Cascaded Data Encryption Dependent on Attributes of Physical Memory
First Claim
1. A method comprising:
- encrypting input data in relation to a first auxiliary data value to provide first level ciphertext;
subsequently encrypting the first level ciphertext in relation to a second auxiliary data value associated with one or more attributes of a first physical location in a non-volatile memory to provide second level ciphertext;
storing the second level ciphertext in the first physical location of the non-volatile memory; and
subsequently migrating the input data from the first physical location to a second physical location in the non-volatile memory by partially decrypting the second level ciphertext to recover the first level ciphertext from the first physical location without recovering the corresponding input data in an unencrypted form, re-encrypting the recovered first level ciphertext using a third auxiliary data value associated with the second physical location to provide third level ciphertext, and storing the third level ciphertext in the second selected physical location while maintaining the second level ciphertext in the first physical location.
0 Assignments
0 Petitions
Accused Products
Abstract
Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
62 Citations
20 Claims
-
1. A method comprising:
-
encrypting input data in relation to a first auxiliary data value to provide first level ciphertext; subsequently encrypting the first level ciphertext in relation to a second auxiliary data value associated with one or more attributes of a first physical location in a non-volatile memory to provide second level ciphertext; storing the second level ciphertext in the first physical location of the non-volatile memory; and subsequently migrating the input data from the first physical location to a second physical location in the non-volatile memory by partially decrypting the second level ciphertext to recover the first level ciphertext from the first physical location without recovering the corresponding input data in an unencrypted form, re-encrypting the recovered first level ciphertext using a third auxiliary data value associated with the second physical location to provide third level ciphertext, and storing the third level ciphertext in the second selected physical location while maintaining the second level ciphertext in the first physical location. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
- 9. A data storage device, comprising a memory module comprising a non-volatile solid-state memory, and a controller configured to store input data received from a host in a first physical address of the memory by applying multi-level encryption to the input data in relation to a first auxiliary data value associated with a first physical address in the non-volatile memory to generate a first set of ciphertext and by storing the first set of ciphertext to the first physical address in the non-volatile memory, the controller further configured to migrate the input user data from the first physical address to a second physical address in the non-volatile memory by decrypting the first set of ciphertext using the first auxiliary value to provide partially decrypted ciphertext that remains encrypted by at least one level of said multi-level encryption, by re-encrypting the partially decrypted ciphertext in relation to a different, second auxiliary data value associated with the second physical address in the non-volatile memory to generate a second set of ciphertext, and by writing the second set of ciphertext to the second physical address in the non-volatile memory while the first set of ciphertext remains stored in the first physical address in the non-volatile memory.
-
18. A data storage device, comprising:
-
a solid-state non-volatile memory module; a storage module adapted to, responsive to receipt of input data from a host device, store the input data to a first physical location in the memory module by applying multi-level encryption to the input data in relation to a first auxiliary data value associated with a first physical address in the non-volatile memory to generate a first set of ciphertext and by storing the first set of ciphertext to the first physical address in the non-volatile memory; and a migration module adapted to, responsive to a garbage collection operation, migrate the input user data from the first physical address to a second physical address in the non-volatile memory by decrypting the first set of ciphertext using the first auxiliary value to provide partially decrypted ciphertext that remains encrypted by at least one level of said multi-level encryption, by re-encrypting the partially decrypted ciphertext in relation to a different, second auxiliary data value associated with the second physical address in the non-volatile memory to generate a second set of ciphertext, and by writing the second set of ciphertext to the second physical address in the non-volatile memory while the first set of ciphertext remains stored in the first physical address in the non-volatile memory. - View Dependent Claims (19, 20)
-
Specification