METHODS FOR CRYPTOGRAPHIC DELEGATION AND ENFORCEMENT OF DYNAMIC ACCESS TO STORED DATA

US 20170207910A1
Filed: 01/30/2017
Published: 07/20/2017
Est. Priority Date: 01/27/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for modifying a protected data object or a portion thereof stored in a memory of a computer, wherein the protected data object comprises a plurality of data blocks and one or more regions of data block metadata, each associated with one or more of the data blocks, comprising:

generating for a first modified data block, a new per-block hash value using as a hash function input data contained in the first modified data block or a new per-block hash message authentication code (HMAC) using as hash function inputs a new per-block hash key and data contained in the first modified data block;

writing the new per-block hash value or the new per-block HMAC to data block metadata associated with the modified data block in the protected data object; and

writing the first modified data block to one of the data blocks of the protected data object.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for cryptographic delegation and enforcement of dynamic access to stored data are disclosed. An example method includes generating for a first modified data block, a new per-block hash value using as a hash function input data contained in the first modified data block or a new per-block hash message authentication code (HMAC) using as hash function inputs a new per-block hash key and data contained in the first modified data block, writing the new per-block hash value or the new per-block HMAC to data block metadata associated with the modified data block in the protected data object, and writing the first modified data block to one of the data blocks of the protected data object.

15 Citations

View as Search Results

20 Claims

1. A computer implemented method for modifying a protected data object or a portion thereof stored in a memory of a computer, wherein the protected data object comprises a plurality of data blocks and one or more regions of data block metadata, each associated with one or more of the data blocks, comprising:
- generating for a first modified data block, a new per-block hash value using as a hash function input data contained in the first modified data block or a new per-block hash message authentication code (HMAC) using as hash function inputs a new per-block hash key and data contained in the first modified data block;
  
  writing the new per-block hash value or the new per-block HMAC to data block metadata associated with the modified data block in the protected data object; and
  
  writing the first modified data block to one of the data blocks of the protected data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer implemented method of claim 1 further comprising:
    - generating a new data object hash value for the data object using all or a portion of a hierarchical tree of hashes read from one or more of the regions of block metadata and/or the data object header associated with the protected data object (i) by substituting the new per-block hash value for the first modified data block for a prior per-block hash value for a corresponding first data block in a row of bottom nodes of the hash tree and recalculating all or a portion of the hash tree to produce the new data object hash value or (ii) by substituting the new per-block HMAC for the first modified data block for a prior per-block HMAC for the first corresponding data block in the row of bottom nodes of the tree of hashes and recalculating all or a portion of the tree of hashes to produce the new data object hash value.
  - 3. The computer implemented method of claim 2 further comprising:
    - generating a new data object HMAC for the data object using a data object hash key read from the data object header and the new data object hash value as inputs to a hash function, and writing the new data object HMAC to the data object header.
  - 4. The computer implemented method of claim 1 further comprising:
    - generating a new first path key for each of one or more first path keys on a first key path, including the new per-block hash key but excepting a data object decryption key, in a hierarchical key tree, wherein all keys on the key path other than the new per-block hash key are decryption keys, read from one or more of the regions of data block metadata and a data object header, and associated with the protected data object.
  - 5. The computer implemented method of claim 4 further comprising:
    - logically inserting the new per-block hash key into a node in a bottom row of the hierarchical key tree corresponding to the first modified data block and inserting the new first path keys into their respective nodes on the first key path; and
      
      starting with the new per-block hash key for the first modified data block, encrypting, using one or more encryption algorithms selected from a set of second encryption algorithms, each of the new first path keys on the first key path with a new encryption key that corresponds to the next of the new first path decryption.
  - 6. The computer implemented method of claim 5 further comprising:
    - writing the encrypted new first path keys to one or more regions of the data block metadata of the protected data object.
  - 7. The computer implemented method of claim 1 further comprising:
    - incrementing a version number of the data object.

8. A tangible computer readable storage device comprising instructions that, when executed modify a protected data object or a portion thereof stored in a memory of a computer, wherein the protected data object comprises a plurality of data blocks and one or more regions of data block metadata, each associated with one or more of the data blocks, the instructions, when executed, cause a machine to:
- generate for a first modified data block, a new per-block hash value using as a hash function input data contained in the first modified data block or a new per-block hash message authentication code (HMAC) using as hash function inputs a new per-block hash key and data contained in the first modified data block;
  
  write the new per-block hash value or the new per-block HMAC to data block metadata associated with the modified data block in the protected data object; and
  
  write the first modified data block to one of the data blocks of the protected data object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The tangible computer readable storage device of claim 8, wherein the instructions, when executed cause the machine to:
    - generate a new data object hash value for the data object using all or a portion of a hierarchical tree of hashes read from one or more of the regions of block metadata and/or the data object header associated with the protected data object (i) by substituting the new per-block hash value for the first modified data block for a prior per-block hash value for a corresponding first data block in a row of bottom nodes of the hash tree and recalculating all or a portion of the hash tree to produce the new data object hash value or (ii) by substituting the new per-block HMAC for the first modified data block for a prior per-block HMAC for the first corresponding data block in the row of bottom nodes of the tree of hashes and recalculating all or a portion of the tree of hashes to produce the new data object hash value.
  - 10. The tangible computer readable storage device of claim 9, wherein the instructions, when executed cause the machine to:
    - generate a new data object HMAC for the data object using a data object hash key read from the data object header and the new data object hash value as inputs to a hash function, and writing the new data object HMAC to the data object header.
  - 11. The tangible computer readable storage device of claim 8, wherein the instructions, when executed cause the machine to:
    - generate a new first path key for each of one or more first path keys on a first key path, including the new per-block hash key but excepting a data object decryption key, in a hierarchical key tree, wherein all keys on the key path other than the new per-block hash key are decryption keys, read from one or more of the regions of data block metadata and a data object header, and associated with the protected data object.
  - 12. The tangible computer readable storage device of claim 11, wherein the instructions, when executed cause the machine to:
    - logically insert the new per-block hash key into a node in a bottom row of the hierarchical key tree corresponding to the first modified data block and inserting the new first path keys into their respective nodes on the first key path; and
      
      start with the new per-block hash key for the first modified data block, encrypting, using one or more encryption algorithms selected from a set of second encryption algorithms, each of the new first path keys on the first key path with a new encryption key that corresponds to the next of the new first path decryption.
  - 13. The tangible computer readable storage device of claim 12, wherein the instructions, when executed cause the machine towrite the encrypted new first path keys to one or more regions of the data block metadata of the protected data object.
  - 14. The tangible computer readable storage device of claim 8, wherein the instructions, when executed cause the machine to:
    - increment a version number of the data object.

15. A computer implemented method for enforcing access rights changes for a protected data object or a portion thereof stored in a memory of a computer, wherein the protected data object comprises a plurality of data blocks and one or more regions of data block metadata, each associated with one or more of the data blocks, comprising:
- generating a new data object hash key associated with the data object;
  
  reading, from the memory, data object metadata associated with the data object containing one or more data values from the group consisting of a data object hash value, per-block hash values associated with the data blocks, per-block hash message authentication code (HMAC) values associated with the data blocks, a data object identifier, access right information, a data object version number, time information relating to the data object, data object encoding information, and data object cryptographic key information;
  
  generating a new data object hash message authentication code (HMAC) for the data object using, as inputs to a hash function, the new data object hash key and one or more data values selected from the group of data values; and
  
  writing the new data object HMAC to the data object metadata.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer implemented method of claim 15 wherein the data object hash value is generated using a hierarchical tree of hashes associated with the protected data object wherein the hierarchical tree of hashes comprises a row of nodes wherein each of the nodes comprises a per-data block hash value associated with one or more data blocks of the protected data object.
  - 17. The computer implemented method of claim 16 wherein the generation of the data object hash message authentication code directly involves the data object hash value computed using a tree of hashes but does not directly involve the per-block hash values or the per-block HMACs.
  - 18. The computer implemented method of claim 15, further comprising:
    - prior to generating the new data object hash message authentication code, incrementing the version number for the data object; and
      
      writing the incremented version number to the data object metadata.
  - 19. The computer implemented method of claim 15 wherein the generating of the new data object hash key associated with the data object is initiated by an entity having authority to modify access rights to the protected data object.

20. A tangible computer readable storage device comprising instructions that, when executed enforce access rights changes for a protected data object or a portion thereof stored in a memory of a computer, wherein the protected data object comprises a plurality of data blocks and one or more regions of data block metadata, each associated with one or more of the data blocks, the instructions, when executed, cause a machine to:
- generate a new data object hash key associated with the data object;
  
  reading, from the memory, data object metadata associated with the data object containing one or more data values from the group consisting of a data object hash value, per-block hash values associated with the data blocks, per-block hash message authentication code (HMAC) values associated with the data blocks, a data object identifier, access right information, a data object version number, time information relating to the data object, data object encoding information, and data object cryptographic key information;
  
  generate a new data object hash message authentication code (HMAC) for the data object using, as inputs to a hash function, the new data object hash key and one or more data values selected from the group of data values; and
  
  write the new data object HMAC to the data object metadata.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
McGregor, JR., John Patrick, White, Matthew N.

Granted Patent

US 9,992,014 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0836   using tree structure or hie...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/3242   involving keyed hash functi...

METHODS FOR CRYPTOGRAPHIC DELEGATION AND ENFORCEMENT OF DYNAMIC ACCESS TO STORED DATA

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS FOR CRYPTOGRAPHIC DELEGATION AND ENFORCEMENT OF DYNAMIC ACCESS TO STORED DATA

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links