METHOD AND APPARATUS FOR HETEROGENEOUS DATA STORAGE MANAGEMENT IN CLOUD COMPUTING

US 20180034819A1
Filed: 01/19/2015
Published: 02/01/2018
Est. Priority Date: 01/19/2015
Status: Active Grant

First Claim

Patent Images

65. An apparatus for managing data storage in a communication network, the apparatus comprising:

at least one processor; and

at least one memory including computer-executable code, wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;

receive from a first device, a request for storing a data in the apparatus;

check whether the same data has been stored in the apparatus;

in response to a check result that no same data has been stored in the apparatus, receive from the first device a data package containing at least the data in plaintext or ciphertext (CT);

in response to a check result that the same data has been stored in the apparatus, obtain a deduplication policy for the data;

when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner, contact both or either of the AP and the data owner, or only the AP, or only the data owner to conduct deduplication for the data; and

when the deduplication policy indicates deduplication to be controlled by none of the AP and the data owner, conduct deduplication for the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus are disclosed for heterogeneous data storage management in cloud computing. According to some embodiments, a method for managing data storage in a communication network comprises: receiving at a data center in the communication network from a first device, a request for storing a data in the data center; checking whether the same data has been stored in the data center; in response to a check result that no same data has been stored in the data center, receiving from the first device a data package containing at least the data in plaintext or ciphertext (CT) in response to a check result that the same data has been stored in the data center, obtaining a deduplication policy for the data; when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner, contacting both or either of the AP and the data owner, or only the AP, or only the data owner to conduct deduplication for the data; and when the deduplication policy indicates deduplication to be controlled by none of the AP and the data owner, conducting deduplication for the data at the data center. In some embodiments, the data package may contain or indicate the deduplication policy, and contain information for data holdership verification. The data center may challenge to ensure the data holdership before contacting to conduct deduplication or conducting deduplication at the data center.

Citations

84 Claims

65. An apparatus for managing data storage in a communication network, the apparatus comprising:
- at least one processor; and
  
  at least one memory including computer-executable code, wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;
  
  receive from a first device, a request for storing a data in the apparatus;
  
  check whether the same data has been stored in the apparatus;
  
  in response to a check result that no same data has been stored in the apparatus, receive from the first device a data package containing at least the data in plaintext or ciphertext (CT);
  
  in response to a check result that the same data has been stored in the apparatus, obtain a deduplication policy for the data;
  
  when the deduplication policy indicates deduplication to be controlled by both or either of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner, contact both or either of the AP and the data owner, or only the AP, or only the data owner to conduct deduplication for the data; and
  
  when the deduplication policy indicates deduplication to be controlled by none of the AP and the data owner, conduct deduplication for the data.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74, 76)
- - 66. The apparatus according to claim 65, wherein the data package further contains an index list and a hash chain information, the index list including a plurality of indexes each indicating a specific part of the data, the hash chain information including a plurality of hash information each corresponding to one index;
    - wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to;
      
      request the first device to transmit a hash information corresponding to at least one index from the index list;
      
      verify whether the first device holds the data based on the hash information from the first device corresponding to the requested at least one index; and
      
      in response to a positive verification result, contact to conduct deduplication or record a deduplication information of the data for the first device.
  - 67. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - read the deduplication policy stored in advance in the data center, or receive the deduplication policy from the data owner, or determine the deduplication policy according to the data package.
  - 68. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when the data package further contains a first cipherkey (CK) and a second CK being not equal to each other, determine deduplication to be controlled by both of the AP and the data owner, the first and second CKs being generated by separating a data encryption key (DEK) into a first DEK and a second DEK and encrypting the first and second DEKs respectively, the DEK being used for encrypting the data to obtain the CT;
      
      when the data package further contains the first and second CKs being equal to each other, determine deduplication to be controlled by either of the AP or the data owner;
      
      when the data package further contains only the first CK or only the second CK, determine deduplication to be controlled by only the AP or only the data owner; and
      
      when the data package contains no CK, determine deduplication to be controlled by none of the AP and the data owner.
  - 69. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive a re-encryption key from the AP when it is not available;
      
      re-encrypt the first CK with the re-encryption key according to a proxy re-encryption (PRE) scheme; and
      
      transmit the re-encrypted first CK to the first device such that the first device can decrypt the re-encrypted first CK with a secret key of the first device.
  - 70. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit an attribute identity (ID) of the first device to the data owner such that the data owner can issue an attribute secret key for the first device when it is eligible to decrypt the second CK according to an attribute based encryption (ABE) scheme.
  - 71. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - in response to a check result that no same data has been stored in the apparatus, request at least one further data center to check whether the same data has been stored in it;
      
      in response to a positive reply from the at least one further data center, record a deduplication information of the data for the first device,wherein the at least one further data center is able to conduct deduplication for the data;
      
      in responce to a negative reply from the at least one further data center, performing data storage accordingly .
  - 72. The apparatus according to claim 65, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive at the apparatus from a second device, a request for deleting a data;
      
      check whether the data is stored in the apparatus by the second device;
      
      in response to a positive check result, delete a record of storage of the data for the second device;
      
      delete the data when a deduplication record for the data is empty; and
      
      notify an owner of the datafor updating the CT when the deduplication record for the data is not empty; and
      
      in response to a negative check result, contact another data center that stores the data, wherein the another data center is able to delete a record of storage of the data for the second device.
  - 73. The apparatus according to claim 72, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - inquire whether the owner decides to continue deduplication control;
      
      in response to a positive decision, cooperate with the data owner to update the CT according to the deduplication policy of the data;
      
      in response to a negative decision, request another holder of the data for updating the CT, or cooperate with the data owner to update the CT according to a new deduplication policy, the new deduplication policy indicating deduplication to be controlled by only the AP.
  - 74. The apparatus according to claim 69, further comprising:
    - in response to a request for updating the CT of a data, obtain the deduplication policy for the data;
      
      when the deduplication policy indicates that AP deduplication control is needed, re-encrypt the updated first CK with the re-encryption key according to a PRE scheme; and
      
      transmit the re-encrypted updated first CK to the first device such that the first device can decrypt the re-encrypted updated first CK with a secret key of the first device;
      
      when the deduplication policy indicates that a deduplication control by the data owner is needed, informing the data owner the data identifier and the public key information of the data holder when necessary according to a ABE scheme in order to allow the data owner to perform data deduplication by issuing a secret key to the first device that can decrypt the updated second CK.
  - 76. The apparatus according to claim 74, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit in the data package an index list and a hash chain information for verifying holdership of the data for an eligible data holder, the index list including a plurality of indexes each indicating a specific part of the data, the hash chain information including a plurality of hash information each corresponding to one index.

75. An apparatus for managing data storage in a user device, the apparatus comprising:
- at least one processor; and
  
  at least one memory including computer-executable code, wherein the at least one memory and the computer-executable code are configured to, with the at least one processor, cause the apparatus to;
  
  transmit a request for storing a data to a data center;
  
  in response to a request for the data from the data center, transmit a data package containing at least the data in plaintext or ciphertext (CT) to the data center, wherein a deduplication policy for the data is contained in the data package or can be determined according to the data package, the deduplication policy indicating deduplication to be controlled by both or either or none of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner;
  
  in response to a deduplication request for the data from the data center or at least one further data center, issuing an attribute secret key to an eligible data holder according to an attribute based encryption (ABE) scheme for conducting deduplication.
- View Dependent Claims (77, 78, 79, 80, 81, 82, 83, 84)
- - 77. The apparatus according to claim 75, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for storing a second data to the data center;
      
      in response to a request for a hash information corresponding to at least one index from the data center, transmit a calculated hash information corresponding to the at least one index to the data center for verifying the holdership of the second data.
  - 78. The apparatus according to claim 75, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when the deduplication policy indicates deduplication to be controlled by both of the AP and the data owner, transmit in the data package a first cipherkey (CK) and a second CK being not equal to each other, the first and second CKs being generated by separating a data encryption key (DEK) into a first DEK and a second DEK and encrypting the first and second DEKs respectively, the DEK being used for encrypting the data to obtain the CT;
      
      when the deduplication policy indicates deduplication to be controlled by either of the AP or the data owner, transmit in the data package the first and second CKs being equal to each other;
      
      when the deduplication policy indicates deduplication to be controlled by only the AP or only the data owner, transmit in the data package only the first CK or only the second CK; and
      
      when the deduplication policy indicates deduplication to be controlled by none of the AP and the data owner, transmit the plaintext in the data package.
  - 79. The apparatus according to claim 78, wherein the first DEK is encrypted with a public key of the AP according to a proxy re-encryption (PRE) scheme;
    - andwherein the second DEK is encrypted based on an access policy, the access policy containing user identities (IDs) of users eligible for holding the data.
  - 80. The apparatus according to claim 75, wherein the deduplication request for the data contains a user ID information;
    - wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to;
      
      verify whether the user ID information represents a user eligible for holding the data; and
      
      in response to a positive verification result, generate the attribute secret key based on the user ID information.
  - 81. The apparatus according to claim 77, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - receive a re-encrypted first CK for the second data from the data center;
      
      decrypt the re-encrypted first CK with a private key of the user device to obtain the first DEK;
      
      receive an attribute secret key from an owner of the second data, and receiving the second CK for the second data from the owner of the second data or the data center;
      
      decrypt the second CK with the attribute secret key to obtain the second DEK;
      
      combine the first and second DEKs to obtain the DEK for deduplication.
  - 82. The apparatus according to claim 75, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for deleting a data to the data center;
      
      in response to a request for a hash information corresponding to at least one index from the data center, transmit a calculated hash information corresponding to the at least one index to the data center for verifying the holdership of the data;
      
      in response to a request to update the CT from the data center or at least one further data center, update the CT according to a deduplication policy of the data.
  - 83. The apparatus according to claim 82, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - when continuous deduplication control is needed, update the CT according to an original deduplication policy of the data; and
      
      when no continuous deduplication control is needed, update the CT according to a new deduplication policy, the new deduplication policy indicating deduplication to be controlled by only the AP.
  - 84. The apparatus according to claim 75, wherein the computer-executable code are further configured to, when executed by the at least one processor, cause the apparatus to:
    - transmit a request for updating a CT of a data to the data center, wherein a deduplication policy for the data is contained in the request or can be determined according to the request, the deduplication policy indicating deduplication to be controlled by both or either of an authorized party (AP) and an owner of the data, or only the AP, or only the data owner or none;
      
      when the deduplication policy indicates that data owner deduplication control is needed, issue an attribute secret key to an eligible data holder according to an attribute based encryption (ABE) scheme for conducting deduplication when the attribute secret key is not sent before.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Technologies Oy (Nokia Corporation)
Inventors
YAN, Zheng

Granted Patent

US 10,581,856 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 67/10   in which an application is ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

METHOD AND APPARATUS FOR HETEROGENEOUS DATA STORAGE MANAGEMENT IN CLOUD COMPUTING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

84 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR HETEROGENEOUS DATA STORAGE MANAGEMENT IN CLOUD COMPUTING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

84 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links