Storage controller conditioning host access to stored data according to security key stored in host-inaccessible metadata

US 6,446,209 B2
Filed: 04/03/2001
Issued: 09/03/2002
Est. Priority Date: 06/12/1998
Status: Expired due to Term

First Claim

Patent Images

1. A data storage method for use in a storage system including a storage controller serving one or more hosts where the storage controller is coupled to a digital data storage, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:

the storage controller receiving a write request from one of the hosts, the request including target data and a security key;

the storage controller storing the target data in the digital data storage and storing the security key in metadata in association with the target data;

requiring host provision of a security key with prescribed relationship to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage controller conditions host access to stored data objects upon host provision of a proposed key with matching or other prescribed relation to a security key stored in host-inaccessible metadata that is associated with the stored data object. The security key may be established upon writing the data or allocating storage space, for example. This enables the storage controller or device to be attached directly to a network without compromising security or having to add an intermediate server to perform security functions. Another implementation concerns sound recording playback devices that only play sound tracks for which the user has purchased an appropriate security key.

80 Citations

View as Search Results

50 Claims

1. A data storage method for use in a storage system including a storage controller serving one or more hosts where the storage controller is coupled to a digital data storage, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
- the storage controller receiving a write request from one of the hosts, the request including target data and a security key;
  
  the storage controller storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
  
  requiring host provision of a security key with prescribed relationship to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, the requiring operation comprising:
3. The method of claim 1, the requiring operation comprising:
- as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
4. The method of claim 1, the operation of the storage controller storing the target data comprising operations of:
- encrypting the target data with the security key and storing the encrypted target data.
5. The method of claim 1, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.

6. A data storage method for use in a storage system including a storage controller coupled to a digital data storage where the storage controller serves one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
- the storage controller receiving an allocation request from one of the hosts;
  
  the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, the requiring operation comprising:
8. The method of claim 6, the requiring operation comprising:
- as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
9. The method of claim 6, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.

10. A data security method for use in a storage system including a storage controller responsive to one or more hosts where the storage controller is coupled to a digital data storage, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
- the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
  
  the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
  
  only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
- View Dependent Claims (11, 42, 43, 44)
- - 11. The method of claim 10, the method being implemented such that the storage controller comprises a sound recording player and the host is a user.
  - 42. The method of claim 10, where:
43. The method of claim 10, wherein the operations further comprise:
- the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
  
  the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.
44. The method of claim 43, wherein:
- the access types including the following operations;
  
  reading data from the storage, and writing data to the storage; and
  
  each operation parameter designates one or more of the access types as being allowed.

12. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving data requests of one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
- the storage controller receiving a write request from one of the hosts, the request including target data and a security key;
  
  the storage controller storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The medium of claim 12, the requiring operation comprising:
14. The medium of claim 12, the requiring operation comprising:
- as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
15. The medium of claim 12, the operation of the storage controller storing the target data comprising operations of:
- encrypting the target data with the security key and storing the encrypted target data.
16. The medium of claim 12, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.

17. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving data requests of one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
- the storage controller receiving an allocation request from one of the hosts;
  
  the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
- View Dependent Claims (18, 19)
- - 18. The medium of claim 17, the requiring operation comprising:
19. The medium of claim 17, the requiring operation comprising:
- as a condition to granting future host requests to access the target data from the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.

20. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
- the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
  
  the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit the prescribed relationship; and
  
  only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
- View Dependent Claims (45, 46, 47)
- - 45. The medium of claim 20, where:
46. The medium of claim 20, wherein the operations further comprise:
- the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
  
  the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.
47. The medium of claim 46, wherein:
- the access types including the following operations;
  
  reading data from the storage, and writing data to the storage; and
  
  each operation parameter designates one or more of the access types as being allowed.

21. A data storage system accessible by one or more hosts, comprising:
- a digital data storage containing user data and describing the user data;
  
  the storage controller, coupled to the storage, and programmed to utilize the metadata to manage the user data while rendering the metadata inaccessible to hosts and to selectively access the user data on behalf of hosts by performing operations comprising;
  
  receiving a write request from one of the hosts, the request including target data and a security key;
  
  storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.
  - 23. The system of claim 21, where the storage controller is embodied by a digital data processing apparatus dedicated to managing one or more device controllers.
  - 24. The system of claim 21, where the storage controller comprises a disk drive controller and the storage comprises magnetic disk media.
  - 25. The system of claim 21, where the storage controller comprises a removable storage media controller.
  - 26. The system of claim 21, further comprising a computer network coupled to the storage controller and interconnecting the storage controller to the hosts.

27. A data storage system accessible by one or more hosts, comprising:
- a digital data storage containing user data and metadata describing the user data;
  
  a storage controller, coupled to the storage, and programmed to utilize the metadata to manage the user data while rendering the metadata inaccessible to hosts and to selectively access the user data on behalf of hosts and programmed to perform further operations comprising;
  
  the storage controller receiving an allocation request from one of the hosts;
  
  the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The system of claim 27, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.
  - 29. The system of claim 27, where the storage controller is embodied by a digital data processing apparatus dedicated to managing one or more device controllers.
  - 30. The system of claim 27, where the storage controller comprises a disk drive controller and the storage comprises magnetic disk media.
  - 31. The system of claim 27, where the storage controller comprises a controller for removable storage media.
  - 32. The system of claim 27, further comprising a computer network coupled to the storage controller and interconnecting the storage controller to the hosts.

33. A storage controller programmed to perform operations to manage access to digital data storage containing host-accessible user data accessible by the storage controller on behalf of hosts and also containing host-inaccessible metadata accessible by the storage controller to manage storage of the host-accessible data, the operations comprising:
- the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
  
  the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
  
  only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
- View Dependent Claims (34, 48, 49, 50)
- - 34. The storage controller of claim 33, the storage controller being programmed such that the execution of the storage access requests comprises playback of recorded sounds contained on the digital data storage.
  - 48. The storage controller of claim 33, where the storage controller is programmed such that:
49. The storage controller of claim 33, the storage controller being programmed such that the operations further comprise:
- the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
  
  the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.
50. The controller of claim 49, wherein the controller is programmed such that:
- the access types including the following operations;
  
  reading data from the storage, and writing data to the storage; and
  
  each operation parameter designates one or more of the access types as being allowed.

35. A data storage system accessible by one or more hosts, comprising:
- digital data storage means for containing user data; and
  
  the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts selectively accessing the user data on behalf of host;
  
  receiving a write request from one of the hosts, the request including target data and a security key;
  
  storing the target data in the storage means and storing the security key in metadata in association with the target data;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the storage means.

36. A data storage system accessible by one or more hosts, comprising:
- digital data storage means for containing user data and metadata describing the user data;
  
  the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts selectively accessing the user data on behalf of hosts and managing access to the digital data storage by hosts by;
  
  the storage controller receiving an allocation request from one of the hosts;
  
  the storage controller allocating a region of the storage means and storing a security key in metadata associated with the allocated region;
  
  requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the storage means.

37. A data storage system accessible by one or more hosts, comprising:
- digital data storage means for containing user data and metadata describing the user data;
  
  the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts selectively accessing the user data on behalf of hosts and managing access to the digital data storage by hosts by;
  
  the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the storage means;
  
  the storage controller retrieving a security key stored in metadata of the requested data object in the storage means, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
  
  only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.

38. A method of distributing sound recordings with selective playback characteristics, comprising operations of:
- distributing machine-readable data storage media to customers, each including numerous sound segments each segment including a sound recording and metadata including an associated security key;
  
  where the data storage media have a format that is unreadable by conventional playback devices, by including specific structure for use by playback devices requiring customer input of a security key with prescribed relationship to the stored security key as a condition to playback of the sound recording associated with the security key;
  
  selling security keys to customers.
- View Dependent Claims (39, 40, 41)
- - 39. The method of claim 38, where certain sound segments are associated with multiple security keys such that different keys provide access to different combinations of sound segments.
  - 40. The method of claim 39, where one security key provides access to all sound segments on a data storage medium.
  - 41. The method of claim 39, where some data storage media have sound segments that do not include any associated security key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sovik, Mark Anthony, Kern, Robert Frederic
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/825,456
Publication Number

US 20010052073A1
Time in Patent Office

518 Days
Field of Search

713/164, 713/165, 713/168, 713/200, 713/201, 713/193
US Class Current

713/193
CPC Class Codes

G06F 21/1077 Recurrent authorisation

Storage controller conditioning host access to stored data according to security key stored in host-inaccessible metadata

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

50 Claims

Specification

Use Cases

Quick Links

Others

Storage controller conditioning host access to stored data according to security key stored in host-inaccessible metadata

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

50 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others