Storage controller conditioning host access to stored data according to security key stored in host-inaccessible metadata
Abstract
A storage controller conditions host access to stored data objects upon host provision of a proposed key with matching or other prescribed relation to a security key stored in host-inaccessible metadata that is associated with the stored data object. The security key may be established upon writing the data or allocating storage space, for example. This enables the storage controller or device to be attached directly to a network without compromising security or having to add an intermediate server to perform security functions. Another implementation concerns sound recording playback devices that only play sound tracks for which the user has purchased an appropriate security key.
Claims (50 claims; 80 citations)
1. A data storage method for use in a storage system including a storage controller serving one or more hosts where the storage controller is coupled to a digital data storage, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
the storage controller receiving a write request from one of the hosts, the request including target data and a security key;
the storage controller storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
requiring host provision of a security key with prescribed relationship to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
Dependent claims: 2, 3, 4, 5.

2. The method of claim 1, the requiring operation comprising:
requiring host provision of a security key matching the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
3. The method of claim 1, the requiring operation comprising:
as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
4. The method of claim 1, the operation of the storage controller storing the target data comprising operations of:
encrypting the target data with the security key and storing the encrypted target data.
5. The method of claim 1, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.
6. A data storage method for use in a storage system including a storage controller coupled to a digital data storage where the storage controller serves one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
the storage controller receiving an allocation request from one of the hosts;
the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
Dependent claims: 7, 8, 9.

7. The method of claim 6, the requiring operation comprising:
requiring host provision of a security key matching the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
8. The method of claim 6, the requiring operation comprising:
as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
9. The method of claim 6, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.
10. A data security method for use in a storage system including a storage controller responsive to one or more hosts where the storage controller is coupled to a digital data storage, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the method comprising operations of:
the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
Dependent claims: 11, 42, 43, 44.

11. The method of claim 10, wherein:
if the storage access request is a read operation, the operation of executing the storage access request further comprises reading the requested data object and using at least one of the proposed security key and retrieved security key to decode the data object.
43. The method of claim 10, wherein the operations further comprise:
the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.

44. The method of claim 43, wherein:
the access types include the following operations:
reading data from the storage, and writing data to the storage; and
each operation parameter designates one or more of the access types as being allowed.
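The mechanism claimed in claims 1, 3, 4, 6, 10, 11, 43 and 44, simulated as an added Python example (this is not code from the patent or from any product implementing it): the controller keeps a salted one-way digest of the security key in metadata that no host-facing method exposes, encodes each object under a key-derived keystream, and executes a request only when the digest of the proposed key matches the stored digest and the requested operation is listed in the object's operation parameter. The object identifiers, the PBKDF2 parameters, the HMAC-based toy keystream, the nonce handling and the `demo` scenario are all this example's own assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed simulation of the claimed scheme.  Names, the PBKDF2 parameters
# and the toy keystream cipher are this example's own choices, not the patent's.

READ = "read"
WRITE = "write"
NONCE_LEN = 16


class AccessDenied(Exception):
    """The controller aborts the request (claim 10, 'otherwise aborting')."""


@dataclass(frozen=True)
class _Metadata:
    """Host-inaccessible metadata the controller keeps for one data object."""
    salt: bytes         # per-object salt so equal keys do not yield equal digests
    key_digest: bytes   # the key after the 'predetermined encryption process' (claim 3)
    allowed: frozenset  # operation parameter: allowed access types (claims 43, 44)


def _key_digest(key: bytes, salt: bytes) -> bytes:
    # One-way processing of the host's key; the raw key is never stored, so the
    # metadata alone does not reveal it.
    return hashlib.pbkdf2_hmac("sha256", key, salt, 20_000)


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream standing in for a real cipher, so the
    # object is encoded with the key (claims 4, 11).  XOR is its own inverse.
    data_key = hmac.new(key, b"data-key" + nonce, "sha256").digest()
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(data_key, offset.to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class StorageController:
    """Hosts reach stored objects only through these methods, never _metadata."""

    def __init__(self) -> None:
        self._user_data: dict[str, bytes] = {}     # host-accessible via the controller
        self._metadata: dict[str, _Metadata] = {}  # host-inaccessible

    def allocate(self, object_id, key, allowed=frozenset({READ, WRITE})):
        # Claim 6: allocate a region and bind a security key to it in metadata.
        if object_id in self._metadata:
            raise AccessDenied(f"{object_id!r} already allocated")
        salt = os.urandom(16)
        self._metadata[object_id] = _Metadata(salt, _key_digest(key, salt), allowed)

    def write(self, object_id: str, target_data: bytes, key: bytes) -> None:
        # Claim 1: the write request carries target data and a security key; the
        # first write establishes the key, later writes must present it.
        if object_id not in self._metadata:
            self.allocate(object_id, key)
        self._check(object_id, key, WRITE)
        nonce = os.urandom(NONCE_LEN)   # fresh per write: rewrites never reuse keystream
        self._user_data[object_id] = nonce + _xor_keystream(key, nonce, target_data)

    def read(self, object_id: str, key: bytes) -> bytes:
        # Claims 10/11: check the prescribed relationship, then decode with the key.
        self._check(object_id, key, READ)
        blob = self._user_data.get(object_id, b"")
        if not blob:
            return b""                  # allocated but never written
        return _xor_keystream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

    def _check(self, object_id: str, proposed_key: bytes, op: str) -> None:
        meta = self._metadata.get(object_id)
        if meta is None:
            raise AccessDenied(f"no such object {object_id!r}")
        # Constant-time comparison of the processed proposed key with the stored digest.
        if not hmac.compare_digest(_key_digest(proposed_key, meta.salt), meta.key_digest):
            raise AccessDenied(f"security key mismatch for {object_id!r}")
        # Claims 43/44: the request type must also be listed in the operation parameter.
        if op not in meta.allowed:
            raise AccessDenied(f"{op} not permitted on {object_id!r}")


def demo() -> dict:
    """Constructed scenario: correct key, wrong key, and a read-only region."""
    ctrl = StorageController()
    ctrl.write("doc", b"payroll Q3", b"host-key-A")
    results = {"read_ok": ctrl.read("doc", b"host-key-A"),
               "medium_hides_plaintext": b"payroll Q3" not in ctrl._user_data["doc"]}
    try:
        ctrl.read("doc", b"host-key-B")
        results["wrong_key"] = "granted"
    except AccessDenied:
        results["wrong_key"] = "aborted"
    ctrl.allocate("archive", b"host-key-C", allowed=frozenset({READ}))
    try:
        ctrl.write("archive", b"new data", b"host-key-C")
        results["write_to_read_only"] = "granted"
    except AccessDenied:
        results["write_to_read_only"] = "aborted"
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter when this pattern is built for real. First, what sits in the metadata is a salted digest, so a party who reads the metadata (a repair technician, a forensic image) still cannot present the key; only the controller's comparison path, done in constant time, can confirm a proposed key. Second, the keystream here is unauthenticated, so it hides data but does not detect tampering; a production controller would use an authenticated cipher with a per-write nonce, which is why the example already stores a fresh nonce with every write.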
12. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving data requests of one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
the storage controller receiving a write request from one of the hosts, the request including target data and a security key;
the storage controller storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
Dependent claims: 13, 14, 15, 16.

13. The medium of claim 12, the requiring operation comprising:
requiring host provision of a security key matching the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
14. The medium of claim 12, the requiring operation comprising:
as a condition to granting future host requests to access the target data in the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
15. The medium of claim 12, the operation of the storage controller storing the target data comprising operations of:
encrypting the target data with the security key and storing the encrypted target data.
16. The medium of claim 12, where the digital data storage comprises a storage device including a device controller, and the storage controller is embodied by the device controller.
17. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving data requests of one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
the storage controller receiving an allocation request from one of the hosts;
the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
Dependent claims: 18, 19.

18. The medium of claim 17, the requiring operation comprising:
requiring host provision of a security key matching the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
19. The medium of claim 17, the requiring operation comprising:
as a condition to granting future host requests to access the target data from the digital data storage, requiring host provision of a security key that matches the stored security key when processed by a predetermined encryption process.
20. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform data storage operations in a storage system including a storage controller coupled to a digital data storage and serving one or more hosts, the storage containing host-accessible user data accessed by the storage controller on behalf of hosts and host-inaccessible metadata used by the storage controller to manage storage of the host-accessible data, the operations comprising:
the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit the prescribed relationship; and
only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
Dependent claims: 45, 46, 47.

45. The medium of claim 20, wherein:
if the storage access request is a read operation, the operation of executing the storage access request further comprises reading the requested data object and using at least one of the proposed security key and retrieved security key to decode the data object.
46. The medium of claim 20, wherein the operations further comprise:
the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.

47. The medium of claim 46, wherein:
the access types include the following operations:
reading data from the storage, and writing data to the storage; and
each operation parameter designates one or more of the access types as being allowed.
21. A data storage system accessible by one or more hosts, comprising:
a digital data storage containing user data and metadata describing the user data;
a storage controller, coupled to the storage, and programmed to utilize the metadata to manage the user data while rendering the metadata inaccessible to hosts and to selectively access the user data on behalf of hosts by performing operations comprising:
receiving a write request from one of the hosts, the request including target data and a security key;
storing the target data in the digital data storage and storing the security key in metadata in association with the target data;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the digital data storage.
Dependent claims: 22, 23, 24, 25, 26.

27. A data storage system accessible by one or more hosts, comprising:
a digital data storage containing user data and metadata describing the user data;
a storage controller, coupled to the storage, and programmed to utilize the metadata to manage the user data while rendering the metadata inaccessible to hosts and to selectively access the user data on behalf of hosts and programmed to perform further operations comprising:
the storage controller receiving an allocation request from one of the hosts;
the storage controller allocating a region of the digital data storage and storing a security key in metadata associated with the allocated region;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the digital data storage.
Dependent claims: 28, 29, 30, 31, 32.

33. A storage controller programmed to perform operations to manage access to digital data storage containing host-accessible user data accessible by the storage controller on behalf of hosts and also containing host-inaccessible metadata accessible by the storage controller to manage storage of the host-accessible data, the operations comprising:
the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the digital data storage;
the storage controller retrieving a security key stored in metadata of the requested data object in the digital data storage, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
Dependent claims: 34, 48, 49, 50.

48. The storage controller of claim 33, wherein:
if the storage access request is a read operation, the operation of executing the storage access request further comprises reading the requested data object and using at least one of the proposed security key and retrieved security key to decode the data object.
49. The storage controller of claim 33, the storage controller being programmed such that the operations further comprise:
the storage controller retrieving an operation parameter associated with the requested data object, said operation parameter identifying allowed access types for the requested data object;
the storage controller additionally requiring that the storage access request be allowed in order to execute the storage access request.

50. The controller of claim 49, wherein the controller is programmed such that:
the access types include the following operations:
reading data from the storage, and writing data to the storage; and
each operation parameter designates one or more of the access types as being allowed.
35. A data storage system accessible by one or more hosts, comprising:
digital data storage means for containing user data and metadata describing the user data; and
the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts, selectively accessing the user data on behalf of hosts by:
receiving a write request from one of the hosts, the request including target data and a security key;
storing the target data in the storage means and storing the security key in metadata in association with the target data;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access the target data in the storage means.
36. A data storage system accessible by one or more hosts, comprising:
digital data storage means for containing user data and metadata describing the user data;
the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts, selectively accessing the user data on behalf of hosts and managing access to the digital data storage by hosts by:
the storage controller receiving an allocation request from one of the hosts;
the storage controller allocating a region of the storage means and storing a security key in metadata associated with the allocated region;
requiring host provision of a security key with prescribed relation to the stored security key as a condition to granting future host requests to access data in the allocated region of the storage means.
37. A data storage system accessible by one or more hosts, comprising:
digital data storage means for containing user data and metadata describing the user data;
the storage controller means, coupled to the storage means, for utilizing the metadata to manage the user data while rendering the metadata inaccessible to hosts, selectively accessing the user data on behalf of hosts and managing access to the digital data storage by hosts by:
the storage controller receiving a storage access request from one of the hosts, the request including a proposed security key and an identification of a requested data object contained on the storage means;
the storage controller retrieving a security key stored in metadata of the requested data object in the storage means, and then determining whether the stored security key and the proposed security key exhibit a prescribed relationship; and
only if the proposed and stored security keys exhibit the prescribed relationship, the storage controller executing the storage access request, otherwise aborting the storage access request.
38. A method of distributing sound recordings with selective playback characteristics, comprising operations of:
distributing machine-readable data storage media to customers, each including numerous sound segments each segment including a sound recording and metadata including an associated security key;
where the data storage media have a format that is unreadable by conventional playback devices, by including specific structure for use by playback devices requiring customer input of a security key with prescribed relationship to the stored security key as a condition to playback of the sound recording associated with the security key;
selling security keys to customers.
Dependent claims: 39, 40, 41.
Specification