Light weight security for parallel access to multiple mirror sites
Abstract
A system and method for providing secured file dispersal and access control protocols based on combinatorial techniques to reduce the security overhead associated with information retrieval systems employing parallel access to mirror sites. In one aspect, a system for providing secured access to information on a network comprises a plurality of mirror servers; and at least one trusted authority (TA) server comprising file partition means for partitioning a file into a plurality of elements; combinatorial file dispersal means for permuting the elements of the file and assigning each of the permuted elements to at least one of a plurality of blocks; distribution means for distributing the plurality of blocks to at least a portion of the plurality of mirror servers; and key generation means for generating a combinatorial key comprising access information for accessing the mirror servers having blocks of the file and reconstruction information for reconstructing the file from at least a portion of the plurality of blocks.
25 Claims
1. A system for providing secured access to information on a network, comprising:
a plurality of mirror servers; and
at least one trusted authority (TA) server comprising file partition means for partitioning a file into a plurality of elements;
combinatorial file dispersal means for permuting the elements of the file and assigning each of the permuted elements to at least one of a plurality of blocks;
distribution means for distributing the plurality of blocks to at least a portion of the plurality of mirror servers; and
key generation means for generating a combinatorial key comprising access information for accessing the mirror servers having blocks of the file and reconstruction information for reconstructing the file from at least a portion of the plurality of blocks.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method for accessing information in a network comprising at least one trusted authority (TA) server and a plurality of mirror servers, the method comprising the steps of:
combinatorially dispersing a file into a plurality of blocks by the at least one TA server;
distributing the blocks to at least a portion of the plurality of mirror servers;
generating a combinatorial key by the at least one TA server, the combinatorial key comprising access information for accessing the mirror servers having blocks of the file and reconstruction information for reconstructing the file from at least a portion of the plurality of blocks; and
obtaining the combinatorial key by a client to access blocks of the file and reconstruct the file.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25.
partitioning the file into a plurality of elements;
permuting the elements; and
assigning each of the permuted elements to at least one of the plurality of blocks.
13. The method of claim 12, wherein the step of permuting the elements is performed using a cloning-based process wherein the elements are randomly permuted and the same random permutation is used for each copy of the file.
14. The method of claim 12, wherein the step of permuting the elements is performed using a balanced incomplete block design (BIBD)-based process wherein the elements are permuted deterministically using a unique permutation for each copy of the file such that each block is unique in element content.
15. The method of claim 12, wherein the step of permuting the elements comprises the step of generating k blocks for the file such that (1) any k−1 blocks are not sufficient for reconstructing the file and (2) there are k+1 combinations of blocks that can reconstruct the file using k blocks.
16. The method of claim 12, further comprising the step of inserting junk elements in the blocks to hide the content and size of the blocks.
17. The method of claim 12, further comprising the step of encrypting the blocks using a secret key to hide the content and size of the blocks.
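The dispersal of claims 12 to 16 as an added worked example; this is not the patent's own code. It assumes k+1 blocks in total (the count that claim 15's "k+1 combinations" implies), single-byte elements, a random permutation as in claim 13, and an assignment of every element to one pair of blocks; the key layout and all names are my own.

```python
import itertools
import random

def disperse(data: bytes, k: int, mirrors: list, fid: str, rng=None):
    """Disperse data into k+1 blocks (one per mirror) and build the combinatorial key.
    Elements (single bytes, an assumption) are randomly permuted (claim 13) and each is
    copied into one PAIR of blocks, cycling through all C(k+1, 2) pairs: any k blocks
    then hold every element, any k-1 blocks miss the pair of the two absent blocks."""
    rng = rng or random.SystemRandom()
    n_blocks = k + 1
    if len(mirrors) != n_blocks:
        raise ValueError("need exactly one mirror per block")
    pairs = list(itertools.combinations(range(n_blocks), 2))
    if len(data) < len(pairs):
        raise ValueError("too few elements: an empty pair would let k-1 blocks suffice")
    order = list(range(len(data)))
    rng.shuffle(order)                      # random permutation of element indices
    blocks = [bytearray() for _ in range(n_blocks)]
    locations = {}                          # element index -> [(block id, offset), ...]
    for pos, idx in enumerate(order):
        locs = []
        for b in pairs[pos % len(pairs)]:
            locs.append((b, len(blocks[b])))
            blocks[b].append(data[idx])
        locations[idx] = locs
    # Claim 16: pad every block with junk to a common length so sizes reveal nothing.
    target = max(len(b) for b in blocks)
    for b in blocks:
        b.extend(rng.getrandbits(8) for _ in range(target - len(b)))
    key = {"fid": fid, "n_elements": len(data), "mirrors": dict(enumerate(mirrors)),
           "locations": locations}         # access + reconstruction information (claim 18)
    return [bytes(b) for b in blocks], key

def reconstruct(key: dict, available: dict) -> bytes:
    """Rebuild the file from the blocks obtained (block id -> bytes) using the key."""
    out = bytearray()
    for idx in range(key["n_elements"]):
        for b, off in key["locations"][idx]:
            if b in available:
                out.append(available[b][off])
                break
        else:
            raise ValueError(f"element {idx} lives only in blocks {key['locations'][idx]}")
    return bytes(out)

def can_reconstruct(key: dict, available: dict) -> bool:
    try:
        return reconstruct(key, available) is not None
    except ValueError:
        return False
```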
18. The method of claim 11, wherein the combinatorial key comprises one of a file identifier (FID), an amount of elements associated with the file, an address of each mirror server holding at least one of the blocks, an index and an offset location of each element of the file within the block held by a corresponding mirror server, and a combination thereof.
19. The method of claim 11, wherein the step of obtaining the combinatorial key by a client to access blocks and reconstruct the file comprises the steps of:
transmitting, by the client, a request (REQ) message to the at least one TA server for requesting a file, the REQ message comprising a filename of the requested file and an address of the client;
retrieving, by the at least one TA server, a combinatorial key corresponding to the requested file;
transmitting a confirmation (CONF) message to the client from the at least one TA server, the CONF message comprising the combinatorial key;
transmitting, by the client, a polling (POLL) message to at least a portion of the plurality of mirror servers based on access information comprising the combinatorial key to obtain blocks of the file, the POLL message comprising a file identifier (FID) of the requested file and an address of the client;
transmitting, to the client, a reply (REP) message from each of the mirror servers to which a POLL message was transmitted, wherein a given REP message comprises at least one block associated with the FID, if the corresponding server is a holder of valid blocks of the file; and
reconstructing the requested file from the blocks using the reconstruction information of the combinatorial key.
20. The method of claim 19, wherein a given REP message comprises a false reply if the corresponding mirror server is not a holder of valid blocks of the file.
21. The method of claim 20, wherein a false REP message comprises a junk block.
22. The method of claim 19, wherein the step of retrieving the combinatorial key comprises the steps of:
retrieving the combinatorial key from a directory of the at least one TA server, if the requested file is within a domain of the at least one TA server; and
forwarding the REQ message to at least one additional TA server, if the requested file is within a domain of the at least one additional TA server, to access the combinatorial key of the requested file from the at least one additional server.
23. The method of claim 19, further comprising the steps of:
generating, by the at least one TA server, a time stamp corresponding to a sequence number of a next successive time cycle of a time cycle in which the timestamp is generated, each time cycle comprising a predetermined number of successive time frames of a clock tick of a network clock;
transmitting the timestamp to the client in the CONF message;
transmitting the timestamp from the client to the mirror servers in the POLL message; and
determining, by each mirror server receiving the POLL message, whether the POLL message was received in a time cycle corresponding to the timestamp in the POLL message;
wherein the step of transmitting the REP message is performed by the mirror servers only if the POLL message was received in the time cycle corresponding to the timestamp.
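The CONF/POLL/REP exchange of claims 19 to 23 as an added example, not code from the patent: the TA stamps the next time cycle, a mirror answers only inside that cycle, a non-holder answers with a junk block of the usual size, and the client keeps only replies from mirrors listed in the key. The cycle length, block length, key layout and message fields are assumptions.

```python
import secrets

FRAMES_PER_CYCLE = 8   # clock ticks per time cycle (assumption; the claim says "predetermined")
BLOCK_LEN = 16         # every block, real or junk, is this long (assumption, cf. claim 16)

def cycle_of(tick: int) -> int:
    """Sequence number of the time cycle that contains a network-clock tick."""
    return tick // FRAMES_PER_CYCLE

def ta_conf(key: dict, now_tick: int) -> dict:
    """CONF = combinatorial key + timestamp naming the NEXT cycle (claim 23)."""
    return {"key": key, "ts": cycle_of(now_tick) + 1}

def client_polls(conf: dict, client_addr: str) -> list:
    """One POLL (FID, client address, timestamp) per mirror in the key (claim 19)."""
    key = conf["key"]
    return [{"to": addr, "fid": key["fid"], "from": client_addr, "ts": conf["ts"]}
            for addr in key["mirrors"].values()]

def mirror_rep(holdings: dict, mirror_addr: str, poll: dict, arrival_tick: int):
    """Mirror side. No reply outside the stamped cycle (claim 23). A non-holder still
    replies, with a junk block of normal size, so the wire shows no difference between
    holders and non-holders (claims 20, 21). holdings maps FID -> (block id, bytes)."""
    if cycle_of(arrival_tick) != poll["ts"]:
        return None
    held = holdings.get(poll["fid"])
    if held is None:
        held = (secrets.randbelow(256), secrets.token_bytes(BLOCK_LEN))
    block_id, block = held
    return {"from": mirror_addr, "fid": poll["fid"], "block_id": block_id, "block": block}

def client_accept(conf: dict, reps: list) -> dict:
    """Keep only REPs whose sender is in the key's access information (claim 24)."""
    trusted = set(conf["key"]["mirrors"].values())
    return {r["block_id"]: r["block"] for r in reps
            if r is not None and r["from"] in trusted}
```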
24. The method of claim 11, wherein the step of obtaining the combinatorial key by a client to access blocks and reconstruct the file comprises the steps of:
transmitting, by the client, a request (REQ) message to the at least one TA server for requesting a file, the REQ message comprising a filename of the requested file and an address of the client;
retrieving, by the at least one TA server, a combinatorial key corresponding to the requested file;
transmitting a confirmation (CONF) message to the client from the at least one TA server, the CONF message comprising the combinatorial key;
transmitting, by the at least one TA server, a forward (FWD) message to at least a portion of the plurality of mirror servers based on access information comprising the combinatorial key, the FWD message comprising a file identifier (FID) of the requested file and an address of the client;
transmitting, to the client, a reply (REP) message from each of the mirror servers to which a FWD message was transmitted, wherein a given REP message comprises at least one block associated with the FID and an address of the mirror server;
accepting all REP messages having an address of a mirror server that corresponds with the access information of the combinatorial key of the CONF message; and
reconstructing the requested file from the blocks of the accepted REP messages using the reconstruction information of the combinatorial key.
25. The method of claim 24, further comprising the steps of:
generating, by the at least one TA server, a timestamp based on a sequence number of a next successive time cycle of a time cycle in which the timestamp is generated, each time cycle comprising a predetermined number of time frames of a clock tick of a network clock;
transmitting the timestamp, by the at least one TA server, to the client in the CONF message and to each mirror server in the FWD message;
transmitting the timestamp received by the mirror servers in the FWD message to the client in the REP messages; and
accepting the REP messages having a timestamp that corresponds to the timestamp of the CONF message.
Specification