On-disk file format for a serverless distributed file system
First Claim
1. A method comprising:
segmenting a file into multiple blocks;
computing hashes of each of the blocks to produce corresponding block hash values;
encrypting the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks;
storing the encrypted blocks as a primary data stream;
creating an indexing structure to index individual encrypted blocks, the indexing structure containing a leaf node for each corresponding encrypted block, the leaf node containing an access value formed by encrypting the block hash value for the corresponding encrypted block using an access key and a verification value formed by hashing the corresponding encrypted block;
storing the indexing structure in a separate metadata stream; and
encrypting the access key using a public key of a user who is granted access to the file.
Abstract
A file format for a serverless distributed file system is composed of two parts: a primary data stream and a metadata stream. The data stream contains a file that is divided into multiple blocks. Each block is encrypted using a hash of the block as the encryption key. The metadata stream contains a header, a structure for indexing the encrypted blocks in the primary data stream, and some user information. The indexing structure defines leaf nodes for each of the blocks. Each leaf node consists of an access value used for decryption of the associated block and a verification value used to verify the encrypted block independently of other blocks. In one implementation, the access value is formed by hashing the file block and encrypting the resultant hash value using a randomly generated key. The key is then encrypted using the user's key as the encryption key. The verification value is formed by hashing the associated encrypted block using a one-way hash function. The file format supports verification of individual file blocks without knowledge of the randomly generated key or any user keys. To verify a block of the file, the file system traverses the tree to the appropriate leaf node associated with a target block to be verified. The file system hashes the target block and if the hash matches the access value contained in the leaf node, the block is authentic.
285 Citations
41 Claims
1. A method comprising:
segmenting a file into multiple blocks;
computing hashes of each of the blocks to produce corresponding block hash values;
encrypting the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks;
storing the encrypted blocks as a primary data stream;
creating an indexing structure to index individual encrypted blocks, the indexing structure containing a leaf node for each corresponding encrypted block, the leaf node containing an access value formed by encrypting the block hash value for the corresponding encrypted block using an access key and a verification value formed by hashing the corresponding encrypted block;
storing the indexing structure in a separate metadata stream; and
encrypting the access key using a public key of a user who is granted access to the file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. One or more computer readable media comprising computer-executable instructions that, when executed, direct a computing device to:
segment a file into multiple blocks;
hash each of the blocks to produce block hash values;
encrypt the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks;
create an indexing structure to index individual encrypted blocks, the indexing structure containing a leaf node for each corresponding encrypted block, the leaf node containing an access value formed by encrypting the block hash value for the corresponding encrypted block using an access key and a verification value formed by hashing the corresponding encrypted block;
encrypt the access key using a public key of a user who is granted access to the file.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
27. A component in a distributed file system in which files are stored across multiple distributed computers, the component comprising:
a segmenting module to divide a file into multiple blocks;
a hash module to hash each of the blocks to produce block hash values;
a cryptographic engine to encrypt the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks; and
an index builder to create an indexing structure for indexing individual encrypted blocks, the indexing structure containing a leaf node for each corresponding encrypted block, the leaf node containing an access value formed by encrypting the block hash value for the corresponding encrypted block using an access key and a verification value formed by hashing the corresponding encrypted block.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36
37. A data structure stored on a computer-readable medium, comprising:
multiple encrypted file blocks, each encrypted file block being encrypted by a symmetric cipher that uses a hash of the block as an encryption key; and
an indexing structure to index individual encrypted file blocks independently of other encrypted file blocks.
Dependent claims: 38, 39, 40, 41
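The block layout described in the abstract and in claims 1, 14, 27 and 37 (convergent block encryption, per-block access and verification values, key-free verification), as an added stand-alone Python example that is not from the patent or any file-system implementation. It assumes SHA-256 as the hash and, to stay standard-library only, an HMAC-SHA256 counter-mode keystream as the symmetric cipher; the block size, sample file and access key are constructed, and wrapping the access key under each user's public key is not shown.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # constructed: small so the sample file spans several blocks
# Constructed access key; in the patent it is random and then encrypted under each user's public key.
ACCESS_KEY = hashlib.sha256(b"constructed access key").digest()
SAMPLE_FILE = b"serverless distributed file system block test"  # constructed, 45 bytes -> 3 blocks


def _keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    # Stand-in symmetric cipher: HMAC-SHA256 as a PRF in counter mode, XORed over the data.
    # XOR is an involution, so the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = nonce.to_bytes(8, "big") + (i // 32).to_bytes(8, "big")
        ks = hmac.new(key, ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_file(plaintext: bytes, access_key: bytes):
    """Return (data_stream, leaves): encrypted blocks plus one (access, verification) leaf per block."""
    data_stream, leaves = [], []
    for idx, off in enumerate(range(0, len(plaintext), BLOCK_SIZE)):
        block = plaintext[off:off + BLOCK_SIZE]
        block_hash = hashlib.sha256(block).digest()                 # convergent per-block key
        enc_block = _keystream_xor(block_hash, 0, block)            # block encrypted under its own hash
        access_value = _keystream_xor(access_key, idx, block_hash)  # hash encrypted under the access key
        verification_value = hashlib.sha256(enc_block).digest()     # hash of the ciphertext block
        data_stream.append(enc_block)
        leaves.append((access_value, verification_value))
    return data_stream, leaves


def verify_block(enc_block: bytes, leaf) -> bool:
    # Needs no key at all: any node holding the metadata stream can check a single block.
    return hmac.compare_digest(hashlib.sha256(enc_block).digest(), leaf[1])


def read_block(enc_block: bytes, leaf, idx: int, access_key: bytes) -> bytes:
    # A reader who has unwrapped the access key recovers the block hash, then the plaintext.
    if not verify_block(enc_block, leaf):
        raise ValueError("block verification failed")
    block_hash = _keystream_xor(access_key, idx, leaf[0])
    block = _keystream_xor(block_hash, 0, enc_block)
    if not hmac.compare_digest(hashlib.sha256(block).digest(), block_hash):
        raise ValueError("wrong access key or corrupted access value")
    return block
```

Because the block key is derived from the block content, two files sharing a block produce identical ciphertext for it regardless of their access keys, which is what lets the system deduplicate encrypted data.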
Specification