System and method for computer storage security

US 7,093,127 B2
Filed: 08/09/2001
Issued: 08/15/2006
Est. Priority Date: 08/09/2001
Status: Active Grant

First Claim

Patent Images

1. A method carried out in a computer for providing periodic verification of the computer during requests from the computer to a second computer over a communications system, the method comprising:

establishing an authentication handshake with the second computer; and

periodically sending messages to the second computer,wherein the second computer services the requests if the messages are valid and are received within a predetermined time interval.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that improves security of a computer storage system by requiring an initiating computer to periodically reaffirm its identity by transmitting a message to a servicing computer. The message contains a previously established authentication message and a sequence value, established by and known only to the original participants. A message must be received by the servicing computer within a predetermined time interval in order to maintain data communications between the original participants.

Citations

67 Claims

1. A method carried out in a computer for providing periodic verification of the computer during requests from the computer to a second computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer; and
  
  periodically sending messages to the second computer,wherein the second computer services the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the authentication handshake comprises an exchange of a session key and a sequence value.
  - 3. The method of claim 2 wherein the messages further comprise the session key and the sequence value.
  - 4. The method of claim 3 wherein the session key and the sequence value are processed through a one-way hash function.
  - 5. The method of claim 1 wherein the requests are to send data.
  - 6. The method of claim 1 wherein the requests are to receive data.

7. A method carried out in a computer for providing periodic verification of a second computer during requests from the second computer to the computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer;
  
  periodically receiving messages from the second computer; and
  
  servicing the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein the authentication handshake comprises an exchange of a session key and a sequence value.
  - 9. The method of claim 8 wherein the messages further comprise the session key and the sequence value.
  - 10. The method of claim 9 wherein the session key and the sequence value are processed through a one-way hash function.
  - 11. The method of claim 7 wherein the requests are to send data.
  - 12. The method of claim 7 wherein the requests are to receive data.

13. A computer storage system comprising:
- a first computer coupled to a communications system; and
  
  a second computer coupled to the communications system,wherein;
  
  the first computer establishes an authentication handshake with the second computer and periodically sends messages to the second computer;
  
  the first computer sends requests to the second computer; and
  
  the second computer services the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13 wherein the authentication handshake comprises an exchange of a session key and a sequence value.
  - 15. The system of claim 14 wherein the messages further comprise the session key and the sequence value.
  - 16. The system of claim 15 wherein the session key and the sequence value are processed through a one-way hash function.
  - 17. The system of claim 13 wherein the requests are to send data.
  - 18. The system of claim 13 wherein the requests are to receive data.

19. A computer storage system comprising:
- a first computer coupled to a communications system; and
  
  a second computer coupled to the communications system,wherein;
  
  the first computer establishes an authentication handshake with the second computer and periodically receives messages from the second computer; and
  
  the first computer receives requests from the second computer and services the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 19 wherein the authentication handshake comprises an exchange of a session key and a sequence value.
  - 21. The system of claim 20 wherein the messages further comprise the session key and the sequence value.
  - 22. The system of claim 21 wherein the session key and the sequence value are processed through a one-way hash function.
  - 23. The system of claim 19 wherein the requests are to send data.
  - 24. The system of claim 19 wherein the requests are to receive data.

25. A method carried out in a computer for providing periodic verification of at least two second computers during requests from the at least two second computers to the computer over a communications system, the method comprising:
- establishing authentication handshakes with each of the at least two second computers;
  
  periodically receiving messages from the at least two second computers, wherein the messages are different from each other; and
  
  servicing the requests from the at least two second computers if their corresponding messages are valid and received within a predetermined time interval.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25 wherein the authentication handshakes comprise exchanges of at least two session keys and at least two sequence values.
  - 27. The method of claim 26 wherein the messages further comprise the at least two session keys and the at least two sequence values.
  - 28. The method of claim 27 wherein the at least two session keys and the at least two sequence values are processed through a one-way hash function.
  - 29. The method of claim 27 further comprising:
    - reading a table for information to use in determining expected messages for each of the at least two second computers, wherein the table includes identifiers associated with the at least two second computers, session keys associated with the at least two second computers, and sequence values associated with the at least two second computers;
      
      determining the expected messages for each of the at least two second computers; and
      
      validating that the expected messages for each of the at least two second computers are identical to each of their corresponding messages from the at least two second computers.

30. A method carried out in a computer for providing periodic verification of the computer during requests from the computer to a second computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer, wherein the authentication handshake includes a session key and a sequence value; and
  
  periodically sending messages to the second computer, wherein the messages include the session key and the sequence value,wherein the second computer services the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30 wherein the requests are to send data.
  - 32. The method of claim 30 wherein the requests are to receive data.

33. A method carried out in a computer for providing periodic verification of the computer during requests from the computer to a second computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer, wherein the authentication handshake includes a session key and a sequence value; and
  
  periodically sending messages to the second computer, wherein the messages include the session key and the sequence value which are processed through a one-way hash function,wherein the second computer services the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (34, 35)
- - 34. The method of claim 33 wherein the requests are to send data.
  - 35. The method of claim 33 wherein the requests are to receive data.

36. A method carried out in a computer for providing periodic verification of a second computer during requests from the second computer to the computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer, wherein the authentication handshake includes a session key and a sequence value;
  
  periodically receiving messages from the second computer, wherein the messages include the session key and the sequence value; and
  
  servicing the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (37, 38)
- - 37. The method of claim 36 wherein the requests are to send data.
  - 38. The method of claim 36 wherein the requests are to receive data.

39. A method carried out in a computer for providing periodic verification of a second computer during requests from the second computer to the computer over a communications system, the method comprising:
- establishing an authentication handshake with the second computer, wherein the authentication handshake includes a session key and a sequence value;
  
  periodically receiving messages from the second computer, wherein the messages include the session key and the sequence value which are processed through a one-way hash function; and
  
  servicing the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (40, 41)
- - 40. The method of claim 39 wherein the requests are to send data.
  - 41. The method of claim 39 wherein the requests are to receive data.

42. A computer-executable process stored on a computer-readable medium, the computer-executable process generating periodic verification of a computer during requests from the computer to a second computer over a communications system, the computer-executable process comprising:
- code to establish by the computer an authentication handshake with the second computer, wherein the authentication handshake includes a session key and a sequence value; and
  
  code to periodically generate and send messages to the second computer, wherein the messages include the session key and the sequence value which are processed through a one-way hash function.

43. A computer-executable process stored on a computer-readable medium, the computer-executable process generating periodic verification of a computer during requests from a second computer over a communications system, the computer-executable process comprising:
- code to establish by the computer an authentication handshake with the second computer;
  
  code to periodically receive messages from the second computer messages; and
  
  code to service the requests if the messages are valid and are received within a predetermined time interval.
- View Dependent Claims (44, 45)
- - 44. The computer-executable process of claim 43 wherein the requests are to send data.
  - 45. The computer-executable process of claim 43 wherein the requests are to receive data.

46. A method carried out in an intelligent storage device for providing periodic verification of a computer during requests from the computer to the intelligent storage device over a communications system, the method comprising:
- establishing an authentication handshake with the computer, wherein the authentication handshake includes a session key and a sequence value;
  
  periodically receiving messages from the computer, wherein the messages include the session key and the sequence value which are processed through a one-way hash function; and
  
  servicing the requests if the messages are valid and are received within a predetermined time interval.

47. A method carried out in a computer for providing periodic verification of the computer during requests from the computer to an intelligent storage device over a communications system, the method comprising:
- establishing an authentication handshake with the intelligent storage device, wherein the authentication handshake includes a session key and a sequence value; and
  
  periodically sending messages to the intelligent storage device, wherein the messages include the session key and the sequence value which are processed through a one-way hash function,wherein the intelligent storage device services the requests if the messages are valid and are received within a predetermined time interval.

48. A method to protect stored data, comprising:
- receiving from a device verification information verifying the identity of the device;
  
  verifying the validity of the verification information using common information known to the device and to the processor;
  
  determining an authorization status of the device based on (1) the validity of the verification information and (2) a time the verification information is received by the processor;
  
  receiving a request from the device to access the stored data; and
  
  allowing the device to access the stored data based, at least in part, on the authorization status at the time the request is received.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 49. The method of claim 48, comprising:
    - determining the authorization status of the device based on (1) the validity of the verification information and (2) whether the verification information is received during a predetermined time interval.
  - 50. The method of claim 48, further comprising:
    - updating the common information; and
      
      instructing the device to update the common information.
  - 51. The method of claim 48, comprising establishing an initial authorization status of the device based on a predefined authentication process.
  - 52. The method of claim 48, wherein the common information comprises a sequence value.
  - 53. The method of claim 52, wherein the common information further comprises a session key.
  - 54. The method of claim 53, wherein the verification information comprises a verification value.
  - 55. The method of claim 54, further comprising:
    - updating the sequence value according to a first predetermined algorithm to generate an updated value;
      
      applying a second predetermined algorithm to the updated value to generate an expected value;
      
      comparing the expected value to the verification value; and
      
      determining the verification value to be valid if the expected value is the same as the verification value.
  - 56. The method of claim 55, wherein the first predetermined algorithm comprises updating the stored value by a predetermined increment value.
  - 57. The method of claim 55, wherein the second predetermined algorithm comprises applying a hash function to the updated value and the session key to generate the expected value.
  - 58. The method of claim 54, comprising:
    - retrieving an expected value from a table;
      
      comparing the verification value to the expected value; and
      
      determining the validity of the verification value based on the comparison.
  - 59. The method of claim 48, further comprising:
    - performing one or more times, by a processor, the following;
      
      the receiving from a device verification information verifying the identity of the device;
      
      the verifying the validity of the verification information using common information known to the device and to the processor; and
      
      the determining an authorization status of the device based on (1) the validity of the verification information and (2) the time the verification information is received by the processor.
  - 60. The method of claim 48, further comprising:
    - ceasing to service requests received from the device when verification information is not received by the processor within a predetermined time interval.
  - 61. The method of claim 48, wherein the verification information is received by the processor within a heartbeat message.

62. A method to protect stored data, comprising:
- providing authentication information to a processor responsible for managing data processing requests relating to stored data;
  
  performing, at least once during one or more time intervals having predetermined durations, the following actions;
  
  retrieving from memory a value previously received from the processor;
  
  applying a predetermined algorithm to the value to generate an encoded value; and
  
  transmitting the encoded value to the processor; and
  
  transmitting to the processor at least one data processing request relating to the stored data.
- View Dependent Claims (63, 64, 65, 66)
- - 63. The method of claim 62, wherein the predetermined algorithm comprises updating the value by a predetermined increment value.
  - 64. The method of claim 63, wherein the predetermined algorithm further comprises encoding the updated value using a session key previously provided by the processor.
  - 65. The method of claim 64, wherein the predetermined algorithm comprises a hash function.
  - 66. The method of claim 62, further comprising:
    - receiving an acknowledgment message from the processor;
      
      in response to the acknowledgment message, updating the value.

67. A system to protect stored data, comprising:
- a device configured to;
  
  transmit verification information verifying the identity of the device; and
  
  transmit at least one request to access stored data; and
  
  a processor configured to;
  
  receive from the device the verification information;
  
  verify the validity of the verification information using common information known to the device and to the processor;
  
  determine an authorization status of the device based on (1) the validity of the verification information and (2) a time the verification information is received by the processor;
  
  receive the at least one request from the device; and
  
  allow the device to access the stored data based, at least in part, on the authorization status at the time the request is received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FalconStor, Inc (Hale Capital Management LP)
Original Assignee
FalconStor, Inc (Hale Capital Management LP)
Inventors
McNulty, Stephen Anthony, Gosden, Harry John, Lallier, John Christopher
Primary Examiner(s)
Smithers, Matthew

Application Number

US09/925,976
Publication Number

US 20030033523A1
Time in Patent Office

1,832 Days
Field of Search

713/168, 713/170, 713/201, 726/2
US Class Current

713/168
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 2221/2139   Recurrent verification

H04L 63/126   the source of the received ...

H04L 9/0844   with user authentication or...

System and method for computer storage security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for computer storage security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links