Trusted storage systems and methods
Abstract
Systems and methods are disclosed for providing a trusted database system that leverages a small amount of trusted storage to secure a larger amount of untrusted storage. Data are encrypted and validated to prevent unauthorized modification or access. Encryption and hashing are integrated with a low-level data model in which data and meta-data are secured uniformly. Synergies between data validation and log-structured storage are exploited.
15 Claims
1. A method for protecting the secrecy and integrity of data stored on a non-volatile storage medium, the method comprising:
- receiving a block of data for storage on the non-volatile storage medium;
- generating at least one piece of meta-data relating to the block of data;
- calculating a first cryptographic hash of at least a portion of the block of data;
- calculating a second cryptographic hash of the meta-data;
- encrypting the block of data and encrypting the meta-data to form one or more uniform blocks of encrypted data;
- storing a cryptographic key in a substantially secret storage medium, the key being operable to decrypt the one or more uniform blocks of encrypted data;
- storing the one or more uniform blocks of encrypted data on the non-volatile storage medium.

Dependent claims: 2, 3, 4, 5, 6.

7. A method of managing the storage of a plurality of data blocks on a storage medium, the method comprising:
- storing the plurality of data blocks on the storage medium;
- generating a hierarchical location map for locating individual ones of said plurality of blocks, the hierarchical location map including a plurality of nodes, wherein a first node type includes:
  - one or more hash values of subordinate nodes or data blocks; and
  - one or more location indicators specifying the location at which subordinate nodes or data blocks are stored on said storage medium;
- and wherein a second node type includes:
  - a hash value of a subordinate node;
  - a location indicator specifying the location at which the subordinate node is stored on said storage medium;
  - a cryptographic key for decrypting data contained in one or more subordinate nodes.

Dependent claims: 8, 9, 10.

11. A secure database system, the system comprising:
- an interface module for receiving data to be stored in the secure database;
- a data management module for generating indexing information relating to the data to be stored in the secure database;
- a validation module operable to compute a hash of at least a portion of the data to be stored in the secure database and to compute a hash of at least a portion of the indexing information;
- a cryptographic module operable to encrypt at least a portion of the data to be stored in the secure database and to encrypt at least a portion of the indexing information;
- a storage medium operable to receive chunks of encrypted data and encrypted indexing information, and to store the chunks.

12. A data storage system, comprising:
- a bulk storage device;
- a trusted processing environment;
- a computer-implemented database management system, comprising:
  - computer code for authenticating an application program that attempts to interface with the database management system;
  - computer code for receiving requests to store or retrieve data from an authenticated application program;
  - computer code for generating indexing information pertaining to data received from the authenticated application program;
  - computer code for generating hash values by hashing the data received from the authenticated application program, and for hashing the indexing information pertaining to the data received from the authenticated application program;
  - computer code for encrypting the data received from the authenticated application program, and for encrypting the indexing information pertaining to the data received from the authenticated application program;
  - computer code for storing the encrypted data and the encrypted indexing information on the bulk storage medium;
  - computer code for retrieving the encrypted data and the encrypted indexing information from the bulk storage medium;
  - computer code for decrypting the encrypted data and the encrypted indexing information;
  - computer code for authenticating the decrypted data and the decrypted indexing information using said hash values;
- wherein the computer codes for said database management system are loaded into the trusted processing environment, and are used to manage the storage and retrieval of data received from the authenticated application program.

Dependent claims: 13.

14. A computer program product for managing data received from an application program, the computer program product including:
- computer code for receiving requests to store or retrieve data from the application program;
- computer code for generating indexing information pertaining to data received from the application program;
- computer code for generating hash values by hashing the data received from the application program, and for hashing the indexing information pertaining to the data received from the application program;
- computer code for encrypting the data received from the application program, and for encrypting the indexing information pertaining to the data received from the application program;
- computer code for storing the encrypted data and the encrypted indexing information on a storage medium;
- computer code for retrieving the encrypted data and the encrypted indexing information from the storage medium;
- computer code for decrypting the encrypted data and the encrypted indexing information;
- computer code for authenticating the decrypted data and the decrypted indexing information using said hash values; and
- a computer readable storage medium for containing said computer codes.

Dependent claims: 15.
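The following is an added illustration, not code from the patent or its assignee, of the structure the claims above describe: a small trusted store (claim 1's "substantially secret storage medium", claim 12's trusted processing environment) holds only a key and a root node, while data blocks, their meta-data and the location map itself are written to untrusted storage as uniform encrypted chunks, each verified on the way back by a hash held in its parent node (claim 7's two node types). Everything here is an assumption made for the example: SHA-256 for the data and meta-data hashes, an HMAC-SHA256 counter-mode keystream as a toy stand-in for a real block cipher (a production system would use AES-GCM), JSON as the encoding of meta-data and map nodes, a 64-byte chunk size, and the constructed "accounts" rows.

```python
import hashlib
import hmac
import json
import os
import struct

CHUNK = 64   # uniform encrypted block size (constructed value for the example)


def keystream_xor(key: bytes, nonce: bytes, buf: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256.  A toy stand-in for
    a real block cipher such as AES-GCM; encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(buf), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(buf[i:i + 32], ks))
    return bytes(out)


class UntrustedDisk:
    """Bulk storage the design does not trust: anyone may read or rewrite a chunk."""
    def __init__(self):
        self.chunks = {}

    def write(self, blob: bytes) -> list:
        locs = []
        for i in range(0, len(blob), CHUNK):
            locs.append(len(self.chunks))
            self.chunks[locs[-1]] = blob[i:i + CHUNK]
        return locs

    def read(self, locs: list) -> bytes:
        return b"".join(self.chunks[loc] for loc in locs)


class TrustedStore:
    """Holds the key and the root node (claim 7's second node type) in trusted
    memory; everything else goes to the untrusted disk as uniform chunks."""
    def __init__(self, disk: UntrustedDisk):
        self.disk = disk
        self.key = os.urandom(32)     # the 'substantially secret storage medium'
        self.root = None

    def _put(self, plaintext: bytes) -> dict:
        """Hash the plaintext, pad it to whole chunks, encrypt, write.
        The returned entry (hash + nonce + locations) is stored in the parent node,
        so the hash binding is carried upward to the trusted root."""
        digest = hashlib.sha256(plaintext).hexdigest()
        pad = CHUNK - len(plaintext) % CHUNK
        nonce = os.urandom(16)
        ct = keystream_xor(self.key, nonce, plaintext + bytes([pad]) * pad)
        return {"hash": digest, "nonce": nonce.hex(), "locs": self.disk.write(ct)}

    def _get(self, entry: dict) -> bytes:
        """Read, decrypt, strip padding and verify against the hash held by the parent."""
        pt = keystream_xor(self.key, bytes.fromhex(entry["nonce"]), self.disk.read(entry["locs"]))
        pad = pt[-1]
        if not 1 <= pad <= CHUNK or hashlib.sha256(pt[:-pad]).hexdigest() != entry["hash"]:
            raise ValueError("integrity check failed at chunks %s" % entry["locs"])
        return pt[:-pad]

    def store(self, records: list) -> None:
        """records: list of (data bytes, meta-data dict).  Builds a two-level map:
        a first-type node listing hash and location of every data and meta-data
        block, and a second-type root holding that node's hash, location and the key."""
        leaf = {"entries": []}
        for data, meta in records:
            d = self._put(data)                                          # first hash: data
            m = self._put(json.dumps(meta, sort_keys=True).encode())     # second hash: meta-data
            leaf["entries"].append({"data": d, "meta": m})
        self.root = {"child": self._put(json.dumps(leaf, sort_keys=True).encode()),
                     "key": self.key}

    def load(self) -> list:
        """Walk the map from the trusted root; any modified chunk raises ValueError."""
        leaf = json.loads(self._get(self.root["child"]))
        return [(self._get(e["data"]), json.loads(self._get(e["meta"])))
                for e in leaf["entries"]]


def demo(tamper_map_node: bool = True) -> tuple:
    """Constructed run: store two rows, read them back, then flip one byte on the
    untrusted disk (in the map node, or in row 1's data chunk) and read again.
    Returns (rows read before tampering, tampering detected?, all chunks uniform?)."""
    disk = UntrustedDisk()
    store = TrustedStore(disk)
    rows = [(b"account=42;balance=100", {"table": "accounts", "row": 1}),
            (b"account=43;balance=250", {"table": "accounts", "row": 2})]
    store.store(rows)
    before = store.load()
    uniform = all(len(c) == CHUNK for c in disk.chunks.values())
    victim = store.root["child"]["locs"][0] if tamper_map_node else 0   # chunk 0 = row 1's data
    c = bytearray(disk.chunks[victim])
    c[5] ^= 0x01
    disk.chunks[victim] = bytes(c)
    try:
        store.load()
        detected = False
    except ValueError:
        detected = True
    return before, detected, uniform


if __name__ == "__main__":
    print(demo())
```

Two points the claims make are visible in the run: because meta-data and map nodes go through the same `_put` path as data, an observer of the disk sees only same-sized ciphertext chunks and cannot tell a row from an index node, and because each node's hash is stored in its parent rather than beside the node, a rewrite of any chunk, including the map node, is caught when the tree is walked down from the root that never leaves trusted storage.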