System for ensuring data privacy and user differentiation in a distributed file system

US 7,200,747 B2
Filed: 10/31/2001
Issued: 04/03/2007
Est. Priority Date: 10/31/2001
Status: Active Grant

First Claim

Patent Images

1. A method for protecting files on a storage system, comprising:

assigning at least one read key to a file in response to a creation of said file;

assigning at least one write key to said file;

encrypting said file with said at least one write key; and

restricting access to said encrypted file by distributing said at least one read key to a first plurality of users for read-only access to said encrypted file and distributing said at least one write key to a second plurality of users for read and write access to said encrypted file.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module is configured to provide an owner the capability to differentiate between users. In particular, the security module is configured to generate an asymmetric read/write key pair for respectively decrypting/encrypting data for storage on a disk. The owner of the file may distribute the read key of the asymmetric key pair to a group of users that the owner has assigned read-permission for the encrypted data.

155 Citations

27 Claims

1. A method for protecting files on a storage system, comprising:
- assigning at least one read key to a file in response to a creation of said file;
  
  assigning at least one write key to said file;
  
  encrypting said file with said at least one write key; and
  
  restricting access to said encrypted file by distributing said at least one read key to a first plurality of users for read-only access to said encrypted file and distributing said at least one write key to a second plurality of users for read and write access to said encrypted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprisingdiscarding said at least one write key in response to a concern of security;
    - encrypting said at least one read key with a long-term key; and
      
      storing said encrypted file and encrypted at least one read key.
  - 3. The method according to claim 2, wherein said storage of said encrypted file and encrypted at least one read key is in a central location.
  - 4. The method according to claim 2, wherein said storage of said encrypted file and encrypted at least one read key is in a local location.
  - 5. The method according to claim 2, further comprising:
    - requesting access to encrypted file;
      
      accessing a complementary long-term key to said long-term key;
      
      decrypting said encrypted at least one read key with said complementary long-term key; and
      
      providing read-only access to said file after decryption.
  - 6. The method according to claim 5, wherein the at least one read key being a first read key and the at least one write key being a first write key, the first read key and the first write key forming a first read-write key pair, and the method further comprising:
    - generating a second read-write key pair for an un-encrypted fragment of said file;
      
      encrypting said modified un-encrypted said file with a write key of said second read-write key pair;
      
      encrypting a read key of said at least one read-write key pair; and
      
      storing said encrypted modified file and said encrypted read key of said at least one read-write key pair.
  - 7. The method according to claim 1, wherein said file is a file fragment of a plurality of file fragments.
  - 8. The method according to claim 7, wherein said at least one read key being a plurality of read keys, each of said plurality of read keys being assigned a corresponding file fragment of said plurality of file fragments.
  - 9. The method according to claim 7, wherein said at least one write key being a plurality of write keys, each of said plurality of write keys being assigned a corresponding file fragment of said plurality of file fragments.
  - 10. The method according to claim 7, wherein said at least one read key being a first read key and said at least one write key being a first write key, the first read key and the first write key forming an asymmetric key pair.

11. A method for ensuring data privacy, comprising:
- dividing a file into a plurality of fragments;
  
  generating a set of read-write keys, a write key for read and write access and a read key for read-only access, for each fragment of said plurality of fragments;
  
  encrypting each fragment of plurality of fragments with a respective write key of said set of read-write keys; and
  
  restricting access to said plurality of file fragments by distributing a plurality of read keys from said plurality of read-write keys to a first plurality of users for read-only access for each fragment of said plurality of fragments and distributing a plurality of said write keys of said plurality of read-write keys to a second plurality of users for read and write access for each fragment of said plurality of fragments.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method according to claim 11, further comprising:
    - requesting access to one encrypted fragment of said plurality of encrypted fragments of said file, the one encrypted fragment having associated a read key and a write key from the set of read-write keys, the read key and the write key forming a first read-write key pair, with the read key being encrypted;
      
      accessing a complementary long-term key to a long-term key;
      
      decrypting said encrypted read key with said complementary long-term key; and
      
      providing read-only access to an un-encrypted fragment of said file.
  - 13. The method according to claim 12, further comprising:
    - generating a second read-write key pair for said un-encrypted fragment of said file;
      
      encrypting said un-encrypted fragment of said file with a write key of said second read-write key pair,encrypting a read key of said second read-write key pair; and
      
      storing said encrypted modified file and said encrypted read key of said second read-write key pair.
  - 14. The method according to claim 11, further comprising:
    - discarding said plurality of write keys of said plurality of read-write keys in response to a concern of security;
      
      encrypting said plurality of read keys of said plurality of read-write keys with a long-term key; and
      
      storing said encrypted plurality of fragments and encrypted plurality of read keys.
  - 15. The method according to claim 14, wherein said storage of said encrypted plurality of fragments and encrypted plurality of read keys is in a central location.
  - 16. The method according to claim 14, wherein said storage of said encrypted plurality of fragments and encrypted plurality of read keys is in a local location.

17. A method of increasing security and efficiency in a distributed file system, said method comprising:
- specifying a fragment size;
  
  fragmenting a file according to said fragment size into at least one fragment in response to a creation of a file;
  
  encrypting said at least one fragment with a write key, for read and write access of said file, of an asymmetric read/write key pair;
  
  encrypting a read key, for read-only access of said file, of said asymmetric read/write key pair with a long-term key;
  
  distributing the read key to a first plurality of users for read-only access to said encrypted at least one fragment;
  
  distributing the write key to a second plurality of users for read and write access to said encrypted at least one fragment; and
  
  storing said encrypted at least one fragment and said encrypted read key.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method according to claim 17, further comprising:
    - receiving a request for access to said encrypted at least one fragment;
      
      authorizing said request; and
      
      providing a complementary long-term key to said long-term key to decrypt said encrypted read key.
  - 19. The method according to claim 17, further comprising:
    - requesting access to said encrypted at least one fragment;
      
      decrypting said encrypted read key with a complementary long-term key to said long-term key; and
      
      re-encrypting said read key with said long-term key of a user.
  - 20. The method according to claim 19, further comprising:
    - decrypting said re-encrypted read key with said complementary long-term key to said long-term key of said user, anddecrypting said encrypted at least one fragment with said read key.
  - 21. The method according to claim 17, further comprising:
    - receiving access to said encrypted at least one fragment;
      
      decrypting said encrypted read key with a complementary long-term key to said long-term key;
      
      decrypting said encrypted at least one fragment with said read key; and
      
      providing read-only access to said at least one fragment.
  - 22. The method according to claim 21, further comprising:
    - generating another asymmetric read-write key pair;
      
      encrypting modified said at least one fragment with a write key of said another asymmetric read-write key pair; and
      
      encrypting said read key of said another asymmetric road-write key pair with said long-term key.

23. A system for ensuring data privacy, comprising:
- a file system;
  
  a user station; and
  
  a security module configured to be executable in said user station, wherein said security module is configured to assign a read key to a file in response to a creation of said file, is also configured to assign a write key, the read key for read-only access and the write key for read and write access comprising an asymmetric read-write key pair, to said file, is further configured to encrypt said file with said write key, and is yet further configured to restricting access to said encrypted file by distributing said read key to a first plurality of users and distributing said write key to a second plurality of users.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system according to claim 23, wherein said security module comprises:
    - a key generation module to generate said asymmetric read-write key pair;
      
      an encryption/decryption module configured to encrypt said read key with a long-term key; and
      
      an authentication module configured to grant access to an encrypted fragment stored on said file system.
  - 25. The system according to claim 23, wherein said file system comprises:
    - a file controller module configured to provide access to an encrypted fragment;
      
      at least one disk drive configured to provide storage of said encrypted fragment; and
      
      a fragmenter module configured to provide a fragment size to said security module.
  - 26. The system according to claim 23, further comprising:
    - a network configured to provide a communication channel between said user station and said file system.
  - 27. The system according to claim 23, further comprising:
    - a key distribution center configured to provide storage and distribution of a complementary long-term key to a long-term key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Riedel, Erik, Swaminathan, Ram, Karamanolis, Christos, Kallahalla, Mahesh
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Cervetti; David Garcia

Application Number

US09/984,926
Publication Number

US 20030081790A1
Time in Patent Office

1,980 Days
Field of Search

713165-166
US Class Current

713/165
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

System for ensuring data privacy and user differentiation in a distributed file system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System for ensuring data privacy and user differentiation in a distributed file system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links