Method for providing access control for data items in a data repository in which storage space used by identical content is shared

US 7,398,283 B2
Filed: 10/14/2004
Issued: 07/08/2008
Est. Priority Date: 02/18/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing access control for data items in a data repository in which storage space used by identical content is shared, the method comprising:

determining a digital fingerprint from a data item using a hash function that produces digital fingerprints having a pseudorandom distribution;

depositing the data item in the data repository in response to a request by a depositing client program acting on behalf of a user or group of users, the depositing includingcomparing the determined digital fingerprint from the deposited data item to digital fingerprints of data items already stored in the data repository;

determining from the comparing of digital fingerprints, without comparing the entire contents of the deposited data item to the entire contents of a data item already stored, whether a stored data item is identical to the deposited data item; and

storing the deposited data item in the data repository if the deposited data item is not identical with any stored data item;

wherein the stored data item identical to the deposited data item is associated with an access authorization credential in response to an access authorization request by a depositing client program;

wherein the access authorization credential is associated with a named object that comprises a diaital fingerprint;

wherein the stored data item identical to the deposited data item from the data repository is retrieved in response to a request from a retrieving client program by;

using the access authorization credential to select the stored named object;

retrieving the stored named object from a database; and

using the diaital fingerprint from the retrieved named object to return the stored data item identical to the deposited data item;

wherein the user or group of users is one of a plurality of users or groups of users associated with the data repository;

wherein the access authorization credential is uniquely associated with the user or group of users;

wherein the access authorization credential does not include the digital fingerprint or any other component determined solely from the content of the stored data item identical to the deposited data item; and

wherein the data repository uses the access authorization credential to determine that the retrieving client program is authorized to retrieve the stored data item identical to the deposited data item.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing naming and access control of data items in a data repository, the method comprising having a first client program deposit a data item in the data repository, the depositing including determining a digital fingerprint from the data item, and storing the data item in the data repository at a location or locations associated with the fingerprint, having the first client program specify an object name for an object that comprises a set of data items, storing in the repository an association between the name and the set of data items, and allowing the client program to retrieve a data item from the set of data items by specifying the object name and without providing the digital fingerprint of any data item or composite of data items.

Citations

14 Claims

1. A method for providing access control for data items in a data repository in which storage space used by identical content is shared, the method comprising:
- determining a digital fingerprint from a data item using a hash function that produces digital fingerprints having a pseudorandom distribution;
  
  depositing the data item in the data repository in response to a request by a depositing client program acting on behalf of a user or group of users, the depositing includingcomparing the determined digital fingerprint from the deposited data item to digital fingerprints of data items already stored in the data repository;
  
  determining from the comparing of digital fingerprints, without comparing the entire contents of the deposited data item to the entire contents of a data item already stored, whether a stored data item is identical to the deposited data item; and
  
  storing the deposited data item in the data repository if the deposited data item is not identical with any stored data item;
  
  wherein the stored data item identical to the deposited data item is associated with an access authorization credential in response to an access authorization request by a depositing client program;
  
  wherein the access authorization credential is associated with a named object that comprises a diaital fingerprint;
  
  wherein the stored data item identical to the deposited data item from the data repository is retrieved in response to a request from a retrieving client program by;
  
  using the access authorization credential to select the stored named object;
  
  retrieving the stored named object from a database; and
  
  using the diaital fingerprint from the retrieved named object to return the stored data item identical to the deposited data item;
  
  wherein the user or group of users is one of a plurality of users or groups of users associated with the data repository;
  
  wherein the access authorization credential is uniquely associated with the user or group of users;
  
  wherein the access authorization credential does not include the digital fingerprint or any other component determined solely from the content of the stored data item identical to the deposited data item; and
  
  wherein the data repository uses the access authorization credential to determine that the retrieving client program is authorized to retrieve the stored data item identical to the deposited data item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 in which the named object is deleted from the repository and information about references to the stored data item identical to the deposited data item is modified.
  - 3. The method of claim 2 in which a last named object which references the stored data item identical to the deposited data item is deleted and the stored data item is deleted from the repository.
  - 4. The method of claim 1 in which the stored data item identical to the deposited data item has been used as a component of a plurality of named objects, and each of the plurality of named objects has been either deleted or modified so that the stored data item identical to the deposited data item is no longer a component of it, and the stored data item is deleted from the data repository.
  - 5. The method of claim 1 wherein the stored data item identical to the deposited data item is retrieved by using the access authorization credential to determine an access identifier;
    - using the access identifier to locate the determined fingerprint; and
      
      using the determined fingerprint to return the stored data item identical to the deposited data item.
  - 6. The method of claim 1 wherein, at the time that the depositing client program deposits the data item, there is already a stored data item in the repository identical to the deposited data item, and the depositing request does not include the full data item being deposited, and the depositing client program is required to present a proof that it possesses the entirety of the data item.
  - 7. The method of claim 6 wherein the access authorization credential includes either the proof or an authentication code provided by the data repository that shows that the proof was presented during the depositing step.
  - 8. The method of claim 6 wherein the proof that the depositing client program is required to present is computed from the content of the deposited data item and depends upon which user or group of users the depositing client program is acting on behalf of.
  - 9. The method of claim 6 wherein, after the proof has been presented, the access authorization credential is associated with an object stored in the data repository, and the presence of this object records the fact that the proof has been presented.
  - 10. The method of claim 1, wherein the access authorization credential comprises information identifying the user or group of users, and information identifying the stored data item identical to the deposited data item.
  - 11. The method of claim 10 wherein the information identifying the user or group of users is sufficient to allow the retrieval client program to learn the full name of the user or the full name of a member of the group of users.
  - 12. The method of claim 10 wherein the information identifying the stored data item identical to the deposited data item is an identifier chosen by the depositing client program independently of the content of the stored data item.
  - 13. The method of claim 1, wherein the stored data item identical to the deposited data item is retrieved by operations performed by data-server software acting on behalf of the data repository and applying a cryptographic one-way hash function to to locate the stored data item identical to the deposited data item.
  - 14. The method of claim 1 wherein the depositing client program and the retrieving client program are separate programs that act on behalf of different repository users and the access authorization credential is transmitted directly from the depositing client program to the retrieving client program in order to transmit access to the stored data item identical to the deposited data item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Burnside Acquisition, LLC
Inventors
Margolus, Norman H., Homsy, George E. II, Floyd, Jered J., Knight, Thomas F. Jr.
Primary Examiner(s)
Pham; Hung Q

Application Number

US10/967,031
Publication Number

US 20050131904A1
Time in Patent Office

1,363 Days
Field of Search

707/2, 707/10, 713/165, 713/166, 713/167, 713/180
US Class Current

1/1
CPC Class Codes

G06F 16/137   Hash-based content-based in...

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6272   by registering files or doc...

G06F 21/64   Protecting data integrity, ...

G06F 21/645   using a third party

Y10S 707/959   Network

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99953   Recoverability

Method for providing access control for data items in a data repository in which storage space used by identical content is shared

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing access control for data items in a data repository in which storage space used by identical content is shared

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links