On-disk file format for a serverless distributed file system
First Claim
1. A method comprising:
- creating a primary data stream containing an encrypted file that is encrypted using at least one hash of some contents of the file as an encryption key; and
creating a metadata stream containing information pertaining to the encrypted file, the information including an indexing structure to index portions of the encrypted file, the indexing structure comprises a plurality of leaf nodes for corresponding portions of the file and a root having a single hash value of an array of the leaf nodes, wherein a leaf node contains an access value used to decrypt the corresponding encrypted portion and a verification value used to verify the corresponding encrypted portion.
1 Assignment
0 Petitions
Accused Products
Abstract
A file format for a serverless distributed file system is composed of two parts: a primary data stream and a metadata stream. The data stream contains a file that is divided into multiple blocks. Each block is encrypted using a hash of the block as the encryption key. The metadata stream contains a header, a structure for indexing the encrypted blocks in the primary data stream, and some user information. The indexing structure defines leaf nodes for each of the blocks. Each leaf node consists of an access value used for decryption of the associated block and a verification value used to verify the encrypted block independently of other blocks. In one implementation, the access value is formed by hashing the file block and encrypting the resultant hash value using a randomly generated key. The key is then encrypted using the user'"'"'s key as the encryption key. The verification value is formed by hashing the associated encrypted block using a one-way hash function. The file format supports verification of individual file blocks without knowledge of the randomly generated key or any user keys. To verify a block of the file, the file system traverses the tree to the appropriate leaf node associated with a target block to be verified. The file system hashes the target block and if the hash matches the access value contained in the leaf node, the block is authentic.
198 Citations
10 Claims
-
1. A method comprising:
-
creating a primary data stream containing an encrypted file that is encrypted using at least one hash of some contents of the file as an encryption key; and creating a metadata stream containing information pertaining to the encrypted file, the information including an indexing structure to index portions of the encrypted file, the indexing structure comprises a plurality of leaf nodes for corresponding portions of the file and a root having a single hash value of an array of the leaf nodes, wherein a leaf node contains an access value used to decrypt the corresponding encrypted portion and a verification value used to verify the corresponding encrypted portion.
-
-
2. A distributed file system comprising:
-
means for creating a primary data stream containing an encrypted file that is encrypted using at least one hash of some contents of the file as an encryption key; and means for creating a metadata stream containing information pertaining to the encrypted file, including means for constructing leaf nodes for corresponding blocks of the encrypted file, a leaf node containing an access value used to decrypt the corresponding block and a verification value used to verify the corresponding block. - View Dependent Claims (3, 4, 5)
-
-
6. One or more computer readable media, having computer-executable instructions that, when executed by a computer, perform a method, the method comprising:
-
creating a primary data stream containing an encrypted file composed of multiple encrypted blocks, each block being separately encrypted by a symmetric cipher that uses a hash of the block as an encryption key; and creating a metadata stream containing information pertaining to the encrypted file, the information comprising an indexing structure to index individual encrypted blocks, the indexing structure including leaf nodes for corresponding blocks, the leaf node containing an access value used to decrypt the corresponding encrypted block and a verification value used to verify the corresponding encrypted block. - View Dependent Claims (7, 8, 9, 10)
-
Specification