Key generation and retrieval using key servers

US 7,953,978 B2
Filed: 09/07/2006
Issued: 05/31/2011
Est. Priority Date: 09/07/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for key generation and retrieval, comprising:

storing, using a computer including a processor, unique identifiers of two or more key servers, wherein each key server generates keys for encryption of data and returns keys for decryption of data, and wherein a key request can be directed to any one of the two or more key servers;

in response to a data storage drive processing a first write to a data storage medium,receiving, from the data storage drive, a first key request asking for an encryption key to encrypt data;

identifying a first selection technique from a set of selection techniques for selecting one of the key servers to which the first key request is to be forwarded, wherein the set of selection techniques consists of a selection technique using an order of the IP addresses of the key servers, a selection technique based on local IP addresses and remote IP addresses, a selection technique using connection information, and a selection technique based on load balancing among the key servers;

selecting one of the key servers using the first selection technique by iterating through the two or more key servers until identifying a first key server;

sending, to the first key server, the first key requestin response to the first key request, receiving, from the first key server, a first response that includes an encrypted key and a protected key, wherein the protected key is decryptable by the first key server for key retrieval, and wherein the encrypted key is decrypted by the data storage drive to obtain the encryption key and used to encrypt the data; and

in response to the data storage drive processing a read to the data storage medium,receiving, from the data storage drive, a second key request asking for a decryption key to decrypt the data;

selecting another one of the key servers using a second selection technique from the set of selection techniques by iterating through the two or more key servers until identifying a second key server;

sending, to the second key server, the second key request that includes the protected key decryptable by the second key server; and

in response to the second key request, receiving, from the second key server, a second response that includes an encrypted decryption key, wherein the encrypted decryption key is decrypted by the data storage drive to obtain the decryption key and used to decrypt the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are techniques for key generation and retrieval. Unique identifiers of two or more key servers are stored, wherein each key server is capable of generating keys for encryption of data and of returning keys for decryption of data. A key request is received. A technique for selecting one of the key servers to which the key request is to be forwarded is identified. One of the key servers is selected using the identified technique. The key request is sent to the identified key server.

88 Citations

View as Search Results

24 Claims

1. A method for key generation and retrieval, comprising:
- storing, using a computer including a processor, unique identifiers of two or more key servers, wherein each key server generates keys for encryption of data and returns keys for decryption of data, and wherein a key request can be directed to any one of the two or more key servers;
  
  in response to a data storage drive processing a first write to a data storage medium,receiving, from the data storage drive, a first key request asking for an encryption key to encrypt data;
  
  identifying a first selection technique from a set of selection techniques for selecting one of the key servers to which the first key request is to be forwarded, wherein the set of selection techniques consists of a selection technique using an order of the IP addresses of the key servers, a selection technique based on local IP addresses and remote IP addresses, a selection technique using connection information, and a selection technique based on load balancing among the key servers;
  
  selecting one of the key servers using the first selection technique by iterating through the two or more key servers until identifying a first key server;
  
  sending, to the first key server, the first key requestin response to the first key request, receiving, from the first key server, a first response that includes an encrypted key and a protected key, wherein the protected key is decryptable by the first key server for key retrieval, and wherein the encrypted key is decrypted by the data storage drive to obtain the encryption key and used to encrypt the data; and
  
  in response to the data storage drive processing a read to the data storage medium,receiving, from the data storage drive, a second key request asking for a decryption key to decrypt the data;
  
  selecting another one of the key servers using a second selection technique from the set of selection techniques by iterating through the two or more key servers until identifying a second key server;
  
  sending, to the second key server, the second key request that includes the protected key decryptable by the second key server; and
  
  in response to the second key request, receiving, from the second key server, a second response that includes an encrypted decryption key, wherein the encrypted decryption key is decrypted by the data storage drive to obtain the decryption key and used to decrypt the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the unique identifiers are Internet Protocol (IP) addresses.
  - 3. The method of claim 2, wherein the local IP addresses are selected before the remote IP addresses.
  - 4. The method of claim 1, wherein a last key server to which there was a successful connection is selected before other key servers.
  - 5. The method of claim 1, further comprising:
    - returning the first response to the first key request to the data storage drive.
  - 6. The method of claim 5, wherein, in response to the data storage drive processing a key translate for the data storage medium, a third key request is received that asks to change a first encryption key and provides a second encryption key readable by each of the key servers, and wherein a third response includes a new encryption key readable by each of the key servers.
  - 7. The method of claim 5, wherein the data storage drive receives the first response, and wherein knowledge of the encryption key to encrypt the data is removed from the data storage drive once the data storage drive has used that encryption key to encrypt the data.

8. Computer-readable storage device storing a computer readable program, wherein the computer readable program, when executed by a processor on a computer, causes the computer to:
- store unique identifiers of two or more key servers, wherein each key server generates keys for encryption of data and returns keys for decryption of data, and wherein a key request can be directed to any one of the two or more key servers;
  
  in response to a data storage drive processing a first write to a data storage medium,receive, from the data storage drive, a first key request asking for an encryption key to encrypt data;
  
  identify a first selection technique from a set of selection techniques for selecting one of the key servers to which the first key request is to be forwarded, wherein the set of selection techniques consists of a selection technique using an order of the IP addresses of the key servers, a selection technique based on local IP addresses and remote IP addresses, a selection technique using connection information, and a selection technique based on load balancing among the key servers;
  
  select one of the key servers using the first selection technique by iterating through the two or more key servers until identifying a first key server;
  
  send, to the first key server, the first key request;
  
  in response to the first key request, receiving, from the first key server, a first response that includes an encrypted key and a protected key, wherein the protected key is decryptable by the first key server for key retrieval, and wherein the encrypted key is decrypted by the data storage drive to obtain the encryption key and used to encrypt the data; and
  
  in response to the data storage drive processing a read to the data storage medium,receive, from the data storage drive, a second key request asking for a decryption key to decrypt the data;
  
  select another one of the key servers using a second selection technique from the set of selection techniques by iterating through the two or more key servers until identifying a second key server;
  
  send, to the second key server, the second key request that includes the protected key decryptable by the second key server; and
  
  in response to the second key request, receive, from the second key server, a second response that includes an encrypted decryption key, wherein the encrypted decryption key is decrypted by the data storage drive to obtain the decryption key and used to decrypt the encrypted data.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage device of claim 8, wherein the unique identifiers are Internet Protocol (IP) addresses.
  - 10. The computer-readable storage device of claim 9, wherein the local IP addresses are selected before the remote IP addresses.
  - 11. The computer-readable storage device of claim 8, wherein a last key server to which there was a successful connection is selected before other key servers.
  - 12. The computer-readable storage device of claim 8, wherein the computer readable program when executed on a computer causes the computer to:
    - return the first response to the first key request to the data storage drive.
  - 13. The computer-readable storage device product of claim 12, wherein, in response to the data storage drive processing a key translate for the data storage medium, a third key request is received that asks to change a first encryption key and provides a second encryption key readable by each of the key servers, and wherein a third response includes a new encryption key readable by each of the key servers.
  - 14. The computer-readable storage device product of claim 12, wherein the data storage drive receives the first response, and wherein knowledge of the encryption key to encrypt the data is removed from the data storage drive once the data storage drive has used that encryption key to encrypt the data.

15. A system for key generation and retrieval, comprising:
- hardware logic performing operations, the operations comprising;
  
  storing unique identifiers of two or more key servers, wherein each key server generates keys for encryption of data and returns keys for decryption of data, and wherein a key request can be directed to any one of the two or more key servers;
  
  in response to a data storage drive processing a first write to a data storage medium,receiving, from the data storage drive, a first key request asking for an encryption key to encrypt data;
  
  identifying a first selection technique from a set of selection techniques for selecting one of the key servers to which the first key request is to be forwarded, wherein the set of selection techniques consists of a selection technique using an order of the IP addresses of the key servers, a selection technique based on local IP addresses and remote IP addresses, a selection technique using connection information, and a selection technique based on load balancing among the key servers;
  
  selecting one of the key servers using the first selection technique by iterating through the two or more key servers until identifying a first key server;
  
  sending, to the first key server, the first key request;
  
  in response to the first key request, receiving, from the first key server, a first response that includes an encrypted key and a protected key, wherein the protected key is decryptable by the first key server for key retrieval, and wherein the encrypted key is decrypted by the data storage drive to obtain the encryption key and used to encrypt the data; and
  
  in response to the data storage drive processing a read to the data storage medium,receiving, from the data storage drive, a second key request asking for a decryption key to decrypt the data;
  
  selecting another one of the key servers using a second selection technique from the set of selection techniques by iterating through the two or more key servers until identifying a second key server;
  
  sending, to the second key server, the second key request that includes the protected key decryptable by the second key server; and
  
  in response to the second key request, receiving, from the second key server, a second response that includes an encrypted decryption key, wherein the encrypted decryption key is decrypted by the data storage drive to obtain the decryption key and used to decrypt the encrypted data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15, wherein the unique identifiers are Internet Protocol (IP) addresses.
  - 17. The system of claim 16, wherein the local IP addresses are selected before the remote IP addresses.
  - 18. The system of claim 15, wherein a last key server to which there was a successful connection is selected before other key servers.
  - 19. The system of claim 15, wherein the operations further comprise:
    - returning the first response to the first key request to the data storage drive.
  - 20. The system of claim 19, wherein, in response to the data storage drive processing a key translate for the data storage medium, a third key request is received that asks to change a first encryption key and provides a second encryption key readable by each of the key servers, and wherein a third response includes a new encryption key readable each of the key servers.
  - 21. The system of claim 19, wherein the data storage drive receives the first response, and wherein knowledge of the encryption key to encrypt the data is removed from the data storage drive once the data storage drive has used that encryption key to encrypt the data.
  - 22. The system of claim 15, wherein the first key request is received from a tape drive in a tape library.
  - 23. The system of claim 15, wherein the hardware logic is implemented in a proxy server.
  - 24. The system of claim 15, wherein the hardware logic is implemented in the data storage drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hahn, Timothy James, Jaquette, Glen Alan, Greco, Paul Merrill
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
PHAM, LUU T

Application Number

US11/530,006
Publication Number

US 20080065889A1
Time in Patent Office

1,727 Days
Field of Search

713/171
US Class Current

713/171
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/062   for key distribution, e.g. ...

H04L 9/083   involving central third par...

Key generation and retrieval using key servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

88 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Key generation and retrieval using key servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links