Secure storage access using third party capability tokens

US 8,042,163 B1
Filed: 05/20/2004
Issued: 10/18/2011
Est. Priority Date: 05/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

a storage device negotiating a plurality of revocable token identifiers with an access server,wherein the access server, in response to receiving from a client an access request for one or more blocks in a specific storage volume, issues to the client an access token comprising;

one of the revocable token identifiers for the requested one or more blocks, anda token for the specific volume,such that the access token is a layered token granting access permission to the specific volume and to one or more specific blocks or one or more ranges of blocks of data within the specific volume; and

the storage device, in response to receiving from the client a storage request including the issued access token, granting the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for revocable token identifiers may be employed in a shared storage environment. An access server may generate access tokens and include revocable token identifiers previously obtained from storage devices. When clients present access tokens to storage devices during storage requests, storage devices may check the validity of access tokens by verifying that the revocable token identifiers were previously issued to the access server. An access server may request that the storage device revoke revocable token identifiers. Storage devices may deny any future storage requests including revoked token identifiers. Additionally, an access token may include instructions specifying operations for a storage device to perform in conjunction with a storage request. A trusted server may issue grantor tokens granting permissions for access servers to use when issuing access tokens. An access server may then include such a grantor token in access tokens that it generates and issues to clients.

Citations

24 Claims

1. A method, comprising:
- a storage device negotiating a plurality of revocable token identifiers with an access server,wherein the access server, in response to receiving from a client an access request for one or more blocks in a specific storage volume, issues to the client an access token comprising;
  
  one of the revocable token identifiers for the requested one or more blocks, anda token for the specific volume,such that the access token is a layered token granting access permission to the specific volume and to one or more specific blocks or one or more ranges of blocks of data within the specific volume; and
  
  the storage device, in response to receiving from the client a storage request including the issued access token, granting the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - the storage device associating the one or more revocable token identifiers with the access server;
      
      wherein the issued access token comprises information identifying the access server; and
      
      wherein the storage device granting the storage request comprises granting the storage request if the access token includes information identifying the access server and also includes one of the revocable token identifiers associated with the access server as identified by the information in the access token.
  - 3. The method of claim 1, further comprising:
    - the access server requesting that the storage device revoke one or more of the revocable token identifiers; and
      
      the storage device, in response to receiving from the client a storage request including the access token, denying the storage request if the access token includes the revoked token identifier.
  - 4. The method of claim 1, wherein the storage device receives the storage request as part of a client session, the method further comprising the storage device automatically revoking the issued token identifier at the end of the client session.
  - 5. The method of claim 1, wherein the access token comprises information indicating an expiration time, the method further comprising the storage device, in response to receiving from the client the storage request including the access token, denying the storage request if the expiration time of the access token indicates that the access token has expired.
  - 6. The method of claim 1, further comprising:
    - the storage device associating an expiration time with one or more of the revocable token identifiers;
      
      the storage device, in response to receiving from the client the storage request including the access token, denying the storage request if the access token includes a revocable token identifier that is associated with an expiration time that indicates that the token identifier as expired.
  - 7. The method of claim 1, further comprising:
    - the storage device maintaining a storage configuration identifier, wherein the access token comprises the storage configuration identifier, wherein the storage device granting the storage request comprises granting the storage request if the access token includes a storage configuration identifier matching the maintained storage configuration identifier; and
      
      revoking all issued access tokens by changing the value of the maintained storage configuration identifier.
  - 8. The method of claim 1, wherein the access token comprises information identifying one or more data block ranges on the storage device.
  - 9. The method of claim 1, further comprising the access server including information in the access token indicating additional operations to be performed by the storage device in conjunction with a storage request from the client including the issued access token.
  - 10. The method of claim 9, further comprising the storage device, in response to receiving the storage request from the client, performing the additional operations as indicated by the information of the issued access token.
  - 11. The method of claim 9, wherein the additional operations indicated by the information in the access token comprise instructions for the storage device to perform trigger snapshot related operations.
  - 12. The method of claim 9, wherein the additional operations indicated by the information in the access token comprise instructions for the storage device to redirect data to a second system.
  - 13. The method of claim 1, further comprising:
    - a trusted server issuing to the access server a grantor token, wherein the grantor token comprises information identifying the trusted server, wherein the issued access token comprises the grantor token, wherein the token for the specific volume is the grantor token; and
      
      wherein the storage device granting the storage request comprises granting the storage request if the access token includes one of the revocable token identifiers and if the access token includes a valid grantor token identifying the trusted server.
  - 14. The method of claim 13, further comprising the storage device sending the grantor token to the trusted server for validation, and wherein the storage device granting the storage request comprises granting the storage request if the trusted server successfully validates the grantor token.
  - 15. The method of claim 1, wherein the access token includes a non-forgeable validation key, and wherein the storage device granting the storage request comprises granting the storage request if the access token includes one of the revocable token identifiers and if the access token includes a valid non-forgeable validation key.

16. A device, comprising:
- a processor; and
  
  a memory comprising program instructions configured to;
  
  negotiate a plurality of revocable token identifiers with a storage device;
  
  in response to receiving from a client an access request for one or more blocks in a specific storage volume, issue to the client an access token comprising;
  
  one of the revocable token identifiers for the requested one or more blocks, anda token for the specific volume,such that the access token is a layered token granting access permission at both the volume-level and the block-level to the one or more blocks of data within the specific volume; and
  
  wherein the storage device is configured to in response to receiving from the client a storage request including the issued access token, grant the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The device of claim 16, wherein the program instructions are further configured to request that the storage device revoke one or more of the revocable token identifiers, wherein the storage device is configured to in response to receiving from the client an IO request including the issued access token, deny the storage request if the access token includes the revoked token identifier.
  - 18. The device of claim 16, wherein the access token comprises information identifying one or more data blocks on the storage device.
  - 19. The device of claim 16, wherein the access token comprises information identifying one or more data block ranges of a data object on the storage device.
  - 20. The device of claim 16, wherein as part of said issuing the program instructions are further configured to include information in the access token indicating additional operations to be performed by the storage device in conjunction with a storage request from the client including the issued access token, and wherein the storage device is configured to perform the additional operations in response to receiving from the client a storage request including the access token.
  - 21. The device of claim 16, wherein the program instructions are further configured to receive a grantor token from a trusted server, wherein the grantor token comprises information identifying the trusted server, wherein the issued access token comprises the grantor token, wherein the token for the specific volume is the grantor token, wherein the storage device is configured to grant the storage request the storage request if the access token includes one of the revocable token identifiers and if the access token includes a valid grantor token identifying the trusted server.
  - 22. The device of claim 16, wherein the program instructions are further configured to include an non-forgeable validation key in the access token, and wherein the storage device is configured to grant the storage request if the access token includes one of the revocable token identifiers and if the access token includes a valid unforgeable validation key.

23. A non-transitory computer accessible medium, comprising program instructions configured to implement:
- (emphasis added)receiving from a storage device one or more revocable token identifiers;
  
  in response to receiving from a client an access request for one or more blocks in a specific storage volume, issue to the client an access token comprising;
  
  one of the revocable token identifiers for the requested one or more blocks, anda token for the specific volume,such that the access token is a layered token granting access permission to the specific blocks or one or more ranges of blocks of data within the specific volume; and
  
  wherein the storage device is configured to in response to receiving from the client a storage request including the issued access token, grant the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.

24. A system, comprising one or more devices configured to implement:
- negotiating a plurality of revocable token identifiers with an access server;
  
  receiving from the storage device one or more revocable token identifiers;
  
  in response to receiving from a client an access request for one or more blocks in a specific storage volume, issuing to the client an access token comprising;
  
  one of the revocable token identifiers for the requested one or more blocks, anda token for the specific volume,such that the access token is a layered token granting access permission to the specific volume and to one or more specific blocks or one or more ranges of blocks of data within the specific volume; and
  
  in response to receiving from the client a storage request including the issued access token, granting the storage request if the access token includes the token for the specific volume and one of the revocable token identifiers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Operating Corporation (Gen Digital Inc.)
Inventors
Valiveti, Narasimha R., Joshi, Dhanesh V., Finlay, John R., Jonnala, Ramana, Karr, Ronald S.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Bayou; Yonas

Application Number

US10/850,466
Time in Patent Office

2,707 Days
Field of Search

729/9
US Class Current

726/9
CPC Class Codes

G06F 21/80   in storage media based on m...

G06F 3/062   Securing storage systems

G06F 3/0637   Permissions

G06F 3/067   Distributed or networked st...

H04L 63/123   received data contents, e.g...

Secure storage access using third party capability tokens

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage access using third party capability tokens

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links