Management of cryptographic keys for securing stored data

US 8,111,828 B2
Filed: 07/31/2007
Issued: 02/07/2012
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1. A system for securing stored data, comprising:

a storage system to;

receive storage and retrieval requests;

in response to the storage request received at the storage system, issue, to a management system, an encryption request including an address of the storage system;

in response to the encryption request, receive, from the management system, an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system;

encrypt data of the storage request into encrypted data using the current cryptographic key;

store the encrypted data and the identifier in a storage media;

in response to the retrieval request received at the storage system, retrieve encrypted data and a particular identifier from the storage media;

in response to the retrieval request received at the storage system, issue, to the management system, a decryption request including the particular identifier retrieved from the storage media and the address of the storage system;

receive, from the management system in response to the decryption request, a decryption reply including a cryptographic key corresponding to the particular identifier within the sequence for the storage system; and

decrypt the retrieved encrypted data using the cryptographic key in the decryption reply.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A management system generates a sequence of keys and an identifier of each key in the sequence. A current key in the sequence and the identifier of the current key are transferred from the management system to a storage system. The storage system encrypts the data into encrypted data using the current key. The storage system stores the identifier and the encrypted data. The identifier and the encrypted data are retrieved from the storage system. The key in the sequence identified by the identifier is transferred from the management system to the storage system. The storage system decrypts the encrypted data using the decryption key.

47 Citations

View as Search Results

12 Claims

1. A system for securing stored data, comprising:
- a storage system to;
  
  receive storage and retrieval requests;
  
  in response to the storage request received at the storage system, issue, to a management system, an encryption request including an address of the storage system;
  
  in response to the encryption request, receive, from the management system, an encryption reply including a current cryptographic key and an identifier of the current cryptographic key within a sequence of cryptographic keys for the storage system;
  
  encrypt data of the storage request into encrypted data using the current cryptographic key;
  
  store the encrypted data and the identifier in a storage media;
  
  in response to the retrieval request received at the storage system, retrieve encrypted data and a particular identifier from the storage media;
  
  in response to the retrieval request received at the storage system, issue, to the management system, a decryption request including the particular identifier retrieved from the storage media and the address of the storage system;
  
  receive, from the management system in response to the decryption request, a decryption reply including a cryptographic key corresponding to the particular identifier within the sequence for the storage system; and
  
  decrypt the retrieved encrypted data using the cryptographic key in the decryption reply.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further comprising an authentication server, wherein the storage system and the management system are to obtain a credential from the authentication server during an authentication procedure, where the credential protects a first transfer from the management system to the storage system of the current cryptographic key and the identifier of the current cryptographic key, a second transfer from the storage system to the management system of the particular identifier, and a third transfer from the management system to the storage system of the cryptographic key corresponding to the particular identifier.
  - 3. The system of claim 1, further comprising at least another storage system, wherein the management system is coupled to the storage systems via a computer network.
  - 4. The system of claim 3, wherein at least one of the storage systems is a desktop computer for a user, and an address of the desktop computer system includes an identifier that is at least one of an identifier of the desktop computer system and an identifier of the user.

5. A method for securing first data, comprising:
- receiving a storage request at a storage system to store the first data;
  
  in response to the storage request, issuing, by the storage system to a management system, an encryption request that includes a unique address of the storage system;
  
  receiving, at the storage system from the management system, a particular identifier and a particular encryption key in response to the encryption request, where the particular identifier and the particular encryption key are from a respective one of a sequence of combinations provided by the management system, and where each of the combinations includes a corresponding encryption key, a decryption key, and identifier of the corresponding combination;
  
  encrypting the first data into second data at the storage system using the particular encryption key;
  
  storing the particular identifier and the second data in the storage system;
  
  receiving a retrieval request at the storage system to retrieve the first data;
  
  in response to the retrieval request, retrieving the particular identifier and the second data, and issuing, by the storage system to the management system, a decryption request that includes the particular identifier and the unique address of the storage system;
  
  receiving, by the storage system from the management system in response to the decryption request, a decryption key of the combination identified in the sequence by the particular identifier; and
  
  decrypting the second data into third data at the storage system using the received decryption key, wherein the third data matches the first data.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The method of claim 5, wherein the storing of the particular identifier and the second data in the storage system includes storing in the storage system a cryptographic hash of the particular identifier, the second data, and the unique address of the storage system;
    - and the retrieving of the particular identifier and the second data from the storage system includes retrieving and checking the cryptographic hash.
  - 7. The method of claim 5, wherein the storage system is one of a plurality of storage systems, each of the storage systems having a respective unique address, and the sequence of combinations is one of a plurality of sequences of combinations, each of the sequences associated with the unique address of a corresponding one of the storage systems.
  - 8. The method of claim 5, further comprising storing the sequence of combinations in the management system, wherein the storing of each combination in the sequence includes encrypting the encryption and decryption keys of the combination using a management key of the management system, and wherein the encrypted encryption and decryption keys are decrypted using the management key of the management system prior to transfer to the storage system.
  - 9. The method of claim 5, further comprising authenticating the storage system with an enterprise authentication server, and authenticating the storage system to the management system using a credential from the authenticating of the storage system with the enterprise authentication server.
  - 10. The method of claim 9, wherein the credential secures transfer of the particular identifier and the particular encryption key from the management system to the storage system and transfer of the decryption key from the management system to the storage system.
  - 11. The method of claim 5, wherein the unique address includes an identifier that is at least one of an identifier of the credential, an identifier of the storage system, and an identifier of a user of the storage system.

12. An article of manufacture, comprising:
- a non-transitory computer-readable storage medium configured with instructions for securing first data, wherein execution of the instructions by a storage system causes the storage system to;
  
  receive a storage request to store the first data;
  
  in response to the storage request, issue, to a management system, an encryption request that includes a unique address of the storage system;
  
  receive, from the management system, a particular identifier and a particular encryption key in response to the encryption request, where the particular identifier and the particular encryption key are from a respective one of a sequence of combinations provided by the management system, and where each of the combinations includes a corresponding encryption key, a decryption key, and identifier of the corresponding combination;
  
  encrypt the first data into second data at the storage system using the particular encryption key;
  
  store the particular identifier and the second data in the storage system;
  
  receive a retrieval request at the storage system to retrieve the first data;
  
  in response to the retrieval request, retrieve the particular identifier and the second data, and issue, to the management system, a decryption request that includes the particular identifier and the unique address of the storage system;
  
  receive, from the management system in response to the decryption request, a decryption key of the combination identified in the sequence by the particular identifier; and
  
  decrypt the second data into third data at the storage system using the received decryption key, wherein the third data matches the first data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Raman, Shankar, Gowda, Kiran Kumar Malle
Primary Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/888,044
Publication Number

US 20090034733A1
Time in Patent Office

1,652 Days
Field of Search

380/42, 380/43, 380/277, 380/278
US Class Current

380/277
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

Management of cryptographic keys for securing stored data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Management of cryptographic keys for securing stored data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links