Security for RAID systems

US 8,209,551 B2
Filed: 02/15/2008
Issued: 06/26/2012
Est. Priority Date: 02/15/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A machine implemented method comprising:

accessing a redundant array of independent drives (RAID) storage device, comprising a first drive and a second drive;

segmenting a file data buffer into a plurality of segments including at least a first unencrypted segment, a second unencrypted segment, and a third unencrypted segment;

performing a cryptographic operation on the first unencrypted segment to generate a first encrypted segment;

computing a second parity syndrome between the second unencrypted segment and at least the third unencrypted segment concurrent with the cryptographic operation on the first unencrypted segment;

computing a first parity syndrome between the first encrypted segment and the second parity syndrome; and

striping the first encrypted segment and the second unencrypted segment on said first and said second drive respectively, the first drive being different from the second drive.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for accessing a redundant array of independent drives (RAID) storage device are disclosed. In some embodiments file data is broken into multiple segments. A cryptographic operation is performed on one or more segments to generate encrypted segment(s). One or more parity syndrome is computed from the encrypted segment(s) and the unencrypted segment(s). The encrypted segment(s), the unencrypted segment(s) and the parity syndrome(s) are striped onto different individual drives. Since the cryptographic operation is not performed on all the segments, it may also be performed concurrently with computing of parity syndrome(s) from other unencrypted segments.

Citations

14 Claims

1. A machine implemented method comprising:
- accessing a redundant array of independent drives (RAID) storage device, comprising a first drive and a second drive;
  
  segmenting a file data buffer into a plurality of segments including at least a first unencrypted segment, a second unencrypted segment, and a third unencrypted segment;
  
  performing a cryptographic operation on the first unencrypted segment to generate a first encrypted segment;
  
  computing a second parity syndrome between the second unencrypted segment and at least the third unencrypted segment concurrent with the cryptographic operation on the first unencrypted segment;
  
  computing a first parity syndrome between the first encrypted segment and the second parity syndrome; and
  
  striping the first encrypted segment and the second unencrypted segment on said first and said second drive respectively, the first drive being different from the second drive.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - striping the third unencrypted segment and the first parity syndrome on a third and a fourth drive respectively, the third drive being different from the fourth drive and both being different from the first and the second drives.
  - 3. The method of claim 1, further comprising:
    - computing a third parity syndrome between the first encrypted segment and at least the second unencrypted segment, wherein the third parity syndrome is a Reed-Solomon code.
  - 4. The method of claim 3, further comprising:
    - striping the first parity syndrome and the third parity syndrome on a third and a fourth drive respectively, the third drive being different from the fourth drive and both being different from the first and the second drives.
  - 5. The method of claim 1 wherein the file data is segmented into a plurality of segments, substantially all segments being 128-bit segments.
  - 6. An article of manufacture to implement the method of claim 5, the article comprisinga non-transitory machine-accessible medium including data that, when accessed by a machine, cause the machine to implement the method of claim 5.

7. An apparatus comprising:
- a RAID descriptor processing engine to segment a file data buffer into a plurality of segments including at least a first unencrypted segment, a second unencrypted segment, and a third unencrypted segment, and to direct memory access (DMA) transfer the plurality of segments from the file data buffer for processing;
  
  a cryptographic unit to receive a DMA transfer of the first unencrypted segment by the RAID descriptor processing engine and to perform a cryptographic operation on the first unencrypted segment to generate a first encrypted segment;
  
  a RAID processing engine to receive at least a DMA transfer of the second unencrypted segment by the RAID descriptor processing engine and to compute a second parity syndrome between the second unencrypted segment and at least the third unencrypted segment concurrent with the cryptographic operation on the first unencrypted segment,the RAID processing engine further configured to compute a first parity syndrome between the first encrypted segment and the second parity syndrome; and
  
  a destination storage having a plurality of drives including a first drive and a second drive different from the first drive, said RAID descriptor processing engine to stripe the first encrypted segment and the second unencrypted segment onto the first and the second drive respectively.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, said RAID descriptor processing engine to stripe the third unencrypted segment and the first parity syndrome on a third and a fourth drive respectively, the third drive being different from the fourth drive and both being different from the first and the second drives.
  - 9. The apparatus of claim 7, said RAID processing engine to compute a third parity syndrome between the first encrypted segment and at least the second unencrypted segment, wherein said third parity syndrome is a Reed-Solomon code.
  - 10. The apparatus of claim 9, said RAID descriptor processing engine to stripe the first parity syndrome and the third parity syndrome on a third and a fourth drive respectively, the third drive being different from the fourth drive and both being different from the first and the second drives.
  - 11. The apparatus of claim 7 wherein the file data is segmented into a plurality of segments, substantially all segments being 128-bit segments.

12. A RAID storage system comprising:
- a plurality of distinct drives including a first drive, a second drive, a third drive and a fourth drive;
  
  a RAID descriptor processing logic to segment a file data buffer into a plurality of segments including at least a first unencrypted segment A1, a second unencrypted segment A2 and a third unencrypted segment A3, and to transfer the plurality of segments from the file data buffer for processing;
  
  a cryptographic logic to receive a transfer of the segment A1 by the RAID descriptor processing logic and to perform a cryptographic operation on the unencrypted segment A1 to generate a first encrypted segment A1′
  
  ;
  
  a parity logic to receive transfers of the segment A2 and the segment A3 by the RAID descriptor processing logic, and to compute a second parity syndrome between the segment A2 and at least the segment A3 concurrent with said cryptographic operation on the segment A1, and to compute a first parity syndrome Ap′
  
  between the encrypted segment A1′ and
  
  the second parity syndrome; and
  
  said RAID descriptor processing logic to stripe the segment A1′
  
  , the segment A2, the segment A3 and the first parity syndrome Ap′
  
  onto the first drive, the second drive, the third drive and the fourth drive, respectively.
- View Dependent Claims (13, 14)
- - 13. The storage system of claim 12, said parity logic to compute a third parity syndrome for the segment A2 and at least the segment A3 concurrent with said cryptographic operation on the segment A1, and to compute a fourth parity syndrome Aq′
    - from the encrypted segment A1′ and
      
      the third parity syndrome, wherein said fourth parity syndrome Aq′
      
      is a Reed-Solomon code.
  - 14. The storage system of claim 13, said RAID descriptor processing logic to stripe the fourth parity syndrome Aq′
    - onto a fifth drive of the plurality of distinct drives.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chew, Yen Hsiang, Panda, Subhankar
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Mangialaschi, Tracy

Application Number

US12/032,554
Publication Number

US 20100031060A1
Time in Patent Office

1,593 Days
Field of Search

713/193, 714/6.22, 714/6.23, 714/6.24, 714/770
US Class Current

713/193
CPC Class Codes

G06F 21/80 in storage media based on m...

Security for RAID systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Security for RAID systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links