System and method for signature based data container recognition

US 8,219,821 B2
Filed: 03/27/2007
Issued: 07/10/2012
Est. Priority Date: 03/27/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for signature based recognition of a data container, the method comprising:

creating, by a storage system associated with a security appliance, the data container;

in response to creating the data container, generating, by the security appliance, a signature of the data container by examining encrypted contents of a plurality of the data blocks contained within the data container, wherein the signature is generated using a one-way function;

associating, by the security appliance, the generated signature with an encryption key by creating an entry in a data container signature structure;

storing, on the security appliance, the signature and associated encryption key for subsequent data container signature based recognition by storing the entry within the data;

generating a new signature, when data in any of the one or more blocks utilized as the signature is modified, wherein the new signature is stored by the security appliance.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for signature based data container recognition is provided. When a new data container, such as a lun, is created, a security appliance generates a signature of the data container, by, e.g., examining the contents of one or more data blocks of the data container. The generated signature is then associated with the appropriate encryption key for the data container and is stored either within a configuration database of the security appliance or on a key management system operating within a security appliance environment. To identify the encryption key associated with a data container, the security appliance generates a signature of the data container and compares the generated signature with the stored signatures. Should there be a matching signature, the security appliance utilizes the encryption key associated with the matching signature to process data access requests to/from the data container.

Citations

20 Claims

1. A computer-implemented method for signature based recognition of a data container, the method comprising:
- creating, by a storage system associated with a security appliance, the data container;
  
  in response to creating the data container, generating, by the security appliance, a signature of the data container by examining encrypted contents of a plurality of the data blocks contained within the data container, wherein the signature is generated using a one-way function;
  
  associating, by the security appliance, the generated signature with an encryption key by creating an entry in a data container signature structure;
  
  storing, on the security appliance, the signature and associated encryption key for subsequent data container signature based recognition by storing the entry within the data;
  
  generating a new signature, when data in any of the one or more blocks utilized as the signature is modified, wherein the new signature is stored by the security appliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the data container comprises a block addressable unit.
  - 3. The method of claim 1 wherein the signature of the data container comprises data contained in one of more blocks of the data container.
  - 4. The method of claim 1 wherein generating a signature of the data container further comprises processing data contained in the plurality of blocks contained within the data container.
  - 5. The method of claim 4 wherein processing data contained in the plurality of blocks contained within the data container comprises hashing the data contained in the plurality of blocks contained within the data container.
  - 6. The method of claim 1 wherein storing the signature and associated encryption key comprises storing a data container signature data structure.
  - 7. The method of claim 6 wherein the data container signature data structure comprises at least one block signature field and an encryption key field.
  - 8. The method of claim 1 further comprising:
    - identifying a new data container;
      
      generating a signature of the new data container;
      
      comparing the generated signature of the new data container with the stored signature.
  - 9. The method of claim 7 further comprising in response to the generated signature of the new data container matching the stored signature, utilizing the encryption key associated with the stored signature for operations directed to the new data container.

10. A non-transitory computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that create, on a storage system associated with a security appliance, a data container;
  
  program instructions that generate a signature of the data container on the security appliance by examining encrypted contents of a plurality of the data blocks contained within the data container in response to the creation of the data container;
  
  wherein the signature is generated using a one-way function;
  
  program instructions that associate the generated, on the security appliance, signature with an encryption key by creating an entry in a data container signature structure;
  
  program instructions that store, on the security appliance, the signature and associated encryption key for subsequent data container signature based recognition by storing the entry within the data container signature data structure; and
  
  program instructions that generates a new signature, when data in any of the one or more blocks utilized as the signature is modified, wherein the new signature is stored by the security appliance.

11. A system for signature based recognition of a data container, the system comprising:
- a processor, a storage system configured to export and create the data container; and
  
  a security appliance operatively interconnected with the storage system, the security appliance configured to generate a signature of the data container by examining encrypted contents of a plurality of the data blocks contained within the data container in response to the creation of the data container, wherein the signature is generated using a one-way function;
  
  associate the generated signature with an encryption key by creating an entry in a data container signature structure and store the generated signature and associated encryption key for subsequent data container signature based recognition by storing the entry within the data container signature data structure;
  
  generating a new signature, when data in any of the one or more blocks utilized as the signature is modified, wherein the new signature is stored by the security appliance.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein the security appliance is further configured to store the generated signature and associated encryption key in a data container signature data structure.
  - 13. The system of claim 12 wherein the data container signature data structure is stored in a key management system.
  - 14. The system of claim 12 wherein the data container signature data container is stored in a configuration database.
  - 15. The system of claim 12 wherein the data container signature data structure comprises at least one block signature field and an encryption key field.
  - 16. The system of claim 11 wherein the data container comprises a block addressable unit.
  - 17. The system of claim 11 wherein the generated signature comprises data contained in one of more blocks of the data container.
  - 18. The system of claim 11 wherein the generated signature comprises processed data contained in the plurality of blocks contained within the data container.
  - 19. The system of claim 18 wherein the processed data contained in the plurality of blocks contained within the data container comprises a hash value associated with the data in the plurality of blocks contained within the data container.
  - 20. The system of claim 11 wherein the security appliance is further configured to identify a new data container, generate a signature of the new data container and compare the generated signature of the new data container with the stored signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Zimmels, Ori, Frandzel, Yuval
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US11/691,862
Publication Number

US 20080244270A1
Time in Patent Office

1,932 Days
Field of Search

713/176
US Class Current

713/181
CPC Class Codes

G06F 21/78 to assure secure storage of...

G06F 21/85 interconnection devices, e....

System and method for signature based data container recognition

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for signature based data container recognition

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links