Secure and private backup storage and processing for trusted computing and data services

US 8,321,688 B2
Filed: 06/12/2009
Issued: 11/27/2012
Est. Priority Date: 06/12/2009
Status: Active Grant

First Claim

Patent Images

1. A method for publishing backup data, comprising:

encrypting, by at least one computing device of a publisher, modification data to form encrypted modification data representing a set of modifications to a data set of the at least one computing device of the publisher, the encrypted modification data formed according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information;

transmitting, by the at least one computing device of the publisher, the encrypted modification data to at least one computing device of a backup data service provider for update of synthetic full backup data stored by the at least one computing device of the backup data service provider; and

proving, by the at least one computing device of the publisher, that the at least one computing device of the backup data service provider applied the set of modifications to the synthetic full backup data to update the synthetic full backup data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital escrow pattern is provided for backup data services including searchable encryption techniques for backup data, such as synthetic full backup data, stored at remote site or in a cloud service, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, an operational synthetic full is maintained with encrypted data as a data service in a cryptographically secure manner that addresses integrity and privacy requirements for external or remote storage of potentially sensitive data. The storage techniques supported include backup, data protection, disaster recovery, and analytics on second copies of primary device data. Some examples of cost-effective cryptographic techniques that can be applied to facilitate establishing a high level of trust over security and privacy of backup data include, but are not limited to, size-preserving encryption, searchable-encryption, or Proof of Application, blind fingerprints, Proof of Retrievability, and others.

107 Citations

View as Search Results

23 Claims

1. A method for publishing backup data, comprising:
- encrypting, by at least one computing device of a publisher, modification data to form encrypted modification data representing a set of modifications to a data set of the at least one computing device of the publisher, the encrypted modification data formed according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information;
  
  transmitting, by the at least one computing device of the publisher, the encrypted modification data to at least one computing device of a backup data service provider for update of synthetic full backup data stored by the at least one computing device of the backup data service provider; and
  
  proving, by the at least one computing device of the publisher, that the at least one computing device of the backup data service provider applied the set of modifications to the synthetic full backup data to update the synthetic full backup data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - generating, by the at least one computing device of the publisher, structural metadata describing the modification data;
      
      encrypting, by the at least one computing device of the publisher, the structural metadata to form encrypted structural metadata; and
      
      transmitting, by the at least one computing device of the publisher, the encrypted structural metadata to the at least one computing device of the backup data service provider, wherein the encrypted structural metadata is selectively accessible by the at least one computing device of the backup data service provider.
  - 3. The method of claim 1, further comprising:
    - generating, by the at least one computing device of the publisher, at least one cryptographic trapdoor based on the cryptographic key information for enabling selective access of the encrypted modification data by the at least one computing device of the backup data service provider as defined by the at least one cryptographic trapdoor.
  - 4. The method of claim 1, wherein the proving includes determining whether the synthetic full backup data is updated within a pre-specified performance requirement with respect to updating the synthetic full backup data.
  - 5. The method of claim 4, wherein the proving includes determining whether the synthetic full backup data is updated within a pre-specified time.
  - 6. The method of claim 4, wherein the proving includes determining whether the synthetic full backup data is updated according to a pre-specified rate of processing the encrypted modification data.
  - 7. The method of claim 1, wherein the proving includes determining that an analysis of the synthetic full backup data is identical to a corresponding analysis of the data set.
  - 8. The method of claim 7, wherein the proving includes determining that an analysis of the synthetic full backup data is identical to a corresponding analysis of the data set for a corresponding point in modification history.
  - 9. The method of claim 1, wherein the proving includes verifying that the synthetic full backup data includes auxiliary data supplied within the encrypted modification data at a specified location in the synthetic full backup data.
  - 10. The method of claim 1, wherein the encrypting of modification data includes encrypting at least one transaction log recorded by the at least one computing device of the publisher.
  - 11. A computer storage medium storing computer-executable instructions implementing the method of claim 1.

12. A method for publishing backup data, comprising:
- encrypting, by at least one computing device of a publisher, modification data to form encrypted modification data representing a set of modifications to a data set of at least one computing device of the publisher, the encrypted modification data formed according to at least one searchable encryption algorithm based on cryptographic key information received from a key generator that generates the cryptographic key information; and
  
  transmitting, by the at least one computing device of the publisher, the encrypted modification data to at least one computing device of a backup data service provider for update of synthetic full backup data stored by the at least one computing device of the backup data service provider, wherein to reduce transmitting redundant data, the transmitting includes fingerprinting at least one data segment represented in the data set to form at least one fingerprint for replacing actual modification data when the at least one data segment is determined to be represented in a local set of fingerprints representing data segments of the data set.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, further comprising:
    - comparing, by the at least one computing device of the publisher, the at least one fingerprint to the local set of fingerprints to determine actual modification data that can be replaced by the at least one fingerprint.
  - 14. The method of claim 12, wherein the encrypting includes encrypting the at least one fingerprint to form at least one encrypted fingerprint according to at least one searchable encryption algorithm.
  - 15. The method of claim 14, further comprising:
    - transmitting, by the at least one computing device of the publisher, the at least one encrypted fingerprint to the at least one computing device of the backup data service provider.
  - 16. The method of claim 12, further comprising:
    - receiving, by the at least one computing device of the publisher, at least one encrypted fingerprint from the at least one computing device of the backup data service provider; and
      
      decrypting, by the at least one computing device of the publisher, the at least one encrypted fingerprint based on the cryptographic key information.
  - 17. The method of claim 16, further comprising:
    - determining, by the at least one computing device of the publisher, a set of fingerprints not within the decrypted at least one encrypted fingerprint;
      
      encrypting, by the at least one computing device of the publisher, the set of fingerprints to form a set of encrypted fingerprints; and
      
      transmitting, by the at least one computing device of the publisher, the set of encrypted fingerprints to the at least one computing device of the backup data service provider.
  - 18. The method of claim 12, further comprising:
    - receiving, by the at least one computing device of the publisher, a set of encrypted fingerprints determined by the at least one computing device of the backup data service provider to be absent from the at least one computing device of the publisher.
  - 19. The method of claim 12, wherein the fingerprinting includes fingerprinting the at least one data segment at a block level.
  - 20. The method of claim 12, wherein the fingerprinting includes fingerprinting the at least one data segment at an object level.
  - 21. A computer storage medium storing computer-executable instructions implementing the method of claim 12.

22. A method for subscribing to backup data, comprising:
- after a failure of data of a data set of at least one computing device of a subscriber, requesting a restore of at least one data item of the data set from a backup data service that maintains synthetic full data corresponding to the data set in a searchably encrypted format;
  
  receiving, by the at least one computing device of the subscriber, at least a portion of the at least one data item in an encrypted format from the backup data service;
  
  restarting, by the at least one computing device of the subscriber, an application of the at least one computing device of the subscriber based on use of the at least a portion of the at least one data item; and
  
  subsequent to restarting the application, receiving any remaining data of the at least one data item not yet received by the at least one computing device of the subscriber.
- View Dependent Claims (23)
- - 23. A computer storage medium storing computer-executable instructions implementing the method of claim 22.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Auradkar, Rahul V., D'Souza, Roy Peter
Primary Examiner(s)
Lim, Krisna

Application Number

US12/483,817
Publication Number

US 20100318812A1
Time in Patent Office

1,264 Days
Field of Search

713189-193, 713/150, 380/44
US Class Current

713/189
CPC Class Codes

G06F 11/1464   for networked environments

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3073   involving pairings, e.g. id...

H04L 9/3271   using challenge-response

Secure and private backup storage and processing for trusted computing and data services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Secure and private backup storage and processing for trusted computing and data services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others