Method and apparatus for authenticated data storage

US 8,356,178 B2
Filed: 11/13/2006
Issued: 01/15/2013
Est. Priority Date: 11/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

computing a first message authentication code (MAC) for a set of data blocks of a data storage medium, wherein the first MAC is calculated based on data in the data blocks which are selected to be included in the calculation of the first MAC based on a physical arrangement of the data blocks in the data storage medium;

storing the set of data blocks and the first MAC to a data storage medium;

retrieving the set of data blocks and the first MAC from the data storage medium;

computing a second MAC for the set of data blocks, the second MAC calculated based on data in the data blocks retrieved from the data storage medium;

comparing the first MAC and second MAC;

determining if data in the set of data blocks has been changed based on the comparing the first MAC to a second MAC; and

providing access to data in the set of data blocks when the first MAC and the second MAC match.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes: computing a first message authentication code for each of a plurality of sets of data blocks on a data storage medium, and authenticating the sets of data blocks by computing a second message authentication code for each of the sets of data blocks to be authenticated and comparing the first and second message authentication codes. An apparatus that performs the method is also provided.

62 Citations

View as Search Results

19 Claims

1. A method comprising:
- computing a first message authentication code (MAC) for a set of data blocks of a data storage medium, wherein the first MAC is calculated based on data in the data blocks which are selected to be included in the calculation of the first MAC based on a physical arrangement of the data blocks in the data storage medium;
  
  storing the set of data blocks and the first MAC to a data storage medium;
  
  retrieving the set of data blocks and the first MAC from the data storage medium;
  
  computing a second MAC for the set of data blocks, the second MAC calculated based on data in the data blocks retrieved from the data storage medium;
  
  comparing the first MAC and second MAC;
  
  determining if data in the set of data blocks has been changed based on the comparing the first MAC to a second MAC; and
  
  providing access to data in the set of data blocks when the first MAC and the second MAC match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the set of data blocks are deemed to have been changed if the first MAC and second MAC are different.
  - 3. The method of claim 1, further comprising:
    - authenticating data of the data storage medium by performing MAC comparisons for multiple sets of data blocks, the authenticating including for each of the multiple sets of data blocks;
      
      calculating a first MAC for a selected set of data blocks;
      
      storing the first MAC and the selected set of data blocks to a data storage medium at a first point in time;
      
      retrieving the first MAC and the selected set of data blocks from the data storage medium at a second point in time that is later than the first point in time;
      
      calculating a second MAC for the selected set of data blocks;
      
      comparing the first MAC to the second MAC to determine if the first MAC and the second MAC match;
      
      storing results of the comparing for the selected set of data blocks in a list of indicators that indicate a MAC comparison result corresponding to the multiple sets of data blocks; and
      
      processing the list to determine if a MAC comparison result is in the list for the particular set of data blocks; and
      
      providing access to the specific data when an indicator associated with the particular set of data blocks corresponding to the read request is included in the list.
  - 4. The method of claim 3, further comprising:
    - computing an additional MAC for a selected group of the first MACs; and
      
      organizing the additional MAC and the selected group of the first MACs in a hierarchical tree structure.
  - 5. The method of claim 3, further comprising authenticating a set of data blocks only once in a power cycle, and storing an indicator of an authentication result in the list.
  - 6. The method of claim 3, further comprising:
    - the first MAC is computed and stored in a memory at the first point in time when the selected set of data is stored to a data storage medium and is determined via a first MAC calculation method; and
      
      the second MAC is computed and compared to the first MAC, which was previously stored in a memory, the second MAC computed when the selected set of data is retrieved from the data storage medium, the second MAC also calculated using the first MAC calculation method.
  - 7. The method of claim 6 further comprising when the second MAC does not match the first MAC, a warning is sent to a user.
  - 8. The method of claim 3, further comprising:
    - determining if more than one set of data blocks has been changed based on comparing a generated MAC with a stored MAC while a storage device containing the storage medium is in an idle state;
      
      storing in the list an indicator that a data block has been checked and the first MAC and the second MAC associated with the data block matched during the comparing the first MAC and second MAC;
      
      processing the list to determine if a set of data blocks corresponding to a read request has been changed; and
      
      providing access to the set of data blocks corresponding to the read request when an indicator associated with the set of data blocks corresponding to the read request is included in the list.

9. A method comprising:
- retrieving a selected set of data blocks from a data storage medium, the selected set of data blocks having a corresponding message authentication code (MAC);
  
  determining if the selected set of data blocks has been changed based on comparing a generated MAC with the corresponding MAC;
  
  storing in a table an indicator corresponding to the selected set of data blocks when the selected set of data blocks is determined not to have been changed; and
  
  upon a later request for data within the selected set of data blocks, providing access to the selected set of data blocks without comparing a stored MAC to another MAC when the indicator associated with the selected set of data blocks is in the table.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 further comprising during an idle state of a data storage device, repeating the method for at least one other set of data blocks that has a corresponding MAC wherein the repeating is not in response to a read request for data stored in the at least one other set of data blocks.
  - 11. The method of claim 9 further comprising during an idle state of a data storage device, repeating the method for every set of data blocks that has a corresponding MAC.
  - 12. The method of claim 9 further comprising wherein the generated MAC is generated after the selected set of data blocks is retrieved from the data storage medium and the determined MAC was stored prior to retrieving the selected set of data blocks.
  - 13. The method of claim 9 further comprising wherein providing access further comprises providing access to the selected set of data blocks in response to a read request corresponding to data stored in the selected set of data blocks.
  - 14. The method of claim 9 further comprising processing the list to determine if a selected set of data blocks has been changed instead of comparing a stored MAC to a generated MAC.
  - 15. The method of claim 9 further comprising only storing an indicator in the table when an indicator identifies a set of data blocks that has been determined not to be changed based on a MAC comparison.

16. A device comprising:
- a processor adapted to;
  
  retrieve a specific set of data blocks from a data storage medium;
  
  retrieve a stored authentication code associated with the specific set of data blocks;
  
  determine a second authentication code based on data stored in the specific set of data blocks;
  
  store in a table an indicator of whether the specific set of data blocks has been changed based on comparing the stored authentication code and the second authentication code;
  
  receive a read request to access data within the specific set of data blocks; and
  
  provide access to the data associated with the read request based on an indicator in the table without making another MAC comparison.
- View Dependent Claims (17, 18, 19)
- - 17. The device of claim 16 further comprising a data storage medium and the set of data blocks are selected to be included in a calculation of the stored authentication code based on a physical arrangement of the set of data blocks in the data storage medium, and the stored authentication code and the second authentication are each calculated based on data stored in the specific set of data blocks, wherein if data within the specific set of data blocks changes in-between when the stored authentication code is calculated and the second authentication code is calculated, access to the data within the specific set of data blocks is denied.
  - 18. The device of claim 17 wherein the data storage medium comprises a disc data storage medium and the physical arrangement of the set of data blocks is a track of a data storage device;
    - wherein the specific set of data blocks is selected because each data block of the specific set of data blocks reside on a single track of the disc data storage medium.
  - 19. The device of claim 16 further comprising the processor further adapted to:
    - during an idle time of the data storage medium, determine if multiple selected sets of data blocks on the data storage medium that have an associated authentication code have been changed, and store an indicators for each compared set of data blocks in the table that identify if the corresponding set of data blocks has been determined to have not been changed based on an associated authentication code for a compared set of data blocks; and
      
      provide access to data stored in a specific set of data blocks when the set of data blocks has a corresponding indicator in the table without requiring a MAC comparison for the set of data blocks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Original Assignee
Seagate Technology LLC (Seagate Technology Holdings Plc)
Inventors
Hars, Laszlo
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US11/598,409
Publication Number

US 20080114981A1
Time in Patent Office

2,255 Days
Field of Search

713161-179, 726 26- 29, 726/22, 726/2, 370469-470
US Class Current

713/170
CPC Class Codes

G06F 21/64 Protecting data integrity, ...

G06F 21/80 in storage media based on m...

Method and apparatus for authenticated data storage

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for authenticated data storage

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links