Re-keying based on pre-generated keys

US 8,369,529 B1
Filed: 07/01/2011
Issued: 02/05/2013
Est. Priority Date: 10/29/2007
Status: Active Grant

First Claim

Patent Images

1. A method for re-keying data, comprising:

pre-generating encryption keys by a first security appliance of a plurality of security appliances before a re-key command is received at the first security appliance having a processor;

generating a minimum count of unused pre-generated encryption keys;

distributing the pre-generated encryption keys and the minimum count to a second security appliance of the plurality of security appliances;

storing the pre-generated encryption keys and the minimum count;

receiving the re-key command at the first security appliance to re-key a data container served by a storage system;

in response to receiving the re-key command, re-keying the data container with a pre-generated encryption key of the pre-generated encryption keys; and

generating, by at least one security appliance of the plurality of security appliances, additional pre-generated keys, wherein the additional pre-generated encryption keys are generated in response to reaching the minimum count.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for pre-generating encryption keys for re-keying stored ciphertext. The encryption keys are illustratively distributed to LKMs and therefrom to the security appliances communicating with each other. A minimum number of un-used pre-generated encryption keys is established wherein when that number is reached more pre-generated encryption keys are created and distributed.

58 Citations

View as Search Results

16 Claims

1. A method for re-keying data, comprising:
- pre-generating encryption keys by a first security appliance of a plurality of security appliances before a re-key command is received at the first security appliance having a processor;
  
  generating a minimum count of unused pre-generated encryption keys;
  
  distributing the pre-generated encryption keys and the minimum count to a second security appliance of the plurality of security appliances;
  
  storing the pre-generated encryption keys and the minimum count;
  
  receiving the re-key command at the first security appliance to re-key a data container served by a storage system;
  
  in response to receiving the re-key command, re-keying the data container with a pre-generated encryption key of the pre-generated encryption keys; and
  
  generating, by at least one security appliance of the plurality of security appliances, additional pre-generated keys, wherein the additional pre-generated encryption keys are generated in response to reaching the minimum count.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - distributing a list of the pre-generated encryption keys to a lifetime key management (LKM) server operatively connected to the plurality of security appliances; and
      
      distributing the list to the second security appliance.
  - 3. The method of claim 1 further comprising:
    - following a re-keying policy by the first security appliance.
  - 4. The method of claim 3 wherein the re-keying policy comprises at least one of re-keying when a first encryption key is compromised and when the first encryption key is used for a set time that has elapsed.
  - 5. The method of claim 1 further comprising:
    - in response to receiving the re-key command, reading by the first security appliance a ciphertext from the storage system;
      
      using a previously generated encryption key previously used to form the ciphertext to create a clear text;
      
      using the pre-generated encryption key to encrypt the clear text and form a new ciphertext; and
      
      storing the new ciphertext at the storage system.
  - 6. The method of claim 5 further comprising updating a record of one or more unused pre-generated encryption keys and one or more used pre-generated encryption keys.
  - 7. The method of claim 1 further comprising communicating use of the pre-generated encryption keys to the second security appliance.

8. A system configured to re-key data, comprising:
- a first security appliance of a plurality of security appliances configured to pre-generate an encryption key before a re-key command is received at the first security appliance having a processor, wherein the first security appliance distributes the pre-generated encryption key to a second security appliance;
  
  at least one processor configured to generate a minimum count of unused pre-generated encrypted keys;
  
  the first security appliance further configured to receive the re-key command to re-key a data container of the system;
  
  the first security appliance further configured to, in response to receiving the re-key command, re-key the data container with the pre-generated encryption key; and
  
  at least one other security appliance of the plurality of security appliances to generate an additional pre-generated key in response to reaching the minimum count.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8 wherein the first security appliance is further configured to distribute a list of pre-generated encryption keys to a server configured to communicate with the first security appliance.
  - 10. The system of claim 8 wherein the first security appliance is further configured to follow a re-keying policy.
  - 11. The system of claim 10 wherein the re-keying policy comprises at least one of re-keying when a first encryption key is compromised and when the first encryption key is used for a set time that has elapsed.
  - 12. The system of claim 8 wherein the first security appliance is further configured to:
    - read, in response to receiving the re-key command, a ciphertext from the system;
      
      use a previously generated encryption key previously used to form the ciphertext to create a clear text; and
      
      use the pre-generated encryption key to encrypt the clear text and form a new ciphertext.
  - 13. The system of claim 12 wherein the first security appliance is further configured to update a record of one or more unused pre-generated encryption keys and one or more used pre-generated encryption keys.
  - 14. The system of claim 8 wherein the first security appliance is further configured to communicate use of the pre-generated encryption key to the second security appliance.

15. A non-transitory computer-readable storage medium stored with executable program instructions for execution by a processor, the computer-readable storage medium comprising:
- program instructions that pre-generate an encryption key by a first computer of a plurality of computers before a re-key command is received at the first computer;
  
  program instructions that generate a minimum count of unused pre-generated encryption keys;
  
  program instructions that distribute the generated key and the minimum count to a second computer of the plurality of computers;
  
  program instructions that receive the re-key command at the first computer to re-key a data container served by the plurality of computers;
  
  program instructions that, in response to receiving the re-key command, re-key the data container with the pre-generated encryption key; and
  
  program instructions that generate, for at least one computer of the plurality of computers, additional pre-generated keys, wherein the additional pre-generated encryption keys are generated in response to reaching the minimum count.
- View Dependent Claims (16)
- - 16. The non-transitory computer-readable storage medium of claim 15 further comprising program instructions that, in response to re-keying the data container with the pre-generated encryption key, update a record of one or more unused pre-generated encryption keys and one or more used pre-generated encryption keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Agarwal, Vaibhave, Ganhasri, Rajamohan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US13/175,378
Time in Patent Office

585 Days
Field of Search

380/278
US Class Current

380/278
CPC Class Codes

H04L 9/0891 Revocation or update of sec...

H04L 9/16 the keys or algorithms bein...

Re-keying based on pre-generated keys

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Re-keying based on pre-generated keys

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links