Systems and methods for securely deduplicating data owned by multiple entities

US 8,401,185 B1
Filed: 02/01/2010
Issued: 03/19/2013
Est. Priority Date: 02/01/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely deduplicating data owned by multiple entities, at least a portion of the method being performed by a client device comprising at least one processor, the method comprising:

identifying, at the client device, a plurality of data segments to store on a third-party storage system;

for each data segment, performing the following steps at the client device;

identifying a hash of the data segment;

transmitting the hash of the data segment to a central server;

receiving an encrypted string that is based on the hash of the data segment from the central server, wherein the encrypted string comprises an encryption of the hash of the data segment using a key that is derived from the hash of the data segment using a transformation function;

encrypting the data segment with the encrypted string;

transferring the encrypted data segment to the third-party storage system.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for securely deduplicating data owned by multiple entities may include identifying a plurality of data segments to store on a third-party storage system and, for each data segment: 1) identifying a hash of the data segment, 2) transmitting the hash of the data segment to a central server, 3) receiving an encrypted string that is based on the hash of the data segment from the central server, 4) encrypting the data segment with the encrypted string, and 5) transferring the encrypted data segment to the third-party storage system. Various other methods, systems, and computer-readable media are also disclosed.

Citations

18 Claims

1. A computer-implemented method for securely deduplicating data owned by multiple entities, at least a portion of the method being performed by a client device comprising at least one processor, the method comprising:
- identifying, at the client device, a plurality of data segments to store on a third-party storage system;
  
  for each data segment, performing the following steps at the client device;
  
  identifying a hash of the data segment;
  
  transmitting the hash of the data segment to a central server;
  
  receiving an encrypted string that is based on the hash of the data segment from the central server, wherein the encrypted string comprises an encryption of the hash of the data segment using a key that is derived from the hash of the data segment using a transformation function;
  
  encrypting the data segment with the encrypted string;
  
  transferring the encrypted data segment to the third-party storage system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein encrypting the data segment with the encrypted string comprises encrypting the data segment using the encrypted string as a symmetric key.
  - 3. The computer-implemented method of claim 1, further comprising:
    - identifying a hash of the encrypted data segment;
      
      saving a hash-string pair that comprises the hash of the encrypted data segment and the encrypted string.
  - 4. The computer-implemented method of claim 3, further comprising accessing the data segment from the third-party storage system.
  - 5. The computer-implemented method of claim 4, wherein accessing the data segment from the third-party storage system comprises performing the following steps at the client device:
    - retrieving the encrypted data segment from the third-party storage system;
      
      identifying the hash of the encrypted data segment;
      
      locating the hash-string pair using the hash of the encrypted data segment;
      
      identifying the encrypted string in the pair;
      
      decrypting the encrypted data segment with the encrypted string.
  - 6. The computer-implemented method of claim 1, wherein the transformation function comprises at least one of a hash function and a mapping function.
  - 7. The computer-implemented method of claim 1, further comprising identifying a policy restricting cross-client convergent encryption for the data segment.
  - 8. The computer-implemented method of claim 7, wherein the key that is based on the hash of the data segment comprises a client-specific key.
  - 9. The computer-implemented method of claim 7, wherein the policy comprises a limitation of the percentage of data segments in the plurality of data segments that may undergo cross-client convergent encryption.
  - 10. The computer-implemented method of claim 7, wherein the policy comprises an indicator that the data segment is too sensitive to undergo cross-client convergent encryption.

11. A system for securely deduplicating data owned by multiple entities, the system comprising:
- an identification module programmed to identify, at a client device, a plurality of data segments to store on a third-party storage system;
  
  a hash-to-key module programmed to perform the following steps at the client device for each data segment;
  
  identify a hash of the data segment;
  
  transmit the hash of the data segment to a central server;
  
  receive an encrypted string that is based on the hash of the data segment from the central server, wherein the encrypted string comprises an encryption of the hash of the data segment using a key that is derived from the hash of the data segment using a transformation function;
  
  an encryption module programmed to encrypt the data segment with the encrypted string;
  
  a storage module programmed to transfer the encrypted data segment to the third-party storage system;
  
  at least one processor configured to execute the identification module, the hash-to-key module, the encryption module, and the storage module.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the encryption module is programmed to encrypt the data segment with the encrypted string by encrypting the data segment using the encrypted string as a symmetric key.
  - 13. The system of claim 11, further comprising a pairing module programmed to:
    - identify a hash of the encrypted data segment;
      
      save a hash-string pair that comprises the hash of the encrypted data segment and the encrypted string.
  - 14. The system of claim 13, further comprising a retrieval module programmed to access the data segment from the third-party storage system.
  - 15. The system of claim 14, wherein the retrieval module is programmed to access the data segment from the third-party storage system by performing the following steps at the client device:
    - retrieving the encrypted data segment from the third-party storage system;
      
      identifying the hash of the encrypted data segment;
      
      locating the hash-string pair using the hash of the encrypted data segment;
      
      identifying the encrypted string in the pair;
      
      decrypting the encrypted data segment with the encrypted string.
  - 16. The system of claim 11, wherein the third-party storage system comprises a single-instance storage system.
  - 17. The system of claim 11, wherein the hash-to-key module is further programmed to identify a policy restricting cross-client convergent encryption for the data segment.

18. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing client device, cause the computing client device to:
- identify, at the client device, a plurality of data segments to store on a third-party storage system;
  
  for each data segment, perform the following steps at the client device;
  
  identify a hash of the data segment;
  
  transmit the hash of the data segment to a central server;
  
  receive an encrypted string that is based on the hash of the data segment from the central server, wherein the encrypted string comprises an encryption of the hash of the data segment using a key that is derived from the hash of the data segment using a transformation function;
  
  encrypt the data segment with the encrypted string;
  
  transfer the encrypted data segment to the third-party storage system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Telang, Nilesh
Primary Examiner(s)
Shan, April
Assistant Examiner(s)
Shepperd, Eric W

Application Number

US12/697,705
Time in Patent Office

1,142 Days
Field of Search

713/153, 713/160, 713/189, 713/193, 726/30, 726 26- 27, 380/277, 380259-262, 380 44- 46, 707/664, 707/687, 707/692
US Class Current

380/44
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1095   Replication or mirroring of...

H04L 67/1097   for distributed storage of ...

H04L 67/53   using third party service p...

H04L 9/083   involving central third par...

H04L 9/3236   using cryptographic hash fu...

Systems and methods for securely deduplicating data owned by multiple entities

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securely deduplicating data owned by multiple entities

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links