Encryption based security system for network storage

US 8,423,780 B2
Filed: 02/07/2006
Issued: 04/16/2013
Est. Priority Date: 05/14/2002
Status: Active Grant

First Claim

Patent Images

1. A security apparatus for accessing data in a data container stored on a storage system, comprising:

a secure interface;

a clear-text interface;

an encryption device configured to receive a first command using a first data storage protocol via the clear-text interface, wherein the first command includes a command information and a data payload, wherein the command information includes an instruction to store the data payload in the data container,the encryption device further configured to distinguish the command information from the data payload,the encryption device further configured to associate the data container with a first random value;

the encryption device further configured to encrypt the data payload using an encryption key and the first random value; and

the encryption device further configured to transmit via the secure interface a second command using a second data storage protocol, wherein the second command includes the encrypted data payload and the command information, wherein the command information is unencrypted, wherein the second data storage protocol is different than the first data storage protocol, and wherein the both first and second data storage protocols are selected from a group consisting of NFS, CIFS, iSCSI and Fibrechannel.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The presently preferred embodiment of the invention provides an encryption based security system for network storage that separates the ability to access storage from the ability to access the stored data. This is achieved by keeping all the data encrypted on the storage devices. Logically, the invention comprises a device that has two network interfaces: one is a clear text network interface that connects to one or more clients, and the other is a secure network interface that is connected to one or more persistent storage servers. Functionally, each network interface supports multiple network nodes. That is, the clear text network interface supports multiple client machines, and the secure network interface supports one or more storage servers.

Citations

24 Claims

1. A security apparatus for accessing data in a data container stored on a storage system, comprising:
- a secure interface;
  
  a clear-text interface;
  
  an encryption device configured to receive a first command using a first data storage protocol via the clear-text interface, wherein the first command includes a command information and a data payload, wherein the command information includes an instruction to store the data payload in the data container,the encryption device further configured to distinguish the command information from the data payload,the encryption device further configured to associate the data container with a first random value;
  
  the encryption device further configured to encrypt the data payload using an encryption key and the first random value; and
  
  the encryption device further configured to transmit via the secure interface a second command using a second data storage protocol, wherein the second command includes the encrypted data payload and the command information, wherein the command information is unencrypted, wherein the second data storage protocol is different than the first data storage protocol, and wherein the both first and second data storage protocols are selected from a group consisting of NFS, CIFS, iSCSI and Fibrechannel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The apparatus of claim 1 wherein the encryption device is further configure to encrypt the first random value, and wherein the encryption device is further configured to transmit a second command via the secure interface to store the encrypted first random value in the data container.
  - 3. The apparatus of claim 1 wherein the encryption device is further configured to encrypt the data payload using a second random value.
  - 4. The apparatus of claim 1 wherein the encryption device is further configured to organize the data container into a set of blocks each having a block identifier, and wherein the encryption device is further configured to encrypt the data payload using the encryption key and the block identifier of a particular block of the set of blocks of the data container.
  - 5. The apparatus of claim 1, further comprising:
    - a plurality of encryption keys for encrypting the data payload; and
      
      a selection module for selecting a particular encryption key of the plurality of encryption keys based upon a parameter selected from a group consisting of a client identifier, a location of a data block on the storage system, a name of the data container, a permission data structure for the data container, and combinations thereof.
  - 6. The apparatus of claim 5, further comprising:
    - an additional encryption device, wherein the encryption device and the additional encryption device share the plurality of encryption keys, and wherein the additional encryption device includes an additional selection module identical to the selection module of the encryption device such that the data of the data container encrypted by the encryption device can be decrypted by the additional encryption device.
  - 7. The apparatus of claim 1, wherein the encryption device is further configured to operate in a transparent fashion to a first client device and to the storage system, and wherein no modification is required to the first client device and to the storage system to enable storage of the encrypted data payload on the storage system and to enable subsequent retrieval and decryption of the encrypted data payload.
  - 8. The apparatus of claim 1 wherein the encryption device is further configured to pad the data payload, and wherein the encryption device is further configured to encrypt the padded data payload.
  - 9. The apparatus of claim 5 whereinthe encryption device is further configured to generate the plurality of encryption keys, and wherein the encryption device is further configured to transmit the plurality of encryption keys securely.
  - 10. The apparatus of claim 5 wherein the plurality of encryption keys is encrypted with a master encryption key.
  - 11. The apparatus of claim 10 wherein the master key is not transmitted from the encryption device.
  - 12. The apparatus of claim 10 wherein the master encryption key is transmitted from the encryption device using a shared encryption key, and wherein the shared encryption key includes a plurality of key parts such that possession of a subset of the plurality of key parts is sufficient to reconstruct the master encryption key.
  - 13. The apparatus of claim 5 wherein the plurality of encryption keys includes:
    - a user encryption key, a data container encryption key, and a master encryption key all of which are used to encrypt the data payload.
  - 14. The apparatus of claim 5 wherein the plurality of encryption keys is assigned to a directory of the data container.
  - 15. The apparatus of claim 1 wherein the command information includes a checksum, and wherein the encryption device is further configured to recompute the checksum using the encrypted data payload.
  - 16. The apparatus of claim 7, further comprising:
    - the encryption device having a module for re-encrypting the data stored in the data container without interrupting access to the data container by a second client device.
  - 17. The apparatus of claim 1, further comprising:
    - the encryption device having a module for management of the data stored in the data container, wherein the data is not readable by an administrator.
  - 18. The apparatus of claim 1, further comprising:
    - the encryption device having a module for allowing a first user to grant a second user access to a first user'"'"'s data stored in the data container, wherein the encryption key used to encrypt the data is not explicitly shared with the second user.
  - 19. The apparatus of claim 1 wherein the encryption device is further configured to mirror the data payload via a minor interface.
  - 20. The apparatus of claim 8 wherein at least 15 bytes are padded on to the data payload.
  - 21. The apparatus of claim 7 wherein thethe encryption device is further configured to not permit a second client device access to data stored in the data container.
  - 22. The apparatus of claim 1 wherein:
    - the encryption device is further configured for failover of the first command received via the clear-text interface.
  - 23. The apparatus of claim 1 wherein the encryption device is configured to forward, without encryption, non-storage related traffic received via any of the interfaces.

24. A security apparatus for accessing data in a data container stored on a storage system, comprising:
- an encryption device having a clear text interface, and a secure interface, wherein the data container is accessible by the encryption device only via the secure interface; and
  
  the encryption device configured to receive via the clear-text interface a first command using a first data storage protocol, wherein the first command includes a data payload and command information, wherein the first command includes an instruction to store the data payload in the data container,the encryption device further configured to distinguish the command information from the data payload,the encryption device further configured to encrypt the data payload, andthe encryption device further configured to transmit via the secure interface a second command using a second data storage protocol, wherein the second command includes the encrypted data payload and the command information, wherein the command information is unencrypted, wherein the second data storage protocol is different than the first data storage protocol, and wherein the both first and second data storage protocols are selected from a group consisting of NFS, CIFS, iSCSI and Fibrechannel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Plotkin, Serge, Avida, Dan
Primary Examiner(s)
Moorthy, Aravind
Assistant Examiner(s)
Pan, Joseph

Application Number

US11/350,047
Publication Number

US 20060136735A1
Time in Patent Office

2,625 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/165, 713/182, 713/193, 380/200, 380/201, 380/255, 380/277, 380/44, 380/281, 726/2
US Class Current

713/182
CPC Class Codes

G06F 21/85   interconnection devices, e....

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 67/1097   for distributed storage of ...

H04L 69/329   in the application layer [O...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0897   involving additional device...

Encryption based security system for network storage

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption based security system for network storage

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links