Techniques for non repudiation of storage in cloud or shared storage environments
First Claim
1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- authenticating a principal, via principal-supplied credentials within a cloud storage environment;
- identifying the principal for a first access within the cloud storage environment;
- generating a public key and a private key for the principal within the cloud storage environment;
- storing the public key and private key in a secret store within the cloud storage environment;
- receiving a write request from the principal for a file to be stored within the cloud storage environment while the principal is still authenticated and only when the principal is authenticated for an access session with the cloud storage environment;
- granting access to the public key and private key to the principal within the shared-storage environment and through the authenticated access session;
- subsequently for each write request made by the principal within the cloud storage environment, the principal is re-authenticated;
- receiving a signature for contents of the file from a file system, signed with the private key, within the shared-storage environment; and
- storing the file and a control data structure for the file within the cloud storage environment, the control data structure including the public key and the signature.
Abstract
Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.
20 Claims
11. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- detecting a file access request within a cloud storage environment from a principal;
- verifying the principal is authenticated for access in the cloud storage environment;
- accessing a control data structure for a file to which the file access request is directed;
- obtaining a public key and a signature for the file from the control data structure;
- using a private key housed in a secret store within the cloud storage environment for the principal to generate a new signature for the file, the private key provided to the principal while the principal is still authenticated and only when the principal is authenticated for an access session with the cloud storage environment;
- subsequently for each file access request made by the principal within the cloud storage environment, the principal is re-authenticated;
- verifying the signature against the new signature; and
- permitting the file access request of the principal to proceed based on verifying the signature against the new signature.
18. A system, comprising:
- a cloud storage environment;
- a storage controller implemented in a non-transitory machine-readable storage medium that processes on one or more processors of the cloud storage environment; and
- a secret store implemented in a non-transitory machine-readable storage medium of the cloud storage environment;
- the cloud storage environment configured to be remote mounted over a network with an application server of a principal when the principal authenticates with credentials, the storage controller configured to maintain files for the principal within the cloud storage environment, each file having a control data structure and each control data structure having a public key for the principal and a signature for that file signed with a private key of the principal, the public key and private key housed in the secret store and the public and private key supplied to the principal each time an access request is made by the principal and while the principal is still authenticated, and only when the principal is authenticated for an access session with the cloud storage environment;
- subsequently for each file access request made by the principal within the cloud storage environment, the principal is re-authenticated; and
- the control data structures and the secret store used for providing storage non-repudiation.
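An added Go sketch of the write path in claim 1 and the access check in claim 11, not code from the patent. Ed25519 is an assumed choice, picked because its signatures are deterministic, which is what makes claim 11's re-sign-and-compare check workable; `Store`, `ControlData`, `NewStore`, `Write` and `Read` are hypothetical names, and authentication is assumed to have happened before each call.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// ControlData is the per-file "control data structure" from the claims.
type ControlData struct{ PublicKey ed25519.PublicKey; Signature []byte }
// Store is a hypothetical in-memory stand-in for the storage environment.
type Store struct {
	secrets map[string]ed25519.PrivateKey // secret store, keyed by principal
	files   map[string][]byte
	control map[string]ControlData
}
func NewStore() *Store {
	return &Store{map[string]ed25519.PrivateKey{}, map[string][]byte{}, map[string]ControlData{}}
}

// Write (caller assumed authenticated) creates the key pair on first access, then signs.
func (s *Store) Write(principal, name string, data []byte) (err error) {
	priv := s.secrets[principal]
	if priv == nil {
		if _, priv, err = ed25519.GenerateKey(nil); err != nil { // nil: crypto/rand
			return err
		}
		s.secrets[principal] = priv
	}
	s.files[name] = append([]byte(nil), data...)
	s.control[name] = ControlData{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, data)}
	return nil
}

// Read re-signs and compares (Ed25519 is deterministic), then verifies with the public key.
func (s *Store) Read(principal, name string) ([]byte, error) {
	priv, cd, data := s.secrets[principal], s.control[name], s.files[name]
	if priv == nil || !bytes.Equal(ed25519.Sign(priv, data), cd.Signature) ||
		!ed25519.Verify(cd.PublicKey, data, cd.Signature) {
		return nil, fmt.Errorf("%s: signature check failed for %s", name, principal)
	}
	return data, nil
}

func main() {
	s := NewStore()
	s.Write("alice", "report.txt", []byte("q3 numbers")) // constructed sample
	s.files["report.txt"][0] ^= 1                        // change made outside Write
	fmt.Println(s.Read("alice", "report.txt"))
}
```

With a randomized signature scheme the byte comparison in `Read` would fail even on untouched files, so only the public-key verification would remain usable there.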
Specification