Incremental secure backup and restore of user settings and data

US 8,671,279 B2
Filed: 06/19/2012
Issued: 03/11/2014
Est. Priority Date: 06/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method of performing a secure full backup of user settings and data, comprising:

determining a set of objects to be backed up;

creating a manifest including a master encryption key (MEK);

encrypting, using an object encryption key (OEK), each object to be backed up, to form encrypted data;

forming a data stream for each object to be backed up to be sent to a host data processing system;

creating an object map for each object to be backed up, wherein creating the object map comprises;

computing a path hash of the object to be backed up, computing a contents hash of the data stream for the object, and mapping the path hash to the contents hash for the object to be backed up;

updating the manifest with the object map;

sending the data stream for each object to be backed up to the host data processing system, wherein the host data processing system is configured to save the data stream under the object'"'"'s respective path hash;

signing the manifest with a digital signature for authentication; and

sending the manifest to the host data processing system, wherein the host data processing system saves the signed manifest.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses for performing secure incremental backup and restore operations are disclosed.

Citations

22 Claims

1. A method of performing a secure full backup of user settings and data, comprising:
- determining a set of objects to be backed up;
  
  creating a manifest including a master encryption key (MEK);
  
  encrypting, using an object encryption key (OEK), each object to be backed up, to form encrypted data;
  
  forming a data stream for each object to be backed up to be sent to a host data processing system;
  
  creating an object map for each object to be backed up, wherein creating the object map comprises;
  
  computing a path hash of the object to be backed up, computing a contents hash of the data stream for the object, and mapping the path hash to the contents hash for the object to be backed up;
  
  updating the manifest with the object map;
  
  sending the data stream for each object to be backed up to the host data processing system, wherein the host data processing system is configured to save the data stream under the object'"'"'s respective path hash;
  
  signing the manifest with a digital signature for authentication; and
  
  sending the manifest to the host data processing system, wherein the host data processing system saves the signed manifest.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining the set of objects to be backed up comprises walking a whitelist.
  - 3. The method of claim 1, wherein the encrypting each object to be backed up comprises:
    - concatenating an object path with object bytes for each object to be backed up; and
      
      encrypting the object path concatenated with the object bytes using the OEK to form the encrypted data.
  - 4. The method of claim 3, further comprising forming a wrapped object encryption key (WOEK), wherein forming the WOEK comprises:
    - encrypting the MEK and saving the encrypted MEK in the manifest;
      
      obtaining an initialization vector (IV);
      
      concatenating the IV with the OEK; and
      
      encrypting the concatenated IV and OEK using the MEK.
  - 5. The method of claim 4, wherein forming the data stream for each object to be backed up comprises:
    - concatenating the IV with the WOEK; and
      
      concatenating the concatenated IV and WOEK with the encrypted data.
  - 6. The method of claim 4, wherein the MEK is a 16 byte value obtained from a randomized algorithm.
  - 7. The method of claim 3, wherein the OEK is a 16 byte value obtained from a randomized algorithm.
  - 8. The method of claim 4, wherein the IV is obtained from a randomized algorithm.
  - 9. The method of claim 1, wherein computing the path hash of the object comprises performing a hash function on a path of the object.
  - 10. The method of claim 1, wherein the object is a file, and computing the path hash of the object comprises performing a hash function on a path of the file.
  - 11. The method of claim 3, further comprising forming a wrapped object encryption key (WOEK), wherein forming the WOEK comprises:
    - encrypting the MEK; and
      
      saving the encrypted MEK in the manifest.

12. A non-transitory computer-readable medium for a computer system, the non-transitory computer-readable medium having stored thereon a series of instructions executable by a processor to perform a secure full backup of user settings and data, the series of instructions comprising:
- instructions that cause the processor to determine a set of objects to be backed up;
  
  instructions that cause the processor to create a manifest including a master encryption key (MEK);
  
  instructions that cause the processor to encrypt, using an object encryption key (OEK), each object to be backed up, to form encrypted data;
  
  instructions that cause the processor to form a data stream for each object to be backed up to be sent to a host data processing system;
  
  instructions that cause the processor to create an object map for each object to be backed up, wherein the instructions that cause the processor to create an object map comprise;
  
  instructions that cause the processor to compute a path hash of the object to be backed up,instructions that cause the processor to compute a contents hash of the data stream for the object, andinstructions that cause the processor to map the path hash to the contents hash for the object;
  
  instructions that cause the processor to update the manifest with the object map;
  
  instructions that cause the processor to send the data stream for each object to be backed up to the host data processing system, wherein the host data processing system saves the data stream under the object'"'"'s respective path hash;
  
  instructions that cause the processor to sign the manifest with a digital signature for authentication; and
  
  instructions that cause the processor to send the manifest to the host data processing system, wherein the host data processing system saves the signed manifest.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the instructions that cause the processor to determine the set of objects to be backed up comprise instructions that cause the processor to walk a whitelist.
  - 14. The non-transitory computer-readable medium of claim 12, wherein the instructions that cause the processor to encrypt each object to be backed up comprise:
    - instructions that cause the processor to concatenate an object path with object bytes for each object to be backed up; and
      
      instructions that cause the processor to encrypt the object path concatenated with the object bytes using the OEK to form the encrypted data.
  - 15. The non-transitory computer-readable medium of claim 14, further comprising instructions that cause the processor to form a wrapped object encryption key (WOEK), wherein the instructions that cause the processor to form the WOEK comprise:
    - instructions that cause the processor to encrypt the MEK and save the encrypted MEK in the manifest;
      
      instructions that cause the processor to obtain an initialization vector (IV);
      
      instructions that cause the processor to concatenate the IV with the OEK; and
      
      instructions that cause the processor to encrypt the concatenated IV and OEK using the MEK.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the instructions that cause the processor to form the data stream for each object to be backed up comprise:
    - instructions that cause the processor to concatenate the IV with the WOEK; and
      
      instructions that cause the processor to concatenate the concatenated IV and WOEK with the encrypted data.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the MEK is a 16 byte value obtained from a randomized algorithm.
  - 18. The non-transitory computer-readable medium of claim 14, wherein the OEK is a 16 byte value obtained from a randomized algorithm.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the IV is obtained from a randomized algorithm.
  - 20. The non-transitory computer-readable medium of claim 12, wherein the instructions that cause the processor to compute the path hash of the object comprise instructions that cause the processor to perform a hash function on a path of the object.
  - 21. The non-transitory computer-readable medium of claim 12, wherein the object is a file, and the instructions that cause the processor to compute the path hash of the object comprise instructions that cause the processor to perform a hash function on a path of the file.
  - 22. The non-transitory computer-readable medium of claim 14, further comprising instructions that cause the processor to form a wrapped object encryption key (WOEK), wherein the instructions that cause the processor to form the WOEK comprise:
    - instructions that cause the processor to encrypt the MEK; and
      
      instructions that cause the processor to save the encrypted MEK in the manifest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Brouwer, Michael Lambertus Hubertus, Adler, Mitchell D., Freedman, Gordon J.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US13/527,257
Publication Number

US 20120260099A1
Time in Patent Office

630 Days
Field of Search

713/165, 713/176, 713/180, 713/193, 713/187, 707/640, 707/646, 707/647, 707/679, 707/681, 711/161, 711/162
US Class Current

713/176
CPC Class Codes

G06F 11/10   Adding special bits or symb...

G06F 11/1451   by selection of backup cont...

G06F 11/1458   Management of the backup or...

G06F 11/1469   Backup restoration techniques

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

Incremental secure backup and restore of user settings and data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Incremental secure backup and restore of user settings and data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links