Mechanism for facilitating encryption-free integrity protection of storage data at computing systems

US 8,793,506 B2
Filed: 08/31/2012
Issued: 07/29/2014
Est. Priority Date: 08/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device, wherein the read task includes reading the first data block;

accessing a first reference cryptographic code at a first metadata cache associated with the first data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);

calculating a first new cryptographic code relating to the first data block, the first new cryptographic code including a new HMAC;

comparing the first new cryptographic code with the first reference cryptographic code;

accepting the read request if the first new cryptographic code matches the first reference cryptographic code, wherein accepting includes facilitating the read task;

denying the read request if the first new cryptographic code mismatches the first reference cryptographic code, wherein denying includes issuing an error message in response to the read request, wherein if a data block containing the first reference cryptographic code is missing from the first metadata cache, the read request is submitted to facilitate the read task to read the missing data block.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is described for facilitating encryption-free integrity protection of storage data at computing systems according to one embodiment. A method of embodiments of the invention includes receiving a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device. The read task may include reading the first data block. The method may further include accessing a first reference cryptographic code at a first metadata cache associated with the first data block, calculating a first new cryptographic code relating to the first data block, comparing the first new cryptographic code with the first reference cryptographic code, and accepting the read request if the first new cryptographic code matches the first reference cryptographic code. The accepting may further include facilitating the read task.

Citations

22 Claims

1. A method comprising:
- receiving a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device, wherein the read task includes reading the first data block;
  
  accessing a first reference cryptographic code at a first metadata cache associated with the first data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);
  
  calculating a first new cryptographic code relating to the first data block, the first new cryptographic code including a new HMAC;
  
  comparing the first new cryptographic code with the first reference cryptographic code;
  
  accepting the read request if the first new cryptographic code matches the first reference cryptographic code, wherein accepting includes facilitating the read task;
  
  denying the read request if the first new cryptographic code mismatches the first reference cryptographic code, wherein denying includes issuing an error message in response to the read request, wherein if a data block containing the first reference cryptographic code is missing from the first metadata cache, the read request is submitted to facilitate the read task to read the missing data block.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the software application comprises an operating system running at the computing device.
  - 3. The method of claim 1, further comprising:
    - receiving a write request, from the software application at a computing device, to perform a write task relating to a second data block, wherein the write task includes writing the second data block to the data stored at the storage device;
      
      accessing a second reference cryptographic code at a second metadata cache associated with the second data block;
      
      calculating a second new cryptographic code relating to the second data block;
      
      replacing the second reference cryptographic code by the second new cryptographic code in the second metadata cache; and
      
      accepting the write request, wherein accepting includes facilitating the write task.
  - 4. The method of claim 3, wherein the second metadata cache to maintain the second new cryptographic code such that the second new cryptographic code is used as a reference cryptographic code for future read requests.
  - 5. The method of claim 3, wherein the second reference cryptographic code includes another existing HMAC, wherein the second new cryptographic code includes another new HMAC.
  - 6. The method of claim 3, wherein the software application comprises an operating system running at the computing device.

7. An apparatus comprising:
- first logic, at least a portion of which is implemented as hardware, to receive a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device, wherein the read task includes reading the first data block;
  
  second logic, at least a portion of which is implemented as hardware, to access a first reference cryptographic code at a first metadata cache associated with the first data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);
  
  third logic, at least a portion of which is implemented as hardware, to calculate a first new cryptographic code relating to the first data block, the first new cryptographic code including a new HMAC;
  
  fourth logic, at least a portion of which is implemented as hardware, to compare the first new cryptographic code with the first reference cryptographic code;
  
  fifth logic, at least a portion of which is implemented as hardware, to accept the read request if the first new cryptographic code matches the first reference cryptographic code, wherein accepting includes facilitating the read task;
  
  wherein the fifth logic, at least a portion of which is implemented as hardware, is further to deny the read request if the first new cryptographic code mismatches the first reference cryptographic code, wherein denying includes issuing an error message in response to the read request, wherein if a data block containing the first reference cryptographic code is missing from the first metadata cache, the read request is submitted to facilitate the read task to read the missing data block.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the software application comprises an operating system running at the computing device.
  - 9. The apparatus of claim 7, wherein:
    - the first logic, at least a portion of which is implemented as hardware, is further to receive a write request, from the software application at a computing device, to perform a write task relating to a second data block, wherein the write task includes writing the second data block to the data stored at the storage device;
      
      the second logic, at least a portion of which is implemented as hardware, is further to access second reference cryptographic code at a second metadata cache associated with the second data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);
      
      the third logic, at least a portion of which is implemented as hardware, is further to calculate a second new cryptographic code relating to the second data block, the first new cryptographic code including a new HMAC;
      
      the fourth logic, at least a portion of which is implemented as hardware, is further to replace the second reference cryptographic code by the second new cryptographic code in the second metadata cache; and
      
      the fifth logic, at least a portion of which is implemented as hardware, is further to accept the write request, wherein accepting includes facilitating the write task.
  - 10. The apparatus of claim 9, wherein the second metadata cache to maintain the second new cryptographic code such that the second new cryptographic code is used as a reference cryptographic code for future read requests.
  - 11. The apparatus of claim 9, wherein the second reference cryptographic code includes another existing HMAC, wherein the second new cryptographic code includes another new HMAC.
  - 12. The apparatus of claim 9, wherein the software application comprises an operating system running at the computing device.

13. A system comprising:
- a computing device having a memory to store instructions, and a processing device to execute the instructions, the computing device further having a mechanism to;
  
  receive a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device, wherein the read task includes reading the first data block;
  
  access a first reference cryptographic code at a first metadata cache associated with the first data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);
  
  calculate a first new cryptographic code relating to the first data block, the first new cryptographic code including a new HMAC;
  
  compare the first new cryptographic code with the first reference cryptographic code;
  
  accept the read request if the first new cryptographic code matches the first reference cryptographic code, wherein accepting includes facilitating the read task; and
  
  deny the read request if the first new cryptographic code mismatches the first reference cryptographic code, wherein denying includes issuing an error message in response to the read request, wherein if a data block containing the first reference cryptographic code is missing from the first metadata cache, the read request is submitted to facilitate the read task to read the missing data block.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein the software application comprises an operating system running at the computing device.
  - 15. The system of claim 13, wherein the mechanism is further to:
    - receive a write request, from the software application at a computing device, to perform a write task relating to a second data block, wherein the write task includes writing the second data block to the data stored at the storage device;
      
      access second reference cryptographic code at a second metadata cache associated with the second data block;
      
      calculate a second new cryptographic code relating to the second data block;
      
      replace the second reference cryptographic code by the second new cryptographic code in the second metadata cache; and
      
      accept the write request, wherein accepting includes facilitating the write task.
  - 16. The system of claim 15, wherein the second metadata cache to maintain the second new cryptographic code such that the second new cryptographic code is used as a reference cryptographic code for future read requests.

17. At least one non-transitory machine-readable storage medium comprising a plurality of instructions that in response to being executed on a computing device, causes the computing device to carry out a method according to one or more operations comprising:
- receive a read request, from a software application at a computing device, to perform a read task relating to a first data block of data stored at a storage device coupled to the computing device, wherein the read task includes reading the first data block;
  
  access a first reference cryptographic code at a first metadata cache associated with the first data block, wherein accessing includes determining whether the first reference cryptographic code is associated with the first metadata cache being part of a plurality of integrity metadata data blocks, the first reference cryptographic code including an existing hash-based message authentication code (HMAC);
  
  calculate a first new cryptographic code relating to the first data block, the first new cryptographic code including a new HMAC;
  
  compare the first new cryptographic code with the first reference cryptographic code;
  
  accept the read request if the first new cryptographic code matches the first reference cryptographic code, wherein accepting includes facilitating the read task; and
  
  deny the read request if the first new cryptographic code mismatches the first reference cryptographic code, wherein denying includes issuing an error message in response to the read request, wherein if a data block containing the first reference cryptographic code is missing from the first metadata cache, the read request is submitted to facilitate the read task to read the missing data block.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The non-transitory machine-readable storage medium of claim 17, wherein the software application comprises an operating system running at the computing device.
  - 19. The non-transitory machine-readable storage medium of claim 17, wherein the one or more operations further comprise:
    - receive a write request, from the software application at a computing device, to perform a write task relating to a second data block, wherein the write task includes writing the second data block to the data stored at the storage device;
      
      access a second reference cryptographic code at a second metadata cache associated with the second data block;
      
      calculate a second new cryptographic code relating to the second data block;
      
      replace the second reference cryptographic code by the second new cryptographic code in the second metadata cache; and
      
      accept the write request, wherein accepting includes facilitating the write task.
  - 20. The non-transitory machine-readable storage medium of claim 19, wherein the second metadata cache to maintain the second new cryptographic code such that the second new cryptographic code is used as a reference cryptographic code for future read requests.
  - 21. The non-transitory machine-readable storage medium of claim 19, wherein the second reference cryptographic code includes another existing HMAC, wherein the second new cryptographic code includes another new HMAC.
  - 22. The non-transitory machine-readable storage medium of claim 19, wherein the software application comprises an operating system running at the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kasatkin, Dmitry
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US13/601,969
Publication Number

US 20140068274A1
Time in Patent Office

697 Days
Field of Search

713/189, 713/193, 713/155, 713/156, 713/194, 713/168, 713/190, 711/122, 709/219
US Class Current

713/189
CPC Class Codes

G06F 21/64 Protecting data integrity, ...

Mechanism for facilitating encryption-free integrity protection of storage data at computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism for facilitating encryption-free integrity protection of storage data at computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links