Master key generation and distribution for storage area network devices

US 8,855,318 B1
Filed: 04/02/2008
Issued: 10/07/2014
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a cryptographic node creation request;

determining that a master key cannot be obtained from another cryptographic node in a data center, in response to receiving the cryptographic node creation request;

generating the master key by using a processor, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object is used to decrypt the encrypted key;

splitting the master key into N shares, with M shares required to recreate the key, wherein M is less than N; and

distributing the N shares to different entities.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for generating a master key used to secure key objects associated with data blocks in a data center. A cryptographic node creation request is received. It is determined that a master key can not be obtained from another cryptographic node in the data center. A master key is generated. The master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), where the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier. The master key is split into N shares, with M shares required to recreate the master key, wherein M is less than N. The N shares are distributed to different entities.

76 Citations

View as Search Results

28 Claims

1. A method, comprising:
- receiving a cryptographic node creation request;
  
  determining that a master key cannot be obtained from another cryptographic node in a data center, in response to receiving the cryptographic node creation request;
  
  generating the master key by using a processor, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object is used to decrypt the encrypted key;
  
  splitting the master key into N shares, with M shares required to recreate the key, wherein M is less than N; and
  
  distributing the N shares to different entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the data center key object corresponds to a disk logical unit number (LUN).
  - 3. The method of claim 1, wherein the data center key object corresponds to a tape cartridge.
  - 4. The method of claim 1, wherein the key hierarchy includes the master key, a plurality of tape volume group keys, and a plurality of tape volume keys.
  - 5. The method of claim 4, wherein the data block is encrypted using a tape volume key.
  - 6. The method of claim 5, wherein the tape volume key is encrypted using a tape volume group key.
  - 7. The method of claim 6, wherein the tape volume group key is encrypted using the master key.
  - 8. The method of claim 1, wherein decryption comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center.
  - 9. The method of claim 1, wherein the unique identifier is a globally unique identifier.
  - 10. The method of claim 9, wherein the globally unique identifier is written to the storage area network medium.
  - 11. The method of claim 1, wherein the wrapper unique identifier references another data center key object having information for decrypting the encrypted key.
  - 12. The method of claim 1, wherein the unique identifier is unique at least within a particular Storage Area Network (SAN).
  - 13. The method of claim 1, wherein the data center key object further comprises a cluster identifier specifying a particular cluster of network devices to which the data center key object belongs.
  - 14. The method of claim 13, further comprising:
    - adding a cryptographic node to the particular cluster of network devices to which the data center key object belongs.
  - 15. The method of claim 1, further comprising:
    - adding a cryptographic node to a cluster of network devices to which the data center key object belongs, wherein the cryptographic node is implemented within a network device.

16. A system, comprising:
- an interface operable to receive a cryptographic node creation request; and
  
  a processor operable to determine whether a master key can be obtained from another cryptographic node in a data center in response to receiving the cryptographic node creation request, and generate the master key upon determining that a master key cannot be obtained from another cryptographic node in a data center, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object is used to decrypt the encrypted key;
  
  wherein the processor is further operable to split the master key into N shares, with M shares required to recreate the key, wherein M is less than N.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The system of claim 16, wherein the N shares are distributed to different entities.
  - 18. The system of claim 16, wherein the data center key object corresponds to a disk logical unit number (LUN).
  - 19. The system of claim 16, wherein the data center key object corresponds to a tape cartridge.
  - 20. The system of claim 16, wherein the key hierarchy includes the master key, a plurality of tape volume group keys, and a plurality of tape volume keys.
  - 21. The system of claim 20, wherein the data block is encrypted using a tape volume key.
  - 22. The system of claim 21, wherein the tape volume key is encrypted using a tape volume group key.
  - 23. The system of claim 22, wherein the tape volume group key is encrypted using the master key.
  - 24. The system of claim 16, wherein decryption comprises using keying material accessed using the wrapper unique identifier, the wrapper unique identifier referencing another key object at a key management center.
  - 25. The system of claim 16, wherein the unique identifier is a globally unique identifier.
  - 26. The system of claim 25, wherein the globally unique identifier is written to the storage area network medium.

27. An apparatus, comprising:
- means for receiving a cryptographic node creation request;
  
  means for determining that a master key cannot be obtained from another cryptographic node in a data center, in response to receiving the cryptographic node creation request;
  
  means for generating the master key, wherein the master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), wherein the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier, wherein the data center key object belongs to a cluster of network devices, the cluster of network devices including one or more cryptographic nodes, wherein the data center key object is used to decrypt the encrypted key;
  
  means for splitting the master key into N shares, with M shares required to recreate the key, wherein M is less than N; and
  
  means for distributing the N shares to different entities.
- View Dependent Claims (28)
- - 28. The apparatus of claim 27, wherein the cluster of network devices comprises one or more storage devices and one or more switches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Patnala, Praveen, Parthasarathy, Anand, Deshmukh, Makarand, Mellblom, Jason
Primary Examiner(s)
Chen, Shin-Hon
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US12/061,604
Time in Patent Office

2,379 Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0836   using tree structure or hie...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Master key generation and distribution for storage area network devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Master key generation and distribution for storage area network devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links