Content aware hierarchical encryption for secure storage systems

US 9,432,192 B1
Filed: 03/28/2014
Issued: 08/30/2016
Est. Priority Date: 03/28/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes;

traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprisesfor a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node,encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, andstoring the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and

storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, metadata of a data object to be stored in a storage system is received, where the metadata is in a hierarchical structure having multiple levels, each level having multiple nodes and each node being one of a root node, a leaf node and an intermediate node. Each leaf node represents a deduplicated segment associated with the data object. The hierarchical structure is traversed to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using different keys. A child key for encrypting content of a child node is stored in a parent node that references the child node, and the child key is encrypted by a parent key associated with the parent node. The encrypted content of the nodes are then stored in one or more storage units of the storage system in a deduplicated manner.

36 Citations

View as Search Results

24 Claims

1. A computer-implemented method, comprising:
- receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes;
  
  traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprisesfor a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node,encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, andstoring the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and
  
  storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein content data of the parent node and one or more child keys of one or more child nodes referenced by the parent node are stored together and encrypted using the parent key associated with the parent node.
  - 3. The method of claim 1, wherein the one or more second keys are derive from fingerprints of the one or more second nodes, respectively.
  - 4. The method of claim 1, further comprising iteratively performing obtaining the first fingerprint, encrypting using the first key, and storing the encrypted first node on a node-by-node and level-by-level basis based on the bottom-up approach.
  - 5. The method of claim 1, further comprising encrypting a root node of the hierarchical structure using a root key that is maintained separately from remaining encrypted content of the data object.
  - 6. The method of claim 5, wherein the root key is provided by a user who initiates encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 7. The method of claim 1, further comprising:
    - in response to a request for retrieving the data object that has been encrypted and stored in the storage system, deriving a root key from the request; and
      
      traversing the hierarchical structure of the metadata associated with the data object in a top-down approach to decrypt each of the nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes.
  - 8. The method of claim 7, wherein traversing the hierarchical structure of the metadata associated with the data object in a top-down approach comprises:
    - for a given third node as a parent node to one or more fourth nodes as child nodes, decrypting the third node using a third key associated with the third node to reveal one or more fourth keys corresponding to the one or more fourth nodes, respectively; and
      
      decrypting, using the fourth keys, the one or more fourth nodes, to reveal content of the one or more fourth nodes.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations, the operations comprising:
- receiving metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes;
  
  traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprisesfor a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node,encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, andstoring the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system; and
  
  storing the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory machine-readable medium of claim 9, wherein content data of the parent node and one or more child keys of one or more child nodes referenced by the parent node are stored together and encrypted using the parent key associated with the parent node.
  - 11. The non-transitory machine-readable medium of claim 9, wherein the one or more second keys are derive from fingerprints of the one or more second nodes, respectively.
  - 12. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise iteratively performing obtaining the first fingerprint, encrypting using the first key, and storing the encrypted first node on a node-by-node and level-by-level basis based on the bottom-up approach.
  - 13. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise encrypting a root node of the hierarchical structure using a root key that is maintained separately from remaining encrypted content of the data object.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the root key is provided by a user who initiates encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 15. The non-transitory machine-readable medium of claim 9, wherein the operations further comprise:
    - in response to a request for retrieving the data object that has been encrypted and stored in the storage system, deriving a root key from the request; and
      
      traversing the hierarchical structure of the metadata associated with the data object in a top-down approach to decrypt each of the nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes.
  - 16. The non-transitory machine-readable medium of claim 15, wherein traversing the hierarchical structure of the metadata associated with the data object in a top-down approach comprises:
    - for a given third node as a parent node to one or more fourth nodes as child nodes, decrypting the third node using a third key associated with the third node to reveal one or more fourth keys corresponding to the one or more fourth nodes, respectively; and
      
      decrypting, using the fourth keys, the one or more fourth nodes, to reveal content of the one or more fourth nodes.

17. A data processing system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor toreceive metadata of a data object to be stored in a storage system, wherein the metadata is represented in a hierarchical structure having a plurality of levels, each level having a plurality of nodes and each node being one of a root node, a leaf node and an intermediate node, and wherein each leaf node represents a deduplicated segment associated with the data object and each parent node stores metadata of its one or more child nodes,traverse the hierarchical structure to encrypt each of the nodes in a bottom-up approach, starting from leaf nodes, using a plurality of different keys, wherein a child key for encrypting content of a child node is stored in a parent node that references the child node, and wherein the child key is encrypted together with content of the parent node by a parent key associated with the parent node, wherein traversing the hierarchical structure to encrypt each of the nodes in a bottom-up approach comprisesfor a given first node as a parent node to one or more second nodes as child nodes, obtaining a first fingerprint of content of the first node,encrypting, using a first key derived from the first fingerprint, content of the first node and one or more second keys that encrypt the second nodes, andstoring the encrypted first node having content of the first node and the one or more second keys embedded therein in the storage system, andstore the encrypted content of the plurality of nodes in one or more storage units of the storage system in a deduplicated manner.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein content data of the parent node and one or more child keys of one or more child nodes referenced by the parent node are stored together and encrypted using the parent key associated with the parent node.
  - 19. The system of claim 17, wherein the one or more second keys are derive from fingerprints of the one or more second nodes, respectively.
  - 20. The system of claim 17, wherein the processor is to iteratively perform obtaining the first fingerprint, encrypting using the first key, and storing the encrypted first node on a node-by-node and level-by-level basis based on the bottom-up approach.
  - 21. The system of claim 17, wherein the instructions further cause the processor to encrypt a root node of the hierarchical structure using a root key that is maintained separately from remaining encrypted content of the data object.
  - 22. The system of claim 21, wherein the root key is provided by a user who initiates encryption of the data object, and wherein the root key is not stored within the storage system to prevent from being compromised.
  - 23. The system of claim 17, wherein the instructions further cause the processor to:
    - in response to a request for retrieving the data object that has been encrypted and stored in the storage system, derive a root key from the request; and
      
      traverse the hierarchical structure of the metadata associated with the data object in a top-down approach to decrypt each of the nodes in the hierarchical structure using a key provided from its parent node, starting from the root node to the leaf nodes.
  - 24. The system of claim 23, wherein traversing the hierarchical structure of the metadata associated with the data object in a top-down approach comprises:
    - for a given third node as a parent node to one or more fourth nodes as child nodes, decrypting the third node using a third key associated with the third node to reveal one or more fourth keys corresponding to the one or more fourth nodes, respectively; and
      
      decrypting, using the fourth keys, the one or more fourth nodes, to reveal content of the one or more fourth nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Pogde, Prashant, Botelho, Fabiano C., Garg, Nitin
Primary Examiner(s)
Henderson, Esther B

Application Number

US14/229,364
Time in Patent Office

886 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 2209/60   Digital content management,...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Content aware hierarchical encryption for secure storage systems

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Content aware hierarchical encryption for secure storage systems

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links