Receipt, data reduction, and storage of encrypted data

US 9,667,422 B1
Filed: 05/23/2016
Issued: 05/30/2017
Est. Priority Date: 08/27/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

separating a received encrypted data stream into one or more encrypted data chunks, including a first data chunk;

placing the first data chunk into a sub-stream, wherein the sub-stream corresponds with a first master key and a first owning entity;

decrypting the first data chunk into plaintext;

transforming the plaintext, including applying one or more advanced data functions to the plaintext;

organizing the transformed plaintext into a first data unit;

creating a first encryption unit from the first data unit, including encrypting the data unit with a first wrapped encryption key comprising the first master key and a first private key corresponding to the first encryption unit, wherein the first encryption unit has a space allocation in persistent storage and is a fixed size;

in response to the first encryption unit having available space, padding the first encryption unit with at least one byte to fill the available space;

storing the wrapped encryption key as metadata for the encryption unit; and

accessing the first encryption unit in response to a request to read data from the first owning entity, including retrieving the first encryption key, and decrypting the first encryption unit based on the first encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to processing streams of encrypted data received from multiple users. As a stream is received, smaller partitions in the form of data chunks, including a first data chunk, are created and subject to individual decryption. The first data chunk is placed into sub-stream according to a first master key associated with a first owning entity. Prior to processing, the first data chunk is decrypted into plaintext, and the plaintext is transformed by applying one or more advanced data functions. The transformed plaintext is organized into a first data unit, and a first encryption unit is created from the first data unit. The first encryption unit has a space allocation in persistent storage. Accordingly, confidentiality of data is maintained, and the ability of storage systems to perform data reduction functions is supported.

60 Citations

View as Search Results

12 Claims

1. A method comprising:
- separating a received encrypted data stream into one or more encrypted data chunks, including a first data chunk;
  
  placing the first data chunk into a sub-stream, wherein the sub-stream corresponds with a first master key and a first owning entity;
  
  decrypting the first data chunk into plaintext;
  
  transforming the plaintext, including applying one or more advanced data functions to the plaintext;
  
  organizing the transformed plaintext into a first data unit;
  
  creating a first encryption unit from the first data unit, including encrypting the data unit with a first wrapped encryption key comprising the first master key and a first private key corresponding to the first encryption unit, wherein the first encryption unit has a space allocation in persistent storage and is a fixed size;
  
  in response to the first encryption unit having available space, padding the first encryption unit with at least one byte to fill the available space;
  
  storing the wrapped encryption key as metadata for the encryption unit; and
  
  accessing the first encryption unit in response to a request to read data from the first owning entity, including retrieving the first encryption key, and decrypting the first encryption unit based on the first encryption key.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein decrypting the first encryption unit based on the first encryption key comprises decrypting the first encryption key with the first master key to generate an unwrapped first private key.
  - 3. The method of claim 2, further comprising:
    - decrypting the requested data into requested data plaintext with the unwrapped first private key;
      
      formatting the requested data plaintext, including applying an inverse of the one or more advanced data functions;
      
      encrypting the formatted plaintext; and
      
      sending the encrypted requested data plaintext to the first owning entity.
  - 4. The method of claim 1, further comprising:
    - decrypting the first encryption unit with the first private key;
      
      re-encrypting a data object to be sent, including one or more keys, one of the keys being the master key associated with the first owning entity; and
      
      sending the encrypted data.

5. A computer program product for data encryption, the computer program product comprising a computer readable storage device having program code embodied therewith, the program code executable by a processing unit to:
- separate a received encrypted data stream into one or more encrypted data chunks, including a first data chunk;
  
  place the first data chunk into a sub-stream, wherein the sub-stream corresponds with a first master key and a first owning entity;
  
  decrypt the first data chunk into plaintext;
  
  transform the plaintext, including program code to apply one or more advanced data functions to the plaintext;
  
  organize the transformed plaintext into a first data unit;
  
  create a first encryption unit from the first data unit, including the processing unit to encrypt the data unit with a first wrapped encryption key comprising the first master key and a first private key corresponding to the first encryption unit, wherein the first encryption unit has a space allocation in persistent storage and is a fixed size;
  
  in response to the first encryption unit having available space, the processing unit to pad the first encryption unit with at least one byte to fill the available space;
  
  store the wrapped encryption key as metadata for the encryption unit; and
  
  access the first encryption unit in response to a request to read data from the first owning entity, including program code to retrieve the first encryption key, and decrypt the first encryption unit based on the first encryption key.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product of claim 5, wherein the decryption of the first encryption unit based on the first encryption key comprises program code to decrypt the first encryption key with the first master key to generate an unwrapped first private key.
  - 7. The computer program product of claim 6, further comprising program code to:
    - decrypt the requested data into requested data plaintext with the unwrapped first private key;
      
      format the requested data plaintext, including program code to apply an inverse of the one or more advanced data functions;
      
      encrypt the formatted plaintext; and
      
      send the encrypted requested data plaintext to the first owning entity.
  - 8. The computer program product of claim 5, further comprising the processing unit to:
    - decrypt the first encryption unit with the first private key;
      
      re-encrypt a data object to be sent, including one or more keys, one of the keys being the master key associated with the first owning entity; and
      
      send the encrypted data.

9. A computer system comprising:
- a hardware processor;
  
  a gatekeeper; and
  
  a decrypter in communication with the processor, the gatekeeper and data storage for efficient storage of encrypted data;
  
  the decrypter to;
  
  separate a received encrypted data stream into one or more encrypted data chunks, including a first data chunk;
  
  place the first data chunk into a sub-stream, wherein the sub-stream corresponds to a first master key and a first owning entity;
  
  decrypt the first data chunk into plaintext;
  
  transform the plaintext, including the decrypter to apply one or more advanced data functions to the plaintext;
  
  organize the transformed plaintext into a first data unit;
  
  create a first encryption unit from the first data unit, including the decrypter to encrypt the data unit with a first wrapped encryption key comprising the first master key and a first private key corresponding to the first encryption unit, wherein the first encryption unit has a space allocation in persistent storage and is a fixed size;
  
  in response to the first encryption unit having available space, the decrypter to pad the first encryption unit with at least one byte to fill the available space;
  
  store the wrapped encryption key as metadata for the encryption unit; and
  
  access the first encryption unit in response to a request to read data from the first owning entity, including the decrypter to retrieve the first encryption key, and decrypt the first encryption unit based on the first encryption key.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein the decryption of the first encryption unit based on the first encryption key comprises the decrypter to decrypt the first encryption key with the first master key to generate an unwrapped first private key.
  - 11. The system of claim 10, further comprising the decrypter to:
    - decrypt the requested data into requested data plaintext with the unwrapped first private key;
      
      format the requested data plaintext, including the decrypter to apply an inverse of the one or more advanced data functions;
      
      encrypt the formatted plaintext; and
      
      send the encrypted requested data plaintext to the first owning entity.
  - 12. The computer system of claim 9, further comprising the decrypter to:
    - decrypt the first encryption unit with the first private key;
      
      re-encrypt a data object to be sent, including one or more keys, one of the keys being the master key associated with the first owning entity; and
      
      send the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Androulaki, Elli, Baracaldo, Nathalie, Glider, Joseph S., Sorniotti, Alessandro
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/161,881
Publication Number

US 20170134166A1
Time in Patent Office

372 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/16   the keys or algorithms bein...

Receipt, data reduction, and storage of encrypted data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Receipt, data reduction, and storage of encrypted data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links