Apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment

US 20060126850A1
Filed: 12/09/2004
Published: 06/15/2006
Est. Priority Date: 12/09/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:

a key generator configured to generate a random storage key for each storage construct associated with a storage session, the storage key uniquely associated with the storage construct;

an encryption module configured to encrypt the storage construct using the storage key and to encrypt the storage key using a transmission key known to a receiver; and

a communication interface configured to transmit the encrypted storage construct and the encrypted storage key to the receiver, the receiver configured to store the encrypted storage construct on a first storage device, decrypt the encrypted storage key using the transmission key, and store the storage key on a second storage device physically distinct from the first storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention includes one or more clients in communication with a server. The client desires to send a storage construct to the server for storage. The client negotiates a transmission key with the server. The client generates a storage key associated specifically with the storage construct. The client encrypts the storage construct using the storage key and encrypts the storage key using the transmission key. The encrypted storage construct and encrypted storage key are sent to the server. The server decrypts the storage key using the transmission key. The server stores the storage construct on a storage device separate from a storage device storing the storage key. Preferably, any changes to the storage construct location, the storage key location, or the storage construct name are tracked and proper modifications are made to an association relating the location of the storage construct and the location for the corresponding storage key.

60 Citations

View as Search Results

40 Claims

1. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
- a key generator configured to generate a random storage key for each storage construct associated with a storage session, the storage key uniquely associated with the storage construct;
  
  an encryption module configured to encrypt the storage construct using the storage key and to encrypt the storage key using a transmission key known to a receiver; and
  
  a communication interface configured to transmit the encrypted storage construct and the encrypted storage key to the receiver, the receiver configured to store the encrypted storage construct on a first storage device, decrypt the encrypted storage key using the transmission key, and store the storage key on a second storage device physically distinct from the first storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, further comprising an association module configured to manage an association between the encrypted storage construct on the first storage device and the encrypted storage key on the second storage device.
  - 3. The apparatus of claim 1, wherein the receiver comprises a security module configured to encrypt the decrypted storage key using a native key such that the storage key stored on the second storage device is encrypted, the native key known exclusively to the receiver.
  - 4. The apparatus of claim 1, further comprising a negotiation module configured to negotiate the transmission key between the sender and the receiver.
  - 5. The apparatus of claim 1, wherein the storage construct comprises a file within a file system of the sender.
  - 6. The apparatus of claim 1, further comprising a configuration module configured to define a symmetric transmission key identical to the transmission key used by the receiver.
  - 7. The apparatus of claim 1, wherein at least one of the storage key and the storage construct includes an indicator that identifies the encryption algorithm for decryption of the storage construct.

8. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
- a communication interface configured to receive an encrypted storage construct and an encrypted storage key from a sender, the storage construct encrypted by the sender using a storage key generated by the sender, the storage key uniquely associated with the storage construct, the storage construct encrypted using a transmission key shared with the sender;
  
  a storage module configured to store the encrypted storage construct on a first storage device and the storage key on a second storage device physically distinct from the first storage device; and
  
  an association module configured to manage an association between the encrypted storage construct on the first storage device and the encrypted storage key on the second storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, further comprising a security module configured to decrypt the storage key using the transmission key, such that the storage key stored by the storage module is a decrypted storage key.
  - 10. The apparatus of claim 8, further comprising a security module configured to decrypt the storage key using the transmission key and re-encrypt the storage key using a native key, such that the storage key stored by the storage module is a re-encrypted storage key.
  - 11. The apparatus of claim 8, further comprising a negotiation module configured to negotiate the transmission key with a sender.
  - 12. The apparatus of claim 8, wherein the transmission key is a symmetric encryption key suitable for use with symmetric encryption algorithms to encrypt and decrypt data.
  - 13. The apparatus of claim 8, further comprising a configuration module configured to define a symmetric transmission key identical to the transmission key used by the sender.
  - 14. The apparatus of claim 8, wherein one of the storage key and the storage construct includes an indicator that identifies the encryption algorithm for decryption of the storage construct.

15. A system for transparent end-to-end security of storage data in a client-server environment, the system comprising:
- a plurality of backup-archive clients, each client configured to generate a unique storage key for a specific storage construct, encrypt the storage construct using the storage key, encrypt the storage key using a shared transmission key, wherein the storage construct comprises a physical file defined on a host of at least one of the backup-archive clients;
  
  a storage server configured to receive the encrypted storage construct and the encrypted storage key from one of the clients, decrypt the storage key using the shared transmission key, store the encrypted storage construct on a first storage device separate from a second storage device that stores the storage key; and
  
  a network that operatively connects the clients and the server for network communications.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15, wherein the storage server comprises an association module configured to manage an association between the encrypted storage construct on the first storage device and the encrypted storage key on the second storage device.
  - 17. The system of claim 16, wherein the association comprises a storage key location and a storage construct location.
  - 18. The system of claim 16, wherein the association module is further configured to modify the association in response to relocation of at least one of the storage key and the encrypted storage construct.
  - 19. The system of claim 16, wherein the association module comprises a relational database.
  - 20. The system of claim 15, wherein the storage server comprises a security module configured to decrypt the storage key using the shared transmission key and re-encrypt the storage key using a native key, such that the storage key stored on the second storage device is encrypted, the native key known exclusively to the storage server.
  - 21. The system of claim 15, further comprising a negotiation module configured to negotiate the transmission key between one of the backup-archive clients and the storage server.
  - 22. The system of claim 15, wherein the transmission key is a symmetric encryption key suitable for use with symmetric encryption algorithms to encrypt and decrypt data.
  - 23. The system of claim 15, further comprising a configuration module configured to define an identical symmetric transmission key for use as the transmission key for both the backup-archive clients and the storage server.
  - 24. The system of claim 15, wherein one of the storage key and the storage construct includes an indicator that identifies the encryption algorithm for decryption of the storage construct.

25. A signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform operations for transparent end-to-end security of storage data in a client-server environment, the operations comprising:
- an operation to generate a unique storage key for a specific storage construct;
  
  an operation to encrypt the storage construct using the storage key;
  
  an operation to encrypt the storage key using a transmission key known to a sender and a receiver;
  
  an operation to transmit the encrypted storage construct and the encrypted storage key from the sender to the receiver;
  
  an operation to decrypt the storage key using the transmission key; and
  
  an operation to store the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The signal bearing medium of claim 25, further comprising an operation to negotiate the transmission key between the sender and the receiver.
  - 27. The signal bearing medium of claim 25, further comprising an operation to associate a storage key location and a storage construct location.
  - 28. The signal bearing medium of claim 25, further comprising an operation to modify an association that comprises a storage key location and a storage construct location in response to changing the location of at least one of the storage key and the encrypted storage construct.
  - 29. The signal bearing medium of claim 25, wherein the storage construct comprises a file within a file system of the sender.
  - 30. The signal bearing medium of claim 25, further comprising an operation to configure the sender and the receiver with an identical symmetric transmission key.
  - 31. The signal bearing medium of claim 25, wherein one of the storage key and the storage construct includes an indicator that identifies the encryption algorithm for decryption of the storage construct.
  - 32. The signal bearing medium of claim 25, further comprising an operation to determine at least one of a key size and an encryption algorithm based on a security policy associated with the storage construct.
  - 33. The signal bearing medium of claim 32, wherein the sender determines the key size based on a local security policy.
  - 34. The signal bearing medium of claim 25, wherein the sender generates the storage key based at least in part on data associated with the storage construct.
  - 35. The signal bearing medium of claim 25, wherein at least one of the first storage device and the second storage device comprises a removable computer-readable medium.
  - 36. The signal bearing medium of claim 25, further comprising, an operation to receive a request for the encrypted storage construct from a client;
    - an operation to retrieve the storage key from the first storage device and the encrypted storage construct from the second storage device;
      
      an operation to encrypt the storage key using the transmission key;
      
      an operation to transmit the encrypted storage key and encrypted storage device to the client;
      
      an operation to decrypt the storage key using the transmission key at the client; and
      
      an operation to decrypt the storage construct using the decrypted storage key and store the decrypted storage construct on the client without user interaction.

37. A method for deploying computing infrastructure, comprising integrating computer readable code into a computing system, wherein the code in combination with the computing system is capable of performing the following:
- generating a unique storage key for a specific storage construct;
  
  encrypting the storage construct using the storage key;
  
  encrypting the storage key using a transmission key known to a sender and a receiver;
  
  transmitting the encrypted storage construct and the encrypted storage key from the sender to the receiver;
  
  decrypting the storage key using the transmission key; and
  
  storing the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device.
- View Dependent Claims (38, 39)
- - 38. The method of claim 37, further comprising associating a storage key location and a storage construct location.
  - 39. The method of claim 37, further comprising modifying an association that defines a storage key location and a storage construct location in response to changing the location of at least one of the storage key and the encrypted storage construct.

40. An apparatus for transparent end-to-end security of storage data in a client-server environment, the apparatus comprising:
- means for generating a unique storage key for a specific storage construct;
  
  means for encrypting the storage construct using the storage key;
  
  means for encrypting the storage key using a transmission key known to a sender and a receiver;
  
  means for transmitting the encrypted storage construct and the encrypted storage key from the sender to the receiver;
  
  means for decrypting the storage key using the transmission key; and
  
  means for storing the encrypted storage construct on a first storage device and the decrypted storage key on a second storage device physically distinct from the first storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Warren, Donald, Dawson, Colin Scott, Hannigan, Kenneth Eugene, Zaremba, Christopher, Hochberg, Avishai H., Hattrup, Glen

Granted Patent

US 7,899,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/284
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 9/0894 Escrow, recovery or storing...

Apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links