Encryption key fragment distribution

US 8,538,029 B2
Filed: 03/24/2011
Issued: 09/17/2013
Est. Priority Date: 03/24/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method for distributing encryption key fragments across data stores located within a first geographic region and data stores located within a second geographic region that is different than and physically separated from the first geographic region, the method comprising:

fragmenting, by a computer, an encryption key into a number, n, of encryption key fragments such that a number, k<

n, of the encryption key fragments is sufficient for reconstructing the encryption key;

distributing, by the computer, a first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region;

distributing, by the computer, a second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region, wherein the encryption key fragments in the first subset have no overlap with the encryption key fragments in the second subset; and

in response to determining that the computer is unable to obtain at least k of the encryption key fragments from the first geographic region, requesting encryption key fragments from the second geographic region for reconstructing the encryption key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption key may be fragmented into n encryption key fragments such that k<n fragments are sufficient for reconstructing the encryption key. The encryption key fragments may be distributed across data stores located within first and second geographic regions. For example, at least k of the encryption key fragments may be distributed across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region. Similarly, at least k of the encryption key fragments may be distributed across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region.

52 Citations

View as Search Results

15 Claims

1. A method for distributing encryption key fragments across data stores located within a first geographic region and data stores located within a second geographic region that is different than and physically separated from the first geographic region, the method comprising:
- fragmenting, by a computer, an encryption key into a number, n, of encryption key fragments such that a number, k<
  
  n, of the encryption key fragments is sufficient for reconstructing the encryption key;
  
  distributing, by the computer, a first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region;
  
  distributing, by the computer, a second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region, wherein the encryption key fragments in the first subset have no overlap with the encryption key fragments in the second subset; and
  
  in response to determining that the computer is unable to obtain at least k of the encryption key fragments from the first geographic region, requesting encryption key fragments from the second geographic region for reconstructing the encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein:
    - distributing at least k of the encryption key fragments across the data stores realized at the N different availability zones within the first geographic region includes distributing encryption key fragments across the data stores realized at the N different availability zones such that at least k encryption key fragments collectively are distributed to the data stores realized at any combination of N-x availability zones within the first geographic region, where x is a predetermined number of availability zone failures within the first geographic region to be withstood; and
      
      distributing at least k of the encryption key fragments across the data stores realized at the M different availability zones within the second geographic region includes distributing encryption key fragments across the data stores realized at the M different availability zones such that at least k encryption key fragments collectively are distributed to the data stores realized at any combination of M-y availability zones within the second geographic region, where y is a predetermined number of availability zone failures within the second geographic region to be withstood.
  - 3. The method of claim 1 wherein:
    - fragmenting the encryption key into n encryption key fragments such that k of the encryption key fragments are sufficient for reconstructing the encryption key includes fragmenting the encryption key into n encryption key fragments such that n≧
      
      2k.
  - 4. The method of claim 1 wherein:
    - distributing the first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region includes distributing the first subset of at least k encryption key fragments across N data stores realized by N corresponding computing systems, each of the N computing systems being isolated from the other of the N computing systems; and
      
      distributing the second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region includes distributing the second subset of at least k encryption key fragments across M data stores realized by M corresponding computing systems, each of the M computing systems being isolated from the other of the M computing systems.
  - 5. The method of claim 1 wherein:
    - distributing the first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region includes balancing distribution of the at least k encryption key fragments in the first subset across the data stores realized at the N different availability zones; and
      
      distributing the second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region includes balancing distribution of the at least k encryption key fragments in the second subset across the data stores realized at the M different availability zones.
  - 6. The method of claim 1 wherein:
    - distributing the first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region includes, for each of multiple of the k encryption key fragments in the first subset;
      
      deterministically identifying a particular data store realized at one of the N different availability zones within the first geographic region at which to store the encryption key fragment, anddistributing the encryption key fragment to the particular data store realized at one of the N different availability zones; and
      
      distributing the second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region includes, for each of multiple of the k encryption key fragments in the second subset;
      
      deterministically identifying a particular data store realized at one of the M different availability zones within the second geographic region at which to store the encryption key fragment, anddistributing the encryption key fragment to the particular data store realized at one of the M different availability zones.
  - 7. The method of claim 1 further comprising:
    - encrypting a data object using the encryption key; and
      
      accessing an identifier associated with the encrypted data object, wherein;
      
      distributing the first subset of at least k of the encryption key fragments across data stores realized at N different availability zones within the first geographic region includes;
      
      accessing, for each of the data stores at the N different availability zones to which the at least k encryption key fragments in the first subset are to be distributed, an identifier for the data store,performing, for each of the data stores at the N different availability zones to which the at least k encryption key fragments in the first subset are to be distributed, a hashing algorithm on a combination of the identifier associated with the encrypted data object and the identifier for the data store that yields a result, andtransmitting, to each of the data stores at the N different availability zones to which the at least k encryption key fragments in the first subset are to be distributed, a request to store one or more of the k encryption key fragments as well as the result of performing the hashing algorithm for the data store; and
      
      distributing the second subset of at least k of the encryption key fragments across data stores realized at M different availability zones within the second geographic region includes;
      
      accessing, for each of the data stores at the M different availability zones to which the at least k encryption key fragments in the second subset are to be distributed, an identifier for the data store,performing, for each of the data stores at the M different availability zones to which the at least k encryption key fragments in the second subset are to be distributed, a hashing algorithm on a combination of the identifier associated with the encrypted data object and the identifier for the data store that yields a result, andtransmitting, to each of the data stores at the M different availability zones to which the at least k encryption key fragments in the second subset are to be distributed, a request to store one or more of the k encryption key fragments as well as the result of performing the hashing algorithm for the data store.

8. An encryption key fragment storage system comprising:
- computer hardware systems implementing N≧
  
  2 different data stores at N corresponding different availability zones located within a first geographic region;
  
  computer hardware systems implementing M≧
  
  2 different data stores at M corresponding different availability zones located within a second geographic region that is different from and physically separated from the first geographic region;
  
  an encryption key fragment distributor to;
  
  access a number, n, of fragments of an encryption key, where a number, k<
  
  n, of the encryption key fragments is sufficient for reconstructing the encryption key;
  
  distribute a first subset of at least k of the encryption key fragments across the N data stores at the N availability zones within the first geographic region such that less than k of the encryption key fragments are distributed to each of the N availability zones within the first geographic region; and
  
  distribute a second subset of at least k of the encryption key fragments across the M data stores at the M availability zones within the second geographic region such that less than k of the encryption key fragments are distributed to each of the M availability zones within the second geographic region, wherein the encryption key fragments in the first subset have no overlap with the encryption key fragments in the second subset; and
  
  an encryption key fragment retriever to;
  
  in response to determining that the encryption key fragment retriever is unable to obtain at least k of the encryption key fragments from the first geographic region, request encryption key fragments from the second geographic region for reconstructing the encryption key.
- View Dependent Claims (9, 10, 11)
- - 9. The system of claim 8 wherein:
    - the computer hardware systems implementing the N different data stores at the N availability zones located within the first geographic region are isolated from each other; and
      
      the computer hardware systems implementing the M different data stores at the M availability zones located within the second geographic region are isolated from each other.
  - 10. The system of claim 8 wherein the encryption key fragment distributor is further configured to:
    - balance distribution of the at least k encryption key fragments in the first subset across the N data stores at the N availability zones; and
      
      balance distribution of the at least k encryption key fragments in the second subset across the M data stores at the M availability zones.
  - 11. The system of claim 8 wherein:
    - the encryption key fragment distributor is configured to distribute at least k of the encryption key fragments in the first subset across the N data stores at the N different availability zones within the first geographic region by, for each of multiple of the k encryption key fragments in the first subset;
      
      deterministically identifying a particular data store at one of the N availability zones within the first geographic region at which to store the encryption key fragment, anddistributing the encryption key fragment to the particular data store realized at one of the N different availability zones; and
      
      the encryption key fragment distributor is configured to distribute at least k of the encryption key fragments in the second subset across the M data stores at the M different availability zones within the second geographic region by, for each of multiple of the k encryption key fragments in the second subset;
      
      deterministically identifying a particular data store at one of the M availability zones within the second geographic region at which to store the encryption key fragment, anddistributing the encryption key fragment to the particular data store realized at one of the M different availability zones.

12. A non-transitory computer-readable storage medium storing instructions that, when executed by a computing system, cause the computing system to:
- access a number, n, of fragments of an encryption key where a number, k<
  
  n, of the encryption key fragments is sufficient for reconstructing the encryption key;
  
  distribute a first set of at least k of the encryption key fragments across N≧
  
  2 different data stores realized at N corresponding different availability zones within a first geographic region such that no more than k−
  
  1 unique encryption key fragments are distributed to each of the availability zones within the first geographic region;
  
  distribute a second set of at least k of the encryption key fragments across M≧
  
  2 different data stores realized at M corresponding different availability zones within a second geographic region that is different than and physically separated from the first geographic region such that no more than k−
  
  1 unique encryption key fragments are distributed to each of the availability zones within the second geographic region, wherein the encryption key fragments in the first set have no overlap with the encryption key fragments in the second set; and
  
  in response to determining that the computing system is unable to obtain at least k of the encryption key fragments from the first geographic region, request encryption key fragments from the second geographic region for reconstructing the encryption key.
- View Dependent Claims (13, 14, 15)
- - 13. The computer readable storage medium of claim 12 wherein:
    - the N different availability zones within the first geographic region include N corresponding computing systems, each of the N computing systems being isolated from the other of the N computing systems; and
      
      the M different availability zones within the second geographic region include M corresponding computing systems, each of the M computing systems being isolated from the other of the M computing systems.
  - 14. The computer readable storage medium of claim 13 wherein:
    - distributing the first set of encryption key fragments across the N data stores realized at the N different availability zones within the first geographic region includes balancing distribution of the first set of encryption key fragments across the N data stores realized at the N different availability zones; and
      
      distributing the second set of encryption key fragments across the M data stores realized at the M different availability zones within the second geographic region includes balancing distribution of the second set of encryption key fragments across the M data stores realized at the M different availability zones.
  - 15. The computer readable storage medium of claim 12 wherein:
    - distributing the first set of encryption key fragments across the N data stores realized at the N different availability zones within the first geographic region includes for each of multiple of the first set of encryption key fragments;
      
      deterministically identify a particular data store realized at one of the N different availability zones within the first geographic region at which to store the encryption key fragment, anddistribute the encryption key fragment to the particular data store realized at one of the N different availability zones; and
      
      distributing the second set of encryption key fragments across the M data stores realized at the M different availability zones within the second geographic region includes for each of multiple of the second set of encryption key fragments;
      
      deterministically identify a particular data store realized at one of the M different availability zones within the second geographic region at which to store the encryption key fragment, anddistribute the encryption key fragment to the particular data store realized at one of the M different availability zones.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Li, Jun, Singhal, Sharad, Swaminathan, Ram, Stephenson, Bryan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/071,459
Publication Number

US 20120243687A1
Time in Patent Office

908 Days
Field of Search

380277-286, 713/150, 713/168, 713/171, 713/193
US Class Current

380/279
CPC Class Codes

H04L 9/085 Secret sharing or secret sp...

Encryption key fragment distribution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key fragment distribution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links