Techniques for non repudiation of storage in cloud or shared storage environments

US 8,544,070 B2
Filed: 05/16/2011
Issued: 09/24/2013
Est. Priority Date: 05/16/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:

authenticating a principal, via principal-supplied credentials within a cloud storage environment;

identifying the principal for a first access within the cloud storage environment;

generating a public key and a private key for the principal within the cloud storage environment;

storing the public key and private key in a secret store within the cloud storage environment;

receiving a write request from the principal for a file to be stored within the cloud storage environment while the principal is still authenticated and only when the principal is authenticated for an access session with the cloud storage environment;

granting access to the public key and private key to the principal within the shared-storage environment and through the authenticated access session;

subsequently for each write request made by the principal within the cloud storage environment, the principal is re-authenticated;

receiving a signature for contents of the file from a file system, signed with the private key, within the shared-storage environment; and

storing the file and a control data structure for the file within the cloud storage environment, the control data structure including the public key and the signature.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.

10 Citations

View as Search Results

20 Claims

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- authenticating a principal, via principal-supplied credentials within a cloud storage environment;
  
  identifying the principal for a first access within the cloud storage environment;
  
  generating a public key and a private key for the principal within the cloud storage environment;
  
  storing the public key and private key in a secret store within the cloud storage environment;
  
  receiving a write request from the principal for a file to be stored within the cloud storage environment while the principal is still authenticated and only when the principal is authenticated for an access session with the cloud storage environment;
  
  granting access to the public key and private key to the principal within the shared-storage environment and through the authenticated access session;
  
  subsequently for each write request made by the principal within the cloud storage environment, the principal is re-authenticated;
  
  receiving a signature for contents of the file from a file system, signed with the private key, within the shared-storage environment; and
  
  storing the file and a control data structure for the file within the cloud storage environment, the control data structure including the public key and the signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - authenticating the principal via the credentials for a second access to the shared-storage environment;
      
      receiving a read request from the principal for the file;
      
      obtaining the public key from the control data structure; and
      
      verifying the signature for the file via the public key before providing the principal access to the file.
  - 3. The method of claim 1 further comprising:
    - authenticating the principal via the credentials for a second access to the shared-storage environment;
      
      receiving a write request from the principal for the file;
      
      obtaining the public key from the control data structure;
      
      verifying the signature for the file via the public key before providing the principal access to the file; and
      
      updating the control data structure with a revised signature based on updated contents to the file after processing the write request and updating the file accordingly.
  - 4. The method of claim 1 further comprising:
    - generating an audit event for each access attempt to the file made by the principal, the principal authenticated for each access attempt;
      
      signing each audit event with the private key obtained from the secret store; and
      
      logging each audit event.
  - 5. The method of claim 4 further comprising, generating a custom report for the audit events of the principal.
  - 6. The method of claim 4 further comprising, generating a billing record for the principal based on the audit events.
  - 7. The method of claim 4 further comprising, providing a non-repudiation report based on the audit events to authorized entity based on policy evaluation and/or request from the authorized entity.
  - 8. The method of claim 1 further comprising, stripping the public key and signature from the control data structure and providing the file and control data structure to an authorized entity based on policy evaluation and request from the authorized entity.
  - 9. The method of claim 1, wherein storing further includes representing the control data structure as an mode.
  - 10. The method of claim 9, wherein representing further includes using a first reserved field of the mode to house the public key and using a second reserved field of the mode to house the signature.

11. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- detecting a file access request within a cloud storage environment from a principal;
  
  verifying the principal is authenticated for access in the cloud storage environment;
  
  accessing a control data structure for a file to which the file access request is directed;
  
  obtaining a public key and a signature for the file from the control data structure;
  
  using a private key housed in a secret store within the cloud storage environment for the principal to generate a new signature for the file, the private key provided to the principal while the principal is still authenticated and only when the principal is authenticated for an access session with the cloud storage environment;
  
  subsequently for each file access request made by the principal within the cloud storage environment, the principal is re-authenticated;
  
  verifying the signature against the new signature; and
  
  permitting the file access request of the principal to proceed based on verifying the signature against the new signature.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11 further comprising:
    - generating an audit event for the file access request;
      
      signing the audit event with the private key of the principal; and
      
      logging the audit event.
  - 13. The method of claim 12 further comprising, using the logged audit event to generate reports, generate billing records, and/or provide proof of storage non-repudiation.
  - 14. The method of claim 11 further comprising, updating the signature with a second signature within the control data structure when the file access request processes within the cloud storage environment as a file update.
  - 15. The method of claim 11 further comprising, processing the method as a portion of a storage controller for the cloud storage environment.
  - 16. The method of claim 11, wherein detecting further includes recognizing the principal as a process from a remote application server that has the cloud storage environment remote mounted over a network.
  - 17. The method of claim 16, wherein recognizing further includes identifying the network as the Internet.

18. A system, comprising:
- a cloud storage environment;
  
  a storage controller implemented in a non-transitory machine-readable storage mediumthat processes on one or more processors of the cloud storage environment;
  
  and a secret store implemented in a non-transitory machine-readable storage medium of the cloud storage environment;
  
  the cloud storage environment configured to be remote mounted over a network with an application server of a principal when the principal authenticates with credentials,the storage controller configured to maintain isles for the principal within the cloud storage environment,each file having a control data structure and each control data structure having a public key for the principal and a signature for that file signed with a private key of the principal,the public key and private key housed in the secret store and the public and private key supplied to the principal each time an access request is made by the principal and while the principal is still authenticated,and only when the principal is authenticated for an access session with the cloud storage environment;
  
  subsequently for each file access request made by the principal within the cloud storage environment, the principal is re-authenticated;
  
  and the control data structures and the secret store used for providing storage non-repudiation.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the storage controller generates an audit event for each file access attempt made by the principal for files within the cloud storage environment.
  - 20. The system of claim 19, wherein the storage controller signs and logs each audit event with the private key of the principal obtained from the secret store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Mukkara, Prakash Umasankar, Burch, Lloyd Leon, Earl, Douglas Garry
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US13/108,094
Publication Number

US 20120297183A1
Time in Patent Office

862 Days
Field of Search

726 1- 21, 726 26- 33, 709/225, 713155-159, 380247-250, 705/18
US Class Current

726/5
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3247   involving digital signatures

Techniques for non repudiation of storage in cloud or shared storage environments

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for non repudiation of storage in cloud or shared storage environments

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links