Methods and systems for storage of large data objects
First Claim
Patent Images
1. A method, comprising:
- receiving, by a storage service, a binary large object;
by a processor of the storage service, creating a first set of data chunks, wherein each of the data chunks in the first set is a subset of the object, and together the data chunks in the first set equal the object;
by the processor, assigning an encryption key to each data chunk in the first set;
encrypting each of the data chunks in the first set to form a set of encrypted data chunks;
by the processor, creating a second set of ciphertext chunks, wherein the ciphertext chunks in the second set will, taken together and decrypted, form the binary large object;
by the processor, assigning a message authentication code (MAC) to each data chunk in the second set;
storing the encrypted data chunks in one or more data stores;
storing the encryption keys and the MACs as metadata in a metadata memory, wherein the metadata memory is separate from the one or more data stores, and wherein storing the encryption keys and the MACs as metadata comprises assigning a key, encrypting the metadata with the assigned key, and wrapping the assigned key;
receiving, by the storage service, an access request from a user, wherein the access request includes a user authentication credential;
verifying, by the storage service, the user authentication credential based on the access request;
accessing the metadata to retrieve the encryption keys and the MACs for the binary large object, wherein accessing the metadata comprises unwrapping the wrapped key to yield an unwrapped key, andusing the unwrapped key to decrypt the metadata;
retrieving the encrypted data chunks from the data store;
using the MACs to verify integrity of the encrypted data chunks;
using the encryption keys to decrypt the encrypted data chunks; and
returning the binary large object to the user.
2 Assignments
0 Petitions
Accused Products
Abstract
A storage service receives a binary large object (blob) for storage, and the service creates first and second sets of data chunks from the blob. The chunks in the first set together equal the blob, and the service uses one or more encryption keys to encrypt each of the data chunks in the first set. The chunks in the second set also together equal the blob. The service assigns a message authentication code (MAC) to each data chunk in the second set. The service stores the encrypted data chunks in one or more data stores, and it stores the encryption keys and the MACs as metadata in a metadata memory.
55 Citations
16 Claims
-
1. A method, comprising:
-
receiving, by a storage service, a binary large object; by a processor of the storage service, creating a first set of data chunks, wherein each of the data chunks in the first set is a subset of the object, and together the data chunks in the first set equal the object; by the processor, assigning an encryption key to each data chunk in the first set; encrypting each of the data chunks in the first set to form a set of encrypted data chunks; by the processor, creating a second set of ciphertext chunks, wherein the ciphertext chunks in the second set will, taken together and decrypted, form the binary large object; by the processor, assigning a message authentication code (MAC) to each data chunk in the second set; storing the encrypted data chunks in one or more data stores; storing the encryption keys and the MACs as metadata in a metadata memory, wherein the metadata memory is separate from the one or more data stores, and wherein storing the encryption keys and the MACs as metadata comprises assigning a key, encrypting the metadata with the assigned key, and wrapping the assigned key; receiving, by the storage service, an access request from a user, wherein the access request includes a user authentication credential; verifying, by the storage service, the user authentication credential based on the access request; accessing the metadata to retrieve the encryption keys and the MACs for the binary large object, wherein accessing the metadata comprises unwrapping the wrapped key to yield an unwrapped key, and using the unwrapped key to decrypt the metadata; retrieving the encrypted data chunks from the data store; using the MACs to verify integrity of the encrypted data chunks; using the encryption keys to decrypt the encrypted data chunks; and returning the binary large object to the user. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method, comprising:
-
receiving, by a storage service, a binary large object; by a processor of the storage service, creating a first set of data chunks, wherein each of the data chunks in the first set is a subset of the object, and together the data chunks in the first set equal the object; by the processor, assigning an encryption key to each data chunk in the first set; encrypting each of the data chunks in the first set to form a set of encrypted data chunks; by the processor, creating a second set of ciphertext chunks, wherein the ciphertext chunks in the second set will, taken together and decrypted, form the binary large object; by the processor, assigning a message authentication code (MAC) to each ciphertext chunk in the second set; storing the encrypted data chunks in one or more data stores; determining a data store location, wherein the data store location corresponds to a storage location of one or more of the data chunks in the first set; storing the encryption keys, the data store location and the MACs as metadata in a metadata memory, wherein the metadata memory is separate from the one or more data stores, and wherein storing the metadata comprises assigning a metadata encryption key and using the metadata encryption key to encrypt the metadata; receiving, by the storage service, an access request from a user, wherein the access request includes a user authentication credential; verifying, by the storage service, the user authentication credential based on the access request; accessing the metadata to retrieve the encryption keys and the MACs for the binary large object, wherein accessing the metadata comprises unwrapping the wrapped key to yield an unwrapped key, and using the unwrapped key to decrypt the metadata; retrieving the encrypted data chunks from the data store; using the MACs to verify integrity of the encrypted data chunks; using the encryption keys to decrypt the encrypted data chunks; and returning the binary large object to the user. - View Dependent Claims (10, 11, 12)
-
-
13. A system, comprising:
-
a storage service comprising one or more processors, a non-transitory memory containing program instructions, one or more data stores, and a metadata memory that is separate from the one or more data stores, wherein the program instructions, when executed, instruct one or more of the processors to; receive a binary large object; create a first set of data chunks, wherein each of the data, chunks in the first set is a subset of the object, and together the data chunks in the first set equal the object; assign an encryption key to each data chunk in the first set; encrypt each of the data chunks in the first set to form a set of encrypted data chunks; create a second set of ciphertext chunks, wherein each of the ciphertext chunks in the second set is a subset of an encrypted form of the binary large object, and together the ciphertext chunks in the second set equal the binary large object; assign a message authentication code (MAC) to each ciphertext chunk in the second set; store the encrypted data chunks in one or more of the data stores; store the encryption keys and the MACs as metadata in the metadata memory wherein storing the metadata comprises assigning a metadata encryption key and using the metadata encryption key to encrypt the metadata; receive an access request from a user, wherein the access request includes a user authentication credential; verify the user authentication credential based on the access request; access the metadata to retrieve the encryption keys and the MACs for the binary large object, wherein accessing the metadata comprises unwrapping the wrapped key to yield an unwrapped key, and using the unwrapped key to decrypt the metadata retrieve the encrypted data chunks from the data store; use the MACs to verify integrity of the encrypted data chunks; use the encryption keys to decrypt the encrypted data chunks; and return the binary large object to the user. - View Dependent Claims (14, 15, 16)
-
Specification