Secure online distributed data storage services
First Claim
1. A system for the distributed storage of electronic data, the system comprising:
a communications interface and a non-transitory memory coupled with a processor;
the communications interface configured to receive input data blocks and user storage constraints from a user;
the memory having stored thereon:
one or more input data blocks comprising data fields;
the user storage constraints; and
processor executable instructions that when executed by the processor comprise:
a shuffler configured to:
anonymize the data fields of each of the one or more input data blocks;
an encryptor configured to:
generate a cipher key and encrypt, using the cipher key, the anonymized data fields based on the user storage constraints to obtain a ciphertext file comprising ciphertext data blocks;
an erasure coder configured to:
generate coded chunks from the ciphertext data blocks and erasure coding details;
a distributor configured to:
distribute the coded chunks to a first set of two or more storage providers based on the user storage constraints; and
generate distribution details for the distributed coded chunks;
a metadata generator configured to:
generate secret shares of metadata for each of the coded chunks, wherein the secret shares of metadata include decoding information for decoding each respective coded chunk including at least the cipher key;
a secret sharer configured to:
generate secret share keys for decoding the secret shares of metadata;
generate a secret sharing ratio X/Y that indicates a number of X storage providers out of Y storage providers used to reconstruct the secret shares of metadata; and
distribute fragments of the secret shares of metadata across a second set of two or more storage providers, wherein the fragments of the secret shares of metadata are distributed to the second set of two or more storage providers separately from corresponding coded chunks; and
a secret sharer distributor configured to:
distribute the secret share keys across a third set of two or more storage providers, wherein the secret share keys are distributed to the third set of two or more storage providers separately from corresponding coded chunks.
Abstract
The data vaporizer provides secure online distributed data storage services that securely store and retrieve data in a public distributed storage substrate such as a public cloud. The data vaporizer vaporizes data (i.e., fragments it into tiny chunks of configurable sizes) and distributes the fragments to multiple storage nodes so that the data is not vulnerable to local disk failures; secures the data so that even if some of the storage nodes are compromised, the data is undecipherable to the attacker; stores data across multiple cloud storage providers and/or parties using keys (e.g., tokens) provided by multiple parties (including the owners of the data); and maintains data confidentiality and integrity even where one or more data storage providers are compromised. The data vaporizer is configurable for different domain requirements, including data privacy and anonymization requirements, encryption mechanisms, regulatory compliance of storage locations, and backup and recovery constraints.
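The claims' secret sharing ratio X/Y applies to the per-chunk decoding metadata (at least the cipher key), which is shared out to metadata providers separately from the coded chunks. The following is an added example, not code from the patent: it implements X-of-Y Shamir secret sharing over a prime field for a constructed 128-bit cipher key, and shows that any X of the Y providers' shares rebuild the key while X-1 shares do not. The field prime, the 3/5 default ratio and the function names are assumptions of this example.

```python
# Added example, not the patent's code: X-of-Y Shamir secret sharing of a
# chunk's decoding metadata (here a constructed 128-bit cipher key) over GF(P),
# so any X of the Y metadata-share providers can rebuild the key and X-1 cannot.
import secrets

P = 2**521 - 1  # Mersenne prime (assumed); the field must exceed the secret


def split_secret(secret, x_needed, y_total):
    """Return y_total (provider_index, share) pairs; the polynomial's constant
    term is the secret and its degree is x_needed - 1 (Shamir's scheme)."""
    assert 1 <= x_needed <= y_total and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(x_needed - 1)]
    shares = []
    for x in range(1, y_total + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            acc = (acc * x + c) % P
        shares.append((x, acc))
    return shares


def reconstruct_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With fewer than x_needed distinct shares the result is simply wrong."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def metadata_share_demo(x_needed=3, y_total=5):
    """Share a fresh 128-bit cipher key at ratio X/Y, then try to rebuild it
    from exactly X providers and from only X-1 providers."""
    cipher_key = secrets.randbits(128)  # constructed metadata value
    shares = split_secret(cipher_key, x_needed, y_total)
    # each provider holds one (index, share) pair; pick any X of them
    from_x = reconstruct_secret(shares[1:1 + x_needed])
    from_x_minus_1 = reconstruct_secret(shares[:x_needed - 1])
    return {
        "ratio": f"{x_needed}/{y_total}",
        "recovered_with_x": from_x == cipher_key,
        "recovered_with_x_minus_1": from_x_minus_1 == cipher_key,
    }
```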
21 Claims
9. A method for the distributed storage of electronic data comprising:
receiving into a non-transitory memory coupled with a processor, using a communications interface:
one or more input data blocks comprising data fields;
user storage constraints;
anonymizing the data fields of each of the one or more input data blocks;
generating a cipher key;
encrypting, using the cipher key, the anonymized data fields based on the user storage constraints to obtain a ciphertext file comprising ciphertext data blocks;
generating coded chunks from the ciphertext data blocks and erasure coding details;
distributing the coded chunks to a first set of two or more storage providers based on the user storage constraints;
generating distribution details for the distributed coded chunks;
generating, by a metadata generator, secret shares of metadata for each of the coded chunks, wherein the secret shares of metadata include decoding information for decoding each respective coded chunk including at least the cipher key;
generating, by a secret sharer, secret share keys for the secret shares of metadata;
generating, by the secret sharer, a secret sharing ratio X/Y that indicates a number of X storage providers out of Y storage providers used to reconstruct the secret shares of metadata;
distributing, by the secret sharer, fragments of the secret shares of metadata across a second set of two or more storage providers, wherein the fragments of the secret shares of metadata are distributed to the second set of two or more storage providers separately from corresponding coded chunks; and
distributing the secret share keys across the two or more storage providers, wherein the secret share keys are distributed to the third set of two or more storage providers separately from corresponding coded chunks.
16. A product comprising:
a non-transitory computer readable medium with processor executable instructions stored thereon, wherein the instructions when executed by the processor cause the processor to:
receive, using a communications interface:
one or more input data blocks comprising data fields;
user storage constraints;
anonymize the data fields of each of the one or more input data blocks;
generate a cipher key and encrypt, using the cipher key, the anonymized data fields based on the user storage constraints to obtain a ciphertext file comprising ciphertext data blocks;
generate coded chunks from the ciphertext data blocks and erasure coding details;
distribute the coded chunks to a first set of two or more storage providers based on the user storage constraints; and
generate distribution details for the distributed coded chunks;
generate secret shares of metadata for each of the coded chunks, wherein the secret shares of metadata include decoding information for decoding each respective coded chunk including at least the cipher key;
generate, by a secret sharer, secret share keys for decoding the secret shares of metadata;
generate a secret sharing ratio X/Y that indicates a number of X storage providers out of Y storage providers used to reconstruct the secret shares of metadata;
distribute fragments of the secret shares of metadata across a second set of two or more storage providers, wherein the fragments of the secret shares of metadata are distributed to the second set of two or more storage providers separately from corresponding coded chunks; and
distribute the secret share keys across the two or more storage providers, wherein the secret share keys are distributed to the third set of two or more storage providers separately from corresponding coded chunks.
Specification