The patent's assignee for patent number 8635461 is
News editors obtained the following quote from the background information supplied by the inventors: "The present invention relates to encrypting information on a storage cartridge and more particularly to attaching an identifier to a key certificate when encrypting information.
"Protecting and securing data is an important concern to be addressed when designing information management systems. It is common for data to be continually archived on various storage media, such as tape cartridges or optical disks. When archiving data on tape or other removable storage medium, one security concern is that the tape could be stolen to access the data it contains. Also, if the tape can be mounted into a tape drive through remote commands transmitted over a network, then there is a concern that someone may compromise the system, mount the tape or other storage medium in a drive, and then access the data.
"Known approaches to addressing these issues have included encrypting all or most of the data on the storage media. However, these approaches also have drawbacks that include security weaknesses, implementation challenges, and unwieldy complexity. For example, conventional solutions that store the data encryption key in unencrypted form on the same tape as the data it encrypts allow anyone with physical access to the tape to retrieve the data key from the tape and use it to decrypt the data. Furthermore, use of a single key to encrypt all of the data on one or more tape cartridges allows whoever has use of the key to decrypt all of the data comprising the tape cartridge, including data that doesn't belong to the user. Alternatively, multiple data keys can be stored on the tape drive, but key management becomes complicated when using multiple tape drives, as each tape drive has to be able to store all keys that are in use by all tape cartridges in the tape storage library. In addition, using multiple keys for one or more cartridges can lead to a proliferation of keys as the number of authorized users, tape drives, and tape cartridges grows. Known encryption systems also maintain the encryption and decryption keys in a central location, and the management and transfer of large numbers of such encryption keys can create additional issues.
"One approach to addressing these issues is to encrypt the data keys and store them on the tape cartridge itself. For example, when a tape drive requests an encryption key, a random symmetric data key (DK) is generated by an external key manager (EKM). Public/private cryptographic operations are then performed by the EKM to wrap the DK using a key encryption key (KEK), which is typically the public key of an asymmetric key pair. The wrapped data key, along with key label information about what private key is required to unwrap the symmetric key, forms an envelope generally known as an encryption encapsulated data key (EEDK). The EEDK is then typically stored in one or more places on the tape cartridge along with the data it encrypts. To facilitate key management, it is common to implement an encryption policy that assigns a key label, or alias, to a tape cartridge volume serial number (VOLSER) range encrypted by the EEDK. When an encrypted tape is to be read, the tape drive sends the EEDK to the EKM that contains its decryption key. The EKM determines from the EEDK's key label which private key from its keystore to use to unwrap the EEDK and recover the DK. Once the DK is recovered, it is then wrapped with a different key and sent to the tape drive, which decrypts the DK. The tape drive then decrypts the encrypted data on the tape cartridge using the decrypted DK. Similarly, a valid key label for the tape cartridge's VOLSER is retrieved if the tape is to be appended with encrypted data. Once retrieved, the same process is followed to decrypt the EEDK to retrieve the correct DK to encrypt the appended data. However, if multiple EKMs are implemented, each EKM has to be accessed to determine whether it produced the EEDK referenced by its key label.
"One issue relating to encrypting the data keys is that different certificates can have the same alias (whether they are in the same EKM, caused by versioning, or in different EKMs), thus potentially confusing management of keys. Having the same certificates with different aliases can also confuse management of certificates. This can create confusion if keystores, certificates and items like cartridges that contain aliases are not organized."
As a supplement to the background information on this patent, VerticalNews correspondents also obtained the inventors' summary information for this patent: "A method, system and program are disclosed in which a certificate identifier (ID) is attached to a certificate. In certain embodiments, the certificate ID is stored in a cartridge memory (CM). Thus, keystore or key manager administrators can trace keystore locations, versions of keystores, etc. when a cart cannot locate a correct key. This certificate ID, as it is stored on the cartridge memory, is viewable by all (i.e., is generally accessible).
"Such a system is generally not prone to human error. Additionally, such a system also provides an organized and efficient method for tracking the correct keystores and their corresponding certificates. Also, such a system can help prevent confusion of aliases, which can save both time and resources. Additionally, such a system can be more secure as this information does not contain information about the key.
"More specifically, in one embodiment the invention relates to a method for facilitating access to encryption information. The method comprises generating an encryption certificate; associating the encryption certificate with a certificate identifier; and, saving the certificate identifier and an alias to a non-volatile memory.
"In another embodiment, the invention relates to a data storage device. The data storage device includes a read/write drive for reading data from and writing data to a storage medium housed in a data storage cartridge loaded in the data storage drive; and a controller coupled to the read/write drive. The controller facilitates access to encryption information stored on the data storage cartridge by: generating an encryption certificate; associating the encryption certificate with a certificate identifier; and, saving the certificate identifier and an alias to a non-volatile memory.
"In another embodiment, the invention relates to a storage system for enabling secure access to data in a removable storage cartridge. The storage system includes a key manager for generating a data key; a tape storage library for generating a list of a plurality of key labels provided by the key manager; a tape drive for securely receiving the data key from the key manager and for encoding data with the data key to form encoded data; and a removable storage cartridge for storing the encoded data, the encrypted data key and the certificate identifier in locations on the removable storage cartridge. The plurality of key labels have a corresponding plurality of certificate identifiers where the corresponding plurality of certificate identifiers facilitate retrieval of an appropriate data key."
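The EEDK flow and the alias-collision problem described in the background, and the certificate-ID lookup the summary proposes, modelled as an added example that is not code from the patent or from NewsRx. The public-key wrap is replaced by a labelled HMAC-keystream stand-in so the script runs with the standard library only; the keystore contents, alias and certificate bytes are constructed, and the choice of a truncated SHA-256 fingerprint as the certificate ID is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for the EKM's public-key wrap (assumption, not real key wrapping):
# nonce || (dk XOR HMAC-SHA256(kek, nonce)). It keeps the script standard-library only.
def wrap(kek: bytes, dk: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()[:len(dk)]
    return nonce + bytes(a ^ b for a, b in zip(dk, stream))

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(a ^ b for a, b in zip(body, stream))

def cert_id(cert_der: bytes) -> str:
    # Certificate ID as a truncated SHA-256 fingerprint (assumption); it is derived from
    # the certificate only, so storing it in cartridge memory reveals nothing about the key.
    return hashlib.sha256(cert_der).hexdigest()[:16]

@dataclass
class EEDK:
    wrapped_dk: bytes   # DK wrapped under the certificate's KEK
    key_label: str      # alias assigned by the encryption policy
    cert_id: str        # identifier attached to the certificate, stored in cartridge memory

class EKM:
    """External key manager with a keystore of alias -> (certificate bytes, KEK)."""
    def __init__(self, keystore: dict):
        self.by_alias = dict(keystore)
        self.by_cert_id = {cert_id(c): kek for c, kek in keystore.values()}

    def issue(self, alias: str):
        cert, kek = self.by_alias[alias]
        dk = os.urandom(32)                      # random symmetric data key
        return dk, EEDK(wrap(kek, dk), alias, cert_id(cert))

    def recover(self, eedk: EEDK):
        kek = self.by_cert_id.get(eedk.cert_id)  # direct hit or None, no alias guessing
        return None if kek is None else unwrap(kek, eedk.wrapped_dk)

# Constructed keystores: two EKMs reuse the alias "TAPE-KEY-01" for different certificates.
EKM_A = EKM({"TAPE-KEY-01": (b"cert-A-der-bytes", b"kek-A")})
EKM_B = EKM({"TAPE-KEY-01": (b"cert-B-der-bytes", b"kek-B")})

def recover_anywhere(ekms, eedk):
    """Drive-side lookup: only the EKM holding the matching certificate ID returns a DK."""
    hits = [dk for ekm in ekms if (dk := ekm.recover(eedk)) is not None]
    return hits[0] if len(hits) == 1 else None
```

With alias-only envelopes both EKMs would claim "TAPE-KEY-01"; with the certificate ID in the envelope, EKM_B declines the request outright and the drive does not have to guess which keystore issued the key.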
For additional information on this patent, see: Chang, Shannon H.; Ngo, Khanh V. Retrieval and Display of Encryption Labels from an Encryption Key Manager Certificate ID Attached to Key Certificate. U.S. Patent Number 8635461, filed
Keywords for this news article include: Information Technology, Information and
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC