Patent number 8782441 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: "Data storage facilities face challenges when storing large data objects in a secured format. The facility will typically use an encryption technique to secure the data object. Encryption is the process of converting data from an unencrypted format to an encrypted format. The unencrypted format is readable and unsecured. The encrypted format, sometimes called ciphertext, is unreadable except to those who can decrypt the data using an encryption key.
"When multiple large objects are stored, duplication of those large objects can require significant amounts of storage memory. Thus, a facility may desire to avoid duplicating large objects in storage. However, de-duplication (i.e., the avoidance of duplication) can be difficult, especially when the original object is encrypted.
"This document describes methods and systems that are directed to addressing some of the problems described above, and/or other problems."
In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "In an embodiment, when receiving a binary large object (blob) for storage, a storage service may receive the blob and create a first set of one or more data chunks. Each of the data chunks in the first set is a subset of the blob, and together the data chunks in the first set equal the blob. The service may assign an encryption key to each data chunk in the first set and encrypt each of the data chunks in the first set to form a set of encrypted data chunks. The service also may create, from the first set, a second set of one or more ciphertext chunks. Each of the ciphertext chunks in the second set is a subset of the blob, and together the ciphertext data chunks in the second set equal the blob. The service may assign a message authentication code (MAC) to each ciphertext chunk in the second set. The service may store the encrypted data chunks in one or more data stores, and store the encryption keys and the MACs as metadata in a metadata memory. The metadata memory may be separate from the data stores.
"Optionally, when assigning the encryption key to at least one of the data chunks in the first set, the service may determine a content-derived key for one or more of the chunks. Alternatively, or in addition, the service may generate a randomly-generated key for at least one of the chunks. The service also may generate a metadata encryption key and use the metadata encryption key to encrypt the metadata.
"In some embodiments, the service may store, in the metadata, a data store location. The data store location corresponds to a storage location of one or more of the data chunks in the first or second set. The service also may receive first user authentication information corresponding to a first authorized user of the blob, and store a first access control list in a memory that is separate from the data store. The first access control list may include data relating to the first user authentication information. The memory in which the access control list is stored also may be separate from the metadata memory.
"In some embodiments, the service also may receive a second instance of the blob, receive second user authentication information corresponding to a second authorized user of the blob, discard the second instance of the blob without storing the second instance in the data store, and store data relating to the second user authentication information in a second access control list.
"In some embodiments, the service also may receive an access request from a user, wherein the access request includes a user authentication credential. The service may verify the user authentication credential based on the access request, access the metadata to retrieve the encryption keys and the MACs for the blob, retrieve the encrypted data chunks from the data store, use the MACs to verify integrity of the data chunks, use the encryption keys to decrypt the encrypted data chunks, and return the blob to the user. Storing the encryption keys and the MACs as metadata may include assigning a key, encrypting the metadata with the assigned key, and wrapping the assigned key. Accessing the metadata may include unwrapping the wrapped key to yield an unwrapped key, and using the unwrapped key to decrypt the metadata.
"Any or all of the actions described above may be performed by a storage service that includes one or more processors, a non-transitory memory containing program instructions, one or more data stores, and a metadata memory."
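The storage and retrieval flow quoted above, worked through as an added example. This is illustrative code written for this article, not the inventors' implementation and not text from the patent; the patent names no cipher, so an HMAC-SHA256 counter-mode keystream stands in for AES, each chunk's MAC doubles as its data-store address, blobs are identified by a hash of their plaintext, and the key-encryption key is a caller-supplied 32-byte secret. The names `StorageService`, `prf_xor`, `content_key`, `chunk_mac` and `demo` are all hypothetical.

```python
"""Added example, not the patent's code: chunked blob storage with content-derived
per-chunk keys, MACs over ciphertext chunks, encrypted metadata under a wrapped key,
and an ACL kept apart from both stores. Standard library only; HMAC keystream stands in for AES."""
import hashlib
import hmac
import json
import os

CHUNK_SIZE = 4  # tiny so the demo is readable; real systems use KiB-MiB chunks


def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR data with HMAC(key, nonce || counter). The same call decrypts."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def content_key(chunk: bytes) -> bytes:
    """Content-derived key: equal plaintext chunks get equal keys, hence equal ciphertext."""
    return hashlib.sha256(b"chunk-key|" + chunk).digest()


def chunk_mac(key: bytes, ciphertext: bytes) -> str:
    """MAC over a ciphertext chunk, keyed by a value derived from that chunk's key."""
    mac_key = hashlib.sha256(b"chunk-mac|" + key).digest()
    return hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest()


class StorageService:
    def __init__(self, kek: bytes):
        self.kek = kek            # key-encryption key that wraps metadata keys (assumed HSM-held)
        self.data_store = {}      # chunk address (its MAC, an assumption here) -> ciphertext chunk
        self.metadata_store = {}  # blob_id -> wrapped metadata key + encrypted metadata
        self.acl_store = {}       # blob_id -> set of authorized users, separate from both stores

    def store(self, blob: bytes, user: str) -> str:
        blob_id = hashlib.sha256(blob).hexdigest()  # assumption: blobs identified by plaintext hash
        if blob_id in self.metadata_store:
            self.acl_store[blob_id].add(user)       # second instance: discard blob, extend ACL only
            return blob_id
        entries = []
        for start in range(0, len(blob), CHUNK_SIZE):
            chunk = blob[start:start + CHUNK_SIZE]
            key = content_key(chunk)
            ciphertext = prf_xor(key, b"", chunk)   # deterministic on purpose: this is what enables dedup
            mac = chunk_mac(key, ciphertext)
            self.data_store[mac] = ciphertext       # equal chunk -> equal address -> stored once
            entries.append({"key": key.hex(), "mac": mac})
        meta_key, wrap_nonce = os.urandom(32), os.urandom(16)
        self.metadata_store[blob_id] = {
            "wrap_nonce": wrap_nonce,
            "wrapped_key": prf_xor(self.kek, wrap_nonce, meta_key),           # wrap under the KEK
            "meta": prf_xor(meta_key, b"", json.dumps(entries).encode()),     # keys + MACs, encrypted
        }
        self.acl_store[blob_id] = {user}
        return blob_id

    def retrieve(self, blob_id: str, user: str) -> bytes:
        if user not in self.acl_store.get(blob_id, set()):
            raise PermissionError(f"{user} is not authorized for blob {blob_id}")
        rec = self.metadata_store[blob_id]
        meta_key = prf_xor(self.kek, rec["wrap_nonce"], rec["wrapped_key"])  # unwrap
        entries = json.loads(prf_xor(meta_key, b"", rec["meta"]))
        out = bytearray()
        for e in entries:
            key, ciphertext = bytes.fromhex(e["key"]), self.data_store[e["mac"]]
            if not hmac.compare_digest(chunk_mac(key, ciphertext), e["mac"]):
                raise ValueError("chunk integrity check failed")  # verify before decrypting
            out.extend(prf_xor(key, b"", ciphertext))
        return bytes(out)


def demo() -> dict:
    """Store, dedup (whole blob and shared chunks), retrieve, and the two failure modes."""
    svc, blob = StorageService(kek=os.urandom(32)), b"aaaabbbbcccc"   # constructed inputs
    blob_id = svc.store(blob, "alice")
    dup_id = svc.store(blob, "bob")                 # same blob again: discarded, ACL extended
    chunks_after_dup = len(svc.data_store)
    svc.store(b"aaaabbbbdddd", "carol")             # shares chunks "aaaa" and "bbbb" with blob
    chunks_after_overlap = len(svc.data_store)
    roundtrip = svc.retrieve(blob_id, "bob") == blob
    try:
        svc.retrieve(blob_id, "mallory"); denied = False
    except PermissionError:
        denied = True
    key = content_key(b"aaaa")                      # flip one ciphertext bit of a shared chunk
    addr = chunk_mac(key, prf_xor(key, b"", b"aaaa"))
    svc.data_store[addr] = bytes([svc.data_store[addr][0] ^ 1]) + svc.data_store[addr][1:]
    try:
        svc.retrieve(blob_id, "alice"); tamper_caught = False
    except ValueError:
        tamper_caught = True
    return {"same_id": blob_id == dup_id, "acl": svc.acl_store[blob_id],
            "chunks_after_dup": chunks_after_dup, "chunks_after_overlap": chunks_after_overlap,
            "roundtrip": roundtrip, "denied": denied, "tamper_caught": tamper_caught}
```

Two points worth noticing when running `demo()`. Deduplication works only because the content-derived key makes equal plaintext produce equal ciphertext, and that same property is what such a scheme gives away: the data store reveals which blobs share chunks, and anyone who can guess a chunk's content can compute its key and confirm whether it is present. The random-key alternative the summary mentions closes that channel at the cost of storing duplicates. The second point is the order of operations on read: the MAC is checked over the ciphertext before any decryption, so a tampered chunk is rejected without the plaintext ever being produced. In a production system the HMAC keystream would be replaced by an AEAD mode such as AES-GCM and the key-encryption key would live in an HSM or KMS.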
URL and more information on this patent, see:
Keywords for this news article include:
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC