News Column

Patent Application Titled "Secure Online Distributed Data Storage Services" Published Online

August 5, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- According to news reporting originating from Washington, D.C., by VerticalNews journalists, a patent application by the inventors Paul, Sanjoy (Bangalore, IN); Sengupta, Shubhashis (Bangalore, IN); Mohamedrasheed, Annervaz Karukapadath (Trichur, IN); Saxena, Amitabh (Bangalore, IN); Kaulgud, Vikrant (Pune, IN), filed on January 10, 2014, was made available online on July 24, 2014.

The assignee for this patent application is Accenture Global Services Limited.

Reporters obtained the following quote from the background information supplied by the inventors: "Many technology companies provide on-line storage solutions on the cloud. However, considerable skepticism exists regarding security, integrity and confidentiality of data in cloud-based storage. The real and perceived threats to security have been impediments to move data to the cloud. Cloud storage providers support data encryption, access control mechanisms to stored data, and various local failure protection mechanisms such as replication and redundant arrays of inexpensive disks (RAID). However, the solutions adopted in these sites are proprietary and not adaptable to client needs, and many storage sites are vulnerable to total technical failure or organized hacking attacks resulting in service unavailability and data breaches."

In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventors' summary information for this patent application: "Various embodiments of the present invention include a system and method that, among other capabilities, breaks data into fragments and distributes the fragments to multiple storage nodes in the cloud so that the data is not vulnerable to local disk failures. For purposes of discussion herein, this system and method are referred to generally as a Data Vaporizer (DV).

"In one embodiment, the DV system may be implemented on a platform that includes a communications interface and a non-transitory memory coupled with a processor, where the communications interface is configured to receive input data blocks that comprise data fields, and receive the user storage constraints from a user into the memory. The DV system may include computer executable instructions stored on the memory that when executed by the processor comprises a shuffler configured to anonymize the data fields of each of the one or more input data blocks, an encryptor configured to: generate a cipher key and encrypt, using the cipher key, the anonymized data fields based on the user storage constraints and/or encryption strength (e.g., key length) requirements to obtain a ciphertext file comprising ciphertext data blocks, an erasure coder configured to: generate coded chunks from the ciphertext data blocks and erasure coding details based on storage redundancy and fault tolerance constraints, and a distributor configured to: distribute the coded chunks to two or more cloud storage providers based on the user storage constraints; and generate distribution details for the distributed coded chunks. The encryptor may be configured to: generate an encryption key for the ciphertext file from the shuffle key, the cipher, the erasure coding details, and the distribution details, wherein the communications interface communicates the encryption key to the user. In another embodiment, the DV system may also include a secret sharer configured to: generate a set of secret shares of the encrypted combined metadata across multiple cloud storage locations and secret share keys from the encryption key; and a secret sharer distributor configured to: distribute the secret shares to the cloud storage providers, where the distributed coded chunks and secret shares stored together at each of the cloud storage providers are identified as cloud shares (storage shares), so that the cloud storage providers cannot collude together to decrypt and retrieve the data. Preferably, the user storage constraints may include: a customer type that identifies an industry of the user and a type of data from which the input data blocks are comprised; a domain compliance for the industry of the user that identifies a type of data compliance, the type of data compliance comprising Health Insurance Portability and Accountability Act (HIPAA), financial, or multi-media; a fault tolerance threshold; a security type, or a security threshold, or both; a retrievability threshold that identifies a probability of retrieving stored data blocks; a repairability threshold that identifies a probability of repairing stored data blocks; simultaneous provider attacks threshold that identifies a subset of the number of the cloud storage providers required to aggregate the cloud shares to re-generate the encryption key communicated to the user; or budget for storage and retrieval of the input data blocks; or any combination thereof. Thus, even if multiple storage providers (e.g., cloud storage) are unavailable (e.g., due to outage or corruption) and/or collusion is attempted between some number of storage providers (e.g., aggregating metadata such as security information necessary to retrieve the stored data), the system is able to retrieve and/or prevent service provider collusions regarding stored data based on a configurable threshold parameter. The system may be configured to minimize the number of service providers (e.g., cloud storage providers) required to retrieve the data to restore corrupted data, and maximize the number of service providers needed to collude (e.g., aggregate security metadata) in order to compromise the data.

"In yet another embodiment, the DV system may also include: a protector; a retriever; and a decoder. The protector is configured to: interrogate the cloud shares by executing a corrupt or modified block check to test the retrievability of the distributed coded chunks and secret shares of the cloud shares; mark the distributed coded chunks and secret shares that fail the corrupt or modified block check; and communicate the distributed coded chunks and secret shares that fail the corrupt or modified block check to the retriever. The retriever is configured to: retrieve a number of the uncorrupted cloud data shares from the cloud storage providers; re-generate the encryption key from the secret shares of the uncorrupted data shares; retrieve, using the re-generated encryption key, the uncorrupted data shares from the cloud storage providers; and communicate the retrieved uncorrupted distributed coded chunks to the decoder. The decoder is configured to: decode the retrieved uncorrupted distributed coded chunks to obtain the data fields of the input data blocks for the corrupted distributed coded chunks; re-code the data fields of the input data blocks for the corrupted distributed coded chunks; and communicate the re-coded chunks to the distributor to distribute the re-coded chunks to the cloud storage providers based on the user storage constraints; and generate distribution details for the distributed re-coded chunks. Preferably, the DV system may generate a new encryption key for the ciphertext file from the shuffle key, the cipher, the erasure coding details, and the distribution details for the distributed re-coded chunks, generate a new set of secret shares and new secret share keys from the new encryption key, and distribute the secret shares to the cloud storage providers, and communicate the new encryption key to the user.

"In preferred embodiments, the data vaporizer provides secure online distributed data storage services that securely store and retrieve data in a public distributed storage substrate such as public cloud. The data vaporizer: vaporizes (e.g., fragmented into tiny chunks of configurable sizes) data and distributes the fragments to multiple storage nodes so that the data is not vulnerable to local disk failures; secures data so that even if some of the storage nodes become compromised, the data is undecipherable to the attacker; stores data across multiple cloud storage providers and/or parties using keys (e.g., tokens) provided by multiple parties (including the owners of the data); and maintains data confidentiality and integrity even where one or more data storage providers is compromised. The data vaporizer is configurable for different domain requirements including data privacy and anonymization requirements, encryption mechanisms, regulatory compliance of storage locations, and backup and recovery constraints.

"In more preferred embodiments, the Data Vaporizer (DV) securely stores data in a fault tolerant manner across multiple cloud storage locations (e.g., one or more cloud service provider). The Data Vaporizer (DV) vaporizes the data (e.g., fragments the data into small encoded chunks and stores the chunks across multiple nodes) in the cloud in such a way that failure of a number of storage nodes (and/or corruption of data) up to a configurable threshold do not impact the data availability. The DV provides users a way to customize a security configuration for data in terms of anonymization, encryption strength (e.g., key length), and erasure coding ratio for fault-tolerance. The DV provides users a way to customize the distribution scheme for the data across storage providers (e.g., cloud storage providers). The DV creates message authentication codes (MAC) for each encoded portion of data. The MAC prevents malicious attackers from corrupting the data and the DV may preserve the integrity and authenticity of the shares using the MAC. Preferably, the DV also generates combined (e.g., composite) metadata (containing shuffle key, encryption key, erasure coding details, MAC details, and distribution details for the anonymized data). The DV secret shares encrypted composite (e.g., combined) metadata across multiple cloud storage services. The DV communicates the encryption key of the metadata to the user (e.g., customer).

"Other systems, methods, features and advantages will be, or will become, apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the embodiments, and be protected by the following claims and be defined by the following claims. Further aspects and advantages are discussed below in conjunction with the description.

BRIEF DESCRIPTION OF THE DRAWINGS

"The system and/or method may be better understood with reference to the following drawings and description. Non-limiting and non-exhaustive descriptions are described with reference to the following drawings. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating principles. In the figures, like referenced numerals may refer to like parts throughout the different figures unless otherwise specified.

"FIG. 1 is a block diagram of the data vaporizer (DV).

"FIG. 2 illustrates an exemplary vaporizer basic display generated by the data vaporizer.

"FIG. 3 illustrates an exemplary advance vaporizer configuration display generated by the data vaporizer.

"FIG. 4 illustrates an exemplary vaporizer summary display generated by the data vaporizer.

"FIG. 5 illustrates an exemplary restore basic display 500 generated by the data vaporizer.

"FIG. 6 is a flowchart that illustrates one embodiment of the logic instructions the data vaporizer system may execute to operate in an archival system.

"FIG. 7 is a block diagram that illustrates one embodiment of the logic and processing flow that the DV may use for data storage.

"FIG. 8 is another block diagram that illustrates one embodiment of the logic and processing flow that the DV may use for data storage.

"FIG. 9 is another block diagram that illustrates one embodiment of the logic and processing flow that the DV may use for data protection.

"FIG. 10 is a block diagram that illustrates one embodiment of the logic and processing flow that the DV may use to vaporize data.

"FIG. 11 is a block diagram that illustrates one embodiment of traditional erasure coding.

"FIG. 12 is a block diagram that illustrates one embodiment of the DV erasure coding for anonymization.

"FIG. 13 illustrates an exemplary DV data distribution chart that identifies a number of clouds per storage zones usable to ensure a tolerance level.

"FIG. 14 illustrates one embodiment of a general computer system that may be used to implement the DV system"

For more information, see this patent application: Paul, Sanjoy; Sengupta, Shubhashis; Mohamedrasheed, Annervaz Karukapadath; Saxena, Amitabh; Kaulgud, Vikrant. Secure Online Distributed Data Storage Services. Filed January 10, 2014 and posted July 24, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=337&p=7&f=G&l=50&d=PG01&S1=20140717.PD.&OS=PD/20140717&RS=PD/20140717

Keywords for this news article include: Information Technology, Information and Data Storage, Accenture Global Services Limited, Information and Data Encoding and Encryption.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Information Technology Newsweekly


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters