-
公开(公告)号:US20210124504A1
公开(公告)日:2021-04-29
申请号:US16665334
申请日:2019-10-28
发明人: Naizhong Chiu , Ping Zhang , Xuan Tang
摘要: A technique rekeys information to maintain data security. The technique involves identifying a first storage drive as a source device available to a proactive copy service. The technique further involves identifying a set of second storage drives as a set of spare devices available to the proactive copy service. The technique further involves invoking the proactive copy service which, in response to being invoked, transfers information from the first storage drive to the set of second storage drives. The information is encrypted by a first key when residing on the first storage drive and is encrypted by a set of second keys when residing on the set of second storage drives, the first key being different from each second key.
-
公开(公告)号:US10764068B2
公开(公告)日:2020-09-01
申请号:US15883565
申请日:2018-01-30
发明人: Radia J. Perlman , Charles W. Kaufman , Xuan Tang
摘要: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
-
公开(公告)号:US10439804B2
公开(公告)日:2019-10-08
申请号:US15795482
申请日:2017-10-27
发明人: Ping Zhang , Charlie Kaufman , Gregory W. Lazar , Yi Fang , Xuan Tang
摘要: In response to determining that an encryption operation request includes no indication of a cryptographic key, an encryption service module performs an encryption operation using a current cryptographic key retrieved by the encryption service module, and creates and stores an encrypted data object that includes the resulting ciphertext and a key identifier that uniquely identifies the cryptographic key and the associated cryptographic algorithm used to perform the encryption. A subsequent decryption operation request to the encryption service module that indicates the encrypted data object is processed by retrieving the cryptographic key and identifying the associated cryptographic using the key identifier contained in the encrypted data object. The encrypted data object may also include an initialization vector used to generate the ciphertext contained in the encrypted data object, as well as an integrity check value generated across the ciphertext and initialization vector.
-
公开(公告)号:US10298551B1
公开(公告)日:2019-05-21
申请号:US15378781
申请日:2016-12-14
发明人: Radia Perlman , Xuan Tang , Charles Kaufman
摘要: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device implements a messaging policy enforcement server that receives from a first client device metadata of an encrypted message to be sent from the first client device to a second client device. The received metadata comprises a first key utilized by the first client device to encrypt the message with the first key being encrypted utilizing a second key associated with the second client device. The messaging policy enforcement server processes the received metadata to determine one or more policies applicable to the encrypted message and to generate a further encrypted version of the encrypted first key utilizing one or more additional keys corresponding to the one or more policies. The further encrypted version of the encrypted first key is sent to the second client device in modified metadata of the encrypted message.
-
5.发明申请公开(公告)号:US20190238346A1
公开(公告)日:2019-08-01
申请号:US15883565
申请日:2018-01-30
发明人: Radia J. Perlman , Charles W. Kaufman , Xuan Tang
摘要: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
-
公开(公告)号:US09684593B1
公开(公告)日:2017-06-20
申请号:US13795512
申请日:2013-03-12
发明人: Xiangping Chen , Xuan Tang , Qin Tao
IPC分类号: G06F12/0897 , G06F12/0811 , G06F11/14 , G06F12/128 , G06F12/14 , G06F12/02 , G06F12/08
CPC分类号: G06F12/0811 , G06F11/1469 , G06F12/02 , G06F12/08 , G06F12/0897 , G06F12/128 , G06F12/1441 , G06F21/602
摘要: Techniques are described for storing data. A command is issued from a client to a data storage system. The data storage system includes a plurality of storage tiers comprising a first storage tier of physical storage devices and a second storage tier of physical storage devices, wherein data stored on any physical storage device of the first storage tier is stored in an encrypted form and data stored on any physical storage device of the second storage tier is not stored in an encrypted form. The command includes a hint indicating whether data stored at a first logical address range of a first logical device is stored in an encrypted form. The command is received at the data storage system. First data written to the first logical device at the first logical address range is stored on one or more physical storage devices of any of said first storage tier and said second storage tier in accordance with the hint.
-
公开(公告)号:US11416450B1
公开(公告)日:2022-08-16
申请号:US17202531
申请日:2021-03-16
发明人: Lejin Du , Xuan Tang , Oleksandr Babiychuk , Yixuan Wang
摘要: An apparatus comprises a processing device configured to receive, at a given data management entity running on a given processing node, a request to create a given cluster of data management entities for a given client. The processing device is also configured to determine membership requirements for the given cluster, to discover additional data management entities running on additional processing nodes, and to select at least one of the additional data management entities for membership in the given cluster based at least in part on the membership requirements. The processing device is further configured to establish a replication relationship for automating sharing of metadata in the given cluster, the metadata comprising access information and location information for data stores where portions of data items of the given client are stored. The processing device is further configured to perform data management functions for the given client utilizing the metadata.
-
公开(公告)号:US11128460B2
公开(公告)日:2021-09-21
申请号:US16208790
申请日:2018-12-04
发明人: Radia J. Perlman , Charles Kaufman , Xuan Tang
摘要: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to identify a data item to be stored in the storage system, and to generate a data encryption key for the data item as a function of a first secret key and the data item. For example, the function may comprise hashing at least the data item. The client device is further configured to encrypt the data item using the data encryption key for the data item, and to send the encrypted data item to the storage system for storage therein. The client device in some embodiments is further configured to encrypt the data encryption key using a second secret key, and to send the encrypted data encryption key to the storage system for storage therein as metadata of the data item.
-
9.发明申请公开(公告)号:US20200177382A1
公开(公告)日:2020-06-04
申请号:US16208790
申请日:2018-12-04
发明人: Radia J. Perlman , Charles Kaufman , Xuan Tang
摘要: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to identify a data item to be stored in the storage system, and to generate a data encryption key for the data item as a function of a first secret key and the data item. For example, the function may comprise hashing at least the data item. The client device is further configured to encrypt the data item using the data encryption key for the data item, and to send the encrypted data item to the storage system for storage therein. The client device in some embodiments is further configured to encrypt the data encryption key using a second secret key, and to send the encrypted data encryption key to the storage system for storage therein as metadata of the data item.
-
公开(公告)号:US11595204B2
公开(公告)日:2023-02-28
申请号:US16431132
申请日:2019-06-04
发明人: Xuan Tang , Marion Meirlaen
摘要: Techniques for adaptive re-keying of encrypted data are provided. For example, a method comprises the following steps. Utilization information associated with a storage system is obtained, wherein the storage system comprises a set of storage devices. The method dynamically selects a re-keying process from a plurality of different re-keying processes based on at least a portion of the obtained utilization information. At least a portion of the set of storage devices are re-keyed in accordance with the selected re-keying process.
-
-
-
-
-
-
-
-
-
搜索结果
17 条记录 (耗时 0.019 秒)
