1. Field of the Invention
The present invention relates to controlling access to data storage, particularly canister-based storage systems including a plurality of storage elements.
2. Background Art
Increasing demands for data storage create the need for flexible storage solutions. One solution is to use highly flexible data storage canisters. Each canister includes a plurality of storage devices, such as disk drives, optical drives, solid-state memory, and the like. Each canister also includes at least one controller which provides interface functions such as protocol conversion, data formatting, RAID formatting, storage device control, and the like. One such canister-based storage system is disclosed in commonly assigned U.S. patent application Ser. No. 10/791,205, filed Mar. 2, 2004 and titled “Canister-Based Storage System,” which is hereby incorporated by reference in its entirety.
The storage canister in a canister-based system provides a wide variety of storage system options. Canisters may be inserted or removed, permitting storage archiving, rapid data transfer, disaster recovery, simple technology upgrading, and the like. Moreover, the same basic canister can be used in systems having vastly different complexity and operating characteristics. For example, a high-end system may have the capability of accessing multiple storage devices in multiple modules simultaneously for high data rate operation. Intermediate systems may include racks of canisters of which only one or a few are ever accessed at the same time. A low-end system may include a docking station accepting only one canister for access by an attached personal computer or work station.
The great flexibility offered by a canister-based storage system introduces security issues not typically encountered in traditional storage systems. For example, the ability to swap canisters into and out of a system requires a heightened amount of data security. Moreover, this security may have to extend to individual storage devices within a canister as well as to files or records held on one or more storage devices.
What is needed is a data security technique suited to the highly flexible nature of a canister-based storage system. Such a data security system should be readily implemented within a data storage canister and should hide security details from systems accessing the data storage canister.
The present invention implements canister security with a data storage controller performing security operations on received data generating secured data of greater size. Systems which access the canister are unaware of the additional supporting data created within the canister.
Accordingly, a data storage system is provided. The data storage system includes at least one data producer generating data for storage, a key server providing a data security key and at least one data storage canister. Each data storage canister includes a plurality of data storage devices and a controller. The controller receives data for storage within the canister having a set size, for example a size of N words. A data security key is received from the key server. The controller preforms at least one data security operation on the received data with the received data security key to generate secure data having a size of N+K words. The controller then stores the N+K words on at least one of the data storage devices. Throughout this process, the data producer is unaware that the N words of data are stored as N+K words within the canister.
In an embodiment of the present invention, the controller receives a data access request from a requesting data consumer to access N words of data. The controller retrieves N+K words of secure data corresponding to the data access request. The N+K words of secure data are converted into N words of data using the data security key. The N words of data are then transmitted to the requesting data consumer. Throughout this process, the requesting data consumer is unaware that the N words of data are stored as N+K words within the canister. The requesting data consumer may be the same system or a system different from the data producer.
In other embodiments of the present invention, security operations performed on received data include data encryption, authentication, and the like.
A method of operating a data storage canister is also provided. Data having a set data size is received for storage within the canister. At least one data security operation is performed on the received data to generate secure data having a secure data size different than the set data size. The secure data is stored on at least one data storage device within the canister. Any information about the secure data size is hid from the data producer.
A data storage canister is also provided. The canister includes data storage devices and a controller. The controller performs at least one security operation on data received by the canister for storage on the plurality of data storage devices. The received data, received from a producer data system, has a received data size. The security operation generates secure data having a secure data size different than the received data size. The controller hides information about the secure data size from the producer data system and hides information about the received data size from the data storage devices.
The above features, and other features and advantages of the present invention are readily apparent from the following detailed descriptions thereof when taken in connection with the accompanying drawings.
Referring to
Data storage canister 20 also includes one or more controllers, referenced as controller 24, controlling and interfacing data storage devices 22. Controller 24 interconnects with storage devices 22 through internal path 26 which may be one or more of a parallel bus, serial bus or wireless link. Controller 24 receives data from, and transmits data to, devices outside of canister 20 over link 28. Link 28 may be any one or more data communication medium and/or standard including Fibre Channel, SCSI, Ethernet, iSCSI, TCP/IP, cable, fiber, wireless connection, or the like. Controller 24 typically performs a wide variety of functions including protocol conversion, data formatting, data compaction, error correction and detection, and control of data storage devices 22.
Referring now to
Referring now to
Referring now to
Referring now to
Data storage system 60 also includes one or more key servers, referenced as key server 66, generating one or more security keys 68. Key 68 may be used in one or more cryptographic processes such as encryption, decryption, authentication, and the like. Management of key 68 may be handled locally, within canister 20, or in a location accessible to canister 20 such as a key management station implementing key server 66.
Local key management may be implemented by inserting a smart card into a smart card reader added as an additional modules within the canister 20 and accessible as a logical component of controller 24. This method incorporates a key designation variable that is stored with each data block or in a global table on each data storage device 22.
A network-based key management station may be used to avoid adding extra components to canister 20. In this embodiment, as a data write request is received by controller 24, the key designation variable is retrieved from the key management station and is stored with the data block. When a data read request is received by controller 24, the key designation variable is retrieved from data storage device 22 as the data block is read. It is then securely sent to the key management station, which returns cryptographic key 68.
Security processing 70, implemented within canister 20, implements one or more security operations such as encryption, decryption, authentication, and the like, using one or more well-known security algorithms During a data storage operation, canister 20 receives data set 72 having a fixed size, indicated by N, that may be measured in records, bytes, bits, or the like, which can be generally referred to as words. Security processing 70 operates on data set 72 to produce secure data 74. Secure data set 74 contains a greater number of words than data set 72, shown here as N+K, as a result of security processing. When data is retrieved from canister 20 a reverse process occurs. Secure data 74 is converted to data set 72 of smaller size prior to transmission over link 28. The present invention hides details of security processing from data producers 62 and data consumers 64. These details include the size of secure data 74 stored on one or more data storage devices 22.
One possible type of security processing 70 is data encryption/decryption. Data encryption secures the contents of canister 20 from unwanted viewers using any well known cryptographic mechanism. The general operation for data encryption within canister 20 can be totally transparent to data producer 62 and/or data consumer 64 since it occurs within canister 20. In one embodiment, cryptographic key 68 is obtained by and used within controller 24. As data set 72 flows into canister 20, it is encrypted by security processing 70 executing in controller 24. Once encrypted, secure data 74 is sent to particular data storage devices 22 incorporated within canister 20. As data is requested from canister 20, security processing 70 decrypts secure data 74 into data set 72 and passes data set 72 out link 28 to requesting data consumer 64.
In an embodiment of the present invention, a key designation variable is created with each logical unit of storage, such as block, sector, and the like, and is stored with the data. The key designation variable may be stored either with the actual data block or in a global table on one or more storage device 22.
Another type of security processing is data authentication. Data authentication includes a variety of algorithms In one type, for example, authentication verifies that a particular piece of data was written at a certain time and has not been modified. In essence, this implements a logical Write Once Read Many (WORM).
Preferably, the general operation for data authentication within canister 20 is essentially transparent to the user since it occurs within canister 20. For example, cryptographic key 68 is obtained by and used within controller 24. As data set 72 flows into canister 20 via link 28, a digital signature, such as a cryptographic hash of the data, is created by controller 24. With each logical unit of storage, such as data block, sector, or the like, a digital signature is created and stored with the data as secure data 74. The digital signature may be stored either with the actual data block or in a global table on one or more storage devices 22. This signature may be used to check the data before producing data set 72 to requesting data consumer 64.
Key designation variables and, if necessary, other cryptographic reference information, can stored directly with the data block. Security processing 70 intercepts read/write and block size request/modification commands. For example, a data write request is received by controller 24 specifying a block size such as, for example, 32 Kbytes. Security processing intercepts the request and resets the block size request to be 32 Kbytes plus some additional space for the key designation variable. The additional size can be of almost any length as necessary, and is preferably a predefined constant value such as, for example, 108 bytes. The modified data write request having the data with the new block size is then passed along to a receiving data write process, such as implemented in storage controller 42.
The process requesting data storage in data producer 62 thinks that it has successfully requesting 32 Kbytes. The one or more data storage devices 22 believe that 32 Kbytes+108 bytes have been requested. Both sides of this process are fooled while security processing 70 handles the size conversion. The equal but opposite process is conducted for data read requests received from data consumer 64.
Referring now to
With particular reference to
A check is made to determine if data is received, as in block 82. If data is received from data producer 62, the data is encrypted with key 68 to create secure data 74, as in block 84. The data and additional information are stored onto one or more storage devices 24 in canister 20, as in block 86. This additional information may be the key, a key designation variable, or the like. Data producer 62 is unaware of the amount of space required to store secure data 74.
A check is made to determine if a request for data is received, as in block 88. If so, secure data 74 including encrypted data are retrieved, as in block 90. This data may include the key designation variable and/or the key. The data is decrypted using key 68, as in block 92. The data is then sent to requesting data consumer 64, as in block 94. Requesting data consumer 64 is unaware of the amount of space required to store secure data 74.
Referring now to
A check is made to determine if data was received, as in block 102. If so, a digital signature for data set 72 is created with key 68, as in block 104. Secure data 74 including the digital signature, data and key 68 are stored in at least one data storage device 22, as in block 106. Data producer 62 sending data set 72 need be unaware of the amount of storage actually required to hold secure data 74.
A check is made to determine if a request for data is received, as in block 108. If so, secure data 74 corresponding to the request and including key 68 and the digital signature are retrieved, as in block 110. A check is made to determine if the data is authentic, as in block 112. This check may include generating a second digital signature using the retrieved data and key 68 and comparing the second digital signature with the retrieved digital signature. If the data is authenticated, data set 72 is sent to requesting data consumer 64, as in block 114. Requesting data consumer 64 need be unaware of the amount of storage actually required to hold secure data 74.
While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention.
Number | Date | Country | |
---|---|---|---|
Parent | 10934186 | Sep 2004 | US |
Child | 13196781 | US |