WO2020076404A2 - Initial vector value storage and derivation for encryption of segmented data - Google Patents
- Publication number: WO2020076404A2 (PCT/US2019/045185)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- ivs
- base
- data
- segment
- segments
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0637—Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
- H04L9/0662—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/125—Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
Definitions
- AES advanced encryption standard
- FIG. 5 illustrates a flow diagram of a method 600 for generating a secret and random base IV and storing the secret and random base IV with the associated data to derive segment IVs for securely encrypting the data.
- the method 600 may be performed by one or more host computing devices that may include hardware such as one or more computer processing devices, software (e.g., instructions running/executing on a computer processing device), firmware (e.g., microcode), or a combination thereof, such as the host computing device 110 discussed above with respect to FIG. 6.
- the method 600 may begin with the host computing device 110 generating a base
- the method 600 may then continue with the host computing device 110 storing the base IV along with data to be encrypted based at least in part thereon (Step 604).
- the method 600 may then continue with the host computing device 110 generating a plurality of segment initialization vectors (IVs) based at least in part on the base IV (Step 606).
- the method 600 may then conclude with the host computing device 110 utilizing the base IV and the plurality of segment IVs to encrypt each respective segment of the data according to at least one cipher mode of operation (Step 608).
- the present method 600 may provide techniques to encrypt data that may be segmented based on, for example, the type of application, such as a page in memory, an extent in a file system layout or a sector on a hard disk, or an object blob in an object storage framework (e.g., cloud computing network).
- FIG. 6 is a system block diagram showing a data security management system
- Each host computing device 110 and each storage system 116 is equipped with one or more encryption/decryption modules 112, which could be implemented in software executing on a processor, firmware, hardware or combinations thereof, as combined encryption and decryption, or separate encryption and decryption, etc.
- Each host computing device 110 and each storage system 116 stores the shared first key 108.
- Each storage system 116 has a deduplication module 114 and/or a compression module 116, plus storage memory 118, and memory in which the storage local second key 120 is stored.
- Deduplication module 114 and compression module 116 may be combined within module 115 in some embodiments, as the illustration is meant to be an example and not limiting.
- Key 120 is local to the storage system 116, for encryption and decryption of data stored in the storage memory 118, and is not available to any of the hosts 110 in this embodiment. All components of the system could be implemented in hardware, firmware, software executing on one or more processors, or various combinations thereof, which may be virtualized and implemented using physical computing and memory resources, in some embodiments.
- the data security management system 102 which could be implemented in software executing on a processor, firmware, hardware or combinations thereof, has a policy manager 104 and a key manager 106, along with memory in which the shared first key 108 is stored. There are multiple versions of how the shared first key 108 is sourced and distributed. In a single host system, the host computing device 110 could generate or otherwise source the shared first key 108, and send the shared first key 108 to the data security management system 102, which distributes the shared first key 108 to one or more storage systems 116 in some embodiments.
- one host computing device 110 could generate or otherwise source the shared first key 108, and send the shared first key 108 to the data security management system 102.
- the data security management system 102 then sends the shared first key 108 to the other hosts 110 and to one or more storage systems 116.
- the data security management system 102 could generate or otherwise source the shared first key 108, and send the shared first key 108 to one or more hosts 110 and one or more storage systems 116. Further variations of sourcing and distribution for the shared first key 108 are readily devised in keeping with the teachings described herein.
- the storage system 116 could be implemented using various storage technologies, and could include various types of storage memory 118 such as hard disks, flash memory or other solid-state storage, optical storage, tape, etc., and could include redundancy, error correction or other reliability enhancing technology, such as one or more levels of RAID (redundant array of independent disks or other storage devices).
- the storage system 116 includes one or more encrypted logical units (LUNs) implemented as virtualized storage memory using physical storage and computing components.
- the storage system 116 has one or more encryption/decryption modules 112, or equivalently, one or more encryption modules and one or more decryption modules, a deduplication module 114, a compression module 116, storage memory 118, and memory for storing a shared first key 108 and a storage local second key 120.
- the storage memory 118 could include one or more storage devices of various types as discussed above, in various configurations, and is not limited to a single device type or homogeneity.
- the data security management system 102 coordinates distribution of a shared first key 108.
- the key manager 106 cooperates with the policy manager 104, to distribute the shared first key 108 in accordance with one or more policies 122 of the policy manager 104.
- the host computing device 110 encrypts data by way of the encryption/decryption module 112 of the host computing device 110.
- the host computing device 110 sends first key encrypted data 114 to the storage system 116, for example via a network.
- Upon receipt of the first key encrypted data 114, the storage system 116 uses an encryption/decryption module 112 and the shared first key 108, which is received by the storage system 116 from the data security management system 102, or generated or otherwise sourced by the storage system 116 in some embodiments, to decrypt the first key encrypted data 114. Next, the storage system 116 deduplicates the decrypted data using the deduplication module 114, or compresses the data using the compression module 116, or both deduplicates and compresses the decrypted data, in various embodiments.
- the storage system 116 uses either the same or another encryption/decryption module 112, and the storage local second key 120, to encrypt the deduplicated and/or compressed data, and stores the second key encrypted, deduplicated and/or compressed data in the storage memory 118.
- the above describes the host computing device 110 writing data to the storage system 116, for example using a write request.
- the reverse path is followed.
- the host computing device 110 could send a read request to the storage system 116.
- the storage system 116 reads the second key encrypted data from the storage memory 118, and applies the storage local second key 120 and the encryption/decryption module 116 to decrypt the data.
- the storage system 116 uses the compression module 116 and/or the deduplication module 114 to decompress and/or reconstitute the data.
- the storage system 116 uses the shared first key 108 and the same or another encryption/decryption module 112 to encrypt the data, and sends the first key encrypted data 114 to the host computing device 110.
- the host computing device 110 uses the shared first key 108 and the encryption/decryption module 112 of the host computing device 110, to decrypt the first key encrypted data 114, and now has the desired read data in unencrypted or plaintext form.
- Other hosts 110 can use their own copy of the shared first key 108, as managed by the data security management system 102, to encrypt data and send data to the storage system 116, or receive first key encrypted data 114 from the storage system 116 and decrypt the data.
- FIG. 7 is an illustration showing an exemplary computing device which may implement the embodiments described herein.
- the computing device of FIG. 7 may be used to perform embodiments of the functionality for managing keys and policies in accordance with some embodiments.
- the computing device includes a central processing unit (CPU) 701, which is coupled through a bus 705 to a memory 703, and mass storage device 707.
- Mass storage device 707 represents a persistent data storage device such as a floppy disc drive or a fixed disc drive, which may be local or remote in some embodiments.
- Memory 703 may include read only memory, random access memory, etc. Applications resident on the computing device may be stored on or accessed via a computer readable medium such as memory 703 or mass storage device 707 in some embodiments. Applications may also be in the form of modulated electronic signals accessed via a network modem or other network interface of the computing device. It should be appreciated that CPU 701 may be embodied in a general-purpose processor, a special purpose processor, or a specially programmed logic device in some embodiments.
- a display 711 may be in communication with CPU 701, memory 703, and mass storage device 707, through bus 705.
- Display 711 is configured to display any visualization tools or reports associated with the system described herein.
- Input/output device 709 is coupled to bus 705 in order to communicate information in command selections to CPU 701. It should be appreciated that data to and from external devices may be communicated through the input/output device 709.
- CPU 701 can be defined to execute the functionality described herein to enable the functionality described with reference to FIGS. 1-6.
- the code embodying this functionality may be stored within memory 703 or mass storage device 707 for execution by a processor such as CPU 701 in some embodiments.
- the operating system on the computing device may be MS DOS™, MS-WINDOWS™, OS/2™, UNIX™, LINUX™, or other known operating systems. It should be appreciated that the embodiments described herein may be integrated with virtualized computing systems as well. In addition, the embodiments may be integrated or implemented as part of a cloud computing environment where remote computer resources and/or services are provisioned over a network.
- the embodiments might employ various computer-implemented operations involving data stored in computer systems. These operations are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. Further, the manipulations performed are often referred to in terms, such as producing, identifying, determining, or comparing. Any of the operations described herein that form part of the embodiments are useful machine operations.
- the embodiments also relate to a device or an apparatus for performing these operations.
- the apparatus can be specially constructed for the required purpose, or the apparatus can be a general-purpose computer selectively activated or configured by a computer program stored in the computer.
- various general-purpose machines can be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.
- the embodiments can also be embodied as computer readable code on a computer readable medium.
- the computer readable medium is any data storage device that can store data, which can be thereafter read by a computer system. Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices.
- the computer readable medium can also be distributed over a network coupled computer system so that the computer readable code is stored and executed in a distributed fashion.
- Embodiments described herein may be practiced with various computer system configurations including hand-held devices, tablets, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers and the like.
- the embodiments can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a wire-based or wireless network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A method for providing an improved advanced encryption standard (AES) encryption system is presented. The method includes generating a base initialization vector (IV), in which the base IV includes a random value. The method further includes storing the base IV along with data to be encrypted based at least in part thereon, and generating a plurality of segment initialization vectors (IVs) based at least in part on the base IV. Each of the plurality of segment IVs corresponds to a respective segment of the data. The method further includes utilizing the base IV and the plurality of segment IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
Description
INITIAL VECTOR VALUE STORAGE AND DERIVATION FOR ENCRYPTION OF SEGMENTED DATA
CROSS REFERENCE
[0001] This application claims benefit of US Non-Provisional Application No. 16/056,106 filed August 6, 2018 and the entire content is hereby incorporated by reference.
BACKGROUND
[0002] Practical day-to-day use cases for data storage and retrieval for businesses involve software applications reading, modifying and writing data of arbitrary lengths to memory or persistent storage, or transmitting the data over a network to another application that may process or store the data. Securing data by encrypting it with a secret key is a typical requirement in many use cases. The advanced encryption standard (AES) encryption technique is defined in the standard as operating on 16-byte blocks. Such techniques may be suitable for transient data, such as transmitting packets across a network. However, for certain other applications of data storage and retrieval, such techniques may prove impractical, since modifying one 16-byte AES block of data may result in re-encrypting and re-writing all data from that point onwards. It may be useful to provide improved AES encryption techniques.
SUMMARY
[0003] A method for providing an improved advanced encryption standard (AES) encryption system is presented. The method includes generating a base initialization vector (IV), in which the base IV includes a random value. The method further includes storing the base IV along with data to be encrypted based at least in part thereon, and generating a plurality of segment initialization vectors (IVs) based at least in part on the base IV. Each of the plurality of segment IVs corresponds to a respective segment of the data. The method further includes utilizing the base IV and the plurality of segment IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
[0004] Other aspects and advantages of the embodiments will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] The described embodiments and the advantages thereof may best be understood by reference to the following description taken in conjunction with the accompanying drawings. These drawings in no way limit any changes in form and detail that may be made to the described embodiments by one skilled in the art without departing from the spirit and scope of the described embodiments.
[0006] FIG. 1 depicts internal processes of the storage system, in accordance with the present embodiments;
[0007] FIG. 2 is a system block diagram, in accordance with the present embodiments;
[0008] FIG. 3 is a system diagram, in accordance with the present embodiments;
[0009] FIG. 4 is a system diagram, in accordance with the present embodiments;
[0010] FIG. 5 is a flow diagram of a method for encrypting data and metadata, in accordance with some embodiments;
[0011] FIG. 6 is a system block diagram showing a data security management system, in accordance with the present embodiments; and
[0012] FIG. 7 is an illustration showing an exemplary computing device which may implement the embodiments described herein.
DETAILED DESCRIPTION
[0013] FIG. 1 illustrates an improved AES system 200 useful in encrypting data that may be segmented based on, for example, the type of application, such as a page in memory, an extent in a file system layout or a sector on a hard disk, or an object blob in an object storage framework (e.g., cloud computing network). Specifically, the CBC encryption portion 202 may be provided in conjunction with the tweak encryption portion 204 to generate a fully random base IV, store the base IV with the associated data object, and derive an IV per segment of the object.
As depicted, the AES system 200 may include a CBC encryption portion 202 and a tweak encryption portion 204. In certain embodiments, the operation of the CBC encryption portion 202 may include providing, for example, an N-bit Initialization Vector (IV) segment 206 to be combined via a summer 208 (e.g., Exclusive-OR [XOR] logical operation) with an N-bit plaintext block 210 (e.g., "Plain Text Data P1"). The combined value may then be encrypted utilizing an AES block cipher 214 with key 212 (e.g., "Key1").
[0014] In one embodiment, an N-bit feed ciphertext block 216 (e.g., "Cipher Text Data C1") may be provided to continue the CBC mode operation until, for example, all plaintext blocks are processed. For example, the operation of the CBC encryption portion 202 may continue with the N-bit feed ciphertext block 216 (e.g., "Cipher Text Data C1") being combined via a summer 218 (e.g., Exclusive-OR [XOR] logical operation) with an N-bit plaintext block 220 (e.g., "Plain Text Data P2"). The combined value may then be encrypted utilizing an AES block cipher 222 with key 212 (e.g., "Key1") to generate an N-bit feed ciphertext block 224 (e.g., "Cipher Text Data C2"), and so on.
[0015] In certain embodiments, as further illustrated, the tweak encryption portion 204 may include a compute and storage mechanism that may be utilized to generate a random base IV 226 and to store the base IV 226, for example, with the data object to be encrypted. Additionally, it should be appreciated that the subsequent segment IV 206 may be generated for each data segment based on, for example, the AES algorithm and a variable Galois Field multiplication. For example, in certain embodiments, the operation of the CBC encryption portion 202 may include providing, for example, a base IV 226 to be combined via a summer 228 (e.g., Exclusive-OR [XOR] logical operation) with a segment index 230 and a constant segment index 236. The combined value may then be encrypted utilizing an AES block cipher 232 with key 234 (e.g., "Key2"). The output of the AES block cipher 232 may be passed to a variable Galois Field multiplication block 238, and utilized to generate, for example, the subsequent IV segment 206.
[0016] For example, in some embodiments, a derived IV segment in the XTS-AES standard may be defined as:
T = AES(K2, i) ⊗ α^j [1]
[0017] In the above equation [1], K2 includes the tweak encryption key, i includes the sector index of the plaintext on the device, α includes a primitive element of the Galois Field GF(2^128), j includes the AES block index in the sector, used as the power of α, ⊗ includes Galois Field multiplication, and T includes the resulting segment IV (e.g., “tweak”). Similarly, the AES block cipher 232 may be defined as:
C = AES(K1, P ⊕ T) ⊕ T [2]
[0018] It should be appreciated that the AES encryption algorithm may be utilized in various cipher modes of operation such as, for example, a cipher block chaining (CBC) mode, an output feedback (OFB) mode, a ciphertext feedback (CFB) mode, a counter (CTR) mode, a Galois counter mode (GCM), a cipher counter mode (CMM), an XEX-encryption with tweak and ciphertext stealing (XTS), an XTS advanced encryption standard (XTS-AES) mode, or other cipher mode of operation. In the above equation [2], K1 includes the data encryption key, P includes the plaintext, T includes the segment IV (e.g., “tweak”), ⊕ includes the binary XOR operator, and C includes the resulting ciphertext. Lastly, the per-segment IV derivation may be computed as:
IV_segment = AES(K2, i ⊕ IV_base) ⊗ α^j [3]
[0019] In the above equation [3], K2 includes the tweak encryption key, i includes the segment offset of the plaintext data object, IV_base includes the stored, randomly generated base IV that is associated with the data object, α includes a primitive element of the Galois Field GF(2^128), and j includes the power of α, computed from the segment offset by the function j = i modulo N. Similarly, N includes an arbitrary constant number, ⊗ includes the Galois Field multiplication, and IV_segment includes the resulting segment IV (e.g., “tweak”).
[0020] FIGS. 2, 3, and 4 each illustrate an example application of the present techniques. For example, FIG. 2 depicts a data object including one or more files 308 and 310 in a file system 306. The file system 306 may include, for example, a partition or volume 304 provisioned on a hard disk (HD) or solid state drive (SSD) 302. The random 16-byte base IV 312 associated with each of the one or more files 308 and 310 may be stored as an extended attribute on the file system, for example. FIG. 3 depicts the data object including one or more partitions 404 and 406 on a hard disk 402, in which the base IV 418 may be stored as a Globally Unique Identifier (GUID) of the one or more partitions 404 and 406 in the GUID Partition Table (GPT) of the hard disk 402. Similarly, FIG. 4 depicts the data object including one or more objects 512 and 514 stored in a data object store 510. For example, the data object store 510 may include a cloud based object storage service, in which, for example, clients 506 and 508 may be able to retrieve and modify or create data objects using Representational State Transfer (REST), Application Programming Interfaces (APIs), Hyper Text Transfer Protocol (HTTP), or similar development tool 504. The base IV 516 may be generated and stored with the one or more objects 512 and 514 utilizing, for example, HTTP, REST, APIs, or other similar development tool.
[0021] FIG. 5 illustrates a flow diagram of a method 600 for generating a secret and random base IV and storing the secret and random base IV with the associated data to derive segment IVs for securely encrypting the data. In certain embodiments, the method 600 may be performed by one or more host computing devices that may include hardware such as one or more computer processing devices, software (e.g., instructions running/executing on a computer processing device), firmware (e.g., microcode), or a combination thereof, such as the host computing device 110 discussed above with respect to FIG. 6. The method 600 may begin with the host computing device 110 generating a base initialization vector (IV) (Step 602).
[0022] The method 600 may then continue with the host computing device 110 storing the base IV along with the data to be encrypted based at least in part thereon (Step 604). The method 600 may then continue with the host computing device 110 generating a plurality of segment initialization vectors (IVs) based at least in part on the base IV (Step 606). The method 600 may then conclude with the host computing device 110 utilizing the base IV and the plurality of segment IVs to encrypt each respective segment of the data according to at least one cipher mode of operation (Step 608). Thus, the present method 600 may provide techniques to encrypt data that may be segmented based on, for example, the type of application, such as a page in memory, an extent in a file system layout or a sector on a hard disk, or an object blob in an object storage framework (e.g., cloud computing network).
[0023] FIG. 6 is a system block diagram showing a data security management system 102 managing a shared first key 108 for a host computing device 110 that encrypts data with the first key, and a storage system 116 that decrypts the data with the first key, deduplicates and compresses the decrypted data, re-encrypts the data with a storage local second key 120 and stores the second-key-encrypted, deduplicated, compressed data in storage memory 118. Each host computing device 110 and each storage system 116 is equipped with one or more encryption/decryption modules 112, which could be implemented in software executing on a processor, firmware, hardware or combinations thereof, as combined encryption and decryption, or separate encryption and decryption, etc. Each host computing device 110 and each storage system 116 stores the shared first key 108. Each storage system 116 has a deduplication module 114 and/or a compression module 116, plus storage memory 118, and memory in which the storage local second key 120 is stored.
[0024] Deduplication module 114 and compression module 116 may be combined within module 115 in some embodiments, as the illustration is meant to be an example and not limiting. Key 120 is local to the storage system 116, for encryption and decryption of data stored in the storage memory 118, and is not available to any of the hosts 110 in this embodiment. All components of the system could be implemented in hardware, firmware, software executing on one or more processors, or various combinations thereof, which may be virtualized and implemented using physical computing and memory resources, in some embodiments.
[0025] The data security management system 102, which could be implemented in software executing on a processor, firmware, hardware or combinations thereof, has a policy manager 104 and a key manager 106, along with memory in which the shared first key 108 is stored. There are multiple versions of how the shared first key 108 is sourced and distributed. In a single host system, the host computing device 110 could generate or otherwise source the shared first key 108, and send the shared first key 108 to the data security management system 102, which distributes the shared first key 108 to one or more storage systems 116 in some embodiments.
[0026] In a multiple host computing device 110 system, one host computing device 110 could generate or otherwise source the shared first key 108, and send the shared first key 108 to the data security management system 102. The data security management system 102 then sends the shared first key 108 to the other hosts 110 and to one or more storage systems 116. In some embodiments, the data security management system 102 could generate or otherwise source the shared first key 108, and send the shared first key 108 to one or more hosts 110 and one or more storage systems 116. Further variations of sourcing and distribution for the shared first key 108 are readily devised in keeping with the teachings described herein.
[0027] The storage system 116 could be implemented using various storage technologies, and could include various types of storage memory 118 such as hard disks, flash memory or other solid-state storage, optical storage, tape, etc., and could include redundancy, error correction or other reliability enhancing technology, such as one or more levels of RAID (redundant array of independent disks or other storage devices). In one embodiment, the storage system 116 includes one or more encrypted logical units (LUNs) implemented as virtualized storage memory using physical storage and computing components. The storage system 116 has one or more encryption/decryption modules 112, or equivalently, one or more encryption modules and one or more decryption modules, a deduplication module 114, a compression module 116, storage memory 118, and memory for storing a shared first key 108 and a storage local second key 120. The storage memory 118 could include one or more storage devices of various types as discussed above, in various configurations, and is not limited to a single device type or homogeneity.
[0028] In operation, the data security management system 102 coordinates distribution of a shared first key 108. In one embodiment, the key manager 106 cooperates with the policy manager 104 to distribute the shared first key 108 in accordance with one or more policies 122 of the policy manager 104. Using the shared first key 108 that is generated or otherwise sourced by the host computing device 110, or received by the host computing device 110 from the data security management system 102 in some embodiments, the host computing device 110 encrypts data by way of the encryption/decryption module 112 of the host computing device 110. Following such encryption, the host computing device 110 sends first key encrypted data 114 to the storage system 116, for example via a network.
[0029] Upon receipt of the first key encrypted data 114, the storage system 116 uses an encryption/decryption module 112 and the shared first key 108 that is received by the storage system 116 from the data security management system 102, or generated or otherwise sourced by the storage system 116 in some embodiments, to decrypt the first key encrypted data 114. Next, the storage system 116 deduplicates the decrypted data, using the deduplication module 114, or compresses the data using the compression module 116, or both deduplicates and compresses the decrypted data, in various embodiments. After that, the storage system 116 uses either the same or another encryption/decryption module 112, and the storage local second key 120, to encrypt the deduplicated and/or compressed data, and stores the second key encrypted, deduplicated and or compressed data in the storage memory 118. The above describes the host computing device 110 writing data to the storage system 116, for example using a write request.
[0030] For the host computing device 110 to read data from the storage system 116, the reverse path is followed. For example, the host computing device 110 could send a read request to the storage system 116. The storage system 116 reads the second key encrypted data from the storage memory 118, and applies the storage local second key 120 and the encryption/decryption module 116 to decrypt the data. Then, the storage system 116 uses the compression module 116 and/or the deduplication module 114 to decompress and/or reconstitute the data.
[0031] Finally the storage system 116 uses the shared first key 108 and the same or another encryption/decryption module 112 to encrypt the data, and sends the first key encrypted data 114 to the host computing device 110. The host computing device 110 uses the shared first key 108 and the encryption/decryption module 112 of the host computing device 110, to decrypt the first key encrypted data 114, and now has the desired read data in unencrypted or plaintext form. Other hosts 110 (in embodiments with more than one host computing device 110) can use their own copy of the shared first key 108, as managed by the data security management system 102, to encrypt data and send data to the storage system 116, or receive first key encrypted data 114 from the storage system 116 and decrypt the data.
[0033] It should be appreciated that the methods described herein may be performed with a digital processing system, such as a conventional, general-purpose computer system. Special purpose computers, which are designed or programmed to perform only one function, may be used in the alternative. FIG. 7 is an illustration showing an exemplary computing device which may implement the embodiments described herein. The computing device of FIG. 7 may be used to perform embodiments of the functionality for managing keys and policies in accordance with some embodiments. The computing device includes a central processing unit (CPU) 701, which is coupled through a bus 705 to a memory 703 and a mass storage device 707. Mass storage device 707 represents a persistent data storage device such as a floppy disc drive or a fixed disc drive, which may be local or remote in some embodiments. Memory 703 may include read only memory, random access memory, etc. Applications resident on the computing device may be stored on or accessed via a computer readable medium such as memory 703 or mass storage device 707 in some embodiments. Applications may also be in the form of modulated electronic signals accessed via a network modem or other network interface of the computing device. It should be appreciated that CPU 701 may be embodied in a general-purpose processor, a special purpose processor, or a specially programmed logic device in some embodiments.
[0034] A display 711 may be in communication with CPU 701, memory 703, and mass storage device 707, through bus 705. Display 711 is configured to display any visualization tools or reports associated with the system described herein. Input/output device 709 is coupled to bus 705 in order to communicate information in command selections to CPU 701. It should be appreciated that data to and from external devices may be communicated through the input/output device 709. CPU 701 can be defined to execute the functionality described herein to enable the functionality described with reference to FIGS. 1-6. The code embodying this functionality may be stored within memory 703 or mass storage device 707 for execution by a processor such as CPU 701 in some embodiments. The operating system on the computing device may be MS DOS™, MS-WINDOWS™, OS/2™, UNIX™, LINUX™, or other known operating systems. It should be appreciated that the embodiments described herein may also be integrated with virtualized computing systems. In addition, the embodiments may be integrated or implemented as part of a cloud computing environment where remote computer resources and/or services are provisioned over a network.
[0035] With the above embodiments in mind, it should be understood that the embodiments might employ various computer-implemented operations involving data stored in computer systems. These operations are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. Further, the manipulations performed are often referred to in terms, such as producing, identifying, determining, or comparing. Any of the operations described herein that form part of the embodiments are useful machine operations. The embodiments also relate to a device or an apparatus for performing these operations. The apparatus can be specially constructed for the required purpose, or the apparatus can be a general-purpose computer selectively activated or configured by a computer program stored in the computer. In particular, various general-purpose machines can be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.
[0036] The embodiments can also be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data, which can be thereafter read by a computer system. Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices. The computer readable medium can also be distributed over a network-coupled computer system so that the computer readable code is stored and executed in a distributed fashion. Embodiments described herein may be practiced with various computer system configurations including hand-held devices, tablets, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers and the like. The embodiments can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a wire-based or wireless network.
[0037] Although the method operations were described in a specific order, it should be understood that other operations may be performed in between described operations, described operations may be adjusted so that they occur at slightly different times or the described operations may be distributed in a system which allows the occurrence of the processing operations at various intervals associated with the processing.
[0038] The foregoing description, for the purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the embodiments and their practical applications, to thereby enable others skilled in the art to best utilize the embodiments and various modifications as may be suited to the particular use contemplated. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.
Claims
1. A method, comprising:
generating, via a host computing device, a base initialization vector (IV), the base IV comprising a random value;
storing, via the host computing device, the base IV along with data to be encrypted based at least in part thereon;
generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV, each of the plurality of segments of IVs corresponding to a respective segment of the data; and
utilizing, via the host computing device, the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
2. The method of claim 1, wherein generating the plurality of segment initialization vector IVs comprises generating the plurality of segment initialization vector IVs utilizing an advanced encryption standard (AES) algorithm.
3. The method of claim 2, wherein the AES algorithm is expressed as:
C = AES(K1, P ⊕ T) ⊕ T.
4. The method of claim 3, wherein generating the plurality of segment initialization vector IVs comprises generating the plurality of segment initialization vector IVs utilizing a Galois field algorithm.
5. The method of claim 4, wherein each of the plurality of segments of IVs is expressed as:
IV_segment = AES(K2, i ⊕ IV_base) ⊗ α^j.
6. The method of claim 4, wherein each of the plurality of segments of IVs is expressed as:
T = AES(K2, i) ⊗ α^j.
7. The method of claim 1, wherein utilizing the base IV and the plurality of segments of IVs to encrypt each respective segment of the data comprises utilizing the base IV and the plurality of segments of IVs to encrypt plaintext data in each of the plurality of segments of IVs.
8. The method of claim 1, wherein utilizing the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation comprises encrypting each respective segment of the data according to a cipher block chaining (CBC) mode, an output feedback (OFB) mode, a ciphertext feedback (CFB) mode, a counter (CTR) mode, a Galois counter mode (GCM), a cipher counter mode (CMM), an XEX-encryption with tweak and ciphertext stealing (XTS), an XTS advanced encryption standard (XTS-AES) mode, or a combination thereof.
9. A computing device, comprising:
a storage device of the computing device configured to store data; and
a processing device of the computing device and operatively coupled to the storage device, the processing device to:
generate a base initialization vector (IV), the base IV comprising a random value;
store to the storage device the base IV together with the data, the data to be encrypted based at least in part on the base IV;
generate a plurality of segment initialization vectors (IVs) based at least in part on the base IV, each of the plurality of segments of IVs corresponding to a respective segment of the data; and
utilize the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
10. The computing device of claim 9, wherein to generate the plurality of segment initialization vector IVs, the processing device is to generate the plurality of segment initialization vector IVs utilizing an advanced encryption standard (AES) algorithm.
11. The computing device of claim 10, wherein the processing device is to generate the AES algorithm as expressed by: C = AES(K1, P ⊕ T) ⊕ T.
12. The computing device of claim 11, wherein to generate the plurality of segment initialization vector IVs, the processing device is to generate the plurality of segment initialization vector IVs utilizing a Galois field algorithm.
13. The computing device of claim 12, wherein the processing device is to generate each of the plurality of segments of IVs as expressed by: IV_segment = AES(K2, i ⊕ IV_base) ⊗ α^j.
14. The computing device of claim 12, wherein the processing device is to generate each of the plurality of segments of IVs as expressed by: T = AES(K2, i) ⊗ α^j.
15. The computing device of claim 9, wherein to utilize the base IV and the plurality of segments of IVs to encrypt each respective segment of the data, the processing device is to utilize the base IV and the plurality of segments of IVs to encrypt plaintext data in each of the plurality of segments of IVs.
16. A non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to:
generate a base initialization vector (IV), the base IV comprising a random value;
store the base IV together with the data, the data to be encrypted based at least in part on the base IV;
generate a plurality of segment initialization vectors (IVs) based at least in part on the base IV, each of the plurality of segments of IVs corresponding to a respective segment of the data; and
utilize the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
17. The non-transitory computer-readable storage medium of claim 16, wherein to generate the plurality of segment initialization vector IVs, the processing device is to generate the plurality of segment initialization vector IVs utilizing an advanced encryption standard (AES) algorithm.
18. The non-transitory computer-readable storage medium of claim 16, wherein to generate the plurality of segment initialization vector IVs, the processing device is to generate the plurality of segment initialization vector IVs utilizing a Galois field algorithm.
19. The non-transitory computer-readable storage medium of claim 16, wherein the processing device is to generate each of the plurality of segments of IVs as expressed by:
IV_segment = AES(K2, i ⊕ IV_base) ⊗ α^j.
20. The non-transitory computer-readable storage medium of claim 16, wherein to utilize the base IV and the plurality of segments of IVs to encrypt each respective segment of the data, the processing device is to utilize the base IV and the plurality of segments of IVs to encrypt plaintext data in each of the plurality of segments of IVs.
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
US201816056106A | 2018-08-06 | 2018-08-06 |
US16/056,106 | 2018-08-06 | |

Publications (2)

Publication Number | Publication Date
---|---
WO2020076404A2 (en) | 2020-04-16
WO2020076404A3 (en) | 2020-07-02

Family ID: 67660018

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/US2019/045185 (WO2020076404A2, en) | Initial vector value storage and derivation for encryption of segmented data | 2018-08-06 | 2019-08-06

Country Status (1)

Country | Link
---|---
WO (1) | WO2020076404A2 (en)
Legal Events

Date | Code | Title | Description
---|---|---|---
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19870673; Country of ref document: EP; Kind code of ref document: A2