IPC분류정보
국가/구분 |
United States(US) Patent
등록
|
국제특허분류(IPC7판) |
|
출원번호 |
US-0014491
(2004-12-16)
|
등록번호 |
US-7401220
(2008-07-15)
|
발명자
/ 주소 |
- Bolosky,William J.
- Cermak,Gerald
- Adya,Atul
- Douceur,John R.
|
출원인 / 주소 |
|
대리인 / 주소 |
|
인용정보 |
피인용 횟수 :
56 인용 특허 :
80 |
초록
▼
A file format for a serverless distributed file system is composed of two parts: a primary data stream and a metadata stream. The data stream contains a file that is divided into multiple blocks. Each block is encrypted using a hash of the block as the encryption key. The metadata stream contains a
A file format for a serverless distributed file system is composed of two parts: a primary data stream and a metadata stream. The data stream contains a file that is divided into multiple blocks. Each block is encrypted using a hash of the block as the encryption key. The metadata stream contains a header, a structure for indexing the encrypted blocks in the primary data stream, and some user information. The indexing structure defines leaf nodes for each of the blocks. Each leaf node consists of an access value used for decryption of the associated block and a verification value used to verify the encrypted block independently of other blocks. In one implementation, the access value is formed by hashing the file block and encrypting the resultant hash value using a randomly generated key. The key is then encrypted using the user's key as the encryption key. The verification value is formed by hashing the associated encrypted block using a one-way hash function. The file format supports verification of individual file blocks without knowledge of the randomly generated key or any user keys. To verify a block of the file, the file system traverses the tree to the appropriate leaf node associated with a target block to be verified. The file system hashes the target block and if the hash matches the access value contained in the leaf node, the block is authentic.
대표청구항
▼
The invention claimed is: 1. A method comprising: segmenting a file into multiple blocks; computing hashes of each of the blocks to produce corresponding block hash values; encrypting the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks; and construc
The invention claimed is: 1. A method comprising: segmenting a file into multiple blocks; computing hashes of each of the blocks to produce corresponding block hash values; encrypting the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks; and constructing an indexing structure to index individual encrypted blocks, wherein the constructing includes: creating a leaf node for each corresponding encrypted block, the leaf node containing an access value used to decrypt the corresponding encrypted block and a verification value used to verify the corresponding encrypted block, and hashing an array of the leaf nodes to produce a single hash value for a root. 2. A method as recited in claim 1, wherein the segmenting comprises dividing the file into equal size blocks. 3. A method as recited in claim 1, wherein the encrypting comprises encrypting each block using a symmetric cryptographic cipher and the corresponding block hash value as the symmetric encryption key. 4. A method as recited in claim 1, further comprising storing the encrypted blocks as a primary data stream. 5. A method as recited in claim 4, further comprising storing header information in a separate metadata stream. 6. A method as recited in claim 1, further comprising verifying an authenticity of the encrypted blocks independently of one another. 7. A method as recited in claim 1, further comprising modifying content of a block in the file independent of other blocks. 8. A method as recited in claim 1, further comprising digitally signing at least a portion of the file. 9. A method as recited in claim 1, further comprising generating a delegation certificate that grants other entities permission to collectively authenticate the file in absence of the signature of a last writer to the file. 10. A method as recited in claim 1, wherein the file comprises a sparse file. 11. A method as recited in claim 1, wherein the constructing further comprising digitally signing at least the root. 12. A method as recited in claim 1, further comprising: storing the root together with header information and per user information; and digitally signing a composite including the root, the header information, and the per user information. 13. A method comprising segmenting a file into multiple blocks; computing hashes of each of the blocks to produce corresponding block hash values; encrypting the blocks using their corresponding block hash values as encryption keys to produce encrypted blocks; constructing an indexing structure to index individual encrypted blocks, wherein the constructing includes: creating a leaf node for each corresponding encrypted block, the leaf node containing an access value used to decrypt the corresponding encrypted block and a verification value used to verify the corresponding encrypted block, grouping leaf nodes into multiple groups; hashing each group of leaf nodes to form intermediate nodes; and hashing an array of the intermediate nodes to produce a root. 14. A method as recited in claim 13, wherein the constructing further comprises digitally signing at least the root. 15. A method as recited in claim 13, further comprising digitally signing at least a portion of the file. 16. A method as recited in claim 13, further comprising generating a delegation certificate that grants other entities permission to collectively authenticate the file in absence of the signature of a last writer to the file. 17. A method as recited in claim 13, wherein the file comprises a sparse file. 18. A method as recited in claim 1, further comprising: encrypting the block hash values with one or more access keys; and encrypting the one or more access keys using one or more keys of users who are granted access to the file. 19. A method as recited in claim 18, wherein the one or more keys of users comprise one or more public keys. 20. One or more computer storage media comprising computer-executable instructions that, when executed, perform the method as recited in claim 1. 21. A distributed file system comprising: a client component resident at a first computer to facilitate creation of a file by segmenting the file into multiple blocks and encrypting each block using its own hash value as an encryption key to produce encrypted blocks, and constructing an indexing structure to index individual encrypted blocks, wherein the constructing includes: creating a leaf node for each corresponding encrypted block, the leaf node containing an access value used to decrypt the corresponding encrypted block and a verification value used to verify the corresponding encrypted block, and hashing an array of the leaf nodes to produce a root; and a server component resident at a second computer to store the encrypted file. 22. A distributed file system as recited in claim 21, wherein the client component divides the file into equal size blocks. 23. A distributed file system as recited in claim 21, wherein the encrypted blocks are stored as a primary data stream. 24. A distributed file system as recited in claim 23, wherein the client component creates header information that is stored as a separate metadata stream. 25. A distributed file system as recited in claim 21, wherein the client component verifies an authenticity of the encrypted blocks independently of one another. 26. A distributed file system as recited in claim 21, wherein the client component modifies content of a block in the file independent of other blocks. 27. A distributed file system as recited in claim 21, wherein the client component digitally signs the file.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.