Secure file system server architecture and methods
IPC classification information
Country / Type
United States(US) Patent
Registered
International Patent Classification (IPC, 7th edition)
H04L-009/32
G06F-017/30
H04K-001/00
G06F-007/04
G06F-007/02
Application number
UP-0584971 (2006-10-23)
Registration number
US-7565532 (2009-07-29)
Inventor / Address
Pham, Duc
Nguyen, Tien Le
Zhang, Pu Paul
Lo, Mingchen
Applicant / Address
Vormetric, Inc.
Agent / Address
NewTechLaw
Citation information
Cited by: 9
Cited patents: 109
Abstract
A data server platform includes a security file system layer interposed between the platform operating system kernel and file system. The secure file system layer is structured to implement a file access control function that selectively constrains data transfer operations initiated through the operating system kernel by an application program to transfer file data through the file system with respect to a persistent data store. A file access controller, implemented independent of the operating system kernel, is coupled to the security file system layer and supports the file access control function by defining permitted file data transfers through the file system. Management of the file access controller separate from the data server platform ensures that any security breach of the platform operating system kernel cannot compromise the function of the security file system layer.
Representative claims
The invention claimed is:

1. A method of securing the transfer of persistently stored data between a computer system and a persistent data store, wherein said computer system includes a processor supporting the execution of an operating system kernel and a file system to transfer data with respect to said persistent data store, said method comprising the steps of: a) associating user session information with data transfer requests provided from said operating system kernel; b) providing said user session information and said data transfer requests to a security processor system, external to and secured independent of said computer system, to determine permitted data transfer operations; c) routing, between said operating system and said file system, the persistently stored data corresponding to said permitted data transfer operations exclusively through said independent security processor system; d) acquiring said user session information through said operating system kernel; and e) decrypting, by said independent security processor system, persistently stored data retrieved through said file system, said step of decrypting utilizing decryption keys identified only by reference by said data transfer requests.

2. The method of claim 1 wherein said step of decrypting includes retrieving a predetermined decryption key in correspondence with a predetermined data transfer request, wherein said predetermined decryption key is retrieved independent of said computer system.

3. The method of claim 2 wherein, in performance of said step of decrypting, said predetermined decryption key is held by said security processor system inaccessible from said computer system.

4. A method of securing persistently stored file data stored by a persistent storage device and accessible through a computer server system including a processor, an operating system executable by said processor including an operating system kernel providing a first file system interface and a second file system interface to said persistent storage device, said method comprising the steps of: a) coupling an independently operating encryption processor server system supporting the transparent encryption and decryption of persistent file data to said computer server system through a defined communications channel; b) associating session information obtained through said operating system kernel with a predetermined persistent file data transfer request identifying predetermined persistent file data; c) providing said predetermined persistent file data transfer request and said session information to said independently operating encryption processor server system through said defined communications channel; d) routing said predetermined persistent file data as transferred between said first and second file system interfaces through said independently operating encryption processor server system; e) maintaining inaccessible, by said independently operating encryption processor server system from said computer server system through said defined communications channel, an encryption key associated with said predetermined persistent file data transfer request; and f) determining, by said independently operating encryption processor server system, said encryption key from said predetermined persistent file data transfer request, wherein said step of determining predetermines the access authorization of said predetermined persistent file data transfer request with respect to said session information and an access policy store maintained by said independently operating encryption processor server system.

5. The method of claim 4 wherein said step of maintaining further maintains inaccessible, by said independently operating encryption processor server system from said computer server system through said defined communications channel, said access policy store.

6. The method of claim 5 wherein said step of maintaining inaccessible prevents access to said encryption key and said access policy store through said defined communications channel independent of a security breach of said computer server system.

7. A computer system providing for the secure transfer of persistently stored data with respect to a persistent data store, said computer system comprising: a) a secured computer system including a memory, a data persistence interface coupleable to a persistent data store, a network security interface, and a processor coupled to said memory, to said data persistence interface, and to said network security interface, said processor being operative to execute, within said memory, an operating system kernel, a file system coupled to said data persistence interface to transfer secured data with respect to said persistent data store, and a security interposer layer coupled between said operating system kernel and said file system, wherein execution of said security interposer layer is operative to associate user session information with data transfer requests provided from said operating system kernel and to transfer said secured data between said operating system kernel and said file system; and b) a security processor system external to and secured independent of said secured computer system, said security processor system including a policy data store providing for the storage of data operation policies and corresponding data cipher keys, wherein said security processor system is coupleable to said network security interface to interoperate with said secured computer system to determine permitted data transfer operations through said interposer layer, including decryption and transfer of said secured data retrieved through said file system, utilizing cipher keys identified only by reference by said data transfer and said user session information.

8. The computer system of claim 7 wherein decryption and transfer of said secured data includes retrieving a predetermined cipher key in correspondence with a predetermined data transfer request, wherein said predetermined cipher key is retrieved independent of said operating system kernel and said file system.

9. The method of claim 8 wherein, in decryption and transfer of said secured data, said predetermined cipher key is held inaccessible from said operating system kernel and said file system.

10. The computer system of claim 9 wherein said predetermined cipher key is held inaccessible by said security processor system through said network security interface independent of a security breach of said secured computer server system.
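The architecture the abstract and claims describe (an interposer layer between the kernel and the file system that tags each data transfer request with session information and routes the file data through an external security processor, which holds the cipher keys and the policy store and is addressed only by key reference), as an added Python model written for this page. It is not the patent's or Vormetric's implementation. The key reference name, roles, file path, sample plaintext, the JSON message format on the channel, and the HMAC-SHA256 counter-mode stand-in cipher are all constructed assumptions; the point shown is that a compromise of the server side (channel traffic plus the persistent store) yields ciphertext and key references, never key material, and that the access decision is made on the processor side against its own policy store.

```python
import hashlib
import hmac
import json
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stdlib only).
    Symmetric, so one routine encrypts and decrypts. Constructed stand-in
    for the processor's cipher, not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SecurityProcessor:
    """Models the external security processor system: holds the policy store
    and the cipher keys, and returns only transformed data or a denial."""

    def __init__(self, keys, policy):
        self._keys = keys      # key reference -> raw key; never serialised
        self._policy = policy  # key reference -> set of roles allowed to use it

    def handle(self, message: str) -> str:
        req = json.loads(message)
        key_ref = req["key_ref"]
        role = req["session"]["role"]
        # Access decision: session info from the request against the local policy store.
        if role not in self._policy.get(key_ref, set()):
            return json.dumps({"status": "denied"})
        key = self._keys[key_ref]
        out = _keystream_xor(key, bytes.fromhex(req["nonce"]), bytes.fromhex(req["data"]))
        return json.dumps({"status": "ok", "data": out.hex()})


class SecurityInterposer:
    """Models the security file system layer on the server: associates kernel
    session info with each request, routes file data through the external
    processor over the channel, and only ever handles key references."""

    def __init__(self, channel_send, data_store):
        self._send = channel_send
        self._store = data_store  # persistent store: path -> (key_ref, nonce, ciphertext)
        self.channel_log = []     # every message that crossed the defined channel

    def _exchange(self, key_ref, nonce, data, session):
        msg = json.dumps({"key_ref": key_ref, "nonce": nonce.hex(),
                          "data": data.hex(), "session": session})
        reply = self._send(msg)
        self.channel_log += [msg, reply]
        return json.loads(reply)

    def write(self, path, plaintext, key_ref, session):
        nonce = os.urandom(16)
        reply = self._exchange(key_ref, nonce, plaintext, session)
        if reply["status"] != "ok":
            return False
        self._store[path] = (key_ref, nonce, bytes.fromhex(reply["data"]))
        return True

    def read(self, path, session):
        key_ref, nonce, ciphertext = self._store[path]
        reply = self._exchange(key_ref, nonce, ciphertext, session)
        return bytes.fromhex(reply["data"]) if reply["status"] == "ok" else None


def demo():
    # Constructed sample data: one key, one policy entry, two kernel sessions.
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    processor = SecurityProcessor({"key-finance-1": key}, {"key-finance-1": {"finance"}})
    store = {}
    layer = SecurityInterposer(processor.handle, store)
    finance = {"uid": 1001, "role": "finance"}
    guest = {"uid": 2002, "role": "guest"}

    secret = b"Q3 forecast: revenue up 12%"
    wrote = layer.write("/data/forecast.txt", secret, "key-finance-1", finance)
    ciphertext_on_disk = store["/data/forecast.txt"][2]
    read_back = layer.read("/data/forecast.txt", finance)
    denied = layer.read("/data/forecast.txt", guest)
    # What a breach of the server side could observe: the channel and the store.
    return {
        "wrote": wrote,
        "ciphertext_differs": ciphertext_on_disk != secret,
        "read_back": read_back,
        "denied": denied,
        "key_crossed_channel": any(key.hex() in m for m in layer.channel_log),
        "reference_crossed_channel": any("key-finance-1" in m for m in layer.channel_log),
    }


if __name__ == "__main__":
    print(demo())
```

The channel is modelled as JSON strings so that the log can be inspected for key material; in a deployment the same property would have to hold for the real transport and for the processor's API, which should accept references and session attributes only.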
Patents cited by this patent (109)
Wobber Edward (Menlo Park CA) Abadi Martin (Palo Alto CA) Birrell Andrew (Los Altos CA) Lampson Butler (Cambridge MA), Access control subsystem and method for distributed computer system using locally cached authentication credentials.
Lloyd Brian ; McGregor Glenn, Centralized authentication, authorization and accounting server with support for multiple transport protocols and multiple client types.
Lin Cher-Wen ; Ramaswamy Kumar ; Rahman Mizanur Mohammed ; Rettberg Randall David ; Doolittle Robert Arthur, Computer data packet switching and load balancing system using a general-purpose multiprocessor architecture.
Brownlie Michael,CAX ; Hillier Stephen,CAX ; Van Oorschot Paul C.,CAX, Computer network security system and method having unilateral enforceable security policy provision.
Fischer Addison M. (60 14th Ave. South Naples FL 33942), Computer system security method and apparatus having program authorization information data structures.
Carlson Brent A. (Rochester MN) Huss Frederic L. (Rochester MN) Schmucki Nancy M. (Rochester MN) Zelenski Richard E. (Rochester MN), Connection authorizer for controlling access to system resources.
Peirce, Jr., Kenneth L.; Xu, Yingchun; Mortsolf, Timothy Glenn; Harper, Matthew, Control and coordination of encryption and compression between network entities.
Engel, Robert; Barzilai, Tsipora P.; Kandlur, Dilip Dinkar; Mehra, Ashish, Efficient classification, manipulation, and control of network transmissions by associating network flows with rule based functions.
Brundrett Peter ; Garg Praerit ; Gu Jianrong ; Kelly ; Jr. James W. ; Kaplan Keith S. ; Reichel Robert P. ; Andrew Brian ; Kimura Gary D. ; Miller Thomas J., Encrypting file system and method.
Pi-Yu Chung ; Om P. Damani ; Yennun Huang ; Chandra M. Kintala ; Yi-Min Wang, Hosting a network service on a cluster of servers using a single-address image.
Allon David (Jerusalem ILX) Bach Moshe (Haifa ILX) Moatti Yosef (Haifa ILX) Teperman Abraham (Haifa ILX), Load balancing of network by maintaining in each computer information regarding current load on the computer and load on.
Adelman Kenneth Allen ; Kashtan David Lyon ; Palter William L. ; Piper ; II Derrell D., Method and apparatus for an internet protocol (IP) network clustering system.
Timothy E. Moses CA; Glenn C. Langford CA, Method and apparatus for facilitating information security policy control on a per security engine user basis.
Schibler Ross M. (San Mateo CA) Topol A. Mitchell (Mountain View CA) Duffie P. Kingston (Palo Alto CA), Method and apparatus for generating route information for asynchronous transfer mode cell processing.
Crichton Joseph M. ; Garvin Peter F. ; Staten Jeffrey W. ; Wright Waiki L., Method and apparatus for lightweight secure communication tunneling over the internet.
Watson Colin (Issaquah WA) Herron Andrew M. (Issaquah WA), Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a cl.
Peirce Kenneth L. ; Calhoun Patrick ; Harper Matthew H. ; Schoo Daniel L. ; Vakil Sumit, Method and system for coordination and control of data streams that terminate at different termination units using virtual tunneling.
Takashima Youichi (Kanagawaken JPX) Ishii Shinji (Kanagawaken JPX) Yamanaka Kiyoshi (Kanagawaken JPX), Method and system for digital information protection.
Gorczyca Robert ; Rashid Aamir Arshad ; Rodgers Kevin Forress ; Warnsman Stuart ; Weaver Thomas Van, Method and system for dynamically reconfiguring a cluster of computer systems.
Chan, Shannon; Jensenworth, Gregory; Goertzel, Mario C.; Shah, Bharat; Swift, Michael M.; Ward, Richard B., Method and system for secure running of untrusted content.
Theimer Marvin M. (Mountain View CA) Nichols David A. (Mountain View CA) Terry Douglas B. (San Carlos CA), Method for delegating access rights through executable access control program without delegating access rights not in a.
Bass Walter E. (Sunnyvale CA) Matyas Stephen M. (Kingston NY) Oseas Jonathan (Hurley NY), Method for establishing user authenication with composite session keys among cryptographically communicating nodes.
Witte Martin (Ulm DEX) Oehlerich Joerg (Stockdorf DEX) Held Walter (Geretsried DEX), Method for load balancing in a multi-processor system where arising jobs are processed by a plurality of processors unde.
Puhl Larry C. (Sleepy Hollow IL) Finkelstein Louis D. (Wheeling IL) Dabbish Ezzat A. (Cary IL), Method for providing blind access to an encryption key.
Lin David Dah-Haur ; Shaheen Amal Ahmed ; Yellepeddy Krishna Kishore, Multiple remote data access security mechanism for multitiered internet computer networks.
Narad Charles E. ; Fall Kevin ; MacAvoy Neil ; Shankar Pradip ; Rand Leonard M. ; Hall Jerry J., Packet processing system including a policy engine having a classification unit.
Kumar Ramaswamy ; Cher-Wen Lin ; Randall David Rettberg ; Mizanur Mohammed Rahman, Software interface between switching module and operating system of a data packet switching and load balancing system.
Wright Tim ; Marconi Peter ; Conlin Richard ; Opalka Zbigniew, System architecture for and method of dual path data processing and management of packets and/or cells and the like.
Opalka Zbigniew ; Aggarwal Vijay ; Kong Thomas ; Firth Christopher ; Costantino Carl, System architecture for and method of processing packets and/or cells in a common switch.
East, Jeffrey A.; Walker, James J.; Jenness, Steven M.; Ozur, Mark C.; Kelly, Jr., James W., System for determining the rights of object access for a server process by combining them with the rights of the client process.
Choquier Philippe,FRX ; Peyroux Jean-Francios ; Griffin William J., System for on-line service in which gateway computer uses service map which includes loading condition of servers broad.
Berger David A. ; Weber Jay C. ; Madapurmath Vilas I., System, method and article of manufacture for virtual point of sale processing utilizing an extensible, flexible archite.
Chipman Richard R. ; Mankofsky Alan ; Karandikar Harshavardhan M.,DEX ; Warren Gary, System, method, and medium for retrieving, organizing, and utilizing networked data.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for the secure transaction management and electronic rights protection.
Chen James F. ; Wang Jieh-Shan, Token distribution, registration, and dynamic configuration of user entitlement for an application level security system.
Morris C. Carson (Broad Run VA) Bielsker Barry H. (Vienna VA) Cole Donald A. (Rockville MD), Two-tiered communication security employing asymmetric session keys.
Peirce, Jr., Kenneth L.; Harper, Matthew; Mortsolf, Timothy G.; Xu, Yingchun; Dynarski, Richard J., Virtual home agent service using software-replicated home agents.
Khosravi, Hormuzd M.; Edwards, David A.; Gokulrangan, Venkat R.; Rasheed, Yasser, Method and apparatus for secure scan of data storage device from remote server.