Field of the Invention
The present invention relates generally to methods for securely storing data on one or more networks. More particularly, the invention relates to a system, method and apparatus for securely storing files and data streams using a combination of storage policy rules and quantum event-based, cryptographic keys.
Description of the Related Art
Personal and organizational data security, as applied to the Internet, is a rapidly evolving domain whose capabilities and weaknesses are closely tied to both the current state of cloud computing and the volume, velocity and variety of a person's or organization's data.
Cloud computing, a form of data center computing, is best understood in terms of virtualization, that is, the ability to allocate and scale virtualized compute, store and network resources on demand. Public cloud computing vendors such as Amazon, Google, Rackspace, IBM, HP and Microsoft each use virtualization to manage tens to hundreds of thousands of servers in the service of their customers. Because resources are available and scalable on demand, each person or organization only pays for the resources used. When compared to traditional server-based computing, the lower cost and flexibility of cloud computing allows both individuals and organizations to quickly and cost-effectively implement software applications and services in private clouds, public clouds, or, using a hybrid model, in any combination of the two.
Another trend that affects the decision to move to cloud computing is the continuing and rapid increase in the amount of data generated by individuals and organizations. Such data now includes, in addition to structured application data, unstructured data in the forms of email, text messages and text documents, images, voice communications, videos, video conferences, web site data, social media data and server logs. “Big data” is a term commonly used to refer to this collection of unstructured information. Initially defined by Douglas Laney of the analyst firm Gartner, “Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization,” Laney, Douglas. “3D Data Management: Controlling Data Volume, Velocity and Variety.”
These two trends, cloud computing and big data, have led computer users to adopt a hybrid approach to cloud data storage in an effort to protect their data assets. The person's or organization's private storage contains the structured data, software, applications and a subset of frequently accessed files. The bulk of the unstructured data is stored in one or more public clouds.
There are, however, several problems associated with the use of a public cloud as a storage service. One is the fact that, once a person's or organization's data has been stored in a public cloud, the data security and management of the stored data becomes dependent on the cloud provider. Because of the liabilities associated with data breaches and data loss, the major cloud storage providers are not willing to assume responsibility for the security and loss of a customer's data. A second problem is that clouds operate in virtualized environments. Virtualized environments are more complex than traditional server and network environments and provide greater opportunities to attackers who can target any or all of the virtual compute, store and network resources used by a cloud storage provider's customers without directly accessing the hardware and firmware underlying those same virtual resources.
The best way to deal with these problems is for the person or organization to assume full control over access, encryption and storage of the data. This data-centric approach first requires that the data is protected both in transit and at rest using file level encryption. Kelly, Diana, “How Data-Centric Protection Increases Security in Cloud Computing and Virtualization,” SecurityCurve. 2011. The second major requirement is to provide a method whereby the data can be stored and retrieved using a variety of policies that control the choice of storage location. The combination of file level encryption and flexible storage policy rules guarantees that a person's or organization's encryption and storage of data is fully portable and works transparently across private, public and hybrid cloud computing environments.
To solve these problems, the present invention describes a single-party, symmetric key encryption method that is used for the storage and retrieval of data and that creates a unique symmetric key for use in encrypting file data, whether that file data is an entire file, a section of a file or part of a data stream. The present invention also describes the use of a hashing algorithm such as a SHA-2 or SHA-3 hash of the file data storage instance concatenated with a random number, the result encrypted with a symmetric key, to publicly identify the stored file data. To increase the security of these encryption methods, the present invention also describes an apparatus able to generate random binary data using the output from quantum events, said random binary data used to create random numbers and cryptographic keys. The present invention also describes a method for defining a variety of storage policy rules that can be used to control the choice of storage location or locations for each file data storage instance. These storage policy rules guarantee that a person's or organization's encryption and storage of data is fully portable and works transparently across any combination of private, public and hybrid cloud computing environments.
Although many companies provide cloud storage services, their data protection methods, especially as they relate to the encryption and policy based storage and retrieval of file data, remain subject to the above stated problems, problems remedied by the present invention.
In U.S. Pat. No. 8,620,879, Cairns generally describes a method and system for storing files on a server using a hash value as an identifier. The server determines whether a file exists on the server having the designated hash value. If the hash value exists on the server, the server grants access to the file on the server. If the hash value does not exist on the server, the server requests the file from the user and stores it. The server can control access to the server's copy of the file by requesting that the user provide a file password or a portion of the file for purposes of authentication. There is, however, no reference to a single-party or two-party, symmetric key method for accessing the file that removes any requirement on the part of the server to receive either a password or a portion of the file from the user. Furthermore, the invention set forth does not provide for single-party or two-party encryption and decryption of the data using quantum event generated, random binary data. Furthermore, the invention set forth does not provide for the enablement of storage policy rules that provide for the storage of file data in multiple storage locations or with multiple storage providers. As a result, the cited reference is deficient.
In U.S. Pat. No. 8,566,362, Mason, Robert, Rodriguez and Andrew generally describe a method and system for storing unstructured data originating in a file system on a public cloud storage service. There is, however, no reference to the ability to store unstructured data from non-filesystem sources. Furthermore, the invention set forth does not provide for single-party or two-party, symmetric key encryption of the data using quantum event generated, random binary data. Furthermore, the invention set forth does not provide for the enablement of storage policy rules that provide for the storage of file data in multiple storage locations or with multiple storage providers. As with the prior cited references, this one, too, is deficient.
In U.S. Pat. No. 8,595,512, Liu generally describes a method for the data control of cloud storage using single-party or two-party, n-bit data blocks generated from the file data and, as an alternative, combining that data with pseudorandom data to create one-time pads. This method is used in an attempt to provide perfect secrecy where the encrypted file data is concerned. Claude Shannon proved that a one-time pad has perfect secrecy only if its key is purely random, that is, given the encrypted message, it is mathematically impossible to derive any additional information about the original file data apart from its length in bits, Shannon, Claude, “Communication Theory of Secrecy Systems,” Bell System Technical Journal 28(4): 656-715, 1949.
Although high entropy data can be generated in a number of ways, including the use of a computer's clock data, CPU data and network packet arrival times, all of which are referenced in Liu, the results remain pseudorandom by definition since all of these data results are generated by deterministic means. The only perfectly random events known to science are quantum mechanical in nature. Because the method described in the invention as set forth is used to generate a one-time pad that is actually pseudorandom in nature, that is, it does not rely on quantum events as a source of input in the generation of the one-time pad, the invention as set forth does not meet the Shannon definition for perfect secrecy. Furthermore, the invention as set forth does not provide for the enablement of storage policy rules that in turn provide for the storage of file data in multiple storage locations or with multiple storage providers. As with the prior cited references, this one, too, is deficient.
In U.S. Pat. No. 8,601,265, Mane and Arasanal generally describe a method, system and apparatus for improving storage security in a cloud environment. An interface between a secure microcontroller and a storage controller associated with a client device is used to authenticate a platform associated with the storage controller and to register the storage controller with an authentication server configured to be setup in the cloud environment. The storage controller is authenticated based on a communication protocol between the client device, the authentication server and the storage controller, and by obtaining, at the client device, a signature data of the storage controller following the authentication process. The signature data is configured and stored in the secure microcontroller that is interfaced with the storage controller. The communication between the storage controller and the authentication server is authenticated using a nonce (a pseudorandom or otherwise arbitrary number used once in a cryptographic communication) used in combination with a public key mechanism to secure the communications between the authentication server and the storage controller. Although both the authentication server and storage controller use a nonce in combination with a public key mechanism to secure communication between the two server side devices, the method offers no cloud storage benefits that could not be provided by the use of a single-party, symmetric key mechanism used by the client for accessing data stored in the cloud. Furthermore, the invention set forth does not provide for the enablement of storage policy rules that in turn provide for the storage of file data in multiple storage locations or with multiple storage providers. As with the prior cited references, this one, too, is deficient.
Finally, Ozcan, A. and Demirci, U., in an article, “Ultra wide-field lens-free monitoring of cells on-chip,” Lab Chip, 2008 January; 8(1):98-106, Epub 2007 Nov. 1, generally describe the use of an optical sensor in a lens-free apparatus the purpose of which is to view and monitor cells in much the same way that a microscope can be used to view and monitor cells. Their approach is based on a technique generally referred to as LUCAS (Lensless Ultra-wide-field Cell monitoring Array platform based on Shadow imaging). In their apparatus, light from a light source passes through a transparent material such as a glass microfluidic device containing cells in a solution. The fluid container is placed on an optical sensor array such as a CCD or CMOS chip. The shadows of the cells are captured by the chip and transmitted as digital information to a computing device that interprets the data for purposes of health diagnostics and patient point-of-care. There is, however, no reference in this or any other source to the use of a similar apparatus to capture the Brownian random motion of inert particles in a suspension medium and to use that information to create quantum event-based, random binary data.
None of the current methodologies for encrypting file data prior to storing that file data in a private or public cloud use an apparatus operating in the same physical location as the file data, the purpose of which is to generate quantum event-based, binary data for purposes of encryption. Specifically, the prior art fails to demonstrate any system, method or apparatus for generating cryptographic data from a physically present, quantum event-based binary data generation apparatus, said binary data to be used in the creation of random numbers and cryptographic keys.
Furthermore, the prior art also fails to demonstrate any system, method or apparatus whereby file data can be stored in one or more private or public cloud storage provider locations using policies that provide for the storage of files and streaming data originating from multiple data sources, said files and streaming data to be stored in whole or in part in any combination of storage locations and storage providers based on policy rules that use attributes from each storage instance that include but are not limited to the data source, content type, user, user group, user organization, creation date and time, last access date and time and the frequency with which the file data is updated or accessed.
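As an added illustration of the encryption method summarized earlier (a unique symmetric key per file data storage instance and a public identifier derived from a hash of the data concatenated with a random number) together with the attribute-driven storage policy rules of the preceding paragraph, the following Python is example code written for this page, not code from the patent. The policy rules, location names and attribute set are constructed; HMAC-SHA256 stands in for the text's step of encrypting the hash under a symmetric key, and the operating system's CSPRNG stands in for the quantum event-based random source.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Callable

@dataclass
class StorageInstance:
    data: bytes
    source: str          # "filesystem", "email", "stream", ...
    content_type: str
    user: str
    group: str
    organization: str
    access_count: int    # hypothetical stand-in for access/update frequency

# Constructed policy: the first matching predicate decides where the instance is stored.
POLICY: list[tuple[Callable[[StorageInstance], bool], list[str]]] = [
    (lambda i: i.group == "finance" and i.content_type == "application/pdf", ["private-dc"]),
    (lambda i: i.access_count >= 100, ["private-dc", "public-a"]),   # hot data: keep a local copy
    (lambda i: i.source == "stream", ["public-a", "public-b"]),       # bulk streams: split across clouds
]
DEFAULT_LOCATIONS = ["public-a"]

def select_locations(inst: StorageInstance, policy=POLICY) -> list[str]:
    for predicate, locations in policy:
        if predicate(inst):
            return list(locations)
    return list(DEFAULT_LOCATIONS)

def new_instance_key() -> bytes:
    # Fresh 256-bit key per storage instance; OS CSPRNG stands in for the quantum source.
    return secrets.token_bytes(32)

def public_identifier(inst: StorageInstance, id_key: bytes, nonce: bytes) -> str:
    # SHA-256 over (data || random number), then keyed under a symmetric key (HMAC stands in
    # for "encrypt"). The random number keeps equal files from yielding equal identifiers.
    digest = hashlib.sha256(inst.data + nonce).digest()
    return hmac.new(id_key, digest, hashlib.sha256).hexdigest()

def place(inst: StorageInstance, locations: list[str], chunk_size: int = 4) -> dict:
    """Spread fixed-size chunks round-robin over the chosen locations ("in whole or in part")."""
    chunks = [inst.data[i:i + chunk_size] for i in range(0, len(inst.data), chunk_size)]
    plan: dict[str, list[tuple[int, bytes]]] = {loc: [] for loc in locations}
    for idx, chunk in enumerate(chunks):
        plan[locations[idx % len(locations)]].append((idx, chunk))
    return plan

def reassemble(plan: dict) -> bytes:
    return b"".join(c for _, c in sorted(p for parts in plan.values() for p in parts))
```

A single location in the plan simply receives the whole instance; the chunk index travels with each chunk so the file can be rebuilt from any combination of providers.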
There is, therefore, a present need to provide an improved paradigm, system, method and apparatus for managing the secure, distributed, real-time encryption and storage of data using a quantum event-based, random binary data generator in combination with a single-party or two-party, symmetric and/or asymmetric key storage system that overcomes the aforementioned constraints of existing cloud storage techniques, and that exploits the enhancements of the new technologies offered.