WO2015194937A1 - System and method for distributed secure data storage in torus network topology

Info

Publication number: WO2015194937A1
Authority: WO
Grant status: Application
Prior art keywords: node, storage, data, client, key
Application number: PCT/MY2015/050060
Other languages: French (fr)
Inventors: KARIM Mohd Bazli AB; Jing Yuan Luke; Hong Hoe ONG; RAMANATHAN Thillai Raj T
Original Assignee: Mimos Berhad

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • G06F11/3433 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment for load management
    • G06F11/3485 Performance evaluation by tracing or monitoring for I/O devices
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • H04L67/1002 Network-specific arrangements or communication protocols supporting networked applications in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers, e.g. load balancing
    • H04L67/1097 Network-specific arrangements or communication protocols supporting networked applications in which an application is distributed across nodes in the network for distributed storage of data in a network, e.g. network file system [NFS], transport mechanisms for storage area networks [SAN] or network attached storage [NAS]
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G06F11/2094 Redundant storage or storage space
    • G06F11/3476 Data logging
    • G06F2206/1012 Load balancing

Abstract

The present invention relates to an improved system for distributed secure data storage over a torus network topology and to the method thereof. The system comprises a plurality of storage nodes (100), client nodes (101) and master node (102). The plurality of storage nodes (100) each comprises a read and write head configured to read data from and write data as requested by the client nodes (101). The master node (102) which may be selected from among the plurality of storage nodes (100) is configured for managing the data. The master node (102) can be characterized by a storage manager unit (103), a data balancer unit (104), a key registry unit (105) and a master data logger (106) that may dynamically continuously rebalance the data based on the availability of a storage node and access frequency of data, and may protect and secure the data using a striped master key through node authentication mechanism.

Description

SYSTEM AND METHOD FOR DISTRIBUTED SECURE DATA STORAGE IN TORUS NETWORK TOPOLOGY

FIELD OF THE INVENTION

The present invention relates generally to an arrangement and method for data monitoring, distribution and maintenance over a computer network. More particularly, the present invention relates to an improved system for distributed secure data storage over a torus network topology and to the method thereof.

BACKGROUND OF THE INVENTION

There has been growing interest and intense research around the world in network data storage for large-scale information sharing. A distributed data store is usually utilized as a computer network that stores data or information on more than one node, often in a replicated fashion.

Data replication for the access of distributed users has progressed from mirroring file servers, to commercial content-distribution networks, then to peer-to-peer type of networks. From the traditional file management and memory usage model, the trend has shifted to jointly storing many individual owners' files in the same distributed network and to the formation of a network of memories owned by many individuals that can be publicly accessed and utilized from the traditional server-client service model. Centralized storage and cache mechanisms have been used in order to increase performance of data storing over the network. The trend is believed to have had the greatest influence of the increasingly wide sharing of information and the very large number of freely available memories of ordinary users.

A problem with the known technique is that the distributed data store is incapable of managing and utilizing the storage nodes as well as distributing the data, including data replication and data placement, efficiently within a distributed environment that contains various network topologies, which creates imbalance and biased data distribution among the storage nodes available in the network topology. Another problem of the known technique is that the data stored in the storage nodes can be compromised or faulty. Without proper data protection and security, the data is at risk of being irretrievably lost, stolen or mislaid.

Therefore, a need exists for an improved system for distributed secure data storage over a torus network topology and for an improved method thereof.

SUMMARY OF THE INVENTION

The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.

Accordingly, the present invention provides a system for distributed secure data storage over a torus network topology. The system comprises a plurality of storage nodes and a master node. The plurality of storage nodes comprises a read and write head that is configured to read data from and write data to a storage disk, as requested by client nodes. In the context of the present invention, the read and write head can include read head, write head and combination thereof. The master node may be selected from among the plurality of storage nodes and can be configured for managing the data stored in the storage disk.

The system of the present invention can be characterized by the master node that comprises a storage manager unit, a data balancer unit and a key registry unit. The storage manager unit comprises a network storage map with status information pertaining to the plurality of storage nodes for monitoring the data storage. Preferably, the status information may include availability of a storage node. The data balancer unit comprises a storage analyzer that can be configured for examining the availability of a storage node. The data balancer unit further comprises a data frequency analyzer that is configured for determining access frequency of data. The data balancer unit may be configured to continuously facilitate balance allocation of the data among the plurality of storage nodes through data striping and replication based on the availability of a storage node and the access frequency of data.

The key registry unit may be configured for authenticating the plurality of storage nodes and the client nodes each using a master key. The master key is preferably striped into a first portion key which is retained in the key registry unit and a second portion key that is assigned to the storage node or the client node. If the portion keys match, the storage node or the client node is allowed to register, add and remove over the torus network topology.

Preferably, the data balancer unit may be configured for assigning the data to a next available storage node with sufficient memory capacity to perform the balance allocation of the data.

Preferably, the data balancer unit may be configured for assigning a frequently accessed data to a next available storage node with a least node hop count based on corresponding node location on the network storage map.

Preferably, the master node further comprises a master data logger in communication with a client data logger that is disposed at the client node configured for logging and arranging the data in a most frequently accessed first basis. The client data logger may supply the master data logger with a client data access frequency log that cooperates with the data frequency analyzer for performing the balance allocation of the data.

Preferably, the client node further comprises a file system (FS) client unit in communication with the key registry unit and the master data logger, and may be configured to store the second portion key which can be assigned by the master node.

Preferably, the storage node further comprises a secure object storage daemon unit in communication with the key registry unit and may be configured to store the second portion key which can be assigned by the master node.

Preferably, the key registry unit constructs the master key upon receiving an authentication request from the storage node or the client node. The authentication request may include a register request, an add request and a remove request.

In accordance with another aspect, the present invention provides a method of configuring distributed secure data storage over a torus network topology. The method comprises the steps of issuing, by a client node, a request to read data from and write data to a storage disk of a plurality of storage nodes; and assigning, by a master node, one of the plurality of storage nodes for storing the data in response to the request.

The method of the present invention can be characterized by the steps of transmitting an authentication request made by the storage node or the client node to the master node, wherein the authentication request includes a register request, an add request and a remove request; authenticating the storage node or the client node by matching a first portion key stored in the master node with a second portion key assigned to the storage node or the client node, wherein if the portion keys match, allowing the storage node or the client node to register, add and remove, wherein if otherwise, discarding the storage node or the client node; and upon authentication, performing in a continuous manner monitoring and balance allocation of the data among the plurality of storage nodes through data striping and replication, wherein the monitoring and balance allocation includes: obtaining a network storage map with status information pertaining to the plurality of storage nodes or the client node, wherein the status information includes availability of a storage node; assigning the data to a next available storage node with sufficient memory capacity; determining access frequency of data by logging and arranging the data in a most frequently accessed first basis; and assigning a frequently accessed data to a next available storage node with a least node hop count based on corresponding node location in the network storage map.

Preferably, the method can include the steps of receiving the authentication request and the second portion key from the storage node or the client node; in response to the authentication request, matching the second portion key with the first portion key; transmitting an authentication reply to the storage node or the client node; and processing the authentication reply, wherein if the portion keys match, assigning the storage node or the client node to the torus network topology and updating the network storage map, wherein if otherwise, discarding the storage node or the client node.

Preferably, if the authentication request is the register request for registering the storage node or the client node: generating the master key using a predefined algorithm; striping the master key into the first portion key and the second portion key; retaining the first portion key by storing the same in the key registry unit; and assigning the second portion key to the storage node or the client node.

Preferably, if the authentication request is the add request for adding the storage node or the client node: retrieving the first portion key from the key registry unit to match the second portion key; and processing the portion keys and transmitting the authentication reply to the storage node or the client node.

Preferably, if the authentication request is the remove request for removing the storage node or the client node: revoking the master key including the first portion key and the second portion key; deleting the first portion key stored in the key registry unit and the second portion key stored in the storage node or client node; and dismissing the storage node or the client node.

It is therefore an advantage of the present invention that it dynamically continuously rebalances the data among the storage nodes in a torus network topology based on the status information, i.e. availability of a storage node and access frequency of data, in that the present invention efficiently utilizes the storage nodes available in the network storage map to perform balance allocation of the data. It is therefore another advantage of the present invention that it protects and secures the data stored in the storage nodes of the torus network topology using a striped master key through a node authentication mechanism which is monitored by the master node.

The foregoing and other objects, features, aspects and advantages of the present invention will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the invention and many of the attendant advantages thereof will be readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:

Figure 1 is a diagram showing generally the torus network topology according to one embodiment of the present invention;

Figure 2 is a diagram showing the system for distributed secure data storage over a torus network topology according to one embodiment of the present invention;

Figure 3 is a flow diagram depicting the method of configuring distributed secure data storage over a torus network according to one embodiment of the present invention;

Figure 4 is a flow diagram depicting the step of authenticating the storage node or the client node in the key registry unit according to one embodiment of the present invention;

Figure 5 is a flow diagram depicting the step of authenticating the storage node in the secure object storage daemon unit according to one embodiment of the present invention;

Figure 6 is a flow diagram depicting the step of authenticating the client node and the step of determining access frequency of data according to one embodiment of the present invention; and

Figure 7 is a flow diagram depicting the step of issuing a request to read data from and write data to a storage disk of the storage node according to one embodiment of the present invention.

It is noted that the drawings may not be to scale. The drawings are intended to depict only typical aspects of the invention, and therefore should not be considered as limiting the scope of the invention.

DETAILED DESCRIPTION OF THE INVENTION

It is an object of the present invention to provide a system and method for distributed secure data storage over a torus network topology that dynamically continuously rebalances the data among the storage nodes available in the torus network topology based on status information, i.e. availability of a storage node and access frequency of data, and that protects and secures the data stored in the respective storage nodes using a striped master key through node authentication mechanism.

The term "torus network topology" used herein may refer to the network topology for connecting processing nodes in a parallel computer system that can be visualized as a mesh interconnect with nodes arranged in a rectilinear array of n=2, 3, or more dimensions.

The term "node" used herein may refer to any device, computer, processing unit, etc., that is addressable within a torus network.

The term "storage node" used herein may refer to a node that stores information using directly or locally attached storage disks in a network.

The term "client node" used herein may refer to a node that performs read and write operations (e.g., PC workstation, laptop, computing tablet, smartphone, etc.).

The term "master node" used herein may refer to a node selected from among storage nodes comprising a network storage map and configured to manage a torus network.

The term "quorum" used herein may refer to a group of master nodes that is formed to establish agreement based on a predetermined minimum number (e.g. 3) in order to provide high availability to the storage system.

The term "data" (e.g., stored data) as used herein may include any type of information such as audio and video content, text, images, etc.

Figure 1 is a torus network topology showing how a plurality of storage nodes 100, client nodes 101 and a master node 102 are connected to each other, according to one preferred embodiment of the present invention. The torus network topology is preferably configured such that it can prevent network partitioning and have short distance between node pairs, i.e. short torus network communication path. It is essential that the torus network communication path forms wrap-around connections in the torus network topology. The wrap-around connections in the torus network topology deliver better performance in the data replication and data placement process due to their symmetry. For instance, a storage node 100 can comprise north, south, east and west neighboring nodes symmetrically.

The system for distributed secure data storage of the present invention will now be described in greater detail below, with reference to Figure 2.

Each of the plurality of storage nodes 100 comprises a read and write head that is configured to read data from and write data to a storage disk 100a, as requested by the client nodes 101, and a secure object storage daemon unit 100b. The data may be subject to data striping and data replication prior to storing in the storage disk 100a. Data striping may include segmentation of sequential data so that every segment of the data can be stored on different storage disks 100a. Data replication may include sharing information to ensure consistency between redundant resources, i.e. the storage disks 100a. The secure object storage daemon unit 100b preferably connects to the master node 102, which ultimately allows register, add and remove of the storage node 100 in the torus network topology using a key, namely a second portion key. The second portion key may be stored in the secure object storage daemon unit 100b.

The plurality of storage nodes 100 (also referred to as storage nodes) can be arranged according to a predetermined dimension number, for example, two-dimensional space. Each storage node 100 may be identified and distinguished from other storage nodes 100 by using a node coordinate. For example, a storage node 100 which is located within a two-dimensional space has a node coordinate of (0,0), meaning the storage node is positioned at '0' of the x-axis and '0' of the y-axis. The storage nodes 100 can be further connected to various client nodes 101 through a client node communication path (see dotted line 1 in Figure 1).

Each client node 101 is preferably comprised of a client data logger 101a and a file system (FS) client unit 101b. The client data logger 101a in communication with the master node 102 is preferably configured to log and arrange the data in a most frequently accessed first basis to produce a client data access frequency log, which is submitted to the master node 102 for performing the balance allocation of the data. The FS client unit 101b preferably connects to the master node 102, which ultimately allows register, add and remove of the client node 101 in the torus network topology using a key, namely a second portion key. The second portion key may be stored in the FS client unit 101b.

According to Figure 1, the master node 102, which can be selected from among the plurality of storage nodes 100, is employed at the torus network topology to monitor and manage the plurality of storage nodes generally, particularly for managing and performing balance allocation of the data that may be stored in the storage disks 100a of the plurality of storage nodes 100. The master node 102 is preferably a storage management node for a distributed file system that holds the entire storage information of the torus network topology in a form of a network storage map.

In various embodiments, the system of the present invention can comprise more than one master node 102. The number of master nodes 102 may be predefined to establish and to form a quorum. The quorum, which refers to a number of master nodes, can have any number of master nodes 102. For instance, a quorum may comprise three master nodes 102 that are governed by a predetermined agreement in order to provide high availability to the system. Among these three master nodes 102 in the quorum, only one master node 102 is configured to operate in active mode, whereas the others operate in passive mode. The master node 102 which is active can substantially monitor and manage the plurality of storage nodes 100 that are located within the environment of the quorum in the torus network topology. The passive master nodes 102, on the other hand, may regularly update any necessary point of information in respective nodes upon receipt of the same from the active master node 102; this may include the network storage map.

Essentially, the client node 101 performs read and write operations to the storage node 100 upon receiving, from the master node 102, confirmation of the location of the storage node 100 where the operations can be performed. For such location confirmation, the client node 101 may connect to the master node 102 to obtain authentication and to retrieve some relevant information.

To ensure distributed secure data storage over the torus network topology, the master node 102 of the present invention can comprise a storage manager unit 103, a data balancer unit 104, a key registry unit 105 and a master data logger 106, as shown in Figure 2. The storage manager unit 103 can be configured to monitor the data storage in the torus network topology. The storage manager unit 103 preferably stores a network storage map and status information pertaining to the storage nodes 100 which may include availability of a storage node. The network storage map is preferably torus sensitive and may be regularly updated by any environment changes especially in respect to the storage nodes 100. For example, when a storage node 100 is attached to the system, a master node 102 maps the storage node 100 into the torus network topology based on the total number of existing storage nodes 100 plus the newly attached storage node 100, and the network storage map is immediately updated with the same information due to its torus sensitivity. Thus, by mapping all the storage nodes 100 availably connected to the torus network topology, every storage node 100 can advantageously know its respective neighboring nodes, i.e. north, south, east and west neighboring nodes.

The data balancer unit 104 comprises a storage analyzer 104a and a data frequency analyzer 104b. The storage analyzer 104a is preferably configured to examine and analyze the status information that is retrieved from the storage manager unit 103. More preferably, the storage analyzer 104a monitors the availability of a storage node and rebalances the data among the storage nodes 100 in the system based on the network storage map. The data frequency analyzer 104b is preferably configured to determine and generate access frequency of data for the system. More preferably, the data frequency analyzer 104b tracks and identifies the data frequently accessed by the client node 101 based on the client data access frequency log as produced by the client data logger 101a and reallocates the same to another suitable storage node 100 based on the network storage map.

The outputs from the storage analyzer 104a and the data frequency analyzer 104b may be used by the data balancer unit 104 to perform balance allocation of the data among the plurality of storage nodes 100 connected in the torus network topology.

Preferably, the data balancer unit 104 makes use of the status information including availability of a storage node for performing balance allocation of the data through data striping and replication. For example, based on the reported availability of a storage node, the master node 102 through the data balancer unit 104 may allocate or transfer the data to another storage node 100, in order to create balance in the torus network topology, if the initial storage node 100 has been removed by an administrator. According to one preferred embodiment, the data balancer unit 104 can assign, allocate or transfer the data to a next available storage node with sufficient memory capacity in order to maintain the balance distributed secure data storage in the torus network topology.

Preferably, the data balancer unit 104 makes use of the access frequency of data for performing balance allocation of the data through data striping and replication. For example, based on the reported access frequency of data, the master node 102 through the data balancer unit 104 may allocate or transfer the frequently accessed data, in order to create balance in the torus network topology, to a storage node 100 in which the frequently accessed data is stored. According to one preferred embodiment, the data balancer unit 104 can assign, allocate or transfer the data to a next available storage node with a least node hop count based on corresponding node location on the network storage map in order to maintain the balance distributed secure data storage in the torus network topology. The node hop count preferably indicates a number of hops to the at least one timing reference node. This may also reveal relevant hop count information to determine the neighboring nodes.

In accordance with one preferred embodiment, besides being executable in parallel, the data balancer unit 104 of the present invention may also be configured to perform the balance allocation of the data simultaneously based on both the availability of a storage node and the access frequency of data.
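The two allocation criteria described above can be combined in a few lines. The following is an added illustration, not code from the patent or its applicant: the 4x4 torus, the node records, the object sizes and the `reference` coordinate (standing in for the reference node's location on the network storage map) are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageNode:
    node_id: str
    coord: tuple[int, int]   # node location on the network storage map
    available: bool          # False once removed by an administrator
    free_bytes: int


def torus_hops(a, b, dims):
    """Fewest hops between two torus coordinates; every axis wraps around."""
    return sum(min(abs(p - q), size - abs(p - q))
               for p, q, size in zip(a, b, dims))


def plan_allocation(nodes, dims, access_log, sizes, reference):
    """Place objects, most frequently accessed first, on the available node
    that has enough free capacity and the least hop count to `reference`."""
    free = {n.node_id: n.free_bytes for n in nodes if n.available}
    by_id = {n.node_id: n for n in nodes}
    plan = {}
    # Most-frequently-accessed-first ordering, as the access frequency log gives it.
    for obj in sorted(access_log, key=lambda o: (-access_log[o], o)):
        fits = [nid for nid, cap in free.items() if cap >= sizes[obj]]
        if not fits:
            plan[obj] = None   # no node has room; nothing is assigned
            continue
        best = min(fits, key=lambda nid: (
            torus_hops(by_id[nid].coord, reference, dims), nid))
        free[best] -= sizes[obj]   # capacity is consumed as objects are placed
        plan[obj] = best
    return plan


# Constructed sample data (assumption): a 4x4 torus with four storage nodes.
DIMS = (4, 4)
NODES = [
    StorageNode("n1", (3, 0), True, 100),    # 1 hop from (0, 0) via wrap-around
    StorageNode("n2", (1, 1), True, 500),    # 2 hops
    StorageNode("n3", (0, 3), False, 1000),  # 1 hop, but removed
    StorageNode("n4", (2, 2), True, 1000),   # 4 hops
]
ACCESS_LOG = {"obj-a": 50, "obj-b": 30, "obj-c": 5}   # access counts
SIZES = {"obj-a": 80, "obj-b": 80, "obj-c": 600}      # bytes

if __name__ == "__main__":
    print(plan_allocation(NODES, DIMS, ACCESS_LOG, SIZES, reference=(0, 0)))
```

The unavailable node is never chosen even though it is one hop away, and the second object spills to the next-nearest node once the nearest one is full.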

The key registry unit 105 of the master node 102 is essentially configured to authenticate the plurality of storage nodes 100 and the client nodes 101 each using a master key. The master key can be generated using any algorithm such as RSA, DSA, SHA, DES1 and the like. Preferably, the master key is striped into a first portion key and a second portion key. The first portion key is retained or maintained in the key registry unit 105 and the second portion key is assigned and returned to the storage node 100 or the client node 101 which has initiated the authentication. For example, the master key is key.client, and the first portion key and the second portion key are key.client.1 and key.client.2, respectively.

Upon the authentication, if the portion keys match where the first portion key and the second portion key are perfectly coupled together or unstriped to form the master key, the storage node 100 or the client node 101 may be allowed to register, add to and remove from the system.

While the first portion key is retained in the key registry unit 105, the second portion key can be held in reserve by the secure object storage daemon unit 100b if the storage node 100 initiated the authentication or by the FS client unit 101b if the client node 101 initiated the authentication.

The key registry unit 105 receives an authentication request from the storage node 100 or the client node 101. The authentication request may include a register request, an add request and a remove request.

The master data logger 106 deployed in the master node 102 is preferably in communication with the client data logger 101a that can also be configured for logging and arranging the data accessed by the client node 101 in a most frequently accessed first basis, so as to conform to the client data access frequency log reported by the client data logger 101a. The master data logger 106 processes the client data access frequency log and provides the same as an input to the data frequency analyzer 104b.

The method of configuring distributed secure data storage over the torus network topology will now be described in connection with the accompanying Figures 3-7. With reference to Figure 3, in step 200, the master node 102 including the storage manager unit 103, data balancer unit 104, key registry unit 105 and master data logger 106 is first initialized. Following that, in steps 201a and 202a, an authentication request transmitted by the storage node 100 or the client node 101 is received at the master node 102. The master node 102 can be configured to receive any number of authentication requests at a time, regardless of whether the request is issued by the storage node 100 or the client node 101. The authentication request may include a register request, an add request, and a remove request. The register request may be generated when the storage node 100 or the client node 101 requires registration. The add request may be generated for adding the storage node 100 or the client node 101 into the torus network topology. The remove request may be generated for removing the storage node 100 or the client node 101 from the torus network topology.

Upon receiving the authentication request, the master node 102 identifies and processes the same by matching the first portion key stored in the key registry unit 105 with the second portion key accompanying the authentication request (that is, the one stored in the storage node 100 or the client node 101) and next transmits an authentication reply to the storage node 100 or the client node 101 which has initiated the authentication request, as in steps 201b and 202b. If the authentication reply is positive, i.e. the portion keys are validated, the master node 102 allows the storage node 100 or the client node 101 to register, add or remove based on the type of authentication request. However, if the authentication reply is negative, i.e. the portion keys are invalidated, the master node 102 forbids the storage node 100 or the client node 101 to register, add to or remove from the torus network topology and the administrator shall be notified.

Accordingly, the master node 102 monitors status information of the storage node 100 including availability of a storage node, and determines access frequency of data in step 203. Preferably, upon the earlier steps, the master node 102 obtains a network storage map with status information pertaining to the storage nodes 100 or the client nodes 101, and the access frequency of data in a most frequently accessed first basis. Balance allocation of the data among the storage nodes 100 is next performed by the master node 102 through assigning, allocating or transferring the data to a next available storage node 100 with sufficient memory capacity or with a least node hop count as in step 204, in order to maintain the balanced distributed secure data storage in the torus network topology.

Figure 4 shows torus network communication paths between the storage node 100 or the client node 101 and the key registry unit 105 of the master node 102. In steps 201a and 202a, the storage node 100 or the client node 101 issues and transmits an authentication request to the master node 102 which is immediately forwarded to the key registry unit 105. The key registry unit 105 receives the authentication request and thus identifies the type of authentication request, whether register request, add request or remove request. Figures 5 and 6, on the other hand, show torus network communication paths for authentication between the secure object storage daemon unit 100b and the key registry unit 105, and the FS client unit 101b and the key registry unit 105, respectively. In step 300, if the authentication request is the register request for registering the storage node 100 or the client node 101, the master node 102 generates a master key using a predefined algorithm such as RSA, DSA, SHA, DES1 and the like. The master key is then striped into the two previously mentioned portion keys, namely the first portion key and the second portion key. The first portion key is retained in the key registry unit 105 by storing the same in the key registry unit 105. The second portion key is assigned to the storage node 100 or the client node 101, possibly by storing the same in the secure object storage daemon unit 100b or the FS client unit 101b. The administrator is notified of the success or failure of the node registration (steps 201b/202b) and the network storage map may be updated accordingly.

In step 301, if the authentication request is the add request for adding the storage node 100 or the client node 101, the master node 102 retrieves the first portion key from the key registry unit 105 to match the second portion key that accompanies the add request. The portion keys are processed by matching with each other to form the master key, and next an authentication reply is transmitted to the storage node 100 or the client node 101. If the portion keys match and the master key is valid, i.e. the portion keys are validated, the key registry unit 105 notifies the administrator of the successful node addition (steps 201b/202b). If the portion keys do not match and the master key is invalid, the key registry unit 105 notifies the administrator of the unsuccessful node addition (steps 201b/202b). The network storage map may then be updated accordingly.

In step 302, if the authentication request is the remove request for removing the storage node 100 or the client node 101, the master node 102 revokes the master key by deleting the first portion key stored in the key registry unit 105 and the second portion key stored in the storage node 100 or the client node 101. Upon that, the master node 102 dismisses the storage node 100 or the client node 101 and the administrator is notified of the success or failure of the node removal (steps 201b/202b). The network storage map may then be updated accordingly.

Particularly, with reference to Figure 6, if the authentication request is the register request for registering the client node 101, the master node 102 generates the master key including the first portion key that is maintained in the key registry unit 105 and the second portion key that is assigned and returned to the FS client unit 101b. If the authentication request is the add request for adding the client node 101, the master node 102 adds the client node 101 into the torus network topology upon authentication of the master key and the client data logger 101a reports a client data access frequency log to the master data logger 106, as shown in step 400. If the authentication request is the remove request for removing the client node 101, the master node 102 detaches the client node 101 from the system if connected and revokes the master key accordingly.
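The register, add and remove handling of steps 300 to 302 can be sketched as follows. This is an added example, not code from the patent or its applicant. The description does not say how a recombined master key is judged valid, so storing a SHA-256 digest of the master key beside the first portion key is an assumption made here, as are the 32-byte random key, the half-and-half striping and the `KeyRegistry` class name.

```python
import hashlib
import hmac
import secrets


class KeyRegistry:
    """Hypothetical stand-in for the key registry unit 105."""

    def __init__(self):
        self._records = {}    # node id -> (first portion key, digest of master key)
        self.members = set()  # nodes currently admitted to the topology
        self.admin_log = []   # notifications sent to the administrator

    def register(self, node_id):
        """Step 300: generate the master key, stripe it, retain the first portion."""
        master = secrets.token_bytes(32)            # assumption: random 256-bit key
        first, second = master[:16], master[16:]    # e.g. key.client.1 / key.client.2
        # Assumption: keep a digest so a recombined key can be validated later.
        self._records[node_id] = (first, hashlib.sha256(master).digest())
        self.admin_log.append(("register", node_id, True))
        return second                               # assigned to the requesting node

    def _portions_match(self, node_id, second):
        record = self._records.get(node_id)
        if record is None:
            return False
        first, digest = record
        candidate = hashlib.sha256(first + second).digest()
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def add(self, node_id, second):
        """Step 301: admit the node only if the portion keys form the master key."""
        ok = self._portions_match(node_id, second)
        if ok:
            self.members.add(node_id)
        self.admin_log.append(("add", node_id, ok))
        return ok

    def remove(self, node_id, second):
        """Step 302: revoke the master key by deleting the retained portion."""
        ok = self._portions_match(node_id, second)
        if ok:
            del self._records[node_id]   # the node deletes its own portion as well
            self.members.discard(node_id)
        self.admin_log.append(("remove", node_id, ok))
        return ok


if __name__ == "__main__":
    registry = KeyRegistry()
    portion = registry.register("client-1")
    print(registry.add("client-1", portion))      # True
    print(registry.remove("client-1", portion))   # True
    print(registry.add("client-1", portion))      # False: key was revoked
```

With plain striping the registry holds half of the key bits in the clear, so the retained portion needs the same protection as a full key.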

Figure 7 schematically shows read and write operations performed by the client node 101 in respect to the storage node 100 according to one exemplary embodiment of the present invention. The read and write operations can be exemplified by the steps a-d in Figure 7. The client node 101 preferably issues a request to read data from and write data to a storage disk deployed in the storage node 100. The master node 102 then selects one storage node 100 that will be used by the client node 101 to perform read and write operations, for example, to read and write particular data in the storage node 100. Preceding that, the client node 101 has to be authenticated by the master node 102 before joining the torus network topology, as depicted by the first two steps, i.e. steps a and b.

The FS client unit 101b then communicates with the secure object storage daemon unit 100b in the storage node 100 assigned by the master node 102 in step c. The secure object storage daemon unit 100b obtains the client's key and checks its access level. If the access verification is not granted, the client node 101 is not allowed to access the file system and an error code is transmitted to the client node 101 via a failure notification. However, if the access verification is granted, the client's requested file together with its permission and access mode is obtained and accessible by the FS client unit 101b, as depicted in step d. Subsequently, a policy of the client node 101 is verified. If the policy is allowed, then the client node 101 is allowed to perform the read and write operations in the storage node 100. However, if the policy is not allowed, the secure object storage daemon unit 100b issues a policy error code and returns the same to the client node 101 via another failure notification.

The client node 101 is preferably provided with two access modes, namely write mode and read mode. In the write mode, the secure object storage daemon unit 100b encrypts the (incoming) data. The data is striped or segmented into a plurality of objects or sequential data so that each of the objects can be stored on different storage disks 100a, i.e. different storage nodes 100. After performing the write operation step, a predefined policy is applied or imposed to the data and every object is replicated to other storage nodes 100 for sharing information to avoid redundancy. Following that, a success write notification comprising a success status code is generated and transmitted to the client node 101.

In the read mode, the secure object storage daemon unit 100b determines placement of the (striped) objects. After performing the read operation step, the secure object storage daemon unit 100b reconstructs the objects by gathering all related objects stored in the storage nodes 100 into a final encrypted data. The final encrypted data is next subjected to decryption. Upon that, a success read notification that comprises the decrypted data is generated and transmitted to the client node 101.

Throughout the description and claims of the present invention, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise. While this invention has been particularly shown and described with reference to the exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention as defined by the appended claims.

Claims

1. A system for distributed secure data storage over a torus network topology, comprising:
a plurality of storage nodes (100) comprising a read and write head configured to read data from and write data to a storage disk (100a) as requested by client nodes (101); and
a master node (102) selected from among the plurality of storage nodes (100) configured for managing the data stored in the storage disk (100a);
characterized in that,
the master node (102) comprising:
a storage manager unit (103) comprising a network storage map with status information pertaining to the plurality of storage nodes (100) configured for monitoring the data storage, wherein the status information including availability of a storage node;
a data balancer unit (104) comprising a storage analyzer (104a) for examining the availability of a storage node and a data frequency analyzer (104b) for determining access frequency of data, wherein the data balancer unit (104) continuously facilitating balance allocation of the data among the plurality of storage nodes (100) through data striping and replication based on the availability of a storage node and the access frequency of data; and
a key registry unit (105) configured for authenticating the plurality of storage nodes (100) and the client nodes (101) each using a master key striped into a first portion key retained in the key registry unit (105) and a second portion key assigned to the storage node (100) or the client node (101) such that if the portion keys match, the storage node (100) or the client node (101) is allowed to register, add and remove.
2. The system according to Claim 1, wherein the data balancer unit (104) configured for assigning the data to a next available storage node (100) with sufficient memory capacity for performing the balance allocation of the data.
3. The system according to Claim 1, wherein the data balancer unit (104) configured for assigning a frequently accessed data to a next available storage node (100) with a least node hop count based on corresponding node location on the network storage map.
4. The system according to Claim 1, wherein the master node (102) further comprising a master data logger (106) in communication with a client data logger (101a) disposed at the client node (101) configured for logging and arranging the data in a most frequently accessed first basis, wherein the client data logger (101a) supplying the master data logger (106) with a client data access frequency log that cooperates with the data frequency analyzer (104b) for performing the balance allocation of the data.
5. The system according to Claim 4, wherein the client node (101) further comprising a file system (FS) client unit (101b) in communication with the key registry unit (105) and the master data logger (106) and configured to store the second portion key assigned by the master node (102).
6. The system according to Claim 1, wherein the storage node (100) further comprising a secure object storage daemon unit (100b) in communication with the key registry unit (105) and configured to store the second portion key assigned by the master node (102).
7. The system according to Claim 1, wherein the key registry unit (105) constructing the master key upon receiving an authentication request from the storage node (100) or the client node (101), wherein the authentication request including a register request, an add request and a remove request.
8. A method of configuring distributed secure data storage over a torus network topology, comprising:
issuing, by a client node (101), a request to read data from and write data to a storage disk of a plurality of storage nodes (100); and
assigning, by a master node (102), one of the plurality of storage nodes (100) for storing the data in response to the request;
characterized in that,
the method further comprising the steps of:
transmitting an authentication request made by the storage node (100) or the client node (101) to the master node (102), wherein the authentication request including a register request, an add request and a remove request;
authenticating the storage node (100) or the client node (101) by matching a first portion key stored in the master node (102) with a second portion key assigned to the storage node (100) or the client node (101), wherein if the portion keys match, allowing the storage node (100) or the client node (101) to register, add and remove, wherein if otherwise, discarding the storage node (100) or the client node (101); and
performing, on a continuous manner, monitoring and balance allocation of the data among the plurality of storage nodes (100) through data striping and replication including:
obtaining a network storage map with status information pertaining to the plurality of storage node (100) or the client node (101), wherein the status information including availability of a storage node;
assigning the data to a next available storage node (100) with sufficient memory capacity;
determining access frequency of data by logging and arranging the data in a most frequently accessed first basis; and
assigning a frequently accessed data to a next available storage node (100) with a least node hop count based on corresponding node location in the network storage map.
9. The method according to Claim 8 including the steps of:
receiving the authentication request and the second portion key from the storage node (100) or the client node (101);
matching the second portion key with the first portion key in response to the authentication request;
transmitting an authentication reply to the storage node (100) or the client node (101); and
processing the authentication reply, wherein if the portion keys match, assigning the storage node (100) or the client node (101) to the torus network topology and updating the network storage map, wherein if otherwise, discarding the storage node (100) or the client node (101).
10. The method according to Claim 9, wherein:
if the authentication request is the register request for registering the storage node (100) or the client node (101):
generating the master key using a predefined algorithm;
striping the master key into the first portion key and the second portion key;
retaining the first portion key by storing the same in the key registry unit (105); and
assigning the second portion key to the storage node (100) or the client node (101);
if the authentication request is the add request for adding the storage node (100) or the client node (101):
retrieving the first portion key from the key registry unit (105) to match the second portion key; and
processing the portion keys and transmitting the authentication reply to the storage node (100) or the client node (101);
if the authentication request is the remove request for removing the storage node (100) or the client node (101):
revoking the master key including the first portion key and the second portion key;
deleting the first portion key stored in the key registry unit (105) and the second portion key stored in the storage node (100) or client node (101); and
dismissing the storage node (100) or the client node (101).
PCT/MY2015/050060 2014-06-19 2015-06-19 System and method for distributed secure data storage in torus network topology WO2015194937A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
MYPI2014701657 2014-06-19
MYPI2014701657 2014-06-19

Publications (1)

Publication Number Publication Date
WO2015194937A1 (en) 2015-12-23

Family

ID=54015158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2015/050060 WO2015194937A1 (en) 2014-06-19 2015-06-19 System and method for distributed secure data storage in torus network topology

Country Status (1)

Country Link
WO (1) WO2015194937A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5612897A (en) * 1996-03-21 1997-03-18 Digital Equipment Corporation Symmetrically switched multimedia system
EP1662388A1 (en) * 2004-11-17 2006-05-31 Raytheon Company On-demand instantiation in a high-performance computing (HPC) system
US20070022122A1 (en) * 2005-07-25 2007-01-25 Parascale, Inc. Asynchronous file replication and migration in a storage network
US20120331088A1 (en) * 2011-06-01 2012-12-27 Security First Corp. Systems and methods for secure distributed storage
US20140164551A1 (en) * 2007-10-09 2014-06-12 Cleversafe, Inc. Encoded data slice caching in a distributed storage network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15757015

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15757015

Country of ref document: EP

Kind code of ref document: A1