Patents by Inventor James P. Hughes

James P. Hughes has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210117518
    Abstract: A system and method for secure generation and distribution of digital encryption keys is disclosed. The system may also be used to protect and distribute other types of secure information, including digital, audio, video, or analog data, or physical objects. The system may include a tamper-respondent secure token device, which may be configured to destroy or disable access to the secure information contained therein in response to attempts to physically or electronically breach the device. Outputs may be provided in a secure manner through various interfaces without using electricity (wires) or electromagnetic radiation. Inputs may be provided in a secure manner, including through the use of a gesture-based input interface. Destruction or disablement of the device and/or its secure contents may be provided upon detection of tamper attempts or upon input of a self-destruct command. Proof of the destruction or disablement of the device or its contents may be provided.
    Type: Application
    Filed: December 4, 2020
    Publication date: April 22, 2021
    Inventors: James P. Hughes, Robert F. Tow
  • Patent number: 10860696
    Abstract: A system and method for secure generation and distribution of digital encryption keys is disclosed. The system may also be used to protect and distribute other types of secure information, including digital, audio, video, or analog data, or physical objects. The system may include a tamper-respondent secure token device, which may be configured to destroy or disable access to the secure information contained therein in response to attempts to physically or electronically breach the device. Outputs may be provided in a secure manner through various interfaces without using electricity (wires) or electromagnetic radiation. Inputs may be provided in a secure manner, including through the use of a gesture-based input interface. Destruction or disablement of the device and/or its secure contents may be provided upon detection of tamper attempts or upon input of a self-destruct command. Proof of the destruction or disablement of the device or its contents may be provided.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: December 8, 2020
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Robert F. Tow
  • Publication number: 20150213243
    Abstract: A system and method for secure generation and distribution of digital encryption keys is disclosed. The system may also be used to protect and distribute other types of secure information, including digital, audio, video, or analog data, or physical objects. The system may include a tamper-respondent secure token device, which may be configured to destroy or disable access to the secure information contained therein in response to attempts to physically or electronically breach the device. Outputs may be provided in a secure manner through various interfaces without using electricity (wires) or electromagnetic radiation. Inputs may be provided in a secure manner, including through the use of a gesture-based input interface. Destruction or disablement of the device and/or its secure contents may be provided upon detection of tamper attempts or upon input of a self-destruct command. Proof of the destruction or disablement of the device or its contents may be provided.
    Type: Application
    Filed: April 10, 2015
    Publication date: July 30, 2015
    Inventors: James P. Hughes, Robert F. Tow
  • Patent number: 9015075
    Abstract: A system and method for secure generation and distribution of digital encryption keys is disclosed. The system may also be used to protect and distribute other types of secure information, including digital, audio, video, or analog data, or physical objects. The system may include a tamper-respondent secure token device, which may be configured to destroy or disable access to the secure information contained therein in response to attempts to physically or electronically breach the device. Outputs may be provided in a secure manner through various interfaces without using electricity (wires) or electromagnetic radiation. Inputs may be provided in a secure manner, including through the use of a gesture-based input interface. Destruction or disablement of the device and/or its secure contents may be provided upon detection of tamper attempts or upon input of a self-destruct command. Proof of the destruction or disablement of the device or its contents may be provided.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: April 21, 2015
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Robert F. Tow
  • Patent number: 8832842
    Abstract: An external security device is provided in the communication path between devices of different security levels. A higher security device needs only to trust the security of the external device, rather than relying on operating system and file system software that cannot be assured. The external security device blocks access requests that may be using covert channels, but returns status information that indicates that the request is successful. The external security device may then audit access requests to provide a higher level of accountability. The external security device also handles data duplication to prevent or significantly reduce the threat of traffic analysis.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: September 9, 2014
    Assignee: Oracle America, Inc.
    Inventor: James P. Hughes
  • Patent number: 8631235
    Abstract: A system and method for storing data in a virtual file system using write once read many (WORM) protection includes a WORM server in communication with one or more storage devices and a controller in communication with the WORM server. A first time stamping process creates a first time stamp for a data object based on instructions applied by the controller for storage on the WORM server. A second time stamping process creates a second time stamp for the data object for storage on the WORM server. The second time stamping process creates the second time stamp for the data object and first time stamp to ensure the integrity of the data object stored on the system.
    Type: Grant
    Filed: August 8, 2007
    Date of Patent: January 14, 2014
    Assignee: Oracle America, Inc.
    Inventor: James P. Hughes
  • Publication number: 20120310892
    Abstract: A system for object-based data storage includes a plurality of object-based storage nodes having respective data storage devices, at least one file presentation node, a virtual cluster file server (VFS), and a scalable interconnect to couple the virtual cluster file server to the storage nodes, and to the at least one file presentation node. The VFS mirrors a same data object for a data file across the plurality of data storage devices.
    Type: Application
    Filed: October 19, 2011
    Publication date: December 6, 2012
    Inventors: Tru Q. Dam, Shanthi Paladugu, Ravi K. Kavuri, James P. Hughes
  • Patent number: 8316258
    Abstract: A system and method for error detection in a data storage array includes one or more storage media interconnected with a controller through a network. A data integrity engine in the controller applies a first error detection process to a data object to create one or more data blocks and associated parity codes. First and second error detection processes are applied to detect and repair errors in the data object.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: November 20, 2012
    Assignee: Oracle America, Inc.
    Inventor: James P. Hughes
  • Patent number: 8225086
    Abstract: A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: July 17, 2012
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, James P. Hughes
  • Patent number: 8218759
    Abstract: A method for encrypting data includes receiving a block of plaintext for a data set at one or more computers, acquiring a cryptographic key for the data set, generating an initialization vector for the block of plaintext based on the block of plaintext, and encrypting the block of plaintext using the cryptographic key and the initialization vector.
    Type: Grant
    Filed: April 17, 2009
    Date of Patent: July 10, 2012
    Assignee: Oracle America, Inc.
    Inventors: Darren James Moffat, James P. Hughes
  • Publication number: 20120066518
    Abstract: Security is provided for a data set stored in a data storage canister. The data set has a data size when received for storage within the canister. At least one data security operation is performed on the received data set to generate secure data having a secure data size that may be different than the set data size. The secure data is stored on at least one data storage device within the canister. Any information about the secure data size is kept from the data producer sending the data set for storage.
    Type: Application
    Filed: August 2, 2011
    Publication date: March 15, 2012
    Applicant: STORAGE TECHNOLOGY CORPORATION
    Inventors: Steven H. McCown, Stephen S. Selkirk, Charles A. Milligan, James P. Hughes, Jacques Debiez
  • Patent number: 8064606
    Abstract: A system that securely registers components in a first system is presented. During operation, the first system receives a request from an intermediary system to obtain configuration information related to the components in the first system. In response to the request, the first system: (1) encrypts configuration information for the first system using a first encryption key; (2) encrypts the first encryption key using a second encryption key; and (3) sends the encrypted configuration information and the encrypted first encryption key to the intermediary system so that the intermediary system can forward the encrypted configuration information and the encrypted first encryption key to the second system, whereby the encrypted configuration information is cryptographically opaque to the intermediary system. Next, the second system uses the configuration information to register the components in the first system.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: November 22, 2011
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, James P. Hughes, Daniel E. Smith
  • Patent number: 8050407
    Abstract: A method of protecting a media key including obtaining the media key, obtaining an auxiliary key, calculating a split key using the media key and the auxiliary key, encrypting the split key using a wrap key to generate an encrypted split key, assembling the encrypted split key and a communication key to obtain a data bundle, and sending the data bundle to a token, where the media key is extracted from the data bundle on the token to protect data on a storage device.
    Type: Grant
    Filed: September 7, 2006
    Date of Patent: November 1, 2011
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Alexander S. Stewart, Dwayne A. Edling
  • Publication number: 20110176675
    Abstract: A method of protecting a media key including obtaining the media key, obtaining an auxiliary key, calculating a split key using the media key and the auxiliary key, encrypting the split key using a wrap key to generate an encrypted split key, assembling the encrypted split key and a communication key to obtain a data bundle, and sending the data bundle to a token, where the media key is extracted from the data bundle on the token to protect data on a storage device.
    Type: Application
    Filed: September 7, 2006
    Publication date: July 21, 2011
    Applicant: Sun Microsystems, Inc.
    Inventors: James P. Hughes, Alexander S. Stewart, Dwayne A. Edling
  • Patent number: 7971062
    Abstract: A hand-held token for secure conveyance of encryption keys includes memory for holding a media key and at least one device key. Control logic reads the media key from memory, encrypts the media key based on the device key, and transmits the encrypted media key to a data storage device. The data storage device decrypts the encrypted media key using its own device key, which may have previously been downloaded from a token.
    Type: Grant
    Filed: April 12, 2006
    Date of Patent: June 28, 2011
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Alexander Stewart, Dwayne A. Edling
  • Patent number: 7924719
    Abstract: One embodiment of the present invention provides a system that parallelizes the TCP-related actions of a network connection between two computer systems during a data transfer between the two computer systems. During operation, the first computer system partitions the data into two or more data segments, and assigns the data segments to multiple processing elements. These multiple processing elements subsequently prepare and send their assigned data segments to the second computer system in parallel using TCP.
    Type: Grant
    Filed: October 10, 2007
    Date of Patent: April 12, 2011
    Assignee: Oracle America, Inc.
    Inventors: Bruce W. Curtis, Darrin P. Johnson, James P. Hughes
  • Publication number: 20100268960
    Abstract: A method for encrypting data includes receiving a block of plaintext for a data set at one or more computers, acquiring a cryptographic key for the data set, generating an initialization vector for the block of plaintext based on the block of plaintext, and encrypting the block of plaintext using the cryptographic key and the initialization vector.
    Type: Application
    Filed: April 17, 2009
    Publication date: October 21, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Darren James Moffat, James P. Hughes
  • Patent number: 7814316
    Abstract: A data encryption system with encryption integrity verification includes an encryption engine configured to receive an unencrypted data packet and generate an encrypted data packet based at least in part on the unencrypted data packet. The system also includes a decryption engine in electronic communication with the encryption engine, the decryption engine configured to receive the encrypted data packet and generate a decrypted data packet based at least in part on the encrypted data packet. The system further includes a comparator in electronic communication with the encryption engine and the decryption engine, the comparator configured to receive the unencrypted and decrypted data packets, determine whether the unencrypted and decrypted data packets are identical, and present the encrypted data packet as an output when the unencrypted and decrypted data packets are identical.
    Type: Grant
    Filed: August 7, 2006
    Date of Patent: October 12, 2010
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Alexander Stewart, Dwayne A. Edling, Gregory S. Toles, Bradley E. Whitney, Benjamin J. Baron, Howard H. Rather, Michael E. Foy, Daniel Dauer
  • Patent number: 7797751
    Abstract: A multiple field nonce particularly suited for use in encryption algorithms associated with data storage has at least one field unique to each data storage device to avoid the possibility of the same nonce value being used to store more than one data string. Additional fields may be based on the number of times at least one encryption key is associated with the storage device and on a number assigned to the particular string of data.
    Type: Grant
    Filed: March 27, 2006
    Date of Patent: September 14, 2010
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Alexander Stewart, Dwayne A. Edling
  • Patent number: 7706538
    Abstract: A system, method and data storage device for encrypting data to provide at-rest data encryption of data in the data storage device. The system includes a compression engine for receiving a host data stream packet and selectively generating a compressed data packet, and an encryption engine in electronic communication with the compression engine for receiving an unencrypted data packet from the compression engine. The unencrypted data packet comprises the compressed data packet when the compression engine generates the compressed data packet. The unencrypted data packet comprises the host data packet when the compression engine does not generate the compressed data packet. The encryption engine generates an encrypted data packet having an encrypted component corresponding to the unencrypted data packet and a set of metadata indicative of one or more characteristics of the encrypted data packet.
    Type: Grant
    Filed: April 14, 2006
    Date of Patent: April 27, 2010
    Assignee: Oracle America, Inc.
    Inventors: James P. Hughes, Alexander Stewart, Dwayne A. Edling, Gregory S. Toles, Bradley E. Whitney, Benjamin J. Baron, Howard H. Rather, Michael E. Foy