Patents by Inventor Xuan Tang

Xuan Tang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10764068
    Abstract: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: September 1, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia J. Perlman, Charles W. Kaufman, Xuan Tang
  • Publication number: 20200177382
    Abstract: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to identify a data item to be stored in the storage system, and to generate a data encryption key for the data item as a function of a first secret key and the data item. For example, the function may comprise hashing at least the data item. The client device is further configured to encrypt the data item using the data encryption key for the data item, and to send the encrypted data item to the storage system for storage therein. The client device in some embodiments is further configured to encrypt the data encryption key using a second secret key, and to send the encrypted data encryption key to the storage system for storage therein as metadata of the data item.
    Type: Application
    Filed: December 4, 2018
    Publication date: June 4, 2020
    Inventors: Radia J. Perlman, Charles Kaufman, Xuan Tang
  • Publication number: 20190332297
    Abstract: Techniques for synchronizing configuration information in a clustered storage environment. The techniques allow a system administrator or other user to make additions and/or updates to configuration information in one or more configuration files, which are automatically propagated for storage in multiple data storage appliances within a storage domain. By allowing a user to make changes to configuration files associated with a primary appliance within the storage domain, and automatically propagating the configuration files in a background process from the primary appliance to multiple secondary appliances within the storage domain, the user can more readily assure consistency of the configuration information, not only among the primary and secondary appliances within the storage domain, but also among previously unavailable or unreachable data storage appliance(s) that may be recovered and brought back on line within the storage domain.
    Type: Application
    Filed: April 27, 2018
    Publication date: October 31, 2019
    Inventors: Ping Zhang, Charles W. Kaufman, Gregory W. Lazar, Xuan Tang, Yi Fang, Xiongfei Chen
  • Patent number: 10439804
    Abstract: In response to determining that an encryption operation request includes no indication of a cryptographic key, an encryption service module performs an encryption operation using a current cryptographic key retrieved by the encryption service module, and creates and stores an encrypted data object that includes the resulting ciphertext and a key identifier that uniquely identifies the cryptographic key and the associated cryptographic algorithm used to perform the encryption. A subsequent decryption operation request to the encryption service module that indicates the encrypted data object is processed by retrieving the cryptographic key and identifying the associated cryptographic algorithm using the key identifier contained in the encrypted data object. The encrypted data object may also include an initialization vector used to generate the ciphertext contained in the encrypted data object, as well as an integrity check value generated across the ciphertext and initialization vector.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: October 8, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Ping Zhang, Charlie Kaufman, Gregory W. Lazar, Yi Fang, Xuan Tang
  • Publication number: 20190238346
    Abstract: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
    Type: Application
    Filed: January 30, 2018
    Publication date: August 1, 2019
    Inventors: Radia J. Perlman, Charles W. Kaufman, Xuan Tang
  • Patent number: 10298551
    Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device implements a messaging policy enforcement server that receives from a first client device metadata of an encrypted message to be sent from the first client device to a second client device. The received metadata comprises a first key utilized by the first client device to encrypt the message with the first key being encrypted utilizing a second key associated with the second client device. The messaging policy enforcement server processes the received metadata to determine one or more policies applicable to the encrypted message and to generate a further encrypted version of the encrypted first key utilizing one or more additional keys corresponding to the one or more policies. The further encrypted version of the encrypted first key is sent to the second client device in modified metadata of the encrypted message.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: May 21, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Charles Kaufman
  • Patent number: 10284534
    Abstract: An apparatus comprises a storage system, a key manager incorporated in or otherwise associated with the storage system, and an input-output controller coupled to the key manager and configured to control storage of data items in the storage system. The key manager is configured to determine a controller key accessible to the input-output controller and a plurality of data encryption keys utilizable by the input-output controller to encrypt the data items for storage in the storage system. A given one of the data items is encrypted using a particular one of the data encryption keys and has associated metadata that includes the particular data encryption key encrypted using the controller key. The metadata may comprise an inner wrapping of the particular data encryption key using the controller key and at least one outer wrapping of the inner wrapping using at least one additional key.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 7, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Greg Lazar, Thomas Dibb
  • Publication number: 20190132120
    Abstract: In response to determining that an encryption operation request includes no indication of a cryptographic key, an encryption service module performs an encryption operation using a current cryptographic key retrieved by the encryption service module, and creates and stores an encrypted data object that includes the resulting ciphertext and a key identifier that uniquely identifies the cryptographic key and the associated cryptographic algorithm used to perform the encryption. A subsequent decryption operation request to the encryption service module that indicates the encrypted data object is processed by retrieving the cryptographic key and identifying the associated cryptographic algorithm using the key identifier contained in the encrypted data object. The encrypted data object may also include an initialization vector used to generate the ciphertext contained in the encrypted data object, as well as an integrity check value generated across the ciphertext and initialization vector.
    Type: Application
    Filed: October 27, 2017
    Publication date: May 2, 2019
    Inventors: Ping Zhang, Charlie Kaufman, Gregory W. Lazar, Yi Fang, Xuan Tang
  • Patent number: 10229221
    Abstract: Described are techniques for processing requests. A profile is recorded comprising a plurality of prior requests from a client to a server. The plurality of prior requests are associated with first data. A cached copy of the first data is stored in a cache of the server. A quality of service associated with the received request is determined for affecting when the update is applied to the cached copy of first data. The quality of service associated with the received request is dependent on the prior requests in the profile. The first update is applied to the first data. In accordance with the quality of service, the first update is applied to the cached copy of the first data.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: March 12, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Xuan Tang, James O. Pendergraft, Norman Speciner, Bruce R. Rabe
  • Publication number: 20180350711
    Abstract: Embodiments of the present invention disclose an inversion-type package structure for a flip chip and a flip chip having the same, which relate to the technical field of chip packaging, and solve the defect that the existing manners for measuring chip temperature cannot accurately measure the temperature when a die of the flip chip works. The inversion-type package structure for the chip as provided by the present invention comprises a package substrate, a die welded on the package substrate in an inversion manner, a package housing and at least one temperature measuring element, which is characterized in that the at least one temperature measuring element is arranged in a first space below the die in the package substrate, and a residual space except for the space occupied by the at least one temperature measuring element in the first space is filled with an insulating heat conductive substance.
    Type: Application
    Filed: January 6, 2016
    Publication date: December 6, 2018
    Applicant: INSTITUTE OF MICROELECTRONICS OF CHINESE ACADEMY OF SCIENCES
    Inventors: Zhen MENG, Mou LIU, Xingcheng ZHANG, Xuan TANG, Yuepeng YAN
  • Patent number: 9910791
    Abstract: The techniques presented herein provide for initializing and upgrading data encryption capability in a data storage system. The data storage system is initialized to encrypt data writes using a system wide encryption key. A request is received to upgrade the encryption functionality in the data storage system. A data slice is identified for encryption, wherein the data slice is stored in a RAID group in the data storage system. The data slice is pinned in a first cache memory of a first storage processor and persisted in a second cache memory of a second storage processor. The data slice is encrypted and a write operation is initiated to write the encrypted data slice back to the RAID group. If the write operation was successful, the data slice is unpinned and the first and second cache memory associated with the data slice are freed; else, if the write operation was unsuccessful, the data slice is unpinned and the first and second cache memory associated with the data slice are flushed.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: March 6, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Thomas N. Dibb, Naizhong Chiu, Gregory W. Lazar, Xuan Tang, Millard C. Taylor, II
  • Patent number: 9906361
    Abstract: An apparatus comprises a storage system and a key manager incorporated in or otherwise associated with the storage system. The storage system comprises first storage of a first type and second storage of a second type with the first storage providing enhanced data protection relative to the second storage. The key manager is configured to maintain a master key hierarchy for the storage system. The master key hierarchy comprises a plurality of levels each including one or more master keys, with an uppermost level of the master key hierarchy comprising a root master key that is stored in the first storage and at least one lower level of the master key hierarchy comprising a plurality of master keys that are stored in the second storage under encryption by the root master key. Keys of a lowermost level of the master key hierarchy are associated with respective groups of data items.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: February 27, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Thomas Dibb, Greg Lazar
  • Patent number: 9811421
    Abstract: A method is used in managing multi-step storage management operations. A policy is defined for a task of a multi-step storage management operation. The multi-step storage management operation includes multiple tasks. The policy for the task indicates directions for reacting to results of the task of the multi-step storage management operation. The task is invoked. The policy for the task is invoked based on results of the task.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: November 7, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: RongZhang Wu, Xuan Tang, Yifan Wang, Yiyang Zhang
  • Patent number: 9684593
    Abstract: Techniques are described for storing data. A command is issued from a client to a data storage system. The data storage system includes a plurality of storage tiers comprising a first storage tier of physical storage devices and a second storage tier of physical storage devices, wherein data stored on any physical storage device of the first storage tier is stored in an encrypted form and data stored on any physical storage device of the second storage tier is not stored in an encrypted form. The command includes a hint indicating whether data stored at a first logical address range of a first logical device is stored in an encrypted form. The command is received at the data storage system. First data written to the first logical device at the first logical address range is stored on one or more physical storage devices of any of said first storage tier and said second storage tier in accordance with the hint.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: June 20, 2017
    Inventors: Xiangping Chen, Xuan Tang, Qin Tao
  • Patent number: 9659190
    Abstract: An apparatus comprises a storage system and a key manager incorporated in or otherwise associated with the storage system. The storage system is configured to store data items across a plurality of dimensions with each such dimension comprising a plurality of classes. The key manager is configured to assign class keys to respective ones of the classes of each of the dimensions. A given one of the data items associated with at least one of the classes in each of two or more of the dimensions is encrypted for storage in the storage system using a multidimensional key determined as a function of the class keys corresponding to respective ones of the classes with which that data item is associated. Such an arrangement allows all of the data items associated with a given one of the classes to be deleted by deleting the class key assigned to the given class.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 23, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia Perlman, Xuan Tang, Greg Lazar, Thomas Dibb, Naizhong Chiu
  • Patent number: 9626257
    Abstract: Described are techniques for processing requests. A request is received at a server from a client to apply a first update to first data. A cached copy of the first data is stored in a cache of the server. A quality of service is associated with the request. The quality of service affects when the first update is applied to the cached copy of the first data. The first update is applied to the first data. In accordance with the quality of service, the first update is applied to the cached copy of the first data.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: April 18, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Xuan Tang, James O. Pendergraft, Norman Speciner, Bruce Rabe
  • Patent number: 9436834
    Abstract: Techniques are described for storing data. A plurality of storage tiers are provided including a first set and a second set of storage tiers of physical devices. Data stored on any physical device in the first set is stored in an encrypted form. Data stored on any physical device in the second set is not stored in an encrypted form. A first value is specified for a first setting that is any of a tiering preference and tiering requirement indicating that at least one data portion of a logical device is to be stored on physical device(s) of a storage tier storing data in an encrypted form. Responsive to specifying the first value as the first setting, the at least one data portion of the logical device currently stored on physical device(s) of the second set are relocated to physical device(s) of the first set.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: September 6, 2016
    Assignee: EMC Corporation
    Inventors: Xuan Tang, Qin Tao
  • Patent number: 9432484
    Abstract: Techniques are directed to a method performed by a computing device. The method includes (a) receiving, from a client via a network connection of the computing device, a first management request to manage a data storage system, the first management request being in a RESTful style, (b) generating, by the computing device, a second management request formatted in a non-RESTful style compliant with a back-end storage management protocol, (c) sending the second management request to a back-end storage management server, (d) receiving a first management response from the back-end storage management server in response to the second management request, the first management response being formatted in the non-RESTful style compliant with the back-end storage management protocol, (e) converting, by the computing device, the first management response into a second management response in the RESTful style, and (f) sending the second management response to the client via the network connection.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: August 30, 2016
    Assignee: EMC Corporation
    Inventors: Ying Xie, Xuan Tang, David A. Parenti, James Odis Pendergraft
  • Patent number: 9307015
    Abstract: A cloud black box (CBB) subsystem in a cloud computing infrastructure includes CBB storage and computer processing circuitry executing a CBB application having first and second operating modes. In a depository mode information messages are continually received from hardware computing devices during normal operation and device information from the messages is stored into the CBB storage. The information messages are generated by CBB agents executing on the hardware computing devices, which continually collect the device information and generate the information messages according to a common information transfer protocol. In a retrieval mode, device information in the CBB storage is provided to a requestor such as a data analysis application, which may be part of or external to the CBB subsystem. The CBB subsystem operates independently and remains available upon failure of hardware or software components in the cloud infrastructure, providing a centralized source of information for diagnosis or other analysis.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: April 5, 2016
    Assignee: EMC Corporation
    Inventors: Andreas L. Bauer, Xuan Tang, David Parenti, Andrew Regan
  • Patent number: 9231955
    Abstract: The subject disclosure is generally directed towards an automated mechanism in a computer network or system that controls resource access to any resource designated as needing multiparty authorization. In one aspect, a resource that needs multiparty authorization before access is allowed is identified, along with policy that specifies an authorizer (or multiple authorizers) for the resource. An access control list may contain metadata that indicates the need for multiparty authorization. Authorization may be provided via a token, which may be cached for future use.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: January 5, 2016
    Assignee: EMC Corporation
    Inventors: Ruchika Mehresh, Millard C Taylor, II, Ankita Pawar, Obeahon O. Okaiwele, Xuan Tang