Patents by Inventor Charles W. Kaufman

Charles W. Kaufman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240086335
    Abstract: Techniques for providing increased support for deduplication and compression of encrypted storage volumes. The techniques include receiving, at a storage virtual machine (VM), a data encryption key (DEK) associated with encrypted volume data, in which the DEK is wrapped in a key encryption key (KEK). The techniques include receiving, at the storage VM from a client VM, a write request specifying the encrypted volume data. The techniques include obtaining, by the storage VM, the KEK from a key management system (KMS) embedded on the storage VM. The techniques include unwrapping, by the storage VM, the DEK using the KEK, and decrypting, by an IO decryptor hosted by the storage VM, the encrypted volume data using the DEK. The techniques include performing, by the storage VM, data reduction operations on the decrypted volume data, and storing, by the storage VM, the data-reduced volume data on a storage array.
    Type: Application
    Filed: September 12, 2022
    Publication date: March 14, 2024
    Inventors: Charles W. Kaufman, Xuan Tang, George Papadopoulos, Vasu Subramanian, Jamie Pocas, Naizhong Chiu, Gregory W. Lazar
  • Patent number: 11831634
    Abstract: A technique for managing communications between a server and multiple clients includes configuring the server to support multiple sets of certificates for respective clients having respective root certificates. The technique further includes determining an indicator associated with a client root certificate during an initial handshake between a client and the server and providing the client with a server certificate associated with the indicator.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: November 28, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Dmitry Nikolayevich Tylik, Charles W. Kaufman, Gregory W. Lazar, Marco Abela, Jingyan Zhao
  • Patent number: 11720270
    Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block, compression and encryption are performed at the client, and deduplication is performed at the server. Security is thus enhanced, as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored, potentially in a third-party backup system. Provisions are made to enable the addition of new compression algorithms and the retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported (e.g., retired) compression algorithm. In some examples a compression algorithm ID is tied to an encryption key version to enable refresh of blocks compressed with an old algorithm.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: August 8, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Senthil Ponnuswamy, Charles W. Kaufman, Radia J. Perlman
  • Publication number: 20230208649
    Abstract: One example method includes sending, by a sender, a commitment message, wherein the commitment message is digitally signed by the sender but is not verifiable by a recipient until a public key is revealed by the sender, transmitting, by the sender, the commitment message to the recipient, confirming, by the sender, that the commitment message has been received by the recipient, and only after receipt of the commitment message has been confirmed by the recipient, revealing in a second message, by the sender, the public key, wherein the public key is usable by the recipient to verify that the commitment message was validly signed by the sender.
    Type: Application
    Filed: December 23, 2021
    Publication date: June 29, 2023
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Patent number: 11550919
    Abstract: Methods, apparatus, and processor-readable storage media for prioritizing patching of vulnerable components are provided herein. An example computer-implemented method includes obtaining information indicative of a first set of components embedded in a software package; determining risk levels for respective ones of the components in the first set based on a data flow representation of the software package; and assigning a priority for patching a software vulnerability in a given component of the first set based at least in part on the risk level of the given component.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: January 10, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Danny V. Dhillon, Charles W. Kaufman, Eric Baize
  • Patent number: 11436345
    Abstract: In a cloud-based multiple client encryption and deduplication environment, secret plaintext data of a client is encrypted to produce ciphertext in an enclave comprising a trusted execution environment which is inaccessible by unauthorized entities and processes even with administrator privileges. Encryption is performed with an initialization vector and an encryption key calculated in the enclave. The encrypted ciphertext is deduplicated prior to storage by comparing a hash of the corresponding plaintext data to hashes of previously stored plaintext data.
    Type: Grant
    Filed: February 27, 2020
    Date of Patent: September 6, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Publication number: 20220237623
    Abstract: One example method includes generating a biometric of a user, requesting, and receiving, biometric data from a card, comparing the biometric data with the biometric, and when the biometric data matches data of the biometric, authorizing a transaction requested by a user using the card. The request for biometric data may identify what particular type of biometric data is compatible with the device making the request, and the biometric data may be a subset of the data that makes up the biometric.
    Type: Application
    Filed: January 27, 2021
    Publication date: July 28, 2022
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Publication number: 20220171555
    Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block, compression and encryption are performed at the client, and deduplication is performed at the server. Security is thus enhanced, as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored, potentially in a third-party backup system. Provisions are made to enable the addition of new compression algorithms and the retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported (e.g., retired) compression algorithm.
    Type: Application
    Filed: December 2, 2020
    Publication date: June 2, 2022
    Inventors: Senthil Ponnuswamy, Charles W. Kaufman, Radia J. Perlman
  • Publication number: 20220141210
    Abstract: A technique for managing communications between a server and multiple clients includes configuring the server to support multiple sets of certificates for respective clients having respective root certificates. The technique further includes determining an indicator associated with a client root certificate during an initial handshake between a client and the server and providing the client with a server certificate associated with the indicator.
    Type: Application
    Filed: October 30, 2020
    Publication date: May 5, 2022
    Inventors: Dmitry Nikolayevich Tylik, Charles W. Kaufman, Gregory W. Lazar, Marco Abela, Jingyan Zhao
  • Patent number: 11321443
    Abstract: A method, computer program product, and computing system for coupling password-resetting content to an IT computing device. The password-resetting content is validated on the IT computing device. The password-resetting content is processed to reset one or more passwords associated with the IT computing device.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: May 3, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Jackson B. Myers, Charles W. Kaufman, Gregory W. Lazar
  • Publication number: 20210377016
    Abstract: Embodiments are described for re-keying encrypted data with a new encryption key. A server maintains a ClientBlocks list comprising (handle, hash) pairs for each client, a deduplication table, and encrypted data for one or more clients. Each client stores handles and encryption keys. The server goes through the ClientBlocks list looking for blocks that need to be re-encrypted due to the issuance of a new encryption key. When the server finds a block that needs to be re-encrypted, it sends the ciphertext with its key ID to the client with a request to re-encrypt the data. The client then decrypts the data and re-encrypts it with a newer key identified by the newer key version. The server then writes the newer key version and the new ciphertext to physical storage, and replaces the pointer in the deduplication table with a pointer to the newly stored ciphertext block.
    Type: Application
    Filed: May 29, 2020
    Publication date: December 2, 2021
    Inventors: Radia Perlman, Charles W. Kaufman, Senthilkumar Ponnuswamy
  • Patent number: 11153094
    Abstract: Techniques for providing secure deduplication in a data storage system using smaller hash values. The techniques employ a keyed hash function to generate keyed hash values for data blocks received at the data storage system. The keyed hash function can generate keyed hash values having an acceptable probability of accidental collision, in which each keyed hash value requires a reduced number of bits to represent it. By representing each keyed hash value with fewer bits than are required for a cryptographic hash value, the impact that an index table in main memory has on the amount of free memory space available can be reduced, while still providing an acceptable probability of accidental collision. The keyed hash function can be implemented as a keyed universal hash function, which can reduce the number of processor cycles required to generate a keyed hash value for each received data block.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: October 19, 2021
    Assignee: EMC IP Holding Company LLC
    Inventor: Charles W. Kaufman
  • Publication number: 20210271763
    Abstract: In a cloud-based multiple client encryption and deduplication environment, secret plaintext data of a client is encrypted to produce ciphertext in an enclave comprising a trusted execution environment which is inaccessible by unauthorized entities and processes even with administrator privileges. Encryption is performed with an initialization vector and an encryption key calculated in the enclave. The encrypted ciphertext is deduplicated prior to storage by comparing a hash of the corresponding plaintext data to hashes of previously stored plaintext data.
    Type: Application
    Filed: February 27, 2020
    Publication date: September 2, 2021
    Applicant: EMC IP Holding Company, LLC
    Inventors: Radia J. Perlman, Charles W. Kaufman
  • Publication number: 20210264031
    Abstract: Methods, apparatus, and processor-readable storage media for prioritizing patching of vulnerable components are provided herein. An example computer-implemented method includes obtaining information indicative of a first set of components embedded in a software package; determining risk levels for respective ones of the components in the first set based on a data flow representation of the software package; and assigning a priority for patching a software vulnerability in a given component of the first set based at least in part on the risk level of the given component.
    Type: Application
    Filed: February 24, 2020
    Publication date: August 26, 2021
    Inventors: Danny V. Dhillon, Charles W. Kaufman, Eric Baize
  • Patent number: 10860226
    Abstract: Techniques for synchronizing configuration information in a clustered storage environment. The techniques allow a system administrator or other user to make additions and/or updates to configuration information in one or more configuration files, which are automatically propagated for storage in multiple data storage appliances within a storage domain. By allowing a user to make changes to configuration files associated with a primary appliance within the storage domain, and automatically propagating the configuration files in a background process from the primary appliance to multiple secondary appliances within the storage domain, the user can more readily assure consistency of the configuration information, not only among the primary and secondary appliances within the storage domain, but also among previously unavailable or unreachable data storage appliance(s) that may be recovered and brought back on line within the storage domain.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: December 8, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Ping Zhang, Charles W. Kaufman, Gregory W. Lazar, Xuan Tang, Yi Fang, Xiongfei Chen
  • Patent number: 10764068
    Abstract: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: September 1, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Radia J. Perlman, Charles W. Kaufman, Xuan Tang
  • Patent number: 10680813
    Abstract: Providing a server polling component for remote cryptographic key erasure that is resilient to network outage. A set of keys received from a server is stored on data storage. The data storage sends a status request to the server. If a key-enabled status is received, the data storage continues normal operations. If a key-disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a timeout period expires. On expiration of the timeout period, the key failure action is performed.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: June 9, 2020
    Assignee: EMC IP Holding Company LLC
    Inventor: Charles W. Kaufman
  • Publication number: 20200143034
    Abstract: A method, computer program product, and computing system for coupling password-resetting content to an IT computing device. The password-resetting content is validated on the IT computing device. The password-resetting content is processed to reset one or more passwords associated with the IT computing device.
    Type: Application
    Filed: November 2, 2018
    Publication date: May 7, 2020
    Inventors: Jackson B. Myers, Charles W. Kaufman, Gregory W. Lazar
  • Publication number: 20190334727
    Abstract: Techniques for providing secure deduplication in a data storage system using smaller hash values. The techniques employ a keyed hash function to generate keyed hash values for data blocks received at the data storage system. The keyed hash function can generate keyed hash values having an acceptable probability of accidental collision, in which each keyed hash value requires a reduced number of bits to represent it. By representing each keyed hash value with fewer bits than are required for a cryptographic hash value, the impact that an index table in main memory has on the amount of free memory space available can be reduced, while still providing an acceptable probability of accidental collision. The keyed hash function can be implemented as a keyed universal hash function, which can reduce the number of processor cycles required to generate a keyed hash value for each received data block.
    Type: Application
    Filed: April 27, 2018
    Publication date: October 31, 2019
    Inventor: Charles W. Kaufman
  • Publication number: 20190332297
    Abstract: Techniques for synchronizing configuration information in a clustered storage environment. The techniques allow a system administrator or other user to make additions and/or updates to configuration information in one or more configuration files, which are automatically propagated for storage in multiple data storage appliances within a storage domain. By allowing a user to make changes to configuration files associated with a primary appliance within the storage domain, and automatically propagating the configuration files in a background process from the primary appliance to multiple secondary appliances within the storage domain, the user can more readily assure consistency of the configuration information, not only among the primary and secondary appliances within the storage domain, but also among previously unavailable or unreachable data storage appliance(s) that may be recovered and brought back on line within the storage domain.
    Type: Application
    Filed: April 27, 2018
    Publication date: October 31, 2019
    Inventors: Ping Zhang, Charles W. Kaufman, Gregory W. Lazar, Xuan Tang, Yi Fang, Xiongfei Chen