Ananthan S Subramanian

US Patent:

7971234, Jun 28, 2011

Filed:

Sep 15, 2006

Appl. No.:

11/532468

Inventors:

Robert Sussland - Redwood City CA, US
Lawrence Chang - Redwood City CA, US
Ananthan Subramanian - Redwood City CA, US
Joshua Silberman - Redwood City CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

G06F 15/16

US Classification:

726 5, 726 7, 713168

Abstract:

The invention provides an authentication scheme that allows networked devices to establish trust in connection with the exchange of keys pursuant to an asymmetrical cryptographic technique, such as Diffie-Hellman. The invention provides a technique, referred to as offline key establishment, that establishes a trust relationship between two networked devices that use Diffie-Helman. Offline key sharing provides for the exchange of authentication information using a separate channel which, in the preferred embodiment does not constitute an IP connection. Thus, while communications between networked devices may ultimately proceed via a network connection, trust between the networked devices is established via a separate, offline channel, such as a telephone call or email message. The use of offline key establishment allows for such features as one way key sharing; and addresses situations where one party to the exchange does not want to share all of his keys, but just one or two keys.

US Patent:

8042155, Oct 18, 2011

Filed:

Sep 29, 2006

Appl. No.:

11/540331

Inventors:

Lawrence Wen-Hao Chang - San Francisco CA, US
Ananthan Subramanian - Menlo Park CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

H04L 29/06
H04L 29/00
H04L 29/12

US Classification:

726 3, 726 2, 726 4, 726 6, 726 18, 726 20, 726 21, 713150, 713168, 713171, 713172, 713176, 709225, 709224, 709227, 709217

Abstract:

A system and method which generates a single use password based on a challenge/response protocol. A box manager module executing within a security appliance identifies a public key (P) and salt value (S) associated with an administrator's smart card and generates a random nonce (N). The box manager transmits a challenge comprising the following elements: . Upon receiving the challenge, the administration card decrypts P[N, BM_ID] using the private key contained within the card and computes SHA1(N). The administration card then compares its computed values with the received values from the box manager. If the values match, then to the administration card returns a response comprising the following elements: HMAC_N[user, SHA1 (password, S)], where HMAC_N represents the SHA1 keyed hash message authentication check of the response elements using the nonce N as the key.

US Patent:

8116455, Feb 14, 2012

Filed:

Sep 29, 2006

Appl. No.:

11/540300

Inventors:

Robert Jan Sussland - San Francisco CA, US
Ananthan Subramanian - Menlo Park CA, US
Lawrence Wen-Hao Chang - San Francisco CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

H04L 9/00
H04L 9/08
H04L 9/14
H04L 29/06

US Classification:

380277, 380 45, 380 44, 380278, 380282, 713171, 713168, 726 2, 726 16, 726 17, 726 20, 726 34

Abstract:

A system and method provides for secure initialization and booting of a security appliance. The security appliance cooperates with a “smart” system card to provide cryptographic information needed to boot the security appliance in accordance with a secure boot procedure. The initialization procedure commences once the security appliance detects the presence of the smart card. The smart card and an encryption processor perform an authentication and key exchange procedure to establish a secure communication channel between them. The system card then loads a twice wrapped master key from a configuration database and decrypts the master key using a key associated with the system card. The wrapped master key is then forwarded via the secure communication channel to the encryption processor, which decrypts the wrapped key using a key associated therewith and enters an operating state using the decrypted master key.

US Patent:

8190905, May 29, 2012

Filed:

Sep 29, 2006

Appl. No.:

11/541024

Inventors:

Lawrence Wen-Hao Chang - San Francisco CA, US
Ananthan Subramanian - Menlo Park CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

H04L 29/06

US Classification:

713180, 709229, 380 30, 380286, 705 7

Abstract:

A system and method for authorizing administrative operations in a computer is provided. The computer initiates the split knowledge protocol upon an attempt by an administrator to invoke the operations. The administrator identifies a predetermined number of entities designated to authorize the operation. The computer creates a bit sequence and splits the bit sequence into a number of segments equal to the predetermined number of entities. Each entity thereafter decrypts a respective element to essentially authorize invocation of the operations. In response, the computer processes the decrypted segments to re-create the bit sequence. As an added level of security, the computer coma) pares the re-created bit sequence with the originally created sequence and, if they match, performs the operations.

US Patent:

8196182, Jun 5, 2012

Filed:

Aug 21, 2008

Appl. No.:

12/195507

Inventors:

Robert J. Sussland - San Francisco CA, US
Joshua Oran Silberman - Sunnyvale CA, US
Ananthan Subramanian - Menlo Park CA, US
Lawrence Wen-Hao Chang - San Francisco CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

G06F 7/04
G06F 15/16
G06F 17/30
H04L 29/06

US Classification:

726 3, 380 44, 380283, 380286, 713155, 713157, 713161, 713168, 726 4, 726 18, 726 21, 726 27, 455518, 709223, 709224

Abstract:

An apparatus and method for managing the distribution and expansion of public keys held by a group or array of systems in white lists. The addition of a new system to the array entails a manual input to authorize the introduction of the new system to one trusted system in the array. After the introduction the new system is trusted by the one member and the white list of the one member is loaded into the white list of the new system. The new system then requests joining each of the other systems in the array. For each system in the array asked by the new system, the systems in the array ask if any other systems in the array already trust the new member. In response, a system of the array that trusts the new system responds by sending its white list (containing the public key of the new system) to the requesting system. Eventually the public key of the new system is in the white lists of all the systems in the array. In practice this trusts expansion occurs in the background with respect to running applications.

US Patent:

8245050, Aug 14, 2012

Filed:

Sep 29, 2006

Appl. No.:

11/540440

Inventors:

Ananthan Subramanian - Menlo Park CA, US
Lawrence Wen-Hao Chang - San Francisco CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

H04L 29/06

US Classification:

713183, 713182, 713184, 713150, 713151, 713168, 726 2, 726 3, 726 27, 380278, 380281, 380277

Abstract:

A split knowledge protocol adapted to establish an initial key for use in authenticating a first computer to a second computer. The second computer initiates the split knowledge protocol by generating a bit sequence and splitting the sequence into a predetermined number of segments. The second computer then encrypts each segment with a predetermined key associated with each segment before transmitting each encrypted segment to the first computer. In response, the first computer decrypts each encrypted segment using the associated key. The first computer then recovers the bit sequence from the decrypted segments. Accordingly, the first and second computers have knowledge of (i. e. , access to) the same bit sequence, which may thus be used as the initial key.

US Patent:

8285993, Oct 9, 2012

Filed:

Apr 22, 2011

Appl. No.:

13/092371

Inventors:

Ananthan Subramanian - Menlo Park CA, US
Robert Jan Sussland - San Francisco CA, US
Lawrence Wen-Hao Chang - San Francisco CA, US

Assignee:

NetApp, Inc. - Sunnyvale CA

International Classification:

H04L 29/06

US Classification:

713171, 713150, 713162, 713163, 713168, 713181, 713182, 380229, 380 28, 380 30, 380277, 380278, 380282, 709223, 709224, 709225

Abstract:

A method for distributing a shared secret key among a plurality of nodes is described. Each node establishes a secret key, the number of nodes being more than two nodes. A node distributes by a ring protocol executing over computer network connections an encrypted version of the secret key of each node to other nodes of the plurality of nodes. Each node decrypts the secret keys of other nodes so that each node has the secret key of other nodes. Each node combines the secret keys of other nodes to form a shared secret key available to other nodes.

US Patent:

8364985, Jan 29, 2013

Filed:

Dec 11, 2009

Appl. No.:

12/636536

Inventors:

Ananthan Subramanian - Menlo Park CA, US

Assignee:

Network Appliance, Inc. - Sunnyvale CA

International Classification:

H04L 9/32

US Classification:

713193, 711164, 709223

Abstract:

Encryption using copy-on-encrypt determines that plaintext data stored in a plaintext buffer is to be written out to an encrypted storage resource. In response to the determining, an encryption buffer is allocated. The plaintext data is copied from the plaintext buffer to the encryption buffer and the encryption buffer is encrypted. Encrypted data from the encryption buffer is written to the encrypted storage resource. The encryption buffer is de-allocated. Read or write requests from a client are satisfied by retrieving the plaintext data from the plaintext buffer.