End-to-end secure data retrieval in a dispersed storage network

US 10,095,441 B2
Filed: 08/16/2016
Issued: 10/09/2018
Est. Priority Date: 09/24/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A method for secure data retrieval in a dispersed storage network (DSN), the method comprises:

retrieving, by an interface of a first computing device of the DSN, a decode threshold number of encrypted encoded data slices of a set of encrypted encoded data slices from at least some storage units of a set storage units of the DSN, wherein the set of storage units encrypt a set of encoded data slices using a set of encryption keys to produce the set of encrypted encoded data slices, and wherein a first encoded data slice of the set of encoded data slices is encrypted based on a first encryption key of the set of encryption keys to produce a first encrypted encoded data slice of the set of encrypted encoded data slices;

generating, by the first computing device, a decoding matrix based on pillar numbers of the decode threshold number of encrypted encoded data slices and an encoding matrix;

dispersed storage error decoding, by the first computing device, the decode threshold number of encrypted encoded data slices based on the decoding matrix to produce an encrypted data segment;

sending, by the interface of the first computing device, the encrypted data segment and the pillar numbers to a second computing device of the DSN;

identifying, by the second computing device, a particular subset of encryption keys of the set of encryption keys based on the pillar numbers; and

decrypting, by the second computing device, the encrypted data segment based on the particular subset of encryption keys.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes a first computing device retrieving a decode threshold number of encrypted encoded data slices. The method further includes the first computing device generating a decoding matrix based on pillar numbers of the decode threshold number of encrypted encoded data slices and an encoding matrix. The method further includes the first computing device dispersed storage error decoding the decode threshold number of encrypted encoded data slices based on the decoding matrix to produce an encrypted data segment. The method further includes the first computing device sending the encrypted data segment and the pillar numbers to a second computing device. The method further includes the second computing device identifying a particular subset of encryption keys of the set of encryption keys based on the pillar numbers. The method further includes the second computing device decrypting the encrypted data segment based on the particular subset of encryption keys.

82 Citations

View as Search Results

14 Claims

1. A method for secure data retrieval in a dispersed storage network (DSN), the method comprises:
- retrieving, by an interface of a first computing device of the DSN, a decode threshold number of encrypted encoded data slices of a set of encrypted encoded data slices from at least some storage units of a set storage units of the DSN, wherein the set of storage units encrypt a set of encoded data slices using a set of encryption keys to produce the set of encrypted encoded data slices, and wherein a first encoded data slice of the set of encoded data slices is encrypted based on a first encryption key of the set of encryption keys to produce a first encrypted encoded data slice of the set of encrypted encoded data slices;
  
  generating, by the first computing device, a decoding matrix based on pillar numbers of the decode threshold number of encrypted encoded data slices and an encoding matrix;
  
  dispersed storage error decoding, by the first computing device, the decode threshold number of encrypted encoded data slices based on the decoding matrix to produce an encrypted data segment;
  
  sending, by the interface of the first computing device, the encrypted data segment and the pillar numbers to a second computing device of the DSN;
  
  identifying, by the second computing device, a particular subset of encryption keys of the set of encryption keys based on the pillar numbers; and
  
  decrypting, by the second computing device, the encrypted data segment based on the particular subset of encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the retrieving the decode threshold number of encrypted encoded data slices comprises:
    - receiving, by the first computing device, a data retrieval request for the set of encoded data slices from the second computing device;
      
      sending, by the first computing device, a set of data retrieval requests to the set of storage units regarding the set of encoded data slices; and
      
      receiving, by the first computing device, the decode threshold number of encrypted encoded data slices from the at least some of the storage units.
  - 3. The method of claim 1, wherein the generating the decoding matrix comprises:
    - determining the pillar numbers of encoded data slices of the decode threshold number of encrypted encoded data slices; and
      
      reducing the encoding matrix to include rows corresponding to the pillar numbers to produce the decoding matrix.
  - 4. The method of claim 1 further comprises:
    - generating a first key stream from the first encryption key; and
      
      finite field adding the first key stream with the first encoded data slices to produce the first encrypted encoded data slice.
  - 5. The method of claim 4, wherein the finite field adding comprises:
    - exclusive ORing the first key stream with the first encoded data slices to produce the first encrypted encoded data slice.
  - 6. The method of claim 1, wherein the identifying the particular subset of encryption keys comprises:
    - generating the decoding matrix based on the pillar numbers; and
      
      determining the particular subset of encryption keys based on rows of the decoding matrix.
  - 7. The method of claim 1, wherein the decrypting the encrypted data segment based on the particular subset of encryption keys further comprises:
    - generating a subset of key streams from the particular subset of encryption keys;
      
      converting the encrypted data segment into an encrypted data matrix in accordance with the decoding matrix;
      
      a finite field adding the subset of key streams with rows of the encrypted data matrix to produce a data matrix; and
      
      converting the data matrix into the encrypted data segment.

8. A computer readable memory comprises:
- a first memory element that stores operational instructions, which, when executed by a first computing device of a dispersed storage network (DSN), causes the first computing device to;
  
  retrieve a decode threshold number of encrypted encoded data slices of a set of encrypted encoded data slices from at least some storage units of a set storage units of the DSN, wherein the set of storage units encrypt a set of encoded data slices using a set of encryption keys to produce the set of encrypted encoded data slices, and wherein a first encoded data slice of the set of encoded data slices is encrypted based on a first encryption key of the set of encryption keys to produce a first encrypted encoded data slice of the set of encrypted encoded data slices;
  
  generate a decoding matrix based on pillar numbers of the decode threshold number of encrypted encoded data slices and an encoding matrix;
  
  dispersed storage error decode the decode threshold number of encrypted encoded data slices based on the decoding matrix to produce an encrypted data segment;
  
  send the encrypted data segment and the pillar numbers to a second computing device of the DSN; and
  
  a second memory element that stores operational instructions, which, when executed by the second computing device, causes the second computing device to;
  
  identify a particular subset of encryption keys of the set of encryption keys based on the pillar numbers; and
  
  decrypt the encrypted data segment based on the particular subset of encryption keys.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable memory of claim 8, wherein the first memory element further stores operational instructions, which, when executed by the first computing device, causes the first computing device to retrieve the decode threshold number of encrypted encoded data slices by:
    - receiving a data retrieval request for the set of encoded data slices from the second computing device;
      
      sending a set of data retrieval requests to the set of storage units regarding the set of encoded data slices; and
      
      receiving the decode threshold number of encrypted encoded data slices from the at least some of the storage units.
  - 10. The computer readable memory of claim 8, wherein the first memory element further stores operational instructions, which, when executed by the first computing device, causes the first computing device to generate the decoding matrix by:
    - determining the pillar numbers of encoded data slices of the decode threshold number of encrypted encoded data slices; and
      
      reducing the encoding matrix to include rows corresponding to the pillar numbers to produce the decoding matrix.
  - 11. The computer readable memory of claim 8 further comprises:
    - a third memory element that stores operational instructions, which, when executed by a first storage unit of the set of storage units, causes the first storage unit to;
      
      generate a first key stream from the first encryption key; and
      
      finite field add the first key stream with the first encoded data slices to produce the first encrypted encoded data slice.
  - 12. The computer readable memory of claim 11, wherein the third memory element further stores operational instructions, which, when executed by a first storage unit of the set of storage units, causes the first storage unit to finite field adding by:
    - exclusive ORing the first key stream with the first encoded data slices to produce the first encrypted encoded data slice.
  - 13. The computer readable memory of claim 8, wherein the second memory element further stores operational instructions, which, when executed by the second computing device, causes the second computing device to identifying the particular subset of encryption keys by:
    - generating the decoding matrix based on the pillar numbers; and
      
      determining the particular subset of encryption keys based on rows of the decoding matrix.
  - 14. The computer readable memory of claim 8, wherein the second memory element further stores operational instructions, which, when executed by the second computing device, causes the second computing device to decrypt the encrypted data segment based on the particular subset of encryption keys further by:
    - generating a subset of key streams from the particular subset of encryption keys;
      
      converting the encrypted data segment into an encrypted data matrix in accordance with the decoding matrix;
      
      afinite field adding the subset of key streams with rows of the encrypted data matrix to produce a data matrix; and
      
      converting the data matrix into the encrypted data segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Dhuse, Greg R., Resch, Jason K., Vossberg, Trevor J.
Primary Examiner(s)
LAMARRE, GUY J

Application Number

US15/237,874
Publication Number

US 20170091031A1
Time in Patent Office

784 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 3/0611   in relation to response time

G06F 3/0614   Improving the reliability o...

G06F 3/0619   in relation to data integri...

G06F 3/064   Management of blocks

G06F 3/0653   Monitoring storage devices ...

G06F 3/0659   Command handling arrangemen...

G06F 3/0661   Format or protocol conversi...

G06F 3/067   Distributed or networked st...

G06F 8/65   Updates security arrangemen...

H03M 13/1515   Reed-Solomon codes

H03M 13/154   Error and erasure correctio...

H03M 13/3761   using code combining, i.e. ...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/1097   for distributed storage of ...

H04L 67/34   involving the movement of s...

H04L 67/60   Scheduling or organising th...

End-to-end secure data retrieval in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

End-to-end secure data retrieval in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links