Securely recovering stored data in a dispersed storage network

US 10,126,961 B2
Filed: 07/27/2016
Issued: 11/13/2018
Est. Priority Date: 08/31/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a hardware processor, the method comprises:

receiving a slice pre-image request from a computing device via a network, wherein the slice pre-image request indicates a data slice, a requesting entity, and a plurality of storage units;

generating a data pre-image by performing a pre-image function on the data slice based on the plurality of storage units; and

generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with the requesting entity;

wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;

wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and

wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for execution by a dispersed storage and task (DST) execution unit that includes a processor includes receiving a slice pre-image request from a computing device via a network that indicates a data slice, a requesting entity and a plurality of storage units. A data pre-image is generated by performing a pre-image function on the data slice based on the plurality of storage units. An encrypted data pre-image is generated for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with the requesting entity.

Citations

14 Claims

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a hardware processor, the method comprises:
- receiving a slice pre-image request from a computing device via a network, wherein the slice pre-image request indicates a data slice, a requesting entity, and a plurality of storage units;
  
  generating a data pre-image by performing a pre-image function on the data slice based on the plurality of storage units; and
  
  generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with the requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the pre-image function includes creating a vector that includes the data slice, creating a decode matrix based on the plurality of storage units, and performing matrix multiplication on the vector and the decode matrix.
  - 3. The method of claim 1, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 4. The method of claim 1, further comprising generating a message authentication code based on the data slice for transmission to the computing device via the network.
  - 5. The method of claim 1, wherein the key is established based on at least one of:
    - a public-key system or a key agreement protocol.

6. A processing system of a dispersed storage and task (DST) execution unit comprises:
- at least one hardware processor;
  
  a memory that stores operational instructions, that when executed by the at least one hardware processor cause the processing system to;
  
  receive a slice pre-image request from a computing device via a network, wherein the slice pre-image request indicates a data slice, a requesting entity, and a plurality of storage units;
  
  generate a data pre-image by performing a pre-image function on the data slice based on the plurality of storage units; and
  
  generate an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with the requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The processing system of claim 6, wherein the pre-image function includes creating a vector that includes the data slice, creating a decode matrix based on the plurality of storage units, and performing matrix multiplication on the vector and the decode matrix.
  - 8. The processing system of claim 6, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 9. The processing system of claim 6, wherein the operational instructions, when execution by the at least one hardware processor, further cause the processing system to generate a message authentication code based on the data slice for transmission to the computing device via the network.
  - 10. The processing system of claim 6, wherein the key is established based on at least one of:
    - a public-key system or a key agreement protocol.

11. A non-transitory computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by a processing system of a dispersed storage network (DSN) that includes a hardware processor and a memory, causes the processing system to;
  
  receive a slice pre-image request from a computing device via a network, wherein the slice pre-image request indicates a data slice, a requesting entity, and a plurality of storage units;
  
  generate a data pre-image by performing a pre-image function on the data slice based on the plurality of storage units; and
  
  generate an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with) the requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer readable storage medium of claim 11, wherein the pre-image function includes creating a vector that includes the data slice, creating a decode matrix based on the plurality of storage units, and performing matrix multiplication on the vector and the decode matrix.
  - 13. The non-transitory computer readable storage medium of claim 11, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 14. The non-transitory computer readable storage medium of claim 11, wherein the operational instructions, when executed by the processing system, further cause the non-transitory computer readable storage medium to generate a message authentication code based on the data slice for transmission to the computing device via the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K.
Primary Examiner(s)
Chai, Longbit

Application Number

US15/221,299
Publication Number

US 20170060778A1
Time in Patent Office

839 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/3034   where the computing system ...

G06F 11/3409   for performance assessment

G06F 12/1408   by using cryptography for d...

G06F 2212/1052   Security improvement

G06F 3/061   Improving I/O performance

G06F 3/0611   in relation to response time

G06F 3/0619   in relation to data integri...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/064   Management of blocks

G06F 3/0644   Management of space entitie...

G06F 3/0659   Command handling arrangemen...

G06F 3/0665   at area level, e.g. provisi...

G06F 3/067   Distributed or networked st...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H03M 13/1515   Reed-Solomon codes

H03M 13/3761   using code combining, i.e. ...

H04L 67/1097 : for distributed storage of ...

View All

Securely recovering stored data in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Securely recovering stored data in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links