Self-validating request message structure and operation

US 10,171,243 B2
Filed: 06/02/2017
Issued: 01/01/2019
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A storage unit (SU) comprising:

an interface configured to interface and communicate with a dispersed or distributed storage network (DSN);

memory that stores operational instructions; and

a processing module operably coupled to the interface and to the memory, wherein the processing module, when operable within the SU based on the operational instructions, is configured to;

receive, via the DSN and from a computing device, a self-validating request message, wherein the self-validating request message is generated by the computing device to include a first message authentication code of the computing device, and the self-validating request message is generated by the computing device based on the computing device creating a master key of the computing device, creating a message encryption key based on the master key of the computing device and a secret function, encrypting a message using the message encryption key to generate an encrypted message, encrypting the master key of the computing device using a public key of the SU to generate an encrypted master key;

process the self-validating request message to verify the first message authentication code of the computing device that is included within the self-validating request message, and when the first message authentication code of the computing device is verified;

decrypt the encrypted master key that is included within the self-validating request message using a private key of the SU to recover the master key of the computing device;

generate the message encryption key based on the master key of the computing device and the secret function; and

decrypt the encrypted message that is included within the self-validating request message to recover the message; and

generate, in response to the self-validating request message, a self-validating response message that includes a second message authentication code and an encrypted response including to;

generate a responder encryption key based on the master key and another secret function; and

encrypt a response to the message based on the responder encryption key to generate the encrypted response; and

transmit, via the DSN and to the computing device, the self-validating response message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a first device generating a self-validating message by creating a master key, using the master key to create a message encryption key, encrypting a message using the message encryption key to produce an encrypted message, encrypting the master key using a public key of a second device to produce an encrypted master key, and including a message authentication code of the first device in the self-validating message. The method continues by the second device receiving and decoding the self-validating message by verifying the message authentication code of the first device, and when the message authentication code of the first device is verified, decrypting the encrypted master key using a private key of the second device to recover the master key, using the master key to create the message encryption key, and decrypting the encrypted message using the message encryption key to recover the message.

157 Citations

20 Claims

1. A storage unit (SU) comprising:
- an interface configured to interface and communicate with a dispersed or distributed storage network (DSN);
  
  memory that stores operational instructions; and
  
  a processing module operably coupled to the interface and to the memory, wherein the processing module, when operable within the SU based on the operational instructions, is configured to;
  
  receive, via the DSN and from a computing device, a self-validating request message, wherein the self-validating request message is generated by the computing device to include a first message authentication code of the computing device, and the self-validating request message is generated by the computing device based on the computing device creating a master key of the computing device, creating a message encryption key based on the master key of the computing device and a secret function, encrypting a message using the message encryption key to generate an encrypted message, encrypting the master key of the computing device using a public key of the SU to generate an encrypted master key;
  
  process the self-validating request message to verify the first message authentication code of the computing device that is included within the self-validating request message, and when the first message authentication code of the computing device is verified;
  
  decrypt the encrypted master key that is included within the self-validating request message using a private key of the SU to recover the master key of the computing device;
  
  generate the message encryption key based on the master key of the computing device and the secret function; and
  
  decrypt the encrypted message that is included within the self-validating request message to recover the message; and
  
  generate, in response to the self-validating request message, a self-validating response message that includes a second message authentication code and an encrypted response including to;
  
  generate a responder encryption key based on the master key and another secret function; and
  
  encrypt a response to the message based on the responder encryption key to generate the encrypted response; and
  
  transmit, via the DSN and to the computing device, the self-validating response message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The SU of claim 1, wherein the self-validating request message includes a self-validating request header, the first message authentication code of the computing device, and an encrypted request that is generated by using a requester encryption key to process a request message that corresponds to a write request, a delete request, a list request, or a read request.
  - 3. The SU of claim 2, wherein request message corresponds to the write request, the delete request, the list request, or the read request to be applied to at least one encoded data slice (EDS) stored within the SU, wherein a data object is segmented into a plurality of data segments, wherein a data segment of the plurality of data segments is dispersed error encoded in accordance with dispersed error encoding parameters to produce a set of encoded data slices (EDSs) that includes the at least one EDS, and wherein the set of EDSs are distributedly stored among a plurality of storage units (SUs) that includes the SU.
  - 4. The SU of claim 2, wherein the self-validating request header includes a timestamp, a universally unique identifier (UUID) associated with the self-validating request message, the encrypted master key, a certificate chain of the computing device, and a header signature.
  - 5. The SU of claim 4, wherein the certificate chain of the computing device is generated by the computing device when generating the self-validating request header using another private key of a public/private key pair associated with the computing device that includes another private key of the computing device and a another public key of the computing device, and wherein the certificate chain of the computing device includes one or more certificates chained to a certificate authority of the DSN.
  - 6. The SU of claim 1, wherein the SU is located at a first location that is remotely located from another SU that is located at a second location within the DSN.
  - 7. The SU of claim 1, wherein the computing device includes a social networking device, a gaming device, a cell phone, a smart phone, a personal digital assistant, a digital music player, a digital video player, a laptop computer, a handheld computer, a tablet, or a video game controller.
  - 8. The SU of claim 1, wherein the DSN includes at least one of a wireless communication system, a wire lined communication system, a private intranet system, a public internet system, a local area network (LAN), or a wide area network (WAN).

9. A storage unit (SU) comprising:
- an interface configured to interface and communicate with a dispersed or distributed storage network (DSN);
  
  memory that stores operational instructions; and
  
  a processing module operably coupled to the interface and to the memory, wherein the processing module, when operable within the SU based on the operational instructions, is configured to;
  
  receive, via the DSN and from a computing device, a self-validating request message that is generated by the computing device and that includes a self-validating request header and a first message authentication code of the computing device, wherein the self-validating request header includes a timestamp, a universally unique identifier (UUID) associated with the self-validating request message, an encrypted master key, a certificate chain of the computing device, and a header signature, and wherein the self-validating request message is generated by the computing device based on the computing device creating a master key of the computing device, creating a message encryption key based on the master key of the computing device and a secret function, encrypting a message using the message encryption key to generate an encrypted message, encrypting the master key of the computing device using a public key of the SU to generate the encrypted master key;
  
  process the self-validating request message to verify the first message authentication code of the computing device that is included within the self-validating request message, and when the first message authentication code of the computing device is verified;
  
  decrypt the encrypted master key that is included within the self-validating request message using a private key of the SU to recover the master key of the computing device;
  
  generate the message encryption key based on the master key of the computing device and the secret function; and
  
  decrypt the encrypted message that is included within the self-validating request message to recover the message; and
  
  generate, in response to the self-validating request message, a self-validating response message that includes a second message authentication code and an encrypted response including to;
  
  generate a responder encryption key based on the master key and another secret function; and
  
  encrypt a response to the message based on the responder encryption key to generate the encrypted response; and
  
  transmit, via the DSN and to the computing device, the self-validating response message.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The SU of claim 9, wherein the self-validating request message also includes an encrypted request that is generated by using a requester encryption key to process a request message that corresponds to a write request, a delete request, a list request, or a read request.
  - 11. The SU of claim 10, wherein request message corresponds to the write request, the delete request, the list request, or the read request to be applied to at least one encoded data slice (EDS) stored within the SU, wherein a data object is segmented into a plurality of data segments, wherein a data segment of the plurality of data segments is dispersed error encoded in accordance with dispersed error encoding parameters to produce a set of encoded data slices (EDSs) that includes the at least one EDS, and wherein the set of EDSs are distributedly stored among a plurality of storage units (SUs) that includes the SU.
  - 12. The SU of claim 9, wherein the certificate chain of the computing device is generated by the computing device when generating the self-validating request header using another private key of a public/private key pair associated with the computing device that includes another private key of the computing device and another public key of the computing device, and wherein the certificate chain of the computing device includes one or more certificates chained to a certificate authority of the DSN.
  - 13. The SU of claim 9, wherein the DSN includes at least one of a wireless communication system, a wire lined communication system, a private intranet system, a public internet system, a local area network (LAN), or a wide area network (WAN).

14. A method for execution by a storage unit (SU), the method comprising:
- receiving, via an interface of the SU configured to interface and communicate with a dispersed or distributed storage network (DSN) and from a computing device, a self-validating request message, wherein the self-validating request message is generated by the computing device to include a first message authentication code of the computing device, and the self-validating request message is generated by the computing device based on the computing device creating a master key of the computing device, creating a message encryption key based on the master key of the computing device and a secret function, encrypting a message using the message encryption key to generate an encrypted message, encrypting the master key of the computing device using a public key of the SU to generate an encrypted master key;
  
  processing the self-validating request message to verify the first message authentication code of the computing device that is included within the self-validating request message, and when the first message authentication code of the computing device is verified;
  
  decrypting the encrypted master key that is included within the self-validating request message using a private key of the SU to recover the master key of the computing device;
  
  generating the message encryption key based on the master key of the computing device and the secret function; and
  
  decrypting the encrypted message that is included within the self-validating request message to recover the message; and
  
  generating, in response to the self-validating request message, a self-validating response message that includes a second message authentication code and an encrypted response including to;
  
  generating a responder encryption key based on the master key and another secret function; and
  
  encrypting a response to the message based on the responder encryption key to generate the encrypted response; and
  
  transmitting, via the interface of the SU and to the computing device, the self-validating response message.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the self-validating request message includes a self-validating request header, the first message authentication code of the computing device, and an encrypted request that is generated by using a requester encryption key to process a request message that corresponds to a write request, a delete request, a list request, or a read request.
  - 16. The method of claim 15, wherein request message corresponds to the write request, the delete request, the list request, or the read request to be applied to at least one encoded data slice (EDS) stored within the SU, wherein a data object is segmented into a plurality of data segments, wherein a data segment of the plurality of data segments is dispersed error encoded in accordance with dispersed error encoding parameters to produce a set of encoded data slices (EDSs) that includes the at least one EDS, and wherein the set of EDSs are distributedly stored among a plurality of storage units (SUs) that includes the SU.
  - 17. The method of claim 15, wherein the self-validating request header includes a timestamp, a universally unique identifier (UUID) associated with the self-validating request message, the encrypted master key, a certificate chain of the computing device, and a header signature.
  - 18. The method of claim 17, wherein the certificate chain of the computing device is generated by the computing device when generating the self-validating request header using another private key of a public/private key pair associated with the computing device that includes another private key of the computing device and another public key of the computing device, and wherein the certificate chain of the computing device includes one or more certificates chained to a certificate authority of the DSN.
  - 19. The method of claim 14, wherein at least one of:
    - the SU is located at a first location that is remotely located from another SU that is located at a second location within the DSN;
      
      orthe computing device includes a social networking device, a gaming device, a cell phone, a smart phone, a personal digital assistant, a digital music player, a digital video player, a laptop computer, a handheld computer, a tablet, or a video game controller.
  - 20. The method of claim 14, wherein the DSN includes at least one of a wireless communication system, a wire lined communication system, a private intranet system, a public internet system, a local area network (LAN), or a wide area network (WAN).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Leggette, Wesley, Resch, Jason K.
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Malinowski, Walter J

Application Number

US15/612,885
Publication Number

US 20170272252A1
Time in Patent Office

578 Days
Field of Search

713181
US Class Current
CPC Class Codes

G06F 11/07   Responding to the occurrenc...

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0754   by exceeding limits

G06F 11/076   by exceeding a count or rat...

G06F 11/2058   using more than 2 mirrored ...

G06F 11/2094   Redundant storage or storag...

G06F 2211/1004   Adaptive RAID, i.e. RAID sy...

G06F 3/06   Digital input from, or digi...

G06F 3/0619   in relation to data integri...

G06F 3/0653   Monitoring storage devices ...

G06F 3/067   Distributed or networked st...

G06F 3/0685   Hybrid storage combining he...

H04L 63/0435   wherein the sending and rec...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/14   using a plurality of keys o...

H04L 9/3242   involving keyed hash functi...

Self-validating request message structure and operation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Self-validating request message structure and operation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links