Dispersed storage network with customized security and methods for use therewith

US 10,180,884 B2
Filed: 06/26/2014
Issued: 01/15/2019
Est. Priority Date: 09/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method comprises:

receiving an access request corresponding to a data segment of a data object stored in the DSN, wherein the data segment is dispersed storage error encoded into a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment, wherein the decoded threshold number is greater than one, and wherein the set of encoded data slices is stored or is to be stored in a plurality of dispersed storage units of the DSN;

determining connection security requirements corresponding to the access request;

determining a subset of the plurality of dispersed storage units based on the connection security requirements, wherein the subset includes at least the decode threshold number of dispersed storage units of the plurality of dispersed storage units;

determining, based on the connection security requirements, a connection security level for communicating with the subset of the plurality of dispersed storage units regarding the access request; and

communicating respective portions of the access request to corresponding dispersed storage units of the subset of the plurality of dispersed storage units in accordance with the connection security level for processing by the subset of the plurality of dispersed storage units;

wherein determining the connection security level includes determining a first connection security level for one of the subset of the plurality of dispersed storage units based on a first proximity of the one of the subset of the plurality of dispersed storage units from the one or more computing devices, and further includes determining a second connection security level for another one of the subset of the plurality of dispersed storage units based on a second proximity of the another one of the subset of the plurality of dispersed storage units from the one or more computing devices.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins with a processing module receiving an access request and determining security requirements corresponding to the access request. The method continues with the processing module determining a subset of a plurality of dispersed storage units based on the security requirements. The method continues with the processing module determining, based on the security requirements, a connection security level for communicating with the subset of the plurality of dispersed storage units regarding the access request. The method continues with the processing module communicating the access request to the subset of the plurality of dispersed storage units in accordance with the connection security level for processing by the subset of the plurality of dispersed storage units.

85 Citations

17 Claims

1. A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method comprises:
- receiving an access request corresponding to a data segment of a data object stored in the DSN, wherein the data segment is dispersed storage error encoded into a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment, wherein the decoded threshold number is greater than one, and wherein the set of encoded data slices is stored or is to be stored in a plurality of dispersed storage units of the DSN;
  
  determining connection security requirements corresponding to the access request;
  
  determining a subset of the plurality of dispersed storage units based on the connection security requirements, wherein the subset includes at least the decode threshold number of dispersed storage units of the plurality of dispersed storage units;
  
  determining, based on the connection security requirements, a connection security level for communicating with the subset of the plurality of dispersed storage units regarding the access request; and
  
  communicating respective portions of the access request to corresponding dispersed storage units of the subset of the plurality of dispersed storage units in accordance with the connection security level for processing by the subset of the plurality of dispersed storage units;
  
  wherein determining the connection security level includes determining a first connection security level for one of the subset of the plurality of dispersed storage units based on a first proximity of the one of the subset of the plurality of dispersed storage units from the one or more computing devices, and further includes determining a second connection security level for another one of the subset of the plurality of dispersed storage units based on a second proximity of the another one of the subset of the plurality of dispersed storage units from the one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the connection security level includes a first key employed for one of the subset of the plurality of dispersed storage units and a second key employed for another one of the subset of the plurality of dispersed storage units.
  - 3. The method of claim 1 wherein the connection security level includes a first cipher employed for one of the subset of the plurality of dispersed storage units and a second cipher employed for another of the subset of the plurality of dispersed storage units.
  - 4. The method of claim 1 wherein the connection security level includes at least one of:
    - a transmission control protocol connection that is based on a user identifier and security credentials;
      
      a transport layer security null cipher connection that is based on the user identifier and the security credentials;
      
      ora transport layer security cipher connection that is based on the user identifier and the security credentials.
  - 5. The method of claim 1 wherein the connection security level includes one of:
    - a first level with no tampering protection and with no eaves dropping protection;
      
      a second level with the tampering protection and with the no eaves dropping protection; and
      
      a third level with the tampering protection and with the eaves dropping protection.
  - 6. The method of claim 1 wherein the connection security level is determined for the subset of the plurality of dispersed storage units further based on security capabilities of the subset of the plurality of dispersed storage units.

7. A dispersed storage (DS) processing unit for use in a dispersed storage network (DSN) comprises:
- an interface;
  
  memory; and
  
  a processing module operably coupled to the interface and the memory, wherein the processing module is operable to;
  
  receive an access request corresponding to a data segment of a data object stored in the DSN, wherein the data segment is dispersed storage error encoded into a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment, wherein the decoded threshold number is greater than one, and wherein the set of encoded data slices is stored or is to be stored in a plurality of dispersed storage units of the DSN;
  
  determine connection security requirements corresponding to the access request;
  
  determine a subset of the plurality of dispersed storage units based on the connection security requirements, wherein the subset includes at least the decode threshold number of dispersed storage units of the plurality of dispersed storage units;
  
  determine, based on the connection security requirements, a connection security level for communicating with the subset of the plurality of dispersed storage units regarding the access request; and
  
  communicate respective portions of the access request to corresponding dispersed storage units of the subset of the plurality of dispersed storage units in accordance with the connection security level for processing by the subset of the plurality of dispersed storage units;
  
  wherein determining the connection security level includes determining a first connection security level for one of the subset of the plurality of dispersed storage units based on a first proximity of the one of the subset of the plurality of dispersed storage units from the DS processing unit, and further includes determining a second connection security level for another one of the subset of the plurality of dispersed storage units based on a second proximity of the another one of the subset of the plurality of dispersed storage units from the DS processing unit.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The DS processing unit of claim 7 wherein the connection security level includes a first key employed for one of the subset of the plurality of dispersed storage units and a second key employed for another one of the subset of the plurality of dispersed storage units.
  - 9. The DS processing unit of claim 7 wherein the connection security level includes a first cipher employed for one of the subset of the plurality of dispersed storage units and a second cipher employed for another of the subset of the plurality of dispersed storage units.
  - 10. The DS processing unit of claim 7 wherein the connection security level includes at least one of:
    - a transmission control protocol connection that is based on a user identifier and security credentials;
      
      a transport layer security null cipher connection that is based on the user identifier and the security credentials;
      
      ora transport layer security cipher connection that is based on the user identifier and the security credentials.
  - 11. The DS processing unit of claim 7 wherein the connection security level includes one of:
    - a first level with no tampering protection and with no eaves dropping protection;
      
      a second level with the tampering protection and with the no eaves dropping protection; and
      
      a third level with the tampering protection and with the eaves dropping protection.
  - 12. The DS processing unit of claim 7 wherein the connection security level is determined for the subset of the plurality of dispersed storage units further based on security capabilities of the subset of the plurality of dispersed storage units.

13. A non-transitory computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), causes the one or more computing devices to;
  
  receive an access request corresponding to a data segment of a data object stored in the DSN, wherein the data segment is dispersed storage error encoded into a set of encoded data slices, wherein a decode threshold number of encoded data slices of the set of encoded data slices is needed to recover the data segment, wherein the decoded threshold number is greater than one, and wherein the set of encoded data slices is stored or is to be stored in a plurality of dispersed storage units of the DSN;
  
  determine connection security requirements corresponding to the access request;
  
  determine a subset of the plurality of dispersed storage units based on the connection security requirements, wherein the subset includes at least the decode threshold number of dispersed storage units of the plurality of dispersed storage units;
  
  determine, based on the connection security requirements, a connection security level for communicating with the subset of the plurality of dispersed storage units regarding the access request; and
  
  communicate respective portions of the access request to corresponding dispersed storage units of the subset of the plurality of dispersed storage units in accordance with the connection security level for processing by the subset of the plurality of dispersed storage units;
  
  wherein determining the connection security level includes determining a first connection security level for one of the subset of the plurality of dispersed storage units based on a first proximity of the one of the subset of the plurality of dispersed storage units from the one or more computing devices, and further includes determining a second connection security level for another one of the subset of the plurality of dispersed storage units based on a second proximity of the another one of the subset of the plurality of dispersed storage units from the one or more computing devices.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable storage medium of claim 13 wherein the connection security level includes a first cipher employed for one of the subset of the plurality of dispersed storage units and a second cipher employed for another of the subset of the plurality of dispersed storage units.
  - 15. The non-transitory computer readable storage medium of claim 13 wherein the connection security level includes at least one of:
    - a transmission control protocol connection that is based on a user identifier and security credentials;
      
      a transport layer security null cipher connection that is based on the user identifier and the security credentials;
      
      ora transport layer security cipher connection that is based on the user identifier and the security credentials.
  - 16. The non-transitory computer readable storage medium of claim 13 wherein the connection security level includes one of:
    - a first level with no tampering protection and with no eaves dropping protection;
      
      a second level with the tampering protection and with the no eaves dropping protection; and
      
      a third level with the tampering protection and with the eaves dropping protection.
  - 17. The non-transitory computer readable storage medium of claim 13 wherein connection security level is determined for the subset of the plurality of dispersed storage units further based on security capabilities of the subset of the plurality of dispersed storage units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Hoffman, Brandon S
Assistant Examiner(s)
Corum, Jr., William A

Application Number

US14/315,775
Publication Number

US 20140310775A1
Time in Patent Office

1,664 Days
Field of Search

726 2
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0751   Error or fault detection no...

G06F 11/1076   Parity data used in redunda...

G06F 11/1464   for networked environments

G06F 11/2038   with a single idle spare pr...

G06F 11/2048   where the redundant compone...

G06F 11/2094   Redundant storage or storag...

G06F 16/172   Caching, prefetching or hoa...

G06F 16/9535   Search customisation based ...

G06F 2201/80   Database-specific techniques

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/0617   in relation to availability

G06F 3/0619   in relation to data integri...

G06F 3/0635   by changing the path, e.g. ...

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

H04L 63/10   for controlling access to d...

H04L 67/1097   for distributed storage of ...

Dispersed storage network with customized security and methods for use therewith

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dispersed storage network with customized security and methods for use therewith

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links