Storing access information in a dispersed storage network

US 10,193,689 B2
Filed: 08/04/2011
Issued: 01/29/2019
Est. Priority Date: 05/19/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

encoding, in accordance with a share encoding function, an access information packet to produce a first encoded share and a second encoded share;

obtaining a set of personalized authenticating values regarding user access of a user device to the access information packet, wherein each of at least some of the personalized authenticating values of the set of personalized authenticating values is unique;

generating a first hidden password from the set of personalized authenticating values based on a first function;

generating a second hidden password from the set of personalized authenticating values based on a second function;

generating a first encryption key from the first hidden password and a first random number;

generating a second encryption key from the second hidden password and a second random number;

encrypting the first encoded share with the first encryption key to produce a first encrypted encoded share;

encrypting the second encoded share using the second encryption key to produce a second encrypted encoded share;

sending the first encrypted encoded share and the first random number to a first dispersed storage (DS) processing unit, wherein the first DS processing unit generates a first encoded data slice based on the first encrypted encoded share and the first random number; and

sending the second encrypted encoded share and the second random number to a second DS processing unit, wherein the second DS processing unit generates a second encoded data slice based on the second encrypted encoded share and the second random number.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module applying a share encoding function on data to produce a plurality of encoded shares and generating a plurality of random numbers. The method continues with the processing module obtaining a set of personalized authenticating values regarding user access to the data and generating a plurality of hidden passwords based on the set of personalized authenticating values. The method continues with the processing module generating an encryption key based on a corresponding one of the plurality of hidden passwords and a corresponding one of the plurality of random numbers and encrypting the encoded share utilizing the encryption key to produce an encrypted share for each encoded share of the plurality of encoded shares. The method continues with the processing module facilitating storage of the plurality of random numbers and each of the encrypted shares.

89 Citations

View as Search Results

18 Claims

1. A method comprises:
- encoding, in accordance with a share encoding function, an access information packet to produce a first encoded share and a second encoded share;
  
  obtaining a set of personalized authenticating values regarding user access of a user device to the access information packet, wherein each of at least some of the personalized authenticating values of the set of personalized authenticating values is unique;
  
  generating a first hidden password from the set of personalized authenticating values based on a first function;
  
  generating a second hidden password from the set of personalized authenticating values based on a second function;
  
  generating a first encryption key from the first hidden password and a first random number;
  
  generating a second encryption key from the second hidden password and a second random number;
  
  encrypting the first encoded share with the first encryption key to produce a first encrypted encoded share;
  
  encrypting the second encoded share using the second encryption key to produce a second encrypted encoded share;
  
  sending the first encrypted encoded share and the first random number to a first dispersed storage (DS) processing unit, wherein the first DS processing unit generates a first encoded data slice based on the first encrypted encoded share and the first random number; and
  
  sending the second encrypted encoded share and the second random number to a second DS processing unit, wherein the second DS processing unit generates a second encoded data slice based on the second encrypted encoded share and the second random number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the share encoding function comprises at least one of:
    - a dispersed storage error encoding function; and
      
      a secret sharing function.
  - 3. The method of claim 1, wherein the generating a random number of the first and second random numbers comprises:
    - obtaining a base random number; and
      
      expanding the base random number based on security parameters to produce the the random number.
  - 4. The method of claim 1, wherein the set of personalized authenticating values includes at least one of:
    - a user device identifier (ID);
      
      a user ID;
      
      a personal information number (PIN);
      
      a badge ID;
      
      a district ID;
      
      a work-shift ID;
      
      an assignment ID;
      
      a mission ID;
      
      a passcode;
      
      a password;
      
      a picture file;
      
      a video file;
      
      an audio file;
      
      a retinal scan;
      
      a facial scan;
      
      a fingerprint scan;
      
      a personal secret; and
      
      a password index number.
  - 5. The method of claim 1, wherein the generating a hidden password of the first and second hidden passwords comprises:
    - transforming the set of personalized authenticating values in accordance with a set of transformation functions to produce a set of transformed personalized authenticating values; and
      
      for each hidden password of the first and second hidden passwords;
      
      combining, in accordance with a combining function of a plurality of combining functions, one of the set of transformed personalized authenticating values with at least one of a constant and another one of the set of transformed personalized authenticating values to produce the hidden password.
  - 6. The method of claim 5, wherein the set of transformation functions includes at least one of:
    - a null function;
      
      a concatenation function;
      
      an inverting function;
      
      a hashing function;
      
      an encryption function;
      
      a compressing function; and
      
      a mask generating function.
  - 7. The method of claim 5, wherein the plurality of combining functions includes at least two of:
    - an addition function;
      
      a subtraction function;
      
      a multiplication function;
      
      a division function;
      
      a logical exclusive OR function;
      
      a logical OR function; and
      
      a logical AND function.
  - 8. The method of claim 1, wherein the generating an encryption key of the first and second encryption keys comprises:
    - transforming a corresponding one of the first and second hidden passwords utilizing a mask generating function, security parameters, and a corresponding one of the first and second random numbers to produce the encryption key.
  - 9. The method of claim 1, wherein the access information packet includes access information and an access information hash digest, wherein the access information hash digest is generated from the access information in accordance with a hashing function.

10. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operably coupled to the interface and the memory, wherein the processing module is operable to;
  
  encode, in accordance with a share encoding function, an access information packet to produce a first encoded share and a second encoded share;
  
  obtain a set of personalized authenticating values regarding user access of a user device to the access information packet, wherein each of at least some of the personalized authenticating values of the set of personalized authenticating values is unique;
  
  generate a first hidden password from the set of personalized authenticating values based on a first function;
  
  generate a second hidden password from the set of personalized authenticating values based on a second function;
  
  generate a first encryption key from the first hidden password and a first random number;
  
  generate a second encryption key from the second hidden password and a second random number;
  
  encrypt the first encoded share with the first encryption key to produce a first encrypted encoded share;
  
  encrypt the second encoded share using the second encryption key to produce a second encrypted encoded share;
  
  send, via the interface, the first encrypted encoded share and the first random number to a first dispersed storage (DS) processing unit, wherein the first DS processing unit generates a first encoded data slice based on the first encrypted encoded share and the first random number; and
  
  send, via the interface, the second encrypted encoded share and the second random number to a second DS processing unit, wherein the second DS processing unit generates a second encoded data slice based on the second encrypted encoded share and the second random number.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer of claim 10, wherein the share encoding function comprises at least one of:
    - a dispersed storage error encoding function; and
      
      a secret sharing function.
  - 12. The computer of claim 10, wherein the processing module functions to generate a random number of the first and second random numbers by:
    - obtaining a base random number; and
      
      expanding the base random number based on security parameters to produce the random number.
  - 13. The computer of claim 10, wherein the set of personalized authenticating values includes at least one of:
    - a user device identifier (ID);
      
      a user ID;
      
      a personal information number (PIN);
      
      a badge ID;
      
      a district ID;
      
      a work-shift ID;
      
      an assignment ID;
      
      a mission ID;
      
      a passcode;
      
      a password;
      
      a picture file;
      
      a video file;
      
      an audio file;
      
      a retinal scan;
      
      a facial scan;
      
      a fingerprint scan;
      
      a personal secret; and
      
      a password index number.
  - 14. The computer of claim 10, wherein the processing module functions to generate a hidden password of the first and second hidden passwords by:
    - transforming the set of personalized authenticating values in accordance with a set of transformation functions to produce a set of transformed personalized authenticating values; and
      
      for each hidden password of the first and second hidden passwords;
      
      combining, in accordance with a combining function of a plurality of combining functions, one of the set of transformed personalized authenticating values with at least one of a constant and another one of the set of transformed personalized authenticating values to produce the hidden password.
  - 15. The computer of claim 14, wherein the set of transformation functions includes at least one of:
    - a null function;
      
      a concatenation function;
      
      an inverting function;
      
      a hashing function;
      
      an encryption function;
      
      a compressing function; and
      
      a mask generating function.
  - 16. The computer of claim 14, wherein the plurality of combining functions includes at least two of:
    - an addition function;
      
      a subtraction function;
      
      a multiplication function;
      
      a division function;
      
      a logical exclusive OR function;
      
      a logical OR function; and
      
      a logical AND function.
  - 17. The computer of claim 10, wherein the processing module functions to generate an encryption key of the first and second encryption keys by:
    - transforming a corresponding one of the first and second hidden passwords utilizing a mask generating function, security parameters, and a corresponding one of the first and second random numbers to produce the encryption key.
  - 18. The computer of claim 10, wherein the access information packet includes access information and an access information hash digest, wherein the processing module functions to generate the access information hash digest from the access information in accordance with a hashing function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Grube, Gary W., Gladwin, S. Christopher, Shirley, Jr., Thomas Franklin, Markison, Timothy W.
Primary Examiner(s)
Henning, Matthew T

Application Number

US13/198,078
Publication Number

US 20110286595A1
Time in Patent Office

2,735 Days
Field of Search

380 46
US Class Current
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/0894   Escrow, recovery or storing...

Storing access information in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Storing access information in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links