Efficient secret-key encrypted secure slice

US 10,326,740 B2
Filed: 01/19/2017
Issued: 06/18/2019
Est. Priority Date: 02/29/2016
Status: Expired due to Fees

First Claim

Patent Images

1. A method for use in a dispersed storage network (DSN) the method comprising:

providing a random key to both an encryption module and a masking module;

at the encryption module;

encrypting starting data using the random key to produce encrypted data;

transmitting the encrypted data to a keyed-hash module and to a combining module;

at the keyed-hash module;

performing a secure hash function on the encrypted data using a secret key to produce a hash value;

transmitting the hash value to the masking module;

at the masking module;

masking the random key using the hash value to produce a masked random key;

transmitting the masked random key to the combining module;

at the combining module;

combining the encrypted data and the masked random key to produce a secure package;

transmitting the secure package to a client module;

at the client module;

encoding the secure package to produce a set of encoded data slices, wherein the secret key and a decode threshold number of encoded data slices included in the set of encoded data slices are sufficient to recover the secure package and the starting data, and wherein the decode threshold number is greater than one and less than a total number of encoded data slices in the set of encoded data slices;

transmitting the set of encoded data slices to a DSN memory; and

at the DSN memory, storing the set of encoded data slices in a set of storage units.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption module encrypts starting data using a random key to produce encrypted data. A hash module performs a secure hash function on the encrypted data using a secret key to produce a hash value. Processing circuitry masks the random key using the hash value to produce a masked random key, and combines the encrypted data and the masked random key to produce a secure package. A distributed storage and task module encodes the secure package to produce a set of encoded data slices. The secret key and a decode threshold number of the encoded data slices included in the set of encoded data slices are sufficient to recover the secure package and the starting data. The set of encoded data slices is stored in a set of storage units.

86 Citations

View as Search Results

20 Claims

1. A method for use in a dispersed storage network (DSN) the method comprising:
- providing a random key to both an encryption module and a masking module;
  
  at the encryption module;
  
  encrypting starting data using the random key to produce encrypted data;
  
  transmitting the encrypted data to a keyed-hash module and to a combining module;
  
  at the keyed-hash module;
  
  performing a secure hash function on the encrypted data using a secret key to produce a hash value;
  
  transmitting the hash value to the masking module;
  
  at the masking module;
  
  masking the random key using the hash value to produce a masked random key;
  
  transmitting the masked random key to the combining module;
  
  at the combining module;
  
  combining the encrypted data and the masked random key to produce a secure package;
  
  transmitting the secure package to a client module;
  
  at the client module;
  
  encoding the secure package to produce a set of encoded data slices, wherein the secret key and a decode threshold number of encoded data slices included in the set of encoded data slices are sufficient to recover the secure package and the starting data, and wherein the decode threshold number is greater than one and less than a total number of encoded data slices in the set of encoded data slices;
  
  transmitting the set of encoded data slices to a DSN memory; and
  
  at the DSN memory, storing the set of encoded data slices in a set of storage units.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - recovering the secure package by decoding the decode threshold number of the encoded data slices; and
      
      recovering the starting data from the secure package using the secret key.
  - 3. The method of claim 2, wherein recovering the starting data further comprises:
    - de-combining the secure package into the encrypted data and the masked random key.
  - 4. The method of claim 3, further comprising:
    - using the secret key to recover the hash value;
      
      using the hash value to de-mask the masked random key and generate a recovered random key; and
      
      decrypting the encrypted data using the recovered random key.
  - 5. The method of claim 1, wherein masking the random key includes:
    - performing one of an exclusive OR (XOR) function or a modulo addition.
  - 6. The method of claim 1, wherein combining includes:
    - one of appending, prepending, inserting, or interleaving.
  - 7. The method of claim 1, wherein encoding the secure package to produce the set of encoded data slices includes using an erasure code algorithm.

8. A dispersed storage network (DSN) comprising:
- an encryption module implemented using a processor and associated memory, the encryption module configured to;
  
  receive a random key provided to both the encryption module and to a masking module;
  
  encrypt starting data using the random key to produce encrypted data;
  
  transmit the encrypted data to a hash module and to a combining module;
  
  the hash module implemented using the processor and the associated memory, the hash module configured to;
  
  perform a secure hash function on the encrypted data using a secret key to produce a hash value;
  
  transmit the hash value to the masking module;
  
  processing circuitry configured to implement the masking module, the masking module configured to;
  
  receive the random key;
  
  mask the random key using the hash value to produce a masked random key;
  
  transmit the masked random key to the combining module;
  
  the processing circuitry further configured to implement the combining module, the combining module configured to;
  
  combine the encrypted data and the masked random key to produce a secure package;
  
  transmit the secure package to a distributed storage and task module;
  
  the distributed storage and task module configured to;
  
  encode the secure package to produce a set of encoded data slices, wherein the secret key and a decode threshold number of encoded data slices included in the set of encoded data slices are sufficient to recover the secure package and the starting data, and wherein the decode threshold number is greater than one and less than a total number of encoded data slices in the set of encoded data slices;
  
  transmit the set of encoded data slices to a DSN memory; and
  
  processing circuitry configured to implement the DSN memory, the DSN memory configured to store the set of encoded data slices in a set of storage units.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The dispersed storage network of claim 8, further comprising processing circuitry configured to:
    - recover the secure package by decoding the decode threshold number of the encoded data slices; and
      
      recover the starting data from the secure package using the secret key.
  - 10. The dispersed storage network of claim 9, wherein the processing circuitry configured to recover the starting data is further configured to:
    - de-combine the secure package into the encrypted data and the masked random key.
  - 11. The dispersed storage network of claim 10, wherein the processing circuitry configured to recover the starting data is further configured to:
    - use the secret key to recover the hash value;
      
      use the hash value to de-mask the masked random key and generate a recovered random key; and
      
      decrypt the encrypted data using the recovered random key.
  - 12. The dispersed storage network of claim 8, wherein the processing circuitry configured to mask the random key is further configured to:
    - perform one of an exclusive OR (XOR) function or a modulo addition.
  - 13. The dispersed storage network of claim 8, wherein the processing circuitry configured to combine is further configured to perform one of the following:
    - append the masked random key to the encrypted data;
      
      prepend the masked random key to the encrypted data;
      
      insert the masked random key to the encrypted data;
      
      orinterleave the masked random key within the encrypted data.
  - 14. The dispersed storage network of claim 8, wherein the distributed storage and task module uses an erasure code algorithm to encode the secure package to produce the set of encoded data slices.

15. A method for use in a dispersed storage network (DSN) the method comprising:
- providing a random key to both an encryption module and a masking module;
  
  at the encryption module;
  
  encrypting starting data using the random key to produce encrypted data;
  
  transmitting the encrypted data to a keyed-hash module and to a combining module;
  
  at the keyed-hash module;
  
  performing a secure hash function on the encrypted data using a secret key to produce a hash value;
  
  transmitting the hash value to the masking module;
  
  at the masking module;
  
  masking the random key using the hash value to produce a masked random key;
  
  transmitting the masked random key to the combining module;
  
  at the combining module;
  
  combining the encrypted data and the masked random key to produce a secure package;
  
  transmitting the secure package to a client module;
  
  at the client module;
  
  encoding the secure package to produce a set of encoded data slices, wherein the secret key and a decode threshold number of encoded data slices included in the set of encoded data slices are sufficient to recover the secure package and the starting data, and wherein the decode threshold number is greater than one and less than a total number of encoded data slices in the set of encoded data slices;
  
  transmitting the set of encoded data slices to a DSN memory;
  
  at the DSN memory, storing the set of encoded data slices in a set of storage units; and
  
  recovering the starting data using at least the decode threshold number of the encoded data slices and the secret key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - recovering the secure package by decoding the decode threshold number of the encoded data slices; and
      
      recovering the starting data from the secure package using the secret key.
  - 17. The method of claim 16, wherein recovering the starting data further comprises:
    - de-combining the secure package into the encrypted data and the masked random key.
  - 18. The method of claim 17, further comprising:
    - using the secret key to recover the hash value;
      
      using the hash value to de-mask the masked random key and generate a recovered random key; and
      
      decrypting the encrypted data using the recovered random key.
  - 19. The method of claim 15, wherein combining includes:
    - one of appending, prepending, inserting, or interleaving.
  - 20. The method of claim 15, wherein encoding the secure package to produce the set of encoded data slices includes using an erasure code algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Seaborn, Mark D., Volvovski, Ilya
Primary Examiner(s)
Naghdali, Khalil
Assistant Examiner(s)
Wade, Shaqueal D

Application Number

US15/410,329
Publication Number

US 20170250965A1
Time in Patent Office

880 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0751   Error or fault detection no...

G06F 11/0781   Error filtering or prioriti...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/0793   Remedial or corrective acti...

G06F 11/1076   Parity data used in redunda...

G06F 11/1451   by selection of backup cont...

G06F 11/2094   Redundant storage or storag...

G06F 11/3034   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3055   Monitoring arrangements for...

G06F 11/327   Alarm or error message display

G06F 13/4022   using switching circuits, e...

G06F 13/4282   on a serial bus, e.g. I2C b...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 3/0604   Improving or facilitating a...

G06F 3/0605   by facilitating the interac...

G06F 3/0619   in relation to data integri...

G06F 3/0623   in relation to content

G06F 3/0629 : Configuration or reconfigur...

G06F 3/064 : Management of blocks

G06F 3/0644 : Management of space entitie...

G06F 3/0653 : Monitoring storage devices ...

G06F 3/0659 : Command handling arrangemen...

G06F 3/067 : Distributed or networked st...

G06F 30/20 : Design optimisation, verifi...

G06N 3/04 : Architecture, e.g. intercon...

G06N 3/084 : Backpropagation, e.g. using...

G06N 3/10 : Interfaces, programming lan...

G06Q 10/063116 : Schedule adjustment for a p...

G06Q 10/06316 : Sequencing of tasks or work

G06Q 10/20 : Administration of product r...

H03M 13/1515 : Reed-Solomon codes

H03M 13/2909 : Product codes

H03M 13/3761 : using code combining, i.e. ...

H03M 13/616 : Matrix operations, especial...

H04L 63/0428 : wherein the data content is...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/101 : Access control lists [ACL]

H04L 9/0869 : involving random numbers or...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/14 : using a plurality of keys o...

H04L 9/3242 : involving keyed hash functi...

View All

Efficient secret-key encrypted secure slice

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Efficient secret-key encrypted secure slice

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others