Securing data in a dispersed storage network

US 10,360,097 B2
Filed: 08/29/2016
Issued: 07/23/2019
Est. Priority Date: 05/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a storage unit of a dispersed storage network (DSN), the method comprises:

receiving, from a requesting computing device of the DSN, a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;

partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;

partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;

partially decrypting the partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and

sending the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices. The method further includes partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector. The method further includes partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector. The method further includes partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector. The method further includes sending the partially decrypted and encoded data vector to the requesting computing device.

86 Citations

View as Search Results

10 Claims

1. A method for execution by a storage unit of a dispersed storage network (DSN), the method comprises:
- receiving, from a requesting computing device of the DSN, a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
  
  partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
  
  partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
  
  partially decrypting the partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
  
  sending the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprises:
    - converting an encryption key into the key stream.
  - 3. The method of claim 1, wherein the partially dispersed storage error decoding the encoded and encrypted data slice to produce the partially decoded and encrypted data vector comprises:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded and encrypted data vector based on the square matrix and the encoded and encrypted data slice.

4. A storage unit of a dispersed storage network (DSN), the storage unit comprises:
- a network interface;
  
  memory; and
  
  a processing module operably coupled to the network interface and the memory, wherein the processing module is operable to;
  
  receive, via the network interface and from a requesting computing device of the DSN, a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
  
  partially dispersed storage error decode the encoded key stream slice to produce a partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
  
  partially dispersed storage error decode the encoded and encrypted data slice to produce a partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
  
  partially decrypt the partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
  
  send the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set.
- View Dependent Claims (5, 6)
- - 5. The storage unit of claim 4, wherein the processing module is further operable to:
    - receive, via the network interface, the encoded key stream slice, wherein an encryption key is converted into the key stream.
  - 6. The storage unit of claim 4, wherein the processing module is further operable to partially dispersed storage error decode the encoded and encrypted data slice to produce the partially decoded and encrypted data vector by:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded and encrypted data vector based on the square matrix and the encoded and encrypted data slice.

7. A computer readable memory comprises:
- a first memory element that stores operational instructions that, when executed by a first storage unit of a dispersed storage network (DSN), causes the first storage unit to;
  
  receive, from a requesting computing device of the DSN, a first retrieval request regarding a first encoded key stream slice of a set of encoded key stream slices and a first encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
  
  partially dispersed storage error decode the first encoded key stream slice to produce a first partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
  
  partially dispersed storage error decode the first encoded and encrypted data slice to produce a first partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
  
  partially decrypt the first partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
  
  send the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set; and
  
  a second memory element that stores operational instructions that, when executed by a second storage unit of the DSN, causes the second storage unit to;
  
  receive, from the requesting computing device of the DSN, a second retrieval request regarding a second encoded key stream slice of the set of encoded key stream slices and a second encoded and encrypted data slice of the set of encoded and encrypted data slices;
  
  partially dispersed storage error decode the second encoded key stream slice to produce a second partially decoded key stream vector that includes a second plurality of partially decoded key stream vector blocks;
  
  partially dispersed storage error decode the second encoded and encrypted data slice to produce a second partially decoded and encrypted data vector that includes a second plurality of partially decoded and encrypted data vector blocks;
  
  partially decrypt the second partially decoded and encrypted data vector based on the function in accordance with the encryption function and based on the second partially decoded key stream vector to produce a second partially decrypted and decoded data vector, wherein the function includes the exclusive OR that is performed on corresponding blocks of the second plurality of partially decoded key stream vector blocks and the second plurality of partially decoded and encrypted data vector blocks; and
  
  send the second partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream.
- View Dependent Claims (8, 9, 10)
- - 8. The computer readable memory of claim 7, wherein an encryption key is converted into the key stream.
  - 9. The computer readable memory of claim 7, wherein the first memory element further stores operational instructions that, when executed by the first storage unit, causes the first storage unit to partially dispersed storage error decode the first encoded and encrypted data slice by:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the first partially decoded and encrypted data vector based on the square matrix and the first encoded and encrypted data slice.
  - 10. The computer readable memory of claim 7, wherein the second memory element further stores operational instructions that, when executed by the second storage unit, causes the second storage unit to partially dispersed storage error decode the second encoded and encrypted data slice by:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the second partially decoded and encrypted data vector based on the square matrix and the second encoded and encrypted data slice.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Dhuse, Greg
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Little, Vance M

Application Number

US15/249,905
Publication Number

US 20160371143A1
Time in Patent Office

1,058 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/1096   Parity calculation or recal...

G06F 11/2094   Redundant storage or storag...

G06F 21/602   Providing cryptographic fac...

G06F 21/80   in storage media based on m...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2221/2107   File encryption

H04L 1/0042   Encoding specially adapted ...

H04L 1/0047   Decoding adapted to other s...

H04L 63/0457   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1097   for distributed storage of ...

H04L 69/14   Multichannel or multilink p...

Securing data in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Securing data in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links