Securing data in a dispersed storage network
Abstract
A method includes receiving a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices. The method further includes partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector. The method further includes partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector. The method further includes partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector. The method further includes sending the partially decrypted and decoded data vector to the requesting computing device.
10 Claims
1. A method for execution by a storage unit of a dispersed storage network (DSN), the method comprises:
- receiving, from a requesting computing device of the DSN, a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
- partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
- partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
- partially decrypting the partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
- sending the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set.

Dependent claims: 2, 3

4. A storage unit of a dispersed storage network (DSN), the storage unit comprises:
- a network interface;
- memory; and
- a processing module operably coupled to the network interface and the memory, wherein the processing module is operable to;
  - receive, via the network interface and from a requesting computing device of the DSN, a retrieval request regarding an encoded key stream slice of a set of encoded key stream slices and an encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
  - partially dispersed storage error decode the encoded key stream slice to produce a partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
  - partially dispersed storage error decode the encoded and encrypted data slice to produce a partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
  - partially decrypt the partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
  - send the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set.

Dependent claims: 5, 6

7. A computer readable memory comprises:
- a first memory element that stores operational instructions that, when executed by a first storage unit of a dispersed storage network (DSN), causes the first storage unit to;
  - receive, from a requesting computing device of the DSN, a first retrieval request regarding a first encoded key stream slice of a set of encoded key stream slices and a first encoded and encrypted data slice of a set of encoded and encrypted data slices, wherein a plurality of data elements of a data element set of a data object is encrypted using a plurality of keystream characters of a key stream and an encryption function to produce a plurality of encrypted data elements, wherein the plurality of encrypted data elements are arranged to produce an encrypted data element set, wherein the encrypted data element set is dispersed storage error encoded in accordance with dispersed data storage parameters to produce the set of encoded and encrypted data slices, wherein the set of encoded and encrypted data slices are stored in a set of storage units of the DSN, wherein the key stream is dispersed storage error encoded in accordance with the dispersed data storage parameters to produce the set of encoded key stream slices, wherein the set of encoded key stream slices are stored in the set of storage units, wherein the set of storage units includes the storage unit, and wherein the dispersed data storage parameters include a decode threshold number;
  - partially dispersed storage error decode the first encoded key stream slice to produce a first partially decoded key stream vector that includes a plurality of partially decoded key stream vector blocks;
  - partially dispersed storage error decode the first encoded and encrypted data slice to produce a first partially decoded and encrypted data vector that includes a plurality of partially decoded and encrypted data vector blocks;
  - partially decrypt the first partially decoded and encrypted data vector based on a function in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector, wherein the function includes an exclusive OR that is performed on corresponding blocks of the plurality of partially decoded key stream vector blocks and the plurality of partially decoded and encrypted data vector blocks; and
  - send the partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream, and wherein the decode threshold number of partially decrypted and decoded data vectors are required to reconstruct the data element set; and
- a second memory element that stores operational instructions that, when executed by a second storage unit of the DSN, causes the second storage unit to;
  - receive, from the requesting computing device of the DSN, a second retrieval request regarding a second encoded key stream slice of the set of encoded key stream slices and a second encoded and encrypted data slice of the set of encoded and encrypted data slices;
  - partially dispersed storage error decode the second encoded key stream slice to produce a second partially decoded key stream vector that includes a second plurality of partially decoded key stream vector blocks;
  - partially dispersed storage error decode the second encoded and encrypted data slice to produce a second partially decoded and encrypted data vector that includes a second plurality of partially decoded and encrypted data vector blocks;
  - partially decrypt the second partially decoded and encrypted data vector based on the function in accordance with the encryption function and based on the second partially decoded key stream vector to produce a second partially decrypted and decoded data vector, wherein the function includes the exclusive OR that is performed on corresponding blocks of the second plurality of partially decoded key stream vector blocks and the second plurality of partially decoded and encrypted data vector blocks; and
  - send the second partially decrypted and decoded data vector to the requesting computing device, wherein the requesting computing device is without access to the key stream.

Dependent claims: 8, 9, 10

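The retrieval path recited in claims 1, 4 and 7, as an added sketch that is not code from the patent. It assumes a Vandermonde code over GF(2^8) at points 1..n and models partial decoding as scaling a slice by the unit's column of the inverse encoding matrix; all function names and the sample data are hypothetical and constructed.

```python
import os
from functools import reduce

def gmul(a, b):  # multiply in GF(2^8), reduction polynomial 0x11b (assumed field)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11b if a & 0x80 else 0), b >> 1
    return r

def ginv(a):  # a^254 is the inverse of a nonzero a in GF(2^8)
    return reduce(lambda acc, _: gmul(acc, a), range(253), a)

def xor(u, v):
    return bytes(x ^ y for x, y in zip(u, v))
def scale(c, block):
    return bytes(gmul(c, x) for x in block)

def encode(rows, n):  # slice for unit x = sum_j x^j * rows[j]; any len(rows) slices decode
    out = []
    for x in range(1, n + 1):
        acc, coef = bytes(len(rows[0])), 1
        for row in rows:
            acc, coef = xor(acc, scale(coef, row)), gmul(coef, x)
        out.append(acc)
    return out

def decode_column(x_i, xs):  # this unit's column of the inverse encoding matrix (Lagrange basis)
    poly, denom = [1], 1
    for x_m in (x for x in xs if x != x_i):
        poly = [a ^ gmul(x_m, b) for a, b in zip([0] + poly, poly + [0])]
        denom = gmul(denom, x_i ^ x_m)
    return [gmul(ginv(denom), c) for c in poly]

def storage_unit(x_i, xs, key_slice, enc_slice):
    col = decode_column(x_i, xs)
    part_key = [scale(c, key_slice) for c in col]  # partially decoded key stream vector
    part_enc = [scale(c, enc_slice) for c in col]  # partially decoded and encrypted data vector
    return [xor(e, k) for e, k in zip(part_enc, part_key)]  # XOR of corresponding blocks

def requester(vectors):  # XOR the received vectors block by block; holds no key stream
    return [reduce(xor, blocks) for blocks in zip(*vectors)]

def demo(n=5, chosen=(1, 3, 5)):  # decode threshold 3 of 5 units
    data = [b"acct=1001;", b"bal=250.00", b";sig=beef!"]  # constructed data element set
    key = [os.urandom(len(r)) for r in data]  # assumed key stream source
    enc = [xor(d, s) for d, s in zip(data, key)]
    enc_sl, key_sl = encode(enc, n), encode(key, n)
    vecs = [storage_unit(x, chosen, key_sl[x - 1], enc_sl[x - 1]) for x in chosen]
    return data, requester(vecs), requester(vecs[:-1])  # full set vs. one vector short
```

Because the code in this sketch is linear, each unit's returned vector does not depend on the key stream, and a unit holding both of its slices can XOR them to obtain its slice of the unencrypted data.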
Specification