Securely recovering stored data in a dispersed storage network

US 10,372,357 B2
Filed: 08/14/2018
Issued: 08/06/2019
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a hardware processor, the method comprises:

generating, based on a slice pre-image request from a computing device, a data pre-image by performing a pre-image function on a data slice based on a plurality of storage units indicated in the request; and

generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with a requesting entity;

wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;

wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and

wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for execution by a dispersed storage and task (DST) execution unit that includes a processor includes receiving a slice pre-image request from a computing device via a network that indicates a data slice, a requesting entity and a plurality of storage units. A data pre-image is generated by performing a pre-image function on the data slice based on the plurality of storage units. An encrypted data pre-image is generated for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with the requesting entity.

81 Citations

20 Claims

1. A method for execution by a dispersed storage and task (DST) execution unit that includes a hardware processor, the method comprises:
- generating, based on a slice pre-image request from a computing device, a data pre-image by performing a pre-image function on a data slice based on a plurality of storage units indicated in the request; and
  
  generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with a requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the slice pre-image request indicates the data slice, the requesting entity, and the plurality of storage units.
  - 3. The method of claim 1, wherein the pre-image function includes creating a vector that includes the data slice.
  - 4. The method of claim 3, wherein the pre-image function further includes creating a decode matrix based on the plurality of storage units.
  - 5. The method of claim 4, wherein the pre-image function further includes performing matrix multiplication on the vector and the decode matrix.
  - 6. The method of claim 1, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 7. The method of claim 1, further comprising generating a message authentication code based on the data slice for transmission to the computing device.
  - 8. The method of claim 1, wherein the key is established based on at least one of:
    - a public-key system or a key agreement protocol.

9. A processing system of a dispersed storage and task (DST) execution unit comprises:
- at least one hardware processor;
  
  a memory that stores operational instructions, that when executed by the at least one hardware processor cause the processing system to perform operations including;
  
  generating, based on a slice pre-image request from a computing device, a data pre-image by performing a pre-image function on a data slice based on a plurality of storage units indicated in the request; and
  
  generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a key associated with a requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The processing system of claim 9, wherein the pre-image function includes creating a vector that includes the data slice, creating a decode matrix based on the plurality of storage units, and performing matrix multiplication on the vector and the decode matrix.
  - 11. The processing system of claim 9, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 12. The processing system of claim 9, wherein the operations further include:
    - generating a message authentication code based on the data slice for transmission to the computing device.
  - 13. The processing system of claim 9, wherein the key is established based on at least one of:
    - a public-key system or a key agreement protocol.
  - 14. The processing system of claim 9, wherein the slice pre-image request indicates the data slice, the requesting entity, and the plurality of storage units.

15. A non-transitory computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by a processing system of a dispersed storage and task (DST) execution unit that includes a hardware processor and a memory, causes the processing system to perform operations including;
  
  generating, based on a slice pre-image request from a computing device, a data pre-image by performing a pre-image function on a data slice based on a plurality of storage units indicated in the request; and
  
  generating an encrypted data pre-image for transmission to the computing device by performing an encryption function on the data pre-image based on a Key associated with a requesting entity;
  
  wherein the computing device receives a plurality of encrypted data pre-images from a plurality of storage units that includes the DST execution unit for transmission to the requesting entity for decoding;
  
  wherein the requesting entity receives a plurality of storage unit identifiers corresponding to the plurality of storage units from the computing device, and wherein the requesting entity decodes the plurality of encrypted data pre-images by utilizing a plurality of unique keys, each associated with one of the plurality of storage units; and
  
  wherein the requesting entity receives a sum of the encrypted data pre-images from the computing device, and wherein decoding includes subtracting each of the plurality of unique keys from the sum of the encrypted data pre-images.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage medium of claim 15, wherein the pre-image function includes creating a vector that includes the data slice.
  - 17. The computer readable storage medium of claim 16, wherein the pre-image function further includes creating a decode matrix based on the plurality of storage units, and performing matrix multiplication on the vector and the decode matrix.
  - 18. The computer readable storage medium of claim 15, wherein generating the encryption function includes applying the key additively to the data pre-image.
  - 19. The computer readable storage medium of claim 15, wherein the operations further include generating a message authentication code based on the data slice for transmission to the computing device.
  - 20. The computer readable storage medium of claim 15, wherein the slice pre-image request indicates the data slice, the requesting entity, and the plurality of storage units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Pure Storage, Inc.
Inventors
Resch, Jason K.
Primary Examiner(s)
Chai, Longbit

Application Number

US16/102,940
Publication Number

US 20180356999A1
Time in Patent Office

357 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/3034   where the computing system ...

G06F 11/3409   for performance assessment

G06F 12/1408   by using cryptography for d...

G06F 2212/1052   Security improvement

G06F 3/061   Improving I/O performance

G06F 3/0611   in relation to response time

G06F 3/0619   in relation to data integri...

G06F 3/0622   in relation to access

G06F 3/0635   by changing the path, e.g. ...

G06F 3/0637   Permissions

G06F 3/064   Management of blocks

G06F 3/0644   Management of space entitie...

G06F 3/0659   Command handling arrangemen...

G06F 3/0665   at area level, e.g. provisi...

G06F 3/067   Distributed or networked st...

G06F 3/0689   Disk arrays, e.g. RAID, JBOD

H03M 13/1515   Reed-Solomon codes

H03M 13/3761   using code combining, i.e. ...

H04L 67/1097 : for distributed storage of ...

View All

Securely recovering stored data in a dispersed storage network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securely recovering stored data in a dispersed storage network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links