Hardware authentication in a dispersed storage network

US 10,409,771 B2
Filed: 08/06/2014
Issued: 09/10/2019
Est. Priority Date: 06/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:

receiving by the DS management unit, a device list and a hardware certificate authority (HCA) public key originating from a separate element of the DSN;

validating the device list by calculating a hash of the device list and comparing the hash to a decrypted signature;

receiving a hardware certificate from the node in the dispersed storage network (DSN);

based on a comparison of the hardware certificate to the device list,determining whether the hardware certificate is valid;

when the hardware certificate is determined to be valid, encrypting a challenge message using a public key associated with the node;

sending the challenge message to the node;

receiving a challenge response message from the node;

determining if the challenge response message is valid; and

receiving, from the node, a certificate signing request relating to the hardware certificate; and

if the challenge response message is valid, providing a signed certificate for use in authenticating the node to perform dispersed storage operations within the DSN.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a node of a dispersed storage network (DSN). In various embodiments, a dispersed storage (DS) management unit receives a device list originating from a hardware certificate authority (HCA). The HCA also provides a hardware certificate to the node. Upon receiving the hardware certificate from the node, the DS management unit determines if the certificate is valid by comparing it to information contained in the device list (such as a device ID or a serial number associated with the node). If the certificate is valid, the DS management unit sends a challenge message to the node and analyzes the resulting challenge message response to determine if it is valid. If the response is valid, the DS management unit provides a signed certificate to the node for use in authenticating the node to perform dispersed storage operations within the DSN.

86 Citations

20 Claims

1. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:
- receiving by the DS management unit, a device list and a hardware certificate authority (HCA) public key originating from a separate element of the DSN;
  
  validating the device list by calculating a hash of the device list and comparing the hash to a decrypted signature;
  
  receiving a hardware certificate from the node in the dispersed storage network (DSN);
  
  based on a comparison of the hardware certificate to the device list,determining whether the hardware certificate is valid;
  
  when the hardware certificate is determined to be valid, encrypting a challenge message using a public key associated with the node;
  
  sending the challenge message to the node;
  
  receiving a challenge response message from the node;
  
  determining if the challenge response message is valid; and
  
  receiving, from the node, a certificate signing request relating to the hardware certificate; and
  
  if the challenge response message is valid, providing a signed certificate for use in authenticating the node to perform dispersed storage operations within the DSN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20)
- - 2. The method of claim 1, wherein at least a portion of the signed certificate is encrypted utilizing a private key associated with the DS managing unit.
  - 3. The method of claim 2, wherein the certificate signing request includes at least one of a device identification (ID) associated with the node, a serial number associated with the node, a public key associated with the node, registration information, or a signature.
  - 4. The method of claim 1, wherein the hardware certificate includes at least one of a device ID or a device serial number associated with the node, wherein comparing the hardware certificate to the device list includes determining if the device list contains a corresponding device ID or device serial number.
  - 5. The method of claim 4, wherein the hardware certificate further includes an HCA signature encrypted with a private key associated with the HCA, wherein determining if the hardware certificate is valid further comprises:
    - receiving a public key associated with the HCA;
      
      generating a hash of the hardware certificate;
      
      decrypting the HCA signature utilizing the HCA public key to produce a decrypted HCA signature; and
      
      comparing the hash of the hardware certificate to the decrypted HCA signature.
  - 6. The method of claim 4, wherein the device ID provides a unique virtual identifier for hardware associated with the node, and wherein the device serial number is a unique permanent value associated with the node.
  - 7. The method of claim 1, wherein generating the challenge message includes encrypting at least a portion of the challenge message using a public key associated with the node.
  - 8. The method of claim 1, wherein the challenge message includes instructions to encrypt a portion of the challenge message utilizing a private key associated with the node.
  - 19. The method of claim 1, wherein the device list includes one or more device IDs and one or more paired device serial numbers.
  - 20. The dispersed storage (DS) managing unit of claim 8, wherein the device list includes one or more device IDs and one or more paired device serial numbers.

9. A dispersed storage (DS) managing unit comprises:
- at least one communication interface to communicate with nodes of a dispersed storage network (DSN);
  
  a memory; and
  
  a processing module coupled to the at least one communication interface and the memory, the processing module when operable in a device, causes the device to;
  
  receive, via the at least one communication interface, a device list and a hardware certificate authority (HCA) public key originating from a separate element of the DSNvalidate the device list by calculating a hash of the device list and comparing the hash to a decrypted signature;
  
  store the device list in the memory;
  
  receive, via the at least one communication interface, a hardware certificate from a node of the DSN;
  
  compare the hardware certificate to the device list to determine if the hardware certificate is valid;
  
  determine whether the hardware certificate is valid;
  
  when the hardware certificate is determined to be valid, encrypt a challenge message using a public key associated with the node; and
  
  send the challenge message to the node of the DSN.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The DS managing unit of claim 9, wherein the processing module is further configured to:
    - receive, via the at least one communication interface, a challenge response message from the node of the DSN;
      
      determine if the challenge response message is valid;
      
      receive, via the at least one communication interface, a certificate signing request relating to the hardware certificate; and
      
      if the challenge response message is valid, send a signed certificate to the node of the DSN for use in authenticating the node within the DSN.
  - 11. The DS managing unit of claim 10, wherein at least a portion of the signed certificate is encrypted utilizing a private key associated with the DS managing unit.
  - 12. The DS managing unit of claim 9, the hardware certificate includes at least one of a device identification (ID) or a device serial number associated with the node of the DSN, wherein the processing module determines that the hardware certificate is valid if the device list includes a corresponding device ID or device serial number.
  - 13. The DS managing unit of claim 12, the hardware certificate further includes an HCA signature for use in validating the hardware certificate, the HCA signature encrypted with a HCA private key, wherein the processing module is further configured to:
    - generate a hash of the hardware certificate;
      
      decrypt the HCA signature utilizing a HCA public key to produce a decrypted HCA signature; and
      
      compare the hash of the hardware certificate to the decrypted HCA signature to determine if the HCA signature is valid.
  - 14. The DS managing unit of claim 12, wherein the device ID provides a unique virtual identifier for hardware associated with the node of the DSN, and wherein the device serial number is a unique permanent value associated with the node of the DSN.
  - 15. The DS managing unit of claim 9, the processing module further configured to:
    - encrypt the challenge message using a public key associated with the node of the DSN prior to sending the challenge message to the node.
  - 16. The DS managing unit of claim 9, wherein at least a portion of the challenge message is encrypted utilizing a public key associated with the node of the DSN.
  - 17. The DS managing unit of claim 9, wherein the challenge message includes instructions to encrypt a portion of the challenge message utilizing a private key associated with the node of the DSN.

18. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:
- receiving, by the node, a hardware certificate from a separate element of the DSN;
  
  validating the hardware certificate and encrypting at least a portion of the hardware certificate utilizing a private key associated with the node;
  
  providing the hardware certificate to the DS management unit;
  
  receiving a challenge message from the DS management unit;
  
  decrypting at least a portion of the challenge message;
  
  generating a challenge response message based on the challenge message;
  
  providing the challenge response message to the DS management unit; and
  
  requesting a signed certificate from the DS management unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Pure Storage, Inc.
Inventors
Leggette, Wesley, Resch, Jason K.
Primary Examiner(s)
Harper, Eliyah S.

Application Number

US14/452,791
Publication Number

US 20140351579A1
Time in Patent Office

1,861 Days
Field of Search

707781, 707783
US Class Current
CPC Class Codes

G06F 11/0727   in a storage system, e.g. i...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/141   for bus or memory accesses

G06F 11/167   Error detection by comparin...

G06F 16/13   File access structures, e.g...

G06F 16/137   Hash-based content-based in...

G06F 21/31   User authentication

G06F 21/6209   to a single file or object,...

G06F 2211/1028   Distributed, i.e. distribut...

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/12   Applying verification of th...

H04L 67/06   specially adapted for file ...

H04L 67/1097   for distributed storage of ...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247 : involving digital signatures

H04L 9/3263 : involving certificates, e.g...

H04L 9/3271 : using challenge-response

H04W 12/041 : Key generation or derivation

H04W 12/0431 : Key distribution or pre-dis...

H04W 12/10 : Integrity

H04W 12/35 : Protecting application or s...

View All

Hardware authentication in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware authentication in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links