SECURING DATA IN A DISPERSED STORAGE NETWORK USING SECURITY SENTINAL VALUE

US 20100268938A1
Filed: 04/14/2010
Published: 10/21/2010
Est. Priority Date: 04/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method for use in a pre-data manipulator, the method comprising:

receiving a data segment at the pre-data manipulator;

combining the data segment with a sentinel value to generate a combined data segment;

encrypting the combined data segment and sentinel value using an encryption key to generate an encrypted combined data segment;

calculating a digest of the encrypted combined data segment;

generating a masked key based on the digest and the encryption key;

appending the masked key to the encrypted combined data segment to generate an encrypted package; and

transmitting the encrypted package to an encoder.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.

Citations

26 Claims

1. A method for use in a pre-data manipulator, the method comprising:
- receiving a data segment at the pre-data manipulator;
  
  combining the data segment with a sentinel value to generate a combined data segment;
  
  encrypting the combined data segment and sentinel value using an encryption key to generate an encrypted combined data segment;
  
  calculating a digest of the encrypted combined data segment;
  
  generating a masked key based on the digest and the encryption key;
  
  appending the masked key to the encrypted combined data segment to generate an encrypted package; and
  
  transmitting the encrypted package to an encoder.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - selecting both a sentinel value and an encryption key based on a security parameter.
  - 3. The method of claim 1, further comprising:
    - pre-encrypting the data segment using a private key associated with the pre-data manipulator prior to combining the data segment with the sentinel value.
  - 4. The method of claim 1, further comprising:
    - removing a portion of the encrypted package; and
      
      storing the portion in a data store.
  - 5. The method of claim 4, further comprising:
    - padding the encrypted package to replace the portion of the encrypted package.
  - 6. The method of claim 4, further comprising:
    - shrinking a size of the encrypted package by a size of the portion of the encrypted package.
  - 7. The method of claim 4, further comprising;
    - determining whether to remove the portion of the encrypted package, a size of the portion, and a location of the portion within the encrypted package

8. A method for use in a pre-data de-manipulator, the method comprising:
- receiving an encrypted package from a decoder;
  
  extracting a masked key from the encrypted package to produce an encrypted data segment;
  
  calculating a digest of the encrypted data segment;
  
  generating a recovered key using the masked key and the digest of the encrypted data segment;
  
  decrypting the encrypted data segment using the recovered key to generate a recovered data segment and a recovered sentinel value;
  
  determining an integrity of the recovered sentinel value; and
  
  outputting the recovered data segment in response to determining a favorable integrity of the recovered sentinel value.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising:
    - discarding the recovered data segment in response to determining an unfavorable integrity of the recovered sentinel value; and
      
      generating a flag indicating that the recovered data segment is unreliable.
  - 10. The method of claim 8, further comprising:
    - determining that a withheld portion of the encrypted package was withheld;
      
      obtaining the withheld portion; and
      
      reinserting the withheld portion into the encrypted package prior to extracting the masked key.
  - 11. The method of claim 8, further comprising:
    - determining that a withheld portion of the encrypted package was withheld;
      
      sending a request to receive the withheld portion;
      
      receiving an unfavorable response to the request; and
      
      determining that the integrity of the encrypted package is unfavorable based on the unfavorable response.
  - 12. The method of claim 8, further comprising:
    - determining that a withheld portion of the encrypted package was withheld;
      
      sending a request to receive the withheld portion;
      
      failing to receive a response to the request within a threshold amount of time; and
      
      marking the encrypted package as unavailable based on the failing to receive a response.
  - 13. The method of claim 8, further comprising:
    - decrypting the recovered data segment using a private key associated with the pre-data de-manipulator prior to outputting the recovered data segment.

14. A pre-data manipulator comprising:
- processing circuitry to;
  
  combine a data segment with a sentinel value to generate a combined data segment;
  
  encrypt the combined data segment using an encryption key to generate an encrypted combined data segment;
  
  calculate a digest of the encrypted combined data segment;
  
  generate a masked key based on the digest and the encryption key;
  
  append the masked key to the encrypted combined data segment to generate an encrypted package; and
  
  an output to transmit the encrypted package to an encoder.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The pre-data manipulator of claim 14, further comprising:
    - the processor further to select both a sentinel value and an encryption key based on a security parameter.
  - 16. The pre-data manipulator of claim 14, further comprising:
    - the processor further to pre-encrypt the data segment using a private key associated with the apparatus prior to combining the data segment with the sentinel value.
  - 17. The pre-data manipulator of claim 14, further comprising:
    - the processor further to;
      
      remove a portion of the encrypted package; and
      
      store the portion in a data store.
  - 18. The pre-data manipulator of claim 17, further comprising:
    - the processor further to pad the encrypted package to replace the portion of the encrypted package.
  - 19. The pre-data manipulator of claim 17, further comprising:
    - the processor further to shrink a size of the encrypted package by a size of the portion of the encrypted package.
  - 20. The pre-data manipulator of claim 17, further comprising:
    - the processor further to determine whether to remove the portion of the encrypted package, a size of the portion to be removed, and a location of the portion within the encrypted package

21. A pre-data de-manipulator comprising:
- processing circuitry to;
  
  extract a masked key from the encrypted package to produce an encrypted data segment;
  
  calculate a digest of the encrypted data segment;
  
  generate a recovered key using the masked key and the digest of the encrypted data segment;
  
  decrypt the encrypted data segment using the recovered key to generate a recovered data segment and a recovered sentinel value;
  
  determine an integrity of the recovered sentinel value; and
  
  an output to provided the recovered data segment in response to a favorable integrity of the recovered sentinel value.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The pre-data de-manipulator of claim 21, further comprising:
    - the processing circuitry to;
      
      discard the recovered data segment in response to an unfavorable integrity of the recovered sentinel value; and
      
      generate a flag indicating that the recovered data segment is unreliable.
  - 23. The pre-data de-manipulator of claim 21, further comprising:
    - the processing circuitry to determine that a withheld portion of the encrypted package was withheld;
      
      an input to obtain the withheld portion; and
      
      the processing circuitry further to reinsert the withheld portion into the encrypted package prior to extracting the masked key.
  - 24. The pre-data de-manipulator of claim 21, further comprising:
    - the processing circuitry to determine that a withheld portion of the encrypted package was withheld;
      
      a communications interface to send a request to receive the withheld portion, and receive an unfavorable response to the request; and
      
      the processing circuitry further to determine the integrity of the encrypted package is unfavorable based on the unfavorable response.
  - 25. The pre-data de-manipulator of claim 21, further comprising:
    - the processing circuitry to determine that a withheld portion of the encrypted package was withheld;
      
      a communications interface to send a request to receive the withheld portion;
      
      the processing circuitry further to;
      
      determine that a response to the request was not received within a threshold amount of time; and
      
      mark the encrypted package as unavailable.
  - 26. The pre-data de-manipulator of claim 21, further comprising:
    - a decryption engine to decrypt the recovered data segment using a private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
RESCH, JASON K.

Granted Patent

US 8,601,259 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 2209/20   Manipulating the length of ...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/603   Digital right managament [DRM]

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/0897   involving additional device...

H04L 9/3236   using cryptographic hash fu...

SECURING DATA IN A DISPERSED STORAGE NETWORK USING SECURITY SENTINAL VALUE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING DATA IN A DISPERSED STORAGE NETWORK USING SECURITY SENTINAL VALUE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links