VERIFICATION OF DISPERSED STORAGE NETWORK ACCESS CONTROL INFORMATION

US 20110055578A1
Filed: 04/14/2010
Published: 03/03/2011
Est. Priority Date: 08/27/2009
Status: Active Grant

First Claim

Patent Images

1. A method for protecting access control list information when the access control list information is communicated from a dispersed storage managing unit that is adapted to be coupled to a network, the method comprising the steps of:

combining access control list store information and clock information to create combined information, the access control list store information containing data that allows for authentication of at least one of;

system users;

user transactions; and

user access to system resources across the network;

processing the combined information via a hash function to create a hash output;

processing the hash output and security key data via an encryption algorithm to create an encrypted signature output;

combining the encrypted signature output and the combined information to create an access control list publish object; and

preparing to distribute the access control list publish object external to the dispersed storage managing unit for processing by external system elements over the network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a dispersed storage network access control list information must be occasionally written out to system units across the network. A dispersed storage (DS) managing unit (18) combines (204) the access control list information with a clock stamp and hashes (206) that combined output. An encryptor (208) encrypts a security key (210) and the hash output to obtain a signature. A combiner (212) combines the signature and the output of combiner (204) and outputs to a publisher (214). Upon receipt of the output of the publisher (214) a dispersed storage unit (44) can reverse process and securely validate the access control list information provided by the publisher (214) to receive and store updated and valid access control list information. This processing is performed by the unit (44) using parsers (216), caches (218 and 228), hash operations (224), decryptors (222), comparators (226), logic (230), and key stores (220).

Citations

20 Claims

1. A method for protecting access control list information when the access control list information is communicated from a dispersed storage managing unit that is adapted to be coupled to a network, the method comprising the steps of:
- combining access control list store information and clock information to create combined information, the access control list store information containing data that allows for authentication of at least one of;
  
  system users;
  
  user transactions; and
  
  user access to system resources across the network;
  
  processing the combined information via a hash function to create a hash output;
  
  processing the hash output and security key data via an encryption algorithm to create an encrypted signature output;
  
  combining the encrypted signature output and the combined information to create an access control list publish object; and
  
  preparing to distribute the access control list publish object external to the dispersed storage managing unit for processing by external system elements over the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the dispersed storage managing unit prepares to output the access control list publish object to a publisher external to the storage manager control unit, the publisher being used to further route the access control list publish object across the network.
  - 3. The method of claim 2 wherein the publisher is a one to many switch that is coupled to but separate from the dispersed storage managing unit and has no data access path back into the dispersed storage managing unit.
  - 4. The method of claim 2 wherein the publisher is coupled outside of a firewall protection layer of the dispersed storage managing unit.
  - 5. The method of claim 2 wherein the publisher is not granted access to certain private and public security keys used across the network by external system elements.
  - 6. The method of claim 1 wherein access control list store information is used over the network to process a plurality of data slices in a hierarchical memory structure accessible over the network to assist external system elements to perform one of either:
    - (i) a read of user data where the data slices are authorized to be extracted from across the network and reassembled from multiple memory locations across the network into unified and useable user data for the user;
      
      or (ii) a write of user data across the network where the data slices are authorized to be processed for data recovery and authorized to be written across the network across multiple different memory devices.

7. A method for processing incoming access control list information communicated into a dispersed storage unit that is adapted to be coupled to a network, the method comprising the steps of:
- receiving input information containing an encrypted signature and access control list information and parsing the encrypted signature from the access control list information;
  
  decrypting the encrypted signature to obtain decrypted signature information;
  
  hash processing the access control list information, which contains both access control list information and clock information, to obtain a hash output;
  
  comparing the hash output to the decrypted signature information to output data validation signals;
  
  processing the data validation signals along with the clock information and the access control list information to ensure the validity of the access control list information upon receipt by the dispersed storage unit; and
  
  storing the access control list information in memory associated with the dispersed storage unit if the access control list information is valid, the access control list information allowing users to process dispersed data storage transactions over the network, where dispersed storage transactions are designed to process user data via data slices that are dispersed across a plurality of storage devices over the network.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7 wherein the dispersed storage unit caches encrypted signatures over time.
  - 9. The method of claim 7 wherein the dispersed storage unit caches access control list information over time to create cached information.
  - 10. The method of claim 9 wherein each entry of the cached information contains access control list information and the clock information in a hashed format.
  - 11. The method of claim 7 wherein access control list information is used over the network by the dispersed storage unit to process a plurality of data slices in a hierarchical memory structure accessible over the network to assist in performing one of either:
    - (i) a read of user data where the data slices are authorized to be extracted from across the network and reassembled from multiple memory locations across the network into unified and useable user data for the user;
      
      or (ii) a write of user data across the network where the data slices are authorized to be processed for data recovery and authorized to be written across the network across multiple different memory devices.

12. A dispersed storage (DS) unit comprising:
- a network interface adapted to be coupled to a network; and
  
  a processing module having a computing core coupled to memory, the processing module being coupled to the network interface and being operable to;
  
  receiving an access control publish list;
  
  parsing the access control publish list to obtain a signature and an access control list information and clock information, the access control list information allowing users that have access to the dispersed storage unit to process dispersed data storage transactions over the network interface, where dispersed storage transactions are designed to process user data that has been sliced into slices and dispersed across a plurality of storage devices, at least one of the plurality of storage devices being accessible via the network interface;
  
  decrypting the signature to obtain a decrypted signature;
  
  hash processing the access control list information and clock information to obtain a hash output;
  
  comparing the decrypted signature to the hash output; and
  
  storing the access control list information in memory associated with the dispersed storage unit if the access control list information is determined to be valid via the step of comparing.
- View Dependent Claims (13, 14, 15)
- - 13. The dispersed storage (DS) unit of claim 12 wherein the dispersed storage unit caches signatures over time in a signature cache.
  - 14. The dispersed storage (DS) unit of claim 12 wherein the dispersed storage unit caches access control list information and clock information in a data cache.
  - 15. The dispersed storage (DS) unit of claim 12 wherein access control list information is used by the dispersed storage unit to process a plurality of data slices in a hierarchical memory structure accessible through the network interface to assist in performing one of either:
    - (i) a read of user data where the data slices are authorized to be extracted using the network interface and reassembled from multiple memory locations across the network into unified and useable user data for the user;
      
      or (ii) a write of user data using the network where the data slices are authorized to be processed for data recovery and authorized to be written through the network interface across multiple different memory devices.

16. A dispersed storage (DS) managing unit adapted to be coupled to a network, the dispersed storage managing unit comprising:
- a network interface adapted to be coupled to the network; and
  
  a processing module having a computing core coupled to memory, the processing module being coupled to the network interface and being operable to;
  
  combining access control list information and clock information to create a combined output, the access control list information being created to allow user transactions to process dispersed data storage slices over the network interface and across the network;
  
  hash processing the combined output to create a hash output;
  
  encrypting a security key to create a signature using the security key and the hash output;
  
  combining the signature and the combined output to create a network output; and
  
  transmitting the network output over through the network interface.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The dispersed storage (DS) managing unit of claim 16 wherein access control list information is used by the dispersed storage unit to process a plurality of data slices in a hierarchical memory structure accessible through the network interface to assist in performing one of either:
    - (i) a read of user data where the data slices are authorized to be extracted using the network interface and reassembled from multiple memory locations across the network into unified and useable user data for the user;
      
      or (ii) a write of user data using the network where the data slices are authorized to be processed for data recovery and authorized to be written through the network interface across multiple different memory devices.
  - 18. The dispersed storage (DS) managing unit of claim 16 wherein the wherein the dispersed storage managing unit prepares to output the network output to a publisher external to the storage manager control unit for routing to a plurality of external slice storage system elements via the publisher.
  - 19. The dispersed storage (DS) managing unit of claim 18 wherein the publisher does not have access to the security key in a non-encrypted format.
  - 20. The dispersed storage (DS) managing unit of claim 18 wherein the wherein the publisher is located outside firewall protection of the dispersed storage (DS) managing unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
RESCH, JASON K.

Granted Patent

US 8,560,855 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1024   Identification of the type ...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 12/1483   using an access-table, e.g....

G06F 13/00   Interconnection of, or tran...

G06F 15/16   Combinations of two or more...

G06F 16/00   Information retrieval; Data...

G06F 21/44   Program or device authentic...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 9/32   including means for verifyi...

H04L 9/3297   involving time stamps, e.g....

VERIFICATION OF DISPERSED STORAGE NETWORK ACCESS CONTROL INFORMATION

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VERIFICATION OF DISPERSED STORAGE NETWORK ACCESS CONTROL INFORMATION

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links