VERIFICATION OF DISPERSED STORAGE NETWORK ACCESS CONTROL INFORMATION
First Claim
1. A method for protecting access control list information when the access control list information is communicated from a dispersed storage managing unit that is adapted to be coupled to a network, the method comprising the steps of:
- combining access control list store information and clock information to create combined information, the access control list store information containing data that allows for authentication of at least one of;
system users;
user transactions; and
user access to system resources across the network;
processing the combined information via a hash function to create a hash output;
processing the hash output and security key data via an encryption algorithm to create an encrypted signature output;
combining the encrypted signature output and the combined information to create an access control list publish object; and
preparing to distribute the access control list publish object external to the dispersed storage managing unit for processing by external system elements over the network.
5 Assignments
0 Petitions
Accused Products
Abstract
In a dispersed storage network access control list information must be occasionally written out to system units across the network. A dispersed storage (DS) managing unit (18) combines (204) the access control list information with a clock stamp and hashes (206) that combined output. An encryptor (208) encrypts a security key (210) and the hash output to obtain a signature. A combiner (212) combines the signature and the output of combiner (204) and outputs to a publisher (214). Upon receipt of the output of the publisher (214) a dispersed storage unit (44) can reverse process and securely validate the access control list information provided by the publisher (214) to receive and store updated and valid access control list information. This processing is performed by the unit (44) using parsers (216), caches (218 and 228), hash operations (224), decryptors (222), comparators (226), logic (230), and key stores (220).
-
Citations
20 Claims
-
1. A method for protecting access control list information when the access control list information is communicated from a dispersed storage managing unit that is adapted to be coupled to a network, the method comprising the steps of:
-
combining access control list store information and clock information to create combined information, the access control list store information containing data that allows for authentication of at least one of;
system users;
user transactions; and
user access to system resources across the network;processing the combined information via a hash function to create a hash output; processing the hash output and security key data via an encryption algorithm to create an encrypted signature output; combining the encrypted signature output and the combined information to create an access control list publish object; and preparing to distribute the access control list publish object external to the dispersed storage managing unit for processing by external system elements over the network. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method for processing incoming access control list information communicated into a dispersed storage unit that is adapted to be coupled to a network, the method comprising the steps of:
-
receiving input information containing an encrypted signature and access control list information and parsing the encrypted signature from the access control list information; decrypting the encrypted signature to obtain decrypted signature information; hash processing the access control list information, which contains both access control list information and clock information, to obtain a hash output; comparing the hash output to the decrypted signature information to output data validation signals; processing the data validation signals along with the clock information and the access control list information to ensure the validity of the access control list information upon receipt by the dispersed storage unit; and storing the access control list information in memory associated with the dispersed storage unit if the access control list information is valid, the access control list information allowing users to process dispersed data storage transactions over the network, where dispersed storage transactions are designed to process user data via data slices that are dispersed across a plurality of storage devices over the network. - View Dependent Claims (8, 9, 10, 11)
-
-
12. A dispersed storage (DS) unit comprising:
-
a network interface adapted to be coupled to a network; and a processing module having a computing core coupled to memory, the processing module being coupled to the network interface and being operable to; receiving an access control publish list; parsing the access control publish list to obtain a signature and an access control list information and clock information, the access control list information allowing users that have access to the dispersed storage unit to process dispersed data storage transactions over the network interface, where dispersed storage transactions are designed to process user data that has been sliced into slices and dispersed across a plurality of storage devices, at least one of the plurality of storage devices being accessible via the network interface; decrypting the signature to obtain a decrypted signature; hash processing the access control list information and clock information to obtain a hash output; comparing the decrypted signature to the hash output; and storing the access control list information in memory associated with the dispersed storage unit if the access control list information is determined to be valid via the step of comparing. - View Dependent Claims (13, 14, 15)
-
-
16. A dispersed storage (DS) managing unit adapted to be coupled to a network, the dispersed storage managing unit comprising:
-
a network interface adapted to be coupled to the network; and a processing module having a computing core coupled to memory, the processing module being coupled to the network interface and being operable to; combining access control list information and clock information to create a combined output, the access control list information being created to allow user transactions to process dispersed data storage slices over the network interface and across the network; hash processing the combined output to create a hash output; encrypting a security key to create a signature using the security key and the hash output; combining the signature and the combined output to create a network output; and transmitting the network output over through the network interface. - View Dependent Claims (17, 18, 19, 20)
-
Specification