AUTHENTICATING USE OF A DISPERSED STORAGE NETWORK

US 20110055903A1
Filed: 04/14/2010
Published: 03/03/2011
Est. Priority Date: 08/27/2009
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating, through use of a dispersed storage managing unit, a user transaction initiated within a dispersed storage network, the method comprising:

receiving a first authentication request from external to the dispersed storage managing unit, the first authentication request containing information pertaining to a user that is requesting the user transaction;

accessing a realm authentication list among a plurality of realm authentication lists stored in association with the dispersed storage managing unit;

using realm information from the realm authentication list within the dispersed storage managing unit to validate the user as a valid user of the dispersed storage network;

receiving a second authentication request from external to the dispersed storage managing unit, the second authentication request seeking authentication to process user data in a certain manner to further the user transaction;

accessing access control list store information and user permission information to validate if the valid user can properly engage in the user transaction; and

authorizing the continuation of the user transaction if the user is a valid user and the user transaction is a valid transaction for the valid user.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At least one dispersed storage (DS) processing unit (14), at least one dispersed storage managing unit (18), and at least one dispersed storage unit (44) communicate with each other over a network (20) to authenticate and process a user data transaction within dispersed memory in a dispersed storage network. In a data operation, the DS processing unit (14) first received the request. The unit (14) uses stored security information (80 and 84) to validate that the user requesting the user transaction is a valid user. The unit (18) processes the user transaction to further authenticate that the user is valid and the user transaction requested by the user is proper. Finally, the unit (44) again received user transaction information and performs another authentication to ensure that the distributed network data slices can be properly processed by this user and this user transaction.

Citations

26 Claims

1. A method for authenticating, through use of a dispersed storage managing unit, a user transaction initiated within a dispersed storage network, the method comprising:
- receiving a first authentication request from external to the dispersed storage managing unit, the first authentication request containing information pertaining to a user that is requesting the user transaction;
  
  accessing a realm authentication list among a plurality of realm authentication lists stored in association with the dispersed storage managing unit;
  
  using realm information from the realm authentication list within the dispersed storage managing unit to validate the user as a valid user of the dispersed storage network;
  
  receiving a second authentication request from external to the dispersed storage managing unit, the second authentication request seeking authentication to process user data in a certain manner to further the user transaction;
  
  accessing access control list store information and user permission information to validate if the valid user can properly engage in the user transaction; and
  
  authorizing the continuation of the user transaction if the user is a valid user and the user transaction is a valid transaction for the valid user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the realm authentication list is organized within the plurality of realm authentication lists such that the realm authentication list is accessed using user identification information and the realm authentication list can identify what memory areas of the dispersed storage network are available to the user.
  - 3. The method of claim 1 wherein the dispersed storage managing unit contains a permissions list containing user permission information that indicates which of the plurality of realm authentication lists is associated with the user.
  - 4. The method of claim 1 wherein step of the authorizing the continuation of the user transaction involves authorizing that one of either:
    - (i) a read of user data can occur where slices of data are authorized to be extracted from the dispersed storage network and reassembled from multiple memory locations into unified and useable user data for the user;
      
      or (ii) a write of user data into the dispersed storage network can occur where slices of data are authorized to be processed for data recovery and authorized to be written into the dispersed storage network across multiple different memory devices.
  - 5. The method of claim 1 wherein the step of authorizing the continuation of the user transaction if the user is a valid user and the user transaction is a valid transaction for the valid user is performed by the dispersed storage managing unit.
  - 6. The method of claim 1 wherein the step of authorizing the continuation of the user transaction if the user is a valid user and the user transaction is a valid transaction for the valid user is performed external to the dispersed storage managing unit.

7. A dispersed storage managing unit adapted to be coupled to a network, the dispersed storage managing unit comprising:
- input/output interface circuitry adapted to be coupled to the network;
  
  at least one realm authentication list stored in memory within the dispersed storage managing unit, wherein the at least one realm authentication list stores user information for at least one user that has registered for dispersed storage (DS) services, the user information being processed in response to user authentication requests that are received from the input/output interface circuitry to validate the at least one user as a valid dispersed storage user when the at least one user initiates dispersed data transactions;
  
  a certificate authority unit programmed to authenticate at least one dispersed storage unit on the network in response to a signal received via the input/output interface circuitry; and
  
  at least one permissions list coupled for communicating with the certificate authority unit and the input/output interface circuitry, the at least one permissions list containing permission information for the at least one user to allow the dispersed storage managing unit to authorize the continuation of dispersed data transactions requested by a valid dispersed storage user when the dispersed data transactions are deemed valid operations for the valid dispersed storage user.
- View Dependent Claims (8, 9, 10)
- - 8. The dispersed storage management unit of claim 7 wherein the dispersed storage managing unit outputs the permission information to the input/output interface circuitry for local storage external to the dispersed storage management unit in response to a dispersal request received by the input/output interface circuitry.
  - 9. The dispersed storage management unit of claim 7 wherein the at least one realm authentication list is organized within a plurality of distinct realm authentication lists whereby one realm authentication list is accessed using a user identification code and each realm authentication list within the plurality of distinct realm authentication lists can identify what memory portions of the dispersed storage network are available to the at least one user associated with that realm authentication list.
  - 10. The dispersed managing unit of claim 7 wherein dispersed managing unit authorizes that one of either:
    - (i) a read of user data can occur where slices of data are authorized to be extracted from the dispersed storage network and reassembled from multiple memory locations into unified and useable user data for the user;
      
      or (ii) a write of user data into the dispersed storage network can occur where slices of data are authorized to be processed for data recovery and authorized to be written into the dispersed storage network across multiple different memory devices.

11. A method for authenticating, through use of a dispersed storage processing unit, a user transaction initiated within a dispersed storage network, the method comprising:
- receiving a transaction request from external to the dispersed storage processing unit, the transaction request containing user information pertaining to a user that is requesting the user transaction;
  
  using the user information to reference locally stored permissions to determine if the user is a valid user;
  
  outputting, from the dispersed storage processing unit, an authentication request to further validate the user and the user transaction;
  
  receiving either favorable or unfavorable validation from external to the dispersed storage processing unit;
  
  determining, when validation is favorable, one or more distributed storage network addresses that allow for further processing of the user transaction and outputting a user transaction continuation request to enable continued processing of the user transaction using the one or more distributed storage network addresses; and
  
  generating, when validation is unfavorable, and error message and outputting the error message external to the dispersed storage processing unit and engaging security check measures in response to the validation that was unfavorable.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 wherein the request of the user transaction results in the dispersed storage processing unit authorizing that one of either:
    - (i) a read of user data can occur where slices of data are authorized to be extracted from the dispersed storage network and reassembled from multiple memory locations into unified and useable user data for the user;
      
      or (ii) a write of user data into the dispersed storage network can occur where slices of data are authorized to be processed for data recovery and authorized to be written into the dispersed storage network across multiple different memory devices.
  - 13. The method of claim 11 wherein the transaction request contains a user identifier, a filename, and a user password.
  - 14. The method of claim 11 wherein the transaction request contains a source IP identifier, a block number, and a block device identifier.

15. A dispersed storage processing unit adapted to be coupled to a network, the dispersed storage processing unit comprising:
- at least one interface circuitry adapted to be coupled to the network;
  
  a computing core and program memory for receiving incoming user transactions, enabling security checks within the dispersed storage processing unit associated with the incoming user transactions, creating and outputting authentication requests to the at least one interface circuitry for the incoming user transactions, receiving and processing authentication request responses from external to the incoming user transactions, and collecting dispersed storage network authentication and addressing information for output via the at least one interface circuitry for use by external dispersed storage network resources; and
  
  local memory for storing a local permissions list received from external to the dispersed storage processing unit, where the local permissions list allows the dispersed storage processing unit to validate incoming user transactions and output valid addressing information to the at least one interface circuitry to enable continuation of incoming user transactions.
- View Dependent Claims (16, 17, 18)
- - 16. The dispersed storage processing unit of claim 15 wherein one of the incoming user transaction results in the dispersed storage processing unit authorizing that one of either:
    - (i) a read of user data can occur where slices of data are authorized to be extracted from the dispersed storage network and reassembled from multiple memory locations into unified and useable user data for the user;
      
      or (ii) a write of user data into the dispersed storage network can occur where slices of data are authorized to be processed for data recovery and authorized to be written into the dispersed storage network across multiple different memory devices.
  - 17. The dispersed storage processing unit of claim 15 wherein the incoming user transactions are enabled by an incoming user transaction request into the at least one interface circuitry wherein the incoming user transaction request contains a user identifier, a filename and a user password.
  - 18. The dispersed storage processing unit of claim 15 wherein the incoming user transactions are enabled by an incoming user transaction request into the at least one interface circuitry wherein the incoming user transaction request contains a source IP identifier, a block number, and a block device identifier.

19. A method for authenticating, through use of a dispersed storage unit, a user transaction initiated within a dispersed storage network, the method comprising:
- receiving a transaction request from external to the dispersed storage unit, the transaction request containing user information pertaining to the user transaction that was previously subject to authentication processing by another unit within the dispersed storage network;
  
  using the user information to reference a locally stored permissions to determine at least one of;
  
  (i) if the user is a valid user; and
  
  (ii) the user transaction is a valid transaction for the user;
  
  outputting from the dispersed storage unit an authentication request to further validate the user and the user transaction;
  
  receiving either favorable or unfavorable validation from external to the dispersed storage unit;
  
  processing, when validation is favorable, a plurality of data slices in a hierarchical memory structure accessible by the dispersed storage unit to enable one of either;
  
  (i) a read of user data where the data slices are authorized to be extracted from the dispersed storage network and reassembled from multiple memory locations in the dispersed storage network into unified and useable user data for the user;
  
  or (ii) a write of user data into the dispersed storage network where the data slices are authorized to be written into the dispersed storage network across multiple different memory devices; and
  
  generating, when validation is unfavorable, and error message and outputting the error message external to the dispersed storage unit and engaging security check measures in response to the validation that was unfavorable.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19 wherein the dispersed storage unit uses encryption/decryption operations, hash operations, and time stamp information to perform the step of processing.
  - 21. The method of claim 19 wherein the transaction request contains a user identifier, at least one data storage network address associated with the user transaction, a user password, and at least one certification of a prior unit that processed the user transaction, whereby this information is used to process the user transaction within the dispersed storage unit.
  - 22. The method of claim 19 wherein the dispersed storage unit requests and stores at least one permission list in local memory associated with the dispersed storage unit, the at least one permission list containing information that allows the dispersed storage until to perform at least one of:
    - (i) locally authenticating a portion of the user transaction; and
      
      (ii) outputting the authentication request in a proper manner.

23. A dispersed storage unit adapted to be coupled to a network, the dispersed storage unit comprising:
- at least one interface circuitry adapted to be coupled to a network;
  
  a computing core and program memory for receiving incoming user transaction information, enabling security checks within the dispersed storage unit associated with incoming user transactions, creating and outputting authentication requests to the at least one interface circuitry for the incoming user transactions, receiving and processing authentication request responses from external to the incoming user transactions, and collecting dispersed storage network authentication and addressing information that enables processing of user data slices read from or written to storage within the dispersed storage network; and
  
  local memory for storing a local permissions list received from external to the dispersed storage unit, where the local permissions list allows the dispersed storage unit to validate incoming user transactions and output valid addressing information to the at least one interface circuitry to enable secure reading and writing of user data to the dispersed storage network.
- View Dependent Claims (24, 25, 26)
- - 24. The dispersed storage unit of claim 23 wherein the dispersed storage unit uses encryption/decryption operations, hash operations, and time stamp information to authenticate and further process the incoming user transactions once authenticated.
  - 25. The dispersed storage unit of claim 23 wherein the incoming user transactions contain a user identifier, at least one data storage network address associated with the incoming user transaction, a user password, and at least one certification of a prior unit that processed the incoming user transaction, whereby this information is used to process the incoming user transaction within the dispersed storage unit.
  - 26. The dispersed storage unit of claim 23 wherein the dispersed storage unit requests and stores at least one permission list in local memory associated with the dispersed storage unit, the at least one permission list containing information that allows the dispersed storage unit to perform at least one of:
    - (i) locally authenticating a portion of the user transaction; and
      
      (ii) outputting the authentication request in a proper manner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
LEGGETTE, WESLEY

Granted Patent

US 8,468,609 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1024   Identification of the type ...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 12/1483   using an access-table, e.g....

G06F 13/00   Interconnection of, or tran...

G06F 15/16   Combinations of two or more...

G06F 16/00   Information retrieval; Data...

G06F 21/44   Program or device authentic...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 9/32   including means for verifyi...

H04L 9/3297   involving time stamps, e.g....

AUTHENTICATING USE OF A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATING USE OF A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links