SECURING DATA IN A DISPERSED STORAGE NETWORK

US 20140359276A1
Filed: 04/18/2014
Published: 12/04/2014
Est. Priority Date: 05/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

a first set of steps performed by a first computing unit of a dispersed storage network (DSN) includes;

converting an encryption key into a key stream;

encrypting data based on the key stream and an encryption function to produce encrypted data;

dispersed storage error encoding the key stream to produce a set of encoded key stream slices;

dispersed storage error encoding the encrypted data to produce a set of encoded and encrypted data slices; and

outputting the set of encoded key stream slices and the set of encoded and encrypted data slices to storage units of the DSN for storage therein;

a second set of steps performed by one of the storage units includes;

receiving a retrieval request regarding an encoded key stream slice of the set of encoded key stream slices and an encoded and encrypted data slice of the set of encoded and encrypted data slices;

partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector;

partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector; and

partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector; and

a third set of steps performed by a second computing unit of the DSN includes;

receiving partially decrypted and decoded data vectors in response to sent retrieval requests that includes the retrieval request; and

reproducing, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on a function in accordance with the encryption function.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a source processing module securing data based on a key stream to produce secured data, where the key stream is derived from a unilateral encryption key accessible only to the source processing module, and sending the secure data to an intermediator processing module, where desecuring the secured data is divided into two partial desecuring stages. The method continues with the intermediator processing module partially desecuring the secure data in accordance with a first partial desecuring stage to produce partially desecured data and sending the partially desecured data to a destination processing module. The method continues with the destination processing module further partially desecuring the partially desecured data in accordance with a second desecuring stage to recover the data, where the destination processing module does not have access to the encryption key or to the key stream.

Citations

20 Claims

1. A method comprises:
- a first set of steps performed by a first computing unit of a dispersed storage network (DSN) includes;
  
  converting an encryption key into a key stream;
  
  encrypting data based on the key stream and an encryption function to produce encrypted data;
  
  dispersed storage error encoding the key stream to produce a set of encoded key stream slices;
  
  dispersed storage error encoding the encrypted data to produce a set of encoded and encrypted data slices; and
  
  outputting the set of encoded key stream slices and the set of encoded and encrypted data slices to storage units of the DSN for storage therein;
  
  a second set of steps performed by one of the storage units includes;
  
  receiving a retrieval request regarding an encoded key stream slice of the set of encoded key stream slices and an encoded and encrypted data slice of the set of encoded and encrypted data slices;
  
  partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector;
  
  partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector; and
  
  partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector; and
  
  a third set of steps performed by a second computing unit of the DSN includes;
  
  receiving partially decrypted and decoded data vectors in response to sent retrieval requests that includes the retrieval request; and
  
  reproducing, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on a function in accordance with the encryption function.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the encryption function comprises:
    - an exclusive OR function.
  - 3. The method of claim 1, wherein the partially dispersed storage error decoding the encoded key stream slice to produce the partially decoded key stream vector comprises:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded key stream vector based on the square matrix and the encoded key stream slice.
  - 4. The method of claim 1, wherein the partially dispersed storage error decoding the encoded and encrypted data slice to produce the partially decoded and encrypted data vector comprises:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded and encrypted data vector based on the square matrix and the encoded and encrypted data slice.
  - 5. The method of claim 1, wherein the partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce the partially decrypted and decoded data vector comprises:
    - exclusive ORing the partially decoded and encrypted data vector with the partially decoded key stream vector to produce the partially decrypted and decoded data vector.
  - 6. The method of claim 1, wherein the reproducing, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on the function in accordance with the encryption function comprises:
    - exclusive ORing the partially decrypted and decoded data vectors to reproduce the data.

7. A method comprises:
- securing, by a source processing module, data based on a key stream and in accordance with at least one securing function to produce secured data, wherein the key stream is derived from a unilateral encryption key accessible only to the source processing module;
  
  sending, by the source processing module, the secure data to an intermediator processing module, wherein desecuring the secured data is divided into two partial desecuring stages;
  
  partially desecuring, by the intermediator processing module, the secure data in accordance with a first partial desecuring stage of the two partial desecuring stages to produce partially desecured data;
  
  sending, by the intermediator processing module, the partially desecured data to a destination processing module; and
  
  further partially desecuring, by the destination processing module, the partially desecured data in accordance with a second desecuring stage of the two partial desecuring stages to recover the data, wherein the destination processing module does not have access to the encryption key or to the key stream.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein the securing the data comprises:
    - exclusive ORing the data with the key stream to produce encrypted data; and
      
      dispersed storage error encoding the encrypted data to produce a set of encoded data slices as the secure data.
  - 9. The method of claim 7, wherein the partially desecuring the secure data comprises:
    - partially decoding the secure data to produce partially desecured data;
      
      partially decoding secured information regarding the key stream to produce partially desecured key stream; and
      
      exclusive ORing the partially desecured data and the partially desecured key stream to produce the partially desecured data.
  - 10. The method of claim 7, wherein the further partially desecuring the partially desecured data comprises:
    - separating the partially desecured data into partially desecured data vectors; and
      
      exclusive ORing the partially desecured data vectors to produce the recovered data.

11. A computer readable storage medium comprises:
- a first memory section that stores operational instructs that, when executed by one or more processing modules of a first computing device of a dispersed storage network (DSN), causes the first computing device to;
  
  convert an encryption key into a key stream;
  
  encrypt data based on the key stream and an encryption function to produce encrypted data;
  
  dispersed storage error encode the key stream to produce a set of encoded key stream slices;
  
  dispersed storage error encode the encrypted data to produce a set of encoded and encrypted data slices; and
  
  output the set of encoded key stream slices and the set of encoded and encrypted data slices to storage units of the DSN for storage therein;
  
  a second memory section that stores operational instructs that, when executed by one or more processing modules of one of the storage units of the DSN, causes the one of the storage units to;
  
  receive a retrieval request regarding an encoded key stream slice of the set of encoded key stream slices and an encoded and encrypted data slice of the set of encoded and encrypted data slices;
  
  partially dispersed storage error decode the encoded key stream slice to produce a partially decoded key stream vector;
  
  partially dispersed storage error decode the encoded and encrypted data slice to produce a partially decoded and encrypted data vector; and
  
  partially decrypt the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector; and
  
  a third memory section that stores operational instructs that, when executed by one or more processing modules of a second computing device of the DSN, causes the second computing device to;
  
  receive partially decrypted and decoded data vectors in response to sent retrieval requests that includes the retrieval request; and
  
  reproduce, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on a function in accordance with the encryption function.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer readable storage medium of claim 11, wherein the encryption function comprises:
    - an exclusive OR function.
  - 13. The computer readable storage medium of claim 11, wherein the one or more processing modules of the one of the storage units functions to execute the operational instructions stored by the second memory section to cause the one of the storage units to partially dispersed storage error decode the encoded key stream slice to produce the partially decoded key stream vector by:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded key stream vector based on the square matrix and the encoded key stream slice.
  - 14. The computer readable storage medium of claim 11, wherein the one or more processing modules of the one of the storage units functions to execute the operational instructions stored by the second memory section to cause the one of the storage units to partially dispersed storage error decode the encoded and encrypted data slice to produce the partially decoded and encrypted data vector by:
    - obtaining a square matrix, wherein the square matrix is derived from an encoding matrix of the dispersed storage error encoding; and
      
      generating the partially decoded and encrypted data vector based on the square matrix and the encoded and encrypted data slice.
  - 15. The computer readable storage medium of claim 11, wherein the one or more processing modules of the one of the storage units functions to execute the operational instructions stored by the second memory section to cause the one of the storage units to partially decrypt the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce the partially decrypted and decoded data vector by:
    - exclusive ORing the partially decoded and encrypted data vector with the partially decoded key stream vector to produce the partially decrypted and decoded data vector.
  - 16. The computer readable storage medium of claim 11, wherein the one or more processing modules of the second computing device functions to execute the operational instructions stored by the third memory section to cause the second computing device to reproduce, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on the function in accordance with the encryption function by:
    - exclusive ORing the partially decrypted and decoded data vectors to reproduce the data.

17. A computer readable storage medium comprises:
- a first memory section that stores operational instructs that, when executed by a source processing module of one or more processing modules of one or more computing devices of a dispersed storage network (DSN), causes the one or more computing devices to;
  
  secure data based on a key stream and in accordance with at least one securing function to produce secured data, wherein the key stream is derived from a unilateral encryption key accessible only to the source processing module; and
  
  send the secure data to an intermediator processing module of the one or more processing modules, wherein desecuring the secured data is divided into two partial desecuring stages;
  
  a second memory section that stores operational instructs that, when executed by the intermediator processing module of the one or more computing devices of the DSN, causes the one or more computing devices to;
  
  partially desecure the secure data in accordance with a first partial desecuring stage of the two partial desecuring stages to produce partially desecured data; and
  
  send the partially desecured data to a destination processing module of the one or more processing modules; and
  
  a third memory section that stores operational instructs that, when executed by the destination processing module of the one or more computing devices of the DSN, causes the one or more computing devices to;
  
  further partially desecure the partially desecured data in accordance with a second desecuring stage of the two partial desecuring stages to recover the data, wherein the destination processing module does not have access to the encryption key or to the key stream.
- View Dependent Claims (18, 19, 20)
- - 18. The computer readable storage medium of claim 17, wherein the source processing module functions to execute the operational instructions stored by the first memory section to cause the one or more computing devices of the DSN to secure the data by:
    - exclusive ORing the data with the key stream to produce encrypted data; and
      
      dispersed storage error encoding the encrypted data to produce a set of encoded data slices as the secure data.
  - 19. The computer readable storage medium of claim 17, wherein the intermediator processing module functions to execute the operational instructions stored by the second memory section to cause the one or more computing devices of the DSN to partially desecure the secure data by:
    - partially decoding the secure data to produce partially desecured data;
      
      partially decoding secured information regarding the key stream to produce partially desecured key stream; and
      
      exclusive ORing the partially desecured data and the partially desecured key stream to produce the partially desecured data.
  - 20. The computer readable storage medium of claim 17, wherein the destination processing module functions to execute the operational instructions stored by the third memory section to cause the one or more computing devices of the DSN to further partially desecure the partially desecured data by:
    - separating the partially desecured data into partially desecured data vectors; and
      
      exclusive ORing the partially desecured data vectors to produce the recovered data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Dhuse, Greg

Granted Patent

US 9,432,341 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/1096   Parity calculation or recal...

G06F 11/2094   Redundant storage or storag...

G06F 21/602   Providing cryptographic fac...

G06F 21/80   in storage media based on m...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2221/2107   File encryption

H04L 1/0042   Encoding specially adapted ...

H04L 1/0047   Decoding adapted to other s...

H04L 63/0457   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 67/1097   for distributed storage of ...

H04L 69/14   Multichannel or multilink p...

SECURING DATA IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING DATA IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links