Authenticating use of a dispersed storage network

US 8,468,609 B2
Filed: 04/14/2010
Issued: 06/18/2013
Est. Priority Date: 08/27/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating, through use of a dispersed storage managing unit, a user device request to access a dispersed storage network (DSN), the method comprising:

receiving, from a first proxy system element of the DSN, a first authentication request regarding executing a first portion of the user device request;

verifying the first authentication request by;

verifying that the first proxy system element is an authenticated proxy; and

when the first proxy system element is an authenticated proxy, verifying the user device is an authenticated user device;

when the first authentication request is validated, sending, to the first proxy system element, a first favorable response such that the first proxy system element is allowed to execute the first portion of the user device request when a permissions list authorizes the user device request;

receiving, from a second proxy system element, a second authentication request regarding executing a second portion of the user device request;

verifying the second authentication request by;

verifying that the second proxy system element is an authenticated proxy; and

when the second proxy system element is an authenticated proxy, verifying the user device is an authenticated user device; and

when the second authentication request is validated, sending, to the second proxy system element, a second favorable response such that the second proxy system element is allowed to execute the second portion of the user device request when the permissions list authorizes the user device request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At least one dispersed storage (DS) processing unit (14), at least one dispersed storage managing unit (18), and at least one dispersed storage unit (44) communicate with each other over a network (20) to authenticate and process a user data transaction within dispersed memory in a dispersed storage network. In a data operation, the DS processing unit (14) first received the request. The unit (14) uses stored security information (80 and 84) to validate that the user requesting the user transaction is a valid user. The unit (18) processes the user transaction to further authenticate that the user is valid and the user transaction requested by the user is proper. Finally, the unit (44) again received user transaction information and performs another authentication to ensure that the distributed network data slices can be properly processed by this user and this user transaction.

95 Citations

View as Search Results

16 Claims

1. A method for authenticating, through use of a dispersed storage managing unit, a user device request to access a dispersed storage network (DSN), the method comprising:
- receiving, from a first proxy system element of the DSN, a first authentication request regarding executing a first portion of the user device request;
  
  verifying the first authentication request by;
  
  verifying that the first proxy system element is an authenticated proxy; and
  
  when the first proxy system element is an authenticated proxy, verifying the user device is an authenticated user device;
  
  when the first authentication request is validated, sending, to the first proxy system element, a first favorable response such that the first proxy system element is allowed to execute the first portion of the user device request when a permissions list authorizes the user device request;
  
  receiving, from a second proxy system element, a second authentication request regarding executing a second portion of the user device request;
  
  verifying the second authentication request by;
  
  verifying that the second proxy system element is an authenticated proxy; and
  
  when the second proxy system element is an authenticated proxy, verifying the user device is an authenticated user device; and
  
  when the second authentication request is validated, sending, to the second proxy system element, a second favorable response such that the second proxy system element is allowed to execute the second portion of the user device request when the permissions list authorizes the user device request.
- View Dependent Claims (2, 3, 4, 5, 6, 11, 12)
- - 2. The method of claim 1, wherein the verifying the user device is an authenticated user device comprises:
    - identifying a realm authentication list of a plurality of realm authentication lists, wherein the DSN is divided into a plurality of realms and wherein the plurality of realm authentication lists corresponds to the plurality of realms;
      
      using realm information from the realm authentication list to validate a user device associated with the user device request is authorized to access one of the plurality of realms corresponding to the realm authentication list.
  - 3. The method of claim 1 further comprises:
    - verifying that the first proxy system element is an authenticated proxy based on a first signed certificate of the first proxy system element that is contained in the first authentication request; and
      
      verifying that the second proxy system element is an authenticated proxy based on a second signed certificate of the second proxy system element that is contained in the second authentication request.
  - 4. The method of claim 1 further comprises:
    - the first proxy system element including a dispersed storage (DS) processing module and wherein the executing the first portion of the user device request includes identifying a set of DS units of the DSN; and
      
      the second proxy system element including a DS unit of the set of DS units and wherein the executing the second portion of the user device request includes reading or writing a data slice from or to memory of the DS unit.
  - 5. The method of claim 1 further comprises:
    - the first proxy system element including a first DS unit of a set of DS units and wherein the executing the first portion of the user device request includes reading or writing a first data slice from or to memory of the first DS unit; and
      
      the second proxy system element including a second DS unit of the set of DS units and wherein the executing the second portion of the user device request includes reading or writing a second data slice from or to memory of the second DS unit.
  - 6. The method of claim 1 further comprises:
    - the first proxy system element including a dispersed storage (DS) processing module and wherein the executing the first portion of the user device request includes identifying a set of DS units of the DSN;
      
      receiving, from the set of DS units, a plurality of second authentication requests regarding executing a plurality of second portions of the user device request, wherein the second proxy element is one of the set of DS units;
      
      verifying each of the plurality of second authentication request by;
      
      verifying that a corresponding one of the set of DS units is an authenticated proxy; and
      
      when the corresponding one of the set of DS units is an authenticated proxy, verifying the user device is an authenticated user device; and
      
      when the plurality of second authentication requests is validated, sending, to the set of DS units, a second favorable response such that each of the set of DS units is allowed to execute a corresponding one of the plurality of second portions of the user device request when the permissions list authorizes the user device request.
  - 11. The method of claim 1 further comprises:
    - receiving, from the first proxy system element, a request for the permissions lists prior to receiving the first authentication request;
      
      verifying the first proxy system element based on a signed certificate of the first proxy system element; and
      
      when the first proxy system element is verified, sending the permissions list to the first proxy system element, wherein the first proxy system element determines a universal user identifier of a user device associated with the user device request and generates the first authentication request to include the universal user identifier.
  - 12. The method of claim 1 further comprises:
    - receiving, from the second proxy system element, a request for the permissions lists prior to receiving the second authentication request;
      
      verifying the second proxy system element based on a signed certificate of the second proxy system element; and
      
      when the second proxy system element is verified, sending the permissions list to the second proxy system element, wherein the second proxy system element determines a universal user identifier of a user device associated with the user device request and generates the second authentication request to include the universal user identifier.

7. A dispersed storage managing unit adapted to be coupled to a network, the dispersed storage managing unit comprising:
- input/output interface circuitry adapted to be coupled to the network;
  
  memory; and
  
  a processing module operably coupled to the memory and to the input/output interface circuitry, wherein the processing module is operable to;
  
  receive, from a first proxy system element of the DSN via the input/output interface circuitry, a first authentication request regarding executing a first portion of the user device request;
  
  verify the first authentication request by;
  
  verify that the first proxy system element is an authenticated proxy; and
  
  when the first proxy system element is an authenticated proxy, verify the user device is an authenticated user device;
  
  when the first authentication request is validated, send, to the first proxy system element via the input/output interface circuitry, a first favorable response such that the first proxy system element is allowed to execute the first portion of the user device request when a permissions list authorizes the user device request;
  
  receive, from a second proxy system element via the input/output interface circuitry, a second authentication request regarding executing a second portion of the user device request;
  
  verify the second authentication request by;
  
  verify that the second proxy system element is an authenticated proxy; and
  
  when the second proxy system element is an authenticated proxy, verify the user device is an authenticated user device; and
  
  when the second authentication request is validated, send, to the second proxy system element via the input/output interface circuitry, a second favorable response such that the second proxy system element is allowed to execute the second portion of the user device request when the permissions list authorizes the user device request.
- View Dependent Claims (8, 9, 10, 13, 14, 15, 16)
- - 8. The dispersed storage management unit of claim 7, wherein the processing module is further operable to verify the user device is an authenticated user device by:
    - identifying a realm authentication list of a plurality of realm authentication lists, wherein the DSN is divided into a plurality of realms and wherein the plurality of realm authentication lists corresponds to the plurality of realms;
      
      using realm information from the realm authentication list to validate a user device associated with the user device request is authorized to access one of the plurality of realms corresponding to the realm authentication list.
  - 9. The dispersed storage management unit of claim 7, wherein the processing module is further operable toverify that the first proxy system element is an authenticated proxy based on a first signed certificate of the first proxy system element that is contained in the first authentication request;
    - andverify that the second proxy system element is an authenticated proxy based on a second signed certificate of the second proxy system element that is contained in the second authentication request.
  - 10. The dispersed storage management unit of claim 7 further comprises:
    - the first proxy system element including a dispersed storage (DS) processing module and wherein the executing the first portion of the user device request includes identifying a set of DS units of the DSN; and
      
      the second proxy system element including a DS unit of the set of DS units and wherein the executing the second portion of the user device request includes reading or writing a data slice from or to memory of the DS unit.
  - 13. The dispersed storage management unit of claim 7 further comprises:
    - the first proxy system element including a first DS unit of a set of DS units and wherein the executing the first portion of the user device request includes reading or writing a first data slice from or to memory of the first DS unit; and
      
      the second proxy system element including a second DS unit of the set of DS units and wherein the executing the second portion of the user device request includes reading or writing a second data slice from or to memory of the second DS unit.
  - 14. The dispersed storage management unit of claim 7 further comprises:
    - the first proxy system element including a dispersed storage (DS) processing module and wherein the executing the first portion of the user device request includes identifying a set of DS units of the DSN;
      
      wherein the processing module is further operable to;
      
      receive, from the set of DS units via the input/output interface circuitry, a plurality of second authentication requests regarding executing a plurality of second portions of the user device request, wherein the second proxy element is one of the set of DS units;
      
      verify each of the plurality of second authentication request by;
      
      verifying that a corresponding one of the set of DS units is an authenticated proxy; and
      
      when the corresponding one of the set of DS units is an authenticated proxy, verifying the user device is an authenticated user device; and
      
      when the plurality of second authentication requests is validated, send, to the set of DS units via the input/output interface circuitry, a second favorable response such that each of the set of DS units is allowed to execute a corresponding one of the plurality of second portions of the user device request when the permissions list authorizes the user device request.
  - 15. The dispersed storage management unit of claim 7, wherein the processing module is further operable to:
    - receive, from the first proxy system element via the input/output interface circuitry, a request for the permissions lists prior to receiving the first authentication request;
      
      verify the first proxy system element based on a signed certificate of the first proxy system element; and
      
      when the first proxy system element is verified, send the permissions list to the first proxy system element, wherein the first proxy system element determines a universal user identifier of a user device associated with the user device request and generates the first authentication request to include the universal user identifier.
  - 16. The dispersed storage management unit of claim 7, wherein the processing module is further operable to:
    - receive, from the second proxy system element via the input/output interface circuitry, a request for the permissions lists prior to receiving the second authentication request;
      
      verify the second proxy system element based on a signed certificate of the second proxy system element; and
      
      when the second proxy system element is verified, send the permissions list to the second proxy system element, wherein the second proxy system element determines a universal user identifier of a user device associated with the user device request and generates the second authentication request to include the universal user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US12/759,948
Publication Number

US 20110055903A1
Time in Patent Office

1,161 Days
Field of Search

726/27, 709/216
US Class Current

726/27
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1024   Identification of the type ...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 12/1483   using an access-table, e.g....

G06F 13/00   Interconnection of, or tran...

G06F 15/16   Combinations of two or more...

G06F 16/00   Information retrieval; Data...

G06F 21/44   Program or device authentic...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 9/32   including means for verifyi...

H04L 9/3297   involving time stamps, e.g....

Authenticating use of a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticating use of a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links