Securing data in a dispersed storage network using security sentinel value
Abstract
A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.
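The package and unpackage flow described in the abstract, as an added Python example that is not part of the patent text. It assumes SHA-256 as the digest, XOR as the key-masking step, a hash-based keystream standing in for a real cipher, and an HMAC-based sentinel derivation; all function and parameter names are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32        # equals the SHA-256 digest size, so key and digest XOR cleanly
SENTINEL_LEN = 16   # assumption: fixed-length sentinel appended after the data


def derive_sentinel(vault_param: bytes, segment_number: int) -> bytes:
    """Assumed derivation: HMAC of a unique segment number under a vault parameter."""
    msg = segment_number.to_bytes(8, "big")
    return hmac.new(vault_param, msg, hashlib.sha256).digest()[:SENTINEL_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _stream_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 counter-mode keystream. Swap in a vetted cipher."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(blocks)
    )
    return _xor(data, stream)


def make_package(segment, sentinel, key=None):
    """Pre-data manipulator: combine, encrypt, digest, mask key, append."""
    if len(sentinel) != SENTINEL_LEN:
        raise ValueError("sentinel must be SENTINEL_LEN bytes")
    key = key if key is not None else secrets.token_bytes(KEY_LEN)  # fresh key per segment
    encrypted = _stream_crypt(key, segment + sentinel)
    digest = hashlib.sha256(encrypted).digest()
    return encrypted + _xor(key, digest)  # masked key = key XOR digest


def open_package(package, expected_sentinel):
    """Pre-data de-manipulator: return the segment or raise ValueError."""
    if len(package) < KEY_LEN + SENTINEL_LEN:
        raise ValueError("package too short")
    encrypted, masked_key = package[:-KEY_LEN], package[-KEY_LEN:]
    key = _xor(masked_key, hashlib.sha256(encrypted).digest())
    combined = _stream_crypt(key, encrypted)
    segment, sentinel = combined[:-SENTINEL_LEN], combined[-SENTINEL_LEN:]
    if not hmac.compare_digest(sentinel, expected_sentinel):
        raise ValueError("sentinel mismatch: package altered or incomplete")
    return segment
```

Because the key is masked with a digest of the whole ciphertext, changing or dropping any byte of the package yields a different recovered key, and the sentinel check is what turns that into a detectable failure.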
24 Claims
1. A method for use in a pre-data manipulator of a computing device, the method comprising:
receiving a data segment at the pre-data manipulator;
combining the data segment with a sentinel value to generate a combined data segment, wherein the sentinel value is based on one or more of:
a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number;
encrypting the combined data segment using an encryption key to generate an encrypted combined data segment;
calculating a digest of the encrypted combined data segment;
encrypting the encryption key using the digest to produce a masked key;
appending the masked key to the encrypted combined data segment to generate an encrypted package; and
transmitting at least some of the encrypted package to an encoder.
Dependent claims: 2, 3, 4, 5, 6

7. A method for use in a pre-data de-manipulator of a computing device, the method comprising:
receiving an encrypted package from a decoder;
separating the encrypted package into a masked key and an encrypted data segment;
calculating a digest of the encrypted data segment;
decrypting the masked key using the digest to produce a recovered encryption key;
decrypting the encrypted data segment using the recovered encryption key to generate a recovered data segment and a recovered sentinel value, wherein a sentinel value is based on one or more of:
a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with a data segment, and an encrypted number;
verifying the recovered sentinel value corresponds to the sentinel value; and
outputting the recovered data segment as the data segment when the recovered sentinel value corresponds to the sentinel value.
Dependent claims: 8, 9, 10, 11, 12

13. A pre-data manipulator comprising:
processing circuitry to:
combine a data segment with a sentinel value to generate a combined data segment, wherein the sentinel value is based on one or more of:
a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number;
encrypt the combined data segment using an encryption key to generate an encrypted combined data segment;
calculate a digest of the encrypted combined data segment;
encrypt the encryption key using the digest to produce a masked key;
append the masked key to the encrypted combined data segment to generate an encrypted package; and
an output to transmit at least some of the encrypted package to an encoder.
Dependent claims: 14, 15, 16, 17, 18

19. A pre-data de-manipulator comprising:
processing circuitry to:
separate the encrypted package into a masked key and an encrypted data segment;
calculate a digest of the encrypted data segment;
decrypt the masked key using the digest to produce a recovered encryption key;
decrypt the encrypted data segment using the recovered encryption key to generate a recovered data segment and a recovered sentinel value, wherein a sentinel value is based on one or more of:
a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with a data segment, and an encrypted number;
verify the recovered sentinel value corresponds to the sentinel value; and
an output to provide the recovered data segment as the data segment when the recovered sentinel value corresponds to the sentinel value.
Dependent claims: 20, 21, 22, 23, 24

Specification