Securing data in a dispersed storage network using security sentinel value

US 8,601,259 B2
Filed: 04/14/2010
Issued: 12/03/2013
Est. Priority Date: 04/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method for use in a pre-data manipulator of a computing device, the method comprising:

receiving a data segment at the pre-data manipulator;

combining the data segment with a sentinel value to generate a combined data segment, wherein the sentinel value is based on one or more of;

a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number;

encrypting the combined data segment using an encryption key to generate an encrypted combined data segment;

calculating a digest of the encrypted combined data segment;

encrypting the encryption key using the digest to produce a masked key;

appending the masked key to the encrypted combined data segment to generate an encrypted package; and

transmitting at least some of the encrypted package to an encoder.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A sentinel value is combined with a data segment, and encrypted. A digest of the encrypted combined data segment is calculated, and used in conjunction with an encryption key to generate a masked key. This masked key is then appended to the encrypted combined data segment and transmitted to an encoder. When the data segment is retrieved, the original encryption key can be recovered and used to decrypt the data segment. The sentinel value can then be extracted from the data segment and checked for integrity. The data segment can then be delivered, discarded, flagged, or otherwise handled based on the integrity of the sentinel value.

81 Citations

View as Search Results

24 Claims

1. A method for use in a pre-data manipulator of a computing device, the method comprising:
- receiving a data segment at the pre-data manipulator;
  
  combining the data segment with a sentinel value to generate a combined data segment, wherein the sentinel value is based on one or more of;
  
  a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number;
  
  encrypting the combined data segment using an encryption key to generate an encrypted combined data segment;
  
  calculating a digest of the encrypted combined data segment;
  
  encrypting the encryption key using the digest to produce a masked key;
  
  appending the masked key to the encrypted combined data segment to generate an encrypted package; and
  
  transmitting at least some of the encrypted package to an encoder.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - selecting the encryption key based on one or more of;
      
      the security parameter associated with the user vault and the DSN-wide security parameter.
  - 3. The method of claim 1, further comprising:
    - pre-encrypting the data segment using a private key associated with the pre-data manipulator prior to combining the data segment with the sentinel value.
  - 4. The method of claim 1, further comprising:
    - removing a portion of the encrypted package;
      
      storing the portion in a data store; and
      
      transmitting, as the at least some of the encrypted package, the encrypted package less the portion.
  - 5. The method of claim 4, further comprising:
    - padding the at least some of the encrypted package to replace the portion of the encrypted package.
  - 6. The method of claim 4, further comprising;
    - determining a size of the portion and a location of the portion within the encrypted package.

7. A method for use in a pre-data de-manipulator of a computing device, the method comprising:
- receiving an encrypted package from a decoder;
  
  separating the encrypted package into a masked key and an encrypted data segment;
  
  calculating a digest of the encrypted data segment;
  
  decrypting the masked key using the digest to produce a recovered encryption key;
  
  decrypting the encrypted data segment using the recovered encryption key to generate a recovered data segment and a recovered sentinel value, wherein a sentinel value is based on one or more of;
  
  a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with a data segment, and an encrypted number;
  
  verifying the recovered sentinel value corresponds to the sentinel value; and
  
  outputting the recovered data segment as the data segment when the recovered sentinel value corresponds to the sentinel value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - discarding the recovered data segment when the recovered sentinel value does not correspond to the sentinel value; and
      
      generating a flag indicating that the recovered data segment is unreliable.
  - 9. The method of claim 7, further comprising:
    - prior to separating the encrypted package;
      
      determining that a portion of the encrypted package was withheld;
      
      obtaining the portion; and
      
      reinserting the portion into the encrypted package prior to.
  - 10. The method of claim 7, further comprising:
    - prior to separating the encrypted package;
      
      determining that a portion of the encrypted package was withheld;
      
      sending a request to receive the portion;
      
      receiving an unfavorable response to the request; and
      
      determining that the encrypted package is unrecoverable based on the unfavorable response.
  - 11. The method of claim 7, further comprising:
    - prior to separating the encrypted package;
      
      determining that a portion of the encrypted package was withheld;
      
      sending a request to receive the portion;
      
      failing to receive a response to the request within a threshold amount of time; and
      
      marking the encrypted package as unavailable based on the failing to receive a response.
  - 12. The method of claim 7, wherein the outputting the recovered data segment comprising:
    - decrypting the recovered data segment using a private key associated with the pre-data de-manipulator prior to outputting.

13. A pre-data manipulator comprising:
- processing circuitry to;
  
  combine a data segment with a sentinel value to generate a combined data segment, wherein the sentinel value is based on one or more of;
  
  a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number;
  
  encrypt the combined data segment using an encryption key to generate an encrypted combined data segment;
  
  calculate a digest of the encrypted combined data segment;
  
  encrypt the encryption key using the digest to produce a masked key;
  
  append the masked key to the encrypted combined data segment to generate an encrypted package; and
  
  an output to transmit at least some of the encrypted package to an encoder.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The pre-data manipulator of claim 13, further comprising:
    - the processor further to select the encryption key based on one or more of;
      
      the security parameter associated with the user vault and the DSN-wide security parameter.
  - 15. The pre-data manipulator of claim 13, further comprising:
    - the processor further to pre-encrypt the data segment using a private key associated with the apparatus prior to combining the data segment with the sentinel value.
  - 16. The pre-data manipulator of claim 13, further comprising:
    - the processor further to;
      
      remove a portion of the encrypted package;
      
      store the portion in a data store; and
      
      transmit, as the at least some of the encrypted package, the encrypted package less the portion.
  - 17. The pre-data manipulator of claim 16, further comprising:
    - the processor further to pad the at least some of the encrypted package to replace the portion of the encrypted package.
  - 18. The pre-data manipulator of claim 16, further comprising:
    - the processor further to determine a size of the portion to be removed and a location of the portion within the encrypted package.

19. A pre-data de-manipulator comprising:
- processing circuitry to;
  
  separate the encrypted package into a masked key and an encrypted data segment;
  
  calculate a digest of the encrypted data segment;
  
  decrypt the masked key using the digest to produce a recovered encryption key;
  
  decrypt the encrypted data segment using the recovered encryption key to generate a recovered data segment and a recovered sentinel value, wherein a sentinel value is based on one or more of;
  
  a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with a data segment, and an encrypted number;
  
  verify the recovered sentinel value corresponds to the sentinel value; and
  
  an output to provided the recovered data segment as the data segment when the recovered sentinel value corresponds to the sentinel value.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The pre-data de-manipulator of claim 19, further comprising:
    - the processing circuitry to;
      
      discard the recovered data segment when therecovered sentinel value does not correspond to the sentinel value; and
      
      generate a flag indicating that the recovered data segment is unreliable.
  - 21. The pre-data de-manipulator of claim 19, further comprising:
    - the processing circuitry to;
      
      prior to separating the encrypted package;
      
      determine that a portion of the encrypted package was withheld;
      
      obtain, via an input, the portion; and
      
      reinsert the portion into the encrypted package.
  - 22. The pre-data de-manipulator of claim 19, further comprising:
    - the processing circuitry to, prior to separating the encrypted package;
      
      determine that a portion of the encrypted package was withheld;
      
      send, via a communication interface, a request to receive the portion;
      
      receive, via the communication interface, an unfavorable response to the request; and
      
      determine that the encrypted package is unrecoverable based on the unfavorable response.
  - 23. The pre-data de-manipulator of claim 19, further comprising:
    - the processing circuitry to prior to separating the encrypted package;
      
      determine that a portion of the encrypted package was withheld;
      
      send, via a communication interface, a request to receive the portion;
      
      determine that a response to the request was not received within a threshold amount of time; and
      
      mark the encrypted package as unavailable.
  - 24. The pre-data de-manipulator of claim 19, further comprising:
    - a decryption engine to decrypt the recovered data segment using a private key prior to the output providing the recovered data segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US12/760,066
Publication Number

US 20100268938A1
Time in Patent Office

1,329 Days
Field of Search

713/153, 713/160, 380/4, 380/40
US Class Current

713/153
CPC Class Codes

H04L 2209/04   Masking or blinding

H04L 2209/20   Manipulating the length of ...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/603   Digital right managament [DRM]

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/0897   involving additional device...

H04L 9/3236   using cryptographic hash fu...

Securing data in a dispersed storage network using security sentinel value

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Securing data in a dispersed storage network using security sentinel value

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links