Obtaining a signed certificate for a dispersed storage network

US 8,776,186 B2
Filed: 08/17/2012
Issued: 07/08/2014
Est. Priority Date: 10/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

generating a certificate signing request (CSR) that includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device;

outputting the CSR to a certificate authority of a DSN;

receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certification signature of the certificate authority authenticating the certificate and the certificate extension; and

storing the signed certificate for use when generating a DSN access request, wherein the DSN access request is requesting access to dispersed storage error encoded data in the DSN at an address within the accessible DSN address range.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module generating a certificate signing request (CSR) that includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device. The method continues with the DS processing module outputting the CSR to a certificate authority of a DSN and receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certification signature of the certificate authority authenticating the certificate and the certificate extension. The method continues with the DS processing module storing the signed certificate for use when generating a DSN access request, wherein the DSN access request is requesting access to dispersed storage error encoded data in the DSN at an address within the accessible DSN address range.

Citations

18 Claims

1. A method comprises:
- generating a certificate signing request (CSR) that includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device;
  
  outputting the CSR to a certificate authority of a DSN;
  
  receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certification signature of the certificate authority authenticating the certificate and the certificate extension; and
  
  storing the signed certificate for use when generating a DSN access request, wherein the DSN access request is requesting access to dispersed storage error encoded data in the DSN at an address within the accessible DSN address range.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the generating the CSR further comprises:
    - receiving the certificate extension from the certificate authority or a DSN managing device;
      
      orretrieving the certificate extension from local memory; and
      
      generating the certificate to include at least one of;
      
      a version, a serial number, an algorithm identifier (ID), an issuer name, a time validity indicator, a subject ID, a public key algorithm, a public key, an issuer universal unique identifier (UUID), and a subject UUID.
  - 3. The method of claim 1, wherein the certificate extension comprises:
    - a first private enterprise number (PEN);
      
      a second PEN;
      
      a first extension value; and
      
      a second extension value, wherein the first PEN is associated with the first extension value that defines a starting address of the accessible DSN address range and wherein the second PEN is associated with the second extension value that defines an ending address of the accessible DSN address range.
  - 4. The method of claim 1, wherein the certificate extension further comprises at least one of:
    - information regarding a unique identifier of the requesting device, wherein the certificate authority generated the unique identifier of the requesting device;
      
      information regarding a unique identifier of the DSN, wherein the certificate authority generated the unique identifier of the DSN;
      
      information regarding a device type of the requesting device;
      
      information regarding account permissions of the requesting device; and
      
      information regarding credential permissions of the requesting device.
  - 5. The method of claim 4, wherein the certificate extension comprises:
    - a first private enterprise number (PEN);
      
      a second PEN;
      
      a third PEN;
      
      a fourth PEN;
      
      a fifth PEN;
      
      a first extension value;
      
      a second extension value;
      
      a third extension value;
      
      a fourth extension value; and
      
      a fifth extension value, wherein;
      
      the first PEN is associated with the first extension value that includes the unique identifier of the requesting device;
      
      the second PEN is associated with the second extension value that includes the unique identifier of the DSN;
      
      the third PEN is associated with the third extension value that includes the device type;
      
      the fourth PEN is associated with the fourth extension value that includes the account permissions; and
      
      the fifth PEN is associated with the fifth extension value that includes the credential permissions.
  - 6. The method of claim 1 further comprises:
    - prior to storing the signed certificate, indicating that the signed certificate is valid when a device universal unique identifier (UUID) of the certificate extension compares favorably to a device UUID contained in the signed certificate.

7. A method comprises:
- receiving, from a requesting device, a dispersed storage network (DSN) access request that includes a DSN address and a signed certificate, wherein the signed certificate includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device, and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device;
  
  determining whether the DSN address is within the accessible DSN address range for the requesting device; and
  
  when the DSN address is within the accessible DSN address range for the requesting device, processing the DSN access request.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein the receiving the DSN access request comprises:
    - validating the signed certificate by one or more of;
      
      indicating that the signed certificate is valid when validation of a certificate signature of the signed certificate utilizing a public key of the signed certificate is favorable;
      
      indicating that the signed certificate is valid when a certificate issuer identifier (ID) of the signed certificate compares favorably to a validated certificate issuer ID; and
      
      indicating that the signed certificate is valid when a time of validity indicator of the signed certificate compares favorably to a current time.
  - 9. The method of claim 7 further comprises:
    - determining whether the DSN access request is authorized by at least one of;
      
      indicating that the DSN access request is authorized when a device identifier (ID) of the certificate extension compares favorably to a requesting entity ID of the DSN access request;
      
      indicating that the DSN access request is authorized when a DSN ID of the certificate extension compares favorably to a retrieved DSN ID; and
      
      indicating that the DSN access request is authorized when a device type of the certificate extension compares favorably to an allowable device type associated with the DSN access request.

10. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  generate a certificate signing request (CSR) that includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  output the CSR to a certificate authority of a DSN;
  
  a third module, when operable within the computing device, causes the computing device to;
  
  receive a signed certificate from the certificate authority, wherein the signed certificate includes a certification signature of the certificate authority authenticating the certificate and the certificate extension; and
  
  a fourth module, when operable within the computing device, causes the computing device to;
  
  store the signed certificate for use when generating a DSN access request, wherein the DSN access request is requesting access to dispersed storage error encoded data in the DSN at an address within the accessible DSN address range.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The DS module of claim 10, wherein the first module further functions to generate the CSR by:
    - receiving the certificate extension from the certificate authority or a DSN managing device;
      
      orretrieving the certificate extension from local memory; and
      
      generating the certificate to include at least one of;
      
      a version, a serial number, an algorithm identifier (ID), an issuer name, a time validity indicator, a subject ID, a public key algorithm, a public key, an issuer universal unique identifier (UUID), and a subject UUID.
  - 12. The DS module of claim 10, wherein the certificate extension comprises:
    - a first private enterprise number (PEN);
      
      a second PEN;
      
      a first extension value; and
      
      a second extension value, wherein the first PEN is associated with the first extension value that defines a starting address of the accessible DSN address range and wherein the second PEN is associated with the second extension value that defines an ending address of the accessible DSN address range.
  - 13. The DS module of claim 10, wherein the certificate extension further comprises at least one of:
    - information regarding a unique identifier of the requesting device, wherein the certificate authority generated the unique identifier of the requesting device;
      
      information regarding a unique identifier of the DSN, wherein the certificate authority generated the unique identifier of the DSN;
      
      information regarding a device type of the requesting device;
      
      information regarding account permissions of the requesting device; and
      
      information regarding credential permissions of the requesting device.
  - 14. The DS module of claim 13, wherein the certificate extension comprises:
    - a first private enterprise number (PEN);
      
      a second PEN;
      
      a third PEN;
      
      a fourth PEN;
      
      a fifth PEN;
      
      a first extension value;
      
      a second extension value;
      
      a third extension value;
      
      a fourth extension value; and
      
      a fifth extension value, wherein;
      
      the first PEN is associated with the first extension value that includes the unique identifier of the requesting device;
      
      the second PEN is associated with the second extension value that includes the unique identifier of the DSN;
      
      the third PEN is associated with the third extension value that includes the device type;
      
      the fourth PEN is associated with the fourth extension value that includes the account permissions; and
      
      the fifth PEN is associated with the fifth extension value that includes the credential permissions.
  - 15. The DS module of claim 10, wherein the fourth module further functions to:
    - prior to storing the signed certificate, indicate that the signed certificate is valid when a device universal unique identifier (UUID) of the certificate extension compares favorably to a device UUID contained in the signed certificate.

16. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  receive, from a requesting device, a dispersed storage network (DSN) access request that includes a DSN address and a signed certificate, wherein the signed certificate includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device, and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  determine whether the DSN address is within the accessible DSN address range for the requesting device; and
  
  a third module, when operable within the computing device, causes the computing device to;
  
  when the DSN address is within the accessible DSN address range for the requesting device, process the DSN access request.
- View Dependent Claims (17, 18)
- - 17. The DS module of claim 16, wherein the first module functions to receive the DSN access request by:
    - validating the signed certificate by one or more of;
      
      indicating that the signed certificate is valid when validation of a certificate signature of the signed certificate utilizing a public key of the signed certificate is favorable;
      
      indicating that the signed certificate is valid when a certificate issuer identifier (ID) of the signed certificate compares favorably to a validated certificate issuer ID; and
      
      indicating that the signed certificate is valid when a time of validity indicator of the signed certificate compares favorably to a current time.
  - 18. The DS module of claim 16, wherein the first module further functions to:
    - determine whether the DSN access request is authorized by at least one of;
      
      indicating that the DSN access request is authorized when a device identifier (ID) of the certificate extension compares favorably to a requesting entity ID of the DSN access request;
      
      indicating that the DSN access request is authorized when a DSN ID of the certificate extension compares favorably to a retrieved DSN ID; and
      
      indicating that the DSN access request is authorized when a device type of the certificate extension compares favorably to an allowable device type associated with the DSN access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley, Baptist, Andrew
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/588,259
Publication Number

US 20130086642A1
Time in Patent Office

690 Days
Field of Search

726/4, 713/156, 713/175
US Class Current

726/4
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 11/1076   Parity data used in redunda...

G06F 11/1446   Point-in-time backing up or...

G06F 15/17331   Distributed shared memory [...

G06F 21/33   using certificates

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/06   Digital input from, or digi...

G06F 3/0604   Improving or facilitating a...

G06F 3/067   Distributed or networked st...

H04L 2209/04   Masking or blinding

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/0823   using certificates cryptogr...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

Obtaining a signed certificate for a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Obtaining a signed certificate for a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links