Deleting encoded data slices in a dispersed storage network

US 8,856,549 B2
Filed: 11/21/2012
Issued: 10/07/2014
Est. Priority Date: 11/28/2011
Status: Active Grant

First Claim

Patent Images

1. A distributed storage (DS) unit comprises:

a plurality of memory devices operable to store a plurality of collections of encrypted and encoded data slices, wherein a collection of encrypted and encoded data slices of the plurality of collections of encrypted and encoded data slices includes a common data aspect, wherein encrypted and encoded data slices of the collection of encrypted and encoded data slices are produced by individually encrypting corresponding encoded data slices using a common encrypting character string and representations of the corresponding encoded data slices, and wherein the corresponding encoded data slices are dispersed storage error encoded portions of a plurality of data segments;

local memory operable to store the common encrypting character string regarding the collection of encrypted and encoded data slices and to store the representations of the corresponding encoded data slices; and

a processing module operable to;

receive a request regarding at least a portion of the corresponding encoded data slices;

identify the common encrypting character string of the corresponding encoded data slices; and

when the request is to delete the corresponding encoded data slices, obfuscate the common encrypting character string in the local memory such that the collection of encrypted and encoded data slices are effectively incomprehensible.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving a request regarding at least a portion of corresponding encoded data slices, wherein a collection of encrypted and encoded data slices of a plurality of collections of encrypted and encoded data slices includes a common data aspect, wherein encrypted and encoded data slices of the collection of encrypted and encoded data slices are produced by individually encrypting corresponding encoded data slices using a common encrypting character string and representations of the corresponding encoded data slices. The method continues with the DS processing module identifying the common encrypting character string of the corresponding encoded data slices. When the request is to delete the corresponding encoded data slices, the method continues with the DS processing module obfuscating the common encrypting character string in a local memory such that the collection of encrypted and encoded data slices are effectively incomprehensible.

Citations

19 Claims

1. A distributed storage (DS) unit comprises:
- a plurality of memory devices operable to store a plurality of collections of encrypted and encoded data slices, wherein a collection of encrypted and encoded data slices of the plurality of collections of encrypted and encoded data slices includes a common data aspect, wherein encrypted and encoded data slices of the collection of encrypted and encoded data slices are produced by individually encrypting corresponding encoded data slices using a common encrypting character string and representations of the corresponding encoded data slices, and wherein the corresponding encoded data slices are dispersed storage error encoded portions of a plurality of data segments;
  
  local memory operable to store the common encrypting character string regarding the collection of encrypted and encoded data slices and to store the representations of the corresponding encoded data slices; and
  
  a processing module operable to;
  
  receive a request regarding at least a portion of the corresponding encoded data slices;
  
  identify the common encrypting character string of the corresponding encoded data slices; and
  
  when the request is to delete the corresponding encoded data slices, obfuscate the common encrypting character string in the local memory such that the collection of encrypted and encoded data slices are effectively incomprehensible.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is to read the at least a portion of the corresponding encoded data slices, retrieve the common encrypting character string and the representations of the corresponding encoded data slices from the local memory;
      
      decrypt each of at least a portion of the collection of encrypted and encoded data slices using the common encrypting character string and a corresponding one of the representations of the corresponding encoded data slices to recapture the at least a portion of the corresponding encoded data slices; and
      
      output the recaptured at least a portion of the corresponding encoded data slices.
  - 3. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is to write the at least a portion of the corresponding encoded data slices, determine whether the collection of encrypted and encoded data slices exists; and
      
      when the collection of encrypted and encoded data slices exists;
      
      retrieve the common encrypting character string;
      
      encrypt the at least a portion of the corresponding encoded data slices using the common encrypting character string and the representations of the at least a portion of the corresponding encoded data slices to produce at least a portion of the collection of encrypted and encoded data slices; and
      
      write the at least a portion of the collection of encrypted and encoded data slices to one or more of the plurality of memory devices.
  - 4. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is to write the at least a portion of the corresponding encoded data slices, determine whether the collection of encrypted and encoded data slices exists; and
      
      when the collection of encrypted and encoded data slices does not exist;
      
      generate the common encrypting character string;
      
      encrypt the at least a portion of the corresponding encoded data slices using the common encrypting character string and the representations of the at least a portion of the corresponding encoded data slices to produce at least a portion of the collection of encrypted and encoded data slices; and
      
      write the at least a portion of the collection of encrypted and encoded data slices to one or more of the plurality of memory devices.
  - 5. The DS unit of claim 1, wherein the processing module is further operable to individually encrypt the corresponding encoded data slices by:
    - transforming the common encrypting character string and a representation of representations of the corresponding encoded data slices using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the corresponding encoded data slice, a hash of the corresponding encoded data slice, the corresponding encoded data slice; and
      
      encrypting an individual encoded data slice of the corresponding encoded data slices using the individual encryption key to produce an individual encrypted and encoded data slice of the collection of encrypted and encoded data slices.
  - 6. The DS unit of claim 1, wherein the processing module is further operable to obfuscate the common encrypting character string by at least one of:
    - deleting the common encrypting character string;
      
      altering the common encrypting character string, wherein the common encrypting character string includes one or more of a random number, a series of characters, a passcode, and a random string of characters; and
      
      masking the common encrypting character string to include;
      
      transforming the common encrypting character string using a deterministic function and a secret key to produce a masked key; and
      
      overwriting the common encrypting character string with the masked key.

7. A distributed storage (DS) unit comprises:
- a plurality of memory devices operable to store a plurality of encoded data slices as a plurality of encrypted and encoded data slices,wherein groups of the plurality of encoded data slices are arranged into first tier collections of slices based on common first tier data aspects,wherein groups of the first tier collections are arranged into second tier collections of slices based on common second tier data aspects, andwherein encoded data slices of one of the second tier collections of slices are individually encrypted using first tier common encrypting character strings relating to the common first tier data aspects of the group of first tier collections of slices in the second tier collection of slices, a second tier common encrypting character string relating to the common second tier data aspect of the one of the second tier collections of slices, and representations of the encoded data slices;
  
  local memory operable to store the first tier common encrypting character strings relating to the common first tier data aspects of the group of first tier collections of slices in the second tier collection of slices, the second tier common encrypting character string relating to the common second tier data aspect of the one of the second tier collections of slices, and the representations of the encoded data slices; and
  
  a processing module operable to;
  
  receive a request regarding encoded data slices having a common data aspect; and
  
  when the request is a second tier delete request;
  
  identify the second tier common encrypting character string corresponding to a second tier collection of slices having the common data aspect; and
  
  obfuscate the second tier common encrypting character string in the local memory such that the second tier collection of slices is effectively incomprehensible.
- View Dependent Claims (8, 9, 10)
- - 8. The DS unit of claim 7, wherein the processing module is further operable to:
    - when the request is a first tier delete request;
      
      identify a first tier common encrypting character string corresponding to one of the first tier collections of slices of one of the second tier collections of slices having the common data aspect; and
      
      obfuscate the first tier common encrypting character string in the local memory such that the one of the first tier collections of slices is effectively incomprehensible while other first tier collections of slices of the one of the second tier collections of slices are substantially unaffected.
  - 9. The DS unit of claim 7 further comprises:
    - a plurality of data segments is encoded using a dispersed storage error encoding function to produce a plurality of sets of encoded data slices; and
      
      the plurality of encoded data slices is a subset of the plurality of sets of encoded data slices.
  - 10. The DS unit of claim 7, wherein the processing module is further operable to individually encrypt an encoded data slice of the encoded data slices by:
    - transforming the first tier common encrypting character string, the second tier common encrypting character string, and a representation of the encoded data slice using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the encoded data slice, a hash of the encoded data slice, the encoded data slice; and
      
      encrypting the encoded data slice using the individual encryption key to produce an individual encrypted and encoded data slice of the one of the second tier collections of slices.

11. A computer readable storage memory comprises:
- a first section for storing operational instructions that, when executed by a processing module, causes the processing module to receive a request regarding at least a portion of corresponding encoded data slices, wherein a collection of encrypted and encoded data slices of a plurality of collections of encrypted and encoded data slices includes a common data aspect, wherein encrypted and encoded data slices of the collection of encrypted and encoded data slices are produced by individually encrypting corresponding encoded data slices using a common encrypting character string and representations of the corresponding encoded data slices, and wherein the corresponding encoded data slices are dispersed storage error encoded portions of a plurality of data segments;
  
  a second section for storing operational instructions that, when executed by the processing module, causes the processing module to identify the common encrypting character string of the corresponding encoded data slices; and
  
  a third section for storing operational instructions that, when executed by the processing module, causes the processing module to, when the request is to delete the corresponding encoded data slices, obfuscate the common encrypting character string in a local memory such that the collection of encrypted and encoded data slices are effectively incomprehensible.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer readable storage memory of claim 11 further comprises:
    - when the request is to read the at least a portion of the corresponding encoded data slices, the third section further including operational instructions that cause the processing module to;
      
      retrieve the common encrypting character string and the representations of the corresponding encoded data slices from the local memory;
      
      decrypt each of at least a portion of the collection of encrypted and encoded data slices using the common encrypting character string and a corresponding one of the representations of the corresponding encoded data slices to recapture the at least a portion of the corresponding encoded data slices; and
      
      output the recaptured at least a portion of the corresponding encoded data slices.
  - 13. The computer readable storage memory of claim 11 further comprises:
    - when the request is to write the at least a portion of the corresponding encoded data slices, the third section further including operational instructions that cause the processing module to;
      
      determine whether the collection of encrypted and encoded data slices exists; and
      
      when the collection of encrypted and encoded data slices exists;
      
      retrieve the common encrypting character string;
      
      encrypt the at least a portion of the corresponding encoded data slices using the common encrypting character string and the representations of the at least a portion of the corresponding encoded data slices to produce at least a portion of the collection of encrypted and encoded data slices; and
      
      write the at least a portion of the collection of encrypted and encoded data slices to one or more memory devices of a plurality of memory devices.
  - 14. The computer readable storage memory of claim 11 further comprises:
    - when the request is to write the at least a portion of the corresponding encoded data slices, the third section further including operational instructions that cause the processing module to;
      
      determine whether the collection of encrypted and encoded data slices exists; and
      
      when the collection of encrypted and encoded data slices does not exist;
      
      generate the common encrypting character string;
      
      encrypt the at least a portion of the corresponding encoded data slices using the common encrypting character string and the representations of the at least a portion of the corresponding encoded data slices to produce at least a portion of the collection of encrypted and encoded data slices; and
      
      write the at least a portion of the collection of encrypted and encoded data slices to one or more memory devices of a plurality of memory devices.
  - 15. The computer readable storage memory of claim 11, wherein the third section further comprises operational instructions that cause the processing module to individually encrypt the corresponding encoded data slices by:
    - transforming the common encrypting character string and a representation of representations of the corresponding encoded data slices using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the corresponding encoded data slice, a hash of the corresponding encoded data slice, the corresponding encoded data slice; and
      
      encrypting an individual encoded data slice of the corresponding encoded data slices using the individual encryption key to produce an individual encrypted and encoded data slice of the collection of encrypted and encoded data slices.
  - 16. The computer readable storage memory of claim 11, wherein the third section further comprises operational instructions that cause the processing module to obfuscate the common encrypting character string by at least one of:
    - deleting the common encrypting character string;
      
      altering the common encrypting character string, wherein the common encrypting character string includes one or more of a random number, a series of characters, a passcode, and a random string of characters; and
      
      masking the common encrypting character string to include;
      
      transforming the common encrypting character string using a deterministic function and a secret key to produce a masked key; and
      
      overwriting the common encrypting character string with the masked key.

17. A computer readable storage memory comprises:
- a first section for storing operational instructions that, when executed by a processing module, causes the processing module to receive a request regarding encoded data slices having a common data aspect, wherein a plurality of data segments is encoded using a dispersed storage error encoding function to produce a plurality of sets of encoded data slices, wherein groups of a plurality of encoded data slices are arranged into first tier collections of slices based on common first tier data aspects, wherein the plurality of encoded data slices is a subset of the plurality of sets of encoded data slices, wherein groups of the first tier collections are arranged into second tier collections of slices based on common second tier data aspects, and wherein encoded data slices of one of the second tier collections of slices are individually encrypted using first tier common encrypting character strings relating to the common first tier data aspects of the group of first tier collections of slices in the second tier collection of slices, a second tier common encrypting character string relating to the common second tier data aspect of the one of the second tier collections of slices, and representations of the encoded data slices;
  
  a second section for storing operational instructions that, when executed by the processing module, causes the processing module to, when the request is a second tier delete request, identify the second tier common encrypting character string corresponding to a second tier collection of slices having the common data aspect; and
  
  a third section for storing operational instructions that, when executed by the processing module, causes the processing module to, when the request is a second tier delete request, obfuscate the second tier common encrypting character string in a local memory such that the second tier collection of slices is effectively incomprehensible.
- View Dependent Claims (18, 19)
- - 18. The computer readable storage memory of claim 17 further comprises:
    - when the request is a first tier delete request;
      
      the second section further including operational instructions that cause the processing module to identify a first tier common encrypting character string corresponding to one of the first tier collections of slices of one of the second tier collections of slices having the common data aspect; and
      
      the third section further including operational instructions that cause the processing module to obfuscate the first tier common encrypting character string in the local memory such that the one of the first tier collections of slices is effectively incomprehensible while other first tier collections of slices of the one of the second tier collections of slices are substantially unaffected.
  - 19. The computer readable storage memory of claim 17, wherein the third section further comprises operational instructions that cause the processing module to individually encrypt an encoded data slice of the encoded data slices by:
    - transforming the first tier common encrypting character string, the second tier common encrypting character string, and a representation of the encoded data slice using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the encoded data slice, a hash of the encoded data slice, the encoded data slice; and
      
      encrypting the encoded data slice using the individual encryption key to produce an individual encrypted and encoded data slice of the one of the second tier collections of slices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Motwani, Manish
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/684,009
Publication Number

US 20130138970A1
Time in Patent Office

685 Days
Field of Search

713/189, 726/3
US Class Current

713/189
CPC Class Codes

G06F 11/108   Parity data distribution in...

G06F 12/0607   Interleaved addressing

G06F 12/1408   by using cryptography for d...

G06F 16/182   Distributed file systems

G06F 21/00   Security arrangements for p...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/0608   Saving storage space on sto...

G06F 3/0641   De-duplication techniques

G06F 3/067   Distributed or networked st...

H04L 63/0428   wherein the data content is...

H04L 65/10   Architectures or entities

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3236   using cryptographic hash fu...

Deleting encoded data slices in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Deleting encoded data slices in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links