Distributed storage network and method for encrypting and decrypting data using hash functions

US 9,009,491 B2
Filed: 01/08/2013
Issued: 04/14/2015
Est. Priority Date: 10/30/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing a data segment within a portion of a distributed storage network, the method comprising:

segmenting data into a plurality of data segments;

determining a data segment partitioning scheme for the plurality of data segments, wherein the data segment partitioning scheme partitions each of at least some data segments of the plurality of data segments into a plurality of portions and wherein size of portions of the plurality of portions of a first data segment of the at least some data segments is different than size of portions of the plurality of portions of a second data segment of the at least some data segments;

partitioning, in accordance with the data segment partitioning scheme, the plurality of data segments into a multitude of pluralities of portions;

for one of the multitude of pluralities of portions, entering a loop that includes;

generating an encryption key based on a portion of the one of the multitude of pluralities of portions or on an encrypted portion;

encrypting another portion of the one of the multitude of pluralities of portions using the encryption key to produce another encrypted portion;

when at least one portion of the one of the multitude of pluralities of portions is to be encrypted, repeating the loop for one of the at least one portion of the one of the multitude of pluralities of portions, wherein the other encrypted portion is the encrypted portion for generating the encryption key; and

exiting the loop when the one of the multitude of pluralities of portions have been encrypted into a plurality of encrypted portions;

encoding, in accordance with an error-coding dispersal storage function, the plurality of encrypted portions to produce a set of encoded data slices; and

outputting a plurality of sets of encoded data slices for storage in the distributed storage network, wherein the plurality of sets of encoded data slices includes the set of encoded data slices.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A DS processing unit includes a grid module and a DSN interface. The grid module is operable to encrypt a data segment and to decrypt an encrypted data segment. To encrypt the data segment, the grid module partitions the data segment into portions and encrypts the portions using encryption keys generated from other portions to produce encrypted portions. The grid module then dispersed storage error encodes the encrypted portions to produce a set of encoded data slices, which the DSN interface outputs to a DSN. The DSN interface also receives a set of encoded data slices, which the grid module disperse storage error decodes to produce the encrypted data segment. The grid module then partitions the encrypted data segment into encrypted data portions and decrypts the encrypted data portions using decryption keys generated from other encrypted data portions to produce decrypted portions of a recovered data segment.

50 Citations

View as Search Results

17 Claims

1. A method for processing a data segment within a portion of a distributed storage network, the method comprising:
- segmenting data into a plurality of data segments;
  
  determining a data segment partitioning scheme for the plurality of data segments, wherein the data segment partitioning scheme partitions each of at least some data segments of the plurality of data segments into a plurality of portions and wherein size of portions of the plurality of portions of a first data segment of the at least some data segments is different than size of portions of the plurality of portions of a second data segment of the at least some data segments;
  
  partitioning, in accordance with the data segment partitioning scheme, the plurality of data segments into a multitude of pluralities of portions;
  
  for one of the multitude of pluralities of portions, entering a loop that includes;
  
  generating an encryption key based on a portion of the one of the multitude of pluralities of portions or on an encrypted portion;
  
  encrypting another portion of the one of the multitude of pluralities of portions using the encryption key to produce another encrypted portion;
  
  when at least one portion of the one of the multitude of pluralities of portions is to be encrypted, repeating the loop for one of the at least one portion of the one of the multitude of pluralities of portions, wherein the other encrypted portion is the encrypted portion for generating the encryption key; and
  
  exiting the loop when the one of the multitude of pluralities of portions have been encrypted into a plurality of encrypted portions;
  
  encoding, in accordance with an error-coding dispersal storage function, the plurality of encrypted portions to produce a set of encoded data slices; and
  
  outputting a plurality of sets of encoded data slices for storage in the distributed storage network, wherein the plurality of sets of encoded data slices includes the set of encoded data slices.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises at least one of:
    - utilizing an encryption function for each pass through the loop to encrypt the other portion of the one of the multitude of pluralities of portions; and
      
      utilizing different encryption functions for at least some passes through the loop to encrypt the other portion of the one of the multitude of pluralities of portions.
  - 3. The method of claim 1, wherein generating the encryption key comprises:
    - for a first pass through the loop;
      
      generating a hash value from the portion of the one of the multitude of pluralities of portions using a hash function; and
      
      generating the encryption key based on the hash value; and
      
      for subsequent passes through the loop;
      
      generating another hash value from the encrypted portion using the hash function or a second hash function; and
      
      generating the encryption key based on the other hash value.
  - 4. The method of claim 3 further comprises:
    - setting the encryption key to the hash value or to the other hash value.
  - 5. The method of claim 3 further comprises:
    - combining the hash value or the other hash value with a second value to produce a combined value; and
      
      generating the encryption key based on the combined value.

6. A method for processing an encrypted data segment within a portion of a distributed storage network, the method comprising:
- decoding, in accordance with an error-coding dispersal storage function, a set of encoded data slices to produce encrypted data;
  
  segmenting encrypted data into a plurality of encrypted data segments;
  
  determining a data segment partitioning scheme for the plurality of encrypted data segments, wherein the data segment partitioning scheme partitions each of at least some encrypted data segments of the plurality of encrypted data segments into a plurality of encrypted portions and wherein size of encrypted portions of the plurality of encrypted portions of a first encrypted data segment of the at least some encrypted data segments is different than size of encrypted portions of the plurality of encrypted portions of a second encrypted data segment of the at least some encrypted data segments;
  
  partitioning, in accordance with the data segment partitioning scheme, the plurality of encrypted data segments into a multitude of pluralities of encrypted portions;
  
  for one of the multitude of pluralities of encrypted portions, entering a loop that includes;
  
  generating an encryption key based on an encrypted portion of the one of the multitude of pluralities of encrypted portions or on a decrypted portion;
  
  decrypting another encrypted portion of the one of the multitude of pluralities of encrypted portions using the encryption key to produce another decrypted portion;
  
  when at least one portion of the one of the multitude of pluralities of encrypted portions is to be decrypted, repeating the loop for one of the at least one encrypted portion of the one of the multitude of pluralities of encrypted portions, wherein the other decrypted portion is the decrypted portion for generating the encryption key; and
  
  exiting the loop when the one of the multitude of pluralities of encrypted portions have been decrypted into a plurality of decrypted portions; and
  
  combining multitudes of pluralities of decrypted portions to produce a plurality of decrypted data segments, wherein the multitude of pluralities of decrypted portions includes the plurality of decrypted portions.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6 further comprises at least one of:
    - utilizing a decryption function for each pass through the loop to decrypt the other encrypted portion of the one of the multitude of pluralities of encrypted portions; and
      
      utilizing different decryption functions for at least some passes through the loop to decrypt the other encrypted portion of the one of the multitude of pluralities of encrypted portions.
  - 8. The method of claim 6, wherein generating the encryption key comprises:
    - for a first pass through the loop;
      
      generating a hash value from the encrypted portion of the one of the multitude of pluralities of encrypted portions using a hash function; and
      
      generating the encryption key based on the hash value; and
      
      for subsequent passes through the loop;
      
      generating another hash value from the decrypted portion using the hash function or a second hash function; and
      
      generating the encryption key based on the other hash value.
  - 9. The method of claim 8 further comprises:
    - setting the encryption key to the hash value or to the other hash value.
  - 10. The method of claim 8 further comprises:
    - combining the hash value or the other hash value with a second value to produce a combined value; and
      
      generating the encryption key based on the combined value.

11. A distributed storage (DS) processing unit comprises:
- a distributed storage network (DSN) interface; and
  
  a grid module operable to encrypt data by;
  
  segmenting the data into a plurality of data segments;
  
  determining a data segment partitioning scheme for the plurality of data segments, wherein the data segment partitioning scheme partitions each of at least some data segments of the plurality of data segments into a plurality of portions and wherein size of portions of the plurality of portions of a first data segment of the at least some data segments is different than size of portions of the plurality of portions of a second data segment of the at least some data segments;
  
  partitioning, in accordance with the data segment partitioning scheme, the plurality of data segments into a multitude of pluralities of portions;
  
  encrypting the multitude of pluralities of portions using encryption keys generated from other portions of the multitude of pluralities of portions to produce a multitude of pluralities of encrypted portions; and
  
  encoding, in accordance with an error-coding dispersal storage function, the multitude of pluralities of encrypted portions to produce a plurality of sets of encoded data slices; and
  
  outputting, via the DSN interface, the plurality of sets of encoded data slices for storage in DSN;
  
  the grid module is further operable to decrypt encrypted data by;
  
  receiving, via the DSN interface, a plurality of sets of encoded encrypted data slices;
  
  decode, in accordance with the error-coding dispersal storage function, the plurality of sets of encoded encrypted data slices to produce the encrypted data;
  
  segmenting encrypted data into a plurality of encrypted data segments;
  
  determining a data segment partitioning scheme for the plurality of encrypted data segments, wherein the data segment partitioning scheme partitions each of at least some encrypted data segments of the plurality of encrypted data segments into a plurality of encrypted portions and wherein size of encrypted portions of the plurality of encrypted portions of a first encrypted data segment of the at least some encrypted data segments is different than size of encrypted portions of the plurality of encrypted portions of a second encrypted data segment of the at least some encrypted data segments;
  
  partitioning, in accordance with the data segment partitioning scheme, the plurality of encrypted data segments into a multitude of pluralities of encrypted data portions;
  
  decrypting the multitude of pluralities of encrypted data portions using decryption keys generated from other encrypted data portions of the multitude of pluralities of encrypted data portions to produce a multitude of pluralities of decrypted portions; and
  
  combining the multitude of pluralities of decrypted portions to produce decrypted data.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The DS processing unit of claim 11, wherein the grid module is further operable to decrypt the encrypted data by:
    - entering a loop that includes;
      
      generating a unique decryption key based on an encrypted portion of the one of the multitude of pluralities of encrypted portions or on a decrypted portion;
      
      decrypting another encrypted portion of the one of the multitude of pluralities of encrypted portions using the unique decryption key to produce another decrypted portion;
      
      when at least one portion of the one of the multitude of pluralities of encrypted portions is to be decrypted, repeating the loop for one of the at least one encrypted portion of the one of the multitude of pluralities of encrypted portions, wherein the other decrypted portion is the decrypted portion for generating the unique decryption key; and
      
      exiting the loop when the one of the multitude of pluralities of encrypted portions have been decrypted into a plurality of decrypted portions.
  - 13. The DS processing unit of claim 12, wherein the grid module is further operable to generate the unique decryption key by:
    - for a first pass through the loop;
      
      generating a hash value from the portion of the one of the multitude of pluralities of portions using a hash function; and
      
      generating the unique decryption key based on the hash value; and
      
      for subsequent passes through the loop;
      
      generating another hash value from the encrypted portion using the hash function or a second hash function; and
      
      generating the unique decryption key based on the other hash value.
  - 14. The DS processing unit of claim 13, wherein the grid module is further operable to generate the unique encryption key by at least one of:
    - setting the unique decryption key to the hash value or to the other hash value; and
      
      combining the hash value or the other hash value with a second value to produce a combined value and generating the unique decryption key based on the combined value.
  - 15. The DS processing unit of claim 11, wherein the grid module is further operable to encrypt the data by:
    - for one of the multitude of pluralities of portions, entering a loop that includes;
      
      generating a unique encryption key based on a portion of the one of the multitude of pluralities of portions or on an encrypted portion;
      
      encrypting another portion of the one of the multitude of pluralities of portions using the unique encryption key to produce another encrypted portion;
      
      when at least one portion of the one of the multitude of pluralities of portions is to be encrypted, repeating the loop for one of the at least one portion of the one of the multitude of pluralities of portions, wherein the other encrypted portion is the encrypted portion for generating the unique encryption key; and
      
      exiting the loop when the one of the multitude of pluralities of portions have been encrypted into a plurality of encrypted portions, wherein the encryption keys includes the unique encryption keys generated while executing the loop.
  - 16. The DS processing unit of claim 15, wherein the grid module is further operable to generate the unique encryption key by:
    - for a first pass through the loop;
      
      generating a hash value from the portion of the one of the multitude of pluralities of portions using a hash function; and
      
      generating the unique encryption key based on the hash value; and
      
      for subsequent passes through the loop;
      
      generating another hash value from the encrypted portion using the hash function or a second hash function; and
      
      generating the unique encryption key based on the other hash value.
  - 17. The DS processing unit of claim 16, wherein the grid module is further operable to generate the unique encryption key by at least one of:
    - setting the unique encryption key to the hash value or to the other hash value; and
      
      combining the hash value or the other hash value with a second value to produce a combined value and generating the unique encryption key based on the combined value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K.
Primary Examiner(s)
Lipman, Jacob

Application Number

US13/736,848
Publication Number

US 20130124875A1
Time in Patent Office

826 Days
Field of Search

713/189
US Class Current

713/189
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 12/1408   by using cryptography for d...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2151   Time stamp

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 69/04   Protocols for data compress...

H04L 9/0819   Key transport or distributi...

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

Distributed storage network and method for encrypting and decrypting data using hash functions

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed storage network and method for encrypting and decrypting data using hash functions

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links