Secure data access in a dispersed storage network

US 9,021,263 B2
Filed: 07/17/2013
Issued: 04/28/2015
Est. Priority Date: 08/31/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method for execution by one or more processing modules of a storage device, the method comprises:

receiving an access request regarding a data object, wherein the access request includes a data object identifier, requestor information, and addressing information;

determining a base key identifier based on the access request;

determining content specific information based on the access request;

retrieving a set of base key slices utilizing the base key identifier;

decoding the set of base key slices in accordance with an error encoding function to recover a base key;

generating an access specific key based on the recovered base key and the content specific information; and

executing the access request regarding the data object utilizing the access specific key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving an access request regarding a data object, where the access request includes a data object identifier, requestor information, and addressing information. The method continues with the DS processing module determining a base key identifier based on the access request and determining content specific information based on the access request. The method continues with the DS processing module retrieving a set of base key slices utilizing the base key identifier and decoding the set of base key slices in accordance with an error encoding function to recover a base key. The method continues with the DS processing module generating an access specific key based on the recovered base key and the content specific information and executing the access request regarding the data object utilizing the access specific key.

Citations

20 Claims

1. A method for execution by one or more processing modules of a storage device, the method comprises:
- receiving an access request regarding a data object, wherein the access request includes a data object identifier, requestor information, and addressing information;
  
  determining a base key identifier based on the access request;
  
  determining content specific information based on the access request;
  
  retrieving a set of base key slices utilizing the base key identifier;
  
  decoding the set of base key slices in accordance with an error encoding function to recover a base key;
  
  generating an access specific key based on the recovered base key and the content specific information; and
  
  executing the access request regarding the data object utilizing the access specific key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the determining the base key identifier comprises:
    - determining a domain based on at least one of the addressing information and the requestor information, wherein the domain is one of a plurality of domains of memory of a dispersed storage network (DSN), wherein a plurality of base keys is assigned to the plurality of domains, and wherein a plurality of base key identifiers are associated with the plurality of base keys; and
      
      determining the base key identifier from the plurality of base key identifiers based on the domain.
  - 3. The method of claim 1, wherein the determining the content specific information comprises one or more of:
    - utilizing the data object identifier as at least part of the content specific information;
      
      determining, as the at least part of the content specific information, one or more physical addresses of memory of the storage device from the addressing information;
      
      determining, as the at least part of the content specific information, one or more logical addresses regarding the data object from the addressing information;
      
      determining, as the at least part of the content specific information, data type of the data object;
      
      determining, as the at least part of the content specific information, a timestamp of the access request; and
      
      determining, as the at least part of the content specific information, identity of a requesting device based on the requestor information.
  - 4. The method of claim 1, wherein the retrieving the set of base key slices comprises:
    - determining identity of a set of other storage devices based on the base key identifier;
      
      sending a set of key slice retrieval requests to the set of other storage devices; and
      
      receiving, in response to the set of key slice retrieval requests, at least a decode threshold number of base key slices to recover the base key.
  - 5. The method of claim 1, wherein the error encoding function comprises one or more of:
    - a dispersed storage error encoding function;
      
      a Shamir shared secret encoding function; and
      
      an encryption function using a public key of public/private key pair of the storage device to produce an encrypted base key and dividing the encrypted based key into encrypted base key portions to produce the set of base key slices.
  - 6. The method of claim 1, wherein the executing the access request comprises:
    - sending a read instruction to memory of the storage device;
      
      retrieving an encrypted data object from the memory in accordance with the read instruction;
      
      decrypting the encrypted data object using the access specific key to recover the data object; and
      
      outputting the recovered data object.
  - 7. The method of claim 1, wherein the executing the access request comprises:
    - encrypting the data object using the access specific key to produce an encrypted data object;
      
      sending a write instruction to memory of the storage device; and
      
      storing the encrypted data object in the memory in accordance with the write instruction.
  - 8. The method of claim 1, wherein the generating the access specific key comprises one or more of:
    - performing a deterministic function on the recovered base key and the content specific information to produce the access specific key;
      
      performing a logical function on the recovered base key and the content specific information to produce the access specific key;
      
      performing a mathematical function on the recovered base key and the content specific information to produce the access specific key;
      
      encrypting the recovered base key utilizing the content specific information to produce the access specific key; and
      
      encrypting the content specific information utilizing the recovered base key to produce the access specific key.
  - 9. The method of claim 1 further comprises:
    - receiving a plurality of access requests, wherein the plurality of access requests include the access request;
      
      determining the base key identifier for the plurality of access requests;
      
      determining a plurality of content specific information based on the plurality of access requests;
      
      for the plurality of access requests;
      
      retrieving the set of base key slices utilizing the base key identifier; and
      
      decoding the set of base key slices in accordance with the error encoding function to recover the base key; and
      
      for one of the plurality of access requests;
      
      generating another unique access specific key based on the recovered base key and a corresponding one of the plurality of content specific information; and
      
      executing the one of the plurality of access requests utilizing the other unique access specific key.
  - 10. The method of claim 1, wherein the determining the base key identifier comprises:
    - sending a domain request to a managing unit, wherein the domain request includes at least a portion of the access request; and
      
      receiving, in response to the domain request, the base key identifier.

11. A dispersed storage (DS) module of a storage device, the DS module comprises:
- a processing module, when operable within the storage device, causes the storage device to;
  
  receive an access request regarding a data object, wherein the access request includes a data object identifier, requestor information, and addressing information;
  
  determine a base key identifier based on the access request; and
  
  determine content specific information based on the access request;
  
  a key provision module, when operable within the storage device, causes the storage device to;
  
  retrieve a set of base key slices utilizing the base key identifier; and
  
  decode the set of base key slices in accordance with an error encoding function to recover a base key;
  
  a key generator module, when operable within the storage device, causes the storage device to;
  
  generate an access specific key based on the recovered base key and the content specific information; and
  
  the processing module is further operable to cause the storage device to;
  
  execute the access request regarding the data object utilizing the access specific key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The DS module of claim 11, wherein the processing module functions to determine the base key identifier by:
    - determining a domain based on at least one of the addressing information and the requestor information, wherein the domain is one of a plurality of domains of memory of a dispersed storage network (DSN), wherein a plurality of base keys is assigned to the plurality of domains, and wherein a plurality of base key identifiers are associated with the plurality of base keys; and
      
      determining the base key identifier from the plurality of base key identifiers based on the domain.
  - 13. The DS module of claim 11, wherein the processing module functions to determine the content specific information by one or more of:
    - utilizing the data object identifier as at least part of the content specific information;
      
      determining, as the at least part of the content specific information, one or more physical addresses of memory of the storage device from the addressing information;
      
      determining, as the at least part of the content specific information, one or more logical addresses regarding the data object from the addressing information;
      
      determining, as the at least part of the content specific information, data type of the data object;
      
      determining, as the at least part of the content specific information, a timestamp of the access request; and
      
      determining, as the at least part of the content specific information, identity of a requesting device based on the requestor information.
  - 14. The DS module of claim 11, wherein the key provision module functions to retrieve the set of base key slices by:
    - determining identity of a set of other storage devices based on the base key identifier;
      
      sending a set of key slice retrieval requests to the set of other storage devices; and
      
      receiving, in response to the set of key slice retrieval requests, at least a decode threshold number of base key slices to recover the base key.
  - 15. The DS module of claim 11, wherein the error encoding function comprises one or more of:
    - a dispersed storage error encoding function;
      
      a Shamir shared secret encoding function; and
      
      an encryption function using a public key of public/private key pair of the storage device to produce an encrypted base key and dividing the encrypted based key into encrypted base key portions to produce the set of base key slices.
  - 16. The DS module of claim 11, wherein the processing module functions to execute the access request by:
    - sending a read instruction to memory of the storage device;
      
      facilitating retrieving an encrypted data object from the memory in accordance with the read instruction;
      
      facilitating decrypting the encrypted data object using the access specific key to recover the data object; and
      
      outputting the recovered data object.
  - 17. The DS module of claim 11, wherein the processing module functions to execute the access request by:
    - facilitating encrypting the data object using the access specific key to produce an encrypted data object;
      
      sending a write instruction to memory of the storage device; and
      
      facilitating storing the encrypted data object in the memory in accordance with the write instruction.
  - 18. The DS module of claim 11, wherein the key generator module functions to generate the access specific key by one or more of:
    - performing a deterministic function on the recovered base key and the content specific information to produce the access specific key;
      
      performing a logical function on the recovered base key and the content specific information to produce the access specific key;
      
      performing a mathematical function on the recovered base key and the content specific information to produce the access specific key;
      
      encrypting the recovered base key utilizing the content specific information to produce the access specific key; and
      
      encrypting the content specific information utilizing the recovered base key to produce the access specific key.
  - 19. The DS module of claim 11 further comprises:
    - the processing module further functions to;
      
      receive a plurality of access requests, wherein the plurality of access requests include the access request;
      
      determine the base key identifier for the plurality of access requests;
      
      determine a plurality of content specific information based on the plurality of access requests;
      
      for the plurality of access requests, the key provision module further functions to;
      
      retrieve the set of base key slices utilizing the base key identifier; and
      
      decode the set of base key slices in accordance with the error encoding function to recover the base key; and
      
      for one of the plurality of access requests;
      
      the key generator module further functions to generate another unique access specific key based on the recovered base key and a corresponding one of the plurality of content specific information; and
      
      the processing module further functions to execute the one of the plurality of access requests utilizing the other unique access specific key.
  - 20. The DS module of claim 11, wherein the processing module functions to determine the base key identifier by:
    - sending a domain request to a managing unit, wherein the domain request includes at least a portion of the access request; and
      
      receiving, in response to the domain request, the base key identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US13/944,118
Publication Number

US 20140068259A1
Time in Patent Office

650 Days
Field of Search

713/167
US Class Current

713/167
CPC Class Codes

G06F 11/0712   in a virtual computing plat...

G06F 11/0784   Routing of error reports, e...

G06F 11/0787   Storage of error reports, e...

G06F 11/1004   to protect a block of data ...

G06F 11/1044   with specific ECC/EDC distr...

G06F 11/1076   Parity data used in redunda...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/142   Reconfiguring to eliminate ...

G06F 11/2094   Redundant storage or storag...

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/6272   by registering files or doc...

H03M 13/611   Specific encoding aspects, ...

H03M 13/616   Matrix operations, especial...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

Secure data access in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data access in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links