Validating a certificate chain in a dispersed storage network

US 9,065,820 B2
Filed: 09/18/2013
Issued: 06/23/2015
Est. Priority Date: 11/09/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:

receiving the certificate chain from a requesting device, wherein the certificate chain includes a plurality of signed certificates that includes a signed certificate of the requesting device, a signed certificate of a root certificate authority, and one or more signed certificates of one or more intervening certificate authorities, wherein the certificate chain corresponds to a set of error coded (EC) data slices, wherein a data segment is dispersed error encoded to produce the set of EC data slices, and wherein the plurality of sets of EC data slices are stored among a plurality of distributed storage (DS) units within the DSN;

validating signature of one of the plurality of signed certificates based on a public key of a corresponding certificate authority and a verification algorithm affiliated with the one of the plurality of signed certificates;

when the signature of the one of the plurality of signed certificates is validated, validating remaining signatures of the plurality of signed certificates based on registry information that includes a list of trusted network certificates and vault information; and

when the remaining signatures of the plurality of signed certificates are validated, generating certificate chain validation information to include a realm identifier, a list of trusted certificate authorities that have signed one or more of the plurality of signed certificates, and an indication of the validity of the certificate chain that indicates authorization for the requesting device to retrieve a minimum number of EC data slices within the set of EC data slices required to reconstruct the data segment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module receiving a certificate chain and determining whether at least one of one or more signed certificates of the chain has a valid signature. When the at least one of the one or more signed certificates has a valid signature, the method continues with the processing module identifying one or more certificate authorities (CA) to produce identified CAs, accessing registry information that includes one or more realm identifiers (IDs) and a plurality of trusted CA IDs, determining whether one or more of the identified CAs is a trusted CA, and when the one or more of the identified CAs is a trusted CA, indicating that the certificate chain is valid, identifying a realm ID based on a trusted CA ID, and generating certificate chain validation information to include the realm ID, trusted CAs, and the indication of the validity of the certificate chain.

Citations

12 Claims

1. A method for authenticating a certificate chain within a dispersed storage network (DSN) by one or more computing devices of the DSN, wherein the method comprises:
- receiving the certificate chain from a requesting device, wherein the certificate chain includes a plurality of signed certificates that includes a signed certificate of the requesting device, a signed certificate of a root certificate authority, and one or more signed certificates of one or more intervening certificate authorities, wherein the certificate chain corresponds to a set of error coded (EC) data slices, wherein a data segment is dispersed error encoded to produce the set of EC data slices, and wherein the plurality of sets of EC data slices are stored among a plurality of distributed storage (DS) units within the DSN;
  
  validating signature of one of the plurality of signed certificates based on a public key of a corresponding certificate authority and a verification algorithm affiliated with the one of the plurality of signed certificates;
  
  when the signature of the one of the plurality of signed certificates is validated, validating remaining signatures of the plurality of signed certificates based on registry information that includes a list of trusted network certificates and vault information; and
  
  when the remaining signatures of the plurality of signed certificates are validated, generating certificate chain validation information to include a realm identifier, a list of trusted certificate authorities that have signed one or more of the plurality of signed certificates, and an indication of the validity of the certificate chain that indicates authorization for the requesting device to retrieve a minimum number of EC data slices within the set of EC data slices required to reconstruct the data segment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the validating the signature of one of the plurality of signed certificates comprises:
    - extracting the public key from another signed certificate of the plurality of signed certificates, wherein the other signed certificate is for the corresponding certificate authority;
      
      extracting a digital signature algorithm as the verification from the one of the plurality of signed certificates;
      
      generating a signature result based on the public key extracted from the other signed certificate and the signature algorithm extracted from the one of the plurality of signed certificates; and
      
      when the signature result is favorable, indicating that the signature of one of the plurality of signed certificates is valid.
  - 3. The method of claim 1, wherein the validating the signature of one of the plurality of signed certificates comprises:
    - extracting the public key from another signed certificate of the plurality of signed certificates, wherein the other signed certificate is for the corresponding certificate authority;
      
      decrypting the signature of the one of the plurality of signed certificates using the public key to produce a decrypted signature;
      
      performing, as at least part of the verification algorithm, a hash function on the one of the plurality of signed certificates to produce a representation of the one of the plurality of signed certificates;
      
      comparing the decrypted signature to the representation of the one of the plurality of signed certificates; and
      
      when the comparing is favorable, indicating that the one of the plurality of signed certificates is valid.
  - 4. The method of claim 1 further comprises:
    - the certificate chain is sequentially ordered with the signed certificate of the requesting device at one end of the sequential order, the signed certificate of the root certificate authority at another end of the sequential order, and the one or more signed certificates of one or more intervening certificate authorities sequenced there between, wherein the corresponding certificate authority of the one of the plurality of signed certificates is a certificate authority of a next ordered adjacent signed certificate in the sequential order.
  - 5. The method of claim 1, wherein the validating remaining signatures of the plurality of signed certificates comprises:
    - identifying remaining certificate authorities (CA) associated with the remaining signatures to produce identified CAs;
      
      determining whether the identified CAs are listed as trusted CAs in the registry information; and
      
      when the identified CAs are trusted CAs, indicating that the certificate chain is valid.
  - 6. The method of claim 1 further comprises:
    - sending the certificate chain validation information to the requesting device.

7. A computing device comprises:
- an interface;
  
  a memory; and
  
  a processing module coupled to the memory and the interface, wherein the processing module is configured to;
  
  receive, via the interface, a certificate chain from a requesting device, wherein the certificate chain includes a plurality of signed certificates that includes a signed certificate of the requesting device, a signed certificate of a root certificate authority, and one or more signed certificates of one or more intervening certificate authorities, wherein the certificate chain corresponds to a set of error coded (EC) data slices, wherein a data segment is dispersed error encoded to produce the set of EC data slices, and wherein the plurality of sets of EC data slices are stored among a plurality of distributed storage (DS) units within a dispersed storage network (DSN);
  
  validate signature of one of the plurality of signed certificates based on a public key of a corresponding certificate authority and a verification algorithm affiliated with the one of the plurality of signed certificates;
  
  when the signature of the one of the plurality of signed certificates is validated, validate remaining signatures of the plurality of signed certificates based on registry information that includes a list of trusted network certificates and vault information; and
  
  when the remaining signatures of the plurality of signed certificates are validated, generate certificate chain validation information to include a realm identifier, a list of trusted certificate authorities that have signed one or more of the plurality of signed certificates, and an indication of the validity of the certificate chain that indicates authorization for the requesting device to retrieve a minimum number of EC data slices within the set of EC data slices required to reconstruct the data segment.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computing device of claim 7, wherein the processing module is further configured to validate the signature of one of the plurality of signed certificates by:
    - extracting the public key from another signed certificate of the plurality of signed certificates, wherein the other signed certificate is for the corresponding certificate authority;
      
      extracting a digital signature algorithm as the verification from the one of the plurality of signed certificates;
      
      generating a signature result based on the public key extracted from the other signed certificate and the signature algorithm extracted from the one of the plurality of signed certificates; and
      
      when the signature result is favorable, indicating that the signature of one of the plurality of signed certificates is valid.
  - 9. The computing device of claim 7, wherein the processing module is further configured to validate the signature of one of the plurality of signed certificates by:
    - extracting the public key from another signed certificate of the plurality of signed certificates, wherein the other signed certificate is for the corresponding certificate authority;
      
      decrypting the signature of the one of the plurality of signed certificates using the public key to produce a decrypted signature;
      
      performing, as at least part of the verification algorithm, a hash function on the one of the plurality of signed certificates to produce a representation of the one of the plurality of signed certificates;
      
      comparing the decrypted signature to the representation of the one of the plurality of signed certificates; and
      
      when the comparing is favorable, indicating that the one of the plurality of signed certificates is valid.
  - 10. The computing device of claim 7 further comprises:
    - the certificate chain is sequentially ordered with the signed certificate of the requesting device at one end of the sequential order, the signed certificate of the root certificate authority at another end of the sequential order, and the one or more signed certificates of one or more intervening certificate authorities sequenced there between, wherein the corresponding certificate authority of the one of the plurality of signed certificates is a certificate authority of a next ordered adjacent signed certificate in the sequential order.
  - 11. The computing device of claim 7, wherein the processing module is further configured to validate the remaining signatures of the plurality of signed certificates by:
    - identifying remaining certificate authorities (CA) associated with the remaining signatures to produce identified CAs;
      
      determining whether the identified CAs are listed as trusted CAs in the registry information; and
      
      when the identified CAs are trusted CAs, indicating that the certificate chain is valid.
  - 12. The computing device of claim 7, wherein the processing module is further is further configured to:
    - send, via the interface, the certificate chain validation information to the requesting entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley, Resch, Jason K., Cilfone, Bart
Primary Examiner(s)
WANG, HARRIS C

Application Number

US14/030,354
Publication Number

US 20140020082A1
Time in Patent Office

643 Days
Field of Search

726/10
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 12/06   Addressing a physical block...

G06F 2211/1057   Parity-multiple bits-RAID6,...

G06F 3/0605   by facilitating the interac...

G06F 3/0614   Improving the reliability o...

G06F 3/0643   Management of files

G06F 3/0647   Migration mechanisms

G06F 3/067   Distributed or networked st...

H04L 63/0823   using certificates cryptogr...

Validating a certificate chain in a dispersed storage network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Validating a certificate chain in a dispersed storage network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links