Facilitating access of a dispersed storage network

US 9,092,385 B2
Filed: 08/16/2012
Issued: 07/28/2015
Est. Priority Date: 08/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a managing unit of a dispersed storage network (DSN), wherein the method comprises:

generating a temporary public-private key pair for a device;

generating, for the device, a restricted use certificate that includes a temporary public key of the temporary public-private key pair and a restriction indicator for indicating one or more restrictions regarding the restricted use certificate;

generating a temporary password for the device;

encoding, in accordance with a distributed authentication protocol and using the temporary password, a temporary private key of the temporary public-private key pair to produce a set of encoded private key shares;

encoding, in accordance with the distributed authentication protocol and using the temporary password, the restricted use certificate to produce a set of encoded certificate shares;

outputting the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units for storage therein; and

outputting the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares from the set of authentication units based on the temporary password, the device is able to recapture the temporary private key and the restricted use certificate to obtain a signed certificate for accessing a dispersed storage network (DSN).

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module generating a temporary public-private key pair, a restricted use certificate, and a temporary password for a device. The method continues with the DS processing encoding a temporary private key to produce a set of encoded private key shares and encoding the restricted use certificate to produce a set of encoded certificate shares. The method continues with the DS processing module outputting the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units. The method continues with the DS processing module outputting the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares, the device is able to recapture the temporary private key and the restricted use certificate for accessing a dispersed storage network (DSN).

Citations

20 Claims

1. A method for execution by a managing unit of a dispersed storage network (DSN), wherein the method comprises:
- generating a temporary public-private key pair for a device;
  
  generating, for the device, a restricted use certificate that includes a temporary public key of the temporary public-private key pair and a restriction indicator for indicating one or more restrictions regarding the restricted use certificate;
  
  generating a temporary password for the device;
  
  encoding, in accordance with a distributed authentication protocol and using the temporary password, a temporary private key of the temporary public-private key pair to produce a set of encoded private key shares;
  
  encoding, in accordance with the distributed authentication protocol and using the temporary password, the restricted use certificate to produce a set of encoded certificate shares;
  
  outputting the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units for storage therein; and
  
  outputting the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares from the set of authentication units based on the temporary password, the device is able to recapture the temporary private key and the restricted use certificate to obtain a signed certificate for accessing a dispersed storage network (DSN).
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the generating the restricted use certificate comprises:
    - generating the restricted use certificate to include the temporary public key of the temporary public-private key pair and at least one of;
      
      a subject identifier (ID) field value that includes an authenticating device ID;
      
      a number of uses field value;
      
      a time validity indicator;
      
      an issuer universally unique identifier (UUID);
      
      an algorithm ID;
      
      an issuer name; and
      
      public key algorithm.
  - 3. The method of claim 1, wherein the encoding the temporary private key comprises:
    - applying a share encoding function on the temporary private key to produce a set of encoded shares;
      
      generating a set of random numbers;
      
      generating a set of hidden passwords based on the temporary password;
      
      for each encoded share of the set of encoded shares;
      
      generating an encryption key based on a corresponding one of the set of hidden passwords and a corresponding one of the set of random numbers; and
      
      encrypting the encoded share utilizing the encryption key to produce an encrypted share; and
      
      grouping the set of random numbers and a set of the encrypted shares to produce the set of encoded private key shares.
  - 4. The method of claim 1, wherein the encoding the restricted use certificate comprises:
    - applying a share encoding function on the restricted use certificate to produce a set of encoded shares;
      
      generating a set of random numbers;
      
      generating a set of hidden passwords based on the temporary password;
      
      for each encoded share of the set of encoded shares;
      
      generating an encryption key based on a corresponding one of the set of hidden passwords and a corresponding one of the set of random numbers; and
      
      encrypting the encoded share utilizing the encryption key to produce an encrypted share; and
      
      grouping the set of random numbers and a set of the encrypted shares to produce the set of encoded certificate shares.

5. A method comprises:
- obtaining a temporary password associated with a temporary public-private key pair;
  
  retrieving a set of encoded private key shares and a set of encoded certificate shares from a set of authentication units based on the temporary password, wherein a temporary private key of the temporary public-private key pair is encoded using a distributed authentication protocol and the temporary password to produce the set of encoded private key shares and a restricted use certificate is encoded using the distributed authentication protocol and the temporary password to produce the set of encoded certificate shares;
  
  decoding, based on the temporary password, the set of encoded certificate shares to recover the restricted use certificate;
  
  decoding, based on the temporary password, the set of encoded private key shares to recover the temporary private key;
  
  requesting authentication with a certificate authority based on the restricted use certificate and the temporary private key;
  
  when authenticated by the certificate authority, generating a public-private key pair based on the recovered temporary private key and the restricted use certificate;
  
  outputting a certificate signing request (CSR) to the certificate authority (CA), wherein the CSR includes a certificate, which in turn, includes a public key of the public-private key pair; and
  
  receiving, from the certificate authority, a CA signed certificate of the certificate.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5 further comprises:
    - generating a device password for a device;
      
      encoding, in accordance with a distributed authentication protocol and using the device password, a private key of the public-private key pair to produce a set of encoded private key shares;
      
      encoding, in accordance with the distributed authentication protocol and using the device password, the CA signed certificate to produce a set of encoded certificate shares; and
      
      outputting the set of encoded private key shares and the set of encoded certificate shares to the set of authentication units.
  - 7. The method of claim 5 further comprises:
    - generating a request to access a dispersed storage network (DSN) utilizing the CA signed certificate.
  - 8. The method of claim 5, wherein the retrieving the set of encoded private key shares comprises:
    - generating a set of hidden passwords based on the temporary password;
      
      generating a set of blinded passwords based on the set of hidden passwords and a set of blinded random numbers;
      
      outputting the set of blinded passwords to the set of authentication units;
      
      receiving a set of passkeys from the set of authentication units, wherein each authentication unit of the set of authentication units generates a passkey of the set of passkeys based on a corresponding blinded password of the set of blinded passwords and a recovered random number of a set of recovered random numbers;
      
      generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
      
      retrieving a set of encrypted shares from the set of authentication units;
      
      decrypting the set of encrypted shares utilizing the set of decryption keys to produce a set of shares; and
      
      decoding the set of shares to reproduce the temporary private key.
  - 9. The method of claim 5, wherein the retrieving the set of encoded certificate shares comprises:
    - generating a set of hidden passwords based on the temporary password;
      
      generating a set of blinded passwords based on the set of hidden passwords and a set of blinded random numbers;
      
      outputting the set of blinded passwords to the set of authentication units;
      
      receiving a set of passkeys from the set of authentication units, wherein each authentication unit of the set of authentication units generates a passkey of the set of passkeys based on a corresponding blinded password of the set of blinded passwords and a recovered random number of a set of recovered random numbers;
      
      generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
      
      retrieving a set of encrypted shares from the set of authentication units;
      
      decrypting the set of encrypted shares utilizing the set of decryption keys to produce a set of shares; and
      
      decoding the set of shares to reproduce the restricted use certificate.
  - 10. The method of claim 5, wherein the requesting authentication with the certificate authority comprises:
    - generating a certification signature of the restricted use certificate utilizing the temporary private key to produce a signed restricted use certificate;
      
      outputting the signed restricted use certificate to the certificate authority; and
      
      receiving an authentication confirmation from the certificate authority.

11. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  generate a temporary public-private key pair for a device;
  
  generate, for the device, a restricted use certificate that includes a temporary public key of the temporary public-private key pair and a restriction indicator for indicating one or more restrictions regarding the restricted use certificate; and
  
  generate a temporary password for the device;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  encode, in accordance with a distributed authentication protocol and using the temporary password, a temporary private key of the temporary public-private key pair to produce a set of encoded private key shares;
  
  a third module, when operable within the computing device, causes the computing device to;
  
  encode, in accordance with the distributed authentication protocol and using the temporary password, the restricted use certificate to produce a set of encoded certificate shares; and
  
  a fourth module, when operable within the computing device, causes the computing device to;
  
  output the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units for storage therein; and
  
  output the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares from the set of authentication units based on the temporary password, the device is able to recapture the temporary private key and the restricted use certificate to obtain a signed certificate for accessing a dispersed storage network (DSN).
- View Dependent Claims (12, 13, 14)
- - 12. The DS module of claim 11, wherein the first module, when operable, generates the restricted use certificate by:
    - generating the restricted use certificate to include the temporary public key of the temporary public-private key pair and at least one of;
      
      a subject identifier (ID) field value that includes an authenticating device ID;
      
      a number of uses field value;
      
      a time validity indicator;
      
      an issuer universally unique identifier (UUID);
      
      an algorithm ID;
      
      an issuer name; and
      
      public key algorithm.
  - 13. The DS module of claim 11, wherein the second module, when operable, encodes the temporary private key by:
    - applying a share encoding function on the temporary private key to produce a set of encoded shares;
      
      generating a set of random numbers;
      
      generating a set of hidden passwords based on the temporary password;
      
      for each encoded share of the set of encoded shares;
      
      generating an encryption key based on a corresponding one of the set of hidden passwords and a corresponding one of the set of random numbers; and
      
      encrypting the encoded share utilizing the encryption key to produce an encrypted share; and
      
      grouping the set of random numbers and a set of the encrypted shares to produce the set of encoded private key shares.
  - 14. The DS module of claim 11, wherein the third module, when operable, encodes the restricted use certificate by:
    - applying a share encoding function on the restricted use certificate to produce a set of encoded shares;
      
      generating a set of random numbers;
      
      generating a set of hidden passwords based on the temporary password;
      
      for each encoded share of the set of encoded shares;
      
      generating an encryption key based on a corresponding one of the set of hidden passwords and a corresponding one of the set of random numbers; and
      
      encrypting the encoded share utilizing the encryption key to produce an encrypted share; and
      
      grouping the set of random numbers and a set of the encrypted shares to produce the set of encoded certificate shares.

15. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  obtain a temporary password associated with a temporary public-private key pair;
  
  retrieve a set of encoded private key shares and a set of encoded certificate shares from a set of authentication units based on the temporary password, wherein a temporary private key of the temporary public-private key pair is encoded using a distributed authentication protocol and the temporary password to produce the set of encoded private key shares and a restricted use certificate is encoded using the distributed authentication protocol and the temporary password to produce the set of encoded certificate shares;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  decode, based on the temporary password, the set of encoded certificate shares to recover the restricted use certificate;
  
  decode, based on the temporary password, the set of encoded private key shares to recover the temporary private key;
  
  request authentication with a certificate authority based on the restricted use certificate and the temporary private key; and
  
  a third module, when operable within the computing device, causes the computing device to;
  
  when authenticated by the certificate authority, generate a public-private key pair based on the recovered temporary private key and the restricted use certificate;
  
  output a certificate signing request (CSR) to the certificate authority (CA), wherein the CSR includes a certificate, which in turn, includes a public key of the public-private key pair; and
  
  receive, from the certificate authority, a CA signed certificate of the certificate.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The DS module of claim 15 further comprises:
    - a fourth module, when operable within the computing device, causes the computing device to;
      
      generate a device password for the device;
      
      encode, in accordance with a distributed authentication protocol and using the device password, a private key of the public-private key pair to produce a set of encoded private key shares;
      
      encode, in accordance with the distributed authentication protocol and using the password, the CA signed certificate to produce a set of encoded certificate shares; and
      
      output the set of encoded private key shares and the set of encoded certificate shares to the set of authentication units.
  - 17. The DS module of claim 15 further comprises:
    - the third module is further operable to generate a request to access a dispersed storage network (DSN) utilizing the CA signed certificate.
  - 18. The DS module of claim 15, wherein the first module, when operable, retrieves the set of encoded private key shares by:
    - generating a set of hidden passwords based on the temporary password;
      
      generating a set of blinded passwords based on the set of hidden passwords and a set of blinded random numbers;
      
      outputting the set of blinded passwords to the set of authentication units;
      
      receiving a set of passkeys from the set of authentication units, wherein each authentication unit of the set of authentication units generates a passkey of the set of passkeys based on a corresponding blinded password of the set of blinded passwords and a recovered random number of a set of recovered random numbers;
      
      generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
      
      retrieving a set of encrypted shares from the set of authentication units;
      
      decrypting the set of encrypted shares utilizing the set of decryption keys to produce a set of shares; and
      
      decoding the set of shares to reproduce the temporary private key.
  - 19. The DS module of claim 15, wherein the first module, when operable, retrieves the set of encoded certificate shares by:
    - generating a set of hidden passwords based on the temporary password;
      
      generating a set of blinded passwords based on the set of hidden passwords and a set of blinded random numbers;
      
      outputting the set of blinded passwords to the set of authentication units;
      
      receiving a set of passkeys from the set of authentication units, wherein each authentication unit of the set of authentication units generates a passkey of the set of passkeys based on a corresponding blinded password of the set of blinded passwords and a recovered random number of a set of recovered random numbers;
      
      generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
      
      retrieving a set of encrypted shares from the set of authentication units;
      
      decrypting the set of encrypted shares utilizing the set of decryption keys to produce a set of shares; and
      
      decoding the set of shares to reproduce the restricted use certificate.
  - 20. The DS module of claim 15, wherein the second module, when operable, requests authentication with the certificate authority by:
    - generating a certification signature of the restricted use certificate utilizing the temporary private key to produce a signed restricted use certificate;
      
      outputting the signed restricted use certificate to the certificate authority; and
      
      receiving an authentication confirmation from the certificate authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US13/587,224
Publication Number

US 20130046973A1
Time in Patent Office

1,076 Days
Field of Search

713/156, 713/173, 713/175, 726/4
US Class Current

1/1
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 11/1446   Point-in-time backing up or...

G06F 11/1612   where the redundant compone...

G06F 15/17331   Distributed shared memory [...

G06F 21/00   Security arrangements for p...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/06   Digital input from, or digi...

G06F 3/0604   Improving or facilitating a...

G06F 3/067   Distributed or networked st...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/00   Cryptographic mechanisms or...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/40   Network security protocols

Facilitating access of a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating access of a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links