Securing a data segment for storage

US 9,110,593 B2
Filed: 07/15/2014
Issued: 08/18/2015
Est. Priority Date: 06/06/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method for execution by a computer, the method comprises:

retrieving a plurality of sets of encoded data slices, wherein a set of encoded data slices corresponds to a dispersed storage error encoded combined partition of a plurality of combined partitions;

dispersed storage error decoding the plurality of sets of encoded data slices to reproduce the plurality of combined partitions;

separating the plurality of combined partitions into a plurality of masked key partitions and a plurality of encrypted data segment partitions;

combining the plurality of masked key partitions to produce a masked key;

combining the plurality of encrypted data segment partitions to produce an encrypted data segment;

performing a deterministic function on the encrypted data segment to produce a transformed representation of the encrypted data segment;

unmasking the masked key utilizing the transformed representation of the encrypted data segment to recover an encryption key; and

decrypting the encrypted data segment using the encryption key to recover a data segment.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module encrypting a data segment utilizing an encryption key to produce an encrypted data segment and performing a deterministic function on the encrypted data to produce a transformed representation of the encrypted data. The method continues with the DS processing module masking the encryption key utilizing the transformed representation of the encrypted data to produce a masked key, partitioning the masked key into a plurality masked key partitions, partitioning the encrypted data segment into a plurality of encrypted data segment partitions, and combining the plurality of masked key partitions with the plurality of encrypted data segment partitions to produce a plurality of combined partitions. For a combined partition of the plurality of combined partitions, the method continues with the DS processing module encoding the combined partition using a dispersed storage error coding function to produce a set of encoded data slices.

4 Citations

View as Search Results

15 Claims

1. A method for execution by a computer, the method comprises:
- retrieving a plurality of sets of encoded data slices, wherein a set of encoded data slices corresponds to a dispersed storage error encoded combined partition of a plurality of combined partitions;
  
  dispersed storage error decoding the plurality of sets of encoded data slices to reproduce the plurality of combined partitions;
  
  separating the plurality of combined partitions into a plurality of masked key partitions and a plurality of encrypted data segment partitions;
  
  combining the plurality of masked key partitions to produce a masked key;
  
  combining the plurality of encrypted data segment partitions to produce an encrypted data segment;
  
  performing a deterministic function on the encrypted data segment to produce a transformed representation of the encrypted data segment;
  
  unmasking the masked key utilizing the transformed representation of the encrypted data segment to recover an encryption key; and
  
  decrypting the encrypted data segment using the encryption key to recover a data segment.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprises:
    - determining a partitioning scheme based on a desired level of security; and
      
      separating the plurality of combined partitions in accordance with the partitioning scheme.
  - 3. The method of claim 1, wherein the separating the plurality of masked key partitions from the plurality of encrypted data segment partitions comprises:
    - determining a pseudo random combining process that was used to combine the plurality of masked key partitions and the plurality of encrypted data segment partitions; and
      
      separating the plurality of masked key partitions from the plurality of encrypted data segment partitions in accordance with the pseudo random combining process.
  - 4. The method of claim 1, wherein the separating the plurality of masked key partitions from the plurality of encrypted data segment partitions further comprises:
    - separating the plurality of masked key partitions with the plurality of encrypted data segment partitions in accordance with an interleaving process.
  - 5. The method of claim 1 further comprises:
    - for a set of encoded data slices of the plurality of sets of encoded data slices;
      
      dispersed storage error decoding the set of encoded data slices to produce a further combined partition;
      
      separating a second masked key and an encrypted combined partition from the further combined partition;
      
      performing a deterministic function on the encrypted combined partition to produce a transformed representation of the encrypted combined partition;
      
      unmasking the second masked key utilizing the transformed representation of the encrypted combined partition to produce a second encryption key; and
      
      decrypting the encrypted combined partition utilizing the second encryption key to produce a combined partition of the plurality of combined partitions.

6. A computer readable storage device comprises:
- a first memory section that stores operational instructions that, when executed by a computing device, causes the computing device to;
  
  retrieve a plurality of sets of encoded data slices, wherein a set of encoded data slices corresponds to a dispersed storage error encoded combined partition of a plurality of combined partitions;
  
  a second memory section that stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  dispersed storage error decode the plurality of sets of encoded data slices to reproduce the plurality of combined partitions;
  
  a third memory section that stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  separate the plurality of combined partitions into a plurality of masked key partitions and a plurality of encrypted data segment partitions;
  
  combine the plurality of masked key partitions to produce a masked key;
  
  combine the plurality of encrypted data segment partitions to produce an encrypted data segment;
  
  perform a deterministic function on the encrypted data segment to produce a transformed representation of the encrypted data segment;
  
  unmask the masked key utilizing the transformed representation of the encrypted data segment to recover an encryption key; and
  
  a fourth memory section that stores operational instructions that, when executed by the computing device, causes the computing device to;
  
  decrypt the encrypted data segment using the encryption key to recover a data segment.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer readable storage device of claim 6, wherein the third memory section further stores operational instructions that, when executed by the computing device, causes the computing device to:
    - determine a partitioning scheme based on a desired level of security; and
      
      separate the plurality of combined partitions in accordance with the partitioning scheme.
  - 8. The computer readable storage device of claim 6, wherein the third memory section further stores operational instructions that, when executed by the computing device, causes the computing device to separate the plurality of masked key partitions from the plurality of encrypted data segment partitions by:
    - determining a pseudo random combining process that was used to combine the plurality of masked key partitions and the plurality of encrypted data segment partitions; and
      
      separating the plurality of masked key partitions from the plurality of encrypted data segment partitions in accordance with the pseudo random combining process.
  - 9. The computer readable storage device of claim 6, wherein the third memory section further stores operational instructions that, when executed by the computing device, causes the computing device to separate the plurality of masked key partitions from the plurality of encrypted data segment partitions by:
    - separating the plurality of masked key partitions with the plurality of encrypted data segment partitions in accordance with an interleaving process.
  - 10. The computer readable storage device of claim 6, wherein the first memory section further stores operational instructions that, when executed by the computing device, causes the computing device to:
    - for a set of encoded data slices of the plurality of sets of encoded data slices;
      
      dispersed storage error decode the set of encoded data slices to produce a further combined partition;
      
      separate a second masked key and an encrypted combined partition from the further combined partition;
      
      perform a deterministic function on the encrypted combined partition to produce a transformed representation of the encrypted combined partition;
      
      unmask the second masked key utilizing the transformed representation of the encrypted combined partition to produce a second encryption key; and
      
      decrypt the encrypted combined partition utilizing the second encryption key to produce a combined partition of the plurality of combined partitions.

11. A computer comprises:
- an interface;
  
  memory; and
  
  a processing module operably coupled to the interface and to the processing module, wherein the processing module is operable to;
  
  retrieve a plurality of sets of encoded data slices, wherein a set of encoded data slices corresponds to a dispersed storage error encoded combined partition of a plurality of combined partitions;
  
  dispersed storage error decode the plurality of sets of encoded data slices to reproduce the plurality of combined partitions;
  
  separate the plurality of combined partitions into a plurality of masked key partitions and a plurality of encrypted data segment partitions;
  
  combine the plurality of masked key partitions to produce a masked key;
  
  combine the plurality of encrypted data segment partitions to produce an encrypted data segment;
  
  perform a deterministic function on the encrypted data segment to produce a transformed representation of the encrypted data segment;
  
  unmask the masked key utilizing the transformed representation of the encrypted data segment to recover an encryption key; and
  
  decrypt the encrypted data segment using the encryption key to recover a data segment.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer of claim 11, wherein the processing module is further operable to:
    - determine a partitioning scheme based on a desired level of security; and
      
      separate the plurality of combined partitions in accordance with the partitioning scheme.
  - 13. The computer of claim 11, wherein the processing module is further operable to separate the plurality of masked key partitions from the plurality of encrypted data segment partitions by:
    - determining a pseudo random combining process that was used to combine the plurality of masked key partitions and the plurality of encrypted data segment partitions; and
      
      separating the plurality of masked key partitions from the plurality of encrypted data segment partitions in accordance with the pseudo random combining process.
  - 14. The computer of claim 11, wherein the processing module is further operable to separate the plurality of masked key partitions from the plurality of encrypted data segment partitions by:
    - separating the plurality of masked key partitions with the plurality of encrypted data segment partitions in accordance with an interleaving process.
  - 15. The computer of claim 11, wherein the processing module is further operable to:
    - for a set of encoded data slices of the plurality of sets of encoded data slices;
      
      dispersed storage error decode the set of encoded data slices to produce a further combined partition;
      
      separate a second masked key and an encrypted combined partition from the further combined partition;
      
      perform a deterministic function on the encrypted combined partition to produce a transformed representation of the encrypted combined partition;
      
      unmask the second masked key utilizing the transformed representation of the encrypted combined partition to produce a second encryption key; and
      
      decrypt the encrypted combined partition utilizing the second encryption key to produce a combined partition of the plurality of combined partitions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K.
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US14/331,676
Publication Number

US 20140331065A1
Time in Patent Office

399 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/10   Adding special bits or symb...

G06F 11/1076   Parity data used in redunda...

G06F 11/2089   Redundant storage control f...

G06F 12/1408   by using cryptography for d...

G06F 15/17331   Distributed shared memory [...

G06F 16/27   Replication, distribution o...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/64   Protecting data integrity, ...

G06F 2212/263   Network storage, e.g. SAN o...

G06F 2221/2107   File encryption

G06F 3/0604   Improving or facilitating a...

G06F 3/0644   Management of space entitie...

G06F 3/067   Distributed or networked st...

G06F 8/65   Updates security arrangemen...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

Securing a data segment for storage

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Securing a data segment for storage

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links