Dispersed storage network with encrypted portion withholding and methods for use therewith

US 9,203,812 B2
Filed: 05/30/2014
Issued: 12/01/2015
Est. Priority Date: 04/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method for use in a pre-data manipulator of a computing device, the method comprising:

receiving a data segment at the pre-data manipulator;

combining the data segment with a sentinel value to generate a combined data segment;

encrypting the combined data segment;

calculating a digest of the encrypted combined data segment;

encrypting an encryption key using the digest to produce a masked key;

appending the masked key to the encrypted combined data segment to generate an encrypted package;

determining when to withhold a portion of the encrypted package;

removing the portion of the encrypted package when the portion of the encrypted package is to be withheld; and

transmitting the encrypted package less the portion to be withheld.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrity record is appended to data slices prior to being sent to multiple slice storage units. Each of the data slices includes a different encoded version of the same data segment. An integrity indicator of each data slice is computed, and the integrity record is generated based on each of the individual integrity indicators, and may be, for example, list or a hash of the combined integrity indicators. When retrieving data slices from storage, the integrity record can be stripped off, a new integrity indicator of the data slice calculated, and a new integrity record created. The new integrity record can be compared to the original integrity record, and used to verify the integrity of the data slices.

80 Citations

View as Search Results

20 Claims

1. A method for use in a pre-data manipulator of a computing device, the method comprising:
- receiving a data segment at the pre-data manipulator;
  
  combining the data segment with a sentinel value to generate a combined data segment;
  
  encrypting the combined data segment;
  
  calculating a digest of the encrypted combined data segment;
  
  encrypting an encryption key using the digest to produce a masked key;
  
  appending the masked key to the encrypted combined data segment to generate an encrypted package;
  
  determining when to withhold a portion of the encrypted package;
  
  removing the portion of the encrypted package when the portion of the encrypted package is to be withheld; and
  
  transmitting the encrypted package less the portion to be withheld.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - storing the portion of the encrypted package.
  - 3. The method of claim 1, further comprising:
    - padding at least some of the encrypted package to replace the portion of the encrypted package.
  - 4. The method of claim 1, further comprising:
    - determining a size of the portion of the encrypted package and a location of the portion of the encrypted package.
  - 5. The method of claim 1, further comprising:
    - selecting the encryption key based on one or more of;
      
      a security parameter associated with a user vault and a DSN-wide security parameter.
  - 6. The method of claim 1, further comprising:
    - pre-encrypting the data segment using a private key associated with the pre-data manipulator prior to combining the data segment with the sentinel value.
  - 7. The method of claim 1, wherein the sentinel value is based on one or more of:
    - a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number.

8. A processing unit adapted to be coupled to a dispersed storage network (DSN), the processing unit comprising:
- input/output interface circuitry adapted to be coupled to the DSN;
  
  memory; and
  
  a processing module operably coupled to the memory and to the input/output interface circuitry, wherein the processing module is operable to;
  
  receive a data segment at the processing unit;
  
  combine the data segment with a sentinel value to generate a combined data segment;
  
  encrypt the combined data segment;
  
  calculate a digest of the encrypted combined data segment;
  
  encrypt an encryption key using the digest to produce a masked key;
  
  append the masked key to the encrypted combined data segment to generate an encrypted package;
  
  determine when to withhold a portion of the encrypted package;
  
  remove the portion of the encrypted package when the portion of the encrypted package is to be withheld; and
  
  transmit the encrypted package less the portion to be withheld.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The processing unit of claim 8, wherein the processing module is further operable to:
    - store the portion of the encrypted package.
  - 10. The processing unit of claim 8, wherein the processing module is further operable to:
    - pad at least some of the encrypted package to replace the portion of the encrypted package.
  - 11. The processing unit of claim 8, wherein the processing module is further operable to:
    - determine a size of the portion of the encrypted package and a location of the portion of the encrypted package.
  - 12. The processing unit of claim 8, wherein the processing module is further operable to:
    - select the encryption key based on one or more of;
      
      a security parameter associated with a user vault and a DSN-wide security parameter.
  - 13. The processing unit of claim 8, wherein the processing module is further operable to:
    - pre-encrypt the data segment using a private key associated with the processing unit prior to combining the data segment with the sentinel value.
  - 14. The processing unit of claim 8, wherein the sentinel value is based on one or more of:
    - a security parameter associated with a user vault, a dispersed storage network (DSN)-wide security parameter, a unique number associated with the data segment, and an encrypted number.

15. A computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), causes the one or more computing devices to;
  
  receive a data segment at the one or more processing modules;
  
  combine the data segment with a sentinel value to generate a combined data segment;
  
  encrypt the combined data segment;
  
  calculate a digest of the encrypted combined data segment;
  
  encrypt an encryption key using the digest to produce a masked key;
  
  append the masked key to the encrypted combined data segment to generate an encrypted package;
  
  determine when to withhold a portion of the encrypted package;
  
  remove the portion of the encrypted package when the portion of the encrypted package is to be withheld; and
  
  transmit the encrypted package less the portion to be withheld.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage medium of claim 15, wherein the at least one memory section stores further operational instructions that, when executed by the one or more processing modules of the one or more computing devices of the DSN, causes the one or more computing devices to:
    - store the portion of the encrypted package.
  - 17. The computer readable storage medium of claim 15, wherein the at least one memory section stores further operational instructions that, when executed by the one or more processing modules of the one or more computing devices of the DSN, causes the one or more computing devices to:
    - pad at least some of the encrypted package to replace the portion of the encrypted package.
  - 18. The computer readable storage medium of claim 15, wherein the at least one memory section stores further operational instructions that, when executed by the one or more processing modules of the one or more computing devices of the DSN, causes the one or more computing devices to:
    - determine a size of the portion of the encrypted package and a location of the portion of the encrypted package.
  - 19. The computer readable storage medium of claim 15, wherein the at least one memory section stores further operational instructions that, when executed by the one or more processing modules of the one or more computing devices of the DSN, causes the one or more computing devices to:
    - select the encryption key based on one or more of;
      
      a security parameter associated with a user vault and a DSN-wide security parameter.
  - 20. The computer readable storage medium of claim 15, wherein the at least one memory section stores further operational instructions that, when executed by the one or more processing modules of the one or more computing devices of the DSN, causes the one or more computing devices to:
    - pre-encrypt the data segment using a private key associated with the one or more processing modules prior to combining the data segment with the sentinel value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Jacob, Ajith

Application Number

US14/292,132
Publication Number

US 20140337622A1
Time in Patent Office

550 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1044   with specific ECC/EDC distr...

G06F 16/1748   De-duplication implemented ...

G06F 16/2365   Ensuring data consistency a...

G06F 21/64   Protecting data integrity, ...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2211/1059   Parity-single bit-RAID5, i....

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/12   Details relating to cryptog...

H04L 2209/603   Digital right managament [DRM]

H04L 2209/608   Watermarking

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3236   using cryptographic hash fu...

Dispersed storage network with encrypted portion withholding and methods for use therewith

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dispersed storage network with encrypted portion withholding and methods for use therewith

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links