Utilizing a deterministic all or nothing transformation in a dispersed storage network

US 9,231,768 B2
Filed: 06/07/2011
Issued: 01/05/2016
Est. Priority Date: 06/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method for execution by a computing device, the method comprises:

performing a function to generate a deterministic key from a data segment, in which the data segment is one of a plurality of data segments generated by segmenting a data object and in which the data segments are processed separately for storage to store the data object;

encrypting the data segment using the deterministic key to produce encrypted data;

performing a transform function on the encrypted data to produce transformed data;

performing a masking function on the deterministic key and the transformed data to generate a masked key;

combining the masked key and the encrypted data to produce a secure package; and

error encoding the secure package to generate a plurality of data slices for storage, wherein a threshold number of data slices of the secure package are needed to reconstruct the secure package when retrieved, the threshold number of data slices being less than the plurality of data slices generated.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module generating a deterministic key from data and encrypting the data using the deterministic key to produce encrypted data. The method continues with the processing module generating transformed data from the encrypted data and generating a masked key from the deterministic key and the transformed data. The method continues with the processing module combining the masked key and the encrypted data to produce a secure package.

84 Citations

View as Search Results

22 Claims

1. A method for execution by a computing device, the method comprises:
- performing a function to generate a deterministic key from a data segment, in which the data segment is one of a plurality of data segments generated by segmenting a data object and in which the data segments are processed separately for storage to store the data object;
  
  encrypting the data segment using the deterministic key to produce encrypted data;
  
  performing a transform function on the encrypted data to produce transformed data;
  
  performing a masking function on the deterministic key and the transformed data to generate a masked key;
  
  combining the masked key and the encrypted data to produce a secure package; and
  
  error encoding the secure package to generate a plurality of data slices for storage, wherein a threshold number of data slices of the secure package are needed to reconstruct the secure package when retrieved, the threshold number of data slices being less than the plurality of data slices generated.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprises:
    - outputting the plurality of data slices to a wireless communication device for wireless communication of the plurality of data slices.
  - 3. The method of claim 1 further comprises:
    - outputting the plurality of data slices to a dispersed storage network (DSN) memory for storage therein.
  - 4. The method of claim 1 further comprises:
    - receiving a second plurality of data slices to recover a second secure package from a dispersed storage network (DSN) memory; and
      
      facilitating storage of the plurality of data slices in the DSN memory when the secure package compares favorably to the second secure package.
  - 5. The method of claim 1, wherein the performing the function to generate the deterministic key comprises:
    - performing one or more of a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function on the data segment to produce the deterministic key.
  - 6. The method of claim 1, wherein the transform function comprises at least one of:
    - a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function.
  - 7. The method of claim 1, wherein the performing the masking function to generate the masked key comprises at least one of:
    - exclusive ORing (XOR) the deterministic key and the transformed data;
      
      adding the deterministic key and a modulo conversion of the transformed data; and
      
      modifying the deterministic key to produce a modified key and exclusive ORing the modified key and the transformed data.

8. A method for execution by a computing device, the method comprises:
- retrieving a threshold number of data slices to recover a secure package, in which the secure package was initially error encoded to generate a plurality of data slices for storage, wherein the threshold number of data slices of the plurality of data slices are needed to reconstruct the secure package when retrieved, the threshold number of data slices being less than the plurality of data slices generated;
  
  extracting a masked key and encrypted data from the secure package;
  
  performing a transform function on the encrypted data to produce transformed data;
  
  performing a de-masking function on the masked key and the transformed data to generate a deterministic key; and
  
  decrypting the encrypted data based on the deterministic key to recover a data segment of a data object, in which the data segment is one of a plurality of data segments generated by segmenting the data object, wherein the data segments were processed separately for storage to store the data object.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the transform function comprises at least one of:
    - a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function.
  - 10. The method of claim 8, wherein the generating the deterministic key comprises at least one of:
    - exclusive ORing (XOR) the masked key and the transformed data;
      
      subtracting a modulo conversion of the transformed data from the masked key; and
      
      exclusive ORing the transformed data and the masked key to produce a modified key; and
      
      modifying the modified key to produce the deterministic key.
  - 11. The method of claim 8 further comprises:
    - transforming the data segment into a validation key utilizing a hashing function; and
      
      indicating that the data segment is valid when the validation key compares favorably to the deterministic key.

12. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operably coupled to the memory and the interface, wherein the processing module is operable to;
  
  perform a function to generate a deterministic key from a data segment, in which the data segment is one of a plurality of data segments generated by segmenting a data object and in which the data segments are processed separately for storage to store the data object;
  
  encrypt the data segment using the deterministic key to produce encrypted data;
  
  perform a transform function on the encrypted data produce transformed data;
  
  perform a masking function on the deterministic key and the transformed data to generate a masked key;
  
  combine the masked key and the encrypted data to produce a secure package; and
  
  error encode the secure package to generate a plurality of data slices for storage, wherein a threshold number of data slices of the secure package are needed to reconstruct the secure package when retrieved, the threshold number of data slices being less than the plurality of data slices generated.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer of claim 12, wherein the processing module further functions to:
    - output, via the interface, the plurality of data slices to a wireless communication device for wireless communication of the plurality of data slices.
  - 14. The computer of claim 12, wherein the processing module further functions to:
    - output, via the interface, the plurality of data slices to a dispersed storage network (DSN) memory for storage therein.
  - 15. The computer of claim 12, wherein the processing module further functions to:
    - receive, via the interface, a second plurality of data slices to recover a second secure package from a dispersed storage network (DSN) memory; and
      
      facilitate storage of the plurality of data slices in the DSN memory when the secure package compares favorably to the second secure package.
  - 16. The computer of claim 12, wherein the processing module functions to perform the function to generate the deterministic key by:
    - performing one or more of a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function on the data segment to produce the deterministic key.
  - 17. The computer of claim 12, wherein the transform function comprises at least one of:
    - a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function.
  - 18. The computer of claim 12, wherein the processing module functions to perform the masking function to generate the masked key by at least one of:
    - exclusive ORing (XOR) the deterministic key and the transformed data;
      
      adding the deterministic key and a modulo conversion of the transformed data; and
      
      modifying the deterministic key to produce a modified key and exclusive ORing the modified key and the transformed data.

19. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operably coupled to the memory and the interface, the processing module is operable to;
  
  retrieve, via the interface, a threshold number of data slices to recover a secure package, in which the secure package was initially error encoded to generate a plurality of data slices for storage, wherein the threshold number of data slices of the plurality of data slices are needed to reconstruct the secure package when retrieved, the threshold number of data slices being less than the plurality of data slices generated;
  
  extract a masked key and encrypted data from the secure package;
  
  perform a transform function on the encrypted data to produce transformed data;
  
  perform a de-masking function on the masked key and the transformed data to generate a deterministic key; and
  
  decrypt the encrypted data based on the deterministic key to recover a data segment of a data object, in which the data segment is one of a plurality of data segments generated by segmenting the data object, wherein the data segments were processed separately for storage to store the data object.
- View Dependent Claims (20, 21, 22)
- - 20. The computer of claim 19, wherein the transform function comprises at least one of:
    - a hashing function, a checksum function, a hash-based message authentication code (HMAC), a mask generating function (MGF), and a compression function.
  - 21. The computer of claim 19, wherein the processing module functions to generate the deterministic key by at least one of:
    - exclusive ORing (XOR) the masked key and the transformed data;
      
      subtracting a modulo conversion of the transformed data from the masked key; and
      
      exclusive ORing the transformed data and the masked key to produce a modified key and modifying the modified key to produce the deterministic key.
  - 22. The computer of claim 19, wherein the processing module further functions to:
    - transform the data segment into a validation key utilizing a hashing function; and
      
      indicate that the data segment is valid when the validation key compares favorably to the deterministic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/154,740
Publication Number

US 20110311051A1
Time in Patent Office

1,673 Days
Field of Search

380/270, 380/273, 713/165, 713/171
US Class Current

1/1
CPC Class Codes

G06F 11/0727   in a storage system, e.g. i...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/141   for bus or memory accesses

G06F 11/167   Error detection by comparin...

G06F 16/13   File access structures, e.g...

G06F 16/137   Hash-based content-based in...

G06F 21/31   User authentication

G06F 21/6209   to a single file or object,...

G06F 2211/1028   Distributed, i.e. distribut...

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/12   Applying verification of th...

H04L 67/06   specially adapted for file ...

H04L 67/1097   for distributed storage of ...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247 : involving digital signatures

H04L 9/3263 : involving certificates, e.g...

H04L 9/3271 : using challenge-response

H04W 12/041 : Key generation or derivation

H04W 12/0431 : Key distribution or pre-dis...

H04W 12/10 : Integrity

H04W 12/35 : Protecting application or s...

View All

Utilizing a deterministic all or nothing transformation in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Utilizing a deterministic all or nothing transformation in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others