Distributed storage network and method for storing and retrieving encryption keys

US 9,413,529 B2
Filed: 05/30/2014
Issued: 08/09/2016
Est. Priority Date: 10/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:

receiving an encryption key to store;

determining an encryption method;

encrypting the encryption key with the determined encryption method to produce an encrypted key;

determining a pillar width of a DSN user storage vault as a parameter of a dispersed storage error coding function;

encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and

storing in a distributed manner across the DSN user storage vault the set of encoded encrypted key slices in DSN memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a distributed storage (DS) managing unit receiving an encryption key to store. The method continues by determining an encryption method and encrypting the encryption key with the determined encryption method to produce an encrypted key. The method continues by encoding and storing the encrypted key in accordance with a dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices are required to reconstruct the encrypted key. Retrieval of the stored encryption key includes retrieving and decoding at least a decode threshold number of the encoded encrypted key slices of a set of encoded encrypted key slices from storage units of the DSN. The method may include raising or lowering the decode threshold or modifying the retrieval order to increase/decrease security.

88 Citations

View as Search Results

20 Claims

1. A method for processing an encryption key within a portion of a distributed storage network (DSN), the method comprises:
- receiving an encryption key to store;
  
  determining an encryption method;
  
  encrypting the encryption key with the determined encryption method to produce an encrypted key;
  
  determining a pillar width of a DSN user storage vault as a parameter of a dispersed storage error coding function;
  
  encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and
  
  storing in a distributed manner across the DSN user storage vault the set of encoded encrypted key slices in DSN memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprises one or more of:
    - increasing the decode threshold to increase a level of security; and
      
      decreasing the decode threshold to decrease a level of security.
  - 3. The method of claim 1 further comprises:
    - performing the encrypting an encryption key for a plurality of pillars within the DSN user storage vault.
  - 4. The method of claim 1, wherein the determining an encryption method further comprises:
    - a public key method or a password method.
  - 5. The method of claim 4, wherein the public key method includes:
    - retrieving a public key from a user storage vault to use as a key for encrypting the encryption key.
  - 6. The method of claim 4, wherein the password method includes:
    - retrieving a password from the DSN user storage vault and hashing the password to produce a hashed password, wherein the password or the hashed password is used as a key for encrypting the encryption key; and
      
      retrieving the hashed password.
  - 7. The method of claim 1, wherein the encryption method includes at least an encryption algorithm.
  - 8. The method of claim 7, wherein the encryption algorithm is based on one or more of:
    - user device connectivity type;
      
      a setting of the DSN user storage vault;
      
      a command;
      
      an operational parameter;
      
      availability of a public encryption key; and
      
      availability of a password.
  - 9. The method of claim 1 further comprising:
    - controlling access to the encryption key based on one or more of;
      
      a user ID;
      
      a system element ID; and
      
      a permissions list lookup.
  - 10. The method of claim 9 further comprising:
    - the permissions list includes one or more permissions to retrieve and store one or more of;
      
      private encryption keys;
      
      public encryption keys;
      
      secret encryption keys; and
      
      all encryption keys.

11. A method for processing encrypted data within a distributed storage network (DSN), the method comprises:
- receiving a retrieve encryption key request from a requester;
  
  determining a width of a DSN user storage vault, the width including a number of storage pillars;
  
  determining a decode threshold number of storage pillars for successful retrieval;
  
  retrieving, in response to the retrieve encryption key request, at least the decode threshold number of encoded encrypted key slices of a set of encoded encrypted key slices from the storage pillars of the DSN;
  
  decoding the at least the decode threshold number of the encoded encrypted key slices to produce an encrypted encryption key;
  
  determining a decryption method;
  
  decrypting the encrypted encryption key with the determined decryption method to produce an encryption key; and
  
  sending the encryption key to the requester to decrypt one or more portions of the encrypted data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the decryption method includes at least a decryption algorithm based on one or more of:
    - user device connectivity type;
      
      a user vault setting;
      
      a command;
      
      an operational parameter;
      
      availability of a public encryption key; and
      
      availability of a password.
  - 13. The method of claim 11 further comprises:
    - a permissions list including one or more permissions to retrieve and store one or more of;
      
      private encryption keys;
      
      public encryption keys;
      
      secret encryption keys; and
      
      all encryption keys.
  - 14. The method of claim 11 further comprises:
    - performing the retrieving an encrypted key for each of the storage pillars within the DSN user storage vault.
  - 15. The method of claim 11, wherein the retrieving is any of:
    - ordered;
      
      random; and
      
      iterative.
  - 16. The method of claim 11, wherein the decryption method comprises a public key method or a password method.
  - 17. The method of claim 16, wherein the public key method includes:
    - retrieving a public key from the DSN user storage vault, to use as a key for encrypting the encryption key.
  - 18. The method of claim 16, wherein the password method further comprises one or more of:
    - retrieving a password from the DSN user storage vault and hashing the password to produce a hashed password, wherein the password or the hashed password is used as a key for encrypting the encryption key; and
      
      retrieving the hashed password.

19. A distributed storage (DS) managing unit comprises:
- a first module operable to;
  
  store an encryption key by;
  
  receiving an encryption key to store;
  
  determining an encryption method;
  
  encrypting the encryption key with the determined encryption method to produce an encrypted key;
  
  determining a pillar width of a distributed storage network (DSN) user storage vault as a parameter of a dispersed storage error coding function;
  
  encoding the encrypted key in accordance with the dispersed storage error coding function to produce a set of encoded encrypted key slices, wherein a number of encoded encrypted key slices in the set of encoded encrypted key slices is equal to the pillar width, wherein a decode threshold number of the encoded encrypted key slices of the set of encoded encrypted key slices is required to reconstruct the encrypted key; and
  
  storing the set of encoded encrypted key slices in DSN memory; and
  
  a second module operable to;
  
  retrieve an encryption key by;
  
  receiving a retrieve encryption key request from a requester;
  
  determining the pillar width;
  
  determining a decode threshold number of storage pillars for successful retrieval in accordance with the dispersed storage error coding function;
  
  retrieving, in response to the retrieve encryption key request, at least the decode threshold number of the encoded encrypted key slices of a set of encoded encrypted key slices from storage units of the DSN;
  
  decoding the at least the decode threshold number of the encoded encrypted key slices to produce an encrypted encryption key;
  
  determining a decryption method;
  
  decrypting the encrypted encryption key with the determined decryption method to produce the encryption key; and
  
  sending the encryption key to the requester to decrypt one or more portions of encrypted data.
- View Dependent Claims (20)
- - 20. The distributed storage (DS) managing unit of claim 19 further comprising:
    - when storing the encryption key, the determining an encryption method further comprises retrieving a public key either from the DSN user storage vault or the encryption key to store; and
      
      when retrieving the encryption key, the determining an encryption method further comprises retrieving a private key for a user or unit, wherein the private key is retrieved either from the DSN user storage vault or the retrieve encryption key request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K.
Primary Examiner(s)
Lipman, Jacob

Application Number

US14/292,727
Publication Number

US 20140281550A1
Time in Patent Office

802 Days
Field of Search

713/171
US Class Current

1/1
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1068   in sector programmable memo...

G06F 11/1076   Parity data used in redunda...

G06F 12/1408   by using cryptography for d...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2151   Time stamp

G06F 3/0619   in relation to data integri...

G06F 3/064   Management of blocks

G06F 3/067   Distributed or networked st...

G11C 29/52   Protection of memory conten...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04N 21/2347   involving video stream encr...

H04N 21/23476 : by partially encrypting, e....

H04N 21/26613 : for generating or managing ...

H04N 21/4405 : involving video stream decr...

H04N 21/44055 : by partially decrypting, e....

H04N 21/8456 : by decomposing the content ...

View All

Distributed storage network and method for storing and retrieving encryption keys

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed storage network and method for storing and retrieving encryption keys

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links