Securing data in a dispersed storage network
First Claim
1. A method comprises:
a first set of steps performed by a first computing unit of a dispersed storage network (DSN) includes:
converting an encryption key into a key stream;
encrypting data based on the key stream and an encryption function to produce encrypted data;
dispersed storage error encoding the key stream to produce a set of encoded key stream slices;
dispersed storage error encoding the encrypted data to produce a set of encoded and encrypted data slices; and
outputting the set of encoded key stream slices and the set of encoded and encrypted data slices to storage units of the DSN for storage therein;
a second set of steps performed by one of the storage units includes:
receiving a retrieval request regarding an encoded key stream slice of the set of encoded key stream slices and an encoded and encrypted data slice of the set of encoded and encrypted data slices;
partially dispersed storage error decoding the encoded key stream slice to produce a partially decoded key stream vector;
partially dispersed storage error decoding the encoded and encrypted data slice to produce a partially decoded and encrypted data vector; and
partially decrypting the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector; and
a third set of steps performed by a second computing unit of the DSN includes:
receiving partially decrypted and decoded data vectors in response to sent retrieval requests that includes the retrieval request; and
reproducing, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on a function in accordance with the encryption function, wherein the function includes an exclusive OR.
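
Claim 1's three roles, worked through as an added example (not code from the patent): the storage units' partial results XOR together into the plaintext because encoding, decoding and the XOR cipher are all linear. It assumes a width-3, threshold-2 linear code over GF(2^8) with evaluation points `X` and a SHAKE-256 key stream; these choices and all function names are hypothetical, since the claim fixes none of them.

```python
import hashlib
from functools import reduce

X = [1, 2, 3]  # assumed code: one GF(2^8) point per storage unit, width 3, threshold 2

def gmul(a, b):
    """Multiply in GF(2^8) (AES polynomial 0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def ginv(a):
    return next(b for b in range(1, 256) if gmul(a, b) == 1)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encode(block):
    """Error-encode an even-length block (d0, d1): slice_i = d0 ^ X[i]*d1."""
    h = len(block) // 2
    return [bytes(p ^ gmul(x, q) for p, q in zip(block[:h], block[h:])) for x in X]

def partial_decode(sl, unit, peer):
    """Apply this unit's column of the inverse decoding matrix to its own slice."""
    c1 = ginv(X[unit] ^ X[peer])
    c0 = gmul(X[peer], c1)
    return bytes(gmul(c0, s) for s in sl) + bytes(gmul(c1, s) for s in sl)

def store(key, data):
    """First computing unit: key -> key stream (SHAKE-256, assumed), encrypt, encode."""
    ks = hashlib.shake_256(key).digest(len(data))
    return encode(ks), encode(xor(data, ks))

def unit_respond(ks_slice, ct_slice, unit, peer):
    """Storage unit: partially decode both slices, then XOR (partial decrypt)."""
    return xor(partial_decode(ks_slice, unit, peer), partial_decode(ct_slice, unit, peer))

def retrieve(responses):
    """Second computing unit: XOR the partial vectors; no key or key stream held."""
    return reduce(xor, responses)

def demo(data=b"constructed sample record 01", a=0, b=2):
    ks_sl, ct_sl = store(b"constructed-key", data)
    return retrieve([unit_respond(ks_sl[a], ct_sl[a], a, b),
                     unit_respond(ks_sl[b], ct_sl[b], b, a)])
```

In this linear-code example each unit's response equals the partial decode of the plaintext's own slice, so what a single storage unit can learn is whatever one encoded slice of the unencrypted data reveals.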
Abstract
A method begins by a source processing module securing data based on a key stream to produce secured data, where the key stream is derived from a unilateral encryption key accessible only to the source processing module, and sending the secure data to an intermediator processing module, where desecuring the secured data is divided into two partial desecuring stages. The method continues with the intermediator processing module partially desecuring the secure data in accordance with a first partial desecuring stage to produce partially desecured data and sending the partially desecured data to a destination processing module. The method continues with the destination processing module further partially desecuring the partially desecured data in accordance with a second desecuring stage to recover the data, where the destination processing module does not have access to the encryption key or to the key stream.
16 Claims
6. A method comprises:
securing, by a source processing module, data based on a key stream and in accordance with at least one securing function to produce secured data, wherein the key stream is derived from a unilateral encryption key accessible only to the source processing module;
sending, by the source processing module, the secure data to an intermediator processing module, wherein desecuring the secured data is divided into two partial desecuring stages;
partially desecuring, by the intermediator processing module, the secure data in accordance with a first partial desecuring stage of the two partial desecuring stages to produce partially desecured data;
sending, by the intermediator processing module, the partially desecured data to a destination processing module; and
further partially desecuring, by the destination processing module, the partially desecured data in accordance with a second desecuring stage of the two partial desecuring stages to recover the data, wherein the destination processing module does not have access to the unilateral encryption key or to the key stream, and wherein the further partially desecuring the partially desecured data includes:
separating the partially desecured data into partially desecured data vectors; and
exclusive ORing the partially desecured data vectors to produce the recovered data.
9. A non-transitory computer readable storage medium comprises:
a first memory section that stores operational instructions that, when executed by one or more processing modules of a first computing device of a dispersed storage network (DSN), causes the first computing device to:
convert an encryption key into a key stream;
encrypt data based on the key stream and an encryption function to produce encrypted data;
dispersed storage error encode the key stream to produce a set of encoded key stream slices;
dispersed storage error encode the encrypted data to produce a set of encoded and encrypted data slices; and
output the set of encoded key stream slices and the set of encoded and encrypted data slices to storage units of the DSN for storage therein;
a second memory section that stores operational instructions that, when executed by one or more processing modules of one of the storage units of the DSN, causes the one of the storage units to:
receive a retrieval request regarding an encoded key stream slice of the set of encoded key stream slices and an encoded and encrypted data slice of the set of encoded and encrypted data slices;
partially dispersed storage error decode the encoded key stream slice to produce a partially decoded key stream vector;
partially dispersed storage error decode the encoded and encrypted data slice to produce a partially decoded and encrypted data vector; and
partially decrypt the partially decoded and encrypted data vector in accordance with the encryption function and based on the partially decoded key stream vector to produce a partially decrypted and decoded data vector; and
a third memory section that stores operational instructions that, when executed by one or more processing modules of a second computing device of the DSN, causes the second computing device to:
receive partially decrypted and decoded data vectors in response to sent retrieval requests that includes the retrieval request; and
reproduce, without access to the encryption key and without access to the key stream, the data from the partially decrypted and decoded data vectors based on a function in accordance with the encryption function, wherein the function includes an exclusive OR.
14. A non-transitory computer readable storage medium comprises:
a first memory section that stores operational instructions that, when executed by a source processing module of one or more processing modules of one or more computing devices of a dispersed storage network (DSN), causes the one or more computing devices to:
secure data based on a key stream and in accordance with at least one securing function to produce secured data, wherein the key stream is derived from a unilateral encryption key accessible only to the source processing module; and
send the secure data to an intermediator processing module of the one or more processing modules, wherein desecuring the secured data is divided into two partial desecuring stages;
a second memory section that stores operational instructions that, when executed by the intermediator processing module of the one or more computing devices of the DSN, causes the one or more computing devices to:
partially desecure the secure data in accordance with a first partial desecuring stage of the two partial desecuring stages to produce partially desecured data; and
send the partially desecured data to a destination processing module of the one or more processing modules; and
a third memory section that stores operational instructions that, when executed by the destination processing module of the one or more computing devices of the DSN, causes the one or more computing devices to:
further partially desecure the partially desecured data in accordance with a second desecuring stage of the two partial desecuring stages to recover the data, wherein the destination processing module does not have access to the unilateral encryption key or to the key stream, and wherein the further partially desecuring the partially desecured data includes:
separating the partially desecured data into partially desecured data vectors; and
exclusive ORing the partially desecured data vectors to produce the recovered data.
Specification