Deleting encoded data slices in a dispersed storage network

US 9,509,514 B2
Filed: 09/10/2014
Issued: 11/29/2016
Est. Priority Date: 11/28/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A distributed storage (DS) unit comprises:

an interface;

a plurality of memory devices for storing, in an encrypted format, an encoded data slice from each of at least some sets of encoded data slices of a first, second, third, and fourth pluralities of sets of encoded data slices, wherein;

a first data object is dispersed storage error encoded into the first plurality of sets of encoded data slices;

a second data object is dispersed storage error encoded into the second plurality of sets of encoded data slices;

a third data object is dispersed storage error encoded into the third plurality of sets of encoded data slices;

a fourth data object is dispersed storage error encoded into the fourth plurality of sets of encoded data slices;

the first and second data objects share a first common data aspect;

the third and fourth data objects share a second common data aspect; and

encoded data slices of the first and second pluralities of sets of encoded data slices form a first collection of encoded data slices and encoded data slices of the third and fourth pluralities of sets of encoded data slices form a second collection of encoded data slices; and

a processing module operable to;

receive, via the interface, a request regarding encoded data slices of at least one of the first and second plurality of sets of encoded data slices;

identify, based on the request, a first common encrypting character string associated with the first common data aspect; and

process the request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices based on the first common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices is done based on the first common encrypting character string.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving a request regarding at least a portion of corresponding encoded data slices, wherein a collection of encrypted and encoded data slices of a plurality of collections of encrypted and encoded data slices includes a common data aspect, wherein encrypted and encoded data slices of the collection of encrypted and encoded data slices are produced by individually encrypting corresponding encoded data slices using a common encrypting character string and representations of the corresponding encoded data slices. The method continues with the DS processing module identifying the common encrypting character string of the corresponding encoded data slices. When the request is to delete the corresponding encoded data slices, the method continues with the DS processing module obfuscating the common encrypting character string in a local memory such that the collection of encrypted and encoded data slices are effectively incomprehensible.

5 Citations

View as Search Results

16 Claims

1. A distributed storage (DS) unit comprises:
- an interface;
  
  a plurality of memory devices for storing, in an encrypted format, an encoded data slice from each of at least some sets of encoded data slices of a first, second, third, and fourth pluralities of sets of encoded data slices, wherein;
  
  a first data object is dispersed storage error encoded into the first plurality of sets of encoded data slices;
  
  a second data object is dispersed storage error encoded into the second plurality of sets of encoded data slices;
  
  a third data object is dispersed storage error encoded into the third plurality of sets of encoded data slices;
  
  a fourth data object is dispersed storage error encoded into the fourth plurality of sets of encoded data slices;
  
  the first and second data objects share a first common data aspect;
  
  the third and fourth data objects share a second common data aspect; and
  
  encoded data slices of the first and second pluralities of sets of encoded data slices form a first collection of encoded data slices and encoded data slices of the third and fourth pluralities of sets of encoded data slices form a second collection of encoded data slices; and
  
  a processing module operable to;
  
  receive, via the interface, a request regarding encoded data slices of at least one of the first and second plurality of sets of encoded data slices;
  
  identify, based on the request, a first common encrypting character string associated with the first common data aspect; and
  
  process the request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices based on the first common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices is done based on the first common encrypting character string.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is a read request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identify the first common encrypting character string associated with the first common data aspect;
      
      decrypt the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices using the first common encrypting character string to recapture the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices; and
      
      output, via the interface, the recaptured encoded data slices of the first and second plurality of sets of encoded data slices.
  - 3. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is a write request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identify the first common encrypting character string associated with the first common data aspect;
      
      encrypt the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices using the first common encrypting character string to produce the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices; and
      
      write the at least one of the encoded data slices of the first and second plurality of sets of encoded data slices to one or more of the plurality of memory devices.
  - 4. The DS unit of claim 1, wherein the processing module is further operable to:
    - when the request is a delete request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identify the first common encrypting character string associated with the first common data aspect; and
      
      obfuscate the first common encrypting character string such that the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices are effectively incomprehensible.
  - 5. The DS unit of claim 1, wherein the processing module is further operable to:
    - receive, via the interface, a request regarding the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices;
      
      identify, based on the request, a second common encrypting character string associated with the second common data aspect; and
      
      process the request regarding the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices based on the second common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices is done based on the second common encrypting character string.
  - 6. The DS unit of claim 1, wherein the processing module is further operable to:
    - receive, via the interface, a request regarding the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices, wherein the first and third data objects share a third common data aspect;
      
      identify, based on the request, a third common encrypting character string associated with the third common data aspect; and
      
      process the request regarding the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices based on the third common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices is done based on the third common encrypting character string.
  - 7. The DS unit of claim 1, wherein the processing module is further operable to individually encrypt the encoded data slices of at least one of the first and second plurality of sets of encoded data slices by:
    - transforming the first common encrypting character string and a representation of the encoded data slices of at least one of the first and second plurality of sets of encoded data slices using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the corresponding encoded data slice, a hash of the corresponding encoded data slice, the corresponding encoded data slice, a vault identifier (ID); and
      
      encrypting an individual encoded data slice of the encoded data slices of at least one of the first and second plurality of sets of encoded data slices using the individual encryption key to produce an individual encrypted and encoded data slice of the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices.
  - 8. The DS unit of claim 1, wherein the first common encrypting character string includes one or more of:
    - a random number, a series of characters, a passcode, and a random string of characters.

9. A method for execution by a storage unit, the method comprises:
- storing, in an encrypted format, an encoded data slice from each of at least some sets of encoded data slices of a first, second, third, and fourth pluralities of sets of encoded data slices, wherein;
  
  a first data object is dispersed storage error encoded into the first plurality of sets of encoded data slices;
  
  a second data object is dispersed storage error encoded into the second plurality of sets of encoded data slices;
  
  a third data object is dispersed storage error encoded into the third plurality of sets of encoded data slices;
  
  a fourth data object is dispersed storage error encoded into the fourth plurality of sets of encoded data slices;
  
  the first and second data objects share a first common data aspect;
  
  the third and fourth data objects share a second common data aspect; and
  
  encoded data slices of the first and second pluralities of sets of encoded data slices form a first collection of encoded data slices and encoded data slices of the third and fourth pluralities of sets of encoded data slices form a second collection of encoded data slices; and
  
  receiving a request regarding encoded data slices of at least one of the first and second plurality of sets of encoded data slices;
  
  identifying, based on the request, a first common encrypting character string associated with the first common data aspect; and
  
  processing the request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices based on the first common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices is done based on the first common encrypting character string.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 further comprises:
    - when the request is a read request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identifying the first common encrypting character string associated with the first common data aspect;
      
      decrypting the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices using the first common encrypting character string to recapture the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices; and
      
      outputting the recaptured encoded data slices of the first and second plurality of sets of encoded data slices.
  - 11. The method of claim 9 further comprises:
    - when the request is a write request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identifying the first common encrypting character string associated with the first common data aspect;
      
      encrypting the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices using the first common encrypting character string to produce the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices; and
      
      writing the at least one of the encoded data slices of the first and second plurality of sets of encoded data slices to one or more of a plurality of memory devices.
  - 12. The method of claim 9 further comprises:
    - when the request is a delete request regarding the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices, identifying the first common encrypting character string associated with the first common data aspect; and
      
      obfuscating the first common encrypting character string such that the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices are effectively incomprehensible.
  - 13. The method of claim 9 further comprises:
    - receiving a request regarding the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices;
      
      identifying, based on the request, a second common encrypting character string associated with the second common data aspect; and
      
      processing the request regarding the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices based on the second common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the third and fourth plurality of sets of encoded data slices is done based on the second common encrypting character string.
  - 14. The method of claim 9 further comprises:
    - receiving a request regarding the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices, wherein the first and third data objects share a third common data aspect;
      
      identifying a third common encrypting character string associated with the third common data aspect; and
      
      processing the request regarding the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices based on the third common encrypting character string, wherein encrypting of the encoded data slices of the at least one of the first and third plurality of sets of encoded data slices is done based on the third common encrypting character string.
  - 15. The method of claim 9 further comprises individually encrypting the encoded data slices of at least one of the first and second plurality of sets of encoded data slices by:
    - transforming the first common encrypting character string and a representation of the encoded data slices of at least one of the first and second plurality of sets of encoded data slices using a deterministic function to produce an individual encryption key, wherein the representation includes one or more of distributed storage network (DSN) address, a slice name of the corresponding encoded data slice, a hash of the corresponding encoded data slice, the corresponding encoded data slice, a vault identifier (ID); and
      
      encrypting an individual encoded data slice of the encoded data slices of at least one of the first and second plurality of sets of encoded data slices using the individual encryption key to produce an individual encrypted and encoded data slice of the encoded data slices of the at least one of the first and second plurality of sets of encoded data slices.
  - 16. The method of claim 9, wherein the first common encrypting character string includes one or more of:
    - a random number, a series of characters, a passcode, and a random string of characters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K., Motwani, Manish
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/482,320
Publication Number

US 20140380064A1
Time in Patent Office

811 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/108   Parity data distribution in...

G06F 12/0607   Interleaved addressing

G06F 12/1408   by using cryptography for d...

G06F 16/182   Distributed file systems

G06F 21/00   Security arrangements for p...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 3/0608   Saving storage space on sto...

G06F 3/0641   De-duplication techniques

G06F 3/067   Distributed or networked st...

H04L 63/0428   wherein the data content is...

H04L 65/10   Architectures or entities

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3236   using cryptographic hash fu...

Deleting encoded data slices in a dispersed storage network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Deleting encoded data slices in a dispersed storage network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links