Encrypting segmented data in a distributed computing system

US 9,674,155 B2
Filed: 06/13/2013
Issued: 06/06/2017
Est. Priority Date: 12/12/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A dispersed storage (DS) module comprises:

a first module, when operable within a computing device, causes the computing device to;

segment a data partition into a plurality of data segments; and

for each of at least some data segments of the plurality of data segments;

divide the data segment into a set of data sub-segments;

a second module, when operable within the computing device, causes the computing device to;

for the data segment of the plurality of data segments;

generate a set of sub keys for the set of data sub-segments based on a master key;

encrypt the set of data sub-segments using the set of sub keys to produce a set of encrypted data sub-segments;

aggregate the set of encrypted data sub-segments into encrypted data; and

generate a masked key based on the encrypted data and the master key; and

a third module, when operable within the computing device, causes the computing device to;

for the data segment of the plurality of data segments;

combine the encrypted data and the masked key to produce an encrypted data segment, wherein encryption of the data partition includes encrypted data segments for the each of the at least some of the data segments, wherein the combining the encrypted data and the masked key includes at least one of;

interleaving the masked key with the encrypted data to produce the encrypted data segment;

appending the masked key to the encrypted data to produce the encrypted data segment; and

distributing, in accordance with a pattern, portions of the masked key within the encrypted data to produce the encrypted data segment.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module segmenting a data partition into a plurality of data segments. For a data segment of the plurality of data segments, the method continues with the DS processing module dividing the data segment into a set of data sub-segments and generating a set of sub keys for the set of data sub-segments based on a master key. The method continues with the DS processing module encrypting the set of data sub-segments using the set of sub keys to produce a set of encrypted data sub-segments and aggregating the set of encrypted data sub-segments into encrypted data. The method continues with the DS processing module generating a masked key based on the encrypted data and the master key and combining the encrypted data and the masked key to produce an encrypted data segment.

Citations

8 Claims

1. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  segment a data partition into a plurality of data segments; and
  
  for each of at least some data segments of the plurality of data segments;
  
  divide the data segment into a set of data sub-segments;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  for the data segment of the plurality of data segments;
  
  generate a set of sub keys for the set of data sub-segments based on a master key;
  
  encrypt the set of data sub-segments using the set of sub keys to produce a set of encrypted data sub-segments;
  
  aggregate the set of encrypted data sub-segments into encrypted data; and
  
  generate a masked key based on the encrypted data and the master key; and
  
  a third module, when operable within the computing device, causes the computing device to;
  
  for the data segment of the plurality of data segments;
  
  combine the encrypted data and the masked key to produce an encrypted data segment, wherein encryption of the data partition includes encrypted data segments for the each of the at least some of the data segments, wherein the combining the encrypted data and the masked key includes at least one of;
  
  interleaving the masked key with the encrypted data to produce the encrypted data segment;
  
  appending the masked key to the encrypted data to produce the encrypted data segment; and
  
  distributing, in accordance with a pattern, portions of the masked key within the encrypted data to produce the encrypted data segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The DS module of claim 1 further comprises:
    - the first module further functions to divide the data segment into the set of data sub-segments based a decode threshold of a dispersed storage error encoding function; and
      
      a fourth module functions to encode the encrypted data segment in accordance with the dispersed storage error encoding function to produce a set of encoded data slices.
  - 3. The DS module of claim 1, wherein the second module functions to generate the set of sub keys by:
    - generating a first sub key of the set of sub keys by performing a deterministic function on the master key and a descriptor of a first data sub-segment of the set of data sub-segments; and
      
      generating a second sub key of the set of sub keys by performing the deterministic function on the master key and a descriptor of a second data sub-segment of the set of data sub-segments.
  - 4. The DS module of claim 1, wherein the second module functions to generate the set of sub keys by:
    - generating a first sub key of the set of sub keys by performing at least one of a mathematical function and a logical function on the master key, a descriptor of a first data sub-segment of the set of data sub-segments, and a first shared secret; and
      
      generating a second sub key of the set of sub keys by performing at least one of the mathematical function and the logical function on the master key, a descriptor of a second data sub-segment of the set of data sub-segments, and a second shared secret.
  - 5. The DS module of claim 1, wherein the second module functions to generate the masked key by:
    - performing a deterministic function on the encrypted data to produce transformed data; and
      
      performing a masking function on the master key using the transformed data to produce the masked key.
  - 6. The DS module of claim 1 further comprises:
    - for another data segment of the plurality of data segments;
      
      the first module further functions to divide the other data segment into a second set of data sub-segments;
      
      the second module further functions to;
      
      generate a second set of sub keys for the second set of data sub-segments based on the master key;
      
      encrypt the second set of data sub-segments using the second set of sub keys to produce a second set of encrypted data sub-segments;
      
      aggregate the second set of encrypted data sub-segments into second encrypted data; and
      
      generate a second masked key based on the second encrypted data and the master key; and
      
      the third module further functions to combine the second encrypted data and the second masked key to produce a second encrypted data segment.
  - 7. The DS module of claim 6 further comprises:
    - the second module further functions to;
      
      generate a first slice group from a first encrypted data sub-segment of the encrypted data segment and a first encrypted data sub-segment of the second encrypted data segment; and
      
      generate a second slice group from a second encrypted data sub-segment of the encrypted data segment and a second encrypted data sub-segment of the second encrypted data segment.
  - 8. The DS module of claim 1 further comprises:
    - the second module further functions to;
      
      obtain a first master key for a first data segment of the plurality of data segments; and
      
      obtain a second master key for a second data segment of the plurality of data segments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Resch, Jason K.
Primary Examiner(s)
Blair, April Y
Assistant Examiner(s)
GANDHI, DIPAKKUMAR B

Application Number

US13/917,017
Publication Number

US 20130275744A1
Time in Patent Office

1,454 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 12/1408   by using cryptography for d...

G06F 2211/1028   Distributed, i.e. distribut...

G06F 2212/1052   Security improvement

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

Encrypting segmented data in a distributed computing system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting segmented data in a distributed computing system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links