Self-validating request message structure and operation

US 9,735,967 B2
Filed: 03/03/2015
Issued: 08/15/2017
Est. Priority Date: 04/30/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprises:

generating, by a first device, a self-validating message by;

creating a master key;

using the master key and a secret function to create a message encryption key;

encrypting a message using the message encryption key to produce an encrypted message;

encrypting the master key using a public key of a second device to produce an encrypted master key; and

including a message authentication code of the first device in the self-validating message;

receiving, by the second device, the self-validating message; and

decoding, by the second device, the self-validating message by;

verifying the message authentication code of the first device; and

when the message authentication code of the first device is verified;

decrypting the encrypted master key using a private key of the second device to recover the master key;

using the master key and the secret function to create the message encryption key; and

decrypting the encrypted message using the message encryption key to recover the message,creating, by the second device, a self-validating response message by;

creating a responder encryption key from the master key and a second secret function;

encrypting a response to the message using the responder encryption key to produce an encrypted response; and

including a second message authentication code of the second device in the self-validating response message; and

sending, by the second device, the self-validating response message to the first device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a first device generating a self-validating message by creating a master key, using the master key to create a message encryption key, encrypting a message using the message encryption key to produce an encrypted message, encrypting the master key using a public key of a second device to produce an encrypted master key, and including a message authentication code of the first device in the self-validating message. The method continues by the second device receiving and decoding the self-validating message by verifying the message authentication code of the first device, and when the message authentication code of the first device is verified, decrypting the encrypted master key using a private key of the second device to recover the master key, using the master key to create the message encryption key, and decrypting the encrypted message using the message encryption key to recover the message.

115 Citations

12 Claims

1. A method comprises:
- generating, by a first device, a self-validating message by;
  
  creating a master key;
  
  using the master key and a secret function to create a message encryption key;
  
  encrypting a message using the message encryption key to produce an encrypted message;
  
  encrypting the master key using a public key of a second device to produce an encrypted master key; and
  
  including a message authentication code of the first device in the self-validating message;
  
  receiving, by the second device, the self-validating message; and
  
  decoding, by the second device, the self-validating message by;
  
  verifying the message authentication code of the first device; and
  
  when the message authentication code of the first device is verified;
  
  decrypting the encrypted master key using a private key of the second device to recover the master key;
  
  using the master key and the secret function to create the message encryption key; and
  
  decrypting the encrypted message using the message encryption key to recover the message,creating, by the second device, a self-validating response message by;
  
  creating a responder encryption key from the master key and a second secret function;
  
  encrypting a response to the message using the responder encryption key to produce an encrypted response; and
  
  including a second message authentication code of the second device in the self-validating response message; and
  
  sending, by the second device, the self-validating response message to the first device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprises:
    - creating, by the first device, the message authentication code based on the master key and a second secret function; and
      
      verifying, by the second device, the message authentication code based on the master key and the second secret function.
  - 3. The method of claim 1, wherein the self-validating message comprises:
    - a header section that includes the encrypted master key and one or more of;
      
      a time stamp, a first device identifier, a certificate chain, and a header signature;
      
      the encrypted message; and
      
      the message authentication code.
  - 4. The method of claim 1 further comprises:
    - encrypting, as the message, a read request using the message encryption key to produce the encrypted message;
      
      decrypting, by the second device, the encrypted message to recover the read request;
      
      generating, by the second device, a read response corresponding to the read request;
      
      creating, by the second device, a responder encryption key from the master key and a second secret function;
      
      encrypting, by the second device, the read response using the responder encryption key to produce an encrypted read response;
      
      receiving, by the first device, the encrypted read response;
      
      creating, by the first device, the responder encryption key from the master key and the second secret function; and
      
      decrypting, by the first device, the encrypted read response based on the responder encryption key to recover the read response.
  - 5. The method of claim 1 further comprises:
    - encrypting, as the message, a write request using the message encryption key to produce the encrypted message;
      
      decrypting, by the second device, the encrypted message to recover the write request;
      
      executing, by the second device, the write request;
      
      generating, by the second device, a write response corresponding to the executing of the write request;
      
      creating, by the second device, a responder encryption key from the master key and a second secret function;
      
      encrypting, by the second device, the write response using the responder encryption key to produce an encrypted write response;
      
      receiving, by the first device, the encrypted write response;
      
      creating, by the first device, the responder encryption key from the master key and the second secret function;
      
      decrypting, by the first device, the encrypted write response based on the responder encryption key to recover the write response;
      
      generating, by the first device, a second message encryption key from the master key and a third secret function;
      
      encrypting, by the first device, a write commit message using the second message encryption key to produce an encrypted write commit message;
      
      receiving, by the second device, the encrypted write commit message;
      
      creating, by the second device, the second message encryption key from the master key and the third secret function; and
      
      decrypting, by the second device, the encrypted write commit message based on the second message encryption key to recover the write commit message.
  - 6. The method of claim 1 further comprises:
    - creating, by the second device, the second message authentication code based on the master key and a third secret function;
      
      verifying, by the first device, the second message authentication code based on the master key and the third secret function;
      
      when the second message authentication code is verified;
      
      creating, by the first device, the responder encryption key from the master key and the second secret function; and
      
      decrypting the encrypted response using the responder encryption key to recover the response.

7. A non-transitory computer readable storage medium comprises:
- at least one memory section that stores operational instructions that, when executed by one or more processing modules of one or more devices of a dispersed storage network (DSN), causes the one or more devices to;
  
  generate, by a first device of the one or more devices, a self-validating message by;
  
  creating a master key;
  
  using the master key and a secret function to create a message encryption key;
  
  encrypting a message using the message encryption key to produce an encrypted message;
  
  encrypting the master key using a public key of a second device to produce an encrypted master key; and
  
  including a message authentication code of the first device in the self-validating message;
  
  receive, by the second device of the one or more devices, the self-validating message; and
  
  decode, by the second device, the self-validating message by;
  
  verifying the message authentication code of the first device; and
  
  when the message authentication code of the first device is verified;
  
  decrypting the encrypted master key using a private key of the second device to recover the master key;
  
  using the master key and the secret function to create the message encryption key; and
  
  decrypting the encrypted message using the message encryption key to recover the message,the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more devices of the DSN to;
  
  create, by the second device, a self-validating response message by;
  
  creating a responder encryption key from the master key and a second secret function;
  
  encrypting a response to the message using the responder encryption key to produce an encrypted response; and
  
  including a second message authentication code of the second device in the self-validating response message; and
  
  send, by the second device, the self-validating response message to the first device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable storage medium of claim 7 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more devices of the DSN to;
      
      create, by the first device, the message authentication code based on the master key and a second secret function; and
      
      verify, by the second device, the message authentication code based on the master key and the second secret function.
  - 9. The non-transitory computer readable storage medium of claim 7, wherein the self-validating message comprises:
    - a header section that includes the encrypted master key and one or more of;
      
      a time stamp, a first device identifier, a certificate chain, and a header signature;
      
      the encrypted message; and
      
      the message authentication code.
  - 10. The non-transitory computer readable storage medium of claim 7 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more devices of the DSN to;
      
      encrypt, as the message, a read request using the message encryption key to produce the encrypted message;
      
      decrypt, by the second device, the encrypted message to recover the read request;
      
      generate, by the second device, a read response corresponding to the read request;
      
      create, by the second device, a responder encryption key from the master key and a second secret function;
      
      encrypt, by the second device, the read response using the responder encryption key to produce an encrypted read response;
      
      receive, by the first device, the encrypted read response;
      
      create, by the first device, the responder encryption key from the master key and the second secret function; and
      
      decrypt, by the first device, the encrypted read response based on the responder encryption key to recover the read response.
  - 11. The non-transitory computer readable storage medium of claim 7 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more devices of the DSN to;
      
      encrypt, as the message, a write request using the message encryption key to produce the encrypted message;
      
      decrypt, by the second device, the encrypted message to recover the write request;
      
      execute, by the second device, the write request;
      
      generate, by the second device, a write response corresponding to the executing of the write request;
      
      create, by the second device, a responder encryption key from the master key and a second secret function;
      
      encrypt, by the second device, the write response using the responder encryption key to produce an encrypted write response;
      
      receive, by the first device, the encrypted write response;
      
      create, by the first device, the responder encryption key from the master key and the second secret function;
      
      decrypt, by the first device, the encrypted write response based on the responder encryption key to recover the write response;
      
      generate, by the first device, a second message encryption key from the master key and a third secret function;
      
      encrypt, by the first device, a write commit message using the second message encryption key to produce an encrypted write commit message;
      
      receive, by the second device, the encrypted write commit message;
      
      create, by the second device, the second message encryption key from the master key and the third secret function; and
      
      decrypt, by the second device, the encrypted write commit message based on the second message encryption key to recover the write commit message.
  - 12. The non-transitory computer readable storage medium of claim 7 further comprises:
    - the at least one memory section stores further operational instructions that, when executed by the one or more processing modules, causes the one or more devices of the DSN to;
      
      create, by the second device, the second message authentication code based on the master key and a third secret function;
      
      verify, by the first device, the second message authentication code based on the master key and the third secret function;
      
      when the second message authentication code is verified;
      
      create, by the first device, the responder encryption key from the master key and the second secret function; and
      
      decrypt the encrypted response using the responder encryption key to recover the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Leggette, Wesley, Resch, Jason K.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Malinowski, Walter

Application Number

US14/637,348
Publication Number

US 20150318995A1
Time in Patent Office

896 Days
Field of Search

713181, 714E11034, 711114, 707999202
US Class Current
CPC Class Codes

G06F 11/07   Responding to the occurrenc...

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0754   by exceeding limits

G06F 11/076   by exceeding a count or rat...

G06F 11/2058   using more than 2 mirrored ...

G06F 11/2094   Redundant storage or storag...

G06F 2211/1004   Adaptive RAID, i.e. RAID sy...

G06F 3/06   Digital input from, or digi...

G06F 3/0619   in relation to data integri...

G06F 3/0653   Monitoring storage devices ...

G06F 3/067   Distributed or networked st...

G06F 3/0685   Hybrid storage combining he...

H04L 63/0435   wherein the sending and rec...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/14   using a plurality of keys o...

H04L 9/3242   involving keyed hash functi...

Self-validating request message structure and operation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Self-validating request message structure and operation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links