Resharing of a split secret

US 9,768,953 B2
Filed: 09/30/2015
Issued: 09/19/2017
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A processor-based method for secret sharing in a computing system, comprising:

encrypting, by an encryption/decryption unit, shares of a new secret, using a previous secret;

distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system;

decrypting, by the encryption/decryption unit, at least a subset of the encrypted shares of the new secret, using the previous secret; and

regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret, wherein each member of the computing system receives an unencrypted share of the new secret and an encrypted, differing share of the new secret.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.

276 Citations

19 Claims

1. A processor-based method for secret sharing in a computing system, comprising:
- encrypting, by an encryption/decryption unit, shares of a new secret, using a previous secret;
  
  distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system;
  
  decrypting, by the encryption/decryption unit, at least a subset of the encrypted shares of the new secret, using the previous secret; and
  
  regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret, wherein each member of the computing system receives an unencrypted share of the new secret and an encrypted, differing share of the new secret.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - regenerating the previous secret from shares of the previous secret.
  - 3. The method of claim 1, further comprising:
    - determining whether all members of the computing system have received the distributed shares of the new secret; and
      
      encrypting a key, using the new secret, in response to determining that all of the members of the computing system have received the distributed shares of the new secret.
  - 4. The method of claim 1, further comprising:
    - encrypting data, using a data encryption key; and
      
      decrypting the data encryption key, using the new secret.
  - 5. The method of claim 1, further comprising:
    - regenerating at least one share of the new secret from the new secret; and
      
      distributing the at least one regenerated share of the new secret to at least one member of the computing system that does not have a share of the new secret.
  - 6. The method of claim 1, further comprising:
    - determining whether all of the members of the computing system have received shares of the new secret; and
      
      deleting the previous secret, responsive to a positive result of the determining.
  - 7. The method of claim 1, further comprising:
    - iterating the encrypting, distributing, decrypting and regenerating for a plurality of further new secrets.

8. A tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method comprising:
- encrypting, with a previous secret, shares of a new secret;
  
  distributing encrypted shares and unencrypted shares of the new secret;
  
  decrypting, with the previous secret, available encrypted shares of the new secret; and
  
  reproducing the new secret from at least a subset of available unencrypted shares of the new secret and the decrypted shares of the new secret, wherein each member of the computing system receives an unencrypted share of the new secret and an encrypted, differing share of the new secret.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer-readable media of claim 8, wherein the method further comprises:
    - reproducing the previous secret from previously generated shares of the previous secret.
  - 10. The computer-readable media of claim 8, wherein the method further comprises:
    - repeating the encrypting, distributing, decrypting and reproducing in an iterative manner for further new secrets.
  - 11. The computer-readable media of claim 8, wherein the method further comprises:
    - encrypting and decrypting data, with a data encryption key; and
      
      encrypting and decrypting the data encryption key, with the new secret.
  - 12. The computer-readable media of claim 8, wherein the method further comprises:
    - determining that all members of a system have received the shares of the new secret; and
      
      deleting the previous secret, responsive to the determining.
  - 13. The computer-readable media of claim 8, wherein the method further comprises:
    - determining whether members of a system have received the encrypted and unencrypted shares of the new secret; and
      
      encrypting a key with the new secret, responsive to the determining.
  - 14. The computer-readable media of claim 8, wherein the distributing includes sending at least one share of the new secret to off-site storage.
  - 15. The computer-readable media of claim 8, wherein the method further comprises:
    - verifying that all of the shares of the new secret are stored; and
      
      deleting shares of the previous secret, responsive to the verifying.

16. A computing system with a shared secret, comprising:
- a secret generator, configured to generate and regenerate secrets;
  
  a share splitter, configured to split a secret into a plurality of shares;
  
  an encryption/decryption unit, configured to encrypt and decrypt; and
  
  one or more processors, configured to perform actions comprising;
  
  encrypting shares of a second secret, using a first secret and the encryption/decryption unit;
  
  sending encrypted shares and unencrypted shares of the second secret to members of the computing system;
  
  decrypting at least a subset of the encrypted shares of the second secret, using the encryption/decryption unit and the first secret; and
  
  regenerating the second secret, using the secret generator and unencrypted shares and decrypted shares of the second secret,wherein each member of the computing system receives an unencrypted share of the second secret and an encrypted, differing share of the second secret.
- View Dependent Claims (17, 18, 19)
- - 17. The computing system of claim 16, further comprising:
    - a memory having a header section configured to store keys and shares of secrets; and
      
      the memory further having a data storage configured for storage of encrypted data, distinct from the header section.
  - 18. The computing system of claim 16, wherein the actions further comprise:
    - regenerating the first secret from shares of the first secret, using the secret generator, so that the first secret can be used for encrypting the shares of the second secret.
  - 19. The computing system of claim 16, wherein the actions further comprise:
    - regenerating at least one share of the second secret; and
      
      updating at least one member of the computing system that is missing the at least one share of the second secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Pure Storage, Inc.
Inventors
Bernat, Andrew R., Miller, Ethan L.
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/871,662
Publication Number

US 20170093564A1
Time in Patent Office

720 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0891   Revocation or update of sec...

Resharing of a split secret

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

276 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Resharing of a split secret

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

276 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others