Encrypting data for storage in a dispersed storage network

US 9,842,063 B2
Filed: 11/07/2016
Issued: 12/12/2017
Est. Priority Date: 11/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method for retrieving data, the method comprises:

retrieving, by a computing device of a dispersed storage network (DSN), a plurality of secure data packages from storage units of the DSN;

separating, by the computing device, the plurality of secure data packages into a plurality of masked keys and a plurality of encrypted data units in accordance with a data intermingling pattern, wherein the data intermingling pattern insures that, when a threshold number of encrypted data units are available, the plurality of masked keys is retrievable regardless of which encrypted data units of the plurality of encrypted data units are included in the threshold number of encrypted data units;

generating, by the computing device, a plurality of deterministic values from the plurality of encrypted data units;

generating, by the computing device, a plurality of encryption keys based on the plurality of masked keys and the plurality of deterministic values;

decrypting, by the computing device, the plurality of encrypted data units using the plurality of encryption keys to produce a plurality of data units; and

recovering, by the computing device, a first portion of the data from a threshold number of the plurality of data units.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes retrieving a plurality of secure data packages from storage units. The method further includes separating the secure data packages into masked keys and encrypted data units in accordance with a data intermingling pattern. The method further includes generating deterministic values from the encrypted data units and generating encryption keys based on the masked keys and the deterministic values. The method further includes decrypting the encrypted data units using the encryption keys to produce data units. The method further includes recovering a first portion of the data from a threshold number of the data units.

Citations

14 Claims

1. A method for retrieving data, the method comprises:
- retrieving, by a computing device of a dispersed storage network (DSN), a plurality of secure data packages from storage units of the DSN;
  
  separating, by the computing device, the plurality of secure data packages into a plurality of masked keys and a plurality of encrypted data units in accordance with a data intermingling pattern, wherein the data intermingling pattern insures that, when a threshold number of encrypted data units are available, the plurality of masked keys is retrievable regardless of which encrypted data units of the plurality of encrypted data units are included in the threshold number of encrypted data units;
  
  generating, by the computing device, a plurality of deterministic values from the plurality of encrypted data units;
  
  generating, by the computing device, a plurality of encryption keys based on the plurality of masked keys and the plurality of deterministic values;
  
  decrypting, by the computing device, the plurality of encrypted data units using the plurality of encryption keys to produce a plurality of data units; and
  
  recovering, by the computing device, a first portion of the data from a threshold number of the plurality of data units.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the retrieving the plurality of secure data packages comprises:
    - retrieving a plurality of sets of encoded data slices; and
      
      performing a dispersed storage error decoding function on the plurality of sets of encoded data slices to produce the plurality of secure data packages.
  - 3. The method of claim 1, wherein the generating the plurality of encryption keys comprises:
    - selecting one or more of the plurality of deterministic values in accordance with the data intermingling pattern; and
      
      selecting one or more of the plurality of masked keys in accordance with the data intermingling pattern.
  - 4. The method of claim 1 further comprises:
    - separating a first secure data package of the plurality of secure data packages into a first masked key of the plurality of masked keys and a first encrypted data unit of the plurality of encrypted data units;
      
      generating a first deterministic value of the plurality of deterministic values from the first encrypted data unit;
      
      generating a first encryption key of the plurality of encryption keys based on the first deterministic value; and
      
      decrypting the first encrypted data unit using the first encryption key to produce a first data unit of the plurality of data units.
  - 5. The method of claim 4, wherein the generating the first encryption key comprises:
    - selecting a first masked key of the plurality of masked keys in accordance with a decode selecting approach; and
      
      exclusive ORing the first masked key with the first deterministic value to produce the first encryption key.
  - 6. The method of claim 1 further comprises:
    - separating a second secure data package of the plurality of secure data packages into a second masked key of the plurality of masked keys and a second encrypted data unit of the plurality of encrypted data units;
      
      generating a second deterministic value of the plurality of deterministic values from the second encrypted data unit;
      
      generating a second encryption key of the plurality of encryption keys based on the plurality of masked keys and the second deterministic value; and
      
      decrypting the second encrypted data unit using the second encryption key to produce a second data unit of the plurality of data units.
  - 7. The method of claim 6, wherein the generating the second encryption key comprises:
    - selecting a second masked key of the plurality of masked keys in accordance with a decode selecting approach; and
      
      exclusive ORing the second masked key with the second deterministic value to produce the second encryption key.

8. A computing device of a dispersed storage network (DSN), wherein the computing device comprises:
- an interface;
  
  memory; and
  
  a processing module operably coupled to the interface and the memory, wherein the processing module is configured to;
  
  retrieve, via the interface, a plurality of secure data packages from storage units of the DSN;
  
  separate the plurality of secure data packages into a plurality of masked keys and a plurality of encrypted data units in accordance with a data intermingling pattern, wherein the data intermingling pattern insures that, when a threshold number of encrypted data units are available, the plurality of masked keys is retrievable regardless of which encrypted data units of the plurality of encrypted data units are included in the threshold number of encrypted data units;
  
  generate a plurality of deterministic values from the plurality of encrypted data units;
  
  generate a plurality of encryption keys based on the plurality of masked keys and the plurality of deterministic values;
  
  decrypt the plurality of encrypted data units using the plurality of encryption keys to produce a plurality of data units; and
  
  recover a first portion of the data from a threshold number of the plurality of data units.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing device of claim 8, wherein the processing module is further configured to retrieve the plurality of secure data packages by:
    - retrieving a plurality of sets of encoded data slices; and
      
      performing a dispersed storage error decoding function on the plurality of sets of encoded data slices to produce the plurality of secure data packages.
  - 10. The computing device of claim 8, wherein the processing module is further configured to generate the plurality of encryption keys by:
    - selecting one or more of the plurality of deterministic values in accordance with the data intermingling pattern; and
      
      selecting one or more of the plurality of masked keys in accordance with the data intermingling pattern.
  - 11. The computing device of claim 8, wherein the processing module is further configured to:
    - separate a first secure data package of the plurality of secure data packages into a first masked key of the plurality of masked keys and a first encrypted data unit of the plurality of encrypted data units;
      
      generate a first deterministic value of the plurality of deterministic values from the first encrypted data unit;
      
      generate a first encryption key of the plurality of encryption keys based on the first deterministic value; and
      
      decrypt the first encrypted data unit using the first encryption key to produce a first data unit of the plurality of data units.
  - 12. The computing device of claim 11, wherein the processing module is further configured to generate the first encryption key by:
    - selecting a first masked key of the plurality of masked keys in accordance with a decode selecting approach; and
      
      exclusive ORing the first masked key with the first deterministic value to produce the first encryption key.
  - 13. The computing device of claim 8, wherein the processing module is further configured to:
    - separate a second secure data package of the plurality of secure data packages into a second masked key of the plurality of masked keys and a second encrypted data unit of the plurality of encrypted data units;
      
      generate a second deterministic value of the plurality of deterministic values from the second encrypted data unit;
      
      generate a second encryption key of the plurality of encryption keys based on the plurality of masked keys and the second deterministic value; and
      
      decrypt the second encrypted data unit using the second encryption key to produce a second data unit of the plurality of data units.
  - 14. The computing device of claim 13, wherein the processing module is further configured to generate the second encryption key by:
    - selecting a second masked key of the plurality of masked keys in accordance with a decode selecting approach; and
      
      exclusive ORing the second masked key with the second deterministic value to produce the second encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Grube, Gary W., Markison, Timothy W.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Nipa, Wasika

Application Number

US15/345,262
Publication Number

US 20170091121A1
Time in Patent Office

400 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 12/1408   by using cryptography for d...

G06F 2212/1052   Security improvement

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/1097   for distributed storage of ...

H04L 67/306   User profiles

H04L 9/14   using a plurality of keys o...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3263   involving certificates, e.g...

Encrypting data for storage in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting data for storage in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links