Securely rebuilding an encoded data slice

US 9,842,222 B2
Filed: 05/04/2012
Issued: 12/12/2017
Est. Priority Date: 08/25/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprises:

issuing, by a requesting entity, a rebuild request regarding an encoded data slice to a set of distributed storage (DS) units, wherein a data segment of data is dispersed storage error encoded to produce a set of encoded data slices, wherein the set of encoded data slices includes the encoded data slice, wherein the data segment is reconstructable from a decode threshold number of encoded data slices of the set of encoded data slices, and wherein the encoded data slice is corrupted or lost;

in response to the rebuild request, generating, by each of at least some of the DS units of the set of DS units, a partial slice corresponding to the encoded data slice based on another encoded data slice of the set of encoded data slices stored by the respective DS unit to produce an array of partial slices;

encrypting, by the at least some of the DS units, the array of partial slices using a set of encryption keys, wherein each encryption key of the set of encryption keys is used 2*n times to produce an array of encrypted partial slices, where n is an integer greater than or equal to 1; and

rebuilding, by the requesting entity, the encoded data slice from the array of encrypted partial slices.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a requesting entity issuing a rebuild request regarding an encoded data slice to at least some of a set of distributed storage (DS) units. In response to the rebuild request, the method continues with each of at least some of the DS units of the set of DS units generating a partial slice corresponding to the encoded data slice to be rebuilt based on one of a set of encoded data slices stored by the respective DS unit to produce an array of partial slices. The method continues with the at least some of the DS units encrypting the array of partial slices using a set of encryption keys to produce an array of encrypted partial slices. The method continues with the requesting entity rebuilding the encoded data slice from the array of encrypted partial slices.

87 Citations

View as Search Results

15 Claims

1. A method comprises:
- issuing, by a requesting entity, a rebuild request regarding an encoded data slice to a set of distributed storage (DS) units, wherein a data segment of data is dispersed storage error encoded to produce a set of encoded data slices, wherein the set of encoded data slices includes the encoded data slice, wherein the data segment is reconstructable from a decode threshold number of encoded data slices of the set of encoded data slices, and wherein the encoded data slice is corrupted or lost;
  
  in response to the rebuild request, generating, by each of at least some of the DS units of the set of DS units, a partial slice corresponding to the encoded data slice based on another encoded data slice of the set of encoded data slices stored by the respective DS unit to produce an array of partial slices;
  
  encrypting, by the at least some of the DS units, the array of partial slices using a set of encryption keys, wherein each encryption key of the set of encryption keys is used 2*n times to produce an array of encrypted partial slices, where n is an integer greater than or equal to 1; and
  
  rebuilding, by the requesting entity, the encoded data slice from the array of encrypted partial slices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the encrypting comprises:
    - arranging, when n equals 1, the at least some of DS units into DS unit pairings, wherein each DS unit of a DS unit pairing uses a same encryption key of the set of encryption keys.
  - 3. The method of claim 2 further comprises:
    - for the DS unit pairing;
      
      generating, by the DS units of the DS unit pairing, a shared secret; and
      
      generating, by each of the DS units of the DS unit pairing, the same encryption key based on the shared secret.
  - 4. The method of claim 1, wherein the encrypting comprises:
    - pairing, when n equals 1 and the at least some of the DS units includes an odd number of DS units, one of the at least some of DS units with two other DS units of the at least some of DS units to use a first encryption key of the set of encryption keys; and
      
      arranging remaining DS units of the at least some of DS units into DS unit pairings, wherein each DS unit of a DS unit pairing uses a same encryption key of the set of encryption keys, wherein the remaining DS units includes the two other DS units.
  - 5. The method of claim 1, wherein the encrypting comprises:
    - exclusive ORing, by a DS unit of the at least some of the DS units, a partial slice of the array of partial slices with an encryption key of the set of encryption keys to produce an encrypted partial slice of the array of encrypted partial slices.
  - 6. The method of claim 5, wherein the rebuilding comprises:
    - exclusive ORing the array of encrypted partial slices to produce the encoded data slice.
  - 7. The method of claim 1, wherein the rebuilding comprises:
    - decrypting the array of encrypted partial slices based on the set of encryption keys to produce the array of partial slices; and
      
      decoding the array of partial slices to rebuild the encode data slice.
  - 8. The method of claim 1, wherein the requesting entity comprises:
    - a DS unit of the set of DS units, wherein the DS unit is to store the encoded data slice to be rebuilt.
  - 9. The method of claim 1, wherein the encrypting comprises:
    - assigning multiple encryption keys of the set of encryption keys to a DS unit of the at least some of DS units; and
      
      assigning each of the multiple encryption keys to another DS unit of the at least some of DS units.
  - 10. The method of claim 1, wherein the encrypting comprises:
    - encrypting, by a first DS unit of the at least some of the DS units, a first partial slice of the array of partial slices using a first encryption key of the set of encryption keys to produce a first encrypted partial slice;
      
      encrypting, by a second DS unit of the at least some of the DS units, a second partial slice of the array of partial slices using a second encryption key of the set of encryption keys to produce a second encrypted partial slice; and
      
      exclusive ORing, by the first or the second DS unit, the first encrypted partial slice and the second encrypted partial slice to produce a combined encrypted partial slice.

11. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to receive a rebuild request regarding an encoded data slice, wherein a data segment of data is dispersed storage error encoded to produce a set of encoded data slices, wherein the set of encoded data slices includes the encoded data slice, wherein the data segment is reconstructable from a decode threshold number of encoded data slices of the set of encoded data slices, and wherein the encoded data slice is corrupted or lost;
  
  a second module, when operable within the computing device, causes the computing device to generate a partial slice corresponding to the encoded data slice based on another encoded data slice of the set of encoded data slices stored by a DS unit that includes the DS module; and
  
  a third module, when operable within the computing device, causes the computing device to encrypt the partial slice using an encryption key of a set of encryption keys to produce an encrypted partial slice, wherein the encryption key is used by another DS module of another DS unit to produce another encrypted partial slice.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The DS module claim 11, wherein the third module is further operable to:
    - generate, in conjunction with the other DS module, a shared secret; and
      
      generate the encryption key based on the shared secret.
  - 13. The DS module claim 11, wherein the third module is further operable to:
    - exclusive OR the partial slice with the encryption key of the set of encryption keys to produce the encrypted partial slice.
  - 14. The DS module claim 11, wherein the third module is further operable to:
    - assign multiple encryption keys of the set of encryption keys to the DS module, wherein each of the multiple encryption keys is used by another DS unit of a plurality of DS units.
  - 15. The DS module claim 11, wherein the third module is further operable to:
    - encrypt a first partial slice of an array of partial slices using a first encryption key of the set of encryption keys to produce a first encrypted partial slice; and
      
      exclusive OR the first encrypted partial slice and a second encrypted partial slice to produce a combined encrypted partial slice, wherein another DS module encrypts a second partial slice of the array of partial slices using a second encryption key of the set of encryption keys to produce the second encrypted partial slice.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Dhuse, Greg, Resch, Jason K.
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/463,991
Publication Number

US 20120311345A1
Time in Patent Office

2,048 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 11/10   Adding special bits or symb...

G06F 11/1076   Parity data used in redunda...

G06F 11/2089   Redundant storage control f...

G06F 12/1408   by using cryptography for d...

G06F 15/17331   Distributed shared memory [...

G06F 16/27   Replication, distribution o...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/64   Protecting data integrity, ...

G06F 2212/263   Network storage, e.g. SAN o...

G06F 2221/2107   File encryption

G06F 3/0604   Improving or facilitating a...

G06F 3/0644   Management of space entitie...

G06F 3/067   Distributed or networked st...

G06F 8/65   Updates security arrangemen...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0861   Generation of secret inform...

Securely rebuilding an encoded data slice

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Securely rebuilding an encoded data slice

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links