STORAGE OF SENSITIVE DATA IN A DISPERSED STORAGE NETWORK

US 20110286594A1
Filed: 04/29/2011
Published: 11/24/2011
Est. Priority Date: 05/19/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

applying a share encoding function on data to produce a plurality of encoded shares;

generating a corresponding plurality of random numbers for the plurality of encoded shares;

for each encoded share of the plurality of encoded shares;

generating an encryption key based on a common password and a corresponding one of the corresponding plurality of random numbers; and

encrypting the encoded share utilizing the encryption key to produce an encrypted share; and

facilitating storage of the corresponding plurality of random numbers and each of the encrypted shares.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module applying a share encoding function on data to produce a plurality of encoded shares and generating a corresponding plurality of random numbers for the plurality of encoded shares. The method continues with the processing module generating an encryption key based on a common password and a corresponding one of the corresponding plurality of random numbers and encrypting the encoded share utilizing the encryption key to produce an encrypted share for each encoded share of the plurality of encoded shares. The method continues with the processing module facilitating storage of the corresponding plurality of random numbers and each of the encrypted shares.

53 Citations

View as Search Results

28 Claims

1. A method comprises:
- applying a share encoding function on data to produce a plurality of encoded shares;
  
  generating a corresponding plurality of random numbers for the plurality of encoded shares;
  
  for each encoded share of the plurality of encoded shares;
  
  generating an encryption key based on a common password and a corresponding one of the corresponding plurality of random numbers; and
  
  encrypting the encoded share utilizing the encryption key to produce an encrypted share; and
  
  facilitating storage of the corresponding plurality of random numbers and each of the encrypted shares.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method claim 1, wherein the share encoding function comprises at least one of:
    - a dispersed storage error encoding function; and
      
      a secret sharing function.
  - 3. The method of claim 1, wherein the generating the corresponding plurality of random numbers comprises:
    - obtaining a plurality of base random numbers; and
      
      expanding each base random number of the plurality of base random numbers based on security parameters to produce the corresponding plurality of random numbers.
  - 4. The method of claim 1, wherein the generating the encryption key comprises:
    - transforming the common password utilizing a mask generating function, security parameters, and the corresponding one of the corresponding plurality of random numbers.
  - 5. The method of claim 1, wherein the facilitating storage of the corresponding plurality of random numbers and the encrypted shares comprises at least one of:
    - sending the encrypted share and the corresponding one of the corresponding plurality of random numbers to a dispersed storage (DS) processing unit;
      
      dispersed storage error encoding the encrypted share to produce a plurality of encoded share slices and outputting the plurality of encoded share slices for storage; and
      
      dispersed storage error encoding the corresponding one of the corresponding plurality of random numbers to produce a plurality of encoded random number slices and outputting the plurality of encoded random number slices for storage.

6. A method comprises:
- retrieving at least a decode threshold number of stored random numbers to produce a set of stored random numbers;
  
  retrieving at least a decode threshold number of encrypted shares to produce a set of encrypted shares, wherein the set of encrypted shares corresponds to the set of stored random numbers;
  
  generating a set of blinded passwords based on a common password and a set of blinded random numbers;
  
  generating a set of passkeys based on the set of blinded passwords and the set of stored random numbers;
  
  generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
  
  decrypting each encrypted share of the set of encrypted shares utilizing a corresponding decryption key of the set of decryption keys to produce a set of shares; and
  
  decoding the set of shares to reproduce data.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method of claim 6, wherein the generating the set of decryption keys comprises:
    - generating a set of values based on the set of blinded random numbers; and
      
      generating the set of decryption keys based on the set of values and the set of passkeys.
  - 8. The method of claim 7 further comprises:
    - for each blinded random number of the set of blinded random numbers, transforming the blinded random number utilizing a modulo function based on security parameters to produce a value of the set of values.
  - 9. The method of claim 7, wherein the generating the set of decryption keys further comprises:
    - for each passkey of the set of passkeys, transforming the passkey utilizing a modulo function based on security parameters and a corresponding value of the set of values to produce a decryption key of the set of decryption keys.
  - 10. The method of claim 6, wherein the retrieving the at least the decode threshold number of stored random numbers comprises at least one of:
    - outputting at least one stored random number retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of stored random numbers from a dispersed storage network (DSN) memory; and
      
      for each stored random number of the set of stored random numbers;
      
      retrieving a set of encoded stored random number slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded stored random number slices to produce the stored random number.
  - 11. The method of claim 6, wherein the retrieving the at least the decode threshold number of encrypted shares comprises at least one of:
    - outputting at least one encrypted share retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of encrypted shares from a dispersed storage network (DSN) memory; and
      
      for each encrypted share of the set of encrypted shares;
      
      retrieving a set of encoded encrypted share slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded encrypted share slices to produce the encrypted share.
  - 12. The method of claim 6 further comprises:
    - the generating the set of blinded random numbers including;
      
      obtaining a set of base random numbers; and
      
      expanding each base random number of the set of base random numbers based on security parameters to produce the set of blinded random numbers; and
      
      the generating the set of blinded passwords including;
      
      for each blinded random number of the set of blinded random numbers, transforming the common password utilizing a mask generating function and the blinded random number to produce a blinded password of the set of blinded passwords.
  - 13. The method of claim 6, wherein the generating the set of passkeys comprises at least one of:
    - for each blinded password of the set of blinded passwords, transforming the blinded password utilizing a modulo function based on a corresponding stored random number of the set of stored random numbers and security parameters to produce a passkey of the set of passkeys; and
      
      outputting the set of blinded passwords to a dispersed storage (DS) processing unit and receiving the set of passkeys.
  - 14. The method of claim 6, wherein the decoding the set of shares to reproduce data comprises at least one of:
    - dispersed storage error decoding the set of shares to produce the data; and
      
      decoding the set of shares utilizing a secret sharing function to produce the data.

15. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  apply a share encoding function on data to produce a plurality of encoded shares;
  
  generate a corresponding plurality of random numbers for the plurality of encoded shares;
  
  for each encoded share of the plurality of encoded shares;
  
  generate an encryption key based on a common password and a corresponding one of the corresponding plurality of random numbers; and
  
  encrypt the encoded share utilizing the encryption key to produce an encrypted share; and
  
  facilitate storage of the corresponding plurality of random numbers and each of the encrypted shares.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer claim 15, wherein the share encoding function comprises at least one of:
    - a dispersed storage error encoding function; and
      
      a secret sharing function.
  - 17. The computer of claim 15, wherein the processing module further functions to generate the corresponding plurality of random numbers by:
    - obtaining a plurality of base random numbers; and
      
      expanding each base random number of the plurality of base random numbers based on security parameters to produce the corresponding plurality of random numbers.
  - 18. The computer of claim 15, wherein the processing module further functions to generate the encryption key by:
    - transforming the common password utilizing a mask generating function, security parameters, and the corresponding one of the corresponding plurality of random numbers.
  - 19. The computer of claim 15, wherein the processing module functions to facilitate storage of the corresponding plurality of random numbers and the encrypted shares by at least one of:
    - sending, via the interface, the encrypted share and the corresponding one of the corresponding plurality of random numbers to a dispersed storage (DS) processing unit;
      
      dispersed storage error encoding the encrypted share to produce a plurality of encoded share slices and outputting, via the interface, the plurality of encoded share slices for storage; and
      
      dispersed storage error encoding the corresponding one of the corresponding plurality of random numbers to produce a plurality of encoded random number slices and outputting, via the interface, the plurality of encoded random number slices for storage.

20. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  retrieve, view the interface, at least a decode threshold number of stored random numbers to produce a set of stored random numbers;
  
  retrieve, via the interface, at least a decode threshold number of encrypted shares to produce a set of encrypted shares, wherein the set of encrypted shares corresponds to the set of stored random numbers;
  
  generate a set of blinded passwords based on a common password and a set of blinded random numbers;
  
  generate a set of passkeys based on the set of blinded passwords and the set of stored random numbers;
  
  generate a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
  
  decrypt each encrypted share of the set of encrypted shares utilizing a corresponding decryption key of the set of decryption keys to produce a set of shares; and
  
  decode the set of shares to reproduce data.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The computer of claim 20, wherein the processing module further functions to generate the set of decryption keys by:
    - generating a set of values based on the set of blinded random numbers; and
      
      generating the set of decryption keys based on the set of values and the set of passkeys.
  - 22. The computer of claim 21, wherein the processing module further functions to:
    - for each blinded random number of the set of blinded random numbers, transform the blinded random number utilizing a modulo function based on security parameters to produce a value of the set of values.
  - 23. The computer of claim 21, wherein the processing module further functions to generate the set of decryption keys by:
    - for each passkey of the set of passkeys, transforming the passkey utilizing a modulo function based on security parameters and a corresponding value of the set of values to produce a decryption key of the set of decryption keys.
  - 24. The computer of claim 20, wherein the processing module functions to retrieve the at least the decode threshold number of stored random numbers by at least one of:
    - outputting, via the interface, at least one stored random number retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of stored random numbers from a dispersed storage network (DSN) memory; and
      
      for each stored random number of the set of stored random numbers;
      
      retrieving, via the interface, a set of encoded stored random number slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded stored random number slices to produce the stored random number.
  - 25. The computer of claim 20, wherein the processing module functions to retrieve the at least the decode threshold number of encrypted shares by at least one of:
    - outputting, via the interface, at least one encrypted share retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of encrypted shares from a dispersed storage network (DSN) memory; and
      
      for each encrypted share of the set of encrypted shares;
      
      retrieving, via the interface, a set of encoded encrypted share slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded encrypted share slices to produce the encrypted share.
  - 26. The computer of claim 20, wherein the processing module further functions to:
    - generate the set of blinded random numbers by;
      
      obtaining a set of base random numbers; and
      
      expanding each base random number of the set of base random numbers based on security parameters to produce the set of blinded random numbers; and
      
      generate the set of blinded passwords by;
      
      for each blinded random number of the set of blinded random numbers, transforming the common password utilizing a mask generating function and the blinded random number to produce a blinded password of the set of blinded passwords.
  - 27. The computer of claim 20, wherein the processing module further functions to generate the set of passkeys by at least one of:
    - for each blinded password of the set of blinded passwords, transforming the blinded password utilizing a modulo function based on a corresponding stored random number of the set of stored random numbers and security parameters to produce a passkey of the set of passkeys; and
      
      outputting, via the interface, the set of blinded passwords to a dispersed storage (DS) processing unit and receiving the set of passkeys.
  - 28. The computer of claim 20, wherein the processing module functions to decode the set of shares to reproduce data by at least one of:
    - dispersed storage error decoding the set of shares to produce the data; and
      
      decoding the set of shares utilizing a secret sharing function to produce the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Dhuse, Greg, Resch, Jason K., Leggette, Wesley, Baptist, Andrew

Granted Patent

US 8,861,727 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/46
CPC Class Codes

G06F 11/10   Adding special bits or symb...

G06F 11/1076   Parity data used in redunda...

G06F 3/0619   in relation to data integri...

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

H04L 2209/04   Masking or blinding

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

STORAGE OF SENSITIVE DATA IN A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

STORAGE OF SENSITIVE DATA IN A DISPERSED STORAGE NETWORK

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links