HARDWARE AUTHENTICATION IN A DISPERSED STORAGE NETWORK

US 20140351579A1
Filed: 08/06/2014
Published: 11/27/2014
Est. Priority Date: 06/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:

receiving a device list originating from a hardware certificate authority (HCA);

receiving a hardware certificate from the node;

comparing the hardware certificate to the device list to determine if the hardware certificate is valid;

if the hardware certificate is valid, generating a challenge message and sending the challenge message to the node;

receiving a challenge response message from the node; and

determining if the challenge response message is valid.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a node of a dispersed storage network (DSN). In various embodiments, a dispersed storage (DS) management unit receives a device list originating from a hardware certificate authority (HCA). The HCA also provides a hardware certificate to the node. Upon receiving the hardware certificate from the node, the DS management unit determines if the certificate is valid by comparing it to information contained in the device list (such as a device ID or a serial number associated with the node). If the certificate is valid, the DS management unit sends a challenge message to the node and analyzes the resulting challenge message response to determine if it is valid. If the response is valid, the DS management unit provides a signed certificate to the node for use in authenticating the node to perform dispersed storage operations within the DSN.

10 Citations

View as Search Results

20 Claims

1. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:
- receiving a device list originating from a hardware certificate authority (HCA);
  
  receiving a hardware certificate from the node;
  
  comparing the hardware certificate to the device list to determine if the hardware certificate is valid;
  
  if the hardware certificate is valid, generating a challenge message and sending the challenge message to the node;
  
  receiving a challenge response message from the node; and
  
  determining if the challenge response message is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprises:
    - receiving, from the node, a certificate signing request relating to the hardware certificate; and
      
      if the challenge response message is valid, providing a signed certificate for use in authenticating the node to perform dispersed storage operations within the DSN.
  - 3. The method of claim 2, wherein at least a portion of the signed certificate is encrypted utilizing a private key associated with the DS managing unit.
  - 4. The method of claim 2, wherein the certificate signing request includes at least one of a device identification (ID) associated with the node, a serial number associated with the node, a public key associated with the node, registration information, or a signature.
  - 5. The method of claim 1, the hardware certificate includes at least one of a device ID or a device serial number associated with the node, wherein comparing the hardware certificate to the device list includes determining if the device list contains a corresponding device ID or device serial number.
  - 6. The method of claim 5, the hardware certificate further includes an HCA signature encrypted with a private key associated with the HCA, wherein determining if the hardware certificate is valid further comprises:
    - receiving a public key associated with the HCA;
      
      generating a hash of the hardware certificate;
      
      decrypting the HCA signature utilizing the HCA public key to produce a decrypted HCA signature; and
      
      comparing the hash of the hardware certificate to the decrypted HCA signature.
  - 7. The method of claim 5, wherein the device ID provides a unique virtual identifier for hardware associated with the node, and wherein the device serial number is a unique permanent value associated with the node.
  - 8. The method of claim 1, wherein generating the challenge message includes encrypting at least a portion of the challenge message using a public key associated with the node.
  - 9. The method of claim 1, wherein the challenge message includes instructions to encrypt a portion of the challenge message utilizing a private key associated with the node.

10. A dispersed storage (DS) managing unit comprises:
- at least one communication interface to communicate with nodes of a dispersed storage network (DSN);
  
  a memory; and
  
  a processing module coupled to the at least one communication interface and the memory, the processing module configured to;
  
  receive, via the at least one communication interface, a device list originating from a hardware certificate authority (HCA);
  
  store the device list in the memory;
  
  receive, via the at least one communication interface, a hardware certificate from a node of the DSN;
  
  compare the hardware certificate to the device list to determine if the hardware certificate is valid;
  
  if the hardware certificate is valid, generate a challenge message; and
  
  send the challenge message to the node of the DSN.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The DS managing unit of claim 10, wherein the processing module is further configured to:
    - receive, via the at least one communication interface, a challenge response message from the node of the DSN;
      
      determine if the challenge response message is valid;
      
      receive, via the at least one communication interface, a certificate signing request relating to the hardware certificate; and
      
      if the challenge response message is valid, send a signed certificate to the node of the DSN for use in authenticating the node within the DSN.
  - 12. The DS managing unit of claim 11, wherein at least a portion of the signed certificate is encrypted utilizing a private key associated with the DS managing unit.
  - 13. The DS managing unit of claim 10, the hardware certificate includes at least one of a device identification (ID) or a device serial number associated with the node of the DSN, wherein the processing module determines that the hardware certificate is valid if the device list includes a corresponding device ID or device serial number.
  - 14. The DS managing unit of claim 13, the hardware certificate further includes an HCA signature for use in validating the hardware certificate, the HCA signature encrypted with a HCA private key, wherein the processing module is further configured to:
    - generate a hash of the hardware certificate;
      
      decrypt the HCA signature utilizing a HCA public key to produce a decrypted HCA signature; and
      
      compare the hash of the hardware certificate to the decrypted HCA signature to determine if the HCA signature is valid.
  - 15. The DS managing unit of claim 13, wherein the device ID provides a unique virtual identifier for hardware associated with the node of the DSN, and wherein the device serial number is a unique permanent value associated with the node of the DSN.
  - 16. The DS managing unit of claim 10, the processing module further configured to:
    - encrypt the challenge message using a public key associated with the node of the DSN prior to sending the challenge message to the node.
  - 17. The DS managing unit of claim 10, wherein at least a portion of the challenge message is encrypted utilizing a public key associated with the node of the DSN.
  - 18. The DS managing unit of claim 10, wherein the challenge message includes instructions to encrypt a portion of the challenge message utilizing a private key associated with the node of the DSN.

19. A method to authenticate a node in a dispersed storage network (DSN) having a dispersed storage (DS) management unit, the method comprises:
- receiving, by the node, a hardware certificate from a hardware certificate authority (HCA) or a separate element of the DSN;
  
  providing the hardware certificate to the DS management unit;
  
  receiving a challenge message from the DS management unit;
  
  generating a challenge response message based on the challenge message;
  
  providing the challenge response message to the DS management unit; and
  
  requesting a signed certificate from the DS management unit.
- View Dependent Claims (20)
- - 20. The method of claim 19 further comprises:
    - prior to providing the hardware certificate to the DS management unit, validating the hardware certificate and encrypting at least a portion of the hardware certificate utilizing a private key associated with the node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Leggette, Wesley, Resch, Jason K.

Granted Patent

US 10,409,771 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 11/0727   in a storage system, e.g. i...

G06F 11/1092   Rebuilding, e.g. when physi...

G06F 11/141   for bus or memory accesses

G06F 11/167   Error detection by comparin...

G06F 16/13   File access structures, e.g...

G06F 16/137   Hash-based content-based in...

G06F 21/31   User authentication

G06F 21/6209   to a single file or object,...

G06F 2211/1028   Distributed, i.e. distribut...

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/12   Applying verification of th...

H04L 67/06   specially adapted for file ...

H04L 67/1097   for distributed storage of ...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247 : involving digital signatures

H04L 9/3263 : involving certificates, e.g...

H04L 9/3271 : using challenge-response

H04W 12/041 : Key generation or derivation

H04W 12/0431 : Key distribution or pre-dis...

H04W 12/10 : Integrity

H04W 12/35 : Protecting application or s...

View All

HARDWARE AUTHENTICATION IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HARDWARE AUTHENTICATION IN A DISPERSED STORAGE NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links