DECRYPTING SEGMENTED DATA IN A DISTRIBUTED COMPUTING SYSTEM

US 20170019253A1
Filed: 09/30/2016
Published: 01/19/2017
Est. Priority Date: 12/12/2011
Status: Abandoned Application

First Claim

Patent Images

1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:

receiving at least a decode threshold number of encoded data slices of a set of encoded data slices;

decoding the at least a decode threshold number of encoded data slices to reproduce a secure data segment;

de-combining the secure data segment to reproduce encrypted data and a masked key;

performing a deterministic function on the encrypted data to produce transformed data;

de-masking the masked key based on the transformed data to produce a master key;

de-aggregating the encrypted data to reproduce a decode threshold number of encrypted data sub-segments;

for each of at least a decode threshold number of encrypted data sub-segments, generating a sub-key based on the master key;

outputting a decode threshold number of sub-keys to a corresponding decode threshold number of distributed storage and task execution units;

for each encrypted data sub-segment, decrypting the encrypted data sub-segment utilizing a corresponding sub-key; and

de-partitioning the decode threshold number of data sub-segments to re-produce a data segment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a dispersed storage (DS) processing module receiving encoded data slices and decoding encoded data slices to reproduce a secure data segment, followed by de-combining the secure data segment to reproduce encrypted data and a masked key. The method continues by performing a deterministic function on the encrypted data to produce transformed data, de-masking the masked key based on the transformed data to produce a master key and de-aggregating the encrypted data to reproduce encrypted data sub-segments. A sub-key is generated based on the master key and a decode threshold number of sub-keys are output to a corresponding number of distributed storage and task execution units, followed by decrypting the encrypted data sub-segment utilizing a corresponding sub-key for each encrypted data sub-segment and de-partitioning the decode threshold number of data sub-segments to re-produce a data segment.

9 Citations

View as Search Results

18 Claims

1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:
- receiving at least a decode threshold number of encoded data slices of a set of encoded data slices;
  
  decoding the at least a decode threshold number of encoded data slices to reproduce a secure data segment;
  
  de-combining the secure data segment to reproduce encrypted data and a masked key;
  
  performing a deterministic function on the encrypted data to produce transformed data;
  
  de-masking the masked key based on the transformed data to produce a master key;
  
  de-aggregating the encrypted data to reproduce a decode threshold number of encrypted data sub-segments;
  
  for each of at least a decode threshold number of encrypted data sub-segments, generating a sub-key based on the master key;
  
  outputting a decode threshold number of sub-keys to a corresponding decode threshold number of distributed storage and task execution units;
  
  for each encrypted data sub-segment, decrypting the encrypted data sub-segment utilizing a corresponding sub-key; and
  
  de-partitioning the decode threshold number of data sub-segments to re-produce a data segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the at least a decode threshold number of encoded data slices include a decode threshold number of encrypted data sub-segments.
  - 3. The method of claim 1 wherein the receiving the at least a decode threshold number of encoded data slices of a set of encoded data slices includes at least one of generating read slice requests, sending the read slice requests to a decode threshold number of distributed storage and task execution units, or receiving the decode threshold number of encoded data slices from the decode threshold number of distributed storage and task execution units.
  - 4. The method of claim 1, wherein the de-masking the masked key is based on a processing module performing an exclusive OR function on the masked key and the transformed data to reproduce the master key.
  - 5. The method of claim 1, wherein the generating a sub-key based on the master key includes generating a descriptor associated with the encrypted data sub-segment.
  - 6. The method of claim 1, wherein the outputting the decode threshold number of sub-keys to a corresponding decode threshold number of distributed storage and task execution units includes each distributed storage and task execution unit obtaining a corresponding encrypted data sub-segment.
  - 7. The method of claim 6, wherein the corresponding encrypted data sub-segment is a locally stored slice.
  - 8. The method of claim 1, wherein the deterministic function is at least one of a hashing function, a hash-based message authentication code function, a mask generating function, or a sponge function.
  - 9. The method of claim 1, wherein the de-combining includes at least one of de-interleaving or de-appending.

10. A dispersed storage (DS) module comprises:
- a first module, when operable within a computing device, causes the computing device to;
  
  receive encoded data slices; and
  
  unsecure each encoded data slice for a partition based on slice de-security information to generate sliced encoded data;
  
  a second module, when operable within the computing device, causes the computing device to;
  
  de-slice the sliced encoded data into encoded data segments;
  
  a third module, when operable within the computing device, causes the computing device to;
  
  decode the encoded data segments to produce secure data segments;
  
  a fourth module, when operable within the computing device, causes the computing device to;
  
  unsecure the secured data segments to produce data segments; and
  
  a fifth module, when operable within the computing device, causes the computing device to;
  
  de-segment the data segments into one or more data partitions.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The DS module of claim 10, wherein the first module slice de-security information is based on at least one of data decompression, decryption, de-watermarking, or integrity check.
  - 12. The DS module of claim 10 further comprises:
    - the first module further functions to verify integrity information of each encoded data slice of retrieve slices, decrypt each verified encoded data slice, and decompresses each decrypted encoded data slice.
  - 13. The DS module of claim 10, wherein the first module is bypassed such that the received encoded data slices are provided as sliced encoded data when the first module is not enabled.
  - 14. The DS module of claim 10, wherein the second module further functions to de-slice the sliced encoded data into encoded data segments according to the pillar width of error correction encoding parameters.
  - 15. The DS module of claim 10, wherein the third module further functions to decode the encoded data segments in accordance with error correction decoding parameters received from a control module.
  - 16. The DS module of claim 15, wherein the error correction decoding parameters include identifying an error correction encoding scheme based on at least one of a forward error correction algorithm, a Reed-Salomon based algorithm, an information dispersal algorithm, a pillar width, a decode threshold, a read threshold, or a write threshold.
  - 17. The DS module of claim 10, wherein the fourth module further functions to unsecure the secured data segments to produce data segments based on segment security information and partitioning information received from a control module.
  - 18. The DS module of claim 10, wherein the fourth module further functions to unsecure the secured data segments to produce data segments based on segment security information including at least one of data decompression, decryption, de-watermarking, or integrity check verification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Baptist, Andrew D., Dhuse, Greg R., Leggette, Wesley B., Resch, Jason K.

Application Number

US15/281,317
Publication Number

US 20170019253A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/1076   Parity data used in redunda...

G06F 2211/1028   Distributed, i.e. distribut...

H04L 2209/046   of operations, operands or ...

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/085   Secret sharing or secret sp...

DECRYPTING SEGMENTED DATA IN A DISTRIBUTED COMPUTING SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

DECRYPTING SEGMENTED DATA IN A DISTRIBUTED COMPUTING SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links