Storage of sensitive data in a dispersed storage network

US 8,861,727 B2
Filed: 04/29/2011
Issued: 10/14/2014
Est. Priority Date: 05/19/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprises:

applying a share encoding function on data to produce a plurality of encoded shares;

generating a corresponding plurality of random numbers for the plurality of encoded shares;

for an encoded share of the plurality of encoded shares;

generating an encryption key based on a common password and a random number of the corresponding plurality of random numbers;

encrypting the encoded share utilizing the encryption key to produce an encrypted share;

dispersed storage error encoding the encrypted share to produce a group of encoded share slices;

sending the group of encoded share slices to a dispersed storage network (DSN) memory for storage therein; and

for the random number;

dispersed storage error encoding the random number to produce a group of encoded random number slices; and

sending the group of encoded random number slices to the DSN memory or another DSN memory for storage therein.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module applying a share encoding function on data to produce a plurality of encoded shares and generating a corresponding plurality of random numbers for the plurality of encoded shares. The method continues with the processing module generating an encryption key based on a common password and a corresponding one of the corresponding plurality of random numbers and encrypting the encoded share utilizing the encryption key to produce an encrypted share for each encoded share of the plurality of encoded shares. The method continues with the processing module facilitating storage of the corresponding plurality of random numbers and each of the encrypted shares.

91 Citations

View as Search Results

28 Claims

1. A method comprises:
- applying a share encoding function on data to produce a plurality of encoded shares;
  
  generating a corresponding plurality of random numbers for the plurality of encoded shares;
  
  for an encoded share of the plurality of encoded shares;
  
  generating an encryption key based on a common password and a random number of the corresponding plurality of random numbers;
  
  encrypting the encoded share utilizing the encryption key to produce an encrypted share;
  
  dispersed storage error encoding the encrypted share to produce a group of encoded share slices;
  
  sending the group of encoded share slices to a dispersed storage network (DSN) memory for storage therein; and
  
  for the random number;
  
  dispersed storage error encoding the random number to produce a group of encoded random number slices; and
  
  sending the group of encoded random number slices to the DSN memory or another DSN memory for storage therein.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method claim 1 further comprises:
    - the share encoding function including comprises at least one of;
      
      a dispersed storage error encoding function; and
      
      a secret sharing function, andthe data including a credential package that includes at least one of;
      
      a credential and a credential hash digest, wherein the credential includes one or more of a private key, a public key, a signed certificate, confidential user information, a password, and sensitive confidential information.
  - 3. The method of claim 1, wherein the generating the corresponding plurality of random numbers comprises:
    - obtaining a plurality of base random numbers; and
      
      expanding each base random number of the plurality of base random numbers based on security parameters to produce the corresponding plurality of random numbers.
  - 4. The method of claim 1, wherein the generating the encryption key comprises:
    - transforming the common password utilizing a mask generating function, security parameters, and the corresponding one of the corresponding plurality of random numbers.
  - 5. The method of claim 1 further comprises:
    - for a second encoded share of the plurality of encoded shares;
      
      generating a second encryption key based on the common password and a second random number of the corresponding plurality of random numbers;
      
      encrypting the second encoded share utilizing the second encryption key to produce a second encrypted share;
      
      dispersed storage error encoding the second encrypted share to produce a second group of encoded share slices;
      
      sending the second group of encoded share slices to a second DSN memory for storage therein; and
      
      for the second random number;
      
      dispersed storage error encoding the second random number to produce a second group of encoded random number slices; and
      
      sending the second group of encoded random number slices to the second DSN memory or a second other DSN memory for storage therein.

6. A method comprises:
- retrieving at least a decode threshold number of stored random numbers to produce a set of stored random numbers;
  
  retrieving at least a decode threshold number of encrypted shares to produce a set of encrypted shares, wherein the set of encrypted shares corresponds to the set of stored random numbers;
  
  generating a set of blinded passwords based on a common password and a set of blinded random numbers;
  
  generating a set of passkeys based on the set of blinded passwords and the set of stored random numbers;
  
  generating a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
  
  decrypting each encrypted share of the set of encrypted shares utilizing a corresponding decryption key of the set of decryption keys to produce a set of shares; and
  
  decoding the set of shares to reproduce data.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method of claim 6, wherein the generating the set of decryption keys comprises:
    - generating a set of values based on the set of blinded random numbers; and
      
      generating the set of decryption keys based on the set of values and the set of passkeys.
  - 8. The method of claim 7 further comprises:
    - for each blinded random number of the set of blinded random numbers, transforming the blinded random number utilizing a modulo function based on security parameters to produce a value of the set of values.
  - 9. The method of claim 7, wherein the generating the set of decryption keys further comprises:
    - for each passkey of the set of passkeys, transforming the passkey utilizing a modulo function based on security parameters and a corresponding value of the set of values to produce a decryption key of the set of decryption keys.
  - 10. The method of claim 6, wherein the retrieving the at least the decode threshold number of stored random numbers comprises at least one of:
    - outputting at least one stored random number retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of stored random numbers from a dispersed storage network (DSN) memory; and
      
      for each stored random number of the set of stored random numbers;
      
      retrieving a set of encoded stored random number slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded stored random number slices to produce the stored random number.
  - 11. The method of claim 6, wherein the retrieving the at least the decode threshold number of encrypted shares comprises at least one of:
    - outputting at least one encrypted share retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of encrypted shares from a dispersed storage network (DSN) memory; and
      
      for each encrypted share of the set of encrypted shares;
      
      retrieving a set of encoded encrypted share slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded encrypted share slices to produce the encrypted share.
  - 12. The method of claim 6 further comprises:
    - the generating the set of blinded random numbers including;
      
      obtaining a set of base random numbers; and
      
      expanding each base random number of the set of base random numbers based on security parameters to produce the set of blinded random numbers; and
      
      the generating the set of blinded passwords including;
      
      for each blinded random number of the set of blinded random numbers, transforming the common password utilizing a mask generating function and the blinded random number to produce a blinded password of the set of blinded passwords.
  - 13. The method of claim 6, wherein the generating the set of passkeys comprises at least one of:
    - for each blinded password of the set of blinded passwords, transforming the blinded password utilizing a modulo function based on a corresponding stored random number of the set of stored random numbers and security parameters to produce a passkey of the set of passkeys; and
      
      outputting the set of blinded passwords to a dispersed storage (DS) processing unit and receiving the set of passkeys.
  - 14. The method of claim 6, wherein the decoding the set of shares to reproduce data comprises at least one of:
    - dispersed storage error decoding the set of shares to produce the data; and
      
      decoding the set of shares utilizing a secret sharing function to produce the data.

15. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  apply a share encoding function on data to produce a plurality of encoded shares;
  
  generate a corresponding plurality of random numbers for the plurality of encoded shares;
  
  for an encoded share of the plurality of encoded shares;
  
  generate an encryption key based on a common password and a random number of the corresponding plurality of random numbers;
  
  encrypt the encoded share utilizing the encryption key to produce an encrypted share;
  
  dispersed storage error encode the encrypted share to produce a group of encoded share slices;
  
  send, via the interface, the group of encoded share slices to a dispersed storage network (DSN) memory for storage therein;
  
  andfor the random number;
  
  dispersed storage error encode the random number to produce a group of encoded random number slices; and
  
  send, via the interface, the group of encoded random number slices to the DSN memory or another DSN memory for storage therein.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer claim 15 further comprises:
    - the share encoding function including at least one of;
      
      a dispersed storage error encoding function; and
      
      a secret sharing function, andthe data including a credential package that includes at least one of;
      
      a credential and a credential hash digest, wherein the credential includes one or more of a private key, a public key, a signed certificate, confidential user information, a password, and sensitive confidential information.
  - 17. The computer of claim 15, wherein the processing module further functions to generate the corresponding plurality of random numbers by:
    - obtaining a plurality of base random numbers; and
      
      expanding each base random number of the plurality of base random numbers based on security parameters to produce the corresponding plurality of random numbers.
  - 18. The computer of claim 15, wherein the processing module further functions to generate the encryption key by:
    - transforming the common password utilizing a mask generating function, security parameters, and the corresponding one of the corresponding plurality of random numbers.
  - 19. The computer of claim 15, wherein the processing module functions to:
    - for a second encoded share of the plurality of encoded shares;
      
      generate a second encryption key based on the common password and a second random number of the corresponding plurality of random numbers;
      
      encrypt the second encoded share utilizing the second encryption key to produce a second encrypted share;
      
      dispersed storage error encode the second encrypted share to produce a second group of encoded share slices;
      
      send, via the interface, the second group of encoded share slices to a second DSN memory for storage therein; and
      
      for the second random number;
      
      dispersed storage error encode the second random number to produce a second group of encoded random number slices; and
      
      send, via the interface, the second group of encoded random number slices to the second DSN memory or a second other DSN memory for storage therein.

20. A computer comprises:
- an interface;
  
  a memory; and
  
  a processing module operable to;
  
  retrieve, view the interface, at least a decode threshold number of stored random numbers to produce a set of stored random numbers;
  
  retrieve, via the interface, at least a decode threshold number of encrypted shares to produce a set of encrypted shares, wherein the set of encrypted shares corresponds to the set of stored random numbers;
  
  generate a set of blinded passwords based on a common password and a set of blinded random numbers;
  
  generate a set of passkeys based on the set of blinded passwords and the set of stored random numbers;
  
  generate a set of decryption keys based on the set of blinded random numbers and the set of passkeys;
  
  decrypt each encrypted share of the set of encrypted shares utilizing a corresponding decryption key of the set of decryption keys to produce a set of shares; and
  
  decode the set of shares to reproduce data.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The computer of claim 20, wherein the processing module further functions to generate the set of decryption keys by:
    - generating a set of values based on the set of blinded random numbers; and
      
      generating the set of decryption keys based on the set of values and the set of passkeys.
  - 22. The computer of claim 21, wherein the processing module further functions to:
    - for each blinded random number of the set of blinded random numbers, transform the blinded random number utilizing a modulo function based on security parameters to produce a value of the set of values.
  - 23. The computer of claim 21, wherein the processing module further functions to generate the set of decryption keys by:
    - for each passkey of the set of passkeys, transforming the passkey utilizing a modulo function based on security parameters and a corresponding value of the set of values to produce a decryption key of the set of decryption keys.
  - 24. The computer of claim 20, wherein the processing module functions to retrieve the at least the decode threshold number of stored random numbers by at least one of:
    - outputting, via the interface, at least one stored random number retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of stored random numbers from a dispersed storage network (DSN) memory; and
      
      for each stored random number of the set of stored random numbers;
      
      retrieving, via the interface, a set of encoded stored random number slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded stored random number slices to produce the stored random number.
  - 25. The computer of claim 20, wherein the processing module functions to retrieve the at least the decode threshold number of encrypted shares by at least one of:
    - outputting, via the interface, at least one encrypted share retrieval request message to at least one dispersed storage (DS) processing unit to retrieve the at least the decode threshold number of encrypted shares from a dispersed storage network (DSN) memory; and
      
      for each encrypted share of the set of encrypted shares;
      
      retrieving, via the interface, a set of encoded encrypted share slices from the DSN memory; and
      
      dispersed storage error decoding set of encoded encrypted share slices to produce the encrypted share.
  - 26. The computer of claim 20, wherein the processing module further functions to:
    - generate the set of blinded random numbers by;
      
      obtaining a set of base random numbers; and
      
      expanding each base random number of the set of base random numbers based on security parameters to produce the set of blinded random numbers; and
      
      generate the set of blinded passwords by;
      
      for each blinded random number of the set of blinded random numbers, transforming the common password utilizing a mask generating function and the blinded random number to produce a blinded password of the set of blinded passwords.
  - 27. The computer of claim 20, wherein the processing module further functions to generate the set of passkeys by at least one of:
    - for each blinded password of the set of blinded passwords, transforming the blinded password utilizing a modulo function based on a corresponding stored random number of the set of stored random numbers and security parameters to produce a passkey of the set of passkeys; and
      
      outputting, via the interface, the set of blinded passwords to a dispersed storage (DS) processing unit and receiving the set of passkeys.
  - 28. The computer of claim 20, wherein the processing module functions to decode the set of shares to reproduce data by at least one of:
    - dispersed storage error decoding the set of shares to produce the data; and
      
      decoding the set of shares utilizing a secret sharing function to produce the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pure Storage, Inc.
Original Assignee
Cleversafe Incorporated (International Business Machines Corporation)
Inventors
Resch, Jason K., Dhuse, Greg, Leggette, Wesley, Baptist, Andrew
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/097,396
Publication Number

US 20110286594A1
Time in Patent Office

1,264 Days
Field of Search

380/46
US Class Current

380/46
CPC Class Codes

G06F 11/10   Adding special bits or symb...

G06F 11/1076   Parity data used in redunda...

G06F 3/0619   in relation to data integri...

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

H04L 2209/04   Masking or blinding

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 67/1097   for distributed storage of ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0869   involving random numbers or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Storage of sensitive data in a dispersed storage network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Storage of sensitive data in a dispersed storage network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links