US10650160B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10650160-B2 |
| Application number | US-201816119616-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 31, 2018 |
| Priority date | Aug 11, 2016 |
| Publication date | May 12, 2020 |
| Grant date | May 12, 2020 |
Official abstract text for this publication.
A method begins by a processing module identifying, for a DSN (Dispersed Storage Network) memory using multiple IDA (Information Dispersal Algorithms) configurations simultaneously, a first IDA configuration with a highest security level relative to each of the multiple IDA configurations. The method continues by generating at least one master key. The method continues by encoding the master key with a secure error coding function to produce master key slices according to the first IDA configuration. The method continues by storing the master key slices in the DSN memory using the first IDA configuration. The method continues by, when storing data with a second IDA configuration having a security level lower than the first IDA configuration, retrieving the master key slices, decoding the master key slices to obtain the master key and encrypting the data using the master key.
Opening claim text (preview).
What is claimed is:
1. A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method comprises: requesting a retrieval of data, stored within DSN memory, with a first IDA (Information Dispersal Algorithm) configuration, wherein the first IDA configuration includes at least a first security level based on at least a first decode threshold level; determining that the first IDA configuration has a security level lower than an associated second IDA configuration of the DSN memory, wherein the second IDA configuration includes at least a second decode threshold level and the first decode threshold is lower than the second decode threshold; retrieving, for the determination that the first decode threshold is lower than the second decode threshold, previously stored associated master key slices from the DSN memory using the associated second IDA configuration; decoding the associated master key slices to obtain an associated master key; and retrieving, decoding and decrypting the data using the associated master key.
2. The method of claim 1, wherein the second IDA configuration has a security level that is determined to be a highest security level.
3. The method of claim 2, wherein the highest security level is further determined based one or more relative levels of: reliability, physical protection of the DSN memory, or geographical distribution of the DSN memory.
4. The method of claim 1, wherein the first IDA configuration and the associated second IDA configuration are used simultaneously for the DSN memory.
5. The method of claim 1, wherein the associated master key includes any of: a key wrapping key, a master encryption key or a master signing key.
6. The method of claim 1, wherein the associated master key is encoded with a secure error coding function including any of: all-or-nothing transform (AONT), Shamir Secret Sharing, or threshold-secure error coding functions to produce a width number of slices.
7. The method of claim 6, wherein the width number of slices are stored in DSN storage configured with the second IDA configuration.
8. The method of claim 1, wherein the data stored with the first IDA configuration is encrypted, prior to error coding, using unique keys derived from the associated master key.
9. The method of claim 1, wherein the data stored with the first IDA configuration is encrypted after error coding, using unique keys derived from the associated master key.
10. The method of claim 1, wherein the data may be protected by signing keys using any of a digital signature algorithm, an HMAC function, or message authentication code for which knowledge of a key is required to produce.
11. The method of claim 1, wherein a key identifier indicating which of the associated master key(s) is appended to the data.
12. The method of claim 11 further comprises, when reading slices from the first IDA configuration, using the key identifier to locate the associated master key(s) from the second IDA configuration.
13. The method of claim 1, wherein the associated master key(s) are cached for future decoding.
14. A computing device of a group of computing devices of a dispersed storage network (DSN), the computing device comprises: an interface; a local memory; and a processing module operably coupled to the interface and the local memory, wherein the processing module functions to: request a retrieval of data, stored within DSN memory, with a first IDA (Information Dispersal Algorithm) configuration, wherein the first IDA configuration includes at least a first security level based on at least a first decode threshold level; determine that the first IDA configuration has a security level lower than an associated second IDA configuration of the DSN memory, wherein the second IDA configuration includes at least a second decode threshold level and the first decode threshold is lower than the second decode threshold; retrieve, for the determination that the first decode threshold is lower than the second decode threshold, previously stored associated master key slices from the DSN memory using the associated second IDA configuration; decode the associated master key slices to obtain an associated master key; and retrieve, decode and decrypt the data using the associated master key.
15. The computing device of claim 14, wherein the second IDA configuration has a security level that is determined to be a highest security level.
16. The computing device of claim 15, wherein the highest security level is further determined based one or more relative levels of: reliability, physical protection of the DSN memory, or geographical distribution of the DSN memory.
17. The computing device of claim 14, wherein the first IDA configuration and the associated second IDA configuration are used simultaneously for the DSN memory.
18. The computing device of claim 14, wherein the associated master key includes any of: a key wrapping key, a master encryption key or a master signing key.
19. A dispersed storage network (DSN), the DSN comprises: DSN memory; a processing module operably coupled to an interface and a local memory, wherein the processing module functions to: request a retrieval of data, stored within the DSN memory, with a first IDA (Information Dispersal Algorithm) configuration, wherein the first IDA configuration includes at least a first security level based on at least a first decode threshold level; determine that the first IDA configuration has a security level lower than an associated second IDA configuration of the DSN memory, wherein the second IDA configuration includes at least a second decode threshold level and the first decode threshold is lower than the second decode threshold; retrieve, for the determination that the first decode threshold is lower than the second decode threshold, previously stored associated master key slices from the DSN memory using the associated second IDA configuration; decode the associated master key slices to obtain an associated master key; and retrieve, decode and decrypt the data using the associated master key.
20. The DSN of claim 19, wherein the second IDA configuration has a security level that is determined to be a highest security level.
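The write path of the abstract and the read path of claims 1, 6, 8, 11 and 12 can be sketched as follows. This is an added example, not code from the patent or its assignee. Its assumptions: Shamir Secret Sharing over a prime field as the secure error coding function, a blob layout of 4-byte key id, 16-byte nonce and ciphertext, and a SHA-256 counter keystream standing in for a real cipher.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # Mersenne prime: field large enough to hold a 32-byte key

def split(secret, width, threshold):
    """Shamir-split secret into `width` slices; any `threshold` of them recover it."""
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, width + 1)]

def recover(slices, threshold, length=32):
    """Lagrange-interpolate f(0); refuses to run below the decode threshold."""
    if len(slices) < threshold:
        raise ValueError("fewer slices than the decode threshold")
    pts, total = slices[:threshold], 0
    for j, (xj, yj) in enumerate(pts):
        num = den = 1
        for m, (xm, _) in enumerate(pts):
            if m != j:
                num, den = num * -xm % P, den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")

def keystream_xor(key, data):
    """Stand-in cipher (SHA-256 counter keystream); use an AEAD such as AES-GCM in practice."""
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def derive(master, key_id, nonce):
    """Unique per-write key derived from the master key (claim 8)."""
    return hmac.new(master, key_id + nonce, hashlib.sha256).digest()

def store_low(data, key_id, key_slices, hi_threshold):
    """Lower-threshold write: decode master key, encrypt; assumed layout key_id|nonce|ciphertext."""
    master, nonce = recover(key_slices, hi_threshold), secrets.token_bytes(16)
    return key_id + nonce + keystream_xor(derive(master, key_id, nonce), data)

def read_low(blob, lo_threshold, key_vaults):
    """Claim 1 read path: the key id locates master key slices in the stricter configuration."""
    key_id, nonce, ct = blob[:4], blob[4:20], blob[20:]
    hi_threshold, key_slices = key_vaults[key_id]
    if not lo_threshold < hi_threshold:
        raise ValueError("master key vault must have the higher decode threshold")
    master = recover(key_slices, hi_threshold)
    return keystream_xor(derive(master, key_id, nonce), ct)
```

Compromising enough stores to meet the lower decode threshold yields only ciphertext here; the plaintext also requires reaching the higher threshold that guards the master key slices.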
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
Error detection; Error correction; Monitoring (error detection, correction or monitoring in information storage based on relative movement between record carrier and transducer G11B20/18; monitoring, i.e. supervising the progress of recording or reproducing G11B27/36; in static stores G11C29/00) · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
applying encryption of the keys · CPC title
Management of blocks · CPC title