CH716264A2 - A method of storing computer data on a network with proof of storage obtained by a storage node equipped with a cryptographic enclave. - Google Patents

Abstract

The invention relates to a method for the secure storage of computer data within a group of storage nodes (2A) of a network, which comprises a control phase conducted in part in an enclave (8) of a node ( 2A) of storage, and including the calculation of a control condensate (25 ') of an encrypted container (22') and the comparison, within an enclave (8) of a control node (2F) , with a reference condensate (25) reconstituted from fragments distributed over another group of nodes (2C).

Description

TECHNICAL AREA

The invention relates to the field of computing, and more specifically to the field of secure storage of network computer data.

PRIOR ART

The securing of the network storage of computer data has the dual objective of avoiding the loss of data (that is to say their untimely erasure) and their use (this term including reading as well as partial copying or total data) by unauthorized third parties. In other words, security aims to guarantee the sustainability and confidentiality of data.

[0003] To minimize the risk of data loss (in other words, to maximize the durability of the data), replications are generally carried out, that is to say, the data is distributed among several storage spaces. The data is therefore stored redundantly.

To guarantee (as much as possible) the confidentiality of data stored in the network, two methods are generally used: The first consists in restricting (typically via passwords or electronic certificates) access to a server on which the data is stored, which minimizes the risk of reading or copying; The second is to encrypt the data itself using cryptographic techniques.

[0005] The first method is effective under two main conditions.

[0006] First condition: the risk of loopholes in the restrictions on access to the server must be zero or, at the very least, minimum.

However, experience shows that certain attacks make it possible to circumvent these restrictions, typically by recovering the usernames and passwords of users and by usurping their identity to access their data.

[0008] Second condition: the administrator of the server must himself be trustworthy.

However, experience shows that some online service providers (including social networks), which administer servers on which are stored the personal data of many users, allow themselves to access this data and make it operating on their own account, typically by reselling the data to commercial companies or government agencies, or by analyzing the data themselves.

The second method solves the problems of the first, since unauthorized third parties can not make any use of the data, except to crack the encryption algorithms, which, until now, has proved infeasible for the algorithms most commonly used, such as the RSA algorithm (Rivest, Shamir, Adleman) or the elliptic curves algorithm.

Generally, the data is encrypted locally within a sending terminal (typically a personal computer), then the encrypted data is transmitted to the network to be stored there while a cryptographic key for decryption of the data is stored locally at the network. within the sending terminal.

However, this method presents a risk: the loss of the cryptographic key for decryption of the data, which renders the data permanently unusable (and this by anyone, including their owner), because they cannot be deciphered.

It is conceivable to delegate to the network (typically to a remote proxy server) the task of encrypting the data and administering the cryptographic decryption key.

In this case, the problem again arises of a potential access to the data by the administrator of the proxy server, either that the latter copies them before their encryption, or that he takes the liberty of decrypting them by using the generated cryptographic key. Assuming that all or part of the network is prevented from organizing unauthorized access to data, however, the problem arises of obtaining from the network proof, occasionally or regularly, that the storage is continuing, in particular when it is planned to last.

The invention aims to offer an effective solution to these problems, in particular to the problem of proof of storage.

SUMMARY OF THE INVENTION

There is proposed a method for secure storage of computer data within a computer network comprising a plurality of nodes, this method comprising: <tb> <SEP> A) A distribution phase, which comprises the operations consisting in: <tb><SEP> <SEP> - Send, from a sending terminal in which the data is stored, a storage request to the network; <tb><SEP> <SEP> - On receipt of the storage request by at least one node of the network, select within the network at least one node, called entry node, equipped with a computer processing unit in which is implemented an execution environment secured by cryptography, called enclave; <tb><SEP> <SEP> - Instantiate the enclave; <tb><SEP> <SEP> - Load the data, from the sending terminal and via a secure communication line, to the enclave of the input node; <tb><SEP> <SEP> - Enter in an entry of a database a digital fingerprint of the storage request and / or the loading thus performed; <tb><SEP> <SEP> - In the entry node enclave: <tb><SEP><SEP> <SEP> o Encrypt the data to form a first encrypted container, by associating it with a first cryptographic decryption key; <tb><SEP><SEP> <SEP> o Fragment the first cryptographic decryption key into a predetermined number of fragments; <tb><SEP><SEP> <SEP> o Calculate a so-called reference hash of the first encrypted container by applying a predetermined hash function to it; <tb><SEP><SEP> <SEP> o Fragment the reference hash into a predetermined number of fragments; <tb><SEP><SEP> <SEP> o Re-encrypt the first container to form a second encrypted container, by associating it with a second cryptographic decryption key; <tb><SEP><SEP> <SEP> o Fragment the second cryptographic decryption key into a predetermined number of fragments; <tb><SEP><SEP> <SEP> o Designate, among the network, a first group of storage nodes each equipped with a computer processing unit in which an enclave is implemented; <tb><SEP><SEP> <SEP> o Distribute the second encrypted container to the nodes of the first group; <tb><SEP><SEP> <SEP> o Designate, among the network, a second group of storage nodes in a number equal to the fragments of the first cryptographic decryption key; <tb><SEP><SEP> <SEP> o Distribute each fragment of the first cryptographic decryption key to a node of the second group, each node of the second group receiving a unique fragment; <tb><SEP><SEP> <SEP> o Designate, among the network, a third group of storage nodes in a number equal to the fragments of the reference condensate; <tb><SEP><SEP> <SEP> o Distribute each fragment of the reference hash to a node of the third group, each node of the third group receiving a unique fragment; <tb><SEP><SEP> <SEP> o Designate, among the network, a fourth group of storage nodes in a number equal to the fragments of the second cryptographic decryption key; <tb><SEP><SEP> <SEP> o Distribute each fragment of the second decryption key to a node of the fourth group, each node of the fourth group receiving a unique fragment; <tb><SEP> <SEP> - Outside the entry node enclave: <tb><SEP><SEP> <SEP> o Store the second encrypted container within each storage node of the first group; <tb><SEP><SEP> <SEP> o Store each fragment of the first decryption cryptographic key within each storage node of the second group; <tb><SEP><SEP> <SEP> o Store each fragment of the reference condensate within each storage node of the third group; <tb><SEP><SEP> <SEP> o Memorize each fragment of the second cryptographic decryption key within each storage node of the fourth group; <tb><SEP> <SEP> - Enter in a database entry one or more digital fingerprints of these distributions or these memorizations; <tb> <SEP> B) A control phase, which comprises the designation, among the nodes of the network, of a control node equipped with a computer processing unit in which an enclave is implemented, and, for each node of the first group, the operations consisting in: <tb><SEP> <SEP> - Instantiate the storage node enclave; <tb><SEP> <SEP> - Instantiate the control node enclave; <tb><SEP> <SEP> - Establish a secure link between the enclave of the control node and the enclave of the storage node; <tb><SEP> <SEP> - In the control node enclave: <tb><SEP><SEP> <SEP> o Load, from a predetermined number of nodes of the third group, fragments of the reference condensate; <tb><SEP><SEP> <SEP> o Reconstitute the reference condensate from these fragments; <tb><SEP><SEP> <SEP> o Load, from a predetermined number of nodes of the fourth group, fragments of the second cryptographic decryption key; <tb><SEP><SEP> <SEP> o Reconstitute the second cryptographic decryption key from these fragments; <tb><SEP><SEP> <SEP> o Transmit the second cryptographic decryption key to the storage node enclave; <tb><SEP> <SEP> - In the storage node enclave: <tb><SEP><SEP> <SEP> o Load the second encrypted container from a memory location located outside the enclave; <tb><SEP><SEP> <SEP> o Decrypt the second encrypted container using the second decryption cryptographic key received from the enclave of the control node, to reconstitute a copy of the first encrypted container; <tb><SEP><SEP> <SEP> o Calculate a condensate, known as control, of this copy of the first encrypted container; <tb><SEP><SEP> <SEP> o Transmit the control condensate to the control node enclave; <tb><SEP> <SEP> - In the control node enclave, compare the control condensate with the reference condensate; <tb><SEP> <SEP> - Outside the enclave, write the result of this comparison or a fingerprint of this result in an entry of the database.

BRIEF DESCRIPTION OF THE FIGURES

[0017] Other objects and advantages of the invention will become apparent in the light of the description of an embodiment, given below with reference to the accompanying drawings in which: <tb> <SEP> LaFIG.1 is a simplified functional diagram illustrating a computer network on which a database is stored; <tb> <SEP> LaFIG.2 is a simplified functional diagram illustrating different components of a computer processing unit involved in the creation and operation of a secure execution environment called an enclave; <tb> <SEP> LaFIG.3 is a functional diagram partly illustrating a network architecture, partly the steps of a storage process, and partly the files produced, exchanged or stored within the network for the needs (or application) of this process; <tb> <SEP> LaFIG.4 is a functional diagram illustrating different stages of a control phase of the storage process.

DETAILED DESCRIPTION OF THE INVENTION

On theFIG.1is shown a network1informatique which is advantageously of the peer-to-peer type, and which comprises nodes2communicating by links3. For the sake of simplification and conformity with graph theory, on FIG.1, the nodes2 of the network1 are represented by circles; the bonds3, by edges connecting the circles. In order not to overload the drawing with lines, only certain links3 between nodes2 are shown.

[0019] The nodes2 can be scattered over large geographic regions; they can also be grouped into smaller geographic regions.

On at least one of the nodes2 are stored entries4d'a database5, which, according to a particular embodiment, can be distributed over all or part of the nodes.

This database 5 is used here to store traces of a data storage process, some of the operations of which are based on the use of functionalities of secure execution environments.

A secure execution environment (Trusted execution environment or TEE) is, within a computer processing unit provided with a processor or CPU (Central Processing Unit) 7, a temporary computing and data storage space. , called (by convention) an enclave, or even cryptographic enclave, which is isolated, by cryptographic means, from any unauthorized action resulting from the execution of an application outside this space, typically the operating system.

[0023] Intel®, for example, from 2013 revised the structure and interfaces of its processors to include enclave functions, under the name Software Guard Extension, better known by the acronym SGX. SGX equips most of the XX86 type processors marketed by Intel® since 2015, and more specifically from the sixth generation incorporating the so-called Skylake microarchitecture. The enclave functions offered by SGX are not automatically accessible: they must be activated via the elementary input / output system (Basic Input Output System or BIOS).

It does not fall within the requirements of the present description to detail the architecture of the enclaves, insofar as: Despite its relative youth, this architecture is relatively well documented, in particular by Intel® which has filed numerous patents, cf. e.g., among the most recent, the US patent application US 2019/0058696; Processors making it possible to implement them are available on the market - in particular the aforementioned Intel® processors; Only the functionalities allowed by the enclave are of interest to us here, these functionalities being able to be implemented via specific command lines. As such, those skilled in the art may refer to the guide published in 2016 by Intel®: Software Guard Extensions, Developer Guide.

[0025] For a more accessible description of the enclaves, and more particularly of Intel® SGX, those skilled in the art can also refer to A. Adamski, Overview of Intel SGX - Part 1, SGX Internal, or to D. Boneh , Nickaming Schemes, Fast Verification, and Applications to SGX Technology, in Topics in Cryptology, CT - RSA 2017, The Cryptographers' Track at the RSA Conférence 2017, San Francisco, CA, USA, Feb. 14-17, 2017, Proceedings, pp. 149-164, or to K. Severinsen, Secure Programming with Intel SGX and Novel Applications, Thesis submitted for the Degree of Master in Programming and Networks, Dept. Of Informatics, Faculty of Mathematics and Natural Science, University of Oslo, Autumn 2017.

To summarize, with reference to theFIG.2, an enclave8 includes, first of all, a secure memory zone9 (called Enclave Page Cache, in English Enclave Page Cache or EPC), which contains code and data relating to the 'enclave itself, and whose content is encrypted and decrypted in real time by a dedicated chip called the Memory Encryption Engine (MEE). The EPC9 is implemented within a part of the dynamic random access memory (DRAM) 10 allocated to the processor7, and to which ordinary applications (in particular the operating system) do not have access.

[0027] The enclave8 comprises, secondly, cryptographic keys used to encrypt or sign on the fly the data leaving the EPC9, whereby the enclave8 can be identified (in particular by other enclaves), and the The data it generates can be encrypted to be stored in unprotected memory areas (i.e. outside of the EPC9).

In order to be able to operate such an enclave8, an application11 must be segmented into, on the one hand, one or more unsecured parts12 (untrusted part (s)), and, on the other hand, one or more secure parts13 (in English trusted part (s)).

Only the processes induced by the secure part (s) 13 of the application11 can access the enclave8. The processes induced by the unsecured part (s) 12 cannot access the enclave8, i.e. they cannot dialogue with the processes induced by the part (s) (s) 13secure (s).

The creation (also called instantiation) of the enclave8 and the flow of processes within it are controlled via a set14d'instructions particular executable by the processor7et called by the part (s) 13secure (s) of the application11.

[0031] Among these instructions: ECREATE commands the creation of an enclave8; EINIT commands the initialization of the enclave8; EADD commands code loading into the enclave8; EENTER commands code execution in the enclave8; ERESUME commands a new execution of code in the enclave8; EEXIT controls the exit of enclave8, typically at the end of a process running in enclave8.

We have, on theFIG.2, functionally represented the enclave8sous in the form of a block (in dotted lines) including the secure part13 of the application11, the set14d'instructions of the processor7, and the EPC9. This representation is not realistic; it simply aims to visually group together the elements that make up or exploit the enclave8.

[0033] We will explain below how the enclaves are exploited.

The nodes2du network1 being all equipped with memory areas, these can be used as storage space for data15 from a terminal16emitter (here shown in the form of a smartphone) connected to the network1. To minimize the risk of data loss15, it is advantageous to perform a replication of the data, that is to say to make a copy of the data15, and to distribute a copy to several nodes2 of the network1. Data traceability15 can be achieved by entering, in at least one entry4 of the database5, one or more digital fingerprints of the memorizations thus made.

If the replication of the data15 within the network1 resolves the problem of the durability of the data15, it does not solve the problem of their confidentiality.

Encrypting the data15 at the level of the transmitter terminal16 (which would store a data decryption key) would solve the problem of confidentiality vis-à-vis unauthorized third parties (except to admit that the decryption key could be copied by an unauthorized third party from the sender terminal 16), but would not however guarantee that the data would remain accessible by the sender terminal 16 itself, in the hypothesis - which is realistic in practice - where the cryptographic key is lost or corrupted.

Simply distributing the encrypted data15 among nodes2 of the network1 may seem insufficient: it indeed appears necessary to carry out a check (one-off or regular), in order to verify that the data is actually stored - and that it continues to be there. 'being - by nodes2.

To this end, a two-phase data storage method is proposed here, namely: A data distribution phase15 on the network1; A phase of checking that the data15 is actually stored on the network1.

During the distribution phase, it is not only the data15 which are distributed (in encrypted form), but also the decryption keys thereof, via an enclave8 instantiated on a node2E, called entry node, of the network1 (FIG. 3).

To this end, a preliminary operation of the distribution phase consists, from the transmitter terminal16 in which the data15 is stored, in transmitting a storage request for the data15 to the network1.

On receipt of the storage request by at least one node2du network1, it is selected, within network1, at least one input node2E, equipped with a computer processing unit in which an enclave8 is implemented.

This enclave8est then instantiated, and the data15y are loaded from the emitting terminal16 and via a secure communication line17 (eg using the Transport Layer Security or TLS protocol). For this purpose, the enclave8 can be provided, as soon as it is instantiated, with a communication interface 18 emulation supporting the chosen protocol (here TLS) for the exchange of secure data.

The enclave8est advantageously provided with a module19d'interface with the database5, able to interrogate the latter or to write data therein in entries4.

An item of information20containing a digital imprint of the loading of the data15 thus carried out is entered here in an entry4of the database5, for the purposes of traceability.

This information20 can be transmitted to the interface module19 by the emitter terminal16, to be registered (typically by one or more nodes2 of the network1) in an entry4 of the database5. As a variant, the interface module itself sends information 20 for registration in an entry 4.

In the enclave8du entry node then take place the following operations.

A first operation consists in encrypting the data15 by means of a first encryption cryptographic key21 to form a first encrypted container22, by associating it with a first cryptographic decryption key. To this end, the data 15 received from the emitting terminal 16 are relayed by the communication interface 18 to an encryption module 24 implemented in the enclave 8.

[0048] According to a preferred embodiment, the encryption is symmetrical. In this case, the first encryption key21 and the first decryption key23 are one and the same key.

A second operation consists in fragmenting the first decryption key. More precisely, the first decryption key23 is fragmented into a predetermined number N of fragments23.i (i an integer, 2≤i≤N).

According to a preferred embodiment, N is such that N> 3 and the fragmentation of the first decryption key is carried out in application of Shamir's rules (known as Shamir's Secret Sharing, in English Shamir's Secret Sharing), and more precisely of the threshold scheme, where a predetermined integer number K (1 <K <N) is chosen such that a number K of fragments23.isont sufficient to reconstitute the first decryption key23.

A third operation consists in calculating a so-called reference condensate25 of the first container22, by applying to it a predetermined hash function - typically SHA-256.

A fourth operation consists in fragmenting the reference condensate 25de into a predetermined number M of fragments25.j (j an integer, 2≤j≤M).

According to a preferred embodiment, M is such that M> 3 and the fragmentation of the condensate is carried out in application of Shamir's rules, and more precisely of the threshold diagram, where a predetermined integer L (1 <L <M) is chosen such that a number L of fragments25.j are sufficient to reconstitute the condensate25.

A fifth operation consists in re-encrypting the first container22 (already encrypted) by means of a second cryptographic encryption key26 to form a second encrypted container27 (twice, therefore), by associating it with a second cryptographic decryption key28.

According to a preferred embodiment, the encryption is symmetrical. In this case, the second encryption key26 and the second decryption key28 are one and the same key.

A sixth operation consists in fragmenting the second decryption key. More precisely, the second decryption key28 is fragmented into a predetermined number P of fragments28.k (k an integer, 2≤k≤P).

According to a preferred embodiment, P is such that P> 3 and the fragmentation of the second decryption key is carried out by applying Shamir's rules, and more precisely of the threshold scheme, where a predetermined integer Q (1 < Q <P) is chosen such that a number Q of fragments28.k are sufficient to reconstitute the second decryption key28.

A seventh operation consists in designating, among the network1, a first group of storage nodes2A.

An eighth operation consists in distributing the second encrypted container27 to the storage nodes2Ade of the first group.

To this end, the enclave8est advantageously provided with a data distribution module29, to which the encryption module24 communicates the second encrypted container27 for distribution to the storage nodes2A of the first group.

A ninth operation consists in designating, among the network1, a second group of storage nodes2B, in number N equal to the number of fragments23.ide the first decryption key23.

This second group of storage nodes2B is preferably separate from the first group of storage nodes2A (as illustrated in dotted lines on FIG. 3).

A tenth operation consists in distributing the fragments23.ide the first cryptographic decryption key23 to the storage nodes2B of the second group, each storage node2B of the second group receiving a single fragment23.i.

According to a preferred embodiment, the enclave8est provided with a fragmentation and distribution module30, to which the encryption module24 communicates the first decryption key23 for fragmentation and distribution to the storage nodes2B of the second group.

An eleventh operation consists in designating, among the network1, a third group of storage nodes2C in number M equal to the fragments25.jdu condensate25de reference.

A twelfth operation consists in distributing each fragment25.jdu condensate25de reference to a node2C of the third group, each node2C of the third group receiving a single fragment25.j.

This third group of storage nodes2C is preferably separate from the first group of storage nodes2A and from the second group of storage nodes2B (as illustrated in dotted lines in Fig.3).

A thirteenth operation consists in designating, among the network1, a fourth group of storage nodes2D in number P equal to the fragments28.kde of the second cryptographic decryption key28.

This fourth group of storage nodes2D is preferably separate from the first group of storage nodes2A, from the second group of storage nodes2B and from the third group of storage nodes2C (as illustrated in dotted lines in Fig.3).

A fourteenth operation consists in distributing each fragment28.kde the second decryption key28 to a node2D of the fourth group, each storage node2D of the fourth group receiving a unique fragment28.k.

These operations completed, the enclave8 can be closed.

Outside the enclave8, the following operations are carried out: <tb> <SEP> oThe second encrypted container27 is stored within each storage node2A of the first group; <tb> <SEP> o Each fragment23.ide the first decryption cryptographic key23 is stored within each respective storage node2B of the second group; <tb> <SEP> o Each fragment25.jdu reference condensate25 is stored within each respective storage node2 of the third group; <tb> <SEP> o Each fragment28.k of the second decryption cryptographic key28 is stored within each respective storage node2 of the fourth group.

To ensure the traceability of these operations, at least one item of information containing a digital imprint of the distributions or memorizations thus carried out is advantageously recorded in an entry4 of the database5. This information can be transmitted by the storage nodes2A, 2B, 2Cet2D, but it can also be transmitted by the enclave8 itself (and more precisely by the interface module19) before it is closed.

As has already been suggested, it is important to ensure that the data15 are actually stored on the storage nodes2A of the network1. More precisely, it is desirable to obtain (occasionally or regularly) from each node2A proof that this storage is effectively maintained, without however allowing any node2A of the first group to access the data15 that it stores in the doubly encrypted form. of the second container27.

For this purpose, the control phase comprises a succession of operations, described below with reference to the FIG.4.

A preliminary operation consists in designating (DES), among the nodes2du network1, a control node2F equipped with a computer processing unit in which an enclave8 is implemented.

Then, for each storage node 2Ade of the first group, as designated (DES) successively, the control phase comprises the repetition of the following operations.

A first operation consists in instantiating the enclave8du node2Fde control.

A second operation consists in instantiating the enclave8du storage node2A.

A third operation consists in establishing a secure link between the enclave8du node2Fde control and the enclave8du node2Ade storage.

A fourth operation consists, for the control node2F, in requesting (REQ) from P storage nodes2D of the fourth group, P fragments28.k (three in the purely illustrative example of laFIG.4) of the second decryption key28.

A fifth operation consists in loading these P fragments28.kde the second encryption key28 in the enclave8du node2Fde control.

A sixth operation consists in reconstituting, in the enclave8du control node2F, the second decryption key28 from the P fragments28.k thus loaded.

A seventh operation consists, from the enclave8du control node2F, in transmitting to the enclave8du storage node2A the second decryption key28 thus reconstituted.

An eighth operation consists, for the control node2F, in requesting (REQ) L fragments25.jdu condensate25de reference

A ninth operation consists in loading these L fragments25.jdu condensate25de reference in the enclave8du node2Fde control.

A tenth operation consists in reconstituting, in the enclave8du node2Fde control, the reference condensate25de from the L fragments25.jainsi charged.

An eleventh operation consists in loading into the storage enclave8du node2A, from a memory location located outside the enclave8, the second encrypted container27.

A twelfth operation consists, in the enclave8du storage node2A, in decrypting the second encrypted container27, by means of the second decryption key28 received from the enclave8du node2Fde control, to reconstitute a copy22 'of the first encrypted container22.

A thirteenth operation consists, in the enclave8du storage node2A, in calculating a condensate25 ', said to be control, of this copy22' of the first encrypted container22, by the same method as that used for the calculation of the reference condensate25 from the 'original of the first encrypted container (here SHA-256).

A fourteenth operation consists, from the enclave8du storage node2A, in transmitting to the enclave8du control node2F, the control condensate25'de thus calculated.

A fifteenth operation consists, in the enclave8du control node2F, in comparing (=) the control condensate 25 ′ to the reference condensate 25. If the two hashs25 ', 25are equal (result Y), this means that the copy22' of the first encrypted container22 corresponds to the original, and that the storage node2A effectively stores the second container27, and this without altering its content.

If, on the contrary, the two condensates25 ', 25 are different (result N), this means that the copy22' of the first encrypted container22 does not correspond to the original, that consequently the storage node2A does not correctly store the second container27, and that it is therefore likely that the data it contains are, at the very least, corrupted.

In both cases, outside the enclave8 (both of the storage node2A and of the control node2F), an additional operation consists of entering, in an entry4 of the database5, at least one digital fingerprint of this result (here Y or N).

The method which has just been described has the following advantages.

First, the double encryption of data15 drastically limits the risks of unauthorized access to them by a storage node2A or by a third party having improperly obtained the second encrypted container27: it is indeed necessary to obtain Q fragments28.k from the second decryption key28 and K fragments23.ide the first decryption key23 to extract the data15from the second encrypted container27. The success of such a procedure is highly improbable, as it requires prohibitive means of calculation.

Second, the double encryption allows, via the temporarily instantiated enclaves8, during the control phase, in the control node2F and in the storage node2A, to temporarily reconstitute in the storage node2A a copy22 'of the first encrypted container22 in order to extract the condensate. control25 'and, thanks to this, to prove in a way that is not only simple, but also and above all confidential, that the storage of data15 (within the second container27) is actually continuing in the storage node2A.

A storage node2A having provided this proof can be considered reliable and maintained among the first group. Conversely, a storage node2A which would not have provided this proof must be considered as faulty and eliminated from the first group. In this case, it is possible to replace the faulty node (s) thus detected with a new 2A storage node (s) enrolled in the first group, and to which (which) the second container27 is redeployed from a copy available on one of the storage nodes2A deemed reliable.

Claims (4)

1. A method of secure storage of computer data (15) within a computer network (1) comprising a plurality of nodes (2), this method comprising: A) A distribution phase, which includes the operations consisting in: - Sending, from a sender terminal (16) in which the data (15) are stored, a storage request to the network (1); - On receipt of the storage request by at least one node (2) of the network (1), select within the network (1) at least one node (2E), called entry node, equipped with a computer processing in which an execution environment secured by cryptography, called an enclave (8), is implemented; - Instantiate the enclave (8); - Load the data (15), from the sender terminal (2E) and via a secure communication line (17), to the enclave (8) of the input node (2E); - Enter in an entry (4) of a database (5) a digital imprint of the storage request and / or loading thus performed; - In the enclave (8) of the input node (2E): o Encrypt the data (15) to form a first encrypted container (22), by associating it with a first cryptographic decryption key (23); o Fragment the first cryptographic decryption key (23) into a predetermined number N of fragments (23.i); o Calculate a so-called reference condensate (25) of the first encrypted container (22) by applying a predetermined hash function to it; o Fragment the reference condensate (25) into a predetermined number of fragments (25.j); o Re-encrypt the first container (22) to form a second encrypted container (27), by associating it with a second cryptographic decryption key (28); o Fragment the second cryptographic decryption key (28) into a predetermined number of fragments (28.k); o Designate, from among the network (1), a first group of storage nodes (2A) each equipped with a computer processing unit in which an enclave (8) is implemented; o Distribute the second encrypted container (27) to the nodes (2A) of the first group; o Designate, among the network (1), a second group of storage nodes (2B) in a number equal to the fragments (23.i) of the first cryptographic decryption key (23); o Distribute each fragment (23.i) of the first cryptographic decryption key (23) to a node (2B) of the second group, each node (2B) of the second group receiving a single fragment (23.i); o Designate, among the network (1), a third group of storage nodes (2C) in a number equal to the fragments (25.j) of the reference condensate (25); o Distribute each fragment (25.j) of the reference condensate (25) to a node (2C) of the third group, each node (2C) of the third group receiving a single fragment (25.j); o Designate, among the network (1), a fourth group of storage nodes (2D) in a number equal to the fragments (28.k) of the second cryptographic decryption key (28); o Distribute each fragment (28.k) of the second decryption key (28) to a node (2D) of the fourth group, each node (2D) of the fourth group receiving a single fragment (28.k); - Outside the enclave (8) of the input node (2E): o Store the second encrypted container (27) within each storage node (2A) of the first group; o Memorize each fragment (23.i) of the first cryptographic decryption key (23) within each storage node (2B) of the second group; o Memorize each fragment (25.j) of the reference condensate (25) within each storage node (2C) of the third group; o Store each fragment (28.k) of the second cryptographic decryption key (28) within each storage node (2D) of the fourth group; - Enter in an entry (4) of the database (5) one or more digital fingerprints of these distributions or these memorizations; B) A control phase, which includes the designation, among the nodes (2) of the network (1), of a control node (2F) equipped with a computer processing unit in which an enclave (8) is implemented , and, for each storage node (2A) of the first group, the operations consisting in: - Instantiate the enclave (8) of the storage node (2A); - Instantiate the enclave (8) of the control node (2F); - Establish a secure link between the enclave (8) of the control node (2F) and the enclave (8) of the storage node (2A); - In the enclave (8) of the control node (2F): o Load, from a predetermined number of nodes (2C) of the third group, fragments (25.j) of the reference condensate; o Reconstitute the reference condensate (25) from these fragments (25.j); o Load, from a predetermined number of nodes (2D) of the fourth group, fragments (28.k) of the second cryptographic decryption key (28); o Reconstitute the second cryptographic decryption key (28) from these fragments (28.k); o Transmit the second cryptographic decryption key (28) to the enclave (8) of the storage node (2A); - In the enclave (8) of the storage node (2A): o Load the second encrypted container (27) from a memory space located outside the enclave (8); o Decrypt the second container (27) encrypted by means of the second cryptographic decryption key (28) received from the enclave (8) of the control node (2F), to reconstitute a copy (22 ') of the first container (22 ) encrypted; o Calculate a condensate (25 '), called a control, of this copy (22') of the first encrypted container (22); o Transmit the control condensate (25 ') to the control node (2F) enclave (8); - In the enclave (8) of the control node (2F), compare the control condensate (25 ') with the reference condensate (25); - Outside the enclave (8), enter the result of this comparison or an imprint of this result in an entry (4) of the database (5). 2. Method according to claim 1, in which the fragmentation of the first decryption key (23) is carried out in application of Shamir's rules. 3. Method according to claim 1, in which the fragmentation of the second decryption key (28) is carried out in application of Shamir's rules. 4. The method of claim 1, wherein the fragmentation of the reference condensate (25) is carried out in application of Shamir's rules.