KR20230044952A - Computing method and system for file security based on ipfs - Google Patents

Abstract

A computing method and system for IPFS-based file security are disclosed. The computing method is a computing method for IPFS-based file security, which is performed by at least one processor, and generates an AES encryption key and an initialization vector (IV) by a system for IPFS-based file security and based thereon and performing file encryption with In addition, extracting the public key through the address of the file owner's blockchain account and RSA-encrypting the AES encryption key based on this, storing the AES-encrypted file in a storage in a distributed environment, and encrypting the distributed environment access key It includes steps to In addition, the IPFS-based system for file security creates an NFT file that is accessible through the encrypted distributed environment access key, and the generation information, file information, and encryption information for the NFT file are stored in the block chain. It may include recording in a smart contract.

Description

Computing method and system for file security based on IPFS {COMPUTING METHOD AND SYSTEM FOR FILE SECURITY BASED ON IPFS}

The present invention relates to a computing method and system for IPFS-based file security, and more particularly, to a computing method and system for IPFS-based file security capable of providing file security in software using NFT technology. will be.

Blockchain technology is a technology for recording and storing the contents of transactions performed on network communication in a reliable and safe way. A blockchain network is a system in a distributed environment in which digitized assets or transactions can be exchanged, and uses a shared ledger to record the history of electronic transactions or work history occurring in a peer-to-peer (P2P) network. do.

Since the blockchain network uses a decentralized or decentralized consensus mechanism, transaction forgery by a third party is virtually impossible, thereby ensuring reliability and transparency of the transaction. Recently, the use of blockchain technology has been attempted in various service fields such as financial services and medical services such as healthcare.

On the other hand, the file security system recorded in the existing database was a file security system in which all access records for file locations, as well as file access qualifications, file encryption and decryption keys, are recorded in the database. In addition, most of these file security solutions or systems block access to files in hardware and manage file history. Hardware equipment for this is expensive and has limitations in security. Therefore, if the corresponding database or file storage is breached, not only all data is leaked, but also the original file cannot be found because the file is forged or tampered with, or credentials can be easily manipulated. Recently, the ransomware issue that demands money by holding files hostage can be seen as an example.

In general, when the owner of a file and the requester who wants to access the file are different, it goes through a multi-step process for security. Since the owner has to access the administrator or system and provide the requester with authority, it is difficult to respond immediately, and especially in the case of a remote request, processing becomes more difficult.

In addition, even if the storage space of the file is distributed or the backup is well configured, the leakage, forgery, or alteration of the original cannot be completely prevented due to hardware limitations and cost issues. Furthermore, the process of requesting and granting access to files is not smooth, and responsibility for leakage cannot be perfectly determined. In addition, it is difficult to completely trust records of file access or records related to files because they can be forged or tampered with.

The present disclosure provides a computing method for IPFS-based file security, a computer program stored in a recording medium, and a system or device to solve the above problems.

According to some embodiments of the present disclosure, an IPFS-based computing method and system for file security in which forgery and falsification of files is impossible and the risk of leakage or loss of files can be eliminated by storing them in an encrypted form in a distributed environment. Its purpose is to provide

In addition, according to some embodiments of the present disclosure, an object of the present disclosure is to provide a computing method for IPFS-based file security that can provide security in software without the need to add additional hardware and can be used universally. .

In addition, according to some embodiments of the present disclosure, an IPFS-based computing method for file security in which an owner can confirm and then grant a request for file access in real time and manage ownership of a file without complicated proof is provided. But it has a purpose.

The present disclosure may be implemented in various ways, including a computing method for IPFS-based file security, a computer program stored in a recording medium, and a system or device.

Specifically, according to an embodiment of the present disclosure, as a computing method for IPFS-based file security, performed by at least one processor, an AES encryption key and an initialization vector ( IV) generating and performing file encryption based on it; Extracting a public key through an address of a file owner's blockchain account and RSA-encrypting the AES encryption key based on the extracted public key by an IPFS-based file security system; storing an AES-encrypted file in a storage of a distributed environment and encrypting a distributed environment access key by an IPFS-based file security system; Generating an NFT file accessible through the encrypted distributed environment access key by a system for file security based on IPFS; and recording creation information, file information, and encryption information on the NFT file in a smart contract of the blockchain by an IPFS-based file security system.

According to an embodiment, in the step of encrypting the distributed environment access key, the distributed environment access key may be RSA asymmetrically encrypted with a public key extracted through an address of a blockchain account of a file owner.

According to an embodiment, after generating the NFT file, receiving a third party's file access request by an IPFS-based file security system; and requesting permission from the file owner through a service provided by the file owner's block chain account wallet or keystore for the received request by the IPFS-based file security system. .

According to an embodiment, the step of extracting an AES-encrypted file by decrypting the encrypted distributed environment access key based on the file owner's response to the permission request by the IPFS-based file security system is further included. can include

According to an embodiment, after extracting the encrypted file, the method may further include decrypting the AES-encrypted file by decrypting the encrypted AES key by an IPFS-based file security system.

According to an embodiment, after decrypting the AES-encrypted file, generating an access URI for accessing the decrypted file by an IPFS-based file security system; and transmitting the access URI generated by the IPFS-based file security system to a terminal of a third party that has transmitted the file access request.

According to an embodiment, the method may further include discarding the transmitted access URI after a predetermined time has elapsed by an IPFS-based file security system.

According to an embodiment, the method may further include deleting the decrypted file from a memory cache in which the decrypted file is stored after the elapse of the predetermined time by an IPFS-based file security system.

According to an embodiment, the IPFS-based system for file security may further include recording information about the file access request in a smart contract of a blockchain.

According to the embodiment, when there are multiple file owners, the NFT files are created as many as the multiple file owners, and each AES is created using each public key extracted through the blockchain account of each of the multiple file owners. RSA encrypting the encryption key.

According to some embodiments of the present disclosure, since it is recorded and managed in a blockchain, forgery and tampering is impossible, and stored in an encrypted form in a distributed environment such as IPFS, the risk of leakage or loss of files is eliminated.

In addition, according to some embodiments of the present disclosure, since security is provided in a software manner by utilizing NFT technology without the need to add additional hardware, security and management costs can be saved, and operation is performed through a service-based configuration. Usability is expanded because it can be used universally without restrictions on the environment and execution environment.

In addition, according to some embodiments of the present disclosure, a separate blockchain and distributed environment such as IPFS are configured to provide a stronger security system in which only authorized nodes can participate, and the owner confirms the request for access in real time. Since it can grant the following permission, it can be particularly useful for managing access to sensitive individual files.

In addition, according to some embodiments of the present disclosure, an administrator can manage file ownership only with a blockchain account without separate proof, thereby avoiding the hassle of managing multiple accounts, and the hash key is disclosed. Even if it is, it has the advantage of maintaining security because the file can be checked only through the private key of the NFT.

Embodiments of the present disclosure will be described with reference to the accompanying drawings described below, wherein like reference numbers indicate like elements, but are not limited thereto.
1 is a diagram showing an example of a conventional file security system for recording in a database.
2 is a diagram showing an example of a process performed when a third party other than the owner accesses a recorded file in the related art.
3 is an exemplary conceptual diagram illustrating a technique of storing a file using a distributed environment technique according to an embodiment of the present disclosure.
4 is an exemplary conceptual diagram for explaining a case in which one owner of a file is used in a file encryption method related to file access authority according to an embodiment of the present disclosure.
5 is an exemplary conceptual diagram for explaining a case in which a plurality of file owners exist in a file encryption method related to file access authority according to an embodiment of the present disclosure.
6 is a file upload method related to FIG. 4 , and FIG. 7 is conceptual diagrams for explaining a file upload method related to FIG. 5 .
8 is a conceptual diagram for explaining a file access and owner permission method according to an embodiment of the present disclosure.
9 is a schematic diagram illustrating a configuration in which an information processing system is communicatively connected with a plurality of user terminals according to an embodiment of the present disclosure.
10 is a block diagram illustrating exemplary internal configurations of an information processing system and a user terminal according to an embodiment of the present disclosure.
11 is a representative flowchart illustrating a process of a file upload method according to the present disclosure, and FIG. 12 is a representative flow chart illustrating a process of a file access method according to the present disclosure.

Hereinafter, specific details for the implementation of the present disclosure will be described in detail with reference to the accompanying drawings. However, in the following description, if there is a risk of unnecessarily obscuring the gist of the present disclosure, detailed descriptions of well-known functions or configurations will be omitted.

In the accompanying drawings, identical or corresponding elements are given the same reference numerals. In addition, in the description of the following embodiments, overlapping descriptions of the same or corresponding components may be omitted.

However, omission of a description of a component does not intend that such a component is not included in an embodiment.

Advantages and features of the disclosed embodiments, and methods of achieving them, will become apparent with reference to the following embodiments in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below and may be implemented in various different forms, but only the present embodiments make the present disclosure complete, and the present disclosure does not extend the scope of the invention to those skilled in the art. It is provided only for complete information.

Terms used in this specification will be briefly described, and the disclosed embodiments will be described in detail. The terms used in this specification have been selected from general terms that are currently widely used as much as possible while considering the functions in the present disclosure, but they may vary according to the intention of a person skilled in the related field, a precedent, or the emergence of new technology. In addition, in a specific case, there is also a term arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the invention. Therefore, the terms used in the present disclosure should be defined based on the meaning of the terms and the general content of the present disclosure, not simply the names of the terms.

Expressions in the singular number in this specification include plural expressions unless the context clearly dictates that they are singular. Also, plural expressions include singular expressions unless the context clearly specifies that they are plural. When it is said that a certain part includes a certain component in the entire specification, this means that it may further include other components without excluding other components unless otherwise stated.

Also, the term 'module' or 'unit' used in the specification means a software or hardware component, and the 'module' or 'unit' performs certain roles. However, 'module' or 'unit' is not meant to be limited to software or hardware. A 'module' or 'unit' may be configured to reside in an addressable storage medium and may be configured to reproduce one or more processors. Thus, as an example, a 'module' or 'unit' includes components such as software components, object-oriented software components, class components, and task components, processes, functions, and attributes. , procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, or variables. Functions provided within components and 'modules' or 'units' may be combined into a smaller number of components and 'modules' or 'units', or further components and 'modules' or 'units'. can be further separated.

According to one embodiment of the present disclosure, a 'module' or 'unit' may be implemented with a processor and a memory. 'Processor' should be interpreted broadly to include general-purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, and the like.

In some circumstances, 'processor' may refer to an application specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), or the like. 'Processor' refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in conjunction with a DSP core, or a combination of any other such configurations. You may. Also, 'memory' should be interpreted broadly to include any electronic component capable of storing electronic information. 'Memory' includes random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), It may also refer to various types of processor-readable media, such as electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. A memory is said to be in electronic communication with the processor if the processor can read information from and/or write information to the memory. Memory integrated with the processor is in electronic communication with the processor.

In the present disclosure, a 'system' may include at least one of a server device and a cloud device, but is not limited thereto. For example, a system may consist of one or more server devices. As another example, a system may consist of one or more cloud devices. As another example, the system may be operated by configuring a server device and a cloud device together.

In this disclosure, 'display' may refer to any display device associated with a computing device, for example, any display device capable of displaying any information/data provided or controlled by the computing device. can refer to

In the present disclosure, 'each of a plurality of A' or 'each of a plurality of A' may refer to each of all components included in a plurality of A's, or each of some components included in a plurality of A's. .

In this disclosure, 'Smart Contract' is a code implementation of a written contract so that a desired contract can be safely concluded between individuals, and a script that executes the contract when specific conditions are met means (script). The contracts uploaded to the blockchain mainnet are open for anyone to see and are difficult to falsify.

In this disclosure, 'EOA' is an account creation process in which a private key is generated through a wallet program, a public key is generated through the generated private key, and an address is generated, and an account created through this process. is referred to as EOA.

In this disclosure, 'Non-Fungible Token (NFT)' refers to a cryptocurrency in which one token cannot be replaced with another, and non-fungible tokens play a large role in ensuring the ownership of digital assets by users. do. Existing centralized services have limitations that can no longer be used when the service is terminated, but NFTs are recorded in the blockchain system to ensure safe protection and rights. As a result, users can more fully own and utilize their digital assets.

In the present disclosure, 'Advanced Encryption Standard (AES) encryption' is As an advanced encryption standard, AES is an encryption method designated as a federal information processing standard by the National Institute of Standards and Technology, and is the only publicly available encryption algorithm among approved encryption algorithms.

In the present disclosure, 'asymmetric encryption' means using two keys in relation to encryption, where a key means a constant that opens and locks a message. Generally, in many public key algorithms, the public key is known to everyone and is used to encrypt the message. Encrypted messages can be decrypted and viewed only by those who have the private key. Anyone with a public key algorithm can encrypt a message, but only a person with a private key can decrypt and read the encrypted message.

In the present disclosure, an 'asymmetric key' is a pair of a public key and a private key. If the key for encryption and the key for decryption are different, it is said to be an asymmetric key. An asymmetric key includes a public key that can encrypt information with a key that is open to others and a private key that only the user knows and can decrypt only a specific person with authority. pair up

The encryption method using an asymmetric key can be divided into a case of encryption with a public key and a case of encryption with a private key. If more emphasis is placed on data security, encryption with a public key is selected, whereas encryption with a private key is selected if the emphasis is on the authentication process through a secure digital signature.

In the present disclosure, 'InterPlanetary File System (IPFS)' means a protocol for storing data in a distributed file system and sharing it over the Internet. IPFS is used, for example, to share large files and data in a peer-to-peer manner such as Napster or Torrent. Also, since IPFS is open and non-centralized, it limits the centralization of the web, and the backbone of dApps is blockchainized.

The existing HTTP method was a method of finding the address where the data is located and bringing the desired content at once, but the IPFS according to the present disclosure uses a hash value converted to the data content to distribute and store content in multiple computers around the world. It works by finding the data, breaking it into small pieces, importing them at high speed, and then putting them back together and displaying them. At this time, the hash table stores information in key/value pairs, and since numerous distributed nodes around the world store the information, the user can use IPFS to save information in the case of the existing HTTP method. Data can be stored and retrieved much faster than before. When a file is registered on IPFS, an accessible IPFS hash key is issued, and the file can be accessed through the hash key.

In the present disclosure, a 'heap memory area' means a user's dynamically allocated area whose size is determined according to the runtime of an operating system, and can temporarily store data.

Hereinafter, in the present disclosure, a computing method for IPFS-based file security that is recorded and managed in a blockchain so that forgery and tampering is impossible and stored in an encrypted form in a distributed environment such as IPFS to eliminate the risk of leakage or loss of files. , a computer program and system stored in a recording medium will be described in detail.

First, prior to the description of the computing method, computer program and system stored in a recording medium according to the present disclosure, conventional file storage and file access will be described.

1 is an example of a conventional file security system that records in a database, and FIG. 2 illustrates an example of a conventional process performed when a third party other than the owner accesses a recorded file.

Referring to FIG. 1 , users 10 - 1 , 10 - 2 , and 10 - 3 access a file system (file URI) 40 using security hardware 20 . In this case, the users 10-1, 10-2, and 10-3 may include the owner of the file, a user trying to access the file, and a third party.

When users 10-1, 10-2, and 10-3 access the file system (file URI) 40 to store, upload, or access files, encryption and decryption of files 41, access credentials ( 42), file location 43, access record 44, etc. are all stored in the database 50. These records can be accessed either through database 50 or collectively through file storage 30 . Therefore, if the security of the database 50 or the file storage 30 is breached due to a problem such as the dreung security hardware 20, the file record is exposed to the risk of being leaked, lost, or falsified.

In addition, referring to FIG. 2, when a requester 200, for example, a third party trying to access a file 240 sends a file access request 201 to the owner, the file owner 230 recognizes it and then the administrator ( system) (230) to transmit the file access settings (202). Then, the manager (system) 230 provides file access information (eg, an access key) to the requester 220 after checking the access authority (203). Thereafter, the requester 220 may access the corresponding file 240 using the provided file access information (eg, access key) and view the file (204).

The process of FIG. 2 takes time for the file owner 230 to recognize the request and additional time for setting up file access 202 . In addition, there is a problem that security is weakened by providing file access information to the requester 220.

Accordingly, the present disclosure proposes a method and system for implementing block chain-based file security using NFT (Non-Fungible Token). Specifically, the issued NFT is used as the encryption key and access key of the file, the encrypted file is stored in a distributed storage such as IPFS (InterPlanetary File System), and the address of the file is recorded in the NFT.

Basic information about the file is recorded in the meta of NFT, and creation, access, and modification histories are recorded in the smart contract of the blockchain.

Depending on the embodiment, in the case of file upload, in the case of a personal file, access through an app or the web, and when the owner of the file (individual or group) uploads the file, the system stores the file in the memory cache of the temporary server. and creates a 32-character AES encryption key and a 16-character IV (Initialization Vector), which encrypts the file. Then, the public key is extracted through the address of the owner's blockchain account and the AES encryption key is asymmetrically encrypted. AES-encrypted files are stored in a distributed environment, and the access key to the distributed environment is asymmetrically encrypted with a public key. Thereafter, when an NFT is created, file information and encryption information are recorded, and the creation information is recorded in the system, the file upload is completed.

Depending on the embodiment, in the case of file access, when a request for access to a file is received after NFT creation, the system may receive notification of access from the owner of the NFT through an app or web and allow access. Permitted files are decrypted through NFT, stored in the memory cache on the system, and assigned a separate address (URI). The allocated address (URI) is disclosed to the service that requested access, and after a predetermined period of time, the file in the memory cache is automatically deleted and the address (URI) is also deleted. Accordingly, when there is no permission from the NFT owner, file access can be completely blocked and a file security system that is not leaked can be configured.

3 is an exemplary conceptual diagram illustrating a technique of storing a file using a distributed environment technique according to an embodiment of the present disclosure.

In FIG. 3, files are encrypted and stored in IPFS 330 using distributed environment technology. In the distributed storage provided by the IPFS 330, the hash value of a file is stored in a plurality of distributed nodes, so there is no need to worry about file backup or management. In addition, existing problems caused by the centralization of the file system are resolved.

In addition, in the existing system, the contents recorded in the database, for example, the owner account, file information, change history, file access history, access permission information, etc. are recorded in the smart contract of the blockchain (320) Above, tampering is impossible.

In addition, the AES-encrypted file is stored in a distributed environment, and the NFT (310) generated after asymmetric encryption of the access key to the distributed environment with a public key blocks access based on the block chain (320). Prevent file loss and leakage at the source.

Now, after the NFT is created, a file encryption method related to access to the stored file will be described in detail.

First, FIG. 4 is an exemplary conceptual diagram for explaining a case in which there is only one owner of a file in a file encryption method related to file access authority according to an embodiment of the present disclosure.

As shown in FIG. 4, when the owner of one file 410 is one-sided, one NFT 430 is issued to prove qualifications and manage access rights to the file. At this time, as the meta information 411 , for example, a file creation date, a file name, and other file-related information may be stored.

The issued NFT (430) is accessed through the blockchain account (420) and extracted using the public key (421) RSA encryption (423), AES encryption key (424) public key (421) and the private key 422 through AES encryption (425), and asymmetric encryption of the file using this (426). The AES-encrypted file is uploaded to a distributed environment such as IPFS, for example, distributed storage 434 (427). The access address of the file uploaded to the distributed environment, for example, the distributed storage 434, is stored after being encrypted using a public key.

Specifically, an access key 433 of a distributed environment is generated, which includes encryption information 431 using RSA encryption 423 and an index ID 432.

In this way, the distributed file information is encrypted in the smart contract of the blockchain, and the address stored to access the distributed environment is also encrypted and stored, so the file cannot be accessed or decrypted without permission through NFT.

According to an embodiment, FIG. 5 is an exemplary conceptual diagram for explaining a case where a single file has a plurality of owners in a file encryption method related to file access authority.

Referring to FIG. 5 , even if there are several owners of one file 510, encryption is performed in a similar manner to the case where there is only one owner, and a plurality of NFTs 530a and 530b are issued as many as the number of owners.

Credentials are verified for each of the plurality of NFTs 530a and 530b, and access rights to files are managed. At this time, the meta information 511, for example, the date of creation of the file, the file name, and other file-related information may be shared with respect to a plurality of NFTs 530a and 530b.

The issued plurality of NFTs (530a, 530b) are accessed through respective blockchain accounts (520a, 520b) and RSA encrypted using each public key (521, 521-2) extracted (523) , AES encryption key 524 is AES encrypted (525) through each public key (521, 521-2) and private key (522, 522-2), and the file is asymmetrically encrypted (526). Then, the AES-encrypted file is uploaded to a distributed environment such as IPFS, for example, distributed storage 534 (527). The access address of the file uploaded to the distributed environment, for example, the distributed storage 534, is encrypted and stored using the respective public keys 521 and 521-2. Specifically, an access key 533 of a distributed environment is generated, which includes encryption information 531 and 531-2 using RSA encryption 523 and index IDs 532 and 532-2.

In this way, the AES encryption key is asymmetrically encrypted and stored with the public and private keys of the owner of each NFT (530a, 503b), and the file address is also asymmetrically encrypted and stored with each public and private key. Therefore, the owners of each NFT (530a, 503b) can manage access independently without interfering with each other, and it is impossible to modify or delete the original file.

Meanwhile, FIG. 6 is a file upload method related to FIG. 4 (one owner of an uploaded file), and FIG. 7 shows an example of a file upload method related to FIG. 5 (several owners of an uploaded file).

First, referring to FIG. 6, when file and meta information 610, for example, owner information is uploaded (601), a blockchain-based application 620, that is, DApp is accessed, and an AES encryption key 621 is obtained. The encrypted file 622 is stored in the distributed storage 630, which is a distributed environment (602). At this time, the distributed storage 630 can be accessed through an access key 623, and an encrypted access key 624 is stored. In addition, RSA encryption is performed with the public key using the AES encryption key 621 to encrypt the AES encryption key (625).

The blockchain 640 stores information related to the issued NFT 641, for example, NFT issuance in the account of the file owner, file information record, and encryption information record in the meta of the generated NFT.

On the other hand, in FIG. 7, it is the same to issue each NFT (741, 742) and record the hash value of the file encrypted through the private key and public key in a distributed environment such as IFPS, but if there are several owners There is a difference in that only one original file is recorded and the encryption key for this file can be decrypted only through each public key and private key. When a file is uploaded (701), the basic information of the file is recorded in the meta and the DB of the system, and the owner information is attributed to the account of the block chain (740). However, in the case of NFTs (741, 742) in which ownership of files is transferred, ownership may be changed as an NFT transaction between blockchain accounts.

Specifically, when file and meta information (710), for example, owner information is uploaded (701), a blockchain-based application (720), i.e., a DApp is accessed, and a file encrypted using an AES encryption key (721) (722) is stored in a distributed storage (730), which is a distributed environment (702). At this time, the distributed storage 730 can be accessed through an access key 723, and each encrypted access key 724, 726 for accessing each NFT (741, 742) is stored. In addition, RSA encryption is performed with the public key using the AES encryption key 721 to generate encrypted AES encryption keys 725 and 727, respectively.

In FIG. 7, only the first NFT 741 can be accessed through the first encrypted access key 724 and only the second NFT 742 can be accessed through the second encrypted access key 726. there is.

8 is a conceptual diagram for explaining a file access and owner permission method according to an embodiment of the present disclosure.

As shown in FIG. 8, in order for the requester 810, for example, a third party to access the file, first, a service 821 that stores a wallet or keystore linked to the blockchain account of the file owner An access request 801 is transmitted through an App or Web manager 820 capable of accessing to request permission from the user in real time.

The service 821 forwards the access request 805 to the owner 850 through the NFT app 840 and receives permission 806 from the owner 850 . At this time, the contents of access and permission are recorded in the smart contract of the blockchain.

Service 821 responds to authorization 806 and forwards decrypted URI 802 to distributed environment IPFS 830 . The IPFS 830 provides the stored hash value 803, stores the file in the decrypted memory (822), and provides an access URI to the requester 810 (823).

That is, the decrypted file is temporarily stored in the memory cache of the server, and an access address thereof is transmitted to the requester 810, allowing access to the file. Meanwhile, files and access URIs provided in the server's memory cache are discarded after a certain period of time.

9 is a schematic diagram illustrating a configuration in which an information processing system is communicatively connected with a plurality of user terminals according to an embodiment of the present disclosure.

9 is a schematic diagram illustrating a configuration in which an information processing system 930 according to an embodiment of the present disclosure is communicatively connected to a plurality of user terminals 910_1, 910_2, and 910_3. As shown, the plurality of user terminals 910_1, 910_2, and 910_3 encrypt files through the network 920, issue NFTs, generate access keys in a distributed environment, and receive URIs for file access requests. It can be connected to the information processing system 930 that can be. Here, the plurality of user terminals 910_1, 910_2, and 910_3 provide user identification information identified by a private key (eg, password, UID, verifiable credential, VC), and/or user biometrics. information, etc.) to be provided with a file access URI based on permission for a file access request, and/or access rights may include an operator's terminal. In one embodiment, the information processing system 930 is one or more server devices and/or databases capable of storing, providing, and executing computer-executable programs (eg, downloadable applications) and data related to IPFS-based file security. , or one or more distributed computing devices and/or distributed databases based on cloud computing services.

The result of the IPFS-based file upload, encryption, and access request provided by the information processing system 930 is an application related to IPFS-based file security installed in each of the plurality of user terminals 910_1, 910_2, and 910_3, mobile It may be provided to the user through a browser application, a web browser, or a web browser extension program.

A plurality of user terminals 910_1 , 910_2 , and 910_3 may communicate with the information processing system 930 through the network 920 .

The network 920 may be configured to enable communication between the plurality of user terminals 910_1, 910_2, and 910_3 and the information processing system 930. Depending on the installation environment, the network 920 may be, for example, a wired network such as Ethernet, a wired home network (Power Line Communication), a telephone line communication device and RS-serial communication, a mobile communication network, a wireless LAN (WLAN), It may consist of a wireless network such as Wi-Fi, Bluetooth, and ZigBee, or a combination thereof. The communication method is not limited, and the user terminals (910_1, 910_2, 910_3) as well as a communication method utilizing a communication network (eg, mobile communication network, wired Internet, wireless Internet, broadcasting network, satellite network, etc.) that the network 920 may include ), short-range wireless communication between them may also be included.

In FIG. 9, a mobile phone terminal 910_1, a tablet terminal 910_2, and a notebook terminal 910_3 are illustrated as examples of user terminals, but are not limited thereto, and the user terminals 910_1, 910_2, and 910_3 may perform wired and/or wireless communication. It may be any computing device capable of this and having an application, mobile browser application, web browser or web browser extension program installed and running thereon. For example, user terminals include AI speakers, smartphones, mobile phones, navigation devices, computers, laptop computers, digital broadcasting terminals, personal digital assistants (PDA), portable multimedia players (PMPs), tablet PCs, game consoles, It may include a wearable device, an internet of things (IoT) device, a virtual reality (VR) device, an augmented reality (AR) device, a set-top box, and the like. In addition, although FIG. 8 shows three user terminals 910_1, 910_2, and 910_3 communicating with the information processing system 930 through the network 920, it is not limited thereto, and a different number of user terminals may be connected to the network ( 920 may be configured to communicate with information processing system 930.

According to one embodiment, the information processing system 930 may receive one or more file access requests from a plurality of user terminals 910_1, 910_2, and 910_3. The information processing system 930 allocates separate addresses (URIs) to the plurality of user terminals 910_1, 910_2, and 910_3 based on the owner permission for the received request. The allocated address (URI) is disclosed to the service that requested access, and after a predetermined period of time, the file in the memory cache is automatically deleted and the address (URI) is also deleted.

10 is a block diagram illustrating exemplary internal configurations of an information processing system and a user terminal according to an embodiment of the present disclosure.

The user terminal 1010 may refer to any computing device capable of executing an IPFS-based file security-related application, a mobile browser application, a web browser or a web browser extension program, and capable of wired/wireless communication.

As shown, the user terminal 1010 may include a memory 1013, a processor 1014, a communication module 1015, and an input/output interface 1012. Similarly, the information processing system 1030 may include a memory 1032 , a processor 1033 , a communication module 1034 and an input/output interface 1031 . As shown in FIG. 4 , the user terminal 1010 and the information processing system 1030 may be configured to communicate information and/or data through the network 1020 using respective communication modules. In addition, the input/output device 1011 may be configured to input information and/or data to the user terminal 1010 through the input/output interface 1012 or output information and/or data generated from the user terminal 1010.

The memories 1013 and 1032 may include any computer readable recording medium that is non-transitory. According to one embodiment, the memories 1013 and 1032 are non-perishable mass storage devices such as random access memory (RAM), read only memory (ROM), disk drive, solid state drive (SSD), flash memory, and the like. (permanent mass storage device) may be included. As another example, a non-perishable mass storage device such as ROM, SSD, flash memory, disk drive, etc. may be included in the user terminal 1010 or the information processing system 1030 as a separate permanent storage device distinct from memory. In addition, the memories 1013 and 1032 may store an operating system and at least one program code (eg, a code for an IPFS-based file security-related application that is installed and driven in the user terminal 1010).

These software components may be loaded from a computer-readable recording medium separate from the memories 1013 and 1032 . A recording medium readable by such a separate computer may include a recording medium directly connectable to the user terminal 1010 and the information processing system 1030, for example, a floppy drive, a disk, a tape, a DVD/CD- It may include a computer-readable recording medium such as a ROM drive and a memory card. As another example, software components may be loaded into the memories 1013 and 1032 through a communication module rather than a computer-readable recording medium. For example, at least one program is loaded into the memories 1013 and 1032 based on a computer program installed by files provided by developers or a file distribution system that distributes application installation files through the network 1020. It can be.

Processors 1014 and 1033 may be configured to process commands of computer programs by performing basic arithmetic, logic, and input/output operations. Instructions may be provided to processors 1014 and 1033 by memories 1013 and 1032 or communication modules 1015 and 1034. For example, processors 1014 and 1033 may be configured to execute received instructions according to program codes stored in a recording device such as memory 1013 and 1032 .

The communication modules 1015 and 1034 may provide configurations or functions for the user terminal 1010 and the information processing system 1030 to communicate with each other through the network 1020, and the user terminal 1010 and/or information processing The system 1030 may provide configurations or functions for communicating with other user terminals or other systems (eg, a separate cloud system). For example, a request or data generated by the processor 1014 of the user terminal 1010 according to a program code stored in a recording device such as a memory 1013 (eg, file access file request, data related to AES and RSA encryption) , data related to the distributed environment access key, NFT file creation path, various record data, data related to the access URI, etc.) are transmitted to the information processing system 1030 through the network 1020 under the control of the communication module 1015. can

Conversely, a control signal or command provided under the control of the processor 1033 of the information processing system 1030 passes through the communication module 1034 and the network 1020 and through the communication module 1015 of the user terminal 1010. It may be received by the user terminal 1010 . For example, the user terminal 1010 may receive URI information for accessing a requested file from the information processing system 1030 through the communication module 1015 .

The input/output interface 1012 may be a means for interface with the input/output device 1011 . As an example, the input device may include a device such as a camera, keyboard, microphone, mouse, etc. including an audio sensor and/or image sensor, and the output device may include a device such as a display, speaker, haptic feedback device, or the like. can As another example, the input/output interface 1012 may be a means for interface with a device in which a configuration or function for performing input and output is integrated into one, such as a touch screen. For example, when the processor 1014 of the user terminal 1010 processes a command of a computer program loaded into the memory 1013, information and/or data provided by the information processing system 1030 or other user terminals are used. A service screen or the like configured as described above may be displayed on the display through the input/output interface 1012 . In FIG. 10 , the input/output device 1011 is shown not to be included in the user terminal 1010, but is not limited thereto, and the user terminal 1010 and the user terminal 1010 may be configured as one device. In addition, the input/output interface 1031 of the information processing system 1030 is connected to the information processing system 1030 or means for interface with a device (not shown) for input or output that the information processing system 1030 may include. can be In FIG. 10, the input/output interfaces 1012 and 1031 are shown as elements configured separately from the processors 1014 and 1033, but are not limited thereto, and the input/output interfaces 1012 and 1031 may be included in the processors 1014 and 1033. there is.

The user terminal 1010 and the information processing system 1030 may include more components than those shown in FIG. 10 . However, there is no need to clearly show most of the prior art components. According to one embodiment, the user terminal 1010 may be implemented to include at least some of the aforementioned input/output devices 1011 . In addition, the user terminal 1010 may further include other components such as a transceiver, a global positioning system (GPS) module, a camera, various sensors, and a database. For example, when the user terminal 1010 is a smartphone, it may include components that are generally included in a smartphone, for example, an acceleration sensor, a gyro sensor, a camera module, various physical buttons, and a touch screen. Various components such as a button using a panel, an input/output port, and a vibrator for vibration may be implemented to be further included in the user terminal 1010 . According to an embodiment, the processor 1014 of the user terminal 1010 may be configured to operate an application related to IPFS-based file security. At this time, codes associated with the application and/or program may be loaded into the memory 1013 of the user terminal 1010 .

While a program for IPFS-based file security-related applications is running, the processor 1014 connects the input/output interface 1012 with a touch screen, keyboard, audio sensor, and/or an input device such as a camera, microphone, and the like including an image sensor. It is possible to receive input or selected text, image, video, voice, and/or action, and store the received text, image, video, voice, and/or action in the memory 1013 or in the communication module 1015. And it can be provided to the information processing system 1030 through the network 1020.

The processor 1014 of the user terminal 1010 manages, processes, and/or stores information and/or data received from the input device 1011, other user terminals, the information processing system 1030, and/or a plurality of external systems. can be configured to Information and/or data processed by processor 1014 may be provided to information processing system 1030 via communication module 1015 and network 1020 . The processor 1014 of the user terminal 1010 may transmit and output information and/or data to the input/output device 1011 through the input/output interface 1012 . For example, the processor 1014 may display the received information and/or data on the screen of the user terminal.

The processor 1033 of the information processing system 1030 may be configured to manage, process, and/or store information and/or data received from a plurality of user terminals 1010 and/or a plurality of external systems. Information and/or data processed by the processor 1033 may be provided to the user terminal 1010 through the communication module 1034 and the network 1020 .

In one embodiment, the processor 1033 of the information processing system 1030, based on one or more file upload requests received from the user terminal 1010, stores the file in the memory cache of the temporary server and provides a 32-character AES encryption key and A 16-character IV (Initialization Vector) is created and the file is encrypted through it. Then, the public key is extracted through the address of the owner's blockchain account and the AES encryption key is asymmetrically encrypted. AES-encrypted files are stored in a distributed environment, and the access key to the distributed environment is asymmetrically encrypted with a public key. Thereafter, an NFT may be created, file information and encryption information may be recorded, generation information may be recorded in the system, and a file upload completion result may be transmitted to the user terminal 1010 .

In addition, the processor 1033 of the information processing system 1030 notifies access from the NFT owner through an App or Web based on one or more file access requests received from the user terminal 1010, The permitted file is decrypted through NFT and stored in a memory cache on the system, and a temporary address (URI) is assigned to the user terminal 1010. The allocated address (URI) is disclosed to the service that requested access, and after a predetermined period of time, the file in the memory cache is automatically deleted and the address (URI) is also deleted.

The processor 1033 of the information processing system 1030 is configured through an output device 1011 such as a display output capable device (eg, a touch screen, a display, etc.) or an audio output capable device (eg, speaker) of the user terminal 1010. It may be configured to output processed information and/or data.

11 is a flowchart illustrating a process of a file upload method according to the present disclosure, and FIG. 12 is a flowchart illustrating a process of a file access method according to the present disclosure.

First, referring to FIG. 11, an AES encryption key and an Initialization Vector (IV) are generated, and a file is encrypted based on the AES encryption key (1110). Next, a public key is extracted through the address of the user account, and RSA encryption is performed (1120). Subsequently, the AES-encrypted file is stored in a distributed environment, and an access key to the distributed environment is RSA encrypted (1130). Thereafter, an NFT file is created and file information and encryption information are recorded (1140). Then, by storing the NFT generation information (1150), file upload is terminated.

Referring to FIG. 12 , the file access processor according to the present disclosure starts by transmitting a file sharing permission request to the owner of the file ( 1210 ). When request acceptance is received from the owner, encryption information of the blockchain file is extracted (1220). Next, the encrypted distributed environment access key is decrypted and the encrypted file is extracted (1230). Subsequently, the file is decrypted by decrypting the encrypted AES key and transmitted to the server (1240). Next, after providing a temporary URI to the file sharing requester, the file is automatically destroyed after a certain period of time, and these file access details are recorded in the block chain (1250).

On the other hand, the present invention can be widely used in software and services that require file security, DRM (Digital Rights Management) digital content copyright protection, credentials through files, security and copyright of files on a network, and management of access history. Furthermore, the present invention can be widely used in the fields of personal file protection system, personal medical data management, personal register, contract and certification document management in addition to document security solutions and file security solutions.

As described above, according to the IPFS-based computing method and system for file security according to an embodiment of the present disclosure, it is recorded and managed in a block chain, making forgery and tampering impossible and encrypted in a distributed environment such as IPFS. Because it is stored, the risk of leakage or loss of files is eliminated. In addition, security is provided in a software manner by utilizing NFT technology without the need to add additional hardware, so security and management costs can be saved. It can be used as an enemy, so its usability is expanded. In addition, by configuring a distributed environment such as a separate blockchain and IPFS, only authorized nodes can participate, providing a stronger security system. It can be useful for managing access to files. Furthermore, the administrator can manage the ownership of the file only with the blockchain account without separate proof, avoiding the hassle of managing multiple accounts, and even if the hash key is disclosed, the file can be verified only through the private key of the NFT. Since this is possible, it has the advantage of maintaining security.

The above method may be provided as a computer program stored in a computer readable recording medium to be executed on a computer. The medium may continuously store programs executable by a computer or temporarily store them for execution or download. In addition, the medium may be various recording means or storage means in the form of a single or combined hardware, and is not limited to a medium directly connected to a certain computer system, and may be distributed on a network. Examples of the medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROM and DVD, magneto-optical media such as floptical disks, and ROM, RAM, flash memory, etc. configured to store program instructions. In addition, examples of other media include recording media or storage media managed by an app store that distributes applications, a site that supplies or distributes various other software, and a server.

The methods, acts or techniques of this disclosure may be implemented by various means. For example, these techniques may be implemented in hardware, firmware, software, or combinations thereof. Those skilled in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchange of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and design requirements imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementations should not be interpreted as causing a departure from the scope of the present disclosure.

In a hardware implementation, the processing units used to perform the techniques may include one or more ASICs, DSPs, digital signal processing devices (DSPDs), programmable logic devices (PLDs) ), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, and other electronic units designed to perform the functions described in this disclosure. , a computer, or a combination thereof.

Accordingly, the various illustrative logical blocks, modules, and circuits described in connection with this disclosure may be incorporated into a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or may be implemented or performed in any combination of those designed to perform the functions described in A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other configuration.

In firmware and/or software implementation, the techniques include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), PROM ( on a computer readable medium, such as programmable read-only memory (EPROM), erasable programmable read-only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, compact disc (CD), magnetic or optical data storage device, or the like. It can also be implemented as stored instructions. Instructions may be executable by one or more processors and may cause the processor(s) to perform certain aspects of the functionality described in this disclosure.

Although the embodiments described above have been described as utilizing aspects of the presently-disclosed subject matter in one or more stand-alone computer systems, the disclosure is not limited thereto and may be implemented in conjunction with any computing environment, such as a network or distributed computing environment. . Further, aspects of the subject matter in this disclosure may be implemented in a plurality of processing chips or devices, and storage may be similarly affected across multiple devices. These devices may include PCs, network servers, and portable devices.

Although the present disclosure has been described in relation to some embodiments in this specification, various modifications and changes may be made without departing from the scope of the present disclosure that can be understood by those skilled in the art. Moreover, such modifications and variations are intended to fall within the scope of the claims appended hereto.

Claims (10)

In the computing method for IPFS-based file security, performed by at least one processor,
Generating an AES encryption key and an initialization vector (IV) by a system for file security based on IPFS and performing file encryption based thereon;
Extracting a public key through an address of a file owner's blockchain account and RSA-encrypting the AES encryption key based on the extracted public key by an IPFS-based file security system;
storing an AES-encrypted file in a storage of a distributed environment and encrypting a distributed environment access key by an IPFS-based file security system;
Generating an NFT file accessible through the encrypted distributed environment access key by a system for file security based on IPFS; and
A method for IPFS-based file security comprising the step of recording creation information, file information, and encryption information for the NFT file in a smart contract of a blockchain by a system for IPFS-based file security. According to claim 1,
Encrypting the distributed environment access key,
RSA asymmetric encryption of the distributed environment access key with a public key extracted through the address of the file owner's blockchain account. According to claim 1,
After generating the NFT file, receiving a third party's file access request by an IPFS-based file security system; and
The method further comprising requesting, by the system for IPFS-based file security, permission from the file owner through a service provided by the file owner's blockchain account wallet or keystore for the received request. According to claim 3,
The method further comprising extracting an AES-encrypted file by decrypting the encrypted distributed environment access key, based on the file owner's response to the permission request, by a system for file security based on IPFS. According to claim 4,
After extracting the encrypted file,
The method further comprising decrypting the AES-encrypted file by decrypting the encrypted AES key, by the IPFS-based system for file security. According to claim 5,
After decryption of AES encrypted files,
generating an access URI through which the decrypted file can be accessed by an IPFS-based file security system; and
The method further comprising transmitting the access URI generated by the IPFS-based system for file security to a terminal of a third party that has transmitted the file access request. According to claim 6,
The method further comprising the step of discarding the transmitted access URI after a predetermined time has elapsed by a system for file security based on IPFS. According to claim 7,
The method further comprising deleting the decrypted file from a memory cache in which the decrypted file is stored after the elapse of the predetermined time by an IPFS-based file security system. According to claim 6,
The method further comprising the step of recording information on the file access request in a smart contract of a blockchain by an IPFS-based file security system. According to claim 1,
If there are multiple file owners,
Generating the NFT file as many as a plurality of file owners, and RSA encrypting each AES encryption key using each public key extracted through the blockchain account of each of the plurality of file owners.

Images