WO2019179625A1 - Distributed data storage network nodes and methods - Google Patents


Info

Publication number: WO2019179625A1
Authority: WIPO (PCT)
Application number: PCT/EP2018/057300
Other languages: French (fr)
Inventors: Serdar Sahin, Manoj Prasanna Kumar
Original assignee: Telefonaktiebolaget LM Ericsson (Publ)

Classifications

    • H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/1097: Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]


Abstract

A server node (100) and a user node (200) for a distributed data storage network (300) comprising a plurality of user nodes. The user node (200) is operative to: generate an encryption key using an encryption algorithm; encrypt a file using the encryption key; send the encrypted file to the server node for distributed storage; provide the encryption key and encryption algorithm to a trusted user node; and send an indication to the server node that said trusted user node is permitted access to the file. The server node is operative to: receive an encrypted file from a first user node (200A); divide the encrypted file into a plurality of file pieces; send the file pieces to different user nodes for storage; save storage information for the file identifying the different user nodes in which the file pieces are stored; and receive and store an indication from the first user node that a trusted user node is permitted access to the file.

Description

DISTRIBUTED DATA STORAGE NETWORK NODES AND METHODS
Technical Field
The invention relates to a server node for a distributed data storage network and to a user node for a distributed data storage network. The invention also relates to a method at a server node of a distributed data storage network and a method at a user node of a distributed data storage network.
Background
Distributed data storage networks, particularly those implementing online social networks, OSNs, can suffer from a lack of security of data stored by users and a lack of privacy of personal data stored by the networks about the users. Online social networks enable users to share personal information, data and files, such as photographs and movies, and to communicate with other users. Typically, all data supplied by users, whether directly or indirectly, is stored permanently by the social networking service, which is then capable of exploiting the data in ways that can violate users’ privacy. Social networking services, such as Facebook, Google+ and LinkedIn, earn income by selling user data and information about user activity on the online social network to third parties, particularly to enable third parties to display targeted advertising to users; the social networking services charge the third parties to display the adverts to users. The central storage of users’ data and files can also result in a potential lack of security of the data and files.
A more secure online social network has been reported in L. Cutillo and R. Molva, “Safebook: A Privacy-Preserving Online Social Network Leveraging on Real-Life Trust”, IEEE Communications Magazine, December 2009, pages 94-101. The user nodes in Safebook form two types of overlays: a set of matryoshkas, concentric structures around each user node in the network layer providing data storage and communication privacy; and a peer-to-peer substrate to provide a location service to find entry points to a user’s matryoshka. The Safebook OSN suffers from various disadvantages, including only allowing users to join the OSN at the invitation of an existing user, and paths across a matryoshka being required to be formed of hops connecting pairs of user nodes belonging to users linked by a trust relationship in real life.
Summary
It is an object to provide an improved server node for a distributed data storage network. It is a further object to provide an improved user node for a distributed data storage network. It is a further object to provide an improved method at a server node for a distributed data storage network. It is a further object to provide an improved method at a user node for a distributed data storage network. An aspect of the invention provides a server node for a distributed data storage network comprising a plurality of user nodes. The server node comprises a processor and memory comprising instructions executable by the processor whereby the server node is operative to: receive an encrypted file from a first user node; divide the encrypted file into a plurality of file pieces; send the file pieces to different user nodes for storage in said different user nodes; save storage information for the file pieces to the memory, the storage information identifying the different user nodes in which the file pieces are respectively stored; and receive an indication from the first user node that a trusted user node is permitted access to the file, and store said indication to the memory.
Advantageously, the server node is operative to receive an encrypted file and only information identifying the different user nodes where the file pieces are stored is saved on the server node; the received encrypted file is not stored on the server node. The received file is therefore not useable by the server node, and only trusted user nodes, i.e. entities explicitly authorised by a user of the first user node, can open and read the file. The server node may therefore enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node. The server node may therefore mitigate risk of user data being used for user profiling and marketing purposes. Further advantageously, the different user nodes to which the file pieces are sent to be stored are not required to have a trust relationship with the first user node.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to: receive a plurality of encrypted files from the first user node; divide each encrypted file into a plurality of file pieces; send the file pieces to different user nodes for storage in said different user nodes; save storage information for the file pieces to the memory, the storage information identifying the different user nodes in which the file pieces are respectively stored; and receive an indication from the first user node that a trusted user node is permitted access to all encrypted files received by the server node from the first user node, and store said indication to the memory.
Advantageously, the server node is operative to receive encrypted files and only information identifying the different user nodes where the file pieces are stored is saved on the server node; the received encrypted files are not stored on the server node. The received files are therefore not useable by the server node, and only trusted user nodes, i.e. entities explicitly authorised by a user of the first user node, can open and read the file. The server node may enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node, while enabling access to a user’s files by trusted entities. The server node may therefore mitigate risk of data being used for user profiling and marketing purposes. In an embodiment, the indication from the first user node that a trusted user node is permitted access to the file comprises an indication of a time period for which the trusted user node is permitted access. Time limited access to the encrypted file may therefore be provided to the trusted user node by the server node.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to send a confirmation message to the first user node comprising an indication that a received encrypted file has been stored.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to divide the encrypted file into a plurality of file pieces of random sizes. Advantageously, both the size and the number of pieces therefore vary, so a hacker is unable to predict what size of file pieces, or how many pieces, to look for.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to generate random numbers. The server node is operative to divide the encrypted file into a plurality of file pieces of random sizes depending on the generated random numbers.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to send each file piece to a plurality of different user nodes for storage in said different user nodes. This advantageously provides data redundancy of the file pieces against a file piece being deleted from a said different user node or a said different user node being offline at a time when the trusted user node requests a file piece.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is additionally operative to calculate parity data for the encrypted file and to send the parity data to at least one other user node for storage. This advantageously enables statistical replication of the file pieces, so fewer copies of file pieces are required to be stored.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to calculate parity data for the encrypted file using a RAID6 Reed-Solomon algorithm.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to select said different user nodes such that at least one of the following conditions is met: said plurality of different user nodes to which a said file piece is sent are not all located in a same geographical region; and said different user nodes are within a same communications network. Storage of a plurality of copies of a file piece in different user nodes in different geographical regions, such as different regions within a country, different countries or different continents, may advantageously provide protection against loss of data or loss of access to data. Storage of file pieces in different user nodes within a same communications network may provide improved data security. In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to provide an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on said different user nodes.
In an embodiment, the access token is a time limited access token.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to: store details of an access token given to a trusted user node in an authorisation index in the memory; receive a verification request for an access token from a said different user node; search the authorisation index for the access token; and send a verification message to said different user node in response to finding the access token in the authorisation index.
In an embodiment, the access token conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative as an OAUTH 2.0 authorisation server according to the OAUTH 2.0 Authorisation Framework set out in IETF RFC 6749.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to provide a hash algorithm to the trusted user node. This advantageously enables a trusted user node to check the integrity of the file pieces retrieved from the different user nodes.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to: store a unique identifier and user profile information for the first user node in a user index in the memory; search the user index for the unique identifier of the first user node in response to a search request received from another user node; and provide at least some of the user profile information to said other user node in response to finding the unique identifier of the first user node.
In an embodiment, the unique identifier is one of a name and a telephone number of a user of the first user node.
In an embodiment, the distributed data storage network is an application service level network for an online social network. The server node may therefore enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data and online social interactions completely private, secure and away from an owner or operator of the online social network. The server node may therefore mitigate risk of data being used for user profiling and marketing purposes by a social networking service.
In an embodiment, a user of the first user node within the online social network has a real-life trust relationship with a user of the trusted user node within the online social network.
Corresponding embodiments apply equally to the user node and the distributed data storage network described below. An aspect of the invention provides a user node for a distributed data storage network comprising a plurality of user nodes and a server node. The user node comprises a processor and memory comprising instructions executable by the processor whereby the user node is operative to: generate an encryption key using an encryption algorithm; encrypt a file using the encryption key; send the encrypted file to the server node for distributed storage; provide the encryption key and an indication of the encryption algorithm to a trusted user node; and send an indication to the server node that said trusted user node is permitted access to the file.
Advantageously, the user node may enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node. The user node may therefore mitigate risk of user data being used for user profiling and marketing purposes. Further advantageously, the user node does not require the server node to look for any trust relationships to undertake the distributed storage of the file.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: generate an encryption key using an encryption algorithm; encrypt a plurality of files using the encryption key; send the encrypted files to the server node for distributed storage; provide the encryption key and an indication of the encryption algorithm to a trusted user node; and send an indication to the server node that said trusted user node is permitted access to all encrypted files sent to the server node by the first user node.
Advantageously, the user node may enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node, while enabling access to a user’s files by trusted entities. The user node may therefore mitigate risk of data being used for user profiling and marketing purposes.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: send a search request to the server node comprising a unique identifier of another user node; receive user profile information of the other user node from the server node in response to the search request; and generate and transmit a request to a user of the other user node for access to an encrypted file. Advantageously, the user node is able to find trusted users within the distributed data storage network and request access to a file.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: generate and transmit a request to a user of the other user node for access to all of said user’s encrypted files sent to the server node for distributed storage. Advantageously, the user node is able to find trusted users within the distributed data storage network and request access to all of their files. In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: receive from another user node an encryption key and an indication of an encryption algorithm used to generate the encryption key; receive from the server node storage information for file pieces of an encrypted file received from the other user node by the server node, the storage information identifying different user nodes in which the file pieces are respectively stored; obtain the file pieces from said different user nodes; combine the file pieces to form the encrypted file; and decrypt the encrypted file using the encryption key. The user node may therefore enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: receive from the server node an access token for secure delegated access to the file pieces on said different user nodes; and obtain the file pieces from said different user nodes by sending requests for the file pieces to said different user nodes, the requests including the access token. Advantageously, use of an access token means that the user node is not required to have a trust relationship with said different user nodes storing the file pieces.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to receive and store a file piece of an encrypted file of another user node. Advantageously, since the user node receives only a file piece of an encrypted file, the user node is not required to have a trust relationship with the other user node.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: receive a request for the file piece from another user node; send a request to the server node for verification that the other user node is permitted access to the file piece; and send the file piece to the other user node if the server node provides said verification. Advantageously, while the other user node must have a trust relationship with the user node from which the file piece was received, the user node storing the file piece is not required to have a trust relationship with either user node.
In an embodiment, the request for the file piece comprises an access token for delegated access to the file piece. The request sent to the server is a request to verify the access token, and the user node is operative to send the file piece to the other user node if verification of the access token is received from the server node.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: generate a new encryption key using an encryption algorithm; obtain the file pieces from said different user nodes; combine the file pieces to form the encrypted file; decrypt the encrypted file using the earlier encryption key; re-encrypt the file using the new encryption key; send the re-encrypted file to the server node for distributed storage; and provide the new encryption key and an indication of the encryption algorithm to the trusted user node.
Advantageously, the user node is able to remove the encrypted file from the distributed data storage network, modify the file if desired, and then re-encrypt and store the file.
In an embodiment, the memory comprises instructions executable by the processor whereby the user node is operative to: obtain the file pieces of a plurality of encrypted files from said different user nodes; combine the file pieces to form the respective encrypted files; decrypt the encrypted files using the earlier encryption key; re-encrypt the files using the new encryption key; send the re-encrypted files to the server node for distributed storage; and provide the new encryption key and an indication of the encryption algorithm to the trusted user node.
Advantageously, the user node is able to remove encrypted files from the distributed data storage network, modify some or all of the files if desired, and then re-encrypt and store the files. A user may thereby remove undesirable data from the distributed data storage network, a functionality that is extremely difficult to achieve within known online social networks.
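The owner-side key handling described in the embodiments above (generate a key, encrypt, hand the key and an indication of the algorithm directly to a trusted node, and later retrieve, decrypt, re-encrypt under a fresh key and re-share so that a stale key no longer opens the file), as an added Python example that is not the patent's code. The patent names no cipher; to stay within the standard library the example uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for the AEAD (such as AES-GCM) a deployment would use, and the server stub, node classes and algorithm identifier are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# The "indication of the encryption algorithm" the owner hands to trusted nodes.
# Constructed identifier for the stand-in construction implemented below.
ALGORITHM_ID = "hmac-sha256-ctr+hmac-sha256/v1"


def _subkeys(key):
    # Separate keys for the keystream and for the tag, derived from the shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag, with a fresh random nonce each call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first (constant-time compare), then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServerStub:
    """Stands in for the server node plus the piece holders: it stores ciphertext
    and the owner's permission indications, and never receives a key."""

    def __init__(self):
        self.files, self.permitted = {}, {}

    def store(self, file_id, ciphertext):
        self.files[file_id] = ciphertext

    def fetch(self, file_id):
        return self.files[file_id]

    def permit(self, file_id, trusted_id):
        self.permitted.setdefault(file_id, set()).add(trusted_id)


class TrustedNode:
    def __init__(self, node_id, server):
        self.node_id, self.server, self.keys = node_id, server, {}

    def receive_key(self, file_id, key, algorithm):
        # Key material arrives from the owner directly, never via the server.
        if algorithm != ALGORITHM_ID:
            raise ValueError(f"unsupported algorithm {algorithm}")
        self.keys[file_id] = key

    def read(self, file_id):
        return decrypt(self.keys[file_id], self.server.fetch(file_id))


class OwnerNode:
    def __init__(self, server):
        self.server, self.keys = server, {}

    def upload(self, file_id, plaintext):
        key = secrets.token_bytes(32)  # generate the encryption key
        self.keys[file_id] = key
        self.server.store(file_id, encrypt(key, plaintext))

    def share(self, file_id, trusted):
        trusted.receive_key(file_id, self.keys[file_id], ALGORITHM_ID)
        self.server.permit(file_id, trusted.node_id)  # indication to the server

    def rekey(self, file_id, still_trusted, new_plaintext=None):
        """Retrieve, decrypt with the old key, optionally modify, re-encrypt under
        a new key, store again, and hand the new key only to `still_trusted`."""
        plaintext = decrypt(self.keys[file_id], self.server.fetch(file_id))
        if new_plaintext is not None:
            plaintext = new_plaintext
        new_key = secrets.token_bytes(32)
        self.keys[file_id] = new_key
        self.server.store(file_id, encrypt(new_key, plaintext))
        for node in still_trusted:
            node.receive_key(file_id, new_key, ALGORITHM_ID)
```

A node left out of `still_trusted` keeps only the old key, which fails the tag check on the re-encrypted file, so re-keying doubles as revocation.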
An aspect of the invention provides a distributed data storage network comprising a server node as described above and a plurality of user nodes as described above.
In an embodiment, the distributed data storage network is an application service level network for an online social network. The distributed data storage network may advantageously enable a completely distributed peer-to-peer application service level network using network users’ own devices, i.e. user nodes, for storage, making their data and online social interactions completely private, secure and away from an owner or operator of the online social network. The server node may therefore mitigate risk of data being used for user profiling and marketing purposes by a social networking service.
An aspect of the invention provides a method at a server node of a distributed data storage network comprising a plurality of user nodes. The method comprises steps of receiving an encrypted file from a first user node, dividing the encrypted file into a plurality of file pieces and sending the file pieces to different user nodes for storage in said different user nodes. The method also comprises saving storage information for the file pieces. The storage information identifies the different user nodes in which the file pieces are respectively stored. The method further comprises receiving an indication from the first user node that a trusted user node is permitted access to the file and storing the indication received from the first user node that a trusted user node is permitted access to the file.
Advantageously, in the method the server node is operative to receive an encrypted file and only information identifying the different user nodes where the file pieces are stored is saved on the server node; the method does not store the received encrypted file on the server node. The received file is therefore not visible to the server node, and only trusted user nodes, i.e. entities explicitly authorised by a user of the first user node, can access the file. The method may therefore enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node. The method may therefore mitigate risk of user data being used for user profiling and marketing purposes.
In an embodiment, the method comprises steps of receiving a plurality of encrypted files from a first user node, dividing each encrypted file into a plurality of file pieces and sending the file pieces to different user nodes for storage in said different user nodes. The method also comprises saving storage information for the file pieces. The storage information identifies the different user nodes in which the file pieces are respectively stored. The method further comprises receiving an indication from the first user node that a trusted user node is permitted to access all encrypted files received by the server node from the first user node and storing the indication.
Advantageously, in the method the server node is operative to receive encrypted files and only information identifying the different user nodes where the file pieces are stored is saved on the server node; the method does not store the received encrypted files on the server node. The received files are therefore not visible to the server node, and only trusted user nodes, i.e. entities explicitly authorised by a user of the first user node, can access the files. The method may therefore enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node. The method may therefore mitigate risk of user data being used for user profiling and marketing purposes.
In an embodiment, the indication from the first user node that a trusted user node is permitted access to the file comprises an indication of a time period for which the trusted user node is permitted access. Time limited access to the encrypted file may therefore be provided to the trusted user node by the server node.
In an embodiment, the method comprises sending a confirmation message to the first user node comprising an indication that a received encrypted file has been stored.
In an embodiment, the method comprises dividing the encrypted file into a plurality of file pieces of random sizes. Advantageously, both the size and the number of pieces therefore vary, so a hacker is unable to predict what size of file pieces, or how many pieces, to look for.
In an embodiment, the method comprises generating random numbers and dividing the encrypted file into a plurality of file pieces of random sizes depending on the generated random numbers.
In an embodiment, the method comprises sending each file piece to a plurality of different user nodes for storage in said different user nodes. This advantageously provides data redundancy of the file pieces against a file piece being deleted from a said different user node or a said different user node being offline at a time when the trusted user node requests a file piece.
In an embodiment, the method additionally comprises calculating parity data for the encrypted file and sending the parity data to at least one other user node for storage. This advantageously enables statistical replication of the file pieces, so fewer copies of file pieces are required to be stored.
In an embodiment, the method comprises calculating the parity data for the encrypted file using a RAID6 Reed-Solomon algorithm.
In an embodiment, the method additionally comprises the step of selecting said different user nodes such that at least one of the following conditions is met: said plurality of different user nodes to which a said file piece is sent are not all located in a same geographical region; and said different user nodes are within a same communications network. Storage of file pieces in different user nodes in different geographical regions, such as different regions within a country, different countries or different continents, may advantageously provide protection against loss of data or loss of access to data. Storage of file pieces in different user nodes within a same communications network may provide improved data security.
In an embodiment, the method additionally comprises the step of providing an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on said different user nodes.
In an embodiment, the access token is a time limited access token.
In an embodiment, the method additionally comprises steps of: storing details of an access token given to a trusted user node in an authorisation index; receiving a verification request for an access token from a said different user node; searching the authorisation index for the access token; and sending a verification message to said different user node in response to finding the access token in the authorisation index.
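The access-token path (the server issues a time-limited token to a trusted node, keeps its details in an authorisation index, and answers verification requests from the user node holding a piece, which needs no trust relationship with anyone) as described for the server node and the storing user node earlier and repeated for the method here, as an added Python sketch that is not the patent's code. The current time is passed in explicitly so the expiry logic is testable; the class names, the binding of a token to one file and one requester, and the sample piece are constructed assumptions.

```python
import secrets


class ServerNode:
    """Keeps the owner's permission indications and an authorisation index of
    issued tokens; it never sees file contents or encryption keys."""

    def __init__(self):
        self.permissions = {}  # (owner_id, file_id) -> {trusted_id: permitted_until or None}
        self.auth_index = {}   # token -> {"file_id", "trusted", "expires_at"}

    def record_permission(self, owner_id, file_id, trusted_id, now, period=None):
        """Indication from the owner that `trusted_id` may access the file,
        optionally only for `period` seconds from now."""
        until = None if period is None else now + period
        self.permissions.setdefault((owner_id, file_id), {})[trusted_id] = until

    def issue_token(self, owner_id, file_id, trusted_id, now, ttl):
        """Hand the trusted node a time-limited token for delegated access."""
        allowed = self.permissions.get((owner_id, file_id), {})
        if trusted_id not in allowed:
            raise PermissionError(f"{owner_id} has not permitted {trusted_id}")
        expires_at = now + ttl
        if allowed[trusted_id] is not None:  # never outlive the owner's time period
            expires_at = min(expires_at, allowed[trusted_id])
        if expires_at <= now:
            raise PermissionError("owner's permission period has ended")
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not guessable
        self.auth_index[token] = {"file_id": file_id, "trusted": trusted_id,
                                  "expires_at": expires_at}
        return token

    def verify(self, token, file_id, requester_id, now):
        """Verification request from a node holding a piece: is this token in the
        index, still valid, and bound to this file and this requester?"""
        rec = self.auth_index.get(token)
        if rec is None:
            return False
        if now >= rec["expires_at"]:
            del self.auth_index[token]  # expired tokens are purged, not kept around
            return False
        return rec["file_id"] == file_id and rec["trusted"] == requester_id

    def revoke(self, owner_id, file_id, trusted_id):
        """Owner withdraws permission: drop the indication and any live tokens."""
        self.permissions.get((owner_id, file_id), {}).pop(trusted_id, None)
        stale = [t for t, r in self.auth_index.items()
                 if r["file_id"] == file_id and r["trusted"] == trusted_id]
        for token in stale:
            del self.auth_index[token]


class StorageNode:
    """A user node holding pieces of other users' encrypted files. It decides
    nothing itself: it forwards the token to the server for verification."""

    def __init__(self, server):
        self.server = server
        self.pieces = {}  # piece_key "file_id/index" -> bytes

    def serve_piece(self, piece_key, requester_id, token, now):
        file_id = piece_key.split("/", 1)[0]
        if not self.server.verify(token, file_id, requester_id, now):
            return None  # refuse without revealing whether the piece exists
        return self.pieces.get(piece_key)
```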
In an embodiment, the access token conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749.
In an embodiment, the method comprises providing a hash algorithm to the trusted user node. This advantageously enables a trusted user node to check the integrity of the file pieces retrieved from the different user nodes.
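The splitting, placement and integrity-check steps described for the server node earlier and repeated for the method here (random-size pieces, each piece replicated to different user nodes in more than one region, only storage information kept on the server, and a hash algorithm for the trusted node to check retrieved pieces), as an added Python simulation that is not part of the patent. The node classes, the 64 to 256 byte piece-size range, the two-replica multi-region placement rule and the sample ciphertext are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a file the owner's user node has already encrypted:
# the server node only ever handles ciphertext and never stores it.
ENCRYPTED_FILE = bytes(range(256)) * 4


@dataclass
class UserNode:
    node_id: str
    region: str
    online: bool = True
    pieces: dict = field(default_factory=dict)  # piece_key -> piece bytes

    def store_piece(self, piece_key, data):
        self.pieces[piece_key] = data

    def get_piece(self, piece_key):
        if not self.online:
            raise ConnectionError(f"{self.node_id} is offline")
        return self.pieces[piece_key]


def random_piece_sizes(total, min_size, max_size):
    """Cut `total` bytes into pieces whose sizes, and hence count, come from a
    CSPRNG, so neither the size nor the number of pieces is predictable."""
    sizes, remaining = [], total
    while remaining > 0:
        size = min(remaining, min_size + secrets.randbelow(max_size - min_size + 1))
        sizes.append(size)
        remaining -= size
    return sizes


class ServerNode:
    HASH = "sha256"  # hash algorithm handed to trusted nodes for integrity checks

    def __init__(self, nodes, replicas=2):
        self.nodes = {n.node_id: n for n in nodes}
        self.replicas = replicas
        self.storage_info = {}  # file_id -> piece records; never the file bytes

    def _pick_holders(self, owner_id):
        """Choose `replicas` distinct nodes other than the owner such that the
        copies of a piece are not all in the same geographical region."""
        candidates = [n for n in self.nodes.values() if n.node_id != owner_id]
        for _ in range(100):
            pool, chosen = list(candidates), []
            while len(chosen) < self.replicas:
                chosen.append(pool.pop(secrets.randbelow(len(pool))))
            if len({n.region for n in chosen}) > 1:
                return chosen
        raise RuntimeError("cannot place replicas across more than one region")

    def store_file(self, owner_id, file_id, ciphertext):
        records, offset = [], 0
        for index, size in enumerate(random_piece_sizes(len(ciphertext), 64, 256)):
            piece = ciphertext[offset:offset + size]
            offset += size
            piece_key = f"{file_id}/{index}"
            holders = self._pick_holders(owner_id)
            for node in holders:
                node.store_piece(piece_key, piece)
            records.append({"piece_key": piece_key,
                            "digest": hashlib.new(self.HASH, piece).hexdigest(),
                            "holders": [n.node_id for n in holders]})
        self.storage_info[file_id] = records  # only where the pieces live
        return {"file_id": file_id, "stored": True, "pieces": len(records)}


def retrieve_file(server, nodes, file_id):
    """Trusted user node: fetch each piece from any holder that is online,
    check it against the digest in the storage information, and reassemble."""
    parts = []
    for rec in server.storage_info[file_id]:
        intact = None
        for holder_id in rec["holders"]:
            try:
                candidate = nodes[holder_id].get_piece(rec["piece_key"])
            except ConnectionError:
                continue  # redundancy: try the next holder
            if hashlib.new(server.HASH, candidate).hexdigest() == rec["digest"]:
                intact = candidate
                break
        if intact is None:
            raise ValueError(f"no intact copy of {rec['piece_key']} available")
        parts.append(intact)
    return b"".join(parts)


def build_network():
    """Constructed sample network: 'alice' owns the file, the others hold pieces."""
    nodes = [UserNode("alice", "eu"), UserNode("bob", "eu"),
             UserNode("carol", "us"), UserNode("dave", "asia")]
    return ServerNode(nodes, replicas=2), {n.node_id: n for n in nodes}
```

The return value of `store_file` plays the role of the confirmation message, and the per-piece digest is what lets the trusted node discard a corrupted replica and fall back to another holder.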
In an embodiment, the method additionally comprises steps of: storing a unique identifier and user profile information for the first user node; receiving a search request from another user node for the unique identifier of the first user node; searching for the unique identifier of the first user node; and providing at least some of the user profile information to said other user node in response to finding the unique identifier of the first user node. This advantageously enables a user of a user node to determine whether another user that they know has a user node within the distributed data network. In an embodiment, the unique identifier is one of a name and a telephone number of a user of the first user node.
In an embodiment, the distributed data storage network is an application service level network for an online social network. The method may therefore enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data and online social interactions completely private, secure and away from an owner or operator of the online social network. The method may therefore mitigate risk of data being used for user profiling and marketing purposes by a social networking service.
Corresponding embodiments equally apply to the method at a user node, described below.
An aspect of the invention provides a method at a user node of a distributed data storage network comprising a plurality of user nodes and a server node. The method comprises steps of generating an encryption key using an encryption algorithm. The method further comprises encrypting a file using the encryption key and sending the encrypted file to the server node for distributed storage. The method additionally comprises providing the encryption key and an indication of the encryption algorithm to a trusted user node, and sending an indication to the server node that said trusted user node is permitted access to the file.
Advantageously, the method may enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node. The method may therefore mitigate risk of user data being used for user profiling and marketing purposes.
In an embodiment, the method comprises encrypting a plurality of files using the encryption key and sending the encrypted files to the server node for distributed storage. The method comprises sending an indication to the server node that said trusted user node is permitted access to all encrypted files sent to the server node by the first user node.
Advantageously, the method may enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node, while enabling access to a user’s files by trusted entities. The method may therefore mitigate risk of data being used for user profiling and marketing purposes.
In an embodiment, the method additionally comprises steps of sending a search request to the server node comprising a unique identifier of another user node and receiving user profile information of the other user node from the server node in response to the search request. The method further comprises generating and transmitting a request to a user of the other user node for access to an encrypted file. In an embodiment, the method additionally comprises steps of generating and transmitting a request to a user of the other user node for access to all of said user’s encrypted files sent to the server node for distributed storage.
In an embodiment, the method additionally comprises steps of: receiving from another user node an encryption key and an indication of an encryption algorithm used to generate the encryption key; receiving from the server node storage information for file pieces of an encrypted file received from the other user node by the server node, the storage information identifying different user nodes in which the file pieces are respectively stored; obtaining the file pieces from the different user nodes; combining the file pieces to form the encrypted file; and decrypting the encrypted file using the encryption key. The method may therefore enable a completely distributed peer-to-peer file storage network using network users’ own devices, i.e. user nodes, for storage, making their data completely private, secure and away from an owner or operator of the server node.
In an embodiment, the step of obtaining the file pieces comprises receiving from the server node an access token for secure delegated access to the file pieces on said different user nodes, and obtaining the file pieces from said different user nodes by sending requests for the file pieces to said different user nodes, the requests including the access token. Advantageously, use of an access token means that the user node is not required to have a trust relationship with said different user nodes storing the file pieces.
In an embodiment, the method additionally comprises receiving from the server node a file piece of an encrypted file of another user node and storing said file piece. Advantageously, since the user node receives only a file piece of an encrypted file, the method does not require the user node to have a trust relationship with the other user node.
In an embodiment, the method comprises steps of: receiving a request for the file piece from another user node; sending a request to the server node for verification that the other user node is permitted access to the file piece; and sending the file piece to the other user node if the server node provides said verification. Advantageously, while the other user node must have a trust relationship with the user node from which the file piece was received, the method does not require the user node storing the file piece to have a trust relationship with either user node.
In an embodiment, the request for the file piece comprises an access token for delegated access to the file piece. The request sent to the server is a request to verify the access token and the method comprises sending the file piece to the other user node if verification of the access token is received from the server node.
An aspect of the invention provides a data carrier having computer readable instructions embodied therein. The said computer readable instructions are for providing access to resources available on a processor. The computer readable instructions comprise instructions to cause the processor to perform any of the above steps of the method at a server node of a distributed data storage network. In an embodiment, the data carrier is a non-transitory data carrier.
An aspect of the invention provides a data carrier having computer readable instructions embodied therein. The said computer readable instructions are for providing access to resources available on a processor. The computer readable instructions comprise instructions to cause the processor to perform any of the above steps of the method at a user node of a distributed data storage network. In an embodiment, the data carrier is a non-transitory data carrier.
References to processors, hardware, processing hardware or circuitry can encompass any kind of logic or analog circuitry, integrated to any degree, and not limited to general purpose processors, digital signal processors, ASICs, FPGAs, discrete components or logic and so on. References to a processor are intended to encompass implementations using multiple processors which may be integrated together, or co-located in the same node or distributed at different locations for example.
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings.
Brief Description of the drawings
Figure 1 is a schematic representation of a server node for a distributed data storage network comprising a plurality of user nodes, according to an embodiment of the invention;
Figure 2 is a schematic representation of a user node for a distributed data storage network comprising a plurality of user nodes and a server node, according to an embodiment of the invention;
Figure 3 is a schematic representation of a distributed data storage network comprising a plurality of user nodes as shown in Figure 2 and a server node as shown in Figure 1;
Figure 4 is a signalling diagram illustrating file encryption, distribution, and access authorisation within the distributed data storage network of Figure 3;
Figures 5 to 10 illustrate steps of a method at a server node of a distributed data storage network comprising a plurality of user nodes, according to embodiments of the invention; and
Figures 11 to 14 illustrate steps of a method at a user node of a distributed data storage network comprising a plurality of user nodes and a server node, according to embodiments of the invention.
Detailed description
The same reference numbers will be used for corresponding features in different embodiments.
Referring to Figures 1 and 3, an embodiment of the invention provides a server node 100 for a distributed data storage network 300 comprising a plurality of user nodes 200. The server node comprises a processor 110 and memory 120 comprising instructions executable by the processor whereby the server node 100 is operative to receive an encrypted file from a first user node, for example user node 200A, and to divide the encrypted file into a plurality of file pieces. The memory also comprises instructions executable by the processor whereby the server node is operative to send the file pieces to different user nodes, for example user nodes 200C and 200D, for storage in said different user nodes, and to save storage information for the file pieces to the memory. The storage information identifies the different user nodes in which the file pieces are respectively stored. The memory also comprises instructions executable by the processor whereby the server node is operative to receive an indication from the first user node that a trusted user node, for example user node 200B, is permitted access to the file, and to store said indication to the memory.
While four user nodes 200A-D are shown in Figure 3 for reasons of clarity, it will be appreciated that the network 300 may be formed from a different number of user nodes, and would generally comprise a larger number of user nodes. It will also be appreciated that a first user node 200A may wish to enable access by multiple, different trusted user nodes to the encrypted file, and that a trusted user node within the network 300 may be permitted access to multiple files originating from multiple, different first user nodes within the network.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to receive a plurality of encrypted files from the first user node and divide each encrypted file into a plurality of file pieces. The plurality of files may be received together or may be received in groups of one or more files over an extended period of time, for example where a user of the user node wishes to store various files in the distributed data storage network on an as and when basis over several months or years. The memory comprises instructions executable by the processor whereby the server node is operative to receive an indication from the first user node that a trusted user node is permitted access to all encrypted files received by the server node from the first user node, and store said indication to the memory. A user of the trusted user node can therefore access all of the files that the user of the user node stores in the distributed data storage network over an extended period of time, using the same encryption key.
In an embodiment, the indication from the first user node that a trusted user node is permitted access comprises an indication of a time period for which the trusted user node is permitted access. A user of the first user node is therefore able to provide time limited access to a user of the trusted user node to the file or files that have been stored.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to send a confirmation message to the first user node indicating that a received encrypted file has been stored.
In an embodiment, the server node is operative to randomly divide each encrypted file received for storage. The memory comprises instructions executable by the processor whereby the server node is operative to divide the encrypted file into a plurality of file pieces of random sizes. This may be implemented by the memory comprising instructions executable by the processor whereby the server node is operative to generate random numbers and the server node being operative to divide the encrypted file into a plurality of file pieces of random sizes depending on the generated random numbers.
In an embodiment, the server node is operative to send the file pieces to different user nodes for storage in a manner which provides multiple redundancy for each file piece. This may be achieved through simple replication of the file pieces, by the memory comprising instructions executable by the processor whereby the server node is operative to send each file piece to a plurality of different user nodes for storage. A more efficient multiple redundancy may be provided using statistical replication of the file pieces, where the memory also comprises instructions executable by the processor whereby the server node is operative to calculate parity data for the encrypted file and to send the parity data to at least one other user node for storage. The parity data may, for example, be calculated using a RAID6 Reed-Solomon algorithm. Using statistical replication enables the same level of redundancy to be provided as for simple replication, but requires fewer copies of each file piece to be stored.
By providing multiple redundancy of file pieces, even if a user node in which a file piece is stored refuses to provide the file piece, or is offline at the time when the file piece is requested, there will be sufficient other copies of the file piece stored in different user nodes to ensure that all of the file pieces can be obtained.
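The following Go program is an added illustration of the random division, simple replication and redundant retrieval described above; it is not code from the patent or from the applicant. It stands in for the user nodes with in-memory piece stores, picks a round-robin placement policy (the text leaves placement open), and uses SHA-256 as the hash algorithm that the server later hands to the trusted user node for checking piece integrity, so the retrieving side can treat a corrupted copy exactly like an offline node and fall back to another holder. Node identifiers follow Figure 3; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Piece is one fragment of an encrypted file as cut by the server node.
type Piece struct {
	Data   []byte
	Digest [32]byte // SHA-256 stands in for the hash algorithm the server hands the trusted node
}

// StorageInfo is the storage information the server keeps and later sends to a trusted node.
type StorageInfo struct {
	Holders map[int][]string // piece index -> ids of user nodes holding a copy
	Digests [][32]byte       // piece index -> digest for the integrity check
}

// splitRandom cuts data into consecutive pieces whose sizes are drawn from the OS CSPRNG in
// [minSize, maxSize] bytes (the last piece may be shorter), so the piece count is random too.
func splitRandom(data []byte, minSize, maxSize int) ([]Piece, error) {
	if minSize <= 0 || maxSize < minSize {
		return nil, fmt.Errorf("invalid size bounds %d..%d", minSize, maxSize)
	}
	var pieces []Piece
	for off := 0; off < len(data); {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(maxSize-minSize+1)))
		if err != nil {
			return nil, err
		}
		size := minSize + int(n.Int64())
		if off+size > len(data) {
			size = len(data) - off
		}
		part := data[off : off+size]
		pieces = append(pieces, Piece{Data: part, Digest: sha256.Sum256(part)})
		off += size
	}
	return pieces, nil
}

// placeReplicated is simple replication: each piece goes to `replicas` distinct user nodes
// chosen round-robin. stores simulates every node's local piece store (node id -> index -> bytes).
func placeReplicated(pieces []Piece, nodeIDs []string, replicas int,
	stores map[string]map[int][]byte) (StorageInfo, error) {
	info := StorageInfo{Holders: map[int][]string{}, Digests: make([][32]byte, len(pieces))}
	if replicas < 1 || replicas > len(nodeIDs) {
		return info, fmt.Errorf("replica count %d must be between 1 and %d", replicas, len(nodeIDs))
	}
	for i, p := range pieces {
		info.Digests[i] = p.Digest
		for r := 0; r < replicas; r++ {
			id := nodeIDs[(i+r)%len(nodeIDs)]
			if stores[id] == nil {
				stores[id] = map[int][]byte{}
			}
			stores[id][i] = append([]byte(nil), p.Data...)
			info.Holders[i] = append(info.Holders[i], id)
		}
	}
	return info, nil
}

// reassemble rebuilds the encrypted file in index order from the first holder that is online
// and returns bytes matching the digest; a corrupted copy is skipped like an offline node.
func reassemble(info StorageInfo, stores map[string]map[int][]byte, offline map[string]bool) ([]byte, error) {
	var out bytes.Buffer
	for i := range info.Digests {
		var got []byte
		for _, id := range info.Holders[i] {
			d, ok := stores[id][i]
			if offline[id] || !ok || sha256.Sum256(d) != info.Digests[i] {
				continue
			}
			got = d
			break
		}
		if got == nil {
			return nil, fmt.Errorf("piece %d: no holder returned an intact copy", i)
		}
		out.Write(got)
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed sample: 1 KiB of stand-in ciphertext, four storage nodes, two copies per piece.
	file := bytes.Repeat([]byte("encrypted-bytes "), 64)
	pieces, _ := splitRandom(file, 100, 300)
	stores := map[string]map[int][]byte{}
	info, _ := placeReplicated(pieces, []string{"200C", "200D", "200E", "200F"}, 2, stores)
	stores["200C"][0][0] ^= 0xff // 200C's copy of piece 0 is corrupted and 200E is offline
	got, err := reassemble(info, stores, map[string]bool{"200E": true})
	fmt.Println(len(pieces), "pieces, intact:", bytes.Equal(got, file), err)
}
```

With two copies per piece, the sample survives one corrupted copy and one offline node at the same time; with the statistical (parity) scheme the description mentions, the same tolerance would be reached with fewer stored bytes, but the per-piece digest check would be applied in the same place, before a piece is accepted for reassembly.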
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to select said different user nodes such that the different user nodes are not all located in a same geographical region, such as different regions within a country, different countries or different continents. The memory may also comprise instructions executable by the processor whereby the server node is operative to select the different user nodes such that the different user nodes are within a same communications network, operated, for example, by a single network operator or a single enterprise.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to provide an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on the different user nodes. The access token may be a time limited access token. For example, an access token that conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749 may be used. The memory may therefore comprise instructions executable by the processor whereby the server node is operative as an OAUTH 2.0 authorisation server according to the OAUTH 2.0 Authorisation Framework set out in IETF RFC 6749.
The server node is operative to maintain an authorisation index, storing details of a currently valid access token that has been provided to a trusted user node. The memory comprises instructions executable by the processor whereby the server node is operative to: store details of an access token given to a trusted user node in an authorisation index in the memory; receive a verification request for an access token from one of the different user nodes in which the file pieces are stored; search the authorisation index for the access token; and send a verification message to the different user node in response to finding the access token in the authorisation index.
In an embodiment, the memory comprises instructions executable by the processor whereby the server node is operative to provide a hash algorithm to the trusted user node, for checking the integrity of the file pieces retrieved from the different user nodes.
In an embodiment, the server node is operative to maintain a user index, storing basic user details for users of the user nodes within the network. This enables the server node to perform a “find and connect” service to the user nodes of the network, enabling users to discover each other’s presence within the network and to request access to each other’s files.
The memory comprises instructions executable by the processor whereby the server node is operative to: store a unique identifier and user profile information for the first user node in a user index in the memory; search the user index for the unique identifier of the first user node in response to a search request received from another user node; and provide at least some of the user profile information to the other user node in response to finding the unique identifier of the first user node.
The unique identifier may be a name or a telephone number of a user of the first user node, enabling a user of the other user node to contact the user of the first user node requesting access to an encrypted file, or to all of the encrypted files sent by the first user node to the server node for storage in the distributed data storage network. Contact between the users may be made via a message sent directly between the two user nodes, or sent via a separate communication channel, such as SMS or email. Or the two users could simply speak to one another.
In an embodiment, the distributed data storage network is an application service level network for an online social network. The server node may therefore enable a completely distributed peer-to-peer data storage network using network users’ own devices, i.e. user nodes, for storage, making their data and online social interactions completely private, secure and away from an owner or operator of the online social network. The server node may therefore mitigate risk of data being used for user profiling and marketing purposes by a social networking service. A user of the first user node within the online social network will typically have a real-life trust relationship with a user of the trusted user node.
Referring to Figures 2 and 3, an embodiment of the invention provides a user node 200 for a distributed data storage network 300 comprising a plurality of user nodes 200 and a server node 100. The user node comprises a processor 210 and memory 220 comprising instructions executable by the processor whereby the user node is operative to generate an encryption key using an encryption algorithm, encrypt a file using the encryption key and send the encrypted file to the server node for distributed storage. The memory comprises instructions executable by the processor whereby the user node is further operative to provide the encryption key and an indication of the encryption algorithm to a trusted user node, and to send an indication to the server node that the trusted user node is permitted access to the file.
For example, within the network 300, a first user node 200A is operative to generate an encryption key using an encryption algorithm, encrypt a file using the encryption key and send the encrypted file to the server node 100 for distributed storage. The first user node 200A is operative to provide the encryption key and an indication of the encryption algorithm to a trusted user node, for example user node 200B and to send an indication to the server node 100 that the trusted user node is permitted access to the file.
In an embodiment, the encryption algorithm is a symmetric encryption algorithm, such as the Advanced Encryption Standard, AES, algorithm.
In an embodiment, the memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to encrypt a plurality of files using the encryption key and send the encrypted files to the server node for distributed storage. The plurality of files may be sent together or may be sent in groups of one or more files over an extended period of time, for example where a user of a first user node 200A wishes to store various files in the distributed data storage network on an as and when basis over several months or years. The memory also comprises instructions executable by the processor whereby the user node is operative to send an indication to the server node that the trusted user node is permitted access to all encrypted files sent to the server node by the user node. A user of the trusted user node, for example user node 200B, can therefore access all of the files that the user of the first user node 200A sends to the server node 100 for storage in the distributed data storage network over an extended period of time, using the same encryption key.
In an embodiment, the user node 200 is operative to find trusted users within the distributed data storage network 300 and to request access to one or more files. The memory 220 comprises instructions executable by the processor 210 whereby the user node is operative to send a search request to the server node 100 comprising a unique identifier of another user node. The memory comprises instructions executable by the processor 210 whereby the user node is operative to receive user profile information of the other user node from the server node in response to the search request, and to generate and transmit a request to a user of the other user node for access to an encrypted file, or to all of the encrypted files, sent by the other user node to the server node for distributed storage.
For example, in the network 300 illustrated in Figure 3, user node 200B is operative to send a search request to the server node 100 comprising a unique identifier of user node 200A, such as a name or phone number of a user of user node 200A. User node 200B is further operative to receive user profile information of user node 200A from the server node in response to the search request, assuming of course that the server node finds the unique identifier of user node 200A. User node 200B is operative to generate and transmit a request to a user of user node 200A for access either to a specific file or to all of the files that the user of user node 200A has encrypted and sent to the server node for storage.
In an embodiment, the user node 200 is operative to obtain and access one or more encrypted files. The memory 220 comprises instructions executable by the processor 210 whereby the user node is operative to receive from another user node an encryption key and an indication of an encryption algorithm used to generate the encryption key. The memory 220 comprises further instructions executable by the processor 210 whereby the user node is operative to receive from the server node 100 storage information for file pieces of an encrypted file received from the other user node by the server node. The storage information identifies different user nodes in which the file pieces are respectively stored. The memory 220 comprises further instructions executable by the processor 210 whereby the user node is operative to obtain the file pieces from the different user nodes in which the file pieces are stored, combine the file pieces to form the encrypted file and decrypt the encrypted file using the encryption key.
For example, in the network 300 illustrated in Figure 3, user node 200B is operative to receive an encryption key and an indication of an encryption algorithm from user node 200A. User node 200B is operative to receive storage information for file pieces of one or more encrypted files sent to the server node 100 for storage by user node 200A. The storage information identifies user nodes 200C and 200D as the user nodes in which file pieces are stored. It will be appreciated that an encrypted file will typically be divided into a greater number of file pieces to be stored in a greater number of user nodes. User node 200B is operative to obtain file pieces from user nodes 200C and 200D, combine the file pieces to form the encrypted file and decrypt the encrypted file using the encryption key.
In an embodiment, an access token for secure delegated access to the file pieces is used to enable the user node 200 to obtain file pieces from the different user nodes in which the file pieces are stored. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to receive an access token from the server node and to obtain the file pieces from the different user nodes by sending requests, including the access token, for the file pieces to the different user nodes.
For example, in the network 300 of Figure 3, user node 200B is operative to receive an access token from the server node 100 to permit secure delegated access by user node 200B to file pieces of encrypted files sent by user node 200A to the server node for storage in the network. An access token that conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749 may be used. User node 200B is operative to send the access token to user nodes 200C and 200D to obtain the file pieces from those user nodes.
In an embodiment, the user node 200 is operative to receive and store a file piece sent to the user node by the server node 100 for storage. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to receive and store a file piece of an encrypted file of another user node. For example, in the network 300 of Figure 3, user nodes 200C and 200D are operative to receive and store file pieces sent to them by the server node 100, the file pieces being pieces of an encrypted file sent by user node 200A to the server node for storage in the network.
In an embodiment, the memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to receive a request for the file piece from another user node, and to send a request to the server node 100 for verification that the other user node is permitted access to the file piece. The memory 220 comprises further instructions executable by the processor 210 whereby the user node 200 is operative to send the file piece to the other user node if the server node provides verification that the other user node is permitted access to the file piece. For example, in the network 300 of Figure 3, user nodes 200C and 200D are each operative to send a request to the server node 100 for verification that user node 200B is permitted access to the file pieces respectively stored in user nodes 200C and 200D.
In an embodiment, the request for the file piece comprises an access token for delegated access to the file piece. The request sent to the server node 100 is a request to verify the access token. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to send the file piece to the other user node if verification of the access token is received from the server node. An access token that conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749 may be used.
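The following Go program is an added illustration of both sides of the token check: the server node's Authorisation Index (the issue, search and verification steps described for the server node above) and the storing user node's rule of releasing a piece only after the server node verifies the token. It is not code from the patent or from the applicant. It assumes an opaque random bearer token rather than a full OAuth 2.0 exchange, an in-process call standing in for the verification request sent over the network, and one hardening the text does not state, namely binding each token to the owner and to the trusted node it was issued to; node identifiers follow Figure 3 and all names are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenRecord is one entry of the server node's Authorisation Index.
type TokenRecord struct {
	Owner   string    // source user node whose file pieces the token covers
	Grantee string    // trusted user node the token was issued to
	Expires time.Time // access tokens are time limited
}

// AuthServer models the server node in its role as authorisation server.
type AuthServer struct {
	mu    sync.Mutex
	index map[string]TokenRecord // Authorisation Index keyed by token value
}

func NewAuthServer() *AuthServer { return &AuthServer{index: map[string]TokenRecord{}} }

// Issue mints an opaque bearer token for grantee covering owner's files, valid for ttl from
// now. 256 random bits: nothing to guess or forge, and the index alone gives it meaning.
func (s *AuthServer) Issue(owner, grantee string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.index[tok] = TokenRecord{Owner: owner, Grantee: grantee, Expires: now.Add(ttl)}
	return tok, nil
}

// Verify answers a storage node's verification request: the token must be in the index, not
// expired, and bound to the owner and requester named in the piece request (example hardening).
func (s *AuthServer) Verify(tok, owner, requester string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.index[tok]
	if !ok {
		return false
	}
	if !now.Before(rec.Expires) {
		delete(s.index, tok) // expired entries are purged when first seen
		return false
	}
	return rec.Owner == owner && rec.Grantee == requester
}

// Revoke drops a token before expiry, e.g. when the owner withdraws access.
func (s *AuthServer) Revoke(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.index, tok)
}

// PieceRequest is what a requester user node sends to a node storing a piece.
type PieceRequest struct {
	Requester, Owner string
	PieceID          int
	Token            string
}

var ErrDenied = errors.New("access denied: server node did not verify the token")

// StorageNode is a user node holding pieces of other users' encrypted files. It trusts
// neither party, only the server node's answer to its verification request.
type StorageNode struct {
	pieces map[string]map[int][]byte // owner -> piece index -> bytes
	server *AuthServer               // stands in for the verification request over the network
}

// ServePiece releases a piece only after the server node confirms the token.
func (n *StorageNode) ServePiece(req PieceRequest, now time.Time) ([]byte, error) {
	if !n.server.Verify(req.Token, req.Owner, req.Requester, now) {
		return nil, ErrDenied
	}
	d, ok := n.pieces[req.Owner][req.PieceID]
	if !ok {
		return nil, fmt.Errorf("no piece %d held for owner %s", req.PieceID, req.Owner)
	}
	return d, nil
}

func main() {
	srv, t0 := NewAuthServer(), time.Now()
	tok, _ := srv.Issue("200A", "200B", time.Hour, t0) // node ids as in Figure 3
	node := &StorageNode{pieces: map[string]map[int][]byte{"200A": {0: []byte("piece-0")}}, server: srv}
	_, inTime := node.ServePiece(PieceRequest{"200B", "200A", 0, tok}, t0.Add(30*time.Minute))
	_, expired := node.ServePiece(PieceRequest{"200B", "200A", 0, tok}, t0.Add(2*time.Hour))
	fmt.Println("in time:", inTime, "| expired:", expired)
}
```

Because the storing node never inspects the token itself, it needs no shared secret with the server node beyond an authenticated channel for the verification request, and revocation takes effect at the next request rather than at token expiry.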
In an embodiment, the user node 200 is operative to remove encrypted files from the distributed data storage network, modify some or all of the files if desired, and then re-encrypt and store the files. This may, for example, be undertaken if the encryption key has been hacked or has expired, or if a user of the user node wants to remove data from the distributed data storage network that they no longer wish to make available to the trusted user node. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to generate a new encryption key using an encryption algorithm. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to obtain the file pieces of the encrypted files that the user node has sent to the server node 100 for storage from the different user nodes in which the file pieces are stored. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to combine the file pieces to form the encrypted file or files, decrypt the encrypted file or files using the earlier encryption key, re-encrypt the file or files using the new encryption key, and send the re-encrypted file or files to the server node for distributed storage. The memory 220 comprises instructions executable by the processor 210 whereby the user node 200 is operative to provide the new encryption key and an indication of the encryption algorithm to the trusted user node.
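The following Go program is an added illustration of the user node's key generation, symmetric encryption and the re-keying step just described; it is not code from the patent or from the applicant. It assumes AES-256 in GCM mode as the concrete symmetric algorithm (the description names AES but not a mode), a constructed algorithm label carried alongside the key as the "indication of the encryption algorithm", and a fresh random nonce prepended to every ciphertext; all function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyBundle is what the source user node hands a trusted user node: the key together with
// the indication of the algorithm it was generated for (the label is constructed here).
type KeyBundle struct {
	Algorithm string
	Key       []byte
}

// generateKey draws a fresh 256-bit AES key from the OS CSPRNG.
func generateKey() (KeyBundle, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return KeyBundle{}, err
	}
	return KeyBundle{Algorithm: "AES-256-GCM", Key: k}, nil
}

// newGCM refuses a bundle whose algorithm indication this node does not implement.
func newGCM(kb KeyBundle) (cipher.AEAD, error) {
	if kb.Algorithm != "AES-256-GCM" {
		return nil, errors.New("unsupported algorithm indication: " + kb.Algorithm)
	}
	block, err := aes.NewCipher(kb.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile seals the plaintext under a fresh random nonce, prepended to the output, so
// the blob the server node receives is opaque bytes it may cut into pieces however it likes.
func encryptFile(kb KeyBundle, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(kb)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptFile is the trusted node's final step; the GCM tag rejects any altered ciphertext.
func decryptFile(kb KeyBundle, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kb)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// rekey is the remove-and-re-store step: the file is decrypted under the retired key and
// sealed under the new one; only the new bundle is then handed to the trusted user node.
func rekey(oldKey, newKey KeyBundle, blob []byte) ([]byte, error) {
	pt, err := decryptFile(oldKey, blob)
	if err != nil {
		return nil, err
	}
	return encryptFile(newKey, pt)
}

func main() {
	k1, _ := generateKey()
	blob, _ := encryptFile(k1, []byte("contents of F1")) // constructed sample file
	k2, _ := generateKey()
	blob2, _ := rekey(k1, k2, blob)
	_, errOld := decryptFile(k1, blob2)
	pt, errNew := decryptFile(k2, blob2)
	fmt.Printf("old key: %v | new key: %q %v\n", errOld, pt, errNew)
}
```

The same key is reused across many files, as the description allows, so the per-file random nonce is what keeps GCM safe; the 96-bit nonce keeps collision probability negligible for the number of files a single user would realistically store, and an authenticated mode means a piece that was tampered with and yet passed reassembly still fails to decrypt rather than yielding silently corrupted plaintext.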
In an embodiment, the memory 220 comprises instructions executable by the processor whereby the user node 200 is operative to provide the encryption key and the indication of the encryption algorithm to the trusted user node using a blockchain. In an embodiment, the memory 220 comprises instructions executable by the processor whereby the user node 200 is operative to establish a secure connection across the network 300 with the trusted user node and to provide the encryption key and the indication of the encryption algorithm to the trusted user node using the secure connection.
Referring to Figure 3, it will be understood that each user node 200 within the distributed data storage network 300 may be operative to perform one or more of the functions described above, and that each user node 200 may be operative to perform each of the functions described above. That is to say, each user node 200A, 200B, 200C and 200D of the network 300 in Figure 3 may be operative to: generate an encryption key, encrypt files and send the encrypted files to the server node 100 for storage, as described in relation to user node 200A; become a trusted user node and obtain access to encrypted files of other user nodes, as described above in relation to user node 200B; and store and control access to file pieces, as described above in relation to user nodes 200C and 200D. The user nodes 200C and 200D are not required to have a trust relationship with the user nodes for which they store file pieces; a trust relationship is only required between two user nodes, for example user nodes 200A and 200B, if one of the user nodes wishes to obtain access to an encrypted file of the other user node.
Referring to Figures 3 and 4, an embodiment of the invention provides a distributed data storage network 300 comprising a server node 100 as described above with reference to Figure 1 and a plurality of user nodes 200 as described above with reference to Figure 2.
Each of the user nodes 200 is configured for communication with the server node 100 and with one or more other user nodes, and the server node is configured for communication with the user nodes. Communication may be effected via any communication network that the nodes are connected to, via HTTP REST APIs.
The operation of the user nodes 200 and the server node 100, including the signalling between the nodes, will be described with reference to Figure 4, using the line numbering provided down the left side of the Figure.
A first user node 200A, which here is operating as a source user node, generates an encryption key, KEY1, using an encryption algorithm and encrypts two files, F1 and F2 (Line 2). It will be appreciated that a single file or a greater number of files may be encrypted by a source user node 200A, for distributed storage in the network 300. The source user node 200A sends the encrypted files to the server node 100 for distributed storage within the network 300 (Lines 2-3).
The server node 100 receives the encrypted files F1 and F2 from the source user node 200A and divides each encrypted file into a plurality of file pieces of random sizes (Line 3). The memory 120 of the server node in this embodiment comprises instructions executable by the processor whereby the server node is additionally operative to perform random number generation and to divide each encrypted file into pieces having sizes, i.e. a number of bytes, determined by the generated random numbers. It will be appreciated that both the sizes and the number of file pieces are thereby determined by the generated random numbers.
The server node 100 selects different user nodes within the network 300 for storage of the file pieces; only two different user nodes 200C, 200D are shown in Figure 4 as being used for storage of file pieces of files F1 and F2 for reasons of clarity and it will be understood that a larger number of other user nodes would typically be used for storage of file pieces in practice. The server node 100 sends (Lines 4 and 5) the file pieces to the different user nodes 200C and 200D for storage. The source user node 200A is not required to have any trust relationship with the different user nodes 200C and 200D in which the file pieces are stored, since the different user nodes receive only file pieces of the encrypted file and therefore cannot obtain the encrypted file or decrypt it. The server node notifies (Line 6) the source user node that the encrypted file has been stored in the distributed data storage network 300. The server node may notify the source user node 200A of where the file pieces are stored, but this is not essential since storage information is saved to an Index of Files for the source user node (‘user A’) in the memory of the server node (Lines 7-9).
A second user node 200B, which in Figure 4 is operating as a requester user node, sends a request to a user of the first user node 200A for access to the encrypted files originating from the first user node and stored in the network 300; in this example, files F1 and F2. In Figure 4 this is shown as the requester user node 200B sending a ‘Friend request’ to the source user node (Line 10). This assumes that a user of the requester user node is already aware of the source user node’s presence within the network and has contact details for the user of the source user node. If not, the requester user node can request user profile information for the source user node from the server node, as described above.
Having decided that they trust the user of the requester user node 200B, the user of the source user node 200A causes the source user node to provide the encryption key, KEY1, and an indication of the encryption algorithm to the requester user node (Lines 11-12), which thereby becomes a trusted user node of the source user node. The source user node then sends an indication to the server node that the requester user node 200B is permitted access to its files, F1 and F2 (Line 14), and the server node 100 stores the indication to memory by updating the Index of Files for the source user node with the requester user node’s access rights. The server node also saves a Hash Algorithm (‘Hash A1’) for the source user node’s files to the Index of Files (Line 15). The server node also generates an OAUTH 2.0 access token (T1) for the source user node 200A and saves this to an Authorisation Index in its memory 120.
To obtain files F1 and F2, requester user node 200B is operative to request storage information for the source user node’s files from the server node (Line 16). The server node inspects the Index of Files for the source user node 200A to determine whether the requester user node 200B is permitted access to the files. If access is permitted, the server node sends the storage information, the access token and the Hash A1 hash algorithm to the requester user node 200B (Lines 17-18). The requester user node then sends requests for file pieces of the encrypted files F1 and F2 to user nodes 200C and 200D, including sending the access token (Lines 19-22).
Each of the different user nodes 200C and 200D sends a verification request for the access token T1 to the server node. The server node searches its Authorisation Index for the access token, and if the server node finds the access token in its Authorisation Index, the server node sends a verification message to the user node 200C, 200D (Lines 20 and 22). Following receipt of a verification message verifying the access token T1, user nodes 200C and 200D send the file pieces to the requester user node 200B.
The requester user node 200B is operative to receive the file pieces, verify each file piece using the Hash A1 hash algorithm, combine the file pieces to form encrypted files F1 and F2, and decrypt the files using the encryption key, KEY1, to obtain the files, F1 and F2.
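The Figure 4 exchange as one runnable simulation, added here as an example; it is not code from the patent or from Ericsson. A source node encrypts a file, the server node splits the ciphertext into random-size pieces, spreads them over storage user nodes and records each piece's location and digest in an Index of Files; once the owner grants access, the requester obtains the storage information and a time-limited token, the storage nodes verify that token against the server's Authorisation Index before releasing a piece, and the requester checks each piece's hash, reassembles and decrypts. Everything the page leaves open is an assumption here: the HMAC-SHA256 keystream cipher standing in for the unnamed encryption algorithm (a real deployment would use an AEAD such as AES-GCM), SHA-256 as ‘Hash A1’, a 600-second token lifetime, an opaque random string in place of an OAuth 2.0 token, and the constructed file contents. All four roles run in a single process.

```python
import hmac, secrets, time
from hashlib import new as new_hash, sha256

HASH_ALG = "sha256"   # stands in for "Hash A1"; an assumed choice
TOKEN_TTL = 600       # seconds; assumed lifetime of the time-limited access token


def stream_xor(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 keystream XORed with the data; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(d ^ k for d, k in zip(data[off:off + 32], ks))
    return bytes(out)


def source_encrypt(key, plaintext):
    """Source user node 200A: fresh 16-byte nonce per file, prefixed to the ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + stream_xor(key, nonce, plaintext)


class StorageNode:
    """User node 200C/200D: releases a piece only after the server verifies the token."""
    def __init__(self, name, server):
        self.name, self.server, self.pieces = name, server, {}

    def fetch(self, piece_id, token):
        if not self.server.verify_token(token):            # verification request, Lines 20 and 22
            raise PermissionError(f"{self.name}: access token rejected")
        return self.pieces[piece_id]


class ServerNode:
    """Server node 100: splits, distributes, keeps the Index of Files and Authorisation Index."""
    def __init__(self, storage_names):
        self.nodes = {n: StorageNode(n, self) for n in storage_names}
        self.index_of_files = {}   # owner -> {"pieces": [(file, idx, node, digest)], "allowed": {}}
        self.auth_index = {}       # token -> (owner, requester, expiry)

    def store_file(self, owner, file_id, enc):
        """Lines 3-9: split at CSPRNG-chosen sizes, send pieces out, record location and digest."""
        names = list(self.nodes)
        entry = self.index_of_files.setdefault(owner, {"pieces": [], "allowed": {}})
        pos, i = 0, 0
        while pos < len(enc):
            size = secrets.randbelow(len(enc) - pos) + 1    # 1..remaining bytes; the count follows
            piece, node = enc[pos:pos + size], names[i % len(names)]
            self.nodes[node].pieces[f"{file_id}:{i}"] = piece
            entry["pieces"].append((file_id, i, node, sha256(piece).hexdigest()))
            pos, i = pos + size, i + 1

    def grant(self, owner, requester):
        """Line 14: the owner declares that the requester may access all of its files."""
        self.index_of_files[owner]["allowed"][requester] = time.time() + TOKEN_TTL

    def storage_info(self, owner, requester):
        """Lines 16-18: consult the Index of Files, then record a token in the Authorisation Index."""
        if time.time() > self.index_of_files[owner]["allowed"].get(requester, 0):
            raise PermissionError(f"{requester} is not permitted access to {owner}'s files")
        token = secrets.token_urlsafe(32)                  # opaque bearer token; OAuth 2.0 framing omitted
        self.auth_index[token] = (owner, requester, time.time() + TOKEN_TTL)
        return self.index_of_files[owner]["pieces"], token, HASH_ALG

    def verify_token(self, token):
        rec = self.auth_index.get(token)
        return rec is not None and time.time() < rec[2]


def requester_retrieve(server, owner, requester, file_id, key):
    """Requester user node 200B: fetch with the token, verify each piece, reassemble, decrypt."""
    pieces, token, hash_alg = server.storage_info(owner, requester)
    enc = bytearray()
    for fid, idx, node, digest in sorted(p for p in pieces if p[0] == file_id):
        piece = server.nodes[node].fetch(f"{fid}:{idx}", token)
        if new_hash(hash_alg, piece).hexdigest() != digest:
            raise ValueError(f"piece {fid}:{idx} failed the integrity check")
        enc += piece
    return stream_xor(key, bytes(enc[:16]), bytes(enc[16:]))


def _fails(exc, fn):
    try:
        fn()
    except exc:
        return True
    return False


def demo():
    """Constructed end-to-end run; returns the observations the test checks."""
    server = ServerNode(["200C", "200D"])
    key = secrets.token_bytes(32)                           # KEY1, generated by 200A
    files = {"F1": b"constructed contents of file one", "F2": b"constructed contents of file two"}
    for fid, data in files.items():
        server.store_file("userA", fid, source_encrypt(key, data))
    def fetch_f1():
        return requester_retrieve(server, "userA", "userB", "F1", key)
    denied = _fails(PermissionError, fetch_f1)              # no grant yet: storage info refused
    server.grant("userA", "userB")                          # KEY1 travels 200A -> 200B out of band
    got = {fid: requester_retrieve(server, "userA", "userB", fid, key) for fid in files}
    f1, i1, node1, _ = server.index_of_files["userA"]["pieces"][0]
    server.nodes[node1].pieces[f"{f1}:{i1}"] = b"\x00corrupted"   # a storage node alters a piece
    return {"denied_before_grant": denied, "recovered": got, "expected": files,
            "tamper_caught": _fails(ValueError, fetch_f1)}
```

Two points the simulation makes visible: the server never holds KEY1, so a compromised server or storage node sees only ciphertext fragments, and the per-piece digests in the Index of Files mean a storage node that alters a piece is caught before reassembly rather than producing silently corrupt plaintext. The stand-in cipher gives confidentiality only; the page's separate hash check is what supplies integrity here.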
In an embodiment, the distributed data storage network 300 is an online social network.
The above described embodiments equally apply to the methods described below.
Referring to Figure 5, an embodiment of the invention provides a method 400 at a server node of a distributed data storage network comprising a plurality of user nodes. The method comprises steps of:
receiving (410) an encrypted file from a first user node;
dividing (412) the encrypted file into a plurality of file pieces;
sending (414) the file pieces to different user nodes for storage in said different user nodes;
saving (416) storage information for the file pieces, the storage information identifying the different user nodes in which the file pieces are respectively stored; and
receiving (418) and storing (420) an indication from the first user node that a trusted user node is permitted access to the file.
In an embodiment, the method comprises steps of receiving a plurality of encrypted files from a first user node, dividing each encrypted file into a plurality of file pieces and sending the file pieces to different user nodes for storage in said different user nodes. The plurality of files may be received together or may be received in groups of one or more files over an extended period of time, for example where a user of the user node wishes to store various files in the distributed data storage network on an as and when basis over several months or years. The method further comprises receiving an indication from the first user node that a trusted user node is permitted to access all encrypted files received by the server node from the first user node. A user of the trusted user node can therefore access all of the files that the user of the user node stores in the distributed data storage network over an extended period of time, using the same encryption key. In an embodiment, the indication from the first user node that a trusted user node is permitted access to a file or to all of its files comprises an indication of a time period for which the trusted user node is permitted access.
In an embodiment, the method comprises sending a confirmation message to the first user node comprising an indication that a received encrypted file has been stored.
In an embodiment, the method comprises dividing the encrypted file into a plurality of file pieces of random sizes. The method comprises generating random numbers and dividing the encrypted file into a plurality of file pieces of random sizes depending on the generated random numbers.
Referring to Figure 6, in an embodiment, the method (450) comprises sending (452) each file piece to a plurality of different user nodes for storage in the different user nodes.
Referring to Figure 7, in an embodiment, the method (460) additionally comprises calculating (462) parity data for the encrypted file and sending (464) the parity data to at least one other user node for storage.
In an embodiment, the parity data for the encrypted file is calculated using a RAID6 Reed-Solomon algorithm.
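The RAID6 construction the page names, as an added example rather than the patent's or Ericsson's code: a P piece (plain XOR of the data pieces) and a Q piece (XOR of each piece scaled by a power of the generator in GF(2^8)). The field polynomial 0x11d with generator 2 is the usual RAID6 choice and an assumption here, as are the constructed piece contents. It goes slightly beyond the text by working the recovery cases as well as the encoding: one lost data piece is rebuilt from P or from Q alone, two lost data pieces from P and Q together.

```python
"""RAID6-style dual parity for file pieces: P = XOR of all pieces, Q = GF(2^8)-weighted XOR."""
from typing import List, Optional

# GF(2^8) log/antilog tables for the RAID6 polynomial x^8+x^4+x^3+x^2+1 (0x11d), generator 2.
EXP, LOG = [0] * 512, [0] * 256
_x = 1
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):            # doubled so gf_mul needs no modulo
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _scale(piece: bytes, c: int) -> bytes:
    """Multiply every byte of a piece by the constant c in GF(2^8)."""
    return bytes(gf_mul(v, c) for v in piece)


def pad_pieces(pieces: List[bytes]) -> List[bytes]:
    """Random-size pieces must be zero-padded to one length before parity is computed;
    the original lengths have to be kept in the storage information to strip the padding."""
    n = max(len(p) for p in pieces)
    return [p.ljust(n, b"\x00") for p in pieces]


def compute_parity(pieces: List[bytes]):
    """Return (P, Q) for equal-length pieces D_0..D_{k-1}: P = XOR D_i, Q = XOR g^i * D_i."""
    if not 1 <= len(pieces) <= 255:
        raise ValueError("RAID6 dual parity supports 1..255 data pieces")
    n = len(pieces[0])
    p, q = bytes(n), bytes(n)
    for i, piece in enumerate(pieces):
        p, q = _xor(p, piece), _xor(q, _scale(piece, EXP[i]))
    return p, q


def recover(pieces: List[Optional[bytes]], p: Optional[bytes], q: Optional[bytes]) -> List[bytes]:
    """Rebuild the None entries: one lost piece needs P or Q, two lost pieces need both."""
    missing = [i for i, piece in enumerate(pieces) if piece is None]
    if not missing:
        return list(pieces)
    if len(missing) > 2:
        raise ValueError("dual parity cannot rebuild more than two lost pieces")
    if len(missing) == 2 and (p is None or q is None):
        raise ValueError("two pieces lost: both P and Q are required")
    if p is None and q is None:
        raise ValueError("no parity piece available")
    n = len(p if p is not None else q)
    p_sum, q_sum = bytes(n), bytes(n)         # partial sums over the pieces still present
    for i, piece in enumerate(pieces):
        if piece is not None:
            p_sum, q_sum = _xor(p_sum, piece), _xor(q_sum, _scale(piece, EXP[i]))
    out = list(pieces)
    if len(missing) == 1:
        x = missing[0]
        if p is not None:                     # D_x = P ^ (XOR of the others)
            out[x] = _xor(p, p_sum)
        else:                                 # D_x = (Q ^ weighted XOR of the others) / g^x
            out[x] = bytes(gf_div(v, EXP[x]) for v in _xor(q, q_sum))
    else:
        x, y = missing
        pxy = _xor(p, p_sum)                  # = D_x ^ D_y
        qxy = _xor(q, q_sum)                  # = g^x D_x ^ g^y D_y
        denom = EXP[x] ^ EXP[y]               # g^x ^ g^y, never 0 for x != y < 255
        # Substitute D_y = D_x ^ Pxy:  D_x = (Qxy ^ g^y Pxy) / (g^x ^ g^y)
        out[x] = bytes(gf_div(v, denom) for v in _xor(qxy, _scale(pxy, EXP[y])))
        out[y] = _xor(out[x], pxy)
    return out
```

For the page's scheme the P and Q pieces would be sent to user nodes other than those holding the data pieces, and the storage information would record the padded length of each data piece so the requester can strip the padding after reassembly. Because the parity is computed over ciphertext, the parity nodes learn nothing more than the data nodes do.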
Referring to Figure 8, in an embodiment, the method (470) additionally comprises selecting (472) the different user nodes such that at least one of the following conditions is met: the different user nodes are not all located in a same geographical region; and the different user nodes are within a same communications network.
Referring to Figure 9, in an embodiment, the method (480) additionally comprises providing (482) an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on the different user nodes.
In an embodiment, the access token is a time limited access token.
In an embodiment, the method additionally comprises steps of: storing details of an access token given to a trusted user node in an authorisation index; receiving a verification request for an access token from a said different user node; searching the authorisation index for the access token; and sending a verification message to said different user node in response to finding the access token in the authorisation index.
In an embodiment, the access token conforms with the OAUTH 2.0 protocol set out in IETF RFC 6749.
In an embodiment, the method comprises providing a hash algorithm to the trusted user node. This advantageously enables a trusted user node to check the integrity of the file pieces retrieved from the different user nodes.
Referring to Figure 10, in an embodiment, the method (490) additionally comprises steps of:
storing (492) a unique identifier and user profile information for the first user node;
receiving (494) a search request from another user node for the unique identifier of the first user node;
searching (496) for the unique identifier of the first user node; and
providing (498) at least some of the user profile information to said other user node in response to finding the unique identifier of the first user node.
In an embodiment, the unique identifier is one of a name and a telephone number of a user of the first user node.
In an embodiment, the distributed data storage network is an application service level network for an online social network.
Referring to Figure 11, an embodiment of the invention provides a method 500 at a user node of a distributed data storage network comprising a plurality of user nodes and a server node. The method comprises steps of:
generating 510 an encryption key using an encryption algorithm;
encrypting 512 a file using the encryption key;
sending 514 the encrypted file to the server node for distributed storage;
providing 516 the encryption key and an indication of the encryption algorithm to a trusted user node; and
sending 518 an indication to the server node that the trusted user node is permitted access to the file.
In an embodiment, the method comprises encrypting a plurality of files using the encryption key and sending the encrypted files to the server node for distributed storage. The method comprises sending an indication to the server node that the trusted user node is permitted access to all encrypted files sent to the server node by the first user node.
Referring to Figure 12, in an embodiment the method 550 additionally comprises steps of:
sending 552 a search request to the server node comprising a unique identifier of another user node;
receiving 554 user profile information of the other user node from the server node in response to the search request; and
generating and transmitting 556 a request to a user of the other user node for access to an encrypted file.
In an embodiment, the method additionally comprises steps of generating and transmitting a request to a user of the other user node for access to all of said user’s encrypted files sent to the server node for distributed storage.
Referring to Figure 13, in an embodiment the method 560 additionally comprises steps of:
receiving 562 an encryption key from another user node and receiving an indication of an encryption algorithm used to generate the encryption key from the other user node;
receiving 564 storage information from the server node for file pieces of an encrypted file received from the other user node by the server node, the storage information identifying different user nodes in which the file pieces are respectively stored;
obtaining 566 the file pieces from the different user nodes; and
combining 568 the file pieces to form the encrypted file and decrypting the encrypted file using the encryption key.
In an embodiment, the step of obtaining the file pieces comprises receiving from the server node an access token for secure delegated access to the file pieces on said different user nodes, and obtaining the file pieces from said different user nodes by sending requests for the file pieces to said different user nodes, the requests including the access token.
Referring to Figure 14, in an embodiment the method 570 additionally comprises steps of receiving 572 from the server node a file piece of an encrypted file of another user node and storing 574 said file piece.
In an embodiment, the method comprises steps of: receiving a request for the file piece from another user node; sending a request to the server node for verification that the other user node is permitted access to the file piece; and sending the file piece to the other user node if the server node provides said verification.
In an embodiment, the request for the file piece comprises an access token for delegated access to the file piece. The request sent to the server is a request to verify the access token and the method comprises sending the file piece to the other user node if verification of the access token is received from the server node.
An embodiment of the invention provides a data carrier having computer readable instructions embodied therein. The computer readable instructions are for providing access to resources available on a processor. The computer readable instructions comprise instructions to cause the processor to perform any of the above steps of the method at a server node of a distributed data storage network.
An embodiment of the invention provides a data carrier having computer readable instructions embodied therein. The computer readable instructions are for providing access to resources available on a processor. The computer readable instructions comprise instructions to cause the processor to perform any of the above steps of the method at a user node of a distributed data storage network.
In an embodiment, the data carrier is a non-transitory data carrier.

Claims

1. A server node for a distributed data storage network comprising a plurality of user nodes, the server node comprising a processor and memory comprising instructions executable by the processor whereby the server node is operative to:
receive an encrypted file from a first user node;
divide the encrypted file into a plurality of file pieces;
send the file pieces to different user nodes for storage in said different user nodes;
save storage information for the file pieces to the memory, the storage information identifying the different user nodes in which the file pieces are respectively stored; and
receive an indication from the first user node that a trusted user node is permitted access to the file, and store said indication to the memory.
2. A server node according to claim 1, wherein the memory comprises instructions executable by the processor whereby the server node is operative to send each file piece to a plurality of different user nodes for storage in said different user nodes.
3. A server node according to claim 2, wherein the memory comprises instructions executable by the processor whereby the server node is additionally operative to calculate parity data for the encrypted file and to send the parity data to at least one other user node for storage.
4. A server node according to claim 2 or claim 3, wherein the memory comprises instructions executable by the processor whereby the server node is operative to select said different user nodes such that at least one of the following conditions are met:
said plurality of different user nodes to which a said file piece is sent are not all located in a same geographical region; and
said different user nodes are within a same communications network.
5. A server node according to any preceding claim, wherein the memory comprises instructions executable by the processor whereby the server node is operative to provide an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on said different user nodes.
6. A server node according to any preceding claim, wherein the memory comprises instructions executable by the processor whereby the server node is operative to:
store a unique identifier and user profile information for the first user node in a user index in the memory; and
search the user index for the unique identifier of the first user node in response to a search request received from another user node and provide at least some of the user profile information to said other user node in response to finding the unique identifier of the first user node.
7. A user node for a distributed data storage network comprising a plurality of user nodes and a server node, the user node comprising a processor and memory comprising instructions executable by the processor whereby the user node is operative to:
generate an encryption key using an encryption algorithm;
encrypt a file using the encryption key;
send the encrypted file to the server node for distributed storage;
provide the encryption key and an indication of the encryption algorithm to a trusted user node; and
send an indication to the server node that said trusted user node is permitted access to the file.
8. A user node according to claim 7, wherein the memory comprises instructions executable by the processor whereby the user node is operative to:
send a search request to the server node comprising a unique identifier of another user node;
receive user profile information of the other user node from the server node in response to the search request; and
generate and transmit a request to a user of the other user node for access to an encrypted file.
9. A user node according to claim 7 or claim 8, wherein the memory comprises instructions executable by the processor whereby the user node is operative to:
receive from another user node an encryption key and an indication of an encryption algorithm used to generate the encryption key;
receive from the server node storage information for file pieces of an encrypted file received from the other user node by the server node, the storage information identifying different user nodes in which the file pieces are respectively stored;
obtain the file pieces from said different user nodes; and
combine the file pieces to form the encrypted file and decrypt the encrypted file using the encryption key.
10. A user node according to any of claims 7 to 9, wherein the memory comprises instructions executable by the processor whereby the user node is operative to receive and store a file piece of an encrypted file of another user node.
11. A method at a server node of a distributed data storage network comprising a plurality of user nodes, the method comprising steps of:
receiving an encrypted file from a first user node;
dividing the encrypted file into a plurality of file pieces;
sending the file pieces to different user nodes for storage in said different user nodes;
saving storage information for the file pieces, the storage information identifying the different user nodes in which the file pieces are respectively stored; and
receiving and storing an indication from the first user node that a trusted user node is permitted access to the file.
12. A method according to claim 11, comprising sending each file piece to a plurality of different user nodes for storage in said different user nodes.
13. A method according to claim 11 or claim 12, additionally comprising calculating parity data for the encrypted file and sending the parity data to at least one other user node for storage.
14. A method according to any of claims 11 to 13, additionally comprising the step of selecting said different user nodes such that at least one of the following conditions are met:
said different user nodes are not all located in a same geographical region; and
said different user nodes are within a same communications network.
15. A method according to any of claims 11 to 14, additionally comprising the step of providing an access token to the trusted user node for secure delegated access by the trusted node to the file pieces on said different user nodes.
16. A method according to any of claims 11 to 15, additionally comprising steps of:
storing a unique identifier and user profile information for the first user node;
receiving a search request from another user node for the unique identifier of the first user node;
searching for the unique identifier of the first user node; and
providing at least some of the user profile information to said other user node in response to finding the unique identifier of the first user node.
17. A method at a user node of a distributed data storage network comprising a plurality of user nodes and a server node, the method comprising steps of:
generating an encryption key using an encryption algorithm;
encrypting a file using the encryption key;
sending the encrypted file to the server node for distributed storage;
providing the encryption key and an indication of the encryption algorithm to a trusted user node; and
sending an indication to the server node that said trusted user node is permitted access to the file.
18. A method according to claim 17, additionally comprising steps of:
sending a search request to the server node comprising a unique identifier of another user node;
receiving user profile information of the other user node from the server node in response to the search request; and
generating and transmitting a request to a user of the other user node for access to an encrypted file.
19. A method according to claim 17 or claim 18, additionally comprising steps of:
receiving from another user node an encryption key and an indication of an encryption algorithm used to generate the encryption key;
receiving from the server node storage information for file pieces of an encrypted file received from the other user node by the server node, the storage information identifying different user nodes in which the file pieces are respectively stored;
obtaining the file pieces from the different user nodes; and
combining the file pieces to form the encrypted file and decrypting the encrypted file using the encryption key.
20. A method according to any of claims 17 to 19, additionally comprising steps of receiving from the server node a file piece of an encrypted file of another user node and storing said file piece.
Application PCT/EP2018/057300, "Distributed data storage network nodes and methods", priority date and filing date 2018-03-22; published as WO2019179625A1 on 2019-09-26. Family ID 61899202; country status: WO.
Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref document number 18715542, country EP, kind code A1).
NENP: non-entry into the national phase (ref country code DE).
122 EP: PCT application non-entry in European phase (ref document number 18715542, country EP, kind code A1).