WO2022241571A1 - Système et procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs - Google Patents

Système et procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs Download PDF

Info

Publication number
WO2022241571A1
WO2022241571A1 PCT/CA2022/050811 CA2022050811W WO2022241571A1 WO 2022241571 A1 WO2022241571 A1 WO 2022241571A1 CA 2022050811 W CA2022050811 W CA 2022050811W WO 2022241571 A1 WO2022241571 A1 WO 2022241571A1
Authority
WO
WIPO (PCT)
Prior art keywords
custodian
data
slice
encrypted
user
Prior art date
Application number
PCT/CA2022/050811
Other languages
English (en)
Inventor
Yuming QIAN
Patricia POPERT-FORTIER
Francois Dumas
Jasseem ALLYBOKUS
Original Assignee
Zeu Technologies, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zeu Technologies, Inc. filed Critical Zeu Technologies, Inc.
Publication of WO2022241571A1 publication Critical patent/WO2022241571A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the specification relates generally to blockchains, and, in particular, to securing data using blockchain technology.
  • Blockchain technology uses blockchain data structures to verify and store data.
  • Blockchain employs distributed node consensus algorithms to provide a new distributed infrastructure and computing paradigm to generate and update data.
  • Cryptography is used in blockchains to ensure secure transmission of data and mitigate unauthorized data access, while smart contracts are often employed to execute automated script codes to program and manipulate data.
  • a method of storing user data for a user in a system including: a blockchain having a first custodian node, a second custodian node, and a custodian contract; and a first and second identity challenge providers associated with the first and second custodian nodes respectively, the method including: upon the size of the user data being above a threshold; generating a random key; encrypting the user data to with the random key to form an encrypted user data; storing the encrypted user data in the distributed storage at an address; and forming private data including the random key and the address; otherwise: encrypting the user data with the a public key of the user to form the encrypted user data; and forming the private data including the encrypted data and a private key of the user; and storing the private data in the blockchain.
  • the method of further includes: slicing the private data into a first slice and a second slice; encrypting the first slice with a first public key of the first custodian node to form a first encrypted slice; and encrypting the second slice with a second public key of the second custodian node to form a second encrypted slice; and storing in the blockchain, the first encrypted slice and the second encrypted slice.
  • the method of further includes: receiving, by one of the first and second custodian nodes, a request to store the user data; using each identity challenge provider: providing at least one challenge to the user; receiving a correct response to the at least one challenge from the user; and encrypting the at least one challenge and the correct response with the public key of each custodian node to form encrypted sets of challenge and response; and storing the encrypted sets to the blockchain.
  • the method of further includes: receiving a request to access the user data by an applicant with a new account on the blockchain; using each of the first and second identity challenge providers: providing at least one challenge to the applicant; and receiving a response to the at least one challenge from the applicant; holding a vote of the first and second identity challenge providers to determine if the applicant with the new account is the user that stored the user data; upon determining that the applicant is the user: decrypting, by the first custodian node, the first encrypted slice; decrypting, by the second custodian node, the second encrypted slice; forming the copy of the user data using the decrypted first and second encrypted slices; and providing the applicant with access to the copy of the user data restored from the first and second custodian nodes; otherwise: denying the applicant access to the copy of the user data.
  • a system including: a processor in communication with a processor readable medium including processor executable instructions implementing: a blockchain including a plurality of nodes including at least a first custodian node and a second custodian node, the blockchain further including a custodian contract; a first and second identity challenge providers associated with the first and second custodian nodes respectively; the processor executable instructions, when executed, implementing the steps of: upon the size of the user data being above a threshold; generating a random key; encrypting the user data to with the random key to form an encrypted user data; storing the encrypted user data in the distributed storage at an address; and forming private data including the random key and the address; otherwise: encrypting the user data with the a public key of the user to form the encrypted user data; and forming the private data including the encrypted data; and storing the private data in the blockchain.
  • the system includes N custodian nodes and the private data is sliced into N slices, and wherein the i th custodian node encrypts and stores the i th slice and the ((i + 1) modulo N) th slice, where 1 ⁇ i ⁇ N.
  • each slice is encrypted and stored by at least two different custodian nodes.
  • FIG. 1 is a simplified block diagram of a blockchain system exemplary of an embodiment of the present invention and its operating environment;
  • FIG. 2 is a schematic diagram showing various physical and logical components of the computer system for implementing the nodes and other components of FIG. 1;
  • FIG. 3a and FIG. 3b are representations of an exemplary organization of user data before and after a custodian fails to timely provide a segment of the user data;
  • FIG. 4 is a sequence diagram illustrating a set of steps for a procedure to store user data
  • FIG. 5 is a sequence diagram illustrating a set of steps for a procedure to restore user data, exemplary of an embodiment of the present invention.
  • a "blockchain” is a tamper-evident, shared digital ledger that records transactions in a public or private peer-to-peer network of computing devices.
  • the ledger is maintained as a growing sequential chain of cryptographic hash-linked blocks.
  • a “node” is a computing device on a blockchain network.
  • the device is typically be a computer having a processor interconnected to a processor readable medium including memory, having processor readable instructions thereon.
  • Any module, unit, component, server, computer, terminal, engine or device exemplified herein that executes instructions may include or otherwise have access to computer readable media such as storage media, computer storage media, or data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape.
  • Computer storage media may include volatile and non volatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by an application, module, or both. Any such computer storage media may be part of the device or accessible or connectable thereto.
  • any processor or controller set out herein may be implemented as a singular processor or as a plurality of processors. The plurality of processors may be arrayed or distributed, and any processing function referred to herein may be carried out by one or by a plurality of processors, even though a single processor may be exemplified.
  • FIG. 1 is a simplified block diagram of a system 100, exemplary of an embodiment of the present invention.
  • System 100 includes custodians 101a, 101b and 101c (individually and collectively, "custodian 101"); identity challenge providers 102a, 102b and 102c (individually and collectively, “identity challenge provider 102"), and custodian accounts 103a, 103b and 103c (individually and collectively, "custodian accounts 103").
  • System 100 further includes a user app 105, applicant account 106 and a custody contract 107.
  • Custodians 101 may be reside on nodes in the blockchain 108 of system 100.
  • Each of the custodians 101a, 101b, 101c may be a peer custodian node.
  • system 100 Some components of system 100 include off-chain programs such as user app 105 executing on a mobile device. Others such as the custody contract 107 are on- chain programs operating on the blockchain.
  • FIG. 2 depicts a simplified block diagram of various physical elements of a computing device used to implement one or more components of system 100 of FIG. 1.
  • an exemplary computing device 20 has a number of physical and logical components including a processor 44, which may be the form of a central processing unit (“CPU"), as well as random access memory (“RAM”) 48, an input/output (“I/O") interface 52, a network interface 56, and non-volatile storage 60.
  • a high-speed interface circuit 64 enables processor 44 to communicate with the other components.
  • Processor 44 executes processor executable instructions in the form of at least an operating system, and a one or more applications including the software modules depicted in FIG. 1.
  • RAM 48 provides relatively responsive volatile storage to processor 44.
  • I/O interface 52 allows input to be received from one or more peripheral devices, such as a keyboard, a mouse, etc., and outputs information to output devices, such as a display and/or speakers.
  • Network interface 56 permits wired or wireless communication with other computing devices over computer networks such as the Internet.
  • Non-volatile storage 60 stores the operating system and programs, including computer-executable instructions for implementing the software implemented modules 22, 23, 26, 28 and 29 and associated code, data structures and objects, depicted in FIG. 1. During operation of computing device 20, the operating system, the programs and the data may be retrieved from non-volatile storage 60 and placed in RAM 48 to facilitate execution.
  • Custodian 101 is a component that stores data in the blockchain and distributed storage 104, depending on the size of the data.
  • a data interchange format such as the following JSON (JavaScript Object Notation) strings are defined for items to be stored in blockchain:
  • DataType defines the storage type for the data.
  • DataType may be set to RAW or ADDR. If DataType is set to RAW, raw data will be stored in the blockchain, and the DATA field will contain the sharded data slice, which will be encrypted with the custodian account's public key (pubkey). In this embodiment, although the existence of the encrypted data may be discernable to the public, only the custodian could decrypt it.
  • the DataType field is set to ADDR. That is, if the size of data to be stored is greater than a predetermined threshold, the data itself will be stored in the distributed storage 104 and the address of the data in distributed storage 104 will be stored in the blockchain.
  • the threshold may be about 1000 bytes or 1024 bytes or the like.
  • An applicant or user will generate a random key, encrypt the data with the random key with a predefined encryption scheme (e.g., AES encryption), store the data in a form of distributed storage (e.g., Amazon S3TM, Azure BlobTM or IPFS), and receive a storage address.
  • AES encryption e.g., Amazon S3TM, Azure BlobTM or IPFS
  • the applicant stores the random key with the storage address in the blockchain.
  • the data field associated with DataType will contain the storage address.
  • the ShareKey data field will store the share key address.
  • Identity challenge provider 102 is a module that determines if a user has account authority. When a user requests sensitive data storage service, identity challenge provider 102a will contract with each identity challenge provider 102b, 102c, in custodian nodes.
  • the challenge may be an email confirmation.
  • the identity challenge providerl02 will send a confirmation email to a pre-authorized email address, and the user must click the link in the email to confirm he is the owner of that email address.
  • a mobile phone short messaging service SMS
  • Identity challenge provider 102 will send a random digital number to the user's pre-authorized phone number, and the user must provide the correct digital number to confirm he or she is the owner of that phone number.
  • the challenge may be a social media token.
  • Identity challenge provider 102 will verify that the user has logged into a pre-authorized social media account to prove he is the owner of the pre-recorded account. When the user passes the challenge, the identity challenge provider 102 will notify custody contract 107 through the respective custodian account 103.
  • Custodian account 103 is a blockchain account used to communicate with the custody contract 107.
  • distributed storage 104 is used to store large data, which is encrypted (e.g., with an AES key). Any third party distributed data storage such as Azure BlobTM, Amazon S3TM, or InterPlanetry File Systm (IPFS) which may be provided as cloud service may be used to implement distributed storage 104. To keep the data safe, duplicates of the data may be stored in multiple data storage services. The data may be stored only after full encryption to mitigate the risk of a data leak.
  • Azure BlobTM Amazon S3TM
  • IPFS InterPlanetry File Systm
  • User app 105 is a software application providing a user interface to interact with identity challenge provider 102, both of which are off-chain programs. User app 105 contacts the custody contract 107 through the applicant account 106. User app 105 is software in the form of a plurality of processor executable instructions stored on a processor readable medium.
  • the processor readable medium may include volatile and non-volatile memory, removable and non-removable media implemented in any method or technology for storage of information, such as processor readable instructions, processor executable instructions, data structures, data, program modules and the like.
  • a user communicates with identity challenge provider 102 and provides the correct responses to the challenges provided, in order to store the data in distributed storage 104.
  • the user then invokes custody contract 107 to verify the user's identity and store the secured data in the blockchain.
  • Applicant account 106 is an account that allows a user to interact with blockchain system 100. However, the account may not be same one originally used by the user to store and retrieve data. As the user may have lost his original account keys, system 100 is able to restore the user's data even without the user's account information.
  • a user associated with a new account passes the challenges from the identity challenge provider with an acceptable ratio (i.e., above a predefined threshold) of correct responses, it may be surmised that the user associated with the new account for retrieving the data is the same user of the previous original account used to store the data.
  • Custody contract 107 is the core contract running on blockchain system 100 responsible for slicing the data, keeping the data slice to custodian mapping relationship, and deciding whether or not to grant the new user access. In the case of no longer having enough copies of the data slices due to custodian failure, the custody contract 107 reorganizes the data slices and create more copies for the data slices to ensure that at least two custodians hold each data slice. When a new user is granted access to a data slice, this contract 107 will also merge the slices, encrypt the data with the new user's public key, and send it to the new user.
  • FIG. 3a and FIG. 3b depict how a copy of desired data is restored, when a custodian fails to provide the service.
  • the first custodian 221 encrypts "Slice 1" and "Slice 2" with the public key of custodian 221 to form and store the encrypted slices 202, 203 respectively in the blockchain.
  • the second custodian 222 encrypts "Slice 2" and “Slice 3” with the public key of custodian 222 to form and store the encrypted slices 204, 205 in the blockchain.
  • the third custodian 223 encrypts "Slice 3" and "Slice 4" with the public key of custodian 223 to form and store encrypted slices 206, 207 in the blockchain.
  • the fourth custodian 224 encrypts "Slice 4" and "Slice 5" with the public key of custodian 224 to form and store encrypted slices 208, 209 in the blockchain.
  • the fifth custodian 225 encrypts "Slice 5" and "Slice 1" with the public key of custodian 225 to form and store encrypted slices 210, 211 in the blockchain.
  • the i th custodian node encrypts and stores the i th slice and the ((i mod N) + l) st slice, where 1 ⁇ i ⁇ N and mod is the modulo operation.
  • a backup custodian can be called upon to provide service and encrypt or decrypt the data.
  • the contract 201 when the custody contract 201 discovers a custodian has failed to respond for a certain period of time, the contract 201 will check the available copies of the slices in the blockchain system 100. If any slice has less than two copies available, the contract will start the process of rearranging the data slices.
  • the custody contract 201 will duplicate the data copy previously handled by the failed custodian.
  • "Slice 2" is kept by custodian 221and custodian 222.
  • the contract 201 will ask custodian 221 to decrypt its copy of "Slice 2" (i.e., encrypted slice 203) with its private key and assign the decrypted "Slice 2" copy to custodian 223.
  • the contract 201 will encrypt "Slice 2" with custodian 223's public key and store it back in the blockchain system 100. Therefore, after completing these operations, there will be two active copies of "Slice 2" and “Slice 3" in the blockchain again (namely encrypted slices 204' and 205' respectively).
  • the custody contract will assign the "Slice 3" copy to custodian 224 and encrypt "Slice 3" with custodian 224's public key to form encrypted slice 205' as depicted in FIG. 3b.
  • custodian 223 will be responsible for "Slice 2", “Slice 3”, and “Slice 4", while custodian 224 will be responsible for "Slice 3", “Slice 4", and "Slice 5".
  • An exemplary rule for to re-arrange the slice copies may be stated as: for any failed custodian, the contract will assign non-duplicated slices to the next two custodians in the ring. Thus, after re-arrangement, all slices must each have at least two active copies.
  • FIG. 4 depicts a sequence diagram illustrating a set of steps for a procedure to store private data, exemplary of an embodiment of the present invention.
  • user app 105 provides an interface to communicate with system 100.
  • Identity challenge provider 102 provides identity verification services whereas distributed storage 104 stores large data.
  • distributed storage 104 stores data encrypted (e.g., with an AES key) and returns a storage address.
  • the encrypted AES key and storage address are stored custodian 101 may encrypt and decrypt data and communicate with the blockchain for custody service custodian 101 manages sliced data.
  • Custody contract 107 running on the blockchain may be used to corroborate identity verification, and facilitates data storage and restoration.
  • a private data is defined as the AES key and the storage address, which are to be stored in the blockchain.
  • the user receives peer custodian address through custody contract 107.
  • a list of challenges is administered, and the user supplies the answers.
  • the user may select the challenges and submit the corresponding answers or responses to the custody contract 107.
  • the selected challenges and responses will be encrypted with the public key of the custodian 101 and stored in the blockchain.
  • the user finds the custodian 101 and submits a store private data request.
  • the custodian 101 may slice the data into N parts or slices where N is the number of peer custodian nodes.
  • Each of the custodians 101a, 101b, 101c may be peer custodian nodes in the blockchain 108 of system 100.
  • Custodian 101 encrypts each slice with the respective peer custodian's public key and call custody contract 107 to store each of the encrypted slices in the blockchain.
  • step 311 a periodic task is undertaken to inform each custodian how many custodians exist in the system.
  • custody contract 107 is called and stores the encrypted private data to the blockchain.
  • FIG. 5 depicts a sequence diagram illustrating a set of steps for a procedure to restore private data, exemplary of an embodiment of the present invention.
  • the illustrated steps restore data from the blockchain if the user's account access was lost.
  • a user with new user account requests via user app 105, a list of challenge providers' addresses from custody contract 107.
  • the user via user app 105, communicates with each challenge provider 102a, 102b, 102c and completes the challenge tasks.
  • the challenge task may include one or more of answering challenge questions, verifying an email address, verifying an SMS, verifying a social media account, and the like.
  • the challenge provider 102 sends the challenge result to the custody contract 107.
  • custody contract 107 will hold a vote to check if the user's success rate is higher than the pre-defined authentication level or threshold. If so, the custody contract will consider that the user to be the owner as of the previous user account and grants the new user account an access token. With this access token, the custodian will grant the new account access to the data of the previous user account.
  • step 410 the user can communicate with custody contract 107 and request restoration of the private data.
  • each custodian 101 decrypts their private data slice and sends decrypted data slices to the custody contract 107.
  • the custody contract 107 will restore the private data from these received slices.
  • the private data may contain the AES key and the distributed storage address in distributed storage 104.
  • the first contacted custodian 101 receives the encrypted large data from the distributed storage 104.
  • the custodian 101 will send the encrypted large data to the user with the AES key encrypted with the new user's public key.
  • the new user account can now decrypt and restore the original data.
  • a method and system for the safe custody of private data using blockchain are provided, such that the user's public key encryption is used by default to keep private data in the blockchain.
  • a secure safe deposit box system is constructed through a contract to back up and restore the stored data, ensuring that the private data can be recovered safely even after the user account is lost.
  • a method and system for the safe custody of private data using blockchain are provided, such that when the user forgets the account keys, the data saved by the account can be restored through challenge tasks.
  • a method and system for the secure storage of private data using blockchain are provided, such that when the amount of private data is large, a symmetric encryption algorithm such as AES is used to encrypt the private data and save it in a distributed file system such as IPFS, AMAZON S3, etc. The system then saves the encryption key and storage address on the blockchain.
  • AES symmetric encryption algorithm
  • a method and system for the safe custody of private data using blockchain are provided, such that the user's private data or data address and key stored on the blockchain can be directly retrieved through the user account's private key.
  • the amount of data is less than IK, it is directly saved to the blockchain.
  • the blockchain only saves the address and key of the data.
  • the user can retrieve the data address and key through the private key and use the address in the distributed file. After obtaining the encrypted data block in the system, the key can be used to decrypt the original data.
  • a method and system for the safe custody of private data using blockchain are provided, such that a distributed key security algorithm is constructed, and the private data or custody keys to be kept are divided amongst multiple custodians for encryption. For safekeeping, all decrypted fragments can only be retrieved after the applicant passes the verification challenge tasks and reaches the preassigned threshold.
  • a method and system for the safe custody of private data using blockchain are provided, such that the user identity certification is completed by defining challenge tasks.
  • These challenge tasks can include but are not limited to challenge questions, the use of email, mobile phone text messages, social media account verification, bank account verification, personal information verification, and general Internet ID (such as Facebook or Google account) verification, etc. If the user verification result is consistent with the pre-stored result in the contract, it will prove that the user is the owner of the private data.
  • a method and system for the safe custody of private data using blockchain are provided.
  • the system includes a blockchain contract and a verified account recovery system.
  • each custodian needs to independently complete the challenge tasks to verify the applicant's identity. After the verification is successfully completed, the custodian contract will encrypt the stored data fragments and send them to the new application address.
  • a method and system for the safe custody of private data using blockchain are provided, such that the data is divided according to the number of custodians.
  • each custodian keeps two parts: the N th slice and the (N + l) st slice.
  • Each data fragment will have two copies securely kept by at least two custodians.
  • a method and system for the safe custody of private data using blockchain are provided, such that, after data segmentation, if a custodian cannot continue to provide custody services, the data custody contract will coordinate the other custodians to obtain the copies of the private data fragments held by the invalid custodian and hand them over to the next two custodians for safekeeping.
  • This arrangement ensures that the number of copies of each data fragment remains unchanged. This feature ensures that the system can resist the failure of N-l custodians while still guaranteeing the data custody of the system's service capabilities.
  • the data to be kept is to be signed with the user's private key and encrypted with the user's public key. The data is stored in the blockchain safely through the custody contract. When the data needs to be retrieved, the user's private key is used for decryption if the user's key is not lost.
  • the encryption key for large data is generated by the applicant using a random method
  • the generation algorithm may be a has function that takes the time, user identification and a random input such as HASH (timestamp + user ID + random amount given by the user), and the data uses the public key using the AES algorithm.
  • HASH timestamp + user ID + random amount given by the user
  • the data uses the public key using the AES algorithm.
  • After encryption it is stored in multiple sets of unrelated distributed file systems to ensure that there is still a usable copy if one set of file systems fails. For different distributed file systems, obtain the address information for the data storage, and use the address information as the private data's fingerprint.
  • the user's original small amount of data or, when the amount of data is large, the distributed storage address and the public key form the private data to be kept.
  • the private data is BASE64 encoded, it is divided according to the number of available custodians. N is divided into equal parts; then, the shards are reassembled and handed over to each custodian for safekeeping.
  • the private data when applying for custody of the private data, is segmented according to the consistent hash method, that is, assuming that there are N custodians, the data is divided into N parts, and the M th custodian keeps the M th data. For the data and the M th +1 data, the Nth custodian keeps the N th data and the first data. In this way, we can ensure that each piece of data has at least two copies, and there are two custodians. After the custody is completed, in the future, when the data is restored, as long as the two adjacent custodians are able to provide services, the data must be recoverable.
  • the segmentation method is shown in FIG. 2.
  • each custodian when applying for custody of the private data, each custodian proposes a challenge method, and the applicant completes the challenge by answering the challenge. The custodian saves the challenge method and answer.
  • the custodian after the custodian receives the applicant's data request, it packs the data fragments and challenge methods and answers, then encrypts them with the custodian's public key and saves them on the blockchain.
  • the data message will only be available in the future when the custodian authorizes decryption with the custodian's private key.
  • the custodian can decrypt the data fragments only after the custody contract confirms that the applicant has passed the challenge verification.
  • users need to set up the identity challenges for the custodian before submitting the custodial data to each custodian. Specifically, the custodian asks questions, and the user provides proof or answers. The custody contract stores challenge answers.
  • the custodian after passing a user's identity challenge, the custodian sends the corresponding identity authentication pass notification to the blockchain custody contract.
  • the blockchain contract is based on the pre-agreed identity challenge success rate conditions (for example, passing 9 of the 10 challenge items) to decide if the challenge was successful.
  • the identity challenge results of each custodian node are integrated.
  • the contract confirms that the new applicant account and the old account belong to the same user, and the challenge success confirmation is sent to each custodian
  • the shard data in their respective custody is decrypted with the private key, encrypted with the contract key, and then the fragmented data is sent to the contract
  • the contract receives the fragmented data sent by the custodian, uses the contract key to decrypt it, and then assembles it.
  • the result of the assembly is encrypted with the public key of the new applicant account and sent to the new applicant account.
  • the custody contract can be in accordance with the contract. After the identity verification is passed, the custody data will be sent to other pre-defined account addresses.
  • a method and system for the safe custody of private data using blockchain are provided.
  • the method combines distributed storage and blockchain technology to store data fingerprints and keys on blockchain effectively.
  • the private data is divided into multiple segments, and the blockchain contract passes it to multiple custody accounts on the blockchain for encrypted storage.
  • the challenge method or challenge question for the data is set when the user stores the data.
  • the alternate recovery address can be set at the same time. If the private data or the account key when storing the data is lost, each custodian verifies the user's identity through the challenge tasks. Only after the user passes the challenge does the custody contract recognize the user's identity. It then retrieves the private data slices from each custody account, merges them, and returns the corresponding private data to the new user account.
  • the system includes two parts: the custody contract on the chain and the identity verifier off the chain.
  • the identity verifier is responsible for constructing the challenge method and verifying challenges. This part states the challenge method used by the owner of the private data to confirm the user's identity when the private data is forgotten.
  • the challenge methods can include but are not limited to the security questions, user email, mobile phone text messages, social media accounts, personal information, and Internet general IDs (such as Facebook or Google accounts).
  • the custody contract defines the specific data retrieval method. If the user loses the private key, he can use another account address to verify each custodian's challenge. When the user passes the agreed verification challenge, we consider the new account address and the previous account address used to store the data as belonging to the same user; the contract will notify the new account of the private data and encryption method according to the pre-arrangement. The new account can restore the private data.
  • the custody contract can also resist the invalidation of a certain number of custodians. If a custodian can no longer provide custodial services, the contract can automatically select the next custodian, extract the data kept by the invalid custodian through a copy, and hand it over to the next two valid custodians on the blockchain for safekeeping
  • the computer system is shown as a single physical computer, it will be appreciated that the computer system can include two or more physical computers in communication with each other. Accordingly, while the embodiment shows the various components of the computer system residing on the same physical computer, those skilled in the art will appreciate that the components can reside on separate physical computers.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un système et un procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs. Le procédé combine une technologie de stockage distribué et une technologie de chaîne de blocs pour stocker des empreintes de données et des clés sur une chaîne de blocs tout en fournissant efficacement une boîte de dépôt sécurisé pour les données. Les données sont segmentées en de multiples tranches, et un contrat de chaîne de blocs envoie les tranches à de multiples comptes de gardiennage sur la chaîne de blocs à des fins de stockage chiffré. Un fournisseur de questions d'identité hors chaîne stocke un ensemble de questions et de réponses correctes associé à un utilisateur stockant des données. Si un utilisateur perd l'accès à ses données en raison de la perte d'une clé privée, chaque gardien vérifie l'identité d'un nouveau compte d'utilisateur par l'intermédiaire de l'ensemble de questions. L'accès aux données stockées n'est accordé que si des réponses correctes sont fournies aux questions. Lors de l'octroi d'un accès, un contrat sur la chaîne de blocs récupère les multiples tranches de chaque compte de gardiennage, les fusionne et renvoie les données privées correspondantes au nouveau compte d'utilisateur.
PCT/CA2022/050811 2021-05-21 2022-05-20 Système et procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs WO2022241571A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163191378P 2021-05-21 2021-05-21
US63/191,378 2021-05-21

Publications (1)

Publication Number Publication Date
WO2022241571A1 true WO2022241571A1 (fr) 2022-11-24

Family

ID=84140299

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2022/050811 WO2022241571A1 (fr) 2021-05-21 2022-05-20 Système et procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs

Country Status (1)

Country Link
WO (1) WO2022241571A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115623080A (zh) * 2022-11-30 2023-01-17 四川汉唐云分布式存储技术有限公司 基于区块链的分布式存储方法、装置及计算机设备
CN116346508A (zh) * 2023-05-31 2023-06-27 深圳市东信时代信息技术有限公司 基于分片加密存储的信息传输方法、装置、设备及介质

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040146015A1 (en) * 2003-01-27 2004-07-29 Cross David B. Deriving a symmetric key from an asymmetric key for file encryption or decryption
US20120144448A1 (en) * 2010-12-01 2012-06-07 Microsoft Corporation Data Store Including a File Location Attribute
WO2017090041A1 (fr) * 2015-11-24 2017-06-01 Ben-Ari Adi Système et procédé pour la confidentialité de données par contrat intelligent de chaînes de blocs
US20180189333A1 (en) * 2017-01-03 2018-07-05 International Business Machines Corporation Limiting blockchain size to optimize performance
WO2019021107A1 (fr) * 2017-07-24 2019-01-31 nChain Holdings Limited Système et procédé mis en œuvre par ordinateur pour la gestion d'un grand groupe de mémoire distribué dans un réseau de chaîne de blocs
US20190036778A1 (en) * 2017-07-26 2019-01-31 International Business Machines Corporation Using blockchain smart contracts to manage dynamic data usage requirements
US20190281028A1 (en) * 2018-03-06 2019-09-12 Michael Thomas Gillan System and method for decentralized authentication using a distributed transaction-based state machine
WO2020146955A1 (fr) * 2019-01-18 2020-07-23 Zeu Crypto Networks Inc. Procédé de génération de nombres aléatoires dans des contrats intelligents à chaîne de blocs
US20200322131A1 (en) * 2016-07-29 2020-10-08 Workday, Inc. System and method for blockchain-based device authentication based on a cryptographic challenge
US20200374105A1 (en) * 2019-05-22 2020-11-26 Salesforce.Com, Inc. System or method to implement consensus on read on distributed ledger/blockchain
US10965448B1 (en) * 2017-05-03 2021-03-30 Board Of Trustees Of The University Of Illinois Dynamic distributed storage for scaling blockchain
WO2021081675A1 (fr) * 2019-10-31 2021-05-06 Zeu Crypto Networks Inc. Système et procédé de sauvegarde et de récupération sur la base d'une chaîne de blocs

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040146015A1 (en) * 2003-01-27 2004-07-29 Cross David B. Deriving a symmetric key from an asymmetric key for file encryption or decryption
US20120144448A1 (en) * 2010-12-01 2012-06-07 Microsoft Corporation Data Store Including a File Location Attribute
WO2017090041A1 (fr) * 2015-11-24 2017-06-01 Ben-Ari Adi Système et procédé pour la confidentialité de données par contrat intelligent de chaînes de blocs
US20200322131A1 (en) * 2016-07-29 2020-10-08 Workday, Inc. System and method for blockchain-based device authentication based on a cryptographic challenge
US20180189333A1 (en) * 2017-01-03 2018-07-05 International Business Machines Corporation Limiting blockchain size to optimize performance
US10965448B1 (en) * 2017-05-03 2021-03-30 Board Of Trustees Of The University Of Illinois Dynamic distributed storage for scaling blockchain
WO2019021107A1 (fr) * 2017-07-24 2019-01-31 nChain Holdings Limited Système et procédé mis en œuvre par ordinateur pour la gestion d'un grand groupe de mémoire distribué dans un réseau de chaîne de blocs
US20190036778A1 (en) * 2017-07-26 2019-01-31 International Business Machines Corporation Using blockchain smart contracts to manage dynamic data usage requirements
US20190281028A1 (en) * 2018-03-06 2019-09-12 Michael Thomas Gillan System and method for decentralized authentication using a distributed transaction-based state machine
WO2020146955A1 (fr) * 2019-01-18 2020-07-23 Zeu Crypto Networks Inc. Procédé de génération de nombres aléatoires dans des contrats intelligents à chaîne de blocs
US20200374105A1 (en) * 2019-05-22 2020-11-26 Salesforce.Com, Inc. System or method to implement consensus on read on distributed ledger/blockchain
WO2021081675A1 (fr) * 2019-10-31 2021-05-06 Zeu Crypto Networks Inc. Système et procédé de sauvegarde et de récupération sur la base d'une chaîne de blocs

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115623080A (zh) * 2022-11-30 2023-01-17 四川汉唐云分布式存储技术有限公司 基于区块链的分布式存储方法、装置及计算机设备
CN116346508A (zh) * 2023-05-31 2023-06-27 深圳市东信时代信息技术有限公司 基于分片加密存储的信息传输方法、装置、设备及介质
CN116346508B (zh) * 2023-05-31 2023-09-29 深圳市东信时代信息技术有限公司 基于分片加密存储的信息传输方法、装置、设备及介质

Similar Documents

Publication Publication Date Title
US11146541B2 (en) Hierarchical data access techniques using derived cryptographic material
JP7384914B2 (ja) 二重暗号化秘密パーツのサブセットを使用して秘密のアセンブリを可能にする二重暗号化秘密パーツ
US10425223B2 (en) Multiple authority key derivation
US10735193B1 (en) Decentralized encryption and decryption of blockchain data
WO2019179542A2 (fr) Amélioration de l'intégrité de communications entre des réseaux à chaîne de blocs et des sources de données externes
US9305177B2 (en) Source identification for unauthorized copies of content
US11698986B1 (en) Decentralized encryption and decryption of blockchain data
JP5650348B2 (ja) 移動中のデータをセキュア化するためのシステムおよび方法
US12041166B2 (en) Protecting data using controlled corruption in computer networks
Thangavel et al. Enabling ternary hash tree based integrity verification for secure cloud data storage
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
KR20130084604A (ko) 전자 문서들의 판독 가능성을 제어 및 제한하기 위한 방법
US9053130B2 (en) Binary data store
US20220405765A1 (en) Know your customer (kyc) and anti-money laundering (aml) verification in a multi-decentralized private blockchains network
WO2022241571A1 (fr) Système et procédé pour le gardiennage sécurisé de données privées utilisant une chaîne de blocs
US8667281B1 (en) Systems and methods for transferring authentication credentials
CN114629713B (zh) 身份验证方法、装置及系统
CN118260264A (zh) 一种用于分布式文件系统的用户友好型加密存储系统及方法
Srisakthi et al. Towards the design of a secure and fault tolerant cloud storage in a multi-cloud environment
Murthy Cryptographic secure cloud storage model with anonymous authentication and automatic file recovery
Nagesh et al. Cloud architectures encountering data security and privacy concerns—A review
US20130262881A1 (en) Binary Data Store
Kumari et al. A Review on Challenges of Security for Secure Data Storage in Cloud
Chandran et al. Data management issues in cloud integrated computing: A big picture
Parasuraman et al. Secured document management through a third party auditor scheme in cloud computing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22803522

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22803522

Country of ref document: EP

Kind code of ref document: A1