WO2008065351A1 - Self encryption - Google Patents

Publication number
WO2008065351A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
encryption
chunking
network
identify
Application number
PCT/GB2007/004440
Inventor
David Irvine
Original Assignee
David Irvine
Priority claimed from
GB0624058A (GB2446200A)
Application filed by
David Irvine

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • H04L2209/30 Compression, e.g. Merkle-Damgard construction
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • the system may simply allow a user to search for his chunks and through a challenge response mechanism, locate and authenticate himself to have authority to get/forget this chunk.

Abstract

This present invention provides a method for data to be obfuscated in several ways preferably including self encryption and decryption. The data is preferably chunked, renamed, byte or bit swapped, encrypted and compressed through algorithms seeded by elements preferably derived from the data itself so that data holds the key to reversing the processes used and preferably these keys may be recorded for later use.

Description

Self Encryption
STATEMENT OF INVENTION:
An issue with today's encryption techniques is that a user's key, biometric data or passphrase is used to encrypt every data element, thereby exposing the key on every data element encrypted. Another issue is that eventually all encryption is broken given enough resources, so it is safe to assume that today's strong encryption methods will not suffice in years to come. This implies that storing encrypted data now will not necessarily protect against that data being decrypted through some discovered process in the future.
This present invention overcomes these issues by first obfuscating the data, by splitting it into smaller elements, then swapping parts of that data around in a manner to make every element useless on its own, and preferably using known information from the preferably smaller elements or chunks as encryption data that will allow the other elements to be encrypted. This allows data to be hidden and encrypted in such a way that any attacker would need to obtain all data elements, know the manner in which they connect together and also then crack the encryption used. Even if the data chunks were not encrypted or their encryption was broken, they are useless on their own.
BACKGROUND:
Self-encryption is only possible with a combination of a number of elements. Described below is prior art for each element.
ENCRYPTION
WO2005093582 discloses a method of encryption where data is secured in the receiving node via a private tag for anonymous network browsing. However, numerous other encryption methods are also available, such as (i) implementation of the Reed Solomon algorithm (WO02052787), which ensures data is coded in parabolic fashion for self-repairing and storage, (ii) storage involving incremental backup (WO02052787), (iii) use of steganography (US2006177094), (iv) use of cipher keys (CN1620005), and encryption for non-text data (US2006107048); US2005108240 discloses user keys and randomly generated leaf node keys. The present invention uses none of these methods of encryption and in particular ensures all chunks are unique and do not point to another for security (an issue with Reed Solomon and N + K implementations of parabolic coding).
SELF-ENCRYPTION
Attempts to move towards attaining some limited aspects of self-encryption are demonstrated by:
(a) US2003053053625 discloses limitations of asymmetrical and symmetrical encryption algorithms, and an approach particularly not requiring generation of a key stream from symmetric keys, nor requiring any time synchronizing, with minimal computational complexity and capable of operating at high speed. A serial data stream to be securely transmitted is first demultiplexed into a plurality N of encryptor input data streams. Input data slices are created and passed through a cascade of stages, which include mapping and delay functions, to generate output slices. These are transmitted through a transmission channel. The decryptor applies the inverse steps of the cascade of stages, an equalizing delay function and mapping to generate output data slices. The output data streams are multiplexed. The encryptor and decryptor require no synchronizing or timing and operate in simple stream fashion. N:N mapping does not require expensive arithmetic and is implemented as a table lookup. This provides robust security and efficiency. A significant difference between this approach and prior cipher methods is that the session key is used to derive processing parameters (tables and delays) of the encryptor and decryptor in advance of data transmission, instead of being used to generate a key stream at real-time rates. An algorithm for generating parameters from a session key is disclosed. This is a data communications network and not related to the current invention.
(b) US2002184485 addresses secure communication, by encryption of a message (SSDO - self signing document objects), such that only a known recipient in possession of a secret key can read the message, and verification of a message, such that the text and origin of the message can be verified. Both capabilities are built into a message that can be transmitted over the internet and decrypted or verified by a computer implementing a document representation language that supports dynamic content, e.g. any standard web browser, such that elaborate procedures to ensure transmitting and receiving computers have the same software are no longer necessary. An encrypted message, or one encoded for verification, can carry within itself all information needed to specify the algorithm needed for decryption.
Summary of Invention
The main embodiments of this invention are as follows:
A system of self encryption which has the functional elements of:
1. Duplicate Removal
2. Storing Files
3. Chunking
4. Encryption / Decryption
... with the additionally linked functional elements of:
1. Identify Chunks
2. Self Healing
3. Storage and Retrieval
4. Security Availability
5. Provision of Key Pairs
A system of self-encryption of data in a distributed and peer to peer network
A product for self-encryption of data in a distributed and peer to peer network
A system to provide self-encryption in a distributed network which is made up of the inter-linkage of all or some of the following elements:
a. encryption / decryption
b. chunking
c. duplicate removal
d. storing files
A system to provide self-encryption in a distributed network which is made up of the inter-linkage of all or some of the following elements and sub-elements:
a. encryption / decryption
   i. key pair
   ii. security
b. chunking
   i. identify chunking
c. duplicate removal
   i. identify chunking
   ii. storage & retrieval
   iii. self healing
d. storing files
   i. identify chunking
   ii. storage & retrieval
   iii. self healing
A product for self-encryption in a distributed network which is made up of the inter-linkage of all or some of the following elements:
a. encryption / decryption
b. chunking
c. duplicate removal
d. storing files
A product for self-encryption in a distributed network which is made up of the inter-linkage of all or some of the following elements and sub-elements:
a. encryption / decryption
   i. key pair
   ii. security
b. chunking
   i. identify chunking
c. duplicate removal
   i. identify chunking
   ii. storage & retrieval
   iii. self healing
d. storing files
   i. identify chunking
   ii. storage & retrieval
   iii. self healing
A method of system and product for self-encryption of data in a distributed and peer to peer network
A method of above of securely protecting data in a distributed network, suitable for a self repairing process by chunking the data into many pieces.
A method of above where data privacy by byte or bit exchange and encryption is based on content derived from the data itself.
A method of above where data reconstitution capability is provided only for individuals who know of and/or have the original data elements.
A method of maximising disk space in a worldwide network by aiding the removal of duplicate files, as each data element will always produce the exact same chunks and names regardless of the actual file name itself.
A method of data encryption using only calculable elements from the file contents and not user keys or user passwords.
A method of above where the actual file is first passed through a content swapping (such as byte swapping) algorithm to completely dilute the contents across the data element(s), thereby rendering each chunk useless even if the encryption key is known.
DESCRIPTION
Detailed Description:
(References to IDs used in descriptions of the system's functionality)
MID - this is the base ID and is mainly used to store and forget files. Each of these operations will require a signed request. Restoring may simply require a request with an ID attached.
PMID - This is the proxy mid which is used to manage the receiving of instructions to the node from any network node such as get / put / forget etc. This is a key pair which is stored on the node - if stolen, the key pair can be regenerated, simply disabling the thief's stolen PMID - although there's not much that can be done with a PMID key pair.
CID - Chunk Identifier, this is simply the chunkid.KID message on the net.
TMID - This is today's ID a one time ID as opposed to a one time password. This is to further disguise users and also ensure that their MID stays as secret as possible.
MPID - The maidsafe.net public ID. This is the ID to which users can add their own name and actual data if required. This is the ID for messenger, sharing, non anonymous voting and any other method that requires we know the user.
MAID - this is basically the hash of and actual public key of the MID. This ID is used to identify the user actions such as put / forget / get on the maidsafe.net network. This allows a distributed PKI infrastructure to exist and be automatically checked.
KID - Kademlia ID, this can be randomly generated or derived from known and preferably anonymous information such as an anonymous public key hash as with the MAID. In this case we use kademlia as the example overlay network although this can be almost any network environment at all.
MSID - maidsafe.net Share ID, an ID and key pair specifically created for each share to allow users to interact with shares using a unique key not related to their MID which should always be anonymous and separate.
Linked elements for Self Encryption (Figure 1 - PT2)
The Self Encryption invention consists of 4 key functional elements, with a further 5 functional elements being linked with.
The key functional elements are:
P5 - Duplicate Removal
P6 - Storing Files
P7 - Chunking
P8 - Encryption / Decryption
The linked functional elements are:
P9 - Identify Chunks
P2 - Self Healing
P4 - Storage and Retrieval
P3 - Security Availability
P13 - Provision of Key Pairs
The self-encryption (PT2) itself is made up from linkage of elements, storing file (P6), duplicate removal (P5), chunking (P7) and encryption / decryption (P8), which allows a self-encryption process to provide security and global duplicate data removal. In addition, the storing file element (P6) is preferably dependent upon sub-elements storage and retrieval (P4) and identify chunks (P9), and generates sub-element self-healing (P2); the duplicate removal element (P5) is preferably dependent on sub-element identify chunks (P9); the chunking element (P7) generates sub-element identify chunks (P9); and the encryption / decryption element (P8) can be provided by sub-element provision of keys (P13) to ensure validity of the generating or requesting node's anonymous identity (e.g. we don't know who it is but we know it was the node that put the chunk there), thereby ensuring security availability (P3).
Chunking (Figure 1 - P7)
According to a related aspect of this invention, files are split preferably using an algorithm to work out the chunk size into several component parts. The size of the parts is preferably worked out from known information about the file as a whole, preferably the hash of the complete file. This information is run through an algorithm such as adding together the first x bits of the known information and using modulo division to give a chunk size that allows the file to preferably split into at least three parts.
Preferably known information from each chunk is used as an encryption key. This is preferably done by taking a hash of each chunk and using this as the input to an encryption algorithm to encrypt another chunk in the file. Preferably this is a symmetrical algorithm such as AES256.
Preferably this key is input into a password creating algorithm such as pbkdf, and an initial vector and key are calculated from that. Preferably the iteration count for the pbkdf is calculated from another piece of known information, preferably the sum of bits of another chunk or similar. Preferably each initial chunk hash and the final hash after encryption are stored somewhere for later decryption.
Self Encrypting Files (Figure 2a/b)
1. Take a content hash of a file or data element
2. Chunk a file with preferably a random calculable size i.e. based on an algorithm of the content hash (to allow recovery of file). Also obfuscate the file such as in 3
3. Obfuscate the chunks to ensure safety even if encryption is eventually broken (as with all encryption if given enough processing power and time)
a. chunk 1 byte 1 swapped with byte 1 of chunk 2
b. chunk 2 byte 2 swapped with byte 1 of chunk 3
c. chunk 3 byte 2 swapped with byte 2 of chunk 1
d. This repeats until all bytes are swapped and then repeats the same number of times as there are chunks, with each iteration making the next chunk the first one
e. i.e. second time round chunk 2 is the starting position
4. Take hash of each chunk and rename chunk with its hash.
5. Take h2 and first x bytes of h3 (6 in our example case) and either use modulo division or similar to get a random number between 2 fixed parameter (in our case 1000) to get a variable number. Use the above random number and h2 as the encryption key to encrypt h1, or use h2 and the random number as inputs to another algorithm (pbkdf2 in our case) to create a key and IV (initialisation vector).
6. This process may be repeated multiple times to dilute any keys throughout a series of chunks.
7. Chunk name i.e. h1 (unencrypted) and h1c (and likewise for each chunk) written to a location for later recovery of the data. Added to this we can simply update such a location with new chunks if a file has been altered, thereby creating a revision control system where each file can be rebuilt to any previous state.
8. The existence of the chunk will be checked on the net to ensure it is not already backed up. All chunks may be checked at this time.
9. If a chunk exists all chunks must be checked for existence.
10. The chunk is saved
11. The file is marked as backed up.
12. If a collision is detected the process is redone altering the original size algorithm (2) to create a new chunk set, each system will be aware of this technique and will do the exact same process till a series of chunks do not collide. There will be a back off period here to ensure the chunks are not completed due to the fact another system is backing up the same file. The original chunk set will be checked frequently in case there are false chunks or ones that have been forgotten. If the original names become available the file is reworked using these parameters.
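The chunking, key derivation and recovery record from the steps above, as an added example that is not code from the patent or from maidsafe.net. Assumptions made here: SHA-256 as the hash, a constant salt, bytes rather than bits summed for the chunk size, chunks stored under their post-encryption hash, wrap-around when picking the "next" chunks, a SHA-256 counter keystream standing in for AES256 so the block needs only the standard library, and the byte-swapping of step 3 left out.

```python
import hashlib

SALT = b"constructed-example-salt"   # assumption: the page specifies no salt
X_BYTES = 6                          # "first x bytes ... (6 in our example case)"
MODULUS = 1000                       # "fixed parameter (in our case 1000)"

# Constructed sample input: 10240 deterministic pseudo-random bytes.
SAMPLE = b"".join(hashlib.sha256(b"constructed sample %d" % i).digest()
                  for i in range(320))


def chunk_size(data, base=1024, min_chunks=3):
    """Steps 1-2: derive a calculable chunk size from the content hash."""
    if len(data) < min_chunks:
        raise ValueError("data too short to split into three parts")
    digest = hashlib.sha256(data).digest()
    size = base + sum(digest[:X_BYTES]) % base      # add up, then modulo
    return min(size, len(data) // min_chunks)       # guarantees >= 3 chunks


def derive_key_iv(hashes, i):
    """Step 5: key and IV for chunk i come from the hashes of two other chunks."""
    n = len(hashes)
    h_next, h_after = hashes[(i + 1) % n], hashes[(i + 2) % n]
    iterations = 1 + int.from_bytes(h_after[:X_BYTES], "big") % MODULUS
    okm = hashlib.pbkdf2_hmac("sha256", h_next, SALT, iterations, dklen=48)
    return okm[:32], okm[32:]                       # 256-bit key, 128-bit IV


def keystream_xor(key, iv, data):
    """Stand-in cipher (NOT AES256): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def self_encrypt(data):
    """Return (data_map, store): the recovery record and the named chunks."""
    size = chunk_size(data)
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    hashes = [hashlib.sha256(c).digest() for c in chunks]     # step 4
    data_map, store = [], {}
    for i, chunk in enumerate(chunks):
        key, iv = derive_key_iv(hashes, i)
        enc = keystream_xor(key, iv, chunk)
        name = hashlib.sha256(enc).hexdigest()      # hash after encryption
        store[name] = enc                           # step 10: chunk is saved
        data_map.append((hashes[i].hex(), name))    # step 7: both hashes kept
    return data_map, store


def self_decrypt(data_map, store):
    """Rebuild the file; every chunk is checked before and after decryption."""
    hashes = [bytes.fromhex(pre) for pre, _ in data_map]
    parts = []
    for i, (_, name) in enumerate(data_map):
        enc = store[name]
        if hashlib.sha256(enc).hexdigest() != name:
            raise ValueError("stored chunk does not match its name")
        key, iv = derive_key_iv(hashes, i)
        chunk = keystream_xor(key, iv, enc)
        if hashlib.sha256(chunk).digest() != hashes[i]:
            raise ValueError("decrypted chunk does not match the data map")
        parts.append(chunk)
    return b"".join(parts)


if __name__ == "__main__":
    data_map, store = self_encrypt(SAMPLE)
    print(len(data_map), "chunks; round trip ok:",
          self_decrypt(data_map, store) == SAMPLE)
```

Running it twice on the same bytes yields the same chunk names, which is the property the duplicate check in steps 8 and 9 depends on; it equally means anyone holding the same file can compute those names.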
Duplicate Removal (Figure 1 - P5)
According to a related aspect of this invention, data chunked and ready for storing can be stored on a distributed network, but a search should preferably be carried out for the existence of all associated chunks created. Preferably the locations of the chunks have the same ranking (from the earlier ranking system) as the user or better, otherwise the existing chunks on the net are promoted to a location of equivalent rank at least. If all chunks exist then the file is considered as already backed up. If less than all chunks exist then this will preferably be considered as a collision (after a time period) and the file will be re-chunked using the secondary algorithms (preferably just adjusted file sizes). This allows duplicate files on any 2 or more machines to be only backed up once, although through perpetual data several copies will exist of each file; this is limited to an amount that will maintain perpetual data.
Encrypt - Decrypt (Figure 1 - P8)
According to a related aspect of this invention, the actual encrypting and decrypting is carried out via knowledge of the file's content and this is somehow maintained (see next). Keys will be generated and preferably stored for decrypting. Actually encrypting the file will preferably include a compression process and further obfuscation methods. Preferably the chunk will be stored with a known hash preferably based on the contents of that chunk.
Decrypting the file will preferably require the collation of all chunks and rebuilding of the file itself. The file may preferably have its content mixed up by an obfuscation technique rendering each chunk useless on its own.
Preferably every file will go through a process of byte (or preferably bit) swapping between its chunks to ensure the original file is rendered useless without all chunks.
This process will preferably involve running an algorithm which preferably takes the chunk size and then distributes the bytes in a pseudo random manner, preferably taking the number of chunks and using this as an iteration count for the process. This will preferably protect data even in the event of somebody getting hold of the encryption keys, as the chunk data is rendered useless even if transmitted in the open without encryption.
This defends against somebody copying all data and storing for many years until decryption of today's algorithms is possible, although this is many years away.
This also defends against somebody who, instead of attempting to decrypt a chunk by creating the enormous number of keys possible (in the region of 2^54), creates the keys and presents chunks to all keys; if this were possible (which is unlikely) a chunk would decrypt. The process defined here makes this attempt useless.
All data will now be considered to be diluted throughout the original chunks and preferably additions to this algorithm will only strengthen the process.
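The byte swapping between chunks described above, with the number of chunks used as the iteration count, can be sketched as follows. This is an added example, not code from the patent: the function names are hypothetical, the seed is assumed to be a hash of the whole file recorded for later reversal, and Python's `random` module stands in for the unspecified pseudo-random distribution (it is not a cryptographic generator).

```python
import hashlib
import random


def round_permutations(seed: bytes, total: int, rounds: int):
    """One permutation of all byte positions per round, derived from the seed."""
    perms = []
    for r in range(rounds):
        # random.Random is a stand-in generator, not a cryptographic one.
        rng = random.Random(hashlib.sha256(seed + r.to_bytes(4, "big")).digest())
        perm = list(range(total))
        rng.shuffle(perm)
        perms.append(perm)
    return perms


def split(buf: bytes, sizes):
    """Cut buf back into chunks of the original sizes."""
    out, pos = [], 0
    for n in sizes:
        out.append(buf[pos:pos + n])
        pos += n
    return out


def swap_between_chunks(chunks, seed: bytes):
    """Scatter every byte across all chunks; iteration count = number of chunks."""
    sizes = [len(c) for c in chunks]
    buf = b"".join(chunks)
    for perm in round_permutations(seed, len(buf), len(chunks)):
        buf = bytes(buf[src] for src in perm)
    return split(buf, sizes)


def unswap_chunks(chunks, seed: bytes):
    """Invert swap_between_chunks; needs every chunk and the same seed."""
    sizes = [len(c) for c in chunks]
    buf = b"".join(chunks)
    for perm in reversed(round_permutations(seed, len(buf), len(chunks))):
        plain = bytearray(len(buf))
        for dst, src in enumerate(perm):
            plain[src] = buf[dst]
        buf = bytes(plain)
    return split(buf, sizes)


# Constructed sample: three 64-byte chunks, seed = hash of the whole file.
SAMPLE = [b"A" * 64, b"B" * 64, b"C" * 64]
SEED = hashlib.sha256(b"".join(SAMPLE)).digest()
```

In this sketch each swapped chunk still exposes raw byte values and hides only their positions, so the swap complements the encryption step rather than replacing it. The recorded seed reverses the whole process and needs the same protection as a key.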
Security (Figure 1 - P3)
According to a related aspect of this invention, each file is split into small chunks and encrypted to provide security for the data. Only the person or the group, to whom the overall data belongs, will know the location of the other related but dissimilar chunks of data.
Preferably, each of the above chunks does not contain location information for any other dissimilar chunks; which provides for security of data content, a basis for integrity checking and redundancy. Preferably, the method further comprises the step of only allowing the person (or group) to whom the data belongs to have access to it, preferably via a shared encryption technique which allows persistence of data.
Preferably, the checking of data or chunks of data between machines is carried out via any presence type protocol such as a distributed hash table network.
Preferably, on the occasion when all data chunks have been relocated, i.e. the user has not logged on for a while, a redirection record is created and stored in the super node network (a three copy process, similar to data). Therefore, when a user requests a check, the redirection record is given to the user to update their database, which provides efficiency that in turn allows data resilience in cases where network churn is a problem, as in peer to peer or distributed networks. This system message can preferably be passed via the messenger system described herein.
Preferably the system may simply allow a user to search for his chunks and through a challenge response mechanism, locate and authenticate himself to have authority to get/forget this chunk.
Further, users can decide on various modes of operation, preferably such as maintaining a local copy of all files on their local machine, unencrypted or chunked, or chunking and encrypting even local files to secure the machine (preferably referred to as off line mode operation); or indeed users may decide to remove all local data and rely completely on preferably maidsafe.net or a similar system to secure their data.

Claims

1. A system to provide self-encryption in a distributed network which allows the data to be chunked, renamed, byte or bit swapped, encrypted and compressed through algorithms seeded by elements derived from the data itself so that data holds the key to reversing the processes used and these are recorded for later use and aids security and duplicate removal on a network wide basis this system comprises of combination of following steps;
   a. encryption / decryption
   b. chunking
   c. duplicate removal
   d. storing files
   the above combination provides a unique system with cumulative and synergistic benefits to allow people to secure communications and secure data.
2. A system of claim 1 to provide self-encryption in a distributed network which allows the data to be chunked, renamed, byte or bit swapped, encrypted and compressed through algorithms seeded by elements derived from the data itself so that data holds the key to reversing the processes used and these are recorded for later use and aids security and duplicate removal on a network wide basis this system comprises of combination of following steps;
   a. encryption / decryption, which further comprises of key pair and security,
   b. chunking, which further comprises of identify chunking,
   c. duplicate removal, which further comprises of identify chunking,
   d. storing files, which further comprises of identify chunking, storage & retrieval and self healing
   the above combination provides a unique system with cumulative and synergistic benefits to allow people to secure communications and secure data.
3. A product to provide self-encryption in a distributed network which allows the data to be chunked, renamed, byte or bit swapped, encrypted and compressed through algorithms seeded by elements derived from the data itself so that data holds the key to reversing the processes used and these are recorded for later use and aids security and duplicate removal on a network wide basis this product comprises of combination of following steps;
   e. encryption / decryption
   f. chunking
   g. duplicate removal
   h. storing files
   the above combination provides a unique product with cumulative and synergistic benefits to allow people to secure communications and secure data.
4. A product of claim 3 to provide self-encryption in a distributed network which allows the data to be chunked, renamed, byte or bit swapped, encrypted and compressed through algorithms seeded by elements derived from the data itself so that data holds the key to reversing the processes used and these are recorded for later use and aids security and duplicate removal on a network wide basis this product comprises of combination of following steps;
   a. encryption / decryption, which further comprises of key pair and security,
   b. chunking, which further comprises of identify chunking,
   c. duplicate removal, which further comprises of identify chunking,
   d. storing files, which further comprises of identify chunking, storage & retrieval and self healing
   the above combination provides a unique system with cumulative and synergistic benefits to allow people to secure communications and secure data
5. A method of claim 1-4 where it is to identify data elements using a data map with only a sequence of content hashes for each chunk of data before and after encryption;
6. A method of claims 1-5 storing and retrieving these maps on an insecure network;
7. A method of claim 5 where each, new iteration of a data element is appended to the data map to create a strong revision control system;
8. A method of claim 5 where data elements are obfuscated by encryption or other obfuscation technique, or similar, can be reconstructed in conjunction with the data map;
9. A method of claim 5 where the maps can be stored in private or public locations and/or biometrically accessed;
10. A system of claims 1-2 which allows data to have multiple locations, revisions and encryption or other obfuscation techniques and for the pointer to the data to be a very small file containing the basic information to reconstitute a complete data element at any time from any location on the network;
11. A system of claims 1-2 which allows the identification of which chunks to make up which files;
12. A system of claims 1-2 which allows data maps which preferably become discrete data chunks on the network, just like any other associated data element and are therefore undetectable as data maps;
PCT/GB2007/004440 2006-12-01 2007-11-21 Self encryption WO2008065351A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0624058.4 2006-12-01
GB0624058A GB2446200A (en) 2006-12-01 2006-12-01 Encryption system for peer-to-peer networks which relies on hash based self-encryption and mapping
GB0709761.1A GB2444343B (en) 2006-12-01 2007-05-22 Self encryption
GB0709761.1 2007-05-22

Publications (1)

Publication Number Publication Date
WO2008065351A1 (en) 2008-06-05

Family

ID=39102993

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2007/004440 WO2008065351A1 (en) 2006-12-01 2007-11-21 Self encryption

Country Status (1)

Country Link
WO (1) WO2008065351A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5727062A (en) * 1995-07-06 1998-03-10 Ritter; Terry F. Variable size block ciphers
WO1999037054A1 (en) * 1998-01-16 1999-07-22 Kent Ridge Digital Labs A method of data storage and apparatus therefor
US20020038296A1 (en) * 2000-02-18 2002-03-28 Margolus Norman H. Data repository and method for promoting network storage of data
WO2003012666A1 (en) * 2001-07-27 2003-02-13 Digital Doors, Inc. Computer software product for data security of sensitive words characters or icons

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8238552B2 (en) 2009-02-13 2012-08-07 Guidance Software, Inc. Password key derivation system and method
CN102402488A (en) * 2010-09-16 2012-04-04 电子科技大学 Encryption scheme for disk-based deduplication system (ESDS)
EP2873187A1 (en) * 2012-04-16 2015-05-20 Maidsafe.net Limited Method of encrypting data
US10216940B2 (en) * 2015-03-27 2019-02-26 Change Healthcare Holdings, Llc Systems, methods, apparatuses, and computer program products for truncated, encrypted searching of encrypted identifiers
US10142397B2 (en) 2016-04-05 2018-11-27 International Business Machines Corporation Network file transfer including file obfuscation
US10826969B2 (en) 2016-04-05 2020-11-03 International Business Machines Corporation Network file transfer including file obfuscation
WO2020036650A3 (en) * 2018-04-25 2020-03-26 The Regents Of The University Of California Compact key encoding of data for public exposure such as cloud storage
US11334676B2 (en) 2018-04-25 2022-05-17 The Regents Of The University Of California Compact key encoding of data for public exposure such as cloud storage

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07824654; Country of ref document: EP; Kind code: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07824654; Country of ref document: EP; Kind code: A1)