Select Page
Introducing the Access Control Trie (ACT) in Swarm

Introducing the Access Control Trie (ACT) in Swarm

by | Sep 16, 2024 | ,

by András Arányi

The Access Control Trie (ACT) is an essential feature designed to manage access control in Swarm’s decentralized storage infrastructure. It enables publishers to grant or revoke access to specific content at the chunk level using encrypted session keys. This guide will walk you through the key concepts and practical aspects of using ACT to protect your data in Swarm.

If you’re a content publisher and looking for a way to share data but maintain full control and privacy, you might find that the below concept of a fully fledged access control mechanism covers all your needs.

Content Publishers

⚠️ TLDR: Publishers can control access to their data by encrypting access keys for each viewer and adding/removing them from the ACT lookup table. ⚠️

As a publisher, you have full control over who can view your content. Using ACT, you can upload your data and grant access to specific grantees (viewers) by referring to their Swarm node wallets’ public keys. Additionally, you can revoke access at any time, ensuring that only authorized viewers have the ability to access your data.

What makes ACT unique is that, as opposed to other solutions which only encrypt data, ACT ensures that only the intended viewers will have access to the data. Everyone else is blocked, even from discovering an encrypted version of it. This significantly increases the privacy and security of your content, preventing unauthorized users from knowing the data even exists.

How to manage access:

  1. Upload your content to Swarm as you normally would, but with ACT request headers included.
  2. Assign access rights by adding the grantee’s public key to the ACT.
  3. If needed, revoke access by removing the grantee from the ACT.

Keep in mind: Publishers can control the latest version of content that grantees are able to access. If you update your content, viewers might still have access to an older version if they were granted access to that earlier version before.

You can learn more about how to manage access using tools like swarm-cli by following the tutorial in the Swarm documentation. These features are also fully supported by the Bee API (starting from version 7.0+), enabling any application to interact with them directly.

Grantees (Content Viewers)

⚠️ TLDR: Grantees can access the specific version of content that the publisher has granted access to, but may lose access to future versions if revoked. ⚠️

As a grantee, your ability to view the content is based on the public key of your Swarm node’s wallet and depends on the permission granted by the publisher. The process for gaining access is simple and secure, thanks to ACT’s encryption mechanisms.

How it works:

  • Your Swarm node wallet’s public key is used as a session key, which is then used to create two additional keys:
    • A lookup key to find your entry in the ACT lookup table.
    • An access key decryption key, allowing you to decrypt the content access key specifically encrypted for you.

This ensures that only you can decrypt the content, and you can retrieve the version of the content you have (or have had) permission for.

How ACT Manages Grantee Access

ACT employs a sophisticated mechanism to manage grantee access using public-key cryptography and secure key derivation. At the heart of this system is the ACT lookup table, a key-value store that securely links each grantee’s Swarm node wallet’s public key to an encrypted access key. Here’s a breakdown of how it works:

  1. Session Key:
    Each grantee’s Swarm node’s public and private key pair serves as their unique session key. This session key is crucial because it forms the basis for all further encryption steps related to the grantee’s access.
  2. Key Derivation via Diffie-Hellman:
    Using Diffie-Hellman key derivation, the session key is used to derive two important keys:
    • Lookup Key: This key is used to identify the specific entry for a grantee in the ACT lookup table.
    • Access Key Decryption Key: This key is used to decrypt the access key, which in turn allows the grantee to unlock the protected content.
  3. Encrypted Access Keys:
    The content access key is encrypted specifically for each grantee using their derived decryption key. This ensures that only the intended grantee can decrypt the access key and thus view the content. This per-grantee encryption adds a layer of security, preventing unauthorized access even if someone else obtains the encrypted data.
  4. ACT Lookup Table:
    The lookup table itself is implemented as a key-value store within a Swarm manifest. Each grantee’s public key maps to an encrypted access key, ensuring that only authorized users with the correct session and decryption keys can retrieve the access key and, subsequently, the content. This table allows publishers to manage access dynamically, adding or removing grantees as needed without compromising the security of the stored content.
  5. Adding and Removing Grantees:
    Publishers have the flexibility to dynamically add or remove grantees from the lookup table. When a grantee is added, their public key and the corresponding encrypted access key are stored in the lookup table.

Version Control and Historical Access:
The ACT maintains a version history, which includes timestamps for each version of the access control list. If a grantee’s access is revoked for new versions of the content, they can still access older versions to which they had been granted permission, based on the relevant timestamps.

Encryption and Security in ACT

⚠️ TLDR: Every element in the ACT process is encrypted, ensuring complete security of content and access control. ⚠️

As demonstrated earlier, encryption is central to how ACT is implemented. Every component, from the grantee list to the content access keys, is encrypted using strong cryptographic methods. This ensures that only authorized users can access your data, and any tampering or unauthorized access is effectively prevented.

Here’s how encryption is applied:

  • Grantee List Encryption:
    The list of grantees is encrypted using the publisher’s lookup key, ensuring that unauthorized users cannot even detect the existence of the grantee list. This adds another layer of privacy, as only the publisher and authorized grantees are aware of who has access.
  • Access Key Encryption:
    Each grantee’s access key is individually encrypted using their specific decryption key derived through the Diffie-Hellman process. This ensures that only the intended grantee can decrypt the access key and gain access to the protected content.
  • Historical Version Encryption:
    All versions of the ACT, including older ones, are protected by encryption. This means that even if a grantee’s access is revoked, the historical data they had access to remains encrypted and secure.

Content Encryption:
Finally, the actual content itself is encrypted at the chunk level. Only those who possess the correct access key (which is encrypted for each grantee) can decrypt and retrieve the content.

Key Takeaways

  • Publishers: Maintain control over your data and manage grantee access with fine-grained control using ACT. You can easily add or remove access rights and ensure your data is always protected by encryption.
  • Grantees: Access specific versions of content securely, knowing that only you have the ability to decrypt the content you’ve been granted access to.

For anyone operating in the Swarm ecosystem, the Access Control Trie (ACT) represents a critical advancement in decentralized content management, offering robust security while maintaining flexibility in access control.

If you’re interested in learning more about how ACT works or how to implement it in your Swarm nodes, have a look at the Swarm documentation.

ACT opens up endless possibilities in new type of business applications on decentralised infrastructures. If you want to know how or you already have a concept in mind have a look at our article dedicated to this topic and register your interest in a consultation with us here/

Fake IDs & Fraudulent KYC: Can Crypto Find Salvation in Swarm-Powered Decentralisation?

Fake IDs & Fraudulent KYC: Can Crypto Find Salvation in Swarm-Powered Decentralisation?

by | Feb 6, 2024 | ,

The “OnlyFake” scandal, exposing the ease of bypassing KYC checks with forged IDs, throws a spotlight on the vulnerabilities of centralised verification systems in crypto. But fear not, for decentralisation and Swarm, a leading decentralised data storage and distribution technology, might hold the key to a more secure and empowering future.

Centralised KYC: A Honeycomb for Hackers and Fraudsters

Storing user data on centralised servers creates a honeypot for malicious actors. Deepfakes become potent weapons, exploiting weak verification processes to jeopardise financial security and erode trust. Opaque verifications further exacerbate the issue, leaving users with little control over their data and fostering privacy concerns.

Swarm & Decentralization: Empowering Users, Fortifying Security

Decentralisation offers a paradigm shift. By storing user data on blockchains like Swarm, a distributed and tamper-proof ledger, we eliminate central points of attack. Users regain control through self-sovereign identities, fostering trust and transparency. But how do we verify attributes without exposing sensitive information?

Zero-Knowledge Proofs: Verifying Without Revealing

Zero-knowledge proofs (ZKPs) act as cryptographic shields. They allow individuals to prove they possess certain characteristics (e.g., being above 18) without revealing any underlying data. This guarantees privacy while maintaining the integrity of verification.

A Glimpse into the Future: Secure & Empowering Crypto Identity Management with Swarm

Imagine a world where:

  • Swarm-powered decentralised storage eliminates honeypots, making data breaches a distant memory.
  • ZKPs render deep fakes useless by focusing on attribute verification, not identities.
  • Users hold the reins of their data, fostering trust and transparency within the ecosystem.

Here’s how Swarm and ZKPs could work together:

  1. Store ID data on Swarm: Users upload their encrypted ID documents to the decentralised Swarm network, ensuring data privacy and distribution across multiple nodes.
  2. Zero-knowledge verification: When required, users leverage ZKPs to prove they possess necessary attributes (e.g., age) without revealing the entire document.
  3. Empowered control: Users maintain complete control over their data, deciding who can access specific attributes and revoking access as needed.

The “OnlyFake” incident serves as a stark reminder of the need for change. By embracing Swarm-powered decentralisation and ZKPs, we can create a crypto space where security, privacy, and user empowerment reign supreme.

The question now lies with you: Are you ready to join the movement towards a more secure and empowering crypto future?

Understanding Erasure Coding in Distributed Systems: A Guide to Swarm’s Innovative Approach

Understanding Erasure Coding in Distributed Systems: A Guide to Swarm’s Innovative Approach

by | Feb 1, 2024 |

Introduction to Data Storage in Distributed Systems

In our increasingly digital world, the importance of effective and secure data storage cannot be overstated. Distributed systems, such as cloud storage networks, represent a significant advancement in this area. These systems distribute data across multiple locations, ensuring accessibility and resilience against failures or data losses. However, this distributed nature also introduces unique challenges in terms of data storage and retrieval. For instance, ensuring data integrity and availability across different nodes in a network becomes more complex. Understanding these challenges is crucial for appreciating the innovative solutions like Swarm’s erasure coding, which are designed to address these specific issues.

Overview of Erasure Coding in Swarm

Imagine you have a jigsaw puzzle, and even if a few pieces are missing, you’re still able to recognise the picture. This analogy aptly describes the principle behind erasure coding, a method used for protecting data in distributed systems like Swarm. In Swarm’s context, erasure coding is not just a safety net for missing data; it’s a strategic approach to ensure data is both secure and optimally stored. This coding technique involves dividing data into chunks, then adding additional ‘parity’ chunks. These extra chunks allow the system to reconstruct the original data even if some chunks are lost or corrupted, much like how you can still make out a picture with a few missing puzzle pieces.

Comparison with Traditional Methods

Traditional data storage methods often rely on redundancy—storing multiple copies of data across different locations. While this approach is straightforward, it’s not the most efficient, especially in terms of storage space and resources. In contrast, erasure coding, as used in systems like Swarm, presents a more sophisticated solution. It strikes an optimal balance between data availability and storage efficiency. By storing additional parity information rather than complete data copies, erasure coding provides a reliable means of data recovery with less overall storage requirement. This efficiency makes it particularly suitable for distributed systems, where resource optimization is key.

Deep Dive into Swarm’s Erasure Coding

Swarm’s implementation of erasure coding through Reed-Solomon coding is a masterclass in data protection. This method, at its core, involves breaking down data into manageable chunks, followed by the creation of additional parity chunks. These extra chunks act as a safety mechanism, allowing for the reconstruction of the original data, should any part be lost or corrupted. It’s a method that mirrors the intricacies of a well-crafted puzzle, where each piece, even if minor, plays a crucial role in the bigger picture. This intricate process not only ensures data integrity but also bolsters the system’s ability to recover from unforeseen data losses.

Real-World Applications in Swarm

In practical scenarios, Swarm’s use of erasure coding is a game-changer, especially in maintaining data integrity and availability. In real-world applications, such as cloud storage services, this translates to an unparalleled reliability for users. Whether it’s safeguarding critical business documents or preserving cherished family photos, Swarm’s system ensures that users’ data remains intact and retrievable, even in the face of partial data losses. This level of reliability and security is what makes Swarm stand out in the crowded field of data storage solutions.

Benefits Specific to Swarm’s Approach

Swarm’s unique approach to erasure coding brings with it a suite of advantages. The enhanced data security that comes from this method is the most prominent, providing a robust shield against data loss. Moreover, the system’s efficiency in data storage is noteworthy; by reducing the need for redundant data copies, it significantly cuts down on storage requirements. This efficiency is not just about saving space – it’s also about optimising resources and reducing costs, making it a highly cost-effective solution for large-scale data storage needs.

Technical Challenges and Solutions

The implementation of erasure coding in Swarm, while beneficial, is not without its complexities. Managing the intricate balance between data accessibility, integrity, and storage efficiency presents a significant challenge. However, Swarm’s sophisticated coding techniques and network management strategies have been meticulously designed to address these issues. By continually refining these strategies, Swarm ensures a seamless and reliable user experience, maintaining its status as a leader in distributed data storage.

Conclusion

Erasure coding in distributed systems like Swarm marks a significant milestone in digital data storage and protection. In an era where data’s value is ever-growing, the importance of technologies like erasure coding cannot be understated – they are essential for the reliability and security of our digital world.

Tags