File Sharing
In-depth walkthrough of file sharing feature.
File sharing enables you to share the files in your allocation, either publicly or privately. Check Webapps documentation on how to use it from Blimp/Vult webapps. In this page, we'll be going into the internals of file sharing and the implementation of Proxy Re-Encryption for private file sharing.
Sharing Internals
File sharing depend on an AuthTicket
generated for the shared file, that is used to authenticate other users' access to the shared files.
AuthTicket format
The AuthTicket
is usually encoded in Base64 format and signed with the owner's private key. To access the information contained within the AuthTicket
, you can decode it to retrieve the following details:
client_id
The client of the user with whom you want to share this file/folder, or empty in case of public sharing.
owner_id
The ID (or wallet address) of the owner of the allocation.
allocation_id
The ID of the allocation containing this file.
file_path_hash
Hash of the file/folder path.
actual_file_hash
file_name
The name of the shared file/folder.
reference_type
Indicates whether it is a file or a folder.
expiration
The duration for which the AuthTicket remains valid.
timestamp
The timestamp when the AuthTicket was created.
re_encryption_key
encrypted
signature
The signature of the AuthTicket, used for validation.
Share a file/folder using zboxcli
You can share a file using the share
command in zboxcli:
What happens in the background is simply :
The blobber creates/updates the
ShareInfo
for thefile_path_hash
in theAuthTicket
, after validating the request.
Downloading a shared file/folder
What happens in the background is simply:
The blobber does some validation and verification checks on the request to make sure all is lined up, including:
Checks the path in the request is actually inside the allocation in the request.
Verifies the signature of the AuthTicket.
Verifies the owner of the ticket is the same as the owner of the allocation.
If the ticket has ClientID (meaning the file is privately shared with this specific client), then the blobber will verify that this client actually has access to this blobber. Otherwise, if ClientID is empty, then the file is publicly shared.
Checks the time now is later than
availableAfter
fromShareInfo
above.Checks the expiry, if expiration date is provided. Otherwise, a default expiry date of 90 Days used.
Checks the time now is later than
availableAfter
fromShareInfo
stored for this ticket.
Listing files in a shared folder
To list the files listed under the shared path in the AuthTicket
, you can use the list
command from zboxcli:
What happens under the hood is simply:
The client collects replies from the blobbers and returns the result in case consensus is achieved.
Revoking Access (Public/Private)
To revoke access for a publicly shared file, you'll need to use the zbox share
endpoint with --revoke
flag:
What happens under the hood is simply:
The blobber deletes the token related to the mentioned file (and the mentioned client in case of private sharing).
Private Sharing & Proxy Re-encryption
Our storage system enables secure private file sharing through authorization tickets (auth tickets) while maintaining access control and data confidentiality.
When a user shares a file privately, they generate an auth ticket tied to a specific recipient (client ID). This ensures that only the intended user can access the shared file without exposing the data to unauthorized parties.
For encrypted files, the system utilizes a proxy re-encryption (PRE) scheme that allows file sharing without requiring the owner to download and manually re-encrypt the data. This ensures a secure and efficient sharing process while maintaining end-to-end encryption.
1. Referee Key Generation
Before a file is shared, the recipient, referred to as the referee, generates an encryption key pair.
The key pair consists of a private key and a public encryption key.
The public encryption key is derived from the referee's private key, ensuring that only the referee can decrypt the final re-encrypted file.
2. Re-Encryption Key Computation
To enable proxy re-encryption, the file owner generates a re-encryption key using the following inputs:
Their private key.
The public encryption key of the referee.
The original encryption key of the file, which is unique for every encrypted file.
This computed re-encryption key is included in the auth ticket and stored on the blobbers responsible for holding the file.
3. Proxy Re-Encryption by Blobbers
When the referee initiates the file download, the blobbers apply the re-encryption key to transform the encrypted file.
The blobbers perform the re-encryption process without decrypting the file.
The transformed file remains encrypted and is accessible only to the referee.
Since the blobbers never gain access to the decrypted data, end-to-end encryption is preserved.
4. Decryption by the Referee
Once the re-encrypted file is retrieved, the referee decrypts it using their private key.
The private key used for decryption corresponds to the public encryption key that was provided for re-encryption.
The referee can seamlessly access the shared file without requiring any additional steps from the file owner.
Proxy re-encryption ensures that file sharing remains both secure and efficient without compromising data confidentiality.
The file owner does not need to manually re-encrypt the data before sharing it with different users.
Data remains encrypted throughout the entire process, ensuring security even during re-encryption.
Blobbers facilitate the re-encryption process without having access to the actual file contents.
Only the intended recipient can decrypt and access the file, preventing unauthorized access.
Always keep your private keys safe and secure.
Last updated