Restricting File Access

Intro

Hello forum. I’m a mid-level software developer getting familiar with the decentralized web. So, this is all new to me.

Anyway, I am building out a proof of concept for some app, but running into a problem. :sweat_smile:

Problem

The main idea here is: Restricting access to a file uploaded on IPFS to certain users.

Example:

  • User A uploads a PDF, which should only be accessible to those who paid
  • User B pays User A, and is granted access
  • User C has not paid, tries to access file, but access is denied

The example given above is the general flow I’d like to accomplish.

Research Done

Here are some of the links I’ve taken a look at so far:

Current Thought Process/Solution

At a high level, this is what I am thinking:

  • User A gets a private-public key pair per PDF/file uploaded
  • User B purchases PDF
  • User A shares private key (to access PDF) with User B; the message is encrypted with User B’s public key, thus giving said user the ability to “decrypt” the private key (to access PDF) with their private key
  • User B is now able to access file

Questions

  1. Does the above flow work? If not, why?
  2. If approach works, what security vulnerabilities can I run into with this approach?
  3. Are there currently any tools that abstract this process?

PS: I’m a SUPER SUPER noob with dWeb, so forgive any obvious/dumb mistakes I’ve made in my assessment.

Best,

Bryan

1 Like
  1. That looks sensible to me. Could even probably use ECDH to agree on a symmetric key and exchange that way, not really sure on the pros/cons.

  2. Privacy-wise you’d probably want to ensure metadata isn’t in clear text if you’re concerned about that. I don’t see any obvious problems with security from a design standpoint.

  3. What type of application is this? Is it a website using js-ipfs in the browser?

I’m not entirely sure of all the tools available to make your path abstracted totally away, but so far I believe you’ll likely want this guide to maybe get a feel for how to bootstrap and get peers in a browser. From there, from an IPFS standpoint, you’re pretty much set. You can subscribe to a topic, and publish messages to it as needed for communication using pubsub. So a seller could be subscribed to a topic, a buyer also subscribes to that topic, and then can do communication like exchanging keys/CIDs, etc.

As for the best encryption libraries for this, I don’t know, but I’m sure a quick Google search will find you the libraries that are popular :slight_smile: .

1 Like
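
The flow discussed in the posts above, as an added example that is not code from any poster: the file is encrypted once with a random symmetric content key, and that key is wrapped for each paying buyer using the ECDH idea from the reply. It assumes Node.js built-in crypto with X25519, HKDF-SHA256 and AES-256-GCM (a symmetric per-file key stands in for the per-file key pair), and all function names, the HKDF label and the sample data are constructed for illustration.

```javascript
// Added example (envelope encryption); names, HKDF label and data are constructed.
const nc = require('node:crypto');

// AES-256-GCM helpers; the 12-byte IV is random per message.
function seal(key, plaintext) {
  const iv = nc.randomBytes(12);
  const c = nc.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = nc.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// ECDH (X25519) shared secret -> 32-byte wrapping key via HKDF-SHA256.
function wrapKeyFrom(privateKey, publicKey) {
  const secret = nc.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nc.hkdfSync('sha256', secret, Buffer.alloc(0), 'file-key-wrap', 32));
}

// Seller: encrypt the file once; only the ciphertext is added to IPFS.
function encryptFile(fileBytes) {
  const contentKey = nc.randomBytes(32);
  return { contentKey, published: seal(contentKey, fileBytes) };
}
// Seller, after payment: wrap the content key for one buyer's public key.
function grantAccess(contentKey, buyerPublicKey) {
  const eph = nc.generateKeyPairSync('x25519'); // fresh key pair per grant
  const wrapped = seal(wrapKeyFrom(eph.privateKey, buyerPublicKey), contentKey);
  return { ephemeralPublicKey: eph.publicKey, wrapped };
}
// Buyer: unwrap the content key, then decrypt the file fetched from IPFS.
function readFile(grant, buyerPrivateKey, published) {
  const contentKey = unseal(wrapKeyFrom(buyerPrivateKey, grant.ephemeralPublicKey), grant.wrapped);
  return unseal(contentKey, published);
}

// Demo with constructed data: User B paid, User C did not.
function demo() {
  const userB = nc.generateKeyPairSync('x25519');
  const userC = nc.generateKeyPairSync('x25519');
  const { contentKey, published } = encryptFile(Buffer.from('%PDF-1.7 constructed sample'));
  const grant = grantAccess(contentKey, userB.publicKey);
  const forB = readFile(grant, userB.privateKey, published).toString();
  let forC = 'denied';
  try { forC = readFile(grant, userC.privateKey, published).toString(); } catch (e) {}
  return { forB, forC };
}
```

Anyone who has the CID can fetch the ciphertext, so access control rests entirely on the content key. Once a buyer holds that key it cannot be revoked for that ciphertext, and nothing stops the buyer from passing it on.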

Hello,

The most thoughtful approach to this topic so far comes from the folk at Textile (things which happened after the article you linked).

Read their Threadsv2 paper: DocSend

Then their docs: ThreadDB | Documentation | Textile

1 Like

Hello,

Thank you for your time and for your thoughtful feedback.

I really like the pubsub idea you mentioned too BTW, will definitely look into that.

Thanks again buddy!

Best,

Bryan

1 Like

Hello Hector,

Awesome! Thank you as well! Will definitely take a look at those links.

Best,

Bryan