Selective data sharing

Abstract

A method and distributed system for exclusively sharing data between a data provider and one or more selected data recipients is disclosed. Known systems for exclusively sharing data with one or more selected data recipients involve the encryption of the data at a central storage service and limiting use of one or more centrally stored decryption keys to decrypt the data in accordance with an access control list maintained by the remote storage service provider. Ensuring robustness of key management in such systems requires the expenditure of a great deal of resource. This problem is addressed by a combination of two co-operating facilities in the disclosed distributed data sharing system. Firstly, a symmetric key exchange facility is provided which enables each data provider to exclusively derivededicated key encryption keys with respective selected data clients. Secondly, a device controlled by the data provider is arranged to encrypt the data using a data encryption key and, for each selected data recipient, publish or sharea wrapped data encryption key (the data encryption key encrypted with the key encryption key dedicated to the selected recipient). Each selected data recipient is then able to unwrap the wrapped data encryption key using its dedicated key encryption key to decrypt the data. The method and distributed system has particular utility in the selective sharing of Internet of Things data between consumers and enterprises.