Abstract
FlowShield aims to build a decentralized web3 privacy data retrieval security network system around the world, and help users recapture privacy security information eroded by giants under web2, so that the current global hot zero-trust security network technology combined with web3 can better help users master their own security privacy data and give users a good experience of privacy data retrieval security network products.
1. Introduce
1.1 Motivation
At present, the options available for interactive (low-latency) communication with privacy guarantee are very limited, and the currently developed solutions are all focused on the traditional single-source data publisher network model, which has defects in delay and threat models. FlowShield uses the secure network technologies of blockchain, web3 and private data retrieval to enhance and improve the network security/privacy protection of users’ privatization.
In order to protect the public’s network security under web2, a very popular zero-trust security architecture has emerged. However, the zero-trust security company monopolizes users’ network access nodes, and centrally stores users’ core security configuration files. Therefore, we are considering whether we can use web3 technology to realize the secure network of private data retrieval. We designed FlowShield project, which aims to provide users with a decentralized secure network platform for private data retrieval, and help users master their own secure data.
2.System Composition
2.1 FlowShield-Fullnode
All nodes are FlowShield networks, which provide DAO tools for institutions\organizations\individuals, mainly to satisfy users’ privatization and customize their own network privatization attributes.
Anyone can run all nodes, host metadata of decentralized network, and provide metadata networking and transaction matching platform. It integrates metadata from all providers, and providers use libp2p-based pubsub every few seconds to keep their hearts beating to Fullnode to prove that they are online.
Users can find resources and nodes inside the all-node platform to build their own secure anonymous network tunnel. They only need to pay some tokens, and the network providers (miners) nodes can get these tokens as rewards.
For all users’ and Dao’s data, we store it on the decentralized network of Filecoin.
2.2 FlowShield-Provider
Provider, as a secure network tunnel provider for decentralized private data retrieval, provides decentralized network access services for FlowShield network users. The Provider decentralized networking through peer-to-peer discovery and routing through libp2p, and combined with the publish and subscribe function of P2P to achieve data synchronization among multiple nodes.
2.3 FlowShield-Verifier
We provide verifier components for the decentralized trusted bandwidth market. Anyone can run a network verification program, monitor the network quality of ongoing orders, and detect and punish illegal and bad network providers.
2.4 DeCA
Decentralized PKI CA center provides communication authentication function for point-to-point communication between client and miner nodes in FlowShield network. DeCA can perform all the key functions of X.509 PKI standard, that is, register, confirm, revoke and verify mTLS certificates.
Our goal is to completely decentralize the CA pool, and at the same time build our decentralized solution and the established PKI standard (i.e. X.509) to achieve effective real-world integration.
2.4.1 DeCA Decentralized Edge Trusted Computing
At present, DECA has decentralized the storage of certificate data. With the birth of FEVM, we feel the power of trusted storage and calculation that can’t be tampered with. We use FEVM to define the calculation process of deterministic state, which is used to verify the information legality of CA certificate, the authorization legality of both sides of the tunnel, and shield the possibility of both clients and miners contacting Dao authentication information.
At present, DECA’s metadata sharing is still in the traditional stage of data sharing. There is the risk of algorithm logic and confidential data leakage in SDP policy implementation, which leads to a series of untrustworthy and uncertain calculations that disturb or even attack FlowShield services, which brings some challenges to tamper-proof, policy algorithm and service security and stability.
FlowShield plans to use advanced blockchain technology to encapsulate the logic of policy enforcement algorithm, and introduce credential encryption, including the zero-knowledge proof of private data, the data required by specific services. The verification method of these credentials is decentralized and public, which will not reveal any data between users and the services they want to access, and has tamper-proof, credible and deterministic calculation. Enable users to maintain privacy while proving that they have the right to network and carry out activities.
2.4.2 ROOT Certificate Confidentiality
In the current popular PKI system, there is a risk of loss of root certificates and sub certificates. We will also upgrade our certificate risk control scheme.
Using the tamper proof technology of IPFS, we can ensure the accuracy of root certificates and sub certificates, but at the same time, there will be a risk of disclosure. Through FEVM and smart contracts, we can make the reading and parsing process of root certificates credible, so as to ensure the stability and security of miner services.
2.5 Contract
FlowShield mainly uses smart contracts to build a decentralized storage engine policy center. Our goal is to establish a private data retrieval platform that can run by itself and be managed by the public. At present, the operation carrier of smart contract mainly considers the virtual machine environment compatible with EVM. First, we choose FEVM as our decentralized management platform. As the computing layer of the FileCoin storage ecosystem, FEVM allows us to conduct trusted computing, provide services closer to data storage, and provide users with more reliable data computing credibility.
The main functions of smart contracts include:
- Pledge and redemption of fullnode node and provider node
- Matching and payment of users’ online orders
- Withdrawal of benefits by network providers
2.6 DID User Network
Users log in to the platform through Github, and use DID to bind their Github identities, which helps users save the gas costs related to identity binding. After successful binding, users can log in to the platform by using DID authentication. The order part also uses DID for data storage.
2.7 Network Access Client
Client users connect to the provider to establish a network security tunnel for private data retrieval. We have built a client with a certain degree of anti censorship to help users access the Cloud Slit network safely and efficiently.
3. EVM Pool
The fund pool enables individuals and communities to pay for any number of network tunnels on the blockchain. The fund pool is just a smart contract holding funds for Provider Verifier, which can be used for correct actions by network providers and verifiers, while the tokens in the fund pool are used to pay the storage, computing and hardware costs of operators.
FlowShield allows users to use any ERC20 equivalent token to make payment to FlowShield. By allowing payment in any token, FlowShield has created a private retrieval data network independent of the chain.