1. FIELD OF THE DISCLOSURE

The field of the disclosure is that of the back-up of data on a distant server, e.g. in the cloud.

More specifically, the disclosure relates to a method for such back-up of data on a distant server from a terminal equipment.

The disclosure can be of interest in any field wherein such terminal equipment needs to back-up data on a distant server. This is the case for instance for terminals equipment like smartphones, tablets, etc.

2. TECHNOLOGICAL BACKGROUND

In the sequel, we focus more particularly on describing an existing problem in the field of mobile devices (e.g. smartphones, tablets, etc.), with which the inventors of the present patent application were confronted. The invention is of course not limited to this particular field of application, but is of interest for the back up of data on a distant server for any type of terminal equipment (e.g. home servers).

It is known to back up data from a terminal equipment on a cloud provider service, e.g. such as Google Drive. This is often convenient but clashes with privacy needs, because the cloud storage provider can be untrusted, and can access confidential data stored by the user. Encryption of such data is not sufficient to guarantee privacy, because the cloud provider can still see whether the user reads or writes files and which parts of the data are being accessed. That information can be used to track the user's activity.

Oblivious Random-Access Memories (ORAMs) are known solutions for addressing those privacy issues. More particularly, ORAMs are cryptographic schemes that protect the user's privacy by obfuscating the access patterns, at the cost of some performance loss. This performance loss is significant and makes ORAM solutions barely practical, especially on equipment with limited computing power like mobile devices. Indeed, one can see multiple limitations on mobile devices:

The initial setup of an ORAM is quite slow, as the storage needs to be initialized and encrypted; The ORAM needs to store client-side metadata, which is necessary to operate the ORAM (e.g. a position map of the data blocks of the database, etc.). If this client metadata is lost or the device breaks, the encrypted data becomes unusable and is forever lost.

There is thus a need for a solution for improving the confidentiality of the data stored in a remote server by a terminal equipment, even in the case where the terminal equipment has limited computing power.

3. SUMMARY

A particular aspect of the present disclosure relates to a method for using, by a terminal equipment, an ORAM database created in a remote server. A third-party device is connected to the terminal equipment and to the remote server through a communications network. According to such method, the third-party device executes: receiving a request, sent by the terminal equipment through the communications network, for having the third-party device to initiate the creation of the ORAM database in the remote server. Responsive to receiving the request, the third-party device executes: initializing the creation of the ORAM database in the remote server by sending to the remote server, through the communications network, ORAM database elements; generating metadata associated to the ORAM database created in the remote server; and sending, to the terminal equipment through the communications network, the metadata for allowing the terminal equipment to use the ORAM database created in the remote server without going through the third-party device.

Thus, the present disclosure proposes a new and inventive solution for improving the confidentiality of the data stored in the remote server by a terminal equipment, even in the case where the terminal equipment has limited computing power (e.g. a smartphone or a tablet).

More particularly, the proposed solution allows such terminal equipment to use an ORAM database by delegating to a third-party device the most computing demanding step relating to the use of such ORAM database, i.e. the creation (or initialization) itself of the ORAM database in the remote server. In particular, once the ORAM database is created, the metadata necessary for using the ORAM database are provided to the terminal equipment that can thus further access directly (i.e. without going through the third-party device) to the created ORAM database. The confidentiality of the data is thus insured for the terminal equipment despite the use of the third-party device for the creation of the ORAM database.

In some embodiments, the initializing the creation of the ORAM database comprises: generating a temporary symmetric encryption key; encrypting initial data blocks of the ORAM database with the temporary encryption key; and sending, to the remote server through the communications network, the encrypted initial data blocks as part of the ORAM database elements.

In some embodiments, the metadata comprise the temporary symmetric encryption key.

Thus, the terminal equipment can decrypt the data blocks of the ORAM database as initialized by the third-party device.

In some embodiments, the sending to the terminal equipment the metadata comprises establishing an encrypted and authenticated communication channel with the terminal equipment through the communications network. The metadata is sent through the encrypted and authenticated communication channel.

In some embodiments, the third-party device executes, responsive to the sending to the terminal equipment the metadata: deleting the metadata stored in the third-party device.

Thus, the terminal equipment takes ownership of the ORAM database.

In some embodiments, the third-party device executes, after the sending to the terminal equipment the metadata: receiving, from the terminal equipment through the communications network, the metadata associated to the ORAM database in an encrypted form based on a secret encryption key different from the temporary symmetric encryption key.

Thus, a backup of the metadata is stored into the third-party device. Furthermore, the secret encryption key being unknown to the third-party device, the third-party device cannot use the metadata to access the ORAM database. The confidentiality of the data stored in the ORAM database is preserved.

According to another aspect of the disclosure, the terminal equipment being connected to the third-party device and to the remote server through the communications network, the terminal equipment executes: sending a request, to the third-party device through the communications network, for having the third-party device to initiate the creation of the ORAM database in the remote server; and receiving, from the third-party device through the communications network, metadata allowing the terminal equipment to use the ORAM database created in the remote server without going through the third-party device.

In some embodiments, the received metadata comprise a temporary symmetric encryption key used by the third-party device to encrypt initial blocks of the ORAM database stored in the remote server.

In some embodiments, the receiving from the third-party device the metadata comprise establishing an encrypted and authenticated communication channel with the third-party device through the communications network, the metadata are received through the encrypted and authenticated communication channel.

In some embodiments, the terminal equipment executes: sending, to the third- party device through the communications network, an access token so that the third- party device can access the remote server for initializing the creation of the ORAM database in the remote server.

In some embodiments, the terminal equipment executes, after the receiving from the third-party device the metadata: revoking the access token sent to the third-party device so that the third-party device cannot access any more the ORAM database in the remote server.

Thus, the confidentiality of the data stored in the ORAM database is improved.

In some embodiments, the terminal equipment executes a writing of at least one data block in the ORAM database, the writing comprising: encrypting the at least one data block of the ORAM database with a secret encryption key different from the temporary symmetric encryption key; sending, to the remote server through the communications network, the encrypted at least one data block for storing in the ORAM database; and updating the metadata for taking into account the sending of the encrypted at least one data block.

In some embodiments, the terminal equipment executes: generating the secret encryption key.

In some embodiments, the terminal equipment executes a reading of at least one encrypted data block of the ORAM database, the reading comprising: receiving, from the remote server through the communications network, the at least one encrypted data block of the ORAM database; decrypting the encrypted data block based on: the temporary encryption key if the metadata indicates that the encrypted data block is an initial block of the ORAM database encrypted by the third-party device; or the secret encryption key if the metadata indicates that the encrypted data block is a data block of the ORAM database encrypted by the terminal equipment.

In some embodiments, the terminal equipment executes: sending, to the third- party device through the communications network, the metadata in an encrypted form based on the secret encryption key.

In some embodiments, the ORAM database is of a pathORAM type.

In some embodiments, the metadata comprise position map of the database and stash information.

Another aspect of the present disclosure relates to a computer program product comprising program code instructions for implementing the above-mentioned method for using an ORAM database (in any of the different embodiments discussed above), when said program is executed on a computer or a processor.

Another aspect of the present disclosure relates to a device configured for implementing all or part of the steps of the above-mentioned method for using an ORAM database as executed by the terminal equipment (in any of the different embodiments discussed above). Thus, the features and advantages of this device are the same as those of the corresponding steps of said method. Therefore, they are not detailed any further.

Another aspect of the present disclosure relates to a device configured for implementing all or part of the steps of the above-mentioned method for using an ORAM database as executed by the third-party device (in any of the different embodiments discussed above). Thus, the features and advantages of this device are the same as those of the corresponding steps of said method. Therefore, they are not detailed any further.

4. LIST OF FIGURES

Other features and advantages of embodiments shall appear from the following description, given by way of indicative and non-exhaustive examples and from the appended drawings, of which:

Figure 1 illustrates a terminal equipment in communication with a third-party device and with a remote server according to one embodiment of the present disclosure;

Figure 2 illustrates the steps of a method for using, by the terminal equipment of Figure 1, an ORAM database created in the remote server of Figure 1 according to one embodiment of the present disclosure;

Figure 3 illustrates an example of the structural blocks of a device allowing all or part of the corresponding steps of the method of Figure 2 to be implemented by the terminal equipment of Figure 1;

Figure 4 illustrates an example of the structural blocks of a device allowing of all or part of the corresponding steps of the method of Figure 2 to be implemented by the third-party device of Figure 1.

5. DETAILED DESCRIPTION

In all of the Figures of the present document, the same numerical reference signs designate similar elements and steps.

Referring now to Figure 1, we describe a terminal equipment 100 in communication with a third-party device 130 and with a remote server 150 according to one embodiment of the present disclosure. The terminal equipment 100 (e.g. a smartphone, a tablet equipped with a wireless communication module) is in communication with the third-party device 130 and with the remote server 150 (e.g. a server of a storage provider) through a communications network. The communications network is a wireless communications network, e.g. a third Generation Partnership Project, hereafter 3GPP, 2G, 3G, 4G or 5G cellular network. Such communications network comprises a base station 110 that implements the air interface with the terminal equipment 100 and a core network 120 that interfaces with the third- party device 130 and the server 150.

However, in other embodiments the communications network is a wired communications network, e.g. when the terminal equipment 100 is not a mobile equipment (e.g. when the terminal equipment 100 is a home server).

Back to Figure 1, according to the method of the present disclosure, which is further detailed below in relation with Figure 2, the terminal equipment 100 delegates to the third-party device 130 the creation of an ORAM database 150db in the server 150. The third-party device 130 thus initiate the creation of the ORAM database 150db in the server 150 and generates metadata 130md associated to the database 150db. The metadata 130md are sent to the terminal equipment 100 for allowing the terminal equipment 100 to use directly the database 150db, i.e. without going through the third- party device 130. For instance, the metadata 130md comprise a "position map" (e.g. a lookup table) that allows to "undo the scramble" and link back the positions of the blocks in the database 150db to their logical ordering that can be used by the client, i.e. the terminal equipment 100 in the present case.

The third-party device 130 also generates a temporary symmetric encryption key 130tk for encrypting initial data blocks of the database 150db. For instance, the metadata 130md generated by the third-party device 130 comprise the temporary symmetric encryption key 130tk so that the terminal equipment 100 can decrypt the data blocks of the database 150db as initialized by the third-party device 130.

However, in other embodiments, the third-party device 130 does not use such temporary symmetric encryption key 130tk for encrypting initial data blocks of the database 150db. In such embodiments, the metadata 130md don't comprise the temporary symmetric encryption key 130tk.

Back to Figure 1, the terminal equipment 100 uses a secret encryption key lOOsk, different from the temporary symmetric encryption key 130tk, for encrypting the data blocks to be stored in the database 150db. Thus, as the third-party device 130 has no knowledge of the secret encryption key lOOsk, the third-party device 130 cannot access the data blocks stored in the database 150db by the terminal equipment 100.

However, in other embodiments, the terminal equipment 100 does not use a secret encryption key lOOsk different from the temporary symmetric encryption key 130tk for encrypting the data blocks to be stored in the database 150db.

Back to Figure 1, the terminal equipment 100 comprises a device lOOd comprising means configured for implementing all or part of the corresponding steps of the method for using an ORAM database discussed below in relation with Figure 2. The means implemented in the device lOOd are further discussed below in relation with Figure 3.

The third-party device 130 comprises a device 130d comprising means configured for implementing all or part of the corresponding steps of the method for using an ORAM database discussed below in relation with Figure 2. The means implemented in the device 130d are further discussed below in relation with Figure 4.

Referring now to Figure 2, we describe a method for using, by the terminal equipment 100, the ORAM database 150db according to one embodiment of the present disclosure.

More particularly, in a step S200, the terminal equipment 100 sends, to the third- party device 130 through the communications network, an access token. The access token allows the third-party device 130 to access the remote server 150 to initiate the creation of the database 150db in the remote server 150.

Correspondingly, in step S200, the third-party device 130 receives the access token sent by the terminal equipment 100.

For instance, the terminal equipment 100 sends a request to the remote server 150 for receiving such access token. Responsive to receiving the request sent by the terminal equipment 100, the remote server 150 generates and sends the access token to the terminal equipment 100. Such access token can be used to access the remote server 150 by any device that owns the token. The access token is therefore sent by the terminal equipment 100 to the third-party device 130 so that the third-party device 130 can access the remote server 150, e.g. for initiating the creation of the database 150db.

However, in other embodiments, such mechanism involving access token is not implemented. For instance, the third-party device 130 may have already granted access to the remote server 150, e.g. in case of general agreement between parties managing the third-party device 130 and the remote server 150.

Back to Figure 2, in a step S210, the terminal equipment 100 sends a request, to the third-party device 130 through the communications network, for having the third- party device 130 to initiate the creation of the database 150db in the server 150.

Correspondingly, in step S210, the third-party device 130 receives the request sent by the terminal equipment 100.

Responsive to receiving the request sent by the terminal equipment 100, the third-party device 130 initiates the creation of the database 150db in the remote server 150 by sending to the remote server 150 database elements during a step S220. The initiation of the creation of the database 150db is thus delegated from the terminal equipment 100 to the third-party device 130.

More particularly, in a step S221, the third-party device 130 generates a temporary symmetric encryption key 130tk and encrypts initial data blocks of the database 150db with the temporary encryption key 130tk. In a step S222, the third-party device 130 sends to the remote server 150 the encrypted initial data blocks as part of the database elements.

However, in other embodiments, the third-party device 130 does not use such temporary symmetric encryption key 130tk for encrypting initial data blocks of the database 150db. In some embodiments, the database elements comprise additional information allowing the creation of the database 150db including e.g. the size of the database 150db to be created. In some embodiments, the initiation of the database 150db is further delegated from the third-party device 130 to the remote server 150. Back to Figure 2, in a step S230, the third-party device 130 generates metadata 130md associated to the database 150db created in the remote server 150 (e.g. the "position map" as discussed above in relation with Figure 1). In a step S231, the third- party device 130 sends to the terminal equipment 100 the metadata 130md for allowing the terminal equipment 100 to use directly the database 150db created in the remote server 150.

Correspondingly, in step S231, the terminal equipment 100 receives the metadata 130md sent by the third-party device 130.

In some embodiments wherein the third-party device 130 uses a temporary symmetric encryption key 130tk for encrypting initial data blocks of the database 150db, the metadata 130md comprise the temporary symmetric encryption key 130tk. Accordingly, the terminal equipment 100 can decrypt the data blocks of the database 150db as initialized by the third-party device 130.

In some embodiments, the third-party device 130 and the terminal equipment 100 establish an encrypted and authenticated communication channel to communicate with each other through the communications network. The third-party device 130 sends to the terminal equipment 100 the metadata 130md through the encrypted and authenticated communication channel. Correspondingly, the terminal equipment 100 receives the metadata 130md sent by the third-party device 130 through the encrypted and authenticated communication channel. Accordingly, the exchange of information between the terminal equipment 100 and the third-party device 130 is secured.

In some embodiments, the database 150db is of a pathORAM type, which is particularly suited for mobile devices. In such embodiments, the metadata 130md comprise stash information in addition of the "position map" of the database 150db.

Back to Figure 2, in a step S232, responsive to the sending of the metadata 130md to the terminal equipment 100 during step S231, the third-party device 130 deletes the generated metadata 130md. The metadata 130md as generated bythe third-party device 130 are thus not kept stored in the third-party device 130. Therefore, the terminal equipment 100 takes ownership of the database 150db. However, in other embodiments, the third-party device 130 does not delete the metadata 130md that has been generated.

Back to Figure 2, in a step S250, after having received the metadata 130md, the terminal equipment 100 revokes the access token sent to the third-party device 130 during step S200. Thus, the third-party device 130 cannot access any more the database 150db in the remote server 150.

However, in embodiments wherein the step S200 is not implemented, the terminal equipment 100 does not implement the step S250.

Back to Figure 2, after the execution of the steps S200 up to S250, the terminal equipment 100 is now able to use the database 150db for writing data block(s) stored therein.

For instance, in a step S260, the terminal equipment 100 executes a writing of one (or more) data block in the database 150db.

In that respect, in a step S261, the terminal equipment 100 generates a secret encryption key lOOsk different from the temporary symmetric encryption key 130tk and encrypts the data block(s) with the secret encryption key lOOsk. In a step S262, the terminal equipment 100 sends to the remote server 150 the encrypted data block(s) for storing in the database 150db. In a step S263, the terminal equipment 100 updates the metadata 130md for taking into account the sending of the encrypted data block(s).

However, in other embodiments, the terminal equipment 100 does not use a secret encryption key lOOsk different from the temporary symmetric encryption key 130tk for encrypting the data blocks to be stored in the database 150db.

Back to Figure 2, in a step S270, the terminal equipment 100 sends to the third- party device 130 the metadata 130md in an encrypted form based on the secret encryption key lOOsk. Correspondingly, in step S270, the third-party device 130 receives the metadata 130md in the encrypted form based on the secret encryption key lOOsk sent by the terminal equipment 100. Thus, a backup of the metadata 130md is stored into the third-party device 130. Furthermore, the secret encryption key lOOsk being unknown to the third-party device 130, the third-party device 130 cannot use the metadata 130md to access the database 150db. The confidentiality of the data stored in the database 150db is preserved despite the backup of the metadata 130md into the device 130.

However, in other embodiments, the terminal equipment 100 does not execute the step S270 and the metadata 130md is not sent to the third-party device 130 in order to be stored as a back-up.

Back to Figure 2, after the execution of the steps S200 up to S250, the terminal equipment 100 is also able to use the database 150db for reading data block(s) stored therein.

For instance, in a step S280, the terminal equipment 100 executes a reading of one (or more) data block stored in the database 150db.

In that respect, in a step S281, the remote server 150 sends to the terminal equipment 100 one (or more) encrypted data block of the database 150db, e.g. responsive to a request sent by the terminal equipment 100 for such data block(s). Correspondingly, in step S281, the terminal equipment 100 receives from the remote server 150 one (or more) encrypted data block of the database 150db. In a step S282, the terminal equipment 100 decrypts the encrypted data block(s) based on: the temporary encryption key 130tk if the metadata 130md indicates that the corresponding encrypted data block is an initial block of the database 150db encrypted by the third-party device 130; or the secret encryption key lOOsk if the metadata 130md indicates that the corresponding encrypted data block is a data block of the database 150db encrypted by the terminal equipment 100.

In other embodiments wherein the temporary encryption key 130tk and/or the secret encryption key lOOsk are not used for encrypting the data block(s) stored in the database 150db, the terminal equipment 100 does not necessarily decrypts the data block(s) stored in the database 150db. In any case, the terminal equipment 100 relies on the information in the metadata 130md for deciding if a decryption is required and, if relevant, based on which encryption key.

Referring now to Figure 3, we describe an example of the structural blocks implemented in the device lOOd. More particularly, in order to be able to implement all or part of the steps of the method discussed above in relation with Figure 2 as executed by the terminal equipment 100 (according to any of the embodiments disclosed above), in some embodiments the device lOOd comprises: a non-volatile memory 303 (e.g. a read-only memory (ROM), a hard disk, a flash memory, etc.); a volatile memory 301 (e.g. a random-access memory or RAM) and a processor 302.

The non-volatile memory 303 is a non-transitory computer-readable carrier medium. It stores executable program code instructions, which are executed by the processor 302 in order to enable implementation of some steps of the method described above (method for using an ORAM database) in the various embodiment disclosed above in relationship with Figure 2.

Upon initialization, the aforementioned program code instructions are transferred from the non-volatile memory 303 to the volatile memory 301 so as to be executed by the processor 302. The volatile memory 301 likewise includes registers for storing the variables and parameters required for this execution.

The steps of the method for using an ORAM database as executed by the terminal equipment 100 may be implemented equally well: by the execution of a set of program code instructions executed by a reprogrammable computing machine such as a PC type apparatus, a DSP (digital signal processor) or a microcontroller. This program code instructions can be stored in a non- transitory computer-readable carrier medium that is detachable (for example a CD-ROM, a DVD-ROM, a USB key) or non-detachable; or by a dedicated machine or component, such as an FPGA (Field Programmable Gate Array), an ASIC (Application-Specific Integrated Circuit) or any dedicated hardware component.

In other words, the disclosure is not limited to a purely software-based implementation, in the form of computer program instructions, but that it may also be implemented in hardware form or any form combining a hardware portion and a software portion.

Referring now to Figure 4, we describe an example of the structural blocks implemented in the device 130d.

More particularly, in order to be able to implement all or part of the steps of the method discussed above in relation with Figure 2 as executed by third-party device 130 (according to any of the embodiments disclosed above), in some embodiments the device 130d comprises: a non-volatile memory 403 (e.g. a read-only memory (ROM), a hard disk, a flash memory, etc.); a volatile memory 401 (e.g. a random-access memory or RAM) and a processor 402.

The non-volatile memory 403 is a non-transitory computer-readable carrier medium. It stores executable program code instructions, which are executed by the processor 402 in order to enable implementation of some steps of the method described above (method for using an ORAM database) in the various embodiment disclosed above in relationship with Figure 2.

Upon initialization, the aforementioned program code instructions are transferred from the non-volatile memory 403 to the volatile memory 401 so as to be executed by the processor 402. The volatile memory 401 likewise includes registers for storing the variables and parameters required for this execution.

The steps of the method for using an ORAM database as executed by third-party device 130 may be implemented equally well: by the execution of a set of program code instructions executed by a reprogrammable computing machine such as a PC type apparatus, a DSP (digital signal processor) or a microcontroller. This program code instructions can be stored in a non- transitory computer-readable carrier medium that is detachable (for example a CD-ROM, a DVD-ROM, a USB key) or non-detachable; or by a dedicated machine or component, such as an FPGA (Field Programmable Gate Array), an ASIC (Application-Specific Integrated Circuit) or any dedicated hardware component.

In other words, the disclosure is not limited to a purely software-based implementation, in the form of computer program instructions, but that it may also be implemented in hardware form or any form combining a hardware portion and a software portion.