2

Is there a way to establish data sharing between multiple (a couple dozen) businesses where it is the case that some companies don't trust others?

This means that these companies are willing to share some their sensitive data with only select few, while not so sensitive data they are OK with sharing with all. (They can further restrict access to who sees it based on the sensitivity.) The data includes things like financial information, so one would want to aggregate all the sources of data they have access to to grasp the current situation.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
namu
  • 121
  • 3
  • 2
    I'm not sure this is really a security question, or maybe I'm just missing what you are getting at. This simplest way to share some sensitive data with a select few is by only sharing the data you want with the people you trust. If your concern is that the people you share it with might share it with someone else, then that is a rather different concern (and also nearly impossible to prevent). – Conor Mancone Jan 10 '20 at 21:08
  • That is a define concern. I was looking into watermarks, but that will only confirm if data is being shared inappropriately (if it circles back to me), not prevent it. Encrypting might not help because I allow those I want to see it decrypt, and then they can share that... – namu Jan 10 '20 at 21:37
  • 1
    @namu that problem is unsolvable through technical means. You cannot stop someone able to see information from extracting exactly what they think someone else cares about from that information, and then sharing it. (unless you put that info in a secure hardware box, and only let the user do certain calculations with it that do not allow actual induction on the data – and that kind of problem really belongs mostly in the academic crypto world. I've yet to see the usefulness of any zero-knowledge exchange outside of cryptocurrencies.) – Marcus Müller Jan 10 '20 at 22:28
  • you might be able to watermark the data, but then you only know who leaked the data – that doesn't make it unleaked, and if there's no non-technical (as in: legal, human) repercussions for doing so, well, you might as well don't. – Marcus Müller Jan 10 '20 at 22:29

1 Answers1

2

That's pretty classical public-key infrastructure. All businesses have a secret private key, and a public key that matches that.

You can encrypt a dataset with the public key of a single business, and share it with all: only the owner of the matching private key can decrypt it.

If you now want to share something with many instead of single recipients, instead of encrypting the same data for every recipient, you could just generate a symmetric key (i.e. one that's the same for en- and decryption). That is much less data than the actual dataset – and then you just encrypt that single key separately for every single intended recipient, and encrypt the dataset with the single key.

There's even cooler cryptographic approaches to partial keys, but honestly, for "a couple dozen", this is plenty flexible.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27