Cryptographic Storage Key Derivation: The Foundation of Entrelid®'s Security Architecture
Dataparency's Entrelid Framework introduces revolutionary data security through our patented Resource Context - Cryptographic Storage Key Derivation technology—a mathematical approach to data protection that makes unauthorized access to data computationally impossible, not just policy-restricted.
The Three Layers of Entrelid's Security Model
Entity Authentication
JWT tokens authenticate WHO is requesting access, verifying identity through cryptographic signatures and preventing impersonation attacks.
Relationship Authorization
RDID tokens authorize WHAT relationships exist between entities, controlling access permissions with mathematical precision.
Cryptographic Storage Address Derivation
Resource Context defines WHERE data is stored through proprietary transform algorithms that make data location a mathematical secret.
All three factors are mathematically required for data access. Missing any single factor doesn't just deny access—it makes the data mathematically undiscoverable.
Resource Context: Beyond Traditional Access Control
Unlike conventional databases where administrators can enumerate all storage locations, Entrelid's Resource Context creates a vast, sparse keyspace where data exists at specific mathematically-derived coordinates that cannot be discovered without precise inputs.
128-bit
Transformation Space
Creating 340 trillion trillion possible storage addresses
3
Path Components
Namespace/domain, entity class, and collection name
0%
Key Correlation
Mathematical relationship between different document keys
How Resource Context Works
The Resource Context derives storage keys through a multi-stage process:
- Individual transformations of namespace/domain, entity class, EDID, and collection name
- Concatenation with the document's UUID
- Final Transformation to produce a 128-bit encoded storage key
This process ensures that storage keys have no mathematical relationship to each other, making enumeration or discovery computationally impossible.
Mathematical Non-Discoverability
Non-Sequential
Keys are distributed randomly across a vast address space, preventing iteration or enumeration
Non-Discoverable
Without exact inputs, finding data locations is mathematically impossible even with full server access
Non-Pivotable
Discovering one storage key provides zero information about any other key in the system
"Even if attackers gain complete access to our servers, they cannot find and extract your data without knowing the exact Resource Context—which is mathematically impossible to guess or discover."
Partial dump of data store: (Resource Context calculated storage key)
key-> [06umAEq6gmMzdzeX4h9XuG]
value-> [{"B":"tlYtKkRbN/BEO4C97fV/yacxSyIhv4XMSgvYKNMioRCN3hyNZSe7McvqIO3QL3mHVXfoSIsx+SQBCZ846umpWXvyWCx9Z0O117opT+H3Pf0cykeQit0YTrNlLdZs9skHvefdEX5aMSmi5AMdl4ve02boDvRCpHjYiA0pIaeR6NGNBmf1XgLMErwgvkpBQ2mzgfRVQGoIMJDQoYBKFfX6ycow2fI5uks/p1C8Nb+k1FcL4EWhkaSGDwc54XHhWgzsa8cdOXNiQKS1asa8ASZ46Sai8ncN83ZD0jSAFM67tJxZLeZ6A
…
HfiSAkY8HdMwEMVMjZ6MjJ+O6qgvT9JfDTcI1vdhO6RPvvGPH3OhPt86hWvxutdu/JuRiTXh9JiUjKv2j8zBxwIupOfZdL6JiB/PTkB8ZXq5lBDsYpzp//XddHg/mNVDOsTQBxRiDgCMWOPW14uPZInmQXpXyfoys22y1RRVqVYcnQjCNTIYQ9kSV5xquRNPG8i6Tavrj3GnLX0mxfJb+PWI4tTT"}]
Common Hierarchical Format (CHF) Documents
When stored, documents are parsed into our patented CHF structure that embeds security metadata directly into the stored document hierarchy.
Data Nodes (d-nodes)
- Store actual document content
- Organized in traversable hierarchies
- Support complex queries and partial retrieval of nodes
Security Nodes (s-nodes)
- Attach directly to data nodes
- Control access and redaction policies
- Enable field-level security enforcement
Three-Factor Data Access Control
All three security factors must be present for data access to be possible. Missing any factor doesn't just result in an access denied message—it makes data location mathematically undefined.
Unlike traditional databases where admin access means data access, Entrelid's system separates data discovery from data access. Even with server compromise, data remains undiscoverable.
Integration with NATS JetStream
Entrelid leverages NATS Open Source messaging to provide:
- Location independence through topic-based routing
- Jurisdictional compliance with automated data residency
- Transparent failover without manual configuration
- Stream-based automatic synchronized backup and recovery mechanisms
This integration addresses enterprise concerns about reliability and compliance while maintaining our core security model.
Guaranteed Data Residency
Data jurisdiction is guaranteed through NATS topic-based routing. European data stays in Europe, US data stays in US—automatically and without exception.
Queue-ID Routing
Each entity's profile contains a queue-ID that directs all data operations to servers in the correct jurisdiction.
Jurisdictional Compliance
Automatic compliance with GDPR, CCPA, and other regional data sovereignty requirements without complex configuration.
Right to be Forgotten
Revoking an RDID instantly removes access everywhere without touching the underlying data—providing immediate compliance.
Performance Without Compromise
Entrelid's architecture delivers enterprise-grade performance while maintaining its security guarantees. These aren't theoretical numbers—they're measured performance from production environments.
The architecture scales linearly with additional servers, providing predictable performance growth as your data needs expand.
Resource Context Security Properties
Computationally Isolated
No mathematical relationship exists between different storage keys, even for related documents.
Non-Enumerable
It's impossible to discover what keys exist in the system without knowing the exact inputs used to create them.
Cryptographically Vast
The 128-bit address space creates 340 trillion trillion possible values, making brute-force attacks infeasible.
Deterministic
The same inputs always produce the same storage key, ensuring reliable data retrieval for authorized entities.
These properties create a fundamentally different security model than traditional access control systems.
Document Storage and Retrieval Process
The complete process integrates all security factors to ensure that data operations are secure, compliant, and efficient.
On validation of all Resource Context parameters, the server performs the requested action and returns either the unique document ID (POST) or the requested document fragment in JSON format (GET).
Storage Key Security vs. Traditional Models
Entrelid D-ISP
- Storage keys mathematically derived, not enumerable
- No system catalogs or metadata listings
- Data locations are mathematical secrets
- Server compromise doesn't reveal data locations
Traditional Databases
- Sequential storage keys or discoverable addresses
- System catalogs enumerate all objects
- Data locations are discoverable metadata
- Admin access reveals all data locations
Advanced Transaction Control
Entrelid implements innovative transaction control through document TTL-based locking mechanisms:
Document Locking
Temporary locks implemented through document expiration times
Distributed Transactions
Implementation of saga patterns without traditional two-phase commit
Automatic Resolution
Self-healing system with time-based conflict resolution
Global Consistency
Maintenance of data integrity across distributed instances
This approach enables reliable distributed transactions without the complexity and performance penalties of traditional database transaction models.
Enterprise Security Advantages
"Entrelid implements three-factor cryptographic access control. This isn't policy-based security that can be mis-configured or bypassed—it's cryptographic necessity."
01
Defense in Depth
Multiple independent security layers create comprehensive protection against all attack vectors.
02
Zero Trust Architecture
Every data access requires complete verification of all three security factors with no implicit trust.
03
Mathematical Security
Protection based on cryptographic principles rather than policy enforcement, eliminating human error.
04
Regulatory Compliance
Automatic jurisdictional routing and instant access revocation simplify compliance management.