Hyperledger Fabric: Encrypt ledger data in a single channel - hyperledger-fabric

I have a multi-org fabric network where all the orgs are on a single channel.
I understand that using the composer acl file we can hide data from the users based on their roles and other conditions.
However, the data will be visible when we get into the peer container of any org and issue a peer channel fetch.
So, my question is, is there a way to encrypt this ledger data when the orgs share the same channel? Here, they mention encrypting the data. Is there any example/reference that can get me started on that one?
Currently, I'm not planning to use different channels between different orgs.

Yes, there are a few ways to protect the ledger data. As you mentioned in your question, the official Hyperledger Fabric FAQ gives five different ways to help us achieve security and access control.
The newest version of Fabric, tagged v1.2.0, provides a new concept called private data. I prefer to use this method to build the access control in my apps.
Since I am using the Fabric Node SDK to deploy and control the Fabric network, it provides a convenient way for me to embed it into existing projects.
Use the configuration file to define who can persist data, how many peers the data is distributed to, how many peers are required to disseminate the private data, and how long the private data is persisted in the private database. All the upgrades you need to do are adding some parameters when installing and instantiating, modifying some functions to invoke the private data, and writing some code to handle the configuration file and user control.
It gives some examples for us to use this new feature:
Chaincode example
SDK example
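An added example of the collection definition file the answer refers to (an illustration written for this page, not code from the answer or from Fabric's own samples; the collection names and the MSP IDs Org1MSP and Org2MSP are assumed). In each entry, policy names the organizations whose peers may hold the data, requiredPeerCount and maxPeerCount bound how many peers the endorsing peer must and may disseminate it to, and blockToLive sets how many blocks the data is kept in the private database (0 means it is never purged); peers of organizations outside the policy, and anyone inspecting a fetched block, see only the hash of each private value.

```json
[
  {
    "name": "org1PrivateDetails",
    "policy": "OR('Org1MSP.member')",
    "requiredPeerCount": 1,
    "maxPeerCount": 2,
    "blockToLive": 100
  },
  {
    "name": "sharedBetweenOrg1AndOrg2",
    "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
    "requiredPeerCount": 1,
    "maxPeerCount": 3,
    "blockToLive": 0
  }
]
```

The file is passed with the --collections-config option of peer chaincode instantiate (and again at upgrade time if the collections change).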

Related

Implement the distributed-decentralised ledger for a hyperledger network

Did a small example using the Hyperledger Composer and then used the composer-rest-server to integrate it with a GUI. So in the case of identity, only admin is there. There is also documentation to create and issue other identities to log in to the business networks.
But still, the problem is it's only on a single peer, meaning my local machine. To my understanding, for Hyperledger to function as a decentralized and distributed ledger system, additional peers have to be added to the channel and then the state gets synced on those peers. Hence if one node is down, details can be obtained from other nodes.
I checked some links such as this and this. But all of these point to the things that:
Existing network should be stopped and torn down.
The IP address of the second machine should be manually added to the docker.yml file and then it has to be restarted.
My doubts are:
But on doing this, won't the existing ledger state be cleared? All the data is gone.
So before even creating a dApp using Hyperledger, we have to include all the IP addresses of the machines in the yml and start the network?
How to actually implement the distributed-decentralised ledger system for a Hyperledger network?
UPDATE :
I have checked the links mentioned by Paul O'Mahony. The links explain the peer addition steps. Overall what happens there is:
Downloaded the fabric sample, as extending the network is only possible through the cryptogen version appropriate to the Fabric version.
Currently contains orderer, org1 & org2 (with 2 peers each).
To add a new peer along with its CouchDB, changed the template count in the crypto-config.yaml and created crypto material for the new peer using the extend command.
Then used the docker-compose file to spawn a new peer and its CouchDB. This will create new containers.
Finally the created peers should be joined to the existing channel for the CouchDB to get synced. Adding to the existing channel is done by logging into the docker container, typing some CLI commands and adding the peer to the channel via the channel join command.
Is this the recommended way to add peers to the channel? Suppose I am creating a network and want to add peers to the channel based on a condition, like a user/users can add themselves to the network through a login via Composer Playground and act as a peer. So I have to follow the same steps to do it? Is this the recommended way?
Supporting link : https://chat.hyperledger.org/channel/fabric?msg=KgxFegcZyKEPdo4v2

How to use Fabric v.1.2's "Private Data" in Hyperledger Composer?

Since Hyperledger Fabric v1.2 there is the possibility to use "Private Data", see https://hyperledger-fabric.readthedocs.io/en/release-1.2/whatsnew.html
Is there a way to implement "Private Data Collections" via Hyperledger Composer - or is this only possible at the Fabric level?
To configure private data you need to define a JSON file and include it as part of the instantiation request. It's not possible to pass this configuration to the composer network start command, so you cannot configure the private collection for a business network.
Composer has no explicit APIs or knowledge of private data. You could use the getNativeAPI to gain access to the stub to interact with the chaincode private APIs, but that won't be enough.
From the client side, Composer does not support the transient map for invoke, nor does it support peer targeting (which you could get around by defining unique connection profiles in a card), which you need in order to use private data. In theory again you could use the getNativeAPI call to gain access to the Node SDK client and try to do it yourself by knowing how to construct the correct JSON and the appropriate function to invoke on the Composer runtime chaincode, but then you will need to do all the work of collecting the responses, submitting to the orderer and waiting for events; this is not something that is recommended or anything Composer would support.
As far as I know, you need to write your private data implementation in Golang, so Composer doesn't support such a feature. Maybe you can start to learn chaincode for Fabric.

Managing privacy in hyperledger fabric

I have a use case where I have 2 organizations; they are sharing some data and some data is kept private. Now, after a couple of years, I have a requirement to share some more data with, or restrict some data from, an organization. Is it possible in Hyperledger Fabric? If yes, please let me know how. I can see there is private data in Hyperledger Fabric, but the issue is that the data entered while the org was not allowed to have that data will never be available to that same org after allowing that org.
If you have any idea please let me know.
Thanks
In Hyperledger Fabric v1.2 it is possible to update a private data collection configuration definition or add a new collection at chaincode upgrade time. The updated configuration applies from the time the upgrade transaction is committed onwards. Newly added organizations will receive private data for subsequent collection transactions.
In future versions of Hyperledger Fabric, there is intent to add an option that allows newly added organizations to pull (reconcile) prior private data for the collections that they are now entitled to.

How to share data between two chaincodes on Hyperledger Fabric on Single Channel?

I have started to learn Hyperledger Fabric and Composer. I am able to create a simple Business Network using Composer and deploy it on Fabric, but I have a question. Let's say I have 2 BNA files (instantiated on a single channel), both having the same namespace (org.example) and the same participant name as well, Customer (the identifier will be org.example.Customer). Is there any way that I can access the participants created by the first Business Network App in another Business Network App? Logically what I can think of is that since both have been instantiated in the same channel with different chaincode and the same model file, data should be cross accessible. But it isn't.
Although chaincodes share the same ledger when installed on the same channel (and as business networks are just chaincodes, this applies to them also), Fabric still partitions the data that a chaincode can read/write by its chaincode id. So when you install 2 business networks onto the same channel they will have different chaincode ids and so their data is separately partitioned.
As mentioned in the other answer (although the link is not quite correct), what you can do is make use of a feature of composer to be able to invoke another business network on the same or even different channel from the executing business network.
As the 2 business networks are on the same channel you can not only read information but you are also able to invoke transactions that can change information. (You can only read information if the business networks are on different channels).
The correct link for the tutorial is here
https://hyperledger.github.io/composer/latest/tutorials/invoke-composer-network
Unfortunately this tutorial is rather basic and only offers a glimpse of how to interact with other business networks.
A tutorial is available on how to interact from one BNA with another one.
Here is the link to the official Hyperledger Composer documentation.
https://hyperledger.github.io/composer/latest/tutorials/invoke-composer-network

Hyperledger Fabric development lifecycle

I was wondering what is the "best" practice in ordering the steps for the HF development cycle? Here are some questions organized in different topics.
1. Specification of network infrastructure:
What are the mandatory members in one business network definition (organizations, peers, ca)?
How many peers do we need in our business network (bn)?
I am aware of the semantics of the relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization. Also, what if just one organization (org1.example.com) will use the developed network, how to specify the endorsement policy in that use case (since we need at least two organizations in the chaincode instantiate command specification)?
2. SDK development lifecycle
When we develop SDK (Node.js), in order to interact with our BN what are required CA certificates needed for our SDK app to be able to connect and issue chain-code functions?
How to issue the CA certificates needed for SDK app?
3. Chain-code development lifecycle
1. If I am using the CLI docker container for management of my BN, is it a good practice to git clone my chain-code to CLI and then to install it and instantiate it to certain peer node?
2. After I change my go chain-code, do I need to install it again with the different id to the same peer, or I can just update the existing instance of my chain-code?
My idea is to make this question sort of place where we can add all the relevant questions about these three topics, so please edit and add additional questions! Thank you for your answers.
Let me try to answer your questions:
What are the mandatory members in one business network definition (organizations, peers, ca)?
The only mandatory network entities are peers and the ordering service. Of course, to be able to define anything you should have a notion of organizations, the parties which are going to transact. Each such party is expected to have a number of peers running chaincodes (smart contracts) on the organization's behalf. A CA is required to issue certificates and bind peer and client identities to a certain organization.
How many peers do we need in our business network (bn)?
The desired number of peers is completely up to your business logic and requirements; it needs to accommodate expectations for availability, scalability and your trust model (endorsement policies).
I am aware of the semantic in relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization?
A peer is the network entity which executes chaincodes on behalf of a given organization, increasing the organization's confidence in the correctness of execution results.
Also, what if just one organization (org1.example.com) will use the developed network, how to specify the endorsement policy in that use case (since we need at least two organization in chaincode instantiate command specification)?
You do not have to have at least two organizations to define an endorsement policy, although with one org it is a bit redundant, since the default endorsement policy is to have some peer from the channel sign the endorsement request.
When we develop SDK (Node.js), in order to interact with our BN what are required CA certificates needed for our SDK app to be able to connect and issue chain-code functions?
You do not need the CA certificate, but you need a client certificate signed by the root CA to prove the client identity and enable the peer to validate whether the client has the correct access rights.
How to issue the CA certificates needed for SDK app?
You can use fabric-ca to enroll users and get client certificates, or you can simply leverage cryptogen to produce client certs for you.
If I am using the CLI docker container for management of my BN, is it a good practice to git clone my chain-code to CLI and then to install it and instantiate it to certain peer node?
Here is the thing: the peer CLI is a bit abused, since its primary usage is rapid testing in development and demoing. The proper way to communicate with Hyperledger Fabric is by using the SDKs, i.e. you basically need to implement a client which will be capable of installing and instantiating chaincodes based on your own logic and parameters relevant to your application.
After I change my go chain-code, do I need to install it again with the different id to the same peer, or I can just update the existing instance of my chain-code?
You have an upgrade procedure which is pretty well covered in the Hyperledger Fabric documentation. Or you can see a short demo on video.
My idea is to make this question sort of place where we can add all the relevant questions about these three topics, so please edit and add additional questions!
Please consider logging in to Rocket.Chat and using the #fabric channel to ask your questions.
Additionally, please take a look at the documentation, since most of the information and details about your questions can be found there and it is constantly being updated.