Perimeter enforcement of encryption rules

US 10,263,966 B2
Filed: 04/14/2016
Issued: 04/16/2019
Est. Priority Date: 04/14/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for securing network traffic comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:

receiving an electronic mail message from a sender for transmittal to a recipient different from the sender, the electronic mail message including an attachment containing at least one file;

removing the attachment from the electronic mail message;

wrapping the attachment into a portable encrypted container that contains an encrypted instance of the file, an encrypted instance of a decryption key to decrypt the file, and program code providing a user interface that supports a first mode of decryption using remote resources and authentication credentials for the recipient and a second mode of decryption based on local input of a password for decrypting the decryption key;

attaching the portable encrypted container to the electronic mail message; and

transmitting the electronic mail message and the portable encrypted container to an electronic mail gateway for communication from the sender to the recipient.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Rules are applied at a network perimeter to outbound network communications that contain file attachments. The rules may, in a variety of circumstances, require wrapping of an outbound file from the endpoint in a portable encrypted container. The network perimeter may be enforced locally at the endpoint, or at any network device between the endpoint and a recipient.

61 Citations

View as Search Results

20 Claims

1. A computer program product for securing network traffic comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- receiving an electronic mail message from a sender for transmittal to a recipient different from the sender, the electronic mail message including an attachment containing at least one file;
  
  removing the attachment from the electronic mail message;
  
  wrapping the attachment into a portable encrypted container that contains an encrypted instance of the file, an encrypted instance of a decryption key to decrypt the file, and program code providing a user interface that supports a first mode of decryption using remote resources and authentication credentials for the recipient and a second mode of decryption based on local input of a password for decrypting the decryption key;
  
  attaching the portable encrypted container to the electronic mail message; and
  
  transmitting the electronic mail message and the portable encrypted container to an electronic mail gateway for communication from the sender to the recipient.

2. A method for securing outbound network traffic, the method comprising:
- receiving a communication from a sender for communication to a recipient different from the sender, the communication including a file coupled to the communication as an attachment;
  
  removing the attachment from the communication;
  
  wrapping the attachment into a portable encrypted container that contains an encrypted instance of the file, an encrypted instance of a decryption key to decrypt the file, and program code providing a user interface that supports a first mode of decryption using remote resources and authentication credentials for the recipient and a second mode of decryption based on local input of a password for decrypting the decryption key;
  
  attaching the portable encrypted container to the communication; and
  
  transmitting the communication and the portable encrypted container to the recipient.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 3. The method of claim 2 wherein the communication is an electronic mail message.
  - 4. The method of claim 2 wherein the communication is a text message.
  - 5. The method of claim 2 wherein the communication is a file upload to a remote resource.
  - 6. The method of claim 5 wherein the remote resource includes at least one of a social networking platform, a web folder, a file transfer protocol server, a remote file directory, and a file drop box.
  - 7. The method of claim 2 wherein the file includes at least one of a word processing document, a spreadsheet, an image, a video, a presentation document, and a portable document format document.
  - 8. The method of claim 2 further comprising encrypting the file with an encryption key from a remote key server.
  - 9. The method of claim 8 further comprising associating the decryption key with the recipient at the remote key server.
  - 10. The method of claim 2 wherein wrapping the attachment includes conditionally wrapping the attachment according to a security protocol applicable to the sender.
  - 11. The method of claim 10 wherein the security protocol specifies automatic wrapping of all outbound attachments from the sender.
  - 12. The method of claim 10 wherein the security protocol specifies automatic wrapping of predetermined file types from the sender.
  - 13. The method of claim 10 wherein the security protocol specifies automatic wrapping of files from predetermined origins.
  - 14. The method of claim 2 wherein wrapping the attachment includes receiving a user input of the password for local decryption of the file.
  - 15. The method of claim 2 wherein wrapping the attachment includes automatically creating the password for local decryption of the file.
  - 16. The method of claim 2 further comprising communicating the password to the recipient through a second communication medium.
  - 17. The method of claim 16 wherein the second communication medium is different from a first communication medium bearing the communication and the attachment.
  - 18. The method of claim 2 wherein receiving the communication includes receiving the communication by at least one of an endpoint firewall for the sender, an enterprise gateway, and an electronic mail server.

19. A network device comprising:
- a first interface for receiving communications;
  
  a second interface for sending communications over a data network;
  
  a memory; and
  
  a processor configured by computer executable code stored in the memory to secure network communications by performing the steps of receiving a communication from a sender through the first interface for communication to a recipient different from the sender, the communication including a file coupled to the communication as an attachment, removing the attachment from the communication, wrapping the attachment into a portable encrypted container that contains an encrypted instance of the file, an encrypted instance of a decryption key to decrypt the file, and program code providing a user interface that supports a first mode of decryption using remote resources and authentication credentials for the recipient and a second mode of decryption based on local input of a password for decrypting the decryption key, attaching the portable encrypted container to the communication, and transmitting the communication and the portable encrypted container to the recipient through the second interface.
- View Dependent Claims (20)
- - 20. The network device of claim 19 wherein the network device includes at least one of an endpoint, a client device operated by the sender, an enterprise gateway, and an electronic mail server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Humphries, Russell, Sullivan, Gordon, Ray, Kenneth D., Merry, Anthony John, Schutz, Harald, Berger, Andreas
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/098,684
Publication Number

US 20170302635A1
Time in Patent Office

1,097 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/80   Wireless network architectu...

H04L 2463/062   applying encryption of the ...

H04L 51/08   Annexed information, e.g. a...

H04L 63/0209   Architectural arrangements,...

H04L 63/0471   applying encryption by an i...

H04L 63/083   using passwords cryptograph...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

Perimeter enforcement of encryption rules

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Perimeter enforcement of encryption rules

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others