Systems and methods for a cryptographic file system layer

US 10,402,582 B2
Filed: 01/29/2018
Issued: 09/03/2019
Est. Priority Date: 02/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving using a programmed hardware processor an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;

in response to receiving the identification, beginning a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;

monitoring a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and

in response to detecting that the data access request is associated with the designated directory location;

intercepting the data access request, wherein the intercepting is transparent to a user of the computer system;

retrieving a data file associated with the data access request;

modifying the data file by performing a cryptographic operation on the data file to generate a modified data file that comprises a substantially random distribution of the data file, wherein the distribution results in a reordering of at least two units of data in the data file;

generating a modified data access request including an identifier associated with the modified data file;

sending the modified data access request to the file system layer or the application layer; and

in response to sending the modified data access request, resuming the process to modify the one or more data files in the designated directory location.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.

Citations

20 Claims

1. A method comprising:
- receiving using a programmed hardware processor an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;
  
  in response to receiving the identification, beginning a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;
  
  monitoring a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and
  
  in response to detecting that the data access request is associated with the designated directory location;
  
  intercepting the data access request, wherein the intercepting is transparent to a user of the computer system;
  
  retrieving a data file associated with the data access request;
  
  modifying the data file by performing a cryptographic operation on the data file to generate a modified data file that comprises a substantially random distribution of the data file, wherein the distribution results in a reordering of at least two units of data in the data file;
  
  generating a modified data access request including an identifier associated with the modified data file;
  
  sending the modified data access request to the file system layer or the application layer; and
  
  in response to sending the modified data access request, resuming the process to modify the one or more data files in the designated directory location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location, sending the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication.
  - 3. The method of claim 1, further comprising retrieving one or more shares associated with the data file from a network storage location associated with the designated directory location.
  - 4. The method of claim 1, further comprising generating a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 5. The method of claim 1, wherein the storing, the monitoring, and the modifying are each transparent to the user of the application layer or the file system layer.
  - 6. The method of claim 1 further comprising designating a directory as a designated directory location automatically upon creation of the directory.
  - 7. The method of claim 1, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 8. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 9. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 10. The method of claim 1, further comprising generating compliance data indicative of a proportion of modified data files to the total target of data files to be modified.

11. A system comprising:
- a programmed hardware processor in communication with non-transient computer-readable memory, the programmed hardware processor configured to;
  
  receive an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;
  
  in response to receiving the identification, begin a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;
  
  monitor a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and
  
  in response to detecting that the data access request is associated with the designated directory location;
  
  intercept the data access request, wherein the intercepting is transparent to a user of the computer system;
  
  retrieve a data file associated with the data access request;
  
  modify the data file by performing a cryptographic operation on the data file to generate a modified data file that comprises a substantially random distribution of the data file, wherein the distribution results in a reordering of at least two units of data in the data file;
  
  generate a modified data access request including an identifier associated with the modified data file;
  
  send the modified data access request to the file system layer or the application layer; and
  
  in response to sending the modified data access request, resume the process to modify the one or more data files in the designated directory location.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the programmed hardware processor is further configured to:
    - send the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location.
  - 13. The system of claim 11, wherein the programmed hardware processor is further configured to retrieve one or more shares associated with the data file from a network storage location associated with the designated directory location.
  - 14. The system of claim 11, wherein the programmed hardware processor is further configured to generate a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 15. The system of claim 11, wherein the programmed hardware processor is configured to perform the storing, the monitoring, and the modifying transparently to the user of the application layer or the file system layer.
  - 16. The system of claim 11, wherein the programmed hardware processor is further configured to designate a directory as a designated directory location automatically upon creation of the directory.
  - 17. The system of claim 11, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 18. The system of claim 11, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 19. The system of claim 11, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 20. The system of claim 11, wherein the programmed hardware processor is further configured to generate compliance data indicative of a proportion of modified data files to the total target of data files to be modified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Davenport, Roger S.
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/882,694
Publication Number

US 20180150649A1
Time in Patent Office

582 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

H04L 9/065   Encryption by serially and ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

Systems and methods for a cryptographic file system layer

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for a cryptographic file system layer

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links