Sharing encrypted documents within and outside an organization

US 10,523,423 B2
Filed: 08/09/2017
Issued: 12/31/2019
Est. Priority Date: 08/10/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

providing an information management system having a key management server and a computing device;

providing the computing device having an encryption service module;

providing the key management server having a secret, wherein the secret is not known to the encryption service module;

at the computing device at a time T1, saving a document opened in an application program by a user;

at the encryption service module, detecting a file save operation on the document;

at the encryption service module, collecting user information of the user;

at the encryption service module, sending the user information to the key management server;

at the key management server, creating a document identifier for the document;

at the key management server, creating a first encryption key with the document identifier, the user information and the secret;

at the encryption service module, receiving the document identifier and the first encryption key from the key management server;

at the encryption service module, creating a second encryption key;

at the encryption service module, encrypting the document with the second encryption key to produce encrypted content;

at the encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;

at the encryption service module, storing the document identifier, the user information, the encrypted second encryption key and the encrypted content in an encrypted document;

at the computing device at a time T2, opening the encrypted document in the application program by the user, wherein T2 happens some time after T1;

at the encryption service module, detecting a file open operation on the encrypted document;

at the encryption service module, retrieving the document identifier and the user information in the encrypted document;

at the encryption service module, sending the document identifier and the user information to the key management server;

at the key management server, creating a third encryption key with the document identifier, the user information and the secret;

at the encryption service module, receiving the third encryption key from the key management server;

at the encryption service module, decrypting the encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and

at the encryption service module, decrypting the encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of creating and managing encryption keys that facilitates sharing of encrypted content. The system may include an information management system with a key management server and a computing device having an encryption service module. The encryption service module detects operations at the computing device and encrypts a document with an encryption key created using user information and a secret.

29 Citations

View as Search Results

25 Claims

1. A method comprises:
- providing an information management system having a key management server and a computing device;
  
  providing the computing device having an encryption service module;
  
  providing the key management server having a secret, wherein the secret is not known to the encryption service module;
  
  at the computing device at a time T1, saving a document opened in an application program by a user;
  
  at the encryption service module, detecting a file save operation on the document;
  
  at the encryption service module, collecting user information of the user;
  
  at the encryption service module, sending the user information to the key management server;
  
  at the key management server, creating a document identifier for the document;
  
  at the key management server, creating a first encryption key with the document identifier, the user information and the secret;
  
  at the encryption service module, receiving the document identifier and the first encryption key from the key management server;
  
  at the encryption service module, creating a second encryption key;
  
  at the encryption service module, encrypting the document with the second encryption key to produce encrypted content;
  
  at the encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;
  
  at the encryption service module, storing the document identifier, the user information, the encrypted second encryption key and the encrypted content in an encrypted document;
  
  at the computing device at a time T2, opening the encrypted document in the application program by the user, wherein T2 happens some time after T1;
  
  at the encryption service module, detecting a file open operation on the encrypted document;
  
  at the encryption service module, retrieving the document identifier and the user information in the encrypted document;
  
  at the encryption service module, sending the document identifier and the user information to the key management server;
  
  at the key management server, creating a third encryption key with the document identifier, the user information and the secret;
  
  at the encryption service module, receiving the third encryption key from the key management server;
  
  at the encryption service module, decrypting the encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and
  
  at the encryption service module, decrypting the encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the secret is a cryptographic key.
  - 3. The method of claim 1 wherein the secret is a cryptographic hash.
  - 4. The method of claim 1 wherein the detecting a file save operation on the document is performed using code injection.
  - 5. The method of claim 1 wherein the detecting a file save operation on the document occurs in a process of the application program, wherein the application program invokes the file save operation.
  - 6. The method of claim 1 wherein the detecting a file save operation on the document occurs in an operating system kernel.
  - 7. The method of claim 1 wherein the user information comprises a user identifier.
  - 8. The method of claim 1 wherein the user information comprises a user identifier and an organization identifier.
  - 9. The method of claim 1 wherein the document identifier is a universally unique identifier.
  - 10. The method of claim 1 wherein the first encryption key is a symmetric key.
  - 11. The method of claim 1 wherein the first encryption key is a private key of a public private key pair.
  - 12. The method of claim 1 wherein the first encryption key is not stored on the key management server.
  - 13. The method of claim 1 wherein the second encryption key is a symmetric key.
  - 14. The method of claim 1 wherein the detecting a file open operation on the encrypted document is performed using code injection.
  - 15. The method of claim 1 wherein the detecting a file open operation on the encrypted document occurs in a process of the application program, wherein the application program invokes the file open operation.
  - 16. The method of claim 1 wherein the detecting a file open operation on the encrypted document occurs in an operating system kernel.
  - 17. The method of claim 10 wherein the first encryption key and the third encryption key are identical.
  - 18. The method of claim 11 wherein the third encryption key is a public key of a public private key pair.
  - 19. The method of claim 1 wherein the second encryption key and the fourth encryption key are identical.
  - 20. The method of claim 1 wherein the third encryption key does not exist before T2.

21. A method comprises:
- providing an information management system having a key management server and a computing device;
  
  providing the computing device having an encryption service module;
  
  providing the key management server having a secret, wherein the secret is not known to the encryption service module;
  
  at the computing device at a time T1, saving a document opened in an application program by a user;
  
  at the encryption service module, detecting a file save operation on the document;
  
  at the encryption service module, collecting user information of the user;
  
  at the encryption service module, creating a document identifier for the document;
  
  at the encryption service module, sending the user information and the document identifier to the key management server;
  
  at the key management server, creating a first encryption key with the document identifier, the user information and the secret;
  
  at the encryption service module, receiving the first encryption key from the key management server;
  
  at the encryption service module, creating a second encryption key;
  
  at the encryption service module, encrypting the document with the second encryption key to produce encrypted content;
  
  at the encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;
  
  at the encryption service module, storing the document identifier, the user information, the encrypted second encryption key and the encrypted content in an encrypted document;
  
  at the computing device at a time T2, opening the encrypted document in the application program by the user, wherein T2 happens some time after T1;
  
  at the encryption service module, detecting a file open operation on the encrypted document;
  
  at the encryption service module, retrieving the document identifier and the user information in the encrypted document;
  
  at the encryption service module, sending the document identifier and the user information to the key management server;
  
  at the key management server, creating a third encryption key with the document identifier, the user information and the secret;
  
  at the encryption service module, receiving the third encryption key from the key management server;
  
  at the encryption service module, decrypting the encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and
  
  at the encryption service module, decrypting the encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21 wherein the first encryption key is not stored on the key management server.
  - 23. The method of claim 21 wherein the second encryption key and the fourth encryption key are identical.
  - 24. The method of claim 21 wherein the third encryption key does not exist before T2.

25. A method comprises:
- providing an information management system having a key management server, a first computing device and a second computing device;
  
  providing the first computing device having a first encryption service module;
  
  providing the second computing device having a second encryption service module;
  
  providing the key management server having a secret, wherein the secret is not known to the first encryption service module and the second encryption service module;
  
  at the first computing device at a time T1, saving a document opened in a first application program by a first user;
  
  at the first encryption service module, detecting a file save operation on the document;
  
  at the first encryption service module, collecting user information of the first user;
  
  at the first encryption service module, sending the user information to the key management server;
  
  at the key management server, creating a document identifier for the document;
  
  at the key management server, creating a first encryption key with the document identifier, the user information and the secret;
  
  at the first encryption service module, receiving the document identifier and the first encryption key from the key management server;
  
  at the first encryption service module, creating a second encryption key;
  
  at the first encryption service module, encrypting the document with the second encryption key to produce encrypted content;
  
  at the first encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;
  
  at the first encryption service module, storing the document identifier, the user information, the encrypted second encryption key and the encrypted content in an encrypted document;
  
  at the second computing device at a time T2, opening the encrypted document in a second application program by a second user, wherein T2 happens some time after T1;
  
  at the second encryption service module, detecting a file open operation on the encrypted document;
  
  at the second encryption service module, retrieving the document identifier and the user information in the encrypted document;
  
  at the second encryption service module, sending the document identifier and the user information to the key management server;
  
  at the key management server, creating a third encryption key with the document identifier, the user information and the secret;
  
  at the second encryption service module, receiving the third encryption key from the key management server;
  
  at the second encryption service module, decrypting the encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and
  
  at the second encryption service module, decrypting the encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng, Fung, Poon
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US15/673,338
Publication Number

US 20180048464A1
Time in Patent Office

874 Days
Field of Search

713170
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/12   Applying verification of th...

H04L 9/08   Key distribution or managem...

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

Sharing encrypted documents within and outside an organization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Sharing encrypted documents within and outside an organization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others