ENCRYPTING OPERATING SYSTEM

US 20100217970A1
Filed: 05/07/2010
Published: 08/26/2010
Est. Priority Date: 08/23/2002
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which can data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.

Citations

71 Claims

1. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The computer system of claim 1, wherein the kernel comprises an encryption engine to encrypt clear data files to generate cipher data files, the encryption engine also to decrypt the cipher data files to generate the clear data files.
  - 3. The computer system of claim 2, wherein the memory portion is coupled to the encryption engine to store the cipher data files.
  - 4. The computer system of claim 2, wherein the encryption engine is to encrypt the clear data files and decrypt the cipher data files according to a symmetric key encryption algorithm.
  - 5. The computer system of claim 4, wherein the symmetric key encryption algorithm is based on a block cipher.
  - 6. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises Rijndael algorithm.
  - 7. The computer system of claim 6, wherein the symmetric key encryption algorithm uses a block size of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 8. The computer system of claim 6, wherein the symmetric key encryption algorithm uses a key length of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 9. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises a DES algorithm.
  - 10. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises a Triple-DES algorithm.
  - 11. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises an algorithm selected from the group consisting of IDEA, Blowfish, Twofish, and CAST-128.
  - 12. The computer system of claim 1, wherein the kernel comprises a UNIX operating system.
  - 13. The computer system of claim 12, wherein the UNIX operating system is a System V-Revision.
  - 14. The computer system of claim 3, wherein the memory portion comprises a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data.
  - 15. The computer system of claim 14, further comprising an encryption key management system, the encryption key management system to control access to the encrypted data files and the encrypted key data.
  - 17. The computer system of claim 15, wherein the encryption key management system is to store an encrypted data file name, wherein the data file are name is associated with encrypted file contents.
  - 18. The computer system of claim 17, wherein the encryption key management system is also to grant access to a data file if a corresponding access permission of the data file is a predetermined value.
  - 19. The computer system of claim 1, further comprising a secondary device coupled to the memory, wherein the secondary device stores the encrypted data file and is accessed using a file abstraction.
  - 20. The computer system of claim 19, wherein the secondary device is a backing store.
  - 21. The computer system of claim 19, wherein the secondary device is a swap device.
  - 22. The computer system of claim 19, wherein the secondary device comprises an interface port comprising a socket connection.
  - 23. The computer system of claim 22, wherein the socket connection comprises a computer network.
  - 24. The computer system of claim 23, wherein the computer network comprises the Internet.
  - 25. The operating system of claim 17, wherein the encryption key management system is also to encrypt a pathname to the encrypted data file, and to decrypt the pathname to the encrypted data file when retrieving the encrypted data file contents.

16. (canceled)

26. A computer system comprising:
- a. a first device having an operating system kernel, to encrypt clear data using an encryption key to generate cipher data, and to decrypt the cipher data using the encryption key to generate the clear data;
  
  b. a key generator to generate one or more encryption keys usable for encrypting and decrypting data only on the computer system; and
  
  c. a second device coupled to the first device to exchange cipher data with the first device.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 27. The computer system of claim 26, wherein the operating system kernel is to encrypt the clear data and decrypt the cipher data using a symmetric algorithm.
  - 28. The computer system of claim 27, wherein the symmetric algorithm comprises a block cipher.
  - 29. The computer system of claim 28, wherein the block cipher comprises Rijndael algorithm.
  - 30. The computer system of claim 29, wherein the encryption key comprises at least 1024 bits.
  - 31. The computer system of claim 26, wherein the second device comprises a backing store.
  - 32. The computer system of claim 26, wherein the second device comprises a swap device.
  - 33. The computer system of claim 26, wherein the second device forms part of a communications channel.
  - 34. The computer system of claim 33, wherein the communications channel comprises a network.
  - 35. The computer system of claim 34, wherein the network comprises the Internet.

36. A method of encrypting data, the method comprising:
- a. receiving a clear data file; and
  
  b. executing kernel code in an operating system, the kernel code using a symmetric key to encrypt the clear data file to generate an encrypted data file, the kernel code further using the symmetric key to decrypt the encrypted data file to generate the clear data file, wherein the symmetric key is generated in part by dividing a key into sub-keys each corresponding to a different block of the data file, modifying each of the sub-keys in a manner unique to its corresponding block to produce modified sub-keys, and combining the modified sub-keys.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 47)
- - 37. The method of claim 36, wherein the symmetric key encrypts the clear data file to generate encrypted data file according to a block cipher.
  - 38. The method of claim 37, wherein the block cipher comprises Rijndael algorithm.
  - 39. The method of claim 37, wherein the block cipher comprises an algorithm selected from the group consisting of DES, triple-DES, Blowfish, and IDEA.
  - 40. The method of claim 36, wherein executing kernel code comprises:
    - entering a pass key and a data file name of the clear data file into a first encryption process to produce an encrypted data file name and an encrypted data file name key; and
      
      processing the clear data file with the encrypted data file name key to generate an encrypted file contents key and an encrypted file contents.
  - 41. The method of claim 40, further comprising:
    - storing the encrypted data file name key and the encrypted file contents key in a first protected area of a computer storage; and
      
      storing the encrypted data file name and the encrypted file contents in a second protected area of the computer storage.
  - 42. The method of claim 36, wherein executing kernel code to encrypt the clear data file is performed when data is transferred between a computer memory and a secondary device.
  - 43. The method of claim 42, wherein the secondary device comprises a backing store.
  - 44. The method of claim 42, wherein the secondary device comprises a swap device.
  - 45. The method of claim 42, wherein the secondary device forms part of a network of devices.
  - 47. The method of claim 45, wherein the network comprises the Internet.

46. (canceled)

48. A computer system comprising:
- a. a processor;
  
  b. a physical memory storing a data file;
  
  c. a secondary device coupled to the physical memory; and
  
  d. an operating system comprising a kernel, the kernel to encrypt and decrypt data transferred between the physical memory and the secondary device using one or more keys generated from one or more identifiers of one or more of the data file, a root directory containing the data file, and a file system containing the root directory.
- View Dependent Claims (49, 50, 51, 52)
- - 49. The computer system of claim 48, wherein the kernel is to encrypt and decrypt data using a symmetric key encryption algorithm.
  - 50. The computer system of claim 49, wherein the symmetric key encryption algorithm is based on a block cipher.
  - 51. The computer system of claim 50, wherein the symmetric key encryption algorithm comprises Rijndael algorithm.
  - 52. The computer system of claim 51, wherein the kernel comprises a UNIX operating system.

53-58. -58. (canceled)

59. A method of decrypting a data file on a computer system comprising:
- granting permission to access the data file by determining that the data file was encrypted on the computer system as an encrypted data file;
  
  determining a location of the encrypted data file on the computer system by decrypting an encrypted directory entry; and
  
  decrypting the encrypted data file.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66)
- - 60. The method of claim 59, wherein determining that the data file was encrypted on the computer system comprises using a unique system-identifier of the computer system.
  - 61. The method of claim 60, wherein the system-identifier is a medium access controller address for the computer system.
  - 62. The method of claim 59, wherein a first encryption key is used to decrypt the encrypted directory entry and a second encryption key is used to decrypt the encrypted data file.
  - 63. The method of claim 62, further comprising using a name of the data file to generate an encrypted version of the first encryption key.
  - 64. The method of claim 63, further comprising using the encrypted version of the first encryption key and the data file to generate an encrypted version of the second encryption key.
  - 65. The method of claim 59, wherein decrypting the encrypted directory entry and decrypting the encrypted data file are executed by a kernel of an operating system executing on the computer system.
  - 66. The method of claim 59, wherein decrypting the encrypted directory entry and decrypting the encrypted data file are performed by a vnode.

67. A method comprising:
- decrypting data in a kernel of an operating system with a key that is usable only on a computer system on which the data was originally encrypted.
- View Dependent Claims (68, 69, 70, 71)
- - 68. The method of claim 67, wherein the key is generated from a first identifier of the computer system unique across computer systems.
  - 69. The method of claim 68, wherein the first identifier is a medium access controller address.
  - 70. The method of claim 68, wherein the key is further generated from a second identifier unique to encrypted data on the computer system.
  - 71. The method of claim 69, wherein the second identifier comprises an identifier of a file system containing the encrypted data, an identifier of a root directory containing the encrypted data, and an identifier of the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exit-Cube Incorporated
Original Assignee
Exit-Cube Incorporated
Inventors
Carter, Ernst B., Zolotov, Vasily

Granted Patent

US 8,407,761 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0625   with splitting of the data ...

ENCRYPTING OPERATING SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTING OPERATING SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links