Integrated file level cryptographical access control

US 20100257372A1
Filed: 03/26/2010
Published: 10/07/2010
Est. Priority Date: 03/26/2009
Status: Active Grant

First Claim

Patent Images

1. A system for controlling access to secure computer files, comprising:

a local computer having a memory, a processor and one or more network connections, further comprising;

an encryption database to store information relating to encrypted files and encryption algorithms;

a user interface communicatively linked to the encryption database;

an administrator interface communicatively linked to the encryption database independently of the user interface; and

a file system gateway communicatively linked to the encryption database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for an Integrated File Level Cryptographical Access Control (IFLCAC). The system comprises, on a local computer, an encryption database to store information relating to encrypted files and encryption algorithms, a user interface communicatively linked to the encryption database, an administrator interface communicatively linked to the encryption database independently of the user interface, and a file system gateway communicatively linked to the encryption database that resides above and operates independently of the file system and transparently to any calling application on the local computer. Also provided are methods of using the IFLCAC system and a computer program product comprising a memory tangibly storing computer executable instructions for the IFLCAC system and method and one or more computer readable media tangibly storing computer executable instructions for the IFLCAC system and method.

62 Citations

View as Search Results

31 Claims

1. A system for controlling access to secure computer files, comprising:
- a local computer having a memory, a processor and one or more network connections, further comprising;
  
  an encryption database to store information relating to encrypted files and encryption algorithms;
  
  a user interface communicatively linked to the encryption database;
  
  an administrator interface communicatively linked to the encryption database independently of the user interface; and
  
  a file system gateway communicatively linked to the encryption database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The system of claim 1, further comprising:
    - one or more applications storable on one or more computer-readable storage media and executable by the processor; and
      
      a file system to store files in and to retrieve files from a data storage device in the computer.
  - 3. The system of claim 1, wherein the file system gateway resides as a layer above and independently of any file system on the computer.
  - 4. The system of claim 3, wherein the interactions of the file system gateway within the system are transparent to a user of the system.
  - 5. The system of claim 3, wherein the file system gateway comprises a minifilter module and a windows service module communicatively linked.
  - 6. The system of claim 5, wherein the minifilter module is configured to intercept file system requests from all applications executing on the local computer
  - 7. The system of claim 5, wherein the windows service module is configured to provide encryption services and encrypted file information to the minifilter module.
  - 8. The system of claim 1, wherein the information in the encryption database is stored in at least an encrypted file table and an algorithm table.
  - 9. The system of claim 8, wherein the information is stored further in one or both of a user table or an exception field table.
  - 10. The system of claim 1, wherein the administrator interface is communicatively linked only to the encryption database.
  - 11. The system of claim 10, wherein the administrator interface further comprises an interface for the system configuration and an encrypted file viewer.
  - 12. The system of claim 1, wherein the user interface comprises a program to enable a display of one or more of a list of secured files, a list of paths to encrypted files and the files modifiers, or a list of encryption algorithms used to encrypt the files for a logged in user.
  - 13. A computer program product comprising a computer memory medium on which are tangibly stored computer readable instructions which, when executed on one or more computer processors, enable the system of claim 1.
  - 14. A method for controlling access to secure files on a local computer, comprising:
    - a) installing the system for controlling access to secure files of claim 1 onto a local computer having a memory, a processor and one or more network connections;
      
      b) intercepting an application call requesting access to file in a file system on the computer via the file system gateway comprising the system, said gateway performing the further actions of;
      
      c) querying the encryption database to determine if the file is secured;
      
      d) receiving the file security information from the encryption database;
      
      e) sending the application request down to the file system, said file system acting upon the request and returning information retrieved from the requested file up to the file system gateway;
      
      f) decrypting any secured information; and
      
      g) returning the decrypted information to the calling application, wherein the actions of the file system gateway are transparent to the calling application.
  - 15. The method of claim 14, wherein a minifilter module comprising the file system gateway intercepts the application call, steps c) and d) comprising:
    - determining if the call is one or both of a read request or a write request;
      
      communicating to the file system gateway window service module the name and file path of the requested file;
      
      querying the encryption database via the window service module;
      
      retrieving encrypted file information from the encryption database;
      
      receiving from the window service module encryption data for the requested file; and
      
      attaching the encryption data to an internal file object.
  - 16. The method of claim 15, wherein the call is a read request, the method further comprising:
    - calculating the amount of data to be read to decrypt the requested file.
  - 17. The method of claim 15, wherein the call is a write request, the method further comprising:
    - calculating the encrypted data length and offset;
      
      communicating the write data, calculated encrypted length and offset to the window service module for encryption; and
      
      receiving from the window service module the processed encrypted write file data.
  - 18. The method of claim 14, wherein via the administrator interface, the method further comprises one or more steps performed by an administrator of:
    - adding new encryption algorithms to a dynamic link library;
      
      configuring group access files;
      
      creating a list of all encrypted files in the system;
      
      updating a list of available encryption algorithms and message digests;
      
      manually encrypting or decrypting selected files,locking files against modification,flagging folders for encryption,associating an encrypted file with its encryption algorithm; and
      
      identifying users with access to the files.
  - 19. The method of claim 14, wherein via the user interface, the method further comprises one or more steps performed by a logged-in user of:
    - displaying a list of secured files, including paths to encrypted files, file modifiers and the encryption algorithm used for each file;
      
      changing a password; and
      
      obtaining authentication to access a secure file.
  - 20. The method of claim 19, further comprising, the steps of:
    - selecting a new file to be secured;
      
      selecting an encryption algorithm;
      
      entering an authentication for the file;
      
      encrypting the selected file with the encryption algorithm; and
      
      adding the secured file to a list of secured files for the user.
  - 21. A computer program product comprising a computer memory medium on which are tangibly stored computer readable instructions which, when executed on one or more computer processors, perform the method of claim 14.

22. One or more computer readable media having tangibly stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to perform actions to:
- a) intercept an application call to request access to a file in a file system on a computer via the file system gateway;
  
  b) query the encryption database to determine if the file is secured;
  
  c) receive the file security information from the encryption database;
  
  d) send the application request down to the file system;
  
  e) decrypt any secured file information returned from the file system after acting upon the request; and
  
  f) return the decrypted information to the calling application, wherein the processor performs the actions transparently to the calling application.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The one or more computer readable media of claim 22, wherein the actions a) to f) are performed independently of the file system.
  - 24. The one or more computer readable media of claim 22, wherein the computer executable instructions, when executed for steps a) to f), cause the processor(s) to:
    - determine if the call is one or both of a read request or a write request;
      
      communicate to the file system gateway window service module the name and file path of the requested file;
      
      query the encryption database via the window service module;
      
      retrieve encrypted file information from the encryption database;
      
      receive from the window service module encryption data for the requested file; and
      
      attach the encryption data to an internal file object.
  - 25. The one or more computer readable media of claim 24, wherein the call is a read request, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - calculate the amount of data to be read to decrypt the requested file.
  - 26. The one or more computer readable media of claim 24, wherein the call is a write request, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - calculate the encrypted data length and offset;
      
      communicate the write data, calculated encrypted length and offset to the window service module for encryption; and
      
      receive from the window service module the processed encrypted write file data.
  - 27. The one or more computer readable media of claim 22, further comprising computer executable instructions that, when executed, cause the processor(s) to enable an interface for an administrator.
  - 28. The one or more computer readable media of claim 27, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - add new encryption algorithms to a dynamic link library;
      
      configure group access files;
      
      create a list of all encrypted files in the system;
      
      update a list of available encryption algorithms and message digests;
      
      manually encrypt or decrypt selected files,lock files against modification,flag folders for encryption,associate an encrypted file with its encryption algorithm; and
      
      identify users with access to the files.
  - 29. The one or more computer readable media of claim 22, further comprising computer executable instructions that, when executed, cause the processor(s) to enable an interface for a logged-in user.
  - 30. The one or more computer readable media of claim 29, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - display a list of secured files, including paths to encrypted files, file modifiers and the encryption algorithm used for each file;
      
      change a password; and
      
      obtain authentication to access a secure file.
  - 31. The one or more computer readable media of claim 30, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - select a new file to be secured;
      
      select an encryption algorithm;
      
      enter an authentication for the file;
      
      encrypt the selected file with the encryption algorithm; and
      
      add the secured file to a list of secured files for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Houston System
Original Assignee
University of Houston System
Inventors
Seifert, Ryan

Granted Patent

US 9,355,267 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

G06F 21/6218 to a system of files or obj...

Integrated file level cryptographical access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated file level cryptographical access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links