Protecting Documents Using Policies and Encryption
First Claim
1. A method comprising:
- providing a system comprising unencrypted and encrypted document content, wherein an unencrypted document is encrypted to become an encrypted document, and the encrypted document is larger in size than the unencrypted document from which it is derived;
- providing an encryption service driver executing on a computing device;
- permitting access to an encrypted document by an application program on the computing device;
- when an access to an encrypted document occurs, using the encryption service to intercept the access of the encrypted document;
- at the encryption service, identifying the application program attempting to access the encrypted document;
- from the encryption service, sending identification information on the application program to a policy enforcer component executing on the computing device;
- using the policy enforcer, determining if the application program can be trusted to protect unencrypted content of the encrypted document;
- if the application program is determined to be trusted, receiving a decryption key at the encryption service, the encryption service decrypting the encrypted document to produce unencrypted content, and providing the unencrypted content to the application program; and
- if the application program is determined not to be trusted, providing encrypted content of the encrypted document to the application program.
Abstract
A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).
20 Claims
11. A method of distributing encryption keys in an information management system comprising:
- providing a plurality of encryption keys for encrypting and decrypting documents, wherein the plurality of encryption keys are stored in a key management server;
- providing a plurality of policies for controlling access to documents, wherein the plurality of policies are stored on a policy server;
- providing a policy enforcer on a computing device;
- accessing an encrypted document by an application program, wherein the application program runs on the computing device;
- distributing a subset of the plurality of policies to the policy enforcer, wherein the policy enforcer enforces the subset of the plurality of policies to control access to documents at the computing device;
- distributing a subset of the plurality of encryption keys to the policy enforcer, wherein the policy enforcer manages the subset of the plurality of encryption keys to control encryption and decryption of documents at the computing device;
- intercepting the accessing of the encrypted document by the application program by the policy enforcer;
- evaluating at least one policy in the subset of the plurality of policies by the policy enforcer to determine if the accessing of the encrypted document by the application program should be allowed;
- if the accessing of the encrypted document by the application program is not allowed, denying access to the encrypted document by the application program; and
- if the accessing of the encrypted document by the application program is allowed, providing an encryption key for decrypting the encrypted document to produce unencrypted content of the encrypted document, and providing the unencrypted content to the application program.
17. A method comprising:
- providing a policy enforcer;
- providing a first application program;
- providing a shared key ring at a first device, wherein the shared key ring is associated with the policy enforcer and comprises at most one domain key and a plurality of shared keys;
- providing a file at the first device, wherein the file further comprises a document content portion and a control data portion;
- extracting a content key from the control data portion;
- encrypting the document content portion using the content key;
- extracting a first key identifier from the control data portion;
- requesting from the policy enforcer a local key;
- encrypting the control data portion of the file with the local key;
- intercepting a request to access the file at a second application program;
- determining at the policy enforcer whether the request to access the file at the second application program should be granted;
- if the request to access the file at the second application program is granted, preparing the document content portion, comprising: decrypting the content key with the local key; requesting from the policy enforcer a shared key from the key ring, wherein the shared key is accessible by a second device; receiving the shared key; and encrypting the local key with the shared key; and
- transmitting the document content portion encrypted by the content key to the second application program.