SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION

US 20120246463A1
Filed: 03/21/2012
Published: 09/27/2012
Est. Priority Date: 03/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing transparent encryption for a web resource, the method comprising:

receiving, at a key manager operating on a first server, an encryption key policy;

receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator;

defining, at the key manager, an access control list based on a selection of user identifiers;

associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators;

generating, at the key manager, an encryption key and a key identifier for the first resource locator;

establishing, by a first watchdog module operating on the first server, a secure communication channel between the first watchdog module and a second watchdog module operating on a second server;

sending, from the first watchdog module, to the second watchdog module, encryption information using the secure communication channel, wherein the encryption information comprises;

the encryption key, the key identifier, and the access control list;

storing, at the transparent encryption module on the second server, the encryption key and the access control list in protected memory;

receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier;

determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource;

encrypting, at the transparent encryption module, data using the encryption key that is passed from the client device to the first resource; and

decrypting, at the transparent encryption module, data using the encryption key that is passed from the first resource to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.

87 Citations

View as Search Results

24 Claims

1. A method of providing transparent encryption for a web resource, the method comprising:
- receiving, at a key manager operating on a first server, an encryption key policy;
  
  receiving, at the key manager, from the web resource, one or more user identifiers and one or more resource locators, wherein the web resource comprises a file store accessible to a plurality of users and is operated by a resource administrator;
  
  defining, at the key manager, an access control list based on a selection of user identifiers;
  
  associating, at the key manager, the access control list and the encryption key policy with a first resource locator from the one or more resource locators;
  
  generating, at the key manager, an encryption key and a key identifier for the first resource locator;
  
  establishing, by a first watchdog module operating on the first server, a secure communication channel between the first watchdog module and a second watchdog module operating on a second server;
  
  sending, from the first watchdog module, to the second watchdog module, encryption information using the secure communication channel, wherein the encryption information comprises;
  
  the encryption key, the key identifier, and the access control list;
  
  storing, at the transparent encryption module on the second server, the encryption key and the access control list in protected memory;
  
  receiving, at the transparent encryption module, from a client device, an input comprising a request to access a first resource stored in the web resource and a user identifier;
  
  determining, at the transparent encryption module, that the user identifier is included in the access control list for the first resource;
  
  encrypting, at the transparent encryption module, data using the encryption key that is passed from the client device to the first resource; and
  
  decrypting, at the transparent encryption module, data using the encryption key that is passed from the first resource to the client device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein:
    - the web resource comprises MICROSOFT SHAREPOINT;
      
      the first server is physically secured from the second server;
      
      the resource administrator is denied access to the first server; and
      
      the resource administrator is denied access to the protected memory on the second server.
  - 3. The method of claim 1 further comprising:
    - encrypting, by the key manager on the first server, the encryption key using a master encryption key, wherein the master encryption key requires two security administrator passwords to access; and
      
      storing, by the key manager, the encrypted encryption key on a hard drive on the first server.
  - 4. The method of claim 1 further comprising:
    - determining, at the transparent encryption module, that a time of day of the input does not violate a time of day restriction;
      
      determining, at the transparent encryption module, that a data amount associated with the user identifier does not violate a data threshold; and
      
      determining, at the transparent encryption module, that the encryption key is not expired according to a key expiration date;
      
      wherein the access control list comprises the time of day restriction, the data threshold, and the key expiration date.
  - 5. The method of claim 1 further comprising:
    - monitoring, by the first watchdog module, the key manager to detect attempts to change a configuration of the key manager; and
      
      monitoring, by the second watchdog module, the transparent encryption module to determine whether any software is operating between the transparent encryption module and the web resource; and
      
      logging, on the first server, by the first watchdog module, events involving the transparent encryption module on the second server.

6. A method of providing transparent encryption for a web resource, the method comprising:
- receiving, at a second server, from a key manager operating on a first server, information comprising;
  
  an encryption key;
  
  a key identifier;
  
  an access control list; and
  
  one or more resource locators;
  
  receiving one or more resources from the web resource, wherein each resource corresponds to one of the one or more resource locators;
  
  encrypting each of the one or more resources using the encryption key to create one or more encrypted resources;
  
  appending the key identifier to each of the one or more encrypted resources;
  
  sending the one or more encrypted resources to the web resource; and
  
  storing the encryption key and the access control list in protected memory, while preventing the encryption key and the access control list from being stored on a hard disk, wherein;
  
  at least a part of the web resource operates on the second server; and
  
  the protected memory is not accessible by a web resource administrator of the second server.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method of claim 6 further comprising:
    - receiving a request from a client device, wherein the request comprises;
      
      a resource identifier; and
      
      a user identifier;
      
      determining that the user identifier is authorized to access the resource identifier according to the access control list;
      
      receiving an encrypted resource from the web resource that corresponds to the resource identifier;
      
      determining that the key identifier appended to the encrypted resource corresponds to the encryption key;
      
      decrypting the encrypted resource using the encryption key to create a decrypted resource; and
      
      sending the decrypted resource to the client device.
  - 8. The method of claim 7 further comprising:
    - determining that a time of day of the request does not violate a time-of-day restriction according to the access control list;
      
      determining that a data amount associated with the request does not violate a data quota according to the access control list; and
      
      determining that the encryption key is not deactivated.
  - 9. The method of claim 6 wherein the web resource is MICROSOFT SHAREPOINT.
  - 10. The method of claim 6 further comprising:
    - determining that a first resource in the web resource comprises a form with structured data;
      
      creating an encrypted form with the encryption key;
      
      replacing data in the form with placeholders that reference corresponding encrypted data in the encrypted form; and
      
      storing the form in the web resource with the encrypted form as an attachment.
  - 11. The method of claim 6 further comprising:
    - receiving a request from a client device, wherein the request comprises accessing a resource identifier;
      
      determining that the resource identifier is included in the access control list;
      
      determining that a resource associated with the resource identifier is not encrypted in the web resource; and
      
      sending a message to the key manager operating on the first server indicating that the resource is not encrypted.
  - 12. The method of claim 6 further comprising:
    - receiving a request from a client device, wherein the request comprises accessing a resource identifier;
      
      receiving an encrypted resource from the web resource that corresponds to the resource identifier;
      
      determining that the encryption key associated with the key identifier appended to the encrypted resource is deactivated; and
      
      sending an indication to the client device that the encrypted resource is not accessible.
  - 13. The method of claim 6 further comprising:
    - receiving a post request from a client device, wherein the post request comprises a resource identifier and an unencrypted resource;
      
      determining that the resource identifier is included in the access control list;
      
      determining that the encryption key is expired, wherein an expired key cannot be used to encrypt new files;
      
      sending an indication to the client device that the unencrypted resource cannot be posted to the web resource.
  - 14. The method of claim 13 wherein the indication is a standard SHAREPOINT access denied web page.

15. A computer-readable memory having stored thereon a sequence of instructions which, when executed by one or more processors, causes the one or more processors to manage a security policy for a web resource by a key manager by:
- receiving an encryption key policy and a key expiration date;
  
  receiving a time of day restriction and a data quota;
  
  receiving, from the web resource, one or more user identifiers, wherein the web resource operates on a separate server;
  
  receiving a selection of user identifiers from the one or more user identifiers;
  
  defining an access control list based on the selection of user identifiers, the encryption key policy, the time of day restriction, and the data quota;
  
  receiving, from the web resource on the separate server, one or more resource locators;
  
  receiving a selection of a first resource locator from the one or more resource locators;
  
  associating the access control list and the encryption key policy with the first resource locator;
  
  generating an encryption key and a key identifier for the first resource locator;
  
  sending the encryption key, the key identifier, and the access control list to a transparent encryption module, wherein;
  
  the transparent encryption module is communicatively coupled to the web resource; and
  
  the transparent encryption module is located on the separate server;
  
  encrypting the encryption key using a master encryption key; and
  
  storing the encrypted encryption key on a hard drive of the key manager;
  
  wherein the hard drive is physically secured from a web resource administrator of the separate server.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable memory of claim 15 wherein the master encryption key requires two security administrator passwords to access.
  - 17. The computer-readable memory of claim 15 wherein the one or more processors further manage the security policy for the web resource by the key manager by:
    - receiving an indication from the transparent encryption module that the encryption key is expired according to the encryption key policy;
      
      generating a second encryption key and a second key identifier for the first resource locator; and
      
      sending the second encryption key and the second key identifier to the transparent encryption module.
  - 18. The computer-readable memory of claim 15 wherein the data quota comprising an expected number of downloads within a time period.
  - 19. The computer-readable memory of claim 15 wherein the one or more processors further manage the security policy for the web resource by the key manager by:
    - receiving an indication from the transparent encryption module that the transparent encryption module is missing the encryption key; and
      
      resending the encryption key to the transparent encryption module.

20. A system for maintaining the integrity of a transparent encryption system for a web resource by a watchdog function, the system comprising:
- a processor; and
  
  a memory communicatively coupled with and readable by the processor and having stored therein a sequence of instructions which, when executed by the processor, cause the processor to maintaining the integrity of the transparent encryption system by;
  
  establishing a secure communication channel between a key manager operating on a first server and a transparent encryption module operating on a second server;
  
  receiving, from the key manager, information associated with a first resource locator in the web resource, wherein the information comprises;
  
  an encryption key;
  
  a key identifier; and
  
  an access control list;
  
  sending the information to the transparent encryption module using the secure communication channel;
  
  logging, on the first server, an attempt to access a first resource associated with the first resource locator by the transparent encryption module on the second server;
  
  crawling the web resource on the second server to identify unencrypted resources that should be encrypted according to the encryption policy, wherein the watchdog function uses an API of the web resource;
  
  monitoring the key manager to detect attempts to change a configuration of the key manager; and
  
  monitoring the transparent encryption module to determine whether any software is operating between the transparent encryption module and the web resource.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20 wherein the instructions further cause the processor to maintaining the integrity of the transparent encryption system by:
    - detecting a software process operating between the web resource and the transparent encryption module on the second server; and
      
      sending information to the key manager indicating the software process.
  - 22. The system of claim 20 wherein the instructions further cause the processor to maintaining the integrity of the transparent encryption system by:
    - causing the transparent encryption module to prevent further decryption of resources in the web resource.
  - 23. The system of claim 20 wherein the instructions further cause the processor to maintaining the integrity of the transparent encryption system by monitoring the physical security of the first server.
  - 24. The system of claim 20 wherein the instructions further cause the processor to maintaining the integrity of the transparent encryption system by:
    - detecting an unencrypted resource that should be encrypted within the web resource; and
      
      causing the transparent encryption module to encrypt the unencrypted resource according to an encryption policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CipherPoint Software, Incorporated (Cipherpoint Ltd.)
Original Assignee
CipherPoint Software, Incorporated (Cipherpoint Ltd.)
Inventors
Shea, Woody, Fleck, Michael

Granted Patent

US 8,631,460 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/101   Access control lists [ACL]

H04L 63/108   when the policy decisions a...

H04L 9/088   Usage controlling of secret...

SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR IMPLEMENTING TRANSPARENT ENCRYPTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links