PORTABLE ENCRYPTION FORMAT

US 20170302653A1
Filed: 04/14/2016
Published: 10/19/2017
Est. Priority Date: 04/14/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for creating portable encrypted content comprising non-transitory computer executable code embodied in a computer-readable medium that, when executing on an endpoint, performs the steps of:

receiving a selection of a file for encryption from a user;

requesting a token uniquely identifying a recipient of the file from a remote identity and access management system to which the recipient can authenticate using authentication credentials;

receiving the token;

transmitting the token to a remote key server;

requesting a cryptographic key associated with the token from the remote key server, the cryptographic key including an encryption key and a decryption key;

receiving the cryptographic key from the remote key server;

receiving a password from the user for local decryption of the file;

encrypting the file with the encryption key to create an encrypted file;

encrypting the decryption key to create an object that can be decrypted using the password to recover the decryption key; and

combining the encrypted file, the object containing the decryption key, application logic providing a user interface and decryption logic for accessing the file to provide a portable encrypted data object, wherein the user interface provides a first mode of accessing the file by supplying the password to locally decrypt the decryption key and a second mode of accessing the file by retrieving the decryption key from the remote key server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Citations

20 Claims

1. A computer program product for creating portable encrypted content comprising non-transitory computer executable code embodied in a computer-readable medium that, when executing on an endpoint, performs the steps of:
- receiving a selection of a file for encryption from a user;
  
  requesting a token uniquely identifying a recipient of the file from a remote identity and access management system to which the recipient can authenticate using authentication credentials;
  
  receiving the token;
  
  transmitting the token to a remote key server;
  
  requesting a cryptographic key associated with the token from the remote key server, the cryptographic key including an encryption key and a decryption key;
  
  receiving the cryptographic key from the remote key server;
  
  receiving a password from the user for local decryption of the file;
  
  encrypting the file with the encryption key to create an encrypted file;
  
  encrypting the decryption key to create an object that can be decrypted using the password to recover the decryption key; and
  
  combining the encrypted file, the object containing the decryption key, application logic providing a user interface and decryption logic for accessing the file to provide a portable encrypted data object, wherein the user interface provides a first mode of accessing the file by supplying the password to locally decrypt the decryption key and a second mode of accessing the file by retrieving the decryption key from the remote key server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1 wherein the user interface of the portable encrypted data object transparently decrypts the file when the recipient has authenticated to the first computing environment with the authentication credentials.
  - 3. The computer program product of claim 1 wherein the user interface includes logic to remotely retrieve the token from the first computing environment using the authentication credentials and transmit the token to the remote key server to retrieve the decryption key.
  - 4. The computer program product of claim 1 wherein the user interface provides a third mode of accessing the file by receiving the authentication credentials in the user interface and applying the authentication credentials to retrieve the token.
  - 5. The computer program product of claim 4 further comprising code that performs the step of transparently decrypting the file for the recipient when the recipient is authenticated to the first computing environment.
  - 6. The computer program product of claim 1 wherein the user interface provides a fourth mode of accessing the file by providing the decryption key through the user interface.

7. A method for creating portable encrypted content, the method comprising:
- receiving a selection of a file for encryption from a user;
  
  requesting a token uniquely identifying a recipient of the file from a first computing environment to which the recipient can authenticate using authentication credentials;
  
  receiving the token;
  
  transmitting the token to a remote key server;
  
  requesting a cryptographic key associated with the token from the remote key server, the cryptographic key including an encryption key and a decryption key;
  
  receiving the cryptographic key from the remote key server;
  
  receiving a password from the user for local decryption of the file;
  
  encrypting the file with the encryption key to create an encrypted file;
  
  encrypting the decryption key to create an object that can be decrypted using the password to recover the decryption key; and
  
  combining the encrypted file, the object containing the decryption key, and application logic providing a user interface for accessing the file into a portable encrypted data object, wherein the user interface provides a first mode of accessing the file by supplying the password to locally decrypt the decryption key and a second mode of accessing the file by retrieving the decryption key from the remote key server.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 8. The method of claim 7 wherein the user interface transparently decrypts the file when the recipient has authenticated to the first computing environment with the authentication credentials.
  - 9. The method of claim 7 wherein the user interface includes logic to remotely retrieve the token from the first computing environment using the authentication credentials and transmit the token to the remote key server to retrieve the decryption key.
  - 10. The method of claim 7 wherein the user interface provides a third mode of accessing the file by receiving the authentication credentials in the user interface and applying the authentication credentials to retrieve the token.
  - 11. The method of claim 10 further comprising transparently decrypting the file for the recipient when the recipient is authenticated to the first computing environment.
  - 12. The method of claim 7 wherein the user interface provides a fourth mode of accessing the file by providing the decryption key through the user interface.
  - 13. The method of claim 7 wherein the user interface provides a fifth mode of accessing the file by providing user credentials for the remote key server.
  - 14. The method of claim 7 wherein the computing environment includes an endpoint.
  - 15. The method of claim 7 wherein the computing environment includes a remote identity and access management system.
  - 16. The method of claim 7 wherein the cryptographic key is a symmetric key and encryption key is the same as the decryption key.
  - 17. The method of claim 7 wherein the portable encrypted data object includes a hypertext markup language file containing encryption and decryption logic.
  - 18. The method of claim 7 further comprising revoking access to the file contained in the portable encrypted data object by causing the remote key server to remove an association of the recipient with the token.

19. An endpoint comprising:
- an interface to a data network;
  
  a memory storing a file; and
  
  a processor configured to create a portable encrypted data object containing the file for secure distribution over the data network by performing the steps of receiving a selection of a file for encryption from a user, requesting a token uniquely identifying a recipient of the file from a first computing environment to which the recipient can authenticate using authentication credentials, receiving the token, transmitting the token to a remote key server, requesting a cryptographic key associated with the token from the remote key server, the cryptographic key including an encryption key and a decryption key, receiving the cryptographic key from the remote key server, receiving a password from the user for local decryption of the file, encrypting the file with the encryption key to create an encrypted file, encrypting the decryption key to create an object that can be decrypted using the password to recover the decryption key, and combining the encrypted file, the object containing the decryption key, and application logic providing a user interface for accessing the file into a portable encrypted data object, wherein the user interface provides a first mode of accessing the file by supplying the password to locally decrypt the decryption key and a second mode of accessing the file by retrieving the decryption key from the remote key server.
- View Dependent Claims (20)
- - 20. The endpoint of claim 19 wherein the processor is configured to automatically create the portable encrypted data object in response to a selection of the file by the user for communication to the recipient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ortner, Stefan, Berger, Andreas, Vanbiervliet, Vincent, Ray, Kenneth D.

Granted Patent

US 10,791,097 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2463/041   using an encryption or decr...

H04L 2463/062   applying encryption of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/083   using passwords cryptograph...

H04L 63/1433   Vulnerability analysis

PORTABLE ENCRYPTION FORMAT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PORTABLE ENCRYPTION FORMAT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links