Sharing Encrypted Documents Within and Outside an Organization

US 20200136812A1
Filed: 12/30/2019
Published: 04/30/2020
Est. Priority Date: 08/10/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprises:

providing an information management system having a key management server, a first computing device and a second computing device;

providing the key management server having a first secret and a first seed token;

providing the first computing device having a first encryption service module, wherein the first encryption service module having a second secret and a second seed token;

providing the second computing device having a second encryption service module;

detecting a file save operation on a document by the first encryption service module;

at the first encryption service module, collecting user information;

at the first encryption service module, creating a document identifier for the document;

at the first encryption service module, creating a first encryption key with the document identifier, the user information, the second seed token and the second secret;

at the first encryption service module, creating a second encryption key;

at the first encryption service module, encrypting the document with the second encryption key to produce encrypted content;

at the first encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;

at the first encryption service module, storing the document identifier, the user information, the first seed token, the second seed token, the encrypted second encryption key and the encrypted content in an encrypted document;

detecting a file open operation on the encrypted document by the second encryption service module;

at the second encryption service module, retrieving the document identifier, the user information and the first seed token in the encrypted document;

at the second encryption service module, sending the document identifier, the user information and the first seed token to the key management server;

at the key management server, creating a third encryption key with the document identifier, the user information, the first seed token and the first secret;

at the second encryption service module, receiving the third encryption key from the key management server;

at the second encryption service module, decrypting encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and

at the second encryption service module, decrypting encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of creating and managing encryption keys that facilitates sharing of encrypted content. The system may include an information management system with a key management server and a computing device having an encryption service module. The encryption service module detects operations at the computing device and encrypts a document with an encryption key created using user information and a secret.

14 Citations

View as Search Results

28 Claims

1. A method comprises:
- providing an information management system having a key management server, a first computing device and a second computing device;
  
  providing the key management server having a first secret and a first seed token;
  
  providing the first computing device having a first encryption service module, wherein the first encryption service module having a second secret and a second seed token;
  
  providing the second computing device having a second encryption service module;
  
  detecting a file save operation on a document by the first encryption service module;
  
  at the first encryption service module, collecting user information;
  
  at the first encryption service module, creating a document identifier for the document;
  
  at the first encryption service module, creating a first encryption key with the document identifier, the user information, the second seed token and the second secret;
  
  at the first encryption service module, creating a second encryption key;
  
  at the first encryption service module, encrypting the document with the second encryption key to produce encrypted content;
  
  at the first encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;
  
  at the first encryption service module, storing the document identifier, the user information, the first seed token, the second seed token, the encrypted second encryption key and the encrypted content in an encrypted document;
  
  detecting a file open operation on the encrypted document by the second encryption service module;
  
  at the second encryption service module, retrieving the document identifier, the user information and the first seed token in the encrypted document;
  
  at the second encryption service module, sending the document identifier, the user information and the first seed token to the key management server;
  
  at the key management server, creating a third encryption key with the document identifier, the user information, the first seed token and the first secret;
  
  at the second encryption service module, receiving the third encryption key from the key management server;
  
  at the second encryption service module, decrypting encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and
  
  at the second encryption service module, decrypting encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the first secret and the second secret are symmetric keys.
  - 3. The method of claim 1 wherein the first seed token and the second seed token are different.
  - 4. The method of claim 1 wherein the first secret and the second secret are different.
  - 5. The method of claim 1 wherein the first encryption key and the third encryption key are identical.
  - 6. The method of claim 1 wherein the first encryption key is not stored on the key management server.
  - 7. The method of claim 1 wherein the second encryption key is a symmetric key.
  - 8. The method of claim 1 wherein the second encryption key and the fourth encryption key are identical.
  - 9. The method of claim 1 wherein the detecting a file save operation on a document by the first encryption service module is performed using code injection.
  - 10. The method of claim 1 wherein the detecting a file save operation on a document by the first encryption service module occurs in a process of an application program, wherein the application program invokes the file save operation.
  - 11. The method of claim 1 wherein the user information comprises a digital certificate.
  - 12. The method of claim 1 wherein the document identifier is a universally unique identifier.
  - 13. The method of claim 1 wherein the detecting a file open operation on a document by the second encryption service module is performed using code injection.
  - 14. The method of claim 1 wherein the detecting a file open operation on a document by the second encryption service module occurs in a process of an application program, wherein the application program invokes the file open operation.

15. A method comprises:
- providing an information management system having a key management server and a computing device, wherein a user has logged on to the computing device;
  
  providing the key management server having a first secret and a first seed token;
  
  providing the computing device having an encryption service module, wherein the encryption service module having a second secret and a second seed token;
  
  detecting a file save operation on a document by the encryption service module;
  
  at the encryption service module, collecting user information;
  
  at the encryption service module, creating a document identifier for the document;
  
  at the encryption service module, creating a first encryption key with the document identifier, the user information, the second seed token and the second secret;
  
  at the encryption service module, creating a second encryption key;
  
  at the encryption service module, encrypting the document with the second encryption key to produce encrypted content;
  
  at the encryption service module, encrypting the second encryption key with the first encryption key to produce an encrypted second encryption key;
  
  at the encryption service module, storing the document identifier, the user information, the first seed token, the second seed token, the encrypted second encryption key and the encrypted content in an encrypted document;
  
  detecting a file open operation on the encrypted document by the encryption service module;
  
  at the encryption service module, retrieving the document identifier, the user information, the first seed token and the second seed token in the encrypted document;
  
  at the encryption service module, if the user information identifies the user, creating a third encryption key with the document identifier, the user information, the second seed token and the second secret;
  
  at the encryption service module, if the user information does not identify the user, sending the document identifier, the user information and the first seed token to the key management server;
  
  at the key management server, creating a third encryption key with the document identifier, the user information, the first seed token and the first secret;
  
  at the encryption service module, if the user information does not identify the user, receiving the third encryption key from the key management server;
  
  at the encryption service module, decrypting encrypted second encryption key in the encrypted document with the third encryption key to produce a fourth encryption key; and
  
  at the encryption service module, decrypting encrypted content in the encrypted document with the fourth encryption key to produce unencrypted content.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15 wherein the first secret and the second secret are symmetric keys.
  - 17. The method of claim 15 wherein the first secret and the second secret are different.
  - 18. The method of claim 15 wherein the first seed token and the second seed token are different.
  - 19. The method of claim 15 wherein the first encryption key and the third encryption key are identical.
  - 20. The method of claim 15 wherein the first encryption key is not stored on the key management server.
  - 21. The method of claim 15 wherein the second encryption key is a symmetric key.
  - 22. The method of claim 15 wherein the second encryption key and the fourth encryption key are identical.
  - 23. The method of claim 15 wherein the detecting a file save operation on a document by the encryption service module is performed using code injection.
  - 24. The method of claim 15 wherein the detecting a file save operation on a document by the encryption service module occurs in a process of an application program, wherein the application program invokes the file save operation.
  - 25. The method of claim 15 wherein the user information comprises a digital certificate.
  - 26. The method of claim 15 wherein the document identifier is a universally unique identifier.
  - 27. The method of claim 15 wherein the detecting a file open operation on a document by the encryption service module is performed using code injection.
  - 28. The method of claim 15 wherein the detecting a file open operation on a document by the encryption service module occurs in a process of an application program, wherein the application program invokes the file open operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng, Fung, Poon

Granted Patent

US 10,911,223 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/12   Applying verification of th...

H04L 9/08   Key distribution or managem...

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

Sharing Encrypted Documents Within and Outside an Organization

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Sharing Encrypted Documents Within and Outside an Organization

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links