System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time

US 5,796,825 A
Filed: 10/06/1997
Issued: 08/18/1998
Est. Priority Date: 01/16/1996
Status: Expired due to Term

First Claim

Patent Images

1. A machine system for maintaining confidential information generally in encrypted form while allowing for decryption of such confidential information into temporary plaintext form, said machine system comprising:

(a) a memory storing a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;

(b) a decrypting mechanism for decrypting ciphertext data into plaintext data;

(c) recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data,(c.1) wherein said recryption control means is responsive to a supplied directory exclusion list, the directory exclusion list identifying one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption, and wherein the recryption control means accordingly does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A machine system for automatic decryption of confidential file data on a per-use basis and automatic later elimination of the decrypted data by scorching and/or re-encrypting is disclosed. The system can operate within a multi-threaded environment. The following features are provided for secure and automatic recryption: (1) use of file-exclusion lists; (2) use of application-program exclusion lists; (3) decrypting as needed in response to intercepted file-OPEN requests; (4) encrypting as needed in response to intercepted file-CLOSE requests; (5) delaying post-CLOSE encryption in special cases; (6) delaying retry of failed encryption; (7) keeping track of the number of application programs that are using each piece of decrypted plaintext; (8) identifying non-confidential files according to the directories they are contained within; (9) including encryption and decryption rules within directories that contain confidential files; and (10) avoiding unnecessary encryption of non-modified plaintext.

Citations

13 Claims

1. A machine system for maintaining confidential information generally in encrypted form while allowing for decryption of such confidential information into temporary plaintext form, said machine system comprising:
- (a) a memory storing a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
  
  (b) a decrypting mechanism for decrypting ciphertext data into plaintext data;
  
  (c) recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data,(c.1) wherein said recryption control means is responsive to a supplied directory exclusion list, the directory exclusion list identifying one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption, and wherein the recryption control means accordingly does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

2. A machine-implemented method for maintaining confidential information generally in encrypted form while allowing for selective decryption of such confidential information into temporary plaintext form, said machine-implemented method being carried out in machine system that stores a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
- wherein said machine system further includes;
  
  a decrypting mechanism for decrypting ciphertext data into plaintext data; and
  
  recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
  
  said method comprising the steps of;
  
  (a) receiving a supplied directory exclusion list, where the received directory exclusion list identifies one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption; and
  
  (b) responsively controlling the recryption control means in accordance with the directory exclusion list such that the recryption control means does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

3. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in machine system that stores a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
- wherein said machine system further includes;
  
  a decrypting mechanism for decrypting ciphertext data into plaintext data; and
  
  recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
  
  said on-the-fly recryption control code comprising;
  
  (a) receiving means for receiving a supplied directory exclusion list, where the received directory exclusion list identifies one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption; and
  
  (b) exclusion list responding means for responsively controlling the recryption control means in accordance with the directory exclusion list such that the recryption control means does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

4. A machine system for maintaining confidential information generally in encrypted form while allowing for decryption of such confidential information into temporary plaintext form, said machine system comprising:
- (a) a memory storing a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
  
  (b) a decrypting mechanism for decrypting ciphertext data into plaintext data;
  
  (c) recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data,(c.1) wherein said recryption control means is responsive to a supplied, programs exclusion list, the programs exclusion list identifying one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when accessed by a program identified in the programs exclusion list, and wherein the recryption control means accordingly does not select files for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

5. A machine-implemented method for maintaining confidential information generally in encrypted form while allowing for selective decryption of such confidential information into temporary plaintext form, said machine-implemented method being carried out in machine system that stores a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
- wherein said machine system further includes;
  
  a decrypting mechanism for decrypting ciphertext data into plaintext data; and
  
  recryption control means for selecting one of the stored files and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
  
  said method comprising the steps of;
  
  (a) receiving a supplied programs exclusion list, where the received programs exclusion list identifies one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when such files are accessed by a program identified by the programs exclusion list; and
  
  (b) responsively controlling the recryption control means in accordance with the programs exclusion list such that the recryption control means does not select files identified by the programs exclusion list for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

6. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in machine system that stores a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
- wherein said machine system further includes;
  
  a decrypting mechanism for decrypting ciphertext data into plaintext data; and
  
  recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
  
  said on-the-fly recryption control code comprising;
  
  (a) receiving means for receiving a supplied programs exclusion list, where the received programs exclusion list identifies one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when such files are accessed by a program identified by the programs exclusion list; and
  
  (b) exclusion list responding means for responsively controlling the recryption control means in accordance with the programs exclusion list such that the recryption control means does not select files identified by the programs exclusion list for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

7. A machine system having an operating system and a corresponding environment that supports multi-threaded operations, said machine system comprising:
- (a) a decrypting agent that defines a first thread in said multi-threaded environment;
  
  (b) a decrypting mechanism which can be invoked by the decrypting agent, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent;
  
  (c) recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted; and
  
  (d) an events intercepting mechanism that operates as a second thread in said multi-threaded environment, the events intercepting mechanism including;
  
  (d.1) request intercepting means for intercepting requests sent to the operating system and detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
  
  (d.2) consulting means, operatively coupled to the recryption control means, for consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, for adding an identification of each such file to a to-be-executed queue of control commands, where said to-be-executed queue of control commands is operatively coupled to said threaded, decrypting agent.
- View Dependent Claims (8, 9, 10, 11)
- - 8. A machine system according to claim 7 wherein said recryption control means is responsive to at least a supplied one of:
    - (b.1) a directories exclusion list that identifies one or more directories or subdirectories whose files are to be excluded from being designated by the recryption control means for decryption;
      
      (b.2) a directories inclusion list that identifies one or more directories or subdirectories whose files are to be designated by the recryption control means for decryption;
      
      (b.3) a files exclusion list that identifies one or more files which are to be excluded from being designated by the recryption control means for decryption; and
      
      (b.4) a programs exclusion list that identifies one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when such files are accessed by a program identified by the programs exclusion list.
  - 9. A machine system according to claim 8 wherein said recryption control means is responsive to at least both of:
    - (b.1a) the directories exclusion list; and
      
      (b.3a) the files exclusion list; and
      
      wherein(b.5) the recryption control means responds to the directories exclusion list before being able to respond to the files exclusion list.
  - 10. A machine system according to claim 8 wherein said recryption control means is responsive to at least both of:
    - (b.1a) the directories inclusion list; and
      
      (b.3a) the files exclusion list; and
      
      wherein(b.5) the recryption control means responds to the directories inclusion list before being able to respond to the files exclusion list.
  - 11. A machine system according to claim 7 further comprising:
    - (d) an interfacing mechanism that operates as a third thread in said multi-threaded environment, the events interfacing mechanism including;
      
      (e.1) first detecting means, operatively coupled to the events intercepting mechanism, for detecting an adding of an identification of a to-be-decrypted file to the to-be-executed queue of control commands by the events intercepting mechanism; and
      
      (e.2) second detecting means, operatively coupled to the decrypting agent, for detecting completion of a decrypting operation by the decrypting agent.

12. A machine-implemented method for use with an operating system and a corresponding environment that supports multi-threaded operations, where said machine system includes:
- a decrypting agent that defines a first thread in said multi-threaded environment;
  
  a decrypting mechanism which can be invoked by the decrypting agent, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent; and
  
  recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted;
  
  said method operating as a second thread in said multi-threaded environment and comprising the steps of;
  
  (a) intercepting requests sent to the operating system;
  
  (b) detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
  
  (c) consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, communicating with the decrypting agent so as to invoke decryption of the so-identified files that are to-be decrypted.

13. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in a machine system having an operating system and a corresponding environment that supports multi-threaded operations, said machine system further having a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs that run under the operating system, and said first file contains first data representing a pre-encrypted form of confidential first information;
- wherein said on-the-fly recryption control code comprises;
  
  (a) a decrypting agent means that defines a first thread in said multi-threaded environment;
  
  (b) a decrypting mechanism which can be invoked by the decrypting agent means, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent means;
  
  (c) recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted; and
  
  (d) an events intercepting means that operates as a second thread in said multi-threaded environment, the events intercepting means including;
  
  (d.1) request intercepting means for intercepting requests sent to the operating system and detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
  
  (d.2) consulting means, operatively coupled to the recryption control means, for consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, for adding an identification of each such file to a to-be-executed queue of control commands, where said to-be-executed queue of control commands is operatively coupled to said threaded, decrypting agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lohstroh, Shawn, Grawrock, David, McDonnal, William D.
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/944,397
Time in Patent Office

316 Days
Field of Search

380/4, 380/25, 380/49
US Class Current

713/165
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2221/2141   Access rights, e.g. capabil...

System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links