System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time
Abstract
A machine system for automatic decryption of confidential file data on a per-use basis and automatic later elimination of the decrypted data by scorching and/or re-encrypting is disclosed. The system can operate within a multi-threaded environment. The following features are provided for secure and automatic recryption: (1) use of file-exclusion lists; (2) use of application-program exclusion lists; (3) decrypting as needed in response to intercepted file-OPEN requests; (4) encrypting as needed in response to intercepted file-CLOSE requests; (5) delaying post-CLOSE encryption in special cases; (6) delaying retry of failed encryption; (7) keeping track of the number of application programs that are using each piece of decrypted plaintext; (8) identifying non-confidential files according to the directories they are contained within; (9) including encryption and decryption rules within directories that contain confidential files; and (10) avoiding unnecessary encryption of non-modified plaintext.
13 Claims
1. A machine system for maintaining confidential information generally in encrypted form while allowing for decryption of such confidential information into temporary plaintext form, said machine system comprising:
(a) a memory storing a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
(b) a decrypting mechanism for decrypting ciphertext data into plaintext data;
(c) recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data,
(c.1) wherein said recryption control means is responsive to a supplied directory exclusion list, the directory exclusion list identifying one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption, and wherein the recryption control means accordingly does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

2. A machine-implemented method for maintaining confidential information generally in encrypted form while allowing for selective decryption of such confidential information into temporary plaintext form, said machine-implemented method being carried out in a machine system that stores a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
wherein said machine system further includes:
a decrypting mechanism for decrypting ciphertext data into plaintext data; and recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
said method comprising the steps of:
(a) receiving a supplied directory exclusion list, where the received directory exclusion list identifies one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption; and
(b) responsively controlling the recryption control means in accordance with the directory exclusion list such that the recryption control means does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

3. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in a machine system that stores a plurality of digital data files, wherein each of said files is organized as belonging to one of at least first and second directories or subdirectories, and further wherein at least a first file among said files belongs to a corresponding one of said directories or subdirectories, and said first file contains first data representing a pre-encrypted form of confidential first information;
wherein said machine system further includes:
a decrypting mechanism for decrypting ciphertext data into plaintext data; and recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
said on-the-fly recryption control code comprising:
(a) receiving means for receiving a supplied directory exclusion list, where the received directory exclusion list identifies one or more directories or subdirectories whose files are to be excluded from being selected by the recryption control means for decryption; and
(b) exclusion list responding means for responsively controlling the recryption control means in accordance with the directory exclusion list such that the recryption control means does not select files identified by the directory exclusion list for decryption by the decrypting mechanism.

4. A machine system for maintaining confidential information generally in encrypted form while allowing for decryption of such confidential information into temporary plaintext form, said machine system comprising:
(a) a memory storing a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
(b) a decrypting mechanism for decrypting ciphertext data into plaintext data;
(c) recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data,
(c.1) wherein said recryption control means is responsive to a supplied programs exclusion list, the programs exclusion list identifying one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when accessed by a program identified in the programs exclusion list, and wherein the recryption control means accordingly does not select files for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

5. A machine-implemented method for maintaining confidential information generally in encrypted form while allowing for selective decryption of such confidential information into temporary plaintext form, said machine-implemented method being carried out in a machine system that stores a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
wherein said machine system further includes:
a decrypting mechanism for decrypting ciphertext data into plaintext data; and recryption control means for selecting one of the stored files and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
said method comprising the steps of:
(a) receiving a supplied programs exclusion list, where the received programs exclusion list identifies one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when such files are accessed by a program identified by the programs exclusion list; and
(b) responsively controlling the recryption control means in accordance with the programs exclusion list such that the recryption control means does not select files identified by the programs exclusion list for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

6. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in a machine system that stores a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs, and said first file contains first data representing a pre-encrypted form of confidential first information;
wherein said machine system further includes:
a decrypting mechanism for decrypting ciphertext data into plaintext data; and recryption control means for selecting one of the files stored in said memory and for causing the decrypting mechanism to decrypt data contained in the selected file and for automatically later eliminating the decrypted data;
said on-the-fly recryption control code comprising:
(a) receiving means for receiving a supplied programs exclusion list, where the received programs exclusion list identifies one or more application programs whose accessed files are to be excluded from being selected by the recryption control means for decryption when such files are accessed by a program identified by the programs exclusion list; and
(b) exclusion list responding means for responsively controlling the recryption control means in accordance with the programs exclusion list such that the recryption control means does not select files identified by the programs exclusion list for decryption by the decrypting mechanism when such files are accessed by a program identified by the programs exclusion list.

7. A machine system having an operating system and a corresponding environment that supports multi-threaded operations, said machine system comprising:
(a) a decrypting agent that defines a first thread in said multi-threaded environment;
(b) a decrypting mechanism which can be invoked by the decrypting agent, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent;
(c) recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted; and
(d) an events intercepting mechanism that operates as a second thread in said multi-threaded environment, the events intercepting mechanism including:
(d.1) request intercepting means for intercepting requests sent to the operating system and detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
(d.2) consulting means, operatively coupled to the recryption control means, for consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, for adding an identification of each such file to a to-be-executed queue of control commands, where said to-be-executed queue of control commands is operatively coupled to said threaded decrypting agent.
Dependent claims: 8, 9, 10, 11.

12. A machine-implemented method for use with an operating system and a corresponding environment that supports multi-threaded operations, where said machine system includes:
a decrypting agent that defines a first thread in said multi-threaded environment; a decrypting mechanism which can be invoked by the decrypting agent, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent; and recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted;
said method operating as a second thread in said multi-threaded environment and comprising the steps of:
(a) intercepting requests sent to the operating system;
(b) detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
(c) consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, communicating with the decrypting agent so as to invoke decryption of the so-identified files that are to be decrypted.

13. A data conveying apparatus having on-the-fly recryption control code defined therein for execution by a predefined code executing unit, the on-the-fly recryption control code being for allowing selective decryption of confidential information into temporary plaintext form, said selective decryption being carried out in a machine system having an operating system and a corresponding environment that supports multi-threaded operations, said machine system further having a plurality of digital data files, wherein at least a first file among said files is accessible to a corresponding one of plural application programs that run under the operating system, and said first file contains first data representing a pre-encrypted form of confidential first information;
wherein said on-the-fly recryption control code comprises:
(a) a decrypting agent means that defines a first thread in said multi-threaded environment;
(b) a decrypting mechanism which can be invoked by the decrypting agent means, said decrypting mechanism being for decrypting ciphertext data into plaintext data when invoked by the decrypting agent means;
(c) recryption control means for determining for a plurality of files whether certain ones of the files are to be decrypted; and
(d) an events intercepting means that operates as a second thread in said multi-threaded environment, the events intercepting means including:
(d.1) request intercepting means for intercepting requests sent to the operating system and detecting file-OPEN ones of the intercepted requests that request the opening of respective files; and
(d.2) consulting means, operatively coupled to the recryption control means, for consulting with the recryption control means to determine whether decryption is to be carried out for the respective files associated with the intercepted file-OPEN requests, and if so, for adding an identification of each such file to a to-be-executed queue of control commands, where said to-be-executed queue of control commands is operatively coupled to said threaded decrypting agent.
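The decision logic that the abstract and claims 1, 4, 7 and 13 describe, as an added example that is not the patent's own code or the assignee's: a hypothetical RecryptionControl that applies a directory exclusion list and a programs exclusion list to intercepted file-OPEN requests, counts the programs using each piece of plaintext, and at file-CLOSE queues an ENCRYPT for modified plaintext or a SCORCH for unmodified plaintext, with the queue feeding a separate decrypting-agent thread. Class name, method names, paths and program names are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from pathlib import PurePosixPath

@dataclass
class RecryptionControl:
    """Hypothetical model of the claims' 'recryption control means'; not the patent's
    own code. The intercept thread calls on_open/on_close; a separate decrypting-agent
    thread drains the queued commands."""
    dir_exclusions: set               # claim 1: directories whose files are never decrypted
    program_exclusions: set           # claim 4: programs whose opens never trigger decryption
    queue: deque = field(default_factory=deque)  # to-be-executed queue of control commands
    users: dict = field(default_factory=dict)    # feature 7: plaintext users per file
    dirty: set = field(default_factory=set)      # feature 10: files modified while plaintext

    def _excluded(self, path, program):
        parents = {str(p) for p in PurePosixPath(path).parents}
        return program in self.program_exclusions or bool(parents & self.dir_exclusions)

    def on_open(self, path, program):
        """Intercepted file-OPEN: queue DECRYPT only on the first non-excluded use."""
        if self._excluded(path, program):
            return "PASS"                 # left as ciphertext; the program sees it as-is
        count = self.users.get(path, 0)
        if count == 0:
            self.queue.append(("DECRYPT", path))
        self.users[path] = count + 1
        return "DECRYPT" if count == 0 else "SHARE"

    def on_write(self, path):
        """Record that the plaintext changed, so CLOSE must re-encrypt rather than scorch."""
        self.dirty.add(path)

    def on_close(self, path, program):
        """Intercepted file-CLOSE: eliminate the plaintext once the last user closes."""
        if self._excluded(path, program) or path not in self.users:
            return "PASS"
        self.users[path] -= 1
        if self.users[path] > 0:
            return "STILL_IN_USE"         # another program still uses the plaintext
        del self.users[path]
        cmd = "ENCRYPT" if path in self.dirty else "SCORCH"
        self.dirty.discard(path)
        self.queue.append((cmd, path))
        return cmd

    def drain(self):
        """Hand all queued commands to the decrypting-agent thread, FIFO."""
        cmds, self.queue = list(self.queue), deque()
        return cmds
```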