System for optimized key management with file groups

US 7,171,557 B2
Filed: 10/31/2001
Issued: 01/30/2007
Est. Priority Date: 10/31/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of implementing a file system, comprising:

creating a plurality of file encryption groups from a plurality of files stored in the file system based on common attributes of said plurality of files, wherein at least one of the file encryption groups includes multiple files stored in the file system;

associating each file encryption group of said plurality of file encryption groups with a respective key;

accessing one of the file encryption groups by utilizing one of the respective keys that is associated with the one file encryption group;

determining a modification in at least one attribute of a plurality of attributes for a file of the plurality of files;

utilizing the plurality of attributes for the file for indexing into a file encryption group table storing attributes for each of the plurality of file encryption groups;

determining whether an existing file encryption group of the plurality of file encryption groups has attributes matching the plurality of attribute for the file based on the indexing;

in response to determining a non-existence of an existing file encryption group having attributes matching the plurality of attributes for the file,generating a new file encryption group having attributes matching the plurality of attributes for the file;

including said file in the new file encryption group;

generating a read/write key pair for the new file encryption group;

encrypting said file with the write key of the read/write key pair generated for the new file encryption groups;

updating the table with said write key of the read/write key pair generated for the new file encryption group;

in response to determining an existence of an existing file encryption group having attributes match the plurality of attributes for the file,including said file in the existing file encryption group having the attributes matching the plurality of attributes for the file;

encrypting said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the plurality of attributes for the file; and

updating the table with the modification in the at least one attribute of the plurality of attributes for the file of the plurality of files.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A group manager module may provide the capability to segregate or associate files into file encryption groups. A file may be placed into a file encryption group based on the attributes of the file. The attributes may be characteristics/parameters that describe who has access to a file such as UNIX permission/mode bits (group-read/write/executable bit, owner-read/write/executable bits, users-read/write/executable bits) or other system for access control lists (ACLs). Once associated with a file encryption group, the file may be encrypted with the encryption (or write) key of the selected file encryption group, and thus, decrypted with the decryption (or read) key of the file encryption group. A user may have membership into multiple file encryption groups as long as the user possesses the appropriate read/write key pairs. Membership of a file in a file encryption group is determined automatically by the system based on the permission attributes assigned by the system—groups are not explicitly created by administrators or other centralized authority. It is not users that belong to groups based on their access rights, but files which belong to groups based on their permission attributes.

145 Citations

17 Claims

1. A method of implementing a file system, comprising:
- creating a plurality of file encryption groups from a plurality of files stored in the file system based on common attributes of said plurality of files, wherein at least one of the file encryption groups includes multiple files stored in the file system;
  
  associating each file encryption group of said plurality of file encryption groups with a respective key;
  
  accessing one of the file encryption groups by utilizing one of the respective keys that is associated with the one file encryption group;
  
  determining a modification in at least one attribute of a plurality of attributes for a file of the plurality of files;
  
  utilizing the plurality of attributes for the file for indexing into a file encryption group table storing attributes for each of the plurality of file encryption groups;
  
  determining whether an existing file encryption group of the plurality of file encryption groups has attributes matching the plurality of attribute for the file based on the indexing;
  
  in response to determining a non-existence of an existing file encryption group having attributes matching the plurality of attributes for the file,generating a new file encryption group having attributes matching the plurality of attributes for the file;
  
  including said file in the new file encryption group;
  
  generating a read/write key pair for the new file encryption group;
  
  encrypting said file with the write key of the read/write key pair generated for the new file encryption groups;
  
  updating the table with said write key of the read/write key pair generated for the new file encryption group;
  
  in response to determining an existence of an existing file encryption group having attributes match the plurality of attributes for the file,including said file in the existing file encryption group having the attributes matching the plurality of attributes for the file;
  
  encrypting said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the plurality of attributes for the file; and
  
  updating the table with the modification in the at least one attribute of the plurality of attributes for the file of the plurality of files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17)
- - 2. The method according to claim 1, further comprising:
    - encrypting each file in each file encryption group of said plurality of file encryption groups with said respective key;
      
      storing said encrypted files of said plurality of file encryption groups; and
      
      accessing said encrypted files from said one file encryption group by utilizing said respective key.
  - 3. The method according to claim 1, further comprising:
    - detecting a creation of a new file;
      
      encrypting said new file with a default write key; and
      
      associating said new file with a default file encryption group.
  - 4. The method according to claim 3, wherein said default file encryption group is based on an owner file permissions.
  - 5. The method according to claim 1, further comprising:
    - determining a modification in at least one attribute of a file;
      
      searching for an existing file encryption group of said plurality of file encryption groups based on said at least one attribute of said file; and
      
      associating said file with said existing file encryption group of said plurality of file encryption groups.
  - 6. The method according to claim 5, wherein said association further comprises:
    - retrieving a write key for said existing file encryption group in response to said determination of existence of said existing file encryption group;
      
      retrieving a read key for a current file encryption group of said file;
      
      decrypting said file with said read key; and
      
      encrypting said decrypted file with said write key.
  - 7. The method according to claim 5, wherein said search further comprises:
    - searching a table by using said at least one attribute of said file as a search index.
  - 8. The method according to claim 1, wherein said attributes includes at least one of the owner, the group, a group read bit, a group write bit, a group execute bit, an owner read bit, an owner write bit, an owner execute bit, user read bit, user write bit and user execute bit.
  - 17. The method of claim 1, wherein creating a plurality of file encryption groups from a plurality of files stored in the file system based on common attributes of said plurality of files further comprises:
    - determining a set of common attributes for each file encryption group;
      
      identifying files of the plurality of files stored in the file system including the set of common attributes for a respective file encryption group; and
      
      including the files stored in the file system having the set of common attributes in the respective file encryption group.

9. A system for implementing a file system, comprising:
- at least one processor;
  
  a memory coupled to said at least one processor; and
  
  a group manager module residing in said memory and executed by said at least one processor, wherein said group manager module is configured to create a plurality of file encryption groups from a plurality of flies stored in the file system based on common attributes of said plurality of files, wherein at least one of the file encryption groups includes multiple files stored in the file system, is also configured to associate each file encryption group of said plurality of file encryption groups with a respective key, and is further configured to access one of the file encryption groups by utilizing one of the respective keys that is associated with the one file encryption group;
  
  wherein said group manager module is further configured to determine a modification in at least one of the common attributes of a file of the plurality of files, wherein the at least one of the common attributes of the file was previously used by the group manger to determine which of the file encryption groups the file belongs to, is yet further configured to search for an existing file encryption group of said plurality of file encryption groups within a file encryption group table storing attributes for each of the plurality of file encryption groups using the modification in the at least one of the common attributes of said file, anddetermine whether an existing file encryption group of the plurality of file encryption groups has attributes matching the modification in the at least one of the common attributes of said file based on the search, andin response to determining a non-existence of an existing file encryption group having attributes matching the modification in the at least one of the common attributes said file, the module configured to,generate a new file encryption group having attributes matching the modification in the at least one of the common attributes of said file,include said file in the new file encryption group,generate a read/write key pair for the new file encryption group,encrypt said file with the write key of the read/write key pair generated for the new file encryption group, andupdate the table with said write key of the read/write key pair generated for the new file encryption group; and
  
  in response to determining an existence of an existing file encryption group having attributes matching the modification in the at least one of the common attributes of said file, the module configured to,include said file in the existing file encryption group having the attributes matching the modification in the at least one of the common attributes of said file,encrypt said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the modification in the at least one of the common attributes of said file, andupdate the table with the modification in the at least one of the common attributes of the files.
- View Dependent Claims (10, 11, 12)
- - 10. The system according to claim 9, wherein said group manager is further configured to encrypt each file in each file encryption group of said plurality of file encryption groups with said respective key, is yet further configured to store said encrypted files of said plurality of file encryption groups and is yet further configured to access said encrypted files from said one file encryption group by utilizing said respective key.
  - 11. The system according to claim 9, wherein said group manager module is further configured to detect a creation of a new file, is yet further configured to encrypt said new file with a default write key, and is yet further configured to associate said new file with a default file encryption group.
  - 12. The system according to claim 9, wherein said group manager module is further configured to retrieve a write key for said existing file encryption group in response to said determination of existence of said existing file encryption group, is yet further configured to retrieve a read key for a current file encryption group of said file, is yet further configured to decrypt said file with said read key, and is yet further configured to encrypt said decrypted file with said write key.

13. An apparatus for implementing a file system, comprising:
- an interface configured to communicate with a storage device;
  
  an encryption/decryption module; and
  
  a manager module configured to associate multiple files of a plurality of files stored on said storage device into a file group based on a common attributes of a plurality of attributes of said multiple files and encrypting said multiple files with one encryption key of a plurality of encryption keys by utilizing said encryption/decryption module to create a file encryption group and wherein the manager module is further configured to,determine a modification in at least one attribute of the plurality of attributes for a file of the plurality of files;
  
  utilize the plurality of attributes for the file for indexing into a file encryption group table storing attributes for each of plurality of file encryption groups;
  
  determine whether an existing file encryption group of the plurality of file encryption groups has attributes matching the plurality of attributes for the file based on the indexing; and
  
  in response to determining a non-existence of an existing file encryption group having attributes matching the plurality of attributes for the file, the module configured to,generate a new file encryption group having attributes matching the plurality of attributes for the file;
  
  including said file in the new file encryption group;
  
  generate a read/write key pair for the new file encryption group;
  
  encrypt said file with the write key of the read/write key pair generated for the new file encryption group;
  
  update the table with said write key of the read/write key pair generated for the new file encryption group; and
  
  in response to determining an existence of an existing file encryption group having attributes matching the plurality of attributes for the file, the module configured to,include said file in the existing file encryption group having the attributes matching the plurality of attributes for the file;
  
  encrypt said file with the write key of the read/write key pair for the existing file encryption group having the attributes matching the plurality of attributes for the file; and
  
  update the table with the modification in the at least one attribute of the plurality of attributes for the file of the plurality of files.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus according to claim 13, further comprising:
    - a key generation module configured to generate an encryption/decryption key pair in response to a determination of a new file group status, wherein said manager module is also configured to request said encryption/decryption pair in response to a determination of a modification of attributes of said file indicating a new file group.
  - 15. The apparatus according to claim 14, further comprising:
    - a file group table configured to maintain a listing of a plurality of encryption keys and associated file groups, wherein said manager module is further configured to update said file group table with said new file group in response to said determination of said modification of attribute of said file indicating said new file group.
  - 16. The apparatus according to claim 13, further comprising:
    - a file group table configured to maintain a listing of a plurality of encryption keys and associated file groups, wherein said manager module is further configured to search said file group table for an existing file group in response to a modification of attributes of a file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Swaminathan, Ram, Kallahalla, Mahesh, Riedel, Erik
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Abrishamkar; Kaveh

Application Number

US09/984,928
Publication Number

US 20030081784A1
Time in Patent Office

1,917 Days
Field of Search

380/277, 713/165, 713/166
US Class Current

713/165
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2209/80   Wireless network architectu...

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

System for optimized key management with file groups

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

System for optimized key management with file groups

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others