Method and apparatus for securing electronic data

US 7,681,034 B1
Filed: 02/12/2002
Issued: 03/16/2010
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for securing a file, the method comprising:

determining whether the file stored in a file system and being accessed is secured;

if the file is determined to be secured, activating a cipher module and loading the file from the file system through the cipher module into an application; and

if the file is determined to be non-secured, loading the file from the file system into the application without activating the cipher module, wherein the file includes a header having a file key, the file key is encrypted with a user key, and the user key is different from the file key.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securing electronic data and keeping the electronic data secured at all times are disclosed. According to one embodiment, a client module in a client machine is configured to provide access control to secured documents that may be located in a local store, another computer machine or somewhere over a data network. The client module includes a document-securing module configured to operate in a path through which a document being accessed is caused to pass so that the document can be examined or detected for the security nature. If the document is secured, the document-securing module obtains a user or group key to decrypt security information in the secured document for access rules therein. If a user accessing the document is determined to have the access privilege to the secured document, a file key is retrieved from the security information and a cipher module is activated to decrypt the encrypted data portion with the file key. Likewise, if a document is to be secured, the cipher module encrypts clear data from the document to create the encrypted data portion. The document-securing module integrates proper or desired security information with the encrypted data portion to produce the secured document.

697 Citations

52 Claims

1. A computer implemented method for securing a file, the method comprising:
- determining whether the file stored in a file system and being accessed is secured;
  
  if the file is determined to be secured, activating a cipher module and loading the file from the file system through the cipher module into an application; and
  
  if the file is determined to be non-secured, loading the file from the file system into the application without activating the cipher module, wherein the file includes a header having a file key, the file key is encrypted with a user key, and the user key is different from the file key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the cipher module, once activated, operates within an operating system.
  - 3. The method of claim 1, wherein the file further includes an encrypted portion and the header includes or points to security information including the file key used to decrypt the encrypted portion.
  - 4. The method of claim 3, wherein the loading the file from the file system through the cipher module into the application comprises:
    - retrieving the file key;
      
      decrypting the encrypted portion with the file key in the cipher module; and
      
      sending the file in clear mode to the application.
  - 5. The method of claim 4, wherein the retrieving the file key comprises:
    - obtaining the user key; and
      
      decrypting security information including the file key with the user key to retrieve the file key.
  - 6. The method of claim 1, further comprising:
    - launching the application when a request to access the file is received.

7. A computer implemented method for securing a file, the method comprising:
- determining if the file stored in a file system and being accessed includes a header, wherein existence of the header indicates that the file is secured, wherein the header includes a file key, the file key is encrypted with a user key, and the user key is different from the file key;
  
  activating a cipher module and loading the file from the file system through the cipher module into an application if the file is determined to be secured; and
  
  loading the file from the file system into the application without activating the cipher module if the file is determined to be non-secured.

8. A computer implemented method for securing a file, the method comprising:
- determining if the file stored in a file system and being accessed has a flag, wherein existence of the flag indicates that the file is secured, wherein the file includes a header having a file key, the file key is encrypted with a user key, and the user key is different from the file key;
  
  activating a cipher module and loading the file from the file system through the cipher module into an application if the file is determined to be secured; and
  
  loading the file from the file system into the application without activating the cipher module if the file is determined to be non-secured.

9. A computer implemented method for securing a file, the method comprising:
- determining whether the file stored in a file system and being accessed is secured, wherein the file includes a header and an encrypted portion, the header including or pointing to security information including a file key used to decrypt the encrypted portion, wherein the security information including the file key is encrypted with a user key, and wherein the security information further includes access rules to control how and by whom the file is to be accessed;
  
  if the file is determined to be secured, activating a cipher module, loading the file from the file system through the cipher module into an application, retrieving the file key, obtaining the user key, decrypting the security information with the user key to retrieve the file key, and decrypting the encrypted portion with the file key in the cipher module, and sending the file in clear mode to the application; and
  
  if the file is determined to be non-secured, loading the file from the file system into the application without activating the cipher module.
- View Dependent Claims (10)
- - 10. The method of claim 9, wherein the loading the file from the file system through the cipher module into the application only happens if an access privilege is within permissions granted by the access rules.

11. A computer implemented method for securing a file, the method comprising:
- maintaining a file key in a temporary memory space;
  
  encrypting the file with the file key in a cipher module to produce an encrypted portion;
  
  preparing security information for the encrypted portion, the security information being encrypted with a user key and including the file key and access rules to control access to the encrypted portion, wherein the access rules in the security information comprise user information identifying who has access to the encrypted portion and how the encrypted portion is to be accessed; and
  
  attaching the security information to the encrypted portion.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising deleting the file key from the temporary memory space when the attaching the security information to the encrypted portion is complete.
  - 13. The method of claim 11, wherein the encrypting the file with the file key, the preparing the security information, and the attaching the security information happen whenever the file is caused to be stored.
  - 14. The method of claim 11, wherein the encrypting the file with the file key, the preparing the security information, and the attaching the security information happen upon receiving an instruction from an application or an operating system supporting the application.
  - 15. The method of claim 14, wherein the instruction is one of (i) Save, (ii) Close or (iii) Exit, all provided in the application.
  - 16. The method of claim 14, wherein the instruction is generated from an automatic operation of saving the file being opened into a storage space, the automatic operation being triggered by the application itself or the operating system.
  - 17. The method of claim 11, wherein the user key is associated with a member selected from a group consisting of a user, a device, a software module, and a group of users.
  - 18. The method of claim 11, further comprising:
    - launching an application that accesses the file.

19. A computer implemented method for providing access control to a file, the method comprising:
- forwarding a request to access the file to a file system manager in an operating system;
  
  activating a document securing module by the file system manager to determine whether the file stored in a file system driver and being accessed is secured, wherein the file includes a header having a file key, the file key is encrypted with a user key, and the user key is different from the file key;
  
  activating a cipher module if the file is determined to be secured; and
  
  loading the file from the file system driver through the cipher module into an application.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, further comprising:
    - retrieving security information from the file if the file is determined to be secured, the security information including the file key and access rules; and
      
      obtaining an access privilege requesting to access the file.
  - 21. The method of claim 20, wherein the activating the cipher module proceeds successfully when the access privilege is within permissions granted by the access rules.
  - 22. The method of claim 21, wherein the activating the cipher module comprises decrypting an encrypted portion of the file with the file key.
  - 23. The method of claim 19, further comprising:
    - launching the application under the operating system when the request to access the file is received.

24. A computer-readable storage medium having stored thereon, computer-executable instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- determining whether the file stored in a file system and being accessed is secured;
  
  if the file is determined to be secured,activating a cipher module; and
  
  loading the file from the file system through the cipher module into an application; and
  
  if the file is determined to be non-secured,loading the file from the file system into the application without activating the cipher module;
  
  wherein the file includes a header having a file key, the file key is encrypted with a user key, and the user key is different from the file key.
- View Dependent Claims (25, 26)
- - 25. The computer-readable storage medium of claim 24, wherein the file further includes an encrypted portion and the header includes or points to security information including the file key used to decrypt the encrypted portion.
  - 26. The computer readable storage medium of claim 24, wherein the program code stored on the medium, if executed, causes the application to be launched when a request to access the file is received.

27. A computer-readable storage medium having stored thereon, computer-executable instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- determining if the file stored in a file system and being accessed includes a header, wherein existence of the header indicates that the file is secured, wherein the header includes a file key, the file key is encrypted with a user key, and the user key is different from the file key;
  
  if the file is determined to be secured,activating a cipher module; and
  
  loading the file from the file system through the cipher module into the application; and
  
  if the file is determined to be non-secured,loading the file from the file system into the application without activating the cipher module.
- View Dependent Claims (28, 29)
- - 28. The computer-readable storage medium of claim 27, wherein the loading the file from the file system driver through the cipher module into the application comprises:
    - retrieving the file key;
      
      decrypting an encrypted portion with the file key in the cipher module; and
      
      sending the file in clear mode to the application.
  - 29. The computer-readable storage medium of claim 28, wherein the retrieving the file key comprises:
    - obtaining the user key; and
      
      decrypting security information including the file key with the user key to retrieve the file key.

30. A computer-readable storage medium having stored thereon, computer-executable instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- determining whether the file stored in a file system and being accessed is secured, wherein the file includes a header and an encrypted portion, the header including or pointing to security information including a file key used to decrypt the encrypted portion, wherein the security information including the file key is encrypted with a user key, and wherein the security information further includes access rules of how and by whom the file is to be accessed;
  
  if the file is determined to be secured,activating a cipher module; and
  
  loading the file from the file system through the cipher module into the application;
  
  retrieving the file key;
  
  obtaining the user key;
  
  decrypting the security information with the user key to retrieve the file key;
  
  decrypting the encrypted portion with the file key in the cipher module; and
  
  sending the file in clear mode to the application; and
  
  if the file is determined to be non-secured,loading the file from the file system into the application without activating the cipher module.
- View Dependent Claims (31)
- - 31. The computer-readable storage medium of claim 30, wherein the loading the file from the file system through the cipher module into the application proceeds if an access privilege is within permissions granted by the access rules.

32. A computer-readable storage medium having stored thereon, computer-executable instructions that if executed by a computing device, cause the computing device to perform a method comprising:
- maintaining a file key in a temporary memory space;
  
  encrypting the file with the file key in a cipher module to produce an encrypted file, wherein the file has been opened with an application and the cipher module operates transparently as far as a user executing the application is concerned; and
  
  storing, in a storage space, a secured file including the encrypted file and a header, wherein the header includes or points to security information including the file key, wherein the security information further includes access rules of how and by whom the file is to be accessed.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40)
- - 33. The computer-readable storage medium of claim 32, the method further comprising deleting the file key from the temporary memory space if the application closes the file.
  - 34. The computer-readable storage medium of claim 32, wherein the encrypting the file with the file key happens if the file is caused to be stored.
  - 35. The computer-readable storage medium of claim 32, wherein the encrypting the file with the file key happens an instruction from the application or an operating system supporting the application.
  - 36. The computer-readable storage medium of claim 35, wherein the instruction is one of (i) Save, (ii) Close or (iii) Exit, all provided in the application.
  - 37. The computer-readable storage medium of claim 35, wherein the instruction is generated from an automatic operation of saving the file being opened into the storage space, the automatic operation is either triggered by the application itself or the operating system.
  - 38. The computer-readable storage medium of claim 32, further comprising encrypting the security information with a user key associated with a member selected from a group consisting of a user, a device, a software module, and a group of users.
  - 39. The computer-readable storage medium of claim 32, further comprising attaching the header to the encrypted file, wherein the header includes the security information encrypted in addition to a flag indicating that the file is secured.
  - 40. The computer readable storage medium of claim 32, wherein the program code stored on the medium, if executed, causes the application to be launched.

41. A computing device for securing a file, comprising:
- an application configured to access the file that includes security information and an encrypted portion, the security information further including a file key and access rules, the encrypted portion being an encrypted version of the file; and
  
  a cipher module configured to activate upon determining that the file being accessed is secured;
  
  wherein the security information is configured to be encrypted with a user key, is configured to be decrypted with the user key when authenticated, and includes access rules of how and by whom the file is to be accessed; and
  
  wherein the file key is configured to be retrieved to decrypt the encrypted portion only after the access rules have been successfully measured against access privilege.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 42. The computing device of claim 41, further comprising an operating system configured to support operations of the application, and wherein the cipher module is embedded in the operating system.
  - 43. The computing device of claim 41, wherein the cipher module is configured to operate in a path through which the file is caused to pass when accessed by the application.
  - 44. The computing device of claim 41, further including a memory space and a storage space, and wherein the file key is temporarily kept in the memory space when the file is successfully loaded into the application.
  - 45. The computing device of claim 44, wherein the file key is deleted from the memory space as soon as the file is written back to the storage space.
  - 46. The computing device of claim 41, wherein the user key becomes authenticated by an authentication process.
  - 47. The computing device of claim 41, wherein the computing device is coupled to a second computing device over a data network and the user key becomes authenticated only after successful logging from the computing device into the second computing device.
  - 48. The computing device of claim 41, wherein the computing device is provided with means for capturing biometric data and the user key becomes authenticated only after the biometric data is successfully verified.
  - 49. The computing device of claim 41, wherein the user key becomes authenticated after the computing device receives credential information.
  - 50. The computing device of claim 49, wherein the credential information includes at least one of a password, biometric information, or personalized information.
  - 51. The computing device of claim 50, wherein the biometric information is captured from a device coupled to the computing device.
  - 52. The computing device of claim 41, wherein the application is launched to access the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Lee, Chang-Ping, Garcia, Denis Jacques Paul
Primary Examiner(s)
Revak; Christopher A

Application Number

US10/074,996
Time in Patent Office

2,954 Days
Field of Search

None
US Class Current

713/164
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Method and apparatus for securing electronic data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

697 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing electronic data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

697 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links