Encrypting operating system

US 7,810,133 B2
Filed: 08/25/2003
Issued: 10/05/2010
Est. Priority Date: 08/23/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system comprising:

a memory portion containing an encrypted data file, wherein the memory portion comprises a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data;

an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein; and

an encryption key management system to control access to the encrypted data files and the encrypted key data, wherein the encryption key management system comprises a key engine, the key engine to receive a pass key and a data file name to generate an encrypted data file name key, the key engine also to use the encrypted data file name key and the data file contents to generate an encrypted data file contents key, the key engine also to encrypt the data file contents with the encrypted data file contents key to generate encrypted data file contents and to encrypt the data file name with the encrypted data file name key to generate an encrypted data file name.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which can data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.

83 Citations

View as Search Results

65 Claims

1. A computer system comprising:
- a memory portion containing an encrypted data file, wherein the memory portion comprises a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data;
  
  an operating system comprising a kernel to use a unique system-identifier to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein; and
  
  an encryption key management system to control access to the encrypted data files and the encrypted key data, wherein the encryption key management system comprises a key engine, the key engine to receive a pass key and a data file name to generate an encrypted data file name key, the key engine also to use the encrypted data file name key and the data file contents to generate an encrypted data file contents key, the key engine also to encrypt the data file contents with the encrypted data file contents key to generate encrypted data file contents and to encrypt the data file name with the encrypted data file name key to generate an encrypted data file name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The computer system of claim 1, wherein the kernel comprises an encryption engine to encrypt clear data files to generate cipher data files, the encryption engine also to decrypt the cipher data files to generate the clear data files.
  - 3. The computer system of claim 2, wherein the memory portion is coupled to the encryption engine to store the cipher data files.
  - 4. The computer system of claim 2, wherein the encryption engine is to encrypt the clear data files and decrypt the cipher data files according to a symmetric key encryption algorithm.
  - 5. The computer system of claim 4, wherein the symmetric key encryption algorithm is based on a block cipher.
  - 6. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises Rijndael algorithm.
  - 7. The computer system of claim 6, wherein the symmetric key encryption algorithm uses a block size of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 8. The computer system of claim 6, wherein the symmetric key encryption algorithm uses a key length of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 9. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises a DES algorithm.
  - 10. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises a Triple-DES algorithm.
  - 11. The computer system of claim 5, wherein the symmetric key encryption algorithm comprises an algorithm selected from the group consisting of IDEA, Blowfish, Twofish, and CAST-128.
  - 12. The computer system of claim 1, wherein the kernel comprises a UNIX operating system.
  - 13. The computer system of claim 12, wherein the UNIX operating system is a System V-Revision.
  - 14. The computer system of claim 1, wherein the encryption key management system is to store the encrypted data file name, wherein the data file name is associated with the encrypted data file contents.
  - 15. The computer system of claim 14, wherein the encryption key management system is also to grant access to a data file if a corresponding access permission of the data file is a predetermined value.
  - 16. The computer system of claim 14, wherein the encryption key management system is also to encrypt a pathname to the encrypted data file, and to decrypt the pathname to the encrypted data file when retrieving the encrypted data file contents.
  - 17. The computer system of claim 1, further comprising a secondary device coupled to the memory, wherein the secondary device stores the encrypted data file and is accessed using a file abstraction.
  - 18. The computer system of claim 17, wherein the secondary device is a backing store.
  - 19. The computer system of claim 17, wherein the secondary device is a swap device.
  - 20. The computer system of claim 17, wherein the secondary device comprises an interface port comprising a socket connection.
  - 21. The computer system of claim 20, wherein the socket connection comprises a computer network.
  - 22. The computer system of claim 21, wherein the computer network comprises the Internet.
  - 23. The computer system of claim 1, wherein the kernel is also to encrypt or decrypt a data file in the directory with a corresponding one of multiple file encryption keys and to encrypt or decrypt the directory with a directory encryption key.
  - 24. The computer system of claim 23, wherein the multiple file encryption keys are different from each other.
  - 25. The computer system of claim 1, wherein the encrypted directory comprises encrypted directory information including file names and locations of data blocks.
  - 26. The computer system of claim 1, wherein the encrypted directory comprises encrypted directory information including data file names and corresponding i-node entries.
  - 27. The computer system of claim 1, further comprising a plurality of different encryption keys to decrypt corresponding blocks of the data file.

28. A computer system comprising:
- a. a first device having an operating system kernel and a directory structure with directory information comprising encrypted data file names and corresponding encrypted data file locations for accessing encrypted data files within a file system, the operating system kernel to decrypt the encrypted data file names and encrypted data file locations using one or more encryption keys to recover clear data corresponding to the data file names, data file locations, and data files, the operating system kernel comprising a virtual node to encrypt the clear data using the one or more encryption keys to generate cipher data corresponding to the directory information and encrypted data files;
  
  b. a key generator to generate the one or more encryption keys from identifiers unique to the computer system and unique to encrypted data files on the computer system; and
  
  c. a second device coupled to the first device to exchange cipher data with the first device.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 29. The computer system of claim 28, wherein the operating system kernel is to encrypt clear data and decrypt cipher data using a symmetric algorithm.
  - 30. The computer system of claim 29, wherein the symmetric algorithm comprises a block cipher.
  - 31. The computer system of claim 30, wherein the block cipher comprises a Rijndael algorithm.
  - 32. The computer system of claim 31, wherein one of the one or more encryption keys comprises at least 1024 bits.
  - 33. The computer system of claim 28, wherein the second device comprises a backing store.
  - 34. The computer system of claim 28, wherein the second device comprises a swap device.
  - 35. The computer system of claim 28, wherein the second device forms part of a communications channel.
  - 36. The computer system of claim 35, wherein the communications channel comprises a network.
  - 37. The computer system of claim 36, wherein the network comprises the Internet.
  - 38. The computer system of claim 28, wherein the operating system kernel is also to locate a target directory by comparing an encrypted name of the target directory with encrypted names of candidate directories on the computer system.
  - 39. The computer system of claim 28, wherein the directory information comprises data file names and locations of data blocks.
  - 40. The computer system of claim 28, wherein the directory information comprises data file names and corresponding i-node entries.

41. A method of storing an encrypted data file in a computer file system having a directory, the method comprising:
- a. receiving a clear data file having a name; and
  
  b. executing kernel code in an operating system, the kernel code comprising a virtual node comprising drivers to encrypt the clear data file to generate an encrypted data file using a symmetric key, store the encrypted data file at a location in the computer file system, and store in the directory an entry containing an encryption of the name and an encryption of the location, wherein the symmetric key is generated in part by dividing a first key into sub-keys each corresponding to a block of the data file, modifying each of the sub-keys based on an identifier of a corresponding block to produce modified sub-keys, and combining the modified sub-keys.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 42. The method of claim 41, wherein the symmetric key encrypts clear data to generate cipher data according to a block cipher.
  - 43. The method of claim 42, wherein the block cipher comprises a Rijndael algorithm.
  - 44. The method of claim 42, wherein the block cipher comprises an algorithm selected from the group consisting of DES, triple-DES, Blowfish, and IDEA.
  - 45. The method of claim 41, wherein executing kernel code comprises:
    - entering a pass key and a data file name into a first encryption process to produce an encrypted data file name and an encrypted data file name key; and
      
      processing the clear data file together with the encrypted data file name key to generate an encrypted file contents key and an encrypted file contents.
  - 46. The method of claim 45, further comprising:
    - storing the encrypted data file name key and the encrypted file contents key in a first protected area of a computer storage; and
      
      storing the encrypted data file name and the encrypted file contents in a second protected area of the computer storage.
  - 47. The method of claim 41, wherein executing kernel code to encrypt the clear data file is performed when data is transferred between a computer memory and a secondary device.
  - 48. The method of claim 47, wherein the secondary device comprises a backing store.
  - 49. The method of claim 47, wherein the secondary device comprises a swap device.
  - 50. The method of claim 47, wherein the secondary device forms part of a network of devices.
  - 51. The method of claim 50, wherein the network comprises the Internet.
  - 52. The method of claim 41, wherein the directory comprises encrypted directory information including data file names and locations of data blocks.
  - 53. The method of claim 41, wherein the directory comprises encrypted directory information including data file names and corresponding i-node entries.

54. A computer system comprising:
- a. a processor;
  
  b. a physical memory containing an encrypted data file and a directory, wherein the directory comprises a record having a first element corresponding to an encrypted name of the data file and a second element corresponding to an encrypted location of the data file in the memory;
  
  c. a secondary device coupled to the physical memory; and
  
  d. an operating system comprising a kernel, the kernel comprising a virtual node integrated with drivers to directly decrypt the first and second elements to access the encrypted data file from memory when transferring the data file from the memory to the secondary device and to directly re-encrypt the first and second elements when transferring the data file from the secondary device to the memory, wherein the drivers decrypt and re-encrypt the first and second elements using one or more keys generated from identifiers of one or more of the data file, a root directory containing the data file, and a file system containing the root directory.
- View Dependent Claims (55, 56, 57, 58, 59, 60)
- - 55. The computer system of claim 54, wherein the kernel is to encrypt and decrypt data using a symmetric key encryption algorithm.
  - 56. The computer system of claim 55, wherein the symmetric key encryption algorithm is based on a block cipher.
  - 57. The computer system of claim 56, wherein the symmetric key encryption algorithm comprises Rijndael algorithm.
  - 58. The computer system of claim 57, wherein the kernel comprises a UNIX operating system.
  - 59. The computer system of claim 54, wherein the directory comprises data file names and locations of data blocks.
  - 60. The computer system of claim 54, wherein the directory comprises data file names and corresponding i-node entries.

61. A computer system containing an operating system, the computer system comprising:
- a kernel comprising a virtual node integrated with drivers to encrypt and decrypt data transferred between a memory and a secondary device, wherein the kernel comprises an encryption engine to encrypt clear data to generate cipher data, the encryption engine also to decrypt the cipher data to generate the clear data;
  
  a memory coupled to the encryption engine to store the cipher data, wherein the memory comprises a first logical protected memory to store encrypted file data and a second logical protected memory to store encrypted key data;
  
  an encryption key management system to control access to the encrypted file data and the encrypted key data, wherein the encryption key management system comprises a key engine to receive a pass key and the file name to generate an encrypted file name key, use the encrypted file name key and file contents to generate an encrypted file contents key, and encrypt the file contents with the encrypted file contents key to generate encrypted file contents.

62. A method of encrypting data, the method comprising:
- receiving clear data; and
  
  executing kernel code in an operating system, wherein the kernel code comprises a virtual node integrated with drivers to use a symmetric key to encrypt the clear data to generate cipher data and to use the symmetric key to decrypt the cipher data to generate the clear data, and further wherein executing the kernel code comprises entering a pass key and a file name into a first encryption process to produce an encrypted file name and an encrypted file name key and processing the clear data together with the encrypted file name key to generate an encrypted file contents key and encrypted file contents.

63. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel, wherein the kernel comprises a virtual node to decrypt an encrypted directory entry to determine a location of the encrypted data file and to decrypt the encrypted data file to access data contained therein, the virtual node to decrypt the data file using a first key generated from an identifier of the operating system, an identifier of a file system containing the data file, an identifier of a root directory containing the encrypted data file, an identifier of the data file, and a second key.

64. A computer system comprising:
- a memory portion containing an encrypted data file, a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data, and an operating system comprising a kernel, wherein the kernel comprises a virtual node (a) to directly decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to directly decrypt the encrypted data file to access data file contents contained therein; and
  
  an encryption key management system to control access to the encrypted data files and the encrypted key data, wherein the encryption key management system comprises a key engine, the key engine to receive a pass key and a data file name to generate an encrypted data file name key, the key engine also to use the encrypted data file name key and the data file contents to generate an encrypted data file contents key, the key engine also to encrypt the data file contents with the encrypted data file contents key to generate encrypted data file contents and to encrypt the data file name with the encrypted data file name key to generate an encrypted data file name.

65. A method of storing an encrypted data file in a computer file system having a directory, the method comprising:
- receiving a clear data file having a name; and
  
  executing kernel code in an operating system, the kernel code comprising a virtual node comprising drivers to directly encrypt the clear data file to generate an encrypted data file using a symmetric key, store the encrypted data file at a location in the computer file system, and store in the directory an entry containing an encryption of the name and an encryption of the location, wherein executing kernel code comprises;
  
  entering a pass key and a data file name into a first encryption process to produce an encrypted data file name and an encrypted data file name key; and
  
  processing the clear data file together with the encrypted data file name key to generate an encrypted file contents key and an encrypted file contents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exit-Cube Incorporated
Original Assignee
Exit-Cube Incorporated
Inventors
Carter, Ernst B., Zolotov, Vasily
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US10/648,630
Publication Number

US 20040091114A1
Time in Patent Office

2,598 Days
Field of Search

726/2, 713/164
US Class Current

726/2
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0625   with splitting of the data ...

Encrypting operating system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

65 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting operating system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

65 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links