Encrypting operating system

US 8,407,761 B2
Filed: 05/07/2010
Issued: 03/26/2013
Est. Priority Date: 08/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method of encrypting data, the method comprising:

a. receiving a clear data file; and

b. executing kernel code in an operating system, the kernel code using a symmetric key to encrypt the clear data file to generate an encrypted data file, the kernel code further using the symmetric key to decrypt the encrypted data file to generate the clear data file, wherein the symmetric key is generated by a generation method comprising dividing a key into sub-keys each corresponding to a different block of the data file, modifying each of the sub-keys in a manner unique to its corresponding block to produce modified sub-keys, and combining the modified sub-keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which can data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.

84 Citations

View as Search Results

19 Claims

1. A method of encrypting data, the method comprising:
- a. receiving a clear data file; and
  
  b. executing kernel code in an operating system, the kernel code using a symmetric key to encrypt the clear data file to generate an encrypted data file, the kernel code further using the symmetric key to decrypt the encrypted data file to generate the clear data file, wherein the symmetric key is generated by a generation method comprising dividing a key into sub-keys each corresponding to a different block of the data file, modifying each of the sub-keys in a manner unique to its corresponding block to produce modified sub-keys, and combining the modified sub-keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the symmetric key encrypts the clear data file to generate encrypted data file according to a block cipher.
  - 3. The method of claim 2, wherein the block cipher comprises Rijndael algorithm.
  - 4. The method of claim 2, wherein the block cipher comprises an algorithm selected from the group consisting of DES, triple-DES, Blowfish, and IDEA.
  - 5. The method of claim 1, wherein executing kernel code comprises:
    - entering a pass key and a data file name of the clear data file into a first encryption process to produce an encrypted data file name and an encrypted data file name key; and
      
      processing the clear data file with the encrypted data file name key to generate an encrypted file contents key and an encrypted file contents.
  - 6. The method of claim 5, further comprising:
    - storing the encrypted data file name key and the encrypted file contents key in a first protected area of a computer storage; and
      
      storing the encrypted data file name and the encrypted file contents in a second protected area of the computer storage.
  - 7. The method of claim 1, wherein executing kernel code to encrypt the clear data file is performed when data is transferred between a computer memory and a secondary device.
  - 8. The method of claim 7, wherein the secondary device comprises a backing store.
  - 9. The method of claim 7, wherein the secondary device comprises a swap device.
  - 10. The method of claim 7, wherein the secondary device forms part of a network of devices.
  - 11. The method of claim 7, wherein the network comprises the Internet.

12. A method of decrypting a data file on a computer system comprising:
- granting permission to access the data file by determining that the data file was encrypted on the computer system as an encrypted data file;
  
  determining a location of the encrypted data file on the computer system by decrypting an encrypted directory entry; and
  
  decrypting the encrypted data file.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein determining that the data file was encrypted on the computer system comprises using a unique system-identifier of the computer system.
  - 14. The method of claim 13, wherein the system-identifier is a medium access controller address for the computer system.
  - 15. The method of claim 12, wherein a first encryption key is used to decrypt the encrypted directory entry and a second encryption key is used to decrypt the encrypted data file.
  - 16. The method of claim 15, further comprising using a name of the data file to generate an encrypted version of the first encryption key.
  - 17. The method of claim 16, further comprising using the encrypted version of the first encryption key and the data file to generate an encrypted version of the second encryption key.
  - 18. The method of claim 12, wherein decrypting the encrypted directory entry and decrypting the encrypted data file are executed by a kernel of an operating system executing on the computer system.
  - 19. The method of claim 12, wherein decrypting the encrypted directory entry and decrypting the encrypted data file are performed by a vnode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exit-Cube Incorporated
Original Assignee
Exit-Cube Incorporated
Inventors
Carter, Ernst B., Zolotov, Vasily
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US12/776,337
Publication Number

US 20100217970A1
Time in Patent Office

1,054 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0625   with splitting of the data ...

Encrypting operating system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting operating system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links