Secure kerberized access of encrypted file system

US 8,495,366 B2
Filed: 04/18/2012
Issued: 07/23/2013
Est. Priority Date: 12/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request from a client at a file server for the client to mount a file system located at the file server;

determining, at the file server, that the requested file system is encrypted;

sending a message from the file server to the client that informs the client that the requested file system is encrypted;

receiving a session ticket from the client that includes a security protocol mounting selection;

decrypting an encrypted private key at the file server that corresponds to a user, the decrypting resulting in a private key;

decrypting the file system at the file server using the private key;

andsending the decrypted file system from the file server to the client over a secure channel corresponding to the security protocol mounting selection.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file server receives a request from a client to mount an encrypted file system. The file server informs the client that the requested file system is encrypted and, in turn, receives a session ticket from the client that includes a security protocol mounting selection. The file server decrypts the client'"'"'s user'"'"'s encrypted private key, and then decrypts the requested encrypted file system using the private key. In turn, the file server sends the decrypted file system to the client over a secure channel, which is based upon the security protocol mounting selection. In one embodiment, a key distribution center server receives a request from the client for the client'"'"'s user to access the encrypted file system at the file server. The key distribution center server retrieves an intermediate key; includes the intermediate key in a session ticket; and sends the session ticket to the client.

24 Citations

View as Search Results

9 Claims

1. A method comprising:
- receiving a request from a client at a file server for the client to mount a file system located at the file server;
  
  determining, at the file server, that the requested file system is encrypted;
  
  sending a message from the file server to the client that informs the client that the requested file system is encrypted;
  
  receiving a session ticket from the client that includes a security protocol mounting selection;
  
  decrypting an encrypted private key at the file server that corresponds to a user, the decrypting resulting in a private key;
  
  decrypting the file system at the file server using the private key;
  
  andsending the decrypted file system from the file server to the client over a secure channel corresponding to the security protocol mounting selection.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - wherein the file system is an advanced interactive executive encrypted file system;
      
      wherein the file server and the client communicate using a network file system format that allows the user to access files from the file server in a distributed manner; and
      
      wherein the security protocol mounting selection is a Kerberos protocol that allows the client and the file server to communicate securely over a computer network.
  - 3. The method of claim 1 wherein decrypting the encrypted private key further comprises:
    - determining whether the session ticket includes an intermediate key;
      
      in response to determining that the session ticket includes the intermediate key, extracting the intermediate key from the session ticket and decrypting the encrypted private key using the extracted intermediate key; and
      
      in response to determining that the session ticket fails to include the intermediate key, the method further comprising;
      
      sending a request from the file server to the client for an encrypted file system password;
      
      receiving the encrypted file system password from the client at the file server;
      
      generating the intermediate key from the encrypted file system password located at the file server; and
      
      decrypting the encrypted private key using the generated intermediate key.
  - 4. The method of claim 3 wherein the intermediate key is provided to the client by a key distribution center server, the key distribution center server being different than the file server and adapted to retrieve the intermediate key from a storage area managed by the file server.
  - 5. The method of claim 1 wherein the file server manages a plurality of session threads, each of the plurality of session threads corresponding to one of a plurality of users and associated with one of a plurality of private keys, the user included in the plurality of users and the private key included in the plurality of private keys.
  - 6. The method of claim 1 wherein the client automatically selects the security protocol mounting selection in response to receiving the message from the file server that the requested file system is encrypted.

7. A method comprising:
- receiving a request at a key distribution center server from a client, the requesting identifying a user and a file server;
  
  retrieving an intermediate key that corresponds to both the file server and the user, wherein the intermediate key is adapted to decrypt an encrypted private key utilized by the file server for decrypting encrypted file systems;
  
  including the intermediate key in a session ticket; and
  
  sending the session ticket to the client.
- View Dependent Claims (9)
- - 9. The method of claim 7 wherein the key distribution center server manages an intermediate key storage area that includes a plurality of intermediate keys, each of the plurality of intermediate keys corresponding to one of a plurality of users, the method further comprising:
    - selecting an intermediate key from the plurality of intermediate keys, wherein the selected intermediate key is associated with both the file server and the user; and
      
      including the intermediate key in the session ticket that is sent to the client.

8. The method of 7 further comprising:
- identifying, at the key distribution center server, an internet protocol address that corresponds to the file server;
  
  extracting a user name from the request that corresponds to the user; and
  
  locating the intermediate key in an intermediate storage area managed by the file server using the internet protocol address and the user name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Banerjee, Dwip N., Punadikar, Sachin Chandrakant, Patil, Sandeep Ramesh, Shankar, Ravi A.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/449,925
Publication Number

US 20120204028A1
Time in Patent Office

461 Days
Field of Search

713/165, 713/176, 713/179, 380/278, 380/279, 709/203, 726/7, 726/10
US Class Current

713/165
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

Secure kerberized access of encrypted file system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Secure kerberized access of encrypted file system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links