Secure file access using a file access server
First Claim
1. A secure file access system, comprising:
- a processor of a computing device;
- a file access module, executing on the processor of the computing device, configured to:
  - receive a request, from a computer program executing on the computing device, to access an encrypted file, the encrypted file including an encrypted first segment and an encrypted second segment, the encrypted first segment having a different decryption key than the encrypted second segment, the encrypted first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file;
  - send an access query indicating a requested designated action to be performed on the file and including the encrypted first segment and a user identifier to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server, after decryption of the encrypted first segment using a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data, the file access permission data indicating whether a user indicated by the user identifier may perform each designated action of a set of one or more designated actions, including the requested designated action, on the file;
  - receive an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling a second computing device to generate or access the second decryption key for decrypting the encrypted second segment;
  - if access to the encrypted second segment is authorized, receive a latest version of the file at the file access module if the access query did not request the latest version of the file by way of the access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the computing device; and
  - decrypt the encrypted second segment of the file or the latest version of the file using the second decryption key to enable the computer program to access the second segment of the file or the latest version of the file in accordance with the requested designated action.
Abstract
A secure file access system and method are disclosed which comprises a file access module executed on a processor of a computing device. The file access module receives a request to access an encrypted file from a computer program executed on the computing device and sends an access query including an encrypted first segment of the encrypted file and a user identifier to a file access server via a communication network. The access query enables the file access server, after decryption of the encrypted first segment using a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier and file access permission data. The file access module decrypts the encrypted second segment using a second decryption key obtained from the file access server to enable the computer program to access the second segment of the file.
38 Citations
15 Claims
- 1. A secure file access system, comprising: [independent claim; full text as given under First Claim above]
  Dependent claims: 2, 3, 4, 5, 6, 7, 8, 13
- 9. A method of controlling access to a file by a computing device, comprising:
  - generating a file including a first segment and a second segment, the first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file, the file access permission data indicating whether a user indicated by a user identifier may perform each designated action of a set of one or more designated actions on the file;
  - encrypting the file to obtain an encrypted first segment from the first segment and an encrypted second segment from the second segment, the encrypted first segment having a different decryption key than the encrypted second segment;
  - saving the encrypted file to a data storage device;
  - in response to a request to access the encrypted file, sending an access query indicating a requested designated action of the set of one or more designated actions to be performed on the file and including the encrypted first segment and a user identifier to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server to decrypt the encrypted first segment with a first decryption key and to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data of the first segment;
  - receiving an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling a second computing device to generate or access the second decryption key;
  - if access to the encrypted second segment is authorized, receiving a latest version of the file at the computing device if the access query did not request the latest version of the file by way of the file access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the computing device; and
  - decrypting the encrypted second segment of the file or the latest version of the file using the second decryption key to enable access to the second segment of the file or to the latest version of the file in accordance with the requested designated action.
  Dependent claims: 10, 11, 12, 14
- 15. A computing system, comprising:
  - a first computing device including a processor and a data storage device having a first instruction set stored thereon executable by the processor to:
    - generate a file including a first segment and a second segment, the first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file,
    - encrypt the file to obtain an encrypted first segment from the first segment and an encrypted second segment from the second segment, the encrypted first segment having a different decryption key than the encrypted second segment; and
  - a second computing device including another processor and another data storage device having a second instruction set stored thereon executable by the another processor to:
    - obtain the encrypted file,
    - in response to a request to access the encrypted file, send an access query indicating a requested designated action to be performed on the file and including the encrypted first segment of the encrypted file and a user identifier for a user of the second computing device to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server, after decryption of the encrypted first segment with a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data of the encrypted first segment, the file access permission data indicating whether a user indicated by the user identifier may perform each designated action of a set of one or more designated actions, including the requested designated action, on the file,
    - receive an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling the second computing device to access or generate the second decryption key,
    - if access to the encrypted second segment is authorized, receiving a latest version of the file at the second computing device if the access query did not request the latest version of the file by way of the file access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the second computing device; and
    - decrypt the encrypted second segment of the file or the latest version of the file using the second decryption key to enable access to the second segment of the file or the latest version of the file in accordance with the requested designated action.
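The three independent claims above (1, 9 and 15) and the abstract describe one exchange: an author splits a file into a metadata segment (permissions, save date, file identifier, content hash) encrypted under a key only the file access server holds, and a content segment encrypted under a per-file second key; a client forwards the metadata segment, its user identifier and the requested action to the server, which decrypts the metadata, checks the query's integrity against the hash, decides on the permission data, enforces versioning, and releases the second key only on success. The Python below is an added worked example of that flow, not code from the patent or its assignee. It assumes an HMAC-based encrypt-then-MAC stream cipher as a stand-in for a real AEAD, that the server returns the second key itself rather than material for deriving it, an in-memory dict as the remote data store, and constructed users, file identifier, dates and contents.

```python
import hashlib
import hmac
import json
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys from one segment key (toy construction, assumption).
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one segment as nonce || ciphertext || tag (stand-in for a real AEAD)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered segment raises instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("segment failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def create_file(header_key, content_key, file_id, perms, save_date, content):
    """Claim 9's generating/encrypting steps: metadata in segment 1, content in segment 2."""
    header = {"file_id": file_id, "perms": perms, "save_date": save_date,
              "hash": hashlib.sha256(content).hexdigest()}
    seg1 = seal(header_key, json.dumps(header, sort_keys=True).encode())
    seg2 = seal(content_key, content)
    return seg1, seg2, header

class FileAccessServer:
    """Holds the first decryption key, the per-file second keys and a versioned data store."""
    def __init__(self, header_key: bytes):
        self.header_key = header_key
        self.content_keys = {}   # file_id -> second decryption key
        self.versions = {}       # file_id -> [(save_date, hash, seg1, seg2), ...], newest last

    def publish(self, content_key, header, seg1, seg2):
        self.content_keys[header["file_id"]] = content_key
        self.versions.setdefault(header["file_id"], []).append(
            (header["save_date"], header["hash"], seg1, seg2))

    def handle_query(self, seg1: bytes, user_id: str, action: str) -> dict:
        try:
            hdr = json.loads(unseal(self.header_key, seg1))
        except ValueError:
            return {"authorized": False, "reason": "first segment failed integrity check"}
        known = self.versions.get(hdr["file_id"], [])
        # Integrity of the query: (save_date, hash) must name a version the store actually holds.
        if not any(v[0] == hdr["save_date"] and v[1] == hdr["hash"] for v in known):
            return {"authorized": False, "reason": "unknown file version"}
        if action not in hdr["perms"].get(user_id, []):
            return {"authorized": False, "reason": "action not permitted for user"}
        reply = {"authorized": True, "key": self.content_keys[hdr["file_id"]]}
        latest = known[-1]
        if (hdr["save_date"], hdr["hash"]) != (latest[0], latest[1]):
            reply["latest"] = (latest[2], latest[3])   # versioning control: serve the newest copy
        return reply

def client_access(server, seg1, seg2, user_id, action):
    """File access module: decrypt segment 2 only with a key the server actually granted."""
    reply = server.handle_query(seg1, user_id, action)
    if not reply["authorized"]:
        return None
    if "latest" in reply:
        seg1, seg2 = reply["latest"]
    return unseal(reply["key"], seg2)

def demo() -> dict:
    """Constructed scenario: two versions of one file, three users, one tampered header."""
    header_key, content_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server = FileAccessServer(header_key)
    perms = {"alice": ["read", "write"], "bob": ["read"]}
    s1a, s2a, h_a = create_file(header_key, content_key, "doc-1", perms, "2024-01-01", b"draft one")
    server.publish(content_key, h_a, s1a, s2a)
    s1b, s2b, h_b = create_file(header_key, content_key, "doc-1", perms, "2024-02-01", b"draft two")
    server.publish(content_key, h_b, s1b, s2b)
    tampered = s1a[:-1] + bytes([s1a[-1] ^ 0x01])   # flip one bit of the header's tag
    return {
        "alice_stale_read": client_access(server, s1a, s2a, "alice", "read"),
        "alice_latest_read": client_access(server, s1b, s2b, "alice", "read"),
        "bob_read": client_access(server, s1b, s2b, "bob", "read"),
        "bob_write": client_access(server, s1b, s2b, "bob", "write"),
        "mallory_read": client_access(server, s1b, s2b, "mallory", "read"),
        "tampered_header": client_access(server, tampered, s2a, "alice", "read"),
    }
```

Two points the code makes concrete: the client never holds the second key until the server has decided, so permission data inside the first segment cannot be edited client-side without breaking the tag the server verifies; and a stale copy (the `alice_stale_read` case, presenting the first version's header) is answered with the newest version rather than the requested one, which is the versioning control the claims describe.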
Specification