Secure file access using a file access server

US 8,621,036 B1
Filed: 11/17/2010
Issued: 12/31/2013
Est. Priority Date: 11/17/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A secure file access system, comprising:

a processor of a computing device;

a file access module, executing on the processor of the computing device, configured to;

receive a request, from a computer program executing on the computing device, to access an encrypted file, the encrypted file including an encrypted first segment and an encrypted second segment, the encrypted first segment having a different decryption key than the encrypted second segment, the encrypted first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file;

send an access query indicating a requested designated action to be performed on the file and including the encrypted first segment and a user identifier to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server, after decryption of the encrypted first segment using a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data, the file access permission data indicating whether a user indicated by the user identifier may perform each designated action of a set of one or more designated actions, including the requested designated action, on the file;

receive an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling a second computing device to generate or access the second decryption key for decrypting the encrypted second segment;

if access to the encrypted second segment is authorized, receive a latest version of the file at the file access module if the access query did not request the latest version of the file by way of the access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the computing device; and

decrypt the encrypted second segment of the file or the latest version of the file using the second decryption key to enable the computer program to access the second segment of the file or the latest version of the file in accordance with the requested designated action.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure file access system and method are disclosed which comprises a file access module executed on a processor of a computing device. The file access module receives a request to access an encrypted file from a computer program executed on the computing device and sends an access query including an encrypted first segment of the encrypted file and a user identifier to a file access server via a communication network. The access query enables the file access server, after decryption of the encrypted first segment using a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier and file access permission data. The file access module decrypts the encrypted second segment using a second decryption key obtained from the file access server to enable the computer program to access the second segment of the file.

38 Citations

View as Search Results

15 Claims

1. A secure file access system, comprising:
- a processor of a computing device;
  
  a file access module, executing on the processor of the computing device, configured to;
  
  receive a request, from a computer program executing on the computing device, to access an encrypted file, the encrypted file including an encrypted first segment and an encrypted second segment, the encrypted first segment having a different decryption key than the encrypted second segment, the encrypted first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file;
  
  send an access query indicating a requested designated action to be performed on the file and including the encrypted first segment and a user identifier to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server, after decryption of the encrypted first segment using a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data, the file access permission data indicating whether a user indicated by the user identifier may perform each designated action of a set of one or more designated actions, including the requested designated action, on the file;
  
  receive an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling a second computing device to generate or access the second decryption key for decrypting the encrypted second segment;
  
  if access to the encrypted second segment is authorized, receive a latest version of the file at the file access module if the access query did not request the latest version of the file by way of the access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the computing device; and
  
  decrypt the encrypted second segment of the file or the latest version of the file using the second decryption key to enable the computer program to access the second segment of the file or the latest version of the file in accordance with the requested designated action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 13)
- - 2. The system of claim 1, wherein the set of one or more designated actions includes one or more of an open action, a save action, a save as action, a copy action, a print action.
  - 3. The system of claim 1, wherein the second decryption key for decrypting the encrypted second segment is generated at the computing device based, at least in part, on the key information.
  - 4. The system of claim 1, wherein the second decryption key for decrypting the encrypted second segment is generated at the file access server.
  - 5. The system of claim 1, wherein the second decryption key for decrypting the encrypted second segment is unique to the user identifier and/or to the file.
  - 6. The system of claim 1, wherein the file is stored on a local data store at the computing device and/or on a remote data store at the file access server.
  - 7. The system of claim 1, wherein the file access module is an application programming interface, a plug-in module for a computer program, an executable computer program, or a file system driver.
  - 8. The system of claim 1, wherein, prior to authorizing access to the file, the file access module is configured to:
    - generate the file including the first segment and the second segment;
      
      encrypt the first segment of the file with a first encryption key to obtain the encrypted first segment, the first encryption key being generated by the file access module locally at the computing device or being requested and received from the file access server;
      
      request and receive a second encryption key from the file access server;
      
      encrypt the second segment of the file with the second encryption key to obtain the encrypted second segment; and
      
      save the encrypted first segment and the encrypted second segment on a local data store and/or a remote data store.
  - 13. The method of claim 8, wherein the second decryption key for decrypting the encrypted second segment is unique to the user identifier and/or to the file.

9. A method of controlling access to a file by a computing device, comprising:
- generating a file including a first segment and a second segment, the first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file, the file access permission data indicating whether a user indicated by a user identifier may perform each designated action of a set of one or more designated actions on the file;
  
  encrypting the file to obtain an encrypted first segment from the first segment and an encrypted second segment from the second segment, the encrypted first segment having a different decryption key than the encrypted second segment;
  
  saving the encrypted file to a data storage device;
  
  in response to a request to access the encrypted file, sending an access query indicating a requested designated action of the set of one or more designated actions to be performed on the file and including the encrypted first segment and a user identifier to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server to decrypt the encrypted first segment with a first decryption key and to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data of the first segment;
  
  receiving an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling a second computing device to generate or access the second decryption key;
  
  if access to the encrypted second segment is authorized, receiving a latest version of the file at the computing device if the access query did not request the latest version of the file by way of the file access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save data and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the computing device; and
  
  decrypting the encrypted second segment of the file or the latest version of the file using the second decryption key to enable access to the second segment of the file or to the latest version of the file in accordance with the requested designated action.
- View Dependent Claims (10, 11, 12, 14)
- - 10. The method of claim 9, wherein the set of one or more designated actions includes one or more of an open action, a save action, a save as action, a copy action, a print action.
  - 11. The method of claim 9, wherein the second decryption key for decrypting the second encrypted segment is generated at the computing device based, at least in part, on the key information received from the file access server.
  - 12. The method of claim 9, wherein the second decryption key for decrypting the encrypted second segment is generated at the file access server.
  - 14. The method of claim 9, wherein the data storage device comprises the remote data store, and wherein saving the encrypted file to the data storage device comprises transmitting the encrypted file to the remote data store.

15. A computing system, comprising:
- a first computing device including a processor and a data storage device having a first instruction set stored thereon executable by the processor to;
  
  generate a file including a first segment and a second segment, the first segment including or indicating file access permission data, a save date for the file, a file identifier, and a hash of at least a portion of the file,encrypt the file to obtain an encrypted first segment from the first segment and an encrypted second segment from the second segment, the encrypted first segment having a different decryption key than the encrypted second segment; and
  
  a second computing device including another processor and another data storage device having a second instruction set stored thereon executable by the another processor to;
  
  obtain the encrypted file,in response to a request to access the encrypted file, send an access query indicating a requested designated action to be performed on the file and including the encrypted first segment of the encrypted file and a user identifier for a user of the second computing device to a file access server via a communication network, the hash for use by the file access server to determine integrity of the access query, and the access query enabling the file access server, after decryption of the encrypted first segment with a first decryption key, to authorize or deny access to the encrypted second segment based, at least in part, on the user identifier, the hash, the file identifier, and the file access permission data of the encrypted first segment, the file access permission data indicating whether a user indicated by the user identifier may perform each designated action of a set of one or more designated actions, including the requested designated action, on the file,receive an access reply from the file access server, the access reply indicating whether access to the encrypted second segment including the requested designated action is authorized and including key information for decrypting the encrypted second segment only if the file access server has authorized access, the key information including a second decryption key for decrypting the encrypted second segment or information enabling the second computing device to access or generate the second decryption key,if access to the encrypted second segment is authorized, receiving a latest version of the file at the second computing device if the access query did not request the latest version of the file by way of the file access server enforcing versioning control by checking a version of the file stored at a remote data store identified by the access query based on the save date and the hash and by checking the version against a latest version of the file stored at the remote data store to determine whether the access query requested the latest version of the file, and if the access query did not request the latest version of the file, then the file access server serving the latest version of the file to the second computing device; and
  
  decrypt the encrypted second segment of the file or the latest version of the file using the second decryption key to enable access to the second segment of the file or the latest version of the file in accordance with the requested designated action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
L'Heureux, Israel, Mark D. Alleman
Original Assignee
L'Heureux, Israel, Mark D. Alleman
Inventors
L'Heureux, Israel, Alleman, Mark D.
Primary Examiner(s)
Follansbee, John
Assistant Examiner(s)
Woolcock, Madhu

Application Number

US12/948,666
Time in Patent Office

1,140 Days
Field of Search

713/165, 709/217, 709/219, 709/226, 709/225, 726/27, 726/28, 726/30
US Class Current

709/217
CPC Class Codes

G06F 21/62 Protecting access to data v...

H04L 63/062 for key distribution, e.g. ...

Secure file access using a file access server

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Secure file access using a file access server

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others