System and method for controlling access to decrypted data

US 8,788,815 B1
Filed: 01/31/2012
Issued: 07/22/2014
Est. Priority Date: 01/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method for accessing a protected file system, comprising:

receiving a passphrase and salt;

generating a decryption key using the passphrase and salt;

decrypting an access control list (ACL) using the decryption key to obtain one or more ACL process names and one or more ACL process file checksums;

storing an access table, the access table including the one or more ACL process names, one or more ACL process identifications, and the one or more ACL process file checksums;

receiving a request from a requesting process to access the file system, the request including a requesting process identification and a requesting process name;

checking the requesting process name for a corresponding ACL process name in the access table; and

(i) allowing the requesting process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification;

or(ii) allowing the requesting process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum and storing the requesting process identification that did not match in the access table.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for accessing a protected file system includes receiving a request from a process to access the file system, the request including a requesting process identification and a requesting process name; decrypting an ACL to obtain ACL process names, ACL process identifications, and ACL process file checksums; allowing the process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification; or allowing the process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum. In one embodiment, the ACL information can be stored in a key ring.

Citations

20 Claims

1. A method for accessing a protected file system, comprising:
- receiving a passphrase and salt;
  
  generating a decryption key using the passphrase and salt;
  
  decrypting an access control list (ACL) using the decryption key to obtain one or more ACL process names and one or more ACL process file checksums;
  
  storing an access table, the access table including the one or more ACL process names, one or more ACL process identifications, and the one or more ACL process file checksums;
  
  receiving a request from a requesting process to access the file system, the request including a requesting process identification and a requesting process name;
  
  checking the requesting process name for a corresponding ACL process name in the access table; and
  
  (i) allowing the requesting process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification;
  
  or(ii) allowing the requesting process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum and storing the requesting process identification that did not match in the access table.
- View Dependent Claims (2, 3, 4, 7, 8, 9, 10)
- - 2. The method in accordance with claim 1, further comprising adding a new process to the access control list wherein adding the new process to the access control list comprises:
    - reading the access control list;
      
      calculating a file checksum for the new process to be added to the access control list;
      
      adding a name of the new process and the file checksum to the access control list; and
      
      encrypting the access control list using an encryption key.
  - 3. The method in accordance with claim 1, further comprising loading access control list information from the decrypted access control list into a key ring, wherein the key ring is in a kernel layer.
  - 4. The method of claim 3, further comprising creating the access table as accessible in user space, the access table containing access control list information from the key ring in the kernel layer.
  - 7. The method in accordance with claim 1, wherein the access control list comprises permissions rules for processes.
  - 8. The method in accordance with claim 1, wherein receiving the passphrase and salt comprises receiving the passphrase from a user.
  - 9. The method in accordance with claim 1, wherein receiving the passphrase and salt comprises receiving the salt from a remote key server.
  - 10. The method in accordance with claim 4, wherein creating the access table comprises reading access control information from the key ring in the kernel layer and wherein storing the access table comprises storing the access table in memory.

5. A system, comprising:
- a network;
  
  a server coupled to the network, the server including an encrypted file system and an encrypted access control list, the server further comprising;
  
  a processor;
  
  a non-transitory computer readable medium storing a set of instructions executable by the processor to;
  
  receive a passphrase and a salt;
  
  generate a decryption key using the passphrase and salt;
  
  decrypt the encrypted access control list (ACL) using the decryption key to obtain one or more ACL process names and one or more ACL process file checksums;
  
  store an access table, the access table including the one or more ACL process names, one or more ACL process identifications, and the one or more ACL process file checksums;
  
  receive a request from a requesting process to access the file system, the request including a requesting process identification and a requesting process name;
  
  check the requesting process name for a corresponding ACL process name in the access table; and
  
  (i) allow the requesting process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification;
  
  or(ii) allow the requesting process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum and store the requesting process identification that did not match in the access table.
- View Dependent Claims (6, 11, 12, 13)
- - 6. The system in accordance with claim 5, wherein the server is configured to add a new process to the access control list by:
    - reading the access control list;
      
      calculating a file checksum for the new process responsive to the reading the access control list;
      
      adding a name of the new process and the file checksum for the new process to the access control list; and
      
      encrypting the access control list using an encryption key.
  - 11. The system in accordance with claim 5, wherein the access control list comprises permissions rules for processes.
  - 12. The system in accordance with claim 5, further comprising instructions executable to load access control list information from the decrypted access control list into a key ring in a kernel layer.
  - 13. The system in accordance with claim 12, wherein creating the access table comprises reading access control information from the key ring in the kernel layer and wherein storing the access table comprises storing the access table in memory.

14. A computer program product comprising a non-transitory computer readable medium storing a set of computer instructions, the set of computer instructions executable by a processor to perform a method comprising:
- accessing an encrypted access control list (ACL);
  
  receiving a passphrase and a salt;
  
  generating a decryption key using the passphrase and salt;
  
  decrypting the access control list (ACL) using the decryption key to obtain one or more ACL process names and one or more ACL process file checksums;
  
  storing an access table, the access table including the one or more ACL process names, one or more ACL process identifications, and the one or more ACL process file checksums;
  
  receiving a request from a process to access the encrypted file system, the request including a requesting process identification and a requesting process name;
  
  checking the requesting process name for a corresponding ACL process name in the access table; and
  
  (i) allowing the requesting process access to the file system if the requesting process name matches a corresponding ACL process name and the requesting process identification matches a corresponding ACL process identification;
  
  or(ii) allowing the requesting process access to the file system if the requesting process identification does not match a corresponding ACL process identification but a calculated process file checksum matches a corresponding ACL process file checksum and storing the requesting process identification that did not match in the access table.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product in accordance with claim 14, wherein the method further comprises loading access control list information from the decrypted access control list into a key ring, wherein the key ring is in a kernel layer.
  - 16. The computer program product in accordance with claim 15, wherein the method further comprises creating the access table as accessible in user space from information in the key ring.
  - 17. The computer program product in accordance with claim 16, wherein creating the access table comprises reading access control information from the key ring in the kernel layer and wherein storing the access table comprises storing the access table in memory.
  - 18. The computer program product in accordance with claim 14, wherein the method further comprises:
    - reading the access control list;
      
      calculating a file checksum for a new process responsive to the reading the access control list;
      
      adding a name of the new process and the file checksum for the new process to the access control list; and
      
      encrypting the access control list using an encryption key.
  - 19. The computer program product in accordance with claim 14, wherein the encrypted access control list comprises permissions rules for processes.
  - 20. The computer program product in accordance with claim 14, wherein receiving the passphrase and salt comprises receiving the salt from a key server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloudera Incorporated
Original Assignee
Gazzang Incorporated (Cloudera Incorporated)
Inventors
Garcia, Eduardo, Pena, Sergio A.
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
SARKER, SANCHIT K

Application Number

US13/362,961
Time in Patent Office

903 Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/0869 for achieving mutual authen...

System and method for controlling access to decrypted data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling access to decrypted data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links