Encrypting operating system

US 9,098,712 B2
Filed: 02/25/2013
Issued: 08/04/2015
Est. Priority Date: 08/23/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel to use a unique hardware address to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for encrypting and decrypting data on a computer system is disclosed. In one embodiment, the system comprises an encrypting operating system (EOS), which is a modified UNIX operating system. The EOS is configured to use a symmetric encryption algorithm and an encryption key to encrypt data transferred from physical memory to secondary devices, such as disks, swap devices, network file systems, network buffers, pseudo file systems, or any other structures external to the physical memory and on which can data can be stored. The EOS further uses the symmetric encryption algorithm and the encryption key to decrypt data transferred from the secondary devices back to physical memory. In other embodiments, the EOS adds an extra layer of security by also encrypting the directory structure used to locate the encrypted data. In a further embodiment a user or process is authenticated and its credentials checked before a file can be accessed, using a key management facility that controls access to one or more keys for encrypting and decrypting data.

Citations

39 Claims

1. A computer system comprising a memory portion containing an encrypted data file and an operating system comprising a kernel to use a unique hardware address to verify a user to control access to the encrypted data file, wherein the kernel comprises a virtual node (a) to decrypt an encrypted directory entry to determine a location of the encrypted data file and (b) to decrypt the encrypted data file to access data file contents contained therein.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The computer system of claim 1, wherein the kernel comprises an encryption engine to encrypt clear data files to generate cipher data files, the encryption engine also to decrypt the cipher data files to generate the clear data files.
  - 3. The computer system of claim 2, wherein the memory portion is coupled to the encryption engine to store the cipher data files.
  - 4. The computer system of claim 3, wherein the memory portion comprises a first logical protected memory to store encrypted data files and a second logical protected memory to store encrypted key data.
  - 5. The computer system of claim 4, further comprising an encryption key management system, the encryption key management system to control access to the encrypted data files and the encrypted key data.
  - 6. The computer system of claim 5, wherein the encryption key management system is to store an encrypted data file name, wherein the data file name is associated with encrypted file contents.
  - 7. The computer system of claim 6, wherein the encryption key management system is also to grant access to a data file if a corresponding access permission of the data file is a predetermined value.
  - 8. The computer system of claim 6, wherein the encryption key management system is also to encrypt a pathname to the encrypted data file, and to decrypt the pathname to the encrypted data file when retrieving the encrypted data file contents.
  - 9. The computer system of claim 2, wherein the encryption engine is to encrypt the clear data files and decrypt the cipher data files according to a symmetric key encryption algorithm.
  - 10. The computer system of claim 9, wherein the symmetric key encryption algorithm is based on a block cipher.
  - 11. The computer system of claim 10, wherein the symmetric key encryption algorithm comprises Rijndael algorithm.
  - 12. The computer system of claim 11, wherein the symmetric key encryption algorithm uses a block size of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 13. The computer system of claim 11, wherein the symmetric key encryption algorithm uses a key length of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 bits.
  - 14. The computer system of claim 10, wherein the symmetric key encryption algorithm comprises a DES algorithm.
  - 15. The computer system of claim 10, wherein the symmetric key encryption algorithm comprises a Triple-DES algorithm.
  - 16. The computer system of claim 10, wherein the symmetric key encryption algorithm comprises an algorithm selected from the group consisting of IDEA, Blowfish, Twofish, and CAST-128.
  - 17. The computer system of claim 1, wherein the kernel comprises a UNIX operating system.
  - 18. The computer system of claim 17, wherein the UNIX operating system is a System V-Revision.
  - 19. The computer system of claim 1, further comprising a secondary device coupled to the memory, wherein the secondary device stores the encrypted data file and is accessed using a file abstraction.
  - 20. The computer system of claim 19, wherein the secondary device is a backing store.
  - 21. The computer system of claim 19, wherein the secondary device is a swap device.
  - 22. The computer system of claim 19, wherein the secondary device comprises an interface port comprising a socket connection.
  - 23. The computer system of claim 22, wherein the socket connection comprises a computer network.
  - 24. The computer system of claim 23, wherein the computer network comprises the Internet.

25. A computer system comprising:
- a. a first device having an operating system kernel to encrypt clear data using an encryption key to generate cipher data, and to decrypt the cipher data using the encryption key to generate the clear data;
  
  b. a key generator to generate one or more encryption keys usable for encrypting and decrypting data on the computer system, wherein at least one of the keys is generated by a method comprising dividing an initial key into sub-keys each corresponding to a different block of the clear data, modifying each of the sub-keys in a manner unique to its corresponding block to produce modified sub-keys, and combining the modified sub-keys; and
  
  c. a second device coupled to the first device to exchange cipher data with the first device.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The computer system of claim 25, wherein the operating system kernel is to encrypt the clear data and decrypt the cipher data using a symmetric algorithm.
  - 27. The computer system of claim 26, wherein the symmetric algorithm comprises a block cipher.
  - 28. The computer system of claim 27, wherein the block cipher comprises a Rijndael algorithm.
  - 29. The computer system of claim 28, wherein the encryption key comprises at least 1024 bits.
  - 30. The computer system of claim 25, wherein the second device comprises a backing store.
  - 31. The computer system of claim 25, wherein the second device comprises a swap device.
  - 32. The computer system of claim 25, wherein the second device forms part of a communications channel.
  - 33. The computer system of claim 32, wherein the communications channel comprises a network.
  - 34. The computer system of claim 33, wherein the network comprises the Internet.

35. A method comprising:
- decrypting a user data file in a kernel of an operating system in response to user read commands with a key that is usable only on a computer on which the user data file was encrypted.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The method of claim 35, wherein the key is generated from a first identifier of the computer unique across computer systems.
  - 37. The method of claim 36, wherein the first identifier is a medium access controller address.
  - 38. The method of claim 36, wherein the key is further generated from a second identifier unique to encrypted data on the computer.
  - 39. The method of claim 38, wherein the second identifier comprises an identifier of a file system containing the encrypted data, an identifier of a root directory containing the encrypted data, and an identifier of the encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exit-Cube Incorporated
Original Assignee
Exit-Cube Incorporated
Inventors
Carter, Ernst B., Zolotov, Vasily
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US13/776,266
Publication Number

US 20130290727A1
Time in Patent Office

890 Days
Field of Search

726/2, 713/164
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 2209/12   Details relating to cryptog...

H04L 2209/20   Manipulating the length of ...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/0625   with splitting of the data ...

Encrypting operating system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypting operating system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links