Integrated file level cryptographical access control
First Claim
1. A method for controlling access to secure files on a local computer, comprising:
- a) installing a system for controlling access to secure files onto a local computer having a memory, a processor and one or more network connections, said system comprising;
an encryption database to store information relating to encrypted files and encryption algorithms;
a user interface communicatively linked to the encryption database;
an administrator interface communicatively linked to the encryption database independently of the user interface; and
a file system gateway residing on the local computer as a layer above and independent of any file system on the computer and communicatively linked only to the encryption database, said file system gateway comprising a minifilter module configured to intercept the application call;
b) intercepting an application call requesting access to file in a file system on the computer via the file system gateway comprising the system, said gateway performing the further actions of;
c) determining if the call is one or both of a read request or a write request via said minifilter module;
d) communicating to the file system gateway window service module the name and file path of the requested file through said minifilter module;
e) querying the encryption database via the window service module and said minifilter module;
f) retrieving encrypted file information from the encryption database through said minifilter module;
g) receiving from the window service module encryption data for the requested file through said minifilter module;
h) attaching the encryption data to an internal file object through said minifilter module;
i) sending the application request down to the file system, said file system acting upon the request and returning information retrieved from the requested file up to the file system gateway;
j) decrypting any secured information; and
k) returning the decrypted information to the calling application, wherein the actions of the file system gateway are transparent to the calling application.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided herein are systems and methods for an Integrated File Level Cryptographical Access Control (IFLCAC). The system comprises, on a local computer, an encryption database to store information relating to encrypted files and encryption algorithms, a user interface communicatively linked to the encryption database, an administrator interface communicatively linked to the encryption database independently of the user interface, and a file system gateway communicatively linked to the encryption database that resides above and operates independently of the file system and transparently to any calling application on the local computer. Also provided are methods of using the IFLCAC system and a computer program product comprising a memory tangibly storing computer executable instructions for the IFLCAC system and method and one or more computer readable media tangibly storing computer executable instructions for the IFLCAC system and method.
3 Citations
22 Claims
-
1. A method for controlling access to secure files on a local computer, comprising:
-
a) installing a system for controlling access to secure files onto a local computer having a memory, a processor and one or more network connections, said system comprising; an encryption database to store information relating to encrypted files and encryption algorithms; a user interface communicatively linked to the encryption database; an administrator interface communicatively linked to the encryption database independently of the user interface; and a file system gateway residing on the local computer as a layer above and independent of any file system on the computer and communicatively linked only to the encryption database, said file system gateway comprising a minifilter module configured to intercept the application call; b) intercepting an application call requesting access to file in a file system on the computer via the file system gateway comprising the system, said gateway performing the further actions of; c) determining if the call is one or both of a read request or a write request via said minifilter module; d) communicating to the file system gateway window service module the name and file path of the requested file through said minifilter module; e) querying the encryption database via the window service module and said minifilter module; f) retrieving encrypted file information from the encryption database through said minifilter module; g) receiving from the window service module encryption data for the requested file through said minifilter module; h) attaching the encryption data to an internal file object through said minifilter module; i) sending the application request down to the file system, said file system acting upon the request and returning information retrieved from the requested file up to the file system gateway; j) decrypting any secured information; and k) returning the decrypted information to the calling application, wherein the actions of the file system gateway are transparent to the calling application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. One or more non-transitory computer readable media having tangibly stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to perform actions to:
-
a) intercept an application call to request access to a file in a file system on a local computer via a file system gateway that resides on the local computer as a layer above and independent of any file system on the computer, said file system gateway communicatively linked only to an encryption database comprising the file system; b) query the encryption database via the file system gateway to determine if the file is secured; c) receive the file security information from the encryption database; d) send the application request down to the file system; e) decrypt any secured file information returned from the file system after acting upon the request; f) return the decrypted information to the calling application, wherein the processor performs the actions transparently to the calling application; and g) enable an interface for an administrator to; i) add new encryption algorithms to a dynamic link library; ii) configure group access files; iii) create a list of all encrypted files in the system; iv) update a list of available encryption algorithms and message digests; v) manually encrypt or decrypt selected files; vi) lock files against modification; vii) flag folders for encryption; viii) associate an encrypted file with its encryption algorithm; and ix) identify users with access to the files. - View Dependent Claims (17, 18, 19, 20, 21, 22)
-
Specification