Integrated file level cryptographical access control

US 9,355,267 B2
Filed: 03/26/2010
Issued: 05/31/2016
Est. Priority Date: 03/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to secure files on a local computer, comprising:

a) installing a system for controlling access to secure files onto a local computer having a memory, a processor and one or more network connections, said system comprising;

an encryption database to store information relating to encrypted files and encryption algorithms;

a user interface communicatively linked to the encryption database;

an administrator interface communicatively linked to the encryption database independently of the user interface; and

a file system gateway residing on the local computer as a layer above and independent of any file system on the computer and communicatively linked only to the encryption database, said file system gateway comprising a minifilter module configured to intercept the application call;

b) intercepting an application call requesting access to file in a file system on the computer via the file system gateway comprising the system, said gateway performing the further actions of;

c) determining if the call is one or both of a read request or a write request via said minifilter module;

d) communicating to the file system gateway window service module the name and file path of the requested file through said minifilter module;

e) querying the encryption database via the window service module and said minifilter module;

f) retrieving encrypted file information from the encryption database through said minifilter module;

g) receiving from the window service module encryption data for the requested file through said minifilter module;

h) attaching the encryption data to an internal file object through said minifilter module;

i) sending the application request down to the file system, said file system acting upon the request and returning information retrieved from the requested file up to the file system gateway;

j) decrypting any secured information; and

k) returning the decrypted information to the calling application, wherein the actions of the file system gateway are transparent to the calling application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for an Integrated File Level Cryptographical Access Control (IFLCAC). The system comprises, on a local computer, an encryption database to store information relating to encrypted files and encryption algorithms, a user interface communicatively linked to the encryption database, an administrator interface communicatively linked to the encryption database independently of the user interface, and a file system gateway communicatively linked to the encryption database that resides above and operates independently of the file system and transparently to any calling application on the local computer. Also provided are methods of using the IFLCAC system and a computer program product comprising a memory tangibly storing computer executable instructions for the IFLCAC system and method and one or more computer readable media tangibly storing computer executable instructions for the IFLCAC system and method.

3 Citations

22 Claims

1. A method for controlling access to secure files on a local computer, comprising:
- a) installing a system for controlling access to secure files onto a local computer having a memory, a processor and one or more network connections, said system comprising;
  
  an encryption database to store information relating to encrypted files and encryption algorithms;
  
  a user interface communicatively linked to the encryption database;
  
  an administrator interface communicatively linked to the encryption database independently of the user interface; and
  
  a file system gateway residing on the local computer as a layer above and independent of any file system on the computer and communicatively linked only to the encryption database, said file system gateway comprising a minifilter module configured to intercept the application call;
  
  b) intercepting an application call requesting access to file in a file system on the computer via the file system gateway comprising the system, said gateway performing the further actions of;
  
  c) determining if the call is one or both of a read request or a write request via said minifilter module;
  
  d) communicating to the file system gateway window service module the name and file path of the requested file through said minifilter module;
  
  e) querying the encryption database via the window service module and said minifilter module;
  
  f) retrieving encrypted file information from the encryption database through said minifilter module;
  
  g) receiving from the window service module encryption data for the requested file through said minifilter module;
  
  h) attaching the encryption data to an internal file object through said minifilter module;
  
  i) sending the application request down to the file system, said file system acting upon the request and returning information retrieved from the requested file up to the file system gateway;
  
  j) decrypting any secured information; and
  
  k) returning the decrypted information to the calling application, wherein the actions of the file system gateway are transparent to the calling application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the call is a read request, the method further comprising:
    - calculating the amount of data to be read to decrypt the requested file.
  - 3. The method of claim 1, wherein the call is a write request, the method further comprising:
    - calculating the encrypted data length and offset;
      
      communicating the write data, calculated encrypted length and offset to the window service module for encryption; and
      
      receiving from the window service module the processed encrypted write file data.
  - 4. The method of claim 1, wherein via the administrator interface, the method further comprises one or more steps performed by an administrator of:
    - adding new encryption algorithms to a dynamic link library;
      
      configuring group access files;
      
      creating a list of all encrypted files in the system;
      
      updating a list of available encryption algorithms and message digests;
      
      manually encrypting or decrypting selected files,locking files against modification,flagging folders for encryption,associating an encrypted file with its encryption algorithm; and
      
      identifying users with access to the files.
  - 5. The method of claim 1, wherein via the user interface, the method further comprises one or more steps performed by a logged-in user of:
    - displaying a list of secured files, including paths to encrypted files, file modifiers and the encryption algorithm used for each file;
      
      changing a password; and
      
      obtaining authentication to access a secure file.
  - 6. The method of claim 5, further comprising, the steps of:
    - selecting a new file to be secured;
      
      selecting an encryption algorithm;
      
      entering an authentication for the file;
      
      encrypting the selected file with the encryption algorithm; and
      
      adding the secured file to a list of secured files for the user.
  - 7. A computer program product tangibly stored on a non-transitory computer-readable media, said computer program product comprising computer readable instructions which, when executed on one or more computer processors, perform the method of claim 1.
  - 8. The method claim 1, said system further comprising:
    - one or more applications storable on one or more computer-readable storage media and executable by the processor; and
      
      a file system to store files in and to retrieve files from a data storage device in the computer.
  - 9. The method of claim 8, wherein the interactions of the file system gateway within the system are transparent to a user of the system.
  - 10. The method of claim 8, wherein said minifilter module is communicatively linked to a windows service module.
  - 11. The system of claim 10, wherein the windows service module is configured to provide encryption services and encrypted file information to the minifilter module.
  - 12. The method of claim 1, wherein the information in the encryption database is stored in at least an encrypted file table and an algorithm table.
  - 13. The method of claim 12, wherein the information is stored further in one or both of a user table or an exception field table.
  - 14. The method of claim 1, wherein the administrator interface further comprises an interface for the system configuration and an encrypted file viewer.
  - 15. The method of claim 1, wherein the user interface comprises a program to enable a display of one or more of a list of secured files, a list of paths to encrypted files and the files modifiers, or a list of encryption algorithms used to encrypt the files for a logged in user.

16. One or more non-transitory computer readable media having tangibly stored thereon a plurality of instructions that, when executed by one or more processors, causes the one or more processors to perform actions to:
- a) intercept an application call to request access to a file in a file system on a local computer via a file system gateway that resides on the local computer as a layer above and independent of any file system on the computer, said file system gateway communicatively linked only to an encryption database comprising the file system;
  
  b) query the encryption database via the file system gateway to determine if the file is secured;
  
  c) receive the file security information from the encryption database;
  
  d) send the application request down to the file system;
  
  e) decrypt any secured file information returned from the file system after acting upon the request;
  
  f) return the decrypted information to the calling application, wherein the processor performs the actions transparently to the calling application; and
  
  g) enable an interface for an administrator to;
  
  i) add new encryption algorithms to a dynamic link library;
  
  ii) configure group access files;
  
  iii) create a list of all encrypted files in the system;
  
  iv) update a list of available encryption algorithms and message digests;
  
  v) manually encrypt or decrypt selected files;
  
  vi) lock files against modification;
  
  vii) flag folders for encryption;
  
  viii) associate an encrypted file with its encryption algorithm; and
  
  ix) identify users with access to the files.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The one or more non-transitory computer readable media of claim 16, wherein the computer executable instructions, when executed for steps a) to f), cause the processor(s) to:
    - determine if the call is one or both of a read request or a write request;
      
      communicate to the file system gateway window service module the name and file path of the requested file;
      
      query the encryption database via the window service module;
      
      retrieve encrypted file information from the encryption database;
      
      receive from the window service module encryption data for the requested file; and
      
      attach the encryption data to an internal file object.
  - 18. The one or more non-transitory computer readable media of claim 17, wherein the call is a read request, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - calculate the amount of data to be read to decrypt the requested file.
  - 19. The one or more non-transitory computer readable media of claim 17, wherein the call is a write request, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - calculate the encrypted data length and offset;
      
      communicate the write data, calculated encrypted length and offset to the window service module for encryption; and
      
      receive from the window service module the processed encrypted write file data.
  - 20. The one or more non-transitory computer readable media of claim 16, further comprising computer executable instructions that, when executed, cause the processor(s) to enable an interface for a logged-in user.
  - 21. The one or more non-transitory computer readable media of claim 20, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - display a list of secured files, including paths to encrypted files, file modifiers and the encryption algorithm used for each file;
      
      change a password; and
      
      obtain authentication to access a secure file.
  - 22. The one or more non-transitory computer readable media of claim 21, further comprising computer executable instructions that, when executed, cause the processor(s) to:
    - select a new file to be secured;
      
      select an encryption algorithm;
      
      enter an authentication for the file;
      
      encrypt the selected file with the encryption algorithm; and
      
      add the secured file to a list of secured files for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Houston System
Original Assignee
University of Houston System
Inventors
Seifert, Ryan
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US12/661,947
Publication Number

US 20100257372A1
Time in Patent Office

2,258 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

G06F 21/6218 to a system of files or obj...

Integrated file level cryptographical access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

3 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated file level cryptographical access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links