Methods and apparatuses for securing tethered data

US 9,697,372 B2
Filed: 03/19/2013
Issued: 07/04/2017
Est. Priority Date: 03/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed by a first computing device for securing a file created on the first computing device, the method comprising:

adding a communication portion as executable code to the file, the communication portion communicating with an authentication agent on the first computing device to retrieve identification information of machines remote to the first computing device in a trusted network, the trusted network including the first computing device;

encrypting data of the file using a first key received through the communication portion from the authentication agent, the first key being generated based on data from a first machine of the machines;

adding a metadata field to the file to indicate a key location of the first key including identification information of the machines, the metadata field including a plurality of hashed values indicating respective locations of the machines including the first machine;

saving the file to a remote file storage location;

setting a metadata indicator within the file to a value, the value indicating whether permissions exist to save the file locally to the first computing device; and

if the value indicates that permissions exist;

receiving a second key through the communication portion from the authentication agent, the second key being generated based on identification information of the first computing device;

encrypting data of a second version of the file using the received second key; and

saving the encrypted second version of the file to a local memory of the first computing device; and

if the value indicates that permissions do not exist, deleting the file from the first computing device in response to closing the file in an editor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of a method and apparatus for securing and accessing files are generally described herein. In some embodiments, the method includes adding a communication portion to the file. The communication portion may communicate with an authentication agent on the first computing device. The method may include encrypting data of the file using a first key received through the communication portion from the authentication agent. The first key may be generated based on identification information of a second computing device in a trusted network of computing devices with the first computing device. The method may include saving the file to a remote file storage location.

50 Citations

View as Search Results

16 Claims

1. A method performed by a first computing device for securing a file created on the first computing device, the method comprising:
- adding a communication portion as executable code to the file, the communication portion communicating with an authentication agent on the first computing device to retrieve identification information of machines remote to the first computing device in a trusted network, the trusted network including the first computing device;
  
  encrypting data of the file using a first key received through the communication portion from the authentication agent, the first key being generated based on data from a first machine of the machines;
  
  adding a metadata field to the file to indicate a key location of the first key including identification information of the machines, the metadata field including a plurality of hashed values indicating respective locations of the machines including the first machine;
  
  saving the file to a remote file storage location;
  
  setting a metadata indicator within the file to a value, the value indicating whether permissions exist to save the file locally to the first computing device; and
  
  if the value indicates that permissions exist;
  
  receiving a second key through the communication portion from the authentication agent, the second key being generated based on identification information of the first computing device;
  
  encrypting data of a second version of the file using the received second key; and
  
  saving the encrypted second version of the file to a local memory of the first computing device; and
  
  if the value indicates that permissions do not exist, deleting the file from the first computing device in response to closing the file in an editor.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the identification information of the first machine includes a media access control (MAC) address of the first machine.
  - 3. The method of claim 1, further comprising:
    - destroying the file upon a failure of the communication portion to communicate with the authentication agent.
  - 4. The method of claim 3, wherein the destroying comprises:
    - encrypting the file a plurality of times using a random key.

5. A method performed by a first computing device for opening a secured file on the first computing device, the method comprising:
- retrieving the secured file from a file storage remote to the first computing device, the secured file including a communication portion that was added as a wrapper to the secured file by the first computing device and that includes executable code for communicating with an authentication agent on the first computing device to authenticate an environment on which the secured file is being opened, the environment including machines remote to the first computing device in a trusted network with the first computing device, an encrypted data portion, and a metadata field;
  
  decrypting the data portion using a key received through the communication portion from the authentication agent, the key including key locations that correspond to identification information of a first machine of the machines, the key generated based on data from the first machine of the machines, the metadata field including a plurality of hashed values indicating respective locations of the machines including the first machine;
  
  opening the decrypted data portion for viewing or editing in an editing application or a viewing application;
  
  determining whether permissions for local file storage are enabled based on an inspection of a value of a metadata indicator within the secured file; and
  
  if the value indicates that permissions exist;
  
  receiving a second key through the communication portion from the authentication agent, the second key being generated based on identification information of the first computing device;
  
  encrypting data of a second version of the secured file using the received second key; and
  
  saving the encrypted second version of the secured file to a local memory of the first computing device; and
  
  if the value indicates that permissions do not exist,deleting the secured file from the first computing device in response to closing the file in an editor.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5, wherein:
    - the file storage is a remote file storage.
  - 7. The method of claim 6, further comprising:
    - authenticating access permissions of the at least one other computing device to the remote file storage.
  - 8. The method of claim 7, wherein the authenticating is performed through a lightweight directory access protocol (LDAP) mechanism or through an Active Directory mechanism.
  - 9. The method of claim 5, further comprising:
    - retrieving the secured file from a local memory, wherein the key for the decrypting is based on identification information of the first computing device.
  - 10. The method of claim 5, further comprising:
    - destroying the file upon a failure of the communication portion to communicate with the authentication agent.

11. A non-transitory computer-readable medium comprising instructions that, when executed on a machine, cause the machine to:
- receive, from a first computing device, a request for a first encryption key for encrypting a file, wherein the request is received over a connection to a communication portion of the file, the communication portion comprising a wrapper including computer-executable code to retrieve environment information of the machine, wherein the environment information includes identification information of a first network device of at least two other network devices in a trusted network of the first computing device;
  
  query the first network device of the network devices for data of the first network device, the first network device being a member of the trusted network including at least the first network device and the machine;
  
  create the first encryption key using the data of the first network device, the data being collected by an aggregation server;
  
  add a metadata field to the file to indicate a key location of the first encryption key including identification information of the network devices, the metadata field including a plurality of hashed values indicating respective locations of the network devices;
  
  write a secured file to a file storage, the file storage remote from the first computing device, the secured file including an encrypted data portion encrypted with the first encryption key, and the secured file further including a metadata portion to indicate key locations within the first encryption key that correspond to locations of the data collected by the aggregation server;
  
  set a metadata indicator within the file to a value, the value indicating whether permissions exist to save the file locally to the first computing device;
  
  receive, from the first computing device, a request for a second encryption key for encrypting a file, wherein the request is received over the connection to the communication portion of the file;
  
  if the value indicates that permissions exist;
  
  create a second encryption key using identification information data of the first computing device, the data being collected by an aggregation server;
  
  add a metadata field to a second version of the file to indicate a key location of the second encryption key including identification information of the first computing device;
  
  encrypt data of a second version of the file using the second encryption key; and
  
  write the encrypted second version of the file to a local memory of the first computing device; and
  
  if the value indicates that permissions do not exist,delete the file from the first computing device in response to the file being closed in an editor.
- View Dependent Claims (12, 13)
- - 12. The computer-readable medium of claim 11, wherein the data of the first network device includes a medium access control (MAC) address of the first network device.
  - 13. The computer-readable medium of claim 11, further comprising instructions that, when executed on the machine, cause the machine to:
    - receive a request for a decryption key for decrypting the file; and
      
      provide the first encryption key or the second encryption key in response to the request based on the value of the indicator.

14. An apparatus comprising:
- a communication interface;
  
  a computer processor, to communicate with a remote file storage over the communication interface, and generate a first encryption key based on identification information of a first machine of machines in a trusted network with the apparatus, the identification information being collected by an aggregation server; and
  
  one or more file editors executing on the processor to create a secured file, the secured file including a communication portion comprised of a wrapper including executable code for retrieving environment information, through an authentication agent, of the apparatus and for requesting the first encryption key from the authentication agent and a data portion including data encrypted with the first encryption key, and the secured file further including a metadata field to indicate a key location of the first encryption key, including a plurality of hashed values indicating respective locations of the machines; and
  
  wherein the one or more file editors is further configured to;
  
  save the secured file to remote file storage;
  
  set a metadata indicator within the secured file to a value, the value indicating whether permissions exist to save the secured file locally to the apparatus; and
  
  if the value indicates that permissions exist;
  
  request a second encryption key, via the communication interface, using identification information data of the apparatus;
  
  receive the second encryption key through the communication portion from the authentication agent;
  
  create a secured second version of the file using the second encryption key; and
  
  write the secured second version of the file to a local memory of the apparatus; and
  
  if the value indicates that permissions do not exist,delete the file from the apparatus in response to closing the file in the one or more file editors.
- View Dependent Claims (15, 16)
- - 15. The apparatus of claim 14, further comprising a memory for local file storage of the secured file.
  - 16. The apparatus of claim 14, further comprising:
    - a credentials agent to authenticate the apparatus to the remote file storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Neumann, Matthew D., Smith, Michael W.
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US13/846,974
Publication Number

US 20140289517A1
Time in Patent Office

1,568 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2149   Restricted operating enviro...

H04L 2463/041   using an encryption or decr...

H04L 63/0428   wherein the data content is...

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

Methods and apparatuses for securing tethered data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatuses for securing tethered data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links