SYSTEMS AND METHODS FOR A CRYPTOGRAPHIC FILE SYSTEM LAYER

US 20140229731A1
Filed: 02/13/2014
Published: 08/14/2014
Est. Priority Date: 02/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving by processing circuitry an identification of a designated directory location, wherein the designated directory location is usable to store one or more data files;

storing on non-transient computer-readable memory in communication with the processing circuitry security data indicative of a respective secured status of each of the one or more data files;

monitoring a communication interface between an application layer and a file system layer to detect communications associated with the designated directory location;

detecting that a communication between the file system layer and the application layer is associated with the designated directory location; and

in response to the detecting, (1) modifying a data file associated with the communication to obtain a modified data file, (2) associating the communication with the modified data file to obtained a modified communication, (3) updating the secured status of the data file; and

(4) sending the modified communication to the file system layer or the application layer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.

57 Citations

View as Search Results

28 Claims

1. A method comprising:
- receiving by processing circuitry an identification of a designated directory location, wherein the designated directory location is usable to store one or more data files;
  
  storing on non-transient computer-readable memory in communication with the processing circuitry security data indicative of a respective secured status of each of the one or more data files;
  
  monitoring a communication interface between an application layer and a file system layer to detect communications associated with the designated directory location;
  
  detecting that a communication between the file system layer and the application layer is associated with the designated directory location; and
  
  in response to the detecting, (1) modifying a data file associated with the communication to obtain a modified data file, (2) associating the communication with the modified data file to obtained a modified communication, (3) updating the secured status of the data file; and
  
  (4) sending the modified communication to the file system layer or the application layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location, sending the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication.
  - 3. The method of claim 1, wherein modifying the data file comprises performing an encryption or decryption operation on the data file to generate the modified data file.
  - 4. The method of claim 1, wherein modifying the data file comprises generating the modified data file by performing a cryptographic operation on contents of the data file and substantially randomly distributing the content of the data file in the modified data file, wherein said distributing results in a reordering of at least two units of data in the data file.
  - 5. The method of claim 4, further comprising generating a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 6. The method of claim 1, wherein the storing, the monitoring, and the modifying are each transparent to a user of the application layer or the file system layer.
  - 7. The method of claim 1 further comprising designating a directory as a designated directory location automatically upon creation of the directory.
  - 8. The method of claim 1, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 9. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 10. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 11. The method of claim 1, further comprising generating compliance data indicative of a proportion of modified data files to the total target of data files to be modified.
  - 12. The method of claim 11, wherein the compliance data is indicative of the percentage of a number of data files modified relative to a total number of data files to be modified.
  - 13. The method of claim 11, wherein the compliance data is indicative of the percentage of a size of data files modified relative to a total size of data files to be modified.

14. A system comprising:
- processing circuitry in communication with non-transient computer-readable memory, the processing circuitry configured to;
  
  receive an identification of a designated directory location, wherein the designated directory location is usable to store one or more data files;
  
  store on the non-transient computer-readable memory security data indicative of a respective secured status of each of the one or more data files;
  
  monitor a communication interface between an application layer and a file system layer to detect communications associated with the designated directory location;
  
  detect that a communication between the file system layer and the application layer is associated with the designated directory location; and
  
  in response to the detecting, (1) modify a data file associated with the communication to obtain a modified data file, (2) associate the communication with the modified data file to obtained a modified communication, (3) update the secured status of the data file; and
  
  (4) send the modified communication to the file system layer or the application layer.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 15. The system of claim 14, wherein the processing circuitry comprises one or more hardware processors in a cloud computing environment.
  - 16. The system of claim 14, wherein the non-transient computer-readable memory comprises one or more storage locations in a cloud computing environment.
  - 17. The system of claim 14, wherein the processing circuitry is further configured to:
    - send the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location.
  - 18. The system of claim 14, wherein the processing circuitry is configured to modify the data file by performing an encryption or decryption operation on the data file to generate the modified data file.
  - 19. The system of claim 14, wherein the processing circuitry is further configured to generate the modified data file by performing a cryptographic operation on contents of the data file and substantially randomly distributing the content of the data file in the modified data file, wherein said distributing results in a reordering of at least two units of data in the data file.
  - 20. The system of claim 19, wherein the processing circuitry is further configured to generate a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 21. The system of claim 14, wherein processing circuitry is configured to perform the storing, the monitoring, and the modifying transparently to a user of the application layer or the file system layer.
  - 22. The system of claim 14, wherein the processing circuitry is further configured to designate a directory as a designated directory location automatically upon creation of the directory.
  - 23. The system of claim 14, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 24. The system of claim 14, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 25. The system of claim 14, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 26. The system of claim 14, wherein the processing circuitry is further configured to generate compliance data indicative of a proportion of modified data files to the total target of data files to be modified.
  - 27. The system of claim 26, wherein the compliance data is indicative of the percentage of a number of data files modified relative to a total number of data files to be modified.
  - 28. The system of claim 26, wherein the compliance data is indicative of the percentage of a size of data files modified relative to a total size of data files to be modified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Davenport, Roger S.

Granted Patent

US 9,881,177 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

H04L 9/065   Encryption by serially and ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

SYSTEMS AND METHODS FOR A CRYPTOGRAPHIC FILE SYSTEM LAYER

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR A CRYPTOGRAPHIC FILE SYSTEM LAYER

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links