SECURITY

US 20150074398A1
Filed: 03/27/2013
Published: 03/12/2015
Est. Priority Date: 03/30/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method of secure information sharing between a first domain and a plurality of destination domains, the method comprising:

processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent;

encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file;

providing the first domain with, for a first destination domain, a first egress data guard comprising a destination attribute associated with the first destination domain;

identifying that the encrypted file is desired to be communicated to the first destination domain;

attempting to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file; and

if it has been possible to decrypt the encrypted file, making a determination as to whether the file may be communicated to the first destination domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of secure information sharing between a first domain and a plurality of destination domains, the method comprising:

- a. Processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent,
- b. Encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file,
- c. providing the first domain with, for a first destination domain, a first egress data guard comprising a destination attribute associated with the first destination domain,
- d. identifying that the encrypted file is desired to be communicated to the first destination domain,
- e. attempting to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file,
- f. if it has been possible to decrypt the encrypted file at step e, making a determination as to whether the file may be communicated to the first destination domain.

26 Citations

View as Search Results

20 Claims

1. A method of secure information sharing between a first domain and a plurality of destination domains, the method comprising:
- processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent;
  
  encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file;
  
  providing the first domain with, for a first destination domain, a first egress data guard comprising a destination attribute associated with the first destination domain;
  
  identifying that the encrypted file is desired to be communicated to the first destination domain;
  
  attempting to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file; and
  
  if it has been possible to decrypt the encrypted file, making a determination as to whether the file may be communicated to the first destination domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 15)
- - 2. A method according to claim 1 wherein at least one of the plurality of destination domains is predetermined.
  - 3. A method according to claim 1 wherein each of the plurality of destination domains is predetermined.
  - 4. A method according to claim 2 further comprising providing, for each of the predetermined destination domains, at least one uniquely associated egress data guard.
  - 5. A method according to claim 1 further comprising providing, for each of the predetermined destination domains, a single uniquely associated egress data guard.
  - 6. The method according to claim 1 wherein if it is possible to decrypt the encrypted file, the file is permitted to be sent to the destination domain.
  - 7. The method according to claim 1 wherein if it is possible to decrypt the encrypted file, the decrypted file is scanned according to an egress policy.
  - 9. A method according to claim 1 further comprising:
    - providing, for a second destination domain, a second egress data guard at the first domain, the second egress domain comprising a destination attribute associated with the second destination domain;
      
      providing the second egress data guard withthe capability to analyse the attributes of a file according to an attribute scheme of the second destination domain, andan encryption key derived for the second destination domain;
      
      re-encrypting the file using the encryption key applied to the attributes of the second destination domain;
      
      providing an ingress data guard at the second destination domain for determining whether the encrypted file that is desired to be communicated may be received from the first domain into the second destination domain;
      
      providing the ingress data guard with a decryption key derived from an attribute of the second destination domain;
      
      wherein users in the second destination domain issued with a decryption key for the second destination domain have the capability to decrypt some of the re-encrypted files that are desired to be communicated from the first domain and received into the further domain.
  - 10. A method according to claim 1 wherein each predetermined destination is an organisation or department within an organisation.
  - 11. A method according to claim 10 wherein the organisation operates an internal network.
  - 12. An apparatus arranged to carry out the method according to claim 1.
  - 15. The method according to claim 6 wherein the file is permitted to be sent to the destination domain unencrypted.

8. A method secure information sharing between a first domain and a plurality of destination domains, the method comprising:
- processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent;
  
  encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file;
  
  providing the first domain with, for a first destination domain, a first egress data guard comprising a destination attribute associated with the first destination domain;
  
  identifying that the encrypted file is desired to be communicated to the first destination domain;
  
  attempting to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file;
  
  if it has been possible to decrypt the encrypted file, making a determination as to whether the file may be communicated to the first destination domain;
  
  sending the encrypted file to the first destination domain;
  
  providing at least one ingress data guard at the first destination domain for determining whether the encrypted file may be received from the first domain into the first destination domain;
  
  communicating a destination decryption key from the first domain to the first destination domain, for selectively enabling the decryption of the file at the first destination domain.
- View Dependent Claims (16, 17)
- - 16. The method according to claim 8 wherein if it is possible to decrypt the encrypted file, the file is permitted to be sent to the destination domain as one of encrypted or unencrypted.
  - 17. The method according to claim 8 wherein if it is possible to decrypt the encrypted file, the decrypted file is scanned according to an egress policy.

13. One or more non-transient computer-readable mediums encoded with instructions that when executed cause one or more processors to carry out a process of secure information sharing between a first domain and a plurality of destination domains, the process comprising:
- processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent;
  
  encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file;
  
  providing the first domain with, for a first destination domain, a first egress data guard comprising a destination attribute associated with the first destination domain;
  
  identifying that the encrypted file is desired to be communicated to the first destination domain;
  
  attempting to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file;
  
  if it has been possible to decrypt the encrypted file, making a determination as to whether the file may be communicated to the first destination domain.

14. A system for secure information sharing between a first domain and a plurality of destination domains, the first domain comprising:
- an attribute identification module for processing a file at the first domain to establish a set of attributes of the file, the attributes of the file comprising a destination attribute for determining permitted domains to which the file may be sent;
  
  an encryption module for encrypting the file at the first domain using the attributes of the file, and thereby generating an encrypted file; and
  
  a first egress data guard for a first destination domain, comprising a destination attribute associated with the first destination domain;
  
  wherein, upon identifying that the encrypted file is desired to be communicated to the first destination domain, the system attempts to decrypt the encrypted file at the first egress data guard using a decryption key derived from the destination attribute of the first egress data guard, where decryption will be possible if the destination attribute of the data guard matches the destination attribute of the file, such that if it has been possible to decrypt the encrypted file at step, it is thereby determined whether the file may be communicated to the first destination domain.
- View Dependent Claims (18, 19, 20)
- - 18. The system according to claim 14 wherein if it is possible to decrypt the encrypted file, the file is permitted to be sent to the destination domain.
  - 19. The system according to claim 14 wherein if it is possible to decrypt the encrypted file, the file is permitted to be sent to the destination domain unencrypted.
  - 20. The system according to claim 14 wherein if it is possible to decrypt the encrypted file, the decrypted file is scanned according to an egress policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BAE Systems Plc
Original Assignee
BAE Systems Plc
Inventors
Cullen, Alan Manuel, Dearlove, Christopher Mark, Jenkinson, Graeme Craig

Application Number

US14/388,444
Publication Number

US 20150074398A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 67/06   specially adapted for file ...

H04L 9/088   Usage controlling of secret...

SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links