Protecting documents using policies and encryption
First Claim
1. A method comprising:
providing a system comprising unencrypted and encrypted document content, wherein an unencrypted document is encrypted to become an encrypted document, and the encrypted document is larger in size than the unencrypted document from which it is derived;
providing a policy server accessible to devices of the system, wherein the policy server comprises a plurality of policies and each policy manages access to documents of the system;
providing an encryption service driver executing on a computing device, wherein the policy server is separate from the computing device;
permitting access to an encrypted document by an application program on the computing device;
when an access to an encrypted document occurs, using the encryption service to intercept the access of the encrypted document, wherein the intercepting the access of the encrypted document occurs at a system level of the application program comprising;
allowing the access to the encrypted document by the application program to execute until a first system level operation executes;
identifying the first system level operation as executing due to the application program requesting access to the encrypted document; and
preventing the first system level operation from executing;
at the encryption service, identifying the application program attempting to access the encrypted document;
from the encryption service, sending identification information on the application program to a policy enforcer component, executing on the computing device;
using the policy enforcer, determining if the application program can be trusted to protect unencrypted content of the encrypted document based on a first policy of the plurality of policies stored at the policy server;
if the application program is determined to be trusted, controlling access to the unencrypted content based on the first policy comprising;
identifying a first application process identifier assigned by an operating system executing on the computing device for the application program, wherein the application program is attempting access to the encrypted document;
receiving a decryption key based on the first application process identifier at the encryption service;
using the encryption service to decrypt the encrypted document to produce unencrypted content;
providing the unencrypted content to the application program; and
allowing the first system level operation to execute; and
if the application program is determined not to be trusted, providing encrypted content of the encrypted document to the application program.
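As an added illustration (not the patent's own code or that of any product built on it), the following Python simulation walks through the claim-1 decision: the hook that fires when an application's open reaches the system level, identification of the caller by process id, the policy enforcer's trust check against the policy server, and release of either plaintext or the untouched ciphertext. The policy server, process table and key service are constructed stand-ins, and the SHA-256 keystream stands in for a real cipher.

```python
"""Simulation of the claim-1 access decision (constructed example, not patent code)."""
import hashlib
import json

# Constructed policy server: policy id -> application images trusted with plaintext.
POLICY_SERVER = {"finance-policy": {"trusted_apps": ["winword.exe", "acrord32.exe"]}}
# Constructed stand-in for the operating system's process table: pid -> image name.
PROCESS_TABLE = {4242: "winword.exe", 1337: "curl.exe"}
# Constructed key service: document id -> content key (assumed held by the encryption service).
KEY_SERVICE = {"doc-001": hashlib.sha256(b"constructed content key").digest()}

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher (use AES-GCM in practice): SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_document(doc_id: str, policy_id: str, plaintext: bytes) -> bytes:
    """Control-data header plus encrypted content; the result is larger than the plaintext."""
    header = json.dumps({"doc": doc_id, "policy": policy_id}).encode()
    return len(header).to_bytes(2, "big") + header + keystream_xor(KEY_SERVICE[doc_id], plaintext)

def parse_document(blob: bytes):
    """Split an encrypted document into its control-data header and ciphertext."""
    n = int.from_bytes(blob[:2], "big")
    return json.loads(blob[2:2 + n]), blob[2 + n:]

def policy_enforcer_trusts(app_name: str, policy_id: str) -> bool:
    """Policy enforcer: may this application be trusted with unencrypted content?"""
    return app_name in POLICY_SERVER.get(policy_id, {}).get("trusted_apps", [])

def intercept_open(pid: int, blob: bytes) -> bytes:
    """Encryption service hook: runs when the application's open reaches the system level."""
    header, ciphertext = parse_document(blob)
    app_name = PROCESS_TABLE.get(pid, "<unknown>")        # identify the requesting process
    if not policy_enforcer_trusts(app_name, header["policy"]):
        return blob                                       # untrusted: encrypted content only
    key = KEY_SERVICE[header["doc"]]                      # key released against the trusted pid
    return keystream_xor(key, ciphertext)                 # trusted: plaintext to the application
```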
Abstract
A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).
17 Citations
30 Claims
27. A method comprising:
providing a policy enforcer executing at a first device; providing a first application program executing at the first device; providing a shared key ring at the first device wherein the shared key ring is associated with the policy enforcer and comprises at most one domain key and a plurality of shared keys; providing a file at the first device wherein the file further comprises a document content portion and a control data portion; extracting a content key from the control data portion; encrypting the document content portion using the content key; extracting a first key identifier from the control data portion; requesting from the policy enforcer a domain key; encrypting the control data portion of the file with the domain key; at the first device, providing access to the file and its encrypted control data portion; intercepting at a second device a request to access the file at a second application program, wherein the intercepting the access of the encrypted document occurs at a system level of the application program comprising; allowing the access to the encrypted document by the application program to execute until a first system level operation executes; identifying the first system level operation as executing due to the application program requesting access to the encrypted document; and preventing the first system level operation from executing; determining at a policy enforcer executing at the second device whether the request to access the file at the second application program should be granted; if the request to access the file at a second application program is granted, preparing the document content portion comprising; decrypting the content key with the domain key; requesting from the policy enforcer a shared key from the key ring wherein the shared key is accessible by the second device; receiving the shared key; and encrypting the domain key with the shared key; and transmitting the document content portion encrypted by the content key to the second application program.