Protecting documents using policies and encryption

US 9,064,131 B2
Filed: 07/28/2011
Issued: 06/23/2015
Est. Priority Date: 07/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a system comprising unencrypted and encrypted document content, wherein an unencrypted document is encrypted to become an encrypted document, and the encrypted document is larger in size than the unencrypted document from which it is derived;

providing a policy server accessible to devices of the system, wherein the policy server comprises a plurality of policies and each policy manages access to documents of the system;

providing an encryption service driver executing on a computing device, wherein the policy server is separate from the computing device;

permitting access to an encrypted document by an application program on the computing device;

when an access to an encrypted document occurs, using the encryption service to intercept the access of the encrypted document, wherein the intercepting the access of the encrypted document occurs at a system level of the application program comprising;

allowing the access to the encrypted document by the application program to execute until a first system level operation executes;

identifying the first system level operation as executing due to the application program requesting access to the encrypted document; and

preventing the first system level operation from executing;

at the encryption service, identifying the application program attempting to access the encrypted document;

from the encryption service, sending identification information on the application program to a policy enforcer component, executing on the computing device;

using the policy enforcer, determining if the application program can be trusted to protect unencrypted content of the encrypted document based on a first policy of the plurality of policies stored at the policy server;

if the application program is determined to be trusted, controlling access to the unencrypted content based on the first policy comprising;

identifying a first application process identifier assigned by an operating system executing on the computing device for the application program, wherein the application program is attempting access to the encrypted document;

receiving a decryption key based on the first application process identifier at the encryption service;

using the encryption service to decrypt the encrypted document to produce unencrypted content;

providing the unencrypted content to the application program; and

allowing the first system level operation to execute; and

if the application program is determined not to be trusted, providing encrypted content of the encrypted document to the application program.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).

17 Citations

View as Search Results

30 Claims

1. A method comprising:
- providing a system comprising unencrypted and encrypted document content, wherein an unencrypted document is encrypted to become an encrypted document, and the encrypted document is larger in size than the unencrypted document from which it is derived;
  
  providing a policy server accessible to devices of the system, wherein the policy server comprises a plurality of policies and each policy manages access to documents of the system;
  
  providing an encryption service driver executing on a computing device, wherein the policy server is separate from the computing device;
  
  permitting access to an encrypted document by an application program on the computing device;
  
  when an access to an encrypted document occurs, using the encryption service to intercept the access of the encrypted document, wherein the intercepting the access of the encrypted document occurs at a system level of the application program comprising;
  
  allowing the access to the encrypted document by the application program to execute until a first system level operation executes;
  
  identifying the first system level operation as executing due to the application program requesting access to the encrypted document; and
  
  preventing the first system level operation from executing;
  
  at the encryption service, identifying the application program attempting to access the encrypted document;
  
  from the encryption service, sending identification information on the application program to a policy enforcer component, executing on the computing device;
  
  using the policy enforcer, determining if the application program can be trusted to protect unencrypted content of the encrypted document based on a first policy of the plurality of policies stored at the policy server;
  
  if the application program is determined to be trusted, controlling access to the unencrypted content based on the first policy comprising;
  
  identifying a first application process identifier assigned by an operating system executing on the computing device for the application program, wherein the application program is attempting access to the encrypted document;
  
  receiving a decryption key based on the first application process identifier at the encryption service;
  
  using the encryption service to decrypt the encrypted document to produce unencrypted content;
  
  providing the unencrypted content to the application program; and
  
  allowing the first system level operation to execute; and
  
  if the application program is determined not to be trusted, providing encrypted content of the encrypted document to the application program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1 wherein the encryption service is a file system filter device driver.
  - 3. The method of claim 1 wherein the encryption service is a device driver.
  - 4. The method of claim 1 wherein accessing an encrypted document comprises at least one of opening the encrypted document or reading the content of the encrypted document.
  - 5. The method of claim 1 wherein the identifying the application program attempting the accessing an encrypted document operation comprises examining a process that invokes the accessing an encrypted document operation.
  - 6. The method of claim 1 wherein determining if the application program can be trusted to protect unencrypted content of the encrypted document comprises:
    - querying a policy enforcer to determine if the application program can be trusted to protect unencrypted content of the encrypted document.
  - 7. The method of claim 1 wherein if the application program is determined to be trusted, decrypting the encrypted document to produce unencrypted content comprises:
    - obtaining an encryption key from the policy enforcer to decrypt the encrypted document.
  - 8. The method of claim 1 comprising:
    - when the application is a back-up program, identifying the application program as being not trusted, whereby a back-up program does not need access to the unencrypted content of the document to perform its back-up function.
  - 9. The method of claim 1 wherein an application program that is determined to be trusted at a first time T1, and after an elapsed time T2 after T1, the application program will be determined not to be trusted, and T2 is a configurable parameter.
  - 10. The method of claim 1 wherein the encrypted document comprises a header comprising a key ring name and key ring number for a decryption key, and the decryption key is stored separate from the encrypted document.
  - 11. The method of claim 1 comprising:
    - when an access to an unencrypted document occurs, performing a bypass of the encryption service for the access of the unencrypted document; and
      
      controlling access to the unencrypted document according to a second policy of the plurality of policies stored at the policy server.
  - 12. The method of claim 1 wherein each policy of the plurality of policies comprises a conditional statement that is evaluated to determine whether to allow access to content of the system.
  - 13. The method of claim 12 wherein the conditional statement contains a policy abstraction and each policy abstraction has a corresponding definition statement stored separately from the policy.
  - 14. The method of claim 1 wherein the application program is capable of being identified by the first application process identifier for a first instance of the application program and a second application process identifier for a second instance of the application program.
  - 15. The method of claim 1 wherein the determining if the application program can be trusted to protect unencrypted content of the encrypted document comprises:
    - determining the first policy controls edit operations for content of the system; and
      
      determining that the application program controls edit operations for content accessed by the application program.
  - 16. The method of claim 15 wherein the edit operation comprises a copy operation.
  - 17. The method of claim 1 wherein the determining if the application program can be trusted to protect unencrypted content of the encrypted document comprises:
    - determining the first policy controls attaching content to an e-mail operation for content of the system; and
      
      determining that the application program controls attaching content to an e-mail operation for content accessed by the application program.
  - 18. The method of claim 1 wherein the determining if the application program can be trusted occurs before receiving the decryption key.
  - 19. The method of claim 1 further comprising:
    - if the application program is determined not to be trusted, transmitting a notification of the failed access attempt to an administrator.
  - 20. The method of claim 1 wherein the controlling access to unencrypted content of the encrypted document comprises evaluating a first policy of the plurality of policies to determine at least one of a current user or document being accessed.
  - 21. The method of claim 1 further comprising:
    - evaluating a first policy from the plurality of policies to determine whether the application program can be trusted to protect unencrypted content;
      
      if the application program can be trusted, determining from the first policy a first key identifier specifying a key needed to allow decryption of the encrypted document;
      
      selecting a first key from a key ring accessible by the policy enforcer component, wherein the key ring comprises a plurality of keys and the first key identifier identifies the first key of the key ring; and
      
      using the first key to decrypt the encrypted document.
  - 22. The method of claim 1 wherein the encryption service executes on the computing device as a kernel device driver of an operating system executing on the computing device.
  - 23. The method of claim 1 wherein the encryption service executes on the computing device on a user mode of the computing device.
  - 24. The method of claim 1 wherein the encrypted document is accessed remotely by the computing device from a document server.
  - 25. The method of claim 1 further comprising:
    - if the application program is trusted, disallowing another application program with a second application process identifier executing on the computing device from accessing the unencrypted content that has been allowed access to by the application program.
  - 26. The method of claim 1 wherein the system level operation executes separately from an application layer of the computing device.

27. A method comprising:
- providing a policy enforcer executing at a first device;
  
  providing a first application program executing at the first device;
  
  providing a shared key ring at the first device wherein the shared key ring is associated with the policy enforcer and comprises at most one domain key and a plurality of shared keys;
  
  providing a file at the first device wherein the file further comprises a document content portion and a control data portion;
  
  extracting a content key from the control data portion;
  
  encrypting the document content portion using the content key;
  
  extracting a first key identifier from the control data portion;
  
  requesting from the policy enforcer a domain key;
  
  encrypting the control data portion of the file with the domain key;
  
  at the first device, providing access to the file and its encrypted control data portion;
  
  intercepting at a second device a request to access the file at a second application program, wherein the intercepting the access of the encrypted document occurs at an system level of the application program comprising;
  
  allowing the access to the encrypted document by the application program to execute until a first system level operation executes;
  
  identifying the first system level operation as executing due to the application program requesting access to the encrypted document; and
  
  preventing the first system level operation from executing;
  
  determining at a policy enforcer executing at the second device whether the request to access the file at the second application program should be granted;
  
  if the request to access the file at a second application program is granted, preparing the document content portion comprising;
  
  decrypting the content key with the domain key;
  
  requesting from the policy enforcer a shared key from the key ring wherein the shared key is accessible by the second device;
  
  receiving the shared key; and
  
  encrypting the domain key with the shared key; and
  
  transmitting the document content portion encrypted by the content key to the second application program.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27 wherein the policy enforcer is a memory resident program executing on the first device, and the policy enforcer program is separate for the operating system.
  - 29. The method of claim 27 comprising:
    - on the first device, executing a encryption service, separate from the policy enforcer, and the encryption service receives the shared key from the policy enforcer.
  - 30. The method of claim 29 wherein the policy enforcer requests the from a server and receives the shared key over a network connection to the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng, Fung, Poon, Han, Andrew
Primary Examiner(s)
Lagor, Alexander

Application Number

US13/193,588
Publication Number

US 20120036370A1
Time in Patent Office

1,426 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

H04L 2209/60   Digital content management,...

H04L 51/08   Annexed information, e.g. a...

H04L 63/0428   wherein the data content is...

H04L 63/0457   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

Protecting documents using policies and encryption

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting documents using policies and encryption

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links