Systems and methods for a cryptographic file system layer

US 9,881,177 B2
Filed: 02/13/2014
Issued: 01/30/2018
Est. Priority Date: 02/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving using a programmed hardware processor an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;

in response to receiving the identification, beginning a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;

monitoring a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and

in response to detecting that the data access request is associated with the designated directory location, (1) pausing the process to modify the one or more data files in the designated directory location, (2) intercepting the data access request, wherein the intercepting is transparent to a user of the computer system, (3) retrieving a data file associated with the data access request, (4) modifying the data file by performing a cryptographic operation on the data file to obtain a modified data file, (5) generating a modified data access request including an identifier associated with the modified data file (6) sending the modified data access request to the file system layer or the application layer, and (7) in response to sending the modified data access request, resuming the process to modify the one or more data files in the designated directory location.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.

161 Citations

30 Claims

1. A method comprising:
- receiving using a programmed hardware processor an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;
  
  in response to receiving the identification, beginning a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;
  
  monitoring a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and
  
  in response to detecting that the data access request is associated with the designated directory location, (1) pausing the process to modify the one or more data files in the designated directory location, (2) intercepting the data access request, wherein the intercepting is transparent to a user of the computer system, (3) retrieving a data file associated with the data access request, (4) modifying the data file by performing a cryptographic operation on the data file to obtain a modified data file, (5) generating a modified data access request including an identifier associated with the modified data file (6) sending the modified data access request to the file system layer or the application layer, and (7) in response to sending the modified data access request, resuming the process to modify the one or more data files in the designated directory location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location, sending the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication.
  - 3. The method of claim 1, wherein performing the cryptographic operation comprises performing an encryption or decryption operation on the data file to generate the modified data file.
  - 4. The method of claim 1, wherein performing the cryptographic operation comprises substantially randomly distributing contents of the data file in the modified data file, wherein said distributing results in a reordering of at least two units of data in the data file.
  - 5. The method of claim 4, further comprising generating a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 6. The method of claim 1, wherein the storing, the monitoring, and the modifying are each transparent to the user of the application layer or the file system layer.
  - 7. The method of claim 1 further comprising designating a directory as a designated directory location automatically upon creation of the directory.
  - 8. The method of claim 1, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 9. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 10. The method of claim 1, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 11. The method of claim 1, further comprising generating compliance data indicative of a proportion of modified data files to the total target of data files to be modified.
  - 12. The method of claim 11, wherein the compliance data is indicative of the percentage of a number of data files modified relative to a total number of data files to be modified.
  - 13. The method of claim 11, wherein the compliance data is indicative of the percentage of a size of data files modified relative to a total size of data files to be modified.
  - 14. The method of claim 1, wherein the retrieving comprises retrieving one or more shares associated with the data file from a network storage location associated with the designated directory location.

15. A system comprising:
- a programmed hardware processor in communication with non-transient computer-readable memory, the programmed hardware processor configured to;
  
  receive an identification of a designated directory location, wherein the designated directory location is selected from a plurality of directory locations on a computer system, and wherein the identification indicates that the designated directory location is usable to secure one or more data files;
  
  in response to receiving the identification, begin a process to modify one or more data files in the designated directory location by performing an operation to secure the one or more data files;
  
  monitor a communication interface between an application layer and a file system layer of the computer system to detect a data access request associated with the designated directory location; and
  
  in response to detecting that the data access request is associated with the designated directory location, (1) pause the process to modify the one or more data files in the designated directory location (2) intercept the data access request, wherein the intercepting is transparent to a user of the computer system, (3) retrieve a data file associated with the data access request, (4) modify the data file by performing a cryptographic operation on the data file to obtain a modified data file, (5) generate a modified data access request including an identifier associated with the modified data file, (6) send the modified data access request to the file system layer or the application layer, and (7) in response to sending the modified data access request, resume the process to modify the one or more data files in the designated directory location.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 16. The system of claim 15, wherein the programmed hardware processor comprises one or more hardware processors in a cloud computing environment.
  - 17. The system of claim 15, wherein the non-transient computer-readable memory comprises one or more storage locations in a cloud computing environment.
  - 18. The system of claim 15, wherein the programmed hardware processor is further configured to:
    - send the communication to the application layer or the file system layer without modifying a directory location or data file associated with the communication in response to detecting that a communication between the file system and the application layer is not associated with the designated directory location.
  - 19. The system of claim 15, wherein performing the cryptographic operation comprises performing an encryption or decryption operation on the data file to generate the modified data file.
  - 20. The system of claim 15, wherein performing the cryptographic operation comprises substantially randomly distributing contents of the data file in the modified data file, wherein said distributing results in a reordering of at least two units of data in the data file.
  - 21. The system of claim 20, wherein the programmed hardware processor is further configured to generate a plurality of secondary blocks from the modified data file and storing each of the secondary data blocks in a respective share location.
  - 22. The system of claim 15, wherein the programmed hardware processor is configured to perform the storing, the monitoring, and the modifying transparently to the user of the application layer or the file system layer.
  - 23. The system of claim 15, wherein the programmed hardware processor is further configured to designate a directory as a designated directory location automatically upon creation of the directory.
  - 24. The system of claim 15, wherein the designated directory location comprises a virtual directory of designated files in one or more physical directory locations.
  - 25. The system of claim 15, wherein the designated directory location comprises a virtual directory of files having a designated type.
  - 26. The system of claim 15, wherein the designated directory location comprises a virtual directory of files having a specified content attribute.
  - 27. The system of claim 15, wherein the programmed hardware processor is further configured to generate compliance data indicative of a proportion of modified data files to the total target of data files to be modified.
  - 28. The system of claim 27, wherein the compliance data is indicative of the percentage of a number of data files modified relative to a total number of data files to be modified.
  - 29. The system of claim 27, wherein the compliance data is indicative of the percentage of a size of data files modified relative to a total size of data files to be modified.
  - 30. The system of claim 15, wherein the programmed hardware processor is further configured to retrieve one or more shares associated with the data file from a network storage location associated with the designated directory location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Davenport, Roger S.
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/180,151
Publication Number

US 20140229731A1
Time in Patent Office

1,447 Days
Field of Search

713165
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

H04L 9/065   Encryption by serially and ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

Systems and methods for a cryptographic file system layer

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for a cryptographic file system layer

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links