US20150227758A1 - Method and System for Securing Documents on a Remote Shared Storage Resource - Google Patents

Method and System for Securing Documents on a Remote Shared Storage Resource Download PDF

Info

Publication number
US20150227758A1
US20150227758A1 US14/691,331 US201514691331A US2015227758A1 US 20150227758 A1 US20150227758 A1 US 20150227758A1 US 201514691331 A US201514691331 A US 201514691331A US 2015227758 A1 US2015227758 A1 US 2015227758A1
Authority
US
United States
Prior art keywords
key
user
folder
data
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/691,331
Inventor
Robin Glover
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WORKSHARE Ltd
Original Assignee
WORKSHARE Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US201161559227P priority Critical
Priority to US13/333,605 priority patent/US20120317239A1/en
Priority to US201261614380P priority
Priority to US13/436,577 priority patent/US9070112B2/en
Priority to US13/799,067 priority patent/US20130254536A1/en
Application filed by WORKSHARE Ltd filed Critical WORKSHARE Ltd
Priority to US14/691,331 priority patent/US20150227758A1/en
Publication of US20150227758A1 publication Critical patent/US20150227758A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F17/24
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00Handling natural language data
    • G06F40/10Text processing
    • G06F40/166Editing, e.g. inserting or deleting
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation, e.g. computer aided management of electronic mail or groupware; Time management, e.g. calendars, reminders, meetings or time accounting
    • G06Q10/101Collaborative creation of products or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0807Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/083Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111Location-sensitive, e.g. geographical location, GPS
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Abstract

This invention discloses a novel system and method for displaying electronic documents on remote devices and enabling collaborative editing in conjunction with a content management system where the documents that are shared are securely encrypted on the system in a manner that avoids a single point of failure in the security.

Description

    PRIORITY CLAIM
  • This application herein incorporates by reference in their entireties U.S. patent application Ser. No. 13/333,605 filed on Dec. 21, 2011, U.S. patent application Ser. No. 13/155,900 filed on Jun. 8, 2011, and U.S. Provisional Patent Application No. 61/559,227 filed on Nov. 14, 2011. This application claims priority as a continuation of U.S. patent application Ser. No. 13/436,577 filed on Mar. 30, 2012, which is herein incorporated by reference in its entirety. This application claims priority as a continuation of U.S. patent application Ser. No. 13/799,067 filed on Mar. 13, 2013, which is a non-provisional continuation of U.S. Provisional Patent Application No. 61/614,380 filed on Mar. 22, 2012, both of which are herein incorporated by reference in their entireties.
  • FIELD OF INVENTION
  • This invention provides a mechanism whereby a group of people operating individual computer devices can view and share and collaboratively edit an electronic document stored in a remote data repository. The users can operate the invention in order to secure the data that they store in the remote data repository. The invention can also be used to facilitate shared service by providing a mechanism to securely share secured content among users of the invention. The content is stored in encrypted form and only is in free-text when requested by authorized users.
  • BACKGROUND
  • Electronic documents, for example text documents, are now often stored in a remote data repository, sometimes referred to as an Entity Content Management system (ECM) or Document Management System. This type of system has one or more servers acting as storage locations for the document. The document is accessed by users operating their own computing devices. In order to facilitate collaborative editing of the remotely stored document, security protocols and data integrity protocols are instituted.
  • SUMMARY OF THE INVENTION
  • The invention involves a novel use of encryption key protocols to establish authority to remotely access document file directories on a central server. The invention involves assigning a master public/private key pair to each user of the system. In addition, documents as well as folders or directories have key pairs. By using verifiable chains of keys in order to grant a user access to a document, the system is resilient to data security attacks. Folders or directories that contain encrypted documents may be shared by virtue of sharing the keys associated with the folder or directory, that is, by means of the folder or directory key authority.
  • DESCRIPTION OF THE FIGURES
  • 1. System Diagram.
  • 2. Flowchart for encryption of file.
  • 3. Flowchart for decryption of file.
  • 4. Flowchart.
  • 5. Flowchart.
  • 6. Flowchart.
  • 7. Flowchart.
  • 8. Flowchart.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The method and system operates on one or more computers, typically using one or more servers and one or more remote user's computing devices. A customer's device can be a personal computer, mobile phone, mobile handheld device like a Blackberry′ or iPhone™ or a tablet device like the iPad™ or Galaxy™ or any other kind of computing device a user can use to view and edit an electronic document. The user devices are operatively connected to the remote server using a data network. The invention does not require that the data network be in continuous contact with the remote file server. The invention works in combination with document collaborative editing system (CES) The system can be embodied in a client/server architecture, whereby an executable code operates on the user's remote device and interacts with processes operating on the CES. In other embodiments, the same system can be running on the user's remote device by means of scripts or apps that are downloaded and executed within an Internet web-browser.
  • The user's remote computer is operatively connected to a data communication network, typically the Internet. This may be directly or indirectly through another network, for example a telephone network or a private data network. The user operates a client software on their computing device that communicates with the CES.
  • In one embodiment, the documents stored on the CES can be encrypted. In one embodiment, each document has its own symmetric key is assigned. When a user wishes to receive a document, a private key is generated that is used to encrypt the document already encrypted using the symmetric key. The private key is stored encrypted using user's data password and the clear version of the key is deleted. When the user is present on the CES, the CES system can do something with the document. When the user logs off, then the password is lost because it is not stored in the clear. The password only becomes accessible again when the user logs in with their password.
  • Online file and document storage and sharing services have a dilemma regarding how to deal with encryption of the uploaded content. The traditional approaches which involve encryption on the server do not encrypt uploaded content—the content is stored with no encryption on whatever basic storage medium is used by the service. Disadvantages of this approach include: (1) Vulnerability to illicit retrieval of content by staff or hackers, (2) all content is readable if the storage medium is stolen physically or subject to unauthorized duplication.
  • Coding errors in that if access controls are not correctly applied will mean that users may gain access to other users documents. Other traditional forms of security include encrypting all uploaded content using a single encryption key. While the storage medium is now secure if compromised, the single key becomes a point of risk. That is, the single encryption key must be known to each server on the system to allow it to encrypt and decrypt content. Hackers and/or staff may gain access to this key. In addition, this approach suffers the risk that once an unauthorized party has gained access to the single encryption key, all content becomes vulnerable in the same way as unencrypted content in approach.
  • Another traditional approach is to encrypt uploaded content using encryption keys that are generated (and different) on a per-user, per item or other basis. In this case, the generated keys must be stored in some fashion so that they are available to decrypt the content when it is downloaded. The server software must have functionality to access this storage and select the right key to decrypt a particular content item. Hackers who gain access to the system or steal a physical or virtual copy of one or more servers will be able to track this functionality and learn how to recover the appropriate key for a particular piece of content. Another drawback is that if the key storage is compromised as described above then the system is vulnerable to data theft in the same way as an unencrypted system. As a result, sharing items between users to allow collaboration becomes troublesome under some key schemes (such as one encryption key per user). Additionally, the user of any of the above services may choose to encrypt or password protect sensitive data before uploading. This would generally ensure that the data is secure while stored online (provided the encryption or password protection is not flawed), but has the following drawbacks: (1) the user must take responsibility for managing (storing and not losing) encryption keys and passwords, (2) when sharing with others, the user must take care of key or password distribution. Although this can be handled securely for public key style cryptography, secure key distribution is not possible for password protected content. Additionally, even where secure key distribution is possible it imposes a heavy burden on the user.
  • Most importantly, the user and anyone he shares the content with must have suitable software installed to handle encryption/decryption or password protection on the device used to access the content. This may exclude access from mobile devices and other non-PC computers. As a result the server can provide no added value to the user—it simply acts as an online store of uploaded encrypted data. Therefore traditional approaches to cloud based security for servers cannot provide services such as
      • HTML or image based rendering of content for use on non-encryption capable devices
      • Document comparison or content management
      • Metadata scanning or removal
      • Other services requiring access to the content of the document on the server side.
  • The solution to the problem is summarized as follows: Each user of the shared storage environment is assigned a master encryption key, which is a private/public key pair. The public/private key pair work together such that the public key can be publicly known, but the private key is kept secret. Anyone can use the public key, to encrypt content, but only the holder of the private key can decrypt it. The user public key is stored on the server in plain (unencrypted) form. In addition, an encrypted form of the user private key is stored on the server. The user private key is encrypted using a further encryption key (referred to as the user secret key) supplied by the user along with each request to the server that needs to access the user private key. The user secret key is not stored on the server, although irreversible cryptographic hashes (or other types of one-way encryption) of it may be stored on the server. These may be used by the server to verify that a person submitting a user secret key as an authentication token has presented a valid key. This may used to verify that a challenge response passphrase is correct. The user secret key may be derived from a passphrase entered by the user or may be provided in some other way, for instance from a hardware token or a file stored on a removable device. Each piece of content (text, image, video, audio or other data) uploaded to the server for storage is encrypted with a different, newly generated, encryption key—this is the item key. The item key is encrypted using the uploading user's public key, which is available at all times on the server. The encrypted item key is stored in a database. The unencrypted copy of the item key is discarded and never stored. As a result only the user that is uploading the content can access the content file, or someone the user shares their private key with.
  • To download the encrypted content item, the user sends their user secret key to the server as part of the download request. This may be in combination with a passphrase to verify authenticity. The server can then use the secret key to decrypt the user's private key from the encrypted version which has been stored. Then the system can use the user's private key to decrypt the item key. As a result the system can use the item key to decrypt the item content and return the item content to the user. Once the request is complete, the server wipes the user secret key and the decrypted copies of the user private key and item key from memory or any other data storage. In this case, the item key can be the key to a symmetrical encryption algorithm, where the same key is used to encrypt as to decrypt the content. Alternatively, in another embodiment, the item key can be replaced by an item public/private key pair.
  • This approach also supports implementing secure methods to cause other actions that require access to the document content may also be carried out by the server in response to a request from the user that contains the user secret key. For example, a content item can be shared with another user of the system by the following mechanism: First, the user that uploaded the content item sends a share request to the server, accompanied by their user secret key. The server uses the secret key to decrypt first the user private key, and then uses the user private key to decrypt the item key. However, before any decryption of the content occurs, the server re-encrypts the item key using the public key of the destination user with whom the content item is to be shared. This newly encrypted copy of the item key is stored in the database, typically in a data record that references or can be logically connected to permission data that grants access to the item to the destination user. The database can have data records associated with each user and each content file. The user's data record contains the stored keys and passphrase, as well as an index to the data record of that user's uploaded content (or content where that user is designated the owner.) The user's data record can also contain references to content where the user has permission to view the content. Each content file can also have an associated data record in the database. That data record contains the item keys and can also contain a reference to the user designated the owner of the content. As a result, both the uploading user, and the downloading destination user can download the content item by providing their appropriate user secret keys. This is accomplished by the system verifying the identity of either user that seeks access and then automatically selecting the appropriate version of the encrypted item key to decrypt.
  • The user can submit their name or passphrase as well as their secret key. The system will generate the one-way encrypted version of the secret key and then query the database using the user name. The name or passphrase brings up the data record, and then the encrypted secret key value that is stored in the data record is compared to the generated version. If there is a match, then the user is authenticated. Next, the system can use the user secret key to decrypt the user private key and then use that to decrypt the encrypted version of the item key stored in the data record. Then the system can seek the encrypted version of the content file and decrypt it for the authenticated user.
  • This approach exhibits several advantages. First, the information needed to decrypt any content item is never permanently stored on the server, making the system resilient to attacks. In particular, access to a copy of the server data store, software and encrypted content items is not sufficient to allow an attacker or malicious staff member to decrypt any user content. Further, sharing content between users is handled by the server, freeing the user from the need to worry about sharing encryption keys or password distribution. Access permissions on content items are backed up by the existence of or non-existence of the proper chain of encryption keys granting a user access to a content item. In other words, a malicious alteration of the database that contains permission tracking data will not work because the chain of keys will not support it. Instead, the system will appear to fail to deliver the content to the surreptitiously designated recipient. Thus a programming error that causes the system to fail to apply access permissions to content will not result the server allowing users to download content they have no right to—the server will try (and fail) to decrypt the content item because there is no copy of the item key that has been encrypted with the user key of the unauthorized user.
  • Additional improvements to securing on-line shared resources can be accomplished so as to avoid additional cases of security breaches. For example, in the case of a compromise of the user's secret key (or the information that it is based on such as a passphrase). Since this information is transferred to the server and processed on the server, precautions should be taken in handling this communication and processing. In the preferred embodiment, communication with the server is secured by encryption, for example by HTTPS, SSL and other kinds of secure protocols that avoid transmission of text or information in the clear. In addition, in the preferred embodiment, the server will erase, or wipe the computer memory (and any other storage devices) used to store this information when the request for access to the data is complete. An attacker who is able to take control of a server while it is operational may be able to monitor memory and capture any or all of user secret keys, user private keys, document keys and/or decrypted content item data. This is however a far more challenging task than extracting passwords and encryption keys from an offline server or database since the attack has to take place in real time and remain undetected by the operators of the service.
  • Additional security improvements can be considered. A typical on-line content or file sharing and collaboration system has data representations of users, folders, files and permissions. Such a basic service would be expected to have the following features:
  • Provision for users to register with an identifier (typically an email address) and a password to authenticate them
  • Provision for the storage of files and the organization of files into folders
  • Ability to upload new files and download files that have already been uploaded
  • Ability to upload new versions of existing files and maintain a version history (see/download previous versions)
  • Ability to share files or folders (and all files within them) with other users.
  • Maintenance of access control lists (ACLs) which record which users are entitled to access the contents of which files and folders.
  • Storage of file contents in a file store of some description (hard disk, cloud storage, SAN/NAS Network Accessed Storage etc)
  • Storage of other data (user details, file names, folder contents, ACLs etc) in some form of database (relational or otherwise) or equivalent data storage medium.
  • Security of such a system is enhanced by organizing the encryption keys to be associated with the users and also the content. In this embodiment of the invention, when each user is registered with the system, they must provide a unique piece of information (the user secret) which will be used as the basis of all encryption for that user. The user secret may be based on a text passphrase (which preferably would be distinct from the user's logon password) or may be derived from some other source. The user secret can be transformed by the server into a symmetric encryption key (the user secret key) by a process such as a one way cryptographic hash. Techniques to derive encryption keys from passwords or other data such as those described in RFC 2898 may be used. The user secret is never stored on the server or in the server database or datastore, although a secure, one-way, cryptographic hash (or other one-way encryption) of the user secret may be stored to allow the server to validate that a supplied user secret is correct.
  • Upon registration of a new user the server will also create a new, randomly generated, public/private key pair. Various public key cryptography systems are suitable for the generation of this key pair, for instance RSA (Rivest-Shamir-Adleman) or ECC (Elliptic curve cryptography). The key length should be chosen with regard to the strength of encryption required for the file content. For instance recent recommendations indicate that an RSA key of 3072 bits or an ECC key of 256 bits should be used for equivalent security to an AES encryption at 128 bit strength. This key pair makes up the user private key and user public key.
  • The public key of the generated user key pair is stored in the server database along with the new user details. The user private key is encrypted using the user secret key and a symmetric encryption algorithm (for instance AES) and the encrypted version is stored in the database along with the new user details. A one way cryptographic hash of the unencrypted user private key (for example an SHA256 hash) may also be stored in the database.
  • Uploading Files
  • When a new file is uploaded to the server by the user, another new, randomly generated item public/private key pair is created as described above. See FIG. 1. The public key is used to encrypt the content file and the free-text or unencrypted version of the file is discarded. The private key from this item key pair is encrypted using the public key of the uploading user, who presumably owns or controls the content. The new item public key and encrypted private key thus generated are stored in the server database alongside the data identifying the newly uploaded content file. This key pair makes up the file private key and file public key (synonymous with the item private and public key pair).
  • There is no need for the server to have access to the user secret or user secret key in order to perform a file upload. This allows automated uploads via a service without the need for the service to hold the user's secret information—for instance allowing a user to email files to be uploaded to a special email address.
  • The newly uploaded file is encrypted using the file public key and the encrypted version is stored by the server in its content store. A typical place to store this encrypted key would be alongside the permission record on the server that identifies the uploading server as having permission to access the newly uploaded file. See FIG. 1. It is normal practice when encrypting a large block of data with a public key cryptography scheme to actually create a random symmetric key (which could be an AES key), encrypt the bulk data using that key and then encrypt the symmetric key using the public key cryptography. The stored data then includes the encrypted symmetric key and the encrypted document data.
  • If updated versions of an existing file are uploaded to the server at any time, then they may be encrypted as described above, using the existing file public key.
  • Downloading Files
  • In order to download a file, the user makes a request to the server specifying which file and optionally which version of the file. Along with this request the user sends their user secret key or information sufficient to derive it (such as the passphrase from which it is generated). The user secret key is used to decrypt the encrypted version of the user private key (which has been retrieved from the database). See FIG. 2. The user private key is used to decrypt the encrypted version of the file private key (again, which has been retrieved from the database). The file private key is used to decrypt the file content, which is then returned to the user. In order to maintain maximum security the server may wipe the memory (that is, remove from computer memory or other data storage) used to store the unencrypted version of the file contents and the various encryption keys used when the request is complete.
  • Sharing Files
  • Assume that a file has been uploaded by a user ‘A’ who now wants to share that file with user ‘B’ so that user B can view and edit it. In order to enable this file sharing, user A makes a sharing request to the server specifying the file to share and who to share it with. Along with this request the user sends their user secret key or information sufficient to derive it (such as the passphrase from which it is generated). The database search described above is carried out to retrieve the file private key for the file to be shared.
  • The public key for user B is retrieved from the database and used to create a new encrypted version of the file private key. This second encrypted copy of the file private key is stored in the database, in one embodiment, together with the new permissions record that will grant user B access to the file. Note that the original copy of the encrypted file private key is not overwritten or replaced. Instead, after completing the sharing procedure there are now two separate encrypted copies of the file private key stored, one for each user who has access. Sharing to more than one additional user proceeds in the same manner (the sharing request may allow multiple recipients to be specified or multiple requests may be made). A separate encrypted copy of the file private key is stored for each user who is granted access to the file.
  • When a user sends a request to download a file the correct encrypted copy of the file private key is selected by the server by retrieving it from the database. In one embodiment, the data record for a user includes one or more references to locations where an encrypted copies of file private keys that are encrypted by that user's public key are stored. If a user attempts to download a file to which they have not been granted access, they will have no way to obtain a correctly decrypted copy of the file private key, and therefore no way to access the file contents. This restriction applies independently to any code on the server which checks for permissions for a user to access a file. In other words, corruption or surreptitious interception of the database queries will not suffice to crack the security of the encryption key structure that is applied.
  • The system can also support revocation of access. If the sharing permission assigned to a user is revoked then the copy of the encrypted file private key that was encrypted by the user's public key will be discarded from the database along with removing any permissions record that grants access to that user to the file.
  • Sharing Folders
  • Sharing folders (also referred to as a directory) requires additional complexity. It is not sufficient to just treat the action of sharing a folder with user B as equivalent to sharing each file in the folder with user B. That would give user B access to the private file key for all existing files in the folder, but they would not gain access to the encryption keys for files subsequently added to the folder. Instead, when a new folder is created (including a top level folder) a new public/private key pair is created for the folder as described above. This pair makes up the folder private key and folder public key.
  • The folder public key is stored in the database alongside the information making up the folder record. The folder private key is encrypted with the creating user's public key. The encrypted folder private key is stored in the database, most likely along with the record that grants the creating user permission to access the folder as its creator. When a new item (file or subfolder) is created within any folder, the (file or folder) private key of the newly created content item is encrypted with the public key of the containing folder. This encrypted copy of the new content item private key is stored in the database, typically referenced by the data identifying the new content item itself.
  • When a folder is shared to a different user, the steps for sharing files described above are carried out, but for the folder private key rather than the file private key. Thus at the end of the steps the database contains a version of the folder private key encrypted with the public key of the user who is being granted permission to access the folder.
  • Downloading a File from a Shared Folder
  • When downloading a file from a folder that has been shared to the user, there will be no copy of the file private key encrypted by the user's public key to be found. At this point the server will check the parent folder of the file (and its parent folders) looking for a folder where the user has been granted permission. The database will contain a copy of this folder's private key encrypted with the user's public key (as described above). The user's encrypted private key is retrieved from the database and decrypted using the user secret key. The user's private key is used to decrypt the encrypted folder private key found in accordance with the previous steps. The folder private key can be used to decrypt the file private key or folder private key for any item contained in that folder where the content item file private key is managed as explained above. This allows access either directly to the private key of the file to be downloaded or indirectly (via decrypting the private keys of intermediate folders between the shared folder and the file).
  • Changing the User Secret Key
  • In order to update the user secret key—for instance change the passphrase if the secret is based upon a passphrase—the user must provide the server with both the existing and new user secret keys (or equivalently information that can be used to calculate them, such as the existing and new passphrase). The server decrypts the user private key using the existing user secret key and then re-encrypts it using the new user secret key. The newly re-encrypted user private key is then stored in the database replacing the original encrypted user private key.
  • Resetting the User Secret Key
  • If the user no longer has access to their user secret key (for example they have forgotten the passphrase which is used to generate it), they cannot use the mechanism described in steps above to reset it. If the user no longer has access to their user secret key and has no means to reset it, they will be unable to access any of their files. This is unacceptable from a usability point of view, so the next sections describe techniques that may be used to allow recovery from user secret key loss while maintaining security.
  • Storing a User Private Key Backup on the Client
  • The server may provide a mechanism for the user to download and backup their private key in unencrypted form. The request to download the private key must be accompanied by the user secret key in order to allow the server to decrypt the encrypted private key, so the encryption key can only be backed up by a user who is still in possession of their user secret key. The user should store the backed up private key securely. If a user who has forgotten their passphrase or otherwise lost their user secret key has kept a backup of their unencrypted user private key, the server may offer a mechanism for the user to re-upload their backed up user private key along with a new user secret key. If the server has stored a cryptographic hash of the user private key (or some other one-way mapping or encryption), the server can validate that the correct private key is being uploaded.
  • The server must also validate the identity of the uploading user in some other manner to ensure that the reset of the user secret key is not being carried out by an unauthorized user. Providing the user is authenticated properly and the correct private key is uploaded, the server can encrypt the user private key using the new user secret key and then store this new encrypted copy of the user private key in the database. The new user secret key will allow the user access to all of their existing files and folders.
  • Storing a User Private Key Backup on the Server
  • If the user is unable or unwilling to keep a backup of their user private key, it is possible for the server to store a backup on their behalf. In order to avoid breaching the security of the system, the backup of the user private key on the server must be encrypted and the encryption key must not be stored on the server. The backup of the user private key must therefore be stored on the server encrypted using a key based on information provided by the user. If, at a later point in time the user is able to provide the same information again, the same key will be generated and the user private key will be decrypted correctly. One approach to this problem is to request that the user give answers that are easily memorable to a number of questions. Typical questions might be ‘What was your town or place of birth?’, ‘What was the name of your first pet?’, ‘What was the name of your first school?’. Depending on the level of security required, the structure of the encrypted key stored may be varied.
  • For the highest security, the user would need to provide answers to a number of questions, and a single encryption key would be generated from all the answers. This key would then be used to encrypt the user private key and the result would be stored. The user would have to provide exactly the same answers to all the questions to recover the private key at a later time. For a less secure but more usable approach, the user would also need to provide answers to a number of questions. Each answer would be used separately to produce an encryption key and generate an encrypted version of the user private key. All of these versions of the encrypted user private key would be stored. At a later time, the user would only need to answer one of the questions correctly to be able to decrypt and recover the private key.
  • Other balances between security and ease can be devised—for instance it would be possible to ask the user 4 questions and store 6 copies of the encrypted private key under different encryptions (each copy encrypted by a different pair of answers selected from the 4 questions). In this way the user would be required to answer any 2 questions from 4 correctly to recover their private key.
  • Storing a User Private Key Backup Via an Admin User
  • If the server provides for a hierarchy of users or the facility for administrative users, backups of users private keys may be stored in the database encrypted by the public key of the user's administrator. When a new user is created and the new user's public and private key are generated, a copy of the private key is encrypted using the public key of the user's administrator and then stored in the database. At a later date, the administrator may provide their user secret key to the server which can then decrypt the administrator's private key, which can then be used to decrypt the private key of any user for which the administrator is responsible. In a corporate environment, the administrator described here would typically be the CIO or someone reporting to the CIO rather than a computer system administrator. By virtue of their ability to access any user's private key the administrator can indirectly access any file stored by one of their users. This property is desirable as it allows the administrator to access the files of a user who has (for example) left the organization, however it requires the administrator to be fully trusted by the organization.
  • Operating Environment:
  • The user's computer may be a laptop or desktop type of personal computer. It can also be a cell phone, smart phone or other handheld device, including a tablet. The precise form factor of the user's computer does not limit the claimed invention. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held, laptop or mobile computer or communications devices such as cell phones and PDA's, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • The system and method described herein can be executed using a computer system, generally comprised of a central processing unit (CPU) that is operatively connected to a memory device, data input and output circuitry (I/O) and computer data network communication circuitry. A video display device may be operatively connected through the I/O circuitry to the CPU. Components that are operatively connected to the CPU using the I/O circuitry include microphones, for digitally recording sound, and video camera, for digitally recording images or video. Audio and video may be recorded simultaneously as an audio visual recording. The I/O circuitry can also be operatively connected to an audio loudspeaker in order to render digital audio data into audible sound. Audio and video may be rendered through the loudspeaker and display device separately or in combination. Computer code executed by the CPU can take data received by the data communication circuitry and store it in the memory device. In addition, the CPU can take data from the I/O circuitry and store it in the memory device. Further, the CPU can take data from a memory device and output it through the I/O circuitry or the data communication circuitry. The data stored in memory may be further recalled from the memory device, further processed or modified by the CPU in the manner described herein and restored in the same memory device or a different memory device operatively connected to the CPU including by means of the data network circuitry. The memory device can be any kind of data storage circuit or magnetic storage or optical device, including a hard disk, optical disk or solid state memory.
  • The computer can display on the display screen operatively connected to the I/O circuitry the appearance of a user interface. Various shapes, text and other graphical forms are displayed on the screen as a result of the computer generating data that causes the pixels comprising the display screen to take on various colors and shades. The user interface also displays a graphical object referred to in the art as a cursor. The object's location on the display indicates to the user a selection of another object on the screen. The cursor may be moved by the user by means of another device connected by I/O circuitry to the computer. This device detects certain physical motions of the user, for example, the position of the hand on a flat surface or the position of a finger on a flat surface. Such devices may be referred to in the art as a mouse or a track pad. In some embodiments, the display screen itself can act as a trackpad by sensing the presence and position of one or more fingers on the surface of the display screen. When the cursor is located over a graphical object that appears to be a button or switch, the user can actuate the button or switch by engaging a physical switch on the mouse or trackpad or computer device or tapping the trackpad or touch sensitive display. When the computer detects that the physical switch has been engaged (or that the tapping of the track pad or touch sensitive screen has occurred), it takes the apparent location of the cursor (or in the case of a touch sensitive screen, the detected position of the finger) on the screen and executes the process associated with that location. As an example, not intended to limit the breadth of the disclosed invention, a graphical object that appears to be a 2 dimensional box with the word “enter” within it may be displayed on the screen. If the computer detects that the switch has been engaged while the cursor location (or finger location for a touch sensitive screen) was within the boundaries of a graphical object, for example, the displayed box, the computer will execute the process associated with the “enter” command. In this way, graphical objects on the screen create a user interface that permits the user to control the processes operating on the computer.
  • The system is typically comprised of a central server that is connected by a data network to a user's computer. The central server may be comprised of one or more computers connected to one or more mass storage devices. The precise architecture of the central server does not limit the claimed invention. In addition, the data network may operate with several levels, such that the user's computer is connected through a fire wall to one server, which routes communications to another server that executes the disclosed methods. The precise details of the data network architecture does not limit the claimed invention.
  • A server may be a computer comprised of a central processing unit with a mass storage device and a network connection. In addition a server can include multiple of such computers connected together with a data network or other data transfer connection, or, multiple computers on a network with network accessed storage, in a manner that provides such functionality as a group. Practitioners of ordinary skill will recognize that functions that are accomplished on one server may be partitioned and accomplished on multiple servers that are operatively connected by a computer network by means of appropriate inter process communication. In addition, the access of the website can be by means of an Internet browser accessing a secure or public page or by means of a client program running on a local computer that is connected over a computer network to the server. A data message and data upload or download can be delivered over the Internet using typical protocols, including TCP/IP, HTTP, SMTP, RPC, FTP or other kinds of data communication protocols that permit processes running on two remote computers to exchange information by means of digital network communication. As a result a data message can be a data packet transmitted from or received by a computer containing a destination network address, a destination process or application identifier, and data values that can be parsed at the destination computer located at the destination network address by the destination application in order that the relevant data values are extracted and used by the destination application.
  • The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices. Practitioners of ordinary skill will recognize that the invention may be executed on one or more computer processors that are linked using a data network, including, for example, the Internet. In another embodiment, different steps of the process can be executed by one or more computers and storage devices geographically separated by connected by a data network in a manner so that they operate together to execute the process steps. In one embodiment, a user's computer can run an application that causes the user's computer to transmit a stream of one or more data packets across a data network to a second computer, referred to here as a server. The server, in turn, may be connected to one or more mass data storage devices where the database is stored. The server can execute a program that receives the transmitted packet and interpret the transmitted data packets in order to extract database query information. The server can then execute the remaining steps of the invention by means of accessing the mass storage devices to derive the desired result of the query. Alternatively, the server can transmit the query information to another computer that is connected to the mass storage devices, and that computer can execute the invention to derive the desired result. The result can then be transmitted back to the user's computer by means of another stream of one or more data packets appropriately addressed to the user's computer.
  • Computer program logic implementing all or part of the functionality previously described herein may be embodied in various forms, including, but in no way limited to, a source code form, a computer executable form, and various intermediate forms (e.g., forms generated by an assembler, compiler, linker, or locator.) Source code may include a series of computer program instructions implemented in any of various programming languages (e.g., an object code, an assembly language, or a high-level language such as FORTRAN, C, C++, JAVA, or HTML or scripting languages that are executed by Internet web-browsers) for use with various operating systems or operating environments. The source code may define and use various data structures and communication messages. The source code may be in a computer executable form (e.g., via an interpreter), or the source code may be converted (e.g., via a translator, assembler, or compiler) into a computer executable form.
  • The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. The computer program and data may be fixed in any form (e.g., source code form, computer executable form, or an intermediate form) either permanently or transitorily in a tangible storage medium, such as a semiconductor memory device (e.g., a RAM, ROM, PROM, EEPROM, or Flash-Programmable RAM), a magnetic memory device (e.g., a diskette or fixed hard disk), an optical memory device (e.g., a CD-ROM or DVD), a PC card (e.g., PCMCIA card), or other memory device. The computer program and data may be fixed in any form in a signal that is transmittable to a computer using any of various communication technologies, including, but in no way limited to, analog technologies, digital technologies, optical technologies, wireless technologies, networking technologies, and internetworking technologies. The computer program and data may be distributed in any form as a removable storage medium with accompanying printed or electronic documentation (e.g., shrink wrapped software or a magnetic tape), preloaded with a computer system (e.g., on system ROM or fixed disk), or distributed from a server or electronic bulletin board over the communication system (e.g., the Internet or World Wide Web.) It is appreciated that any of the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.
  • The described embodiments of the invention are intended to be exemplary and numerous variations and modifications will be apparent to those skilled in the art. All such variations and modifications are intended to be within the scope of the present invention as defined in the appended claims. Although the present invention has been described and illustrated in detail, it is to be clearly understood that the same is by way of illustration and example only, and is not to be taken by way of limitation. It is appreciated that various features of the invention which are, for clarity, described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable combination. It is appreciated that the particular embodiment described in the specification is intended only to provide an extremely detailed disclosure of the present invention and is not intended to be limiting.
  • It should be noted that the flow diagrams are used herein to demonstrate various aspects of the invention, and should not be construed to limit the present invention to any particular logic flow or logic implementation. The described logic may be partitioned into different logic blocks (e.g., programs, modules, functions, or subroutines) without changing the overall results or otherwise departing from the true scope of the invention. Oftentimes, logic elements may be added, modified, omitted, performed in a different order, or implemented using different logic constructs (e.g., logic gates, looping primitives, conditional logic, and other logic constructs) without changing the overall results or otherwise departing from the true scope of the invention.
  • Modifications of the above disclosed apparatus and methods which fall within the scope of the invention will be readily apparent to those of ordinary skill in the art. Accordingly, while the present invention has been disclosed in connection with exemplary embodiments thereof, it should be understood that other embodiments may fall within the spirit and scope of the invention, as defined by the following claims.

Claims (12)

What is claimed:
1. A method executed by a shared computer system that is comprised of data storage of securing content files associated with a folder data structure stored on the shared computer system, said folder data structure being associated with a public/private encryption key pair and a folder originator, said folder originator being associated with a public/private encryption key pair, the method comprising:
by a computer, receiving and storing the content file;
generating a public/private encryption key pair associated with the content file;
encrypting the content file with the public key associated with the content file;
retrieving from data storage the public key of the public/private encryption key pair associated with the folder data structure;
encrypting the private key associated with the content file using the public key of the folder data structure;
encrypting the private key associated with the folder data structure using the public key associated with the folder originator associated with the folder data structure; and
preventing access to an unencrypted version of the folder data structure private key and an unencrypted version of the private key associated with the content file.
2. The method of claim 1 further comprising:
decrypting the folder data structure private key using the folder originator private key;
obtaining a destination user public key;
encrypting the folder data structure private key using the public key of the destination user.
3. A computer system for securing a content file comprising:
at least one central processing unit connected using a data channel to at least one data storage device;
a folder data structure stored on the shared computer system, said folder data structure being associated with a public/private encryption key pair and a folder originator, said folder originator being associated with a public/private encryption key pair;
said system being adapted to execute a method comprising:
receiving and storing the content file;
generating a public/private encryption key pair associated with the content file;
encrypting the content file with the public key associated with the content file;
retrieving from data storage the public key of the public/private encryption key pair associated with the folder data structure;
encrypting the private key associated with the content file using the public key of the folder data structure;
encrypting the private key associated with the folder data structure using the public key associated with the folder originator associated with the folder data structure; and
preventing access to an unencrypted version of the folder data structure private key and an unencrypted version of the unencrypted private key associated with the content file.
4. The shared computer system of claim 3 further adapted to execute the method of:
decrypting the folder data structure private key using the folder originator private key;
obtaining a destination user public key; and
encrypting the folder data structure private key using the public key of the destination user.
5. A non-transitory computer storage medium containing program code that, when executed by a shared computer system, causes the shared computer system to execute a method of securing a content file associated with a folder data structure stored on the shared computer system, said folder data structure being associated with a public/private encryption key pair and a folder originator, said folder originator being associated with a public/private encryption key pair, the method comprising:
receiving and storing the content file;
generating a public/private encryption key pair associated with the content file;
encrypting the content file with the public key associated with the content file;
retrieving from data storage the public key of the public/private encryption key pair associated with the folder data structure;
encrypting the private key associated with the content file using the public key of the folder data structure; and
encrypting the private key associated with the folder data structure using the public key associated with the folder originator associated with the folder data structure; and preventing access to an unencrypted version of the folder data structure private key and an unencrypted version of the unencrypted private key associated with the content file.
6. The non-transitory storage medium of claim 5 further adapted so that the executed method is further comprised of:
decrypting the folder data structure private key using the folder originator private key;
obtaining a destination user public key; and
encrypting the folder data structure private key using the public key of the destination user.
7. The method of claim 1 where the preventing access step is comprised of:
removing from data storage the unencrypted version of the private key associated with the content file; and
removing from data storage the unencrypted version of the folder data structure private key.
8. The system of claim 3 further adapted to execute the preventing access by removing from data storage the unencrypted version of the private key associated with the content file; and removing from computer data storage the unencrypted version of the folder data structure private key.
9. The non-transitory storage medium of claim 5 further adapted so that the preventing access is executed by removing from computer data storage the unencrypted private key associated with the content file and removing from computer data storage the unencrypted folder data structure private key.
10. The method of claim 1 where the preventing access step is comprised of:
encrypting the unencrypted version of the private key associated with the content file; and
encrypting the unencrypted version of the folder data structure private key.
11. The system of claim 3 further adapted to execute the preventing access by:
encrypting the unencrypted version of the private key associated with the content file; and
encrypting the unencrypted version of the folder data structure private key.
12. The non-transitory storage medium of claim 5 further adapted so that the preventing access is executed by:
encrypting the unencrypted version of the private key associated with the content file; and
encrypting the unencrypted version of the folder data structure private key.
US14/691,331 2011-06-08 2015-04-20 Method and System for Securing Documents on a Remote Shared Storage Resource Abandoned US20150227758A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US201161559227P true 2011-11-14 2011-11-14
US13/333,605 US20120317239A1 (en) 2011-06-08 2011-12-21 Method and system for collaborative editing of a remotely stored document
US201261614380P true 2012-03-22 2012-03-22
US13/436,577 US9070112B2 (en) 2011-06-08 2012-03-30 Method and system for securing documents on a remote shared storage resource
US13/799,067 US20130254536A1 (en) 2012-03-22 2013-03-13 Secure server side encryption for online file sharing and collaboration
US14/691,331 US20150227758A1 (en) 2011-11-14 2015-04-20 Method and System for Securing Documents on a Remote Shared Storage Resource

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/691,331 US20150227758A1 (en) 2011-11-14 2015-04-20 Method and System for Securing Documents on a Remote Shared Storage Resource

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/436,577 Continuation US9070112B2 (en) 2011-06-08 2012-03-30 Method and system for securing documents on a remote shared storage resource

Publications (1)

Publication Number Publication Date
US20150227758A1 true US20150227758A1 (en) 2015-08-13

Family

ID=47294089

Family Applications (4)

Application Number Title Priority Date Filing Date
US13/333,605 Pending US20120317239A1 (en) 2011-06-08 2011-12-21 Method and system for collaborative editing of a remotely stored document
US13/436,577 Active 2032-01-16 US9070112B2 (en) 2011-06-08 2012-03-30 Method and system for securing documents on a remote shared storage resource
US14/581,069 Abandoned US20150113270A1 (en) 2011-06-08 2014-12-23 Method and System for Securing Documents on a Remote Shared Storage Resource
US14/691,331 Abandoned US20150227758A1 (en) 2011-06-08 2015-04-20 Method and System for Securing Documents on a Remote Shared Storage Resource

Family Applications Before (3)

Application Number Title Priority Date Filing Date
US13/333,605 Pending US20120317239A1 (en) 2011-06-08 2011-12-21 Method and system for collaborative editing of a remotely stored document
US13/436,577 Active 2032-01-16 US9070112B2 (en) 2011-06-08 2012-03-30 Method and system for securing documents on a remote shared storage resource
US14/581,069 Abandoned US20150113270A1 (en) 2011-06-08 2014-12-23 Method and System for Securing Documents on a Remote Shared Storage Resource

Country Status (1)

Country Link
US (4) US20120317239A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110502909A (en) * 2019-08-06 2019-11-26 北京北信源软件股份有限公司 A kind of file encrypting method and device, a kind of file decryption method and device

Families Citing this family (166)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10055595B2 (en) 2007-08-30 2018-08-21 Baimmt, Llc Secure credentials control method
US8326814B2 (en) 2007-12-05 2012-12-04 Box, Inc. Web-based file management system and service
US8286171B2 (en) 2008-07-21 2012-10-09 Workshare Technology, Inc. Methods and systems to fingerprint textual information using word runs
US20120136862A1 (en) 2010-11-29 2012-05-31 Workshare Technology, Inc. System and method for presenting comparisons of electronic documents
US9237155B1 (en) 2010-12-06 2016-01-12 Amazon Technologies, Inc. Distributed policy enforcement with optimizing policy transformations
US10554426B2 (en) 2011-01-20 2020-02-04 Box, Inc. Real time notification of activities that occur in a web-based collaboration environment
US10911492B2 (en) 2013-07-25 2021-02-02 Workshare Ltd. System and method for securing documents prior to transmission
US10880359B2 (en) 2011-12-21 2020-12-29 Workshare, Ltd. System and method for cross platform document sharing
US10574729B2 (en) 2011-06-08 2020-02-25 Workshare Ltd. System and method for cross platform document sharing
US9613340B2 (en) 2011-06-14 2017-04-04 Workshare Ltd. Method and system for shared document approval
US9455961B2 (en) * 2011-06-16 2016-09-27 Pasafeshare Lcc System, method and apparatus for securely distributing content
US10095848B2 (en) 2011-06-16 2018-10-09 Pasafeshare Llc System, method and apparatus for securely distributing content
US9015601B2 (en) 2011-06-21 2015-04-21 Box, Inc. Batch uploading of content to a web-based collaboration environment
US9063912B2 (en) 2011-06-22 2015-06-23 Box, Inc. Multimedia content preview rendering in a cloud content management system
US9978040B2 (en) 2011-07-08 2018-05-22 Box, Inc. Collaboration sessions in a workspace on a cloud-based content management system
US9652741B2 (en) 2011-07-08 2017-05-16 Box, Inc. Desktop application for access and interaction with workspaces in a cloud-based content management system and synchronization mechanisms thereof
US10165007B2 (en) * 2011-09-15 2018-12-25 Microsoft Technology Licensing, Llc Securing data usage in computing devices
US9197718B2 (en) 2011-09-23 2015-11-24 Box, Inc. Central management and control of user-contributed content in a web-based collaboration environment and management console thereof
US9197409B2 (en) 2011-09-29 2015-11-24 Amazon Technologies, Inc. Key derivation techniques
US9203613B2 (en) 2011-09-29 2015-12-01 Amazon Technologies, Inc. Techniques for client constructed sessions
US9178701B2 (en) 2011-09-29 2015-11-03 Amazon Technologies, Inc. Parameter based key derivation
US9098474B2 (en) 2011-10-26 2015-08-04 Box, Inc. Preview pre-generation based on heuristics and algorithmic prediction/assessment of predicted user behavior for enhancement of user experience
US9606972B2 (en) * 2011-11-09 2017-03-28 Microsoft Technology Licensing, Llc Document collaboration with collaboration context data
US8990307B2 (en) 2011-11-16 2015-03-24 Box, Inc. Resource effective incremental updating of a remote client with events which occurred via a cloud-enabled platform
GB2500152A (en) 2011-11-29 2013-09-11 Box Inc Mobile platform file and folder selection functionalities for offline access and synchronization
US8751800B1 (en) 2011-12-12 2014-06-10 Google Inc. DRM provider interoperability
US9019123B2 (en) 2011-12-22 2015-04-28 Box, Inc. Health check services for web-based collaboration environments
US9904435B2 (en) 2012-01-06 2018-02-27 Box, Inc. System and method for actionable event generation for task delegation and management via a discussion forum in a web-based collaboration environment
AU2014274590B2 (en) * 2012-02-20 2016-05-19 Kl Data Security Pty Ltd Cryptographic Method and System
AU2013200916B2 (en) * 2012-02-20 2014-09-11 Kl Data Security Pty Ltd Cryptographic Method and System
US20130219166A1 (en) * 2012-02-20 2013-08-22 Motorola Mobility, Inc. Hardware based identity manager
US9965745B2 (en) 2012-02-24 2018-05-08 Box, Inc. System and method for promoting enterprise adoption of a web-based collaboration environment
US9195636B2 (en) 2012-03-07 2015-11-24 Box, Inc. Universal file type preview for mobile devices
US8892865B1 (en) 2012-03-27 2014-11-18 Amazon Technologies, Inc. Multiple authority key derivation
US8739308B1 (en) 2012-03-27 2014-05-27 Amazon Technologies, Inc. Source identification for unauthorized copies of content
US9215076B1 (en) 2012-03-27 2015-12-15 Amazon Technologies, Inc. Key generation for hierarchical data access
US9054919B2 (en) 2012-04-05 2015-06-09 Box, Inc. Device pinning capability for enterprise cloud service and storage accounts
US9575981B2 (en) 2012-04-11 2017-02-21 Box, Inc. Cloud service enabled to handle a set of files depicted to a user as a single file in a native operating system
US9251360B2 (en) 2012-04-27 2016-02-02 Intralinks, Inc. Computerized method and system for managing secure mobile device content viewing in a networked secure collaborative exchange environment
US9253176B2 (en) * 2012-04-27 2016-02-02 Intralinks, Inc. Computerized method and system for managing secure content sharing in a networked secure collaborative exchange environment
US9148417B2 (en) 2012-04-27 2015-09-29 Intralinks, Inc. Computerized method and system for managing amendment voting in a networked secure collaborative exchange environment
US9553860B2 (en) 2012-04-27 2017-01-24 Intralinks, Inc. Email effectivity facility in a networked secure collaborative exchange environment
GB2505272B (en) 2012-05-04 2014-07-09 Box Inc Repository redundancy implementation of a system which incrementally updates clients with events that occurred via cloud-enabled platform
US20130305328A1 (en) * 2012-05-08 2013-11-14 Wai Pong Andrew LEUNG Systems and methods for passing password information between users
US9691051B2 (en) 2012-05-21 2017-06-27 Box, Inc. Security enhancement through application access control
US8914900B2 (en) 2012-05-23 2014-12-16 Box, Inc. Methods, architectures and security mechanisms for a third-party application to access content in a cloud-based platform
US9027108B2 (en) 2012-05-23 2015-05-05 Box, Inc. Systems and methods for secure file portability between mobile applications on a mobile device
US9258118B1 (en) 2012-06-25 2016-02-09 Amazon Technologies, Inc. Decentralized verification in a distributed system
US9660972B1 (en) 2012-06-25 2017-05-23 Amazon Technologies, Inc. Protection from data security threats
US8984598B2 (en) * 2012-06-27 2015-03-17 International Business Machines Corporation Web-based security proxy for computing system environment scanning
US9021099B2 (en) 2012-07-03 2015-04-28 Box, Inc. Load balancing secure FTP connections among multiple FTP servers
US9712510B2 (en) 2012-07-06 2017-07-18 Box, Inc. Systems and methods for securely submitting comments among users via external messaging applications in a cloud-based platform
US9792320B2 (en) 2012-07-06 2017-10-17 Box, Inc. System and method for performing shard migration to support functions of a cloud-based service
GB2505072A (en) 2012-07-06 2014-02-19 Box Inc Identifying users and collaborators as search results in a cloud-based system
US9237170B2 (en) 2012-07-19 2016-01-12 Box, Inc. Data loss prevention (DLP) methods and architectures by a cloud service
US8896858B2 (en) * 2012-07-22 2014-11-25 Xerox Corporation Method for enforcing document privacy through third party systems
US9794256B2 (en) 2012-07-30 2017-10-17 Box, Inc. System and method for advanced control tools for administrators in a cloud-based service
US8868574B2 (en) 2012-07-30 2014-10-21 Box, Inc. System and method for advanced search and filtering mechanisms for enterprise administrators in a cloud-based environment
US8745267B2 (en) 2012-08-19 2014-06-03 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
US9369520B2 (en) 2012-08-19 2016-06-14 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
GB2513671A (en) 2012-08-27 2014-11-05 Box Inc Server side techniques for reducing database workload in implementing selective subfolder synchronization in a cloud-based environment
US9135462B2 (en) 2012-08-29 2015-09-15 Box, Inc. Upload and download streaming encryption to/from a cloud-based platform
WO2014036403A2 (en) * 2012-08-31 2014-03-06 Pkware, Inc. System and methods for data verification and replay prevention
US9195519B2 (en) 2012-09-06 2015-11-24 Box, Inc. Disabling the self-referential appearance of a mobile application in an intent via a background registration
US9117087B2 (en) * 2012-09-06 2015-08-25 Box, Inc. System and method for creating a secure channel for inter-application communication based on intents
US9311071B2 (en) 2012-09-06 2016-04-12 Box, Inc. Force upgrade of a mobile application via a server side configuration file
US9292833B2 (en) 2012-09-14 2016-03-22 Box, Inc. Batching notifications of activities that occur in a web-based collaboration environment
US10200256B2 (en) 2012-09-17 2019-02-05 Box, Inc. System and method of a manipulative handle in an interactive mobile user interface
US9553758B2 (en) 2012-09-18 2017-01-24 Box, Inc. Sandboxing individual applications to specific user folders in a cloud-based service
US9372864B2 (en) 2012-09-24 2016-06-21 Moxtra, Inc. Online binders
US9959420B2 (en) 2012-10-02 2018-05-01 Box, Inc. System and method for enhanced security and management mechanisms for enterprise administrators in a cloud-based environment
US9705967B2 (en) 2012-10-04 2017-07-11 Box, Inc. Corporate user discovery and identification of recommended collaborators in a cloud platform
US9495364B2 (en) 2012-10-04 2016-11-15 Box, Inc. Enhanced quick search features, low-barrier commenting/interactive features in a collaboration platform
US9665349B2 (en) 2012-10-05 2017-05-30 Box, Inc. System and method for generating embeddable widgets which enable access to a cloud-based collaboration platform
JP5982343B2 (en) 2012-10-17 2016-08-31 ボックス インコーポレイテッドBox, Inc. Remote key management in a cloud-based environment
US9213867B2 (en) * 2012-12-07 2015-12-15 Microsoft Technology Licensing, Llc Secure cloud database platform with encrypted database queries
US10235383B2 (en) 2012-12-19 2019-03-19 Box, Inc. Method and apparatus for synchronization of items with read-only permissions in a cloud-based environment
US9396245B2 (en) 2013-01-02 2016-07-19 Box, Inc. Race condition handling in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9953036B2 (en) 2013-01-09 2018-04-24 Box, Inc. File system monitoring in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9507795B2 (en) 2013-01-11 2016-11-29 Box, Inc. Functionalities, features, and user interface of a synchronization client to a cloud-based environment
EP2757491A1 (en) 2013-01-17 2014-07-23 Box, Inc. Conflict resolution, retry condition management, and handling of problem files for the synchronization client to a cloud-based platform
US9170990B2 (en) 2013-03-14 2015-10-27 Workshare Limited Method and system for document retrieval with selective document comparison
US10783326B2 (en) 2013-03-14 2020-09-22 Workshare, Ltd. System for tracking changes in a collaborative document editing environment
US9767299B2 (en) * 2013-03-15 2017-09-19 Mymail Technology, Llc Secure cloud data sharing
US9542377B2 (en) 2013-05-06 2017-01-10 Dropbox, Inc. Note browser
US10725968B2 (en) 2013-05-10 2020-07-28 Box, Inc. Top down delete or unsynchronization on delete of and depiction of item synchronization with a synchronization client to a cloud-based platform
US10846074B2 (en) 2013-05-10 2020-11-24 Box, Inc. Identification and handling of items to be ignored for synchronization with a cloud-based platform by a synchronization client
GB2515192B (en) 2013-06-13 2016-12-14 Box Inc Systems and methods for synchronization event building and/or collapsing by a synchronization component of a cloud-based platform
US9407440B2 (en) 2013-06-20 2016-08-02 Amazon Technologies, Inc. Multiple authority data security and access
US9805050B2 (en) 2013-06-21 2017-10-31 Box, Inc. Maintaining and updating file system shadows on a local device by a synchronization client of a cloud-based platform
US20140380191A1 (en) * 2013-06-24 2014-12-25 Autodesk, Inc. Method and apparatus for design review collaboration across multiple platforms
US10229134B2 (en) 2013-06-25 2019-03-12 Box, Inc. Systems and methods for managing upgrades, migration of user data and improving performance of a cloud-based platform
US10110656B2 (en) 2013-06-25 2018-10-23 Box, Inc. Systems and methods for providing shell communication in a cloud-based platform
US9521000B1 (en) 2013-07-17 2016-12-13 Amazon Technologies, Inc. Complete forward access sessions
US9948676B2 (en) 2013-07-25 2018-04-17 Workshare, Ltd. System and method for securing documents prior to transmission
US9535924B2 (en) 2013-07-30 2017-01-03 Box, Inc. Scalability improvement in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US10509527B2 (en) 2013-09-13 2019-12-17 Box, Inc. Systems and methods for configuring event-based automation in cloud-based collaboration platforms
US8892679B1 (en) 2013-09-13 2014-11-18 Box, Inc. Mobile device, methods and user interfaces thereof in a mobile device platform featuring multifunctional access and engagement in a collaborative environment provided by a cloud-based platform
US9213684B2 (en) 2013-09-13 2015-12-15 Box, Inc. System and method for rendering document in web browser or mobile device regardless of third-party plug-in software
US9704137B2 (en) 2013-09-13 2017-07-11 Box, Inc. Simultaneous editing/accessing of content by collaborator invitation through a web-based or mobile application to a cloud-based collaboration platform
GB2518298A (en) 2013-09-13 2015-03-18 Box Inc High-availability architecture for a cloud-based concurrent-access collaboration platform
US9535909B2 (en) 2013-09-13 2017-01-03 Box, Inc. Configurable event-based automation architecture for cloud-based collaboration platforms
US10181953B1 (en) 2013-09-16 2019-01-15 Amazon Technologies, Inc. Trusted data verification
US9311500B2 (en) * 2013-09-25 2016-04-12 Amazon Technologies, Inc. Data security using request-supplied keys
US9237019B2 (en) 2013-09-25 2016-01-12 Amazon Technologies, Inc. Resource locators with keys
US10866931B2 (en) 2013-10-22 2020-12-15 Box, Inc. Desktop application for accessing a cloud collaboration platform
US10243945B1 (en) 2013-10-28 2019-03-26 Amazon Technologies, Inc. Managed identity federation
EP3069462A4 (en) 2013-11-14 2017-05-03 Intralinks, Inc. Litigation support in cloud-hosted file sharing and collaboration
US9420007B1 (en) 2013-12-04 2016-08-16 Amazon Technologies, Inc. Access control using impersonization
EP3080742A4 (en) * 2013-12-11 2017-08-30 Intralinks, Inc. Customizable secure data exchange environment
US9292711B1 (en) 2014-01-07 2016-03-22 Amazon Technologies, Inc. Hardware secret usage limits
US9369461B1 (en) 2014-01-07 2016-06-14 Amazon Technologies, Inc. Passcode verification using hardware secrets
US9374368B1 (en) 2014-01-07 2016-06-21 Amazon Technologies, Inc. Distributed passcode verification system
US9262642B1 (en) 2014-01-13 2016-02-16 Amazon Technologies, Inc. Adaptive client-aware session security as a service
US20150220506A1 (en) * 2014-02-05 2015-08-06 Kopin Corporation Remote Document Annotation
US9692763B2 (en) 2014-02-12 2017-06-27 International Business Machines Corporation Document event notifications based on document access control lists
CN104915601B (en) 2014-03-12 2019-04-19 三星电子株式会社 The system and method that file in device is encrypted
US10771255B1 (en) 2014-03-25 2020-09-08 Amazon Technologies, Inc. Authenticated storage operations
US9398014B2 (en) * 2014-04-04 2016-07-19 International Business Machines Corporation Validation of a location resource based on recipient access
US10171579B2 (en) 2014-04-08 2019-01-01 Dropbox, Inc. Managing presence among devices accessing shared and synchronized content
US9998555B2 (en) 2014-04-08 2018-06-12 Dropbox, Inc. Displaying presence in an application accessing shared and synchronized content
CN103927354A (en) * 2014-04-11 2014-07-16 百度在线网络技术(北京)有限公司 Interactive searching and recommending method and device
GB2530685A (en) 2014-04-23 2016-03-30 Intralinks Inc Systems and methods of secure data exchange
US20150341460A1 (en) * 2014-05-22 2015-11-26 Futurewei Technologies, Inc. System and Method for Pre-fetching
US10530854B2 (en) 2014-05-30 2020-01-07 Box, Inc. Synchronization of permissioned content in cloud-based environments
US9602514B2 (en) 2014-06-16 2017-03-21 Box, Inc. Enterprise mobility management and verification of a managed application by a content provider
US9258117B1 (en) 2014-06-26 2016-02-09 Amazon Technologies, Inc. Mutual authentication with symmetric secrets and signatures
US10326597B1 (en) 2014-06-27 2019-06-18 Amazon Technologies, Inc. Dynamic response signing capability in a distributed system
US10205597B2 (en) 2014-06-30 2019-02-12 Hewlett-Packard Development Company, L.P. Composite document referenced resources
US9921855B2 (en) * 2014-07-18 2018-03-20 JM Consulting Systems and methods for generating an interactive user interface from a database
US9722958B2 (en) * 2014-07-18 2017-08-01 International Business Machines Corporation Recommendation of a location resource based on recipient access
US10452855B2 (en) * 2014-08-12 2019-10-22 Hewlett Packard Development Company, L.P. Composite document access
US9894119B2 (en) 2014-08-29 2018-02-13 Box, Inc. Configurable metadata-based automation and content classification architecture for cloud-based collaboration platforms
US9756022B2 (en) 2014-08-29 2017-09-05 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US10038731B2 (en) 2014-08-29 2018-07-31 Box, Inc. Managing flow-based interactions with cloud-based shared content
US10574442B2 (en) 2014-08-29 2020-02-25 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US9390282B2 (en) * 2014-09-03 2016-07-12 Microsoft Technology Licensing, Llc Outsourcing document-transformation tasks while protecting sensitive information
EP3210157B1 (en) * 2014-10-23 2020-04-01 Pageproof.com Limited Encrypted collaboration system and method
US9639687B2 (en) 2014-11-18 2017-05-02 Cloudfare, Inc. Multiply-encrypting data requiring multiple keys for decryption
US10133723B2 (en) 2014-12-29 2018-11-20 Workshare Ltd. System and method for determining document version geneology
US9773119B2 (en) 2015-02-25 2017-09-26 Sap Se Parallel and hierarchical password protection on specific document sections
US10015173B1 (en) * 2015-03-10 2018-07-03 Symantec Corporation Systems and methods for location-aware access to cloud data stores
US10042900B2 (en) * 2015-03-23 2018-08-07 Dropbox, Inc. External user notifications in shared folder backed integrated workspaces
JP2016192103A (en) * 2015-03-31 2016-11-10 日本電気株式会社 Information processing system, information processing method, and information processing program
US10615961B2 (en) * 2015-06-02 2020-04-07 Telefonatiebolaget Lm Ericsson (Publ) Method and encryption node for encrypting message
US10122689B2 (en) 2015-06-16 2018-11-06 Amazon Technologies, Inc. Load balancing with handshake offload
US10122692B2 (en) 2015-06-16 2018-11-06 Amazon Technologies, Inc. Handshake offload
US10033702B2 (en) 2015-08-05 2018-07-24 Intralinks, Inc. Systems and methods of secure data exchange
US10007809B1 (en) * 2015-08-26 2018-06-26 EMC IP Holding Company LLC Fine-grained self-shredding data in a secure communication ecosystem
US10073981B2 (en) 2015-10-09 2018-09-11 Microsoft Technology Licensing, Llc Controlling secure processing of confidential data in untrusted devices
US9965475B2 (en) 2016-03-31 2018-05-08 Microsoft Technology Licensing, Llc User interface for navigating comments associated with collaboratively edited electronic documents
US10382502B2 (en) * 2016-04-04 2019-08-13 Dropbox, Inc. Change comments for synchronized content items
US10791097B2 (en) 2016-04-14 2020-09-29 Sophos Limited Portable encryption format
US10554664B2 (en) * 2016-05-02 2020-02-04 Microsoft Technology Licensing, Llc Activity feed for hosted files
US9842095B2 (en) * 2016-05-10 2017-12-12 Adobe Systems Incorporated Cross-device document transactions
CN109496414A (en) * 2016-07-28 2019-03-19 皇家飞利浦有限公司 The network node that identification data will be copied to
US10116440B1 (en) 2016-08-09 2018-10-30 Amazon Technologies, Inc. Cryptographic key management for imported cryptographic keys
US10719807B2 (en) 2016-12-29 2020-07-21 Dropbox, Inc. Managing projects using references
US10402786B2 (en) 2016-12-30 2019-09-03 Dropbox, Inc. Managing projects in a content management system
US10587401B2 (en) * 2017-04-03 2020-03-10 Salesforce.Com, Inc. Secure handling of customer-supplied encryption secrets
US10691619B1 (en) * 2017-10-18 2020-06-23 Google Llc Combined integrity protection, encryption and authentication
US20190318118A1 (en) * 2018-04-16 2019-10-17 International Business Machines Corporation Secure encrypted document retrieval
US20190325153A1 (en) * 2018-04-20 2019-10-24 Rohde & Schwarz Gmbh & Co. Kg System and method for secure data handling
US10657318B2 (en) * 2018-08-01 2020-05-19 Microsoft Technology Licensing, Llc Comment notifications for electronic content
US20200142863A1 (en) 2018-11-06 2020-05-07 Dropbox, Inc. Technologies for integrating cloud content items across platforms
US10902146B2 (en) 2019-03-19 2021-01-26 Workiva Inc. Method and computing device for gating data between workspaces

Family Cites Families (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7349892B1 (en) * 1996-05-10 2008-03-25 Aol Llc System and method for automatically organizing and classifying businesses on the World-Wide Web
US20060129627A1 (en) * 1996-11-22 2006-06-15 Mangosoft Corp. Internet-based shared file service with native PC client access and semantics and distributed version control
US6317777B1 (en) * 1999-04-26 2001-11-13 Intel Corporation Method for web based storage and retrieval of documents
US6405219B2 (en) * 1999-06-22 2002-06-11 F5 Networks, Inc. Method and system for automatically updating the version of a set of files stored on content servers
US6356937B1 (en) * 1999-07-06 2002-03-12 David Montville Interoperable full-featured web-based and client-side e-mail system
US6591289B1 (en) * 1999-07-27 2003-07-08 The Standard Register Company Method of delivering formatted documents over a communications network
WO2001052473A1 (en) * 2000-01-14 2001-07-19 Critical Path, Inc. Secure management of electronic documents in a networked environment
AU6422200A (en) * 2000-02-08 2001-08-20 Swisscom Mobile Ag Single sign-on process
US7111060B2 (en) * 2000-03-14 2006-09-19 Aep Networks, Inc. Apparatus and accompanying methods for providing, through a centralized server site, a secure, cost-effective, web-enabled, integrated virtual office environment remotely accessible through a network-connected web browser
US7903822B1 (en) * 2000-11-10 2011-03-08 DMT Licensing, LLC. Method and system for establishing a trusted and decentralized peer-to-peer network
US7181017B1 (en) * 2001-03-23 2007-02-20 David Felsher System and method for secure three-party communications
ES2266514T5 (en) * 2001-06-07 2015-09-30 Contentguard Holdings, Inc. Method and system of digital subscription rights management
US7562112B2 (en) * 2001-07-06 2009-07-14 Intel Corporation Method and apparatus for peer-to-peer services for efficient transfer of information between networks
US7194513B2 (en) * 2001-07-08 2007-03-20 Imran Sharif System and method for using an internet appliance to send/receive digital content files as E-mail attachments
US7266699B2 (en) * 2001-08-30 2007-09-04 Application Security, Inc. Cryptographic infrastructure for encrypting a database
JP3879594B2 (en) * 2001-11-02 2007-02-14 日本電気株式会社 Switch method, apparatus and program
US7194761B1 (en) * 2002-01-22 2007-03-20 Cisco Technology, Inc. Methods and apparatus providing automatic client authentication
GB0202431D0 (en) * 2002-02-02 2002-03-20 F Secure Oyj Method and apparatus for encrypting data
US6971017B2 (en) * 2002-04-16 2005-11-29 Xerox Corporation Ad hoc secure access to documents and services
US20040031052A1 (en) * 2002-08-12 2004-02-12 Liberate Technologies Information platform
EP1565019A1 (en) * 2002-11-14 2005-08-17 Omron Corporation Information distribution system, information acquisition device, information distribution server, information reproduction device, information reproduction method, information distribution control method, information distribution control program, and computer-readable recording medium
KR100390172B1 (en) * 2003-03-22 2003-07-04 Knowledge Info Net Service Inc Method and system for controlling internet contents providing service using redirection method
US20050021980A1 (en) * 2003-06-23 2005-01-27 Yoichi Kanai Access control decision system, access control enforcing system, and security policy
US7831693B2 (en) * 2003-08-18 2010-11-09 Oracle America, Inc. Structured methodology and design patterns for web services
US20130212707A1 (en) * 2003-10-31 2013-08-15 James Donahue Document control system
US20100174826A1 (en) * 2003-12-23 2010-07-08 Anupam Sharma Information gathering system and method
DE602005015435D1 (en) * 2004-04-26 2009-08-27 Storewiz Inc METHOD AND SYSTEM FOR COMPRESSING FILES FOR STORING AND OPERATING ON COMPRESSED FILES
JP4827523B2 (en) * 2005-01-17 2011-11-30 キヤノン株式会社 Information processing apparatus, information processing method, and control program
US7526812B2 (en) * 2005-03-24 2009-04-28 Xerox Corporation Systems and methods for manipulating rights management data
US20060277229A1 (en) * 2005-05-31 2006-12-07 Michihiro Yoshida Document management server, information terminal, document managing method, and program
US20070179967A1 (en) * 2005-11-22 2007-08-02 Zhang Xiaoge G Intuitive and Dynamic File Retrieval Method and User Interface System
AU2006320203B2 (en) * 2005-12-02 2011-12-01 Citrix Systems, Inc. Method and apparatus for providing authentication credentials from a proxy server to a virtualized computing environment to access a remote resource
US7958101B1 (en) * 2006-01-03 2011-06-07 Emc Corporation Methods and apparatus for mounting a file system
EP1984866B1 (en) 2006-02-07 2011-11-02 Nextenders (India) Private Limited Document security management system
US7428306B2 (en) 2006-04-18 2008-09-23 International Business Machines Corporation Encryption apparatus and method for providing an encrypted file system
ES2694690T3 (en) * 2006-05-10 2018-12-26 Syngrafii Inc. System, method and computer program, to allow entry into transactions on a remote basis
US7613770B2 (en) * 2006-06-30 2009-11-03 Microsoft Corporation On-demand file transfers for mass P2P file sharing
JP2008243066A (en) * 2007-03-28 2008-10-09 Canon Inc Information processor and control method thereof
US7904484B2 (en) * 2007-11-30 2011-03-08 Red Hat, Inc. Incremental packaging
US20090150462A1 (en) * 2007-12-07 2009-06-11 Brocade Communications Systems, Inc. Data migration operations in a distributed file system
JP4645644B2 (en) * 2007-12-25 2011-03-09 富士ゼロックス株式会社 Security policy management device, security policy management system, and security policy management program
US8117225B1 (en) * 2008-01-18 2012-02-14 Boadin Technology, LLC Drill-down system, method, and computer program product for focusing a search
US8539229B2 (en) 2008-04-28 2013-09-17 Novell, Inc. Techniques for secure data management in a distributed environment
US20100064004A1 (en) * 2008-09-10 2010-03-11 International Business Machines Corporation Synchronizing documents by designating a local server
US9384295B2 (en) * 2009-01-22 2016-07-05 Adobe Systems Incorporated Method and apparatus for viewing collaborative documents
US20110035655A1 (en) * 2009-08-04 2011-02-10 Sap Ag Generating Forms Using One or More Transformation Rules
US8327434B2 (en) * 2009-08-14 2012-12-04 Novell, Inc. System and method for implementing a proxy authentication server to provide authentication for resources not located behind the proxy authentication server
US8732848B2 (en) * 2009-11-05 2014-05-20 Kyocera Document Solutions Inc. File-distribution apparatus and recording medium having file-distribution authorization program recorded therein
KR101279442B1 (en) * 2009-11-24 2013-06-26 삼성전자주식회사 Method of managing file in WevDAV embeded image forming apparatus and image forming system for performing thereof
US8838962B2 (en) * 2010-09-24 2014-09-16 Bryant Christopher Lee Securing locally stored Web-based database data
US20120131635A1 (en) 2010-11-23 2012-05-24 Afore Solutions Inc. Method and system for securing data
US8776190B1 (en) * 2010-11-29 2014-07-08 Amazon Technologies, Inc. Multifactor authentication for programmatic interfaces
US20120173881A1 (en) 2011-01-03 2012-07-05 Patient Always First Method & Apparatus for Remote Information Capture, Storage, and Retrieval

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110502909A (en) * 2019-08-06 2019-11-26 北京北信源软件股份有限公司 A kind of file encrypting method and device, a kind of file decryption method and device

Also Published As

Publication number Publication date
US20150113270A1 (en) 2015-04-23
US20120317414A1 (en) 2012-12-13
US20120317239A1 (en) 2012-12-13
US9070112B2 (en) 2015-06-30

Similar Documents

Publication Publication Date Title
AU2017204853B2 (en) Data security service
JP2018067941A (en) Federated key management
JP2018077893A (en) Policy enforcement with associated data
US9832016B2 (en) Methods, systems and computer program product for providing verification code recovery and remote authentication
US9536102B2 (en) Privacy-protective data transfer
US9882888B2 (en) Revocable shredding of security credentials
JP6542962B2 (en) Delayed data access
US9432346B2 (en) Protocol for controlling access to encryption keys
US10904014B2 (en) Encryption synchronization method
US9537864B2 (en) Encryption system using web browsers and untrusted web servers
JP2018160919A (en) Data security using request-supplied keys
US10567167B1 (en) Systems and methods for encryption and provision of information security using platform services
US10090998B2 (en) Multiple authority data security and access
ES2584057T3 (en) System and method of secure remote data storage
US9430211B2 (en) System and method for sharing information in a private ecosystem
EP2513804B1 (en) Trustworthy extensible markup language for trustworthy computing and data services
US20150169892A1 (en) Encryption-Based Data Access Management
EP2831803B1 (en) Systems and methods for secure third-party data storage
US8966287B2 (en) Systems and methods for secure third-party data storage
JP5639660B2 (en) Confirmable trust for data through the wrapper complex
US9224003B2 (en) Method for secure storing and sharing of a data file via a computer communication network and open cloud services
US8667267B1 (en) System and method for communicating with a key management system
US9584517B1 (en) Transforms within secure execution environments
US7454021B2 (en) Off-loading data re-encryption in encrypted data management systems
EP2396922B1 (en) Trusted cloud computing and services framework

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- INCOMPLETE APPLICATION (PRE-EXAMINATION)