WO1996000942A1 - File encryption scheme - Google Patents

File encryption scheme Download PDF

Info

Publication number
WO1996000942A1
WO1996000942A1 PCT/US1995/006329 US9506329W WO9600942A1 WO 1996000942 A1 WO1996000942 A1 WO 1996000942A1 US 9506329 W US9506329 W US 9506329W WO 9600942 A1 WO9600942 A1 WO 9600942A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
data
computer
encrypted
storage device
Prior art date
Application number
PCT/US1995/006329
Other languages
English (en)
French (fr)
Inventor
Diane E. Georgiades
Neal E. Taylor
Original Assignee
Hughes Aircraft Company
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hughes Aircraft Company filed Critical Hughes Aircraft Company
Priority to JP8503140A priority Critical patent/JPH08509087A/ja
Priority to KR1019960701005A priority patent/KR960705275A/ko
Priority to EP95920547A priority patent/EP0715734A1/en
Priority to AU25967/95A priority patent/AU2596795A/en
Priority to CA002165649A priority patent/CA2165649C/en
Publication of WO1996000942A1 publication Critical patent/WO1996000942A1/en
Priority to NO960817A priority patent/NO960817L/no

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory

Definitions

  • the disclosed invention is generally directed to computer security systems, and more particularly to a computer system that wherein files stored on a data storage device are individually encrypted.
  • a commonly utilized element of computer security is encryption whereby information is encrypted in accordance with a predetermined "key" and decryption requires knowledge of the key.
  • a computer disk drive can be encrypted to make access to the information contained on the drive more difficult.
  • data communicated between computer systems can be encrypted so that the communication would be more difficult to understand if intercepted.
  • a consideration with known techniques of encryption at the communication level includes degraded performance due to the need for encryption of the information to be trans ⁇ mitted. Further, to the extent that the received informa- tion is to be stored on an encrypted data storage device, all of the information stored on the device including the received information would have to be encrypted, after the contents of the data storage device and the received information are initially decrypted.
  • a computer data storage system that includes a data storage device, and a processor for encrypting file data to produce encrypted file data and writing the en ⁇ crypted file data to a computer file on the data storage device, wherein the computer file includes a file informa ⁇ tion header that contains information indicating that the computer file contains encrypted file data.
  • the processor further reads and decrypts the encrypted file data.
  • FIG. 1 is a schematic block diagram of a computer system in which file encryption in accordance with the invention can be implemented.
  • FIG. 2 is a schematic depiction of the logical organi ⁇ zation of an encrypted computer file in accordance with the invention.
  • FIG. 3 is a simplified flow diagram that schematically depicts the logic flow of an illustrative example of file encryption in accordance with the invention.
  • FIG. 1 schematically depicted therein by way of illustrative example is an overall block diagram of a computer hardware system in which file encryp- tion in the invention can be implemented.
  • the system
  • includes a central processor unit 11 which performs general digital operations for the computer system and a primary storage memory 13 which stores data and programs including processes which when executed by the central processor unit 11 implement file encryption in accordance with the inven ⁇ tion.
  • the primary storage memory 13 can include in accordance with conventional techniques random access memory as well as read only memory.
  • the computer system further includes peripheral devices 15 such as a display 15a, a keyboard 15b, a data storage device 15c, a printer 15d, and a modem 15e.
  • a data bus 17 provides for communication between the processor, the primary storage memory, and the peripheral devices.
  • a computer file is stored on the data storage device 15c in encrypted form wherein encryption is performed at the file level such that encryption and decryption are performed on a file by file basis.
  • an encrypt ⁇ ed computer file is stored in a logical form of encrypted file data 51 (e.g., programs and user data) and a non- encrypted file header 53.
  • the file header 53 includes file control information such as operating system type 55 and a pointer 57 that points to the encryption key for the encrypted file data or one or more other pointers to the encryption key for the encrypted file data.
  • the file data 51 contains user information such as a program or data, and can also contain further control information such as security access control labels.
  • FIG. 3 set forth therein is a schematic flow diagram of the logic flow of an illustrative example of a file encryption procedure in accordance with the invention.
  • the procedure of FIG. 3 is implemented by execution of one or more appropriately configured programs by the central processor unit 11 of FIG. 1.
  • an application program makes a file operation call to the operating system utilized in the computer system of FIG. 1, and at 113 the file operation call is intercepted.
  • a file operation call is typically a call to an operating system routine that performs a conventional file operation such as create, open, read, write, and close.
  • intercept mecha ⁇ nism Techniques for interception of operating system calls are well known in the art, and the particular nature of the intercept mecha ⁇ nism will depend on the particular operating system with which the invention is implemented, and can involve, for example, redirecting file operation calls to routines of the invention.
  • a file information header for the file is written on the data storage device in the data blocks allocated for the file, and at 121 control returns to the calling application program.
  • the term "normal" in the context of a file operation routine refers to a standard or built-in routine contained in a computer operating system for performing operations associated with or requested by a file operation call. If the determination at 115 is no, at 123 a determina ⁇ tion is made as to whether the application program making the intercepted file operation call is exempt from the need to decrypt the file that is the subject of the intercepted file operation call. For example, a file copy program or a file transfer program can operate on files without decryption.
  • exempt applications would include electronic mail applications, back-up applications, and an application that implements the subject invention. If the determination at 123 is yes, at 125 a call is made to the normal file operation routine that would have been called if the intercepted file operation call had not been intercepted.
  • the file information header for the file that is the subject of the intercepted file operation call is read.
  • a determi- nation is made as to whether the intercepted file operation call is a write to file. If yes, at 131 the file data to be stored is encrypted to form encrypted file data, and the encrypted file data is written to the data storage device.
  • file data can include file control labels as well as user data such as a program or data.
  • the encryption and write operations are performed, for example, by encrypting the file data one portion at a time, buffering each encrypted file data portion in a file buffer, which can be contained in the memory 13 of FIG. 1, and calling the normal write to file routine to write the buffered encrypted file data portion to the data storage device.
  • a deter ina- tion is made as to whether the intercepted file operation call is a read. If yes, at 129 the file that is the subject of the intercepted file operation call is read and decrypted.
  • the reading and decryption of the file can be achieved, for example, by calling the normal read file routine to read the encrypted file data into a file buffer, which can be contained in the memory 13 of FIG. 1, and then decrypting the buffered encrypted file data to produce decrypted file data.
  • the encrypted file data is read into the file buffer one portion at a time, wherein the portion read is of a fixed size.
  • control returns to the application program that made the intercept ⁇ ed file operation call.
  • control is trans ⁇ ferred to the normal file operation routine that would have been called had the intercepted file operation call not been intercepted.
  • the foregoing procedure essentially intercepts each file operation call and determines whether operations related to encryption and decryption of a file that is the subject of the file operation call are required. If not, the normal file operation routine that would have been invoked by the intercepted file operation call is invoked. If operations related to encryption and decryption are required, the procedure of the invention performs such operations which include encrypting file to be written to the data storage device, invoking the normal file operation routine to write encrypted file data to the data storage device, invoking the normal file routine to read the encrypted file data from the data storage device, and decrypting the encrypted file data read from the data storage device.
  • a determina ⁇ tion is made as to whether the existing file is encrypted, which can be determined, for example, from a catalog or directory record if a provision is made to include encryp- tion status in the catalog or directory record, or alterna ⁇ tively, the file can be read to determine whether it includes a file information header as described above relative to FIG. 1. If the existing file is not encrypted, the normal file operation is invoked by a call to the file operation routine that would have been called had the intercepted file operation call not been intercepted.
  • the foregoing has been a disclosure of a computer file encryption scheme that encrypts files on a file by file basis, which advantageously allows files to be individually encrypted and decrypted without the need to encrypt and decrypt the entire contents of a data storage device, and without intervention by the user.
  • the encryption scheme of the invention allows different files on the same storage device to have different encryption keys, which provides for increased security and reduces the amount of informa ⁇ tion that becomes vulnerable should an encryption key become inappropriately known. Also, only selected computer files are decrypted at any given time, which maintains the security of the remaining files.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Optical Communication System (AREA)
  • Engine Equipment That Uses Special Cycles (AREA)
  • Gyroscopes (AREA)
PCT/US1995/006329 1994-06-30 1995-05-19 File encryption scheme WO1996000942A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
JP8503140A JPH08509087A (ja) 1994-06-30 1995-05-19 ファイル暗号構造
KR1019960701005A KR960705275A (ko) 1994-06-30 1995-05-19 컴퓨터 데이타 저장 시스템 및 저장 방법(File Encryption Scheme)
EP95920547A EP0715734A1 (en) 1994-06-30 1995-05-19 File encryption scheme
AU25967/95A AU2596795A (en) 1994-06-30 1995-05-19 File encryption scheme
CA002165649A CA2165649C (en) 1994-06-30 1995-05-19 File encryption scheme
NO960817A NO960817L (no) 1994-06-30 1996-02-28 Filkrypteringsskjema

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US26869594A 1994-06-30 1994-06-30
US268,695 1994-06-30

Publications (1)

Publication Number Publication Date
WO1996000942A1 true WO1996000942A1 (en) 1996-01-11

Family

ID=23024080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1995/006329 WO1996000942A1 (en) 1994-06-30 1995-05-19 File encryption scheme

Country Status (7)

Country Link
EP (1) EP0715734A1 (ko)
JP (1) JPH08509087A (ko)
KR (1) KR960705275A (ko)
AU (1) AU2596795A (ko)
CA (1) CA2165649C (ko)
NO (1) NO960817L (ko)
WO (1) WO1996000942A1 (ko)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6158004A (en) * 1997-06-10 2000-12-05 Mitsubishi Denki Kabushiki Kaisha Information storage medium and security method thereof
KR100820971B1 (ko) * 2001-10-11 2008-04-10 엘지전자 주식회사 압축 오디오 파일에서의 암호화 해독 키 기록 및 재생방법
US9081982B2 (en) 2011-04-18 2015-07-14 Raytheon Company Authorized data access based on the rights of a user and a location

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102523794B1 (ko) * 2020-11-17 2023-04-21 주식회사 한글과컴퓨터 전자 문서에 삽입된 테이블에 대한 트리 구조 목록화를 지원하는 전자 장치 및 그 동작 방법

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4757533A (en) * 1985-09-11 1988-07-12 Computer Security Corporation Security system for microcomputers
US4864616A (en) * 1987-10-15 1989-09-05 Micronyx, Inc. Cryptographic labeling of electronically stored data

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4757533A (en) * 1985-09-11 1988-07-12 Computer Security Corporation Security system for microcomputers
US4864616A (en) * 1987-10-15 1989-09-05 Micronyx, Inc. Cryptographic labeling of electronically stored data

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6158004A (en) * 1997-06-10 2000-12-05 Mitsubishi Denki Kabushiki Kaisha Information storage medium and security method thereof
KR100820971B1 (ko) * 2001-10-11 2008-04-10 엘지전자 주식회사 압축 오디오 파일에서의 암호화 해독 키 기록 및 재생방법
US9081982B2 (en) 2011-04-18 2015-07-14 Raytheon Company Authorized data access based on the rights of a user and a location

Also Published As

Publication number Publication date
NO960817D0 (no) 1996-02-28
CA2165649C (en) 1999-11-02
EP0715734A1 (en) 1996-06-12
JPH08509087A (ja) 1996-09-24
KR960705275A (ko) 1996-10-09
NO960817L (no) 1996-04-18
CA2165649A1 (en) 1995-12-31
AU2596795A (en) 1996-01-25

Similar Documents

Publication Publication Date Title
US5748744A (en) Secure mass storage system for computers
US6895506B1 (en) Secure storage and execution of processor control programs by encryption and a program loader/decryption mechanism
US6378071B1 (en) File access system for efficiently accessing a file having encrypted data within a storage device
US7536524B2 (en) Method and system for providing restricted access to a storage medium
US6185686B1 (en) Computer system and process for accessing an encrypted and self-decrypting digital information product while restricting access to decrypted digital information
US7293173B2 (en) Methods and systems for protecting information in paging operating systems
JP5175856B2 (ja) セキュアデバイス・システムにおけるフラッシュメモリ・ブロックの保護と方法
US20060117178A1 (en) Information leakage prevention method and apparatus and program for the same
US7596695B2 (en) Application-based data encryption system and method thereof
EP0297347A2 (en) Method to prevent use of incorrect program version in a computer system
US20100228937A1 (en) System and method for controlling exit of saved data from security zone
US20020194389A1 (en) Secure machine platform that interfaces to operating systems and customized control programs
US20030163718A1 (en) Tamper resistant software-mass data encoding
US20030037248A1 (en) Crypto-pointers for secure data storage
US9152813B2 (en) Transparent real-time access to encrypted non-relational data
KR950029930A (ko) 화일 액세스 보안유지 방법 및 장치
WO1998011690A9 (en) Self-decrypting digital information system and method
WO2001025932A1 (en) Back-channeling in a memory vault system
WO2005081115A1 (en) Application-based access control system and method using virtual disk
US20090222500A1 (en) Information storage device and method capable of hiding confidential files
KR101120779B1 (ko) 시스템 페이징 파일의 암호화
CN114611123B (zh) 一种文件透明加解密方法和系统
WO2024045407A1 (zh) 虚拟磁盘安全存储方法
US20040003275A1 (en) Information storage apparatus, information processing system, specific number generating method and specific number generating program
CA2165649C (en) File encryption scheme

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 2165649

Country of ref document: CA

AK Designated states

Kind code of ref document: A1

Designated state(s): AU CA JP KR NO

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE

WWE Wipo information: entry into national phase

Ref document number: 1995920547

Country of ref document: EP

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWP Wipo information: published in national office

Ref document number: 1995920547

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 1995920547

Country of ref document: EP