Blackout, Inc. Patent applications |
Patent application number | Title | Published |
20090106552 | RIGHTS MANAGEMENT SERVICES-BASED FILE ENCRYPTION SYSTEM AND METHOD - A method to leverage Windows Rights Management Services (RMS) to provide protection and sharing of encryption keys to file systems. Windows Rights Management Services (RMS) that enables users to share protected content without having to exchange encryption certificates or passwords. Using the method any EFS can be extended to protect its FEKs and assign it user access rights using RMS. This enables EFSs to delegate key sharing, management and recovery to the RMS system. User rights to FEKs are derived from files security descriptor information or as explicitly specified by users. Whenever an encrypted file is created its FEK is protected using RMS and the resulting byte stream is stored in the file encryption metadata information. When a user tries to access an encrypted file and doesn't have a private key to decrypt the FEK, the EFS transparently extracts the RMS protected byte stream from the file encryption metadata information. It then uses RMS to try and obtain access to the FEK stored in the bytes stream using the user security context. If the user is authorized access and the FEK is successfully obtained then EFS is able to decrypt the file data and the user is granted access. The FEK is protected with the user master key, encryption certificate or password and cached in the system protected non-page memory or local stable storage. This enables the system to reuse the FEK for the user on the next file access. If the user doesn't hold rights to extract the FEK then the user is denied access. | 04-23-2009 |
20090106550 | EXTENDING ENCRYPTING WEB SERVICE - A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval. | 04-23-2009 |
20090106549 | METHOD AND SYSTEM FOR EXTENDING ENCRYPTING FILE SYSTEM - Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after it was created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred enroute and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file. | 04-23-2009 |