Systems and methods for secure handling of data

US9306737B2 · US · B2

Patent metadata
Publication number: US-9306737-B2
Application number: US-201213475082-A
Country: US
Kind code: B2
Filing date: May 18, 2012
Priority date: May 18, 2011
Publication date: Apr 5, 2016
Grant date: Apr 5, 2016

Abstract

Official abstract text for this publication.

The methods and systems described herein provide for secure implementation of external storage providers in an enterprise setting. Specifically, the present invention provides for allowing the secure use of processes that may transmit files to external storage providers or access files from an external storage provider. In some arrangements, a process, such as an untrusted process, may request access to a file. A security agent may intercept the request and encrypt the file. The file can then be transmitted to the external storage provider. A user may subsequently request access to the file. A security agent may intercept a message in connection with this request, determine whether the user is authorized to access the file, and decrypt the file.

First claim

Opening claim text (preview).

We claim:

1. A method, comprising: intercepting, by a first security agent executing on a first client computer, a message from a first process executing on the first client computer, wherein the message is addressed to an external storage provider, and wherein the message identifies a file; and responding to the intercepting by at least encrypting, by the first security agent, the file using a first encryption key, resulting in an encrypted file, encrypting, by the first security agent, the first encryption key with a shared key, resulting in an encrypted first encryption key, and causing storage of the encrypted file and the encrypted first encryption key to a location accessible to the first process.

2. The method of claim 1, further comprising: tagging the encrypted file with an audience class that specifies which requestors are authorized to access the file.

3. The method of claim 2, further comprising: intercepting, by a second security agent executing on a second client computer, a file access request that requests access to the file which was previously encrypted by the first security agent; determining that the file access request is authorized based on the audience class; decrypting, by the second security agent, the encrypted first encryption key with the shared key; and decrypting, by the second security agent, the encrypted file with the first encryption key.

4. The method of claim 1, further comprising: determining that the first process intends to perform at least one the following: synchronize the file to a network copy of the file, store a copy of the file to a network, or transmit a copy of the file via a network.

5. The method of claim 1, wherein causing storage of the encrypted file and the encrypted first encryption key to the location accessible to the first process includes causing storage of a tagged file to the location accessible to the first process, wherein the tagged file includes the encrypted file, the encrypted first encryption key, and an audience class identifier assigned to the encrypted file.

6. The method of claim 1, further comprising: using an access list to determine whether access to the file is authorized.

7. The method of claim 1, further comprising: adding an identifier for the file to an access list that lists one or more authorized files a requestor may access.

8. The method of claim 1, further comprising: obtaining the shared key from a centralized service in communication with the first security agent.

9. The method of claim 1, wherein the message is a file access request that requests access to the file that is being stored by the external storage provider, or the message is a file storage request that requests the file be stored by the external storage provider.

10. The method of claim 1, wherein the first process is an untrusted program.

11. An apparatus, comprising: one or more processors; and memory storing computer readable instructions configured to, when executed by the one or more processors, cause the apparatus to: intercept a message from a first process executing on a first client computer, wherein the message is addressed to an external storage provider, and wherein the message identifies a file; and respond to the intercept by at least encrypting the file using a first encryption key, resulting in an encrypted file, encrypting the first encryption key with a shared key, resulting in an encrypted first encryption key, and causing storage of the encrypted file and the encrypted first encryption key to a location accessible to the first process.

12. The apparatus of claim 11, wherein the computer readable instructions are configured to, when executed by the one or more processors, cause the apparatus to: tag the encrypted file with an audience class that specifies which requestors are authorized to access the file.

13. The apparatus of claim 11, wherein the computer readable instructions are configured to, when executed by the one or more processors, cause the apparatus to: determine that the first process intends to perform at least one the following: synchronize the file to a network copy of the file, store a copy of the file to a network, or transmit a copy of the file via a network.

14. The apparatus of claim 11, wherein causing the apparatus to cause storage of the encrypted file and the encrypted first encryption key to the location accessible to the first process comprises causing the apparatus to cause storage of a tagged file to the location accessible to the first process, wherein the tagged file includes the encrypted file, the encrypted first encryption key, and an audience class identifier assigned to the encrypted file.

15. The apparatus of claim 11, wherein the computer readable instructions are configured to, when executed by the one or more processors, cause the apparatus to: use an access list to determine whether access to the file is authorized.

16. The apparatus of claim 11, wherein the computer readable instructions are configured to, when executed by the one or more processors, cause the apparatus to: add an identifier for the file to an access list that lists one or more authorized files a requestor may access.

17. The apparatus of claim 11, wherein the computer readable instructions are configured to, when executed by the one or more processors, cause the apparatus to: obtain the shared key from a centralized service in communication with the apparatus.

18. The apparatus of claim 11, wherein the message is a file access request that requests access to the file that is being stored by the external storage provider, or the message is a file storage request that requests the file be stored by the external storage provider.

19. A method, comprising: intercepting, by a first security agent executing on a first client computer, a file storage request from a first program executing on the first client computer, wherein the file storage request is addressed to an external storage provider in communication with the first program, and wherein the file storage request requests the external storage provider store a file; encrypting, by the first security agent, the file using a first encryption key, resulting in an encrypted file; and causing storage of the encrypted file and an encrypted version of the first encryption key to the external storage provider.

20. The method of claim 19, further comprising: assigning a location for mounting a virtual disk volume, resulting in an assigned mount location; mounting the virtual disk volume to the assigned mount location; providing access to the encrypted file using the virtual disk volume; intercepting a request to access the encrypted file via the virtual disk volume; retrieving the encrypted file from the external storage provider; and decrypting the encrypted file.
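The flow in claims 1, 2, 3 and 5 (per-file key, key wrapped under a shared key, tagged file carrying an audience class) can be sketched as follows. This is an added example, not code from the patent or its assignee; AES-256-GCM, the function names and the sample data are assumptions, and binding the audience class as associated data is this example's own choice so that an edited tag fails decryption.

```javascript
const crypto = require('crypto');

// AES-256-GCM helper (assumed cipher): returns iv || tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Inverse of seal(); final() throws if key, blob or aad do not match.
function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// First agent (claims 1, 2, 5): fresh file key, wrapped under the shared key.
function protectFile(sharedKey, fileBytes, audienceClass) {
  const aad = Buffer.from(audienceClass, 'utf8');
  const fileKey = crypto.randomBytes(32);
  return {
    audienceClass,
    encryptedKey: seal(sharedKey, fileKey, aad),
    encryptedFile: seal(fileKey, fileBytes, aad),
  };
}

// Second agent (claim 3): authorize on the audience class, unwrap, decrypt.
function accessFile(sharedKey, tagged, requestorClasses) {
  if (!requestorClasses.includes(tagged.audienceClass)) {
    throw new Error('requestor not authorized for audience class');
  }
  const aad = Buffer.from(tagged.audienceClass, 'utf8');
  const fileKey = unseal(sharedKey, tagged.encryptedKey, aad);
  return unseal(fileKey, tagged.encryptedFile, aad);
}

// Constructed sample data; sharedKey stands in for the key that claim 8
// obtains from a centralized service.
const sharedKey = crypto.randomBytes(32);
const tagged = protectFile(sharedKey, Buffer.from('Q3 forecast'), 'finance');
console.log(accessFile(sharedKey, tagged, ['finance']).toString());
```

Because the tag is authenticated, relabelling a stored file from `finance` to another class makes both unwrap and decrypt fail instead of widening access.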

Classifications

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

  • involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

  • H04L9/0822 (Primary): using key encryption key

  • Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068)

  • by registering files or documents with a third party

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Hayton Richard, Innes Andrew, Citrix Systems Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0822. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 5, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).