US2013124861A1PendingUtilityA1

Shielding a sensitive file

40
Assignee: CHINEN MITSURUPriority: Nov 28, 2008Filed: May 7, 2012Published: May 16, 2013
Est. expiryNov 28, 2028(~2.4 yrs left)· nominal 20-yr term from priority
G06F 21/577H04L 9/0897G06F 21/6209H04L 9/32
40
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An apparatus for shielding a sensitive file includes a client computer having various units. An encryption-decryption unit performs a cryptographic operation on the sensitive file with a cryptographic key, which corresponds to the encryption key ID. An encryption key ID is associated with the sensitive file. A key storing unit stores the cryptographic key. A compliance requirements storing unit stores security compliance requirements from the server computer, which define a plurality of compliant operating conditions of the client computer. A security requirements monitoring unit determines whether the client computer complies with the security compliance requirements in response to a file access instruction for the sensitive file by application software, and passes the cryptographic key from the key storing unit to the encryption-decryption unit in response to a determination that the client computer complies with the security compliance requirements.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . An apparatus for shielding a sensitive file, the apparatus comprising:
 a client computer configured to store the sensitive file and to connect to a server computer, wherein the client computer comprises:
 an encryption-decryption unit configured to perform a cryptographic operation on the sensitive file with a cryptographic key, wherein an encryption key ID is associated with the sensitive file, and the cryptographic key corresponds to the encryption key ID; 
 a key storing unit configured to store the cryptographic key; 
 a compliance requirements storing unit configured to store security compliance requirements from the server computer, wherein the security compliance requirements define a plurality of compliant operating conditions of the client computer; and 
 a security requirements monitoring unit configured to determine whether the client computer complies with the security compliance requirements in response to a file access instruction for the sensitive file by application software, wherein the security requirements monitoring unit is further configured to pass the cryptographic key from the key storing unit to the encryption-decryption unit in response to a determination that the client computer complies with the security compliance requirements. 
   
     
     
         2 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to:
 communicate with the server computer at a predetermined time,   request the server computer to verify user information of the client computer and a version of the security compliance requirements, and   receive the encryption key and the decryption key corresponding to the latest version of the security compliance requirements and the encryption key ID corresponding to the encryption key and the decryption key from the server computer in response to a determination that the user information is successfully verified on the server computer and a latest version of the security compliance requirements stored in the client computer matches an indicated version of the security compliance requirements from the server computer.   
     
     
         3 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to lock the key storing unit in response to a determination that the client computer is not connected to the server computer. 
     
     
         4 . The apparatus according to  claim 3 , wherein the security requirements monitoring unit is further configured to unlock the key storing unit in response to a determination that the client computer is disconnected from a network associated with the server computer. 
     
     
         5 . The apparatus according to  claim 3 , wherein the security requirements monitoring unit is further configured to
 request the server computer to verify user information of the client computer and the version of the security compliance requirements, and   unlock the key storing unit in response to a determination that the user information and the version are successfully verified.   
     
     
         6 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to delete the key stored in the key storing unit in response to a determination that the client computer does not comply with the security compliance requirements. 
     
     
         7 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to delete the key stored in the key storing unit in response to a determination that the security compliance requirements are not stored in the compliance requirements storing unit. 
     
     
         8 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is configured to delete the key stored in said the key storing unit in response to reception of a warning from security software. 
     
     
         9 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to:
 send an instruction to the server computer to request a decryption key, user information, and the encryption key ID corresponding to the decryption key in response to a determination that the decryption key is not in the key storing unit,   receive from the server computer the decryption key corresponding to the encryption key ID, and   pass the received decryption key to said encryption-decryption unit.   
     
     
         10 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to notify the encryption-decryption unit that the key cannot be obtained in response to a determination that the key is not in the key storing unit. 
     
     
         11 . The apparatus according to  claim 1 , wherein the security requirements monitoring unit is further configured to determine whether the client computer complies with the security compliance requirements by a predetermined cycle. 
     
     
         12 . The apparatus according to  claim 1 , wherein the encryption-decryption unit is further configured to:
 access the sensitive file, wherein the sensitive file is encrypted with an encryption key, and a decryption key corresponds to the encryption key;   obtain the encryption key ID from the sensitive file;   pass the encryption key ID to the security requirements monitoring unit; and   decrypt the encrypted sensitive file with the decryption key passed from the security requirements monitoring unit.   
     
     
         13 . The apparatus according to  claim 1 , wherein the encryption-decryption unit is further configured to:
 encrypt the sensitive file with the key passed from the security requirements monitoring unit, wherein the key comprises an encryption key; and   embed the encryption key ID corresponding to the encryption key in the encrypted sensitive file.   
     
     
         14 . The apparatus according to  claim 1 , wherein compliance of the security compliance requirements includes at least one of:
 no threat being reported by the security software;   a boot password for the client computer being set; or   an idle time screen lock being set.   
     
     
         15 . A server computer that can connect to the client computer according to  claim 1 , wherein the server computer comprises:
 an access authority storing unit configured to store access authority information of a user of the client computer;   a server side compliance requirements storing unit configured to store security compliance requirements to be sent to the client computer;   an encryption key-decryption key storing unit configured to store a record including an encryption key, a decryption key corresponding to the encryption key, an encryption key ID corresponding to the encryption key and the decryption key, and a version of security compliance requirements; and   a security verifying unit configured to:
 compare user information sent from the client computer to access authority information stored in the access authority storing unit in response to reception of a request from the client computer to verify the user information, and 
 compare the version of the security compliance requirements sent from the computer to a latest version that is stored in the security requirements storing unit. 
   
     
     
         16 . The server computer according to  claim 15 , wherein the encryption key-decryption key creating unit is further configured to add a record including the encryption key, the decryption key corresponding to the encryption key, the encryption key ID corresponding to the encryption key and the decryption key, and an updated version of the security compliance requirements to the encryption key-decryption key storing unit at each time when the security compliance requirements are updated. 
     
     
         17 . The server computer according to  claim 15 , wherein security verifying unit is further configured to send the encryption key, the decryption key, the encryption key ID corresponding to the encryption key and the decryption key which correspond to the latest version of the security compliance requirements, and the latest version of the security compliance requirements to the client computer in response to a determination that the version of the security compliance requirements sent from the client computer matches the latest version that is stored in said security compliance requirements storing unit. 
     
     
         18 . The server computer according to  claim 15 , wherein the security verifying unit is further configured to:
 match the user information that is sent with a request to send the decryption key with the access authority that is stored in said access authority storing unit in response to reception of the request from the apparatus, and   send the decryption key, and the encryption key ID corresponding to the encryption key and the decryption key to the client computer in response to a determination that the user information matches the access authority.   
     
     
         19 . A method for shielding a sensitive file on an client computer that can connect to a server computer via a network, the method comprising:
 determining whether the client computer complies with security compliance requirements sent from the server computer in response to a file access instruction for the sensitive file by application software, wherein the security compliance requirements are stored in a compliance requirements storing unit, and the security compliance requirements define a plurality of compliant operating conditions of the client computer;   passing a cryptographic key from a key storing unit to an encryption-decryption unit in response to a determination that the client computer complies with the security compliance requirements; and   executing the file access instruction.   
     
     
         20 . The method according to  claim 19 , further comprising
 deleting the key stored in the key storing unit in response to a determination that the client computer does not comply with the security compliance requirements, that the security compliance requirements are not stored at the client computer, or that a warning is received from security software.   
     
     
         21 . The method according to  claim 19 , further comprising:
 sending to the server computer an instruction to request a decryption key, user information, an encryption key ID corresponding to the decryption key in response to a determination that the decryption key is not stored at the client computer; and   decrypting the sensitive file with the received decryption key.   
     
     
         22 . A method for shielding a sensitive file on an client computer that can connect to a server computer via a network, the method comprising:
 determining whether the client computer complies with security compliance requirements sent from the server computer in response to a file access instruction for the sensitive file by application software, wherein the security compliance requirements are stored in a compliance requirements storing unit, and the security compliance requirements define a plurality of compliant operating conditions of the client computer;   passing a cryptographic key from a key storing unit to an encryption-decryption unit in response to a determination that the client computer complies with the security compliance requirements;   executing the file access instruction;   deleting the key stored in the key storing unit in response to a determination that the client computer does not comply with the security compliance requirements, that the security compliance requirements are not stored at the client computer, or that a warning is received from security software; and   requesting the server computer to send the security compliance requirements.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.