US2017286699A1PendingUtilityA1

Methods and systems for enforcing, by a kernel driver, a usage restriction associated with encrypted data

52
Assignee: VIRTRU CORPPriority: Aug 28, 2014Filed: Jun 15, 2017Published: Oct 5, 2017
Est. expiryAug 28, 2034(~8.1 yrs left)· nominal 20-yr term from priority
G06F 2221/2107G06F 21/602H04L 63/0428G06F 2221/2141H04L 2463/101H04L 63/0892G06F 9/468G06F 21/6281
52
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method of providing a restricted set of application programming interfaces includes decrypting, by a secure object information reader executing on a computing device, an encrypted data object using information associated with the encrypted data object to generate a decrypted data object, the information received from an access control management system. The method includes intercepting, by a kernel driver executing on the computing device, from a process executing on the computing device, a request to access the decrypted data object. The method includes identifying, by the kernel driver, using the information associated with the encrypted data object, a usage requirement restricting a set of operations available to the process in accessing the decrypted data object. The method includes providing, by the kernel driver, to the process, a restricted set of application programming interfaces with which to interact with the decrypted data object, as permitted by the restricted set of operations.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of providing a restricted set of application programming interfaces comprising:
 decrypting, by a secure object information reader executing on a computing device, an encrypted data object using information associated with the encrypted data object to generate a decrypted data object, the information received from an access control management system;   intercepting, by a kernel driver executing on the computing device, from a process executing on the computing device, a request to access the decrypted data object;   retrieving, by the kernel driver, from the information received from the access control management system, a usage requirement restricting a set of operations available to the process in accessing the decrypted data object;   identifying, by the kernel driver, in the retrieved usage requirement, an operation a user of the computing device is authorized to execute; and   providing, by the kernel driver, to the process, a restricted set of application programming interfaces with which to interact with the decrypted data object, the restricted set including the authorized operation identified in the retrieved usage requirement.   
     
     
         2 . A method of providing a restricted set of application programming interfaces comprising:
 decrypting, by a secure object information reader executing on a computing device, an encrypted data object using information associated with the encrypted data object, the information received from an access control management system and including at least one usage restriction;   intercepting, by a kernel driver executing on the computing device, from a user of the computing device, a request to access the decrypted data object;   identifying, by the kernel driver, a process associated with the decrypted data object in a file type association mapping;   launching, by the kernel driver, the identified process on the computing device into a protected memory space;   intercepting, by the kernel driver, a request from the identified process for a type of access to the decrypted data object;   retrieving, by the kernel driver, from the information received from the access control management system, the at least one usage requirement;   identifying, by the kernel driver, in the retrieved at least one usage requirement, an operation a user of the computing device is authorized to execute;   determining, by the kernel driver, based on the identified authorized operation in the retrieved at least one usage requirement, that the at least one usage restriction permits the type of access requested; and   providing, by the kernel driver, to the process, an application programming interface with which to access the decrypted data object.   
     
     
         3 . A method of providing a restricted set of application programming interfaces comprising:
 decrypting, by a secure object information reader executing on a computing device, an encrypted data object using information associated with the encrypted data object, the information received from an access control management system and including at least one usage restriction;   intercepting, by a kernel driver executing on the computing device, from a user of the computing device, a request to access the decrypted data object;   identifying, by the kernel driver, a process associated with the decrypted data object in a file type association mapping;   launching, by the kernel driver, the identified process on the computing device into a protected memory space;   intercepting, by the kernel driver, a request from the identified process for a type of access to the decrypted data object;   retrieving, by the kernel driver, from the information received from the access control management system, the at least one usage requirement;   determining, by the kernel driver, using the retrieved at least one usage requirement, that the at least one usage restriction does not permit the type of access; and   rejecting, by the kernel driver, the process request for access.   
     
     
         4 . The method of  claim 3 , further comprising identifying, by the kernel driver, in the retrieved at least one usage requirement, an operation a user of the computing device is authorized to execute. 
     
     
         5 . The method of  claim 4 , further comprising providing, by the kernel driver, to the process, a restricted set of application programming interfaces with which to interact with the decrypted data object, the restricted set including the authorized operation identified in the retrieved usage requirement.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.