
Encryption proxy for web file store and share service

IP.com Disclosure Number: IPCOM000189478D
Original Publication Date: 2009-Nov-10
Included in the Prior Art Database: 2009-Nov-10
Document File: 3 page(s) / 84K

Publishing Venue

IBM

Abstract

Disclosed is a system for separating out encryption logic from a file service offering and providing it as a configurable proxy between the user and that service. Being configurable, the system allows the use of any encryption provider or any encryption protocol and performs encryption, decryption or key management operations transparently to the file storage service, freeing that service from needing to understand encryption details.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 48% of the total text.


The encryption proxy will work as a transparent proxy between the user and insecure file storage. The proxy would understand the specifics of the file storage service (or of multiple ones), and intercept and modify requests with (or without) the user's interaction.

The process for configuring and using the proxy will be:

1. The proxy can be configured to intercept requests to a file sharing application. The proxy could be inside a company firewall or reside in the cloud.
2. The file sharing application implements a set of operations. The proxy can be configured to understand those operations, e.g. upload, download and share.
3. The proxy can be configured with one or more encryption protocols to be applied to intercepted files, for example password-based encryption, or more advanced key management such as IBE or classic PKI.
4. The proxy can be configured to work with different encryption providers or DRM (Digital Rights Management) systems based on some properties of the operation.

This is particularly useful in a SaaS environment where a customer may want to choose their own third-party or in-house encryption provider while still utilizing the SaaS file sharing service and enabling collaboration across organizational boundaries.
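
The configuration steps above, as an added Python example that is not part of the original disclosure: the proxy intercepts upload and download, selects an encryption provider from properties of the operation, and the file store only ever receives ciphertext. The class names, the `folder` property and the dict standing in for the file store are assumptions; the password-based provider is a standard-library stand-in (PBKDF2 plus an HMAC-SHA256 keystream with encrypt-then-MAC) where a deployment would plug in a vetted AEAD or key-management provider.

```python
import hashlib, hmac, os

class PasswordProvider:
    """Password-based provider (hypothetical name). Stdlib-only stand-in cipher:
    per-file salt, PBKDF2 keys, HMAC-SHA256 counter keystream, encrypt-then-MAC."""
    def __init__(self, password: bytes):
        self.password = password

    def _keys(self, salt):
        k = hashlib.pbkdf2_hmac("sha256", self.password, salt, 200_000, dklen=64)
        return k[:32], k[32:]          # encryption key, MAC key

    def _xor(self, key, data):
        stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext):
        salt = os.urandom(16)          # fresh salt gives fresh keys for every file
        ek, mk = self._keys(salt)
        body = salt + self._xor(ek, plaintext)
        return body + hmac.new(mk, body, "sha256").digest()

    def decrypt(self, blob):
        body, tag = blob[:-32], blob[-32:]
        ek, mk = self._keys(body[:16])
        if not hmac.compare_digest(tag, hmac.new(mk, body, "sha256").digest()):
            raise ValueError("ciphertext rejected: wrong key or modified in storage")
        return self._xor(ek, body[16:])

class EncryptionProxy:
    """Sits between the user and the file store; the store sees ciphertext only."""
    def __init__(self, store, rules, default):
        self.store, self.rules, self.default = store, rules, default

    def _provider(self, props):        # choose a provider from operation properties
        for match, provider in self.rules:
            if all(props.get(k) == v for k, v in match.items()):
                return provider
        return self.default

    def upload(self, name, data, **props):
        self.store[name] = self._provider(props).encrypt(data)

    def download(self, name, **props):
        return self._provider(props).decrypt(self.store[name])
```

Because the integrity tag is checked before decryption, a file altered by the storage service, or fetched through a rule that maps to a different provider, is rejected instead of being returned as corrupted plaintext.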

Location of the proxy

The encryption proxy can be placed in multiple locations. Three are suggested (but placement is not limited to these):


1. User's system


In this approach, the encryption proxy is deployed on the user's desktop. This approach can be suitable for a single user who uses encryption just for their own data that is not shared. The user can easily communicate with the proxy through application dialogues and provide encryption passwords or keys. This approach may also work in larger organizations where a central key server (deployed within the organization's boundaries or in the cloud) is used by proxies installed on organization members' systems. In this approach, the plaintext file never leaves the user's system.

2. Organization infrastructure


The proxy can be deployed as on-premises software, as an element of the organization's infrastructure. Multiple organization members can use the proxy transparently, as the network infrastructure can route traffic between the user's machine and the file sharing service through the proxy. The company administrator can configure which file storage services and which encryption protocols the proxy will operate with. In this approach, files will be sent in plain text between the user's machine and the proxy. Depending on the requirements, this communication should be done in a way that assures file confidentiality. This can be achieved by securing the medium itself or by introducing transport layer encryption such as SSL.

3. Cloud


This approach assumes that the proxy would be deployed as another third-party service. Cryptographic operations on...