A System and Method for Automating Records Declaration of Encrypted Documents
Publication Date: 2014-Mar-17
The IP.com Prior Art Database
Many government agencies would like to implement automated records collection and declaration. However, encrypted documents cannot be collected automatically: today the user must go through many manual steps to decrypt and save each document for records declaration, and most organizations do not have the resources for this. The result is that encrypted documents are excluded from records management, contrary to statutory requirement, and this affects a growing portion of email in the federal space. This idea reduces the user action needed to save a decrypted document for the purpose of records management. In a nutshell, it takes advantage of the constraint that PKI-encrypted content (e.g. email) can be decrypted only by the intended recipient, who holds the private key, at the client workstation. When the intended recipient decrypts the content (to read it), this method offers the recipient a choice to save the decrypted copy to the content server (e.g. the email server), where content-collecting tools collect the copy and declare it as a record in the Records Management Application (RMA).
One key obstacle preventing government agencies from rolling out records management as required by U.S. Public Law is the amount of manual effort required of the business user to declare records. This manual labor is particularly burdensome when declaring PKI-encrypted emails as records.
PKI encryption protects the confidentiality of official documents (e.g. email) at rest and in transit over the network. It is a hybrid scheme: the document itself is encrypted with a one-time symmetric key, and only that key is encrypted with the recipient's public key. The encryption/decryption process follows these steps:
1. The source computer (SC) generates a one-time secret key (SK)
2. SC encrypts the content of the document (Doc) using symmetric encryption algorithm with SK
3. SC encrypts SK using asymmetric encryption algorithm with the PKI Public Key (PK) of the intended Recipient (RC), packaging the encrypted SK with the encrypted Doc
4. RC receives encrypted Doc, decrypts SK using RC's PKI Private Key (PV), then decrypts Doc using SK
Since only the intended recipient has access to the Private Key, no one else can decrypt the document, including any application that collects and automatically declares documents as records into a Records Management Application (RMA).
For records management, records professionals other than the original intended recipient need to have full access to the document in RMA (now known as a record). For this reason, Records Management Policies typically require that encrypted documents be decrypted prior to being declared as a record in the RMA.
To enable an application to declare PKI-encrypted emails as records from the email server, this invention proposes that a Client Record Indicator (CRI) plug-in be included with the email client. The CRI takes advantage of the fact that encrypted documents are already decrypted in memory when viewed on the client computer today: it re-encrypts that clear text with the email server's public key (for in-transit protection) and saves it over the network back to the email server. The email server decrypts this CRI-indicated email and stores it in the original email folder. The record-declaring application then declares the email as a record into the RMA.
Fig. 1: Invention context - Declaring Encrypted Emails as Records. RMA stands for Records Management Application.
Fig. 2: Invention details
The CRI requires at most one click on the part of the intended email recipient, thus eliminating the major complaint that records management burdens the already overloaded business user.
Configuration 1: One-click. A "Save for Records" button re-encrypts the decrypted document using the email server's public key for transmission to and storage on the server. Specifically, the client generates a new one-time secret key, encrypts the clear-text content in memory with that secret key, then encrypts the secret key with the email server's public key. This encrypted copy (the encrypted email body together with the encrypted secret key) is transmitted to and stored on the machine tha...
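Steps 1-4 of the PKI process and the CRI re-encryption of Configuration 1 are the same hybrid construction applied with two different public keys (the recipient's, then the email server's). The Go program below is an added example, not code from the disclosure, that runs the whole path of Fig. 1 and Fig. 2 end to end: the source computer seals Doc for RC, RC opens it, the "Save for Records" step re-seals the in-memory clear text for the server with a fresh one-time key, and the server opens that copy. It also checks the property the text relies on, namely that the server cannot open the original envelope with its own key. AES-256-GCM, RSA-OAEP with SHA-256 and 2048-bit RSA keys are this example's assumptions (the disclosure names no algorithms), and the names Envelope, Seal, Open, NewKey and DeclareEncryptedEmail are this example's, not the CRI's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what steps 1-3 produce: Doc under a one-time secret key SK (AES-256-GCM here)
// plus SK under the recipient's public key PK (RSA-OAEP/SHA-256 here). Those two algorithm
// choices are this example's assumptions; the disclosure says only "symmetric" and "asymmetric".
type Envelope struct {
	WrappedKey []byte // SK encrypted with RSA-OAEP under PK
	Nonce      []byte // AES-GCM nonce, fresh for every envelope
	Ciphertext []byte // Doc encrypted with AES-GCM under SK, authentication tag appended
}

// NewKey makes an RSA key pair: the recipient's PK/PV, or the email server's.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(sk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs steps 1-3 on the source computer (SC).
func Seal(pk *rsa.PublicKey, doc []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // step 1: one-time 256-bit SK, plus a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sk, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sk)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, doc, nil)                                     // step 2: Doc under SK
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, sk, nil) // step 3: SK under PK
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs step 4 for the holder of the private key PV that matches PK. Anyone else,
// a server-side collector included, fails at the unwrap and never learns SK.
func Open(pv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, pv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap SK (wrong private key?): %w", err)
	}
	gcm, err := newGCM(sk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// DeclareEncryptedEmail walks Fig. 1 and Fig. 2 end to end: SC seals Doc for RC, RC opens it,
// the CRI re-seals the clear text for the email server, and the server opens that copy for
// storage in the mail folder. It returns the bytes the server would store.
func DeclareEncryptedEmail(rcKey, serverKey *rsa.PrivateKey, doc []byte) ([]byte, error) {
	env, err := Seal(&rcKey.PublicKey, doc)
	if err != nil {
		return nil, err
	}
	if _, err := Open(serverKey, env); err == nil { // the server holds its own key, not RC's PV
		return nil, fmt.Errorf("server opened an envelope sealed for the recipient")
	}
	clearText, err := Open(rcKey, env) // RC reads the email: decrypted in client memory
	if err != nil {
		return nil, err
	}
	// "Save for Records": re-seal the in-memory clear text under the server's PK with a fresh SK.
	cri, err := Seal(&serverKey.PublicKey, clearText)
	if err != nil {
		return nil, err
	}
	return Open(serverKey, cri) // server-side decryption before the copy is stored
}

func main() {
	rcKey, errRC := NewKey()
	serverKey, errSrv := NewKey()
	if errRC != nil || errSrv != nil {
		panic("RSA key generation failed")
	}
	doc := []byte("Constructed sample email body: quarterly status memo") // constructed input, not real mail
	stored, err := DeclareEncryptedEmail(rcKey, serverKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("server stored a clear copy matching the original:", bytes.Equal(stored, doc))
}
```

Run it with `go run`. Two points worth noting from the code rather than the text: the GCM tag means a collector or relay that tampers with the stored copy is detected at Open, and after "Save for Records" the server's private key and mail store hold the clear copy, so they become the confidentiality boundary for that record. A real S/MIME client packages the same key-plus-ciphertext pair as a CMS EnvelopedData structure rather than the Envelope struct used here.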