U.S. patent application number 10/626103 was filed with the patent office on 2004-09-16 for methods for conducting server-side encryption/decryption-on-demand.
Invention is credited to Blew, Edwin O., Chang, Ker-Ming.
Application Number | 20040181668 10/626103 |
Document ID | / |
Family ID | 38429777 |
Filed Date | 2004-09-16 |
United States Patent
Application |
20040181668 |
Kind Code |
A1 |
Blew, Edwin O. ; et
al. |
September 16, 2004 |
Methods for conducting server-side
encryption/decryption-on-demand
Abstract
A method and system for encryption and decryption of data files
on a web-based computer system includes encrypting the data file in
a memory subsystem, such as RAM, storing the encrypted data file in
one or more of a plurality of memory locations, analyzing and
modifying the encrypted data file, retrieving and decrypting the
modified data file; and displaying the decrypted data file on a web
browser. The computer system may include one to three servers. The
data file may be encrypted and decrypted using any dual-key
encryption algorithm, such as PGP, or a single key algorithm. Data
transmitted into and out of the computer system may be via an
SSL/HTTPS protocol to provide additional security.
Inventors: |
Blew, Edwin O.; (Doylestown,
PA) ; Chang, Ker-Ming; (West Windsor, NJ) |
Correspondence
Address: |
Pepper Hamilton LLP
One Mellon Center, 50th Floor
500 Grant Street
Pittsburgh
PA
15219
US
|
Family ID: |
38429777 |
Appl. No.: |
10/626103 |
Filed: |
July 23, 2003 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
10626103 |
Jul 23, 2003 |
|
|
|
09343921 |
Jun 30, 1999 |
|
|
|
Current U.S.
Class: |
713/165 |
Current CPC
Class: |
H04L 2209/60 20130101;
H04L 2209/76 20130101; G06F 21/606 20130101; H04L 63/166 20130101;
H04L 9/08 20130101; H04L 63/0428 20130101 |
Class at
Publication: |
713/165 |
International
Class: |
H04L 009/00 |
Claims
What is claimed is:
1. A method of encrypting and decrypting an electronic file on a
web-based computer system, comprising: receiving, by a computer
system, an electronic data file, wherein the computer system
includes a memory subsystem and a plurality of memory locations;
encrypting the data file in the memory subsystem; storing the
encrypted data file in one or more of the plurality of memory
locations; retrieving the encrypted data file from the one or more
memory locations; decrypting the encrypted data file in the memory
subsystem; and displaying the decrypted data file on a web
browser.
2. The method of claim 1 further comprising, prior to the receiving
step: receiving a username and a password from an external user
device; and verifying the username and password correspond to a
pre-defined user having access to the computer system.
3. The method of claim 1 further comprising, between the storing
step and the retrieving step: retrieving the encrypted data file
from the one or more memory locations; analyzing the encrypted data
file; modifying the analyzed data file; and storing the modified
data file in the one or more memory locations.
4. The method of claim 1 wherein the receiving step is performed
using a SSL/HTTPS protocol.
5. The method of claim 1 wherein the displaying step is performed
using a SSL/HTTPS protocol.
6. The method of claim 1 wherein the memory subsystem includes
random access memory.
7. A method of encrypting and decrypting an electronic data file on
a web-based computer system, comprising: receiving, by a web
server, an electronic data file, wherein the web server includes a
memory subsystem; encrypting the data file in the memory subsystem;
transmitting the encrypted data file to a file server having a
plurality of memory locations; storing the encrypted data file in
one or more of the plurality of memory locations; retrieving the
encrypted data file from the one or more memory locations;
transmitting the encrypted data file to the web server; decrypting
the encrypted data file in the memory subsystem; and displaying the
decrypted data file on a web browser.
8. The method of claim 7 further comprising, prior to the receiving
step: receiving, by the web server, a username and a password from
an external user device; and verifying, by the web server, the
username and password correspond to a pre-defined user having
access to the computer system.
9. The method of claim 7 further comprising, between the storing
step and the retrieving step: retrieving the encrypted data file
from the one or more memory locations; analyzing the encrypted data
file; modifying the analyzed data file; and storing the modified
data file in the one or more memory locations.
10. The method of claim 7 wherein the receiving step is performed
using a SSL/HTTPS protocol.
11. The method of claim 7 wherein the displaying step is performed
using a SSL/HTTPS protocol.
12. The method of claim 7 wherein the memory subsystem includes
random access memory.
13. The method of claim 7 further comprising, between the storing
step and the retrieving step: retrieving the encrypted data file
from the one or more memory locations; transmitting the encrypted
data file to a back-end data processing server; analyzing, by the
back-end data processing server, the encrypted data file;
modifying, by the back-end data processing server, the analyzed
data file; transmitting the modified data file to the file server;
and storing the modified data file in the one or more memory
locations.
14. A system for encrypting and decrypting an electronic data file,
comprising: a web server for encrypting a data file and decrypting
an encrypted data file, the web server having a memory subsystem; a
file server, electrically connected to the web server, for storing
the encrypted data file, the file server having a plurality of
memory locations; and a back-end data processing server,
electrically connected to the file server, for modifying the
encrypted data file, wherein the web server includes a computer
process comprising: receiving the data file from an external user
device, encrypting the data file in the memory subsystem, and
transmitting the encrypted data file to the file server, wherein
the file server includes a computer process comprising: receiving
the encrypted data file from the web server, storing the encrypted
data file in one or more of a plurality of memory locations,
retrieving the encrypted data file from the one or more memory
locations, and transmitting the encrypted data file to the back-end
data processing server, wherein the back-end data processing server
includes a computer process comprising: receiving the encrypted
data file from the file server, analyzing the encrypted data file,
modifying the analyzed data file, and transmitting the modified
data file to the file server.
15. The system of claim 14 wherein the computer process of the file
server further comprises: receiving the modified data file from the
back-end data processing server; storing the modified data file in
the one or more memory locations; retrieving the modified data file
from the one or more memory locations; and transmitting the
modified data file to the web server.
16. The system of claim 15 wherein the computer process of the web
server further comprises: receiving the modified data file from the
file server; decrypting the modified data file in the memory
subsystem; and displaying the decrypted data file on a web
browser.
17. A system for encrypting and decrypting an electronic data file,
comprising: a web server for encrypting a data file and decrypting
an encrypted data file, the web server-having a memory subsystem;
and a file server electrically connected to the web server, for
storing the encrypted data file, the file server having a plurality
of memory locations wherein the web server includes a computer
process comprising: receiving the data file from an external user
device, encrypting the data file in the memory subsystem, and
transmitting the encrypted data file to the file server, wherein
the file server includes a computer process comprising: receiving
the encrypted data file from the web server, storing the encrypted
data file in one or more of the plurality of memory locations,
retrieving the encrypted data file from the one or more memory
locations, and transmitting the encrypted data file to the web
server.
18. The system of claim 17 wherein the computer process of the web
server further comprises: receiving the encrypted data file from
the file server; decrypting the encrypted data file in the memory
subsystem; and displaying the decrypted data file on a web
browser.
19. The system of claim 17 wherein the computer process of the file
server further comprises, between the storing step and the
retrieving step: retrieving the encrypted data file from the one or
more memory locations; analyzing the encrypted data file; modifying
the analyzed data file; and storing the modified data file in the
one or more memory locations.
20. A system for encrypting and decrypting an electronic data file,
comprising a computer system including: a memory subsystem; a
plurality of memory locations; and a computer process comprising:
receiving a-data file from an external user device, encrypting the
data file in a memory subsystem, storing the encrypted data file in
one or more of a plurality of memory locations, retrieving the
encrypted data file from the one or more memory locations,
decrypting the encrypted data file in the memory subsystem, and
displaying the decrypted data file on a web browser.
21. The system of claim 20 wherein the computer process further
comprises, between the storing step and the retrieving step:
retrieving the encrypted data file from the one or more memory
locations; analyzing the encrypted data file; modifying the
analyzed data file; and storing the modified data file in the one
or more memory locations.
Description
CLAIM OF PRIORITY
[0001] This application is a continuation-in-part of, claims
priority to, and incorporates by reference in its entirety,
co-pending U.S. patent application Ser. No. 09/343,921, filed on
Jun. 30, 1999.
FIELD OF THE INVENTION
[0002] The present invention is directed to methods and systems for
securing files that are received, processed, stored, and delivered
on or by typical web server applications, services, and
devices.
BACKGROUND OF THE INVENTION
[0003] Many current web-based services receive and deliver
encrypted files to and from external users or customers over
electronic networks, such as the Internet. These web-based services
often require their users to encrypt files prior to transmission
and decrypt files upon receipt.
[0004] Requiring users of a service to encrypt and decrypt files
typically requires time-consuming public key exchange procedures
between the user and the service provider. In addition, it places a
heavy burden on non-technical users who may not be familiar with
dual-key encryption methods and tools. Furthermore, the encryption
and decryption processes require the service provider to develop
and establish a key management infrastructure that increases in
complexity as the number of users using the service increases.
[0005] What is needed is a method and system for encrypting and
decrypting electronic files that overcomes all of these concerns
and problems while ensuring that strong protection and security are
provided to important files.
SUMMARY OF THE INVENTION
[0006] The present invention implements a method used to secure
computer files on a file server using dual-key encryption
technologies without requiring the exchange of encryption keys with
external users. The method may be embedded within one or more
computer-readable programs, written in a programming language, such
as Perl, and running on a web server. The method may employ the use
of a single encryption/decryption key pair that is stored on the
same web server to encrypt files received from external users on an
inbound path and to decrypt files delivered to external users on an
outbound path. All inbound and outbound encryption and decryption
occurs in real time in a memory subsystem of the web server, which
may include Random Access Memory (RAM). As a result, no unencrypted
version of an electronic file needs to be created using the present
invention. The method and system do not require any specific
dual-key or public-private key encryption product or
environment.
[0007] In a preferred embodiment of the present invention, a method
of encrypting and decrypting an electronic file on a web-based
computer system includes receiving, by a computer system, an
electronic data file, where the computer system includes a memory
subsystem and a plurality of memory locations, encrypting the data
file in the memory subsystem, storing the encrypted data file in
one or more of the plurality of memory locations, retrieving the
encrypted data file from the one or more memory locations,
decrypting the encrypted data file in the memory subsystem, and
displaying the decrypted data file on a web browser. In an
embodiment, the memory subsystem includes random access memory. In
an embodiment, the receiving step is performed using a SSL/HTTPS
protocol. In an embodiment, the transmitting step is performed
using a SSL/HTTPS protocol.
[0008] In an embodiment, the method may further include, prior to
the receiving step, receiving a username and a password from an
external user device and verifying that the username and password
correspond to a pre-defined user having access to the computer
system. In an alternate embodiment, the method further includes,
between the storing step and the retrieving step retrieving the
encrypted data file from the one or more memory locations,
analyzing the encrypted data file, modifying the analyzed data
file, and storing the modified data file in the one or more memory
locations.
[0009] In an alternate embodiment, a method of encrypting and
decrypting an electronic data file on a web-based computer system
includes receiving, by a web server, an electronic data file, where
the web server includes a memory subsystem, encrypting the data
file in the memory subsystem, transmitting the encrypted data file
to a file server having a plurality of memory locations, storing
the encrypted data file in one or more of the plurality of memory
locations, retrieving the encrypted data file from the one or more
memory locations, transmitting the encrypted data file to the web
server, decrypting the encrypted data file in the memory subsystem,
and displaying the decrypted data file on a web browser. In an
alternate embodiment, the method further includes, between the
storing step and the retrieving step, retrieving the encrypted data
file from the one or more memory locations, transmitting the
encrypted data file to a back-end data processing server,
analyzing, by the back-end data processing server, the encrypted
data file, modifying, by the back-end data processing server, the
analyzed data file, transmitting the modified data file to the file
server, and storing the modified data file in the one or more
memory locations.
[0010] In a preferred embodiment, a system for encrypting and
decrypting an electronic data file includes a web server for
encrypting a data file and decrypting an encrypted data file, the
web server having a memory subsystem, a file server, electrically
connected to the web server, for storing the encrypted data file,
the file server having a plurality of memory locations, and a
back-end data processing server, electrically connected to the file
server, for modifying the encrypted data file. The web server
includes a computer process for receiving the data file from an
external user device, encrypting the data file in the memory
subsystem, and transmitting the encrypted data file to a file
server. The file server includes a computer process for receiving
the encrypted data file from the web server, storing the encrypted
data file in one or more of a plurality of memory locations,
retrieving the encrypted data file from the one or more memory
locations, and transmitting the encrypted data file to the back-end
data processing server. The back-end data processing server
includes a computer process for receiving the encrypted data file
from the file server, analyzing the encrypted data file, modifying
the analyzed data file, and transmitting the modified data file to
the file server. In a further embodiment, the computer process of
the file server further includes receiving the modified data file
from the back-end data processing server, storing the modified data
file in the one or more memory locations, retrieving the modified
data file from the one or more memory locations, and transmitting
the modified data file to the web server. In a further embodiment,
the computer process of the web server further includes receiving
the modified data file from the file server, decrypting the
modified data file in the memory subsystem, and displaying the
decrypted data file on a web browser.
[0011] In an alternate embodiment, a system for encrypting and
decrypting an electronic data file includes a web server for
encrypting a data file and decrypting an encrypted data file, the
web server having a memory subsystem, and a file server
electrically connected to the web server, for storing the encrypted
data file, the file server having a plurality of memory locations.
The web server includes a computer process for receiving the data
file from an external user device, encrypting the data file in the
memory subsystem, and transmitting the encrypted data file to the
file server. The file server includes a computer process for
receiving the encrypted data file from the web server, storing the
encrypted data file in one or more of the plurality of memory
locations, retrieving the encrypted data file from the one or more
memory locations, and transmitting the encrypted data file to the
web server. In a further embodiment, the computer process of the
web server further includes receiving the encrypted data file from
the file server, decrypting the encrypted data file in the memory
subsystem, and displaying the decrypted data file on a web browser.
In an alternate embodiment, the computer process of the file server
further includes, between the storing step and the retrieving step,
retrieving the encrypted data file from the one or more memory
locations, analyzing the encrypted data file, modifying the
analyzed data file, and storing the modified data file in the one
or more memory locations.
[0012] In an alternate embodiment, a system of for encrypting and
decrypting an electronic data file includes a server including a
memory subsystem, a plurality of memory locations, and a computer
process for receiving a data file from an external user device,
encrypting the data file in a memory subsystem, storing the
encrypted data file in one or more of a plurality of memory
locations, retrieving the encrypted data file from the one or more
memory locations, decrypting the encrypted data file in the memory
subsystem, and displaying the decrypted data file on a web browser.
In a further embodiment, the computer process further includes,
between the storing step and the retrieving step, retrieving the
encrypted data file from the one or more memory locations,
analyzing the encrypted data file, modifying the analyzed data
file, and storing the modified data file in the one or more memory
locations.
[0013] Further advantages and aspects of the present invention will
become apparent to those of ordinary skill in the art upon reading
and understanding the following detailed description of the
invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0014] The invention may take form in various components and
arrangements of components, and in various steps and arrangements
of steps. The drawings are only for purposes of illustrating the
preferred embodiments and are not to be construed as limiting the
invention.
[0015] FIG. 1 depicts an exemplary diagram of the computer
architecture and network connections used to implement an
embodiment of the present invention.
[0016] FIG. 2 illustrates a data flow diagram of the inbound flow
of files sent from an external user computer and the outbound flow
of files to an external user computer according to an embodiment of
the present invention.
[0017] FIG. 3 shows a program logic diagram for two computer
program applications according to an embodiment of the present
invention.
DETAILED DESCRIPTION OF THE INVENTION
[0018] Before the present methods and systems are described, it is
to be understood that this invention is not limited to the
particular methodologies, protocols, or systems described, as these
may vary. It is also to be understood that the terminology used in
the description is for the purpose of describing the particular
versions or embodiments only, and is not intended to limit the
scope of the present invention which will be limited only by the
appended claims. In particular, although the present invention is
described in conjunction with Internet files, it will be
appreciated that the present invention may find use in any
electronic exchange of data.
[0019] It must also be noted that as used herein and in the
appended claims, the singular forms "a", "an", and "the" include
plural reference unless the context clearly dictates otherwise.
Thus, for example, reference to a "computer" is a reference to one
or more computers and equivalents thereof known to those skilled in
the art, and so forth. Unless defined otherwise, all technical and
scientific terms used herein have the same meanings as commonly
understood by one of ordinary skill in the art. Although any
methods similar or equivalent to those described herein can be used
in the practice or testing of embodiments of the present invention,
the preferred methods are now described. All publications mentioned
herein are incorporated by reference. Nothing herein is to be
construed as an admission that the invention is not entitled to
antedate such disclosure by virtue of prior invention.
[0020] FIG. 1 depicts an exemplary diagram of the computer
architecture and network connections used to implement an
embodiment of the present invention. A user computer 1 may be
connected to a computer network 2. The computer network 2 may
include, without limitation, the Internet, an intranet, or any
other interconnected network of computers. The connection of the
user computer 1 to the computer network 2 may be achieved by any
standard communication means including, but not limited to, a
dialup service, a cable connection, a digital subscriber line, an
Ethernet network interface, an Asynchronous Transfer Mode network
interface, a wireless service, or similar technologies. A web
server 3 running a standard http/https web server application may
be used to transmit web pages to the user computer 1. A file server
4 may store a plurality of incoming files until they are retrieved
by a back-end data processing server 5. In addition, the file
server 4 may store outgoing files until they are retrieved by the
user and sent to the user computer 1. A back-end data processing
server 5 may be used to host special purpose applications that may
transform or modify encrypted files and generate outgoing
user-deliverable files.
[0021] The computer/network architecture depicted in FIG. 1 is only
one of many configurations that may be used to implement the method
and system of the present invention. For example, the method or
system may be implemented using only two servers, such as a web
server and a combined file and back-end data processing server.
Moreover, the method or system may be implemented entirely within a
single server, such as a web server that performs all three
functions described in reference to FIG. 1: web server, file server
and back-end data processing server. However, the network
architecture depicted in FIG. 1, and described in reference
thereto, is preferred because it maximizes security by separating
the data flow and processing across machines that may be separated
by firewalls.
[0022] FIG. 2 illustrates a data flow diagram of the inbound flow
of files sent from an external user computer and the outbound flow
of files to an external user computer according to an embodiment of
the present invention. The user computer 1 may-access a login page
6 of a service provider's website using any web browsing
application, such as Netscape Navigator or Microsoft's Internet
Explorer. A user may supply an assigned username and password when
accessing the login page 6 in order to access the web server 3. The
transmission of the login page 6 and all subsequently described
pages and files transmitted between the user computer 1 and the web
server 3 may utilize the secure SSL/HTTPS protocol standard. The
login page 6 of the preferred embodiment may be used to provide an
additional layer of security. However, the login page 6 may be
removed where user authentication via the submission of a username
and/or a password is unnecessary, but
encryption/decryption-on-demand is still required.
[0023] A user may select a file stored locally on the user computer
1 and submit the file for processing by the web server 3 via a file
upload web page 7. The file upload process may be achieved through
use of a standard HTML tag, such as <form><input
type="file" name="filename"></form>. The upload
transmission may be securely transmitted via use of the SSL/HTTPS
protocol standard, which provides an additional layer of security
to the transmission environment. In an alternate embodiment, the
SSL/HTTPS standard is not used for the transmission of one or more
of the transmitted files between the user computer 1 and the web
server 3.
[0024] A computer program 8 written in a computer-recognizable
language, such as Perl, and stored on the web server 3, may be used
to process an incoming electronic data file. The process of
encrypting the program is depicted in FIG. 3. The electronic data
file may be processed by reading the data file in unencrypted form
16 from a buffer on the web server 3 into a memory subsystem of the
web server. The memory subsystem may include one or more memory
devices, including, without limitation, Random Access Memory (RAM).
The content of the data file may then be encrypted 17 in the memory
subsystem via a system call to an encryption application, such as
PGP. The encrypted data content may be saved 18 to a file on the
web server 3. The encrypted data file may then be transferred 9
from the web server 3 to the file server 4. This transfer may be
performed via a File Transfer Protocol (FTP) program or any similar
program for transferring files between servers.
[0025] In an alternate embodiment, a computer application
environment other than Perl may be used to implement the present
invention. In fact, any application environment permitting direct
system calls (e.g., to an encryption utility) and Common Gateway
Interface (CGI) interactions with a web server may be used.
Moreover, the present invention may be implemented via the use of
dual-key encryption technologies other than PGP or through the use
of single-key or other encryption methodologies.
[0026] Once the encrypted data file is stored on the file server 4,
additional processing of the encrypted data file on the back-end
data processing server 5 may be performed. Such additional
processing is optional to the present invention. The additional
processing may include using a FIP program to send 10 the encrypted
data file from the file server 4 to the back-end data processing
server 5. The encrypted data file may then be analyzed, modified
and/or rewritten II by the back-end data processing server 5, and
transferred back 12 to the file server 4 as an encrypted
user-deliverable data file.
[0027] When requested by a user, the encrypted user-deliverable
data file may be transferred 13 from the file server 4 to the web
server 3 by using a FIP program. A computer program 14 written in a
computer-recognizable language, such as Perl, and stored on the web
server 3, may be used to decrypt the outgoing encrypted
user-deliverable data file. The process of decrypting the file is
depicted in FIG. 3. The encrypted user-deliverable data file may be
read in encrypted form 19 from a buffer on the web server 3 into
the memory subsystem. The file content may be decrypted in the
memory subsystem via a system call to a decryption application,
such as PGP, and the encrypted data file may be deleted from the
system 20. The decrypted content in the memory subsystem may then
be downloaded 21 to the user's browser 15 via a buffer on the web
server 3.
[0028] The two computer programs 8, 14 may perform additional
functions that are not essential to the implementation of the
present invention. The additional, non-essential functions are part
of the preferred embodiment of the present invention, however, and
are referenced herein to show the implementation of the preferred
embodiment. The additional, non-essential functions in computer
program 8 may include, without limitation, the user authentication
process including the reception of a username and password. The
additional, non-essential functions in computer program 14 may
include, without limitation, a means for creating a web page
(dynamically) listing all available user-deliverable files and
allowing the user to choose which file to decrypt and download.
[0029] The foregoing is considered as illustrative only of the
principles of the invention. Further, since numerous modifications
and changes will readily occur to those skilled in the art, it is
not desired to limit the invention to the exact construction and
operation shown and described, and accordingly, all suitable
modifications and equivalents may be resorted to, falling within
the scope of the invention.
* * * * *