WO2015004327A1 - Method and device for file encryption - Google Patents


Info

Publication number
WO2015004327A1
Authority
WO
WIPO (PCT)
Prior art keywords
mass
memory device
file
encrypted
address
Application number
PCT/FI2014/050566
Other languages
French (fr)
Inventor
Tuukka Korhonen
Mikael Seppälä
Original Assignee
Tuukka Korhonen
Mikael Seppälä

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail

Definitions

  • the invention relates to file encryption and, in particular, file encryption by using a mass-memory device.
  • Unencrypted data exchange or confidential and secret data exchange can be transmitted via and in data networks.
  • data protection methods are needed, which are suitable for the occasion.
  • file encryption is performed by encrypting plain text by means of a suitable mathematical method or algorithm.
  • an encrypted text is provided.
  • the encryption may be converted back to an understandable form by decrypting the encrypted text or interpreting the encrypted text.
  • the decryption may be carried out by either the same encryption key that was used for encrypting the text or, alternatively, another key. When the same key is used, it is called symmetric encryption and when another key is used, it is called asymmetric encryption.
  • An object of the invention is thus to provide a method and equipment implementing the method so as to enable the aforementioned problems to be solved.
  • the object of the invention is achieved by a method and system which are characterized by what is disclosed in the independent claims.
  • the preferred embodiments of the invention are disclosed in the dependent claims.
  • the invention is based on configuring one or more memory sticks, authenticating the user of the memory stick, authenticating the recipient of a file to be transmitted and encrypted, opening an encryption program and encrypting the file to be transmitted.
  • FIG. 1 shows a block diagram according to the invention and its preferred embodiment
  • FIG. 2 shows a signalling diagram according to the invention and its preferred embodiment.
  • Figure 1 shows a block diagram according to the invention and its preferred embodiment.
  • a user A wants to send a text, voice, image or other file or document or a combination thereof from his computer 1-2 to a user B.
  • the transmission takes place via a telecommunication network or communication network 1-6.
  • the network may be a wireless network, a wired network or a combination thereof.
  • a memory device 1-12 acts as a physical certificate, a physical key for material to be transmitted and received so that material to be e-mailed, for instance, can be protected and certified and the e-mail and the received material can be opened.
  • the memory device or another physical device which acts as a key to the encrypted material and onto which a program used in the encryption may be loaded may be manufactured and coded and profiled in connection with either the production or purchase, for instance. Thus, everyone having the mass-memory device can use the program and encrypt their files.
  • the memory device used may be attached in connection with the user B's computer 1-4, such as a USB (Universal Serial Bus) port 1-14.
  • the user A may connect a device or component enabling the encryption, such as a memory device, to a serial bus port or parallel bus port of the computer he uses.
  • the device or component enabling the encryption may also be in a wireless connection with the computer or other device performing the encryption.
  • a database DB 1-10 to be used may be stored on a server 1-20, a memory in connection with the server or some other memory.
  • the database may comprise necessary data for identifying the mass-memory device of one or more recipients. These include, for instance, the user's name, a random code given to the device, and a code informing of the opening of the algorithm.
  • a cloud service 1-8, the server 1-20 and/or the database 1-10 may be in connection with the communication network. They may be in connection with the communication network either directly, via each other or via some other component.
  • Figure 2 shows a process chart for content encryption use according to a preferred embodiment of the invention, which can be used in connection with many types of services.
  • Services may include, for instance, an e-mail service, a cloud service, a server service, use of databases, or industrial machines including programmable components, i.e., services enabling the use of a file encryption method.
  • a file or record containing content is encrypted.
  • the first step comprises generating, for an e-mail key program, users that may use the program and the encryption it provides, and random numbers for the users, which information may be stored in the database.
  • the database may be located and arranged on a server in such a manner that it may comprise data and/or information on the following subjects, for instance: the user's name, a random number given to the user's name or a random code of the device, a condition for opening the algorithm, and the user's right to send and/or receive encrypted files.
  • the database may comprise these data or information as one or more records.
  • a database on the server including usernames and rights to open an e-mail attachment, to send via e.g. an e-mail program an attachment that the recipient may open only with his own mass-memory device.
  • the user who sent or encrypted the file can open or read the file and/or write on the encrypted file.
  • These infrastructures may be generated and arranged on one or more centralized servers or a firm's own server, for example.
  • the user A wants to e-mail an encrypted file to the user B.
  • in step 2-2, the first user A inserts a memory stick containing an encryption program into a USB port and opens the encryption program.
  • the user A selects a file that he wants to send to the other user B via the program.
  • the user A defines the recipient, the user B, who may open and read the file to be encrypted and sent.
  • the user A writes an e-mail message to the user B and writes the user B's address to the address field.
  • the user A sends in step 2-4 an identifier number, an ID number or a random number to the database DB.
  • the identifier number is memory-stick-specific and the first identifier number is generated for the stick during the formatting of the stick.
  • the identifier number passes via the user A's server to the database where it is checked.
  • a random character or bit string is transmitted to the database or the database in connection with the server program.
  • the database includes data on the stick or other physical device after the formatting phase of the stick, and the user has the data on the stick or other physical device after he has received the stick.
  • stick identification data such as a random number or metadata
  • in step 2-6, the stick identification data sent by the user are compared with the identification data stored in the database.
  • the amount of data in the database may be compared with the amount of data sent. If the identifiers are the same, the user of the stick has been identified.
  • a different random number or identifier number is generated for the user A by the server in connection with the database and it is both stored in the database and transmitted to the user A in step 2-8.
  • the purpose of a new number is to prevent the use of copied memory devices using only one number.
  • in step 2-10, after the user A has been identified, he may open the e-mail program and draft an e-mail.
  • in the step of drafting an e-mail, the user A writes the name of the recipient to the address field.
  • step 2-12 a message is transmitted to the database, in response to which message the server connected to the database checks in step 2-14 from the database, whether the recipient defined by the user A is found in the database. If the recipient is found, the server transmits an identifier about the recipient of the message to the user A in step 2-16.
  • when a document to be attached to the e-mail has been selected, it is encrypted with the encryption program stored and existing in the memory device of the user A in step 2-18.
  • the encryption of a file or document may be carried out by using another random character string so that only the recipient defined as recipient may open this file.
  • an algorithm of the external mass-memory device, protecting the file and/or user data is used.
  • the algorithm used may be, for instance, a virtual algorithm of AES (Advanced Encryption Standard) type.
  • in step 2-20, the user A sends the file from his own e-mail program directly to the user B and the user B receives the file from the user A.
  • the file may be sent via e-mail, as a multimedia message, a short message, a Bluetooth message or other communication message, for example.
  • the notification may be a proprietary message.
  • the encryption level of the attachment may be stated at the same time.
  • in step 2-22, the user B inserts his memory stick into the computer he uses and starts to open the file reading program.
  • the user B is identified in the same way as the user A was identified.
  • the user B sends his identification data to the database, where the identification data existing in the database and stored therein in the registration phase are compared with the identification data transmitted in step 2-26. If these identification data are the same, e.g. the data amounts are the same, a different identifier number and, at the same time, a verification that the user B may open the file are transmitted to the user B in step 2-28.
  • in step 2-30, the user B opens the e-mail by means of the memory device.
  • the file opens and it is thus delivered to its destination in a secure way.
  • in step 2-32, the user B may send data to the database, such as data on the time he has opened or read the attachment.
  • the user A may also send corresponding data to the database.
  • the file to be stored and opened may be located in the server or cloud.
  • the user may also encrypt his own files on the computer.
  • the user may open the program, select a file to be encrypted and encrypt the file with his memory stick. After this, the files only open by using the correct memory stick or memory card, i.e., when the user opens the file by using the memory stick of the same encryption algorithm that he used for encrypting the file.
  • files stored on the server may also pass through the device according to the invention and its preferred embodiments and acting as a memory device.
  • the e-mail can only be opened with a mass-memory device or other given component. This means that when the person A sends an encrypted e-mail to the person B, the latter person must use his mass-memory device, if he wants to open the e-mail.
  • the purpose is to achieve a physical verification that increases data security in such a way that only the right person can open the e-mail.
  • a memory stick, a memory card, an external mass-memory device may function as a mass-memory device.
  • the external mass-memory device acts as a physical key to encrypted data or data to be encrypted.
  • a person C receives the encrypted e-mail in his mailbox and opens it, he receives a notification that this e-mail and/or the attachment of the e-mail is encrypted.
  • the person C needs to log in to the e-mail key program. When the person C logs in to the program and tries to open the e-mail and/or the attachment of the e-mail, then.
  • user data of all the users who are given permission to participate in a specific encrypted communication may be entered to the e-mail key program.
  • the entering of data may be performed in a firm, which manufactures mass-memory devices, or in another firm, for instance.
  • an ID account1 may be generated for the person A and an ID account2 may be generated for the person B.
  • the person A wants to send an important file to the person B, he defines the person B as recipient in the e-mail.
  • the program retrieves the encryption key of the person B from the server.
  • the person B is given rights to open the file.
  • mass-memory identification is utilised.
  • a mass-memory device is attached to a machine.
  • a program on the mass-memory device may be opened and a desired service, such as a cloud service, may be selected from the program.
  • the cloud service may have been built on the platform of a service producer or service provider.
  • the service requests a username and a password, which may be entered to the program.
  • the files may be transferred via file management to an encrypting program, after which the program encrypts the files, which are transferred to the cloud, or the user's own files, before they are transferred to the server and/or kept encrypted on the user's computer.
  • physical node data such as location data, time of use and/or log information, may be added. In this way, a key to the cloud is generated.
  • the encrypted files are transmitted to the cloud, and the files are located encrypted in the cloud, i.e., on the server of the data network or in the memory of the data network.
  • the location of the files may be a part of the cloud, which may be encrypted.
  • the key may then be used for opening and reading and further storing the files, whereby the opening may have been performed with a proprietary program.
  • the files have been transferred to the cloud as encrypted, and they exist encrypted in the cloud.
  • in connection with opening and reading and further storing the files, the mass-memory device is connected to the computer in which the encrypted files are to be read or used in other ways.
  • the user logs in to the encryption program and enters the username and the password to the program.
  • the encryption program application opens and asks where to go or where to retrieve the file: whether the file will be read locally or from the cloud. If the cloud is selected as the file location, the cloud account may open in the file management system, for example. After this, it is possible to view the encrypted documents in the cloud, the cloud service and/or the memory in the cloud.
  • the files are read locally because they must be encrypted locally.
  • File encryption may be performed in various ways, such as by means of the aforementioned AES standard (Advanced Encryption Standard) in 256 bits.
  • databases may be located on certified or protected servers, such as in the premises of a service provider or a client. Communication may be established by using an SSL connection (Secure Sockets Layer), for instance.
  • Information on the servers may be encrypted by, for instance, a hash value used in connection with a digital signature, such as a so- called hash code and/or a so-called southed code, in order to increase data security. This reduces the risk of intrusion.
  • a plurality of different users may now manage their files safely in the network.
  • a mass-memory device may be provided for each user by using the same encryption key and each user may register in the service. These users may form the first file transfer or data exchange group. Thereafter, each user may check, read, encrypt and decrypt files in the network, for example, by using the encryption key of the group.
  • Each file name can be seen in the network and each user can view the files with his own memory device.
  • a backup feature may be provided on the memory stick.
  • the program on the memory stick transmits the latest version of the encrypted file to the memory in connection with the Internet server for storage. If the memory stick gets lost, the data still remains stored in the network.
  • the user may observe his files and save new files on the memory stick.
  • when the memory stick is connected and has a connection to the Internet, it loads the new files onto its memory.
  • the memory stick is connected to the computer and, through it, to the cloud service, the files in the cloud service are removed therefrom automatically.
  • a method for transferring a file from a sending address to a target address comprises starting 2-2 an encryption program stored on a mass-memory device 1-12; transmitting 2-4 a first identifier assigned to the mass-memory device to a predefined address related to the encryption program to authenticate the mass-memory device; receiving 2-8 an accepting response to authenticate the mass-memory device, the response comprising a second identifier assigned to the mass-memory device; receiving 2-10 via a user interface the target address of the file to be transmitted and encrypted; transmitting 2-12 the target address to the predefined address related to the encryption program to authenticate the target address; receiving 2-16 an accepting response to authenticate the target address; receiving 2-18 via the user interface the file to be encrypted; encrypting 2-18 the file with the encryption program stored on the mass-memory device; storing 2-18 the encrypted file on the mass-memory device; receiving 2-18 via the user interface a selection of the encrypted file
  • the user interface may be, for instance, a computer, a tablet computer, a mobile station, a navigator, a television, an oscilloscope or some other device to which the mass-memory device can be connected or arranged.
  • the file may also be re-encrypted with the same or another encryption program stored on the mass-memory device in response to the selection of the encrypted file to be transmitted, which was received via the user interface.
  • the authentication of the mass-memory device can be performed at least partly on the basis of the data amount transmitted.
  • the user identifier and/or password and/or location of the mass-memory device user may be used for the authentication.
  • a random code may also be used.
  • the location may also be used in such a manner that the IP address of the place where the encryption was used is transmitted to the database, from which, in case of a lost memory stick, for example, the most recent place of use of the memory stick can be read. This may be performed before step 2-4, for instance. If the device has been lost or forgotten, a signal, such as 'user inactive', may be supplied from the database to the device, which inactivates all data on the device, and it can no longer be used after this.
  • Log information may also be transmitted to the database.
  • Information such as how long the mass-memory device has been used, which data or files of the stick have been used and what is stored on the stick, can be read from the log information.
  • Log information supplied to the database may be assembled or it may form a file log, from which it is possible to read which data exist on which memory stick or other mass-memory device.
  • the encryption method and arrangement of the invention and its preferred embodiments may also be applied in such a manner that it is now possible to determine, in which location the mass-memory device can be opened or read or in which location it is possible to store data thereon. It is also possible to give different addresses and rights to different user groups.
  • a method for opening a file, the file being received from a sending address at a target address comprises receiving 2-20 via a user interface an encrypted file from the sending address; starting 2-22 an encryption program stored on a mass-memory device 1-12; transmitting 2-24 a first identifier assigned to the mass-memory device 1-12 to a predefined address related to the encryption program to authenticate the mass-memory device 1-12; receiving 2-28 an accepting response to authenticate the mass-memory device
  • the response comprising a second identifier assigned to the mass-memory device; and opening 2-30 the encrypted file via the user interface by means of the encryption program stored on the mass-memory device 1-12.
  • a method for performing file transfer authentication comprises steps of: storing a list of target addresses, which may encrypt a file and transmit and receive an encrypted file; storing first identifiers assigned to mass-memory devices 1-12; and, in response to receiving 2-4 an identifier from a sending address for authenticating a mass-memory device: searching
  • the system comprises: a first device comprising means for performing first method steps and an interface for receiving a mass-memory device; a second device comprising means for performing second method steps and an interface for receiving a mass-memory device; a third device comprising means for performing third method steps; a first mass-memory device comprising an encryption program and an identifier for authenticating the mass-memory device; a second mass-memory device comprising an encryption program and an identifier for authenticating the mass-memory device; and a database comprising a list of addresses, which may encrypt a file and transmit and receive an encrypted file and a list of identifiers assigned to the mass-memory devices.
  • the device according to the invention and its preferred embodiments comprises computer program means arranged to perform all steps of a method when said program is run on a computer.
  • a plurality of advantages are achieved, such as secure data encryption in such a manner that there is only one way of decrypting data and information. This is carried out with a decryption key that exists on a memory stick. In other words, a file can now be opened only by using a memory device. In addition, data security increases and the computer itself need not be encrypted.
  • a key for the cloud is generated, the use of which key requires a physical device, such as a memory stick, enabling the user to access files in the cloud.
  • servers become more secure, too.
  • a computer need not be encrypted to achieve an efficient encryption according to the invention, but computers may also be encrypted.
  • a plug-in element may be provided behind the firewall, which provides the advantage of increased reliability when traffic to the server is encrypted.
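The file encryption step of the method (the description's AES in 256 bits, applied with the recipient's key that the program retrieves from the server, so that only the defined recipient can open the attachment) as an added Go example written for this page; it is not the patent's program and not the inventors' code. It assumes AES-256-GCM as the concrete mode, a constructed in-memory key table in place of the server lookup, constructed recipient addresses, and one design choice of my own: the target address is bound into the authentication tag as associated data, so a blob addressed to B cannot be re-labelled for C. The scenario also shows the two failure modes a practitioner should expect the recipient-side program to reject, a wrong key and a modified ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// newKey returns a random 32-byte key. It stands in for the recipient key the
// program would retrieve from the server (constructed, in-memory).
func newKey() []byte {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of the wrong length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile encrypts an attachment under the recipient's key. The target
// address is bound in as associated data (added design choice), so the blob
// cannot be re-addressed without failing authentication.
// Output layout: nonce || ciphertext || tag.
func EncryptFile(key []byte, recipient string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(recipient)), nil
}

// DecryptFile is the recipient-side open: a wrong key, a wrong address or a
// single modified byte makes gcm.Open return an error instead of plaintext.
func DecryptFile(key []byte, recipient string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recipient))
}

// Scenario: user A encrypts for user B; B opens it, C cannot, and a blob with
// one flipped byte is rejected. Returns (roundTrip, wrongKeyRejected, tamperRejected).
func Scenario() (bool, bool, bool) {
	const userB, userC = "userB@example.invalid", "userC@example.invalid" // constructed
	keys := map[string][]byte{userB: newKey(), userC: newKey()}
	doc := []byte("constructed sample attachment: quarterly figures")

	blob, err := EncryptFile(keys[userB], userB, doc)
	if err != nil {
		return false, false, false
	}
	got, err := DecryptFile(keys[userB], userB, blob)
	roundTrip := err == nil && bytes.Equal(got, doc)

	_, err = DecryptFile(keys[userC], userB, blob) // C's stick holds the wrong key
	wrongKeyRejected := err != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptFile(keys[userB], userB, tampered)
	tamperRejected := err != nil

	return roundTrip, wrongKeyRejected, tamperRejected
}

func main() {
	rt, wk, tp := Scenario()
	fmt.Printf("round trip: %v, wrong key rejected: %v, tamper rejected: %v\n", rt, wk, tp)
}
```

GCM is chosen over a bare block mode because the description's goal is that only the right person can open the file: an authenticated mode turns "wrong key" and "modified in transit" into a hard error rather than into garbage output that a reader might act on. The nonce is fresh per file, which is what makes reusing one recipient key across many attachments safe.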

Abstract

The invention relates to a method, a device and an arrangement for transferring a file from a sending address to a target address. The invention comprises starting (2-2) an encryption program stored on a mass-memory device (1-12); transmitting (2-4) a first identifier assigned to the mass-memory device (1-12) to a predefined address related to the encryption program to authenticate the mass-memory device (1-12); receiving (2-8) an accepting response to authenticate the mass-memory device (1-12), the response comprising a second identifier assigned to the mass-memory device; receiving (2-10) via a user interface data on the file to be encrypted; transmitting (2-12) data on the target address of the file to be encrypted to the predefined address related to the encryption program to authenticate the target address; receiving (2-16) an accepting response to authenticate the target address; receiving (2-18) via the user interface data on the file to be encrypted; encrypting (2-18) the file with the encryption program stored on the mass-memory device (1-12); storing (2-18) the encrypted file on the mass-memory device (1-12); receiving (2-18) via the user interface the encrypted file to be transmitted; and transmitting (2-20) the encrypted file from the sending address to the selected target address.

Description

Method and device for file encryption
Field of the invention
[0001] The invention relates to file encryption and, in particular, file encryption by using a mass-memory device.
Background of the invention
[0002] Unencrypted data exchange or confidential and secret data exchange can be transmitted via and in data networks. To have a secure data transfer and storage and to prevent outsiders from accessing data that is not meant for them, data protection methods are needed, which are suitable for the occasion.
[0003] In prior art, file encryption is performed by encrypting plain text by means of a suitable mathematical method or algorithm. Thus, an encrypted text is provided. The encryption may be converted back to an understandable form by decrypting the encrypted text or interpreting the encrypted text. The decryption may be carried out by either the same encryption key that was used for encrypting the text or, alternatively, another key. When the same key is used, it is called symmetric encryption and when another key is used, it is called asymmetric encryption.
[0004] A problem with the above-described arrangement is, however, that anyone who knows the password can decrypt and read the secret text.
Brief description of the invention
[0005] An object of the invention is thus to provide a method and equipment implementing the method so as to enable the aforementioned problems to be solved. The object of the invention is achieved by a method and system which are characterized by what is disclosed in the independent claims. The preferred embodiments of the invention are disclosed in the dependent claims.
[0006] The invention is based on configuring one or more memory sticks, authenticating the user of the memory stick, authenticating the recipient of a file to be transmitted and encrypted, opening an encryption program and encrypting the file to be transmitted.
[0007] The method and system of the invention provide the advantage of achieving a very efficient and secure data encryption method.
Brief description of the drawings
[0008] The invention is now described in more detail in connection with the preferred embodiments and with reference to the accompanying drawings, of which:
Figure 1 shows a block diagram according to the invention and its preferred embodiment; and
Figure 2 shows a signalling diagram according to the invention and its preferred embodiment.
Description of a preferred embodiment of the invention
[0009] Figure 1 shows a block diagram according to the invention and its preferred embodiment. In the figure, a user A wants to send a text, voice, image or other file or document or a combination thereof from his computer 1-2 to a user B. The transmission takes place via a telecommunication network or communication network 1-6. The network may be a wireless network, a wired network or a combination thereof.
[0010] According to the invention and its preferred embodiments, a memory device 1-12 acts as a physical certificate, a physical key for material to be transmitted and received so that material to be e-mailed, for instance, can be protected and certified and the e-mail and the received material can be opened. The memory device or another physical device which acts as a key to the encrypted material and onto which a program used in the encryption may be loaded may be manufactured and coded and profiled in connection with either the production or purchase, for instance. Thus, everyone having the mass-memory device can use the program and encrypt their files. The memory device used may be attached in connection with the user B's computer 1-4, such as a USB (Universal Serial Bus) port 1-14. Similarly, the user A may connect a device or component enabling the encryption, such as a memory device, to a serial bus port or parallel bus port of the computer he uses. The device or component enabling the encryption may also be in a wireless connection with the computer or other device performing the encryption.
[0011] A database DB 1-10 to be used may be stored on a server 1-20, a memory in connection with the server or some other memory. The database may comprise necessary data for identifying the mass-memory device of one or more recipients. These include, for instance, the user's name, a random code given to the device, and a code informing of the opening of the algorithm.
[0012] A cloud service 1-8, the server 1-20 and/or the database 1-10 may be in connection with the communication network. They may be in connection with the communication network either directly, via each other or via some other component.
[0013] Figure 2 shows a process chart for content encryption use according to a preferred embodiment of the invention, which can be used in connection with many types of services. Services may include, for instance, an e-mail service, a cloud service, a server service, use of databases, or industrial machines including programmable components, i.e., services enabling the use of a file encryption method. In the encryption, a file or record containing content is encrypted.
[0014] In the case of an e-mail service, the first step comprises generating, for an e-mail key program, users that may use the program and the encryption it provides, and random numbers for the users, which information may be stored in the database. The database may be located and arranged on a server in such a manner that it may comprise data and/or information on the following subjects, for instance: the user's name, a random number given to the user's name or a random code of the device, a condition for opening the algorithm, and the user's right to send and/or receive encrypted files. The database may comprise these data or information as one or more records.
[0015] Thus, on the basis of access rights, for example, it is possible to construct a database on the server, including usernames and rights to open an e-mail attachment, to send via e.g. an e-mail program an attachment that the recipient may open only with his own mass-memory device. Also the user who sent or encrypted the file can open or read the file and/or write on the encrypted file. These infrastructures may be generated and arranged on one or more centralized servers or a firm's own server, for example.
[0016] Via the e-mail key program, it is thus possible to select a file which is attached to the e-mail and which is encrypted by the program. The encrypted file can only be decrypted with the sender's and the recipient's device, such as a mass-memory device.
[0017] In accordance with Figure 2, the user A wants to e-mail an encrypted file to the user B. In step 2-2, the first user A inserts a memory stick containing an encryption program into a USB port and opens the encryption program. The user A selects a file that he wants to send to the other user B via the program. The user A defines the recipient, the user B, who may open and read the file to be encrypted and sent. After this, the user A writes an e-mail message to the user B and writes the user B's address to the address field.
[0018] In order to be able to verify that the user A is the correct user, the user A sends in step 2-4 an identifier number, an ID number or a random number to the database DB. The identifier number is memory-stick-specific, and the first identifier number is generated for the stick during the formatting of the stick. The identifier number passes via the user A's server to the database, where it is checked. In other words, in this step, a random character or bit string is transmitted to the database or to the database in connection with the server program. The database includes data on the stick or other physical device after the formatting phase of the stick, and the user has the data on the stick or other physical device after he has received the stick.
[0019] When the stick is registered in the database for the first time, stick identification data, such as a random number or metadata, are stored therein. In step 2-6, the stick identification data sent by the user are compared with the identification data stored in the database. In the comparison of identification data, the amount of data in the database may be compared with the amount of data sent. If the identifiers are the same, the user of the stick has been identified. After this, another, different random number or identifier number is generated for the user A by the server in connection with the database, and it is both stored in the database and transmitted to the user A in step 2-8. The purpose of the new number is to prevent the use of copied memory devices that rely on a single number.
[0020] After the user A has been identified, he may open the e-mail program and draft an e-mail in step 2-10. In the step of drafting an e-mail, the user A writes the name of the recipient to the address field. In this step, i.e., step 2-12, a message is transmitted to the database, in response to which message the server connected to the database checks in step 2-14 from the database, whether the recipient defined by the user A is found in the database. If the recipient is found, the server transmits an identifier about the recipient of the message to the user A in step 2-16.
[0021] When a document to be attached to the e-mail has been selected, it is encrypted with the encryption program stored and existing in the memory device of the user A in step 2-18. The encryption of a file or document may be carried out by using another random character string so that only the recipient defined as recipient may open this file. In the encryption, an algorithm of the external mass-memory device, protecting the file and/or user data, is used. The algorithm used may be, for instance, a virtual algorithm of AES (Advanced Encryption Standard) type.
[0022] In step 2-20, the user A sends the file from his own e-mail program directly to the user B and the user B receives the file from the user A. The file may be sent via e-mail, as a multimedia message, a short message, a Bluetooth message or other communication message, for example.
[0023] It is notified in the sent e-mail that the file is encrypted. The notification may be a proprietary message. In other words, when the user B receives the e-mail, the encryption level of the attachment may be stated at the same time.
[0024] In step 2-22, the user B inserts his memory stick into the computer he uses and starts to open the file reading program. In this step, the user B is identified in the same way as the user A was identified. In step 2-24, the user B sends his identification data to the database, where the identification data existing in the database and stored therein in the registration phase are compared with the identification data transmitted in step 2-26. If these identification data are the same, e.g. the data amounts are the same, a different identifier number and, at the same time, a verification that the user B may open the file are transmitted to the user B in step 2-28.
[0025] In step 2-30, the user B opens the e-mail by means of the memory device. The file opens and it is thus delivered to its destination in a secure way.
[0026] Messages, signals and documents to and from the user B pass through the user B's own server.
[0027] In step 2-32, the user B may send data to the database, such as data on the time he has opened or read the attachment. The user A may also send corresponding data to the database.
[0028] The file to be stored and opened may be located in the server or cloud.
[0029] According to a preferred embodiment, the user may also encrypt his own files on the computer. The user may open the program, select a file to be encrypted and encrypt the file with his memory stick. After this, the files only open by using the correct memory stick or memory card, i.e., when the user opens the file by using the memory stick of the same encryption algorithm that he used for encrypting the file. Thus, files stored on the server may also pass through the device according to the invention and its preferred embodiments and acting as a memory device.
[0030] The e-mail can only be opened with a mass-memory device or other given component. This means that when the person A sends an encrypted e-mail to the person B, the latter person must use his mass-memory device if he wants to open the e-mail. The purpose is to achieve a physical verification that increases data security in such a way that only the right person can open the e-mail. For example, a memory stick, a memory card or an external mass-memory device may function as the mass-memory device. Thus, the external mass-memory device acts as a physical key to encrypted data or data to be encrypted.
[0031] If a person C receives the encrypted e-mail in his mailbox and opens it, he receives a notification that this e-mail and/or the attachment of the e-mail is encrypted. The person C needs to log in to the e-mail key program. When the person C logs in to the program and tries to open the e-mail and/or the attachment of the e-mail, then.
[0032] In other words, user data of all the users who are given permission to participate in a specific encrypted communication may be entered into the e-mail key program. The entering of data may be performed in a firm which manufactures mass-memory devices, or in another firm, for instance. For example, an ID account1 may be generated for the person A and an ID account2 may be generated for the person B. When the person A wants to send an important file to the person B, he defines the person B as the recipient in the e-mail. When the purpose is to keep this communication encrypted, i.e., the file is transmitted as encrypted, the program retrieves the encryption key of the person B from the server. At the same time, the person B is given rights to open the file. When the person B sees that he has received a communication, such as an e-mail, notifying that an encrypted file has been received, he can open the file by using his memory stick in the computer. At this stage, he brings the memory stick in connection with the computer and contacts the server, in which... The file cannot be opened in any other way. The invention and its preferred embodiments thus increase data security in devices receiving sensitive data. Thus, when the device according to the invention and its preferred embodiments is used, data leakages, for instance, would not occur at all.
[0033] In the method according to a preferred embodiment, mass-memory identification is utilised. In the first step thereof, a mass-memory device is attached to a machine. Then a program on the mass-memory device may be opened and a desired service, such as a cloud service, may be selected from the program. The cloud service may have been built on the platform of a service producer or service provider.
[0034] The service requests a username and a password, which may be entered into the program. Next, the files may be transferred via file management to an encrypting program, after which the program encrypts the files that are transferred to the cloud, or the user's own files, before they are transferred to the server and/or kept encrypted on the user's computer. Furthermore, physical node data, such as location data, time of use and/or log information, may be added. In this way, a key to the cloud is generated. The encrypted files are transmitted to the cloud, and the files are located encrypted in the cloud, i.e., on the server of the data network or in the memory of the data network. The location of the files may be a part of the cloud, which may be encrypted.
[0035] After the files have been encrypted and possibly stored on another server or the user's own computer, for instance, the key may then be used for opening and reading and further storing the files, whereby the opening may have been performed with a proprietary program. In other words, the files have been transferred to the cloud as encrypted, and they exist encrypted in the cloud.
[0036] In connection with opening and reading and further storing the files, the mass-memory device is connected to the computer in which the encrypted files are to be read or used in other ways. At this stage, the user logs in to the encryption program and enters the username and the password into the program. After this, the encryption program application opens and asks where to go or where to retrieve the file: whether the file will be read locally or from the cloud. If the cloud is selected as the file location, the cloud account may open in the file management system, for example. After this, it is possible to view the encrypted documents in the cloud, the cloud service and/or the memory in the cloud. The files are read locally because they must be encrypted locally.
[0037] File encryption may be performed in various ways, such as by means of the aforementioned AES (Advanced Encryption Standard) with a 256-bit key.
[0038] According to a preferred embodiment, databases may be located on certified or protected servers, such as in the premises of a service provider or a client. Communication may be established by using an SSL connection (Secure Sockets Layer), for instance.
[0039] Information on the servers may be encrypted by, for instance, a hash value used in connection with a digital signature, such as a so-called hash code and/or a so-called southed code, in order to increase data security. This reduces the risk of intrusion.
[0040] According to a preferred embodiment of the invention, a plurality of different users may now manage their files safely in the network. For this purpose, a mass-memory device may be provided for each user by using the same encryption key and each user may register in the service. These users may form the first file transfer or data exchange group. Thereafter, each user may check, read, encrypt and decrypt files in the network, for example, by using the encryption key of the group. Each file name can be seen in the network and each user can view the files with his own memory device.
[0041] According to another preferred embodiment of the invention, a backup feature may be provided on the memory stick. Here, whenever the memory stick is inserted into the computer and the computer is in connection with the Internet, the program on the memory stick transmits the latest version of the encrypted file to the memory in connection with the Internet server for storage. If the memory stick gets lost, the data still remains stored in the network.
[0042] By inserting the memory stick into the computer, the user may observe his files and save new files on the memory stick. When the memory stick is connected and has a connection to the Internet, it loads the new files onto its memory. Alternatively, when the memory stick is connected to the computer and, through it, to the cloud service, the files in the cloud service are removed therefrom automatically.
[0043] According to the invention and its preferred embodiments, a method for transferring a file from a sending address to a target address comprises starting 2-2 an encryption program stored on a mass-memory device 1-12; transmitting 2-4 a first identifier assigned to the mass-memory device to a predefined address related to the encryption program to authenticate the mass-memory device; receiving 2-8 an accepting response to authenticate the mass-memory device, the response comprising a second identifier assigned to the mass-memory device; receiving 2-10 via a user interface the target address of the file to be transmitted and encrypted; transmitting 2-12 the target address to the predefined address related to the encryption program to authenticate the target address; receiving 2-16 an accepting response to authenticate the target address; receiving 2-18 via the user interface the file to be encrypted; encrypting 2-18 the file with the encryption program stored on the mass-memory device; storing 2-18 the encrypted file on the mass-memory device; receiving 2-18 via the user interface a selection of the encrypted file to be transmitted; and transmitting 2-20 the selected encrypted file from the sending address to the target address.
[0044] The user interface may be, for instance, a computer, a tablet computer, a mobile station, a navigator, a television, an oscilloscope or some other device to which the mass-memory device can be connected or arranged.
[0045] The file may also be re-encrypted with the same or another encryption program stored on the mass-memory device in response to the selection of the encrypted file to be transmitted, which was received via the user interface. The authentication of the mass-memory device can be performed at least partly on the basis of the data amount transmitted. Alternatively or additionally, the user identifier and/or password and/or location of the mass-memory device user may be used for the authentication. A random code may also be used.
[0046] The location may also be used in such a manner that the IP address of the place where the encryption was used is transmitted to the database, from which, in case of a lost memory stick, for example, the most recent place of use of the memory stick can be read. This may be performed before step 2-4, for instance. If the device has been lost or forgotten, a signal, such as 'user inactive', may be supplied from the database to the device, which inactivates all data on the device, and it can no longer be used after this.
[0047] Log information may also be transmitted to the database. Information, such as how long the mass-memory device has been used, which data or files of the stick have been used and what is stored on the stick, can be read from the log information. Log information supplied to the database may be assembled or it may form a file log, from which it is possible to read which data exist on which memory stick or other mass-memory device.
[0048] The encryption method and arrangement of the invention and its preferred embodiments may also be applied in such a manner that it is now possible to determine, in which location the mass-memory device can be opened or read or in which location it is possible to store data thereon. It is also possible to give different addresses and rights to different user groups.
[0049] A method for opening a file, the file being received from a sending address at a target address, comprises receiving 2-20 via a user interface an encrypted file from the sending address; starting 2-22 an encryption program stored on a mass-memory device 1-12; transmitting 2-24 a first identifier assigned to the mass-memory device 1-12 to a predefined address related to the encryption program to authenticate the mass-memory device 1-12; receiving 2-28 an accepting response to authenticate the mass-memory device 1-12, the response comprising a second identifier assigned to the mass-memory device; and opening 2-30 the encrypted file via the user interface by means of the encryption program stored on the mass-memory device 1-12.
[0050] A method for performing file transfer authentication comprises the steps of: storing a list of target addresses, which may encrypt a file and transmit and receive an encrypted file; storing first identifiers assigned to mass-memory devices 1-12; and, in response to receiving 2-4 an identifier from a sending address for authenticating a mass-memory device: searching 2-6 for the received first identifier among the stored identifiers; if the corresponding identifier is found among the stored identifiers, generating 2-8 a second identifier to be assigned to the mass-memory device and transmitting 2-8 an accepting response to authenticate the mass-memory device, the response comprising the second identifier assigned to the mass-memory device; marking the first identifier as used; and, in response to receiving 2-12 a target address from the sending address for authenticating the target address: searching 2-14 for the received target address among the stored target addresses; and if the corresponding target address is found, transmitting 2-16 an accepting response to authenticate the target address. The device according to the invention and its preferred embodiments and the means comprising the device for performing the method steps.
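The following Go program is an added example, not code from the patent, modelling the device authentication of steps 2-4 to 2-8 and the target-address check of steps 2-12 to 2-16 described in [0018] to [0020] and summarised in [0050], together with the AES-256 file encryption of [0021] and [0037]. It assumes a per-user file key kept in the database, since [0032] has the sender retrieve the recipient's key from the server; GCM as the AES mode, all type and function names, and the sample addresses are this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server stands in for server 1-20 and database DB 1-10 (steps 2-4..2-8, 2-12..2-16); names are this example's own.
type Server struct {
	owner map[string]string // identifier -> owner address
	used  map[string]bool   // identifiers already presented ("marked as used", claim 5)
	keys  map[string][]byte // registered address -> AES-256 file key
}

func NewServer() *Server {
	return &Server{owner: map[string]string{}, used: map[string]bool{}, keys: map[string][]byte{}}
}

// randomBytes draws n bytes from crypto/rand (the "random code" of [0011]).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// RegisterDevice is the formatting phase of [0018]/[0019]: a first identifier is generated for the stick; the per-user file key of [0032] is stored alongside (assumption).
func (s *Server) RegisterDevice(owner string) string {
	id := fmt.Sprintf("%x", randomBytes(16))
	s.owner[id] = owner
	s.keys[owner] = randomBytes(32)
	return id
}

// Authenticate implements steps 2-6 and 2-8: a known, unused identifier is marked
// used and a fresh second identifier is stored and returned; a replay is refused.
func (s *Server) Authenticate(presented string) (string, error) {
	owner, ok := s.owner[presented]
	if !ok || s.used[presented] {
		return "", errors.New("identifier unknown or already used")
	}
	s.used[presented] = true
	next := fmt.Sprintf("%x", randomBytes(16))
	s.owner[next] = owner
	return next, nil
}

// AuthorizeTarget implements steps 2-14 and 2-16: the recipient's file key is handed out only for a registered target address.
func (s *Server) AuthorizeTarget(addr string) ([]byte, bool) {
	key, ok := s.keys[addr]
	return key, ok
}

// newGCM builds AES-256-GCM: the page names AES-256, GCM is this example's choice so a wrong key or a modified file is detected on opening.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is step 2-18: output is nonce || ciphertext under the recipient's key.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile is step 2-30 on the recipient's side.
func DecryptFile(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	s := NewServer()
	idA := s.RegisterDevice("userA@example.com") // constructed sample addresses
	s.RegisterDevice("userB@example.com")
	_, err := s.Authenticate(idA)    // steps 2-4/2-8: the genuine stick is accepted
	_, replay := s.Authenticate(idA) // a copied stick replaying the first identifier
	key, _ := s.AuthorizeTarget("userB@example.com")                      // steps 2-12/2-16
	sealed, _ := EncryptFile(key, []byte("constructed sample attachment")) // step 2-18
	plain, openErr := DecryptFile(key, sealed)                            // step 2-30, user B
	fmt.Println(err == nil, replay != nil, openErr == nil, string(plain))
}
```

The used-marking detects a copied device only on the second presentation of the same identifier, so a refused replay is worth recording in the log information of [0047] rather than silently dropping.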
[0051] The system according to the invention and its preferred embodiments comprises: a first device comprising means for performing first method steps and an interface for receiving a mass-memory device; a second device comprising means for performing second method steps and an interface for receiving a mass-memory device; a third device comprising means for performing third method steps; a first mass-memory device comprising an encryption program and an identifier for authenticating the mass-memory device; a second mass-memory device comprising an encryption program and an identifier for authenticating the mass-memory device; and a database comprising a list of addresses, which may encrypt a file and transmit and receive an encrypted file and a list of identifiers assigned to the mass-memory devices.
[0052] The device according to the invention and its preferred embodiments comprises computer program means arranged to perform all steps of a method when said program is run on a computer.
[0053] In accordance with the invention and its preferred embodiments, a plurality of advantages are achieved, such as secure data encryption in such a manner that there is only one way of decrypting data and information. This is carried out with a decryption key that exists on a memory stick. In other words, a file can now be opened only by using a memory device. In addition, data security increases and the computer itself need not be encrypted.
[0054] Data security and reliability of cloud services and technology can also be increased and improved. In accordance with the invention and its preferred embodiments, a key for the cloud is generated, the use of which key requires a physical device, such as a memory stick, enabling the user to access files in the cloud. Thus, servers become more secure, too. A computer need not be encrypted to achieve an efficient encryption according to the invention, but computers may also be encrypted.
[0055] According to the invention and its preferred embodiments, a plug-in element may be provided behind the firewall, which provides the advantage of increased reliability when traffic to the server is encrypted.
[0056] It is obvious to a person skilled in the art that as technology advances, the basic idea of the invention may be implemented in many different ways. The invention and its embodiments are thus not restricted to the examples described above but may vary within the scope of the claims.

Claims
1. A method for transferring a file from a sending address to a target address, characterized in that the method comprises:
- starting (2-2) an encryption program stored on a mass-memory device (1-12);
- transmitting (2-4) a first identifier assigned to the mass-memory device (1-12) to a predefined address related to the encryption program to authenticate the mass-memory device (1-12);
- receiving (2-8) an accepting response to authenticate the mass-memory device (1-12), the response comprising a second identifier assigned to the mass-memory device;
- receiving (2-10) via a user interface the target address of the file to be transmitted and encrypted;
- transmitting (2-12) the target address to the predefined address related to the encryption program to authenticate the target address;
- receiving (2-16) an accepting response to authenticate the target address;
- receiving (2-18) via the user interface the file to be encrypted;
- encrypting (2-18) the file with the encryption program stored on the mass-memory device (1-12);
- storing (2-18) the encrypted file on the mass-memory device (1-12);
- receiving (2-18) via the user interface a selection of the encrypted file to be transmitted; and
- transmitting (2-20) the selected encrypted file from the sending address to the target address.
2. A method as claimed in claim 1, characterized by re-encrypting (2-18) the file with the same or another encryption program stored on the mass-memory device (1-12) in response to the selection of the encrypted file to be transmitted, which was received via the user interface.
3. A method as claimed in any one of the preceding claims 1 to 2, characterized by authenticating (2-6) the mass-memory device at least partly on the basis of the data amount transmitted.
4. A method for opening a file, the file being received from a sending address at a target address, characterized in that the method comprises:
- receiving (2-20) via a user interface an encrypted file from the sending address;
- starting (2-22) an encryption program stored on a mass-memory device (1-12);
- transmitting (2-24) a first identifier assigned to the mass-memory device (1-12) to a predefined address related to the encryption program to authenticate the mass-memory device (1-12);
- receiving (2-28) an accepting response to authenticate the mass-memory device (1-12), the response comprising a second identifier assigned to the mass-memory device; and
- opening (2-30) the encrypted file via the user interface by means of the encryption program stored on the mass-memory device (1-12).
5. A method for file transfer authentication, characterized in that the method comprises:
- storing a list of target addresses, which may encrypt a file and transmit and receive an encrypted file;
- storing first identifiers assigned to mass-memory devices (1-12);
- in response to receiving (2-4) an identifier from a sending address for authenticating a mass-memory device (1-12):
- searching (2-6) for the received first identifier among the stored identifiers;
- if the corresponding identifier is found among the stored identifiers, generating (2-8) a second identifier to be assigned to the mass-memory device (1-12) and transmitting (2-8) an accepting response to authenticate the mass-memory device (1-12), the response comprising the second identifier assigned to the mass-memory device;
- marking the first identifier as used;
- in response to receiving (2-12) a target address from the sending address for authenticating the target address:
- searching (2-14) for the received target address among the stored target addresses; and
- if the corresponding target address is found, transmitting (2-16) an accepting response to authenticate the target address.
6. A device comprising means for performing the method as claimed in any one of claims 1 to 3.
7. A device comprising means for performing the method as claimed in claim 4.
8. A device comprising means for performing the method as claimed in claim 5.
9. A system comprising:
a first device comprising means for performing the method as claimed in claims 1 to 3 and an interface for receiving a mass-memory device (1-12);
a second device comprising means for performing the method as claimed in claim 4 and an interface for receiving a mass-memory device (1-12);
a third device comprising means for performing the method as claimed in claim 5;
a first mass-memory device (1-12) comprising an encryption program and an identifier for authenticating the mass-memory device (1-12);
a second mass-memory device (1-12) comprising an encryption program and an identifier for authenticating the mass-memory device (1-12); and
a database comprising a list of addresses, which may encrypt a file and transmit and receive an encrypted file and a list of identifiers assigned to the mass-memory devices (1-12).
10. A system as claimed in claim 9, wherein the first device further comprises means for performing the method as claimed in claim 4 and the second device further comprises means for performing the method as claimed in claims 1 to 3.
11. A computer program, characterized in that it comprises computer program means arranged to perform all steps of the method as claimed in any one of claims 1 to 5 when said program is run on a computer.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20135753 2013-07-08

Publications (1)

Publication Number Publication Date
WO2015004327A1 true WO2015004327A1 (en) 2015-01-15

Family

ID=52279395

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2014/050566 WO2015004327A1 (en) 2013-07-08 2014-07-08 Method and device for file encryption

Country Status (1)

Country Link
WO (1) WO2015004327A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117473537A (en) * 2023-12-27 2024-01-30 北京亿赛通科技发展有限责任公司 File security level calibration method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080263363A1 (en) * 2007-01-22 2008-10-23 Spyrus, Inc. Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption
US20120066493A1 (en) * 2010-09-14 2012-03-15 Widergren Robert D Secure Transfer and Tracking of Data Using Removable Non-Volatile Memory Devices
US20120084544A1 (en) * 2010-10-04 2012-04-05 Ralph Robert Farina Methods and systems for providing and controlling cryptographically secure communications across unsecured networks between a secure virtual terminal and a remote system
US20120198224A1 (en) * 2010-08-10 2012-08-02 Maxlinear, Inc. Encryption Keys Distribution for Conditional Access Software in TV Receiver SOC
US20120210119A1 (en) * 2004-06-14 2012-08-16 Arthur Baxter Method and Apparatus for Secure Internet Browsing
US20120265976A1 (en) * 2011-04-18 2012-10-18 Bank Of America Corporation Secure Network Cloud Architecture
US20130173904A1 (en) * 2011-12-29 2013-07-04 Eric T. Obligacion Secure data communications with network back end devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PEARSON, SIANI ET AL.: "Securing Information Transfer in Distributed Computing Environments.", IEEE SECURITY & PRIVACY, vol. 6, no. ISS. 1, January 2008 (2008-01-01), pages 34 - 42, XP011200923, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4446695> [retrieved on 20141017], DOI: doi:10.1109/MSP.2008.19 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14823213

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28/04/2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14823213

Country of ref document: EP

Kind code of ref document: A1