Patents Assigned to Blackout, Inc.
  • Patent number: 8825999
    Abstract: A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: September 2, 2014
    Assignee: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Patent number: 8549326
    Abstract: Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after they were created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred en route and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: October 1, 2013
    Assignee: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Patent number: 8549278
    Abstract: Windows Rights Management Services (RMS) are leveraged to provide protection and sharing of encryption keys for file systems. An encrypting file system (EFS) delegates key sharing, management and recovery to the RMS system. User rights to file encryption keys (FEKs) are derived from files' security descriptor information or as explicitly specified by users. Whenever an encrypted file is created, its FEK is protected using RMS, as a byte stream stored in file encryption metadata information. When a user with access tries to access an encrypted file without having a private key to decrypt the FEK, the EFS transparently extracts the RMS protected byte stream from the file encryption metadata information and uses RMS to access the FEK stored in the byte stream using the user security context. The FEK is protected with the user master key, encryption certificate or password and cached for the next user file access.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: October 1, 2013
    Assignee: Blackout, Inc.
    Inventor: Ahmed Mohamed
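The three grants above share one design: a trusted party (the EWS of 8825999, the trusted service account of 8549326, the RMS-backed EFS of 8549278) holds the wrapping and signing keys, binds an authorization list to the protected secret, signs the whole record, and on access checks integrity first, then authenticates the caller, then compares the caller's identity against the signed list. The following is an added example of that flow, not code from the patents or from Blackout, Inc.: the secret it wraps is a constructed FEK stored as a byte stream in the file's encryption metadata, HMAC-SHA256 stands in for the digital signature, an HMAC-derived counter-mode keystream stands in for a real AEAD such as AES-GCM, and the user names, passwords and class names are all assumptions. It shows why the authorization list must sit under the signature: an unauthorized user who edits herself into the list is rejected as tampering before the list is ever consulted.

```python
"""Added example: a toy trusted encryption service in the style of the
abstracts above.  Not the patents' code.  HMAC stands in for a digital
signature and an HMAC-derived counter-mode keystream stands in for a
real AEAD such as AES-GCM (both assumptions made for a stdlib-only demo)."""
import hashlib
import hmac
import json
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with an HMAC-SHA256 counter-mode keystream.
    The nonce must never repeat under one key; callers draw it from os.urandom."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def _canonical(record: dict) -> bytes:
    """Deterministic encoding of every field except the signature itself."""
    return json.dumps({k: v for k, v in record.items() if k != "sig"},
                      sort_keys=True).encode()


class TrustedService:
    """The trusted party (EWS / trusted service account in the abstracts).
    Only it holds the wrapping and signing keys; clients hold sealed records."""

    def __init__(self) -> None:
        self._wrap_key = os.urandom(32)
        self._sign_key = os.urandom(32)
        self._users: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, pbkdf2 hash)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000))

    def _authenticate(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(calc, stored)

    def seal(self, owner: str, secret: bytes, authorized: list[str]) -> dict:
        """Sealed record: ciphertext + authorization list + signature over both.
        'authorized' plays the role of identities taken from a file's security
        descriptor or named explicitly by the owner."""
        nonce = os.urandom(16)
        record = {
            "nonce": nonce.hex(),
            "ct": _keystream_xor(self._wrap_key, nonce, secret).hex(),
            "authorized": sorted(set(authorized) | {owner}),
        }
        record["sig"] = hmac.new(self._sign_key, _canonical(record), hashlib.sha256).hexdigest()
        return record

    def unseal(self, record: dict, user: str, password: str) -> bytes:
        """Release the secret only if the record is untampered (checked first, so an
        edited authorization list is rejected before it is consulted), the caller
        authenticates, and the caller's identity appears in the signed list."""
        expected = hmac.new(self._sign_key, _canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(record.get("sig", ""))):
            raise PermissionError("record tampered")
        if not self._authenticate(user, password):
            raise PermissionError("authentication failed")
        if user not in record["authorized"]:
            raise PermissionError("identity not authorized")
        return _keystream_xor(self._wrap_key, bytes.fromhex(record["nonce"]),
                              bytes.fromhex(record["ct"]))


def demo() -> dict:
    """Share, authorized open, unauthorized open, forged list, bad password,
    using constructed users and a constructed FEK."""
    svc = TrustedService()
    for name in ("alice", "bob", "mallory"):
        svc.register(name, f"{name}-pw")            # constructed credentials
    fek = os.urandom(32)                            # constructed file encryption key
    blob = svc.seal("alice", fek, ["bob"])          # the byte stream kept in file metadata

    results = {"bob_gets_fek": svc.unseal(blob, "bob", "bob-pw") == fek}
    try:
        svc.unseal(blob, "mallory", "mallory-pw")
        results["mallory_denied"] = False
    except PermissionError as exc:
        results["mallory_denied"] = str(exc) == "identity not authorized"
    forged = dict(blob, authorized=blob["authorized"] + ["mallory"])  # Mallory edits the list
    try:
        svc.unseal(forged, "mallory", "mallory-pw")
        results["forgery_detected"] = False
    except PermissionError as exc:
        results["forgery_detected"] = str(exc) == "record tampered"
    try:
        svc.unseal(blob, "bob", "guess")
        results["bad_password_denied"] = False
    except PermissionError as exc:
        results["bad_password_denied"] = str(exc) == "authentication failed"
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in `unseal` is the security-relevant point: signature, then authentication, then authorization. Verifying the signature over the canonical encoding of every field except `sig` is what turns a client-side edit of the authorization list into a detected tamper rather than a successful privilege grant. In a production version the service's signing key would be an asymmetric key so that clients can also verify envelopes offline, the FEK released to an authorized user would be re-wrapped under that user's own key for caching, and the keystream helper would be replaced by an AEAD.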
  • Publication number: 20090106550
    Abstract: A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.
    Type: Application
    Filed: September 26, 2008
    Publication date: April 23, 2009
    Applicant: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Publication number: 20090106552
    Abstract: A method to leverage Windows Rights Management Services (RMS) to provide protection and sharing of encryption keys for file systems. RMS enables users to share protected content without having to exchange encryption certificates or passwords. Using the method, any EFS can be extended to protect its FEKs and assign user access rights to them using RMS. This enables EFSs to delegate key sharing, management and recovery to the RMS system. User rights to FEKs are derived from files' security descriptor information or as explicitly specified by users. Whenever an encrypted file is created, its FEK is protected using RMS and the resulting byte stream is stored in the file encryption metadata information. When a user tries to access an encrypted file and doesn't have a private key to decrypt the FEK, the EFS transparently extracts the RMS protected byte stream from the file encryption metadata information.
    Type: Application
    Filed: August 29, 2008
    Publication date: April 23, 2009
    Applicant: Blackout, Inc.
    Inventor: Ahmed Mohamed
  • Publication number: 20090106549
    Abstract: Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after they were created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred en route and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file.
    Type: Application
    Filed: July 30, 2008
    Publication date: April 23, 2009
    Applicant: Blackout, Inc.
    Inventor: Ahmed Mohamed