The invention relates to the protection of data stored in a computer, and more particularly to the protection of data stored in a memory vault system.
In order to secure data from unauthorized access, the data may be encrypted. Encryption algorithms are commonly designed to use a key pair: one key for encryption and one key for decryption. Encryption is used to encode information and send it as an encrypted file. Encryption may also be used to set up a secure connection between two computers so that eavesdroppers will not be able to intercept data being exchanged.
An encrypted container may be used to protect data within a computer system. An encrypted container is a reserved area on a disk to which protected files are copied and saved. This may be implemented by creating a file which is encrypted, and which is mounted as and acts as a file system. Prior art encrypted containers allow content distributors to distribute content to users without endangering the security of the content. A client side container-opener application is used to access the encrypted container. The client side container-opener may limit the accesses to data in the encrypted container in any number of ways. For example, it may allow the data to be accessed only at certain times or with a proof of payment key.
Prior art encrypted container systems provide limited security once the container is opened and the data released. When a file is opened in a computer running prior art software and operating systems, the data may leak to applications (such as the clipboard or other system applications) and may be copied and left insecure during system operations, such as printing. This compromises the system.
Some client side container-openers may come with integrated data-display mechanisms which allow the user to view the secure data. For example, Folio (NextPage, Inc.) provides a viewer browser to display files and the viewer browser prevents unauthorized use of data by turning off application level controls. However, this means that when documents in Folio are displayed, data can still be saved to the clipboard and attacked in other ways from the system level.
Watermarking or digital fingerprinting by the client side container-opener application can be used to trace the origin of content which has been opened and removed from an encrypted container. This will allow tracing of content which has been distributed in an unauthorized way. However, this still allows the data to be viewed by unauthorized users.
The invention discloses a memory vault system and method particularly applicable to a system in which protected data is transmitted to a recipient with access controls. An illustrative embodiment of the invention comprises a computer system in which secured data in a memory vault is accessed via a system-level security application which enforces strict access controls on data. Outside applications permitted to access data are monitored, and certain system-level commands from these outside applications are mediated by the security application. Back-channeling of any data derived from secured data is effected so that all data remains secured.