1. Field of Art
The disclosure generally relates to the field of secured document access.
2. Description of the Related Art
The use of digital data to store and share private or sensitive information has become commonplace. Private or sensitive digital data may be stored locally on a personal computing device, or it may be stored remotely by a server that caches, copies and archives information transmitted using web services. Additionally, the intended recipients may also store such information locally or remotely. The unwanted disclosure of private digital data has also become commonplace. Information can be disclosed by a trusted or intended recipient of the information, or as a result of an accidental or malicious attack or theft.
One attempt to protect sensitive data stored either locally or remotely requires explicitly and manually deleting all such data, or executing a command (e.g., installing a cron job in UNIX) to perform the deletion. However, this approach is not very effective because one may not be able to delete data from all sources; for example, emails can be stored, cached, or backed up at numerous places throughout the Internet or on email servers. Furthermore, such techniques do not protect against physical theft of drives or storage devices prior to a manual delete, so disclosure of sensitive data is still possible.
In another approach to protecting sensitive data, a standard public key or symmetric encryption scheme, such as PGP (pretty good privacy) or GPG (GNU privacy guard), has been employed. However, such protection measures only provide protection against attackers who do not have access to the decryption keys. For example, there exist situations where unauthorized parties could learn private keys, so disclosure of sensitive data is still possible.
A potential alternative to standard encryption might be to use forward-secure encryption. Forward privacy means that if an attacker learns the state of the user's cryptographic keys at some point in time, the attacker should not be able to decrypt data encrypted at an earlier time. However, due to caching in backup archives, the attacker may either view past cryptographic state or force a user to decrypt his data, thereby violating the model for forward-secure encryption. For similar reasons, and to avoid introducing new trusted agents or secure hardware, other cryptographic approaches, like key-insulated and intrusion-resilient cryptography, are not used. Finally, exposure-resilient cryptography tolerates an attacker viewing parts of a key, whereas here an attacker may view all of a key.
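The forward-security property and the caching caveat described above, as an added illustration that is not part of this disclosure: a one-way hash ratchet evolves the key state after every message, so an attacker who captures the state at a later epoch can decrypt later messages but not earlier ones; a cached copy of an earlier state (a backup archive) removes that protection entirely. The ratchet, the HMAC-based toy keystream, and the names `ForwardSecureSender` and `recover_with_state` are constructed for this example and stand in for a real forward-secure scheme.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def ratchet(state: bytes) -> bytes:
    # One-way step: state k+1 is a hash of state k, so holding state k+1
    # reveals nothing about state k (the hash would have to be inverted).
    return hashlib.sha256(b"ratchet" + state).digest()


def epoch_key(state: bytes) -> bytes:
    # Per-epoch encryption key derived from the state; a leaked epoch key
    # does not expose the state it was derived from.
    return hmac.new(state, b"epoch-key", hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256, used only so the example
    # runs on the standard library; not a substitute for an authenticated cipher.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


class ForwardSecureSender:
    """Encrypts each message under the current epoch key, then ratchets."""

    def __init__(self, initial_state: bytes):
        self.state = initial_state
        self.epoch = 0

    def seal(self, plaintext: bytes):
        record = (self.epoch, encrypt(epoch_key(self.state), plaintext))
        self.state = ratchet(self.state)  # previous state is overwritten here
        self.epoch += 1
        return record


def recover_with_state(state: bytes, state_epoch: int, record):
    """Model of what a party holding (state, epoch) can decrypt: it can ratchet
    forward to any later epoch, but cannot step back to an earlier one."""
    target_epoch, ciphertext = record
    if target_epoch < state_epoch:
        return None  # forward security: earlier epochs are out of reach
    for _ in range(target_epoch - state_epoch):
        state = ratchet(state)
    return decrypt(epoch_key(state), ciphertext)


def demo():
    sender = ForwardSecureSender(b"\x01" * 32)  # constructed initial state
    backup_of_initial_state = sender.state      # e.g. a copy kept in an archive
    records = [sender.seal(m) for m in (b"epoch-0 secret", b"epoch-1 secret",
                                        b"epoch-2 secret")]
    # Attacker reads the live state after three messages (now at epoch 3) ...
    compromised_state, compromised_epoch = sender.state, sender.epoch
    # ... and the user keeps sending afterwards.
    records.append(sender.seal(b"epoch-3 secret"))
    return {
        "later_message": recover_with_state(compromised_state, compromised_epoch, records[3]),
        "earlier_message": recover_with_state(compromised_state, compromised_epoch, records[1]),
        "earlier_via_backup": recover_with_state(backup_of_initial_state, 0, records[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The third result is the point of the caveat: forward security only holds if old state is genuinely gone, and a single cached or backed-up copy of an earlier state lets every later message derived from it be recovered.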
Another approach might be to use steganography, deniable encryption, or a deniable file system. The idea is that one could hide, deny the contents of, or deny the existence of private historical data, rather than destroying it. These approaches are also attractive but hard to scale and automate for many applications, such as generating plausible cover texts for emails and SMS messages. In addition, such a system, if applied to local files in a particular folder, would require the user to take several steps. It is not an automatic or invisible solution from a user's perspective.
For online, interactive communications systems, an ephemeral key exchange process can protect derived symmetric keys from future disclosures of asymmetric private keys. A system like OTR (off the record) messaging is particularly attractive, but this approach is not directly suited for less-interactive email applications, and similar arguments can be made for OTR's unsuitability for the other above-mentioned applications as well.
Another approach is the Ephemerizer family of solutions. These approaches introduce one or more (possibly thresholded) trusted third parties which (informally) escrow information necessary to access the protected contents. These third parties destroy this extra data after a specified timeout. The biggest risks with such centralized solutions are that they may not be trustworthy, or that even if they are trustworthy, users may still not trust them, hence limiting their adoption. Indeed, many users may be wary of using dedicated, centralized trusted third party services after it was revealed that the Hushmail email encryption service was offering the clear-text contents of encrypted messages to a third party.