There are many situations where it is desirable or necessary to encrypt data when the data is stored and/or transmitted, principally in order to prevent unauthorized access to the data. A number of different methods and techniques for encrypting data are known. Some of these make use of a “container” concept: the data is encrypted and “wrapped” in a (digital) container for which various access policies can be applied to control which users can access the (encrypted) data within the container and under what circumstances. A container is a meta-file format whose specification describes how different data elements and metadata coexist in a computer file. The encryption key which is used to encrypt (and, correspondingly, decrypt) the data may itself be encrypted for secure storage purposes, typically in the prior art by using a user-entered password as an encryption key for that encryption.
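The password-based key wrapping described above, as an added example that is not taken from the original text: a random content key is wrapped under a key derived from the user's password, and only the wrapped form is stored in the container header. The header field names, the PBKDF2 iteration count and the XOR-mask-plus-HMAC wrap are assumptions of this sketch; the XOR mask stands in for a standard key wrap such as AES-KW, because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, tune for the target device
KEY_LEN = 32          # content key size in bytes


def derive_kek(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into a 32-byte mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def wrap_key(content_key: bytes, password: str) -> dict:
    """Return a container header holding the content key in wrapped form."""
    if len(content_key) != KEY_LEN:
        raise ValueError("content key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    mask, mac_key = derive_kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(content_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(header: dict, password: str) -> bytes:
    """Recover the content key; fail closed on a wrong password or tampering."""
    mask, mac_key = derive_kek(password, header["salt"])
    expected = hmac.new(mac_key, header["salt"] + header["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong password or modified header")
    return bytes(a ^ b for a, b in zip(header["wrapped"], mask))


def rewrap(header: dict, old_password: str, new_password: str) -> dict:
    """Change the password without re-encrypting the container's data."""
    return wrap_key(unwrap_key(header, old_password), new_password)


if __name__ == "__main__":
    content_key = os.urandom(KEY_LEN)  # constructed sample key
    header = wrap_key(content_key, "old passphrase")
    header = rewrap(header, "old passphrase", "new passphrase")
    print(unwrap_key(header, "new passphrase") == content_key)
```

The wrapped key is only as strong as the password that protects it, which is why the derivation is deliberately slow and salted.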
Data can be sent in an encrypted form over some kind of transmission system, including for example one or more of wireless and wired connections, local and wide area networks, the Internet, cellular (mobile) telephone systems, etc. The data may be sent between user devices or may be uploaded to or downloaded from some central server or servers, such as at a user's workplace.
However, a problem with encrypting data is making it easily accessible to users. This is a particular problem where the user is using a mobile device, including for example a wireless device such as a so-called smart phone or a tablet computer or the like, or other devices of relatively low computing power, including devices that connect to a network with wired connections, as such devices may have relatively limited amounts of storage and functionality. A particular example is enabling users to have a secure way of viewing and/or editing data or files in general, or carrying out other actions in respect of the data or files including for example other manipulation, transformation, processing, storage, transmission and other computing operations. Such files may have been downloaded or received at the user device as an attachment to an email or by some other file transfer protocol or method. Since a container may contain many files, this can give rise to problems, as many different types of files are typically stored and each different type of file requires different application code to view/edit/manipulate/etc., so the container application becomes larger the more different types of files it supports. It is desirable to make the encrypted file available to third-party applications on the user device, such as viewers/editors/etc., though this availability must be achieved in a secure manner which does not compromise the security of the encrypted file.
Another issue that may arise in practice is that the secure containers on a user device may need to be updated from time to time in certain respects. For example, there may be some central control center which manages the user devices and at least some of the files that are stored on the user devices. The central control center may for example want to amend certain access policies or the like for one or more of the files in the containers, or delete the containers or the file(s) within them, perhaps because the user device has been lost or stolen. However, it may be that some of the containers on the user device effectively only connect to the central control center rarely or never and thus it may be difficult in practice to update access policies or the like, or delete the files, for all of the containers concerned on the user device in a timely fashion.
Another issue that arises is the matter of how to generate encryption keys that are to be used to encrypt and decrypt data. This is a particular issue where there are several applications running on a computing device that require access to or store data in encrypted form. This includes the case above where there are several applications such as viewers/editors/etc. on the computing device that access and/or store data in encrypted form. It is inconvenient for a user to have to enter a password each time that a particular application accesses data on a user device, but it is also preferred not to use the same encryption key for each application for security reasons.
Various aspects of the present invention are directed to overcoming one or more of the problems set out above.