1. Field of the Invention
The present invention relates to computer systems and, more particularly, to a method for revoking computer backup files using cryptographic techniques.
2. Discussion of Related Art
Many computer systems, such as local area networks (or LANs), have a central file system for multiple users. FIG. 1 illustrates a typical LAN 100. The LAN 100 comprises a central file server 102 which includes a system memory 104. This system memory 104 is a central file system for a number of terminals 106-1-106-n. These terminals transmit data to and receive data from the server 102. To prevent a catastrophic loss of stored information if, for example, the system memory 104 crashes, computer systems often make a backup copy of all files existing at a particular time. For example, once a week or once a month a computer system may make a backup copy of some or all files existing at that time. The backups are performed by the central file server 102 and a backup system 108. These backups may be kept separately from the central file storage system, such as on magnetic tape. Backups may be made onto any suitable memory device or medium, but are herein described as being made on tape. The backup tape may then be stored forever, sometimes off site.
This backup policy enables users to restore an entire central file system to particular points in time from the past. Files on the backup tape may be accessed provided the backup tape is not erased or discarded. Accessing these files may require retrieving one or more backup tapes (often from off site storage), physically mounting the tape or tapes onto a tape drive, locating the desired file on the tape or tapes, and copying the file from the appropriate tape.
It is often desirable to erase all copies of particular files, such as sensitive, confidential, or out-of-date information. For example, many institutions have a document retention program in which after a certain time period (such as three years) certain classifications of documents are retained and all other documents (both hard and electronic copies) are destroyed. Other examples of situations where deleting an entire file, including the backup, is desirable include a patient removing medical files from a hospital's computer system upon checkout, removing financial data which should be erased after a short period of time, or government agencies desiring to delete sensitive data for security purposes.
On many computer systems the "remove-file" command instructing the computer system to delete a file misleads the user into thinking that the file is entirely removed. If the file was copied onto a backup, however, the file is still available, provided that the backup tape has not been erased or discarded. This file availability is an important feature used to protect against accidental file erasure or system crashes and is a primary reason file systems are backed up. The ability to delete backup files is particularly important for users of UNIX operating systems. Standard UNIX operating system backup utilities, e.g., dump and tar, do not enable a user to specify a collection of files that should not be backed up. A user therefore has no way to ensure that a file is completely removed, because a copy of it persists on every backup tape made while the file existed.
In an article entitled "The Messy Business of Culling Company Files," Wall Street Journal, pp. B1-B2, May 22, 1997, the importance of purging old files is discussed. The article notes, for example, that "a perfectly innocent document . . . in the hands of a skilled attorney . . . can be made to look sinister." Also, a user may wish to remove the history and cache files of his web browser. The Wall Street Journal article notes, for example, that offensive jokes found on company computers were submitted as evidence in discrimination lawsuits against certain companies. This article, however, does not address the problem of purging backup tapes. Thus, if documents are backed up, they may still be obtained by an adversary, such as opposing counsel in a litigation.
A naive solution to this problem is simply to erase the data from the file system and then remove the file from every backup tape on which it may be found. This may require retrieving and mounting the backup tapes one by one (tapes which may be stored off site), locating the file on each tape, and erasing the data from each tape. Note that if a particular file was stored on the file system for a year, it may have been backed up many times (such as 12, 52, or 365 times, depending on whether backups are monthly, weekly, or daily).
This naive method is impractical for at least two reasons. First, the method is inconvenient to the user. The user typically calls a computer operator or network supervisor whenever such an erasure is to take place. The computer operator may have to retrieve many tapes from storage (which may be off site) and then mount each tape onto a tape drive, search each tape, and erase the relevant portions. Second, this naive approach is likely to fail. The computer operator may have to remove the data from many backup tapes. Not only is this procedure painstaking as described above, it is also insecure because the operator is not infallible and may inadvertently neglect to remove the data from one or more of the old backup tapes or inadvertently erase information intended to be saved.
Cryptographic file systems are known. One such system is described by M. Blaze, "A Cryptographic File System for Unix", available at http://www.cert-kr.or.kr/doc/Crypto-File-System.ps.asc.html. This document is incorporated herein by reference. In a cryptographic file system, files are stored on the system memory in encrypted form using an encryption function E (such as DES, IDEA, or FEAL) under a secret key K. A plaintext message M is encrypted into a ciphertext message C using the encryption function keyed with K, written E_K. Thus, E_K(M)=C. The ciphertext message C may be decrypted back to the plaintext message M using the corresponding decryption function D under the same secret key K, written D_K. Thus, D_K(C)=M.
In the cryptographic file system, whenever a file stored on the file system is to be accessed, it is decrypted on the fly using the owner's decryption key. The backup tape is a direct dump of the file system, i.e., the tape contains the encrypted version of every file. Persons having access to the decryption key to decrypt the file on the file system may also access the backed up version of the file. Typically, only the file owner has access to the decryption key. As long as the backup tape exists and the file owner has the decryption key, the file remains on the backup tape in encrypted form. This arrangement does not guarantee that backed up files are inaccessible to other parties. For example, the owner might be forced to reveal his decryption key, e.g., due to a court order. Thus, the cryptographic file system does not guarantee that data on the backup tape desired to be disposed of cannot be accessed.
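The following Python model is an added illustration of the two points made above: that the "remove-file" command deletes only the live copy while every backup tape keeps its own copy, and that in a cryptographic file system the backup tape is a direct dump of ciphertext which anyone holding the owner's key can decrypt. It is example code written for this page, not Blaze's CFS and not part of the present invention. The cipher is a stand-in for DES, IDEA or FEAL: a keystream derived from HMAC-SHA256 in counter mode, XORed with the data. The keys, file path and file contents are constructed for the example.

```python
import hmac
import hashlib
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC-SHA256(key, nonce || counter) in counter mode.

    Stands in for the block cipher E (DES, IDEA, FEAL) named in the text.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E_K(M) = C. A fresh random nonce is prepended so two files never share keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(m ^ k for m, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """D_K(C) = M. Under any other key the keystream differs and the output is garbage."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class CryptographicFileSystem:
    """System memory holds only ciphertext; a file is decrypted on the fly when accessed."""

    def __init__(self):
        self.disk = {}  # path -> ciphertext

    def write(self, path: str, key: bytes, data: bytes) -> None:
        self.disk[path] = encrypt(key, data)

    def read(self, path: str, key: bytes) -> bytes:
        return decrypt(key, self.disk[path])

    def remove_file(self, path: str) -> None:
        # The "remove-file" command: it deletes only the live copy.
        del self.disk[path]

    def dump(self) -> dict:
        # A backup is a direct dump of the file system: the encrypted version of every file.
        return dict(self.disk)


# Constructed sample values for the example (not taken from the original page).
OWNER_KEY = hashlib.sha256(b"owner key for the example").digest()
OTHER_KEY = hashlib.sha256(b"a key the owner never used").digest()
PATH = "/home/alice/patient-record.txt"
PLAINTEXT = b"Patient record: discharged 1997-05-22. Confidential."


def simulate_backup_then_remove() -> dict:
    """Write a file, take a backup tape, remove the live file, then try to recover it from tape."""
    fs = CryptographicFileSystem()
    fs.write(PATH, OWNER_KEY, PLAINTEXT)
    tape = fs.dump()          # the weekly backup tape, kept indefinitely, perhaps off site
    fs.remove_file(PATH)      # the user now believes the file is gone
    return {
        "live_copy_exists": PATH in fs.disk,
        "tape_copy_exists": PATH in tape,
        "tape_is_ciphertext": PLAINTEXT not in tape[PATH],
        "recovered_with_owner_key": decrypt(OWNER_KEY, tape[PATH]),
        "recovered_with_other_key": decrypt(OTHER_KEY, tape[PATH]),
    }


if __name__ == "__main__":
    r = simulate_backup_then_remove()
    print("live copy exists:        ", r["live_copy_exists"])
    print("tape copy exists:        ", r["tape_copy_exists"])
    print("tape holds ciphertext:   ", r["tape_is_ciphertext"])
    print("owner key recovers file: ", r["recovered_with_owner_key"] == PLAINTEXT)
    print("other key recovers file: ", r["recovered_with_other_key"] == PLAINTEXT)
```

Removing the live file changes nothing on the tape, and the tape's copy is readable by whoever holds OWNER_KEY, whether that is the owner or a party who obtained the key under compulsion. The data therefore remain recoverable exactly as long as the key does, which is the gap in the cryptographic file system that the objects stated below are directed at.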
Therefore, it is an object of the present invention to provide a method for revoking backup files in a manner in which the revoked files are inaccessible to anyone.
It is another object of the present invention to provide a method for revoking backup files without having to physically mount and search backup tapes.
It is a further object of the present invention to provide an infallible, automated method for revoking backup files.