(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2002/0099666 A1
Dryer et al.
(43) Pub. Date: Jul. 25, 2002

(54) SYSTEM FOR MAINTAINING THE SECURITY OF CLIENT FILES

(76) Inventors: Joseph E. Dryer, Houston, TX (US); John David Lambert, Katy, TX (US)

Correspondence Address:
Joseph E. Dryer
10307 Sugar Hill Drive
Houston, TX 77042 (US)

(21) Appl. No.: 10/007,893
(22) Filed: Nov. 13, 2001

Related U.S. Application Data
(60) Provisional application No. 60/252,720, filed on Nov. 22, 2000.

Publication Classification
(51) Int. Cl.: H04K 1/00
(52) U.S. Cl.: 705/71

(57) ABSTRACT

Embodiments of the invention provide a high degree of security to a computer or several computers connected to the Internet or a LAN. Where there is a high degree of confidentiality required, a combination of hardware and software secures data and provides some isolation from the outside network. An exemplary hardware system consists of a processor module, a redundant non-volatile memory system, such as dual disk drives, and multiple communications interfaces. This security system must be unlocked by a passphrase to access data, and all data is transparently encrypted, stored, archived and available for encrypted backup. A system for maintaining secure communications, file transfer and document signing with PKI, and a system for intrusion monitoring and system integrity checks are provided, logged and selectively alarmed in a tamper-proof, time-certain manner. The encryption keys can be automatically sent encrypted to be escrowed with a secure party to allow recovery.
[FIG. 1, Sheet 1 of 5: Lockbox 102 coupled to the protected computers and to the Internet 150. Labelled elements include file integrity checking / access checks 134, ephemeral messaging 124, e-mail messaging 126, possible corporate firewall 148, possible corporate intranet 146, tunneling, power conditioning, mirror and UPS 144. Drawing not reproduced.]

Page 1 of 11
Netskope Exhibit 1013

[FIG. 2, Sheet 2 of 5: Lockbox connected through Internet connection 216 to the Internet 206 and to the protected computers. Drawing not reproduced.]

[FIG. 3, Sheet 3 of 5: Lockbox with connection 316 to the Internet 306 and to the ISP 326. Drawing not reproduced.]

[FIG. 4, Sheet 4 of 5: Lockbox 400 within a corporate intranet; see paragraph [0015]. Drawing not reproduced.]

[FIG. 5, Sheet 5 of 5: document list for "James Client" with signed/unsigned status per document, the option to sign and send a file to "Tom Owner", and registration and acknowledgment notes. Drawing not reproduced.]
SYSTEM FOR MAINTAINING THE SECURITY OF CLIENT FILES

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims benefit of United States provisional patent application Ser. No. 60/252,720, filed Nov. 22, 2000, which is herein incorporated by reference.

TECHNICAL FIELD OF THE INVENTION

[0002] This invention generally relates to data processing. More particularly, embodiments of the invention relate to security provisions for on-line communications as well as secure data storage.

BACKGROUND OF THE INVENTION

[0003] When the computer replaced the file cabinet as the storage place for documents, the threat of physical loss of those documents through theft or destruction, as by fire or flood, remained. In addition, the computer added its own methods of data destruction, such as file corruption, computer virus or disk crash. Most corporations also maintain system administration that allows system administrators to have access to most computer data. Not only does this imply trust in the department with administrator or root authorization, but the object of most computer hacking is to obtain this level of authorization, and this is often accomplished. Operating with user or administrator authorization in a user's computer allows file deletion and modification and could allow disk formatting, emailing of any file to outside parties, and modification of the computer's security settings. This is difficult to overcome in a computer without restricting the normal secure functioning of the computer, since the attacker can often attain the ability to perform any function a legitimate user of the computer can perform. Common email communications of this sensitive information are in plain text and are subject to being read by unauthorized code on the sender's system, during transit, and by unauthorized code on the receiver's system.
BRIEF DESCRIPTION OF THE DRAWINGS

[0004] So that the manner in which the above recited features, advantages and objects of the present invention are attained and can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to the embodiments thereof which are illustrated in the appended drawings.

[0005] It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

[0006] FIG. 1 shows a high level diagram of an embodiment of a security device, termed a Lockbox, coupled to an end user's computer (PC) and to a network (e.g., a LAN). Information from the PC is transferred to the security device, where the information is encrypted and stored. Illustratively, information is distributed according to client in order to be available for customer viewing over a secure socket. However, the Lockbox also supports standard file structures and can store any normal computer folders.

[0007] FIG. 2 shows one use of the Lockbox where a routable static IP address is available to allow the Lockbox to act as a web host, providing enhanced data security and secure communications for a small office environment.

[0008] FIG. 3 shows an alternative embodiment of the Lockbox as a security and storage system in which files enciphered by an owner's security device are duplicated on a remotely located third-party ISP host. The host provides access restricted to authorized users.

[0009] FIG. 4 shows an alternative embodiment of the Lockbox as a security and storage system in which the computer to be secured is located within a corporate LAN. While the data security inherent in the Lockbox is retained, the communications security is provided by an encrypted standardized Internet service to either another Lockbox or to a secure third party server with customized software.

[0010] FIG. 5 shows a client file as viewed by the client under a secure socket connection. This illustrates the client's ability to view all documents in the folder, to digitally sign selected documents, and to securely return documents with comments. It illustratively shows a client file established by "Tom Owner" for viewing by "James Client".
SUMMARY OF THE INVENTION

[0011] To address these problems this invention proposes to offer the computer owner a comprehensive security system. Where there is a high degree of confidentiality required, a combination of hardware and software secures that data. Running software with a restricted operating system on a separate processor allows security of stored files that cannot be corrupted by commands from a compromised host system. An exemplary hardware system, referred to in this application as a "Lockbox", consists of a processor module, a redundant non-volatile memory system such as dual hard disks, power conditioning, and multiple communications interfaces. The Lockbox is connected by a Local Area Network link to a protected computer or computers. On power-up the Lockbox data is inaccessible until the Lockbox is connected to the appropriate networks and unlocked by a passphrase from a protected computer. After unlocking, the Lockbox can provide files only to a protected computer. The Lockbox regularly archives its files. Data stored in the Lockbox is encrypted before storage and decrypted before delivery to a protected computer, transparently to the user. Files delivered to client folders in the Lockbox will trigger an email to the client notifying them of the availability of a communication. The client can only access his folder by establishing a secure socket connection, and thereby viewing, digitally signing or modifying the client file contents. Security is further enhanced by a firewall, various system integrity checks, and intrusion detection, all of which log incidents and, if the incident is sufficiently serious, alarm the user. These logs and alarms cannot be disabled by any commands from the host system.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0012] An exemplary configuration of a Lockbox is illustrated in FIG. 1. The Lockbox enclosure 102 includes power conditioning and UPS 144 and two Ethernet ports 110 and 112 for connection to a protected subnet 150 and to an outside network 151, respectively. The outside network 151 can be either an outside intranet 146 or the Internet 150. When an Intranet 146 is employed this customarily connects through a firewall 148 to the Internet 150. The protected subnet 150 connects to one or more protected user computers represented by 104, 106 and 108 by Ethernet connections, with any required switches, etc. not shown. Within the Lockbox 102 an encrypted file system 114 encrypts and decrypts on-the-fly the Ethernet communications between the protected computers 104-108 and the internally stored encrypted data. The files stored in 114 are regularly archived in 116 to provide file access if malicious code in a protected computer erases or alters a file in 114. The file system 114 also organizes client folders, exemplified by 118, 120 and 122, in addition to regular files. As shown in the progression from 120 to 122, there can be an indefinite number of client folders, and a client folder can represent a group of clients. Associated with a client folder are files to be sent to the client, files received from the client, and client information such as client password, email address, and digital signature public and private key. A computer task 126 scans for changes in the client folders and sends emails to the client or to the user on receipt of a file to be sent to the client or received from the client, respectively. Another task 124 can be activated to purge a sent message from the system once the client has retrieved it. All incoming and outgoing communications to the outside network 151 pass through an internal firewall 128 to provide layered security to the protected subnet 150 and to the Lockbox. Traffic is monitored by the firewall 128 and reported to a logging task 130, which also has input from internal integrity checks 132, which monitor the physical condition of the Lockbox, the functioning of its components, invalid access attempts, and the file access monitor 134. The file access monitor 134 detects attempts to access selected files as an additional intrusion monitor. The time is continually monitored over the Internet by a task 136 that ensures the accuracy of the time stamps in the logs. Any failure of this task is alerted. Any changes in passphrases can be optionally detected by a task 138 to trigger an encrypted exchange with a trusted party to escrow the change. In association with the client folders a task 140 can optionally provide a Public Key Infrastructure for the internally stored digital signatures. A task is provided for organizing a network tunneling system 142 to allow secure encrypted communications, using ordinary Internet communications protocol, to associated software on an outside computer on the Intranet 146 or the Internet 150. This task monitors the encrypted file system 114 to detect changes and, if the change is in a selected file, coordinates a change in the outside computer to mirror those changes. Conversely, changes in the mirrored files in the outside computer are reflected to 114.
[0013] FIG. 2 illustrates the Lockbox connected to an Internet connection 216, which would normally be a routable, static IP address, through the Lockbox outside port 204. The Lockbox 200 incorporates the features of 102 in FIG. 1. The Lockbox communicates over the Internet 206 to client boxes on the Internet, as illustrated by 220 and 222. The Lockbox can also communicate with a mirrored outside computer 224 running tunneling mirror software to provide data backup. The Lockbox connects via its Ethernet connection 202 to a protected subnet 214 and from there to one or more protected computers, as illustrated by 208, 210 and 212.

[0014] FIG. 3 illustrates the possibility of securely exporting the function of providing the secure email notification to an outside Internet Service Provider (ISP) using the tunneling mirror service. This is useful if a static, routable IP address is not available to the Lockbox at its connection 316. Elements 300 to 324 correspond to elements 200 through 224 in FIG. 2, respectively. The ISP 326 is also connected to the Internet 328. The ISP 326 contains a web server 330 that connects to a mirrored remote client box 332 with software corresponding to the tunneling mirror software 142 in FIG. 1. This software negotiates an encrypted communication with 142 to mirror the client folders in the Lockbox (118 through 122 in FIG. 1) to mirrored folders in the ISP, illustrated by 334, 336 and 338. Changes in the folders detected by task 342 trigger emails to the client to allow retrieval through a secure socket communication to the ISP. The client, when accessing his folder through the secure socket, can add files to his folder or digitally sign the files in his folder, and the mirroring task 332 will communicate this information to the equivalent folders in the Lockbox 300 to allow update of those files by task 142 in FIG. 1. Task 340 allows purging of the client's selected files on retrieval by the client.
[0015] FIG. 4 illustrates the use of a Lockbox 400 within a local area network such as a company's Intranet 418. Such an Intranet is usually accompanied by a firewall or firewalls 420 to limit access to the Internet 422. In such a configuration the Lockbox 400 serves to provide layered protection to the protected subnet 414 and to the protected computers connected on that subnet, such as 408, 410 and 412. Connection is made to the protected subnet 414 through the Ethernet connection 402. The Ethernet connection to the outside world 404 serves both as a connection to the Intranet and as a means of tunneling encrypted Internet standard protocol messages containing information on the files to be mirrored. These tunneled messages 418 can pass through the corporate intranet 418 and firewall 420 to another server 430 located externally on the Internet or locally on the Intranet. The server 430 contains an Ethernet port 428 that serves both as an ordinary Internet connection 426 and as a recipient for the tunneled Internet messages 418. Another Lockbox could function as the server 430. In the server, task 234 is a web server with the file decryption, functioning as 114 in FIG. 1. The tunneling mirror task 436 mirrors selected files in the Lockbox in communication with task 142 in FIG. 1. To ensure accurate file coordination there is an accurate, web-based time synchronizing task 440 in the server, corresponding to task 136 in FIG. 1. Optionally the server could have a file server 442 to connect to a local area network at the server's location via an Ethernet port 432. This would be useful if the Lockbox 400 is serving consultants on computers 408 through 412 who want to make their local files available to operators at their office on computers such as 446 over their home office local area network 444. In such a configuration the Lockbox would serve to protect the confidentiality of the consultant's files from the corporate network 418, protect the consultant's computers 408 through 412 from attacks from the Intranet 418, and provide physical security to those files through the encrypted file system. Clients and co-workers such as 448 can log on to the Internet through an ordinary Internet access 450 to view selected files in client folders over a secure socket connection.
[0016] In a particular embodiment, a file in the Lockbox is shared with a protected computer using standard file sharing. The Lockbox data will therefore appear as another folder or disk drive to an unmodified protected computer. The Lockbox maintains its own encryption of stored data with an internal symmetric encryption key. This ensures that the encryption cannot be compromised by data stored on the protected computer. The data in the Lockbox will be unintelligible to anyone having physical possession of the Lockbox or having direct access to the files on the Lockbox, since the key is not available until the Lockbox has been unlocked by the passphrase. The data stored on the Lockbox is regularly archived to a second disk, with software to coordinate the data archiving and check the integrity of each storage device. In the case of a storage failure, as in a disk crash, the files are maintained in the uncorrupted storage and the user is notified that the corrupted drive must be replaced. On replacement, the data is restored to both drives and operation continues uninterrupted. The archiving of data, rather than a straight backup, allows data recovery in case an attacker on a protected computer directs the deletion of files. An attacker would not be able to reformat the Lockbox drives, since this level of control is not available to a protected computer.
[0017] To ensure that the data is available in the case of a complete physical destruction of the host computer and Lockbox, as in the case of the destruction of the building by fire, the software includes the ability to externally archive the data on a periodic basis. The archive files contain a software wrapper carrying non-sensitive information, such as the date on which the data is to be allowed to expire. In one embodiment, the file name and all data in the file are encrypted under a second encryption key; in another embodiment the name is left unencrypted to allow searching of the encrypted data by file name.
[0018] Files are archived, either incrementally or by a total memory dump, into local or remote storage. Locally, the archival will be to removable media, located within the Lockbox or on a protected computer, such as a tape or CD-ROM, for off-site storage. Since the files on the storage media are encrypted, the physical loss of the archival media exposes no file contents, as they are unreadable without the encryption key (in the embodiment that leaves file names unencrypted, the names themselves remain visible on the media).
[0019] In one embodiment, off-site storage is provided whereby the Lockbox is periodically and automatically backed up over a secure Internet communications channel. The Lockbox incorporates tunneling software that allows selected files to be mirrored at the off-site storage. This is accomplished by negotiating a secure channel and encrypting the information inside Internet packets, which appear to intervening firewalls as normal Internet communications. The contents of these packets are unintelligible to any observer (the fact that the two endpoints are communicating, and the volume of traffic, remain visible). Synchronization software is included to update any files modified between mirroring exchanges.
[0020] In any case, the archival computer would then reconstruct an image of the Lockbox's encrypted data files and keep that image available for archival retrieval. As these files are stored encrypted, they are unintelligible to the storing agent. Once restored to the Lockbox, the user would again have unencrypted access to the files by the operation of the Lockbox's decryption ability. The files are referenced in the archival files by their encrypted identifiers, and the Lockbox owner can selectively restore them by reloading them into the Lockbox for decryption.
`
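The archive wrapper described in paragraphs [0017] through [0020] (a clear, non-sensitive header carrying the expiry date and, in one embodiment, the file name; name and contents encrypted under a second key; entries referenced by an encrypted identifier; archivist unable to read anything) can be realised as follows. This is an added illustration and not code from the application. The byte layout, the choice of AES-GCM with the clear header as associated data, and the use of an HMAC of the file name as the identifier are assumptions of the example, since the application specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// Hypothetical wrapper layout (not the patent's own format):
//   "LBX1" | version(1) | flags(1) | expiry unix(8) | nameLen(2) | name | nonce(12) | AES-GCM(payload)+tag
// The clear header is authenticated as associated data, so an altered expiry or
// name fails to open. Payload is the file data when flagPlainName is set, or
// nameLen(2) | name | data when the name is encrypted along with the contents.
const flagPlainName byte = 1

type Header struct {
	PlainName bool
	Expiry    time.Time
	Name      string // set only in the searchable (clear-name) embodiment
	nonce     []byte
	aadLen    int
}

func be(v uint64, n int) []byte { // big-endian, low n bytes of v
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, v)
	return b[8-n:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps one file under the second (archive) key.
func Seal(key []byte, name string, data []byte, expiry time.Time, plainName bool) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(name) > 0xFFFF {
		return nil, errors.New("bad key length or name too long")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	hdr := append([]byte("LBX1\x01"), 0) // magic, version 1, flags
	hdr = append(hdr, be(uint64(expiry.Unix()), 8)...)
	payload := data
	if plainName {
		hdr[5] = flagPlainName
		hdr = append(append(hdr, be(uint64(len(name)), 2)...), name...)
	} else {
		hdr = append(hdr, 0, 0)
		payload = append(append(be(uint64(len(name)), 2), name...), data...)
	}
	hdr = append(hdr, nonce...)
	return gcm.Seal(append([]byte(nil), hdr...), nonce, payload, hdr), nil
}

// ParseHeader reads the clear part: all the archivist can see without the key.
func ParseHeader(blob []byte) (Header, error) {
	var h Header
	if len(blob) < 16 || string(blob[:5]) != "LBX1\x01" {
		return h, errors.New("not a Lockbox archive entry")
	}
	h.PlainName = blob[5]&flagPlainName != 0
	h.Expiry = time.Unix(int64(binary.BigEndian.Uint64(blob[6:14])), 0).UTC()
	n := int(binary.BigEndian.Uint16(blob[14:16]))
	if len(blob) < 16+n+12 {
		return h, errors.New("truncated header")
	}
	h.Name, h.nonce, h.aadLen = string(blob[16:16+n]), blob[16+n:16+n+12], 16+n+12
	return h, nil
}

// Open authenticates header and payload together, then splits out the name.
func Open(key, blob []byte) (string, []byte, error) {
	h, err := ParseHeader(blob)
	if err != nil {
		return "", nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	plain, err := gcm.Open(nil, h.nonce, blob[h.aadLen:], blob[:h.aadLen])
	if err != nil {
		return "", nil, errors.New("authentication failed: wrong key or modified archive")
	}
	if h.PlainName {
		return h.Name, plain, nil
	}
	if len(plain) < 2 || len(plain) < 2+int(binary.BigEndian.Uint16(plain[:2])) {
		return "", nil, errors.New("corrupt payload")
	}
	n := int(binary.BigEndian.Uint16(plain[:2]))
	return string(plain[2 : 2+n]), plain[2+n:], nil
}

// Identifier is the keyed pseudonym under which an entry with an encrypted name
// is indexed; an HMAC stands in for the patent's unspecified "encrypted identifier".
func Identifier(key []byte, name string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte archive key
	blob, _ := Seal(key, "client-a/contract.doc", []byte("confidential terms"), time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), false)
	h, _ := ParseHeader(blob)
	fmt.Printf("archivist sees name=%q expiry=%s id=%s\n", h.Name, h.Expiry, Identifier(key, "client-a/contract.doc"))
	name, data, err := Open(key, blob)
	fmt.Println("owner restores:", name, string(data), err)
}
```

Because the expiry date and (optionally) the name are bound into the GCM tag, an archivist can read them to discard expired entries or search by name, but cannot alter them without the owner noticing on restore; the data key never leaves the Lockbox, so the archivist learns nothing of the contents.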
[0021] Provision is made in the code to optionally and automatically escrow to a trusted third party or internal agent the encryption key and the passphrase that unlocks the Lockbox. This ensures that the data remains unintelligible to any third-party archivist but is still available to the authorized person in the case of unforeseen circumstances, such as the physical destruction of the Lockbox or the removal of the user. The separation of the encrypted data access from the key storage access is designed to prevent one party, such as the system administrator, from having access to both, and therefore to the data. The escrow agent maintains a public key under which the Lockbox automatically encrypts the selected access keys and emails them to the agent. This is done automatically each time the keys are changed. In the exceptional case where the keys are lost, the escrow agent will return the keys after proper authentication. The key may be stored in a symmetric encrypted form on the Lockbox pending receipt of acknowledgment from the escrow agent, in order to prevent intermediate loss.
`
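The escrow exchange of paragraph [0021], as an added example rather than the application's own code: the Lockbox encrypts the data key and passphrase under the escrow agent's public key, keeps a pending copy until the agent returns a signed acknowledgment for that specific package, and the agent can recover the material only with its private key. RSA-OAEP for the envelope, RSA-PSS for the acknowledgment, the JSON packaging and the version counter are assumptions of the example; the pending copy here is the already-sealed envelope rather than a separate symmetric wrapping, and the owner authentication that precedes recovery is outside the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Package is what the Lockbox emails to the escrow agent: the data key and
// passphrase, RSA-OAEP encrypted to the agent's public key (hypothetical format).
type Package struct {
	Version  uint32
	Envelope []byte
}

type secrets struct { // must fit OAEP's limit: 190 bytes for RSA-2048/SHA-256
	DataKey    []byte `json:"data_key"`
	Passphrase string `json:"passphrase"`
}

var oaepLabel = []byte("lockbox-escrow")

// receiptDigest is what the agent signs to acknowledge one specific package.
func receiptDigest(p *Package) []byte {
	h := sha256.New()
	h.Write([]byte("escrow-receipt\x00"))
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], p.Version)
	h.Write(v[:])
	h.Write(p.Envelope)
	return h.Sum(nil)
}

// EscrowAgent is the trusted third party; only it holds the private key.
type EscrowAgent struct{ key *rsa.PrivateKey }

func NewEscrowAgent() (*EscrowAgent, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &EscrowAgent{key: k}, nil
}

func (a *EscrowAgent) PublicKey() *rsa.PublicKey { return &a.key.PublicKey }

// Receive stores the package (opaque to the agent until a recovery is
// authorised) and returns a signed acknowledgment for the Lockbox.
func (a *EscrowAgent) Receive(p *Package) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, a.key, crypto.SHA256, receiptDigest(p), nil)
}

// Recover opens the envelope; in practice it runs only after the owner has
// been authenticated, which this example does not model.
func (a *EscrowAgent) Recover(p *Package) ([]byte, string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.key, p.Envelope, oaepLabel)
	if err != nil {
		return nil, "", errors.New("cannot open envelope: not the escrow private key")
	}
	var s secrets
	if err := json.Unmarshal(plain, &s); err != nil {
		return nil, "", err
	}
	return s.DataKey, s.Passphrase, nil
}

// Lockbox side: escrow on every key or passphrase change (task 138) and keep
// the copy pending until the agent's acknowledgment verifies.
type Lockbox struct {
	agentPub *rsa.PublicKey
	version  uint32
	pending  map[uint32]*Package
}

func NewLockbox(pub *rsa.PublicKey) *Lockbox {
	return &Lockbox{agentPub: pub, pending: map[uint32]*Package{}}
}

func (l *Lockbox) Escrow(dataKey []byte, passphrase string) (*Package, error) {
	plain, err := json.Marshal(secrets{DataKey: dataKey, Passphrase: passphrase})
	if err != nil {
		return nil, err
	}
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, l.agentPub, plain, oaepLabel)
	if err != nil {
		return nil, err
	}
	l.version++
	p := &Package{Version: l.version, Envelope: env}
	l.pending[p.Version] = p
	return p, nil
}

// Acknowledge checks the agent's signature over the pending package; a forged
// or mismatched receipt leaves the pending copy in place.
func (l *Lockbox) Acknowledge(version uint32, sig []byte) error {
	p, ok := l.pending[version]
	if !ok {
		return errors.New("no pending escrow with that version")
	}
	if err := rsa.VerifyPSS(l.agentPub, crypto.SHA256, receiptDigest(p), sig, nil); err != nil {
		return errors.New("acknowledgment signature invalid; copy kept pending")
	}
	delete(l.pending, version)
	return nil
}

func (l *Lockbox) Pending() int { return len(l.pending) }

func main() {
	agent, _ := NewEscrowAgent()
	lb := NewLockbox(agent.PublicKey())
	pkg, _ := lb.Escrow([]byte("0123456789abcdef0123456789abcdef"), "example passphrase") // constructed
	fmt.Println("pending:", lb.Pending(), "forged ack:", lb.Acknowledge(pkg.Version, []byte("x")))
	sig, _ := agent.Receive(pkg)
	fmt.Println("genuine ack:", lb.Acknowledge(pkg.Version, sig), "pending:", lb.Pending())
	k, pp, err := agent.Recover(pkg)
	fmt.Printf("recovered: %s / %q (%v)\n", k, pp, err)
}
```

The signed receipt is over the exact envelope bytes and version, so an acknowledgment replayed from an earlier escrow does not clear the pending copy of a later one; the envelope itself is useless to anyone, including the Lockbox's own administrator, who does not hold the agent's private key.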
[0022] When the protected computers are located within a host local area network, a client cannot normally establish secure socket communications, since such computers do not normally have a routable static IP address. In this case the mirrored remote client functionality can be provided by an associated Lockbox at a static IP address on the corporate Internet interface, or by a secure server at a third party running parts of the Lockbox software, as shown in FIG. 4. The Lockbox contains code for negotiating an encryption with a correspondent computer and encrypting file transfers with that correspondent computer by embedding the encrypted data within ordinary Internet packets. This is referred to as tunneling through the Internet. The secure tunneling functionality of the Lockbox ensures the security of communications while traveling between the Lockbox and the corresponding secure server or Lockbox.
[0023] Where the Lockbox is connected to the Internet, there can be, as a customer service, regular scans of the interface to test for vulnerabilities. This, together with the internal system health monitor, detection of invalid logon attempts, firewall intrusion detection, and the disk integrity tests, will provide warnings of impending or actual problems. Such warnings are logged and, if of sufficient importance, alarmed to the protected computers. These logs and alarms cannot be turned off or erased by the protected computers, so an intruder has no way of masking his attacks. The logs can be cleared on an alarmed command, deleting only those entries older than a predetermined time before the command. This prevents an intruder from deleting the logs that evidenced his intrusion.
`
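The logging behaviour of paragraphs [0012] and [0023] (time-stamped entries from the firewall, the integrity checks and the file access monitor; alarms on serious incidents; logs that a compromised protected computer cannot alter; and a clear command that removes only entries older than a retention window) can be made tamper-evident with a hash chain, so that any edit, deletion or reordering by an intruder who did reach the log is detected. The following is an added example, not code from the application; the hash-chain construction, the field names and the retention parameter are assumptions, and the timestamp is passed in rather than read from the clock so the behaviour is reproducible.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// Entry is one record of the Lockbox log (hypothetical layout). The timestamp
// comes from the time-sync task (136) and is passed in so the chain is testable.
type Entry struct {
	Seq      uint64
	Time     time.Time
	Source   string // e.g. "firewall 128", "file access monitor 134"
	Severity string // "info" or "alarm"
	Message  string
	PrevHash string // hash of the preceding entry, or the anchor after a clear
	Hash     string
}

// digest binds every field to the previous hash, so editing, removing or
// reordering any entry breaks the chain.
func (e Entry) digest() string {
	h := sha256.New()
	for _, f := range []string{e.PrevHash, strconv.FormatUint(e.Seq, 10),
		strconv.FormatInt(e.Time.Unix(), 10), e.Source, e.Severity, e.Message} {
		h.Write([]byte(f))
		h.Write([]byte{0}) // field separator
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Log is the append-only chain. Anchor is the hash the oldest surviving entry
// must link to; after a clear it is the hash of the last deleted entry.
type Log struct {
	Entries []Entry
	Anchor  string
	Alarms  []string // what is raised to the protected computers
	nextSeq uint64
}

func NewLog() *Log { return &Log{Anchor: "genesis", nextSeq: 1} }

// Append records an incident; "alarm" severity is also raised to the user.
func (l *Log) Append(at time.Time, source, severity, msg string) Entry {
	prev := l.Anchor
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: l.nextSeq, Time: at, Source: source, Severity: severity, Message: msg, PrevHash: prev}
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	l.nextSeq++
	if severity == "alarm" {
		l.Alarms = append(l.Alarms, fmt.Sprintf("#%d %s: %s", e.Seq, source, msg))
	}
	return e
}

// Verify recomputes every hash and follows the links back to the anchor.
func (l *Log) Verify() error {
	prev := l.Anchor
	for _, e := range l.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken (an entry was removed or reordered)", e.Seq)
		}
		if e.digest() != e.Hash {
			return fmt.Errorf("entry %d: contents altered", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

// Clear is the alarmed clear command: only entries older than cmdTime-retain
// are dropped, the anchor moves to the last dropped entry so the remainder
// still verifies, and the clear itself is logged as an alarm.
func (l *Log) Clear(cmdTime time.Time, retain time.Duration) int {
	cutoff := cmdTime.Add(-retain)
	n := 0
	for n < len(l.Entries) && l.Entries[n].Time.Before(cutoff) {
		n++
	}
	if n > 0 {
		l.Anchor = l.Entries[n-1].Hash
		l.Entries = append([]Entry(nil), l.Entries[n:]...)
	}
	l.Append(cmdTime, "operator", "alarm", fmt.Sprintf("log cleared: %d entries before %s removed", n, cutoff.UTC().Format(time.RFC3339)))
	return n
}

func main() {
	base := time.Date(2002, 7, 25, 12, 0, 0, 0, time.UTC) // constructed timestamps
	l := NewLog()
	l.Append(base, "firewall 128", "info", "blocked inbound probe")
	l.Append(base.Add(10*time.Minute), "file access monitor 134", "alarm", "read attempt on tripwire file")
	fmt.Println("verify:", l.Verify())
	l.Entries[1].Message = "nothing happened" // an intruder edits the record
	fmt.Println("after tampering:", l.Verify())
}
```

The chain only makes tampering detectable; what keeps the log from being rewritten wholesale is that, as the application describes, it lives on the Lockbox's separate processor where no command from a protected computer can reach it. Publishing the latest hash to the escrow agent or to an external syslog would let an outside party detect a rewrite of the whole chain, but the application does not describe that.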
[0024] Where there are several protected computers with a need to access files while maintaining confidentiality from each other, the system could use traditional restricted shared file access to provide separate user areas.
[0025] The Lockbox includes a web server with passphrase-protected, secure socket viewing of client folders. The user sets up the client folders to be accessible to a particular set of user names with associated passphrases and digital signatures. This allows the client secure access to the documents selected by the secure computer owner as accessible for that user and password, and the ability to securely return documents. FIG. 5 shows one example of such a client view of the documents and one example of the client options. The establishment of the documents, the notice to the client of the availability of the documents, and the access by the client to the documents would all be logged and archived to address any subsequent issues of failure to communicate. Notice would be sent to the Lockbox owner of documents available to a client for whom no access attempts were made within some established period. The communications with the client may also include provision for digital signatures of client documents, using, for exampl
