Title:
METHOD AND SYSTEM FOR SECURE DATA TRANSFER AND DECRYPTION
Document Type and Number:
WIPO Patent Application WO/2022/162666
Kind Code:
A1
Abstract:
Systems and methods provide for the passing of only encrypted data between system entities, and all data is stored as encrypted. The solution provided by these systems and methods is known as an "always encrypted" solution.

Inventors:
ZOHAR ZEEV (IL)
MERRAN ERIC (IL)
Application Number:
PCT/IL2022/050121
Publication Date:
August 04, 2022
Filing Date:
January 27, 2022
Assignee:
AETERNUS LTD (IL)
International Classes:
G06F21/62; H04L9/08; H04L9/14
Domestic Patent References:
WO2020133477A1 (2020-07-02)
Foreign References:
US20090282241A1 (2009-11-12)
DE102005012878B4 (2018-09-20)
Attorney, Agent or Firm:
ENTIS, Allan C. et al. (IL)
Claims:
CLAIMS

1. A method for decrypting data comprising: monitoring a display screen of a computer for changes in the data being displayed in an application running on the computer; and, responding to a detected change in the data available for being displayed on the display screen including: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to a decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the application on the display screen.

2. The method of claim 1, wherein the replacing the encrypted data with the decrypted data is such that the decrypted data replaces the encrypted data at corresponding locations available for display on the display screen.

3. The method of claim 1, wherein the monitoring is performed by a monitor component.

4. The method of claim 1, wherein the monitoring of the display screen and the responding to the detected change are performed in real time.

5. The method of claim 1, additionally comprising: storing data as encrypted data; and, the computer obtaining at least a portion of the encrypted data for display on the display screen of the computer.

6. The method of claim 2, wherein the at least a portion of the encrypted data displays on the display screen as at least one predetermined unit available for display on the display screen.

7. The method of claim 2, wherein the application causes the encrypted data to be available for display as the at least one predetermined unit on the display screen.


8. The method of claim 6, wherein the at least one predetermined unit is created by the application.

9. The method of claim 8, wherein the application includes a web application.

10. The method of claim 8, wherein the monitoring is performed by a browser extension.

11. The method of claim 1, wherein the sending the extracted data to a decryptor for decrypting the data includes: providing at least one decryption request for decrypting of the extracted data.

12. The method of claim 9, wherein the at least one decryption request includes at least one decryption request for text and/or at least one decryption request for images, in accordance with text and/or images being decrypted.

13. The method of claim 9, wherein the at least one decryption request includes at least one identifier, that is for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data.

14. The method of claim 11, wherein the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted.

15. The method of claim 13, additionally comprising: obtaining a master key for decrypting the encrypted user decryption key.

16. The method of claim 1, wherein upon the decrypted data rendered to the application to be available for display, issuing a command to prevent the decrypted data from being copied.

17. A system for maintaining data as encrypted comprising: a decryptor for decrypting data; an application hosted by a computer; and, a monitor component (MC) in communication with the decryptor and the application, the monitor component configured for: monitoring a display screen of a computer for changes in the data being displayed in the application running on the computer; and, responding to a detected change in the data available for being displayed on the display screen on the computer including: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to the decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the application on the display screen.

18. The system of claim 17, additionally comprising a data store in communication with the monitor component for storing data as encrypted data.

19. The system of claim 17, wherein the monitor component configured for replacing the encrypted data with the decrypted data includes replacing the decrypted data at locations available for display on the display screen corresponding to the locations of the encrypted data.

20. The system of claim 17, wherein the monitoring of the display screen and the responding to the detected change are performed in real time.

21. The system of claim 17, wherein the application causes the encrypted data to be available for display as at least one predetermined unit on the display screen.

22. The system of claim 17, wherein the monitor component is additionally configured for providing at least one decryption request for decrypting of the extracted data, for sending with the extracted data.

23. The system of claim 22, wherein the monitor component provides the at least one decryption request as at least one of: a decryption request for text, and/or a decryption request for images, in accordance with text and/or images being decrypted.

24. The system of claim 23, wherein the monitor component provides the at least one decryption request with at least one identifier for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data.

25. The system of claim 24, wherein the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted.

26. The system of claim 25, wherein the decryptor is configured to obtain a master key for decrypting the encrypted user decryption key.

27. The system of claim 17, wherein the monitor component is configured for issuing a command to prevent the decrypted data from being copied, upon the decrypted data being rendered to the application to be available for display in the application.

28. A system for maintaining data as encrypted comprising: a decryptor for decrypting data; a web application hosted by a computer; and, a browser extension (BRE) associated with the computer, and, in communication with the decryptor and the application, the browser extension configured for: monitoring a display screen of a computer for changes in the data being displayed in the web application running on the computer; and, responding to a detected change in the data available for being displayed on the display screen of the computer including: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to the decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the web application on the display screen.

29. The system of claim 28, additionally comprising a data store in communication with the browser extension for storing data as encrypted data.

30. The system of claim 28, wherein the browser extension configured for replacing the encrypted data with the decrypted data includes replacing the decrypted data at locations available for display on the display screen corresponding to the locations of the encrypted data.

31. The system of claim 29, wherein the monitoring of the display screen and the responding to the detected change are performed in real time.

32. The system of claim 28, wherein the web application causes the encrypted data to be available for display as at least one predetermined unit on the display screen.

33. The system of claim 28, wherein the browser extension is additionally configured for providing at least one decryption request for decrypting of the extracted data, for sending with the extracted data.

34. The system of claim 33, wherein the browser extension provides the at least one decryption request as at least one of: a decryption request for text, and/or a decryption request for images, in accordance with text and/or images being decrypted.

35. The system of claim 34, wherein the browser extension provides the at least one decryption request with at least one identifier for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data.

36. The system of claim 35, wherein the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted.


37. The system of claim 36, wherein the decryptor is configured to obtain a master key for decrypting the encrypted user decryption key.

38. The system of claim 28, wherein the browser extension is configured for issuing a command to prevent the decrypted data from being copied, upon the decrypted data being rendered to the web application to be available for display in the web application.

39. A method for encrypting edited data comprising: receiving input data at a location displayed on a computer by an application; detecting a SAVE action for a SAVE procedure for saving the input data; and, taking control of the SAVE procedure from an operating system of the computer, including: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the encrypted data in the location of the input data in the application; and, resuming the SAVE procedure.

40. The method of claim 39, wherein resuming the SAVE procedure includes sending the encrypted data to storage media.

41. The method of claim 39, wherein saving the input data includes saving the input data in storage media.

42. The method of claim 39, wherein the location includes at least one of a field and/or a box in the application.

43. The method of claim 39, where the input data includes clear data.

44. The method of claim 39, additionally comprising: monitoring the computer for a SAVE action.


45. The method of claim 39, wherein the application includes a web application.

46. The method of claim 45, wherein the monitoring and detecting the SAVE action is performed by a browser extension.

47. The method of claim 39, wherein the monitoring and detecting the SAVE action is performed by a monitor component.

48. A system for encrypting edited data comprising: an application for receiving and displaying input data at a location in an area available for display associated with a display screen of a computer; and, a monitor component associated with the computer, the monitor component configured for: detecting a SAVE action for a SAVE procedure for saving the input data; and, taking control of the SAVE procedure from an operating system of the computer, including: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the encrypted data in the location of the input data in the application; and, resuming the SAVE procedure.

49. The system of claim 48, wherein the monitor component is additionally configured for resuming the SAVE procedure by causing sending of the encrypted data to storage media.

50. The system of claim 49, additionally comprising storage media for storing received data as encrypted.

51. The system of claim 48, wherein the location includes at least one of a field and/or a box in the application.


52. The system of claim 48, wherein the monitor component is additionally configured to monitor the computer for a SAVE action to detect the SAVE action.

53. A system for encrypting edited data comprising: a web application for receiving and displaying input data at a location in an area available for display associated with a display screen of a computer; and, a browser extension associated with the computer, the browser extension configured for: detecting a SAVE action for a SAVE procedure for saving the input data; and, taking control of the SAVE procedure from an operating system of the computer, including: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the encrypted data in the location of the input data in the application; and, resuming the SAVE procedure.

54. The system of claim 53, wherein the browser extension is additionally configured for resuming the SAVE procedure by causing sending of the encrypted data to storage media.

55. The system of claim 54, additionally comprising storage media for storing received data as encrypted.

56. The system of claim 53, wherein the location includes at least one of a field and/or a box in the application.

57. The system of claim 53, wherein the browser extension is additionally configured to monitor the computer for a SAVE action to detect the SAVE action.


Description:
METHOD AND SYSTEM FOR SECURE DATA TRANSFER AND DECRYPTION

RELATED APPLICATIONS

[0001] The present application claims benefit under 35 U.S.C. 119(e) of U.S. Provisional Application 63/142,509, filed on January 28, 2021, the disclosure of which is incorporated herein by reference.

TECHNICAL FIELD

[0002] The present disclosed subject matter is directed to securely decrypting encrypted data.

BACKGROUND

[0003] Data breaches occur frequently, with losses from a single breach running into millions of dollars, as well as loss of a business’ reputation. Some organizations recover from data breaches, but typically do not return to their state prior to the breach.

[0004] One common way a data breach occurs is decrypted data passing between entities. Others include data being saved on servers hosting databases (database servers) as unencrypted or decrypted, and as such exposed to hackers, sniffers and others who can access this data.

SUMMARY

[0005] Embodiments of the disclosed subject matter provide a security for data storage by maintaining data in encrypted formats, only decrypting the data when requested by and displayed to authorized users, with limited access, in limited amounts, and for limited time periods. Here, only encrypted data passes between entities, and all data is stored as encrypted. This solution of the present disclosed subject matter is known as an “always encrypted” solution.

[0006] The disclosed subject matter is such that all data is saved as encrypted. The disclosed subject matter provides a system that works with existing hardware, and additional hardware is not required to implement the system. The encryption is performed “on the fly”, for example, while editing a customer relations management (CRM) field, and decryption is on-screen only.

[0007] The disclosed subject matter employs decentralized keys. As a result, there is secure storage of keys and certificates.

[0008] The disclosed subject matter provides for decentralized encryption and decryption of data. The system is agnostic with and works with all file types.

[0009] The disclosed subject matter provides for on-screen encryption and decryption, also known as “screen level decryption”, without changing the user experience. The user can work in the same way as always, with the disclosed application decrypting and encrypting data, such that the user has the necessary data decrypted for performing the necessary operations on his computer. As all data is encrypted, even that which is on the memory of the user computer, the present disclosed subject matter is highly secure. Moreover, data is transferred securely between system components throughout the system, another high security feature of the disclosed subject matter.

[0010] This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF FIGURES

[0011] Non-limiting examples of embodiments are described below with reference to figures attached hereto that are listed following this paragraph. Identical structures, elements or parts that appear in more than one figure are generally labeled with a same numeral in all the figures in which they appear, and a numeral labeling an icon representing a given feature in a figure may be used to reference the given feature. Dimensions of components and features shown in the figures are chosen for convenience and clarity of presentation and are not necessarily shown to scale.

[0012] FIG. 1A is a diagram of an environment in which the disclosed subject matter operates;

[0013] FIG. 1B is a diagram of the environment of FIG. 1A specific to a browser extension and a web application;

[0014] FIG. 2A is a diagram of the system from the environment of FIG. 1A;

[0015] FIG. 2B is a diagram of the system from the environment of FIG. 1B;

[0016] FIGs. 3A-1 and 3A-2 (collectively referred to as FIG. 3A) are a diagram of a display unit for decrypted data in accordance with the disclosed subject matter;

[0017] FIG. 3B is a diagram of the display unit of FIGs. 3A-1 and 3A-2 as fitting on a single display screen;

[0018] FIGs. 4A-1 and 4A-2, collectively referred to as FIG. 4A, are a flow diagram of an example process in accordance with the disclosed subject matter;

[0019] FIG. 4B is a flow diagram of a process from the flow diagram of FIGs. 4A-1 and 4A-2;

[0020] FIG. 5A is a screen diagram of a data portion of data displayed on the screen display of a customer relations management (CRM) computer, the data which is encrypted;

[0021] FIG. 5B is the data portion of FIG. 5A which has been decrypted and is displayed on the screen display of the CRM computer;

[0022] FIGs. 6A-1 and 6A-2, collectively referred to as FIG. 6A, are a flow diagram of an example process for a browser extension and web application in accordance with the disclosed subject matter;

[0023] FIG. 6B is a flow diagram of a process from the flow diagram of FIGs. 6A-1 and 6A-2; and,

[0024] FIG. 7 is a flow diagram of an updating process in accordance with the disclosed subject matter.

DETAILED DESCRIPTION

[0025] Before explaining at least one embodiment of the disclosed subject matter in detail, it is to be understood that the disclosed subject matter is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings. The disclosed subject matter is capable of other embodiments or of being practiced or carried out in various ways.

[0026] In the discussion, unless otherwise stated, adjectives such as "substantially" and "about" modifying a condition or relationship characteristic of a feature or features of an embodiment of the disclosure, are understood to mean that the condition or characteristic is defined to within tolerances that are acceptable for operation of the embodiment for which the embodiment is intended. Wherever a general term in the disclosure is illustrated by reference to an example instance or a list of example instances, the instance or instances referred to, are by way of nonlimiting example instances of the general term, and the general term is not intended to be limited to the specific example instance or instances referred to. Unless otherwise indicated, the word "or" in the description and claims is considered to be the inclusive "or" rather than the exclusive or, and indicates at least one of, or any combination of items it conjoins.

[0027] As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or computer program product. Accordingly, aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more non-transitory computer readable (storage) medium(s) having computer readable program code embodied thereon.

[0028] FIG. 1A shows an environment in which the disclosed subject matter operates. The environment includes a network(s) 50. Components communicate (e.g., in electronic and/or data communication) with other components via the network 50, either directly or indirectly. The network(s) 50 include one or more networks, such as wide area networks (WANs) including the Internet, cellular networks and the like and local area networks (LANs).

[0029] The components include a home server 102, main server, or engine, which receives decryption and/or encryption requests from a Monitor Component (MC) 104 associated with the browsing application of a computer 106, e.g., a Customer Relations Management (CRM) software computer (representative of multiple user (CRM) computers in communication with the network 50). The computer 106 and MC 104 are in communication with the network 50. The computer 106 includes a monitor (screen) or display screen 106x, as well as a browser (BR) 106br, such as Google® Chrome®, Microsoft® Internet Explorer®, Microsoft® Edge® or the like, and a memory 106m. The computer 106, for example, hosts one or more applications, for example, an application (APP) 107, which performs various functions associated with the MC 104 and the computer 106. The application 107 is, for example, an existing application, such as a Software as a Service (SAAS) application, or an existing CRM application such as Microsoft® Dynamics™. The APP 107 may also be, for example, a web application 107’, such as a customer relations management (CRM) application (the web application 107’ working with the browser extension 104’), including already existing SAAS applications. The application 107 determines the data available for display on the display screen 106x and renders that data to the display screen 106x, without regard to whether the data is encrypted, decrypted, or clear (unencrypted, i.e., never encrypted).

[0030] One or more data storage units, for example, database servers, which include databases, represented by the storage unit 108, are in communication with the network 50. The database servers may be one or more servers. A client key vault 110, and a master key holder 112 are mapped to the home server 102, and communicate with the home server 102 via the network 50. The client key vault 110 and master key holder 112 are, for example, separate and decentralized from the home server 102.

[0031] The client key vault 110 holds user encryption/decryption keys, which are obtained by the home server 102 (i.e., user encryption/decryption key module 212a), in response to authenticating an identifier (ID) of a user.

[0032] The master key holder 112 holds master keys, which are obtained by the home server 102 (i.e., the master key module 212b) to decrypt the obtained user encryption/decryption key. This arrangement, in which a master key encrypts/decrypts the user encryption/decryption key (from the client key vault 110), is a double encryption/decryption for the system 150 (the pattern commonly called key wrapping or envelope encryption).

[0033] The home server 102, MC 104, client key vault 110, and master key holder 112 form a system 150, as shown in FIG. 2A. Network communication between components in FIG. 2A is shown by the double headed arrows. The home server 102 includes an encryption/decryption engine 216, which uses, for example, the Advanced Encryption Standard with 256-bit keys (AES-256), coupled with an encryption/decryption algorithm that generates different encrypted strings for the same input (the encryption is non-deterministic), so that equal plaintexts cannot be identified by comparing their ciphertexts. In response to a decryption request associated with encrypted data, the home server 102 decrypts the encrypted data and sends the decrypted data to the MC 104, for display on the computer 106 associated with the MC 104, for example, in real time.

[0034] The home server 102 is also programmed to verify identifiers associated with a user who has provided data to be decrypted/encrypted. The identifiers may be, for example, Application Program Interface (API) keys. These API keys identify decryption requests from the MC 104, and, for example, a whitelist may be applied to decryption requests to determine whether the requests are authorized and/or legitimate. While the home server 102 is shown as a single component, it may be multiple servers, computerized components and the like.

[0035] The MC 104 is downloaded and installed on the computer 106, and operates as part of the computer 106 (as shown by the broken line box CP in FIG. 1A). The MC 104 maps to the home server 102. The MC 104 may take the form of a computer program product embodied in one or more non-transitory computer readable (storage) medium(s) having computer readable program code embodied thereon, or can execute machine readable instructions.

[0036] The MC 104 is programmed, for example, to monitor and inspect the displayed data, e.g., text and/or images, the images for example being still images, such as photographs, and video, for example, in ordered or predetermined units, as defined by the rules and policies of the APP, for example, a page as defined by a scrollable area (including areas for display when the page is scrolled up or down, but is not in the instantaneous display view). The MC 104 monitors the data displayed on the screen 106x by the APP 107, for user actions, such as SAVE actions, data changes, for example, on the display screen, and activates when there is a change, for example page 1 appearing, as well as moving between pages 1, 2, and 3. The MC 104 monitors the APP 107 for changes in the displayed data on the display screen 106x. When a change in the displayed data on the display screen 106x is detected, the MC 104 extracts, via the extractor 104x (FIG. 2A) the relevant encrypted data. For example, when the data to be extracted is that displayed on the display screen 106x, the extractor 104x performs a unit grab (e.g., page grab when the unit is a page) of the data.

[0037] The MC 104 also performs sending (transmitting) functions for data and data requests, as well as receiving functions. For example, the MC 104 sends the captured encrypted and/or clear data to the home server 102 using the home server’s API, for example over a Secure Sockets Layer (SSL) connection, together with a decryption and/or encryption request. The home server 102 decrypts and/or encrypts the received data and returns the decrypted and/or encrypted data to the MC 104, for example, again over SSL. The MC 104 passes all or a portion of the returned decrypted data into the APP 107, where it replaces the encrypted data, such that the decrypted data is rendered to be available for display on the display screen. In the case of encrypted data, the APP 107 sends this data to the storage unit 108 for storage.
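The monitor, extract, request and replace loop of paragraphs [0036] and [0037], as an added example for a browser extension's content script (this is not the patent's or Aeternus' code). The patent leaves the marking of encrypted units to the APP's rules and policies; this example assumes they appear in the page text as ENC[<base64>], and assumes a decryptor transport that resolves to { items: [...] } in request order with null for any item the home server refused. The function names are the example's own.

```javascript
// Added example, not the patent's or Aeternus' code: the monitor -> extract ->
// decrypt request -> replace loop of [0036]-[0037], for text. Assumptions:
// encrypted units are marked in the page as ENC[<base64>]; `decryptor` is the
// transport to the home server and resolves to { items: [...] } in request
// order, with null for any item the server refused.
const ENC_TOKEN_G = /ENC\[([A-Za-z0-9+/=]+)\]/g;
const HAS_ENC_TOKEN = /ENC\[[A-Za-z0-9+/=]+\]/;

// Extract: a unit grab of one display unit's text, returning each distinct
// ciphertext once so the request stays small.
function extractEncryptedTokens(unitText) {
  const seen = new Set();
  for (const m of unitText.matchAll(ENC_TOKEN_G)) seen.add(m[1]);
  return [...seen];
}

// Request: one batched decryption request for text, carrying the API key as
// the identifier the home server matches before decrypting.
function buildDecryptRequest(apiKey, tokens) {
  return { apiKey, kind: 'text', items: tokens };
}

// Replace: each decrypted value goes exactly where its ciphertext was. A token
// the server refused stays encrypted on screen rather than being blanked.
function replaceTokens(unitText, tokens, response) {
  const byToken = new Map();
  tokens.forEach((t, i) => {
    if (response.items[i] != null) byToken.set(t, response.items[i]);
  });
  return unitText.replace(ENC_TOKEN_G, (whole, tok) => (byToken.has(tok) ? byToken.get(tok) : whole));
}

// Browser wiring (needs a DOM): observe the application's content area and
// re-run extract/request/replace over its text nodes after every change.
function startMonitor(root, apiKey, decryptor) {
  let running = false;
  let pending = false;
  const run = async () => {
    if (running) { pending = true; return; } // a change arrived mid-run: redo once
    running = true;
    try {
      do {
        pending = false;
        const walker = document.createTreeWalker(root, NodeFilter.SHOW_TEXT);
        const nodes = [];
        for (let n = walker.nextNode(); n; n = walker.nextNode()) {
          if (HAS_ENC_TOKEN.test(n.nodeValue)) nodes.push(n);
        }
        const tokens = extractEncryptedTokens(nodes.map((n) => n.nodeValue).join('\n'));
        if (tokens.length === 0) continue;
        const response = await decryptor(buildDecryptRequest(apiKey, tokens));
        for (const n of nodes) {
          const out = replaceTokens(n.nodeValue, tokens, response);
          if (out !== n.nodeValue) n.nodeValue = out; // write only real changes, or refused tokens would re-trigger forever
        }
      } while (pending);
    } finally {
      running = false;
    }
  };
  new MutationObserver(run).observe(root, { childList: true, characterData: true, subtree: true });
  return run(); // decrypt what is already on screen
}
```

In the extension the transport would be a fetch POST over HTTPS to the home server's decrypt endpoint, and startMonitor would be pointed at the web application's content container. Decrypted text then exists only in the DOM of the unit currently shown; when the user navigates away and back, the unit is extracted and requested again, which is the behaviour described in paragraph [0044].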

[0038] The data storage unit 108, including its database(s) is independent of the home server 102. For example, the database(s) may include Customer Relations Management (CRM) data, so as to include CRM databases, such that the computer 106 is associated with a CRM user.

[0039] FIG. 1B is similar in construction and operation to FIG. 1A, except that the MC 104 is replaced by a browser extension (BRE) 104’ and the APP 107 is replaced with a web application (Web APP) 107’, since the browser extension 104’ obtains and renders web pages to the Web APP 107’. The browser extension 104’ operates similarly to the MC 104, as detailed above, and the Web App 107’ operates similarly to the APP 107, such that the descriptions provided for the MC 104 and APP 107 are applicable to the BRE 104’ and Web APP 107’, except where specifically indicated. The home server 102, browser extension 104’, client key vault 110, and master key holder 112 form a system 150’, as shown in FIG. 2B.

[0040] For example, as shown in FIGs. 3A-1 and 3A-2 (collectively referred to as FIG. 3A) and FIG. 3B, the data which is decrypted and displayed or available for display (on the display screen 106x in the display area 106d thereof) includes an ordered or predetermined display unit 300, as defined by the APP 107 or Web APP 107’ of the user computer 106. This ordered display unit 300 may be a page (when system 150 is used) or web page (when system 150’ is used) 301 (of one or more pages or web pages), with its page definitions and boundaries set by the APP 107 (e.g., rules and policies) or Web APP 107’, with the page or web page 301 rendered by the respective APP 107 or Web App 107’. The ordered display unit 300 may include those portions of the page 301 accessible by activating the scroll bar 302 on the side of the displayed portion of the page or web page 301, as shown in FIGs. 3A-1 and 3A-2. The MC 104 or browser extension 104’ provides the decrypted data for the ordered display unit 300 being displayed (or otherwise designated (available) for display, for example, via scrolling up and/or down, e.g., via a scroll bar 302) on the display screen 106x (in the designated display area 106d).

[0041] The APP 107 or Web APP 107’ separates the data into the ordered or predetermined display units, decrypting only the data which is displayed and/or available for display on the display screen 106x, as the ordered or predetermined display unit (as determined by the rules and policies of the APP 107 or Web APP 107’), for example, in real time. For example, a predetermined or ordered display unit 300 (or “display unit”) may be a page or web page 301 of one or more pages of an electronic document or web document (in the case of web pages), which is displayed in the display area 106d or otherwise available to be displayed within the display area 106d of the display screen 106x of the computer 106 at any given time. As shown in FIGs. 3A-1 and 3A-2, a display unit 300 of a single page 301, i.e., Page 1, set by the APP 107 or Web App 107’, includes page 1 of a three page document or web document (which also includes page 2 and page 3, as indicated by the boxes numbered accordingly). Page 1 is the entire area available for viewing as decrypted data, with lines AAA...AAA through TL...TZ. Page 1, which is the ordered display unit 300 in this instance, is accessible and available for viewing in portions, by moving the scroll bar 302 (line QQQ...QQQ is shown as a reference to show positioning of the page or web page 301 portions upon movement of the scroll bar 302), such that the ordered display unit 300 is moveable within the display area 106d. As shown in FIG. 3B, should the ordered display unit 300, i.e., the page or web page 301 (Page 1), be made smaller, the entire ordered display unit 300 fits, and is presented within, the display area 106d of the display screen 106x (the entire scroll bar 302 is for the entire display unit 300).

[0042] Optionally, the MC 104 and/or the browser extension 104’ may include an editing feature (edit module 104y in FIG. 2A, and also FIG. 2B for the browser extension 104’) that allows for editing and updating the encrypted data, such that the data remains encrypted. An example editing and creating new data process is shown in FIG. 7 and detailed below. The MC 104 and/or browser extension 104’ is also programmed to prevent or block copying of the decrypted data. The MC 104 and/or browser extension 104’ may be, for example, written in JavaScript, and is downloadable from an internet source, such as the Google® Chrome® Store. For example, the JavaScript may be:

/** disable copy event */
wrapper = window.document.querySelector('.content');
wrapper.oncopy = function (e) {
  e.preventDefault();
  return false;
};

[0043] For example, each of the MC 104 and/or browser extension 104’ is typically initiated with a user private key, which is, for example, an API key.

[0044] The user computer 106 sends data requests to the data storage unit 108, and the data storage unit 108 returns the requested data to the computer memory 106m as encrypted data. The memory 106m is coordinated with the browser 106br, such that the encrypted data is broken into the above-mentioned ordered display units, as per the APP 107 or Web APP 107’, for display. The unit, e.g., page 1 or web page 1, made available for display on the display screen 106x, by the APP 107 or Web APP 107’, is detected by the respective MC 104 or browser extension 104’ as a change on the display screen 106x in the respective APP 107 or Web APP 107’, from previously displayed data on the display screen 106x, as the APP 107 is monitored by the MC 104 or browser extension 104’ respectively, for changes in the displayed data. The newly displayed unit, e.g., a page 301, such as page 1 or web page 1, now displayed (including the entire page (e.g., page 1) or web page (e.g., page 1) available for display), as shown in FIGs. 3A-1 and 3A-2, is captured and extracted by the MC 104 or the browser extension 104’. The extracted data is sent to the home server 102, for decryption, with the decrypted data of the available screen display, received by the MC 104 or the browser extension 104’ for display on the display screen 106x. Should the unit 301 on the display screen 106x be changed, for example, by clicking on the number for “Page 2” (FIGs. 3A-1, 3A-2 and 3B), this unit, e.g., page 2 or web page 2, is decrypted, and the previously decrypted and displayed unit, e.g., page 1, is lost in its decrypted form. Should page 1 or web page 1 be subsequently activated again for display, its data must be pulled from the memory 106m, which is encrypted, and again decrypted, via interaction by the respective MC 104 or the browser extension 104’, as detailed above. Accordingly, the system 150, and also system 150’, is dynamic, decrypting the data that is displayed/available for display, for example, as an ordered display unit (ordered unit).

[0045] FIG. 2A is a block diagram of the system 150. FIG. 2B is a system 150’ similar to the system 150 of FIG. 2A, except that the MC 104 is replaced by the browser extension 104’, and the browser extension 104’ works with the Web APP 107’, as detailed herein. In both systems 150, 150’, the home server 102 includes one or more processors, for a central processing unit (CPU) 202 and storage/memory 204 associated therewith. In communication with the CPU 202 are modules including a data transceiver 210, a user encryption/decryption key obtaining module 212a, a master (encryption/decryption) key obtaining module 212b, an identifier analysis module 214, and a decryption engine or decryptor 216. The home server 102 communicates with the respective MC 104 or browser extension 104’, the client key vaults 110 and master key vaults 112, over the network 50 (the network 50 is shown in broken lines).

[0046] The CPU 202 is formed of one or more processors, including hardware processors, and performs processes, including the disclosed processes of FIGs. 4A and 4B, and 6A (formed of FIGs. 6A-1 and 6A-2) and 6B, as detailed below. The processes of FIGs. 4A and 4B and 6A and 6B may be in the form of programs, algorithms and the like. For example, the processors of the CPU 202 may include x86 Processors from AMD (Advanced Micro Devices) and Intel, Xeon® and Pentium® processors from Intel, as well as any combinations thereof.

[0047] The storage/memory 204 is associated with the CPU 202, and is any conventional storage media. The storage/memory 204 also includes machine executable instructions associated with the operation of the CPU 202 and the components 210, 212, 214 and 216, along with the processes and subprocesses shown in FIGs. 4A and 4B, and 6A and 6B, detailed herein. The processors of the CPU 202 and the storage/memory 204, although shown as a single component for representative purposes, may be multiple components, and may be outside of the home server 102 and/or the system 150, 150’ and in communication with the network 50.

[0048] The data transceiver 210 receives the encrypted and/or decrypted data to be decrypted and/or encrypted from the MC 104 or browser extension 104’, and sends the decrypted and/or encrypted data back to the MC 104 or browser extension 104’, for example, as the MC 104 or browser extension 104’ is mapped to the home server 102.

[0049] The user encryption/decryption key obtaining module 212a obtains a user encryption and/or decryption key for data associated with a user request, once the user is identified, for example, by the identifier analysis module 214. The master (encryption and/or decryption) key obtaining module 212b obtains the decryption master key for the user encryption and/or decryption key obtained by the user key obtaining module 212a.

[0050] The identifier analysis module 214 performs verification of identifiers, for example, those sent or associated with the sending of the decryption request, from the MC 104 or browser extension 104’. The identifiers may be API keys, Internet Protocol (IP) addresses/code on a whitelist, and other identifiers.

[0051] The decryption engine 216 provides decryption of the encrypted data it receives. The engine 216 uses, for example, an Advanced Encryption System (AES-256), coupled with an encryption/decryption algorithm. This algorithm is such that it generates different encrypted strings for the same input, making it impossible to decrypt even if the encryption key is exposed.

[0052] Attention is now directed to FIGs. 4A-1 and 4A-2 (collectively referred to as FIG. 4A) and FIG. 4B, which form a flow diagram detailing a computer-implemented process in accordance with embodiments of the disclosed subject matter. Reference is also made to elements shown in FIGs. 1A and 2A. The process and sub-processes of FIGs. 4A and 4B are computerized processes performed by the system detailed above. The aforementioned processes and sub-processes can be, for example, performed manually, automatically, or a combination thereof, and, for example, in real time.

[0053] The process begins at a START block 402. Prior to, or at the START, the computer 106, for example, running CRM software and the like (so as to be referred to as a CRM computer) has downloaded and installed the MC 104, and the user (known as a CRM user since working with a CRM computer), enters one or more identifications, such as identification keys, into the MC 104, for example, after the afore-mentioned installation of the MC 104.

[0054] The process moves to block 404, where the APP 107 (e.g., running in the computer 106) sends a data request to (e.g., requests data from) a data source, for example, the storage media 108, for example, for data, in one or more databases. This data is stored in the storage media 108, for example, in the one or more databases, as encrypted data, and once the data is obtained from the requisite database in the storage media 108, the data is returned to the APP 107 as encrypted data (data in an encrypted format), at block 406.

[0055] The encrypted data, the portion which is displayed on the computer 106 (and which may be part of the data available for display), as shown in FIG. 5A, for example, displays as an ordered unit, for example, the ordered unit determined in accordance with rules and policies of the APP 107, as detailed above. The MC 104 detects the data displayed on the display screen having changed (or other presented display having changed), for example, to the encrypted data, and extracts the displayed/available for display encrypted data, for example, displaying as an ordered unit, at block 408. The extraction is typically automatically performed by extraction software, and/or by an extractor 104x, which is typically part of the MC 104.

[0056] Turning to FIG. 4B, the process of block 408 is shown in detail. At block 408-1, the MC 104 “listens” or otherwise monitors the data displayed on the display screen 106x of computer 106, for example, the data displayed being an ordered unit of the displayed data, as displayed by the APP 107. The monitoring is for a change in the displayed data (e.g., a change in the presentation of the data displayed, or the data available for display, on the display screen 106x). At block 408-2, the monitoring is such that, should a change not be determined, at the monitoring intervals, the process returns to block 408-1, from where it resumes. Should a change be detected, at block 408-2, the process moves to block 408-3, where the MC 104 extracts the encrypted data, for example, all encrypted data, including text and/or images, the images including, for example, photographs and other still images, and/or video.

[0057] For example, when new data, as an ordered (predetermined) unit is displayed in the display area 106d (FIGs. 3A and 3B) of the display screen 106x, the data available for display, of the ordered unit is extracted. The extraction of the data may be, for example, item by item, field by field, and the like, and is sent to the home server 102. For example, the data may be sent as a single send, at block 410 (detailed below), with decryption performed by the home server 102, for example, on this one by one basis. Similarly, with images encrypted as displayed on the ordered display unit, with or without text, requiring decryption, the images are extracted, for example, on a picture by picture (image by image) basis, and sent to the home server 102 for decryption, for example, in a single send, for each image.

[0058] When the image is video, the video can be embedded into a page, similar to that for images (e.g., pictures), which can be embedded. Video is sent for embedding and it is encrypted. The encrypted video is saved. When decryption is desired, players can be added to the MC 104, which can play the encrypted video.

[0059] The image single send is, for example, a separate send from the text single send. For example, if text and images are sent for decryption in separate sends, each send is accompanied by a decryption request: one decryption request for the text and one decryption request for each picture (image) being sent for decryption. Returning to FIGs. 4A-1 and 4A-2, with the extraction process of block 408 complete, the MC 104 sends the extracted encrypted data, with user identification(s) and with a decryption request(s), to the home server 102, at block 410. This process of block 410 allows for decryption of the encrypted data which has been sent to the home server 102.

[0060] The process moves onward, where the extracted encrypted data is received by the home server 102. The home server 102 now performs identification and/or authorization processes, at block 412, to authorize the user and accordingly, authorize decryption. For example, the identification and authorization of the user is based on the received identifier, for example, an API key, a password, and/or other identifier, from the user with the decryption request, the identifier being matched or otherwise equated to or correlated with a corresponding identifier in the system 150, to authenticate and/or verify, or the like, the user and/or the decryption request. Should the API key be accepted, decryption, for example, at the home server 102, may begin (by moving directly to block 414).

[0061] Optionally, the process may move from block 412 to block 412a, where one or more additional processes are performed to check other identifiers to verify and/or further verify and/or authenticate the user who made the data request (e.g., decryption request). If the optional process(es) of block 412a is/are performed and successful, the process moves to block 414. For example, one of the processes of block 412a may include checking the data request to determine whether it is whitelisted.

[0062] Should one of the processes of block 412 or block 412a (if block 412a is part of the process) fail, the process moves to block 413. At block 413, decryption of the text/data on screen/available for display on screen does not occur, and the encrypted data remains displayed on screen and/or available for display on screen. The process then moves to block 420, where it ends.

[0063] Returning to blocks 412/412a, if the processes are successful and the user is properly identified and authorized (and further verified at block 412a), the process moves to block 414. At block 414, the home server 102, by the decryption engine or decryptor 216, decrypts the received encrypted data using encryption/decryption keys, matching or otherwise corresponding to the received encryption key. The decrypted data is sent to the MC 104, also at block 414. The MC 104 receives the decrypted data at block 416.

[0064] The MC 104 renders the decrypted data to the APP 107 for display on the display screen 106x (e.g., in the display area 106d) of the computer 106, at block 418. For example, at block 418, the MC 104 replaces the encrypted data displayed and/or available for display in the APP 107 on the display screen 106x, and the MC 104 renders the decrypted data in the locations, as displayed and/or available for display, of the corresponding previously encrypted data. The display of the decrypted data, as shown for example, in FIG. 5B, is at the same corresponding locations on the display as was the corresponding encrypted data, shown, for example, in FIG. 5A. The process moves to block 420 where it ends.

[0065] Once the process ends, at block 420, the process can be repeated for as long as desired. For example, the process is repeated automatically every time the MC 104 detects new or different data displayed on the display screen 106x of the computer 106. During the processes of FIGs. 4A and 4B, the data transfers are, for example, asynchronous, allowing users to continue working on their CRM computers 106, during the aforementioned data transfer and encryption/decryption processes.

[0066] Attention is now directed to FIGs. 6A (FIGs. 6A-1 and 6A-2) and 6B, which show a flow diagram detailing a computer-implemented process in accordance with embodiments of the disclosed subject matter. Reference is also made to elements shown in FIGs. 1B and 2B. The process and sub-processes of FIGs. 6A and 6B are computerized processes performed by the system detailed above. The aforementioned processes and sub-processes can be, for example, performed manually, automatically, or a combination thereof, and, for example, in real time.

[0067] The process begins at a START block 602. Prior to, or at the START, the computer 106, for example, running CRM software and the like (so as to be referred to as a CRM computer) has downloaded and installed the Browser Extension (BRE) 104’, and the user (known as a CRM user since working with a CRM computer), enters one or more identifications, such as identification keys, into the BRE 104’, for example, after the aforementioned installation of the BRE 104’.

[0068] The process moves to block 604, where the Web APP 107’ (e.g., running in the computer 106) sends a data request to (e.g., requests data from) a data source, for example, the storage media 108, for example, for data, in one or more databases. This data is stored in the storage media 108, for example, in the one or more databases, as encrypted data, and once the data is obtained from the requisite database in the storage media 108, the data is returned to the Web APP 107’ as encrypted data (data in an encrypted format), at block 606.

[0069] The encrypted data, the portion which is displayed on the computer 106 (and which may be part of the data available for display), as shown in FIG. 5A, for example, displays as an ordered unit, for example, the ordered unit determined in accordance with rules and policies of the Web APP 107’, as detailed above. The BRE 104’ detects the data displayed on the display screen having changed (or other presented display having changed), for example, to the encrypted data, and extracts the displayed/available for display encrypted data, for example, displaying as an ordered unit, at block 608. The extraction is typically automatically performed by extraction software, and/or by an extractor 104x, which is typically part of the BRE 104’.

[0070] Turning to FIG. 6B, the process of block 608 is shown in detail. At block 608-1, the BRE 104’ “listens” or otherwise monitors the data displayed on the display screen 106x of computer 106, for example, the data displayed being an ordered unit of the displayed data, as displayed by the Web APP 107’. The monitoring is for a change in the displayed data (e.g., a change in the presentation of the data displayed, or the data available for display, on the display screen 106x). At block 608-2, the monitoring is such that, should a change not be determined by the BRE 104’, at the monitoring intervals, the process returns to block 608-1, from where it resumes. Should a change be detected by the BRE 104’, at block 608-2, the process moves to block 608-3, where the BRE 104’ extracts the encrypted data, for example, all encrypted data, including text and/or images, the images including, for example, photographs and other still images, and/or video.

[0071] For example, when new data, for example, as an ordered unit is displayed in the display area 106d (FIGs. 3A and 3B) of the display screen 106x, the data available for display, of the ordered unit is extracted. The extraction of the data may be, for example, item by item, field by field, and the like, and is sent to the home server 102. For example, the data may be sent as a single send, at block 610 (detailed below), with decryption performed by the home server 102, for example, on this one by one basis. Similarly, with images encrypted as displayed on the ordered display unit, with or without text, requiring decryption, the images are extracted, for example, on a picture by picture (image by image) basis, and sent to the home server 102 for decryption, for example, in a single send, for each image.

[0072] When the image is video, the video can be embedded into a page, similar to that for images (e.g., pictures), which can be embedded. Video is sent for embedding and it is encrypted. The encrypted video is saved. When decryption is desired, players can be added to the BRE 104’, which can play the encrypted video.

[0073] The image single send is, for example, a separate send from the text single send. For example, if text and images are sent for decryption in separate sends, each send is accompanied by a decryption request: one decryption request for the text and one decryption request for each picture (image) being sent for decryption. Returning to FIGs. 6A-1 and 6A-2, with the extraction process of block 608 complete, the BRE 104’ sends the extracted encrypted data, with user identification(s) and with a decryption request(s), to the home server 102, at block 610. This process of block 610 allows for decryption of the encrypted data which has been sent to the home server 102.

[0074] The process moves onward, where the extracted encrypted data is received by the home server 102. The home server 102 now performs identification and/or authorization processes, at block 612, to authorize the user and accordingly, authorize decryption. For example, the identification and authorization of the user is based on the received identifier, for example, an API key, a password, and/or other identifier, from the user with the decryption request, the identifier being matched or otherwise equated to or correlated with a corresponding identifier in the system 150, to authenticate and/or verify, or the like, the user and/or the decryption request. Should the API key be accepted, decryption, for example, at the home server 102, may begin (by moving directly to block 614).

[0075] Optionally, the process may move from block 612 to block 612a, where one or more additional processes are performed to check other identifiers to verify and/or further verify and/or authenticate the user who made the data request (e.g., decryption request). If the optional process(es) of block 612a is/are performed and successful, the process moves to block 614. For example, one of the processes of block 612a may include checking the data request to determine whether it is whitelisted.

[0076] Should one of the processes of block 612 or block 612a (if block 612a is part of the process) fail, the process moves to block 613. At block 613, decryption of the text/data on screen/available for display on screen does not occur, and the encrypted data remains displayed on screen and/or available for display on screen. The process then moves to block 620, where it ends.

[0077] Returning to blocks 612/612a, if the processes are successful and the user is properly identified and authorized (and further verified at block 612a), the process moves to block 614. At block 614, the home server 102, by the decryption engine or decryptor 216, decrypts the received encrypted data using encryption/decryption keys, matching or otherwise corresponding to the received encryption key. The decrypted data is sent to the BRE 104’, also at block 614. The BRE 104’ receives the decrypted data at block 416.

[0078] The BRE 104’ renders the decrypted data to the Web APP 107’ for display on the display screen 106x (e.g., in the display area 106d) of the computer 106, at block 418. For example, at block 418, the BRE 104’, replaces the encrypted data available for display and/or available for display in the Web APP 107’ on the display screen 106x, and, the BRE 104’ renders the decrypted data in locations as displayed and/or available for display in the locations of the corresponding previously encrypted data. The display of the decrypted data, as shown for example, in FIG. 5B, is at the same corresponding locations on the display as was the corresponding encrypted data, shown, for example, in FIG. 5A. The process moves to block 620 where it ends.

[0079] Once the process ends, at block 620, the process can be repeated for as long as desired. For example, the process is repeated automatically every time the BRE 104’ detects new or different data displayed on the display screen 106x of the computer 106. During the processes of FIGs. 6A and 6B, the data transfers are, for example, asynchronous, allowing users to continue working on their CRM computers 106, during the aforementioned data transfer and encryption/decryption processes.

[0080] Attention is now directed to the process of FIG. 7, where a flow diagram illustrates the process for automatically encrypting edited or new data, which is, for example “clear” data, meaning that the data has not been encrypted or has yet to be encrypted. This process is performed by using the Edit function of the edit module 104y of the MC 104 or the browser extension 104’. The process, for example, is described, using the browser extension 104’ and the Web APP 107’.

[0081] Initially, at the START block 702, the Web APP 107’ is running on the computer 106. The process moves to block 704, where the browser extension (BRE) 104’ monitors user activity for a SAVE action. By monitoring or otherwise looking and/or waiting for a SAVE action, the present data is to be saved, for example, in memory. SAVE actions are, for example, begun by activation of a SAVE button (the user contacting, swiping, clicking on a SAVE box on-screen or otherwise activating a function indicative of a SAVE action), or other activation.

[0082] The process moves to block 706, where data input in fields is placed into the web application 107’, for example, as “clear data”. “Clear data” is data which is unencrypted, and has never or is yet to be encrypted. This clear data is inputted and is now considered as updated data.

[0083] The process moves to block 708, where it is determined whether a SAVE action for a SAVE procedure has been detected. If no, a SAVE action has not been detected, and the process returns to block 704, from where it resumes. If yes, at block 708, a SAVE action has been detected, and the process moves to block 710.

[0084] At block 710, the SAVE request is intercepted by the browser 106br of the computer 106. The SAVE procedure is engaged by the browser extension 104’, and the browser extension 104’ pauses the SAVE procedure. The browser extension 104’ is now controlling the SAVE procedure.

[0085] The process moves to block 712, where the inputted, and updated clear data, is extracted and sent to the home server 102 for encryption. The home server 102 returns the data as encrypted to the BRE 104’ , at block 714. The encrypted data is now replaced in the appropriate field in the SAVE request, at block 716. The display screen 106x is such that it continues to display the clear data, even though this data has been encrypted.

[0086] At block 718, the SAVE procedure is resumed for this now encrypted data. Moving to block 720, the encrypted data is sent from the web app 107’ to the database(s) in the data storage 108, for storage as encrypted data.

[0087] The process moves to block 722 where it ends. The process may be repeated for as long as is desired.
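The monitor-component side of the two flows, the display-unit decryption loop of FIGs. 4A/4B and 6A/6B (paragraphs [0055] to [0065] and [0069] to [0079]) and the SAVE interception of FIG. 7 (paragraphs [0080] to [0087]), is shown below as one added example. It is not the patent's or the assignee's code: a display unit is modelled as a list of plain field objects rather than a live DOM so that it runs under Node, the home server round trip is a constructed stand-in that marks encrypted values with an `enc:` prefix, and the field names and values are constructed. What the example shows that the text does not spell out is how the request ids let the decrypted values return to the same locations, and that a re-displayed page is decrypted afresh because nothing decrypted is retained.

```javascript
// Added example, not the patent's own code: the monitor-component (MC 104 / BRE 104')
// side of the flows of FIGs. 4A/4B and 6A/6B (detect change, extract, send, replace in
// place) and of FIG. 7 (intercept SAVE, encrypt, replace, resume), modelled on plain
// field objects instead of a live DOM. The home server is replaced by a constructed
// stand-in that marks encrypted values with an 'enc:' prefix; all data is constructed.
const ENC_PREFIX = 'enc:';
const isEncrypted = (v) => typeof v === 'string' && v.startsWith(ENC_PREFIX);

// Constructed stand-in for the home server round trip (blocks 410/414 and 712/714).
const server = {
  decrypt: (items) => items.map((v) => (isEncrypted(v) ? v.slice(ENC_PREFIX.length) : v)),
  encrypt: (items) => items.map((v) => ENC_PREFIX + v),
};

// A display unit (one page) is an ordered list of fields: { id, kind: 'text' | 'image', value }.
// Blocks 408-1/408-2: a change is detected by comparing a fingerprint of the displayed unit.
function fingerprint(unit) {
  return JSON.stringify(unit.map((f) => [f.id, f.value]));
}

// Blocks 408-3 and 410: one send for all encrypted text fields, one send per encrypted
// image ([0059]). Each request keeps its field ids so the response can be put back in place.
function buildDecryptionRequests(unit) {
  const requests = [];
  const text = unit.filter((f) => f.kind === 'text' && isEncrypted(f.value));
  if (text.length > 0) {
    requests.push({ kind: 'text', ids: text.map((f) => f.id), items: text.map((f) => f.value) });
  }
  for (const img of unit.filter((f) => f.kind === 'image' && isEncrypted(f.value))) {
    requests.push({ kind: 'image', ids: [img.id], items: [img.value] });
  }
  return requests;
}

// Block 418: replace each encrypted value with its decrypted form at the corresponding
// location, leaving field order and fields that were not sent as they were.
function renderDecrypted(unit, requests, responses) {
  const decryptedById = new Map();
  requests.forEach((req, i) => req.ids.forEach((id, j) => decryptedById.set(id, responses[i][j])));
  return unit.map((f) => (decryptedById.has(f.id) ? { ...f, value: decryptedById.get(f.id) } : { ...f }));
}

// One iteration of the monitor loop. state.fingerprint is the last unit seen; when the
// displayed unit has not changed, the state is returned untouched (back to block 408-1).
// Every newly displayed unit is decrypted afresh: no decrypted form of a previous page is kept.
function monitorStep(state, displayedUnit) {
  const fp = fingerprint(displayedUnit);
  if (fp === state.fingerprint) return state;
  const requests = buildDecryptionRequests(displayedUnit);
  const responses = requests.map((r) => server.decrypt(r.items));
  return { fingerprint: fp, rendered: renderDecrypted(displayedUnit, requests, responses) };
}

// FIG. 7, blocks 710 to 718: the paused SAVE request has its clear field values sent for
// encryption, the encrypted values replace them in the request, and the save resumes.
// The on-screen fields are not touched here, so the user keeps seeing the clear data.
function interceptSave(saveRequest) {
  const names = Object.keys(saveRequest.fields);
  const encrypted = server.encrypt(names.map((n) => saveRequest.fields[n]));
  const fields = Object.fromEntries(names.map((n, i) => [n, encrypted[i]]));
  return { ...saveRequest, fields, paused: false };
}

// Sample run: page 1 of a constructed CRM record, the same page again (no change),
// then a SAVE of edited clear data.
const page1 = [
  { id: 'company', kind: 'text', value: 'enc:ACME Corp' },
  { id: 'contact', kind: 'text', value: 'enc:Alice' },
  { id: 'logo', kind: 'image', value: 'enc:<constructed image bytes>' },
];
const shown = monitorStep({ fingerprint: null, rendered: null }, page1);
const unchanged = monitorStep(shown, page1);
const saved = interceptSave({ paused: true, fields: { company: 'ACME Corp', contact: 'Alice Smith' } });
console.log(shown.rendered.map((f) => f.value), unchanged === shown, saved.fields);
```

In a real extension the fingerprint would be taken from the rendered DOM and the stand-in `server` replaced by the asynchronous call to the home server; the batching and the id-based replacement stay the same, and the defender-relevant property is visible in `interceptSave`: the only value that ever reaches the data store is the encrypted one.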

[0088] There is therefore provided, in accordance with an embodiment of the disclosure, a method for decrypting data. The method, which for example, may be performed automatically, comprises: monitoring a display screen of a computer for changes in the data being displayed in an application running on the computer; and responding to a detected change in the data available for being displayed on the display screen. The response includes: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to a decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the application on the display screen.

[0089] Optionally, the replacing the encrypted data with the decrypted data is such that the decrypted data replaces the encrypted data at corresponding locations available for display on the display screen. Optionally, the monitoring is performed by a monitor component. Optionally, the monitoring of the display screen and the responding to the detected change are performed in real time. Optionally, the method additionally comprises: storing data as encrypted data; and, the computer obtaining at least a portion of the encrypted data for display on the display screen of the computer. Optionally, the at least a portion of the encrypted data displays on the display screen as at least one predetermined unit available for display on the display screen. Optionally, the application causes the encrypted data to be available for display as the at least one predetermined unit on the display screen. Optionally, the at least one predetermined unit is created by the application. Optionally, the application includes a web application. Optionally, the monitoring is performed by a browser extension. Optionally, the sending the extracted data to a decryptor for decrypting the data includes: providing at least one decryption request for decrypting of the extracted data. Optionally, the at least one decryption request includes at least one decryption request for text and/or at least one decryption request for images, in accordance with text and/or images being decrypted. Optionally, the at least one decryption request includes at least one identifier, that is for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data. Optionally, the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted. Optionally, the method additionally comprises: obtaining a master key for decrypting the encrypted user decryption key. Optionally, upon the decrypted data rendered to the application to be available for display, issuing a command to prevent the decrypted data from being copied.

[0090] There is therefore provided in accordance with an embodiment of the disclosure, a system for maintaining data as encrypted. The system comprises: a decryptor for decrypting data; an application hosted by a computer; and, a monitor component (MC) in communication with the decryptor and the application. The monitor component is configured for: monitoring a display screen of a computer for changes in the data being displayed in the application running on the computer; and, responding to a detected change in the data available for being displayed on the display screen on the computer by: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to the decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the application on the display screen. The system, for example, operates automatically and in real time.

[0091] Optionally, the system additionally comprises a data store in communication with the monitor component for storing data as encrypted data. Optionally, the monitor component configured for replacing the encrypted data with the decrypted data includes replacing the decrypted at locations available for display on the display screen corresponding to the locations of the encrypted data. Optionally, the monitoring of the display screen and the responding to the detected change are performed in real time. Optionally, the application causes the encrypted data to be available for display as at least one predetermined unit on the display screen. Optionally, the monitor component is additionally configured for providing at least one decryption request for decrypting of the extracted data, for sending with the extracted data. Optionally, the monitor component provides the at least one decryption request as at least one of: a decryption request for text, and/or a decryption request for images, in accordance with text and/or images being decrypted. Optionally, the monitor component provides the at least one decryption request with at least one identifier for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data. Optionally, the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted. Optionally, the decryptor is configured to obtain a master key for decrypting the encrypted user decryption key. Optionally, the monitor component is configured for issuing a command to prevent the decrypted data from being copied, upon the decrypted data being rendered to the application to be available for display in the application.

[0092] There is therefore provided in accordance with an embodiment of the disclosure, another system for maintaining data as encrypted. The system, for example, operates automatically. The system comprises: a decryptor for decrypting data; a web application hosted by a computer; and, a browser extension (BRE) associated with the computer, and, in communication with the decryptor and the application. The browser extension is configured for: monitoring a display screen of a computer for changes in the data being displayed in the web application running on the computer; and, responding to a detected change in the data available for being displayed on the display screen of the computer by: extracting encrypted data available for display on the display screen; sending the extracted encrypted data to the decryptor for decrypting the data; receiving the decrypted data; and, replacing the encrypted data with the decrypted data, the decrypted data being available for display in the web application on the display screen. The system, for example, operates automatically and in real time.

[0093] Optionally, the system additionally comprises a data store in communication with the browser extension for storing data as encrypted data. Optionally, the browser extension configured for replacing the encrypted data with the decrypted data includes placing the decrypted data at locations available for display on the display screen corresponding to the locations of the encrypted data. Optionally, the monitoring of the display screen and the responding to the detected change are performed in real time. Optionally, the web application causes the encrypted data to be available for display as at least one predetermined unit on the display screen. Optionally, the browser extension is additionally configured for providing at least one decryption request for decrypting of the extracted data, for sending with the extracted data. Optionally, the browser extension provides the at least one decryption request as at least one of: a decryption request for text, and/or a decryption request for images, in accordance with text and/or images being decrypted. Optionally, the browser extension provides the at least one decryption request with at least one identifier for matching with a corresponding identifier associated with the decryptor prior to the decryptor decrypting the encrypted data. Optionally, the at least one identifier is used to obtain a user decryption key, the user decryption key being encrypted. Optionally, the decryptor is configured to obtain a master key for decrypting the encrypted user decryption key. Optionally, the browser extension is configured for issuing a command to prevent the decrypted data from being copied, upon the decrypted data being rendered to the web application to be available for display in the web application.

[0094] There is therefore provided in accordance with an embodiment of the disclosure, a method for encrypting edited data. The method comprises: receiving input data at a location displayed on a computer by an application; detecting a SAVE action for a SAVE procedure for saving the input data; and taking control of the SAVE procedure from an operating system of the computer. Taking control of the SAVE procedure includes: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the input data at its location in the application with the encrypted data; and, resuming the SAVE procedure. The method is, for example, performed automatically and in real time.

[0095] Optionally, the SAVE procedure includes sending the encrypted data to storage media. Optionally, saving the input data includes saving the input data in storage media. Optionally, the location includes at least one of a field and/or a box in the application. Optionally, the input data includes clear data. Optionally, the method additionally comprises: monitoring the computer for a SAVE action. Optionally, the application includes a web application. Optionally, the monitoring and detecting the SAVE action is performed by a browser extension. Optionally, the monitoring and detecting the SAVE action is performed by a monitor component.

[0096] There is therefore provided in accordance with an embodiment of the disclosure, a system for encrypting edited data. The system comprises: an application for receiving and displaying input data at a location in an area available for display associated with a display screen of a computer; and, a monitor component associated with the computer. The monitor component is configured for: detecting a SAVE action for a SAVE procedure for saving the input data; and, taking control of the SAVE procedure from an operating system of the computer, including: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the input data at its location in the application with the encrypted data; and, resuming the SAVE procedure. The system, for example, operates automatically and in real time.

[0097] Optionally, the monitor component is additionally configured for resuming the SAVE procedure by causing sending of the encrypted data to storage media. Optionally, the system additionally comprises: storage media for storing received data as encrypted. Optionally, the location includes at least one of a field and/or a box in the application. Optionally, the monitor component is additionally configured to monitor the computer for a SAVE action to detect the SAVE action.

[0098] There is therefore provided in accordance with an embodiment of the disclosure, a web-based system for encrypting edited data. The system comprises: a web application for receiving and displaying input data at a location in an area available for display associated with a display screen of a computer; and, a browser extension associated with the computer, the browser extension configured for: detecting a SAVE action for a SAVE procedure for saving the input data; and, taking control of the SAVE procedure from an operating system of the computer, by: pausing the SAVE procedure; extracting the input data and sending the input data for encryption; receiving the input data as encrypted data; replacing the input data at its location in the web application with the encrypted data; and, resuming the SAVE procedure. The system, for example, operates automatically and in real time.

[0099] Optionally, the browser extension is additionally configured for resuming the SAVE procedure by causing sending of the encrypted data to storage media. Optionally, the system additionally comprises storage media for storing received data as encrypted. Optionally, the location includes at least one of a field and/or a box in the application. Optionally, the browser extension is additionally configured to monitor the computer for a SAVE action to detect the SAVE action.

[00100] In the description and claims of the present application, each of the verbs, “comprise,” “include” and “have,” and conjugates thereof, are used to indicate that the object or objects of the verb are not necessarily a complete listing of components, elements or parts of the subject or subjects of the verb.

[00101] Descriptions of embodiments of the invention in the present application are provided by way of example and are not intended to limit the scope of the invention. The described embodiments comprise different features, not all of which are required in all embodiments of the invention. Some embodiments utilize only some of the features or possible combinations of the features. Variations of embodiments of the invention that are described, and embodiments of the invention comprising different combinations of features noted in the described embodiments, will occur to persons of the art. The scope of the invention is limited only by the claims.