Controlling access to protected objects
Abstract
A device operated by a user may store an object to which access is to be regulated, which may be achieved by encrypting the object with an encryption key and sending the key to a server having a key store. When a user of the device requests access to the object, the server may authenticate the user (e.g., according to a credential submitted by the user) and verify a trust identifier of the device (e.g., authorization to access the object through the device, and/or the integrity of the device), before sending to the device a ticket granting access to the key. The device may send the ticket to the server, receive the key from the server, decrypt the stored encrypted object, and provide the object to the user. This mechanism promotes rapid access upon request and efficient use of the server, and enables remote revocation of access.
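The ticket flow the abstract describes, as an added Python example; it is not code from the patent. The HMAC-SHA256 ticket format, the PBKDF2 password credential, the 60-second ticket lifetime, the plain-string device identifier, and all class and method names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

class KeyServer:
    """Hypothetical key server: per-device grants, signed tickets, revocation."""
    def __init__(self, ticket_ttl=60):
        self._mac_key = secrets.token_bytes(32)  # ticket signing key, never leaves the server
        self._keys, self._users, self._grants = {}, {}, set()
        self.ticket_ttl = ticket_ttl             # assumed ticket lifetime in seconds

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def store_key(self, object_id, key):         # device escrows the object key here
        self._keys[object_id] = key

    def assign(self, user, device_id, object_id):    # record the per-device privilege
        self._grants.add((user, device_id, object_id))

    def revoke(self, user, device_id, object_id):    # remote revocation
        self._grants.discard((user, device_id, object_id))

    def _sign(self, body):
        return hmac.new(self._mac_key, body, hashlib.sha256).hexdigest().encode()

    def request_ticket(self, user, password, device_id, object_id, now=None):
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._kdf(password, salt), stored):
            return None  # credential check failed
        if (user, device_id, object_id) not in self._grants:
            return None  # no privilege assigned to this particular device
        now = time.time() if now is None else now
        body = json.dumps({"u": user, "d": device_id, "o": object_id,
                           "exp": now + self.ticket_ttl}, sort_keys=True).encode()
        return body.decode() + "." + self._sign(body).decode()

    def redeem(self, ticket, now=None):
        body, _, mac = ticket.rpartition(".")
        if not hmac.compare_digest(self._sign(body.encode()), mac.encode()):
            return None  # forged or altered ticket
        t = json.loads(body)
        now = time.time() if now is None else now
        if now > t["exp"] or (t["u"], t["d"], t["o"]) not in self._grants:
            return None  # expired, or privilege revoked after the ticket was issued
        return self._keys.get(t["o"])
```

Because `redeem` re-checks the stored assignment, a ticket issued before a revocation no longer releases the key, which is the remote-revocation property the abstract mentions.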
20 Claims
1. A method of regulating access, by a server having a processor and a key store that stores a key, to an object encrypted with the key and stored on a device operated by a user, the method comprising:
- executing, on the processor, instructions that cause the server to:
  - receive a request of a user to establish an assignment, to a particular device of a user, of an access privilege authorizing the particular device to access the object;
  - store a record of the assignment of the access privilege to the particular device of the user of the access privilege to access the object;
  - receive a request from the particular device to access the key;
  - verify that the access privilege requested by the user authorizes the particular device to access the object; and
  - responsive to verifying the access privilege:
    - generate a ticket granting access to the key and indicating the access privilege assigned to the particular device for access to the object, and
    - send the ticket to the particular device; and
  - responsive to receiving the ticket from the particular device:
    - verify the ticket, and
    - responsive to verifying the ticket, send the key to the particular device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of accessing objects on a device operated by a user and having a processor and a data store using a server having a key store, the method comprising:
- executing on the processor instructions that cause the device to:
  - receive a key;
  - encrypt at least one object with the key to generate an encrypted object;
  - store the encrypted object in the data store;
  - send the key to the server;
  - responsive to a request to access the object:
    - submit to the server:
      - at least one credential authenticating the user, and
      - an identifier device identifier of the device; and
    - receiving a ticket from the server indicating an access privilege that has been assigned particularly to the device for accessing the object responsive to a request of the user of the device to establish an assignment of an access privilege, particular to the device, to authorize the device to access the object;
    - sending the ticket to the server; and
    - responsive to receiving a key from the server:
      - decrypting the encrypted object with the key to generate an unencrypted object, and
      - presenting the unencrypted object in response to the request.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19
20. A server that regulates access to an object encrypted with a key, the server comprising:
- a processor; and
- a memory storing:
  - a key store for the key; and
  - instructions that, when executed by the processor, cause the server to fulfill a request from a device of a user to access the key, wherein the request includes a trust identifier establishing that the user has authorized the device to access the object by:
    - receiving a request of a user to establish an assignment, to a particular device of the user, of an access privilege authorizing the particular device to access the object;
    - storing a record of the assignment of the access privilege to the particular device of the user of the access privilege to access the object;
    - verifying that the access privilege requested by the user authorizes the particular device to access the object;
    - responsive to verifying the access privilege:
      - generating a ticket granting access to the key and indicating the access privilege requested by the user for the particular device to access to the object, and
      - sending the ticket to the device; and
    - responsive to receiving the ticket from the device:
      - verifying the ticket, and
      - responsive to verifying the ticket, sending the key to the particular device.
Specification