Method and apparatus for accessing secured electronic data off-line

US 10,360,545 B2
Filed: 02/12/2002
Issued: 07/23/2019
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for accessing secured data off-line, the method comprising:

sending a request to a server from a client machine via a private link provided by an internal network using a secured communication protocol used to retrieve secured data, the request including at least;

credential information associated with a user to access the secured data on the client machine;

information identifying operations to perform with the secured data;

information identifying a location where the secured data will be accessed; and

a duration the secured data is to be accessible on the client machine when the client machine is off-line;

receiving at the client machine, from the server, via the private link, a response to the request and the secured data which is accessed on the client machine without the client machine being coupled to the server;

determining that the client machine is off-line and disconnected from the internal network;

recording, by the client machine, activities involving the secured data on the client machine during an off-line period;

determining, after the off-line period in response to the client machine coupling again to the server, that the client machine is on-line and coupled to the server; and

reporting the recorded activities to the server from the client machine once the client machine is again on-line and coupled to the server.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and Apparatus for access secured electronic data are disclosed. According to one aspect, an off-line access mechanism in a client machine is activated to facilitate those users on the go to access secured electronic data. When a user decides to be away from a network premises or on a business trip, an off-line access request may be generated by the off-line access mechanism and forwarded to a server. In response, the server may grant the off-line access request to the user as well as the client machine from which the user will access the secured electronic data off-line. Depending on implementation, the AC may provide amended or tentative access rules, access privileges or user keys that will automatically expire when a predetermined time ends or become invalid the next time the client machine is connected to the server.

722 Citations

32 Claims

1. A method for accessing secured data off-line, the method comprising:
- sending a request to a server from a client machine via a private link provided by an internal network using a secured communication protocol used to retrieve secured data, the request including at least;
  
  credential information associated with a user to access the secured data on the client machine;
  
  information identifying operations to perform with the secured data;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client machine when the client machine is off-line;
  
  receiving at the client machine, from the server, via the private link, a response to the request and the secured data which is accessed on the client machine without the client machine being coupled to the server;
  
  determining that the client machine is off-line and disconnected from the internal network;
  
  recording, by the client machine, activities involving the secured data on the client machine during an off-line period;
  
  determining, after the off-line period in response to the client machine coupling again to the server, that the client machine is on-line and coupled to the server; and
  
  reporting the recorded activities to the server from the client machine once the client machine is again on-line and coupled to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 31)
- - 2. The method as recited in claim 1, wherein receiving the response at the client machine includes receiving secured data that includes a header and an encrypted data portion.
  - 3. The method as recited in claim 2, wherein receiving the response at the client machine includes receiving the header that includes encrypted security information to control restrictive access control to the encrypted data portion.
  - 4. The method as recited in claim 3, wherein receiving the response at the client machine includes receiving security information that further includes at least a set of access rules and a file key.
  - 5. The method as recited in claim 4, wherein the file key, once obtained, is used to decrypt the encrypted data portion at the client machine.
  - 6. The method as recited in claim 4, wherein an off-line access mechanism keeps a user key activated by the received response, and wherein the user key is associated with the user.
  - 7. The method as recited in claim 6, wherein the user key expires when the duration ends.
  - 8. The method as recited in claim 6, further comprising expiring the user key in response to a connection to the server being restored anytime in the duration.
  - 9. The method as recited in claim 6, further comprising receiving the user key from the server after the request is approved by the server.
  - 10. The method as recited in claim 9, wherein receiving the user key includes receiving one or more of a private key and a public key, and wherein the private key is used to decrypt the encrypted security information to retrieve the access rules.
  - 11. The method as recited in claim 10, further comprising:
    - decrypting the encrypted data portion using the private key to retrieve the access rules; and
      
      in response to measuring the access rules successfully against the information included in the request, retrieving the file key to decrypt the encrypted data portion.
  - 12. The method as recited in claim 10, further comprising generating the encrypted security information with the public key.
  - 31. The method as recited in claim 10, further comprising:
    - decrypting the encrypted data portion using the private key to retrieve the access rules; and
      
      in response to measuring the access rules unsuccessfully against the information included in the request, denying access to the encrypted data portion.

13. An apparatus comprising:
- a processor;
  
  a non-transitory computer-readable storage medium configured to store computer-readable instructions that, in response to being executed by the processor, cause the processor to perform operations for accessing secured data off-line, the operations comprising;
  
  sending a request to a server from a client via a private link provided by an internal network using a secured communication protocol used to retrieve the secured data, the request including at least;
  
  credential information associated with a user to access the secured data on the client;
  
  information identifying operations to perform with the secured data;
  
  information identifying one or more applications used to perform the identified operations;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client when the client is off-line;
  
  receiving at the client, from the server, via the private link, a response to the request and the secured data which is accessed on the client using the one or more applications without the client being coupled to the server;
  
  determining that the client machine is off-line and disconnected from the internal network;
  
  recording, by the client, activities involving the secured data and the one or more applications on the client during an off-line period;
  
  determining, after the off-line period in response to the client coupling again to the server, that the client is on-line and coupled to the server; and
  
  reporting the recorded activities to the server from the client once the client is again on-line and coupled to the server.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 32)
- - 14. The apparatus as recited in claim 13, wherein receiving the response includes receiving secured data that includes a header and an encrypted data portion.
  - 15. The apparatus as recited in claim 14, wherein receiving the response at the client includes receiving the header that includes encrypted security information to control restrictive access control to the encrypted data portion.
  - 16. The apparatus as recited in claim 15, wherein receiving the response at the client includes receiving security information that further includes at least a set of access rules and at least a file key.
  - 17. The apparatus as recited in claim 16, wherein the file key, once obtained, is used to decrypt the encrypted data portion at the client.
  - 18. The apparatus as recited in claim 16, wherein an off-line access mechanism keeps a user key activated by the received response, and wherein the user key is associated with the user.
  - 19. The apparatus as recited in claim 18, wherein the user key expires when the duration ends.
  - 20. The apparatus as recited in claim 18, the operations further comprising expiring the user key in response to a connection to the server being restored anytime in the duration.
  - 21. The apparatus as recited in claim 18, wherein the user key is activated after the request is approved by the server.
  - 22. The apparatus as recited in claim 21, wherein the user key is activated by activating one or more of a private key and a public key, and wherein the private key is used to decrypt the encrypted security information to retrieve the access rules.
  - 23. The apparatus as recited in claim 22, the operations further comprising:
    - decrypting the encrypted data portion using the private key to retrieve the access rules; and
      
      in response to measuring the access rules successfully against the information included in the request, retrieving the file key to decrypt the encrypted data portion when the access rules measure successfully against access privilege of the user associated with the user key.
  - 24. The apparatus as recited in claim 22, the operations further comprising generating the encrypted security information with the public key.
  - 32. The apparatus recited in claim 22, the operations further comprising:
    - decrypting the encrypted data portion using the private key to retrieve the access rules; and
      
      in response to measuring the access rules unsuccessfully against the information included in the request, denying access to the encrypted data portion.

25. A system for accessing secured data off-line, the system comprising:
- a client machine having a processor and a non-transitory computer-readable storage medium, storing modules executed by the processor comprising;
  
  an access request module executable on the client machine and configured to send a request to a server via a private link provided by an internal network using a secured communication protocol used to retrieve secured data, the request including at least;
  
  credential information associated with a user to access the secured data on the client machine;
  
  information identifying operations to perform with the secured data;
  
  information identifying one or more applications used to perform the identified operations;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client machine when the client machine is off-line;
  
  an off-line access manager configured to receive, at the client machine, a response to the request and the secured data which is accessed on the client machine without the client machine being coupled to the server;
  
  an access report module executable on the client machine and configured to determine that the client machine is off-line and disconnected from the internal network and record activities involving the secured data on the client machine during an off-line period; and
  
  a reporting module executable on the client machine configured to determine, after the off-line period and in response to the client machine coupling again to the server, that the client machine is on-line and to transmit the recorded activities to the server from the client once the client machine is again on-line and coupled to the server.

26. A non-transitory computer-readable storage medium having instructions stored thereon, execution of which, by a processor, causes the processor to perform operations comprising:
- sending a request to a server from a client via a private link provided by an internal network using a secured communication protocol that is used to retrieve secured data, the request including at least;
  
  credential information associated with a user to access the secured data on the client;
  
  information identifying operations to perform with the secured data;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client when the client is off-line;
  
  receiving at the client, from the server, via the private link, a response to the request and the secured data which is accessed on the client without the client being coupled to the server;
  
  determining that the client machine is off-line and disconnected from the internal network;
  
  recording, by the client, activities involving the secured data on the client during an off-line period;
  
  determining, after the off-line period and in response to the client machine coupling again to the server, that the client machine is on-line and coupled to the server; and
  
  reporting the recorded activities to the server from the client once the client is again on-line and coupled to the server.

27. An apparatus comprising:
- a computer executing computer-readable instructions stored on a non-transitory computer-readable storage medium, causing the computer to perform operations for providing access to secured data via a private link provided by an internal network using a secured communication protocol used to retrieve the secured data, the operations comprising;
  
  receiving a request from a client, the request including at least;
  
  information identifying the secured data to be accessed;
  
  credential information associated with a user to access the secured data on the client;
  
  information identifying operations to perform with the secured data;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client when the client is off-line;
  
  retrieving access rules associated with the secured data identified in the request;
  
  measuring the retrieved access rules against access privileges of the user associated with the credential information included in the request;
  
  transmitting, via the private link, a response to the request and the secured data, the secured data including a header portion and a secured data portion, the header portion including automatically expiring access rules, access privileges, or user keys allowing limited activities to be performed on the secured data portion of the secured electronic document during an off-line period where the client is disconnected from the internal network, the secured data portion including at least;
  
  an encrypted data portion; and
  
  a set of access rules that facilitate restrictive access to the encrypted data portion;
  
  determining, after the off-line period in response to the client coupling again to the internal network, that the client is on-line and coupled to the apparatus; and
  
  receiving a report from the client once the client is again on-line and coupled to the apparatus, the report identifying activities involving the secured data on the client during the off-line period.
- View Dependent Claims (28, 29)
- - 28. The apparatus as recited in claim 27, wherein transmitting the response to the client includes transmitting a header portion that further includes at least a set of access rules and a file key.
  - 29. The apparatus as recited in claim 28, wherein the file key, once obtained, is used to decrypt the encrypted data portion at the client.

30. A system for providing access to secured data, the system comprising:
- a processor and a non-transitory computer-readable storage medium storing modules, the modules comprising;
  
  an access monitor module executable on a server machine and configured to receive a request from a client via a private link provided by an internal network using a secured communication protocol used to retrieve secured data, the request including at least;
  
  information identifying the secured data;
  
  credential information associated with a user to access the secured data on the client;
  
  information identifying operations to perform with the secured data;
  
  information identifying a location where the secured data will be accessed; and
  
  a duration the secured data is to be accessible on the client when the client is off-line;
  
  a rules manager executable on the server machine and configured to;
  
  retrieve access rules associated with the secured data identified in the request; and
  
  measure the retrieved access rules against the information included in the request;
  
  an off-line access manager configured to send to the client, via the private link, a response to the request and the secured data, the secured data including a header portion and a secured data portion, the header portion including automatically expiring access rules, access privileges, or user keys allowing, based on information included in the request, limited activities to be performed on the secured data portion of the secured electronic document during an off-line period where the client is disconnected from the internal network, the secured data portion including at least;
  
  an encrypted data portion; and
  
  a set of access rules that facilitate restrictive access to the encrypted data portion; and
  
  an access report module executable on the server machine and configured to determine, after the off-line period and in response to the client coupling again to the internal network, that the client is on-line and coupled to the server machine and to receive report from the client identifying activities involving secured data on the client when the client is again on-line and coupled to the server machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Lee, Chang-Ping, Garcia, Denis Jacques Paul, Hildebrand, Hal, Vainstein, Klimenty
Primary Examiner(s)
Hewitt, II, Calvin L
Assistant Examiner(s)
Sherr, Cristina Owen

Application Number

US10/074,825
Publication Number

US 20170116431A1
Time in Patent Office

6,370 Days
Field of Search

705 51- 59, 380259, 380287, 380 59, 713182, 713189, 713193, 713194, 713200-202, 713150-152
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/74   operating in dual or compar...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2117   User registration

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06Q 20/1235   with control of digital rig...

G06Q 2220/18   Licensing

H04L 63/0846   using time-dependent-passwo...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Method and apparatus for accessing secured electronic data off-line

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

722 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for accessing secured electronic data off-line

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

722 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links