Method and apparatus for a web-based application service model for security management
Abstract
The invention combines cryptographic key management technology with various authentication options and the use of a companion PKI system in a web-centric cryptographic key management security method and apparatus called PXa3™ (Precise eXtensible Authentication, Authorization and Administration). The PXa3 model uses a security profile unique to a network user and the member domain(s) he/she belongs to. A PXa3 server holds all private keys and certificates and the user's security profile, including credentials and the optional authentication enrollment data. The server maintains a security profile for each user, and administrators simply transmit credential updates and other periodic maintenance updates to users via their PXa3 server-based member accounts. Domain and workgroup administrators also perform administrative chores via a connection to the PXa3 web site, rather than on a local workstation. A member's security profile, containing algorithm access permissions, credentials, domain and maintenance values, a file header encrypting key, optional biometric templates, and domain-specific policies, is contained in one of two places: either on a removable cryptographic token (e.g., a smart card), or on a central server-based profile maintained for each member and available as a downloadable “soft token” over any Internet connection.
535 Citations
58 Claims
1. A method for providing cryptographic capabilities to a plurality of network users over a decentralized public network, the method comprising:
(a) receiving a request for an access permission security profile on behalf of a network user;
(b) authenticating the request;
(c) creating the access permission security profile, to be used in forming a cryptographic key for enabling the network user to decrypt selected portions of an encrypted object and to encrypt selected portions of a plaintext object; and
(d) securely transmitting the access permission security profile to the network user over the network.
(Dependent claims: 2, 3, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 27, 28, 29, 30, 31, 57, 58)
4. A method for providing decryption capabilities to a plurality of network users over a decentralized public network, the method comprising:
(a) receiving a request for decryption capabilities on behalf of a network user;
(b) authenticating the request;
(c) creating an access permission security profile to be used in forming a cryptographic key for enabling the network user to decrypt an encrypted object;
(d) receiving from the user information associated with the encrypted object;
(e) generating a cryptographic key using the access permission security profile and the received information associated with the encrypted object; and
(f) securely transmitting the cryptographic key to the network user over the network.
(Dependent claims: 5, 6)
7. A method for cryptographically securing the distribution of information over a decentralized public network to a plurality of network users, the method comprising:
(a) creating a computer representable data object including one or more embedded objects;
(b) selecting one or more embedded objects of the data object to be encrypted;
(c) encrypting the selected embedded objects;
(d) creating one or more access permission credentials;
(e) assigning an access permission credential to each of the selected embedded objects, wherein the access permission credential ensures that only authorized users are able to decrypt encrypted embedded objects of the data object;
(f) authorizing the user; and
(g) transmitting the data object over the network.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14)
23. A method for controlling access to a secured system, the method comprising:
(a) selecting one or more portions of the system to be secured;
(b) creating one or more groups of system users, said groups defining which users are to be allowed access to which secured portions of the system;
(c) establishing one or more access codes for each group;
(d) assigning the access codes to the secured portions of the system, wherein each access code is adapted to be combined with other components to form a key for controlling access to one or more secured portions of the system;
(e) securing the access codes; and
(f) distributing over a decentralized public network the secured access codes to users of the system who are to be allowed access to one or more of the selected portions of the system.
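The following is an added illustrative model of the steps described in claims 4, 7 and 23: a data object whose selected embedded objects are encrypted under keys formed by combining a group access code (held in the user's security profile) with information associated with the object. It is example code written for this page, not the patent's PXa3 implementation. The HMAC-SHA256 key-forming function, the HMAC-based stand-in cipher, the group names and the document contents are all constructed assumptions, chosen so the example runs on the Python standard library alone.

```python
"""Illustrative model of claims 4, 7 and 23 (example code, not the patent's
PXa3 implementation). Assumed, not from the patent: HMAC-SHA256 as the
key-forming function, and an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag standing in for a real AEAD cipher."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def form_key(access_code: bytes, object_info: bytes) -> bytes:
    """Claim 4(e) / 23(d): the group access code is one key component, the
    per-object information is the other; neither alone yields the object key."""
    return hmac.new(access_code, b"object-key|" + object_info, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the object key.
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, sealed: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails (wrong access code or tampering)."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def protect(data_object: Dict[str, bytes], assignments: Dict[str, str],
            group_codes: Dict[str, bytes]) -> dict:
    """Claim 7(b)-(e): encrypt only the selected embedded objects, each under the
    access code of the group assigned to it; unselected parts stay in plaintext.
    The header carries the per-object information a recipient needs (claim 4(d))."""
    protected = {"parts": {}, "header": {}}
    for name, content in data_object.items():
        group = assignments.get(name)
        if group is None:
            protected["parts"][name] = content
            continue
        nonce = os.urandom(16)
        key = form_key(group_codes[group], name.encode() + b"|" + nonce)
        protected["parts"][name] = seal(key, nonce, content)
        protected["header"][name] = {"group": group, "nonce": nonce}
    return protected


def recover(protected: dict, profile: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """A user's profile maps group -> access code. Encrypted parts the profile
    does not cover, or whose tag does not verify, come back as None."""
    result: Dict[str, Optional[bytes]] = {}
    for name, content in protected["parts"].items():
        meta = protected["header"].get(name)
        if meta is None:
            result[name] = content
            continue
        code = profile.get(meta["group"])
        if code is None:
            result[name] = None
            continue
        key = form_key(code, name.encode() + b"|" + meta["nonce"])
        result[name] = unseal(key, meta["nonce"], content)
    return result


# Constructed sample data (not from the patent).
GROUP_CODES = {"finance": os.urandom(32), "legal": os.urandom(32)}
DOCUMENT = {
    "cover": b"Quarterly report - distribution copy",
    "ledger": b"revenue=1200;expenses=900",
    "contract": b"supplier terms, confidential",
}
ASSIGNMENTS = {"ledger": "finance", "contract": "legal"}


def demo_finance_user() -> Dict[str, Optional[bytes]]:
    """A member whose profile holds only the finance access code."""
    return recover(protect(DOCUMENT, ASSIGNMENTS, GROUP_CODES), {"finance": GROUP_CODES["finance"]})
```

Running `demo_finance_user()` returns the plaintext cover and ledger, and `None` for the contract, which the finance profile cannot unlock; a tampered ciphertext or a wrong access code likewise yields `None` rather than garbage, which is the property a real deployment would get from an authenticated cipher in place of the stand-in used here.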
32. A method for administering cryptographic capabilities over a decentralized public network to a plurality of network users, the method comprising:
(a) identifying one or more groups of network users for defining which users are to be provided with cryptographic capabilities;
(b) creating a member account for each network user in each group;
(c) performing administrative tasks associated with maintaining the member accounts in a single database;
(d) establishing one or more access codes for each group, wherein each access code is adapted to be combined with other components to form a cryptographic key;
(e) creating one or more security profiles for each network user in each group, wherein each security profile is stored in the user's member account and contains at least one access code;
(f) generating a member token relating to each security profile;
(g) securing the security profiles and related member tokens; and
(h) distributing the member tokens over the network to individual network users upon authenticated request and according to each individual user's security profile.
(Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 47, 48, 49, 50, 51)
46. A centralized security management system for administering and distributing cryptographic capabilities over a decentralized public network, the system comprising:
(a) a set of server systems;
(b) a set of member domains, wherein each member domain is maintained on at least one of the server systems;
(c) a set of system maintenance tasks associated with maintaining the set of member domains;
(d) one or more system administrators for performing the set of system maintenance tasks;
(e) a set of members, wherein each member is associated with at least one member domain via a member account;
(f) a set of member security profiles, wherein each security profile is uniquely associated with a member account and provides cryptographic capabilities to the member associated with the member account;
(g) a set of administrative tasks associated with maintaining the set of member accounts; and
(h) a set of domain administrators for performing the administrative tasks remotely over the network.
52. A centralized security management system for distributing cryptographic capabilities to a plurality of network users over a decentralized public network, the system comprising:
(a) a plurality of member tokens for providing cryptographic capabilities to authenticated users of the decentralized public network;
(b) a set of server systems for managing the distribution of the member tokens;
(c) means for requesting a member token from at least one server system;
(d) a set of client systems, wherein each client system includes (i) means for receiving the requested member token, and (ii) means for utilizing the cryptographic capabilities provided by said member token; and
(e) means for securely distributing a requested member token from at least one server system to at least one client system over the decentralized public network.
(Dependent claims: 53, 54, 55, 56)
Specification