Method and system for protecting digital objects distributed over a network

US 20030051172A1
Filed: 10/23/2002
Published: 03/13/2003
Est. Priority Date: 09/13/2001
Status: Abandoned Application

First Claim

Patent Images

1. In a communications network, a system for protecting objects comprising:

a) an object server connected to the network, the object server running a first software program having instructions to be executed by the object server, said instructions including designating at least one object among a set of objects stored at the object server to be protected and determining a security policy for each protected object;

b) a requester device having means for requesting a protected object from the object server, the requester device connected to the network; and

c) a security server running a second software program providing protection services for objects designated by the first software program as protected objects, the security server connected to the network wherein the second software program has instructions to be executed by the security server for providing protection services, said instructions including;

i) obtaining the requested protected object from a storage location;

ii) combining the requested protected object with mobile code, a security policy, and object controls; and

iii) sending the requested protected object combined with mobile code, the security policy, and object controls to the requester device, wherein the mobile code instantiates the security policy and object controls for the requested protected object at the requester device upon receipt of the object such that the requested protected object may be accessed only in accordance with the security policy and object controls associated with the requested protected object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting objects stored on network servers are presented. An object server runs computer software that designates which objects are to be protected and the security policy for that object. If the object server receives a request for a protected object, the object server creates an enhanced request containing cryptographically protected data related to the request and to the requested object; this enhanced request is redirected to a security server. The security server authenticates the request, retrieves the requested object from the object server, a file server associated with the security server, or a local cache, encrypts the object, and combines the encrypted object with mobile code, the security policy, and object controls to implement the policy. This package is then sent to the requester, which executes the mobile code, resulting in the installation of the security policy and object controls on the requester computer. The requested object is rendered subject to the security policy and object controls. The security server maintains a logfile of actions taken on the object. This logfile can be used to create an audit trail for the object.

83 Citations

View as Search Results

42 Claims

1. In a communications network, a system for protecting objects comprising:
- a) an object server connected to the network, the object server running a first software program having instructions to be executed by the object server, said instructions including designating at least one object among a set of objects stored at the object server to be protected and determining a security policy for each protected object;
  
  b) a requester device having means for requesting a protected object from the object server, the requester device connected to the network; and
  
  c) a security server running a second software program providing protection services for objects designated by the first software program as protected objects, the security server connected to the network wherein the second software program has instructions to be executed by the security server for providing protection services, said instructions including;
  
  i) obtaining the requested protected object from a storage location;
  
  ii) combining the requested protected object with mobile code, a security policy, and object controls; and
  
  iii) sending the requested protected object combined with mobile code, the security policy, and object controls to the requester device, wherein the mobile code instantiates the security policy and object controls for the requested protected object at the requester device upon receipt of the object such that the requested protected object may be accessed only in accordance with the security policy and object controls associated with the requested protected object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The system of claim 1 wherein the security server further comprises means for receiving a redirected enhanced request for the requested protected object from the requester device, the enhanced request corresponding to the requestor'"'"'s device'"'"'s first request for the requested protected object, wherein the object server creates the enhanced request.
  - 3. The system of claim 1 wherein the security server further comprises means for verifying proper instantiation of the object controls.
  - 4. The system of claim 1 wherein the security server further comprises means for providing a decryption key to the requester computer upon verification of proper instantiation of the object controls and satisfactory authentication of a request from the requester device for the decryption key.
  - 5. The system of claim 1 wherein the security server further comprises means for encrypting the requested protected object.
  - 6. The system of claim 1 wherein the security server further comprises means for compressing the requested protected object before encrypting it.
  - 7. The system of claim 1 wherein the security server further comprises means for recording to a logfile information about events, the events belonging to a group comprising:
    - a) requests for action on a requested protected object initiated by the requester device;
      
      b) action taken on the protected object at the requester device; and
      
      c) actions taken by the security server related to the protection of the requested protected object.
  - 8. The system of claim 7 wherein the security server further comprises means for creating an audit trail from the information recorded to the logfile.
  - 9. The system of claim 7 wherein the information recorded is time of the event.
  - 10. The system of claim 7 wherein the information recorded is a network IP address of the requester device initiating the event.
  - 11. The system of claim 7 wherein the information recorded to the logfile includes a descriptor of the event.
  - 12. The system of claim 7 wherein the information recorded to the logfile includes a request sent to the security server.
  - 13. The system of claim 7 wherein the information sent by the requester device to the security server is cryptographically protected according to a protocol.
  - 14. The system of claim 7 further confirming means for establishing a connection between the requester device and the security server for recording information about requests for action initiated at the requester device, said connection to be established when there is no existing connection between said requester device and said security server.
  - 15. The system of claim 14 further comprising means for refusing a requested action on the protected object if a connection between the requester device and the security server cannot be established.
  - 16. The system of claim 7 further comprising means for an untethered requester device recording any actions on the requested protected object in a file on the requester device and means for sending the file to the security server when the requester device establishes a network connection to the security server.
  - 17. The system of claim 1 wherein the storage location is one of a local file server, a local cache, or the object server.
  - 18. The system of claim 1 wherein the object server further comprises:
    - a) means for sending a message to at least one recipient that at least one object stored at the object server which may be accessed by the at least one recipient, and b) means for generating a URL corresponding to the at least one object stored at the object server and which may be accessed by the at least one recipient, wherein the generated URL is included in the message to the at least one recipient.
  - 19. The system of claim 1 further comprising a sender device attached to the network, the sender device running a third software program associated with a browser at the sender device, said third software program comprising:
    - a) means for specifying at least one object stored at the object server which may be accessed by at least one recipient;
      
      b) means for identifying a security policy for the at least one object, the security policy specified by the sender temporarily overriding any security policy identified by the first software program at the object server; and
      
      c) means for sending a message to the security server to notify the at least one recipient that the specified at least one object may be accessed.
  - 20. The system of claim 19 wherein the security server comprises means for generating a URL corresponding to the at least one object stored at the object server.
  - 21. The system of claim 20 wherein the security server further comprises means for sending an e-mail to at least one identified recipient, said e-mail identifying the at least one object which may be accessed and including each generated URL corresponding to the at least one object stored at the object server.
  - 22. The system of claim 19 wherein the security server further comprises means for authenticating the message from the sending device.

23. In a communications network, a method for protecting objects comprising:
- a) receiving a request from a requestor device at an object server for a protected object;
  
  b) redirecting the request to a security server;
  
  c) obtaining the requested protected object, the obtainment performed by the security server;
  
  d) combining the requested protected object with the security policy, object controls, and mobile code;
  
  e) sending the requested protected object combined with the security policy, object controls, and mobile code to the requestor device; and
  
  f) executing the mobile code at the requester device when the mobile code is received at the requester device, wherein the mobile code instantiates the security policy and the object controls at the requester device such that the requested protected object is accessed in accordance with the security policy.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 24. The method of claim 23 further defined by the security server obtaining the requested protected object from the object server.
  - 25. The method of claim 23 further defined by the security server obtaining the requested protected object from a local cache.
  - 26. The method of claim 23 further defined by the security server obtaining the requested protected object from a local file server.
  - 27. The method of claim 23 further defined by the security server obtaining the security policy for the requested protected object from a local database.
  - 28. The method of claim 23 further defined by encrypting the requested protected object at the security server.
  - 29. The method of claim 24 further defined by redirecting an enhanced request created by the object server, the enhanced request being a second object including at least one of the following:
    - a) cryptographically protected authentication of the original request for the protected object;
      
      b) cryptographically protected time of the original request for the requested object;
      
      c) cryptographically protected serialization of the requested object; and
      
      d) cryptographically protected security policy for the requested object.
  - 30. The method of claim 23 further including providing a decryption key to the requester device.
  - 31. The method of claim 23 further defined by providing and protecting a record of requested actions and actions taken on protected objects by:
    - a) recording to a logfile information about events, the logfile stored on the security server, the events selected from a group consisting of;
      
      i) requests for action on the requested protected object initiated by the requester device;
      
      ii) actions taken on the requested protected object at the requester device;
      
      iii) actions taken by the security server relating to protection of the requested protected object, wherein the information about the event that is recorded is at least one of the following;
      
      A) local data;
      
      B) time of the event;
      
      C) a network IP address of the requester device initiating the event;
      
      D) a descriptor of the event; and
      
      E) a request sent to the security server; and
      
      b) providing an authorized user access to the logfile.
  - 32. The method of claim 31 further defined by providing object controls for a protected object instantiated on the requester device, said object controls denying an attempted action on a protected object at the requester device when the requester device is not in network communication with the security server.
  - 33. The method of claim 31 further defined by providing object controls for a protected object instantiated on the requester device, said object controls attempting to establish a connection between the requester device and the security server when the requester device is not in network communication with the security server and the requestor device attempts an action on the protected object.
  - 34. The method of claim 31 further defined by encrypting the information sent by the requester device to the security server.
  - 35. The method of claim 31 further defined by creating an audit trail with the logfile.
  - 36. The method of claim 31 further defined by recording in a file any actions on a protected object on an untethered requester device and sending the file to the security server when the requestor device establishes a network connection to the security server.
  - 37. The method of claim 31 further defined by restricting views of the logfile.
  - 38. The method of claim 23 further defined by designating at least one object stored at an object server to receive protection.
  - 39. The method of claim 38 further defined by determining a security policy for each protected object.
  - 40. The method of claim 23 further defined by:
    - a) receiving at the security server a notification from a sending device, said notification specifying at least one protected object stored at the object server to be accessible by at least one requester;
      
      b) generating a URL for each object to be accessed, said URL corresponding to the at least one object stored at the object server; and
      
      c) sending an e-mail message to the at least one requestor indicating the at least one object may be accessed, said message containing the URL for each object to be accessed, wherein referencing the URL requests the at least one protected object from the object server.
  - 41. The method of claim 40 further defined by authenticating the notification from the sending device.
  - 42. The method of claim 23 further defined by receiving at the requester device a message from an object server indicating that at least one object stored at the object server may be accessed by the requester device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OmniTrust Security Systems, Inc. (TriIs, Inc.)
Original Assignee
OmniTrust Security Systems, Inc. (TriIs, Inc.)
Inventors
Scheibe, Paul O., Robinson, Daniel J., Lordemann, David A.

Application Number

US10/279,378
Publication Number

US 20030051172A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04L 63/1425   Traffic logging, e.g. anoma...

Method and system for protecting digital objects distributed over a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting digital objects distributed over a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links