Web environment access control

US 20030079120A1
Filed: 08/30/2002
Published: 04/24/2003
Est. Priority Date: 06/08/1999
Status: Abandoned Application

First Claim

Patent Images

1. An access control system in a web environment;

having pre-encrypted files on a web server;

decryption keys provided to authorised users;

and a trusted user proxy for controlling file access and decrypting files received.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control system and method in a web environment having pre-encrypted files on a web server decryption keys provided to authorised users and a trusted user proxy for controlling file access and decrypting files received, in which files are encrypted using a file key (FK), and the FK is encrypted using a Group Encryption Key (GEK), and the user proxy has a Group Decryption Key (GDK) to decrypt the FK and the file. Each encrypted file is labelled with an Access Control Expression (ACE) which indicates which users or groups of users are authorised to decrypt and observe the file; this provides a secure client server system having pre-encrypted documents on the web-server, released to a decryption proxy on the client side, which controls access to, and decrypts the documents the client is allowed to see.

Citations

33 Claims

1. An access control system in a web environment;
- having pre-encrypted files on a web server;
  
  decryption keys provided to authorised users;
  
  and a trusted user proxy for controlling file access and decrypting files received.
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 29)
- - 2. A system as claimed in claim 1, in which documents are encrypted using a file key FK, and the FK is encrypted using a Group Encryption Key GEK, and the user proxy has a Group Decryption Key GDK to decrypt the FK and the file.
  - 4. A system as per claim 1 or 2, in which the GDK is symmetric with the GEK;
  - 5. A system as in any previous claim in which user proxy is a unit operating functionally separately to client side operating system.
  - 6. A system as in any previous claim in which each encrypted file is labelled with an Access Control Expression (ACE) which indicates which users or groups of users are authorised to decrypt and observe the file;
  - 7. A system as claimed in claim 6 in which the ACE is a formula defined in terms of groups combined with operators ‘
    - and’ and
      
      ‘
      
      or’
      
      .
  - 8. An access control system as claimed in claim 6 whereby the different groups can be combined formulaically so as to limit access to users in the right combination of groups.
  - 9. An access control system as in any previous claim whereby each user within a group is provided with one or more group decryption keys stored securely in the user proxy.
  - 10. An access control system as in any previous claim whereby the users can only decrypt files if the user has the right combination of GDKs for access.
  - 11. A system as claimed as in any previous claim in which the GDKs are distributed to authorised users using public key technology;
  - 12. A system as in any previous claim, in which the GDK is distributed using the security mechanisms of a net worked operating system;
  - 13. A system as in any previous claim, in which the GDK becomes invalid after a defined period of time;
  - 14. A system as in any previous claim in which the group decryption key is protected so that it is tamper proof and an application cannot pass it on to users not in the defined group;
  - 15. A system as in any previous claim in which the file data key is protected so that it is tamper proof and an application cannot pass it on to other users;
  - 16. A system as in any previous claim in which prior to encryption, files are checked by a release service for correct ACE and hidden data;
  - 17. A system as in any previous claim in which where data is drawn from other sources such as backend database it is embedded in a template rather than shown as a link;
  - 18. A system as in any previous claim in which data drawn from other sources is encrypted by the database engine;
  - 19. A system as in any previous claim in which data drawn from other sources is encrypted by a separate trusted server between database and web documents;
  - 20. A system as in any previous claim in which files are controlled by the ACE at variable granularity page by page.
  - 21. A system as claimed in claims 1-20 in which the system has encryption proxy located on user workstation
  - 22. A system as claimed in claims 1-20 in which the system has encryption proxy located on web server
  - 23. A decryption proxy for a system as in any previous claim which is installed on user workstation with access controls provided by workstation operating system set that the proxy has access to a file containing users group decryption key so that users application software is denied access to this file
  - 29. Method of file release for the system or method as in any previous claim comprising the following steps creating a file associating an ACE with the file releasing the file to the web server obtaining the users'"'"'sanction via a trusted path interface asking user to confirm ACE checking content for prohibited material uploading the file to the encrypt proxy on the server

24. A method of access control in a web environment, including;
- pre-encrypting files on a web server and providing a decryption key to authorised users;
  
  controlling access and effecting decryption by means of a trusted user proxy
- View Dependent Claims (30, 31, 32)
- - 30. A computer readable medium having a program recorded thereon in which the program causes a computer running the program to execute a procedure for access control according to the method of any of claims 24-29
  - 31. A computer program element adapted to cause a computer using such element to perform the method of any of claims 24-29
  - 32. A software carrier carry access control software which when operational provides means of operating method according to any of claims 24-29.

25. A method of restricting access to files to a limited number of groups of users across a computer network by means of encrypting the files by means of a File Key (FK), encrypting the FK by means of a Group Encryption Key, and providing only the limited number of groups with a means of decrypting the FK.

26. A method of controlling access to secure information in a distributed system having a server side including a web server and a server browser, and a client side including a browser and a user proxy including;
- labelling each file with an Access Control Expression (ACE), which indicates which users are permitted to observe the file;
  
  a file encryption key (FK) is generated and used to encrypt the file;
  
  the encrypted file is provided with a header containing information including the ACE enabling authorised users to decrypt the encrypted file;
  
  a group encryption key (GEK) is generated for defined groups of authorised users;
  
  a GEK encrypts the FK and adds it to the file header;
  
  placing on the web server the encrypted file, unencrypted information relating to the file, a header file containing Group ID, the FK in GEK, and the ACE;
  
  delivering to the users proxy a group decryption key (GDK) user retrieves file and proxy examines incoming encrypted file ACE in the header to see how or if decryption can take place;
  
  users group decryption key (GDK) is used to decrypt the files data key (FK) from the header;
  
  the file is then decrypted using the File key FK, the decrypted file is delivered to client side web browser
- View Dependent Claims (27)
- - 27. A method as per claim 26, in which the GDK is symmetric with the GEK;

28. A method as previously claimed in which the access controls are set on user operating system so that proxy but not application software has access to the file containing group keys (GK);

33. A system and method of controlling access to web environments substantially as herein described.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qinetiq Limited (QinetiQ Group PLC)
Original Assignee
Qinetiq Limited (QinetiQ Group PLC)
Inventors
Wilkinson, Timothy J., Hearn, David B., Hearn, Tina

Application Number

US10/231,444
Publication Number

US 20030079120A1
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/10   Protecting distributed prog...

G06F 21/62   Protecting access to data v...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/065   for group communications cr...

H04L 63/104   Grouping of entities

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0833   involving conference or gro...

Web environment access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Web environment access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links