Managing file access via a designated place

US 20030154381A1
Filed: 09/27/2002
Published: 08/14/2003
Est. Priority Date: 02/12/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining access to files via a designated store, the method comprising:

associating a security template with the store;

retrieving the security template when a file is deposited in the store;

encrypting the file in accordance with the security template to produce an encrypted data portion;

generating a header to include security information from the security template; and

integrating the header with the encrypted data portion to produce a secured file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing access to digital assets via a designated place or its sub-places are disclosed. The designated place may be a file folder, a directory, a local or remote store. The designated place is characterized by or associated with a securing module that causes all files stored in the designated place to have substantially similar security. In other words, a file to be secured can be simply dropped into the designated place and the securing module is configured to take actions to secure the file transparently in accordance with the security characteristics of the designated place. Likewise, a designated place can be set up to unsecure the secured files being deposited in the designated place, provided a user of the secured files is permitted to do so.

115 Citations

40 Claims

1. A method for determining access to files via a designated store, the method comprising:
- associating a security template with the store;
  
  retrieving the security template when a file is deposited in the store;
  
  encrypting the file in accordance with the security template to produce an encrypted data portion;
  
  generating a header to include security information from the security template; and
  
  integrating the header with the encrypted data portion to produce a secured file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the associating of the security template with the store includes providing the security template to a computing machine after one or both of the computing machine and a user thereof are authenticated.
  - 3. The method of claim 2, wherein the security template is managed by a server machine coupled to the computing machine over a network.
  - 4. The method of claim 3, wherein the store is located in one of the computing machine, the server machine or a separate storage device.
  - 5. The method of claim 1, wherein the security information includes at least a set of access rules controlling restrictive access to the encrypted data portion.
  - 6. The method of claim 5, wherein the access rules determine who and how the secured file can be accessed.
  - 7. The method of claim 5, wherein the access rules determine when or where the secured file can be accessed.
  - 8. The method of claim 5, wherein the access rules are expressed in a descriptive language.
  - 9. The method of claim 5, wherein the security information in the header is added at least a cipher key that, once obtained, can decrypt the encrypted data portion.
  - 10. The method of claim 9, wherein the cipher key is encrypted and directly or indirectly protected by access rules.
  - 11. The method of claim 1, wherein the generating of the header to include the security information from the security template comprises:
    - copying the security information into the header from the security template;
      
      obtaining a cipher key, that, once obtained, can decrypt the encrypted data portion; and
      
      encrypting the cipher key to produce an encrypted version of the cipher key.
  - 12. The method of claim 11, wherein the encrypted version of the cipher key is protected by the security information in the header of the secured file.

13. A method for determining access to files via a designated store, the method comprising:
- associating a security template with the store;
  
  retrieving the security template when a secured file is deposited by a user in the store, wherein the secured file includes a header and an encrypted data portion, the header including embedded security information controlling restrictive access to the encrypted data portion;
  
  evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to revise the embedded security information of the secured file; and
  
  superseding the embedded security information with current security information from the security template after the user is determined to be permitted to revise the embedded security information of the secured file.
- View Dependent Claims (14, 15, 16, 17, 19)
- - 14. The method of claim 13, wherein the superseding of the embedded security information with the current security information comprises:
    - preserving the embedded security information in a temporary place; and
      
      replacing the embedded security information in the header of the secured file with the current security information.
  - 15. The method of claim 14, wherein the temporary place is a memory stack operating in a manner of last-in-first-out (LIFO).
  - 16. The method of claim 15, wherein the temporary place is configured to have K layers with a K-th layer for storing the embedded security information, the embedded security information in the K-th layer is pushed to (K-1)-th layer when another embedded security information is received in K-th layer;
    - and wherein the K-th layer is always accessed first.
  - 17. The method of claim 14, wherein the temporary place is in the header and vanished upon the secured file is successfully accessed next time.
  - 19. The method of claim 17, wherein the special access policy is deleted or revised after the secured file is secured again via another store with another security template.

18. A method for determining access to files via a designated store, the method comprising:
- associating a security template with the store;
  
  retrieving the security template when a secured file is deposited by a user in the store, wherein the secured file includes a header and an encrypted data portion, the header including embedded security information controlling restrictive access to the encrypted data portion;
  
  evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to revise the embedded security information of the secured file; and
  
  after the user is determined to be permitted to revise the embedded security information of the secured file, evaluating current security information in the template to determine whether the user is permitted to access files in the store;
  
  after the user is determined not to be permitted to access the files in the store, adding a special access policy to the security information to be included in the header such that the user can still access the secured file secured in accordance with the security template associated with the store.

20. A method for determining access to files via a designated store, the method comprising:
- associating a decryption module with the store;
  
  when a secured file is deposited by a user in the store, the secured file including a header and an encrypted data portion and the header including embedded security information controlling restrictive access to the encrypted data portion, evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to unsecure the secured file;
  
  after the user is determined to be permitted to unsecure the secured file, retrieving a file key from the header; and
  
  decrypting the encrypted data portion to produce a plain file.
- View Dependent Claims (21)
- - 21. The method of claim 20, wherein the store is managed by a server.

22. A system for determining access to files via a designated store, the system comprising:
- a server machine providing management to the store, the server accessible by a first user to determine access policies for the store such that all secured files in the store have substantially similar security, wherein the store is associated with a security template;
  
  at least a client machine coupled to the server machine over a first network, after a user of the client machine is authenticated by the server machine, the client machine communicating with the server machine to activate the security template, if the security template is already in the client machine, or download the security template from the server, if the security template is not already in the client machine, and wherein unsecured files deposited by the user into the store are secured in accordance with the security template.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22, wherein the server machine is a local server machine configured to service the client machine.
  - 24. The system of claim 23, wherein the local server is coupled to a central server over a second network, the central server providing centralized access control management.
  - 25. The system of claim 22, wherein the store is accessible from the client machine and located in one of (i) the local client machine, (ii) the server machine and (iii) a separate storage device.

26. A software product to be executed in a computer for determining access to files via a designated store, the software product comprising:
- program code for associating a security template with the store;
  
  program code for retrieving the security template when a file is deposited in the store;
  
  program code for encrypting the file in accordance with the security template to produce an encrypted data portion;
  
  program code for generating a header to include security information from the security template; and
  
  program code for integrating the header with the encrypted data portion to produce a secured file.
- View Dependent Claims (27, 28, 32, 33)
- - 27. The software product of claim 26, wherein the program code for associating the security template with the store includes program code for providing the security template to a computing machine after one or both of the computing machine and a user thereof are authenticated.
  - 28. The software product of claim 26, wherein the security information includes at least a set of access rules controlling restrictive access to the encrypted data portion.
  - 32. The method of claim 26, wherein the program code for generating the header to include the security information from the security template comprises:
    - program code for copying the security information into the header from the security template;
      
      program code for obtaining a cipher key, that, once obtained, can decrypt the encrypted data portion; and
      
      program code for encrypting the cipher key to produce an encrypted version of the cipher key.
  - 33. The method of claim 32, wherein the encrypted version of the cipher key is protected by the security information in the header of the secured file.

29. The software product of claim 29, wherein the access rules determine who and how the secured file can be accessed.
- View Dependent Claims (30, 31)
- - 30. The software product of claim 29, wherein the access rules determine when or where the secured file can be accessed.
  - 31. The software product of claim 30, wherein the access rules are expressed in a descriptive language.

34. A software product to be executed in a computer for determining access to files via a designated store, the software product comprising:
- program code for associating a security template with the store;
  
  program code for retrieving the security template when a secured file is deposited by a user in the store, wherein the secured file includes a header and an encrypted data portion, the header including embedded security information controlling restrictive access to the encrypted data portion;
  
  program code for evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to revise the embedded security information of the secured file; and
  
  program code for superseding the embedded security information with current security information from the security template after the user is determined to be permitted to revise the embedded security information of the secured file.
- View Dependent Claims (35, 36)
- - 35. The software product of claim 34, wherein the program code for superseding the embedded security information with the current security information comprises:
    - program code for preserving the embedded security information in a temporary place; and
      
      program code for replacing the embedded security information in the header of the secured file with the current security information.
  - 36. The software product of claim 35, wherein the temporary place is a memory stack operating in a manner of last-in-first-out (LIFO).

37. A software product to be executed in a computer for determining access to files via a designated store, the software product comprising:
- program code for associating a security template with the store;
  
  program code for retrieving the security template when a secured file is deposited by a user in the store, wherein the secured file includes a header and an encrypted data portion, the header including embedded security information controlling restrictive access to the encrypted data portion;
  
  program code for evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to revise the embedded security information of the secured file; and
  
  after the user is determined to be permitted to revise the embedded security information of the secured file, program code for evaluating current security information in the template to determine whether the user is permitted to access files in the store;
  
  after the user is determined not to be permitted to access the files in the store, program code for adding a special access policy to the security information to be included in the header such that the user can still access the secured file secured in accordance with the security template associated with the store.
- View Dependent Claims (38)
- - 38. The software product of claim 37, wherein the special access policy is deleted or revised after the secured file is secured again via another store with another security template.

39. A software product to be executed in a computer for determining access to files via a designated store, the software product comprising:
- program code for associating a decryption module with the store;
  
  when a secured file is deposited by a user in the store, the secured file including a header and an encrypted data portion and the header including embedded security information controlling restrictive access to the encrypted data portion, program code for evaluating the embedded security information from the header of the secured file against access privilege of the user to determine whether the user is permitted to unsecure the secured file;
  
  after the user is determined to be permitted to unsecure the secured file, program code for retrieving a file key from the header; and
  
  program code for decrypting the encrypted data portion to produce a plain file.
- View Dependent Claims (40)
- - 40. The software product of claim 39, wherein the store is managed by a server providing centralized access control management.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardian Data Storage LLC
Original Assignee
PSS Systems, Inc. (International Business Machines Corporation)
Inventors
Gilbertson, Eric, Paul Garcia, Denis Jacques, Ouye, Michael Michio, Humpich, Serge, Vainstein, Klimenty, Ryan, Nicholas Michael, Huang, Weiqing, Crocker, Steven Toye, Rossmann, Alain

Application Number

US10/259,078
Publication Number

US 20030154381A1
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/045   wherein the sending and rec...

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

Managing file access via a designated place

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Managing file access via a designated place

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links