System and techniques to bind information objects to security labels

US 20030196108A1
Filed: 04/01/2003
Published: 10/16/2003
Est. Priority Date: 04/12/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing multilevel security for a data object requested by a workstation user, the method comprising:

providing a security label for the data object;

associating security rules including a security clearance level for the data object with the security label;

binding the security label to the data object;

validating the correctness of the security label;

associating the user'"'"'s security clearance level with at least one user certificate;

verifying the at least one user certificate; and

determining whether the user has clearance to receive the requested data object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to providing multilevel security for a data object requested by a workstation user includes providing a security label for the data object, associating security rules including a security clearance level for the data object with the security label, binding the security label to the data object, validating the correctness of the security label, associating the user'"'"'s security clearance level with at least one user certificate, verifying the at least one user certificate, and determining whether the user has clearance to receive the requested data.

188 Citations

29 Claims

1. A method for providing multilevel security for a data object requested by a workstation user, the method comprising:
- providing a security label for the data object;
  
  associating security rules including a security clearance level for the data object with the security label;
  
  binding the security label to the data object;
  
  validating the correctness of the security label;
  
  associating the user'"'"'s security clearance level with at least one user certificate;
  
  verifying the at least one user certificate; and
  
  determining whether the user has clearance to receive the requested data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 further comprising providing the at least one user certificate on an identification document adapted for securely storing the at least one user certificate.
  - 3. The method of claim 2 wherein the identification document is a smart card.
  - 4. The method of claim 1 further comprising:
    - detecting the security label in a network packet;
      
      extracting the security rules from the security label; and
      
      applying the security rules.
  - 5. The method of claim 4 wherein applying the rules associated with the security label comprises determining whether the user clearance dominates the data object clearance using the security rules.
  - 6. The method of claim 5 wherein detecting the security label comprises:
    - detecting an XML security label data type definition.
  - 7. The method of claim 6 wherein the XML security label data type definition comprises:
    - a level attribute; and
      
      a compartment attribute.
  - 8. The method of claim 7 wherein the XML security label data type definition comprises at least one of:
    - a handling instruction attribute; and
      
      a caveat attribute.
  - 9. The method of claim 1 wherein the data object comprises at least one of:
    - a record in a database;
      
      a view in a database;
      
      a specific word;
      
      a specific paragraph;
      
      a digital image;
      
      a specific file; and
      
      an electronic representation of digital information.
  - 10. The method of claim 1 wherein binding the security label to the data object comprises:
    - deriving a hash digest from the security label and the data object; and
      
      digitally signing the hash digest.
  - 11. The method of claim 10 wherein validating the correctness of the security label for the data object comprises verifying the digital signature.
  - 12. The method of claim 1 further comprising associating the user certificate with at least one of:
    - a security category;
      
      a clearance caveat;
      
      an authorization; and
      
      a permitted role.
  - 13. The method of claim 1 wherein the security label includes at least one of:
    - a security clearance level;
      
      a security category;
      
      a clearance caveat; and
      
      a handling instruction.
  - 14. The method of claim 1 wherein the security label comprises at least one statement in an extensible markup language.
  - 15. The method of claim 14 wherein the extensible markup language is XML.
  - 16. The method of claim 1 wherein the security label comprises a security clearance level.
  - 17. The method of claim 16 further comprising downgrading the security label security clearance level.
  - 18. The method of claim 17 wherein the data object is transmitted to a mission execution center.
  - 19. The method of claim 1 wherein the data object is located on a remote intelligence source workstation.

20. A multilevel security system for controlling access to data objects in a secure network comprising:
- a plurality of security integration code processors coupled to the secure network;
  
  a secure manager workstation coupled to one of the plurality of security integration code processors;
  
  at least one application workstation coupled to a corresponding one the of the plurality of security integration code processors; and
  
  at least one of a multi-level protection database and a multi-level protection server coupled to a corresponding one of the plurality of security integration code processors.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The system of claim 20 wherein the application workstation is adapted to receive an identification document.
  - 22. The system of claim 21 wherein the identification document comprises a smart card associated with at least one user certificate.
  - 23. The system of claim 22 further comprising an interface to a public key infrastructure (PKI) to verify the at least one user certificate.
  - 24. The system of claim 20 further comprising:
    - a first firewall coupled to a corresponding one of the plurality of security integration code processors;
      
      a secure wide area network coupled to the first firewall;
      
      an Intel source workstation coupled to the secure wide area network.
  - 25. The system of claim 20 further comprising:
    - a first firewall coupled to a corresponding one of the plurality of security integration code processors;
      
      a secure wide area network coupled to the first firewall;
      
      a mission execution center coupled to the secure wide area network.
  - 26. The system of claim 20 wherein at least one of the plurality of security integration code processors is implemented in a protocol stack in at least one application workstation.
  - 27. The system of claim 20 wherein at least one of the plurality of security integration code processors is implemented in an operating system interface to the network in at least one application workstation.
  - 28. The system of claim 20 wherein the secure network includes an IPSEC protocol.
  - 29. The method of claim 20 further comprising a trusted downgrader workstation coupled to one of the plurality of security integration code processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Kung, Kenneth C.

Application Number

US10/404,703
Publication Number

US 20030196108A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 9/3268   using certificate validatio...

System and techniques to bind information objects to security labels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

188 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

System and techniques to bind information objects to security labels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others