Access control method using token having security attributes in computer system
First Claim
1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:
- a) allowing a computer system to assign a token having security attributes to a user permitted to access an arbitrary file and a corresponding file;
b) allowing the user process to check an access request related to the arbitrary file;
c) determining whether an access-requested file contains the token having security attributes; and
d) permitting access to a corresponding file if the corresponding file has no token, determining whether a user of the access request has the same token as the corresponding file if the corresponding file has the token, and determining access permission or access denial upon receiving the determination result.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed is an access control method using a token having security attributes in a computer system when a user gains access to a specific file. The computer system adopts a token having encryption, modification, execution, and provision attributes to determine access permission or access denial between a user and a file in such a way that a file access request is controlled. The access control method enciphers a file and stores the enciphered file in a storage unit, so that it can maintain security of the file even though the storage unit is stolen. The access control method enables a system manager to read only enciphered contents of the file when the system manager performs a data backup operation, thereby eliminating limitations in commonly operating a system simultaneously with maintaining file security. The access control method enables programs for executing operations on behalf of a user to automatically obtain a corresponding token, confirms authority to execute the file, and prevents that the authority is stolen or drained due to a program error.
71 Citations
12 Claims
-
1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:
-
a) allowing a computer system to assign a token having security attributes to a user permitted to access an arbitrary file and a corresponding file;
b) allowing the user process to check an access request related to the arbitrary file;
c) determining whether an access-requested file contains the token having security attributes; and
d) permitting access to a corresponding file if the corresponding file has no token, determining whether a user of the access request has the same token as the corresponding file if the corresponding file has the token, and determining access permission or access denial upon receiving the determination result. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A computer-readable recording medium for storing a program therein, the program comprising:
-
a first function for providing a token having security attributes, such as an encryption attribute, a modification attribute, an execution attribute, and a provision attribute, to a user permitted to access an arbitrary file and a corresponding file;
a second function for decoding a corresponding file on condition that the user has the same token as the file and providing the user with the decoded file in the case where a user attempts to read a file having an encryption attribute, or providing a user process with an enciphered file state without decoding the file in the case where a user does not have the same token as the file;
a third function for, in case of a write request of a user on a file having a modification attribute, determining an access denial on condition that a user does not have the same token as the file, determining access permission on condition that a user has the same token as the file, enciphering and storing the file on condition that a corresponding file has an encryption attribute, and directly storing the file as it is on condition that a corresponding file has no encryption attribute;
a fourth function for, in case of an execution request of a file having an execution attribute, determining an access denial of a user who does not have the same token as the file, and executing a corresponding file for a user who has the same token as the file; and
a fifth function for, in case of an execution request of a file having a provision attribute, removing all tokens assigned to a user by the provision attribute, providing the user with a corresponding token, and executing a corresponding file.
-
Specification