Access control method using token having security attributes in computer system

US 20030200436A1
Filed: 10/25/2002
Published: 10/23/2003
Est. Priority Date: 04/17/2002
Status: Active Grant

First Claim

Patent Images

1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:

a) allowing a computer system to assign a token having security attributes to a user permitted to access an arbitrary file and a corresponding file;

b) allowing the user process to check an access request related to the arbitrary file;

c) determining whether an access-requested file contains the token having security attributes; and

d) permitting access to a corresponding file if the corresponding file has no token, determining whether a user of the access request has the same token as the corresponding file if the corresponding file has the token, and determining access permission or access denial upon receiving the determination result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an access control method using a token having security attributes in a computer system when a user gains access to a specific file. The computer system adopts a token having encryption, modification, execution, and provision attributes to determine access permission or access denial between a user and a file in such a way that a file access request is controlled. The access control method enciphers a file and stores the enciphered file in a storage unit, so that it can maintain security of the file even though the storage unit is stolen. The access control method enables a system manager to read only enciphered contents of the file when the system manager performs a data backup operation, thereby eliminating limitations in commonly operating a system simultaneously with maintaining file security. The access control method enables programs for executing operations on behalf of a user to automatically obtain a corresponding token, confirms authority to execute the file, and prevents that the authority is stolen or drained due to a program error.

71 Citations

View as Search Results

12 Claims

1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:
- a) allowing a computer system to assign a token having security attributes to a user permitted to access an arbitrary file and a corresponding file;
  
  b) allowing the user process to check an access request related to the arbitrary file;
  
  c) determining whether an access-requested file contains the token having security attributes; and
  
  d) permitting access to a corresponding file if the corresponding file has no token, determining whether a user of the access request has the same token as the corresponding file if the corresponding file has the token, and determining access permission or access denial upon receiving the determination result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The access control method as set forth in claim 1, wherein the step (a) includes the steps of:
    - providing a user with a token name or number; and
      
      providing a file with a token and an attribute related to the token.
  - 3. The access control method as set forth in claim 1, wherein the token assigned in the step (a) has at least one of an encryption attribute for indicating permission related to encryption/decoding of a file, a modification attribute for indicating permission related to a modification such as file deletion or correction, an execution attribute for indicating permission related to file execution, and a provision attribute for assigning a corresponding token to an arbitrary user if the arbitrary user process attempts to execute a file.
  - 4. The access control method as set forth in claim 3, wherein the step (a) includes the steps of:
    - enciphering a file having the encryption attribute using a key related to a corresponding token; and
      
      storing the enciphered file.
  - 5. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to read a file having an encryption attribute, decoding a corresponding file on condition that the user has the same token as the file, and providing the user with the decoded file; and
      
      if the user does not have the same token as the file, providing a user process with an enciphered file state without decoding the file.
  - 6. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to read/write a file having the modification attribute, determining access denial on condition that the user does not have the same token as the file;
      
      determining access permission on condition that the user has the same token as the file;
      
      determining whether an encryption attribute is assigned to a corresponding file in case of correcting and storing the file;
      
      if the corresponding file has the encryption attribute, enciphering the file, and storing the enciphered file; and
      
      if the corresponding file has no encryption attribute, storing the corresponding file as it is.
  - 7. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if an arbitrary user attempts to execute a file having a provision attribute, providing a corresponding user with a corresponding token, and executing the file.
  - 8. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to execute a file having the execution attribute, determining access permission on condition that the user has the same token as the file, and executing the file; and
      
      determining an access denial on condition that the user does not have the same token as the file.
  - 9. The access control method as set forth in claim 8, wherein the step (d) further includes the steps of:
    - if the file has a provision attribute, removing all tokens assigned to a user by the provision attribute, providing a user with a corresponding token, and executing a corresponding file.
  - 10. The access control method as set forth in claim 1, wherein the step (a) includes the step of:
    - allowing a user process to receive all tokens assigned to a corresponding user if the user process gains access to the computer system, or allowing a user process to selectively receive the tokens if the user process gains access to the computer system.
  - 11. The method as set forth in claim 1, further comprising the step of:
    - if the user process generates a child process, providing the child process with all tokens contained in a parent process.

12. A computer-readable recording medium for storing a program therein, the program comprising:
- a first function for providing a token having security attributes, such as an encryption attribute, a modification attribute, an execution attribute, and a provision attribute, to a user permitted to access an arbitrary file and a corresponding file;
  
  a second function for decoding a corresponding file on condition that the user has the same token as the file and providing the user with the decoded file in the case where a user attempts to read a file having an encryption attribute, or providing a user process with an enciphered file state without decoding the file in the case where a user does not have the same token as the file;
  
  a third function for, in case of a write request of a user on a file having a modification attribute, determining an access denial on condition that a user does not have the same token as the file, determining access permission on condition that a user has the same token as the file, enciphering and storing the file on condition that a corresponding file has an encryption attribute, and directly storing the file as it is on condition that a corresponding file has no encryption attribute;
  
  a fourth function for, in case of an execution request of a file having an execution attribute, determining an access denial of a user who does not have the same token as the file, and executing a corresponding file for a user who has the same token as the file; and
  
  a fifth function for, in case of an execution request of a file having a provision attribute, removing all tokens assigned to a user by the provision attribute, providing the user with a corresponding token, and executing a corresponding file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Yu, Joon Suk, Kim, Jeong Nyeo, Ko, Jong Gook, Lim, Jae Deok, Eun, Sung Kyong, Doo, So Young

Granted Patent

US 7,290,279 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

G06F 21/6209 to a single file or object,...

G06F 21/6218 to a system of files or obj...

Access control method using token having security attributes in computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Access control method using token having security attributes in computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others