System and method for data protection and secure sharing of information over a computer network

US 20040022390A1
Filed: 08/02/2002
Published: 02/05/2004
Est. Priority Date: 08/02/2002
Status: Abandoned Application

First Claim

Patent Images

1. A system for protection and secure exchange of data objects over a computer network comprising:

an object access control subsystem that implements a first cryptographic function based on the content of the objects and the credentials of an originating user, the first cryptographic function granting access to the objects only to recipient users possessing appropriate credentials; and

a network access control subsystem that implements a second cryptographic function based on attributes of the network, the second cryptographic function ensuring secure and confidential transit of the data objects over the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for data protection and secure sharing of information over a computer network. Data objects are subjected to a first level of encryption at their creation based on their content and the credentials or security attributes of the originating user. The first level of encryption has both symmetric and asymmetric aspects. A second level of encryption is employed to establish a secure network for transit of the object over the network to a recipient user or to a common server. The recipient user is granted access to the object only if he possesses the appropriate credentials and security attributes. A configurable policy system implements and manages these principles of access control as a rule based system, and manages and distributes the keys and material necessary to implement the cryptographic functions. A further level of protection is provided by strong identification, authentication and authorization implemented at user workstations by a means independent of a workstation'"'"'s untrusted operating system.

156 Citations

17 Claims

1. A system for protection and secure exchange of data objects over a computer network comprising:
- an object access control subsystem that implements a first cryptographic function based on the content of the objects and the credentials of an originating user, the first cryptographic function granting access to the objects only to recipient users possessing appropriate credentials; and
  
  a network access control subsystem that implements a second cryptographic function based on attributes of the network, the second cryptographic function ensuring secure and confidential transit of the data objects over the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system as claimed in claim 1, and further comprising a policy subsystem that manages and distributes cryptographic keys to implement the first and second cryptographic functions based on the credentials of the users.
  - 3. A system as claimed in claim 2, and further comprising an identification, authentication and authorization subsystem governing access to the system by all users.
  - 4. A system as claimed in claim 3, wherein the identification, authentication and authorization subsystem inputs and processes a user'"'"'s token, PIN and biometrics via a trusted path and trusted processor that is independent of an untrusted operating system of a user'"'"'s workstation.
  - 5. A system as claimed in claim 1, wherein the first cryptographic function comprises use of a symmetric object encryption key to encrypt/decrypt the data object and use of an asymmetric key to encrypt/decrypt a variable required to create the symmetric object encryption key.
  - 6. A system as claimed in claim 1, wherein the second cryptographic function is implemented by a symmetric key created by secure and authenticated exchange of keying material between the originating and recipient user.

7. A method for secure exchange of data objects over a computer network comprising:
- identification, authentication and authorization of an originating user;
  
  determination of the originating user'"'"'s credentials;
  
  assignment of object and network cryptographic keys and materials to the originating user based on the originating user'"'"'s credentials;
  
  performing a first level of encryption on a data object using the object keys and materials assigned to the originating user;
  
  performing a second level of encryption on the data object using the network keys and materials assigned to the originating user;
  
  sending the data object over the computer network to a recipient user;
  
  if the recipient user has appropriate network keys, performing a first level of decryption on the data object;
  
  if the recipient user has appropriate object keys and materials, performing a second level of decryption on the data object;
  
  access to the decrypted object by the recipient user.

8. A method for encrypting a data object, comprising the following steps:
- generating a symmetric key from a plurality of key elements, wherein the plurality of key elements comprise a first key element that is not in possession of an intended recipient;
  
  encrypting the data object using the symmetric key;
  
  encrypting the first key element using an asymmetric key; and
  
  sending the encrypted data object and encrypted first key element to the intended recipient.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A method as claimed in claim 8, wherein the plurality of key elements comprise a prime modulus “
    - p”
      
      , a primitive element “
      
      g” and
      
      a random number “
      
      R”
      
      .
  - 10. A method as claimed in claim 9, wherein the symmetric key is generated as g^Rmod p.
  - 11. A method as claimed in claim 10, wherein the first element that is not in the possession of the intended recipient is the random number R.
  - 12. A method as claimed in claim 11, wherein the encrypted first key element is placed in a plaintext header attached to the encrypted data object.
  - 13. A method as claimed in claim 12, wherein R is separately encrypted with a plurality of asymmetric keys, and all encrypted values of R are placed in the header to make the object accessible to a greater number of recipients.
  - 14. A method as claimed in claim 12, wherein R is sequentially-encrypted using a plurality of asymmetric keys, and the sequentially-encrypted value of R is placed in the header to make the object accessible to a lesser number of recipients.

15. A method for decrypting a data object, comprising the following steps:
- receiving an encrypted data object and encrypted key element from a sender;
  
  decrypting the key element using an asymmetric key;
  
  generating a symmetric key using the decrypted key element and additional key elements possessed in common with the sender; and
  
  decrypting the data object with the symmetric key.

16. A system for protection of data objects comprising:
- means for a sender to generate a symmetric key from a first key element not possessed by a recipient and an additional key element possessed by the recipient;
  
  means for the sender to encrypt a data object with the symmetric key;
  
  means for the sender to encrypt the first key element with an encrypting half of an asymmetric key pair;
  
  means for the recipient to decrypt the first key element with a decrypting half of an asymmetric key pair;
  
  means for the recipient to generate the symmetric key using the decrypted first key element and the additional key element; and
  
  means for the recipient to decrypt the data object using the symmetric key.

16-1. A system for storage of encrypted objects, wherein the encrypted objects may be encrypted via different algorithms and different keys so as to support storage of objects that are encrypted at different security levels on a common server.

17. A system for storage of encrypted objects that are encrypted at different security levels, wherein the encrypted objects are downloadable only by those users possessing the credentials needed to decrypt the downloaded objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synetics, Inc.
Original Assignee
Synetics, Inc.
Inventors
Fastring, Richard A., McDonald, Jeremy D.

Application Number

US10/212,018
Publication Number

US 20040022390A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

H04L 9/3234   involving additional secure...

System and method for data protection and secure sharing of information over a computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

156 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for data protection and secure sharing of information over a computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links