System and method for data protection and secure sharing of information over a computer network
1 Assignment
0 Petitions
Abstract
A system and method for data protection and secure sharing of information over a computer network. Data objects are subjected to a first level of encryption at their creation based on their content and the credentials or security attributes of the originating user. The first level of encryption has both symmetric and asymmetric aspects. A second level of encryption is employed to establish a secure network for transit of the object over the network to a recipient user or to a common server. The recipient user is granted access to the object only if he possesses the appropriate credentials and security attributes. A configurable policy system implements and manages these principles of access control as a rule based system, and manages and distributes the keys and material necessary to implement the cryptographic functions. A further level of protection is provided by strong identification, authentication and authorization implemented at user workstations by a means independent of a workstation's untrusted operating system.
156 Citations
17 Claims
1. A system for protection and secure exchange of data objects over a computer network comprising:
   an object access control subsystem that implements a first cryptographic function based on the content of the objects and the credentials of an originating user, the first cryptographic function granting access to the objects only to recipient users possessing appropriate credentials; and
   a network access control subsystem that implements a second cryptographic function based on attributes of the network, the second cryptographic function ensuring secure and confidential transit of the data objects over the network.
   Dependent claims: 2, 3, 4, 5, 6 (not shown).

7. A method for secure exchange of data objects over a computer network comprising:
   identification, authentication and authorization of an originating user;
   determination of the originating user's credentials;
   assignment of object and network cryptographic keys and materials to the originating user based on the originating user's credentials;
   performing a first level of encryption on a data object using the object keys and materials assigned to the originating user;
   performing a second level of encryption on the data object using the network keys and materials assigned to the originating user;
   sending the data object over the computer network to a recipient user;
   if the recipient user has appropriate network keys, performing a first level of decryption on the data object;
   if the recipient user has appropriate object keys and materials, performing a second level of decryption on the data object;
   access to the decrypted object by the recipient user.

8. A method for encrypting a data object, comprising the following steps:
   generating a symmetric key from a plurality of key elements, wherein the plurality of key elements comprise a first key element that is not in possession of an intended recipient;
   encrypting the data object using the symmetric key;
   encrypting the first key element using an asymmetric key; and
   sending the encrypted data object and encrypted first key element to the intended recipient.
   Dependent claims: 9, 10, 11, 12, 13, 14 (not shown).

15. A method for decrypting a data object, comprising the following steps:
   receiving an encrypted data object and encrypted key element from a sender;
   decrypting the key element using an asymmetric key;
   generating a symmetric key using the decrypted key element and additional key elements possessed in common with the sender; and
   decrypting the data object with the symmetric key.

16. A system for protection of data objects comprising:
   means for a sender to generate a symmetric key from a first key element not possessed by a recipient and an additional key element possessed by the recipient;
   means for the sender to encrypt a data object with the symmetric key;
   means for the sender to encrypt the first key element with an encrypting half of an asymmetric key pair;
   means for the recipient to decrypt the first key element with a decrypting half of an asymmetric key pair;
   means for the recipient to generate the symmetric key using the decrypted first key element and the additional key element; and
   means for the recipient to decrypt the data object using the symmetric key.

16-1. A system for storage of encrypted objects, wherein the encrypted objects may be encrypted via different algorithms and different keys so as to support storage of objects that are encrypted at different security levels on a common server.

17. A system for storage of encrypted objects that are encrypted at different security levels, wherein the encrypted objects are downloadable only by those users possessing the credentials needed to decrypt the downloaded objects.
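The key-element construction of claims 8, 15 and 16 (sender: symmetric key from a fresh first element plus shared elements, first element wrapped asymmetrically; recipient: unwrap, rederive, decrypt) as an added worked example, not code from the patent or any product it covers. The claims name no algorithms, so AES-256-GCM, RSA-OAEP with SHA-256 and an HMAC-SHA256 key derivation are this example's assumptions; the shared element and the object are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// deriveKey builds the symmetric key from the per-object first element and the shared elements.
func deriveKey(first []byte, shared ...[]byte) []byte {
	mac := hmac.New(sha256.New, first) // HMAC-SHA256 keyed by the first element: an assumed KDF
	for _, s := range shared {
		binary.Write(mac, binary.BigEndian, uint32(len(s))) // length prefix: unambiguous concatenation
		mac.Write(s)
	}
	return mac.Sum(nil) // 32 bytes: AES-256 key
}

// Encrypt is the sender side of claims 8 and 16: RSA-OAEP wraps the first element, AES-GCM seals the object.
func Encrypt(pub *rsa.PublicKey, plaintext []byte, shared ...[]byte) (wrapped, sealed []byte, err error) {
	first := make([]byte, 32) // fresh element the recipient does not possess
	rand.Read(first)          // crypto/rand.Read never fails (documented from Go 1.24)
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, first, nil); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(deriveKey(first, shared...)) // a 32-byte key never errors
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return wrapped, gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce prepended to ciphertext
}

// Decrypt is the recipient side of claim 15; a wrong or missing shared element makes GCM reject the object.
func Decrypt(priv *rsa.PrivateKey, wrapped, sealed []byte, shared ...[]byte) ([]byte, error) {
	first, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(deriveKey(first, shared...))
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed object too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Because the first element is wrapped only to the recipient's public key and the shared elements never leave the two parties, an intermediary holding the transmitted pair cannot rederive the symmetric key, which is the access property the claims describe.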
Specification