Portable authentication and access control involving multiple identities

US 20070050362A1
Filed: 10/21/2005
Published: 03/01/2007
Est. Priority Date: 09/01/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting a plurality of electronic files, the computer-implemented method comprising using a portable access control lock that is adapted for automatically maintaining an audit trail and allowing for configuring of access control rules for constraining user access based on a mandatory presence of specified users before granting access for each electronic file including any copies of said each electronic file of said plurality of electronic files.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protecting electronic files by applying a portable access control lock to each electronic file while allowing multi-user access to the protected electronic files across a distributed network is described. The portable access control lock is adapted for implementing a set of complex access control rules that include managing an audit trail for the corresponding protected electronic file.

Citations

52 Claims

1. A computer-implemented method for protecting a plurality of electronic files, the computer-implemented method comprising using a portable access control lock that is adapted for automatically maintaining an audit trail and allowing for configuring of access control rules for constraining user access based on a mandatory presence of specified users before granting access for each electronic file including any copies of said each electronic file of said plurality of electronic files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 49, 50, 51, 52)
- - 2. The computer-implemented method of claim 1, further comprising using an access agent for aiding in enforcing said access control rules and for authenticating users who wish to access any of said plurality of electronic files.
  - 3. The computer-implemented method of claim 1, further comprising using said portable access control lock for implementing a distributed escrow capability for said each electronic file of said plurality of electronic files, wherein said distributed escrow capability grants reading and writing privileges associated with said each electronic file by allowing said each electronic file to be unlocked only if the author'"'"'s manager and one other manager is present.
  - 4. The computer-implemented method of claim 1, further comprising using said portable access control lock for allowing for constraining of access based on a date range for access for any of said each electronic file including said copies of said each electronic file.
  - 5. The computer-implemented method of claim 1, further comprising using said portable access control lock for allowing for constraining of access based on time of day for access for any of said each electronic file including said copies of said each electronic file.
  - 6. The computer-implemented method of claim 1, further comprising using said portable access control lock for allowing for constraining of access based on an identity of an accessing computer for any of said each electronic file including said copies of said each electronic file.
  - 7. The computer-implemented method of claim 1, wherein said constraining user access based on said mandatory presence of specified users further comprises at least M number persons from among a group of N pre-selected authorized persons required to be present in order to update or view said each electronic file including said copies of said each electronic file, wherein M and N are positive integers and M is less than N.
  - 8. The computer-implemented method of claim 1, wherein said constraining user access based on said mandatory presence of specified users further comprises specifying persons P1 and P2 both of whose presence are required in order to update or view any of said each electronic file including said copies of said each electronic file, wherein P1 and P2 are from a set of authorized users associated with said each electronic file.
  - 9. The computer-implemented method of claim 1, further comprising specifying one or more persons who are allowed only reading privileges for any of said each electronic file including said copies of said each electronic file.
  - 10. The computer-implemented method of claim 1, further comprising specifying one or more persons who are allowed both reading and writing privileges for any of said each electronic file including said copies of said each electronic file.
  - 11. The computer-implemented method of claim 1, further comprising synchronizing any modifications to said portable access control lock to all instances of said portable control lock including instances corresponding to said copies of said each electronic file.
  - 12. The computer-implemented method of claim 1, wherein said automatically maintaining said audit trail includes registering said each electronic file with a central server and submitting said portable access control lock corresponding to said each electronic file when said each electronic file is first created.
  - 13. The computer-implemented method of claim 1, further comprising using said portable access control lock for specifying a type of user authentication required for accessing said each electronic file including said copies of said each electronic file.
  - 14. The computer-implemented method of claim 13, wherein said type of user authentication includes any type of user authentication of a set of user authentication comprising:
    - a strong user password, a smart card, biometric data, and an RFID token.
  - 15. The computer-implemented method of claim 1, further comprising creating and binding one or more public-private key-pairs to each user associated with said plurality of electronic files.
  - 49. The method of claim 1, further comprising using an access agent to periodically synchronize an operating system clock of a users computer with a remote operating system clock of a central server computer.
  - 50. The method of claim 1, further comprising using an access agent to monitor for any attempts by a user to modify an operating system clock or computer network settings of said user'"'"'s computer, wherein said access agent blocks said user'"'"'s access upon detection of said any attempts.
  - 51. The method of claim 1, further comprising granting reading and writing privileges for said each electronic file that is classified as sensitive only when an access agent, that controls said sensitive electronic file, is logged onto a central server that is maintaining said audit trail.
  - 52. The method of claim 1, wherein said portable access control lock is protected by a group-based public-private key-pair shared by a pre-determined group of users.

16. A file protection system for protecting a plurality of electronic files, said file protection system comprising a portable access control lock corresponding to each protected electronic file of said plurality of electronic files, and an access agent associated with said portable access control lock, and wherein said portable access control lock is adapted for automatically maintaining an audit trail and allowing for configuring of access control rules for constraining user access based on a mandatory presence of specified users before granting access for each protected electronic file.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The file protection system of claim 16, wherein said portable access control lock includes a set of access control rules corresponding to said each protected electronic file.
  - 18. The file protection system of claim 16, wherein said portable access control lock includes a server-registered ID or URI associated with said each protected electronic file.
  - 19. The file protection system of claim 16, wherein said portable access control lock includes a digital signature for document contents of said each protected electronic file.
  - 20. The file protection system of claim 16, wherein said portable access control lock includes a designation as to a storage location of said each protected electronic file.
  - 21. The file protection system of claim 16, wherein said portable access control lock includes document encryption keys corresponding to said each protected electronic file, wherein said document encryption keys are for decrypting corresponding said each electronic file.
  - 22. The file protection system of claim 21, wherein said document encryption keys are protected using one or more key-pairs of public-private key encryption.
  - 23. The file protection system of claim 16, wherein said portable access control lock includes a signed audit log of reads and writes associated with said each protected electronic file.
  - 24. The file protection system of claim 16, further includes a server for centrally managing said portable access control lock corresponding to said each protected electronic file.

25. A file protection system for protecting a plurality of electronic files, said file protection system comprising:
- a user-registering means for registering each user of said file protection system;
  
  an authentication means for authenticating said each user; and
  
  an access control means for constraining user access based on a mandatory presence of specified users before granting access for each electronic file including any copies of said each electronic file of said plurality of electronic files.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The file protection system of claim 25, further comprising a first encryption means for encrypting said plurality of electronic files.
  - 27. The file protection system of claim 25, further comprising a second encryption means for encrypting encryption keys that are used for encrypting said plurality of electronic files.
  - 28. The file protection system of claim 25, further comprising an auditing means for auditing access of said plurality of electronic files.
  - 29. The file protection system of claim 25, further comprising a document-registering means for registering each electronic file of said plurality of electronic files.
  - 30. The file protection system of claim 25, wherein said access control means further comprises a means for allowing for constraining of access based on a date range for access of said plurality of electronic files.
  - 31. The file protection system of claim 25, wherein said access control means further comprises a means for allowing for constraining of access based on time of day for access of said plurality of electronic files.
  - 32. The file protection system of claim 25, wherein said access control means further comprises a means for allowing for constraining of access based on an identity of an accessing computer of said plurality of electronic files.
  - 33. The file protection system of claim 25, wherein said constraining user access based on said mandatory presence of specified users further comprises at least M number persons from among a group of N pre-selected authorized persons required to be present in order to update or view said each electronic file of said plurality of electronic files, wherein M and N are positive integers and M is less than N.
  - 34. The file protection system of claim 25, wherein said constraining user access based on said mandatory presence of specified users further comprises specifying persons P1 and P2 both of whose presence are required in order to update or view any of said each electronic file of said plurality of electronic files, wherein P1 and P2 are from a set of authorized users associated with said each electronic file.

35. A computer-implemented method for protecting a plurality of electronic files, the computer-implemented method comprising:
- using an access agent to aid an author-user in configuring access control rules for an electronic file created by said author-user;
  
  wrapping a corresponding logical computer-implemented lock around said electronic file to form a protected electronic file, wherein said corresponding logical computer-implemented lock includes allowing for configuring of access control rules for constraining user access based on a mandatory presence of specified users before granting access to said protected electronic file;
  
  registering said protected electronic file at a central server; and
  
  submitting said corresponding logical computer-implemented lock to said central server for auditing said protected electronic file.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 36. The computer-implemented method of claim 35, further comprising determining if said corresponding logical computer-implemented lock stored on said central server has been updated when a copy of said protected electronic file is subsequently accessed by a user.
  - 37. The computer-implemented method of claim 36, further comprising downloading, from said central server, an updated copy of said corresponding logical computer-implemented lock stored on said central server if said corresponding logical computer-implemented lock stored on said central server has been updated.
  - 38. The computer-implemented method of claim 35, further comprising determining if said protected electronic file stored on said central server has been updated when a copy of said protected electronic file is subsequently accessed by a user.
  - 39. The computer-implemented method of claim 38, further comprising prompting said user to retrieve an updated copy of said protected electronic file if it is determined that said protected electronic file stored on said central server has been updated.
  - 40. The computer-implemented method of claim 35, further comprising encrypting said protected electronic file using document encryption keys.
  - 41. The computer-implemented method of claim 40, further comprising encrypting said document encryption keys using a public-private key-pair.
  - 42. The computer-implemented method of claim 35, further comprising using said corresponding logical computer-implemented lock for implementing a distributed escrow capability for said protected electronic file, wherein said distributed escrow capability automatically grants reading and writing privileges to a manager of said author-user.
  - 43. The computer-implemented method of claim 35, further comprising using said corresponding logical computer-implemented lock for allowing for constraining of access based on a date range for access of said protected electronic file, including any copies of said protected electronic file.
  - 44. The computer-implemented method of claim 35, further comprising using said corresponding logical computer-implemented lock for allowing for constraining of access based on time of day for access of said protected electronic file, including any copies of said protected electronic file.
  - 45. The computer-implemented method of claim 35, further comprising using said corresponding logical computer-implemented lock for allowing for constraining of access based on an identity of an accessing computer for access of said protected electronic file, including any copies of said protected electronic file.
  - 46. The computer-implemented method of claim 35, wherein said constraining user access based on said mandatory presence of specified users further comprises at least M number persons from among a group of N pre-selected authorized persons required to be present in order to update or view said protected electronic file, including any copies of said protected electronic file, wherein M and N are positive integers and M is less than N.
  - 47. The computer-implemented method of claim 35, wherein said constraining user access based on said mandatory presence of specified users further comprises specifying persons P1 and P2 both of whose presence are required in order to update or view said protected electronic file, including any copies of said protected electronic file, wherein P1 and P2 are from a set of authorized users associated with said protected electronic file.

48. A computer-implemented portable access control lock for protecting an electronic file, the computer-implemented portable access control lock comprising:
- a registered ID information of said electronic file;
  
  encryption keys; and
  
  a set of access control rules, wherein said access control rules is configurable for constraining user access based on a mandatory presence of specified users before granting access to said protected electronic file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ong, Peng, Low, Chee

Granted Patent

US 7,620,976 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6245 Protecting personal data, e...

Portable authentication and access control involving multiple identities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Portable authentication and access control involving multiple identities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links