Methods and systems for providing access control to electronic data
First Claim
1. A method for controlling access to electronic data, comprising:
(a) receiving an access request on a server machine for electronic data, wherein the request includes an identifier identifying a user and an associated client machine;
(b) establishing a secured link between the server machine and the client machine associated with the user;
(c) validating the user according to the identifier;
(d) sending an authentication message to the client machine when the user is validated, wherein the authentication message includes a user key and a link to the requested electronic data;
(e) formatting the electronic data to include a header portion and an encrypted data portion;
(f) controlling access to the encrypted data portion of the electronic data by constructing the header portion to contain a signature signifying that the electronic data is secured, encrypted security information with access rules controlling access to the data portion, and a key that can be retrieved to decrypt the encrypted data portion;
(g) determining if user access to the electronic data is permitted by the access rules; and
(h) decrypting the encrypted security information with the user key when the determining in step (g) determines that the user is permitted to access the electronic data.
Abstract
Techniques for providing pervasive security to digital assets are disclosed. According to one aspect of the techniques, a server is configured to provide access control (AC) management for a user (e.g., a single user, a group of users, software agents or devices) with a need to access secured data. Within the server module, various access rules for the secured data and/or access privileges for the user can be created, updated, and managed so that the user with the proper access privileges can access the secured documents if granted by the corresponding access rules in the secured data.
36 Claims
1. (Independent claim 1 is reproduced above under First Claim; dependent claims 2 to 9 depend on it.)
10. A computer readable medium including at least computer program code, which when executed by a computer, causes the computer to:
(a) receive authentication requests containing an identifier identifying a user and a client machine;
(b) parse authentication requests to identify the user and the client machine contained within the identifier;
(c) establish a secured link with the client machine;
(d) authenticate the user according to the identifier;
(e) send an authentication message to the client machine when the user is authenticated;
(f) activate a user key in the client machine when the authentication message is sent;
(g) provide access control management to electronic data wherein the electronic data includes an encrypted data portion and security information with access rules and a file key; and
(h) retrieve the file key to decrypt the encrypted data portion when user access is permitted by the access rules. (Dependent claims 11 to 18 depend on claim 10.)
19. A computer readable medium including at least computer program code, which when executed by a computer, causes the computer to:
a) receive a request to access secured electronic data at a server computer, wherein the electronic data includes a header and an encrypted data portion, the header further including encrypted security information including at least access rules and a file key, and wherein the request includes a user key and an identifier identifying a user and a client machine associated with the user;
b) establish a secured link between the server and the client machine associated with the user;
c) authenticate the user in the server based on the user and client machine information in the identifier;
d) decrypt the security information in the header of the requested secured electronic data using the user key;
e) retrieve the file key from the decrypted security information in the header;
f) retrieve access rules from the security information;
g) determine from the access rules if the user has necessary access privileges to access the encrypted data portion;
h) decrypt the encrypted data portion when it has been determined that the user has the necessary access privileges to access the encrypted data portion; and
i) provide user access to the decrypted data portion via the secured link established between the server and the client machine associated with the user. (Dependent claims 20 to 27 depend on claim 19.)
28. A system for providing access control management to electronic data, comprising:
(a) a link module executable in a server computer configured to establish a secured link between the server computer and a client machine when an access request containing an access request identifier identifying at least a user and an associated client machine is received at the server from the client machine;
(b) an authentication module executable in the server computer configured to authenticate the user and the client machine identified in the access request identifier;
(c) a document securing module executable in the server computer configured to secure electronic data in a format including security information in a header that includes encrypted security information controlling access to the encrypted data portion and a signature signifying that the electronic data is secured, and an encrypted data portion;
(d) a key issuing module executable in the server computer configured to issue a user key after the user has been authenticated by the authentication module in step (b), wherein the user key is used to decrypt the encrypted security information, wherein the security information includes a set of access rules and a file key;
(e) a rule processing module executable in the server computer configured to decrypt and retrieve access rules from the security information and measure the retrieved access rules against the access privileges of the user requesting access to the electronic data;
(f) a cipher module executable in the server computer configured to decrypt and retrieve the file key from the security information and subsequently decrypt the encrypted data portion using the file key; and
(g) a document release module executable in the server computer configured to fulfill the access request by releasing a decrypted version of a requested document to the user via the secured link established by the link module in step (a) when the authentication module authenticates both the user and the client machine in step (b) and the rule processing module determines that the user is permitted to access the requested electronic data in step (e). (Dependent claims 29 to 36 depend on claim 28.)
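The format and flow recited in claims 1, 19 and 28 (a header carrying a signature, encrypted security information that holds the access rules and the file key, an encrypted data portion, a user key that unlocks the security information, and a rule check before the file key is used) can be seen end to end in the following added example. It is illustrative code written for this page, not the patent's or any assignee's implementation. The magic value SECD, the HMAC-SHA256 stream cipher used in place of a real AEAD such as AES-GCM (chosen so the example runs on the standard library alone), the JSON encoding of the security information and the rule vocabulary (allowed_users, expires) are all assumptions.

```python
import hashlib
import hmac
import json
import os
import struct
import time

# Assumed magic value: the header "signature signifying that the electronic
# data is secured" (claim 1 step f). Not the patent's actual value.
SIGNATURE = b"SECD"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for a real AEAD (AES-GCM);
    used only so the example runs on the standard library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key or
    tampered bytes raise instead of yielding garbage plaintext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def secure_document(user_key: bytes, plaintext: bytes, rules: dict) -> bytes:
    """Document securing module (claim 28 c): header = SIGNATURE || length ||
    security information sealed under the user key, followed by the data
    portion sealed under a per-document file key."""
    file_key = os.urandom(32)
    data_portion = seal(file_key, plaintext)
    security_info = json.dumps({"rules": rules, "file_key": file_key.hex()}).encode()
    sealed_info = seal(user_key, security_info)
    header = SIGNATURE + struct.pack(">I", len(sealed_info)) + sealed_info
    return header + data_portion


def parse_document(doc: bytes):
    """Split a secured document into (sealed security information, data portion)."""
    if doc[:len(SIGNATURE)] != SIGNATURE:
        raise ValueError("missing signature: not a secured document")
    (n,) = struct.unpack(">I", doc[4:8])
    return doc[8:8 + n], doc[8 + n:]


def rules_permit(rules: dict, user: str, now: float) -> bool:
    """Rule processing module (claim 28 e). Assumed rule vocabulary: a list of
    allowed user identifiers and an optional expiry timestamp."""
    allowed = user in rules.get("allowed_users", [])
    unexpired = now < rules.get("expires", float("inf"))
    return allowed and unexpired


def release_document(user_key: bytes, doc: bytes, user: str, now=None) -> bytes:
    """Server-side flow of claim 19 steps d to i: decrypt the security
    information with the user key, evaluate the rules, and only then apply
    the file key to the data portion."""
    now = time.time() if now is None else now
    sealed_info, data_portion = parse_document(doc)
    info = json.loads(unseal(user_key, sealed_info))
    if not rules_permit(info["rules"], user, now):
        raise PermissionError(f"access rules deny user {user!r}")
    return unseal(bytes.fromhex(info["file_key"]), data_portion)


if __name__ == "__main__":
    # Constructed sample input, not data from the patent.
    alice_key = os.urandom(32)
    doc = secure_document(alice_key, b"quarterly numbers",
                          {"allowed_users": ["alice"], "expires": 2_000_000_000})
    print(release_document(alice_key, doc, "alice"))
```

Note what the example makes visible: the file key sits beside the access rules inside the same encrypted security information, so whoever holds the user key (in claim 1 the client receives it in the authentication message of step d) can read the file key and decrypt the data portion whether or not the rules permit it. The determination in step (g) is therefore only as strong as the component that performs it; claims 19 and 28 keep the rule processing and both decryptions on the server and release only the decrypted data over the secured link, which is the arrangement release_document mirrors.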
Specification