CONTROLLING ACCESS TO PROTECTED OBJECTS
First Claim
1. A method of regulating access, by a server having a processor and a key store that stores a key, to an object encrypted with the key and stored on a device operated by a user, the method comprising:
- executing on the processor instructions configured to:
  - store the key in the key store;
  - upon receiving a request from the device to access the key:
    - authenticate the user;
    - verify a trust identifier of the device; and
    - upon authenticating the user and verifying the trust identifier of the device:
      - generate a ticket granting access to the key, and
      - send the ticket to the device; and
  - upon receiving the ticket from the device:
    - verify the ticket, and
    - upon verifying the ticket, send the key to the device.
Abstract
A device operated by a user may store an object to which access is to be regulated, which may be achieved by encrypting the object with an encryption key and sending the key to a server having a key store. When a user of the device requests access to the object, the server may authenticate the user (e.g., according to a credential submitted by the user) and verify a trust identifier of the device (e.g., authorization to access the object through the device, and/or the integrity of the device), before sending to the device a ticket granting access to the key. The device may send the ticket to the server, receive the key from the server, decrypt the stored encrypted object, and provide the object to the user. This mechanism promotes rapid access upon request and efficient use of the server, and enables remote revocation of access.
20 Claims
11. A method of accessing objects on a device operated by a user and having a processor and a data store using a server having a key store, the method comprising:
- executing on the processor instructions configured to:
  - receive a key;
  - encrypt the object with the key to generate an encrypted object;
  - store the encrypted object in the data store;
  - send the key to the server;
  - upon receiving a request from the user to access the object:
    - submit to the server:
      - at least one credential authenticating the user, and
      - a trust identifier of the device; and
  - upon receiving a ticket from the server:
    - send the ticket to the server, and
    - upon receiving a key from the server:
      - decrypt the encrypted object with the key to generate an unencrypted object, and
      - present the unencrypted object in response to the request.
20. A computer-readable storage medium comprising instructions that, when executed on a processor of a server comprising a key store configured to store at least one key and a credential store configured to store at least one credential of at least one user, provide an object to a user of a device having a device identifier by:
- upon receiving a key, storing the key in the key store;
- upon receiving a credential of a user, store the credential of the user in the credential store;
- upon receiving a request from the device to access the key:
  - authenticating the user by:
    - receiving a submitted credential from the user, and
    - comparing the submitted credential with the at least one credential of the user;
  - verifying a trust identifier delegated to the device by a user of the device; and
  - upon authenticating the user and verifying the trust identifier of the device:
    - generating a ticket granting access to the key and having a duration and at least one device identifier of the device, and
    - sending the ticket to the device; and
- upon receiving the ticket from the device:
  - verifying the ticket by:
    - receiving at least one device identifier of the device;
    - verifying that the ticket specifies at least one device identifier received from the device; and
    - verifying the ticket duration;
  - upon verifying the ticket, sending the key to the device;
- upon failing to identify a ticket received from a device:
  - re-authenticating the user using the at least one credential;
  - re-verifying a trust identifier of the device; and
  - upon re-authenticating the user and re-verifying the trust identifier of the device:
    - generating a renewed ticket granting access to the key, and
    - sending the renewed ticket to the device; and
- upon detecting an unauthorized access attempt relating to the object:
  - sending to the device a request to encrypt the object with a second key; and
  - upon receiving the second key from the device, replacing the first key in the key store with the second key.
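The server role recited in claim 20, sketched as an added Python example (not code from the patent or its assignee): a ticket bound to a device identifier and a duration is issued only after the credential and the device's trust are checked, and the key is released only for a valid ticket. The class and method names, the HMAC-sealed JSON ticket format, the PBKDF2 credential hash, and the modelling of the trust identifier as a set of (user, device) pairs are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

class KeyServer:
    """Hypothetical server: credential store, key store, ticket issue and redemption."""
    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # assumption: tickets are sealed with HMAC-SHA256
        self._creds = {}       # user -> (salt, PBKDF2 hash): the "credential store"
        self._keys = {}        # key_id -> object key: the "key store"
        self._trusted = set()  # (user, device_id) pairs the user has delegated trust to

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password, device_id, key_id, key):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._kdf(password, salt))
        self._trusted.add((user, device_id))
        self._keys[key_id] = key

    def revoke_device(self, user, device_id):
        self._trusted.discard((user, device_id))  # no new or renewed tickets for this device

    def _seal(self, body):
        return hmac.new(self._mac_key, body, hashlib.sha256).hexdigest().encode()

    def request_ticket(self, user, password, device_id, key_id, duration=300, now=None):
        now = time.time() if now is None else now
        salt, stored = self._creds.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._kdf(password, salt), stored):
            return None  # user not authenticated
        if (user, device_id) not in self._trusted or key_id not in self._keys:
            return None  # device trust identifier not verified
        body = json.dumps([key_id, device_id, now + duration]).encode()
        return body + b"." + self._seal(body)

    def redeem(self, ticket, device_id, now=None):
        now = time.time() if now is None else now
        body, _, tag = ticket.rpartition(b".")
        if not hmac.compare_digest(self._seal(body), tag):
            return None  # forged or altered ticket
        key_id, bound_device, expires = json.loads(body)
        if bound_device != device_id or now >= expires:
            return None  # ticket names another device, or its duration has elapsed
        return self._keys.get(key_id)
```

In this sketch an already issued ticket stays redeemable until it expires, so the ticket duration bounds how quickly `revoke_device` takes effect.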
Specification