SPACE-TIME SEPARATED AND JOINTLY EVOLVING RELATIONSHIP-BASED NETWORK ACCESS AND DATA PROTECTION SYSTEM

US 20150082399A1
Filed: 06/02/2014
Published: 03/19/2015
Est. Priority Date: 09/17/2013
Status: Active Grant

First Claim

Patent Images

1. A system for determining whether user access to data stored in a database is authorized, comprising:

computer-executable software code stored on at least one non-transitory data storage device for accepting a request by a user to access the data stored in the database;

means for identifying a sequence of servers to participate in authenticating the access of the data by the user;

means for generating a sequence of passwords;

computer-executable software code stored on at least one non-transitory data storage device for checking, at each one of the servers, a corresponding one of the passwords;

means for determining that the user is permitted to access the data if all the servers accept the corresponding password; and

means for varying the passwords over time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system that employs space-time separated and jointly-evolving relationships to provide fast network access control, efficient real-time forensics capabilities, and enhanced protection for at-rest data in the event of a network breach. The network security system allows, in part, functionality by which the system accepts a request by a user to access the data stored in the database, identifies a sequence of security agents to participate in authenticating and protecting the access of the data by the user, generates a sequence of pseudorandom IDs and space-time varying credentials, checks at each one of the security agents a corresponding one of the credentials, determines that the user is permitted to access the data using access control logs if all the security agents accept the corresponding credentials, and varies the credentials based on a space-time relationship.

160 Citations

30 Claims

1. A system for determining whether user access to data stored in a database is authorized, comprising:
- computer-executable software code stored on at least one non-transitory data storage device for accepting a request by a user to access the data stored in the database;
  
  means for identifying a sequence of servers to participate in authenticating the access of the data by the user;
  
  means for generating a sequence of passwords;
  
  computer-executable software code stored on at least one non-transitory data storage device for checking, at each one of the servers, a corresponding one of the passwords;
  
  means for determining that the user is permitted to access the data if all the servers accept the corresponding password; and
  
  means for varying the passwords over time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the sequence of passwords comprise one-time passwords.
  - 3. The system of claim 1, wherein the passwords vary subsequent to transmission of a data packet, subsequent to the user accessing the data, or subsequent to a user logon session.
  - 4. The system of claim 1, further comprising computer-executable software code stored on at least one non-transitory data storage device forcomputing the passwords by gathering cryptographic seed information associated with the user and forhashing the cryptographic seeds.
  - 5. The system of claim 1, further comprising computer-executable software code stored on at least one non-transitory data storage device for splitting the data to be accessed into encrypted components and for storing each encrypted component in respective spatially separated memory positions.
  - 6. The system of claim 5, further comprising computer-executable software code stored on at least one non-transitory data storage device for assigning respective time-varying identifiers to each encrypted component of the data, and for using the time-varying identifiers to authenticate access to the data.
  - 7. The system of claim 1, further comprising computer-executable software code stored on at least one non-transitory data storage device for computing the time-varying identifiers by gathering cryptographic seed information associated with the user and hashing the cryptographic seeds.
  - 8. The system of claim 5, further comprising computer-executable software code stored on at least one non-transitory data storage device for splitting the data into the encrypted components by selecting random locations of the data at which to split the data, andcomputer-executable software code stored on at least one non-transitory data storage device for storing the encrypted components in randomly selected spatially separated memory positions.
  - 9. The system of claim 5, further comprising computer-executable software code stored on at least one non-transitory data storage device for storing information regarding locations at which the data is split in a map;
    - splitting the map into encrypted map components; and
      
      storing the encrypted map components in respective spatially separated memory positions.
  - 10. The system of claim 5, further comprising computer-executable software code stored on at least one non-transitory data storage device for protecting cryptographic keys associated with the encrypted components using a Trusted Platform Module.
  - 11. The system of claim 1, wherein the servers comprise computer-executable software code stored on a non-transitory data storage device, andwherein the servers are located on a single network-enabled computing device.
  - 12. The system of claim 1, further comprisingcomputer-executable software code stored on at least one non-transitory data storage device for determining that the user is not permitted to access the data if at least one of the servers does not accept the corresponding password, andcomputer-executable software code stored on at least one non-transitory data storage device for identifying a source of an attack using log records stored in the servers, wherein the log records contain information regarding data packets associated with the request by the user.
  - 13. The system of claim 1, further comprisingcomputer-executable software code stored on at least one non-transitory data storage device for transmitting time-dependent authentication vectors among the servers;
    - andcomputer-executable software code stored on at least one non-transitory data storage device for determining that the user is not permitted to access the data if at least one of the servers does not accept as authentic one of the time-dependent authentication vectors transmitted to that server from another server.
  - 14. The system of claim 1, further comprising computer-executable software code stored on at least one non-transitory data storage device for identifying a sequence of servers by computing and comparing Hamming distances.

15. A method for determining whether user access to data stored in a database is authorized, comprising:
- accepting a request by a user to access the data stored in the database;
  
  identifying a sequence of servers to participate in authenticating the access of the data by the user;
  
  generating a sequence of passwords;
  
  checking, at each one of the servers, a corresponding one of the passwords;
  
  determining that the user is permitted to access the data if all the servers accept the corresponding password; and
  
  varying the passwords over time.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, wherein the sequence of passwords comprise one time passwords.
  - 17. The method of claim 15, wherein the passwords vary subsequent to transmission of a data packet, subsequent to the user accessing the data, or subsequent to a user logon session.
  - 18. The method of claim 15, further comprising computing the passwords by gathering cryptographic seed information associated with the user and hashing the cryptographic seeds.
  - 19. The method of claim 15, further comprising splitting the data to be accessed into encrypted components and storing each encrypted component in respective spatially separated memory positions.
  - 20. The method of claim 19, further comprising assigning respective time-varying identifiers to each encrypted component of the data, and using the time-varying identifiers to authenticate access to the data.
  - 21. The method of claim 19, further comprising computing the time-varying identifiers by gathering cryptographic seed information associated with the user and hashing the cryptographic seeds.
  - 22. The method of claim 19, further comprising splitting the data into the encrypted components by selecting random locations of the data at which to split the data, andstoring the encrypted components in randomly selected spatially separated memory positions.
  - 23. The method of claim 19, further comprising storing information regarding locations at which the data is split in a map;
    - splitting the map into encrypted map components; and
      
      storing the encrypted map components in respective spatially separated memory positions.
  - 24. The method of claim 19, further comprising protecting cryptographic keys associated with the encrypted components using a Trusted Platform Module.
  - 25. The method of claim 15, wherein the servers comprise computer-executable software code stored on a non-transitory data storage device, andwherein the servers are located on a single network enabled computing device.
  - 26. The method of claim 15, further comprisingdetermining that the user is not permitted to access the data if at least one of the servers does not accept the corresponding password, andidentifying a source of an attack using log records stored in the servers, wherein the log records contain information regarding data packets associated with the request by the user.
  - 27. The method of claim 15, further comprisingtransmitting time-dependent authentication vectors among the servers;
    - anddetermining that the user is not permitted to access the data if at least one of the servers does not accept as authentic one of the time-dependent authentication vectors transmitted to that server from another server.
  - 28. The method of claim 15, further comprising identifying a sequence of servers by computing and comparing Hamming distances.

29. A server for authenticating user access to data stored in a database, comprising:
- computer-executable software code stored on at least one non-transitory data storage device foraccepting a request by a user to access the data stored in the database;
  
  identifying one or more subsequent servers to participate in authenticating the access of the data by the user;
  
  analyzing a one-time password among a plurality of one-time passwords; and
  
  passing a client security ticket to at least one of the one or more subsequent servers; and
  
  passing a network security ticket to at least one of the one or more subsequent servers.

30. A server for authenticating user access to data stored in a database, comprising:
- computer-executable software code stored on at least one non-transitory data storage device forreceiving a client security ticket;
  
  comparing the client security ticket against a time varying access control list;
  
  determining whether an attack has occurred based on the comparison of the client security ticket against the time varying access control list;
  
  generating a network security ticket;
  
  identifying one or more subsequent servers to participate in authenticating the access of the data by the user; and
  
  passing the network security ticket to at least one of the subsequent servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Auburn University
Original Assignee
Auburn University
Inventors
WU, Chwan-Hwa, IRWIN, J. David, LAST, David Charles, HAWKINS, Myers, SUN, Hao

Granted Patent

US 9,208,335 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2107   File encryption

H04L 2209/606   Traitor tracing

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/10   for controlling access to d...

H04L 9/0656   Pseudorandom key sequence c...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0869   involving random numbers or...

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

H04L 9/50   using hash chains, e.g. blo...

SPACE-TIME SEPARATED AND JOINTLY EVOLVING RELATIONSHIP-BASED NETWORK ACCESS AND DATA PROTECTION SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

160 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SPACE-TIME SEPARATED AND JOINTLY EVOLVING RELATIONSHIP-BASED NETWORK ACCESS AND DATA PROTECTION SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links