
Data enclave and trusted path system

  • US 5,502,766 A
  • Filed: 10/26/1993
  • Issued: 03/26/1996
  • Est. Priority Date: 04/17/1992
  • Status: Expired due to Term
First Claim

1. A data enclave for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising:

  • protected storage in the server and in each of the workstations;
  • a crypto media controller in each workstation that can be used to read the fixed media and the removable media;
  • a personal keying device assigned to each user in the enclave;
  • an enclave key, a copy held in the protected storage in the server and in each of the workstations and used to protect other keys stored or transmitted on the network;
  • a personal identification number (PIN) for each user in the enclave;
  • an access vector associated with each media key to form media key/access vector pairs, the pairs stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs;
  • the media key/access vector pairs stored in the personal keying devices enciphered with a combined key including the user's PIN and the enclave key;
  • device attributes assigned to each workstation, and used to represent the security attributes of the workstations; and
  • each crypto media controller including logic for (i) reading a unit of media using the media key received from the personal keying device of the user seeking access to the data, (ii) decrypting a media key/access vector pair received from a personal keying device using the enclave key stored in the controller and the user PIN entered by a user in the personal keying device used by the user seeking access to the data, (iii) decrypting the data on the media using the media key, and (iv) restricting access to the decrypted data based on the access vector and the device attributes for the workstation from which access is attempted.
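The key hierarchy the claim describes (enclave key, a combined key from the user's PIN and the enclave key, media key/access vector pairs enciphered on the keying device, and controller-side gating on both the access vector and the workstation's device attributes), as an added Python example that is not part of the patent or of any implementation of it. The cipher (an HMAC-SHA256 keystream with encrypt-then-MAC), the way PIN and enclave key are combined, and the bit encodings of the access vector and device attributes are assumptions, since the claim does not specify them.

```python
import hashlib, hmac, secrets
READ, WRITE = 1, 2                  # access-vector operation bits (constructed encoding)
STANDALONE_WS, NETWORKED_WS = 1, 2  # workstation device-attribute bits (constructed encoding)

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(ek: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 as keystream PRF and MAC: a stdlib stand-in for the claim's cipher."""
    ek, mk, nonce = _prf(key, b"enc"), _prf(key, b"mac"), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + _prf(mk, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mk, nonce + ct)):  # wrong PIN, wrong enclave key, or tampering
        raise PermissionError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def combined_key(enclave_key: bytes, pin: str) -> bytes:
    """PIN combined with the enclave key; the claim does not say how, so HMAC of the PIN is assumed."""
    return _prf(enclave_key, b"pin:" + pin.encode())

def provision_pair(enclave_key, pin, media_key, allowed_ops, allowed_devices) -> bytes:
    """Blob held on the personal keying device: media key / access vector pair under the combined key."""
    return seal(combined_key(enclave_key, pin), media_key + bytes([allowed_ops, allowed_devices]))

def controller_access(enclave_key, pin, pair_blob, media_blob, device_attrs, op) -> bytes:
    """Controller logic (ii)-(iv): recover the pair, then release the media only if the access vector
    allows op AND the workstation's device attributes match; the gate runs before media decryption."""
    pair = unseal(combined_key(enclave_key, pin), pair_blob)
    media_key, allowed_ops, allowed_devices = pair[:32], pair[32], pair[33]
    if op & allowed_ops != op or not device_attrs & allowed_devices:
        raise PermissionError("denied by access vector / device attributes")
    return unseal(media_key, media_blob)

def try_access(*args):  # same as controller_access, but None instead of an exception on refusal
    try:
        return controller_access(*args)
    except PermissionError:
        return None

if __name__ == "__main__":  # constructed scenario: read-only media key, networked workstations only
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    pair, media = provision_pair(ek, "4071", mk, READ, NETWORKED_WS), seal(mk, b"constructed payroll record")
    print(try_access(ek, "4071", pair, media, NETWORKED_WS, READ), try_access(ek, "4071", pair, media, STANDALONE_WS, READ))
```

A wrong PIN or a different enclave key fails at the MAC check on the pair blob, so the media key is never recovered; a correct PIN on a workstation whose attributes are outside the access vector is refused before the media is touched.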
