Network system for transporting security-protected data

US 6,480,963 B1
Filed: 01/04/1999
Issued: 11/12/2002
Est. Priority Date: 06/17/1998
Status: Expired due to Term

First Claim

Patent Images

1. A network system in which a sender transmits data to a recipient over a network after applying appropriate security processes to the data, the system comprising:

a transmission unit comprising;

at least one table containing information about data confidentiality levels of different kinds of data and about security processes required in each data confidentiality level, the data confidentiality levels being determined from data attribute information and communication environment, security processing means for determining the data confidentiality level of given data to be transmitted to the recipient and identifying which security processes to apply thereto, with reference to said at least one table, and applying the identified security processes to the data, identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied, and transmission means for transmitting the data over the network to the recipient, together with the identification data being attached thereto; and

a reception unit, coupled to said transmission unit via the network, comprising;

reception means for receiving the data that is sent over the network by said transmission unit, identification data extracting means for extracting the identification data that is attached to the data, and unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network system with integrated security protection facilities. The system involves a transmission unit and a reception unit, which are coupled to each other via a network. In the transmission unit, a data management unit performs centralized management of source data that is stored in a plurality of storage units in a distributed manner. In response to a data transmission request from a terminal local to the transmission unit, a data collection unit collects requested data items from the data management unit. A security processor applies appropriate security protection processes to the collected data, depending on its data confidentiality level. An identification data attaching unit attaches identification data to the transmission data. This identification data informs the recipient of what sequence of security process primitives has been applied to the source data. A transmitter sends out the security-protected data over the network. In the reception unit, a receiver accepts the data sent from the transmission unit, and an identification data extracting unit extracts the identification data attached to the received data. With this identification data, an unprotection unit unprotects the received data, thereby reconstructing the original data contents.

Citations

15 Claims

1. A network system in which a sender transmits data to a recipient over a network after applying appropriate security processes to the data, the system comprising:
- a transmission unit comprising;
  
  at least one table containing information about data confidentiality levels of different kinds of data and about security processes required in each data confidentiality level, the data confidentiality levels being determined from data attribute information and communication environment, security processing means for determining the data confidentiality level of given data to be transmitted to the recipient and identifying which security processes to apply thereto, with reference to said at least one table, and applying the identified security processes to the data, identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied, and transmission means for transmitting the data over the network to the recipient, together with the identification data being attached thereto; and
  
  a reception unit, coupled to said transmission unit via the network, comprising;
  
  reception means for receiving the data that is sent over the network by said transmission unit, identification data extracting means for extracting the identification data that is attached to the data, and unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network system according to claim 1, the transmission unit further comprising:
3. The network system according to claim 1, wherein said security processing means executes the security processes, taking into account an access privilege level of the recipient.
4. The network system according to claim 3, wherein said security processing means executes the security processes, taking into account a system security level that indicates a security level of a system constructed by said reception unit and the network.
5. The network system of claim 1, wherein if any security process primitives are outside of a predetermined range, the system denies requested transmission for lack of security.

6. A method of transporting data from a transmission unit to a reception unit over a network after applying appropriate security processes to the data, the method comprising:
- at the transmission unit, determining the data confidentiality level of given data to be transmitted to the recipient and identifying which security processes to apply thereto, with reference to at least one table containing information about data confidentiality levels of different kinds of data and about security processes required in each data confidentiality level, the data confidentiality levels being determined from data attribute information and communication environment;
  
  at the transmission unit, applying security processes to data that is to be transmitted to the reception unit, the security processes being relevant to a data confidentiality level that is determined from data attribute information and communication environment;
  
  at the transmission unit, attaching identification data to the data to allow the recipient to identify what security processes have been applied to the data;
  
  at the transmission unit, transmitting the data over the network to the reception unit, together with the identification data being attached thereto;
  
  at the reception unit, receiving the data that is sent over the network by the transmission unit;
  
  at the reception unit, extracting the identification data that is attached to the data; and
  
  at the reception unit, unprotecting the data by using the identification data extracted.

7. A transmission unit which transmits data to a reception unit over a network after applying appropriate security processes to the data, the transmission unit comprising:
- at least one table containing information about data confidentiality levels of different kinds of data and about security processes required in each data confidentiality level, the data confidentiality levels being determined from data attribute information and communication environment;
  
  security processing means for determining the data confidentiality level of given data to be transmitted to the recipient and identifying which security processes to apply thereto, with reference to said at least one table, and applying the identified security processes to the data;
  
  identification data attaching means for attaching identification data to the data to allow the recipient to identify what security processes said security processing means has applied; and
  
  transmission means for transmitting the data over the network to the reception unit, together with the identification data being attached thereto.

8. A computer-readable storage medium for storing a computer program to be used to transport data over a network from a transmission unit to a reception unit after applying appropriate security processes to the data, the computer program being designed to run on a computer in order to cause the computer to function as:
- at least one table containing information about data confidentiality levels of different kinds of data and about security processes required in each data confidentiality level, the data confidentiality levels being determined from data attribute information and communication environment;
  
  security processing means for determining the data confidentiality level of given data to be transmitted to the recipient and identifying which security processes to apply thereto, with reference to said at least one table, and applying the identified security processes to the data;
  
  identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied; and
  
  transmission means for transmitting the data over the network to the reception unit, together with the identification data being attached thereto.

9. A reception unit to receive data to which security processes are applied by a transmission unit, comprising:
- reception means for receiving the data that is sent over a network by the transmission unit;
  
  identification data extracting means for extracting identification data that is attached to the data; and
  
  unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means, wherein the data is not encrypted or transmitted if an intended recipient does not have adequate privileges.

10. A computer-readable storage medium for storing a computer program to be used to receive data to which security processes are applied by a transmission unit, the computer program being designed to run on a computer in order to cause the computer to function as:
- reception means for receiving the data that is sent over a network by the transmission unit;
  
  identification data extracting means for extracting identification data that is attached to the data; and
  
  unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means, wherein the data is not encrypted or transmitted if an intended recipient does not have adequate privileges.

11. A network system in which a sender transmits data to a recipient over a network after applying appropriate security processes to the data, the system comprising:
- a transmission unit comprising;
  
  security processing means for applying security processes to data that is to be transmitted to the recipient, the security processes being relevant to a data confidentiality level that is determined from data attribute information and communication environment, identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied, and transmission means for transmitting the data over the network to the recipient, together with the identification data being attached thereto; and
  
  a reception unit, coupled to said transmission unit via the network, comprising;
  
  reception means for receiving the data that is sent over the network by said transmission unit, identification data extracting means for extracting the identification data that is attached to the data, and unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means, wherein said security processing means executes the security processes, taking into account an access privilege level of the recipient, wherein said security processing means executes the security processes, taking into account a system security level that indicates a security level of a system constructed by said reception unit and the network, wherein said transmission unit further comprises;
  
  a first table which defines the data confidentiality level of the data to be transmitted, and the access privilege level and system security level of the recipient; and
  
  a second table which defines combinations of security process primitives and execution order thereof, in association with possible combinations of the data confidentiality level, the access privilege level, and system security level, wherein said security processing means applies the security processes to the data to be transmitted to the recipient, according to one of the combinations of security process primitives and execution order thereof that is determined from said second table, wherein said identification data attaching means attaches the identification data to the security-protected data to enable the reception unit to identify the combination of security process primitives and the execution order that have been applied to the data by said security processing means, wherein said identification data extracting means extracts the identification data that shows the combination of security process primitives and the execution order, and wherein said unprotecting means unprotects the data by using the extracted identification data that shows the combination of security process primitives and the execution order.
- View Dependent Claims (12, 13)
- - 12. The network system according to claim 11, further comprising security process primitive adding means, disposed in said transmission unit, for adding a new security process primitive.
  - 13. The network system according to claim 11, further comprising security process primitive modifying means for modifying the existing security process primitives.

14. A network system in which a sender transmits data to a recipient over a network after applying appropriate security processes to the data, the system comprising:
- a transmission unit comprising;
  
  security processing means for applying security processes to data that is to be transmitted to the recipient, the security processes being relevant to a data confidentiality level that is determined from data attribute information and communication environment, identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied, and transmission means for transmitting the data over the network to the recipient, together with the identification data being attached thereto; and
  
  a reception unit, coupled to said transmission unit via the network, comprising;
  
  reception means for receiving the data that is sent over the network by said transmission unit, identification data extracting means for extracting the identification data that is attached to the data, and unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means, wherein said security processing means executes the security processes, taking into account an access privilege level of the recipient, wherein said security processing means executes the security processes, taking into account a system security level that indicates a security level of a system constructed by said reception unit and the network, both of said transmission unit and said reception unit further comprise;
  
  a first table which defines the data confidentiality level of the data to be transmitted, and the access privilege level and system security level of the recipient, and a second table which defines combinations of security process primitives and execution order thereof, in association with possible combinations of the data confidentiality level, the access privilege level, and system security level;
  
  wherein said security processing means applies the security processes to the data to be transmitted to the recipient, according to one of the combinations of security process primitives and execution order thereof that is obtained from said second table, wherein said identification data attaching means attaches the identification data to the security-protected data to inform the reception unit of a sender name and a data name, wherein said identification data extracting means extracts the sender name and the data name from the received data, and wherein said unprotecting means obtains a combination of security process primitives and execution order of the security process primitives from said first and second table by using the extracted sender name and data name as keywords, and unprotects the data according to the obtained information.

15. A network system in which a sender transmits data to a recipient over a network after applying appropriate security processes to the data, the system comprising:
- a transmission unit comprising;
  
  security processing means for applying security processes to data that is to be transmitted to the recipient, the security processes being relevant to a data confidentiality level that is determined from data attribute information and communication environment, identification data attaching means for attaching identification data to the data to allow the recipient to identify the security processes that said security processing means has applied, and transmission means for transmitting the data over the network to the recipient, together with the identification data being attached thereto; and
  
  a reception unit, coupled to said transmission unit via the network, comprising;
  
  reception means for receiving the data that is sent over the network by said transmission unit, identification data extracting means for extracting the identification data that is attached to the data, and unprotecting means for unprotecting the data by using the identification data extracted by said identification data extracting means, wherein said security processing means executes the security processes, taking into account an access privilege level of the recipient, wherein said security processing means executes the security processes, taking into account a system security level that indicates a security level of a system constructed by said reception unit and the network, wherein said transmission unit and said reception unit share a first and second tables which are placed at a predetermined location on the network, wherein said first table defines the data confidentiality level of the data to be transmitted, and the access privilege level and system security level of the recipient, wherein said second table defines combinations of security process primitives and execution order thereof, in association with possible combinations of the data confidentiality level, the access privilege level, and system security level, wherein said security processing means applies the security processes to the data to be transmitted to the recipient, according to one of the combinations of security process primitives and execution order thereof that is obtained from said second table, wherein said identification data attaching means attaches the identification data to the security-protected data to inform the reception unit of a sender name and a data name, wherein said identification data extracting means extracts the sender name and the data name from the received data, and wherein said unprotecting means obtains a combination of security process primitives and execution order of the security process primitives from said first and second table by using the extracted sender name and data name as keywords, and unprotects the data according to the obtained information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Tachibana, Hirotaka, Urita, Seiichi, Hayashi, Takehiko, Kotani, Seigo
Primary Examiner(s)
HUA, LY

Application Number

US09/225,212
Time in Patent Office

1,408 Days
Field of Search

713/166, 713/200, 713/172, 713/156, 713/168, 713/176, 713/155, 713/151, 713/201
US Class Current

726/4
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Network system for transporting security-protected data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network system for transporting security-protected data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links