Security services and policy enforcement for electronic data
First Claim
Patent Images
1. A computerized method for providing security services and policy enforcement for electronic data, the method comprising the steps of:
- submitting, by a first client, a certificate request to a server;
receiving, by the server, the certificate request, authenticating the first client, generating a certificate, registering the certificate, and transmitting the certificate to the first client;
receiving, by the first client, the certificate, creating an authenticated file containing the certificate and a distribution unit, generating a first digest from the authenticated file using a hashing algorithm, and submitting the first digest to the server;
time stamping, by the server, the digest, logging the digest, and transmitting a time stamped receipt to the first client;
acquiring, by a second client, the authenticated file, generating a second digest from the authenticated file using the hashing algorithm, and submitting the second digest to the server; and
receiving, by the server, the second digest, comparing the second digest to the logged first digest, and transmitting a message to the second client as a result of the comparison.
2 Assignments
0 Petitions
Accused Products
Abstract
Security services and policy enforcement for electronic data is provided through a series of transactions among a server and clients using electronic security certificates. A first client generates a digest from the electronic data, and submits a security certificate request containing the digest to a trusted arbitrator server, where the request is time stamped and logged. The trusted arbitrator authenticates the first client'"'"'s credentials and returns the security certificate to the first client. The data and security certificate are combined to create a distribution unit. A second client acquires the distribution unit, extracts the security certificate, and generates a digest from the data. If the digest from the second client matches the logged digest from the first client, the data is valid. Depending on the certificate type and policy level, the trusted arbitrator server provides other services to the clients, such as notification of improper user of the data.
-
Citations
29 Claims
-
1. A computerized method for providing security services and policy enforcement for electronic data, the method comprising the steps of:
-
submitting, by a first client, a certificate request to a server;
receiving, by the server, the certificate request, authenticating the first client, generating a certificate, registering the certificate, and transmitting the certificate to the first client;
receiving, by the first client, the certificate, creating an authenticated file containing the certificate and a distribution unit, generating a first digest from the authenticated file using a hashing algorithm, and submitting the first digest to the server;
time stamping, by the server, the digest, logging the digest, and transmitting a time stamped receipt to the first client;
acquiring, by a second client, the authenticated file, generating a second digest from the authenticated file using the hashing algorithm, and submitting the second digest to the server; and
receiving, by the server, the second digest, comparing the second digest to the logged first digest, and transmitting a message to the second client as a result of the comparison. - View Dependent Claims (2, 3, 4, 5, 6)
registering, by the server, the second client as having the authenticated file;
creating, by the first client, an update authenticated file containing the certificate and an updated version of the distribution unit, generating an update digest from the update authenticated file using the hashing algorithm, and submitting the update digest to the server;
receiving, by the server, time stamping and logging the update digest, and returning a time stamped update receipt to the first client; and
determining, by the server, that the second client has the authenticated file and notifying the second client of the update authenticated file.
-
-
4. The computerized method of claim 1, wherein the certificate requested is a policy enforcement certificate.
-
5. The computerized method of claim 4, further comprising the steps of:
-
generating, by the second client, a notification that the data in the distribution unit is being used inappropriately based on a policy level specified in the certificate receiving, by the server, the inappropriate use notification; and
notifying the first client of the inappropriate use.
-
-
6. The computerized method of claim 4, wherein the message returned by the server to the second client requests the second client pay for the authenticated file and further comprising the steps of:
-
receiving, by the server, a payment from the second client; and
transmitting, by the server, a key to unlock data in the distribution unit.
-
-
7. A computer-readable medium having computer-executable instructions to a cause a server computer to perform a method comprising:
-
creating a certificate in response to receiving a certificate request from an authenticated first client;
registering the certificate as held by the first client;
transmitting the certificate to the first client;
logging a digest received from the first client using a first time stamp;
comparing a digest received from a second client with the logged digest; and
transmitting a comparison result message to the second client. - View Dependent Claims (8, 9, 10)
receiving a notification that the second client is using data associated with the logged digest inappropriately based on a policy level specified in the certificate; and
transmitting a notification of inappropriate use to the first client.
-
-
9. The computer-readable medium of claim 7, further comprising the steps of:
-
registering the second client as having data associated with the logged digest;
logging an update digest received from the first client using a second time stamp;
returning an update receipt to the first client; and
notifying the second client of that the data associated with the logged digest has been updated.
-
-
10. The computer-readable medium of claim 7, further comprising the steps of:
-
transmitting a request for payment to the second client;
receiving payment from the second client; and
transmitting a key to unlock data associated with the logged digest.
-
-
11. A computer-readable medium having computer-executable instructions to a cause a client computer to perform a method comprising:
-
transmitting a certificate request to a server;
receiving a certificate from the server;
generating a digest from the certificate combined with a distribution unit using a hashing algorithm;
transmitting the digest to the server; and
receiving a time stamped confirmation message for the digest from the server. - View Dependent Claims (13)
generating an update digest from the certificate and an updated version of the distribution unit;
transmitting the update digest to the server; and
receiving a time stamped confirmation message for the update digest from the server.
-
-
12. The computer-readable medium 11, wherein the method further comprises receiving an inappropriate use message from the server.
-
14. A computer-readable medium having computer-executable instructions to a cause a client computer to perform a method comprising:
-
generating a digest from a certificate and a distribution unit received by the client;
transmitting the digest to a server;
receiving a message from the server as a result of transmitting the digest;
determining that data in the distribution unit is being used inappropriately based on a policy level specified in the certificate;
alerting a user of the client computer of the inappropriate use; and
transmitting a notification message to the server regarding the inappropriate use if the user continues the use. - View Dependent Claims (15, 16)
receiving a payment request from the server;
transmitting a payment to the server; and
receiving a key from the server to unlock data in the distribution unit.
-
-
17. A computer system comprising:
-
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a client application executed from the computer-readable medium by the processing unit, wherein the client application comprises;
a validation module that causes the processing unit to generate a digest from an authenticated file received by the processing unit, to submit the digest to a server, and to receive a message from the server as a result of submitting the digest;
wherein the validation module further causes the processing unit to detect inappropriate use of data in the authenticated file based on a policy level specified in a certificate in the authenticated file, to notify a user of the computer of the inappropriate use, and to submit an inappropriate use message to the server if the use continues. - View Dependent Claims (18, 19, 20, 21, 22)
an authentication module that causes the processing unit to create a request for a certificate, to submit the request to a server, to combine a distribution unit and the certificate received from the server into an authenticated file, to generate a digest from the authenticated file using a hashing algorithm, to submit the digest to the server, and to receive a confirmation message from the server.
-
-
21. The computer system of claim 20, wherein the authentication module further causes the processing unit to combine an updated version of the distribution unit and the certificate into an update authenticated file, to generate a digest from the update authenticated file using the hashing algorithm, to submit the update digest to the server, and to receive an update confirmation message from the server.
-
22. The computer system of claim 20, wherein the authentication module further causes the processing unit to receive an inappropriate use notification message from the server.
-
23. A computer system comprising:
-
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a client application executed from the computer-readable medium by the processing unit, wherein the client application comprises;
an authentication module that causes the processing unit to create a request for a certificate, to submit the request to a server, to combine a distribution unit and the certificate received from the server into an authenticated file, to generate a digest from the authenticated file, to submit the digest to the server, and to receive a confirmation message from the server. - View Dependent Claims (24, 25)
-
-
26. A computer system comprising:
-
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a client application executed from the computer-readable medium by the processing unit, wherein the client application comprises;
a security module that causes the processing unit to detect inappropriate use of data in an authenticated file based on a policy level specified in a certificate in the authenticated file, to notify a user of the computer of the inappropriate use, and to submit an inappropriate use message to a server if the use continues.
-
-
27. A computer system comprising:
-
a processing unit;
a system memory coupled to the processing unit through a system bus;
a computer-readable medium coupled to the processing unit through a system bus; and
a server application executed from the computer-readable medium by the processing unit, wherein the server application comprises;
a certificate module that causes the processing unit to create a certificate in response to receiving a certificate request from an authenticated requesting client, to register the certificate, and to transmit the certificate to the requesting client;
a registration module that causes the processing unit to log a digest with a time stamp in response to receiving the digest, and to return a confirmation message; and
a security module that causes the processing unit to compare a digest received by the processing unit against the logged digest, and to transmit a message as a result of the comparison. - View Dependent Claims (28, 29)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeMicrosoft Technology Licensing LLC (Microsoft Corporation)
-
Original AssigneeMicrosoft Corporation
-
InventorsDanieli, Damon V.
-
Primary Examiner(s)Darrow, Justin T.
-
Application NumberUS09/229,427Time in Patent Office1,469 DaysField of Search713/155, 713/156, 713/160, 713/164, 713/165, 713/166, 713/167, 713/175, 713/176, 713/178, 713/179, 713/181, 713/193, 713/201, 705/1, 705/51, 705/52, 705/53, 380/279US Class Current713/156CPC Class CodesG06F 21/64 Protecting data integrity, ...G06F 2221/2151 Time stampH04L 2209/56 Financial cryptography, e.g...H04L 2209/603 Digital right managament [DRM]H04L 63/0823 using certificates cryptogr...H04L 63/12 Applying verification of th...H04L 9/3236 using cryptographic hash fu...H04L 9/3263 involving certificates, e.g...H04L 9/3297 involving time stamps, e.g....
