Method, system and apparatus for selecting encryption levels based on policy profiling

US 7,010,681 B1
Filed: 01/29/1999
Issued: 03/07/2006
Est. Priority Date: 01/29/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, comprising steps of:

identifying one or more security-sensitive document content sections in each of a plurality of structured documents encoded in a markup language by delimiting each of the security-sensitive sections in each of the structured documents using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section;

receiving, at the server from a requester located at the client, a request for a particular one of the structured documents;

determining a maximum security level for which the requester is authorized;

filtering out, from the requested document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and

if the filtered document is not empty, performing the steps of;

determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document;

identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and

if any ciphers were identified, encrypting the filtered document using one of the identified ciphers and transmitting the encrypted filtered document to the requester at the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention depicts a method, system and program product for controlling levels of security and levels of encryption based on a predefined policy profile. This enables administrators and those who control the network to easily respond to changes in the requirements of the security levels for specific applications. It also allows for response to changes in personnel (such as someone being removed from a position that had topsecret security access) and accommodates variations in access by client devices.

199 Citations

15 Claims

1. A method of using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, comprising steps of:
- identifying one or more security-sensitive document content sections in each of a plurality of structured documents encoded in a markup language by delimiting each of the security-sensitive sections in each of the structured documents using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section;
  
  receiving, at the server from a requester located at the client, a request for a particular one of the structured documents;
  
  determining a maximum security level for which the requester is authorized;
  
  filtering out, from the requested document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and
  
  if the filtered document is not empty, performing the steps of;
  
  determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document;
  
  identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and
  
  if any ciphers were identified, encrypting the filtered document using one of the identified ciphers and transmitting the encrypted filtered document to the requester at the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as claimed in claim 1, wherein the filtering out step further comprises the step of filtering out, from the filtered document, all of the identified security-sensitive sections for which the indicated security level is higher than the security level of all ciphers available for decryption at the client.
  - 3. The method as claimed in claim 1, wherein an author who created the requested document is identified in a header associated with the requested document, and wherein the filtering out step further comprises the steps of:
    - determining a role of the identified author;
      
      consulting a mapping that correlates the determined role to an interpretation of the security levels indicated by the markup language tag syntax in the requested document; and
      
      using the interpretation from the mapping when determining whether the indited security levels are higher than the determined maximum security level for which the requester is authorized.
  - 4. The method as claimed in claim 3, further comprising the step of changing the interpretation of the security levels by changing the correlation it the mapping.
  - 5. The method as claimed in claim 3, wherein the identification of the author indicates a user group of which the author is a member, and the determined role is the role of the user group.
  - 6. The method as claimed in claim 1, wherein the security level provided by the cipher used to encrypt the filtered document is a least secure one of the security levels provided by the identified ciphers.
  - 7. The method according to claim 1, wherein the step of determining the main security level for which the requester is authorized further comprises the step of using an identifier and password of the requester to access a repository wherein requesters and their maximum authorized security levels are identified.
  - 8. The method according to claim 7, wherein the identifier and password of the requester are communicated with the request for the structured document.
  - 9. The method as claimed in claim 1, wherein the step of identifying any ciphers further comprises the step of consulting a repository where a mapping between ciphers and the security level provided by those ciphers is stored.
  - 10. The method as claimed in claim 9, further comprising the step of changing the security level which a particular cipher is capable of providing by changing the security level in the mapping for the particular cipher.
  - 11. The method as claimed in claim 1, wherein the cipher used for encrypting the filtered document is selected from the identified ciphers by selecting that one of the identified ciphers which is available for decryption on the client and which provides a least secure one of the security levels provided by the identified ciphers.
  - 12. The method as claimed in claim 1, wherein the requested structured document is dynamically composed from a plurality of subdocuments, at least one of which has at least one security-sensitive section and others of which may have zero or more security-sensitive sections.
  - 13. The method as claimed in claim 1, wherein the markup language in which the requested structured document is encoded is the Extensible Markup Language (“
    - XML”
      
      ).

14. A system for using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, comprising:
- a plurality of structured documents encoded in a markup language, each of the structured documents identifying one or more security-sensitive document content sections therein by delimiting each of the security-sensitive sections using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section;
  
  means for receiving, at the server from a requester located at the client, a request for a particular one of the structured documents;
  
  means for determining a maximum security level for which the requester is authorized;
  
  means for filtering out, from the requested document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and
  
  means for, if the filtered document is not empty, (1) determining a most-restrictive one of the security levels indicated by the markup language tag be syntax delimiting any security-sensitive sections that remain in the filtered document;
  
  (2) identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and
  
  (3) if any ciphers were identified, encrypting the filtered document using one of the identified ciphers.

15. A computer program for us structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, the computer program product residing on programmable media and comprising:
- computer executable program code means for receiving, at the serer from a requester located at the client, a request for a structured document;
  
  computer executable program code means for locating the requested structured document among a plurality of structured documents encoded in a markup language, each of the structured documents identifying one or more security-sensitive document content sections therein by delimiting each of the security-sensitive sections using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section;
  
  computer executable program code means for determining a maximum security level for which the requester is authorized;
  
  computer executable program code means for filtering out, from the located document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and
  
  computer executable program code means for, if the filtered document is not empty, (1) determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document;
  
  (2) identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and
  
  (3) if any ciphers were identified, encrypting the filtered document using one of the identified ciphers and transmitting the encrypted filtered document to the requester at the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kaminsky, David Louis, Kessler, Carl Shawn, Fletcher, James Corvin
Primary Examiner(s)
Caldwell, Andrew

Application Number

US09/240,387
Time in Patent Office

2,594 Days
Field of Search

713/151, 713/152, 713/154, 713/166
US Class Current

713/154
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 9/088   Usage controlling of secret...

Method, system and apparatus for selecting encryption levels based on policy profiling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

199 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and apparatus for selecting encryption levels based on policy profiling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links