Method and architecture for providing pervasive security to digital assets

US 7,260,555 B2
Filed: 02/12/2002
Issued: 08/21/2007
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for providing access control management to electronic data, the method comprising:

establishing a secured link between a server providing the access control management and a client machine when an authentication request is received from the client machine, the authentication request including an identifier identifying a user of the client machine to access the electronic data, wherein the electronic data is not from the server but secured in a format including security information and an encrypted data portion, the security information including a file key and access rules and controlling restrictive access to the encrypted data portion;

authenticating the user according to the identifier; and

activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing pervasive security to digital assets are disclosed. According to one aspect of the techniques, a server is configured to provide access control (AC) management for a user (e.g., a single user, a group of users, software agents or devices) with a need to access secured data. Within the server module, various access rules for the secured data and/or access privileges for the user can be created, updated and managed so that the user with the proper access privileges can access the secured documents if granted by the corresponding access rules in the secured data.

184 Citations

85 Claims

1. A method for providing access control management to electronic data, the method comprising:
- establishing a secured link between a server providing the access control management and a client machine when an authentication request is received from the client machine, the authentication request including an identifier identifying a user of the client machine to access the electronic data, wherein the electronic data is not from the server but secured in a format including security information and an encrypted data portion, the security information including a file key and access rules and controlling restrictive access to the encrypted data portion;
  
  authenticating the user according to the identifier; and
  
  activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method as recited in claim 1 further comprising maintaining an access control management, wherein the access control management comprises:
    - a rule manager including at least one set of rules for the electronic data; and
      
      an administration interface from which the rules for a designated place for the electronic data are created, managed, or updated.
  - 3. The method as recited in claim 2, wherein the designated place is a folder and all files in the folder are subject to the rules.
  - 4. The method as recited in claim 2, wherein the designated place is a repository and all files in the repository are subject to the rules.
  - 5. The method as recited in claim 2, wherein the rule manager provides a graphic user interface from which the rules can be created, managed or updated.
  - 6. The method as recited in claim 5, wherein parameters determining the rules from the graphic user interface are subsequently expressed in a markup language.
  - 7. The method as recited in claim 6, wherein the parameters expressed in the markup language are uploaded to the client machine after the user is authenticated.
  - 8. The method as recited in claim 7, wherein the markup language is Extensible Access Control Markup Language.
  - 9. The method as recited in claim 7, wherein the markup language is selected from a group consisting of HTML, XML and SGML.
  - 10. The method as recited in claim 2, wherein the access control management further comprises a user manager coupled to a database including a list of authorized users and respective access privileges associated with each of the authorized users.
  - 11. The method as recited in claim 10, wherein the authenticating of the user comprises:
    - looking up in the database for the user; and
      
      getting, from the database, access location information as to where the user is authorized to access the electronic data if information about the user is located in the database.
  - 12. The method as recited in claim 11, wherein the identifier further identifiers the client machine;
    - and wherein the authenticating of the user comprises determining, from the access location information, whether the client machine is permitted by the user to access the electronic data.
  - 13. The method as recited in claim 11, wherein the access location information pertains to locations or specific client machines from which the user is authorized to access the electronic data.
  - 14. The method as recited in claim 1 ,wherein the user key is in the client machine;
    - and wherein the activating of the user key comprises;
      
      sending an authentication message to the client machine; and
      
      activating the user key with the authentication message.
  - 15. The method as recited in claim 14, wherein the electronic data, when secured, includes a header that further includes the security information being encrypted and a signature signifying that the electronic data is secured.
  - 16. The method as recited in claim 1 further comprising associating the activated user key with the user locally.
  - 17. The method as recited in claim 16, wherein the electronic data, when secured, includes a header that includes the security information being encrypted and a signature signifying that the electronic data is secured;
    - the encrypted security information including the access rules and a file key, and wherein the method further comprises;
      
      receiving the header from the client machine;
      
      decrypting the security information in the header to retrieve the access rules therein; and
      
      retrieving the file key when the access rules are measured successfully against access privilege of the user.
  - 18. The method as recited in claim 17 further comprising sending the file key to the client machine in which the encrypted data portion can be decrypted with the file key by a cipher module executing in the client machine.

19. A method for providing access control management to electronic data in a client machine, the method comprising:
- authenticating a user attempting to access the electronic data;
  
  maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling who, how, when or where the secured electronic data can be accessed and the encrypted data portion is an encrypted version of the electronic data according to a predetermined cipher scheme;
  
  encrypting the security information with the public key in the client machine when the electronic data is to be written into a store; and
  
  decrypting the security information with the private key in the client machine when the electronic data is to be accessed by an application.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The method as recited in claim 19, wherein the authentication of the user comprises:
    - establishing a link with the client machine from which the user is attempting to access the electronic data;
      
      demanding credential information from the user; and
      
      receiving the credential information from the client machine over the link.
  - 21. The method as recited in claim 20, wherein the credential information includes a pair of usemame and password provided by the user.
  - 22. The method as recited in claim 20, wherein the credential information includes biometric information captured from the user by an apparatus coupled to the client machine.
  - 23. The method as recited in claim 20, wherein the encrypting of the security information with the public key comprises:
    - receiving access rules and a file key, wherein the file key has been used to produce the encrypted data portion in the client machine;
      
      including the access rules and the file key into the security information; and
      
      encrypting the security information with the public key.
  - 24. The method as recited in claim 23 further comprising:
    - generating the header with the security information encrypted therein; and
      
      uploading the header to the client machine where the header is integrated with the encrypted data portion.
  - 25. The method as recited in claim 23, wherein the access rules are expressed in a markup language.
  - 26. The method as recited in claim 25, wherein the markup language is one of Extensible Access Control Markup Language, HTML, XML and SGML.
  - 27. The method as recited in claim 20, wherein the decrypting of the security information with the private key comprises:
    - receiving the header from the client machine over the link;
      
      parsing the security information from the header; and
      
      decrypting the security information with the private key.
  - 28. The method as recited in claim 27 further comprising:
    - obtaining access rules from the security information;
      
      determining whether the access rules accommodate access privilege of the user;
      
      when the determining succeeds,retrieving a file key from the security information; and
      
      sending the file key to the client machine over the link; and
      
      when the determining fails,sending an error message to the client machine over the link.
  - 29. The method as recited in claim 28, wherein the error message indicates that the user does not have the access privilege to access the electronic data.

30. A method for providing access control management to electronic data, the method comprising:
- receiving a request to access the electronic data in a store;
  
  determining security nature of the electronic data by intercepting the electronic data moving from the store through an operating system layer to an application for the data;
  
  when the security nature indicates that the electronic data is secured, the electronic data including a header and an encrypted data portion, the header including security information controlling restrictive access to the encrypted data portion and the encrypted data portion including an encrypted version of the electronic data according to a predetermined cipher scheme,determining from the security information if the user has necessary access privilege in the operating system layer to access the encrypted data portion without consulting with another machine; and
  
  obtaining a file key and decrypting the encrypted data portion with the file key only after the user is determined to have the necessary access privilege to access the encrypted data portion, and thereafter the application receives the electronic data in clear form.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 31. The method as recited in claim 30 further comprising retrieving a user key associated with a user making the request.
  - 32. The method as recited in claim 31 wherein said determining from the security information if the user has necessary access privilege comprises:
    - decrypting the security information with the user key;
      
      retrieving access rules from the security information; and
      
      measuring the access rules against the access privilege of the user.
  - 33. The method as recited in claim 32 further comprising:
    - retrieving the file key from the security information if the measuring of the access rules against the access privilege succeeds.
  - 34. The method as recited in claim 32 further comprising:
    - causing the client machine to display an error message to the user if the measuring of the access rules against the access privilege fails.
  - 35. The method as recited in claim 31, wherein the retrieving of the user key comprises:
    - establishing a link with a server executing an access control management;
      
      sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;
      
      forwarding the header to the server; and
      
      receiving the file key retrieved from the header.
  - 36. The method as recited in claim 35 further comprising:
    - activating a cipher module; and
      
      decrypting the encrypted data portion by the cipher module with the received file key.
  - 37. The method as recited in claim 36 further comprising loading the decrypted data portion into the application.
  - 38. The method as recited in claim 31, wherein the retrieving of the user key comprises:
    - establishing a link with a server executing an access control management;
      
      sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;
      
      receiving an authentication message after the user is authenticated; and
      
      activating the user key locally in the client machine.
  - 39. The method as recited in claim 38, wherein the user key is in an illegible format before the activating of the user key locally in the client machine.

40. A system for providing access control management to electronic data, the system comprising:
- a client machine executing a document securing module that operates in a path through which the electronic data is caused to pass when selected, the document securing module determining security nature of the electronic data,an access control server coupled to the client machine over a network, the access control server including an account manager managing all users who access the electronic data; and
  
  wherein the client machine and a user thereof are caused by the document securing module to be authenticated with the access control server when the security nature indicates that the electronic data is secured; and
  
  wherein access rules in the secured electronic data are retrieved with a user key associated with the user to test against access privilege of the user to determine if the user can access the secured electronic data.
- View Dependent Claims (41, 42, 43, 44, 45)
- - 41. The system as recited in claim 40, wherein the access privilege of the user is also tested against other rules imposed by the system.
  - 42. The system as recited in claim 40, wherein the document securing module activates a cipher module to decrypt an encrypted data portion in the secured electronic data with a file key obtained therefrom after the document securing module determines that the access privilege of the user is permitted by the access rules.
  - 43. The system as recited in claim 42, wherein the user key stays in the access control server that receives part of the secured electronic data;
    - and wherein the access rules and the file key are obtained from the part of the secured electronic data.
  - 44. The system as recited in claim 43, wherein the access control server forwards the file key to the client machine in a secured form over the network.
  - 45. The system as recited in claim 42, wherein the user key stays in the client machine and is activated when both the client machine and the user are authenticated by the access control server.

46. A system for providing access control management to electronic data, the system comprising:
- a storage device including at least an active place designated for keeping the electronic data secured, the secured electronic data including encrypted security information that further includes at least a set of access rules and a file key, wherein the access rules, expressed in a descriptive language, protects the tile key and controls restrictive access to the secured electronic data;
  
  a client machine coupled to the storage device and executing a document securing module operative to intercept the electronic data when the electronic data is caused to transport from the active place;
  
  an access control server coupled to the client machine over a network and receiving a part of the electronic data including the encrypted security information from the client machine, the encrypted security information being decrypted with a user key associated with a user attempting to access the electronic data after both the user and the client machine are authenticated;
  
  wherein the set of access rules are measured against access privilege of the user in the access control server, if successful, the file key is returned to the client machine to facilitate a recovery of the electronic data in clear mode.
- View Dependent Claims (50, 51, 52, 53, 54, 55)
- - 50. The software product as recited in claim 46, wherein the designated place is a repository and all files in the repository are subject to the rules.
  - 51. The software product as recited in claim 46, wherein the rule manager provides a graphic user interface from which the rules can be created, managed or updated.
  - 52. The software product as recited in claim 51, wherein parameters determining the rules from the graphic user interface are subsequently expressed in a markup language.
  - 53. The software product as recited in claim 52, wherein the parameters expressed in the markup language are uploaded to the client machine after the authenticating of the user succeeds.
  - 54. The software product as recited in claim 53, wherein the markup language is Extensible Access Control Markup Language.
  - 55. The software product as recited in claim 53, wherein the markup language is selected from a group consisting of HTML, XML and SGML.

47. A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:
- program code for establishing a secured link between a server supporting the access control management and a client machine when an authentication request is received therefrom, the authentication request including an identifier identifying a user from the client machine to access the electronic data not received from the server but in a secured format including a file key and security information and an encrypted data, the security information including access rules and controlling restrictive access to the encrypted data portion;
  
  program code for authenticating the user according to the identifier; and
  
  program code for activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.
- View Dependent Claims (48, 49, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 48. The software product as recited in claim 47 further comprising program code for maintaining an access control management, wherein the access control management comprises:
    - a rule manager including at least one set of rules for the electronic data; and
      
      an administration interface from which the rules for a designated place for the electronic data are created, managed or updated.
  - 49. The software product as recited in claim 48, wherein the designated place is a folder and all files in the folder are subject to the rules.
  - 56. The software product as recited in claim 48, wherein the access control management further comprises a user manager coupled to a database including a list of authorized users and respective access privileges associated with each of the authorized users.
  - 57. The software product as recited in claim 56, wherein the program code for authenticating the user comprises:
    - program code for looking up in the database for the user; and
      
      program code for getting, from the database, access location information as to where the user is authorized to access the electronic data if the user is located in the database.
  - 58. The software product as recited in claim 57, wherein the identifier further identifiers the client machine;
    - and wherein the program code for authenticating the user comprises program code for determining, from the access location information, whether the client machine is permitted by the user to access the electronic data.
  - 59. The software product as recited in claim 57, wherein the access location information pertains to locations or specific client machines from which the user is authorized to access the electronic data.
  - 60. The software product as recited in claim 47, wherein the user key is in the client machine;
    - and wherein the program code for activating the user key comprises;
      
      program code for sending an authentication message to the client machine; and
      
      program code for activating the user key with the authentication message.
  - 61. The software product as recited in claim 60, wherein the electronic data, when secured, includes a header and an encrypted data portion;
    - and wherein the header includes security information that can be accessed with the activated user key.
  - 62. The software product as recited in claim 47 further comprising program code for associating the activated user key with the user locally.
  - 63. The software product as recited in claim 62, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header includes security information and a file key;
    - and wherein the software product further comprises;
      
      program code for receiving the header from the client machine;
      
      program code for decrypting the header to retrieve, access rules in the security information; and
      
      program code for retrieving the file key when the access rules are measured successfully against access privilege of the user.
  - 64. The software product as recited in claim 63 further comprising sending the file key to the client machine in which the encrypted data portion can be decrypted with the file key by a cipher module executing in the client machine.

65. A software product to be executable in a computing device for providing access control management to electronic data in a client machine, the software product comprising:
- program code for authenticating a user attempting to access the electronic data;
  
  program code for maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling restrictive access to the encrypted data portion and protecting the private key by access rules therein;
  
  program code for encrypting the security information with the public key in the client machine when the electronic data is to be written into a store; and
  
  program code for decrypting the security information with the private key in the client machine when the electronic data is to be accessed by an application.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 66. The software product as recited in claim 65, wherein the program code for authenticating the user comprises:
    - program code for establishing a link with the client machine from which the user is attempting to access the electronic data;
      
      program code for demanding credential information from the user; and
      
      program code for receiving the credential information from the client machine over the secured link.
  - 67. The software product as recited in claim 66, wherein the credential information includes a pair of username and password provided by the user.
  - 68. The software product as recited in claim 66, wherein the credential information includes biometric information captured from the user by an apparatus coupled to the client machine.
  - 69. The software product as recited in claim 66, wherein the program code for encrypting the security information with the public key comprises:
    - program code for receiving the access rules and a file key from the client machine over the link, wherein the file key has been used to produce the encrypted data portion in the client machine;
      
      program code for including the access rules and a file key into the security information; and
      
      program code for encrypting the security information with the public key.
  - 70. The software product as recited in claim 69 further comprising:
    - program code for generating the header with the security information encrypted therein; and
      
      program code for uploading the header to the client machine where the header is integrated with the encrypted data portion.
  - 71. The software product as recited in claim 70, wherein the access rules are expressed in a markup language.
  - 72. The software product as recited in claim 71, wherein the markup language is one of Extensible Access Control Markup Language, HTML, XML and SGML.
  - 73. The software product as recited in claim 66, wherein the program code for decrypting the security information with the private key comprises:
    - program code for receiving the header from the client machine over the link;
      
      program code for parsing the security information from the header; and
      
      program code for decrypting the security information with the private key.
  - 74. The software product as recited in claim 73 further comprising:
    - program code for obtaining access rules from the security information;
      
      program code for determining whether the access rules accommodate access privilege of the user;
      
      when the determining program code is executed successfully, program code for retrieving a file from the security information; and
      
      program code for sending the file key to the client machine over the link; and
      
      when the determining program code is executed unsuccessfully, program code for sending an error message to the client machine over the link.
  - 75. The software product as recited in claim 74 wherein the error message indicate that the user does not have the access privilege to access the electronic data.

76. A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:
- program code for receiving a request to access the electronic data in a store;
  
  program code for determining security nature of the electronic data by intercepting the electronic data moving from the store through an operating system layer to an application for the data;
  
  when the security nature indicates that the electronic data is secured, wherein the electronic data including a header and an encrypted data portion, the header including security information and the encrypted data portion including an encrypted version of the electronic data according to a predetermined encryption scheme,program code for determining from the security information if the user has necessary access privilege in the operating system layer to access the encrypted data portion; and
  
  program code for a file key from the security information and decrypting the encrypted data portion only after the access privilege of the user is permitted in view of the security information, and thereafter the application receives the electronic data in clear form.
- View Dependent Claims (77, 78, 79, 80, 81, 82, 83, 84, 85)
- - 77. The software product as recited in claim 76 further comprising program code for retrieving a user key associated with a user making the request.
  - 78. The software product as recited in claim 77 wherein the program code for determining from the security information, if the user has necessary access privilege, comprises:
    - program code for decrypting the security information with the user key;
      
      program code for retrieving access rules from the security information; and
      
      program code for measuring the access rules against the access privilege of the user.
  - 79. The software product as recited in claim 78 further comprising:
    - program code for causing the client machine to display an error message to the user if the measuring of the access rules against the access privilege fails.
  - 80. The software product as recited in claim 78, wherein the program code for retrieving the user key comprises:
    - program code for establishing a link with a server executing an access control management;
      
      program code for sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;
      
      program code for forwarding the header to the server; and
      
      program code for receiving a file key retrieved from the header.
  - 81. The software product as recited in claim 80 further comprising:
    - program code for activating a cipher module; and
      
      program code for decrypting the encrypted data portion by the cipher module with the received file key.
  - 82. The software product as recited in claim 81 further comprising program code for loading the decrypted data portion into the application.
  - 83. The software product as recited in claim 77, wherein the program code for retrieving the user key comprises:
    - program code for establishing a link with a server executing an access control management;
      
      program code for sending to the server an authentication request including an identifier identifying the user for the access control management to authenticate the user;
      
      program code for receiving an authentication message after the user is authenticated; and
      
      program code for activating the user key locally in the client machine.
  - 84. The software product as recited in claim 83, wherein the user key is in an illegible format before the activating of the user key locally in the client machine.
  - 85. The software product as recited in claim 83, wherein the computing device is a media player having a network capacity, the media player generating audio and/or video from the electronic data when the software product is executed in the media player.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Zuili, Patrick, Humpich, Serge, Lee, Chang-Ping, Garcia, Denis Jacques Paul, Hilderbrand, Hal, Vainstein, Klimenty, Ryan, Nicholas Michael, Huang, Weiqing, Rossmann, Alain, Supramaniam, Senthilvasan, Ouya, Michael Michio
Primary Examiner(s)
Backer; Firmin

Application Number

US10/076,254
Publication Number

US 20030110131A1
Time in Patent Office

2,016 Days
Field of Search

705/51, 705/50, 705/59, 713/150, 713/155, 713/182
US Class Current

705/51
CPC Class Codes

G06F 12/00   Accessing, addressing or al...

G06F 12/14   Protection against unauthor...

G06F 21/00   Security arrangements for p...

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/01   Protocols

H04L 9/40   Network security protocols

Method and architecture for providing pervasive security to digital assets

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

85 Claims

Specification

Use Cases

Quick Links

Others

Method and architecture for providing pervasive security to digital assets

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

85 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others