Method and architecture for providing pervasive security to digital assets
Abstract
Techniques for providing pervasive security to digital assets are disclosed. According to one aspect of the techniques, a server is configured to provide access control (AC) management for a user (e.g., a single user, a group of users, software agents or devices) with a need to access secured data. Within the server module, various access rules for the secured data and/or access privileges for the user can be created, updated and managed so that the user with the proper access privileges can access the secured documents if granted by the corresponding access rules in the secured data.
184 Citations
Claims (85)

1. A method for providing access control management to electronic data, the method comprising:
- establishing a secured link between a server providing the access control management and a client machine when an authentication request is received from the client machine, the authentication request including an identifier identifying a user of the client machine to access the electronic data, wherein the electronic data is not from the server but secured in a format including security information and an encrypted data portion, the security information including a file key and access rules and controlling restrictive access to the encrypted data portion;
- authenticating the user according to the identifier; and
- activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.
Dependent claims: 2 to 18.
19. A method for providing access control management to electronic data in a client machine, the method comprising:
- authenticating a user attempting to access the electronic data;
- maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling who, how, when or where the secured electronic data can be accessed and the encrypted data portion is an encrypted version of the electronic data according to a predetermined cipher scheme;
- encrypting the security information with the public key in the client machine when the electronic data is to be written into a store; and
- decrypting the security information with the private key in the client machine when the electronic data is to be accessed by an application.
Dependent claims: 20 to 29.
30. A method for providing access control management to electronic data, the method comprising:
- receiving a request to access the electronic data in a store;
- determining security nature of the electronic data by intercepting the electronic data moving from the store through an operating system layer to an application for the data;
- when the security nature indicates that the electronic data is secured, the electronic data including a header and an encrypted data portion, the header including security information controlling restrictive access to the encrypted data portion and the encrypted data portion including an encrypted version of the electronic data according to a predetermined cipher scheme, determining from the security information if the user has necessary access privilege in the operating system layer to access the encrypted data portion without consulting with another machine; and
- obtaining a file key and decrypting the encrypted data portion with the file key only after the user is determined to have the necessary access privilege to access the encrypted data portion, and thereafter the application receives the electronic data in clear form.
Dependent claims: 31 to 39.
40. A system for providing access control management to electronic data, the system comprising:
- a client machine executing a document securing module that operates in a path through which the electronic data is caused to pass when selected, the document securing module determining security nature of the electronic data;
- an access control server coupled to the client machine over a network, the access control server including an account manager managing all users who access the electronic data; and
- wherein the client machine and a user thereof are caused by the document securing module to be authenticated with the access control server when the security nature indicates that the electronic data is secured; and
- wherein access rules in the secured electronic data are retrieved with a user key associated with the user to test against access privilege of the user to determine if the user can access the secured electronic data.
Dependent claims: 41 to 45.
46. A system for providing access control management to electronic data, the system comprising:
- a storage device including at least an active place designated for keeping the electronic data secured, the secured electronic data including encrypted security information that further includes at least a set of access rules and a file key, wherein the access rules, expressed in a descriptive language, protect the file key and control restrictive access to the secured electronic data;
- a client machine coupled to the storage device and executing a document securing module operative to intercept the electronic data when the electronic data is caused to transport from the active place;
- an access control server coupled to the client machine over a network and receiving a part of the electronic data including the encrypted security information from the client machine, the encrypted security information being decrypted with a user key associated with a user attempting to access the electronic data after both the user and the client machine are authenticated;
- wherein the set of access rules are measured against access privilege of the user in the access control server and, if successful, the file key is returned to the client machine to facilitate a recovery of the electronic data in clear mode.
Dependent claims: 50 to 55.
47. A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:
- program code for establishing a secured link between a server supporting the access control management and a client machine when an authentication request is received therefrom, the authentication request including an identifier identifying a user from the client machine to access the electronic data not received from the server but in a secured format including a file key and security information and an encrypted data portion, the security information including access rules and controlling restrictive access to the encrypted data portion;
- program code for authenticating the user according to the identifier; and
- program code for activating a user key after the user is authenticated, wherein the user key is used to access the access rules in the security information, the file key can be retrieved to decrypt the encrypted data portion only if access privilege of the user is successfully measured by the access rules.
Dependent claims: 48, 49 and 56 to 64.
65. A software product to be executable in a computing device for providing access control management to electronic data in a client machine, the software product comprising:
- program code for authenticating a user attempting to access the electronic data;
- program code for maintaining a private key and a public key, both associated with the user, wherein the electronic data, when secured, includes a header and an encrypted data portion, the header further includes security information controlling restrictive access to the encrypted data portion and protecting the private key by access rules therein;
- program code for encrypting the security information with the public key in the client machine when the electronic data is to be written into a store; and
- program code for decrypting the security information with the private key in the client machine when the electronic data is to be accessed by an application.
Dependent claims: 66 to 75.
76. A software product to be executable in a computing device for providing access control management to electronic data, the software product comprising:
- program code for receiving a request to access the electronic data in a store;
- program code for determining security nature of the electronic data by intercepting the electronic data moving from the store through an operating system layer to an application for the data;
- when the security nature indicates that the electronic data is secured, the electronic data including a header and an encrypted data portion, the header including security information and the encrypted data portion including an encrypted version of the electronic data according to a predetermined encryption scheme, program code for determining from the security information if the user has necessary access privilege in the operating system layer to access the encrypted data portion; and
- program code for obtaining a file key from the security information and decrypting the encrypted data portion only after the access privilege of the user is permitted in view of the security information, and thereafter the application receives the electronic data in clear form.
Dependent claims: 77 to 85.
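As an added illustration (not code from the patent or from any product practising it), the following Go program models the secured format described in the abstract and the access sequence of claim 1: security information holding the file key and an access rule is sealed under the user key, the data portion is sealed under the file key, and the file key is released only after the rule is measured against the requesting user. It assumes AES-256-GCM as the cipher scheme, a symmetric 32-byte user key (claim 19 instead uses a public/private pair), and a constructed comma-separated reader list in place of the patent's descriptive access-rule language; authentication and the server-side management of rules are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// SecuredDoc is the claims' secured format: security information (file key plus access rule)
// sealed under the user key, and the data portion sealed under the file key. A constructed
// comma-separated reader list stands in for the patent's descriptive rule language.
type SecuredDoc struct{ EncHeader, EncData []byte }

// seal/open are AES-256-GCM with the nonce prefixed; opening with a wrong key fails.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // callers always pass 32-byte keys
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Secure draws a fresh file key per document; only the sealed header carries it.
func Secure(userKey, data []byte, readers []string) SecuredDoc {
	fileKey := make([]byte, 32)
	rand.Read(fileKey)
	hdr := append(fileKey, strings.Join(readers, ",")...) // header = file key || rule
	return SecuredDoc{EncHeader: seal(userKey, hdr), EncData: seal(fileKey, data)}
}
// Access mirrors claim 1: the user key opens the security information, the access rule is
// measured against the user, and only then is the file key applied to the data portion.
func Access(userKey []byte, user string, doc SecuredDoc) ([]byte, error) {
	hdr, err := open(userKey, doc.EncHeader)
	if err != nil || len(hdr) < 32 {
		return nil, errors.New("security information not accessible with this user key")
	}
	for _, r := range strings.Split(string(hdr[32:]), ",") {
		if r == user {
			return open(hdr[:32], doc.EncData) // file key released only after the rule passes
		}
	}
	return nil, errors.New("access rules deny " + user)
}
```

A user outside the reader list gets an error without the file key ever being derived, and a wrong user key fails GCM authentication on the header rather than yielding a garbled rule set.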
Specification