Access control method using token having security attributes in computer system

US 7,290,279 B2
Filed: 10/25/2002
Issued: 10/30/2007
Est. Priority Date: 04/17/2002
Status: Expired due to Fees

First Claim

Patent Images

1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:

a) assigning a first token having security attributes to a user process and the second token having security attributes to a file;

b) checking a request by the user process to access an arbitrary file;

c) determining whether the arbitrary file contains a third token having security attributes; and

d) if the arbitrary file contains no token, and permitting access to the arbitrary file, andif the arbitrary file contains the third token, and permitting access according to a determination based on the first token and the third token, andif the third token has a provision attribute, then removing all automatically provisioned tokens from the user process before providing the user process with a token for executing arbitrary file, then executing the arbitrary file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an access control method using a token having security attributes in a computer system when a user gains access to a specific file. The computer system adopts a token having encryption, modification, execution, and provision attributes to determine access permission or access denial between a user and a file in such a way that a file access request is controlled. The access control method enciphers a file and stores the enciphered file in a storage unit, so that it can maintain security of the file even though the storage unit is stolen. The access control method enables a system manager to read only enciphered contents of the file when the system manager performs a data backup operation, thereby eliminating limitations in commonly operating a system simultaneously with maintaining file security. The access control method enables programs for executing operations on behalf of a user to automatically obtain a corresponding token, confirms authority to execute the file, and prevents that the authority is stolen or drained due to a program error.

28 Citations

View as Search Results

10 Claims

1. An access control method using a token having security attributes in a computer system for determining access permission and access denial if a user process attempts to access a specific file stored in a storage unit, comprising the steps of:
- a) assigning a first token having security attributes to a user process and the second token having security attributes to a file;
  
  b) checking a request by the user process to access an arbitrary file;
  
  c) determining whether the arbitrary file contains a third token having security attributes; and
  
  d) if the arbitrary file contains no token, and permitting access to the arbitrary file, andif the arbitrary file contains the third token, and permitting access according to a determination based on the first token and the third token, andif the third token has a provision attribute, then removing all automatically provisioned tokens from the user process before providing the user process with a token for executing arbitrary file, then executing the arbitrary file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The access control method as set forth in claim 1, wherein the step (a) includes the steps of:
    - providing the user process with a name or number of the first token; and
      
      providing the file with the second token and an attribute related to the second token.
  - 3. The access control method as set forth in claim 1, wherein the tokens assigned in the step (a) have at least one of an encryption attribute for indicating permission related to encryption/decoding of a file, a modification attribute for indicating permission related to a modification such as file deletion or correction, an execution attribute for indicating permission related to file execution, and a provision attribute for assigning a corresponding token to an arbitrary user if the arbitrary user process attempts to execute the file.
  - 4. The access control method as set forth in claim 3, wherein the step (a) includes the steps of:
    - enciphering a file having the encryption attribute using a key related to a corresponding token; and
      
      storing the enciphered file.
  - 5. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to read a file having an encryption attribute, decoding a corresponding file on condition that the user has the same token as the file, and providing the user with the decoded file; and
      
      if the user does not have the same token as the file, providing a user process with an enciphered file state without decoding the file.
  - 6. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to read/write a file having the modification attribute, determining access denial on condition that the user does not have the same token as the file;
      
      determining access permission on condition that the user has the same token as the file;
      
      determining whether an encryption attribute is assigned to a corresponding file in case of correcting and storing the file;
      
      if the corresponding file has the encryption attribute, enciphering the file, and storing the enciphered file; and
      
      if the corresponding file has no encryption attribute, storing the corresponding file as it is.
  - 7. The access control method as set forth in one of claims 1 to 3, wherein the step (d) includes the steps of:
    - if a user attempts to execute a file having the execution attribute, determining access permission on condition that the user has the same token as the file, and executing the file; and
      
      determining an access denial on condition that the user does not have the same token as the file.
  - 8. The access control method as set forth in claim 1, wherein the step (a) includes the step of:
    - allowing a user process to receive all tokens assigned to a corresponding user if the user process gains access to the computer system, or allowing a user process to selectively receive the tokens if the user process gains access to the computer system.
  - 9. The method as set forth in claim 1, further comprising the step of:
    - if the user process generates a child process, providing the child process with all tokens contained in a parent process.

10. A computer-readable recording medium for storing a program therein, the program comprising:
- a first function for providing a token having security attributes, such as an encryption attribute, a modification attribute, an execution attribute, and a provision attribute, to a user permitted to access an arbitrary file and a corresponding file;
  
  a second function for decoding a corresponding file on condition that the user has the same token as the file and providing the user with the decoded file in the case where a user attempts to read a file having an encryption attribute, or providing a user process with an enciphered file state without decoding the file in the case where a user does not have the same token as the file;
  
  a third function for, in case of a write request of a user on a file having a modification attribute, determining an access denial on condition that a user does not have the same token as the file, determining access permission on condition that a user has the same token as the file, enciphering and storing the file on condition that a corresponding file has an encryption attribute, and directly storing the file as it is on condition that a corresponding file has no encryption attribute;
  
  a fourth function for, in case of an execution request of a file having an execution attribute, determining an access denial of a user who does not have the same token as the file, and executing a corresponding file for a user who has the same token as the file; and
  
  a fifth function for, in case of an execution request of a file having a provision attribute removing all tokens assigned to a user by the provision attribute;
  
  before providing the user with a corresponding token, and executing a corresponding file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Kim, Jeong Nyeo, Ko, Jong Gook, Lim, Jae Deok, Eun, Sung Kyong, Yu, Joon Suk, Doo, So Young
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/280,907
Publication Number

US 20030200436A1
Time in Patent Office

1,831 Days
Field of Search

726/2, 726/4, 726/9, 726/17, 726/20, 726/27, 713/182, 713/185
US Class Current

726/9
CPC Class Codes

G06F 21/6209 to a single file or object,...

G06F 21/6218 to a system of files or obj...

Access control method using token having security attributes in computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Access control method using token having security attributes in computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links