Method and apparatus for protecting file system based on digital signature certificate

US 7,328,341 B1
Filed: 08/09/2000
Issued: 02/05/2008
Est. Priority Date: 04/14/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for protecting a file system on a server computer, the method comprising:

generating a system security manager'"'"'s digital signature key pair and certificate;

storing the system security manager'"'"'s certificate onto a security kernel of an operating system on the server computer based upon a digital signature of the system security manager;

generating a user'"'"'s digital signature key pair and a user'"'"'s certificate signed using a secret key of the system security manager'"'"'s digital signature key pair;

setting an access authority of the file system for the user'"'"'s certificate;

identifying a user through a digital signature-based authentication using the system security manager'"'"'s certificate and the user'"'"'s certificate, when the user attempts to access the file system on the server computer; and

granting the user access authority for a file in accordance with the access authority of the file system set for the user'"'"'s certificate only when the identifying is successful.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protection for a file system is provided. The protection includes generating first digital signature keys and a system security manager'"'"'s certificate for a system security manager. A system security manager'"'"'s certificate is stored onto a security kernel when installing an operating system on a server computer. Second digital signature keys and a user'"'"'s certificate are generated for a general user. An access authority of the file system is set. A user is identified through a digital signature authentication method when the user tries to access the file system. The user is given access authority for the file in accordance with an identification result.

Citations

33 Claims

1. A method for protecting a file system on a server computer, the method comprising:
- generating a system security manager'"'"'s digital signature key pair and certificate;
  
  storing the system security manager'"'"'s certificate onto a security kernel of an operating system on the server computer based upon a digital signature of the system security manager;
  
  generating a user'"'"'s digital signature key pair and a user'"'"'s certificate signed using a secret key of the system security manager'"'"'s digital signature key pair;
  
  setting an access authority of the file system for the user'"'"'s certificate;
  
  identifying a user through a digital signature-based authentication using the system security manager'"'"'s certificate and the user'"'"'s certificate, when the user attempts to access the file system on the server computer; and
  
  granting the user access authority for a file in accordance with the access authority of the file system set for the user'"'"'s certificate only when the identifying is successful.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, further comprising:
    - performing a user registering/deleting process when the user is identified as the system security manager.
  - 3. The method as recited in claim 1, further comprising:
    - setting the access authority of the file system when the user is identified as the system security manager.
  - 4. The method as recited in claim 1, further comprising:
    - accessing and processing a file.
  - 5. The method as recited in claim 1, wherein generating the system security manager'"'"'s digital signature key pair and certificate comprises:
    - generating a public key of the system security manager'"'"'s digital signature key pair;
      
      generating the secret key of the system security manager'"'"'s digital signature key pair; and
      
      generating the system security manager'"'"'s certificate.
  - 6. The method as recited in claim 1, wherein identifying the user through a digital signature-based authentication comprises:
    - generating, at the server computer, random numbers;
      
      generating a digital signature to the random number;
      
      extracting a public key of the system security manager'"'"'s digital signature key pair from the system security manager'"'"'s certificate stored on the security kernel;
      
      verifying the user'"'"'s certificate using the extracted system security manager'"'"'s public key;
      
      extracting a public key of the user'"'"'s digital signature key pair and the access authority in the user'"'"'s certificate; and
      
      verifying the digital signature to the random number.
  - 7. The method as recited in claim 1, wherein granting the user the access authority comprises:
    - providing the user with the access authority to the file system when the user is a general user; and
      
      providing the user with registering/deleting authority, file system access setting authority and the file system access authority.
  - 8. The method as recited in claim 2, wherein performing the user registering/deleting process comprises:
    - determining whether user registration or deletion is selected;
      
      deleting data related to a user to be deleted when the user deletion is selected;
      
      registering a user when the user registration is selected;
      
      wherein registering the user comprises;
      
      providing the user to be registered with the access authority;
      
      generating a secret key and a public key of the user to be registered;
      
      generating a certificate of the user to be registered;
      
      encrypting and storing the secret key of the user to be registered; and
      
      storing the certificate of the user to be registered.
  - 9. The method as recited in claim 8, wherein the certificate of the user to be registered is generated by encrypting the access authority and the user'"'"'s public key.
  - 10. The method as recited in claim 3, wherein setting the access authority comprises:
    - selecting a file;
      
      selecting a user allowed to access the file; and
      
      setting the access authority to the file as an access authority of the user.
  - 11. The method as recited in claim 4, wherein accessing and processing the file comprises:
    - receiving a name of a file to be accessed;
      
      determining whether an access authority of the file to be accessed is equal to that of the system security manager;
      
      permitting the file to be accessed when the access authority of the file to be accessed is equal to that of the system security manager;
      
      determining whether the access authority of the file to be accessed is equal to that of the user trying to access thereto; and
      
      permitting the file to be accessed when the access authority of the file to be accessed is equal to that of the user trying to access thereto.

12. An apparatus for protecting a file system on a server computer, the apparatus comprising:
- a generator that generates a system security manager'"'"'s digital signature key pair and certificate;
  
  a storage that stores the system security manager'"'"'s certificate onto a security kernel of an operating system on the server computer based upon a digital signature of the system security manager;
  
  a generator that generates a user'"'"'s digital signature key pair and a user'"'"'s certificate signed using a secret key of the system security manager'"'"'s digital signature key pair;
  
  an access setter that sets an access authority of the file system for the user'"'"'s certificate;
  
  an identifier that identifies a user through a digital signature-based authentication using the system security manager'"'"'s certificate and the user'"'"'s certificate, when the user tries to access the file system on the server computer; and
  
  an authorizer that grants the user access authority for a file in accordance with the access authority of the file system set for the user'"'"'s certificate only when the identifying is successful.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus as recited in claim 12, further comprising:
    - a registrar/deleter that performs a registration/deletion of the user when the user is identified as the system security manager.
  - 14. The apparatus as recited in claim 12, further comprising:
    - an access setter that sets the access authority of the file system when the user is identified as the system security manager.
  - 15. The apparatus as recited in claim 12, further comprising:
    - an accessor that accesses a file and a processor that processes the file.
  - 16. The apparatus as recited in claim 12, wherein the generator that generates the system security manager'"'"'s digital signature key pair and system security manager'"'"'s certificate comprises:
    - a generator that generates a public key of the system security manager'"'"'s digital signature key pair;
      
      a generator that generates the secret key of the system security manager'"'"'s digital signature key pair; and
      
      a generator that generates a system security manager'"'"'s certificate.
  - 17. The apparatus as recited in claim 12, wherein the identifier comprises:
    - a generator that generates, at the server computer, random numbers;
      
      a generator that generates a digital signature to the random number;
      
      an extractor that extracts a public key of the system security manager'"'"'s digital signature key pair from a system security manager'"'"'s certificate stored on the security kernel;
      
      a verifier that verifies a user'"'"'s certificate using the extracted system security manager'"'"'s public key;
      
      an extractor that extracts a public key of the user'"'"'s digital signature key pair and the access authority in the user'"'"'s certificate; and
      
      a verifier that verifies the digital signature to the random number.
  - 18. The apparatus as recited in claim 12, wherein the authorizer comprises:
    - a provider that provides the user with the file system access authority to the file system when the user is a general user; and
      
      a provider that provides the user with registering/deleting authority, file system access setting authority and the file system access authority.
  - 19. The apparatus as recited in claim 13, wherein the registrar/deleter comprises:
    - a determiner that determines whether user registration or deletion is selected;
      
      a deleter that deletes data related to a user to be deleted when the user deletion is selected;
      
      a registrar that registers a user when the user registration is selected;
      
      wherein the registrar comprises;
      
      a provider that provides the user to be registered with the access authority;
      
      a generator that generates a user'"'"'s secret key and public key to be registered;
      
      a generator that generates a user'"'"'s certificate to be registered;
      
      an encrypter that encrypts the user'"'"'s secret key to be registered and a storage that stores the user'"'"'s secret key to be registered; and
      
      a storage that stores the user'"'"'s certificate to be registered.
  - 20. The apparatus as recited in claim 19, wherein the user'"'"'s certificate is generated by encrypting the access authority of the user and user'"'"'s public key.
  - 21. The apparatus as recited in claim 14, wherein the access setter includes:
    - a selector that selects a file;
      
      a selector that selects a user allowed to access the file; and
      
      an access setter that sets the access authority to the file as an access authority of the user.
  - 22. The apparatus as recited in claim 15, wherein the accessor and processor comprise:
    - a receiver that receives a name of a file to be accessed;
      
      a determiner that determines whether an access authority of the file to be accessed is equal to that of the security manager;
      
      a permitter that permits the file to be accessed when the access authority of the file to be accessed is equal to that of the security manager;
      
      a determiner that determines whether the access authority of the file to be accessed is equal to that of the user trying to access thereto; and
      
      a permitter that permits the file to be accessed when the access authority of the file to be accessed is equal to that of the user trying to access thereto.

23. A computer readable media storing instructions for executing a method for protecting a file system on a server computer, the computer readable medium comprising:
- a first generating code segment that generates a system security manager'"'"'s digital signature key pair and certificate;
  
  a storing code segment that stores a system security manager'"'"'s certificate onto a security kernel of an operating system on the server computer based upon a digital signature of the system security manager;
  
  a second generating code segment that generates a user'"'"'s digital signature key pair and a user'"'"'s certificate signed using a secret key of the system security manager'"'"'s digital signature key pair;
  
  an access setting code segment that sets an access authority of the file system for the user'"'"'s certificate;
  
  a user identifying code segment that identifies a user through a digital signature-based authentication using the system security manager'"'"'s certificate and the user'"'"'s certificate, when the user tries to access the file system on the server computer; and
  
  an access granting code segment that grants the user access authority for a file in accordance with the access authority of the file system set for the user'"'"'s certificate only when the identifying is successful.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer readable media as recited in claim 23, further comprising:
    - a registering/deleting code segment that performs a user registering/deleting process when the user is identified as the system security manager.
  - 25. The computer readable media as recited in claim 23, further comprising:
    - an access setting code segment that sets the access authority of the file system when the user is identified as the system security manager.
  - 26. The computer readable media as recited in claim 23, further comprising:
    - an accessing code segment that accesses a file and a processing code segment that processes a file.
  - 27. The computer readable media as recited in claim 23, the first generating code segment comprising:
    - a public key generating code segment that generates a public key of the system security manager'"'"'s digital signature key pair;
      
      a secret key generating code segment that generates the secret key of the system security manager'"'"'s digital signature key pair; and
      
      a certificate generating code segment that generates a system security manager'"'"'s certificate.
  - 28. The computer readable media as recited in claim 23, the user identifying code segment comprising:
    - a random number generating code segment that generates, at the server computer, random numbers;
      
      a digital signature generating code segment that generates a digital signature to the random number;
      
      a public key extracting code segment that extracts a public key of the system security manager'"'"'s digital signature key pair from the system security manager'"'"'s certificate stored on the security kernel;
      
      a certificate verifying code segment that verifies a user'"'"'s certificate using the extracted system security manager'"'"'s public key;
      
      a public key and access authority extracting code segment that extracts a public key of the user'"'"'s public digital signature key pair and the access authority in the user'"'"'s certificate; and
      
      a signature verifying code segment that verifies the digital signature to the random number.
  - 29. The computer readable media as recited in claim 23, wherein the access granting code segment comprises:
    - an access authorizing code segment that provides the user with the file system access authority to the file system when the user is a general user; and
      
      a registering/deleting authority code segment that providing the user with registering/deleting authority, file system access setting authority and the file system access authority.
  - 30. The method as recited in claim 24, wherein the registering/deleting code segment comprises:
    - a determining code segment that determines whether user registration or deletion is selected;
      
      a deleting code segment that deletes data related to a user to be deleted when the user deletion is selected;
      
      a registering code segment that registers a user when the user registration is selected;
      
      wherein the registering code segment comprises;
      
      an access authorizing code segment that providing the user to be registered with the access authority;
      
      a user key generating code segment that generates a secret key and a public key of the user to be registered;
      
      a certificate generating code segment that generates a certificate of the user to be registered;
      
      an encrypting and storing code segment that encrypts and stores the secret key of the user to be registered; and
      
      a storing code segment that stores the certificate of the user to be registered.
  - 31. The computer readable media as recited in claim 30, wherein the certificate is generated by encrypting the access authority and user'"'"'s public key.
  - 32. The computer readable media as recited in claim 25, wherein the access setting code segment comprises:
    - a file selecting code segment that selects a file;
      
      a user selecting code segment that select a user allowed to access the file; and
      
      an access authority setting code segment that sets the access authority to the file as an access authority of the user.
  - 33. The computer readable media as recited in claim 26, wherein the accessing and processing code segment comprises:
    - a name receiving code segment that receives a name of a file to be accessed;
      
      a first access determining code segment that determines whether an access authority of the file to be accessed is equal to that of the system security manager;
      
      a permitting code segment that permits the file to be accessed when the access authority of the file to be accessed is equal to that of the system security manager;
      
      an second access determining code segment that determines whether an access authority of the file to be accessed is equal to that of the user trying to access the file; and
      
      an access permitting code segment that permits the file to be accessed when the access authority of the file to be accessed is equal to that of the user trying to access the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secuve Co., Ltd.
Original Assignee
Secuve Co., Ltd.
Inventors
Kim, Jae-Myung, Eun, You-Jin, Lee, Min-Goo, Hong, Ki-Yoong
Primary Examiner(s)
Barrón; Gilberto
Assistant Examiner(s)
Dinh; Minh

Application Number

US09/926,594
Time in Patent Office

2,736 Days
Field of Search

None
US Class Current

713/165
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2149   Restricted operating enviro...

Method and apparatus for protecting file system based on digital signature certificate

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting file system based on digital signature certificate

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links