Secured data format for access control

US 7,380,120 B1
Filed: 02/12/2002
Issued: 05/27/2008
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. A system for providing access control management to electronic data, wherein the electronic data is structured in a format that provides restricted access to the electronic data therein, comprising:

a module configured to generate a header comprising a plurality of sets of encrypted security information corresponding to respective one of a plurality of groups of users, wherein the encrypted security information comprises a file key and access rules to control the restricted access to the electronic data and configured to generate an encrypted data portion encrypted with a plurality of file keys, each of the file keys corresponding to each of the sets, wherein the header is associated with the encrypted data portion to generate a secured file;

a module configured to obtain a respective one of the file keys associated with a corresponding one of the plurality of groups and to decrypt the set of the plurality of sets of encrypted security information associated with the respective one of the groups to allow access by the respective one of the groups according to the access rules;

a module configured to retrieve the respective one of the file keys from a memory store if the secured file is newly generated and the secured file is being stored in a storage place; and

a module configured to delete the one or more file keys from a memory store as soon as the newly generated secured file is stored in the storage place.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system for providing access control management to electronic data, techniques to secure the electronic data and keep the electronic data secured at all times are disclosed. According to one embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion. Only those who have the proper access privileges are permitted to retrieve the file key to encrypt/decrypt the encrypted data portion.

Citations

39 Claims

1. A system for providing access control management to electronic data, wherein the electronic data is structured in a format that provides restricted access to the electronic data therein, comprising:
- a module configured to generate a header comprising a plurality of sets of encrypted security information corresponding to respective one of a plurality of groups of users, wherein the encrypted security information comprises a file key and access rules to control the restricted access to the electronic data and configured to generate an encrypted data portion encrypted with a plurality of file keys, each of the file keys corresponding to each of the sets, wherein the header is associated with the encrypted data portion to generate a secured file;
  
  a module configured to obtain a respective one of the file keys associated with a corresponding one of the plurality of groups and to decrypt the set of the plurality of sets of encrypted security information associated with the respective one of the groups to allow access by the respective one of the groups according to the access rules;
  
  a module configured to retrieve the respective one of the file keys from a memory store if the secured file is newly generated and the secured file is being stored in a storage place; and
  
  a module configured to delete the one or more file keys from a memory store as soon as the newly generated secured file is stored in the storage place.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system as recited in claim 1, wherein the plurality of sets of encrypted security information in the header of the secured file facilitates the restricted access to the file.
  - 3. The system as recited in claim 1, wherein the plurality of sets of security information is encrypted with a key from the plurality of file keys associated with the one of a plurality of groups of users.
  - 4. The system as recited in claim 3, wherein the one of a plurality of groups of users includes one or more of human users, software agents, and devices;
    - and wherein the one of a plurality of groups of users is granted access privilege to access the file.
  - 5. The system as recited in claim 4, wherein the plurality of sets of encrypted security information comprises one of the plurality of file keys and access rules to restrict access to the file.
  - 6. The system as recited in claim 5, wherein the file key is retrieved to decrypt the encrypted data portion in the secured file when the access privilege of the one of a plurality of groups of users is consistent with access permissions by the access rules.
  - 7. The system as recited in claim 6, wherein the access rules are expressed in a markup language.
  - 8. The system as recited in claim 7, wherein the markup language is Extensible Access Control Markup Language.
  - 9. The system as recited in claim 7, wherein the markup language includes one or more of HTML, XML, and SGML.
  - 10. The system as recited in claim 1, wherein the secured file is configured to have a file extension identical to what the file originally has so that an application designated to access the file can be executed to access the secured file.
  - 11. The system as recited in claim 10, wherein each of the plurality of sets of encrypted security information comprises a flag to the application that the secured file being accessed can not be accessed as it is normally accessed.
  - 12. The system as recited in claim 11, wherein the flag is configured to be placed in a position of the secured file so that the flag will be accessed first when the secured file is accessed by the application.
  - 13. The system as recited in claim 10, wherein each of the plurality of sets of encrypted security information comprises the file key and access rules, the access rules controlling who and how the secured file can be accessed, and wherein the security information in the header is organized in such a way that the application is paused, upon detecting that the secured file is being accessed, for an access control module to determine whether the one of a plurality of groups of users requesting the secured file has proper access privileges to do so with respect to the access rules in the security information.
  - 14. The system as recited in claim 13, wherein the access control module operates in a path through which the secured file is confined to be loaded into the application.
  - 15. The system as recited in claim 1, wherein the file key is a symmetric cipher key.
  - 16. The system as recited in claim 1, wherein the electronic data is one or more of an electronic document, a multimedia file, dynamic or static data, executable code, an image file, streaming audio, streaming video, executable code, audio files, databases, database tables, database table records, collections of electronic files;
    - and collections of electronic documents.
  - 17. The method of claim 1, wherein each of the corresponding one of a plurality of groups of users has different access privileges.

18. A system for providing access control management to electronic data, wherein the electronic data is structured in a format that provides restricted access to the electronic data therein, comprising:
- a module configured to generate a header including plurality of encrypted file keys and a rule block having N encrypted segments, each of the N encrypted segments including a plurality of access rules facilitating the restricted access to a file including the electronic data, wherein N>
  
  =1 and an encrypted data portion including the electronic data encrypted according to a predetermined cipher;
  
  wherein the header is associated with the encrypted data portion to generate a secured file, and the file key can be retrieved to decrypt the encrypted data portion only when one of the respective Plurality of access rules in one of the N encrypted segments are measured successfully against access privileges associated with a one of a respective plurality of groups of designated users accessing the secured file;
  
  a module configured to retrieve the respective one of the file keys from a memory store if the secured file is newly generated and being stored in a storage place; and
  
  a module configured to delete the one or more file keys from a memory store as soon as the newly generated secured file is stored in the storage place.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 19. The system as recited in claim 18, wherein the header further comprises a user block having user information identifying who can access the secured file.
  - 20. The system as recited in claim 19, wherein the user block includes N encrypted segments, each including the file key.
  - 21. The system as recited in claim 20, wherein each of the N encrypted segments of the user block corresponds to one of the N encrypted segments of the rule block.
  - 22. The system as recited in claim 20, wherein each of the N encrypted segments of the user block further comprises a user identification identifying who can access the secured document.
  - 23. The system as recited in claim 20, wherein each of the N encrypted segments of the user block further comprises cipher information about the predetermined cipher to facilitate a decryption process of the encrypted data portion with the file key.
  - 24. The system as recited in claim 20, wherein the access rules in each of the N encrypted segments of the rule block determine at least an action with which the secured document can be accessed by the designated group of users associated with one of the N encrypted segments of the user block.
  - 25. The system as recited in claim 24, wherein the action comprises one or more of open, export, read, edit, play, listen to, or print.
  - 26. The system as recited in claim 20, wherein the access rules in each of the N encrypted segments of the rule block are expressed in a markup language.
  - 27. The system as recited in claim 26, wherein the markup language is Extensible Access Control Markup Language.
  - 28. The system as recited in claim 26, wherein the markup language is one or more of HTML, XML, and SGML.
  - 29. The system as recited in claim 20, wherein the N encrypted segments of the user block are respectively encrypted with the file key.
  - 30. The system as recited in claim 29, wherein an authorized designated group of users associated with one of the encrypted segments of the user block can view the access rules of each of the N encrypted segments of the rule block when access privilege of the authorized designated group of users is measured successfully with the access rules in one of the N encrypted segments in the rule block associated with the authorized designated group of users.
  - 31. The system as recited in claim 30, wherein the authorized designated group of users can update the access rules of each of the N encrypted segments of the rule block.
  - 32. The system as recited in claim 20, wherein the N encrypted segments of the user block remain encrypted every time the secured file is stored in a storage space.
  - 33. The system as recited in claim 18, wherein each of the N encrypted segments of the rule block comprises policies on how the secured file can be accessed.

34. In a system for providing access control management to electronic data, wherein the electronic data is structured in a format that provides restricted access to the electronic data therein, a method for generating the format, comprising:
- obtaining one of a plurality of file keys;
  
  encrypting the electronic data with one of a plurality of file keys according to a predetermined cipher to produce plurality of encrypted data portions;
  
  integrating a header comprising a plurality of sets of encrypted security information with the encrypted data portion to generate a secured file, wherein the encrypted security information comprises the file key and access rules to control the restricted access to the electronic data in the secured file, each set of the plurality of sets of encrypted security information associated with a corresponding one of a plurality of groups of users;
  
  if the secured file is being stored in a storage place, retrieving the file key from a memory store; and
  
  deleting the file key from a memory store as soon as the secured file is stored in the storage place.
- View Dependent Claims (35, 36, 37, 38, 39)
- - 35. The method of claim 34, wherein the encrypted security information comprises user information as to which of the corresponding one of a plurality of groups of users can access the secured file.
  - 36. The method of claim 35, wherein the plurality of sets of encrypted security information can only be decrypted by a key associated with the corresponding one of a plurality of groups of users identified in the user information in the plurality of sets of encrypted security information.
  - 37. The method of claim 35, wherein the corresponding one of a plurality of groups of users includes one or more of human users, software agents, and devices;
    - and wherein the users are granted access privileges to access the secured file.
  - 38. The method of claim 37 further comprising obtaining the access rules from either a default setting for a file place in which the secured file is to be placed or a manual setting in accordance with access privilege associated with a user from the corresponding one of a plurality of groups of users who is creating the secured file.
  - 39. The method of claim 34, wherein the obtaining of the file key comprises:
    - if the secured file is newly generated, generating the file key from the predetermined cipher.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC (Intellectual Ventures LLC)
Inventors
Garcia, Denis Jacques Paul
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Chai; Longbit

Application Number

US10/074,804
Time in Patent Office

2,296 Days
Field of Search

713/165, 713/182, 713/189, 713/152, 713200-202, 712/209, 380/277, 705 51- 57
US Class Current

713/160
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Secured data format for access control

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Secured data format for access control

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links