System and method for providing manageability to security information for secured items

US 7,562,232 B2
Filed: 07/25/2002
Issued: 07/14/2009
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. A computer readable storage medium having stored thereon computer program code, that if executed by a processor, causes the processor to access a secured item among a plurality of secured items by a method, the method comprising:

obtaining the secured item to be accessed, the secured item having a header portion and a data portion;

retrieving a security information pointer from the header portion of the secured item, wherein each of the plurality of secured items has the same security information pointer as the secured item, such that the plurality of secured items share common security information, wherein the security information includes at least an access rule and user privileges;

obtaining security information for the secured item using the security information pointer; and

permitting access to the secured item to the extent permitted by the security information, wherein the permitting comprises;

retrieving a file key from the header portion;

decrypting the data portion of the secured item using the file key;

retrieving at least one access rule from the security information; and

determining whether a requestor is permitted to access the secured item based on the at least one access rule and characteristics of the requestor.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved approaches for accessing secured digital assets (e.g., secured items) are disclosed. In general, digital assets that have been secured (secured digital assets) can only be accessed by authenticated users with appropriate access rights or privileges. Each secured digital asset is provided with a header portion and a data portion, where the header portion includes a pointer to separately stored security information. The separately stored security information is used to determine whether access to associated data portions of secured digital assets is permitted. These improved approaches can facilitate the sharing of security information by various secured digital assets and thus reduce the overall storage space for the secured digital assets. These improved approaches can also facilitate efficient management of security for digital assets.

508 Citations

32 Claims

1. A computer readable storage medium having stored thereon computer program code, that if executed by a processor, causes the processor to access a secured item among a plurality of secured items by a method, the method comprising:
- obtaining the secured item to be accessed, the secured item having a header portion and a data portion;
  
  retrieving a security information pointer from the header portion of the secured item, wherein each of the plurality of secured items has the same security information pointer as the secured item, such that the plurality of secured items share common security information, wherein the security information includes at least an access rule and user privileges;
  
  obtaining security information for the secured item using the security information pointer; and
  
  permitting access to the secured item to the extent permitted by the security information, wherein the permitting comprises;
  
  retrieving a file key from the header portion;
  
  decrypting the data portion of the secured item using the file key;
  
  retrieving at least one access rule from the security information; and
  
  determining whether a requestor is permitted to access the secured item based on the at least one access rule and characteristics of the requestor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer readable storage medium as recited in claim 1, wherein the requestor characteristics include at least a group association for the requestor.
  - 3. The computer readable storage medium as recited in claim 1, wherein the at least one access rule is provided in a markup language format.
  - 4. The computer readable storage medium as recited in claim 1, wherein a requestor desires to access the secured item, and wherein the method further comprises:
    - decrypting the security information after being obtained and before being used to determine whether access is permitted.
  - 5. The computer readable storage medium as recited in claim 4, wherein the decrypting of the security information uses a key associated with the requestor.
  - 6. The computer readable storage medium as recited in claim 5, wherein the key associated with the requestor is a user key.
  - 7. The computer readable storage medium as recited in claim 1, wherein the security information includes at least access rules, and the header portion includes at least the security information pointer and the file key.
  - 8. The computer readable storage medium as recited in claim 7, wherein when the permitting determines that the requestor is permitted to access the secured item, the permitting further comprises:
    - retrieving the file key from the header portion; and
      
      decrypting the data portion of the secured item using the file key.
  - 9. The computer readable storage medium as recited in claim 8, wherein the file key is an encrypted file key.
  - 10. The computer readable storage medium as recited in claim 9, wherein a requestor desires to access the secured item, and wherein the decrypting of the encrypted file key is performed using a key associated with the requestor.
  - 11. The computer readable storage medium as recited in claim 1, wherein the secured item is a secured file.
  - 12. The computer readable storage medium as recited in claim 1, wherein the secured item is a secured document.
  - 13. The computer readable storage medium as recited in claim 1, the method further comprising:
    - changing the security information associated with the security information pointers without having to change each of the plurality of secured items individually.
  - 14. The computer readable storage medium as recited in claim 1, wherein the security information pointers point directly to a storage location of the security information.
  - 15. The computer readable storage medium as recited in claim 1, wherein the security information pointers point to a security information table associated with the security information.
  - 16. The computer readable storage medium as recited in claim 1, wherein the security information pointers point to different versions of the security information providing different levels of access control depending on a user'"'"'s access privilege.

17. A system for accessing a secured item among a plurality of secured items, the secured item having a header portion and an encrypted data portion, the header portion including a security information pointer and a file key, wherein each of the plurality of secured items has the same security information pointer as the secured item, such that the plurality of secured items share common security information, the system comprising:
- a storage device configured to store the security information for the plurality of secured items, wherein the security information includes at least an access rule and user privileges;
  
  a first decryption module configured to;
  
  receive the security information pointer from the header portion of the secured item;
  
  receive the file key from the header portion of the secured item; and
  
  receive at least one access rule from the security information;
  
  an access analyzer operatively connected coupled to the storage device, the access analyzer configured to determine whether the encrypted data portion is permitted to be accessed by a requestor based on the security information, wherein the access analyzer determines whether the encrypted data portion is permitted to be accessed by the requestor based on the at least one access rule and characteristics of the requestor; and
  
  a second decryption module coupled to the access analyzer, the second decryption module configured to decrypt the encrypted data portion using the file key to produce an unencrypted data portion that the requestor is able to access, provided the access analyzer determines that the encrypted data portion is permitted to be accessed by the requestor.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system as recited in claim 17, wherein the requestor has user privileges associated therewith, and wherein the access analyzer determines whether the encrypted data portion is permitted to be accessed by the requestor based on applying the access rule and the user privileges to the requestor and the secured item.
  - 19. The system as recited in claim 17, further comprising:
    - a security management system configured to change the security information associated with the pointers without having to change each of the plurality of secured items individually.
  - 20. The system as recited in claim 17, wherein the pointers point directly to the storage device.
  - 21. The system as recited in claim 17, wherein the pointers point to a security information table associated with the security information in the storage device.
  - 22. The system as recited in claim 17, wherein the pointers point to different versions of the security information providing different levels of access control depending on a user'"'"'s access privilege.

23. A method for accessing a secured file stored in a storage device, comprising:
- obtaining the secured file to be accessed, the secured file having a header portion and a data portion, wherein the storage device is configured to store security information for a plurality of secured items, wherein the security information includes at least access rules;
  
  retrieving a security information pointer from the header portion of the secured file, wherein the plurality of secured items have the same security information pointer as the secured file, such that the plurality of secured items share the security information;
  
  obtaining, from the storage device, security information for the secured file using the security information pointer; and
  
  permitting access to the secured file to the extent permitted by the security information, wherein the permitting comprises;
  
  retrieving a file key from the header portion;
  
  decrypting the data portion of the secured file using the file key;
  
  retrieving at least one access rule from the security information; and
  
  determining whether a requestor is permitted to access the secured file based on the at least one access rule and requestor characteristics.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The method of claim 23, wherein the requester characteristics include at least a group association for the requester.
  - 25. The method of claim 23, wherein the at least one access rule is provided in a markup language format.
  - 26. The method of claim 23, wherein after obtaining security information for the secured file from the storage device, but before the permitting, the method further comprises:
    - decrypting the security information.
  - 27. The method of claim 26, wherein decrypting the security information is performed using a key associated with the requestor.
  - 28. The method of claim 27, wherein the key associated with the requester is a user key.
  - 29. The method claim 23, wherein the header portion includes at least the security information pointer and the file key.
  - 30. The method of claim 29, wherein when access to the secured file is permitted by the requestor, the permitting further comprises:
    - retrieving the file key from the header portion; and
      
      decrypting the data portion of the secured file using the file key.
  - 31. The method of claim 30, wherein the file key is an encrypted file key.
  - 32. The method of claim 31, wherein decrypting the data portion of the secured file using the file key is performed using a key associated with a requester requesting access to the secured file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Zuili, Patrick, Vainstein, Klimenty
Primary Examiner(s)
Sheikh; Ayaz R
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US10/206,486
Publication Number

US 20030120684A1
Time in Patent Office

2,546 Days
Field of Search

726/2, 726/4, 726/26
US Class Current

713/194
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/01   Protocols

System and method for providing manageability to security information for secured items

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

508 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

System and method for providing manageability to security information for secured items

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

508 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others