Dynamic file access control and management

US 7,660,902 B2
Filed: 11/20/2001
Issued: 02/09/2010
Est. Priority Date: 11/20/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by a proxy server, the method comprising:

receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file;

requesting, from an authentication server, an access policy associated with the associated user;

receiving, from the authentication server, the access policy associated with the associated user;

determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and

if the associated user has the authority to access the data file, then;

establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file;

requesting, over a second network connection, from the network attached storage system, the data block of the data file;

receiving, over the second network connection, from the network attached storage system, the data block of the data file;

encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block;

encapsulating within a packet;

the encrypted received data block; and

the established set of usage rights; and

sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic file access control and management system and method in accordance with the present invention may be a proxy file management system that includes one or more file system proxy servers that provide selective access and usage management to files available from one or more file systems or sources. The present invention may embody a secure transport protocol that tunnels distributed file systems, application independent usage controls connected to files on end-user computers, dynamically merging secondary content to a requested file, and applying bandwidth management to any of the foregoing. Embodied in the various implementations of the present invention is enhanced file security. Preferably, the proxy file management system is transparent to an end-user. A dynamic content management system may also be included that selectively adds content to requested files.

598 Citations

20 Claims

1. A method performed by a proxy server, the method comprising:
- receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file;
  
  requesting, from an authentication server, an access policy associated with the associated user;
  
  receiving, from the authentication server, the access policy associated with the associated user;
  
  determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and
  
  if the associated user has the authority to access the data file, then;
  
  establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file;
  
  requesting, over a second network connection, from the network attached storage system, the data block of the data file;
  
  receiving, over the second network connection, from the network attached storage system, the data block of the data file;
  
  encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block;
  
  encapsulating within a packet;
  
  the encrypted received data block; and
  
  the established set of usage rights; and
  
  sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as in claim 1 wherein the established set of usage rights includes one or more access restrictions, each usage restriction including:
    - a restriction type; and
      
      a set of parameters associated with the restriction type.
  - 3. A method as in claim 2 wherein the restriction type indicates that data from the encrypted received data block may only be e-mailed to recipients listed within the set of parameters.
  - 4. A method as in claim 1 wherein the access policy associated with the associated user includes a set of access conditions, each access condition including:
    - a condition type; and
      
      a set of parameters associated with the condition type.
  - 5. A method as in claim 4 wherein the condition type indicates that the associated user only has the authority to access the data file when a clock time falls between a first value listed in a first parameter of the set of parameters and a second value listed in a second parameter of the set of parameters.
  - 6. The method of claim 1, wherein said data file includes static content.
  - 7. The method of claim 1, wherein said data file includes dynamic content.
  - 8. The method of claim 1, wherein said encrypting said received data block is performed as a function of a shared session secret shared between said proxy server and said client machine.
  - 9. The method of claim 1, wherein said proxy server includes a user interface and the method further includes creating and/or editing said access policy and associating said access policy with said data file using said user interface.
  - 10. The method of claim 1 wherein the method further comprises:
    - encrypting each data block of the data file independently, using a unique initialization vector for each data block and one or more encryption/decryption keys; and
      
      communicating said one or more encryption/decryption keys to said client machine.

11. A proxy server, comprising:
- processing circuitry; and
  
  network communications circuitry;
  
  the processing circuitry and network communications circuitry being operative together to perform a method including;
  
  receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file;
  
  requesting, from an authentication server, an access policy associated with the associated user;
  
  receiving, from the authentication server, the access policy associated with the associated user;
  
  determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and
  
  if the associated user has the authority to access the data file, then;
  
  establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file;
  
  requesting, over a second network connection, from the network attached storage system, the data block of the data file;
  
  receiving, over the second network connection, from the network attached storage system, the data block of the data file;
  
  encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block;
  
  encapsulating within a packet;
  
  the encrypted received data block; and
  
  the established set of usage rights; and
  
  sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A proxy server as in claim 11 wherein the established set of usage rights includes one or more access restrictions, each usage restriction including:
    - a restriction type; and
      
      a set of parameters associated with the restriction type.
  - 13. A proxy server as in claim 12 wherein the restriction type indicates that data from the encrypted received data block may only be e-mailed to recipients listed within the set of parameters.
  - 14. A proxy server as in claim 11 wherein the access policy associated with the associated user includes a set of access conditions, each access condition including:
    - a condition type; and
      
      a set of parameters associated with the condition type.
  - 15. A proxy server as in claim 14 wherein the condition type indicates that the associated user only has the authority to access the data file when a clock time falls between a first value listed in a first parameter of the set of parameters and a second value listed in a second parameter of the set of parameters.
  - 16. The proxy server according to claim 11, wherein said data file includes static content.
  - 17. The proxy server according to claim 11, wherein said data file includes dynamic content.
  - 18. The proxy server according to claim 11, wherein said encrypting said received data block is performed as a function of a shared session secret shared between said proxy server and said client machine.
  - 19. The proxy server according to claim 11, wherein said proxy server further includes a user interface, configured to facilitate creation and editing of said access policy and association of said access policy with said data file.
  - 20. The proxy server according to claim 11:
    - wherein each data block of the data file is encrypted independently, using a unique initialization vector for each data block and one or more encryption/decryption keys; and
      
      wherein the one or more encryption/decryption keys are also provided to said client machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Hudson, Jonathan C., Graham, Todd D.
Primary Examiner(s)
Chankong; Dohm

Application Number

US09/989,479
Publication Number

US 20020178271A1
Time in Patent Office

3,003 Days
Field of Search

709227-229, 709/203, 709/217, 709/219, 707/9, 707/10
US Class Current

709/229
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

H04L 2463/101   applying security measures ...

H04L 47/25   with rate being modified by...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

Dynamic file access control and management

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

598 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic file access control and management

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

598 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links