Methods and systems for providing access control to electronic data
Abstract
Techniques for providing pervasive security to digital assets are disclosed. According to one aspect of the techniques, a server is configured to provide access control (AC) management for a user (e.g., a single user, a group of users, software agents or devices) with a need to access secured data. Within the server module, various access rules for the secured data and/or access privileges for the user can be created, updated, and managed so that the user with the proper access privileges can access the secured documents if granted by the corresponding access rules in the secured data.
36 Claims
1. A method for controlling access to electronic data, comprising:
receiving an access request on a server machine for electronic data, wherein the request includes an identifier identifying a user and an associated client machine;
establishing a secured link between the server machine and the client machine associated with the user;
validating the user according to the identifier;
sending an authentication message to the client machine in response to determining that the user is validated, wherein the authentication message includes a user key and a link to the requested electronic data;
formatting the electronic data to include a header portion and an encrypted data portion;
controlling access to the encrypted data portion of the electronic data by constructing the header portion to contain a signature signifying that the electronic data is secured, encrypted security information with access rules controlling access to the data portion, and a key that can be retrieved to decrypt the encrypted data portion, wherein the encrypted security information is encrypted with the user key;
determining if user access to the electronic data is permitted by the access rules; and
decrypting the encrypted security information with the user key in response to determining that the user is permitted to access the electronic data.
Dependent claims: 2 to 9.
10. A non-transitory computer readable medium having executable instructions stored thereon, the instructions comprising:
instructions to receive authentication requests containing a user key and an identifier identifying a user and a client machine associated with the user;
instructions to parse authentication requests to identify the user and the client machine contained within the identifier;
instructions to establish a secured link with the client machine;
instructions to authenticate the user according to the identifier;
instructions to send an authentication message including the user key to the client machine in response to determining that the user is authenticated;
instructions to activate the user key in the client machine when the authentication message is sent;
instructions to provide access control management to electronic data, wherein the electronic data includes an encrypted data portion and encrypted security information with access rules and a file key; and
instructions to decrypt, using the user key, the file key and, using the file key, the encrypted data portion in response to determining that user access is permitted by the access rules.
Dependent claims: 11 to 18.
19. A non-transitory computer readable medium having instructions stored thereon, the instructions comprising:
instructions to receive a request to access secured electronic data at a server computer, wherein the electronic data includes a header and an encrypted data portion, the header further including encrypted security information including at least access rules and a file key, and wherein the request includes a user key and an identifier identifying a user and a client machine associated with the user;
instructions to establish a secured link between the server and the client machine associated with the user;
instructions to authenticate the user in the server based on the user and client machine information in the identifier;
instructions to decrypt the security information in the header of the requested secured electronic data using the user key;
instructions to retrieve the file key from the header;
instructions to retrieve access rules from the security information;
instructions to determine from the access rules if the user has the necessary access privileges to access the encrypted data portion;
instructions to decrypt the encrypted data portion in response to determining that the user has the necessary access privileges to access the encrypted data portion; and
instructions to provide user access to the decrypted data portion via the secured link established between the server and the client machine associated with the user.
Dependent claims: 20 to 27.
28. A system for providing access control management to electronic data, comprising:
a server machine;
a link module executable in the server machine configured to establish a secured link between the server machine and a client machine when an access request containing an access request identifier identifying at least a user and an associated client machine is received at the server machine from the client machine;
an authentication module executable in the server machine configured to authenticate the user and client machine according to the user and client machine identified in the access request identifier;
a document securing module executable in the server machine configured to secure electronic data in a format including an encrypted data portion and a header that includes encrypted security information controlling access to the encrypted data portion and a signature signifying that the electronic data is secured;
a key issuing module executable in the server machine configured to issue a user key after the user has been authenticated by the authentication module, wherein the user key is used to decrypt the encrypted security information, and wherein the security information includes a set of access rules and a file key;
a rule processing module executable in the server machine configured to decrypt and retrieve access rules from the security information and measure the retrieved access rules against the access privileges of the user requesting access to the secured document;
a cipher module executable in the server machine configured to decrypt and retrieve the file key from the security information and subsequently decrypt the encrypted data portion using the file key; and
a document release module executable in the server machine configured to fulfill the access request by releasing a decrypted version of a requested document to the user via the secured link established by the link module in response to determining that the authentication module has authenticated both the user and the client machine and that the rule processing module has determined that the user is permitted to access the requested electronic data.
Dependent claims: 29 to 36.
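The secured-data format and release flow these claims describe (a signed header carrying security information sealed with the user key, a per-document file key inside that information, and a data portion encrypted with the file key, released only after the access rules pass), as an added Python example that is not part of the patent or of any product. The header signature, the JSON rule schema and the stdlib-only HMAC-based cipher are constructed assumptions standing in for a real AEAD.

```python
import hashlib, hmac, json, os, struct

MAGIC = b"SECD"  # constructed header signature marking data as secured (assumption)

def _keystream_xor(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode stream cipher so the example needs only the
    # standard library; a real implementation would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _seal(key, plaintext):
    # Encrypt-then-MAC layout: nonce || tag || ciphertext
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def _open(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered content")
    return _keystream_xor(key, nonce, ct)

def secure_document(user_key, access_rules, plaintext):
    """Header: signature || length || security info {rules, file key} sealed with the
    user key. Body: the data portion sealed with the per-document file key."""
    file_key = os.urandom(32)
    sec_info = json.dumps({"rules": access_rules, "file_key": file_key.hex()}).encode()
    enc_info = _seal(user_key, sec_info)
    return MAGIC + struct.pack(">I", len(enc_info)) + enc_info + _seal(file_key, plaintext)

def access_document(user_key, user, doc):
    """Server-side release: check the signature, unwrap the security information with
    the user key, evaluate the rules, then decrypt. Returns (status, plaintext or None)."""
    if doc[:4] != MAGIC:
        return "not-secured", None
    (n,) = struct.unpack(">I", doc[4:8])
    try:
        info = json.loads(_open(user_key, doc[8:8 + n]))
    except ValueError:
        return "bad-user-key", None  # wrong user key or a modified header
    rules = info["rules"]
    allowed = user["id"] in rules.get("users", []) or bool(
        set(user["groups"]) & set(rules.get("groups", [])))
    if not allowed:
        return "denied", None  # the file key is never used for a user the rules reject
    return "granted", _open(bytes.fromhex(info["file_key"]), doc[8 + n:])
```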