System and method for providing different levels of key security for controlling access to secured items
Abstract
With files secured by encryption techniques, keys are often required to gain access to the secured files. Techniques for providing and using multiple levels of keystores for securing the keys are disclosed. The keystores store keys that are needed by users in order to access secured files. The different levels of keystores offer compromises between security and flexibility/ease of use.
50 Claims
1. A method for controlling access to a secured item, the secured item having at least a first portion and a second portion, both the first portion and the second portion being encrypted, said method comprising:
- receiving, by one or more computing devices, a request to access the secured item, the request being from a user at a client machine;
- authenticating at least the user and the client machine;
- retrieving a user key from a storage location, the storage location corresponding to a level of security of the user key;
- decrypting the first portion of the secured item with the user key to acquire security information for the secured item that the user is requesting to access;
- obtaining access rules associated with the secured item and access privileges associated with the user from the decrypted first portion of the secured item; and
- determining user permission to gain access to the secured item by comparing the access privileges of the user to the access rules of the secured item.
Dependent claims: 2-26.
27. A method for controlling access to a secured item, the secured item having at least a header and an encrypted data portion, the header including encrypted security information, said method comprising:
- receiving, by one or more computing devices, a request to access the secured item, the request being from a user at a client machine;
- authenticating at least the user and the client machine;
- determining a physical storage location of a user key associated with the user, wherein the physical storage location of the user key depends on the level of security needed for protection of the user key;
- retrieving the user key associated with the user from the determined physical location;
- decrypting the encrypted security information in the header of the secured item using the user key;
- obtaining access rules associated with the secured item and access privileges associated with the user from the decrypted security information in the header of the secured item; and
- determining user permission to gain access to the secured item by comparing the access privileges of the user to the access rules of the secured item.
Dependent claims: 28-37.
38. An access control system that restricts user access to a secured item, said system comprising:
- a central server having a server module configured to provide overall access control and having a central keystore; and
- a local server configured to be operatively connected to said central server, said local server including a local module that is configured to provide local access control and a local keystore, wherein the access control, performed by said central server or said local server, is configured to operate to permit or deny user access requests to the secured item by the users, wherein the secured item has an encrypted header and an encrypted data portion, wherein the encrypted header is able to be decrypted by the central server or the local server for a particular user through use of the user key for the particular user, wherein the header contains access rules associated with the secured item and access privileges associated with the user, wherein the access rules of the secured item are compared with the access privileges of the user to determine whether the user is permitted to gain access to the secured item, wherein a file key is obtained from the security information after it is determined that the user is permitted to gain access to the secured item, and wherein the file key is then used by the central server or the local server to decrypt the encrypted data portion;
- wherein said access control system further comprises: a plurality of client machines configured to be operatively connected to said central server and said local server, and wherein the user keys required for users to gain access to the secured items are persistently stored in one of said central keystore, said local keystore or said client machines, and wherein the user key for a particular user is stored to one of said central server, said local server or said client machines based on a security level associated with the particular user.
Dependent claims: 39-47.
48. A non-transitory computer-readable medium having stored thereon computer-executable instructions for causing a computing device to access a secured item, the secured item having at least a first portion and a second portion, both the first portion and the second portion being encrypted, the instructions comprising:
- instructions to receive, at a server, a request to access the secured item, the request being from a user at a client machine, and authenticating at least the user and the client machine;
- instructions to determine a physical storage location of a user key associated with the user, wherein the physical storage location of the user key depends on the level of security needed for protection of the user key;
- instructions to retrieve the user key associated with the user from the determined physical storage location;
- instructions to decrypt, at the server, the first portion of the secured item with the user key retrieved from the determined physical storage location to acquire security information for the secured item that the user is requesting to access;
- instructions to obtain access rules associated with the secured item and access privileges associated with the user from the decrypted first portion of the secured item;
- instructions to determine whether the user is permitted to gain access to the secured item by comparing the access privileges of the user to the access rules of the secured item;
- instructions to, after determining that the user is permitted to gain access to the secured item, obtain a file key from the security information;
- instructions to decrypt, at the server, the second portion of the secured item using the file key; and
- instructions to provide the decrypted second portion of the secured item to the client machine.
Dependent claims: 49.
50. A non-transitory computer-readable medium having stored thereon computer-executable instructions for causing a computing device to control access to a secured item, the instructions comprising:
- instructions to receive, at a server, a request to access a secured item, the request being from a user at a client machine;
- instructions to authenticate at least the user and the client machine;
- instructions to retrieve a user key from a storage location, the storage location corresponding to a level of security of the user key;
- instructions to decrypt, at a server, a first portion of the secured item with the user key to acquire security information for the secured item that the user is requesting to access;
- instructions to obtain access rules associated with the secured item and access privileges associated with the user from the decrypted first portion of the secured item;
- instructions to determine whether the user is permitted to gain access to the secured item by comparing the access privileges of the user to the access rules of the secured item;
- instructions to, after determining that the user is permitted to gain access to the secured item, obtain a file key from the security information;
- instructions to decrypt, at a server, a second portion of the secured item using the file key; and
- instructions to provide the decrypted second portion of the secured item to the client machine.
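The following Python is an added example, not code from the patent or from any product implementing it. It models the flow the claims describe: a user key is persisted in a central, local or client keystore according to the user's security level; the item's header, holding the access rules, the user's privileges and the file key, is sealed under the user key; the data portion is sealed under the file key and is only released after the privileges satisfy the rules. The HMAC-based cipher, the keystore tables, the authentication registry and the user and machine names are all constructed for illustration.

```python
import hashlib, hmac, json, os

# Keystore tier per security level (claim 38): where a user key persists is a
# trade-off between protection (central server) and convenience (client machine).
TIER_FOR_LEVEL = {"high": "central", "medium": "local", "low": "client"}
KEYSTORES = {"central": {}, "local": {}, "client": {}}
# Constructed registry of (user, client machine) pairs that pass authentication.
AUTHENTICATED = {("alice", "laptop-7"), ("bob", "desktop-2")}

def _keystream_xor(key, nonce, data):
    """Illustrative HMAC-SHA256 counter-mode stream cipher; not production crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered item")
    return _keystream_xor(key, nonce, ct)

def enroll_user(user, level):
    """Generate the user key and persist it in the keystore tier chosen by the level."""
    KEYSTORES[TIER_FOR_LEVEL[level]][user] = os.urandom(32)

def secure_item(user, level, rules, privileges, data):
    """Header (rules, privileges, file key) sealed under the user key; data under the file key."""
    file_key = os.urandom(32)
    info = {"rules": rules, "privileges": privileges, "file_key": file_key.hex()}
    user_key = KEYSTORES[TIER_FOR_LEVEL[level]][user]
    return {"header": seal(user_key, json.dumps(info).encode()), "data": seal(file_key, data)}

def access_item(user, machine, level, item):
    """Claim 1/27 steps: authenticate, fetch key by tier, decrypt header, compare, decrypt data."""
    if (user, machine) not in AUTHENTICATED:
        return None
    user_key = KEYSTORES[TIER_FOR_LEVEL[level]][user]  # KeyError if never enrolled
    info = json.loads(unseal(user_key, item["header"]))
    if not set(info["rules"]) <= set(info["privileges"]):
        return None  # privileges do not satisfy the item's access rules
    return unseal(bytes.fromhex(info["file_key"]), item["data"])
```

A header whose tag does not verify raises ValueError before any rule comparison, so a wrong user key or a modified header never yields the file key.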