Multi-level cryptographic transformations for securing digital assets

US 7,930,756 B1
Filed: 03/31/2003
Issued: 04/19/2011
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

in response to a request from a requestor, obtaining security information from a header of a secure electronic file, the security information including at least encryption structure information, access rules to control access to the secure electronic file, user groups that are authorized to access the secure electronic file, and secrets used to decrypt the secure electronic file, wherein the secrets are associated with the user groups and security clearance levels authorized to access the secure electronic file, and wherein the access rules limit the availability of the secrets to requestors that;

are members of a user group that is authorized to access the secure electronic file; and

possess a security clearance level authorized to access the secure electronic file, wherein the security clearance level is associated with a content type and a confidentiality level of the secure electronic file;

attempting to decrypt, by a computing device, at least secure data of the secure electronic file for access by the requestor based on the encryption structure information, the access rules, the user groups, and the secrets; and

unsecuring, by the computing device, the secure data for access by the requestor in response to determining that at least the secure data of the secure electronic file is successfully decrypted.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enhanced multi-level cryptographic transformations that secure electronic files are disclosed. The secured electronic files contain not only secured data but also security information. The security information includes cryptographic structure information, access rules and secrets (e.g., keys). The cryptographic structure information explains the multi-level cryptographic transformations associated with securing or unsecuring the electronic files. The access rules and the secrets are used by the cryptographic transformations to secure the electronic files. Since the secured electronic files contain the cryptographic structure information, the particular cryptographic transformations (including their sequencing) can vary with each electronic file, if so desired. Typically, the secured electronic files are secured and managed by a file security system, such as a distributed security system.

709 Citations

35 Claims

1. A computer-implemented method comprising:
- in response to a request from a requestor, obtaining security information from a header of a secure electronic file, the security information including at least encryption structure information, access rules to control access to the secure electronic file, user groups that are authorized to access the secure electronic file, and secrets used to decrypt the secure electronic file, wherein the secrets are associated with the user groups and security clearance levels authorized to access the secure electronic file, and wherein the access rules limit the availability of the secrets to requestors that;
  
  are members of a user group that is authorized to access the secure electronic file; and
  
  possess a security clearance level authorized to access the secure electronic file, wherein the security clearance level is associated with a content type and a confidentiality level of the secure electronic file;
  
  attempting to decrypt, by a computing device, at least secure data of the secure electronic file for access by the requestor based on the encryption structure information, the access rules, the user groups, and the secrets; and
  
  unsecuring, by the computing device, the secure data for access by the requestor in response to determining that at least the secure data of the secure electronic file is successfully decrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method as recited in claim 1, wherein the encryption structure information interrelates the access rules, the user groups, and the secrets to describe a multi-stage cryptographic process.
  - 3. The computer-implemented method as recited in claim 2, wherein the encryption structure information is expressed in a markup language.
  - 4. The computer-implemented method as recited in claim 2, wherein the encryption structure information is a representation of an alterable encryption structure graph that represents the multi-stage encryption process that has been used to secure at least the secure data of the secure electronic file.
  - 5. The computer-implemented method as recited in claim 4, wherein the encryption structure graph is configured such that it comprises a plurality of nodes, each node requiring a successful decryption process to progress to a next node.
  - 6. The computer-implemented method as recited in claim 2, wherein one of the secrets is a file key that decrypts the secure electronic file, and wherein the file key is protected by multiple stages of encryption.
  - 7. The computer-implemented method as recited in claim 6, wherein attempting to decrypt, by the computing device, at least the secure data of the secure electronic file undoes the multiple stages of encryption to obtain the file key, and unsecuring the secure data for access by the requestor uses the file key to decrypt at least the secure data of the secure electronic file.
  - 8. The computer-implemented method as recited in claim 1, wherein the secrets included in the security information are themselves encrypted.
  - 9. The computer-implemented method as recited in claim 1, wherein the encryption stricture information is expressed in a markup language.
  - 10. The computer-implemented method as recited in claim 1, wherein the encryption structure information represents an encryption structure that has been used to secure at least the secure data of the secure electronic file.
  - 11. The computer-implemented method as recited in claim 1, wherein the encryption structure information represents an encryption structure graph that represents the multi-stage encryption process used to secure at least the secure data of the secure electronic file.
  - 12. The computer-implemented method as recited in claim 11, wherein the encryption structure graph is configured such that it comprises a plurality of nodes, each node requiring a successful decryption process to progress to a next node.

13. A tangible computer-readable medium having computer-executable instructions stored thereon for controlling-access to a secure electronic file, the instructions comprising:
- in response to a request from a requestor, instructions to obtain security information from the header of a secure electronic file, the security information including at least encryption structure information, access rules to control access to the secure electronic file, user groups that are authorized to access the secure electronic file, and secrets used to decrypt the secure electronic file, wherein the secrets are associated with the user groups and security clearance levels authorized to access the secure electronic file, and wherein the access rules limit the availability of the secrets to requestors that;
  
  are members of a user group that is authorized to access the secure electronic file; and
  
  possess a security clearance level authorized to access the secure electronic file, wherein the security clearance level is associated with a content type and a confidentiality level of the secure electronic file;
  
  instructions to attempt to decrypt at least the secure data of the secure electronic file for access by the requestor based on the encryption structure information, the access rules, the user groups, and the secrets; and
  
  instructions to unsecure the secure data for access by the requestor in response to determining that at least the secure data of the secure electronic file is successfully decrypted.

14. A system, comprising:
- a client device configured to produce a secure electronic file through a multi-stage encryption process, wherein the secure electronic file includes secure data that is secured by encryption and a header portion including at least security information, the security information including at least encryption structure information, access rules to control access to the secure electronic file, user groups that are authorized to access the secure electronic file, and secrets used to decrypt the secure electronic file, wherein the secrets are associated with the user groups and security clearance levels authorized to access the secure electronic file, and wherein the access rules limit the availability of the secrets to requestors that;
  
  are members of a user group that is authorized to access the secure electronic file; and
  
  possess a security clearance level authorized to access the secure electronic file, wherein the security clearance level is associated with a content type and a confidentiality level of the secure electronic file;
  
  wherein the encryption structure information interrelates the access rules, the user groups, and the secrets to describe the multi-stage encryption process or decryption thereof performed by the client device.
- View Dependent Claims (15)
- - 15. The system as recited in claim 14, wherein the secure electronic file is created by an authoring device.

16. A computer-implemented method for securing a plurality of electronic files through a multi-stage encryption process to produce a plurality of secure electronic files, wherein each of the plurality of secure electronic files has a header and data portion, the method comprising:
- encrypting, by a computing device, the data portion of the plurality of secure electronic files; and
  
  formatting, by the computing device, the header portion of the plurality of secure electronic files to include at least security information, wherein the security information includes at least encryption structure information, access rules to control access to the plurality of secure electronic files, user groups that are authorized to access the plurality of secure electronic files, and secrets used to decrypt the plurality of secure electronic files, wherein the secrets are associated with the user groups and security clearance levels authorized to access the plurality of secure electronic files, and wherein the access rules limit the availability of the secrets to requestors that;
  
  are members of a user group that is authorized to access the plurality of secure electronic files; and
  
  possess a security clearance level authorized to access the plurality of secure electronic files, wherein the security clearance level is associated with respective content types and confidentiality levels of the plurality of secure electronic files;
  
  wherein the encryption structure information interrelates the access rules, the user groups, and the secrets to describe the multi-stage encryption process or decryption thereof.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 17. The computer-implemented method as recited in claim 16, wherein the data portion is decrypted with a first key, and wherein the secrets are encrypted.
  - 18. The computer-implemented method as recited in claim 17, wherein the secrets are keys, and wherein one of the secrets is the first key.
  - 19. The computer-implemented method as recited in claim 17, wherein the multi-stage encryption structure information protects the first key.
  - 20. The method as recited in claim 16, wherein the access rules are encrypted and are decrypted, by the computing device, with a key associated with a user group corresponding to a particular requestor attempting to gain access to one of the plurality of secure electronic files.
  - 21. The computer-implemented method as recited in claim 16, wherein the access rules are expressed in a descriptive language.
  - 22. The computer-implemented method as recited in claim 21, wherein the descriptive language is a markup language.
  - 23. The computer-implemented method as recited in claim 16, wherein the encryption structure information is expressed in a descriptive language.
  - 24. The computer-implemented method as recited in claim 23, wherein the descriptive language is a markup language.
  - 25. The computer-implemented method as recited in claim 17, wherein the secrets comprise at least a protection key that is secured by at least one of the access rules, wherein the protection key is needed to access the first key.
  - 26. The computer-implemented method as recited in claim 17, wherein the data portion is decrypted, by the computing device, with a first key, and wherein the secrets include at least the first key and a second key, wherein the second key is used in decrypting the first key which is provided in the header portion in an encrypted format.
  - 27. The computer-implemented method as recited in claim 26, wherein the second key is provided to a particular requestor attempting to gain access to one of the plurality of secure electronic files in response to determining that the particular requestor is affiliated with a group that is permitted by at least one of the access rules to acquire the second key.
  - 28. The computer-implemented method as recited in claim 26, wherein each of the plurality of secure electronic files has a content type, wherein the secrets further comprise a third key, and wherein the particular requestor gains access to the third key in response to deter mining that the particular requestor possesses a security clearance level authorized to access electronic files of the content type.
  - 29. The computer-implemented method as recited in claim 28 wherein the secrets further comprise a fourth key, and wherein the particular requestor gains access to the fourth key in response to determining that the particular requestor possesses a sufficient security clearance level as compared to a confidentiality level assigned to one of the plurality of secure electronic files.
  - 30. The computer-implemented method as recited in claim 29, wherein the first key is encrypted in a serial manner by the second, third and fourth keys.
  - 31. The computer-implemented method as recited in claim 29, wherein the particular requestor gains access to the fourth key in response to determining that the particular requestor possesses the sufficient security clearance level.
  - 32. The computer-implemented method as recited in claim 16, wherein the encryption structure information is a representation of an encryption structure that has been used to secure at least the data portion of the plurality of secure electronic files.
  - 33. The computer-implemented method as recited in claim 16, wherein the encryption structure information is an encryption structure graph that represents the multi-stage encryption process used to secure at least the data portion of the plurality of secure electronic files.
  - 34. The computer-implemented method as recited in claim 33, wherein the encryption structure graph includes a plurality of nodes, each node requiring a successful decryption process to progress to a next node.
  - 35. The computer-implemented method as recited in claim 16, wherein the plurality of electronic files comprise word processing documents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Crocker, Steven Toye, Garcia, Denis Jacques Paul
Primary Examiner(s)
KIM, JUNG W

Application Number

US10/404,566
Time in Patent Office

2,941 Days
Field of Search

713/160
US Class Current

726/27
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Multi-level cryptographic transformations for securing digital assets

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

709 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level cryptographic transformations for securing digital assets

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

709 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links