Multi-factor content protection
First Claim
1. A computer program product for implementing a method of protecting sensitive content by controlling how the sensitive content is used and accessed at a recipient computing system which is part of a computing network of a central organization, the computer program product comprising a computer storage device at the recipient computing system which contains computer-executable instructions to implement at the recipient computing system the method, and wherein the method is comprised of:
- at the recipient computing system which includes a trusted agent, running a trusted application that requires use of sensitive content stored within the central organization, and whereinaccess and use of the sensitive content is controlled by a policy associated with the content, the policy defining access and use restrictions,the sensitive content is encrypted to a content key,and access and use of the sensitive content requires decryption of the associated policy and the content key and then using the sensitive content only in accordance with its associated policy;
at the recipient computing system, receiving from an access server of the central organization at least a portion of said policy and said content key, both of which are encrypted to (1) a trusted agent key maintained at said trusted agent, and (2) at least one other protection factor stored at the recipient computing system;
at the recipient computing system, decrypting the received portion of the policy and the content key using the trusted agent key and the at least one other protection factor;
at the recipient computing system, decrypting the content using the decrypted content key; and
at the recipient computing system, the trusted application then using the decrypted sensitive content subject to the access and use restrictions contained in said portion of said policy received from the access server of the central organization.
2 Assignments
0 Petitions
Accused Products
Abstract
Protecting content. A recipient receives content from a publisher. Some content is managed by an access server. The access server controls the recipient'"'"'s use of managed content through interaction with a trusted agent at the recipient. The content is encrypted to a content key, and the content is associated with policy information. The policy information includes the content key for decrypting the content. The policy information is encrypted to an access server key allowing the policy information to be decrypted by the access server. The content key is received from the access server. The content key is encrypted to a trusted agent key. The content key is further encrypted to additional factor(s) defining additional content protection beyond that provided by trusted agent. The content key is decrypted using the trusted agent key and the at least one additional factor. The content is decrypted using the content key.
74 Citations
23 Claims
-
1. A computer program product for implementing a method of protecting sensitive content by controlling how the sensitive content is used and accessed at a recipient computing system which is part of a computing network of a central organization, the computer program product comprising a computer storage device at the recipient computing system which contains computer-executable instructions to implement at the recipient computing system the method, and wherein the method is comprised of:
-
at the recipient computing system which includes a trusted agent, running a trusted application that requires use of sensitive content stored within the central organization, and wherein access and use of the sensitive content is controlled by a policy associated with the content, the policy defining access and use restrictions, the sensitive content is encrypted to a content key, and access and use of the sensitive content requires decryption of the associated policy and the content key and then using the sensitive content only in accordance with its associated policy; at the recipient computing system, receiving from an access server of the central organization at least a portion of said policy and said content key, both of which are encrypted to (1) a trusted agent key maintained at said trusted agent, and (2) at least one other protection factor stored at the recipient computing system; at the recipient computing system, decrypting the received portion of the policy and the content key using the trusted agent key and the at least one other protection factor; at the recipient computing system, decrypting the content using the decrypted content key; and at the recipient computing system, the trusted application then using the decrypted sensitive content subject to the access and use restrictions contained in said portion of said policy received from the access server of the central organization. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A computer program product for implementing a method of protecting sensitive content by controlling how the sensitive content is used and accessed at a recipient computing system which is part of a computing network of a central organization, the computer program product comprising a computer storage device at an access server of the central organization which contains computer-executable instructions to implement at the access server the method, and wherein the method is comprised of:
-
at the access server, receiving the sensitive content, and wherein access and use of the sensitive content at the is controlled by a policy associated with the content, the policy defining access and use restrictions, the sensitive content is encrypted to a content key, access and use of the sensitive content requires decryption of the associated policy and the content key and then using the sensitive content only in accordance with its associated policy, and the associated policy and content key are encrypted to an access server key maintained at the access server; at the access server, decrypting the associated policy and content key using the access server key; at the access server, preparing a version of the associated policy for the recipient computing system; and sending from the access server to the recipient computing system the version of the associated policy prepared for the recipient computing system, and the content key, both of which are encrypted to (1) a trusted agent key maintained at a trusted agent of the recipient computing system, and (2) at least one other protection factor stored at the recipient computing system, so that thereafter the recipient computing system is able to decrypt said version of the policy and the content key using the trusted agent key and the at least one other protection factor, and so that the recipient computing system is then able to decrypt the content using the decrypted content key so that the decrypted content can be used in accordance with the access and use restrictions defined by said version of the policy at a trusted application running at the recipient computing system. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
Specification