Security Enhanced Data Platform
First Claim
1. A security enhanced data platform method comprising the steps of:
providing a computer operating system;
customizing computer operating system's kernel;
replacing the computer operating system's kernel and core utilities with a multi-level access control system;
providing an email and messaging server as a host for sending and receiving messages;
allowing automation of email retention in compliance with a document retention policy;
providing a primary subsystem;
said primary subsystem is a document management system;
providing a set of client side tools to specify classifications and compartments for selected areas of a document;
separating document data from document metadata;
allowing encrypted documents to be stored and information about those documents to be stored in a database;
allowing for quick look up and access of secured documents;
providing a way to save the document in format required by the primary subsystem in order to allow the primary subsystem to enforce rules and privileges dictated to the primary subsystem;
monitoring and recording all activity within the primary subsystem;
recording all changes to the document and making said changes available for audit;
providing one or more supporting subsystems;
a first subsystem is a security enhanced database management system;
integrating said security enhanced database management system with the multi-level access control system;
securing data in the database as a whole including securing tables in the database, the columns in the tables, the rows in the tables, or the individual cells of the tables;
a second subsystem is a user authentication and authorization system;
offering native enhanced security by enforcing privileges specified by the user authentication and authorization system;
performing setup for a device including:
logging in and setting up a user account on the email and messaging server;
placing the user account in a device set up mode;
said email and messaging server generating a five-digit number and presenting it on a user interface;
said email and messaging server generating and storing a device unlock code;
said email and messaging server generating and storing a key;
placing the device into a setup mode;
said device receiving a numeric password from a user;
encrypting the numeric password using the device identifier (ID);
computing SHA-512 hash value of the encrypted password and storing the hash value on the device;
prompting user to enter the five-digit number provided by the email and messaging server;
connecting the device to the email and messaging server via Wireless Application Protocol (WAP) or desktop synchronization software;
sending the email and messaging server the entered five-digit number and the device ID;
looking up the five-digit number and accepting the device ID by the email and messaging server;
upon acceptance of the five-digit number, the email and messaging server storing the device ID for the user account;
encrypting the key using the device ID and sending the encrypted key to the device;
storing the encrypted key as an active key and as an archive of the original key by the device;
encrypting the unlock code using the device ID and then computing SHA-512 hash value of the encrypted unlock code;
sending the hash value of the encrypted unlock code to the device;
storing the received hash value of the encrypted unlock code by the device;
generating a device specific self-destruct code by the email and messaging server, and encrypting the device specific self-destruct code using the device ID;
computing SHA-512 hash value of the encrypted device specific self-destruct code by the email and messaging server;
sending the SHA-512 hash value of the encrypted device specific self-destruct code to the device;
storing the SHA-512 hash value of the encrypted device specific self-destruct code by the device; and
retrieving a permanent lock count from a configuration database by the device;
encrypting the permanent lock count using the device ID and sending the SHA-512 hash value of the encrypted unlock code to the email and messaging server; and
storing the SHA-512 hash value of the encrypted unlock code on the device;
a third subsystem is a workflow engine;
providing a runtime workflow engine used to route documents and data through a user defined approval process for actions on the documents or data;
a fourth subsystem is a secure two-factor authentication subsystem;
providing a secure two-factor authentication mechanism adding an additional authentication mechanism;
running a computer application on the device;
presenting a login screen on the device and prompting user to enter numeric password;
computing SHA-512 hash value of the numeric password and validating the computed SHA-512 hash value of the numeric password against stored hash value on the device;
in response to wrong password inputted, a check is made to determine how many times login has been attempted;
if the attempt is greater than the number of allowed login failures, the user is notified that the application has been locked and is prompted for the unlock code;
a fifth subsystem is a cryptographic engine; and
providing data protection, data authentication, user authentication and vetting, and communications protection and authentication.
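The device setup and login steps of claim 1 (the five-digit pairing number shown to the user, the device-ID-keyed encrypt-then-SHA-512 storage of the numeric password, unlock code and self-destruct code, the active/archive copies of the key, and the failed-login lockout that prompts for the unlock code) as an added Python simulation with both the server and device sides. This is example code written here, not code from the patent or its assignee. The claim does not name the cipher used to "encrypt using the device ID", so `encrypt_with_device_id` is an assumed placeholder keystream; the class names `Server` and `Device`, the user `alice`, the device ID `DEV-CONSTRUCTED-0001`, the code lengths and `allowed_failures=3` are all constructed assumptions. Login applies the same encrypt-then-hash transform as setup, on the assumption that the hash stored at setup is the one validated at login.

```python
"""Simulation of the device setup and login steps of claim 1 (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional


def encrypt_with_device_id(data: bytes, device_id: str) -> bytes:
    # ASSUMPTION: the claim does not name a cipher.  This stand-in XORs the data
    # with a SHA-512 keystream derived from the device ID.  It is deterministic,
    # which the protocol needs (server and device must derive equal values),
    # but it is not a real cipher: the device ID is not a secret.
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(hashlib.sha512(device_id.encode() + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def encrypt_then_hash(value: str, device_id: str) -> str:
    # "encrypting X using the device ID and then computing SHA-512 hash value"
    return sha512_hex(encrypt_with_device_id(value.encode(), device_id))


class Server:
    """Email and messaging server side of the setup (constructed model)."""

    def __init__(self) -> None:
        self.accounts: dict = {}   # user -> account record
        self.pending: dict = {}    # five-digit number -> user in device setup mode

    def start_device_setup(self, user: str) -> str:
        # Account placed in device setup mode; server generates and stores the
        # five-digit number, the unlock code, the key and the self-destruct code.
        five_digit = f"{secrets.randbelow(100000):05d}"
        self.accounts[user] = {
            "unlock_code": f"{secrets.randbelow(10**8):08d}",   # assumed 8 digits
            "key": secrets.token_bytes(32),
            "self_destruct": f"{secrets.randbelow(10**8):08d}",  # assumed 8 digits
            "device_id": None,
        }
        self.pending[five_digit] = user
        return five_digit  # presented on the user interface

    def enroll_device(self, five_digit: str, device_id: str) -> Optional[dict]:
        # Look up the five-digit number; on acceptance store the device ID and
        # return the encrypted key plus the hashes of the encrypted codes.
        user = self.pending.pop(five_digit, None)
        if user is None:
            return None
        acct = self.accounts[user]
        acct["device_id"] = device_id
        return {
            "encrypted_key": encrypt_with_device_id(acct["key"], device_id),
            "unlock_hash": encrypt_then_hash(acct["unlock_code"], device_id),
            "self_destruct_hash": encrypt_then_hash(acct["self_destruct"], device_id),
        }


class Device:
    """Device side of the setup and of the login/lockout check (constructed model)."""

    def __init__(self, device_id: str, allowed_failures: int = 3) -> None:
        self.device_id = device_id
        self.allowed_failures = allowed_failures  # assumed configuration value
        self.failures = 0
        self.locked = False
        self.store: dict = {}

    def setup(self, numeric_password: str, five_digit: str, server: Server) -> bool:
        self.store["password_hash"] = encrypt_then_hash(numeric_password, self.device_id)
        reply = server.enroll_device(five_digit, self.device_id)
        if reply is None:
            return False
        self.store["active_key"] = reply["encrypted_key"]
        self.store["archive_key"] = reply["encrypted_key"]  # archive of the original key
        self.store["unlock_hash"] = reply["unlock_hash"]
        self.store["self_destruct_hash"] = reply["self_destruct_hash"]
        return True

    def login(self, numeric_password: str) -> str:
        """Returns "ok", "wrong" or "locked"."""
        if self.locked:
            return "locked"
        candidate = encrypt_then_hash(numeric_password, self.device_id)
        if hmac.compare_digest(candidate, self.store["password_hash"]):
            self.failures = 0
            return "ok"
        self.failures += 1
        # Lock once the attempt count exceeds the allowed number of failures.
        if self.failures > self.allowed_failures:
            self.locked = True
            return "locked"
        return "wrong"

    def unlock(self, code: str) -> bool:
        if hmac.compare_digest(encrypt_then_hash(code, self.device_id), self.store["unlock_hash"]):
            self.locked = False
            self.failures = 0
            return True
        return False


if __name__ == "__main__":
    srv = Server()
    number = srv.start_device_setup("alice")
    dev = Device("DEV-CONSTRUCTED-0001")
    print("enrolled:", dev.setup("1234", number, srv))
    print([dev.login("0000") for _ in range(4)], dev.unlock(srv.accounts["alice"]["unlock_code"]))
```

Two points for anyone modelling this flow in earnest: the comparisons use `hmac.compare_digest` so hash checks are constant-time, and because the device ID is not secret, the only secrecy the stored hashes have comes from the entropy of the unlock and self-destruct codes held on the server; a real deployment would replace the placeholder keystream with a proper cipher or keyed MAC under a key that is not derivable from the device ID alone.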
Abstract
The security enhanced data platform is comprised of two primary subsystems and a host of supporting subsystems. The first primary subsystem is a document management system. A set of client side tools provides the user a way to specify classifications and compartments for selected areas of a document, and a way to save the document in the format required by the system in order to allow the system to enforce the rules and privileges dictated to the system. The second subsystem is a security enhanced database management system. In documents the system allows different user privilege requirements on the document as a whole as well as on pages, paragraphs, sentences, words, and/or letters of a word. A history of document changes is maintained to provide an after-the-fact audit trail of who made which changes, where those changes were made, and when they were made.
18 Claims (claim 1, listed above, is the independent claim; claims 2 through 18 are dependent claims)