
Security Enhanced Data Platform

  • US 8,161,527 B2
  • Filed: 01/23/2009
  • Issued: 04/17/2012
  • Est. Priority Date: 01/23/2009
  • Status: Active Grant
First Claim

1. A security enhanced data platform method comprising the steps of:

  • providing a computer operating system;

    customizing computer operating system's kernel;

    replacing the computer operating system's kernel and core utilities with a multi-level access control system;

    providing an email and messaging server as a host for sending and receiving messages;

    allowing automation of email retention in compliance with a document retention policy;

    providing a primary subsystem;

    said primary subsystem is a document management system;

    providing a set of client side tools to specify classifications and compartments for selected areas of a document;

    separating document data from document metadata;

    allowing encrypted documents to be stored and information about those documents to be stored in a database;

    allowing for quick look up and access of secured documents;

    providing a way to save the document in format required by the primary subsystem in order to allow the primary subsystem to enforce rules and privileges dictated to the primary subsystem;

    monitoring and recording all activity within the primary subsystem;

    recording all changes to the document and making said changes available for audit;

    providing one or more supporting subsystems;

    a first subsystem is a security enhanced database management system;

    integrating said security enhanced database management system with the multi-level access control system;

    securing data in the database as a whole including securing tables in the database, the columns in the tables, the rows in the tables, or the individual cells of the tables;

    a second subsystem is a user authentication and authorization system;

    offering native enhanced security by enforcing privileges specified by the user authentication and authorization system;

    performing setup for a device including;

    logging in and setting up a user account on the email and messaging server;

    placing the user account in a device set up mode;

    said email and messaging server generating a five-digit number and presenting it on a user interface;

    said email and messaging server generating and storing a device unlock code;

    said email and messaging server generating and storing a key;

    placing the device into a setup mode;

    said device receiving a numeric password from a user;

    encrypting the numeric password using the device identifier (ID);

    computing SHA-512 hash value of the encrypted password and storing the hash value on the device;

    prompting user to enter the five-digit number provided by the email and messaging server;

    connecting the device to the email and messaging server via Wireless Application Protocol (WAP) or desktop synchronization software;

    sending the email and messaging server the entered five-digit number and the device ID;

    looking up the five-digit number and accepting the device ID by the email and messaging server;

    upon acceptance of the five-digit number, the email and messaging server storing the device ID for the user account;

    encrypting the key using the device ID and sending the encrypted key to the device;

    storing the encrypted key as an active key and as an archive of the original key by the device;

    encrypting the unlock code using the device ID and then computing SHA-512 hash value of the encrypted unlock code;

    sending the hash value of the encrypted unlock code to the device;

    storing the received hash value of the encrypted unlock code by the device;

    generating a device specific self-destruct code by the email and messaging server, and encrypting the device specific self-destruct code using the device ID;

    computing SHA-512 hash value of the encrypted device specific self-destruct code by the email and messaging server;

    sending the SHA-512 hash value of the encrypted device specific self-destruct code to the device;

    storing the SHA-512 hash value of the encrypted device specific self-destruct code by the device; and

    retrieving a permanent lock count from a configuration database by the device;

    encrypting the permanent lock count using the device ID and sending the SHA-512 hash value of the encrypted unlock code to the email and messaging server; and

    storing the SHA-512 hash value of the encrypted unlock code on the device;

    a third subsystem is a workflow engine;

    providing a runtime workflow engine used to route documents and data through a user defined approval process for actions on the documents or data;

    a fourth subsystem is a secure two-factor authentication subsystem;

    providing a secure two-factor authentication mechanism adding an additional authentication mechanism;

    running a computer application on the device;

    presenting a login screen on the device and prompting user to enter numeric password;

    computing SHA-512 hash value of the numeric password and validating the computed SHA-512 hash value of the numeric password against stored hash value on the device;

    in response to wrong password inputted, a check is made to determine how many times login has been attempted;

    if the attempt is greater than the number of allowed login failures, the user is notified that the application has been locked and is prompted for the unlock code;

    a fifth subsystem is a cryptographic engine; and

    providing data protection, data authentication, user authentication and vetting, and communications protection and authentication.
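The device setup steps (five-digit number, device ID binding, encrypted key, SHA-512 verifiers for the unlock and self-destruct codes) and the login/lock-count steps of the claim, modelled end to end as an added example. This is not code from the patent or its assignee; the claim names no cipher for "encrypting using the device ID", so a deterministic SHA-512 keystream XOR stands in for it (both sides must derive identical ciphertext to get matching hashes), the `MessagingServer` and `Device` classes, the code lengths and the lock count of 3 are constructed here, and the login step hashes the entered password the same way setup does so the two values are comparable.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def encrypt_with_device_id(device_id: str, data: bytes) -> bytes:
    """Stand-in for the claim's "encrypting using the device ID" (no cipher is named).
    XOR with a SHA-512-derived keystream keyed on the device ID. Deterministic on
    purpose: server and device compute the same ciphertext, hence the same verifier.
    Applying it twice recovers the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha512(device_id.encode() + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def verifier(device_id: str, secret: str) -> str:
    """SHA-512 of the device-ID-encrypted secret: the value the device stores for the
    numeric password, the unlock code and the self-destruct code."""
    return hashlib.sha512(encrypt_with_device_id(device_id, secret.encode())).hexdigest()


@dataclass
class MessagingServer:
    """Email and messaging server side of the enrollment (constructed model)."""
    accounts: dict = field(default_factory=dict)

    def begin_device_setup(self, user: str) -> str:
        """Places the account in setup mode and generates the five-digit number,
        unlock code, key and self-destruct code. Returns the number shown on the UI."""
        five_digit = f"{secrets.randbelow(100_000):05d}"
        self.accounts[user] = {
            "mode": "setup",
            "five_digit": five_digit,
            "unlock_code": f"{secrets.randbelow(10**8):08d}",        # constructed length
            "self_destruct_code": f"{secrets.randbelow(10**8):08d}",  # constructed length
            "key": secrets.token_bytes(32),
            "device_id": None,
        }
        return five_digit

    def accept_device(self, user: str, five_digit: str, device_id: str):
        """Looks up the five-digit number; on a match stores the device ID and returns
        the device-ID-encrypted key plus the SHA-512 verifiers. None means rejected."""
        acct = self.accounts.get(user)
        if acct is None or acct["mode"] != "setup":
            return None
        if not hmac.compare_digest(acct["five_digit"], five_digit):
            return None
        acct["device_id"] = device_id
        acct["mode"] = "active"
        return {
            "encrypted_key": encrypt_with_device_id(device_id, acct["key"]),
            "unlock_verifier": verifier(device_id, acct["unlock_code"]),
            "self_destruct_verifier": verifier(device_id, acct["self_destruct_code"]),
        }


@dataclass
class Device:
    """Device side: stores only hashes and the device-ID-encrypted key."""
    device_id: str
    allowed_failures: int = 3  # the claim's permanent lock count; 3 is a constructed value
    password_verifier: str = ""
    unlock_verifier: str = ""
    self_destruct_verifier: str = ""
    active_key: bytes = b""
    archived_key: bytes = b""
    failures: int = 0
    locked: bool = False

    def setup(self, numeric_password: str) -> None:
        """Encrypt the numeric password with the device ID, hash it, keep the hash."""
        self.password_verifier = verifier(self.device_id, numeric_password)

    def complete_setup(self, provisioning: dict) -> None:
        """Store the encrypted key as active and archive copies plus the two verifiers."""
        self.active_key = provisioning["encrypted_key"]
        self.archived_key = provisioning["encrypted_key"]
        self.unlock_verifier = provisioning["unlock_verifier"]
        self.self_destruct_verifier = provisioning["self_destruct_verifier"]

    def session_key(self) -> bytes:
        """Recover the server's key from the stored copy using the device ID."""
        return encrypt_with_device_id(self.device_id, self.active_key)

    def login(self, numeric_password: str) -> str:
        """Returns "ok", "wrong" or "locked"; locks once failures exceed the lock count."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(verifier(self.device_id, numeric_password), self.password_verifier):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures > self.allowed_failures:
            self.locked = True
            return "locked"
        return "wrong"

    def unlock(self, code: str) -> bool:
        """Compare the entered unlock code against the stored SHA-512 verifier."""
        if hmac.compare_digest(verifier(self.device_id, code), self.unlock_verifier):
            self.locked = False
            self.failures = 0
            return True
        return False
```

Two things the model makes visible: the device ID is not secret, so the stored verifiers protect short numeric codes only as well as the codes' own entropy (a deployment would want a slow KDF rather than a single SHA-512), and the server refuses to rebind a device ID once the account has left setup mode, which is the check that stops a second device from enrolling with a reused five-digit number.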

  • 0 Assignments