System for and method of managing access to a system using combinations of user information
Abstract
The present invention is directed to systems for and methods of controlling access to computer systems. A method in accordance with the present invention comprises performing a test that includes comparing input responses to randomly selected questions with corresponding pre-determined responses to the questions and granting access to the system in the event the test is passed. A first condition of passing the test is that each input response matches a corresponding pre-determined response. After passing the test, the user is granted permissions to access data based on his position. For example, a corporate director generally has greater permissions than an engineer. Preferably, the user's permissions determine an encryption key and a decryption key that the user is able to use to access protected data.
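
The flow described in the abstract and claim 1, as an added Python example that is not part of the patent: questions are drawn at random, every response must match its stored counterpart, and only then is the shared key for the user's position released. The HMAC-protected responses (standing in for the encrypted-response comparison of claim 17), the one-way key chain that lets a position derive the keys of lower positions, and all names and values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; all names and keys here are hypothetical.
LEVELS = ["director", "manager", "engineer"]  # highest position first
ROOT_KEY = hashlib.sha256(b"constructed-root-key").digest()
VERIFIER_KEY = hashlib.sha256(b"constructed-verifier-key").digest()

def protect(answer: str) -> bytes:
    """Keyed digest of a normalized response; only this form is stored."""
    norm = " ".join(answer.lower().split()).encode()
    return hmac.new(VERIFIER_KEY, norm, hashlib.sha256).digest()

def pick_questions(record: dict, count: int) -> list:
    """Randomly select `count` enrolled questions using the OS CSPRNG."""
    return secrets.SystemRandom().sample(sorted(record), count)

def passes_test(record: dict, asked: list, responses: dict) -> bool:
    """Pass only if every asked question has a matching response."""
    ok = len(asked) > 0
    for q in asked:
        given = protect(responses.get(q, ""))
        ok &= hmac.compare_digest(given, record[q])  # no early exit
    return ok

def derive_lower(key: bytes, position: str, target: str) -> bytes:
    """One-way chain: a position key yields lower keys, never higher ones."""
    i, j = LEVELS.index(position), LEVELS.index(target)
    if j < i:
        raise PermissionError("cannot derive a key for a higher position")
    for name in LEVELS[i + 1:j + 1]:
        key = hmac.new(key, name.encode(), hashlib.sha256).digest()
    return key

def grant(record: dict, asked: list, responses: dict, position: str):
    """Release the shared position key only when the test is passed."""
    if not passes_test(record, asked, responses):
        return None
    return derive_lower(ROOT_KEY, LEVELS[0], position)
```

The test is evaluated against the server's own list of asked questions, so omitting a response counts as a mismatch rather than shortening the test.
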
37 Claims
1. A method of controlling access to a system comprising:
- performing a test that includes comparing multiple input responses to multiple randomly selected questions with multiple corresponding pre-determined responses to the multiple questions; and
- granting access to the system in the event the test is passed, by providing a user with a key for encrypting data on the system, a key for decrypting data on the system, or both keys, wherein the keys correspond to a hierarchical position of the user in an entity owning the data, the keys are shared among all users at the hierarchical position, the keys allow encryption and decryption of data belonging to users at positions lower than the hierarchical position, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A method of controlling access to an area from among different areas of a system, each of the different areas having a different hierarchical security classification, the method comprising:
- selecting a combination of questions for presentation to a user;
- determining access permissions for the user to the area using a vector that associates a hierarchical classification of the user to the access permissions, wherein the vector contains permissions vectors for separate hierarchical classifications in a business entity;
- granting the user access to the area based on both responses to the combination of questions and the access permissions, such that the user can encrypt and decrypt data, automatically, without the user interfering, in the area belonging to users having a classification lower than the hierarchical classification, wherein a same number of questions are answered to determine access permissions to any of the different areas;
- encrypting a response input by the user using an encryption key to generate an encrypted input response; and
- granting access to the system in the event that the encrypted input response matches a corresponding encrypted system response.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25
26. A module for controlling access to a system comprising:
- means for randomly selecting a combination of questions; and
- means for granting access to the system in the event multiple user responses to the questions match corresponding multiple pre-determined responses to the questions, wherein granting access comprises providing a user with a key for encrypting data on the system, a key for decrypting data on the system, or both keys, the keys corresponding to a hierarchical position of the user in an entity, the keys are shared among all users at the hierarchical position, the keys encrypt and decrypt data belonging to users at positions lower than the hierarchical position, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.
Dependent claims: 27, 28, 29, 30
31. A module for controlling access to data on a system comprising:
- a processor;
- a generator component for presenting a randomly selected combination of questions to a user for authenticating the user on the system; and
- a grant component for granting access to encrypt and decrypt the data based on permissions granted to the user and on responses of the user to the combination of questions, wherein the permissions correspond to a hierarchical classification of the user in an entity owning the data, the permissions stored in a single vector comprising a first sub-vector indicating the user's membership in sections of the entity, the sections having different hierarchical levels, and from a second sub-vector indicating access rights to the data for each of the sections, wherein granting access to the system comprises granting access to one of an encryption key, a decryption key, or both, for accessing non-authentication data on the system.
Dependent claims: 32
33. A network of devices comprising:
- one or more user devices; and
- an access control module for granting access to protected data to multiple users using the user devices, wherein the data have different hierarchical levels, access rights to the data for each user from the multiple users is determined in an authorization sequence and is based on a position of the user in an organization, on a vector associating access permissions to the protected data with the position, and on multiple responses of the user to a combination of randomly selected questions, the vector comprising permission vectors for separate hierarchical levels in a business entity, and a number of steps in the authorization sequence is independent of a hierarchical level of the data, wherein the protected data comprises any one or more of an encrypted disk partition, an encrypted file system, an encrypted portion of a database, an encrypted directory, an encrypted electronic folder, file, an encrypted data object, and further wherein encryption is performed automatically, without the user interfering.
Dependent claims: 34, 35
36. A method of granting a user access to encrypted data on a system comprising:
- determining that the user has answered multiple randomly selected questions to thereby verify an identity of the user;
- providing the user a decryption key corresponding to a position of the user in an entity in response to verifying the identity of the user, wherein the decryption key is one of multiple decryption keys for the system each corresponding to a position in the entity;
- determining from a name of the user and the decryption key, an owner, a department, and a data access permissions vector for the user; and
- using the owner, the department, and the data access permissions vector to decrypt the encrypted data, automatically, without the user interfering.
37. A method of granting a user access to data on a system comprising:
- determining that the user has provided pre-determined answers to multiple randomly selected questions, thereby authenticating the user, wherein a number of the questions is independent of a hierarchical classification of the data;
- determining permissions for the user to access the data based on a position of the user in an entity; and
- granting the user access to the data by encrypting the data, decrypting the data, or both using an encryption key and a corresponding decryption key corresponding to the position, wherein each of the encryption key and the decryption key encrypts or decrypts data owned by users at that position and at any lower positions, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.
Specification