System for and method of managing access to a system using combinations of user information

US 8,219,823 B2
Filed: 03/03/2006
Issued: 07/10/2012
Est. Priority Date: 03/04/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling access to a system comprising:

performing a test that includes comparing multiple input responses to multiple randomly selected questions with multiple corresponding pre-determined responses to the multiple questions; and

granting access to the system in the event the test is passed, by providing a user with a key for encrypting data on the system, a key for decrypting data on the system, or both keys, wherein the keys correspond to a hierarchical position of the user in an entity owning the data, the keys are shared among all users at the hierarchical position, the keys allow encryption and decryption of data belonging to users at positions lower than the hierarchical position, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems for and methods of controlling access to computer systems. A method in accordance with the present invention comprises performing a test that includes comparing input responses to randomly selected questions with corresponding pre-determined responses to the questions and granting access to the system in the event the test is passed. A first condition of passing the test is that each input response matches a corresponding pre-determined response. Once passing the test, the user is granted permissions to access data based on his position. For example, a corporate director generally has greater permissions than an engineer. Preferably, the user'"'"'s permissions determine an encryption key and a decryption key that the user is able to use to access protected data.

61 Citations

View as Search Results

37 Claims

1. A method of controlling access to a system comprising:
- performing a test that includes comparing multiple input responses to multiple randomly selected questions with multiple corresponding pre-determined responses to the multiple questions; and
  
  granting access to the system in the event the test is passed, by providing a user with a key for encrypting data on the system, a key for decrypting data on the system, or both keys, wherein the keys correspond to a hierarchical position of the user in an entity owning the data, the keys are shared among all users at the hierarchical position, the keys allow encryption and decryption of data belonging to users at positions lower than the hierarchical position, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein a first condition of passing the test is that each input response from the multiple input responses matches a corresponding one of the multiple pre-determined responses.
  - 3. The method of claim 1, further comprising presenting the multiple questions sequentially.
  - 4. The method of claim 1, further comprising presenting the multiple questions concurrently.
  - 5. The method of claim 1, further comprising presenting questions and candidate responses in a multiple choice format.
  - 6. The method of claim 1, wherein a first condition of passing the test is providing responses to only a pre-determined subset of the multiple questions presented to a user.
  - 7. The method of claim 1, wherein granting access to the system comprises decrypting non-authentication information on the system using a decryption key.
  - 8. The method of claim 1, further comprising selecting a question from the multiple questions for presentation based on a time that the question was last displayed.
  - 9. The method of claim 1, further comprising selecting a question from the multiple questions for presentation based on a number of times the question was displayed within a pre-determined time period.
  - 10. The method of claim 1, further comprising authorizing a user to access the system only if the user answers the questions in a pre-determined user-selected sequence different from a sequence presented to the user, does not answer one or more pre-determined user-selected questions presented to the user, or supplies a corresponding pre-determined user-selected incorrect answer to one or more of the questions.
  - 11. The method of claim 1, wherein the keys are of multiple encryption and decryption keys having increasing rights of access to the system.
  - 12. The method of claim 2, wherein a pre-determined response from the multiple pre-determined responses is a pre-determined correct answer that corresponds to a question from the multiple questions.
  - 13. The method of claim 2, wherein a pre-determined response from the multiple pre-determined responses is a pre-determined incorrect answer to a question from the multiple questions.
  - 14. The method of claim 2, wherein a second condition of passing the test is entering the multiple input responses into the system during the test in a pre-determined sequence different from the sequence that the multiple questions are displayed during the test.
  - 15. The method of claim 5, further comprising presenting candidate responses that include both correct and incorrect answers to the multiple questions.
  - 16. The method of claim 6, wherein the test is failed by selecting a question from the multiple questions for which there is no corresponding pre-determined response.

17. A method of controlling access to an area from among different areas of a system, each of the different areas having a different hierarchical security classification, the method comprising:
- selecting a combination of questions for presentation to a user;
  
  determining access permissions for the user to the area using a vector that associates a hierarchical classification of the user to the access permissions, wherein the vector contains permissions vectors for separate hierarchical classifications in a business entity;
  
  granting the user access to the area based on both responses to the combination of questions and the access permissions, such that the user can encrypt and decrypt data, automatically, without the user interfering, in the area belonging to users having a classification lower than the hierarchical classification, wherein a same number of questions are answered to determine access permissions to any of the different areas;
  
  encrypting a response input by the user using an encryption key to generate an encrypted input response; and
  
  granting access to the system in the event that the encrypted input response matches a corresponding encrypted system response.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, wherein the classification corresponds to a membership of the user in one or more of a corporation, a division, a department, a group, and a project.
  - 19. The method of claim 17, wherein the area of the system corresponds to any one or more of a disk partition, a file system, a portion of a database, a directory, an electronic folder, an electronic file, and a data object.
  - 20. The method of claim 17, wherein the combination of questions is randomly selected.
  - 21. The method of claim 17, wherein granting access to the area comprises determining permissions to the area corresponding to the classification.
  - 22. The method of claim 17, wherein the classification has a hierarchical structure that corresponds to an organizational structure of an entity.
  - 23. The method of claim 20, further comprising displaying the combination of questions using a user interface protocol.
  - 24. The method of claim 23, wherein the user interface protocol comprises displaying candidate responses to the questions as multiple choices.
  - 25. The method of claim 17, wherein granting access to the system comprises decrypting the area of the system using a decryption key corresponding to the encryption key.

26. A module for controlling access to a system comprising:
- means for randomly selecting a combination of questions; and
  
  means for granting access to the system in the event multiple user responses to the questions match corresponding multiple pre-determined responses to the questions, wherein granting access comprises providing a user with a key for encrypting data on the system, a key for decrypting data on the system, or both keys, the keys corresponding to a hierarchical position of the user in an entity, the keys are shared among all users at the hierarchical position, the keys encrypt and decrypt data belonging to users at positions lower than the hierarchical position, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The module of claim 26, further comprising means for presenting the combination of questions.
  - 28. The module of claim 26, wherein the means for randomly selecting a combination of questions comprises a memory for storing information for tracking questions presented to a user.
  - 29. The module of claim 27, wherein the means for presenting displays the combination of questions sequentially.
  - 30. The module of claim 27, wherein the means for presenting displays the combination of questions concurrently.

31. A module for controlling access to data on a system comprising:
- a processor;
  
  a generator component for presenting a randomly selected combination of questions to a user for authenticating the user on the system; and
  
  a grant component for granting access to encrypt and decrypt the data based on permissions granted to the user and on responses of the user to the combination of questions, wherein the permissions correspond to a hierarchical classification of the user in an entity owning the data, the permissions stored in a single vector comprising a first sub-vector indicating the user'"'"'s membership in sections of the entity, the sections having different hierarchical levels, and from a second sub-vector indicating access rights to the data for each of the sections, wherein granting access to the system comprises granting access to one of an encryption key, a decryption key, or both, for accessing non-authentication data on the system.
- View Dependent Claims (32)
- - 32. The module of claim 31, wherein the classification of the user corresponds to any one or more of a corporation identifier, a division identifier, a business identifier, a department identifier, a group identifier, and a user identifier.

33. A network of devices comprising:
- one or more user devices; and
  
  an access control module for granting access to protected data to multiple users using the user devices, wherein the data have different hierarchical levels, access rights to the data for each user from the multiple users is determined in an authorization sequence and is based on a position of the user in an organization, on a vector associating access permissions to the protected data with the position, and on multiple responses of the user to a combination of randomly selected questions, the vector comprising permission vectors for separate hierarchical levels in a business entity, and a number of steps in the authorization sequence is independent of a hierarchical level of the data, wherein the protected data comprises any one or more of an encrypted disk partition, an encrypted file system, an encrypted portion of a database, an encrypted directory, an encrypted electronic folder, file, an encrypted data object, and further wherein encryption is performed automatically, without the user interfering.
- View Dependent Claims (34, 35)
- - 34. The network of claim 33, wherein the position of a user corresponds to a membership of a user in any one of a corporate unit, a division, a business unit, a department, a group, and a team.
  - 35. The network of claim 33, wherein the vector associates multiple hierarchical positions with multiple access permissions.

36. A method of granting a user access to encrypted data on a system comprising:
- determining that the user has answered multiple randomly selected questions to thereby verify an identity of the user;
  
  providing the user a decryption key corresponding to a position of the user in an entity in response to verifying the identity of the user, wherein the decryption key is one of multiple decryption keys for the system each corresponding to a position in the entity;
  
  determining from a name of the user and the decryption key, an owner, a department, and a data access permissions vector for the user; and
  
  using the owner, the department, and the data access permissions vector to decrypt the encrypted data, automatically, without the user interfering.

37. A method of granting a user access to data on a system comprising:
- determining that the user has provided pre-determined answers to multiple randomly selected questions, thereby authenticating the user, wherein a number of the questions is independent of a hierarchical classification of the data;
  
  determining permissions for the user to access the data based on a position of the user in an entity; and
  
  granting the user access to the data by encrypting the data, decrypting the data, or both using an encryption key and a corresponding decryption key corresponding to the position, wherein each of the encryption key and the decryption key encrypts or decrypts data owned by users at that position and at any lower positions, and encryption and decryption are performed automatically, without the user interfering, in response to write and read commands, respectively, on the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Encrypthentica Limited
Original Assignee
Encrypthentica Limited
Inventors
Carter, Ernst B.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US11/367,085
Publication Number

US 20070107051A1
Time in Patent Office

2,321 Days
Field of Search

726/21, 726/2, 713/202, 713182-183, 713/166, 713/186, 707/749, 707/784, 707/786
US Class Current

713/182
CPC Class Codes

G06F 21/31 User authentication

G06F 21/6218 to a system of files or obj...

System for and method of managing access to a system using combinations of user information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

System for and method of managing access to a system using combinations of user information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others