Systems and methods for securely managing access to data

US 8,261,320 B1
Filed: 06/30/2008
Issued: 09/04/2012
Est. Priority Date: 06/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely managing access to data, the method comprising:

identifying a request to access encrypted data, the request being made by an application running on an insecure platform;

determining that a requestor has a right to access the encrypted data;

decrypting the encrypted data to provide decrypted data;

in response to identifying the request to access encrypted data and determining that the requestor has the right to access the encrypted data, permitting a secure platform to access the decrypted data, wherein;

an authorization platform performs at least one of the steps of identifying, including, submitting, receiving, decrypting, and permitting;

the insecure platform comprises an insecure virtual machine;

the secure platform comprises a first secure virtual machine;

the authorization platform comprises a second secure virtual machine;

a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;

the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the request to access the encrypted data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. The method may: determine that a requestor has a right to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A computer-implemented method for securely managing access to data may comprise identifying a request to access data that is encrypted, the request being made within an insecure platform. They method may: submit the request to a policy server, receive permission from the policy server to access the data, decrypt the data to provide decrypted data, and permit a secure platform to access the decrypted data. A system for securely managing access to data may comprise: an authorization platform, an authentication module, a policy-enforcement module, and a cryptography module.

98 Citations

View as Search Results

17 Claims

1. A computer-implemented method for securely managing access to data, the method comprising:
- identifying a request to access encrypted data, the request being made by an application running on an insecure platform;
  
  determining that a requestor has a right to access the encrypted data;
  
  decrypting the encrypted data to provide decrypted data;
  
  in response to identifying the request to access encrypted data and determining that the requestor has the right to access the encrypted data, permitting a secure platform to access the decrypted data, wherein;
  
  an authorization platform performs at least one of the steps of identifying, including, submitting, receiving, decrypting, and permitting;
  
  the insecure platform comprises an insecure virtual machine;
  
  the secure platform comprises a first secure virtual machine;
  
  the authorization platform comprises a second secure virtual machine;
  
  a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
  
  the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the request to access the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - the secure platform comprises a viewer/editor guest operating system secured by a hypervisor that manages the viewer/editor guest operating system and the insecure platform;
      
      the viewer/editor guest operating system has limited access to input/output devices.
  - 3. The computer-implemented method of claim 1, wherein the request comprises at least one of:
    - the encrypted data;
      
      an access-policy associated with the encrypted data;
      
      a proof of the right of the requestor to access the encrypted data.
  - 4. The computer-implemented method of claim 3, wherein determining that the requestor has the right to access the encrypted data further comprises:
    - determining, based on the proof and the access-policy, to allow access to the encrypted data;
      
      decrypting the encrypted data using a locally-stored decryption key.
  - 5. The computer-implemented method of claim 3, wherein determining that the requestor has the right to access the encrypted data further comprises:
    - including a signature with the request;
      
      submitting the request and the signature to a policy server, the policy server determining that the requestor has the right to access the encrypted data;
      
      receiving a decryption key from the policy server.
  - 6. The computer-implemented method of claim 1, wherein the hypervisor creates a communications channel between the first secure virtual machine and the authorization platform by allocating a region of memory that is:
    - shared by the first secure virtual machine and the proof-carrying authorization platform;
      
      secured against access by the insecure virtual machine.
  - 7. The computer-implemented method of claim 6, wherein:
    - the region of memory comprises curtained memory that prevents programs running on the insecure platform from accessing the decrypted data while the secure platform is allowed access to the decrypted data.

8. A computer-implemented method for securely managing access to data, the method comprising:
- identifying a request to access encrypted data, the request being made by an application running on an insecure platform;
  
  submitting the request to a policy server;
  
  receiving permission from the policy server to access the encrypted data;
  
  decrypting the encrypted data to provide decrypted data;
  
  instead of permitting the decrypted data to be accessed via the insecure platform from which the data was requested, permitting a secure platform to access the decrypted data, wherein;
  
  an authorization platform performs at least one of the steps of identifying, submitting, receiving, decrypting, and permitting;
  
  the insecure platform comprises an insecure virtual machine;
  
  the secure platform comprises a first secure virtual machine;
  
  the authorization platform comprises a second secure virtual machine;
  
  a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
  
  the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the request to access the encrypted data.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The computer-implemented method of claim 8, wherein:
    - the request to access the encrypted data comprises at least one of;
      
      the encrypted data;
      
      an access-policy associated with the encrypted data;
      
      a proof of a right of a requestor to access the encrypted data;
      
      submitting the request to the policy server comprises;
      
      including a signature with the request;
      
      submitting the request and the signature to the policy server.
  - 10. The computer-implemented method of claim 8, wherein:
    - the secure platform is programmed to enable at least one of;
      
      viewing the decrypted data;
      
      editing the decrypted data;
      
      the hypervisor limits I/O access of the first and second secure virtual machines to local I/O devices.
  - 11. The computer-implemented method of claim 10, wherein the local I/O devices consist of one or more of:
    - a keyboard;
      
      a mouse;
      
      a video card.
  - 12. The computer-implemented method of claim 8, further comprising:
    - creating a secure virtual network that facilitates communication between the secure platform and the proof-carrying authorization platform.
  - 13. The computer-implemented method of claim 8, wherein:
    - the insecure platform receives the encrypted data from a remote network device;
      
      the authorization platform receives the request to access the encrypted data, wherein identifying the request comprises receiving the request.
  - 14. The computer-implemented method of claim 8, wherein:
    - identifying the request to access encrypted data comprises receiving a request to create a file.
  - 15. The computer-implemented method of claim 14, further comprising:
    - creating the file, the file being created by an application running on the secure platform;
      
      encrypting the file to create the encrypted data;
      
      associating an access policy with the encrypted data.
  - 16. The computer-implemented method of claim 15, further comprising:
    - receiving a definition of the access policy from a user.

17. A system for securely managing access to data, the system comprising:
- an authorization platform programmed to receive a data-access request from an insecure platform;
  
  an authentication module in communication with the authorization platform, the authentication module being programmed to provide identity information of a user;
  
  a policy-enforcement module in communication with the authorization platform, the policy-enforcement module being programmed to use the identity information to determine whether to approve the data-access request;
  
  a cryptography module programmed to decrypt data identified by the data-access request to allow the data to be accessed on a secure platform instead of permitting the decrypted data to be accessed via the insecure platform from which the data was requested, wherein;
  
  the insecure platform comprises an insecure virtual machine;
  
  the secure platform comprises a first secure virtual machine;
  
  the authorization platform comprises a second secure virtual machine;
  
  a hypervisor manages the insecure virtual machine, the first secure virtual machine, and the second secure virtual machine;
  
  the authorization platform comprises a proof-carrying authorization platform that facilitates authentication information being included with the data-access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Witten, Brian, Serenyi, Denis
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/165,146
Time in Patent Office

1,527 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 16/958 Organisation or management ...

Systems and methods for securely managing access to data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for securely managing access to data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others