Cryptographically controlling access to documents
Abstract
Aspects of the subject matter described herein relate to cryptographically controlling access to documents. In aspects, documents are encrypted to protect them from unauthorized access. A security principal seeking to access a document first obtains the document. The document includes an identifier that identifies security data associated with the document. The security data includes an encrypted portion that includes authorizations for security principals that have access to the document. A security principal having the appropriate key can decrypt its authorization in the security data to obtain one or more other keys that may be used to access the document. These other keys correspond to access rights that the security principal has with respect to the document.
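The scheme in the abstract, sketched as an added example (it is not code from the patent): a document points to its security data, each principal's authorization entry is encrypted under that principal's key, and decrypting the entry yields the key for the access right. The HMAC-based `seal`/`unseal` pair is a standard-library stand-in for an authenticated cipher; the function names, the JSON layout and the single `read` right are assumptions.

```python
import hashlib, hmac, json, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()   # separate enc/mac subkeys

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (toy stand-in for a real AEAD cipher)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise PermissionError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def protect(doc_id, body, grants):
    """grants maps principal -> (principal_key, [actions]); returns (document, security_data)."""
    action_keys = {"read": os.urandom(32)}          # one key per access right
    entries = {}
    for who, (pkey, actions) in grants.items():
        auth = {a: action_keys[a].hex() for a in actions}
        entries[who] = seal(pkey, json.dumps(auth).encode())   # encrypted authorization
    sec_id = "sec:" + doc_id
    document = {"id": doc_id, "security_id": sec_id, "data": seal(action_keys["read"], body)}
    return document, {"id": sec_id, "authorizations": entries}

def read_document(document, store, who, pkey):
    sec = store[document["security_id"]]            # follow the identifier in the document
    if who not in sec["authorizations"]:
        raise PermissionError("no authorization entry for " + who)
    auth = json.loads(unseal(pkey, sec["authorizations"][who]))
    if "read" not in auth:
        raise PermissionError("entry grants no read key")
    return unseal(bytes.fromhex(auth["read"]), document["data"])

def demo():
    alice, bob = os.urandom(32), os.urandom(32)     # constructed principal keys
    doc, sec = protect("doc-1", b"quarterly numbers", {"alice": (alice, ["read"]), "bob": (bob, [])})
    store = {sec["id"]: sec}                        # untrusted store holds only ciphertext
    return doc, store, alice, bob
```

The store never sees a plaintext key or document body, so a read succeeds only for a principal whose own key opens an entry that carries the `read` key.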
23 Claims
1. A computer storage medium, not consisting of signals, having computer-executable instructions, which when executed perform actions, comprising:
- obtaining a first document that includes a first identifier that identifies a second document;
- obtaining a first key from security information associated with the first document;
- obtaining the second document, which includes encrypted data, at a first device from a data store that is located external to the first device using the first key, the second document including a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted;
- decrypting at least a portion of the security data at the first device using the first key to obtain an indication of an action that is authorized with respect to the second document, the indication including a second key that corresponds to the action; and
- using the second key at the first device to perform the action, including using the second key for decryption of the encrypted data.
13. A method implemented at least in part by a computer, the method comprising:
- receiving a first request for a first document;
- in response to the first request, sending the first document including a first identifier that identifies a second document;
- receiving a second request for a second document that includes encrypted data based on the first identifier, the second document including a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted, the at least some of the security data that is encrypted being configured for decryption using a first key from security information associated with the first document to obtain an indication of an action that is authorized with respect to accessing the second document, the indication including a second key configured to be used for the decryption of the encrypted data to perform the action; and
- in response to the second request, sending the second document using a processing unit based on the first key.
18. In a computing environment, an apparatus, comprising:
- one or more processors;
- a requesting component, implemented using at least one of the one or more processors, configured to request a first document that includes a first identifier that identifies a second document, the requesting component further configured to request access to the second document, which includes a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted, the at least some of the security data being configured for decryption using a first key from security information associated with the first document to obtain an indication of an action that is authorized with respect to the second document, the indication including a second key that corresponds to the action;
- a document locator, implemented using at least one of the one or more processors, configured to determine a location of the second document; and
- a cryptographic component, implemented using at least one of the one or more processors, configured to use the first key to obtain the second document from the location, the cryptographic component further configured to use the second key to decrypt an encrypted portion of the second document to perform the action on the second document.
21. A computer storage medium, not consisting of signals, having computer-executable instructions, which when executed perform actions, comprising:
- obtaining a first version of a document that includes a first identifier that identifies a second version of the document;
- obtaining a first key from security information associated with the first version of the document;
- obtaining the second version of the document, which includes encrypted data, at a first device from a data store that is located external to the first device using the first key, the second version of the document including a second identifier that identifies security data associated with the second version of the document, at least some of the security data being encrypted;
- decrypting at least a portion of the security data at the first device using the first key to obtain an indication of an action that is authorized with respect to the second version of the document, the indication including a second key that corresponds to the action; and
- using the second key at the first device to perform the action, including using the second key for decryption of the encrypted data.
Specification