Cryptographically controlling access to documents

US 8,266,706 B2
Filed: 01/26/2007
Issued: 09/11/2012
Est. Priority Date: 01/26/2007
Status: Active Grant

First Claim

Patent Images

1. A computer storage medium, not consisting of signals, having computer-executable instructions, which when executed perform actions, comprising:

obtaining a first document that includes a first identifier that identifies a second document;

obtaining a first key from security information associated with the first document;

obtaining the second document, which includes encrypted data, at a first device from a data store that is located external to the first device using the first key, the second document including a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted;

decrypting at least a portion of the security data at the first device using the first key to obtain an indication of an action that is authorized with respect to the second document, the indication including a second key that corresponds to the action; and

using the second key at the first device to perform the action, including using the second key for decryption of the encrypted data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the subject matter described herein relate to cryptographically controlling access to documents. In aspects, documents are encrypted to protect them from unauthorized access. A security principal seeking to access a document first obtains the document. The document includes an identifier that identifies security data associated with the document. The security data includes an encrypted portion that includes authorizations for security principals that have access to the document. A security principal having the appropriate key can decrypt its authorization in the security data to obtain one or more other keys that may be used to access the document. These other keys correspond to access rights that the security principal has with respect to the document.

Citations

23 Claims

1. A computer storage medium, not consisting of signals, having computer-executable instructions, which when executed perform actions, comprising:
- obtaining a first document that includes a first identifier that identifies a second document;
  
  obtaining a first key from security information associated with the first document;
  
  obtaining the second document, which includes encrypted data, at a first device from a data store that is located external to the first device using the first key, the second document including a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted;
  
  decrypting at least a portion of the security data at the first device using the first key to obtain an indication of an action that is authorized with respect to the second document, the indication including a second key that corresponds to the action; and
  
  using the second key at the first device to perform the action, including using the second key for decryption of the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer storage medium of claim 1, wherein obtaining the second document further comprises receiving the second document from the data store through at least an intermediary device.
  - 3. The computer storage medium of claim 1, further comprising sending a request for the security data and providing the second identifier with the request.
  - 4. The computer storage medium of claim 1, wherein the action comprises changing what entities are allowed to access the second document.
  - 5. The computer storage medium of claim 1, wherein the action comprises indicating that a document was modified at an indicated time.
  - 6. The computer storage medium of claim 1, wherein the action comprises creating a new version of the second document.
  - 7. The computer storage medium of claim 1, wherein the security data is included in the second document.
  - 8. The computer storage medium of claim 1, wherein the security data is not included in the second document.
  - 9. The computer storage medium of claim 1, wherein the second identifier is a hash of fields that are included in the security data.
  - 10. The computer storage medium of claim 1, wherein the second key that corresponds to the action is an encrypted key;
    - wherein the computer-executable instructions, when executed perform the actions, further comprising decrypting the encrypted key to provide a decrypted key; and
      
      wherein the computer-executable instructions for using the second key at the first device comprise computer-executable instructions for using the decrypted key to perform the action.
  - 11. The computer storage medium of claim 1, wherein the computer-executable instructions for using the second key at the first device comprise computer-executable instructions for using the second key to decrypt at least one third key that is included in the security data and for using the at least one third key to perform the action.
  - 12. The computer storage medium of claim 11, wherein the computer-executable instructions for using the second key at the first device comprise computer-executable instructions for decrypting the encrypted data using the at least one third key to perform the action.

13. A method implemented at least in part by a computer, the method comprising:
- receiving a first request for a first document;
  
  in response to the first request, sending the first document including a first identifier that identifies a second document;
  
  receiving a second request for a second document that includes encrypted data based on the first identifier, the second document including a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted, the at least some of the security data that is encrypted being configured for decryption using a first key from security information associated with the first document to obtain an indication of an action that is authorized with respect to accessing the second document, the indication including a second key configured to be used for the decryption of the encrypted data to perform the action; and
  
  in response to the second request, sending the second document using a processing unit based on the first key.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the second request was sent from a first device and wherein sending the second document comprises sending the second document to a second device in route to the first device.
  - 15. The method of claim 13, further comprising, forwarding the second request to a device that stores the second document and receiving the second document from the device before sending the second document.
  - 16. The method of claim 13, wherein the second request is received by a device that has access to a storage device upon which the second document is stored and further comprising retrieving the second document from the storage device.
  - 17. The method of claim 13, wherein the action that is authorized with respect to accessing the second document comprises decrypting the encrypted data included in the second document.

18. In a computing environment, an apparatus, comprising:
- one or more processors;
  
  a requesting component, implemented using at least one of the one or more processors, configured to request a first document that includes a first identifier that identifies a second document, the requesting component further configured to request access to the second document, which includes a second identifier that identifies security data associated with the second document, at least some of the security data being encrypted, the at least some of the security data being configured for decryption using a first key from security information associated with the first document to obtain an indication of an action that is authorized with respect to the second document, the indication including a second key that corresponds to the action;
  
  a document locator, implemented using at least one of the one or more processors, configured to determine a location of the second document; and
  
  a cryptographic component, implemented using at least one of the one or more processors, configured to use the first key to obtain the second document from the location, the cryptographic component further configured to use the second key to decrypt an encrypted portion of the second document to perform the action on the second document.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, further comprising a security data component configured to obtain the security data.
  - 20. The apparatus of claim 18, wherein the location of the second document comprises a data store external to a device upon which the requesting component operates.

21. A computer storage medium, not consisting of signals, having computer-executable instructions, which when executed perform actions, comprising:
- obtaining a first version of a document that includes a first identifier that identifies a second version of the document;
  
  obtaining a first key from security information associated with the first version of the document;
  
  obtaining the second version of the document, which includes encrypted data, at a first device from a data store that is located external to the first device using the first key, the second version of the document including a second identifier that identifies security data associated with the second version of the document, at least some of the security data being encrypted;
  
  decrypting at least a portion of the security data at the first device using the first key to obtain an indication of an action that is authorized with respect to the second version of the document, the indication including a second key that corresponds to the action; and
  
  using the second key at the first device to perform the action, including using the second key for decryption of the encrypted data.
- View Dependent Claims (22, 23)
- - 22. The computer storage medium of claim 21, wherein the computer- executable instructions for using the second key at the first device comprise computer-executable instructions for using the second key to decrypt at least one third key that is included in the security data and for using the at least one third key to perform the action.
  - 23. The computer storage medium of claim 21, wherein the second identifier includes a hash of fields that are included in the security data;
    - wherein at least one of the fields includes one or more authorizations for one or more respective security principals that are to have access to the second version of the document;
      
      wherein the computer-executable instructions, when executed perform the actions, further comprising;
      
      using an authorization in the one or more authorizations to decrypt the second key; and
      
      wherein the computer-executable instructions for using the second key at the first device comprise computer-executable instructions for using the second key at the first device in response to the authorization being used to decrypt the second key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Reid, Colin Wilson
Primary Examiner(s)
Zee, Edward

Application Number

US11/698,369
Publication Number

US 20080184039A1
Time in Patent Office

2,055 Days
Field of Search

726 26- 30, 707/9
US Class Current

726/26
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

Cryptographically controlling access to documents

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographically controlling access to documents

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links