Method and system for protecting electronic data in enterprise environment

US 8,341,407 B2
Filed: 04/01/2011
Issued: 12/25/2012
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

reading a classification level of a secured file from a header portion of the secured file; and

decrypting, by a computing machine, a file key using a clearance key, in response to a security clearance level of the clearance key being greater than or equal to the classification level of the secured file,wherein the file key is encrypted in a portion of the secured file, andwherein at least two user identifiers are assigned a security clearance level corresponding to the security clearance level of the clearance key, the at least two user identifiers are thereby granted access to use the clearance key, and represent members of a group of users assigned to the security clearance level, and access to use the clearance key is granted to members in the group, such that members in the group can access the secured file with the clearance key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Even with proper access privilege, when a secured file is classified, at least security clearance (e.g. a clearance key) is needed to ensure those who have the right security clearance can ultimately access the contents in the classified secured file. According to one embodiment, referred to as a two-0pronged access scheme, a security clearance key is generated and assigned in accordance with a user'"'"'s security access level. A security clearance key may range from most classified to non-classified. Depending on implementation, a security clearance key with a security level may be so configured that the key can be used to access secured files classified at or lower than the security level or multiple auxiliary keys are provided when a corresponding security clearance key is being requested. The auxiliary keys are those keys generated to facilitate access to secured files classified respectively less than the corresponding security or confidentiality level.

Citations

27 Claims

1. A method comprising:
- reading a classification level of a secured file from a header portion of the secured file; and
  
  decrypting, by a computing machine, a file key using a clearance key, in response to a security clearance level of the clearance key being greater than or equal to the classification level of the secured file,wherein the file key is encrypted in a portion of the secured file, andwherein at least two user identifiers are assigned a security clearance level corresponding to the security clearance level of the clearance key, the at least two user identifiers are thereby granted access to use the clearance key, and represent members of a group of users assigned to the security clearance level, and access to use the clearance key is granted to members in the group, such that members in the group can access the secured file with the clearance key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein reading the classification level comprises reading the classification level from a set of a plurality of classification levels.
  - 3. The method of claim 1, wherein the at least two user identifiers are assigned to the security clearance level based on a level of trust of users associated with the at least two user identifiers in an organization.
  - 4. The method of claim 3, wherein the level of trust pertains to job responsibility of the users associated with the at least two user identifiers in the organization or a role of the users associated with the at least two user identifiers in a task.
  - 5. The method of claim 3, wherein at least one of the users associated with the at least two user identifiers is a human user, a group of users or a member thereof, a software agent, a device, or an application.
  - 6. The method of claim 1, wherein at least one of the at least two user identifiers is additionally associated with a user key.
  - 7. The method of claim 6, wherein the header portion of the secured file is encrypted, further comprising decrypting the header portion with the user key after authentication by the at least one of the at least two user identifiers associated with the user key.
  - 8. The method of claim 7, wherein decrypting the header portion of the secured file comprises accessing an encrypted version of the file key.
  - 9. The method of claim 1, further comprising:
    - releasing or activating the clearance key for a corresponding user identifier of the at least two user identifiers when the corresponding user identifier is accessing the secured file.

10. A non-transitory computer-readable storage medium having instructions stored thereon, execution of which, by a computing device, causes the computing device to perform operations comprising:
- reading a classification level of a secured file from a header portion of the secured file; and
  
  decrypting a file key using a clearance key, in response to a security clearance level of the clearance key being greater than or equal to the classification level of the secured file,wherein the file key is encrypted in a portion of the secured file, andwherein at least two user identifiers are assigned a security clearance level corresponding to the security clearance level of the clearance key, the at least two user identifiers are thereby granted access to use the clearance key, and represent members of a group of users assigned to the security clearance level, and access to use the clearance key is granted to members in the group, such that members in the group can access the secured file with the clearance key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable storage medium of claim 10, wherein reading the classification level comprises reading the classification level from a set of a plurality of classification levels.
  - 12. The non-transitory computer-readable storage medium of claim 10, wherein the at least two user identifiers are assigned to the security clearance level based on a level of trust of users associated with the at least two user identifiers in an organization.
  - 13. The non-transitory computer-readable storage medium of claim 12, wherein the level of trust pertains to job responsibility of the users associated with the at least two user identifiers in the organization or a role of the users associated with the at least two user identifiers in a task.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein at least one of the users associated with the at least two user identifiers is a human user, a group of users or a member thereof, a software agent, a device, or an application.
  - 15. The non-transitory computer-readable storage medium of claim 10, wherein at least one of the at least two user identifiers is additionally associated with a user key.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the header portion of the secured file is encrypted, further comprising decrypting the header portion with the user key after authentication by the at least one of the at least two user identifiers associated with the user key.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein decrypting the header portion of the secured file comprises accessing an encrypted version of the file key.
  - 18. The non-transitory computer-readable storage medium of claim 10, the operations further comprising:
    - releasing or activating the clearance key for a corresponding user identifier of the at least two user identifiers when the corresponding user identifier is accessing the secured file.

19. A system comprising:
- one or more processors; and
  
  a memory storing software modules executed by the one or more processors comprising;
  
  a reading module configured to read a classification level of a secured file from a header portion of the secured file, anda decrypting module configured to decrypt a file key using a clearance key, in response to a security clearance level of the clearance key being greater than or equal to the classification level of the secured file,wherein the file key is encrypted in a portion of the secured file, andwherein at least two user identifiers are assigned a security clearance level corresponding to the security clearance level of the clearance key, the at least two user identifiers are thereby granted access to use the clearance key, and represent members of a group of users assigned to the security clearance level, and access to use the clearance key is granted to members in the group, such that members in the group can access the secured file with the clearance key.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19, wherein reading the classification level comprises reading the classification level from a set of a plurality of classification levels.
  - 21. The system of claim 19, wherein the at least two user identifiers are assigned to the security clearance level based on a level of trust of users associated with the at least two user identifiers in an organization.
  - 22. The system of claim 21, wherein the level of trust pertains to job responsibility of the users associated with the at least two user identifiers in the organization or a role of the users associated with the at least two user identifiers in a task.
  - 23. The system of claim 21, wherein at least one of the users associated with the at least two user identifiers is a human user, a group of users or a member thereof, a software agent, a device, or an application.
  - 24. The system of claim 19, wherein at least one of the at least two user identifiers is additionally associated with a user key.
  - 25. The system of claim 24, wherein the header portion of the secured file is encrypted, further comprising decrypting the header portion with the user key after authentication by the at least one of the at least two user identifiers associated with the user key.
  - 26. The system of claim 25, wherein decrypting the header portion of the secured file comprises accessing an encrypted version of the file key.
  - 27. The system of claim 19, further comprising:
    - a releasing or activating module configured to release or activate the clearance key for a corresponding user identifier of the at least two user identifiers when the corresponding user identifier is accessing the secured file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC (Intellectual Ventures LLC)
Inventors
Kinghorn, Gary Mark, Garcia, Denis Jacques Paul
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/078,109
Publication Number

US 20110296199A1
Time in Patent Office

634 Days
Field of Search

713/166, 713/182, 713/189, 713/160, 726/2, 380/277
US Class Current

713/166
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Method and system for protecting electronic data in enterprise environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting electronic data in enterprise environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links