Managing access to a resource

US 8,539,228 B1
Filed: 08/24/2006
Issued: 09/17/2013
Est. Priority Date: 08/24/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of managing access to a plurality of resources in a computer system, the method comprising:

associating first and second access rights with an application resource by a security driver separate from an operating system of the a computing device of the computer system,wherein the computer system comprises at least one processor and operatively associated memory,wherein the security driver is executed by the computing device and logically positioned between an application associated with the application resource and a data storage of the computing device, wherein the application is executed by the computing device,wherein the first access right defines a level of access granted to the application to a first resource selected from the plurality of resources,wherein the second access right defines a level of access granted to the application to a second resource selected from the plurality of resources,wherein the first access right comprises first authentication data for allowing the application access to an encryption key store to retrieve a first encryption key corresponding to the first resource and stored at the encryption key store in response to a first request from the application to access the first resource, wherein the encryption key store is located at a second computing device of the computer system,wherein the second access right comprises second authentication data for allowing the application to access the encryption key store to retrieve a second encryption key corresponding to the second resource and stored at the encryption key store in response to a second request from the application to access the second resource, andwherein the associating comprises incorporating the first access right, the second access right and the application resource in a single file; and

digitally signing the first access right, the second access right and the application resource by the security driver with a single digital signature.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of managing access to at least one resource in a computer system. The methods may comprise the step of associating access rights with an application resource. The access rights may define a level of access to the resource granted to the application. The methods may also comprise the step of digitally signing the access rights and the application resource. In various embodiments, the associating may comprise incorporating the access rights into a stream of a file including the application resource. Also, in various embodiments, the associating may comprise incorporating the access rights into an extended attribute of a file including the application resource.

Citations

14 Claims

1. A computer-implemented method of managing access to a plurality of resources in a computer system, the method comprising:
- associating first and second access rights with an application resource by a security driver separate from an operating system of the a computing device of the computer system,wherein the computer system comprises at least one processor and operatively associated memory,wherein the security driver is executed by the computing device and logically positioned between an application associated with the application resource and a data storage of the computing device, wherein the application is executed by the computing device,wherein the first access right defines a level of access granted to the application to a first resource selected from the plurality of resources,wherein the second access right defines a level of access granted to the application to a second resource selected from the plurality of resources,wherein the first access right comprises first authentication data for allowing the application access to an encryption key store to retrieve a first encryption key corresponding to the first resource and stored at the encryption key store in response to a first request from the application to access the first resource, wherein the encryption key store is located at a second computing device of the computer system,wherein the second access right comprises second authentication data for allowing the application to access the encryption key store to retrieve a second encryption key corresponding to the second resource and stored at the encryption key store in response to a second request from the application to access the second resource, andwherein the associating comprises incorporating the first access right, the second access right and the application resource in a single file; and
  
  digitally signing the first access right, the second access right and the application resource by the security driver with a single digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the associating comprises incorporating the first and second access rights into at least one stream of the file including the application resource.
  - 3. The method of claim 2, wherein the operating system of the computer system includes support for streams.
  - 4. The method of claim 1, wherein the access rights comprises data organized according to at least one of a binary format, an Extensible Markup Language (XML) script, and a Security Descriptor Definition Language (SDDL) script.
  - 5. The method of claim 1, wherein the first access right comprises a privilege setting within the computer system to be given to the application.
  - 6. The method of claim 1, wherein the first access right comprises a reference to a key for decrypting the at least one resource.
  - 7. The method of claim 1, wherein the digital signing is performed by an authorized entity within the computer system.
  - 8. The method of claim 1, wherein the plurality of resources includes at least one of the group consisting of a data unit and an executable.

9. A computer implemented method of managing access to a plurality of resources in a computer system, the method comprising:
- receiving a request from an application executed by a computing device of the computer system to access a first resource selected from the plurality of resources;
  
  determining, by a security driver executed by the computing device, whether a first access right associated with the application includes data for allowing the application to access to an encryption key store to retrieve a first encryption key stored at the encryption key store for decrypting the first resource, wherein the security driver is, separate from an operating system of the computing device, and logically positioned between the application and a data storage of the computing device, wherein the encryption key store is located at a second computing device of the computer system, and wherein the computer system comprises at least one processor and operatively associated memory;
  
  verifying by the security driver a single digital signature of an indication of at least the first access right and a component of the application;
  
  providing the application with the first encryption key when the first access right includes the data and the single digital signature is verified;
  
  receiving a second request from the application to access a second resource selected from the plurality of resources;
  
  determining, by the security driver, whether a second access right associated with the application includes data for allowing the application to access an encryption key store to retrieve a second encryption key stored at the encryption key store for decrypting the second resource, wherein the single digital signature is also of an indication of the second access right, wherein the first access right, the second access right and the component of the application are included in a single file;
  
  providing the application with the second encryption key.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, further comprising:
    - receiving a request to execute the application; and
      
      verifying if an originator of the request is authorized to execute the application.
  - 11. The method of claim 9, wherein the first access right comprises authentication information for accessing the encryption key store.
  - 12. The method of claim 9, wherein the first access right, the second access right, and the component of the application are included in separate streams of the single file.
  - 13. The method of claim 9, wherein the plurality of resources comprises at least one of the group consisting of a data unit and an executable.

14. A method of managing access to a plurality of resources in a computer system, the method comprising:
- receiving a request from an application executed by a computing device of the computer system to access a first resource selected from the plurality of resources;
  
  reading a first access right of the application by a security driver separate from an operating system of the computing device, wherein the computer system comprises at least one processor and operatively associated memory, wherein the security driver is executed by the computing device and logically positioned between an application associated with the application resource and a data storage of the computing device, wherein the first access right is stored in a stream of a file, wherein a component of the application is stored in a second stream of the file, wherein the first access right comprises data for allowing access to an encryption key store to retrieve a first encryption key corresponding to the first resource, and wherein the encryption key store is located at a second computing device of the computer system;
  
  verifying, by the security driver, the first access right of the application, wherein verifying the first access right comprises verifying a digital signature of an indication of the first access right and the component of the application; and
  
  providing the application with access to the first resource when the digital signature is verified and when the first access right indicate that the application is entitled to access the first resource, wherein the providing is performed by the security driver, and wherein the providing comprises;
  
  utilizing the first access right to allow access to the encryption key store to access the encryption key store and retrieve the first encryption key;
  
  providing the first encryption key to the application;
  
  receiving a request from the application for a second resource selected from the plurality of resources;
  
  reading a second access right of the application by the security driver, wherein the second access right is stored in the stream of the file, and wherein the second access right comprises data for allowing access to the encryption key store to retrieve a second encryption key corresponding to the second resource;
  
  verifying, by the security driver, the second access right of the application, wherein verifying the second access right comprises verifying the digital signature of the indication of the second access right, the component of the application, and an indication of the second access right; and
  
  providing the application with the second resource when the digital signature is verified when the second access right indicates that the application is entitled to access the second resource, wherein the providing is performed by the security driver, and wherein the providing comprises;
  
  utilizing the second access right to allow access to the encryption key store to retrieve the second encryption key; and
  
  providing the second encryption key to the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
OSR Open Systems Resources, Inc.
Inventors
Cariddi, Mark J., Noone, Scott J., Mason, W. Anthony, Viscarola, Peter G.
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US11/509,391
Time in Patent Office

2,581 Days
Field of Search

713/164, 713/165, 713/166, 713/176, 726/21, 726/27
US Class Current

713/164
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 9/088   Usage controlling of secret...

H04L 9/3247   involving digital signatures

Managing access to a resource

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Managing access to a resource

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links