System and method for securing data

US 8,806,207 B2
Filed: 12/22/2008
Issued: 08/12/2014
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. A method for securing data distributed by a first user to at least one recipient user, comprising the steps of:

(A) providing a client application and a receiver application;

(B) using said client application on a first computer;

(B)(1) authenticating said first user using a secure objects server, said secure objects server being distinct from said first computer, and(B)(2) said first user selecting data to be distributed as a secure data object, said selected data comprising multiple data items;

(B)(3) forming a single data object from said selected data comprising said multiple data items, wherein all of the selected data are integrated and referenced as said single data object;

(B)(4) said first user describing at least one manner in which said data object can be manipulated by a recipient user;

(B)(5) assigning one or more permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user, as described by said first user;

(B)(6) creating an access control list (ACL) for said data object;

(B)(7) saving said permissions and said ACL on said secure objects server;

(B)(8) encrypting the data object formed in (B)(3) with an encryption key obtained from said secure objects server to form said secure data object;

(B)(9) recording the encryption key in a database associated with said secure objects server;

(C) distributing said secure data object to at least one arbitrary recipient user; and

(D) upon receipt of said secure data object by a particular recipient user,(D)(1) using said receiver application on a second computer associated with said particular recipient user, connecting to said secure objects server, said secure objects server being distinct from said second computer, said second computer being distinct from said first computer;

(D)(2) upon connection of said receiver application to said secure objects server, said secure objects server authenticating said particular recipient user;

(D)(3) upon successful authentication of said particular recipient user by said secure objects server, said receiver application querying said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;

(D)(2) said receiver application obtaining from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;

(D)(3) said receiver application obtaining from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;

(D)(4) upon successfully obtaining said decryption key from said secure objects server, said receiver application decrypting said secure data object and providing said particular recipient user with access to said data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and

(D)(5) said receiver application recording particular log information about said particular recipient user'"'"'s access to said data items in said secure object, and(D)(6) said receiver application providing said particular log information to said secure objects server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method for securing data distributed by a first user to at least one recipient user, comprising the steps of; responding to a request from the first user to encrypt the data with a key; and recording the location of the key in a database, wherein on the database receiving a request from the at least one recipient user for authorization, providing the key to the at least one recipient user upon authorization.

151 Citations

27 Claims

1. A method for securing data distributed by a first user to at least one recipient user, comprising the steps of:
- (A) providing a client application and a receiver application;
  
  (B) using said client application on a first computer;
  
  (B)(1) authenticating said first user using a secure objects server, said secure objects server being distinct from said first computer, and(B)(2) said first user selecting data to be distributed as a secure data object, said selected data comprising multiple data items;
  
  (B)(3) forming a single data object from said selected data comprising said multiple data items, wherein all of the selected data are integrated and referenced as said single data object;
  
  (B)(4) said first user describing at least one manner in which said data object can be manipulated by a recipient user;
  
  (B)(5) assigning one or more permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user, as described by said first user;
  
  (B)(6) creating an access control list (ACL) for said data object;
  
  (B)(7) saving said permissions and said ACL on said secure objects server;
  
  (B)(8) encrypting the data object formed in (B)(3) with an encryption key obtained from said secure objects server to form said secure data object;
  
  (B)(9) recording the encryption key in a database associated with said secure objects server;
  
  (C) distributing said secure data object to at least one arbitrary recipient user; and
  
  (D) upon receipt of said secure data object by a particular recipient user,(D)(1) using said receiver application on a second computer associated with said particular recipient user, connecting to said secure objects server, said secure objects server being distinct from said second computer, said second computer being distinct from said first computer;
  
  (D)(2) upon connection of said receiver application to said secure objects server, said secure objects server authenticating said particular recipient user;
  
  (D)(3) upon successful authentication of said particular recipient user by said secure objects server, said receiver application querying said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
  
  (D)(2) said receiver application obtaining from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
  
  (D)(3) said receiver application obtaining from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
  
  (D)(4) upon successfully obtaining said decryption key from said secure objects server, said receiver application decrypting said secure data object and providing said particular recipient user with access to said data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
  
  (D)(5) said receiver application recording particular log information about said particular recipient user'"'"'s access to said data items in said secure object, and(D)(6) said receiver application providing said particular log information to said secure objects server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. A method according to claim 1 further comprising:
    - the database at said secure objects server receiving one or more rules arranged to constrain the at least one recipient user'"'"'s interaction with the data.
  - 3. A method according to claim 1, wherein the authentication of said particular recipient user in (D)(2) further comprises:
    - comparing an identification profile of the particular recipient user with pre-determined criteria, wherein the particular recipient user is authorized if the pre-determined criteria matches the identification profile.
  - 4. A method according to claim 3, wherein the identification profile includes at least one criterion characterizing a characteristic of the particular recipient user.
  - 5. A method according to claim 1, further comprising using a gatekeeper service to protect the database from unauthorized users.
  - 6. A method according to claim 1, wherein the data are included in a file wrapper as an encrypted data string.
  - 7. A method according to claim 6, wherein the file wrapper comprises a secure document arranged to be processed by said receiver application.
  - 8. A method according to claim 6, wherein the data object is provided with a secure envelope arranged to enclose the data with such that when the data are within the envelope, the at least one recipient user'"'"'s interaction with the data is constrained by rules established by the first user.
  - 9. The method according to claim 1, wherein the secure objects server comprises a logging service arranged to receive log information from receiver applications, said log information relating to activity on the data items by recipient users, the method further comprising:
    - (E) by said logging service at said secure objects server, receiving said particular log information from said receiver application.
  - 10. The method of claim 1, wherein the at least one processor is further configured to execute an interface enabling the first user to define the one or more rules to be applied.
  - 11. The method of claim 1wherein said describing in (B)(4) is performed in response said client application providing the first user with an option to elect one or more rules to constrain the manner in which said data object can be manipulated by a recipient user, and wherein said describing in (B)(4) comprises selecting at least some of said one or more rules.
  - 12. The method of claim 1 wherein the encryption key is the same as the decryption key.
  - 13. The method of claim 1 wherein the encryption key is generated by the secure objects server in response to a request from the client application.
  - 14. The method of claim 1 wherein said one or more permissions assigned by said first user in (B)(5) comprise authentication requirements.
  - 15. The method of claim 14 wherein the authentication requirements include one or more of:
    - a biometric scan requirement; and
      
      a password question requirement.
  - 16. The method of claim 14 wherein the authentication requirements require one or more of:
    - (a) the recipient user entering a password key;
      
      (b) the recipient user providing biometric verification;
      
      (c) checking the network address of the recipient user'"'"'s computer;
      
      (d) checking a computer identification code of the recipient user'"'"'s computer.
  - 17. The method of claim 1 wherein said selecting data in (B)(2) comprises:
    - dragging multiple data items into an interface of the client application.
  - 18. The method of claim 17 further comprising:
    - closing a data object in the interface of the client application to combine the files to form the single data object.
  - 19. The method of claim 1 wherein each data item selected in (B)(2) to be distributed comprises a data item selected from:
    - a file, an object, an address, and a pointer.
  - 20. The method of claim 1 further comprising:
    - upon receipt of said secure data object by said particular recipient user,dragging and dropping the secure data object into an interface of the receiver application.
  - 21. The method of claim 1 whereinupon receipt of said secure data object by the particular recipient user in (D), the particular recipient user initiates the receiver application.
  - 22. The method of claim 1 wherein the client application is embedded with an existing software or operating system application.
  - 23. The method of claim 1 wherein the recipient application is embedded with an existing software application.
  - 24. The method of claim 1 wherein said client application provides a list of permissions, and wherein said describing in (B)(4) comprises:
    - selecting one or more of said permissions.
  - 25. The method of claim 1 wherein the list of permissions comprises permissions relating to one or more of:
    - reading, writing, printing, copying, sharing, redistribution, and backup of the data object;
      
      time periods during which access to the data object is permitted;
      
      a person or group of persons allowed to access the data object; and
      
      one or more locations at which the data object can be accessed.

26. A non-transitory computer readable medium comprising instructions that when executed by a computer cause the computer to perform a method, in a system in which, using a client application on a first computer,(i) a first user selected data to be distributed as a secure data object, said selected data comprising multiple data items;
- and(ii) said first formed a single data object from said selected data, wherein all of the selected data are integrated and referenced as said single data object; and
  
  (iii) said first user described at least one manner in which said data object can be manipulated by a recipient user; and
  
  (iv) said first user caused assignment of permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user; and
  
  (v) said first user created an access control list (ACL) for said object; and
  
  (vi) said first user saved said permissions and said ACL on said secure objects server; and
  
  (vii) said first user caused encryption of the data object with an encryption key obtained from said secure objects server to form said secure data object; and
  
  (viii) said first user cause said secure data object to be distributed to at least one arbitrary recipient user,the method comprising;
  
  (a) upon receipt of said secure data object by a particular recipient user,(a)(1) connecting to said secure objects server, said secure objects server being distinct from said second computer;
  
  (a)(2) upon connection of said receiver application to said secure objects server, said secure objects server authenticating said particular recipient user;
  
  (a)(3) upon successful authentication of said particular recipient user by said secure objects server, querying said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
  
  (a)(2) obtaining from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
  
  (a)(3) obtaining from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
  
  (a)(4) upon successfully obtaining said decryption key from said secure objects server, decrypting said secure data object and providing said particular recipient user with access to said data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
  
  (a)(5) recording particular log information about said particular recipient user'"'"'s access to said data items in said secure data object, and (a)(6) providing said particular log information to said secure objects server.

27. A system comprising:
- (B) a secure objects server;
  
  (C) a client application on a first computer, distinct from said secure objects server; and
  
  (D) a recipient application on a second computer, distinct from said secure objects server and from said first computer,wherein said client application provides a first user interface to enable;
  
  (b)(i) a first user to select data to be distributed as a secure data object, said selected data comprising multiple data items; and
  
  (b)(ii) said first to form a single data object from said selected data, wherein all of the selected data are integrated and referenced as said single data object; and
  
  (b)(iii) said first user to describe at least one manner in which said data object can be manipulated by a recipient user; and
  
  (b)(iv) said first user to cause assignment of permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user; and
  
  (b)(v) said first user to create an access control list (ACL) for said object; and
  
  (b)(vi) said first user to save said permissions and said ACL on said secure objects server; and
  
  (b)(vii) said first user to cause encryption of the data object with an encryption key obtained from said secure objects server to form said secure data object; and
  
  wherein said receiver application is invoked upon receipt of said secure data object by a particular recipient user, and wherein said receiver application is constructed and adapted to;
  
  (c)(1) authenticate said particular recipient user with said secure objects server;
  
  (c)(2) upon successful authentication of said particular recipient user by said secure objects server, query said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
  
  (c)(2) obtain from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
  
  (c)(3) obtain from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
  
  (c)(4) upon successfully obtaining said decryption key from said secure objects server, decrypt said secure data object and provide said particular recipient user with access to said multiple data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
  
  (c)(5) to record particular log information about said particular recipient user'"'"'s access to said data items in said secure data object, and(c)(6) provide said particular log information to said secure objects server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cocoon Data Holdings Limited
Original Assignee
Cocoon Data Holdings Limited
Inventors
Nussbaum, Lawrence Edward, Thompson, Stephen
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US12/809,758
Publication Number

US 20110040964A1
Time in Patent Office

2,059 Days
Field of Search

713/170, 726/4, 726/28, 380/278
US Class Current

713/170
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 2221/2115   Third party

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 9/3226   using a predetermined code,...

System and method for securing data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links