System and method for securing data
First Claim
1. A method for securing data distributed by a first user to at least one recipient user, comprising the steps of:
(A) providing a client application and a receiver application;
(B) using said client application on a first computer;
(B)(1) authenticating said first user using a secure objects server, said secure objects server being distinct from said first computer, and
(B)(2) said first user selecting data to be distributed as a secure data object, said selected data comprising multiple data items;
(B)(3) forming a single data object from said selected data comprising said multiple data items, wherein all of the selected data are integrated and referenced as said single data object;
(B)(4) said first user describing at least one manner in which said data object can be manipulated by a recipient user;
(B)(5) assigning one or more permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user, as described by said first user;
(B)(6) creating an access control list (ACL) for said data object;
(B)(7) saving said permissions and said ACL on said secure objects server;
(B)(8) encrypting the data object formed in (B)(3) with an encryption key obtained from said secure objects server to form said secure data object;
(B)(9) recording the encryption key in a database associated with said secure objects server;
(C) distributing said secure data object to at least one arbitrary recipient user; and
(D) upon receipt of said secure data object by a particular recipient user,
(D)(1) using said receiver application on a second computer associated with said particular recipient user, connecting to said secure objects server, said secure objects server being distinct from said second computer, said second computer being distinct from said first computer;
(D)(2) upon connection of said receiver application to said secure objects server, said secure objects server authenticating said particular recipient user;
(D)(3) upon successful authentication of said particular recipient user by said secure objects server, said receiver application querying said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
(D)(2) said receiver application obtaining from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
(D)(3) said receiver application obtaining from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
(D)(4) upon successfully obtaining said decryption key from said secure objects server, said receiver application decrypting said secure data object and providing said particular recipient user with access to said data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
(D)(5) said receiver application recording particular log information about said particular recipient user's access to said data items in said secure object, and
(D)(6) said receiver application providing said particular log information to said secure objects server.
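The flow of claim 1 end to end, as an added Go example that is not the patent's own code: a hypothetical `Server` type stands in for the secure objects server, a password map stands in for whatever authentication the real system uses, and AES-GCM is assumed as the cipher since the claim names none. `Register`, `Seal` and `Receive` are assumed names that map onto the (B) and (D) steps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)
// Server stands in for the secure objects server; keys and ACLs never travel with the object.
type Server struct {
	Users     map[string]string              // user -> password (constructed stand-in)
	Keys      map[string][]byte              // (B)(9): object id -> encryption key
	ACLs      map[string]map[string][]string // (B)(6)/(B)(7): object id -> recipient -> permissions
	AccessLog []string                       // (D)(5)/(D)(6): access reports sent by receivers
}
func (s *Server) auth(user, pw string) bool { p, ok := s.Users[user]; return ok && p == pw }
// Register covers (B)(1), (B)(5)-(B)(7), (B)(9): the authenticated owner gets a fresh key, which the server records.
func (s *Server) Register(owner, pw, id string, acl map[string][]string) ([]byte, error) {
	if !s.auth(owner, pw) { return nil, errors.New("owner authentication failed") }
	key := make([]byte, 32); rand.Read(key)
	s.Keys[id], s.ACLs[id] = key, acl
	return key, nil
}
// fetch covers (D)(2)-(D)(3): key and rules go only to an authenticated recipient on the ACL.
func (s *Server) fetch(user, pw, id string) ([]byte, []string, error) {
	if !s.auth(user, pw) { return nil, nil, errors.New("recipient authentication failed") }
	perms, ok := s.ACLs[id][user]
	if !ok { return nil, nil, errors.New("recipient not on ACL") }
	return s.Keys[id], perms, nil
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// Seal covers (B)(3) and (B)(8): fold the data items into one object and encrypt it with AES-GCM.
func Seal(key []byte, items map[string]string) []byte {
	plain, _ := json.Marshal(items)
	nonce := make([]byte, 12); rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}
// Receive covers (D)(1)-(D)(6): obtain rules and key, decrypt, then report the access to the server.
func Receive(s *Server, user, pw, id string, blob []byte) (map[string]string, []string, error) {
	key, perms, err := s.fetch(user, pw, id)
	if err == nil && len(blob) < 12 { err = errors.New("malformed secure object") }
	if err != nil { return nil, nil, err }
	plain, err := gcm(key).Open(nil, blob[:12], blob[12:], nil) // GCM tag rejects tampering
	if err != nil { return nil, nil, err }
	var items map[string]string
	json.Unmarshal(plain, &items)
	s.AccessLog = append(s.AccessLog, user+" opened "+id)
	return items, perms, nil
}
```

Note that the object itself carries no ACL or key, so a recipient who is removed from the server-side ACL loses access to copies already in hand, which is the point of keeping the key in the server database.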
Abstract
The present invention provides a method for securing data distributed by a first user to at least one recipient user, comprising the steps of: responding to a request from the first user to encrypt the data with a key; and recording the location of the key in a database, wherein, on the database receiving a request from the at least one recipient user for authorization, the key is provided to the at least one recipient user upon authorization.
151 Citations
27 Claims
26. A non-transitory computer readable medium comprising instructions that when executed by a computer cause the computer to perform a method, in a system in which, using a client application on a first computer,
(i) a first user selected data to be distributed as a secure data object, said selected data comprising multiple data items; and
(ii) said first user formed a single data object from said selected data, wherein all of the selected data are integrated and referenced as said single data object; and
(iii) said first user described at least one manner in which said data object can be manipulated by a recipient user; and
(iv) said first user caused assignment of permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user; and
(v) said first user created an access control list (ACL) for said object; and
(vi) said first user saved said permissions and said ACL on said secure objects server; and
(vii) said first user caused encryption of the data object with an encryption key obtained from said secure objects server to form said secure data object; and
(viii) said first user caused said secure data object to be distributed to at least one arbitrary recipient user,
the method comprising:
(a) upon receipt of said secure data object by a particular recipient user,
(a)(1) connecting to said secure objects server, said secure objects server being distinct from said second computer;
(a)(2) upon connection of said receiver application to said secure objects server, said secure objects server authenticating said particular recipient user;
(a)(3) upon successful authentication of said particular recipient user by said secure objects server, querying said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
(a)(2) obtaining from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
(a)(3) obtaining from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
(a)(4) upon successfully obtaining said decryption key from said secure objects server, decrypting said secure data object and providing said particular recipient user with access to said data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
(a)(5) recording particular log information about said particular recipient user's access to said data items in said secure data object, and
(a)(6) providing said particular log information to said secure objects server.
27. A system comprising:
(B) a secure objects server;
(C) a client application on a first computer, distinct from said secure objects server; and
(D) a recipient application on a second computer, distinct from said secure objects server and from said first computer,
wherein said client application provides a first user interface to enable:
(b)(i) a first user to select data to be distributed as a secure data object, said selected data comprising multiple data items; and
(b)(ii) said first user to form a single data object from said selected data, wherein all of the selected data are integrated and referenced as said single data object; and
(b)(iii) said first user to describe at least one manner in which said data object can be manipulated by a recipient user; and
(b)(iv) said first user to cause assignment of permissions specific to said data object to control said at least one manner in which said data object can be manipulated by a recipient user; and
(b)(v) said first user to create an access control list (ACL) for said object; and
(b)(vi) said first user to save said permissions and said ACL on said secure objects server; and
(b)(vii) said first user to cause encryption of the data object with an encryption key obtained from said secure objects server to form said secure data object;
and wherein said receiver application is invoked upon receipt of said secure data object by a particular recipient user, and wherein said receiver application is constructed and adapted to:
(c)(1) authenticate said particular recipient user with said secure objects server;
(c)(2) upon successful authentication of said particular recipient user by said secure objects server, query said secure objects server for rules and permissions relating to said secure data object and to said particular recipient user, as assigned by the first user;
(c)(2) obtain from said secure objects server said rules and permissions relating to said secure data object as assigned by the first user;
(c)(3) obtain from said database associated with said secure objects server a decryption key for said secure data object, said decryption key corresponding to said encryption key that was used to encrypt the data object to form said secure data object;
(c)(4) upon successfully obtaining said decryption key from said secure objects server, decrypt said secure data object and provide said particular recipient user with access to said multiple data items in said secure data object, said access being subject to constraints established by said first user as specified in said rules and permissions specific to said data object; and
(c)(5) record particular log information about said particular recipient user's access to said data items in said secure data object, and
(c)(6) provide said particular log information to said secure objects server.
Specification