Method of encrypting information for remote access while maintaining access control
Abstract
The invention provides for encrypting electronic information such as a document so that only users with permission may access the document in decrypted form. The process of encrypting the information includes selecting a set of policies as to who may access the information and under what conditions. A remote server stores a unique identifier for the information and associates an encryption/decryption key pair and access policies with the information. Software components residing on the author's computer retrieve the encryption key from the remote server, encrypt the information, and store the encrypted information at a location chosen by the author. A user wishing to access the information acquires the encrypted information electronically. Software components residing on the viewing user's computer retrieve the associated decryption key and policies, decrypt the information to the extent authorized by the policies, and immediately delete the decryption key from the viewing user's computer upon decrypting the information and rendering the clear text to the viewing user's computer screen. The software components are also capable of prohibiting functional operations by the viewing user's computer while the clear text is being viewed.
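The flow the abstract describes (register a segment with the key server, fetch the key and policy with a user code, decrypt, wipe the key) as an added sketch that is not taken from the patent. It assumes a single symmetric key in place of the key pair and a SHA-256 counter keystream as a stand-in cipher; `KeyServer`, `author_encrypt`, `view_segment` and the policy fields are hypothetical names.

```python
import hashlib
import secrets

def _xor_stream(key, data):
    # Stand-in cipher (SHA-256 counter keystream), an assumption for this sketch only.
    out = bytearray()
    for off in range(0, len(data), 32):
        h = hashlib.sha256()
        h.update(key)                      # accepts bytearray: no immutable key copy
        h.update(off.to_bytes(8, "big"))
        out.extend(b ^ k for b, k in zip(data[off:off + 32], h.digest()))
    return bytes(out)

class KeyServer:
    """Hypothetical key server: stores segment id -> (key, policy), never the document."""
    def __init__(self):
        self._segments = {}

    def register(self, segment_id, policy):
        key = secrets.token_bytes(32)
        self._segments[segment_id] = (key, policy)
        return key                         # the author's component encrypts with this

    def request_key(self, user_code, segment_id):
        key, policy = self._segments[segment_id]
        if user_code not in policy["authorized"]:
            raise PermissionError("user code not authorized for this segment")
        return bytearray(key), dict(policy)   # mutable buffer so the viewer can wipe it

def author_encrypt(server, segment_id, clear, policy):
    return _xor_stream(server.register(segment_id, policy), clear)

def view_segment(server, user_code, segment_id, ciphertext):
    key, policy = server.request_key(user_code, segment_id)
    try:
        clear = _xor_stream(key, ciphertext)
    finally:
        for i in range(len(key)):          # destroy the key right after decrypting
            key[i] = 0
    # Best effort only: the runtime or transport layer may still hold other copies.
    return clear, policy, key              # key returned only so the wipe can be checked
```

The returned policy is what the viewing component would consult before allowing operations on the clear text; enforcing it is outside this sketch.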
11 Claims
1. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location, a user code and an identification of the segment;
transmitting the user code and the identification from the user location to a key server;
receiving, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
decrypting the segment with the decryption key into clear text in response to said receiving;
destroying the decryption key in response to said decrypting;
rendering the clear text;
limiting access to the clear text consistent with the at least one access policy; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein a processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capturing of the decryption key during the moment.
2. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location from a key server, a decryption key for the segment;
immediately decrypting the segment with the decryption key after said receiving;
immediately destroying the decryption key after said decrypting; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein said receiving, said immediately decrypting and said immediately destroying only permit the decryption key to be resident at the user location for a brief moment in time, and said defending resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
3. A method of controlling distribution of a segment of encrypted electronic information, comprising:
attempting to access the segment at a user location;
requesting from the user location to the key server a decryption key for the segment;
receiving, at a user location from a key server, the decryption key for the segment;
decrypting the segment with the decryption key in response to said receiving;
destroying the decryption key in response to said decrypting; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein processing between and including said receiving and said destroying occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capture of the decryption key during the moment.
4. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location from a key server, a decryption key for the segment;
immediately decrypting the segment into clear text with the decryption key after said receiving;
immediately rendering said clear text on a display;
immediately destroying the decryption key after one of said decrypting and said rendering; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein said receiving, said immediately decrypting and said immediately destroying only permit the decryption key to be resident at the user location for a brief moment in time, and said defending resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
5. A method of controlling distribution of a segment of encrypted electronic information, comprising:
attempting to access the segment at a user location, including receiving, at the user location, a user code and an identification of the segment;
transmitting, in response to the attempting to access, the user code and the identification to a server;
receiving, at a user location from a key server, a decryption key for the segment in response to the user code representing a user authorized to view the segment;
decrypting the segment with the decryption key in response to said receiving;
destroying the decryption key in response to said decrypting; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein a processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capturing of the decryption key during the moment.
6. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to;
receive, at a user location, a user code and an identification of the segment;
transmit the user code and the identification from the user location to a key server;
receive, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
decrypt the segment with the decryption key into clear text in response to said receiving;
destroy the decryption key in response to said decrypting;
render the clear text;
limit access to the clear text consistent with the at least one access policy; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein said instructions require that computer processing between and including said receive the decryption key and said destroy the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend the decryption key resists capture of the decryption key during the moment.
7. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to;
receive, at a user location from a key server, a decryption key for the segment;
immediately decrypt the segment with the decryption key after said receiving;
immediately destroy the decryption key after said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein the decryption key will only be resident at the user location for a brief moment in time, and said defend the key resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
8. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to;
attempt to access the segment at a user location;
request from the user location to the key server a decryption key for the segment;
receive, at a user location from a key server, the decryption key for the segment;
decrypt the segment with the decryption key in response to said receiving;
destroy the decryption key in response to said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein said instructions require computer processing between and including said receive and said destroy to occur with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend resists capture of the decryption key during the moment.
9. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to;
receive, at a user location from a key server, a decryption key for the segment;
immediately decrypt the segment into clear text with the decryption key after said receiving;
immediately render said clear text on a display;
immediately destroy the decryption key in response to one of said decrypting and said rendering; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein the decryption key will only be resident at the user location for a brief moment in time, and said defend resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
10. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to;
attempt to access the segment at a user location, including receiving, at a user location, a user code and an identification of the segment;
transmit, in response to the attempt to access, the user code and the identification to a server;
receive, at a user location from a key server, a decryption key for the segment in response to the user code representing a user authorized to view the segment;
decrypt the segment with the decryption key in response to said receiving;
destroy the decryption key in response to said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein said instructions require that computer processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend resists capturing of the decryption key during the moment.
11. A system for controlling distribution of a segment of encrypted electronic information, comprising:
means for receiving, at a user location, a user code and an identification of the segment;
means for transmitting the user code and the identification of the segment from the user location to a key server;
means for receiving, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
means for decrypting the segment with the decryption key into clear text in response to said receiving;
means for destroying the decryption key in response to said decrypting;
means for rendering the clear text;
means for limiting access to the clear text consistent with the at least one access policy; and
means for defending the decryption key at the user location when the decryption key is resident at the user location;
wherein a time between operations performed by and including said means for receiving the decryption key and said means for destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said means for defending resists capturing of the decryption key during the moment.
Specification