Method and system for managing security tiers

US RE41,546 E1
Filed: 05/02/2007
Issued: 08/17/2010
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. In a system for providing restrictive access to contents in secured files, each of the secured files classified in accordance with one of N security levels, a A method for reorganizing the N security levels without implicating accessibilities to the secured files, each of the secured files classified in accordance with one of the N security levels, the method comprising:

determining, using a computing device, a new security level with respect to the N security levels, wherein a 1st security level is most restrictive and an Nth security level is least restrictive in among the N security levels;

generating, using the computing device, security parameters accordingly for the new security level, the new security level being ith less restrictive with respect to the 1st security level; and

mapping, using the computing device, an ith security level in the N security levels to an (i+1)th security level in the N security levels to accommodate the new security level such that there are now (N+1) security levels in the system, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of the each of the secured files can be accessed.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for reorganizing security levels without implicating accessibility to secured files classified in accordance to one of the security levels are disclosed. In a case of adding a new security level, the controllability or restrictiveness of the new security level is determined with respect to the most restrictive security level or the least security level in a set of existing security levels. A set of proper security parameters are then generated for the new security level and subsequently the existing security levels are reorganized to accommodate the new security level. In a case of removing a security level from the existing security levels, the security parameters for the security level to be deleted are either folded up or down to an immediate next security level, depending on implementation. As a result, the security parameters for the immediate next security level are updated to include those for the security level to be deleted such that the secured files classified at the security level to be deleted can still be accessed by those with proper clearance levels.

460 Citations

35 Claims

1. In a system for providing restrictive access to contents in secured files, each of the secured files classified in accordance with one of N security levels, a A method for reorganizing the N security levels without implicating accessibilities to the secured files, each of the secured files classified in accordance with one of the N security levels, the method comprising:
- determining, using a computing device, a new security level with respect to the N security levels, wherein a 1st security level is most restrictive and an Nth security level is least restrictive in among the N security levels;
  
  generating, using the computing device, security parameters accordingly for the new security level, the new security level being ith less restrictive with respect to the 1st security level; and
  
  mapping, using the computing device, an ith security level in the N security levels to an (i+1)th security level in the N security levels to accommodate the new security level such that there are now (N+1) security levels in the system, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of the each of the secured files can be accessed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the security parameters includes at least a clearance key and one or more of the parameters pertain to a designated group of users authorized to access the secured files classified at the new security level.
  - 3. The method of claim 2, wherein the clearance key is associated with the designated group of users, and together with a user key associated with each of the users, allows access to files secured at the ith security level can now be accessed .
  - 4. The method of claim 2, wherein, when if a user authorized to access secured files classified at the new security level logins logs into the system, the user is granted the clearance key, together with a user key authorized authorizing the user to access the secured files, those and secured files classified at the new security level can now be accessed by the users .
  - 5. The method of claim 4, wherein, the clearance key is a private key in a pair of a public key and the private key, those and the secured files are classified at the new security level with the public key.
  - 6. The method of claim 4, wherein, if the user is authorized at to access the ith security level in the original N security levels, the user is now granted a second user key and a second clearance key such that the contents in the secured files classified at the (i+1)th security level and below can be now accessed by the user.
  - 7. The method of claim 6 1, wherein the first key determines if the user is authorized to access the secured files classified at one of the N security levels or one of the (N+1) security levels, and the second key is in accordance with the one of the N security levels or the one of the (N+1) security levels.

8. In a system for providing restrictive access to contents in secured files, at least some of the secured files classified in accordance with one of N security levels, a A method for reorganizing the N security levels without implicating accessibilities to the secured files, at least some of the secured files classified in accordance with one of the N security levels, the method comprising:
- upon receiving a request to remove an ith security level out of the N security levels, determining, using a computing device, if an (i−
  
  1)th security level is a 1st security level or if an (i+1)th security level is an Nth security levels , wherein the 1st security level is most restrictive and the Nth security level is least restrictive in among the N security levels;
  
  whenif the (i−
  
  1)th security level is not the 1st security level and the (i+1)th security level is not the Nth security levels , merging, using the computing device, the ith security level with either the (i−
  
  1)th security level or the (i+1)th security level such that there are now (N−
  
  1) security levels in the system, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of the each of the secured files can be accessed.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein users authorized to access secured files classified at the ith security level can now access secured files classified at the (i−
    - 1)th security level if the ith security level is has been merged with the (i−
      
      1)th security level.
  - 10. The method of claim 8, wherein users authorized to access secured files classified at the ith security level can now access secured files classified at the (i+1)th security level if the ith security level is has been merged with the (i+1)th security level.
  - 11. The method of claim 8, wherein at least two keys are needed to access secured files classified at the ith security level, and after the ith security level is has been merged with the (i−
    - 1)th or (i+1)th security level, the at lest two keys are incorporated into the (i−
      
      1)th or (i+1)th security level as such that users authorized to access the secured files classified at the ith security level can still access the secured files.
  - 12. The method of claim 11, wherein, at the same time, the users can access secured files classified at the (i−
    - 1)th or (i+1)th security level.
  - 13. The method of claim 11, wherein the at least two keys include a first key associated with a designated group of users and a second key being a clearance key in accordance with the ith security level.
  - 14. The method of claim 13, wherein, when if the user logins logs into the system, the user is granted the at least two keys.
  - 15. The method of claim 8, further comprising:
    - whenif the (i−
      
      1)th security level is the 1st security level, denying the request to remove the ith security level out of the N security levels;
      
      or always folding down the ith security level with (i−
      
      1)th security level.
  - 16. The method of claim 8 further comprising:
    - whenif the (i−
      
      1)th security level is the N security level, denying the request to remove the ith security level out of the N security levels;
      
      or always folding up the ith security level with (i−
      
      1)th security level.

17. In a A system for providing restrictive access to contents in secured files, each of the secured files classified in accordance with one of N security levels, the system comprising:
- a first machine loaded with a software module to reorganize the N security levels without implicating accessibilities to the secured files, wherein the 1st security level is most restrictive and the Nth security level is least restrictive in the N security levels, when and wherein, if the software module is executed, the first machine performs operations of;
  
  if a request of for deleting an ith security level out of the N security levels is received, determining if an (i−
  
  1)th security level is a 1 st security level or if an (i+1)th security level is an Nth security levels , wherein the 1st security level is most restrictive and the Nth security level is least restrictive in the N security levels;
  
  and whenif the (i−
  
  1)th security level is not the 1st security level and the (i+1)th security level is not the Nth security levels , merging the ith security level with either the (i−
  
  1)th security level or the (i+1)th security level such that there are now (N−
  
  1) security levels in the system; and
  
  if a request of adding a new security level into the N security is received, determining a new security level with respect to the N security levels, wherein a 1 st security level is most restrictive and an Nth security level is least restrictive in the N security levels;
  
  generating security parameters accordingly for the new security level, the new security level being ith less restrictive with respect to the 1st security level;
  
  and mapping an ith security level in the N security levels to an (i+1)th security level in the N security levels to accommodate the new security level such that there are now (N+1) security levels in the system; and
  
  a second machine, coupled to the first machine over a network, associated with a user that is granted with at least two keys to access one of the secured files classified at one of the N security levels, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of the each of the secured files can be accessed.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein one of the two keys granted to the user is a clearance key in accordance with the one of the N security levels.
  - 19. The system of claim 18, wherein the two keys granted to the user are folded to either the (i−
    - 1)th security level or the (i+1)th security level, when if the user is authorized to access secured files classified at the ith security level.

20. A tangible computer-readable storage medium having stored thereon instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- determining a new security level with respect to the N security levels, wherein a 1st security level is most restrictive and an Nth security level is least restrictive among the N security levels;
  
  generating security parameters accordingly for the new security level, the new security level being ith less restrictive with respect to the 1st security level; and
  
  mapping an ith security level in the N security levels to an (i+1)th security level in the N security levels to accommodate the new security level such that there are (N+1) security levels in the system, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of the each of the secured files can be accessed.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The computer-readable storage medium according to claim 20, wherein the security parameters include at least a clearance key and one or more of the parameters pertain to a designated group of users authorized to access the secured files classified at the new security level.
  - 22. The computer-readable storage medium according to claim 21, wherein the clearance key is associated with the designated group of users, and together with a user key associated with each of the users, allows access to files secured at the ith security level.
  - 23. The computer-readable storage medium according to claim 21, wherein, if a user authorized to access secured files classified at the new security level logs into the system, the user is granted the clearance key, together with a user key authorizing the user to access the secured files, and secured files classified at the new security level can be accessed by the user.
  - 24. The computer-readable storage medium according to claim 23, wherein the clearance key is a private key in a pair of a public key and the private key, and the secured files are classified at the new security level with the public key.
  - 25. The computer-readable storage medium according to claim 23, wherein, if the user is authorized to access the ith security level in the N security levels, the user is granted a second user key and a second clearance key such that the contents in the secured files classified at the (i+1)th security level and below can be accessed by the user.
  - 26. The computer-readable storage medium according to claim 25, wherein the first key determines if the user is authorized to access the secured files classified at one of the N security levels or one of the (N+1) security levels, and the second key is in accordance with the one of the N security levels or the one of the (N+1) security levels.

27. A tangible computer-readable storage medium having stored thereon instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- upon receiving a request to remove an ith security level out of the N security levels, determining if an (i−
  
  1)th security level is a 1st security level or if an (i+1)th security level is an Nth security level, wherein the 1st security level is most restrictive and the Nth security level is least restrictive among the N security levels;
  
  if the (i−
  
  1)th security level is not the 1st security level and the (i+1)th security level is not the Nth security level, merging the ith security level with either the (i−
  
  1)th security level or the (i+1)th security level such that there are (N−
  
  1) security levels in the system, wherein each of the secured files includes an encrypted data portion and a security portion that controls restrictive access to the encrypted data portion, the security portion including a file key encrypted by at least a first key and a second key and further protected by a set of rules, and wherein both of the first key and the second key must be obtained by a user whose access privilege is satisfied by the rules before the contents of each of the secured files can be accessed.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The computer-readable storage medium according to claim 27, wherein users authorized to access secured files classified at the ith security level can access secured files classified at the (i−
    - 1)th security level if the ith security level has been merged with the (i−
      
      1)th security level.
  - 29. The computer-readable storage medium according to claim 27, wherein users authorized to access secured files classified at the ith security level can access secured files classified at the (i+1)th security level if the ith security level has been merged with the (i+1)th security level.
  - 30. The computer-readable storage medium according to claim 27, wherein at least two keys are needed to access secured files classified at the ith security level, and after the ith security level has been merged with the (i−
    - 1)th or (i+1)th security level, the at lest two keys are incorporated into the (i−
      
      1)th or (i+1)th security level such that users authorized to access the secured files classified at the ith security level can access the secured files.
  - 31. The computer-readable storage medium according to claim 30, wherein the users can access secured files classified at the (i−
    - 1)th or (i+1)th security level.
  - 32. The computer-readable storage medium according to claim 30, wherein the at least two keys include a first key associated with a designated group of users and a second key being a clearance key in accordance with the ith security level.
  - 33. The computer-readable storage medium according to claim 32, wherein, if the user logs into the system, the user is granted the at least two keys.
  - 34. The computer-readable storage medium according to claim 27, further comprising computer code for:
    - if the (i−
      
      1)th security level is the 1st security level, denying the request to remove the ith security level out of the N security levels;
      
      or always folding down the ith security level with (i−
      
      1)th security level.
  - 35. The computer-readable storage medium according to claim 27 further comprising computer code for:
    - if the (i−
      
      1)th security level is the N security level, denying the request to remove the ith security level out of the N security levels;
      
      or always folding up the ith security level with (i−
      
      1)th security level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Vainstein, Klimenty
Primary Examiner(s)
Elisca; Pierre E

Application Number

US11/797,367
Time in Patent Office

1,203 Days
Field of Search

705/57, 705/50, 705/51, 705/52, 705/58, 705/64, 705/71, 380/200, 380/201, 380/202, 380/228, 713/166, 713/200, 713/201, 713/202
US Class Current

705/57
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/42   Protocols for client-server...

Method and system for managing security tiers

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

460 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security tiers

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

460 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links