Method and apparatus for securing digital assets
Abstract
Digital assets are in a secured form that only those with granted access rights can access. Even with the proper access privilege, when a secured file is classified, at least a security clearance key is needed to ensure those who have the right security clearance can ultimately access the contents in the classified secured file. According to one embodiment, a secured file or secured document includes two parts: a header, and an encrypted data portion. The header includes security information that points to or includes access rules, a protection key and a file key. The access rules facilitate restrictive access to the encrypted data portion and essentially determine who can access the secured document. The file key is used to encrypt/decrypt the encrypted data portion and is protected by the protection key. If the contents in the secured file are classified, the file key is jointly protected by the protection key as well as a security clearance key associated with a user attempting to access the secured file.
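The key hierarchy the abstract describes, as an added sketch that is not code from the patent or its assignee. Assumptions: "jointly protected" is modelled as nested wrapping (clearance key inside, protection key outside), the protection key is encrypted under the user key, and `seal`/`unseal` are a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for whatever cipher scheme a real system would use; all function and field names are hypothetical.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Stand-in keystream: HMAC-SHA256 in counter mode (assumption, not the patent's cipher).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def secure(data, user_key, rules, clearance_key=None):
    """Build header + encrypted data portion; passing a clearance key marks the file classified."""
    file_key, protection_key = os.urandom(32), os.urandom(32)
    wrapped = file_key
    if clearance_key is not None:            # classified: inner wrap under the clearance key
        wrapped = seal(clearance_key, wrapped)
    header = {
        "classified": clearance_key is not None,
        "rules": list(rules),                                   # access rules (user names here)
        "enc_file_key": seal(protection_key, wrapped),          # file key under protection key
        "enc_protection_key": seal(user_key, protection_key),   # protection key under user key
    }
    return {"header": header, "body": seal(file_key, data)}

def access(secured, user, user_key, clearance_key=None):
    """Check the rules, then unwrap protection key -> file key -> data."""
    h = secured["header"]
    if user not in h["rules"]:
        raise PermissionError("access rules deny this user")
    protection_key = unseal(user_key, h["enc_protection_key"])
    file_key = unseal(protection_key, h["enc_file_key"])
    if h["classified"]:
        if clearance_key is None:
            raise PermissionError("classified file: clearance key required")
        file_key = unseal(clearance_key, file_key)              # second layer for classified files
    return unseal(file_key, secured["body"])
```

In this sketch the rule list is a policy check only; what actually stops a reader without clearance is that the file key cannot be unwrapped without both the protection key and the clearance key.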
37 Claims
1. In a system for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, a method for securing the electronic data in the format, the method comprising:
- generating an encrypted data portion by encrypting the electronic data with a first key according to a predetermined cipher scheme;
- encrypting the first key with a second key, if the electronic data is not classified;
- encrypting the first key with the second key together with a clearance key, if the electronic data is classified;
- encrypting the second key to produce an encrypted version of the second key;
- applying access rules to protect the encrypted version of the second key; and
- integrating a header with the encrypted data portion to produce a secured file, wherein the header includes the encrypted first key, the encrypted second key and the access rules.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23

13. In a system for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, a method for accessing the electronic data, the method comprising:
- obtaining an authenticated user key associated with a user attempting to access the electronic data;
- retrieving access rules embedded in the format to determine if the user has proper access privilege;
- retrieving a second key if the user is permitted to access the electronic data;
- if the contents in the electronic data are classified, obtaining a clearance key associated with the user;
- using the second key and the clearance key to ultimately retrieve a first key;
- if the contents in the electronic data are not classified, using the second key to retrieve the first key; and
- decrypting, using the first key, an encryption data portion representing an encrypted version of the electronic data.
Dependent claims: 14, 15, 16, 17, 18, 19, 20

21. A machine non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, the method comprising:
- generating an encrypted data portion by encrypting the electronic data with a first key according to a predetermined cipher scheme;
- encrypting the first key with a second key, if the electronic data is not classified;
- encrypting the first key with the second key together with a clearance key, if the electronic data is classified;
- encrypting the second key to produce an encrypted version of the second key;
- applying access rules to protect the encrypted version of the second key; and
- integrating a header with the encrypted data portion to produce a secured file, wherein the header includes the encrypted first key, the encrypted second key and the access rules.

22. A machine non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, the method comprising:
- obtaining an authenticated user key associated with a user attempting to access the electronic data;
- retrieving access rules embedded in the format to determine if the user has proper access privilege;
- retrieving a second key if the user is permitted to access the electronic data;
- if the contents in the electronic data are classified, obtaining a clearance key associated with the user;
- using the second key and the clearance key to ultimately retrieve a first key;
- if the contents in the electronic data are not classified, using the second key to retrieve a first key; and
- decrypting, using the first key, an encryption data portion representing an encrypted version of the electronic data.

24. A method, comprising:
- encrypting electronic data with a first key in a computing device;
- encrypting the first key with a second key, if the electronic data is not classified;
- encrypting the first key with the second key and a clearance key, if the electronic data is classified;
- encrypting the second key to produce an encrypted version of the second key; and
- integrating a header to include the encrypted first key and the encrypted second key.
Dependent claims: 25, 26, 27, 28

29. A method, comprising:
- determining if a user has proper access privilege to electronic data;
- retrieving, at a computing device, a second key if the user is permitted to access the electronic data;
- if contents in the electronic data are classified, obtaining a clearance key associated with the user and using the second key and the clearance key to retrieve a first key;
- if the contents in the electronic data are not classified, using the second key to retrieve the first key; and
- using the first key to decrypt an encrypted data portion representing an encrypted version of the electronic data.
Dependent claims: 30, 31, 32, 33

34. A system, comprising:
- a client module configured to control access to a secured document based on a user key;
- a store configured to store the secured document that includes a header with a file key and a protection key;
- a key store configured to store the user key and a clearance key, the clearance key being utilized to access the secured document when the secured document is also classified; and
- a cipher module configured to perform decrypting of the file key and the protection key, wherein the client module is configured to determine if a user has access privileges to the secured file using the decrypted user key, and if successful, the cipher module is configured to (1) decrypt the protection key with the user key and decrypt the file key, or (2) decrypt the protection key and the clearance key with the user key and decrypt the file key, if the secured document is also classified.

35. A system, comprising:
- a processor; and
- a memory in communication with the processor, the memory for storing a plurality of processing instructions for directing the processor to;
  - encrypt electronic data with a first key;
  - encrypt the first key with a second key, if the electronic data is not classified;
  - encrypt the first key with the second key and a clearance key, if the electronic data is classified;
  - encrypt the second key to produce an encrypted version of the second key; and
  - integrate a header to include the encrypted first key and the encrypted second key.

36. A non-transitory computer-readable storage medium having computer program code recorded thereon that, as a result of execution by a processor, causes the processor to perform functions comprising:
- determining if a user has proper access privilege to electronic data;
- retrieving a second key if the user is permitted to access the electronic data;
- if the contents in the electronic data are classified, obtaining a clearance key associated with the user and using the second key and the clearance key to retrieve a first key;
- if the contents in the electronic data are not classified, using the second key to retrieve the first key; and
- using the first key to decrypt an encrypted data portion representing an encrypted version of the electronic data.

37. A non-signal computer-readable medium having instructions stored thereon, the instructions comprising:
- instructions to encrypt electronic data with a first key;
- instructions to encrypt the first key with a second key, if the electronic data is not classified;
- instructions to encrypt the first key with the second key and a clearance key, if the electronic data is classified;
- instructions to encrypt the second key to produce an encrypted version of the second key; and
- instructions to integrate a header to include the encrypted first key and the encrypted second key.

Specification