Method and apparatus for securing digital assets

US RE43,906 E1
Filed: 12/09/2008
Issued: 01/01/2013
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. In a system for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, a method for securing the electronic data in the format, the method comprising:

generating an encrypted data portion by encrypting the electronic data with a first key according to a predetermined cipher scheme;

encrypting the first key with a second key, if the electronic data is not classified;

encrypting the first key with the second key together with a clearance key, if the electronic data is classified;

encrypting the second key to produce an encrypted version of the second key;

applying access rules to protect the encrypted version of the second key; and

integrating a header with the encrypted data portion to produce a secured file, wherein the header includes the encrypted first key, the encrypted second key and the access rules.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Digital assets are in a secured form that only those with granted access rights can access. Even with the proper access privilege, when a secured file is classified, at least a security clearance key is needed to ensure those who have the right security clearance can ultimately access the contents in the classified secured file. According to one embodiment, a secured file or secured document includes two parts: a header, and an encrypted data portion. The header includes security information that points to or includes access rules, a protection key and a file key. The access rules facilitate restrictive access to the encrypted data portion and essentially determine who the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion and protected by the protection key. If the contents in the secured file are classified, the file key is jointly protected by the protection key as well as a security clearance key associated with a user attempting to access the secured file.

652 Citations

37 Claims

1. In a system for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, a method for securing the electronic data in the format, the method comprising:
- generating an encrypted data portion by encrypting the electronic data with a first key according to a predetermined cipher scheme;
  
  encrypting the first key with a second key, if the electronic data is not classified;
  
  encrypting the first key with the second key together with a clearance key, if the electronic data is classified;
  
  encrypting the second key to produce an encrypted version of the second key;
  
  applying access rules to protect the encrypted version of the second key; and
  
  integrating a header with the encrypted data portion to produce a secured file, wherein the header includes the encrypted first key, the encrypted second key and the access rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23)
- - 2. The method of claim 1, wherein the access rules can be decrypted only with an authenticated user key associated with the user attempting to access the contents of the electronic data.
  - 3. The method of claim 1, wherein the generating of the encrypted data portion comprises:
    - determining a block size of blocks that are used to divide, respectively, the electronic data; and
      
      encrypting each of the blocks according to the predetermined cipher scheme.
  - 4. The method of claim 1, wherein the encrypting of the first key with the second key together with the clearance key, if the electronic data is classified, comprises:
    - encrypting the first key with the clearance key to produce an initial encrypted version of the first key; and
      
      encrypting the initial encrypted version of the first key with the second key to produce the encrypted version of the first key.
  - 5. The method of claim 1, wherein the clearance key corresponds to a confidential level that determines what classified secured files the clearance key can be used to retrieve the first key.
  - 6. The method of claim 5, wherein the confidential level ranges from most classified to non-classified.
  - 7. The method of claim 5, wherein the clearance key can be used together with the second key, if the access rules have been measured successfully against access privilege of a user attempting to access the contents in the electronic data, to retrieve the first key in the secured file classified at or lower than the confidential level of the clearance key.
  - 8. The method of claim 1, wherein the access rules are expressed in a descriptive language.
  - 9. The method of claim 8, wherein the descriptive language is a markup language.
  - 10. The method of claim 9, wherein the markup language is one of (i) SGML, (ii) HTML, (iii) WML, and (iv) XACML.
  - 11. The method of claim 1, wherein the encrypting of the second key to produce the encrypted version of the second key comprises:
    - obtaining a public user key associated with a user attempting to secure the electronic data; and
      
      encrypting the second key using the public user key according to the predetermine predetermined cipher scheme.
  - 12. The method of claim 1, wherein the encrypted version of the second key can be decrypted with a private user key associated with the user, provides that the private user key has been authenticated.
  - 23. The method of claim 1, wherein the encrypting of the first key with the second key together with the clearance key, if the electronic data is classified, comprises:
    - encrypting the first key with the second key to produce an initial encrypted version of the first key; and
      
      encrypting the initial encrypted version of the first key with the clearance key to produce the encrypted version of the first key.

13. In a system for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, a method for accessing the electronic data, the method comprising:
- obtaining an authenticated user key associated with a user attempting to access the electronic data;
  
  retrieving access rules embedded in the format to determine if the a user has proper access privilege;
  
  retrieving a second key if the user is permitted to access the electronic data;
  
  if the contents in the electronic data are classified;
  
  , obtaining a clearance key associated with the user;
  
  using the second key and the clearance key to ultimately retrieve a first key;
  
  if the contents in the electronic data are not classified;
  
  , using the second key to retrieve the first key; and
  
  decrypting, using the first key, an encryption data portion representing an encrypted version of the electronic data.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the access rules are also encrypted.
  - 15. The method of claim 14, wherein the retrieving of the access rules embedded in the format to determine if the user has proper access privilege comprises:
    - obtaining an authenticated user key associated with the user attempting to access the electronic data;
      
      decrypting the access rules with the authenticated user key; and
      
      testing if access privilege of the user is within the access rules.
  - 16. The method of claim 13, wherein the access rules are expressed in a descriptive language and control who or how the electronic data can be accessed.
  - 17. The method of claim 13, wherein the retrieving of the second key, if the user is permitted to access the electronic data, comprises:
    - obtaining an authenticated user key associated with the user attempting to access the electronic data; and
      
      decrypting the second key that is encrypted with the authenticated user key after it is determined that the user is permitted to access the electronic data.
  - 18. The method of claim 13, wherein the using of the second key and the clearance key to ultimately retrieve the first key comprises obtaining the first key by sequentially using the second key and the clearance key to decrypt an encrypted version of the first key.
  - 19. The method of claim 13, wherein the using of the second key and the clearance key to ultimately retrieve the first key comprises obtaining the first key by sequentially using the clearance key and the second key to decrypt an encrypted version of the first key.
  - 20. The method of claim 13, wherein the method is executed in a client machine from which the user attempts to access the electronic data.

21. A machine non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, the method comprising:
- generating an encrypted data portion by encrypting the electronic data with a first key according to a predetermined cipher scheme;
  
  encrypting the first key with a second key, if the electronic data is not classified;
  
  encrypting the first key with the second key together with a clearance key, if the electronic data is classified;
  
  encrypting the second key to produce an encrypted version of the second key;
  
  applying access rules to protect the encrypted version of the second key; and
  
  integrating a header with the encrypted data portion to produce a secured file, wherein the header includes the encrypted first key, the encrypted second key and the access rules.

22. A machine non-transitory computer readable medium having embodied thereon a program, the program being executable by a machine to perform a method for providing restrictive access to electronic data, wherein the electronic data is structured in a format that controls access to contents in the electronic data, the method comprising:
- obtaining an authenticated user key associated with a user attempting to access the electronic data;
  
  retrieving access rules embedded in the format to determine if the a user has proper access privilege;
  
  retrieving a second key if the user is permitted to access the electronic data;
  
  if the contents in the electronic data are classified;
  
  , obtaining a clearance key associated with the user;
  
  using the second key and the clearance key to ultimately retrieve a first key;
  
  if the contents in the electronic data are not classified;
  
  , using the second key to retrieve a first key; and
  
  decrypting, using the first key, an encryption data portion representing an encrypted version of the electronic data.

24. A method, comprising:
- encrypting electronic data with a first key in a computing device;
  
  encrypting the first key with a second key, if the electronic data is not classified;
  
  encrypting the first key with the second key and a clearance key, if the electronic data is classified;
  
  encrypting the second key to produce an encrypted version of the second key; and
  
  integrating a header to include the encrypted first key and the encrypted second key.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24, further comprising:
    - applying encrypted access rules to protect the encrypted version of the second key.
  - 26. The method of claim 24, wherein the encrypting electronic data with a first key further comprises:
    - dividing the electronic data into one or more blocks of data; and
      
      encrypting each block of data.
  - 27. The method of claim 24, wherein the clearance key corresponds to a security level.
  - 28. The method of claim 24, wherein the encrypting of the second key further comprises:
    - obtaining a public user key associated with a user; and
      
      encrypting the second key using the public user key.

29. A method, comprising:
- determining if a user has proper access privilege to electronic data;
  
  retrieving, at a computing device, a second key if the user is permitted to access the electronic data;
  
  if contents in the electronic data are classified, obtaining a clearance key associated with the user and using the second key and the clearance key to retrieve a first key;
  
  if the contents in the electronic data are not classified, using the second key to retrieve the first key; and
  
  using the first key to decrypt an encrypted data portion representing an encrypted version of the electronic data.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The method of claim 29, wherein the determining further comprises:
    - applying access rules to measure the access privilege of the user.
  - 31. The method of claim 29, wherein the clearance key corresponds to a security level.
  - 32. The method of claim 31, further comprising:
    - using the clearance key and the second key to retrieve the first key when the electronic data are classified at or lower than the security level of the clearance key.
  - 33. The method of claim 29, further comprising:
    - decrypting the second key using a private user key associated with the user.

34. A system, comprising:
- a client module configured to control access to a secured document based on a user key;
  
  a store configured to store the secured document that includes a header with a file key and a protection key;
  
  a key store configured to store the user key and a clearance key, the clearance key being utilized to access the secured document when the secured document is also classified; and
  
  a cipher module configured to perform decrypting of the file key and the protection key, whereinthe client module is configured to determine if a user has access privileges to the secured file using the decrypted user key, and if successful,the cipher module is configured to (1) decrypt the protection key with the user key and decrypt the file key, or (2) decrypt the protection key and the clearance key with the user key and decrypt the file key, if the secured document is also classified.

35. A system, comprising:
- a processor; and
  
  a memory in communication with the processor, the memory for storing a plurality of processing instructions for directing the processor to;
  
  encrypt electronic data with a first key;
  
  encrypt the first key with a second key, if the electronic data is not classified;
  
  encrypt the first key with the second key and a clearance key, if the electronic data is classified;
  
  encrypt the second key to produce an encrypted version of the second key; and
  
  integrate a header to include the encrypted first key and the encrypted second key.

36. A non-transitory computer-readable storage medium having computer program code recorded thereon that, as a result of execution by a processor, causes the processor to perform functions comprising:
- determining if a user has proper access privilege to electronic data;
  
  retrieving a second key if the user is permitted to access the electronic data;
  
  if the contents in the electronic data are classified, obtaining a clearance key associated with the user and using the second key and the clearance key to retrieve a first key;
  
  if the contents in the electronic data are not classified, using the second key to retrieve the first key; and
  
  using the first key to decrypt an encrypted data portion representing an encrypted version of the electronic data.

37. A non-signal computer-readable medium having instructions stored thereon, the instructions comprising:
- instructions to encrypt electronic data with a first key;
  
  instructions to encrypt the first key with a second key, if the electronic data is not classified;
  
  instructions to encrypt the first key with the second key and a clearance key, if the electronic data is classified;
  
  instructions to encrypt the second key to produce an encrypted version of the second key; and
  
  instructions to integrate a header to include the encrypted first key and the encrypted second key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Garcia, Denis Jacques Paul
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US12/331,083
Time in Patent Office

1,484 Days
Field of Search

380/281, 380283-284
US Class Current

713/165
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/42   Protocols for client-server...

Method and apparatus for securing digital assets

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

652 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing digital assets

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

652 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links