Methods and systems for providing access control to electronic data

US 7,913,311 B2
Filed: 08/10/2007
Issued: 03/22/2011
Est. Priority Date: 12/12/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for controlling access to electronic data, comprising:

receiving an access request on a server machine for electronic data, wherein the request includes an identifier identifying a user and an associated client machine;

establishing a secured link between the server machine and the client machine associated with the user;

validating the user according to the identifier;

sending an authentication message to the client machine in response to determining that the user is validated, wherein the authentication message includes a user key and a link to the requested electronic data;

formatting the electronic data to include a header portion and an encrypted data portion;

controlling access to the encrypted data portion of the electronic data by constructing the header portion to contain a signature signifying that the electronic data is secured, encrypted security information with access rules controlling access to the data portion, and a key that can be retrieved to decrypt the encrypted data portion, wherein the encrypted security information is encrypted with the user key;

determining if user access to the electronic data is permitted by the access rules; and

decrypting the encrypted security information with the user key in response to determining that the user is permitted to access the electronic data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing pervasive security to digital assets are disclosed. According to one aspect of the techniques, a server is configured to provide access control (AC) management for a user (e.g., a single user, a group of users, software agents or devices) with a need to access secured data. Within the server module, various access rules for the secured data and/or access privileges for the user can be created, updated, and managed so that the user with the proper access privileges can access the secured documents if granted by the corresponding access rules in the secured data.

710 Citations

36 Claims

1. A method for controlling access to electronic data, comprising:
- receiving an access request on a server machine for electronic data, wherein the request includes an identifier identifying a user and an associated client machine;
  
  establishing a secured link between the server machine and the client machine associated with the user;
  
  validating the user according to the identifier;
  
  sending an authentication message to the client machine in response to determining that the user is validated, wherein the authentication message includes a user key and a link to the requested electronic data;
  
  formatting the electronic data to include a header portion and an encrypted data portion;
  
  controlling access to the encrypted data portion of the electronic data by constructing the header portion to contain a signature signifying that the electronic data is secured, encrypted security information with access rules controlling access to the data portion, and a key that can be retrieved to decrypt the encrypted data portion, wherein the encrypted security information is encrypted with the user key;
  
  determining if user access to the electronic data is permitted by the access rules; and
  
  decrypting the encrypted security information with the user key in response to determining that the user is permitted to access the electronic data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the electronic data is one or more of streaming audio, streaming video, streaming multimedia, electronic files, electronic documents, images, executable code, audio files, databases, database tables, database table records, collections of electronic collections of electronic documents, stored passwords, stored ciphers, public encryption keys, private encryption keys, and multimedia files.
  - 3. The method of claim 2, wherein the streaming audio is one or more of MP3, audio streams created from Real Player applications, Windows Media audio streams, Streaming Download Project (SDP) streams, unicast data streams created from MICROSOFT™
    - Media Services (MMS) applications, and Real Time Streaming Protocol (RTSP) streams.
  - 4. The method of claim 2, wherein the streaming video is one or more of streaming Flash Video, SDP streams, MMS streams, and RTSP streams.
  - 5. The method of claim 2, wherein the images are one or more of Joint Photographic Experts Group (JPEG, JPG), Tagged Image File Format (TIFF), bitmapped graphics format (BMP, DIB), Portable Network Graphics (PNG), PICT (PICT, PCT, PIC), TARGA File Format (TGA, TPIC) files, PSD image files created from ADOBE™
    - PHOTOSHOP™
      
      applications, QTIF and QTI images created from QUICKTIME™
      
      applications, SGI and RGB images created from SILICON GRAPHICS™
      
      applications, and Graphics Interchange Format (GIF) images.
  - 6. The method of claim 2, wherein the multimedia files are one or more of Flash Video (FLV) files, FLC, FLI, and CEL files created from AUTODESK ANIMATOR™
    - applications, MOV, QT, and MQV files created from QUICKTIME™
      
      applications SWF objects created from SHOCKWAVE™
      
      Flash applications, Video for Windows (AVI), Digital Video (DV) files, and executable code.
  - 7. The method of claim 2, wherein the audio files are one or more of MPEG Layer-3 (MP3) files, MP3 playlists (M3U, M3URL), Audio Interchange File Format (AIFF, AIF, AIFC, CDDA) audio files, uLaw/AU audio (AU, SND, ULW) files, Musical Instrument Digital Interface (MIDI) files, QCP files created from QUALCOMM PUREVOICE™
    - applications, SD2 files created from SOUND DESIGNER II™
      
      applications, GSM, AMR, AAC, ADTS, CAF, Wave (WAV) files, and Broadcast Wave Format (BWF) audio files.
  - 8. The method of claim 1, wherein the user is one or more of a human user, a group of human users, a software agent, a group of software agents, a software application, a database query, devices, and executing computer processes that submit or spawn requests for electronic data and can be associated with a user key.
  - 9. The method of claim 1, wherein the client machine associated with the user is one or more of personal computers (PCs), computer terminals, mobile phones, personal digital assistants (PDAs), pocket PCs, smart phones, hand held computers, palmtop computers, laptop computers, tablet PCs, ultra-mobile PCs, and other wireless and non-wireless machines capable of establishing a secured link with the server machine.

10. A non-transitory computer readable medium having executable instructions stored thereon, the instructions comprising:
- instructions to receive authentication requests containing a user key and an identifier identifying a user and a client machine associated with the user;
  
  instructions to parse authentication requests to identify the user and the client machine contained within the identifier;
  
  instructions to establish a secured link with the client machine;
  
  instructions to authenticate the user according to the identifier;
  
  instructions to send an authentication message including the user key to the client machine in response to determining that the user is authenticated;
  
  instructions to activate the user key in the client machine when the authentication message is sent;
  
  instructions to provide access control management to electronic data wherein the electronic data includes an encrypted data portion and encrypted security information with access rules and a file key; and
  
  instructions to decrypt;
  
  using the user key, the file key; and
  
  using the file key, the encrypted data portion in response to determining that user access is permitted by the access rules.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer readable medium of claim 10, wherein the electronic data is one or more of streaming audio, streaming video, streaming multimedia, electronic files, electronic documents, images, executable code, audio files, databases, database tables, database table records, collections of electronic files, collections of electronic documents, stored passwords, stored ciphers, public encryption keys, private encryption keys, and multimedia files.
  - 12. The non-transitory computer readable medium of claim 11, wherein the streaming audio is one or more of MP3, audio streams created from Real Player applications, Windows Media audio streams, Streaming Download Project (SDP) streams, unicast data streams created from MICROSOFT™
    - Media Services (MMS) applications, and Real Time Streaming Protocol (RTSP) streams.
  - 13. The non-transitory computer readable medium of claim 11, wherein the streaming video is one or more of streaming Flash Video, SDP streams, MMS streams, and RTSP streams.
  - 14. The non-transitory computer readable medium of claim 11, wherein the images are one or more of Joint Photographic Experts Group (JPEG, JPG), Tagged Image File Format (TIFF), bitmapped graphics format (BMP, DIB), Portable Network Graphics (PNG), PICT (PICT, PCT, PIC), TARGA File Format (TGA, TPIC) files, PSD image files created from ADOBE™
    - PHOTOSHOP™
      
      applications QTIF and QTI images created from QUICKTIME™
      
      applications, SGI and RGB images created from SILICON GRAPHICS™
      
      applications, and Graphics Interchange Format (GIF) images.
  - 15. The non-transitory computer readable medium of claim 11, wherein the multimedia files are one or more of Flash Video (FLV) files, FLC, FLI, and CEL files created from AUTODESK ANIMATOR™
    - applications, MOV, QT, and MQV files created from QUICKTIME™
      
      applications, SWF objects created from SHOCKWAVE™
      
      Flash applications, Video for Windows (AVI), Digital Video (DV) files, and executable code.
  - 16. The non-transitory computer readable medium of claim 11, wherein the audio files are one or more of MPEG Layer-3 (MP3) files, MP3 playlists (M3U, M3URL), Audio Interchange File Format (AIFF, AIF, AIFC, CDDA) audio files, uLaw/AU audio (AU, SND, ULW) files, Musical Instrument Digital Interface (MIDI) files, QCP files created from QUALCOMM PUREVOICE™
    - applications SD2 files created from SOUND DESIGNER II™
      
      applications, GSM, AMR, AAC, ADTS, CAF, Wave (WAV) files, and Broadcast Wave Format (BWF) audio files.
  - 17. The non-transitory computer readable medium of claim 10, wherein the user is one or more of a human user, a group of human users, a software agent, a group of software agents, a software application, a database query, devices, and executing computer processes that submit or spawn requests for electronic data and can be associated with a user key.
  - 18. The non-transitory computer readable medium of claim 10, wherein the client machine associated with the user is one or more of personal computers (PCs), computer terminals, mobile phones, personal digital assistants (PDAs), pocket PCs, smart phones, hand held computers, pocket computers, palmtop computers, laptop computers, tablet PCs, ultra-mobile PCs and other wireless and non-wireless machines capable of establishing a secured link with the server machine.

19. A non-transitory computer readable medium having instructions stored thereon, the instructions comprising:
- instructions to receive a request to access secured electronic data at a server computer, wherein the electronic data includes a header and an encrypted data portion, the header further including encrypted security information including at least access rules and a file key, and wherein the request includes a user key, and an identifier identifying a user and a client machine associated with the user;
  
  instructions to establish a secured link between the server and the client machine associated with the user;
  
  instructions to authenticate the user in the server based on the user and client machine information in the identifier;
  
  instructions to decrypt the security information in the header of the requested secured electronic data using the user key;
  
  instructions to retrieve the file key retrieved from the header;
  
  instructions to retrieve access rules from the security information;
  
  instructions to determine from the access rules if the user has necessary access privileges to access the encrypted data portion;
  
  instructions to decrypt the encrypted data portion in response to determining that the user has necessary access privileges to access the encrypted data portion; and
  
  instructions to provide user access to the decrypted data portion via the secured link established between the server and the client machine associated with the user.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer readable medium of claim 19, wherein the electronic data is one or more of streaming audio, streaming video, streaming multimedia, electronic files, electronic documents, images, executable code, audio files, databases, database tables, database table records, collections of electronic files, collections of electronic documents, stored passwords, stored ciphers, public encryption keys, private encryption keys, and multimedia files.
  - 21. The non-transitory computer readable medium of claim 20, wherein the streaming audio is one or more of MP3, audio streams created from Real Player applications, Windows Media audio streams, Streaming Download Project (SDP) streams, unicast data streams created from MICROSOFT™
    - Media Services (MMS) applications, and Real Time Streaming Protocol (RTSP) streams.
  - 22. The non-transitory computer readable medium of claim 20, wherein the streaming video is one or more of streaming Flash Video, SDP streams, MMS streams, and RTSP streams.
  - 23. The non-transitory computer readable medium of claim 20, wherein the images are one or more of Joint Photographic Experts Group (JPEG, JPG), Tagged Image File Format (TIFF), bitmapped graphics format (BMP, DIB), Portable Network Graphics (PNG), PICT (PICT, PCT, PIC), TARGA File Format (TGA, TPIC) files, PSD image files created from ADOBE™
    - PHOTOSHOP™
      
      applications QTIF and QTI images created from QUICKTIME™
      
      applications, SGI and RGB images created from SILICON GRAPHICS™
      
      applications, and Graphics interchange Format (GIF) images.
  - 24. The non-transitory computer readable medium of claim 20, wherein the multimedia files are one or more of Flash Video (FLV) files, FLC, FLI, and CEL files created from AUTODESK ANIMATOR™
    - applications, MOV, QT, and MQV files created from QUICKTIME™
      
      applications, SWF objects created from SHOCKWAVE™
      
      Flash applications, Video for Windows (AVI), Digital Video (DV) files, and executable code.
  - 25. The non-transitory computer readable medium of claim 20, wherein the audio files are one or more of MPEG Layer-3 (MP3) files, MP3 playlists (M3U, M3URL), Audio Interchange File Format (AIFF, AIF, AIFC, CDDA) audio files, uLaw/AU audio (AU, SND, ULW) files, Musical Instrument Digital Interface (MIDI) files, QCP files created from QUALCOMM PUREVOICE™
    - applications, SD2 files created from SOUND DESIGNER II™
      
      applications, GSM, AMR, AAC, ADTS, CAF, Wave (WAV) files, and Broadcast Wave Format (BWF) audio files.
  - 26. The non-transitory computer readable medium of claim 20, wherein the user is one or more of a human user, a group of human users, a software agent, a group of software agents, a software application, a database query, devices, and executing computer processes that submit or spawn requests for electronic data and can be associated with a user key.
  - 27. The non-transitory computer readable medium of claim 20, wherein the client machine associated with the user is one or more of personal computers (PCs), computer terminals, mobile phones, personal digital assistants (PDAs), pocket PCs, smart phones, hand held computers, pocket computers, palmtop computers, laptop computers, tablet PCs, ultra-mobile PCs and other wireless and non-wireless machines capable of establishing a secured link with the server machine.

28. A system for providing access control management to electronic data, comprising:
- a server machine;
  
  a link module executable in the server machine configured to establish a secured link between the server machine and a client machine when an access request containing an access request identifier identifying at least a user and an associated client machine is received at the server machine from the client machine;
  
  an authentication module executable in the server machine configured to authenticate the user and client machine according to the user and client machine identified in the access request identifier;
  
  a document securing module executable in the server machine configured to secure electronic data in a format including security information in a header that includes encrypted security information controlling access to the encrypted data portion and a signature signifying that the electronic data is secured, and an encrypted data portion;
  
  a key issuing module executable in the server machine configured to issue a user key after the user has been authenticated by the authentication module, wherein the user key is used to decrypt the encrypted security information, wherein the security information includes a set of access rules and a file key;
  
  a rule processing module executable in the server machine configured to decrypt and retrieve access rules from the security information and measure the retrieved access rules against the access privileges of the user requesting access to the secured document;
  
  a cipher module executable in the server machine configured to decrypt and retrieve the file key from the security information and subsequently decrypt the encrypted data portion using the file key; and
  
  a document release module executable in the server machine configured to fulfill the access request by releasing a decrypted version of a requested document to a user via the secured link established by the link module in response to determining that the authentication module has authenticated both the user and client machine and the and rule processing module determines that the user is permitted to access the requested electronic data.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The system of claim 28, wherein the electronic data is one or more of:
    - streaming audio, streaming video, streaming multimedia, electronic files, electronic documents, images, executable code, audio files, databases, database tables, database table records, collections of electronic files;
      
      collections of electronic documents, stored passwords, stored ciphers, public encryption keys, private encryption keys, and multimedia files.
  - 30. The system of claim 29, wherein the streaming audio is one or more of MP3, audio streams created from Real Player applications, Windows Media audio streams, Streaming Download Project (SDP) streams, unicast data streams created from MICROSOFT™
    - Media Services (MMS) applications, and Real Time Streaming Protocol (RTSP) streams.
  - 31. The system of claim 29, wherein the streaming video is one or more of streaming Flash Video, SDP streams, MMS streams, and RTSP streams.
  - 32. The system of claim 29, wherein the images are-one or more of Joint Photographic Experts Group (JPEG, JPG), Tagged Image File Format (TIFF), bitmapped graphics format (BMP, DIB), Portable Network Graphics (PNG), PICT (PICT, PCT, PIC), TARGA File Format (TGA, TPIC) files, PSD image files created from ADOBE™
    - PHOTOSHOP™
      
      applications QTIF and QTI images created from QUICKTIME™
      
      applications, SGI and RGB images created from SILICON GRAPHICS™
      
      applications, and Graphics Interchange Format (GIF) images.
  - 33. The system of claim 29, wherein the multimedia files are one or more of Flash Video (FLV) files, FLC, FLI, and CEL files created from AUTODESK ANIMATOR™
    - applications, MOV, QT, and MQV files created from QUICKTIME™
      
      applications, SWF objects created from SHOCKWAVE™
      
      Flash applications, Video for Windows (AVI), Digital Video (DV) files, and executable code.
  - 34. The system of claim 29, wherein the audio files are one or more of MPEG Layer-3 (MP3) files, MP3 playlists (M3U, M3URL), Audio Interchange File Format (AIFF, AIF, AIFC, CDDA) audio files, uLaw/AU audio (AU, SND, ULW) files, Musical Instrument Digital Interface (MIDI) files, QCP files created from QUALCOMM PUREVOICE™
    - applications, SD2 files created from SOUND DESIGNER II™
      
      applications, GSM, AMR, AAC, ADTS, CAF, Wave (WAV) files, and Broadcast Wave Format (BWF) audio files.
  - 35. The system of claim 29, wherein the user is one or more of a human user, a group of human users, a software agent, a group of software agents, a software application, a database query, devices, and executing computer processes that submit or spawn requests for electronic data and can be associated with a user key.
  - 36. The system of claim 29, wherein the client machine associated with the user is one or more of personal computers (PCs), computer terminals, mobile phones, personal digital assistants (PDAs), pocket PCs, smart phones, hand held computers, pocket computers, palmtop computers, laptop computers, tablet PCs, ultra-mobile PCs and other wireless and non-wireless machines capable of establishing a secured link with the server machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Alain, Rossmann, Ouye, Michael Michio, Zuili, Patrick, Supramaniam, Senthilvasan, Humpich, Serge, Lee, Chang-Ping, Garcia, Denis Jacques Paul, Hilderbrand, Hal, Vainstein, Klimenty, Ryan, Nicholas Michael, Huang, Weiqing
Primary Examiner(s)
KIM, JUNG W

Application Number

US11/889,310
Publication Number

US 20080034205A1
Time in Patent Office

1,320 Days
Field of Search

None
US Class Current

726/28
CPC Class Codes

G06F 12/00   Accessing, addressing or al...

G06F 12/14   Protection against unauthor...

G06F 21/00   Security arrangements for p...

G06F 21/6209   to a single file or object,...

G06F 21/6227   where protection concerns t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 67/01   Protocols

H04L 9/40   Network security protocols

Methods and systems for providing access control to electronic data

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

710 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for providing access control to electronic data

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

710 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links