Multiple level access system -> Monitor Keywords
Fresh Patents
Monitor Patents Patent Organizer File a Provisional Patent Browse Inventors Browse Industry Browse Agents Browse Locations
site info Site News  |  monitor Monitor Keywords  |  monitor archive Monitor Archive  |  organizer Organizer  |  account info Account Info  |  
07/19/07 - USPTO Class 380 |  138 views | #20070165859 | Prev - Next | About this Page  380 rss/xml feed  monitor keywords

Multiple level access system

USPTO Application #: 20070165859
Title: Multiple level access system
Abstract: A method of securing an object at an access level includes selecting a profile for a user, including a credential having an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. A working key is generated by binding a domain value with a random value. The object is encrypted with the working key. A random value encryption key is generated based on the shared value by decrypting the credential public key encryption key with the profile key encryption key, decrypting the credential public key with the credential public key encryption key, generating an ephemeral key pair, and generating a shared value based on the ephemeral private key and the credential public key. The random value is encrypted with the random value encryption key, and the encrypted object, the ephemeral public key, and the encrypted random value are provided for an authorized recipient. (end of abstract)



Agent: Ip Strategies - Asheville, NC, US
Inventors: Edward M. Scheidt, Ersin Domangue
USPTO Applicaton #: 20070165859 - Class: 380255000 (USPTO)

Related Patent Categories: Cryptography, Communication System Using Cryptography

Multiple level access system description/claims


The Patent Description & Claims data below is from USPTO Patent Application 20070165859, Multiple level access system.

Brief Patent Description - Full Patent Description - Patent Application Claims
  monitor keywords

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This is a divisional of U.S. patent application Ser. No. 10/870,250, which was filed on Jun. 16, 2004, which in turn was a continuation of U.S. patent application Ser. No. 10/060,011, which was filed on Jan. 30, 2002, and is related to U.S. Provisional Patent Application Ser. No. 60/264,715, filed on Jan. 30, 2001, co-pending U.S. patent application Ser. No. 09/023,672, filed on Feb. 13, 1998, co-pending U.S. patent application Ser. No. 09/418,806, filed on Oct. 15, 1999, and co-pending U.S. patent application Ser. No. 10/060,039, filed on Jan. 30, 2002. The disclosures of all the related applications are incorporated herein in their entireties.

FIELD OF THE INVENTION

[0002] Generally, the present invention relates to techniques for controlling access to computer-based systems. In particular, the present invention relates to techniques for providing multiple-level access control to objects in a computer system.

BACKGROUND OF THE INVENTION

[0003] Access control can be defined as enforcing data-use or other object-use permissions that grant or deny access to content or applications. In this context, data-use can include a broad selection of functions such as reading, changing, executing, creating, overwriting, or deleting. The ability to change access permissions is another type of access that can be granted or denied.

[0004] Access control should be considered in a system approach in which a strong user (entity or member) identification and authorization (I&A) process plays a role. An exemplary system for user identification is described in a co-pending U.S. patent application Ser. No. 10/060,039, filed on Jan. 30, 2002, the entire disclosure of which is incorporated herein by this reference.

[0005] Thus, the goal is to provide access control to objects such as data and applications. It should be flexible and suitable for implementing a variety of different schemes, such as discretionary access controls (DAC) and mandatory access controls (MAC). The key management system should be suitable for implementing a role-based access control system (RBAC). These controls should support content-based access control architectures that provide a very granular object level enforcement or that enable an expanded access.

BRIEF SUMMARY OF THE PRESENT INVENTION

[0006] It is therefore an objective of the present invention to enforce domain member access control to CKM labeled data with cryptography--i.e. by using symmetric key algorithms, asymmetric key algorithms and cryptographic hash functions.

[0007] It is another objective of the present invention to enforce domain member access control to applications.

[0008] It is an additional objective of the present invention to control encryption (write) and decryption (read) of objects based on the content of the object.

[0009] It is also an objective of the present invention to allow credential application to restrict or broaden readership of labeled objects.

[0010] It is another objective of the present invention to provide a user interface paradigm that is intuitive and easy to use.

[0011] It is an additional objective of the present invention to provide sensitivity level or multiple-level access control such that access to credentials is dependant on the method of member identification.

[0012] It is also an objective of the present invention to enforce domain authority-dictated policies for multiple-level access control by credential category.

[0013] According to an exemplary aspect of the invention, a user's profile ("user profile") determines whether and how the user can encrypt (write) and decrypt (access) an object, which can be, for example, a data instance or a computer program. A user profile includes at least one credential, and each credential includes one or both of an asymmetric key pair: a credential public key (write authority) and a credential private key (access authority).

[0014] A user can encrypt (or write) an object with one or more particular credential public keys included in the user's profile, such that subsequent decryption of the encrypted object by another user (or the original user) requires corresponding or otherwise authorized credentials. Accordingly, a user can decrypt an encrypted object if the user possesses, in that user's profile, credentials corresponding to those with which the encrypted object was encrypted. A user can select one or more credentials with which to interact with a particular object or objects in general, or selection of credentials can be automated.

[0015] A credential and an object can correspond to a multiple-level access level ("MLA level") to effectuate a partitioned-access scheme, an access-up scheme, or an access-down scheme for encryption and decryption of objects. The MLA level of a credential can be assigned by a domain authority, whereas the MLA level of an object can be assigned based on the object's content or based on the credential(s) used to encrypt the object.

[0016] A user profile and one or more credentials included in the profile can be secured, in whole or in part, through one or more levels of encryption. Thus, a user can obtain access to the user's respective user profile and one or more particular credentials contained in the profile by providing the requisite data for respective decryption of the profile or the credentials. The requisite data can be encryption scheme data (such as one or more encryption keys, algorithm identifiers, key qualifiers, or algorithm qualifiers, for example) or instances of keying data used to generate encryption scheme data. Further, a user can provide the requisite data as required or during an identification protocol through which the user obtains access to the computer system. In either case, the requisite data can be preexisting or generated, in whole or in part, such as through a user identification and authorization scheme.

[0017] Access controls according to the present invention are enforced using cryptographic algorithms, either proprietary or standards-based. Basic read and write access is correlated to decrypt and encrypt access, respectively, through credentials. These credentials can also define different access sensitivity levels based on defined I&A. Credentials can also control access to applications.

[0018] The present invention extends enforcement through read and write access controls, using cryptography, whereas most systems, such as computer operating systems, use software to provide access enforcement. The system of the present invention can be used alone, or with operating system access controls to provide greater security. For example, the present invention can provide cryptographic enforcement of a computer file system read and write controls.

[0019] These models offer a flexible approach to I&A and can allow the domain authority to tailor I&A policies for a particular domain. The present invention can be viewed as defining different I&A schemes with different relative assurance levels that can be used within a single domain.

[0020] According to a particular aspect of the present invention, in a multi-level access system, a method of securing an object at a multiple-level access level includes receiving, from a user, a profile key encryption key corresponding to the multiple-level access level, selecting an object to secure, and selecting a profile associated with the user. The profile includes a domain value, an encrypted profile encryption key, and a credential. The credential includes an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. The method also includes selecting the credential based on a comparison of the multiple-level access level and the multiple-level access identifier, and generating a working key. Generating the working key includes generating a random value, and binding at least the domain value and the random value together to form the working key. The method also includes encrypting the object with the working key, and generating a random value encryption key. Generating the random value encryption key includes decrypting the encrypted credential public key encryption key with at least the profile key encryption key, decrypting the encrypted credential public key with at least the decrypted credential public key encryption key, generating an ephemeral key pair including an ephemeral private key and an ephemeral public key, generating a shared value based on at least the ephemeral private key and the decrypted credential public key, and generating the random value encryption key based on at least the shared value. The method also includes encrypting the random value with at least the random value encryption key, and providing the encrypted object, the ephemeral public key, and the encrypted random value for an authorized recipient. The profile can also include a profile initialization vector, in which case decrypting the encrypted credential public key encryption key can also include decrypting the encrypted credential public key encryption key with the profile key encryption key and the profile initialization vector. The credential can also include a credential initialization vector, in which case decrypting the encrypted credential public key can include decrypting the encrypted credential public key with the decrypted credential public key encryption key and the credential initialization vector. The multiple-level access level can correspond to the multiple-level access identifier, or the multiple-level access level can be identical to the multiple-level access identifier, lower than the multiple-level access identifier, or higher than the multiple-level access identifier.

Continue reading about Multiple level access system...
Full patent description for Multiple level access system

Brief Patent Description - Full Patent Description - Patent Application Claims

Click on the above for other options relating to this Multiple level access system patent application.
###
monitor keywords

How KEYWORD MONITOR works... a FREE service from FreshPatents
1. Sign up (takes 30 seconds). 2. Fill in the keywords to be monitored.
3. Each week you receive an email with patent applications related to your keywords.  
Start now! - Receive info on patent apps like Multiple level access system or other areas of interest.
###


Previous Patent Application:
Pre-expiration purging of authentication key contexts
Next Patent Application:
Method for issuing ic card storing encryption key information
Industry Class:
Cryptography

###

Design/code © 2009 FreshContext LLC/Freshpatents.com. Website Terms and Conditions - Also read: About this Page
Patent data source: patents published by the United States Patent and Trademark Office (USPTO)
Information published here is for research/educational purposes only (and in conjunction with our Keyword Monitor) and is not meant to be used in place of the full USPTO patent document/images or a comprehensive patent archive search. Complete official applications are on file at the USPTO and often contain additional data/images (Freshpatents is currently text-only). FreshPatents.com is not affiliated with or endorsed by the USPTO or firms/individuals or products/designs/ideas related to listed patents.
FreshPatents.com Support
Thank you for viewing the Multiple level access system patent info.
IP-related news and info


Results in 0.11681 seconds


Other interesting Feshpatents.com categories:
Tyco , Unilever , Warner-lambert , 3m 174 		filepatents (1K)

* Protect your Inventions
* US Patent Office filing
patentexpress PATENT INFO