CA2118246A1 - Data enclave and trusted path system - Google Patents

Data enclave and trusted path system

Info

Publication number
CA2118246A1
Authority
CA
Canada
Prior art keywords
media
user
key
uid
data
Prior art date
Legal status
Abandoned
Application number
CA002118246A
Other languages
French (fr)
Inventor
William E. Boebert
Thomas R. Markham
Robert A. Olmsted
Current Assignee
Secure Computing LLC
Original Assignee
Individual
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/009 Trust

Abstract

A data communication system providing for the secure transfer and sharing of data via a local area network and/or a wide area network. The system includes a secure processing unit which communicates with a personal keying device and a crypto media controller attached to a user's workstation. The communication between these processing elements generates a variety of data elements including keys, identifiers, and attributes. The data elements are used to identify and authenticate the user, assign user security access rights and privileges, and assign media and device attributes to a data access device according to a predefined security policy.
The data elements are manipulated, combined, protected, and distributed through the network to the appropriate data access devices, which prevents the user from obtaining unauthorized data.

Description


CRYPTOGRAPHIC DATA SECURITY IN A SECURED COMPUTER SYSTEM

Field of the Invention

This invention relates generally to data communication systems, and more specifically to secure data processing on a data communication system.

Background of the Invention

Data Enclave

Individuals working in a departmental computing environment typically have a substantial amount of computing power on their desks in the form of personal computers and workstations. A workstation has a computational subsystem, keyboard, and display for user interaction, and typically substantial amounts of local data storage in the form of fixed and removable media.
In order for the individuals in the departmental computing environment to interact and share data, their workstations are typically attached to a local area network (LAN) which permits the transfer of data files and electronic mail between the workstations. In addition, "servers" may be attached to the LAN to provide specialized services, such as the management of centralized databases, which are not practical for individual workstations.
Departmental computing environments are typically members of a larger organization or have other reasons to communicate with computing facilities outside themselves. They therefore make use of a special kind of server, called a "gateway", to gain access to a wide area network (WAN). WANs are often interconnected (called "internetting") to provide world-wide data transmission paths.

Departmental Computing Environment

A typical overall departmental computing environment is shown in Figure 1. In the departmental computer environment 1, large amounts of valuable data are stored on magnetic or other electronic Media 2, 4 for processing in the Workstations 10 and file servers (not shown). This media offers the benefits of compact storage, easy retrieval, and in the case of removable Media 4 (e.g., "diskettes"), convenient sharing and distribution.
In addition, data is transmitted freely around the Local Area Network 12 and occasionally through a Gateway 14 to the Wide Area Network 16 and Remote Sites 18. This transmission is necessary in order for the organization performing departmental computing to perform its internal work and interact with the outside world.
There is also a requirement that certain operations, including but not limited to the transmission of data to the outside world, be restricted to individuals who possess special privileges. Examples of such operations are messages (electronic mail) which are directive in nature, such as orders to transfer funds, and operations such as the adding of new users or the granting of limited access to departmental data to users on the Wide Area Network 16 (remote login and file transfer).

Threats Against the Departmental Computing Environment

The threats against the departmental computing environment are shown in Figure 2.
The data in this environment is vulnerable to theft and tampering. Removable media can be stolen, copied, and returned with no sign that loss has occurred. The fruits of thousands of hours of labor can be stolen in a package that fits easily in a coat pocket. Crucial data can be modified or destroyed, either directly or through the agency of technical entities such as "viruses", which are introduced into the Workstations 10 and servers through the agency of corrupted media or through the wide area network connection.
There are also threats to the privileged operations. Unauthorized individuals, masquerading as someone else, can cause disruptive or erroneous directives to be issued and thereby perpetrate sabotage and fraud. Malicious "hackers" with access to the wide area network can use that network to "reach in" to the departmental computing environment and masquerade as authorized users or otherwise obtain access to data, which they can then transfer worldwide, again with no sign that compromise has occurred.
Accordingly, there is a need for techniques whereby a departmental computing system 1 can be converted into a "data enclave." Within such an enclave:
(1) Data can be restricted to a single organization, such as a government agency or a corporation.
(2) Sharing of data between organizational elements (directorates, departments, projects, etc.) can be controlled. For example, it may be required that data such as a telephone directory be accessible by every employee, but data such as engineering drawings should not be allowed to circulate throughout the whole corporation.
(3) Sharing of data between individuals in organizational elements can be controlled. For example, even though an individual is a member of the engineering department, that individual may not have a "need to know" for all of the drawings in the department.
(4) Data is protected from technical attacks such as "viruses" and "worms."
(5) Intellectual property is protected irrespective of whether it is on electronic media, being processed in a Workstation, or being transferred around the local area network.
(6) The protections are achieved with minimum cost and disruption of operations, such as would occur if access to the wide area network were forbidden.
(7) Privileged operations are restricted to those users possessing the requisite privileges and cannot be invoked, through masquerading or other technical means, by unauthorized users.

As shown in overview form in Figure 3, and as will be described more fully in the Detailed Description of the Invention, the facilities provided by the present invention convert a departmental computing environment into a "data enclave" 20 with a well-defined perimeter 22. Sharing of data within the Enclave 20 is controlled, and movement of data within and outside the enclave can only be effected by authorized individuals with suitable privilege. There are no "sneak paths" or "holes" that exist.
The present invention also minimizes the damage that can be done by privileged individuals who become subverted. Cryptographic keys are transmitted and stored entirely in enciphered form, and well-known techniques (called "antitamper" technology) can be used to protect an enclave key when it is in use inside a cryptographic device. Theft of elements of the present invention does not compromise any part of the operation of the invention.
Individuals desiring access to Media 2,4 have to deal with a Secure Computer 24, in this case a security server, only when Media 2,4 is initialized. "Unlocking" a unit of Media 2,4 requires an operation no more complicated than using a television remote control. Overhead and delay is concentrated at the time a Media 2,4 is "unlocked", and no delays or incompatibilities are introduced during operations using the Media 2 or 4.


Remotely invoked privileged operations at the security server 24 are under the positive control of the user. That control is cryptographically protected and mutually authenticated.
Identification and authentication of users to the security server 24 is both simpler and more robust than former implementations such as passwords. The same basic steps are used for security operations dealing with Media 2,4 and dealing with the security server 24.
In the data protection area, the system associates Media 2 or 4 primarily with users and secondarily with machines or Workstations 10. This is a more natural structure than one where media is only useable on a single machine or Workstation 10.
Control logic computes allowed access at the last possible moment using the combination of an "access vector" assigned to an individual and the "device attributes" assigned to a particular Workstation 10, which can be used to enforce a variety of security policies. For example, an individual's access to data may be restricted not only on the basis of the individual's attributes but also to protected physical locations. Thus an individual's access vector may grant "read" access to a unit of media which contains proprietary engineering data, but the comparison against the device attributes of the machine making the access may restrict display of the contents of the unit of media to those machines inside a particular facility or office. Physical security measures can then be used to restrict who may be in the vicinity when the data is displayed.
Previous implementations in this area have permitted only an "all or nothing" approach to access.

Trusted Path

The problems addressed by the Trusted Path functions arise because of the use of networks 12 and Workstations 10 to communicate between human users and secure computers 24. Malicious hardware and/or software in the Workstation 10 or network, possibly operating in concert with a subverted user, has the ability to perform the following hostile actions.
(1) Masquerade as a secure computer. In this attack, a bogus secure computer (not shown) is installed on the Network 12 and logically interposed between the legitimate Secure Computer 24 and the human user. The bogus secure computer then makes requests of the human user, displays forged or modified data, or otherwise induces the user to perform some insecure act. For example, the bogus secure computer may intercept and discard a message giving a critical order, while all the time presenting displays to the human user which indicate that the message was sent.
(2) Masquerade as a user site. This is the symmetric attack to that described in the previous paragraph. A bogus user site (not shown) is interposed between the legitimate human user and the Secure Computer 24. This bogus user site then accesses data, or performs operations, which are in violation of the security policy. The location of the bogus user site enables it to intercept responses from the Secure Computer 24, so that the legitimate user is unaware that a bogus site is on the network. The bulk of the so-called "hacker" attacks that appear in the popular press are of this class.
(3) Masquerade as another user. In this attack, a subverted or malicious individual gains access to a legitimate site, but then is able to masquerade as a different, and in general more privileged, human user. The majority of the so-called "insider" attacks are of this form.
(4) Surreptitiously transform data. This is a sophisticated and extremely dangerous form of attack in which some intermediate element in the path between the human user 5 and the secure computer performs "two-faced" actions. That is, the element displays one set of data to the human user 5 while simultaneously transmitting something else to the Secure Computer 24. For example, malicious software in a Workstation may be programmed to detect a funds transfer order, and then modify the amount or the recipient in ways not intended by the human user 5.
(5) Misdirect or appropriate cryptographic keys. In this attack, some intermediate element diverts, copies, or otherwise appropriates cryptographic keys destined to some authorized user 5 and redirects them to unauthorized persons who have obtained cryptographic devices and wish to use them to either decrypt intercepted data or prepare and encipher forgeries of data to be submitted to the secure computer.
The Trusted Path, according to the present invention, is used for security-relevant interactions between a human user and a Secure Computer 24. These interactions fall into four broad categories, as set forth below.

(1) Identification and Authentication. In these operations, the human user is identifying himself or herself to the Secure Computer 24 for purposes of secure processing. There are two aspects to identification and authentication: authenticating the identity of the human user and authenticating the location (e.g. a Workstation 10) from which the human user is accessing the Secure Computer 24. Both aspects are used by the Secure Computer 24 to determine the nature of information it will display to, or the kinds of actions it will permit to be initiated by, the human user. The use of both aspects enables the implementation of sophisticated security policies by the Secure Computer 24. For example, an individual may be authorized to access engineering drawings, but only from terminals located inside the engineering area; even though the individual is authorized for the information, the policy may prohibit the individual from exercising the authorization when in a residence or temporary lodgings.
(2) Trusted Command Initiation. These are operations performed by the human user which have serious security consequences; they will, in general, involve the exercise of some special privilege by the user. An example of trusted command initiation is the decision to override the security policy enforced by the secure computer and release data to persons who would normally be unauthorized to access it. Such a facility is necessary to prevent the security policy from interfering with proper operation in exceptional or emergency situations. Another example is the exercise by a human user of the privilege to send an official, cryptographically authenticated message which has the effect of an order or directive.
(3) Trusted Review. These are operations in which the human user wishes to be assured that some element of data contained in the Secure Computer 24 is exactly as the user intended. For example, a human user may wish to perform a trusted review of the aforementioned directive prior to performing the trusted command which adds an authenticator to the message and releases it as "signed" by that user.
(4) Key Management. In these operations, the user is obtaining cryptographic keys from some central key distribution center and loading them into local cryptographic devices 26 at the user's Workstation 10.

The protocols of the Trusted Path are arranged so that all security alarms are raised at specified secure computers 24, and there is no user responsibility for responding to an alarm. This feature is an improvement over traditional cryptographic checksum and other means which display alarms to users and require them to notify the proper authorities, since it permits the present invention to provide security for users 5 who may be in physical locations where such notification is not possible.
The protocols in the Trusted Path operate at Layers 5, 6, and 7 of the ISO standard for communications protocols. This means that they are independent of the nature or topology of the network. All prior means for achieving Trusted Path have depended somewhat on the nature or topology of the network.
The elements of the present invention are either free-standing units, parts of an already distinguished Secure Computer 24, or devices which attach to existing interfaces to commercial Workstations 10. The only modification required to a commercial Workstation 10 is a software modification. No security reliance is placed on this modification, so that it can be rapidly and economically made to the software of a wide variety of commercial units.
The present invention uses a small number of special elements in a wide variety of ways. Maximum use is made of the cryptographic devices, which are typically the most expensive parts of a data security device. The same devices are used for media protection and authenticated interactions with the Secure Computer 24. Moreover, the elements of the invention are such that they can be constructed from readily available commercial technology.

Summary of the Invention

The present invention provides a data enclave for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, with one or more of the workstations including the physical units of fixed media. Protected storage is provided in the server and in each of the workstations, which also each include a crypto media controller that can be used to read the fixed media and the removable media.
A personal keying device is assigned to each user in the enclave, and an enclave key is held in the protected storage in the server and in each of the workstations, and used to protect other keys stored or transmitted on the network. Each user is provided a personal identification number (PIN). A user unique identifier (user UID) is assigned to each user in the enclave and is stored in the user's personal keying device encrypted with the enclave key. User attributes are associated with each user to which a user UID has been assigned, and used to represent the privileges and other security related information that pertains to that user.
A media key is provided for each unit of media, and used to encrypt and protect data carried on the media, with the media keys stored in the personal keying devices. A media unique identifier (media UID) is provided for each unit of media, stored on the media, and used to identify the corresponding media key for the unit of media stored in a personal keying device, and to identify media attributes assigned to the unit of media.
Media attributes are associated with each unit of media to which a media UID has been assigned, and used to represent the sensitivity or other security related information that may pertain to the data carried on that unit of media. An access vector is associated with each media key to form media key/access vector pairs, stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs, with each access vector formed using the corresponding media attributes and user attributes, and a set of access rules. The media key/access vector pairs are stored in the personal keying devices enciphered with a combined key including the user's UID, the user's PIN and the enclave key. Device attributes are assigned to each workstation, stored in that device's crypto media controller, and used to represent the security attributes of the workstations.
Each crypto media controller includes access control logic for restricting access to the data on the media based on the user's PIN, the access vector and the device attributes for the workstation from which access is attempted.
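The data elements of this summary (enclave key, user UID and PIN, media UID, media key/access vector pairs, device attributes) and the last-moment access computation from the earlier access vector discussion, modelled as an added Python example; this is not the patent's own code. Assumptions: the combined key is SHA-256 over the enclave key, UID and PIN; the pair is enciphered with an HMAC-based encrypt-then-MAC stand-in for the enclave's cipher; the access rules, attributes and PIN are sample values; and the security server learns the PIN from the user's request packet.

```python
import hashlib
import hmac
import json
import secrets

def combined_key(enclave_key, user_uid, pin):
    # Combined key from enclave key, user UID and PIN (assumed derivation: SHA-256 of the concatenation).
    return hashlib.sha256(b"combined:" + enclave_key + user_uid + pin.encode()).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, an assumed stand-in for the enclave's cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Plaintext, or None if the key is wrong (e.g. a wrong PIN) or the record was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def access_rules(user_attrs, media_attrs):
    """Form an access vector from user and media attributes (sample rules, assumed for illustration)."""
    vector = {"read": False, "write": False, "locations": []}
    if user_attrs["clearance"] < media_attrs["sensitivity"]:
        return vector  # no need-to-know: an empty vector
    vector["read"] = True
    vector["write"] = user_attrs["department"] == media_attrs["owner_department"]
    # Sensitive media may only be displayed at designated locations; "*" means anywhere.
    vector["locations"] = (list(media_attrs["allowed_locations"])
                           if media_attrs["sensitivity"] >= 2 else ["*"])
    return vector

class PersonalKeyingDevice:
    def __init__(self, user_uid):
        self.user_uid, self.pairs = user_uid, {}  # pairs: media UID -> sealed media key/access vector

class SecurityServer:
    def __init__(self, enclave_key):
        self.enclave_key, self.users, self.media = enclave_key, {}, {}

    def enroll_user(self, attrs):
        uid = secrets.token_bytes(8)
        self.users[uid] = attrs
        return PersonalKeyingDevice(uid)

    def initialize_media(self, attrs):
        media_uid = secrets.token_hex(8)  # the media UID is stored on the unit of media itself
        self.media[media_uid] = (secrets.token_bytes(32), attrs)  # fresh media key, media attributes
        return media_uid

    def assign_key(self, pkd, pin, media_uid):
        """Key Assignment: compute the access vector and load the enciphered pair into the PKD.
        Assumes the server learns the PIN from the user's request packet."""
        media_key, media_attrs = self.media[media_uid]
        vector = access_rules(self.users[pkd.user_uid], media_attrs)
        record = json.dumps({"media_key": media_key.hex(), "access_vector": vector}).encode()
        pkd.pairs[media_uid] = seal(combined_key(self.enclave_key, pkd.user_uid, pin), record)

class CryptoMediaController:
    def __init__(self, enclave_key, device_attrs):
        self.enclave_key, self.device_attrs = enclave_key, device_attrs  # protected storage, e.g. location

    def unlock(self, media_uid, pkd, pin):
        """Return {'media_key', 'allowed'} or None; access is computed at the last possible moment."""
        blob = pkd.pairs.get(media_uid)
        if blob is None:
            return None  # this user was never assigned a key for the media
        record = unseal(combined_key(self.enclave_key, pkd.user_uid, pin), blob)
        if record is None:
            return None  # wrong PIN: the pair does not decipher
        pair = json.loads(record)
        vector = pair["access_vector"]
        here = "*" in vector["locations"] or self.device_attrs["location"] in vector["locations"]
        allowed = {op for op in ("read", "write") if vector[op] and here}
        return {"media_key": bytes.fromhex(pair["media_key"]), "allowed": allowed} if allowed else None

def demo():
    # Engineer with sensitive drawings: unlocked in the engineering area, refused from a residence.
    enclave_key = secrets.token_bytes(32)
    server = SecurityServer(enclave_key)
    engineer = server.enroll_user({"department": "engineering", "clearance": 2})
    drawings = server.initialize_media({"sensitivity": 2, "owner_department": "engineering",
                                        "allowed_locations": ["engineering-area"]})
    server.assign_key(engineer, "4711", drawings)
    eng_ws = CryptoMediaController(enclave_key, {"location": "engineering-area"})
    home_ws = CryptoMediaController(enclave_key, {"location": "residence"})
    return {"in_facility": eng_ws.unlock(drawings, engineer, "4711"),
            "at_home": home_ws.unlock(drawings, engineer, "4711"),
            "wrong_pin": eng_ws.unlock(drawings, engineer, "0000")}
```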


According to another aspect of the invention, there is provided a Trusted Path for communication between a workstation and a secure computer over an untrusted communication medium, the Trusted Path comprising a logic and control unit in the workstation and in the secure computer, and an end-to-end authentication token exchange protocol used to assure the logic and control unit in the workstation is communicating with an authentic logic and control unit in the secure computer, and vice versa. The token exchange protocol operates by chaining transactions together so that a forged transaction entered into the interaction between workstation and secure computer is detected the very next time a legitimate transaction is received by a logic and control unit. The system further includes a cryptographic checksum protocol used to assure transactions between the logic and control units have not been tampered with, the checksum protocol authenticating single transactions between the workstation and the secure computer rather than sequences of transactions. The system also includes an identification and authentication protocol invoked when a user wishes to interact with the secure computer for some period of time, using the keyboard and display of the workstation and the untrusted communications medium, the period of interaction being a session, the act of initiating a session being called logon, and that of terminating one being called logout.
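The chained token exchange and the per-transaction checksum described here, with alarms raised at the secure computer rather than shown to the user, as an added Python model that is not the patent's own protocol. Assumed construction: each transaction's token is an HMAC over the previous token and the payload, the checksum is an HMAC over the payload alone, and the session key, nonce and orders are constructed values; the "intercept and discard" attack from the Trusted Path threat list is the case the chain catches and the checksum alone does not.

```python
import hashlib
import hmac

class ChainAlarm(Exception):
    """Raised by a logic and control unit when a transaction fails the checksum or the chain."""

def checksum(key, payload):
    # Cryptographic checksum protocol: authenticates a single transaction on its own.
    return hmac.new(key, b"chk:" + payload, hashlib.sha256).digest()

class LogicAndControlUnit:
    """One end of the Trusted Path (the workstation's or the secure computer's unit).

    Assumed construction: each transaction's authentication token is an HMAC over the token of
    the previous transaction and the new payload, so a unit's current token summarises the whole
    sequence it has sent and received in this session."""

    def __init__(self, name, session_key, session_nonce):
        self.name, self.key = name, session_key
        self.token = hmac.new(session_key, b"start:" + session_nonce, hashlib.sha256).digest()
        self.alarms = []   # alarms are recorded at the unit, not shown to the user

    def _next_token(self, payload):
        return hmac.new(self.key, self.token + payload, hashlib.sha256).digest()

    def send(self, payload):
        """Build a transaction (payload, checksum, token) and advance this unit's chain."""
        self.token = self._next_token(payload)
        return (payload, checksum(self.key, payload), self.token)

    def receive(self, transaction):
        """Check the transaction's checksum and then whether it chains onto the last one seen."""
        payload, chk, token = transaction
        if not hmac.compare_digest(checksum(self.key, payload), chk):
            self.alarms.append(("bad checksum", payload))
            raise ChainAlarm(f"{self.name}: checksum failure on {payload!r}")
        if not hmac.compare_digest(self._next_token(payload), token):
            self.alarms.append(("chain break", payload))
            raise ChainAlarm(f"{self.name}: transaction does not chain: {payload!r}")
        self.token = token
        return payload

def run_exchange(drop_index=None):
    """Workstation sends orders and receives acknowledgments; an interposed element may silently
    discard the order at drop_index. Returns the orders the secure computer accepted and its alarms.
    Session key, nonce and orders are constructed values."""
    key, nonce = b"\x11" * 32, b"session-0001"
    workstation = LogicAndControlUnit("workstation", key, nonce)
    secure_computer = LogicAndControlUnit("secure computer", key, nonce)
    orders = [b"LOGON alice", b"TRANSFER 5000 to account 42", b"LOGOUT"]
    accepted = []
    for i, order in enumerate(orders):
        tx = workstation.send(order)       # the workstation's display shows the order as sent
        if i == drop_index:
            continue                       # bogus element discards it; no acknowledgment follows
        try:
            accepted.append(secure_computer.receive(tx))
        except ChainAlarm:
            break                          # alarm raised at the secure computer, not by the user
        workstation.receive(secure_computer.send(b"ACK " + order))   # chain runs both ways
    return accepted, secure_computer.alarms

def checksum_verifies_after_drop():
    """The per-transaction checksum of the order following a dropped one still verifies, so the
    checksum protocol alone cannot see the gap; only the chained token catches it."""
    key = b"\x11" * 32
    workstation = LogicAndControlUnit("workstation", key, b"n")
    workstation.send(b"dropped order")     # never delivered
    payload, chk, _ = workstation.send(b"next order")
    return hmac.compare_digest(checksum(key, payload), chk)

def forged_transaction_detected():
    """A transaction built without the session key fails at the secure computer immediately."""
    secure_computer = LogicAndControlUnit("secure computer", b"\x11" * 32, b"n")
    bogus = (b"TRANSFER 5000 to account 99", b"\x00" * 32, b"\x00" * 32)
    try:
        secure_computer.receive(bogus)
    except ChainAlarm:
        return secure_computer.alarms[0][0]
    return None
```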

Brief Description of ~he Drawin~s The operational enhancements and features of the present invention become more apparent from a consideration of the drawings and following detailed description.
Figure 1 is a diagram illustrating a typical departmental computing environment incorporating a local area network with a wide area network.

WO93t21581 PCT/~S93~0~72 13 ~9Jt ~ 6 Figure 2 is a diagram illustrating possible threats against the departmental computing environment.
Figure 3 is an o~erall simplified block diagram of a secure data processing system illustrating the Data ~:~
Enclave implementation.
Figure 4 is a simplified block diagram of the main data processing elements in the apparatus ~:
implementing the present invention.
Figure 5 is a simplified block diagram of the Workstation data processing elements using a Workstation configuration supporting coprocessor cryptography.
Figure 6 is a simplified block diagram of the Workstation data processing elements usin~ a Workstation -~
configuration supporting inline cryptography.
Figure 6a is a pictorial diagram of a personal keyi~g de~ice illustrating the appearance, features, and :-functions. ~-Figure 6b is a schematic diagram of the data -:
elements created and utilized for the protection of data in the present invention.
Figure 7 is a simplified block diagram illustrating the steps for the extraction of user da~a at the Workstation, implemented in the Media Initialization and Key Generation phase of Data Enclave :~
operation.
Figure 8 is a simplified block diagram illustrating the step for preparation and sending of a "Request Packet", implemen~ed in the Media Initialization and Key Generation phase of Data Enclave operation.
Figure 9 is a simplified block diagram illustrating the step for receipt of a "Request Packet"
at the Security Ser~er, implemented in the Nedia Initialization and Key Generation phase of Data Enclave operation.

WO93/21581 PCTtUS93/03472 & 14 Figure lO is a simplified block diagram illustrating the steps for the checking of user identity and the generation of a Media UID, implemented in the Nedia Initialization and Key Generation phase of Data S Enclave operation.
Figure ll is a -simplified block diagram illustrating the steps for Access Vector generation, implemented in the Media Initialization and Key -Generation phase of Data Enclave operation.
Figure 12 is a simplified block diagram illustrating the steps for "Key Packet~' generation and storage, implemented in the ~edia Initialization and Key - Generation phase of Data Enclave operation.
Figure 13 is a simplified block diagram illustrating the steps for Media UID and nKey Packet"
assignment, implemented in the Media Initialization and ~
Rey Generation phase of Data ~nclave operativn. _~ ;
Figure 14 is a simplified block diagram illustrating the steps for extracting identification 20 data and forming a Request, implemented in the Key ;~
Assignment phase of Data Enclave operation.
Figure 15 is a simplified block diagram illustrating the step for the encryption and transmission of a "Request Packetn, implemented in the Key Assignment phase of Data Enclave operation.
Figure 16 is a simplified block diagram illustrating the steps for the computation of an Access Vector, implemented in the Key Assignment phase of Data Encla~e operation.
Figure 17 is a simplified block diagram illustrating the steps for key generation, storage, and transmission, implemented in the Key Assignment phase of Data Enclave operation.
Figure 18 is a simplified block diagram illustrating the step for the transfer of the key to the personal keying device, implemented in the Key Assignment phase of Data Enclave operation.

WO93/21581 2 ~ pcr/usg3/o3472 Figure l9 is a simplified block diagram illustrating the steps for Media Key and Access vector extraction, implemented in the Keying of Devices phase --of Data Enclave operation.
Figure 20 is a simplified block diagram illustra~ing the steps for Media Key and Access Vector use, implemen~ed in the Keying of Devices phase of Data Enclave operation.
Figure 21 is a simplified block diagram illustrating the steps for the initialization of the authentication process, implemented in the Identification and Authentication phase of Trusted Path -~
operation.
Figure 22 is a simplified block diagram illustrating the step for the authentication of identity and the establishment of privileges, implemented in the Identification and Authentication phase of Trusted Path operation.
Figure 23 is 2 simplified block diagram illustrating the step ~or the preparation and transmission of the ~esponse Packet", implemented in the Identification and Authentication phase of Trusted Path operation.
Figure 24 is a simplified block diagram illustrating the step for the completion of the authentication sequence, implemented in the Identification and Authentication phase of Trusted Path operation.
Figure 25 is a simplified block diagram illustrating the steps for the initiation of a privileged operation, implemented in the Privileged Services phase of Trusted Path operation.
Figure 26 is a simplified block diagram illustrating the steps for the determination of privileges, implemented in the Privileged Services phase of Trusted Path operation.

WO93/21581 PCT/US93/0~72 Figure 27 is a simplified block diagram illustrating the step for the acknowledgment of privileges, implemented in the Privileged Services phase of Trusted Path ~peration.
Figure 28 is a simplified block diagram illustrating the step for the display of the ~;
acknowledgment, Lmplemented in the Privileged Services -phase of Trusted Path operation.
Figure 29 is a block diagram of a secure data processing system illustra~ing the Trusted Path implementation.
Figure 30 is a simplified block diagram showing the elements of the Trusted Path when Workstation Unit 102 is used only for authenticated communications between Workstation 131 and Secure Computer 104.
Figure 31 is a simplified block diagram showing the elements of the Trusted Path when Workstatio ~ nit 102 is used for protection of critical and sensitive data at Workstation 131 as well as authenticated communica~ions between Workstation 131 and Secure Computer 104.
Figure 32 is a simplified block diagram illustrating the internal logic of Cryptographic Units 112 and 142.
Figure 33 is a flow diagram detailing the steps used by the Authentication Token Exchange Protocol to "chain" together transactions of other protocols in Trusted Path operation.
Figure 34 is a pictorial diagram displaying the "
locations of the user-visible elements of the Trusted Review Protocol used in Trusted Path operation.
Figure 35 shows an alternate embodiment of the Data Enclave system.
Figure 36 shows the configuration for initializing fixed media according to the alternate embodiment of Figure 35.

Figure 37 shows the configuration for initializing removable media according to the alternate embodiment of Figure 35.

Detailed Description of the Invention

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration, specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
The term "logic" is used throughout the ensuing description with reference to the structure of various electronic components of the invention. The term is intended to have a broad meaning, and to encompass hardware implementations, software implementations, and combinations thereof.

Processing Elements

The present invention consists of processing elements and data elements. The interrelation of the processing elements is shown generally in Figures 3 and 4 (in part described above) and in more detail in Figures 5 and 6. The descriptions given below show cryptographic protection provided only to those distinguished transmissions required in the operation of the invention. In such a case, the elements of the invention are preferably arranged with regard to the Workstation 10 as shown in Figure 5.
If it is desired to protect all transmissions over the Local Area Network 12, e.g., to prevent wiretapping or other monitoring by unauthorized personnel, then the Crypto Media Controller 26 could be used to encipher and decipher all data going out over the Network 12. In this case, the elements of the invention could be arranged with regard to the Workstation 10 as shown in Figure 6.

Security Server

The Security Server 24, a secure computer, is a distinguished server that performs gateway and security functions at the interface between the Local Area Network 12 and the Wide Area Network 16. It also performs the key management and backup functions for the cryptography in the Enclave 20. The Security Server 24 can be implemented in the form of a secure computer, for example, as disclosed in U.S. Patent No. 4,621,321 to Boebert et al., entitled "Secure Data Processing System Architecture", 4,713,753 to Boebert et al., entitled "Secure Data Processing System Architecture with Format Control", and 4,701,840 to Boebert et al., entitled "Secure Data Processing System Architecture".

Personal Keying Device

Each user 5 is issued a Personal Keying Device 30. Personal Keying Devices 30 are used for key insertion and individual authentication. A Personal Keying Device 30 (shown in more detail in Figure 6a) preferably contains fixed or removable electronic storage and processor 32, a keypad 34, a display 36, and a data transfer interface 38 that can be either wired or wireless (e.g., radio, infrared) and is compatible with an interface 31 on a Crypto Media Controller 26. The Personal Keying Device 30 can be highly portable, e.g., pocket calculator size. Personal Keying Devices 30 may also be equipped with theft detection circuitry to prevent them from being physically removed from the enclave working area.

Crypto Media Controller

The standard media controller on each Workstation 10 is replaced with a Crypto Media Controller 26. Crypto Media Controllers 26 perform key management, media encryption and decryption, and authentication functions. A Crypto Media Controller 26 has the same interfaces as the standard media controllers, as well as a data transfer interface that is compatible with the one on the Personal Keying Device 30. The Crypto Media Controllers 26 can be the same size as the standard media controllers they replace.

Data Elements

The present invention also includes a variety of data elements, as described below and schematically represented in Figure 6b.

Enclave Key

There is one Enclave Key 40 per organization. It is held in protected storage in the Security Server 24 and the Crypto Media Controllers 26, and is used to protect Media Keys 42 when they are being transmitted along the LAN 12.

Media Key

There is one Media Key 42 assigned to each physical unit of the media, whether that unit is fixed 2 or removable 4. Assignment is done when the media is initialized at the Workstation 10. This key is used to protect the data on the Media 2 or 4.

Combined Keys

Combined Keys 44 are generated in the operation of the present invention from other data elements and keys.

Media Unique Identifier (Media UID)

Each physical unit of media, whether fixed 2 or removable 4, is assigned a Media Unique Identifier 46 (Media UID). This number is generated by the Security Server 24, and stored in whatever field the Media 2 or 4 software uses to identify physical units (e.g., Volume Label). The Media UID 46 is used to find the appropriate Media Key 42 in the Personal Keying Device 30, and to locate that data pertaining to the unit of media which is stored in the Security Server 24 (e.g., Media Attributes).

User Unique Identifier (User UID)

Each individual who has potential access to encrypted media is assigned a User Unique Identifier 48 (User UID) which is stored in that user's Personal Keying Device 30, encrypted with the Enclave Key 40. The User UID 48 forms part of the key used to protect Media Keys 42 in the Personal Keying Device 30, and is used to extract that data pertaining to the user 5 which is stored in the Security Server 24 (e.g., User Attributes).

Personal Identification Number (PIN)

Each user 5 is assigned a Personal Identification Number 50 (PIN), which is used to form part of the key that protects Media Keys 42 in the Personal Keying Device 30.

Access Vector

An Access Vector 52 is associated with each Media Key 42 stored in a Personal Keying Device 30. The Access Vector 52 is used to represent those possible conditions of access to the data enciphered with that Media Key 42 that may apply to the individual assigned to that Personal Keying Device 30.

Media Attributes

Media Attributes 54 are associated with each element of Media 2 or 4 to which a Media UID 46 has been assigned. Media Attributes 54 are used to represent the sensitivity or other security related information that may pertain to the data on that element of media.


User Attributes

A set of "User Attributes" 56 are associated with each user to which a User UID 48 has been assigned. User Attributes 56 are used to represent the privileges and other security related information which pertains to that user.

Device Attributes

Device Attributes 58 are assigned to each Crypto Media Controller 26, and reflect the Security Attributes 57 of the machine in which the Crypto Media Controller 26 is installed. Device Attributes 58 are combined with Access Vectors 52 to set limits on media access (e.g., read only). Device Attributes 58 are typically defined by the physical security measures which surround the Workstation 10 in which the Crypto Media Controller 26 is installed. For example, a Workstation 10 installed in an open environment may have Device Attributes 58 set to "Authorized to Process Public Data Only", whereas one in a closed engineering facility may have Device Attributes 58 set to "Authorized to Process Proprietary Engineering Data."

Requests

Requests 60 are transmitted back and forth between the Crypto Media Controller 26 and Security Server 24 in the course of operations which require cooperation between the two devices. Requests 60 contain a variety of information depending on the nature of the operation being performed as well as optional integrity fields such as cyclic redundancy checks or check sums.

Countersigns

The purpose of the Countersign 62 logic is to prevent malicious code in the Workstations 10 from masquerading as the Security Server 24, and thereby duping users 5 into taking inappropriate actions. Each time a user 5 is identified to the Security Server 24 (e.g., each new session), the Security Server 24 generates a "fresh" Countersign 62. Countersigns 62 are words, symbols, or phrases which are easy to remember and which are generated by some process which makes it computationally infeasible to guess from one Countersign 62 what the value of the next one will be. The Countersign 62 for a session is presented by the Security Server 24 as a header to each message it sends to the user 5 when communicating over a Trusted Path.
The present invention also provides a "Trusted Path." A Trusted Path is a logical communications path between a human user 5 and the Secure Computer 24 (Figure 3). A Trusted Path differs from other modes of communication in that there is a high degree of assurance on the part of both parties that the communication is authentic; that is, the human user is truly seeing what the secure computer intends the human user to see, and the secure computer is making decisions on the basis of precisely what the human user has transmitted to it.
The Countersign 62 is displayed to the user 5 on the Personal Keying Device 30 when the Trusted Path is in effect, is protected from the Workstations 10 and the communications media by cryptography, and is computationally infeasible to guess. Its presence on the display of the Personal Keying Device 30 is a positive indication to a user that the communication in which the user is engaged is taking place over a Trusted Path to the Security Server 24.
Countersigns 62 are arranged so that the logic in the Security Server 24 can, for any given Countersign 62, determine what the previous Countersign 62 in the sequence was. That is, given a Countersign 62, the Security Server 24 can compute or retrieve a correct value of the previous one, which is called the "last countersign" 62'.

The present invention makes use of cryptography to protect the data on Media 2 or 4 and uses an innovative method to distribute and protect the cryptographic keys in order to achieve security, flexibility, and ease of use. The same cryptographic services are used to prevent unauthorized access through the Wide Area Network 16, or the unauthorized use of privileged services.
As described in more detail below, protection of the data on Media 2 or 4 takes place in three broad phases. The first phase, which is done very infrequently, is media initialization and key assignment to the individual user 5 requesting the initialization. The second phase, which is also infrequently done, is the assignment of a key for already-initialized Media 2 or 4 to additional individuals. The third phase, which is done more frequently, is the keying of devices, so that access to the data may be made.

Media Initialization and Key Generation

The media initialization and key generation phase generates a Media Key 42 and an Access Vector 52 for a unit of Media 2 or 4 and places them in enciphered form in the Personal Keying Device 30 assigned to the individual requesting the initialization. This data is also archived in the Security Server 24 so that it may be restored at a later time.

Key Assignment

The key assignment phase assigns a Media Key/Access Vector pair, or combination, for an already-initialized unit of media to a new individual. The Media Key 42 will be a copy of the one generated when the unit of Media 2 or 4 was initialized. The Access Vector 52, since it depends on User Attributes 56 as well as Media Attributes 54, will be newly computed.

Keying of Devices

The keying of devices phase automatically extracts the proper Media Key/Access Vector combination from the Personal Keying Device 30, decrypts them and uses them to allow controlled access to the unit of Media 2 or 4. The Media Key/Access Vector combination is enciphered with a Combined Key 44 which includes the user's PIN 50. This restricts a particular Media Key/Access Vector combination to the individual to whom it was assigned.

Media Initialization and Key Generation

The operations in the Media Initialization and Key Generation Phase occur when a blank unit of Media 2 or 4 is to be prepared for safe use in the Enclave 20. This preparation involves initializing the Media 2 or 4, assigning a Media UID 46 to it, generating a Media Key 42 which is unique to that unit of media, and assigning a Media Key/Access Vector pair to the user 5 initializing the media.
The operations in this phase are keyed to the diagrams in Figure 7 through Figure 13. The logic used to implement the Trusted Path facilities is omitted from these diagrams.

Step 1 (Figure 7)
An individual brings together a blank unit of physical Media 2 or 4 and his or her Personal Keying Device 30 to a Workstation 10 which is equipped with a Crypto Media Controller 26 and attached to a Local Area Network 12. If the Media 4 is removable, this is done by carrying Media 4 and Personal Keying Device 30 to an appropriate Workstation 10. If the media is permanently installed (Fixed Media 2), Personal Keying Device 30 is brought to the Workstation containing the fixed media controlled by Crypto Media Controller 26, and the Workstation 10 is temporarily attached to the Local Area Network 12.


Step 2 (Figure 7)
The individual user 5 desiring access to Media 2 or 4 then enters his or her PIN 50 into Personal Keying Device 30, which transmits it to Crypto Media Controller 26, where it is stored for use in later steps.

Step 3 (Figure 7)
Crypto Media Controller 26 then extracts the encrypted User UID 48' from their Personal Keying Device 30, decrypts the User UID 48 using the Enclave Key 40, and stores it for use in later steps.

Step 4 (Figure 8)
Crypto Media Controller 26 forms a packet consisting of the PIN 50, the User UID 48, and a Request 60 for media initialization. The request field will include the nature of the request and appropriate supporting data such as the Security Attributes to be assigned to Media 2 or 4. Key Management Crypto 70 in Crypto Media Controller 26 enciphers it using the Enclave Key 40, and transmits it across the Local Area Network 12 to Security Server 24.

Step 5 (Figure 9)
Security Server 24 receives the encrypted packet 90, decrypts it using its copy of the Enclave Key 40, and stores the PIN 50, User UID 48, and Request 60 for use in later steps.

Step 6 (Figure 10)
Storage Search Logic 72 in Security Server 24 uses the User UID 48 to index User Attribute Data Base 80, which returns a pass value if the PIN 50 entered by the user 5 in Step 1 is the same as that stored in the data base, i.e., a valid PIN 50. User Attribute Data Base 80 returns a fail value if the PIN 50 entered by the user is invalid. A fail value will cause the initialization process to abort and a notification to be sent back to Crypto Media Controller 26, which will display it to the user 5 in an appropriate fashion. The abort sequence is not diagrammed in the figures.

Step 7 (Figure 10)
Storage Search Logic 72 extracts the Media Attributes 54 from the Request and commands Media Attribute Data Base 82 to make an entry for the new element of Media 2 or 4. Since Media Attribute Data Base 82 is indexed by the Media UID 46, this has the effect of creating a new Media UID 46 which is sent to Crypto Media Controller 26 and saved for use in later steps.

Step 8 (Figure 11)
Storage Search Logic 72 uses the User UID 48 to index User Attribute Data Base 80 and extract the set of Security Attributes 57 pertaining to this user, and passes these attributes to Security Policy Logic 86.

Step 9 (Figure 11)
Security Policy Logic 86 accepts the Media Attributes 54 and User Attributes 56, and, using a set of rules defined by the administrators of the facility, computes an Access Vector 52 which defines limits on the access this user 5 may have to this unit of Media 2 or 4. This computation may involve the intervention of administrative personnel to authorize or deny the granting of certain privileges.

Step 10 (Figure 12)
Key Management Crypto 70, with the optional aid of authorized individuals, then generates a Media Key 42 for this unit of Media 2 or 4. The manner of generation can involve computation, access to stored tables, requests for inputs from authorized individuals, or any combination thereof. Other methods of key generation may also be used. The Media Key 42 and Access Vector 52 pair 91 are enciphered with a Combined Key 44 consisting of the User UID 48, the user's PIN 50 and the Enclave Key 40.

Step 11 (Figure 12)
The enciphered packet is sent to Storage Search Logic 72 where the User UID 48 and Media UID 46 are used to store the enciphered packet 92 in Crypto Key Data Base 84. The Media UID and the enciphered packet 92 are transmitted along the LAN 12 to Crypto Media Controller 26.

Step 12 (Figure 13)
The Media UID 46 arrives at Crypto Media Controller 26 and is written to the appropriate location on Media 2 or 4 (e.g., Volume Label).

Step 13 (Figure 13)
The enciphered Media Key/Access Vector pair packet 92 arrives at Crypto Media Controller 26 and the Media UID 46 is used as an index to store the enciphered pair packet 92 in Personal Keying Device 30.

At this point the initialization process is complete. The media can be identified and the individual's Personal Keying Device 30 contains a Media Key 42 which can only be used by someone who has physical possession of that Personal Keying Device 30, knows that individual's PIN 50, and has the Media 2 or 4 controlled by a Crypto Media Controller 26 containing the Enclave Key 40. The individual's Personal Keying Device 30 also contains an Access Vector 52 which defines further restrictions on access in a manner that is specific to the individual who has physical possession of that Personal Keying Device 30 and knows that individual's PIN 50.

Key Assignment

The operations in the Key Assignment Phase of the invention occur when an already-initialized unit of Media 2 or 4 is to be shared with a user 5 other than the one who initialized it. In this case, the unit of Media 2 or 4 has a Media Key 42 generated for it, and a Media Key/Access Vector pair 91 has been assigned to the initial user of the unit of Media 2 or 4. The necessary steps are to copy the Media Key/Access Vector pair 91 to the new user 5. The operations in this description are keyed to the diagrams in Figure 14 through Figure 18. The logic used to implement the Trusted Path facilities is omitted from these diagrams.

Step 1 (Figure 14)
An individual brings together a unit of physical Media 2 or 4 and his or her Personal Keying Device 30 to a Workstation 10 which is equipped with Crypto Media Controller 26, and which is attached to the Local Area Network 12. If Media 2 or 4 is removable, this is done by carrying Media 4 and their Personal Keying Device 30 to an appropriate Workstation 10. If Media 2 or 4 is permanently installed (fixed media), Personal Keying Device 30 is brought to the computer containing the fixed Media 2 controlled by Crypto Media Controller 26.

Step 2 (Figure 14)
The individual desiring access to Media 2 or 4 then enters his or her PIN 50 into Personal Keying Device 30, which transmits it to Crypto Media Controller 26, where it is stored for use in later steps.

Step 3 (Figure 14)
Crypto Media Controller 26 then extracts the encrypted User UID 48 from Personal Keying Device 30, decrypts the User UID 48 using the Enclave Key 40 and stores it for use in later steps.

Step 4 (Figure 14)
Storage Search Logic 72 in Crypto Media Controller 26 then reads the Media UID 46 off Media 2 or 4 and searches Personal Keying Device 30 for a Media Key/Access Vector pair 91 for this unit of Media 2 or 4 for this user 5. Finding none, it generates a Request 60 for key assignment.
Step 5 (Figure 15)
Key Management Crypto 70 forms a request packet 94 consisting of the PIN 50, User UID 48, Media UID 46 and Request 60, encrypts it with the Enclave Key 40, and transmits it over the Local Area Network 12 to Security Server 24.

Step 6 (Figure 16)
Security Server 24 receives the encrypted packet 94, decrypts it using its copy of the Enclave Key 40, and stores the PIN 50, User UID 48, Media UID 46 and Request 60 for use in later steps.

Step 7 (Figure 16)
Storage Search Logic 72 in Security Server 24 uses the User UID 48 to index User Attribute Data Base 80. User Attribute Data Base 80 returns a pass value if the PIN 50 entered by the user 5 was the same as that stored in the data base (i.e., valid). User Attribute Data Base 80 returns a fail value if the PIN 50 entered by the user is invalid. A fail value will cause the assignment process to abort and a notification to be sent back to Crypto Media Controller 26, which will display it to the user in an appropriate fashion. The abort sequence is not diagrammed in the figures.

Step 8 (Figure 16)
The User UID 48 is used as an index into User Attribute Data Base 80 by Storage Search Logic 72, and the Security Attributes 57 of the user 5 requesting key assignment are extracted and passed to Security Policy Logic 86.

Step 9 (Figure 16)
The Media UID 46 is used as an index into Media Attribute Data Base 82 by Storage Search Logic 72, and the Security Attributes 57 of the denoted item of Media 2 or 4 are extracted and passed to the Security Policy Logic 86.

Step 10 (Figure 16)
Security Policy Logic 86 accepts these Attributes 57, and, using a set of rules defined by the administrators of the facility, computes an Access Vector 52 which defines limits on the access this user 5 may have to this unit of Media 2 or 4. This computation may involve the intervention of administrative personnel to authorize the granting or denying of certain privileges. This Access Vector 52 is saved for use in later steps.

Step 11 (Figure 17)
The Media UID 46 is used by Storage Search Logic 72 to find an enciphered key packet in Crypto Key Data Base 84 which has been previously stored and which contains a Media Key 42 for this unit of media. Since the Media 2 or 4 has been initialized and assigned a Media UID 46, at least one such packet must exist. Any such packet will suffice, since all packets pertaining to a given unit of Media 2 or 4 will contain the same Media Key 42. When such a packet is found, the Media Key 42 is extracted from it for use in later steps.

Step 12 (Figure 17)
A new Key Packet 93 is formed consisting of the Media Key 42, Access Vector 52, User UID 48, and Media UID 46 and placed in Crypto Key Data Base 84 for archival storage and retrieval.

Step 13 (Figure 17)
The Media Key and Access Vector pair 91 are enciphered with a Combined Key 44 consisting of the User UID 48, the user's PIN 50, and the Enclave Key 40, and the enciphered packet 92 is transmitted along the LAN 12 to Crypto Media Controller 26.

Step 14 (Figure 18)
The Media UID 46 is used as an index to store the enciphered Media Key/Access Vector pair 91 in Personal Keying Device 30.

At this point the new individual's Personal Keying Device 30 contains a Media Key 42 which can only be used by someone who has physical possession of that Personal Keying Device 30, knows that individual's PIN 50, and has the Media 2 or 4 controlled by a Crypto Media Controller 26 containing the Enclave Key 40. The individual's Personal Keying Device 30 also contains an Access Vector 52, which defines further restrictions on access in a manner that is specific to the individual who has physical possession of that Personal Keying Device 30 and knows that individual's PIN 50.

Keying of Devices

The operations in the Keying of Devices Phase occur when a Media Key/Access Vector pair 91 for a unit of Media 2 or 4 has been assigned to a user 5, and that user 5 wants to exercise the assigned accesses. The steps in this description are keyed to the diagrams in Figures 19 and 20. The logic used to implement the Trusted Path facilities is omitted from these diagrams.

Step 1 (Figure 19)
An individual user 5 establishes a data transfer interface between his or her Personal Keying Device 30 and any Crypto Media Controller 26 containing the Enclave Key 40, and between that Crypto Media Controller 26 and the Media 2 or 4 the individual user 5 desires to access. In the latter case, this will involve placing the unit of Media 4 into the appropriate device (e.g., diskette drive).

Step 2 (Figure 19)
The individual user 5 desiring access to Media 2 or 4 then enters his or her PIN 50 into Personal Keying Device 30, which transmits it to Crypto Media Controller 26, where it is stored for use in later steps.

Step 3 (Figure 19)
Storage Search Logic 72 in Crypto Media Controller 26 reads the Media 2 or 4 and extracts the Media UID 46.


Step 4 (Figure 19)
Using the Media UID 46, Storage Search Logic 72 searches Storage 78 in Personal Keying Device 30 and extracts the enciphered Media Key/Access Vector pair packet 92 and passes it to Key Management Crypto 70.

Step 5 (Figure 19)
The enciphered User UID 48' is fetched from Personal Keying Device 30 and deciphered using the Enclave Key 40.

Step 6 (Figure 19)
The User UID 48, PIN 50, and Enclave Key 40 are then combined to form the Combined Key 44 to decrypt the Media Key/Access Vector packet 92. The Media Key 42 is passed to Data Crypto 74, and the Access Vector 52 is passed to Access Control Logic 76.

Step 7 (Figure 20)
The Workstation 10's internal logic makes a request for data. That logic need not be aware the data is protected by cryptography. The request illustrated in the figure is a "read" request, but the handling of "write" requests is symmetric.

Step 8 (Figure 20)
Enciphered data 3' is then fetched from Media 2 or 4.

Step 9 (Figure 20)
Data Crypto 74 deciphers the data using the Media Key 42 and passes data 3 to the Access Control Logic 76.

Step 10 (Figure 20)
Access Control Logic 76 consults the Access Vector 52 and the Device Attributes 58 contained within itself and decides whether the desired mode of access ("read," "write," etc.) shall be permitted. If not, the data transfer is aborted and an error indication is sent to the Workstation 10.

At this point the data has been transferred to the Workstation 10 for processing. Removal of the Media 2 or 4 or the Personal Keying Device 30 from the Crypto Media Controller 26 will cause the complete reset of the Crypto Media Controller 26 and require that the keying process be started from the beginning.
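The three phases above (Media Initialization and Key Generation, Key Assignment, Keying of Devices) as one constructed Python model, added here and not the patent's own implementation: the Security Server 24 initializes media and assigns keys, and the Crypto Media Controller 26 keys the device and lets the Access Vector 52 and its Device Attributes 58 decide each access. The patent specifies neither a cipher nor how the Combined Key 44 is formed, so a SHA-256 keystream with an HMAC tag and an HMAC-based key combination are assumed; the clearance-versus-sensitivity policy rule, the clear-text Key Packet store and all class and function names are this model's own.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (the patent names no cipher): SHA-256 over key, nonce and a block counter.
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def encipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: fresh nonce, keystream XOR, HMAC-SHA256 tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decipher(key: bytes, packet: bytes) -> bytes:
    """Reverse of encipher; a wrong key fails the tag check instead of yielding garbage."""
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered packet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def combined_key(enclave_key: bytes, user_uid: bytes, pin: bytes) -> bytes:
    """Combined Key 44 (HMAC construction assumed): one User UID 48, PIN 50 and Enclave Key 40."""
    return hmac.new(enclave_key, user_uid + b"|" + pin, hashlib.sha256).digest()

class SecurityServer:
    # Security Server 24: User Attribute DB 80, Media Attribute DB 82 and Crypto Key DB 84.
    def __init__(self):
        self.enclave_key = os.urandom(32)  # Enclave Key 40, shared with every CMC 26
        self.user_db = {}                  # User UID 48 -> PIN 50 and (invented) clearance level
        self.media_db = {}                 # Media UID 46 -> (invented) sensitivity level
        self.key_db = []                   # Key Packets 93, kept in clear here for brevity

    def enroll_user(self, uid: bytes, pin: bytes, clearance: int) -> dict:
        self.user_db[uid] = {"pin": pin, "clearance": clearance}
        return {"uid_enc": encipher(self.enclave_key, uid), "packets": {}}  # the PKD 30 contents

    def _check_pin(self, uid: bytes, pin: bytes) -> None:  # abort on an invalid PIN 50
        if self.user_db.get(uid, {}).get("pin") != pin:
            raise PermissionError("invalid PIN: request aborted")

    def _pair_packet(self, uid: bytes, pin: bytes, media_key: bytes, media_uid: bytes) -> bytes:
        """Security Policy Logic 86 (invented rule), then the enciphered pair packet 92."""
        cleared = self.user_db[uid]["clearance"] >= self.media_db[media_uid]["sensitivity"]
        av = b"read,write" if cleared else b""  # Access Vector 52
        self.key_db.append((media_key, av, uid, media_uid))
        return encipher(combined_key(self.enclave_key, uid, pin), media_key + av)

    def initialize_media(self, uid: bytes, pin: bytes, sensitivity: int):
        """Media Initialization and Key Generation: returns (Media UID 46, packet 92)."""
        self._check_pin(uid, pin)
        media_uid = len(self.media_db).to_bytes(4, "big")  # new DB entry creates the Media UID
        self.media_db[media_uid] = {"sensitivity": sensitivity}
        return media_uid, self._pair_packet(uid, pin, os.urandom(32), media_uid)  # Media Key 42

    def assign_key(self, uid: bytes, pin: bytes, media_uid: bytes) -> bytes:
        """Key Assignment: copy of the existing Media Key 42, Access Vector 52 recomputed."""
        self._check_pin(uid, pin)
        media_key = next(k for k, _, _, m in self.key_db if m == media_uid)  # any packet suffices
        return self._pair_packet(uid, pin, media_key, media_uid)

class CryptoMediaController:
    # Crypto Media Controller 26 holding the Enclave Key 40 and Device Attributes 58.
    def __init__(self, enclave_key: bytes, device_attributes: set):
        self.enclave_key = enclave_key
        self.device_attributes = device_attributes  # modes this workstation may perform

    def key_device(self, pkd: dict, pin: bytes, media_uid: bytes):
        """Keying of Devices steps 3-6: recover Media Key 42 and Access Vector 52 from the PKD."""
        uid = decipher(self.enclave_key, pkd["uid_enc"])
        plain = decipher(combined_key(self.enclave_key, uid, pin), pkd["packets"][media_uid])
        media_key, av = plain[:32], plain[32:]  # Media Key 42 is a fixed 32 bytes here
        return media_key, set(av.decode().split(",")) - {""}

    def access(self, pkd: dict, pin: bytes, media: dict, mode: str):
        """Steps 7-10: deciphered data 3, or the error indication sent to the Workstation 10."""
        try:
            media_key, av = self.key_device(pkd, pin, media["uid"])
        except ValueError:
            return "error: keying failed (wrong PIN or packet not bound to this device)"
        if mode not in av or mode not in self.device_attributes:
            return "error: mode not permitted by Access Vector 52 and Device Attributes 58"
        return decipher(media_key, media["data"])

def demo() -> dict:
    """Constructed run: two users, one unit of media, and the failure cases the text describes."""
    server = SecurityServer()
    alice = server.enroll_user(b"alice", b"1234", clearance=3)
    bob = server.enroll_user(b"bob", b"9999", clearance=1)
    cmc = CryptoMediaController(server.enclave_key, {"read", "write"})
    read_only = CryptoMediaController(server.enclave_key, {"read"})
    media_uid, packet = server.initialize_media(b"alice", b"1234", sensitivity=2)
    alice["packets"][media_uid] = packet
    media_key, _ = cmc.key_device(alice, b"1234", media_uid)
    media = {"uid": media_uid, "data": encipher(media_key, b"design notes")}  # constructed content
    bob["packets"][media_uid] = server.assign_key(b"bob", b"9999", media_uid)
    return {"alice_read": cmc.access(alice, b"1234", media, "read"),
            "wrong_pin": cmc.access(alice, b"0000", media, "read"),
            "bob_denied": cmc.access(bob, b"9999", media, "read"),
            "write_at_readonly": read_only.access(alice, b"1234", media, "write")}
```

A wrong PIN never yields a usable Media Key: the Combined Key differs, so the tag check on packet 92 fails before any data is deciphered.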

Trusted Path Identification and Authorization

This phase of the operation involves the steps whereby a user 5 presents his or her identity to the Security Server 24 and has that identity authenticated and a set of privileges associated with the user 5 at the Security Server 24.
This operation is protected against forged identities and authentications, and so-called "replay" attacks in which malicious software in other Workstations 10 masquerades as the authentication mechanism, accepts identification and authorization data (such as passwords) from an unwitting user 5, and then passes that data to an unauthorized individual.
The operation is also protected against compromise of the authentication data in the Personal Keying Device 30. The invention uses the Countersign logic to effect this protection. It will be recalled that Countersigns 62 come in a sequence which is generated by the Security Server 24, but which is computationally infeasible for an outsider to guess. Thus, for each Countersign 62, the Security Server 24 (but no one else) can determine the value of Last Countersign 62'.
The Last Countersign 62' for a given user is stored in a distinguished location in that user's Personal Keying Device 30. At each identification and authentication interaction the Last Countersign 62' is extracted from the Personal Keying Device 30 and compared with the Last Countersign 62' independently generated or retrieved by the Security Server 24. If the two values are unequal then it is known that the identification and authentication process has been compromised and suitable alarms are raised.
The manner in which this mechanism operates can be made clear from an example. Assume that the sequence of Countersigns 62 is "A," "B," "C," etc. Further assume that a given user's Personal Keying Device 30 contains the Last Countersign 62' value "A". Since it is computationally infeasible for an attacker to guess this value, the attacker's recourse is to either steal the Personal Keying Device 30 or copy the data from it.
If the attacker steals the Personal Keying Device 30, then its absence will be noted and alarms will be raised. If the attacker copies the Last Countersign 62' and by some subterfuge succeeds in being authenticated as the legitimate user 5, then the identification and authentication process will update the Last Countersign 62' value in the spurious Personal Keying Device 30 to "B." When the legitimate user 5 attempts identification and authentication, the Last Countersign 62' in his or her Personal Keying Device 30 will still be at "A"; the difference will be noted by the Security Server 24 and alarms raised.
Thus, the copying and successful use of data from a Personal Keying Device 30 will enable a false identity to be presented to the Security Server 24 only until the time at which the legitimate user 5 attempts identification and authentication.
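The copied-device scenario just described, as a constructed Python model added here (not the patent's code): the Security Server 24 keeps each user's Last Countersign 62', advances the sequence on every successful login, and raises the alarm when the value presented by a Personal Keying Device 30 lags the stored one. The Countersign generator (an HMAC over a server secret, the User UID 48 and a counter, with a hex prefix standing in for the memorable word), the locking of the user record as the alarm response, and the omission of the Enclave Key 40 encryption of the transmitted fields are assumptions of this model.

```python
import hashlib
import hmac
import os

class SecurityServer:
    """Server side of the Countersign 62 / Last Countersign 62' check (constructed model)."""

    def __init__(self):
        self.secret = os.urandom(32)  # known only to the server: what makes the sequence unguessable
        self.user_db = {}             # User Attribute Data Base 80: uid -> PIN, index, last c/s, lock

    def _countersign(self, uid: bytes, index: int) -> str:
        # Assumed generator: HMAC over the secret, User UID and a counter; the 8-hex-digit prefix
        # stands in for the memorable word or phrase the text describes.
        return hmac.new(self.secret, uid + index.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:8]

    def enroll(self, uid: bytes, pin: bytes) -> dict:
        """Issue a Personal Keying Device 30 holding the initial Last Countersign 62'."""
        first =             self._countersign(uid, 0)
        self.user_db[uid] = {"pin": pin, "index": 0, "last_cs": first, "locked": False}
        return {"uid": uid, "last_cs": first}  # Enclave Key encryption of these fields omitted

    def authenticate(self, pkd: dict, pin: bytes) -> tuple:
        """Step 5: returns (Result 94, New C/S or None); advances the sequence on success."""
        rec = self.user_db.get(pkd["uid"])
        if rec is None or rec["locked"] or rec["pin"] != pin:
            return "Login Failed", None
        if not hmac.compare_digest(rec["last_cs"], pkd["last_cs"]):
            rec["locked"] = True  # assumed alarm response: no further logins until an admin clears it
            return "ALARM: Last Countersign mismatch, keying device data compromised", None
        rec["index"] += 1
        rec["last_cs"] = self._countersign(pkd["uid"], rec["index"])
        return "Login Successful", rec["last_cs"]

def login(server: SecurityServer, pkd: dict, pin: bytes) -> str:
    """Steps 6-7: on success the device stores New C/S as its Last Countersign 62' and shows it."""
    result, new_cs = server.authenticate(pkd, pin)
    if new_cs is not None:
        pkd["last_cs"] = new_cs
    return result

def demo(clone_logs_in_first: bool = True) -> list:
    """The copied-device scenario from the text: a clone of the PKD and the legitimate device."""
    server = SecurityServer()
    legit = server.enroll(b"alice", b"1234")
    clone = dict(legit)  # attacker's copy; both devices now hold the same Last Countersign ("A")
    first, second = (clone, legit) if clone_logs_in_first else (legit, clone)
    return [login(server, first, b"1234"),   # succeeds; server and that device move to "B"
            login(server, second, b"1234"),  # other device still at "A": mismatch, alarm
            login(server, clone, b"1234")]   # record locked: clone no longer useful
```

Whichever device logs in first, the second one presents a stale Last Countersign and the mismatch is detected at that login.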
The steps involved in this phase of the operation are keyed to the diagrams given in Figure 21 through Figure 24. The logic used in data protection is omitted from these diagrams.

Step 1 (Figure 21)
The User UID 48, encrypted with the Enclave Key 40 (48'), is extracted from the user's Personal Keying Device 30.

Step 2 (Figure 21)
The Last Countersign 62' (denoted "Old C/S" in Figure 21), encrypted with the Enclave Key 40, is extracted from the user's Personal Keying Device 30.

Step 3 (Figure 21)
The user 5 desiring access to operations on the Security Server 24 then enters his or her PIN 50 through the keyboard on the Personal Keying Device 30.

Step 4 (Figure 21)
The User UID 48' and Last Countersign 62' are decrypted, combined with the PIN 50, and re-encrypted with the Enclave Key 40 for transmission to the Security Server 24.

Step 5 (Figure 22)
The combined Last Countersign 62', PIN 50, and User UID 48 are decrypted using the Enclave Key 40 and passed to the Storage Search Logic 72. That logic searches the User Attributes Data Base 80 for the authentication record belonging to this user 5, compares the User UID/PIN combination 92 that was entered against the stored value, and checks the Last Countersign 62' from the Personal Keying Device 30 against the stored value from the previous identification and authentication interaction. Based on these checks the logic computes a Result 94 (e.g., "Login Successful," "Login Failed") and, in the case of successful identification, a set of privileges which that user may exercise in future interactions with the Security Server 24. Also in the case of successful identification, the next Countersign 62 in the sequence is generated, stored in the User Attribute Data Base 80 as the new Last Countersign 62' and saved for use in the next step. This value is denoted "New C/S" in the figures.

Step 6 (Figure 23)
The Result 94 and the updated Countersign 62 value are encrypted with the Enclave Key 40 and transmitted to the Crypto Media Controller 26.

Step 7 (Figure 24) The combined Result and updated Countersign 62 is decrypted. The updated Countersign 62 is encrypted with the Enclave Key 40 and stored in the user's Personal Keying Device 30 as the new value of Last Countersign 62'. The Countersign and result are displayed on the display portion of the Personal Keying Device 30.
At this point, the user has been authenticated to the Security Server 24 and assigned a set of Privileges 95, which may be invoked at a later time. The Security Server 24 has also displayed to the user 5 the Countersign 62 that it will use in the session to authenticate itself to the user.

Privileged Services
This phase of the operation involves a user 5, whose identity has already been presented to and authenticated by the Security Server 24, invoking a privileged operation by that Server 24. The user is identified to the Security Server 24 by the User UID 48. The Security Server 24 is authenticated to the user by the Countersign 62.
The steps involved in this phase of the operation are keyed to the diagrams given in Figure 25 to Figure 28. The logic used in data protection is omitted from these diagrams.
Step 1 (Figure 25) The user 5 signals his or her desire to invoke a privileged operation by an appropriate entry in the keyboard 34 of the Personal Keying Device 30. This entry is shown as "ATTN" in the Figures. The User UID 48 is then extracted from the Personal Keying Device 30.
Step 2 (Figure 25) The combination of the "ATTN" signal and the User UID 48 is encrypted with the Enclave Key 40 and transmitted to the Security Server 24.
Step 3 (Figure 26) The combination of the "ATTN" signal and the User UID 48 is decrypted using the Enclave Key 40.
Step 4 (Figure 26) The User UID 48 is transferred to the Storage Search Logic 72 and the "ATTN" signal is transferred to the Privileged Operation Logic 73.
Step 5 (Figure 26) The Storage Search Logic 72 then extracts the user's Privileges 95 from the User Attribute Data Base 80 and passes them to the Privileged Operation Logic 73.
Step 6 (Figure 27) The Storage Search Logic 72 extracts the Countersign 62 from the User Attribute Data Base 80 and passes it to the Key Management Crypto 70, which encrypts it with the Enclave Key 40 and transmits it to the Crypto Media Controller 26, which initiated the request.
Step 7 (Figure 28) The Crypto Media Controller 26 decrypts the Countersign 62 and causes it to be displayed on the Personal Keying Device 30.
At this point, both the user and the Security Server 24 are aware, in authenticated fashion, that a privileged operation is to be invoked. The invocation of the operation, which may involve multiple interactions, can then proceed. The operation is terminated by a series of steps which is symmetric to those presented above.
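As an added example that is not part of the patent, the following Python models the Security Server's storage search logic for the identification and authentication steps (Figures 21-24) and the "ATTN" privileged-services exchange (Figures 25-28), including the rejection of a wrong PIN and of a stale Last Countersign presented by a cloned device. The countersign-sequence generator, the stored form of the UID/PIN combination, and all names and values are constructed stand-ins; encryption under the Enclave Key 40 is omitted here, as it is in the patent's figures.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Stand-in seed from which the Security Server derives each user's countersign
# sequence; the patent leaves the generation method open (constructed value).
SERVER_SECRET = b"constructed-security-server-secret"


def next_countersign(previous: str, uid: str) -> str:
    """Next Countersign 62 in a user's sequence.  Stand-in: keyed hash of the previous
    value, rendered as six digits so it fits the Personal Keying Device display."""
    digest = hmac.new(SERVER_SECRET, f"{uid}:{previous}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def uid_pin_digest(uid: str, pin: str) -> str:
    """Stored form of the User UID/PIN combination 92 (stand-in: SHA-256 of both)."""
    return hashlib.sha256(f"{uid}/{pin}".encode()).hexdigest()


class SecurityServer:
    """Security Server 24: Storage Search Logic 72 over User Attributes Data Base 80."""

    def __init__(self) -> None:
        self.db: Dict[str, dict] = {}  # User UID 48 -> authentication record

    def enroll(self, uid: str, pin: str, privileges: Set[str]) -> str:
        """Create the record; returns the first countersign loaded into the user's device."""
        first = next_countersign("", uid)
        self.db[uid] = {"uid_pin": uid_pin_digest(uid, pin), "last_cs": first,
                        "privileges": set(privileges), "authenticated": False}
        return first

    def identify(self, uid: str, pin: str, old_cs: str) -> Tuple[str, Optional[str], Set[str]]:
        """Step 5 (Figure 22): check UID/PIN and Old C/S, compute Result 94, then generate
        and store the New C/S.  Returns (Result 94, New C/S, Privileges 95)."""
        rec = self.db.get(uid)
        ok = (rec is not None
              and hmac.compare_digest(rec["uid_pin"], uid_pin_digest(uid, pin))
              and hmac.compare_digest(rec["last_cs"], old_cs))
        if not ok:
            return "Login Failed", None, set()
        rec["last_cs"] = next_countersign(old_cs, uid)
        rec["authenticated"] = True
        return "Login Successful", rec["last_cs"], set(rec["privileges"])

    def privileged_request(self, uid: str) -> Tuple[Set[str], Optional[str]]:
        """Steps 4-6 (Figures 26-27): on "ATTN", hand Privileges 95 to the Privileged
        Operation Logic 73 and return the Countersign 62 for display to the user."""
        rec = self.db.get(uid)
        if rec is None or not rec["authenticated"]:
            return set(), None
        return set(rec["privileges"]), rec["last_cs"]


class PersonalKeyingDevice:
    """Personal Keying Device 30 holding User UID 48 and Last Countersign 62'."""

    def __init__(self, uid: str, countersign: str) -> None:
        self.uid = uid
        self.last_cs = countersign
        self.display = ""

    def login(self, server: SecurityServer, pin: str) -> str:
        """Steps 1-4 and 7: present UID, Old C/S and PIN; store and display the New C/S."""
        result, new_cs, _privileges = server.identify(self.uid, pin, self.last_cs)
        if new_cs is not None:
            self.last_cs = new_cs
        self.display = f"{result} {new_cs or ''}".strip()
        return result

    def attn(self, server: SecurityServer) -> Optional[str]:
        """Steps 1 and 7 (Figures 25 and 28): send "ATTN", display the returned countersign."""
        _privileges, countersign = server.privileged_request(self.uid)
        self.display = countersign or "No countersign"
        return countersign


def scenario() -> Dict[str, object]:
    """Both phases plus two rejections, on constructed data."""
    server = SecurityServer()
    first_cs = server.enroll("user-5", "2468", {"read-media", "init-media"})
    device = PersonalKeyingDevice("user-5", first_cs)
    stolen_copy = PersonalKeyingDevice("user-5", first_cs)  # cloned before the login

    login = device.login(server, "2468")
    shown_at_login = device.last_cs            # C/S the server will show during the session
    bad_pin = device.login(server, "0000")      # wrong PIN: rejected, device keeps its C/S
    replay = stolen_copy.login(server, "2468")  # stale Old C/S: rejected by the C/S check
    attn_cs = device.attn(server)               # server authenticates itself to the user
    return {"login": login, "bad_pin": bad_pin, "replay": replay,
            "server_authenticated": attn_cs == shown_at_login}
```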
An alternate, preferred embodiment of the Trusted Path is described further below, with reference to Figures 29 - 34. The Trusted Path phase of the Data Enclave process is preferably implemented using the relevant aspects of this alternate embodiment. These aspects include Identification and Authentication, Trusted Command Initiation (Privileged Services) and Key Management.

ADVANTAGES OVER PRIOR ART
The Data Enclave System of the present invention provides a number of advantages over the prior art, as outlined below.
Security
The data enclave invention offers comprehensive security to the data within the Enclave 20; there are no "sneak paths" or "holes" that exist in approaches where the data is protected on media but the Wide Area Network 16 connections are open, or vice versa.
The invention minimizes the damage that can be done by privileged individuals who become subverted. Cryptographic keys are transmitted and stored entirely in enciphered form. Well-known techniques (so-called "antitamper" technology) can be used to protect the Enclave Key when it is stored in the Crypto Media Controllers 26 and the Security Server 24. Theft of elements of the invention such as the Personal Keying Device 30 and the Crypto Media Controllers 26 does not compromise any part of the operation of the invention.

Low Cost
The invention uses a small number of special elements in a wide variety of ways. Maximum use is made of the cryptographic devices, which are typically the most expensive parts of a data security device. The same devices are used for media protection and authenticated interactions with the Security Server.

Ease of Use
Individuals desiring access to media have to deal with the Security Server only when media is initialized. "Unlocking" a unit of media requires an operation no more complicated than using a TV remote control. Overhead and delay are concentrated at the time a media is "unlocked" and no delays or incompatibilities are introduced during operations using the media.

Identification and authentication of users to the Security Server 24 is both simpler and more robust than prior art such as passwords. The same basic steps are used for security operations dealing with media and dealing with the Security Server 24.
Exceptional or emergency situations can be accommodated. A trusted command initiation can override a security policy enforced by the Security Server 24 and release data to persons who would normally be unauthorized to access it.

Flexible Control of Media
In the data protection area, the system associates Media 2 or 4 primarily with users and secondarily with machines. This is a more natural structure than one where Media 2 or 4 is only useable on a single machine.
The access control logic, which computes allowed access at the last possible moment using the combination of an individual's Access Vector 52 and the Device Attributes 58 assigned to a particular Workstation, can be used to enforce a variety of security policies. For example, an individual's access to data may be restricted not only on the basis of the individual's attributes, but also to protected physical locations. Thus, an individual's Access Vector 52 may grant "read" access to a unit of media which contains proprietary engineering data, but the comparison against the Device Attributes 58 of the Crypto Media Controller 26 making the access may restrict display of the contents of the unit of media to those machines inside a particular facility or office. Physical security measures can then be used to restrict who may be in the vicinity when the data is displayed. Prior art in this area permits only an "all or nothing" approach to access.

Sharing and Backup of Media
An individual's access to an initialized media can be restored, or a second individual granted access, by bringing together the media, the requisite Personal Keying Device 30, and a Workstation 10 equipped with a Crypto Media Controller 26 that is keyed with the appropriate Enclave Key.

Positive Control of Privileged Operations
Remotely invoked privileged operations at the Security Server 24 are under the positive control of the user 5. That control is cryptographically protected and mutually authenticated.

As also stated in the "Background of the Invention," the Trusted Path can be used independently of the Data Enclave. Described below is a preferred embodiment of a Trusted Path that is preferably used to implement the Trusted Path operations of the Data Enclave, but which has utility independent of the Data Enclave invention. The Trusted Path of this embodiment can be used for security-relevant interactions between a human user and secure computer, which fall into four broad classes:
1. Identification and Authentication
2. Trusted Command Initiation (privileged services)
3. Trusted Review
4. Key Management

General Arrangement
A general arrangement of the Trusted Path is shown in Figure 29. This arrangement consists of four subsystems: Personal Unit 101, Workstation Unit 102, Untrusted Communications System 103, and part of Secure Computer 104. Personal Unit 101 communicates directly with Workstation Unit 102. Workstation Unit 102 communicates with Secure Computer 104 over Untrusted Communications System 103. It is the elements of Untrusted Communications Systems 103 which are the source of the various threats to secure operation.
Personal Unit 101, Workstation Unit 102, Communications Subsystem 103 and Secure Computer 104 correspond in arrangement and at least general function to the Personal Keying Device 30, Workstation 10, Networks 12 (and 16), and Security Server 24 of the Data Enclave 20, respectively.

Detailed Arrangement
Workstation Without Encryption
The Trusted Path comes in two forms, Workstations 102 without encryption and Workstations 102 with encryption. The first form of the Trusted Path is for use with Workstations 102 that do not have a cryptographic unit, such as a Crypto Media Controller, installed. In such Workstations 102 the key management function is not necessary. This form of the Trusted Path is illustrated in Figure 30.

Personal Unit
Personal Unit 101 serves three purposes:
(1) It serves to identify a human user and the Workstation used by that human user to Secure Computer 104.
(2) It is used by the human user to verify that precisely those commands given by the human user to Secure Computer 104 are being executed by it, without tampering or modification by Untrusted Communications System 103.
(3) It is used by the human user to verify that critical and sensitive data in Secure Computer 104 is being displayed to the human user by Untrusted Communications System 103 without tampering or modification.

The human user 5 interacts with Personal Unit 101 by means of Display 113 and Keyboard 114. Interactions are controlled by Logic and Control Unit 111. Personal Unit 101 uses Communication Unit 118 to transmit and receive data to and from Communication Unit 128 in Workstation Unit 102. Communications can be by means of wire, radio, fiber optics, infrared, or any other medium capable of handling digital values. There are three areas of data storage in Personal Unit 101:
(1) User Identifier 115 is a number which is uniquely assigned to each human user. The number can be stored in its entirety in User Identifier 115, or split between that storage and a value which is entered by the human user upon demand, i.e., a so-called Personal Identification Number or PIN.
(2) Cryptographic Key Storage 116 is used to hold the keys used by Cryptographic Unit 112 to generate keystream. These keys are selected and loaded into Cryptographic Key Storage 116 when an instance of Personal Unit 101 is assigned to a human user.
(3) Authentication Token Storage 117 is used in the Authentication Token Exchange Protocol, which is a unique feature of the Trusted Path. The working of this protocol is described later.

Cryptographic Unit 112 must be logically compatible with Cryptographic Unit 142 in Secure Computer 104; that is, given proper keying, it must be possible for one to decipher data which has been enciphered on the other.
Personal Unit 101 is envisioned as being implemented by means which enable trust to be placed in it, and packaged in a manner which resists tampering or undetected modification. It is also envisioned to be implemented in a manner which enables it to be readily carried upon the person when not in use.

Workstation Unit
Workstation Unit 102 serves two purposes:
1. To identify a specific Workstation to Secure Computer 104.
2. To logically connect Personal Unit 101 with Untrusted Communications System 103.

Logic and Control Unit 121 controls Communications Unit 128 and accesses Workstation Identifier 125 when required. Workstation Identifier 125 is either a fixed value or is set by some mechanical means from the outside of Workstation Unit 102. It is envisioned that Workstation Unit 102, in this form, is implemented in a manner which enables it to be readily attached to external data ports of existing Workstations (e.g., RS232 data port or so-called "games ports").
Workstation Unit 102 is envisioned as being implemented by means which enable trust to be placed in it, and packaged in a manner which resists tampering or undetected modification. It is also envisioned as being packaged in a manner which permits rapid and reliable determination that it is properly attached to a designated Workstation.

Untrusted Communications System
Untrusted Communications System 103 consists of two logical parts: Workstation 131 and Network 132.
Workstation 131 is a conventional workstation, personal computer, desk-top, lap-top, or palm-top computer with an external data port to which Workstation Unit 102 can be attached, and software which enables data to be passed between Workstation Unit 102 and Network 132.
Network 132 is any combination of local and/or wide area networks operating in conjunction with zero or more direct connections to form a data path between Workstation Unit 102 and Secure Computer 104.

Secure Computer
Security Kernel 143 controls access to Critical and Sensitive Data 144 according to a predefined security policy (e.g., based on clearances and classifications or notions of intellectual property or privacy). Logic and Control Unit 141 is a distinguished subsystem of Secure Computer 104 which controls the interaction between Security Kernel 143 and Communication Unit 148. Such subsystems are sometimes called "terminal drivers", "device controllers", or "front-end processors".
Logic and Control Unit 141 is enhanced with Cryptographic Unit 142 and the Authentication Token Exchange Protocol which is described later.
Cryptographic Key Storage 146 is used to hold the cryptographic keys required for the operation of Cryptographic Unit 142. Cryptographic Unit 142 must be logically compatible with Cryptographic Unit 112 in Personal Unit 101; that is, given proper keying, it must be possible to decipher data which has been enciphered on the other.
Security Kernel 143 is enhanced to perform the functions of Identification and Authentication, Trusted Command Initiation, and Trusted Review.

Workstations with Encryption
The second form of the Trusted Path is for use in Workstations 102 which have a cryptographic unit installed, and where the Trusted Path facilities are used to authenticate the movement of cryptographic keys from the Secure Computer 104 to the Workstation Unit 102. All operations supported in the previously described form are supported as well. This form of the Trusted Path is illustrated in Figure 31.

The only difference in Personal Unit 101 in this form of the Trusted Path is that Cryptographic Key Storage 116 is expanded to hold cryptographic keys which are destined for Cryptographic Unit 122 in Workstation Unit 112.
All of the previous functions of Workstation Unit 102 are supported. In addition, Cryptographic Unit 122 is provided to protect Critical and Sensitive Data 144 resident on fixed and removable media from theft, tampering, or unauthorized access. Cryptographic Unit 122 may or may not be physically or logically identical with Cryptographic Units 112 and 142. The basic functions and operation of Workstation 102 are as described earlier.
Untrusted Communications System 103 is unchanged from the previous form.
All previous functions of Secure Computer 104 are retained and Security Kernel 143 is enhanced to perform the additional functions of Workstation Key Management as described earlier.

General Operation of Trusted Path
Following is a description of the operation of the Trusted Path. A general, overview description of the protocols is given first, followed by a detailed description of the Trusted Path operation and the significance of the protocols.
Any physical communications protocols which are appropriate for the media connecting Communications Units 118 and 128, Communications Unit 128 and Workstation 131, and Network 132 and Communications Unit 148 can be used in the operation of the invention.

Authentication Token Exchange Protocol
The Authentication Token Exchange Protocol is an end-to-end authentication protocol which is used to assure Logic and Control Unit 111 is interacting with an authentic Logic and Control Unit 141 and vice versa. The protocol operates by "chaining" transactions together in such a fashion that a forged transaction that is entered into the interaction will be detected the very next time a legitimate transaction is received by Logic and Control Unit 141. The Authentication Token Exchange Protocol is described in detail later.

Cryptographic Checksum Protocol
The Cryptographic Checksum Protocol is an additional protocol which is used to assure transactions between Logic and Control Units have not been tampered with. The Cryptographic Checksum Protocol differs from the Authentication Token Exchange Protocol in that it authenticates single transactions rather than sequences of transactions. Any cryptographic checksum or digital signature algorithm which meets reasonable standards of cryptographic strength can be used in the present invention.
Identification and Authentication Protocol
The Identification and Authentication Protocol is invoked when a user wishes to interact with Secure Computer 104 for some period of time, using the keyboard and display of Workstation 131 and the communications facilities of Network 132. The period of interaction is commonly called a session, the act of initiating a session is commonly called logon, and that of terminating one is commonly called logout. In addition, the Identification and Authentication Protocol may be restarted by Secure Computer 104 when the user requests some critical operation be performed.
The general operation of the Identification and Authentication Protocol, given with general reference to Figures 30-33, is as follows:


Step 1 The user establishes a physical communications link between Personal Unit 101 and Workstation Unit 102. If the communications media is wired, this will involve connecting the two units. If it is wireless, it will involve placing the units in proper physical proximity.
Step 2 The user presses an attention key on Personal Unit 101 and optionally enters a Personal Identification Number. Personal Unit 101 obtains Workstation Identifier 125 from Workstation Unit 102, constructs an Identification and Authentication Transaction, and causes it to be transmitted to Secure Computer 104.
Step 3 Secure Computer 104 verifies that this is an authentic Identification and Authentication Transaction and begins a new session or other interaction with the user.
Step 4 Secure Computer 104 constructs an Acknowledgment Transaction and causes it to be sent to Personal Unit 101.
Step 5 Personal Unit 101 verifies that this is an authentic Acknowledgment Transaction and displays this fact to the user.
Individual transactions in the Identification and Authentication Protocol are authenticated by the Cryptographic Checksum Protocol. The fact that a given Identification and Authentication transaction is occurring in the proper context is authenticated by the Authentication Token Exchange Protocol. The Identification and Authentication Protocol is described in detail later.
Trusted Command Protocol
The Trusted Command Protocol is invoked when a user wishes to exercise some privilege or cause Secure Computer 104 to perform some security-relevant operation. The general operation of the Trusted Command Protocol, given with general reference to Figures 30-33, is as follows:
Step 1 The user, operating in conjunction with software in Workstation 131, selects the desired command from a menu of possible commands. Selection can be by means of a keyboard, mouse, or other input device that is part of the normal operation of Workstation 131.
Step 2 The software in Workstation 131 transmits the selected command to Personal Unit 101.
Step 3 Personal Unit 101 displays the selected command to the user.
Step 4 The user verifies that the displayed command is that which he or she selected and so signifies on the keyboard of Personal Unit 101.
Step 5 Personal Unit 101 constructs a Trusted Command Transaction and causes it to be transmitted to Secure Computer 104.
Step 6 Secure Computer 104 verifies that this is an authentic Trusted Command Transaction, executes the appropriate command, constructs an Acknowledgment Transaction and displays this fact to the user.
Step 7 Personal Unit 101 verifies that this is an authentic Acknowledgment Transaction and displays this fact to the user.
Individual transactions in the Trusted Command Protocol are authenticated by the Cryptographic Checksum Protocol. The fact that a given Trusted Command Transaction is occurring in the proper context is authenticated by the Authentication Token Exchange Protocol. The Trusted Command Protocol is described in detail later.

Trusted Review Protocol
The Trusted Review Protocol is used when a user wishes to be assured that an element of critical and sensitive data displayed on Workstation 131 is an accurate and proper representation of the critical and sensitive data as stored in Secure Computer 104. The general operation of the Trusted Review Protocol, given with general reference to Figures 30 - 33, is as follows:
Step 1 The user causes the relevant element of critical and sensitive data to be transmitted from Secure Computer 104 and displayed on Workstation 131.
Step 2 By means of software in Workstation 131, the user selects the portion of critical and sensitive data whose representation is to be verified.
Step 3 Software in Workstation 131 transmits the boundaries of the selected portion to Secure Computer 104.
Step 4 Secure Computer 104 extracts the critical and sensitive data which resides within the selected boundaries, places it in one or more Trusted Review Transactions, and causes it to be transmitted to Personal Unit 101.
Step 5 Personal Unit 101 verifies the authenticity of the Trusted Review Transactions and displays the selected portion of critical and sensitive data on its own display.


Step 6 The user verifies that the values displayed on Personal Unit 101 are identical to those displayed on Workstation 131 and acknowledges this fact using the keyboard of Personal Unit 101.
Step 7 Personal Unit 101 sends an Acknowledgment Transaction to Secure Computer 104.
Individual transactions in the Trusted Review Protocol are authenticated by the Cryptographic Checksum Protocol. The fact that a given Trusted Review Transaction is occurring in the proper context is authenticated by the Authentication Token Exchange Protocol. The Trusted Review Protocol is described in detail later.

Workstation Key Management Protocol
The Workstation Key Management Protocol is a form of the Trusted Command Protocol and is used in the form of the present invention where the critical and sensitive data stored on the individual Workstations is to be protected by cryptography, as for example, in the Data Enclave System 20 described above. The Workstation Key Management Protocol is used to provide authenticated distribution of cryptographic keys from Secure Computer 104 to individual Workstation Units 102. The general operation of the protocol, given with general reference to Figures 30 - 33, is as follows:
Step 1 The user approaches the selected Workstation and initiates the Identification and Authentication Protocol.
Step 2 Workstation Unit 102 identifies the unit of media for which a cryptographic key is required and transmits this identification to Personal Unit 101. The identification is based on the "volume identifier" or other unique designator which is carried on the media. If the media has not been initialized, this information is transmitted to Personal Unit 101.
Step 3 Personal Unit 101 constructs a Key Request Transaction and causes it to be transmitted through Workstation Unit 102 and Subsystem 103 to Secure Computer 104.
Step 4 Secure Computer 104 verifies that this is an authentic Key Request Transaction, selects the appropriate key from a database kept as critical and sensitive data, or creates a new key in the case of uninitialized media, and causes the key to be transmitted to Personal Unit 101.
Step 5 Personal Unit 101 verifies that this is an authentic key, transmits it to the proper Workstation Unit 102, and displays the successful completion of the keying process to the user.
Cryptographic keys are protected during transmission by being enciphered in a Key Encryption Key, for example (Enclave Key 40), which is loaded into each Workstation Unit 102 when they are installed.
Individual transactions in the Workstation Key Management Protocol are authenticated by the Cryptographic Checksum Protocol. The fact that a given Key Management Transaction is occurring in the proper context is authenticated by the Authentication Token Exchange Protocol.
Thus, the Key Generation and Assignment protocols described with respect to Data Enclave 20 operate substantially the same as the Key Management Protocol with the exception that, in the Key Management Protocol, all interactions between the secure computer and the Workstation are validated by the Authentication Token Exchange Protocol and users are identified using the Identification and Authentication Protocol.

DETAILED OPERATION OF TRUSTED PATH
Those operations which are individually unique to the present invention are described in detail. These are the Authentication Token Exchange Protocol, the Identification and Authentication Protocol, the Trusted Command Protocol, the Trusted Review Protocol, and the Workstation Key Management Protocol.

Authentication Token Exchange Protocol
The Authentication Token Exchange Protocol makes use of two pseudo-random sequences of numbers: a Synchronized Keystream and an Authentication Token Sequence.

Synchronized Keystreams
Synchronized Keystreams are produced by Cryptographic Units 112 and 142. The logic of these units is shown in Figure 32. The actual keystreams are produced by algorithms in Keystream Generators 201 and 221. The sequence of numbers (called "Keystream Elements") in the keystream is a function of the cryptographic key kept in Cryptographic Key Buffers 202 and 222. The manner in which the keystream is generated may differ between the two units, but the resulting keystreams must be identical for the protocol to operate. In particular, a large, precomputed keystream sequence may be stored in Cryptographic Key Buffer 202 or 222 and simply copied by the respective Keystream Generator 201 or 221. (This technique is sometimes called a "one-time pad.") Alternatively, a much shorter cryptographic key may be used to "seed" the mechanism in Keystream Generator 201 or 221, and the keystream produced in small quantities as required.
A low-level synchronization protocol is required to handle cases when transmission errors or other difficulties cause the keystreams to lose synchronization. Such protocols make use of well-known techniques and are not described here.
Encryption is effected by combining the keystream with the data in Combining/Decombining Units 203 and 223. These units may use methods such as "exclusive OR," modular addition, or other well-known techniques. Decryption is effected by performing the inverse operation using identical keystream values. It is required for operation of the present invention that not only are the keystreams in Cryptographic Units 112 and 142 identical and synchronized, but that the techniques used for combining keystream with data be identical.
Authentication Token Sequence
The Authentication Token Sequence is produced inside Secure Computer 104 by Authentication Token Generator 147 (Figures 30 and 31). The Authentication Tokens are generated in some fashion that makes it computationally infeasible to predict what the value of the next token in the sequence should be, based on the value of the given token. The nature of the Authentication Token Exchange Protocol is such that no synchronization of the sequence with any other unit is required. Authentication Token Generator 147 also maintains a history file of Authentication Tokens for some preset interval. This history is used to differentiate masquerade attempts from alarms caused by faulty transmission or equipment failures. There is one Authentication Token Sequence for each user or other distinguished operating entity.

Authentication Token Exchange Protocol
The steps used by the Authentication Token Exchange Protocol to "chain" together transactions of other protocols are shown in Figure 33. The steps described below are keyed to that figure. Note that this protocol is for the generation and validation of tokens which appear as data fields in the transactions of other protocols. The description of each step that follows is also referenced to Figures 30 - 32.

Step 1 The initial state of a protocol cyc~e is one in which Personal Unit 101 con~ains a value from some previous transaction and Secure Computer 104 is preparing to initiate a new transaction~ The Authentication Token Sequence has just generated Token Number m, and the Synchronized Keystream Sequences have just produced Keystre~m Element n. In such a ~ase, the 15 Authentication Token Storage 117 will contain a value -which is the result of enciphering Token m with - Keystream Element n. ~eystream Generators 201 and 221 will be ready to generate Keystream Element n+l, and Authentication Token Generator 147 will be ready to 20 generate Token m~l. -Step 2 A single cycle of the Authentication Token Exchange Protocol is initiated when some transaction is to be sent from Secure Computer 104 to Personal Unit 101. In this case, Logic and Control Unit 141 commands Authentication Tok~n Generator 147 to generate a token (in this case m~l) and commands Cryptographic Unit 142 to encipher it (in ~his case, with Keystream Element n+l~. The enciphered token is then transmitted to Personal Unit lO1 as a data field in a transaction ~ecord. Arrival of the transaction causes Personal Unit lOl to perform the next step in the cycle.
Step 3 Logic and Control Unit 111 causes the value stored in Authentication Token Storage 117 to be deciphered by Cryptographic Unit 112 using Keystream Element n; this yields the true value of Token m. Logic WO93/21581 PCT/US93/0~72 and Con~rol Unit 111 then immediately commands Cryptographic ~nit 112 to re-encipher Token m using Keystream Element n+2. The enciphered value is then returned to Secure Computer 104 in whatever transaction is used to ~echo~ or acknowledge the transaction sent from Secure Computer 104 to Personal Unit 101 in Step 2.
SteP 4 Logic and Control Unit 141 then causes the incoming enciphered value to be deciphered by Cryptographic Unit 142 using Keystream Element n~2.
This yields the value of the putative Token m which has cycled from Secure Computer 104 to Personal Un,t 101 and back again.
Step 5 The putative Token m value is then compared by Logic and Control Unit 141 with the value that has been retained by Authentication Token Generator 147.-~If the values are the same, the Logic and Control Unit 141 is j assured that the incoming transaction was properly ! 20 "chainedn to an outgoing one and is not erroneous or forged. If the values are not the same, Logic and Control Unit 141 invokes the low-level synchronization protocol to cause retransmit of the records. If some preset number of transmissions fails to yield an authenticated "chaining" then the Logic and Control Unit 141 raises an alarm.
Step 6 Simultaneously with Step 5, Logic and Control Unit 111 in Personal Unit 101 updates Authentication Token Storage 117 with the new value, which is Token m+1 enciphered with Keystream Element n+1. At this point the protocol cycle has completed and the protocol is back in its initial state awaiting the start of a new cycle.
The low-level synchronization protocol may require that Authentication Token Storage Unit 147 keep a "window" of old values, so that a period of time exists in which a previous value can be retransmitted to Secure Computer 104 in cases where the comparison described in Step 5 fails.
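The cycle in Steps 1 to 6, as an added example that is not part of the patent: a Python simulation of Secure Computer 104 and Personal Unit 101 running the Authentication Token Exchange Protocol, including the retransmit-then-alarm path of Step 5. The construction is assumed, since the patent fixes none of it: tokens and keystream elements are HMAC-SHA256 outputs, encipherment is XOR, and each transaction record carries the number of the keystream element it used, standing in for the low-level synchronization protocol that the patent mentions but does not describe. Keys and names are constructed values.

```python
import hashlib
import hmac

WIDTH = 16                 # bytes per Token and per Keystream Element (assumed)
MAX_FAILURES = 3           # "preset number of transmissions" before an alarm (assumed)


def keystream_element(key: bytes, n: int) -> bytes:
    """Keystream Element n, as produced by synchronized Generators 201 and 221 (assumed construction)."""
    return hmac.new(key, b"ks" + n.to_bytes(8, "big"), hashlib.sha256).digest()[:WIDTH]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecureComputer:
    """Secure Computer 104: Logic and Control Unit 141, Cryptographic Unit 142, Token Generator 147."""

    def __init__(self, keystream_key: bytes, token_seed: bytes):
        self.kkey = keystream_key
        self.seed = token_seed
        self.tokens = {}       # token number -> value, retained by Generator 147
        self.m = 0             # number of the last Token generated
        self.n = 0             # number of the last Keystream Element produced
        self.failures = 0
        self.alarm = False

    def _token(self, m: int) -> bytes:
        t = hmac.new(self.seed, b"tok" + m.to_bytes(8, "big"), hashlib.sha256).digest()[:WIDTH]
        self.tokens[m] = t
        return t

    def provision(self) -> dict:
        """Step 1 initial state: Token 0 enciphered with Element 0 is placed in Storage 117."""
        return {"token_enc": xor(self._token(0), keystream_element(self.kkey, 0)), "n": 0}

    def send(self) -> dict:
        """Step 2: generate Token m+1, encipher it with Element n+1, send it as a transaction field."""
        self.m += 1
        self.n += 1
        return {"token_enc": xor(self._token(self.m), keystream_element(self.kkey, self.n)), "n": self.n}

    def receive(self, reply: dict) -> str:
        """Steps 4 and 5: decipher with Element n+2 and compare with the retained Token m."""
        self.n = max(self.n, reply["n"])
        putative = xor(reply["token_enc"], keystream_element(self.kkey, reply["n"]))
        if hmac.compare_digest(putative, self.tokens[self.m - 1]):
            self.failures = 0
            return "chained"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.alarm = True
            return "alarm"
        return "retransmit"    # the low-level synchronization protocol asks for the record again


class PersonalUnit:
    """Personal Unit 101: Logic and Control Unit 111, Cryptographic Unit 112, Token Storage 117."""

    def __init__(self, keystream_key: bytes, initial: dict):
        self.kkey = keystream_key
        self.storage = initial     # enciphered Token m plus the number of the Element used
        self.last_reply = None     # one-entry "window" of old values for retransmission

    def respond(self, msg: dict) -> dict:
        """Step 3: recover Token m with Element n, re-encipher with Element n+2; Step 6: store Token m+1."""
        token_m = xor(self.storage["token_enc"], keystream_element(self.kkey, self.storage["n"]))
        reply_n = msg["n"] + 1
        self.last_reply = {"token_enc": xor(token_m, keystream_element(self.kkey, reply_n)), "n": reply_n}
        self.storage = msg         # Step 6: Token m+1 enciphered with Element n+1
        return self.last_reply

    def retransmit(self) -> dict:
        return self.last_reply


def demo() -> list:
    """Three clean cycles, then a reply garbled in transit and its retransmission."""
    kkey, seed = b"shared keystream key", b"token generator seed"   # constructed secrets
    sc = SecureComputer(kkey, seed)
    pu = PersonalUnit(kkey, sc.provision())
    results = [sc.receive(pu.respond(sc.send())) for _ in range(3)]
    garbled = dict(pu.respond(sc.send()))
    garbled["token_enc"] = bytes(WIDTH)        # transmission error on the return record
    results.append(sc.receive(garbled))
    results.append(sc.receive(pu.retransmit()))
    return results


if __name__ == "__main__":
    print(demo())
```

On the wire an observer sees Token m+1 under Element n+1 going out and Token m under Element n+2 coming back; the Personal Unit never holds a token in clear between cycles, and the only state it must keep for a retransmission is its last reply. Reusing a keystream element for two different records would expose the XOR of two tokens, which is why every record here names the element it consumed.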

Identification and Authentication Protocol
The Identification and Authentication Protocol operation is identical for both forms of the present invention. The description that follows is referenced to Figures 30 and 31.

Initiation of Protocol
The protocol is initiated when a user first establishes a communications link between Personal Unit 101 and Workstation Unit 102, when a user initiates an "attention" signal by pressing a key on Keyboard 114, or when a demand for user authentication is made by Secure Computer 104.
If the protocol was initiated from Personal Unit 101, an Initiation Transaction is constructed by Logic and Control Unit 111 consisting of the following elements:
(1) A distinguished value identifying this as an Initiation Transaction.
(2) A value which will enable Logic and Control Unit 141 to reply to the transaction (e.g., a network address).
(3) User Identifier 115, enciphered with a keystream which is reserved for this purpose.
(4) A value provided by the Cryptographic Checksum Protocol which serves to validate the value and association of the above elements.

Authentication Demand Transaction
Upon receipt of the Initiation Transaction, or upon demand by Security Kernel 143 for user authentication, Logic and Control Unit 141 constructs an Authentication Demand Transaction and transmits it to Logic and Control Unit 111. This transaction consists of the following elements:
(1) A distinguished value identifying this as an Authentication Demand Transaction.
(2) An enciphered Authentication Token as described in Step 2 of the Authentication Token Exchange Protocol. If this transaction is in response to an Initiation Transaction, the User Identifier 115 in that transaction will be deciphered and used to select the proper sequence of Authentication Tokens. If this transaction is in response to a demand from Security Kernel 143, the user identifier (and therefore the denotation of the proper Token Sequence) will be included in the demand.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

Authentication Response Transaction
Upon receipt of this transaction, Logic and Control Unit 111 notifies the user by means of Display 113. If required, the user enters a Personal Identification Number or other value or measurement which serves to identify the user. Logic and Control Unit 111 communicates with Logic and Control Unit 121 and obtains from it Workstation Identifier 125. Logic and Control Unit 111 then constructs and sends to Logic and Control Unit 141 an Authentication Response Transaction which consists of the following elements:
(1) A distinguished value identifying this as an Authentication Response Transaction.
(2) The Workstation Identifier 125, enciphered with a keystream reserved for this purpose.
(3) The User Identifier 115, optionally supplemented with Personal Identification Number or other personal data, and enciphered with a keystream reserved for this purpose.
(4) An enciphered return Authentication Token as described in Step 3 of the Authentication Token Exchange Protocol.
(5) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

Upon receipt of this transaction, Logic and Control Unit 141 deciphers Workstation Identifier 125 and User Identifier 115, performs the operations described in Steps 4 and 5 of the Authentication Token Exchange Protocol, and if validated, notifies Security Kernel 143 that the denoted user interacting from the denoted Workstation has been authenticated. If not validated, Logic and Control Unit 141 notifies Security Kernel 143 that an invalid logon attempt has occurred and appropriate response should be made.

Acknowledgment Transaction
If the validation succeeds, Logic and Control Unit 141 constructs and sends to Logic and Control Unit 111 an Acknowledgment Transaction which consists of the following elements:
(1) A distinguished value identifying this as an Acknowledgment Transaction.
(2) The Workstation Identifier 125 and User Identifier 115, enciphered with the next element of the keystream reserved for this purpose.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

Validation of Response
Upon receipt of this transaction, Logic and Control Unit 111 performs Step 6 of the Authentication Token Exchange Protocol, notifies the user by means of Display 113 that the identification and authentication process is complete, and sends a transaction to Workstation 131 through Communications Units 118 and 128 that causes communications between Workstation 131 and Secure Computer 104 to be initiated in the case of logon, or to be continued in the case of an identification demand from Secure Computer 104 in the middle of a session.
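The transaction records of this protocol, as an added example not taken from the patent: how a distinguished type value, a keystream "reserved for this purpose" and the Cryptographic Checksum fit together, and why the checksum is said to authenticate the "association" as well as the value of the elements. The checksum is assumed to be HMAC-SHA256 over a length-prefixed encoding; the reserved keystreams are assumed to be HMAC-derived and applied by XOR; the Authentication Token elements are treated as opaque bytes delivered by the Token Exchange Protocol. Identifiers, addresses and keys are constructed.

```python
import hashlib
import hmac
import struct

# distinguished values identifying the transaction kind (assumed encoding)
INITIATION, AUTH_DEMAND, AUTH_RESPONSE, ACKNOWLEDGMENT = 1, 2, 3, 4


def reserved_keystream(key: bytes, purpose: bytes, index: int, length: int) -> bytes:
    """Element `index` of the keystream reserved for `purpose` (assumed HMAC-SHA256 construction)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, purpose + struct.pack(">QI", index, block), hashlib.sha256).digest()
    return out[:length]


def encipher(key: bytes, purpose: bytes, index: int, data: bytes) -> bytes:
    """XOR with one reserved keystream element; the same call deciphers. Never reuse an index."""
    return bytes(a ^ b for a, b in zip(data, reserved_keystream(key, purpose, index, len(data))))


def encode(kind: int, elements: list) -> bytes:
    """Type value first, then every element length-prefixed, so the checksum fixes both
    each element's value and its position (its "association") in the record."""
    body = struct.pack(">I", kind)
    for e in elements:
        body += struct.pack(">I", len(e)) + e
    return body


def seal(csum_key: bytes, kind: int, elements: list) -> dict:
    """Attach the Cryptographic Checksum value (assumed HMAC-SHA256)."""
    return {"kind": kind, "elements": elements,
            "checksum": hmac.new(csum_key, encode(kind, elements), hashlib.sha256).digest()}


def verify(csum_key: bytes, record: dict) -> bool:
    expect = hmac.new(csum_key, encode(record["kind"], record["elements"]), hashlib.sha256).digest()
    return hmac.compare_digest(expect, record["checksum"])


def initiation(keys: dict, user_id: bytes, reply_to: bytes) -> dict:
    """Initiation Transaction as built by Logic and Control Unit 111."""
    return seal(keys["csum"], INITIATION, [reply_to, encipher(keys["ks"], b"user-id", 0, user_id)])


def auth_response(keys: dict, workstation_id: bytes, user_id_pin: bytes, return_token: bytes) -> dict:
    """Authentication Response Transaction; return_token is the enciphered Token of Step 3 (opaque here)."""
    return seal(keys["csum"], AUTH_RESPONSE, [encipher(keys["ks"], b"workstation-id", 0, workstation_id),
                                               encipher(keys["ks"], b"user-id", 1, user_id_pin),
                                               return_token])


def secure_computer_check(keys: dict, record: dict):
    """Logic and Control Unit 141: None unless the checksum authenticates value and association."""
    if not verify(keys["csum"], record):
        return None
    if record["kind"] == INITIATION:
        return {"user": encipher(keys["ks"], b"user-id", 0, record["elements"][1])}
    if record["kind"] == AUTH_RESPONSE:
        ws, uid, tok = record["elements"]
        return {"workstation": encipher(keys["ks"], b"workstation-id", 0, ws),
                "user": encipher(keys["ks"], b"user-id", 1, uid), "token": tok}
    return {}


def demo() -> dict:
    keys = {"csum": b"checksum key", "ks": b"keystream key"}          # constructed shared secrets
    init = initiation(keys, b"alice", b"10.0.0.7")
    resp = auth_response(keys, b"WS-0131", b"alice|1234", b"\x01" * 16)
    bob = auth_response(keys, b"WS-0131", b"bob|9999", b"\x02" * 16)
    # genuine elements, wrong association: Alice's enciphered identifier spliced into Bob's record
    spliced = dict(bob, elements=[bob["elements"][0], init["elements"][1], bob["elements"][2]])
    # same elements and checksum, but relabelled with another distinguished value
    relabelled = dict(resp, kind=ACKNOWLEDGMENT)
    return {"init": secure_computer_check(keys, init), "resp": secure_computer_check(keys, resp),
            "spliced": secure_computer_check(keys, spliced), "relabelled": secure_computer_check(keys, relabelled)}
```

The length prefixes in `encode` are not decoration: a checksum over a bare concatenation would accept a record whose element boundaries had been moved, and one that omitted the type value would accept a response replayed as an acknowledgment. Each reserved keystream is used at one index per record; deciphering on the Secure Computer side must consume the same index.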
Trusted Command Protocol
The Trusted Command Protocol operation is identical for both forms of the present invention. The description that follows is referenced to Figures 30 and 31.
The protocol is initiated when a user selects a privileged command when interacting with Workstation 131. The privileged nature of the command is recognized by Security Kernel 143 and it notifies Logic and Control Unit 141 to start the protocol for the selected privileged command.

User Confirmation Demand Transaction
Logic and Control Unit 141 constructs and sends to Logic and Control Unit 111 a User Confirmation Demand Transaction which consists of the following elements:
(1) A distinguished value identifying this as a User Confirmation Demand Transaction.
(2) An enciphered Authentication Token as described in Step 2 of the Authentication Token Exchange Protocol.
(3) A description or denotation of the privileged command and the relevant parameters, formatted so it may be displayed on Display 113 of Personal Unit 101.
(4) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

User Response Transaction
Upon receipt of this transaction, Logic and Control Unit 111 displays the description or denotation of the privileged command on Display 113. The user visually checks that the description as displayed is of the command whose selection initiated the protocol, and notifies Logic and Control Unit 111 through Keyboard 114 whether the selection of the command is confirmed or denied. Upon receipt of this notification, Logic and Control Unit 111 constructs a User Response Transaction which consists of the following elements:
(1) A distinguished value identifying this as a User Response Transaction.
(2) An indication of whether the command selection is confirmed or denied, enciphered using a keystream reserved for this purpose.
(3) An enciphered return Authentication Token as described in Step 3 of Authentication Token Exchange Protocol.
(4) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.
Immediately subsequent to the sending of this transaction, Logic and Control Unit 111 performs Step 6 of the Authentication Token Exchange Protocol.
Upon receipt of the User Response Transaction, Logic and Control Unit 141 deciphers the confirm/deny indicator and performs Steps 4 and 5 of the Authentication Token Exchange Protocol. Logic and Control Unit 141 passes the confirm/deny indicator to Security Kernel 143. If confirm, the command is executed and Logic and Control Unit 141 is so notified. If deny, Security Kernel 143 takes appropriate action such as retry or alarm.

Acknowledgment Transaction
If the command is invoked, Logic and Control Unit 141 constructs and sends to Logic and Control Unit 111 an Acknowledgment Transaction which consists of the following elements:
(1) A distinguished value identifying this as an Acknowledgment Transaction.
(2) An enciphered Authentication Token as described in Step 2 of the Authentication Token Exchange Protocol.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

Notification Complete Transaction
Upon receipt of this transaction, Logic and Control Unit 111 displays the acknowledgment on Display 113. Logic and Control Unit 111 then constructs and sends to Logic and Control Unit 141 a Notification Complete Transaction which consists of the following elements:
(1) A distinguished value identifying this as a Notification Complete Transaction.
(2) An enciphered return Authentication Token as described in Step 3 of Authentication Token Exchange Protocol.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.
Immediately subsequent to the sending of this transaction, Logic and Control Unit 111 performs Step 6 of the Authentication Token Exchange Protocol.
Upon receipt of this transaction, Logic and Control Unit 141 performs Steps 4 and 5 of the Authentication Token Exchange Protocol and communicates to Security Kernel 143 that the user has been notified.

Trusted Review Protocol
The Trusted Review Protocol operation is identical for both forms of the present invention. The description that follows is referenced to Figures 30 and 31.
The protocol is initiated when a user invokes a Trusted Review Command from Workstation 131. Security Kernel 143 recognizes this command and displays, subject to the restrictions of security policy, a window of information on its screen using the conventions of graphical or other user interfaces. Within this window, Security Kernel 143 also displays a review subwindow whose dimensions are such that all the data displayed on it can be identically displayed on Display 113 of Personal Unit 101. The position of the review subwindow can be moved within the main window using the keyboard, mouse, or other input device of Workstation 131. This arrangement is shown in Figure 34.
User Review Demand Transaction
When the user is satisfied that the review subwindow 134' is positioned over the portion of critical and sensitive data to be reviewed, he or she notifies Security Kernel 143 by means of the keyboard or other input device on Workstation 131. Security Kernel 143 copies the portion of critical and sensitive data to be reviewed from Critical and Sensitive Data 144 and sends it to Logic and Control Unit 141. Logic and Control Unit 141 then constructs and sends to Logic and Control Unit 111 a User Review Demand Transaction which consists of the following elements:
(1) A distinguished value identifying this as a User Review Demand Transaction.
(2) An enciphered Authentication Token as described in Step 2 of the Authentication Token Exchange Protocol.

(3) The portion of critical and sensitive data, formatted so it may be displayed on Display 113 of Personal Unit 101.
(4) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.
User Response Transaction
Upon receipt of this transaction, Logic and Control Unit 111 displays the portion of critical and sensitive data on Display 113. The user visually checks that the portion as displayed is identical to that shown on the review subwindow, and notifies Logic and Control Unit 111 through Keyboard 114 whether the review is confirmed or denied. Upon receipt of this notification, Logic and Control Unit 111 constructs a User Response Transaction which consists of the following elements:
(1) A distinguished value identifying this as a User Response Transaction.
(2) An indication of whether the review is confirmed or denied, enciphered using a keystream reserved for this purpose.
(3) An enciphered return Authentication Token as described in Step 3 of Authentication Token Exchange Protocol.
(4) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.
Immediately subsequent to the sending of this transaction, Logic and Control Unit 111 performs Step 6 of the Authentication Token Exchange Protocol.
Upon receipt of the User Response Transaction, Logic and Control Unit 141 deciphers the confirm/deny indicator and performs Steps 4 and 5 of the Authentication Token Exchange Protocol. Logic and Control Unit 141 passes the confirm/deny indicator to Security Kernel 143. If confirm, processing proceeds and Logic and Control Unit 141 is so notified. If deny, Security Kernel 143 takes appropriate action such as retry or alarm.
Acknowledgment Transaction
If the command is invoked, Logic and Control Unit 141 constructs and sends to Logic and Control Unit 111 an Acknowledgment Transaction which consists of the following elements:
(1) A distinguished value identifying this as an Acknowledgment Transaction.
(2) An enciphered Authentication Token as described in Step 2 of the Authentication Token Exchange Protocol.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.

Notification Complete Transaction
Upon receipt of this transaction, Logic and Control Unit 111 displays the acknowledgment on Display 113. Logic and Control Unit 111 then constructs a Notification Complete Transaction which consists of the following elements:
(1) A distinguished value identifying this as a Notification Complete Transaction.
(2) An enciphered return Authentication Token as described in Step 3 of Authentication Token Exchange Protocol.
(3) A value from the Cryptographic Checksum Protocol which serves to authenticate the value and association of the above elements.
Immediately subsequent to the sending of this transaction, Logic and Control Unit 111 performs Step 6 of the Authentication Token Exchange Protocol.
Upon receipt of this transaction, Logic and Control Unit 141 performs Steps 4 and 5 of the Authentication Token Exchange Protocol and communicates to Security Kernel 143 that the user has been notified.
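The Trusted Command and Trusted Review Protocols above, as one added example (not the patent's own code): a Python model in which Workstation 131 is untrusted and may substitute a command, forge what the review subwindow shows, or rewrite a User Response in transit, while Display 113 of Personal Unit 101 shows exactly what Security Kernel 143 will act on. The checksum is an assumed HMAC-SHA256; a random value stands in for the enciphered Authentication Token that chains the response to the demand; commands and data are constructed strings.

```python
import hashlib
import hmac
import os


def checksum(key: bytes, *parts: bytes) -> bytes:
    """Cryptographic Checksum over the value and association of the parts (assumed HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class PersonalUnit:
    """Personal Unit 101: Display 113 shows the demand text; the user answers on Keyboard 114."""

    def __init__(self, key: bytes, intended_command: bytes, seen_in_subwindow: bytes):
        self.key = key
        self.intent = intended_command        # the command the user actually selected
        self.seen = seen_in_subwindow         # what Workstation 131 shows in the review subwindow

    def respond(self, demand: dict) -> dict:
        """User Confirmation Demand or User Review Demand -> User Response Transaction."""
        genuine = hmac.compare_digest(
            demand["checksum"], checksum(self.key, demand["kind"], demand["token"], demand["text"]))
        if not genuine:
            verdict = b"deny"
        elif demand["kind"] == b"command":
            verdict = b"confirm" if demand["text"] == self.intent else b"deny"    # Trusted Command check
        else:
            verdict = b"confirm" if demand["text"] == self.seen else b"deny"      # Trusted Review check
        return {"kind": b"response", "token": demand["token"], "verdict": verdict,
                "checksum": checksum(self.key, b"response", demand["token"], verdict)}


class SecureComputer:
    """Secure Computer 104: Security Kernel 143 acts only on an authenticated, chained confirmation."""

    def __init__(self, key: bytes):
        self.key = key
        self.executed = []

    def demand(self, kind: bytes, text: bytes) -> dict:
        token = os.urandom(16)    # stands in for the enciphered Authentication Token of Step 2 (assumption)
        return {"kind": kind, "token": token, "text": text,
                "checksum": checksum(self.key, kind, token, text)}

    def decide(self, demand: dict, response: dict) -> str:
        expected = checksum(self.key, b"response", response["token"], response["verdict"])
        if not (hmac.compare_digest(expected, response["checksum"]) and response["token"] == demand["token"]):
            return "invalid"                      # Step 5 failure: not chained to this demand
        if response["verdict"] != b"confirm":
            return "denied"                       # Security Kernel 143: retry or alarm
        if demand["kind"] == b"command":
            self.executed.append(demand["text"])
        return "confirmed"


def run(sc: SecureComputer, pu: PersonalUnit, kind: bytes, text: bytes, relay=None) -> str:
    """One protocol run; `relay` models Workstation 131 tampering with the response in transit."""
    d = sc.demand(kind, text)
    r = pu.respond(d)
    return sc.decide(d, relay(r) if relay else r)


def demo() -> dict:
    key = b"shared checksum key"                                          # constructed secret
    intended, critical = b"transfer 100 to ACCT-A", b"balance: 1,000.00"  # constructed data
    sc = SecureComputer(key)
    honest_pu = PersonalUnit(key, intended, critical)

    def flip_to_confirm(r):                   # relay rewrites the verdict but cannot re-checksum
        return dict(r, verdict=b"confirm")

    results = {
        "honest command": run(sc, honest_pu, b"command", intended),
        # a trojaned Workstation submitted another command; Display 113 shows what the kernel would run
        "substituted command": run(sc, honest_pu, b"command", b"transfer 100000 to ACCT-B"),
        "relay flips deny": run(sc, honest_pu, b"command", b"transfer 100000 to ACCT-B", flip_to_confirm),
        "honest review": run(sc, honest_pu, b"review", critical),
        # the Workstation screen shows forged data; the Personal Unit shows Critical and Sensitive Data 144
        "forged review": run(sc, PersonalUnit(key, intended, b"balance: 1,000,000.00"), b"review", critical),
    }
    results["executed"] = list(sc.executed)
    return results
```

The property being exercised is that nothing the Workstation controls can turn a "deny" into an executed privileged command: substituting the command is caught by the user at Display 113, and rewriting the response is caught by the checksum and the token chaining at Secure Computer 104. In the real protocol the token is the enciphered Authentication Token, so a response cannot even be replayed against a later demand.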

Advantages of Trusted Path
Centralized Detection of Security Alarms
The protocols of the invention are arranged so that all security alarms are raised at Secure Computer 104 and there is no user responsibility for responding to an alarm. This feature is an improvement over traditional cryptographic Checksum and other means which display alarms to users and require them to notify the proper authorities, in that it permits the invention to provide security for users who may be in physical locations where such notification is not possible.
Robustness
If an attacker obtains an actual Personal Unit 101 or its logical equivalent, and obtains through analysis or subversion of personnel the keystream used in the Authentication Token Exchange Protocol, the protocol allows him a "window of opportunity" for masquerade which is terminated the very next time the legitimate user and Personal Unit 101 interact with Secure Computer 104. This is because each interaction moves the sequence of Authentication Tokens inside Secure Computer 104, and this movement cannot be influenced from the outside. (If Secure Computer 104 is compromised, then all data is lost anyway.) The operation performed by the masquerading attacker will cause a mismatch in the return Token when the legitimate user attempts an interaction, and this mismatch will be detected at Secure Computer 104.

This robustness enables the use of weaker cryptographic algorithms or keys in environments where it is not safe or desirable to transport or use high-grade cryptography.
Positive Detection of Attack
The Authentication Token Exchange Protocol is superior to traditional methods which rely on cryptographic checksums, in that it can positively differentiate between alarms raised by communications failures and those raised by deliberate attempts to compromise security. This capability is granted by the Authentication Token sequence. If a mismatch in Tokens is detected in Step 5 of the Authentication Token Exchange Protocol, then the Token sequence can be searched backward to see if the returned Token matches exactly some earlier value. If it does, then Secure Computer 104 is assured, to the strength of the algorithm that randomizes the Tokens, that the alarm was raised by an attack. In addition, Secure Computer 104 knows that the keystream used in the Authentication Token Exchange Protocol has been compromised, and can identify the exact interaction where the compromise occurred.
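The backward search described in this section, as an added example that is not part of the patent: given the sequence retained by Authentication Token Generator 147 and a putative token that failed the Step 5 comparison, decide between a line error and a masquerade, and locate the interaction at which the masquerade began. The token construction (HMAC-SHA256 of a seed and a counter) and the scenario values are assumptions.

```python
import hashlib
import hmac
import os


def token_sequence(seed: bytes, count: int) -> list:
    """Tokens 0..count-1 as retained by Authentication Token Generator 147 (assumed HMAC construction)."""
    return [hmac.new(seed, b"tok" + m.to_bytes(8, "big"), hashlib.sha256).digest()[:16]
            for m in range(count)]


def classify_mismatch(tokens: list, expected: int, putative: bytes) -> dict:
    """Step 5 found putative != tokens[expected]; search the retained sequence backward.

    A hit at an earlier index k means the responding unit still held Token k, so the
    interactions that advanced the sequence from k to `expected` were performed by
    someone else holding the keystream: a masquerade, not a line error. The clone was
    taken after interaction k, and interactions k+1 .. expected were the attacker's.
    """
    for k in range(expected - 1, -1, -1):
        if hmac.compare_digest(tokens[k], putative):
            return {"verdict": "attack",
                    "clone_taken_after_interaction": k,
                    "first_masqueraded_interaction": k + 1,
                    "masqueraded_interactions": expected - k}
    return {"verdict": "communications failure"}


def demo() -> dict:
    tokens = token_sequence(b"token generator seed", 8)        # constructed seed
    # The legitimate Personal Unit last received Token 3. An attacker with a clone of it and
    # the keystream then completed two cycles, so Secure Computer 104 now expects Token 5 back.
    attack = classify_mismatch(tokens, 5, tokens[3])
    noise = classify_mismatch(tokens, 5, os.urandom(16))       # a record garbled in transit
    return {"attack": attack, "noise": noise}
```

The verdict is only as good as the unpredictability of the tokens: with 128-bit HMAC outputs the chance that a garbled record coincides with an earlier token is negligible, but a token generator an attacker could predict would let him present a value that looks like line noise instead of a stale token.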
Positive Determination of Security Boundaries
The elements of the invention provide physical and verifiable indications of where the security boundaries of Secure Computer 104 are located.
Operational Advantages
Independence of Communications Means
The protocols in this invention operate at Layers 5, 6, and 7 of the ISO standard for communications protocols. This means that they are independent of the nature or topology of the network which connects Workstation 131 to Secure Computer 104. All prior means for achieving Trusted Path have depended, to a greater or lesser degree, on the nature or topology of this network.

Minimal Intrusiveness
The elements of the invention are either free-standing units, parts of an already distinguished secure computer, or devices which attach to existing interfaces to commercial workstations. The only modification required to a commercial workstation is a software modification so that data can pass from Workstation Unit 102 across the network to Secure Computer 104. No security reliance is placed on this modification, so that it can be rapidly and economically made to the software of a wide variety of commercial units.

Low Cost
The elements of the invention are such that they can be constructed of readily available commercial technology.
ALTERNATE EMBODIMENT OF DATA ENCLAVE SYSTEM
An alternate embodiment of the Data Enclave System 20 is shown in Figs. 35, 36 and 37. Alternate embodiment 300 provides for operation of the Data Enclave System in a non-networked environment.

Data Elements
The data elements of the alternate embodiment 300 correspond to those described with reference to embodiment 20.

Processing Elements
Crypto Support Center
A Crypto Support Center 310 is provided for each organization or set of organizations. The Crypto Support Center 310 is used for archival storage and distribution of cryptographic keys. Crypto Support Center 310 is permanently installed in a secure area, and includes a Secure Computer 311 and a Communications Security Device 312. Secure Computer 311 may be of generally the same design as Security Server 24 as described and illustrated with reference to embodiment 20. However, there is no requirement that the Secure Computer 311 be networked to the work stations 340 within the organization.
Local Crypto Support Device
There is at least one Local Crypto Support Device 320 for each organization. Each Local Crypto Support Device 320 is portable, for example, lap-top computer size. Preferably, Local Crypto Support Devices 320 are equipped with theft detection circuitry, such as that used to deter shoplifting. Local Crypto Support Devices 320 are used in key distribution and are equipped with a Communications Security Device 322 that is compatible with the Communications Security Device 312 in Crypto Support Center 310. Local Crypto Support Device 320 includes a Key Management Crypto 324 which functions substantially the same as the Key Management Crypto 70 described with reference to the embodiment 20 of the data enclave system, insofar as media initialization, key generation and key assignment are concerned. Crypto Support Devices 320 further include a disk drive 326, which may be used to read and write removable media 302, and a data interface 328, which may be coupled to a Crypto Media Controller in a Workstation 340. The interface can either be wired or wireless (for example, radio or infra-red).

Personal Keying Device
Each user is issued a Personal Keying Device 330 of the same design as Personal Keying Device 30 described above with reference to embodiment 20 of the Data Enclave System. Personal Keying Device 330 is used for key insertion and individual authentication. Personal Keying Device 330 includes electronic storage 331, a key pad, a display and a Data Transfer Interface 332, which is compatible with the Data Transfer Interface in the Local Crypto Support Device 320. Personal Keying Devices 330 may also be equipped with theft detection circuitry.

Crypto Media Controller
Each work station 340 operating within the enclave 300 includes a Crypto Media Controller 342 of the same design as Crypto Media Controller 26, with the exception that Crypto Media Controller 342 does not include logic and functions for media initialization and key generation, or key assignment for already initialized media. Crypto Media Controller 342 further includes a Data Interface 344 compatible with Data Interface 328 in the Local Crypto Support Device 320.
OPERATION OF ALTERNATE EMBODIMENT 300
Alternate embodiment 300 is similar in many respects to embodiment 20, except that Local Crypto Support Device 320 and Crypto Support Center 310 perform certain functions performed by Crypto Media Controller 26 and Security Server 24, respectively, in embodiment 20; namely, those functions described in Steps 1-13 of the Media Initialization and Key Generation process and in Steps 1-14 of the Key Assignment process (for initialized media) of embodiment 20. In addition, the Local Area Network 12 link used in embodiment 20 is replaced with the secure connection established between Communications Security Device 322 in the Local Crypto Support Device 320 and Communications Security Device 312 in the Crypto Support Center 310.

Media Initialization and Key Assignment
The following description of the media initialization and key assignment operation refers to Figs. 36 and 37.
An individual brings together a blank unit of physical media 302, his or her Personal Keying Device 330, and the appropriate Local Crypto Support Device 320. If the media is fixed, Personal Keying Device 330 and Local Crypto Support Device 320 are brought to the Workstation 340 containing the fixed media 302. As shown in Fig. 36, data interfaces are then established between Personal Keying Device 330 and Local Crypto Support Device 320 on the one hand, and between Local Crypto Support Device 320 and the Crypto Media Controller 342 for the fixed media on the other. Once these interfaces are established, a secure link is made between Local Crypto Support Device 320 and Crypto Support Center 310 using the Communications Security Devices 312 and 322. The Trusted Path Protocol of the present invention may be used to establish a secure link.
If the media 302 is removable, the media 302 is brought to the Local Crypto Support Device 320, where it can be read and written using Disk Drive 326. This configuration is shown in Figure 37.
The individual desiring access to Media 302 then enters his or her PIN 58 into Personal Keying Device 330, which transmits it to Local Crypto Support Device 320. Local Crypto Support Device 320 extracts the encrypted User UID 56 from Personal Keying Device 330 and decrypts it using the Enclave Key 50.
Local Crypto Support Device 320 then initiates a secure connection to the Crypto Support Center 310 and transmits the User UID 56 to it.
Local Crypto Support Device 320 and the Crypto Support Center 310, with the optional aid of authorized individuals, generate a Media UID 54, Media Key 52, and Access Vector 60 for use of the media 302. At the end of this process, the Media UID 54, Media Key 52, User UID 56, and Access Vector 60 are archived together at the Crypto Support Center 310 and stored temporarily in Local Crypto Support Device 320.
Local Crypto Support Device 320 then writes the Media UID 54 to an appropriate location on Media 302 (e.g., Volume Label). It combines the User UID 56, Enclave Key 50, and PIN 58 to form a key with which it enciphers the Media Key/Access Vector pair 62. It uses the Media UID 54 to index storage 331 of Personal Keying Device 330 and stores the enciphered pair 62 in the appropriate location.
At this point, the initialization is complete. Media 302 can be identified, and the individual's Personal Keying Device 330 contains a Media Key 52 which can only be used by an individual who has physical possession of that Personal Keying Device 330, knows that individual's PIN 58, and has Media 302 controlled by a Crypto Media Controller 342 containing the Enclave Key.

Keying of Devices
An individual establishes a data transfer interface between his or her Personal Keying Device 330 and any Crypto Media Controller 342 containing the Enclave Key, and between that Crypto Media Controller 342 and the Media 302 the individual desires to access. If the media 302 is removable, this will involve placing the unit of media 302 into the appropriate device (e.g., diskette drive) of the Workstation 340. From this point on, the alternate embodiment 300 operates in the same manner as the first described Data Enclave embodiment 20, as set forth in Steps 1-10 under the heading "Keying of Devices."
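The initialization and keying steps above, as an added example that is not part of the patent: the combined key formed from User UID 56, Enclave Key 50 and PIN 58, the enciphering of the Media Key/Access Vector pair 62, its storage in Personal Keying Device 330 indexed by Media UID 54, and its recovery by a Crypto Media Controller 342 holding the Enclave Key. The patent names no algorithms, so PBKDF2-HMAC-SHA256 for the combined key and an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) for the pair are assumptions, as are the identifiers, PIN and Enclave Key used.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 50_000          # assumed; the patent does not name a key-derivation function


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed construction; the patent names no cipher)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, label + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]


def encipher_uid(enclave_key: bytes, user_uid: bytes) -> bytes:
    """User UID 56 as held in the Personal Keying Device: enciphered under Enclave Key 50."""
    nonce = os.urandom(16)
    return nonce + xor(user_uid, keystream(enclave_key, b"uid" + nonce, len(user_uid)))


def decipher_uid(enclave_key: bytes, blob: bytes) -> bytes:
    return xor(blob[16:], keystream(enclave_key, b"uid" + blob[:16], len(blob) - 16))


def combined_key(user_uid: bytes, enclave_key: bytes, pin: bytes) -> bytes:
    """Key formed from User UID 56, Enclave Key 50 and PIN 58 (assumed PBKDF2 construction)."""
    return hashlib.pbkdf2_hmac("sha256", user_uid + b"\x00" + pin, enclave_key, PBKDF2_ROUNDS)


def wrap_pair(key: bytes, media_key: bytes, access_vector: bytes) -> bytes:
    """Encipher the Media Key/Access Vector pair 62 (encrypt-then-MAC, assumed)."""
    nonce = os.urandom(16)
    plain = struct.pack(">H", len(media_key)) + media_key + access_vector
    body = xor(plain, keystream(key, b"enc" + nonce, len(plain)))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap_pair(key: bytes, blob: bytes):
    """Return (media_key, access_vector), or None when PIN, UID or Enclave Key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()):
        return None
    plain = xor(body, keystream(key, b"enc" + nonce, len(body)))
    (n,) = struct.unpack(">H", plain[:2])
    return plain[2:2 + n], plain[2 + n:]


class PersonalKeyingDevice:
    """Personal Keying Device 330: enciphered User UID plus storage 331 indexed by Media UID."""

    def __init__(self, enclave_key: bytes, user_uid: bytes):
        self.encrypted_uid = encipher_uid(enclave_key, user_uid)
        self.storage = {}


def initialize_media(enclave_key: bytes, pkd: PersonalKeyingDevice, pin: bytes,
                     access_vector: bytes, archive: dict) -> bytes:
    """Local Crypto Support Device 320 with Crypto Support Center 310. Returns the Media UID
    that is written to the volume label; the generated values are archived at the Center."""
    user_uid = decipher_uid(enclave_key, pkd.encrypted_uid)
    media_uid, media_key = os.urandom(8), os.urandom(32)           # Media UID 54, Media Key 52
    archive[media_uid] = (media_key, user_uid, access_vector)
    pkd.storage[media_uid] = wrap_pair(combined_key(user_uid, enclave_key, pin), media_key, access_vector)
    return media_uid


def key_controller(enclave_key: bytes, pkd: PersonalKeyingDevice, pin: bytes, volume_label: bytes):
    """Crypto Media Controller 342 keying step: recover the pair for the inserted media, or None."""
    blob = pkd.storage.get(volume_label)
    if blob is None:
        return None
    user_uid = decipher_uid(enclave_key, pkd.encrypted_uid)
    return unwrap_pair(combined_key(user_uid, enclave_key, pin), blob)


def demo() -> dict:
    enclave_key = os.urandom(32)                                 # Enclave Key 50 (constructed)
    pkd = PersonalKeyingDevice(enclave_key, b"user-0056")        # constructed identifier
    archive = {}
    media_uid = initialize_media(enclave_key, pkd, b"4711", b"read-write", archive)
    recovered = key_controller(enclave_key, pkd, b"4711", media_uid)
    return {
        "pair_matches_archive": recovered == (archive[media_uid][0], b"read-write"),
        "wrong_pin": key_controller(enclave_key, pkd, b"0000", media_uid),
        "foreign_controller": key_controller(os.urandom(32), pkd, b"4711", media_uid),
        "unknown_media": key_controller(enclave_key, pkd, b"4711", b"other"),
    }
```

The three failing cases in `demo` are the three factors the text lists: a wrong PIN, a controller without the Enclave Key (which also cannot recover the User UID), and media whose Media UID has no entry in storage 331. The authentication tag is what turns a wrong factor into a clean refusal rather than a garbage Media Key handed to the media encryption logic; a plain stream cipher without a tag would not give the controller that signal.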

Key Assignment for Already Initialized Media
Key assignment is performed in substantially the same fashion as Media Initialization and Key Generation, insofar as the Personal Keying Device 330, Workstation 340, Local Crypto Support Device 320 and Crypto Support Center 310 interact to generate a Media Key/Access Vector pair 91 for the already initialized media 302 by reference to the archived Media Key 42 for the media.
The present invention is to be limited only in accordance with the scope of the appended claims, since others skilled in the art may devise other embodiments still within the limits of the claims. The above-described detailed architectures are not meant to be limiting, and other equivalent forms may be substituted if desired.

Claims (7)

IN THE CLAIMS
1. A data enclave (20) for securing data carried on physical units of fixed (2) and removable (4) media, the data enclave (20) including a security server (24) connected over a network (12) to one or more workstations (10), wherein each workstation (10) includes a crypto media controller (26) used to read one of said physical units of media (2,4), the data enclave further comprising:
an enclave key (40) used to encrypt data transmitted within the data enclave (20), wherein a copy of the enclave key (40) is stored in the security server (24) and the workstations (10);
a personal keying device (30) for each user in the data enclave (20);
a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) assigned to each user in the enclave (20), wherein each user UID(48) is encrypted with the enclave key and stored in the personal keying device (30) of the user associated with the user UID;
a set of user attributes (56) provided for each user, wherein each set of user attributes (56) represents user privileges and other security related information pertaining to a particular user and wherein each set of user attributes (56) is associated with the user UID (48) of its respective user;
a media key (42) for each physical unit of media (2,4), wherein the media key (42) is used to encrypt and protect data carried on the media, a media unique identifier (media UID) (46) for each physical unit of media (2,4); and a set of media attributes (54) provided for each physical unit of media (2,4), wherein each set of media attributes (54) represents sensitivity or other security related information pertaining to data carried on a particular unit of media and wherein each set of media attributes (54) is associated with the media UID (46) of its respective physical unit of media (2,4);
wherein the security server (24) comprises:

security policy logic (86) for computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular unit of media (2,4), an access vector (52) which defines limits on access by the particular user (5) to the particular unit of media (2,4); and a key management crypto (70) for combining the access vector (52) and the media key (42) assigned to the particular unit of media (2,4) to form a media key/access vector pair (91) and for enciphering the media key/access vector pair (91) with a combined key formed from the enclave key (40) and the user UID
(48) and PIN (50) of the particular user (5);
wherein the personal keying device (30) comprises means (78) for storing the enciphered media key/access vector pair (91); and wherein the crypto media controller (26) comprises means (70, 72, 76) for controlling access to data on the particular unit of media (2,4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2,4) and the media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5).
2. A data enclave method for securing data carried on physical units of fixed (2) and removable (4) media in a data enclave (20) including a security server (24) connected over a network (12) to one or more workstations (10), wherein each workstation (10) includes a crypto media controller (26) used to read one of said physical units of media (2,4), the method comprising the steps of providing an enclave key (40) used to encrypt data transmitted within the data enclave (20);
storing a copy of the enclave key (40) in the security server (24) and the workstations (10);
providing a personal keying device (30) for each user in the data enclave (20);
assigning a personal identification number (PIN) (50) and a user unique identifier (user UID) (48) to each user in the enclave (20);

assigning a set of user attributes (56) for each user, wherein each set of user attributes (56) represents user privileges and other security related information pertaining to a particular user;
associating each set of user attributes (56) with the user UID (48) of its respective user;
encrypting each user UID (48) with the enclave key and storing each encrypted user UID (48') in the personal keying device (30) of the user associated with the user UID (48);
assigning a media key (42) and a media unique identifier (media UID) (46) for each physical unit of media (2,4), wherein the media key (42) is used to encrypt and protect data carried on the media;
assigning a set of media attributes (54) for each physical unit of media (2,4), wherein each set of media attributes (54) represents sensitivity or other security related information pertaining to data carried on a particular unit of media;
associating each set of media attributes (54) with the media UID (46) of its respective physical unit of media (2,4);
computing, from the set of user attributes assigned to a particular user (5) and the set of media attributes assigned to a particular unit of media (2,4), an access vector (52) which defines limits on access by the particular user (5) to the particular unit of media (2,4);
combining the access vector (52) and the media key (42) assigned to the particular unit of media (2,4) to form a media key/access vector pair (91);
enciphering the media key/access vector pair (91) with a combined key formed from the enclave key (40) and the user UID (48) and PIN (50) of the particular user (5); and storing the enciphered media key/access vector pair (91) in the personal keying device (30) of the particular user (5); and controlling access to data on the particular unit of media (2,4) as a function of the PIN (50) of the particular user (5), the media UID (46) of the particular physical unit of media (2,4) and the media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5).
3. A method according to claim 2 wherein the method further comprises the step of providing device attributes for each workstation (10), the device attributes representing security attributes of the workstations (10), and wherein the step of controlling access comprises the steps of:
determining the workstation (10) being used by the particular user (5);
retrieving the device attributes (58) associated with the workstation (10) being used by the particular user (5);
extracting the access vector (52) from the encrypted media key/access vector pair (91) retrieved from the personal keying device (30) of the particular user (5); and combining the retrieved device attributes (58) with the extracted access vector (52) to determine access rights by the particular user (5) on the particular workstation (10).
4. A method according to claim 2 wherein the method further comprises the steps of:
(a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user's PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) forming a first packet including the requesting user's PIN, the user UID and a request for initialization of a new unit of media, the request including the media attributes for the new unit of media;
(b) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server, (c) providing storage search logic in the server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization if the requesting user's PIN is not valid, (iv) extracting the media attributes from the request and commanding a media attribute data base stored in the server to make an entry for the new unit of media, and to create a new media UID for the new unit of media, and (v) indexing the user attribute data base with the user UID to extract the set of security attributes pertaining to the requesting user and passing the security attributes to security policy logic in the server;
(d) the security policy logic accepting the media attributes and the requesting user's security attributes and, using a set of rules and/or under the direction of a system administrator, computing a new access vector which defines limits on the access the requesting user will have to the new unit of media;
(e) the key management crypto in the server also (i) generating, with the optional aid of a system administrator, a new media key for the new unit of media, and (ii) enciphering the new media key/access vector pair formed with the new media key and the new access vector with a combined key including the user UID, the user PIN and the enclave key, to form a second packet;
(f) the storage search logic also storing the enciphered second packet in a crypto key data base stored in the server, the second packet indexed according to the requesting user's user UID and the new media UID;
(g) providing further logic for sending the new media UID and the second packet to the Workstation from which the first packet was received; and (h) providing storage search logic in the crypto media controller for (i) receiving the new media UID and writing it to an appropriate location on the new unit of media and (ii) storing the second packet containing the new media key/access vector pair in the personal keying device attached to the Workstation using the new media UID as an index.
5. A method according to claim 2 further comprising the steps of:

(a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user's PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) reading the media UID off an initialized unit of media and searching the personal keying device for a media key/access vector pair for the initialized unit of media for the requesting user using the user's PIN as an index, and (iv) if no pair is found generating a request for a key assignment;
(b) the key management crypto logic in the workstations further (i) forming the first packet including the requesting user's PIN and user's UID, the media UID for the initialized unit of media, and the request for key assignment, (ii) encrypting the first packet with the enclave key, and (iii) sending the packet to the security server over the network;
(c) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server to obtain the requesting user's PIN and user UID, and the media UID and the request;
(d) providing storage search logic in the security server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user's PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization set forth in the first packet if the requesting user's PIN is not valid, (iv) reading the user attribute data base using the user's PIN as an index and extracting the security attributes of the requesting user, and (v) passing the security attributes to security policy logic in the server;
(e) the security policy logic receiving the security attributes and computing a new access vector which defines limits on the access the user may have to the initialized unit of media, the new access vector computed using a set of rules and/or with the intervention of a system administrator;
(f) the storage search logic also (i) finding an enciphered key packet in a crypto key data base held in the security server which has been previously stored and which contains the media key for the initialized unit of media, (ii) when a packet is found extracting the media key from it, and (iii) forming a new media key/access vector pair with the extracted media key and the new access vector, and a new key packet including the new media key/access vector pair, the user UID, and the media UID, and placing the new key packet in the crypto key data base for archival purposes;
(g) the crypto key logic also enciphering the new media key/access vector pair with a combined key including the user UID, the user's PIN, and the enclave key, and transmitting the enciphered packet along the network to the crypto media controller; and (h) the crypto media controller using the media UID as an index to store the new media key/access vector pair in the personal keying device from which the user's PIN was entered whereby the personal keying device contains a media key which can only be used by someone who has physical possession of that personal keying device, knows the user PIN associated with the media key, and has physical possession of the unit of media controlled by a crypto media controller containing the enclave key, the access of the user further being restricted by the access vector paired with the media key.
6. A method according to claim 2, further comprising the steps of:
(a) the crypto media controller also (i) receiving a user PIN from a personal keying device from a user seeking access to an initialized unit of media under control of the crypto media controller;
(b) providing storage search logic in the crypto media controller for (i) reading the initialized unit of media and extracting the media UID, (ii) searching the storage in the personal keying device and extracting the enciphered media key/access vector pair for the media UID and passing it to a key management crypto in the crypto media controller;
(c) the key management crypto (i) fetching the user UID from the personal keying device and deciphering it using the enclave key, (ii) combining the user UID, the user PIN, and the enclave key to form a combined key to decrypt the media key/access vector pair, and passing the extracted media key to a data crypto and the access vector to the access control logic;
(d) the data crypto deciphering data on a unit of media using the media key and passing it to the access control logic, the data deciphered in response to a read or write request for the data by the Workstation;
(e) the access control logic controlling whether the desired mode of access is permitted based on the access vector and the device attributes contained within the crypto media controller, and aborting the attempted access to the data if the access is not permitted and otherwise permitting the access whereby data is transferred to a Workstation for processing; and (f) providing logic in the crypto media controller for causing a complete reset of the crypto media controller and requiring the keying process to be started from the beginning in the event that the personal keying device is uncoupled or the unit of media is removed from the Workstation.
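The key handling of claims 2 through 6, modelled end to end as an added example (this is not the patent's code, and the patent names no cipher): a stand-in authenticated cipher built from HMAC-SHA256, a combined key derived by HMAC from the enclave key, user UID and PIN, a constructed access-vector rule set, and a personal keying device modelled as a dict. It shows the server's key assignment (claim 5), the controller's access check against access vector and device attributes (claims 3 and 6), and why a wrong PIN or a read-only workstation cannot release the data.

```python
import hashlib
import hmac
import secrets

READ, WRITE = 1, 2  # access vector bits: a constructed encoding, the page gives none

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (HMAC keystream + tag); the patent names no cipher."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered packet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def combined_key(enclave_key: bytes, user_uid: bytes, pin: str) -> bytes:
    """Enclave key + user UID + PIN (claim 2); the HMAC derivation is an assumption."""
    return hmac.new(enclave_key, user_uid + pin.encode(), hashlib.sha256).digest()

def compute_access_vector(user_attrs: dict, media_attrs: dict) -> int:
    """Security policy logic; constructed rules: read if cleared, write only at level."""
    av = READ if user_attrs["clearance"] >= media_attrs["sensitivity"] else 0
    if user_attrs["clearance"] == media_attrs["sensitivity"]:
        av |= WRITE
    return av

class SecurityServer:
    def __init__(self, enclave_key: bytes):
        self.enclave_key = enclave_key
        self.users = {}  # user attribute data base: user UID -> PIN and clearance
        self.media = {}  # media attribute data base: media UID -> sensitivity, media key

    def enroll_user(self, pin: str, clearance: int):
        uid = secrets.token_bytes(8)
        self.users[uid] = {"pin": pin, "clearance": clearance}
        return uid, {"enciphered_user_uid": seal(self.enclave_key, uid), "packets": {}}  # PKD

    def initialize_media(self, sensitivity: int) -> bytes:
        media_uid = secrets.token_bytes(8)  # media UID written onto the unit (claim 4)
        self.media[media_uid] = {"sensitivity": sensitivity, "key": secrets.token_bytes(32)}
        return media_uid

    def key_assignment(self, first_packet: bytes) -> bytes:
        """Claim 5 (c)-(g): check the PIN, compute the access vector, encipher the pair."""
        body = unseal(self.enclave_key, first_packet)
        user_uid, media_uid, pin = body[:8], body[8:16], body[16:].decode()
        user = self.users[user_uid]
        if not hmac.compare_digest(user["pin"].encode(), pin.encode()):
            raise PermissionError("PIN does not match the user attribute data base")
        av = compute_access_vector(user, self.media[media_uid])
        return seal(combined_key(self.enclave_key, user_uid, pin),
                    self.media[media_uid]["key"] + bytes([av]))

class CryptoMediaController:
    def __init__(self, enclave_key: bytes, device_attrs: int):
        self.enclave_key = enclave_key  # every workstation holds a copy (claim 2)
        self.device_attrs = device_attrs  # modes this workstation may ever use (claim 3)

    def request_key(self, server, pkd: dict, pin: str, media_uid: bytes) -> None:
        """Claim 5 (a), (b), (h): first packet to the server, reply stored in the PKD."""
        user_uid = unseal(self.enclave_key, pkd["enciphered_user_uid"])
        first_packet = seal(self.enclave_key, user_uid + media_uid + pin.encode())
        pkd["packets"][media_uid] = server.key_assignment(first_packet)

    def access(self, pkd: dict, pin: str, media_uid: bytes, mode: int, ciphertext: bytes):
        """Claim 6: recover the pair, gate the mode, decipher the data with the media key."""
        user_uid = unseal(self.enclave_key, pkd["enciphered_user_uid"])
        pair = unseal(combined_key(self.enclave_key, user_uid, pin), pkd["packets"][media_uid])
        media_key, access_vector = pair[:32], pair[32]
        if (mode & access_vector & self.device_attrs) != mode:
            raise PermissionError("mode not permitted by access vector/device attributes")
        return unseal(media_key, ciphertext)

def demo() -> dict:
    """Constructed scenario: user cleared to level 2, one media unit at sensitivity 2."""
    server = SecurityServer(enclave_key=secrets.token_bytes(32))
    _, pkd = server.enroll_user(pin="1234", clearance=2)
    media_uid = server.initialize_media(sensitivity=2)
    ciphertext = seal(server.media[media_uid]["key"], b"enclave payload")  # data on the media
    full_ws = CryptoMediaController(server.enclave_key, READ | WRITE)
    readonly_ws = CryptoMediaController(server.enclave_key, READ)
    full_ws.request_key(server, pkd, "1234", media_uid)
    out = {"read": full_ws.access(pkd, "1234", media_uid, READ, ciphertext)}
    for name, (ws, pin, mode) in {"wrong_pin": (full_ws, "9999", READ),
                                  "readonly_ws_write": (readonly_ws, "1234", WRITE)}.items():
        try:
            ws.access(pkd, pin, media_uid, mode, ciphertext)
            out[name] = "allowed"
        except (ValueError, PermissionError) as exc:
            out[name] = type(exc).__name__  # denied, and why
    return out
```

A wrong PIN never reaches the policy check: it yields a different combined key, so the stored packet fails its integrity check and no media key is released.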
7. A trusted path system for communication between a Workstation and a secure computer over an untrusted communication medium, comprising:
a logic and control unit in the Workstation and in the secure computer;
an end-to-end authentication token exchange protocol used to assure the logic and control unit in the Workstation is communicating with an authentic logic and control unit in the secure computer, and vice versa;
the token exchange protocol operating by chaining transactions together so that a forged transaction entered into the interaction between Workstation and secure computer is detected the very next time a legitimate transaction is received by a logic and control unit;
a cryptographic checksum protocol used to assure transactions between the logic and control units have not been tampered with, the checksum protocol authenticating single transactions between the Workstation and the secure computer rather than sequences of transactions; and an identification and authentication protocol invoked when a user wishes to interact with the secure computer for some period of time, using the keyboard and display of the Workstation and the untrusted communications medium, the period of interaction being a session, and the act of initiating a session called logon, and that of terminating one is called logout.
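The two protocols of claim 7 side by side, as an added example (not the patent's protocol; the claim does not give a construction): the chaining token is modelled as a SHA-256 hash over the previous token and the transaction, the per-transaction checksum as an HMAC under a session key, and the initial token as a shared value agreed at logon. The constructed exchange inserts one forged transaction between two legitimate ones and records the secure computer's decisions, with and without the checksum protocol.

```python
import hashlib
import hmac
import secrets

def chain_token(prev_token: bytes, transaction: bytes) -> bytes:
    """Chaining token: binds a transaction to the token of the one before it. The
    construction is an assumption; the claim only says transactions are chained."""
    return hashlib.sha256(prev_token + transaction).digest()

def checksum(session_key: bytes, transaction: bytes) -> bytes:
    """Cryptographic checksum over one transaction only; keyed, so it cannot be
    produced without the session key. Again a stand-in construction."""
    return hmac.new(session_key, transaction, hashlib.sha256).digest()

class LogicAndControlUnit:
    """One end of the trusted path (workstation or secure computer). Both ends keep
    the same chain state, advanced on every send and on every accepted receive."""

    def __init__(self, session_key: bytes, initial_token: bytes, use_checksum: bool):
        self.session_key = session_key
        self.last_token = initial_token  # assumed agreed at logon, never sent
        self.use_checksum = use_checksum
        self.log = []

    def send(self, transaction: bytes) -> tuple:
        token = chain_token(self.last_token, transaction)
        self.last_token = token
        return transaction, token, checksum(self.session_key, transaction)

    def receive(self, message: tuple) -> bool:
        transaction, token, mac = message
        if self.use_checksum and not hmac.compare_digest(
                mac, checksum(self.session_key, transaction)):
            self.log.append(("rejected: checksum", transaction))
            return False
        if not hmac.compare_digest(token, chain_token(self.last_token, transaction)):
            # chain broken: a transaction was inserted, dropped or reordered before this one
            self.log.append(("rejected: chain", transaction))
            return False
        self.last_token = token
        self.log.append(("accepted", transaction))
        return True

def demo(use_checksum: bool) -> list:
    """Constructed exchange: a forged transaction chained onto a token observed on the
    untrusted medium (no session key involved) sits between two legitimate ones.
    Returns the secure computer's accept/reject decision for each of the three."""
    session_key, seed = secrets.token_bytes(32), secrets.token_bytes(32)
    workstation = LogicAndControlUnit(session_key, seed, use_checksum)
    secure_computer = LogicAndControlUnit(session_key, seed, use_checksum)
    decisions = []
    first = workstation.send(b"logon")
    decisions.append(secure_computer.receive(first))
    _, observed_token, _ = first  # the token travels in the clear
    forged = b"transaction inserted by a third party"
    forged_message = (forged, chain_token(observed_token, forged), bytes(32))
    decisions.append(secure_computer.receive(forged_message))
    decisions.append(secure_computer.receive(workstation.send(b"next legitimate")))
    return decisions
```

Without the checksum the chain alone accepts the inserted transaction and, as the claim states, detects it on the very next legitimate one; with the checksum the forgery is rejected at once and the chain stays in step.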
CA002118246A 1992-04-17 1993-04-15 Data enclave and trusted path system Abandoned CA2118246A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US07/870,556 US5276735A (en) 1992-04-17 1992-04-17 Data enclave and trusted path system
US07/870,556 1992-04-17

Publications (1)

Publication Number Publication Date
CA2118246A1 true CA2118246A1 (en) 1993-10-28

Family

ID=25355638

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002118246A Abandoned CA2118246A1 (en) 1992-04-17 1993-04-15 Data enclave and trusted path system

Country Status (9)

Country Link
US (3) US5276735A (en)
EP (2) EP0737907A3 (en)
JP (1) JPH07505970A (en)
AT (1) ATE154150T1 (en)
AU (2) AU667925B2 (en)
CA (1) CA2118246A1 (en)
DE (1) DE69311331T2 (en)
DK (1) DK0636259T3 (en)
WO (1) WO1993021581A2 (en)

Families Citing this family (641)

US7111173B1 (en) 1998-09-01 2006-09-19 Tecsec, Inc. Encryption process including a biometric unit
US6678826B1 (en) * 1998-09-09 2004-01-13 Communications Devices, Inc. Management system for distributed out-of-band security databases
KR100484209B1 (en) * 1998-09-24 2005-09-30 삼성전자주식회사 Digital Content Encryption / Decryption Device and Method
US6684330B1 (en) 1998-10-16 2004-01-27 Tecsec, Inc. Cryptographic information and flow control
US7068787B1 (en) 1998-10-23 2006-06-27 Contentguard Holdings, Inc. System and method for protection of digital works
US7418504B2 (en) 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US6826616B2 (en) 1998-10-30 2004-11-30 Science Applications International Corp. Method for establishing secure communication link between computers of virtual private network
US10511573B2 (en) 1998-10-30 2019-12-17 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
EP1125419B1 (en) 1998-10-30 2009-08-26 VirnetX Inc. An agile network protocol for secure communications with assured system availability
US6502135B1 (en) 1998-10-30 2002-12-31 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US6820202B1 (en) * 1998-11-09 2004-11-16 First Data Corporation Account authority digital signature (AADS) system
US7047416B2 (en) * 1998-11-09 2006-05-16 First Data Corporation Account-based digital signature (ABDS) system
JP2000181803A (en) * 1998-12-18 2000-06-30 Fujitsu Ltd Electronic data keeping device with key management function and method therefor
US6510513B1 (en) * 1999-01-13 2003-01-21 Microsoft Corporation Security services and policy enforcement for electronic data
US6651087B1 (en) 1999-01-28 2003-11-18 Bellsouth Intellectual Property Corporation Method and system for publishing an electronic file attached to an electronic mail message
IL128814A (en) * 1999-03-03 2004-09-27 Packet Technologies Ltd Local network security
JP3776619B2 (en) * 1999-03-05 2006-05-17 株式会社東芝 Encryption communication terminal, encryption communication center apparatus, encryption communication system, and storage medium
US7095851B1 (en) 1999-03-11 2006-08-22 Tecsec, Inc. Voice and data encryption method using a cryptographic key split combiner
US7225333B2 (en) * 1999-03-27 2007-05-29 Microsoft Corporation Secure processor architecture for use with a digital rights management (DRM) system on a computing device
US7286665B1 (en) 1999-04-06 2007-10-23 Contentguard Holdings, Inc. System and method for transferring the right to decode messages
US7356688B1 (en) 1999-04-06 2008-04-08 Contentguard Holdings, Inc. System and method for document distribution
US6937726B1 (en) 1999-04-06 2005-08-30 Contentguard Holdings, Inc. System and method for protecting data files by periodically refreshing a decryption key
US6859533B1 (en) 1999-04-06 2005-02-22 Contentguard Holdings, Inc. System and method for transferring the right to decode messages in a symmetric encoding scheme
US6351811B1 (en) 1999-04-22 2002-02-26 Adapt Network Security, L.L.C. Systems and methods for preventing transmission of compromised data in a computer network
FR2793903A1 (en) * 1999-05-21 2000-11-24 Telediffusion Fse Protection of data that is to be transmitted over a network, e.g. the Internet, has a stage where data is encoded using a physical key associated with the computer and a stage where an electronic signature is attached to it
WO2000079457A1 (en) * 1999-06-17 2000-12-28 Internet Revenue Network, Inc. System and method for authentication over a public network
US7243236B1 (en) * 1999-07-29 2007-07-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure and insecure computing environments
JP3858527B2 (en) * 1999-08-10 2006-12-13 富士ゼロックス株式会社 Data generation apparatus, data verification apparatus and method
IL131847A0 (en) * 1999-09-09 2001-03-19 First Access Ltd Access validation system
US7391865B2 (en) 1999-09-20 2008-06-24 Security First Corporation Secure data parser method and system
AU7705200A (en) 1999-09-20 2001-04-24 Ethentica, Inc. Context sensitive dynamic authentication in a cryptographic system
US7260724B1 (en) 1999-09-20 2007-08-21 Security First Corporation Context sensitive dynamic authentication in a cryptographic system
US6853988B1 (en) 1999-09-20 2005-02-08 Security First Corporation Cryptographic server with provisions for interoperability between cryptographic systems
US6654890B1 (en) * 1999-10-01 2003-11-25 Intel Corporation Protection of laptop computers from theft in the stream of commerce
US6885748B1 (en) 1999-10-23 2005-04-26 Contentguard Holdings, Inc. System and method for protection of digital works
WO2001035388A1 (en) * 1999-11-05 2001-05-17 Sony Corporation Data decoding device and method, charging information processing device and method, data reproducing device and method, electronic money, electronic right of use, and terminal
CA2392037A1 (en) * 1999-11-22 2001-05-31 Ascom Hasler Mailing Systems, Inc. Generation and management of customer pin's
FI111567B (en) * 1999-12-27 2003-08-15 Nokia Corp A method for downloading a program module
US6904417B2 (en) * 2000-01-06 2005-06-07 Jefferson Data Strategies, Llc Policy notice method and system
JP2001219440A (en) * 2000-02-09 2001-08-14 Sony Disc Technology Inc Multi-cavity molding apparatus and its molding method
WO2001077789A1 (en) * 2000-04-06 2001-10-18 Thomas Wespel Method and device for changeably defining access rights to computer files
US6760841B1 (en) * 2000-05-01 2004-07-06 Xtec, Incorporated Methods and apparatus for securely conducting and authenticating transactions over unsecured communication channels
AU2001263028A1 (en) * 2000-05-09 2001-11-20 Northeastern University Stream-cipher method and apparatus
US20080005275A1 (en) * 2000-06-02 2008-01-03 Econnectix, Llc Method and apparatus for managing location information in a network separate from the data to which the location information pertains
US20040073617A1 (en) * 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
WO2002003603A1 (en) * 2000-06-30 2002-01-10 E L & Associates, Inc. Method and apparatus for encrypted electronic file access control
AU2001273267A1 (en) * 2000-07-07 2002-01-21 Bbnt Solutions Llc Systems and methods for implementing a quantum-cryptographic communications network
CN1193321C (en) * 2000-07-11 2005-03-16 卡巴闭锁系统公开股份有限公司 Method for initialisation of mobile data supports
US7047202B2 (en) * 2000-07-13 2006-05-16 Amit Jaipuria Method and apparatus for optimizing networking potential using a secured system for an online community
DE60135347D1 (en) * 2000-07-14 2008-09-25 Irdeto Access Bv ARCHITECTURE FOR SECURE PACKAGE-BASED DATA DISTRIBUTION
US7010691B2 (en) * 2000-08-04 2006-03-07 First Data Corporation ABDS system utilizing security information in authenticating entity access
US7558965B2 (en) * 2000-08-04 2009-07-07 First Data Corporation Entity authentication in electronic communications by providing verification status of device
US6983368B2 (en) * 2000-08-04 2006-01-03 First Data Corporation Linking public key of device to information during manufacture
CA2417916A1 (en) * 2000-08-04 2002-02-14 Lynn Henry Wheeler Method and apparatus for access authentication entity
US7096354B2 (en) * 2000-08-04 2006-08-22 First Data Corporation Central key authority database in an ABDS system
US7552333B2 (en) * 2000-08-04 2009-06-23 First Data Corporation Trusted authentication digital signature (tads) system
US6978369B2 (en) * 2000-08-04 2005-12-20 First Data Corporation Person-centric account-based digital signature system
US6789189B2 (en) * 2000-08-04 2004-09-07 First Data Corporation Managing account database in ABDS system
US7082533B2 (en) * 2000-08-04 2006-07-25 First Data Corporation Gauging risk in electronic communications regarding accounts in ABDS system
US7743259B2 (en) 2000-08-28 2010-06-22 Contentguard Holdings, Inc. System and method for digital rights management using a standard rendering engine
US6931545B1 (en) * 2000-08-28 2005-08-16 Contentguard Holdings, Inc. Systems and methods for integrity certification and verification of content consumption environments
US20030196109A1 (en) * 2000-08-28 2003-10-16 Contentguard Holdings, Inc. Method and apparatus for content transaction aggregation
US7073199B1 (en) 2000-08-28 2006-07-04 Contentguard Holdings, Inc. Document distribution management method and apparatus using a standard rendering engine and a method and apparatus for controlling a standard rendering engine
DE60124946T2 (en) * 2000-09-02 2007-05-31 Emageon, Inc., Birmingham METHOD AND COMMUNICATION MODULE FOR TRANSFERRING DICOM OBJECTS THROUGH DATA ELEMENT SOURCES
KR20030036788A (en) * 2000-09-14 2003-05-09 프로빅스, 인크. System for protecting objects distributed over a network
WO2002023797A1 (en) * 2000-09-14 2002-03-21 Probix, Inc. System for establishing an audit trail to protect objects distributed over a network
GB2368151A (en) * 2000-10-19 2002-04-24 One Zone Networks Determining access privilege to electronic data
US7324647B1 (en) 2000-10-23 2008-01-29 Bbn Technologies Corp. Quantum cryptographic key distribution networks with untrusted switches
DE10054224C2 (en) * 2000-11-01 2003-04-30 Komsa Kommunikation Sachsen Ag Method for data transmission and / or for the comparison of any data from a wide variety of database systems
US6334575B1 (en) * 2000-11-01 2002-01-01 Singular Technology Corp. Safety transaction method
US7343324B2 (en) * 2000-11-03 2008-03-11 Contentguard Holdings Inc. Method, system, and computer readable medium for automatically publishing content
US20020091643A1 (en) * 2001-01-11 2002-07-11 Ryuichi Okamoto Digital data distribution system
US7260636B2 (en) * 2000-12-22 2007-08-21 Emc Corporation Method and apparatus for preventing unauthorized access by a network device
US6912294B2 (en) 2000-12-29 2005-06-28 Contentguard Holdings, Inc. Multi-stage watermarking process and system
CA2330166A1 (en) * 2000-12-29 2002-06-29 Nortel Networks Limited Data encryption using stateless confusion generators
US7028009B2 (en) * 2001-01-17 2006-04-11 Contentguard Holdings, Inc. Method and apparatus for distributing enforceable property rights
CN101369299B (en) 2001-01-17 2010-06-09 康坦夹德控股股份有限公司 Method and apparatus for managing digital content usage rights
US20030220880A1 (en) * 2002-01-17 2003-11-27 Contentguard Holdings, Inc. Networked services licensing system and method
US7774279B2 (en) * 2001-05-31 2010-08-10 Contentguard Holdings, Inc. Rights offering and granting
US6754642B2 (en) 2001-05-31 2004-06-22 Contentguard Holdings, Inc. Method and apparatus for dynamically assigning usage rights to digital works
US7206765B2 (en) * 2001-01-17 2007-04-17 Contentguard Holdings, Inc. System and method for supplying and managing usage rights based on rules
US8069116B2 (en) * 2001-01-17 2011-11-29 Contentguard Holdings, Inc. System and method for supplying and managing usage rights associated with an item repository
US20070106903A1 (en) * 2001-01-30 2007-05-10 Scheidt Edward M Multiple Factor-Based User Identification and Authentication
GB0103736D0 (en) * 2001-02-15 2001-04-04 Hewlett Packard Co Transmission controls on data communication such as E-mail
US20020114453A1 (en) * 2001-02-21 2002-08-22 Bartholet Thomas G. System and method for secure cryptographic data transport and storage
US20020129285A1 (en) * 2001-03-08 2002-09-12 Masateru Kuwata Biometric authenticated VLAN
US20020133717A1 (en) * 2001-03-13 2002-09-19 Ciongoli Bernard M. Physical switched network security
US8271678B2 (en) * 2001-04-03 2012-09-18 Arbor Networks, Inc. Independent detection and filtering of undesirable packets
DE10117133B4 (en) * 2001-04-05 2005-07-07 T-Mobile Deutschland Gmbh Method and device for path control of IP connections in a subscriber-based communication network
US20020161454A1 (en) * 2001-04-26 2002-10-31 Masaki Mukai Information processing system, information processing apparatus, information terminal, and method for control thereof
US20020162021A1 (en) * 2001-04-30 2002-10-31 Audebert Yves Louis Gabriel Method and system for establishing a remote connection to a personal security device
US7363486B2 (en) * 2001-04-30 2008-04-22 Activcard Method and system for authentication through a communications pipe
US7225465B2 (en) * 2001-04-30 2007-05-29 Matsushita Electric Industrial Co., Ltd. Method and system for remote management of personal security devices
US7316030B2 (en) 2001-04-30 2008-01-01 Activcard Ireland, Limited Method and system for authenticating a personal security device vis-à-vis at least one remote computer system
US8028083B2 (en) * 2001-04-30 2011-09-27 Activcard Ireland, Limited Method and system for remote activation and management of personal security devices
US20030043852A1 (en) * 2001-05-18 2003-03-06 Bijan Tadayon Method and apparatus for verifying data integrity based on data compression parameters
US20020174347A1 (en) * 2001-05-18 2002-11-21 Imprivata, Inc. Authentication with variable biometric templates
US8275716B2 (en) * 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Method and system for subscription digital rights management
US7222104B2 (en) * 2001-05-31 2007-05-22 Contentguard Holdings, Inc. Method and apparatus for transferring usage rights and digital work having transferrable usage rights
US8099364B2 (en) * 2001-05-31 2012-01-17 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US6895503B2 (en) * 2001-05-31 2005-05-17 Contentguard Holdings, Inc. Method and apparatus for hierarchical assignment of rights to documents and documents having such rights
US6976009B2 (en) 2001-05-31 2005-12-13 Contentguard Holdings, Inc. Method and apparatus for assigning consequential rights to documents and documents having such rights
US8275709B2 (en) * 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US6876984B2 (en) * 2001-05-31 2005-04-05 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
US20030009424A1 (en) * 2001-05-31 2003-01-09 Contentguard Holdings, Inc. Method for managing access and use of resources by verifying conditions and conditions for use therewith
US6973445B2 (en) * 2001-05-31 2005-12-06 Contentguard Holdings, Inc. Demarcated digital content and method for creating and processing demarcated digital works
US8001053B2 (en) * 2001-05-31 2011-08-16 Contentguard Holdings, Inc. System and method for rights offering and granting using shared state variables
US7152046B2 (en) * 2001-05-31 2006-12-19 Contentguard Holdings, Inc. Method and apparatus for tracking status of resource in a system for managing use of the resources
US7725401B2 (en) * 2001-05-31 2010-05-25 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
AU2002345577A1 (en) 2001-06-07 2002-12-23 Contentguard Holdings, Inc. Protected content distribution system
CN1539115A (en) * 2001-06-07 2004-10-20 康坦夹德控股股份有限公司 Method and apparatus for managing transfer of rights
US7774280B2 (en) * 2001-06-07 2010-08-10 Contentguard Holdings, Inc. System and method for managing transfer of rights using shared state variables
WO2002101490A2 (en) * 2001-06-07 2002-12-19 Contentguard Holdings, Inc. Cryptographic trust zones in digital rights management
US8209753B2 (en) * 2001-06-15 2012-06-26 Activcard, Inc. Universal secure messaging for remote security tokens
US20040218762A1 (en) 2003-04-29 2004-11-04 Eric Le Saint Universal secure messaging for cryptographic modules
US7127618B2 (en) * 2001-06-28 2006-10-24 Koninklijke Philips Electronics N.V. Data protection via reversible data damage
US7181015B2 (en) 2001-07-31 2007-02-20 Mcafee, Inc. Method and apparatus for cryptographic key establishment using an identity based symmetric keying technique
US7002942B2 (en) * 2001-08-02 2006-02-21 Motorola, Inc. Method and apparatus for communicating information by splitting information among a plurality of proximal units
US7162036B2 (en) * 2001-08-06 2007-01-09 Igt Digital identification of unique game characteristics
US20040128508A1 (en) * 2001-08-06 2004-07-01 Wheeler Lynn Henry Method and apparatus for access authentication entity
US6685567B2 (en) * 2001-08-08 2004-02-03 Igt Process verification
US20030051172A1 (en) * 2001-09-13 2003-03-13 Lordemann David A. Method and system for protecting digital objects distributed over a network
KR100461984B1 (en) * 2001-10-06 2004-12-17 주식회사 테라스테크놀로지 Method for detecting Email virus and inducing clients to cure the detected virus
GB2370732B (en) * 2001-10-17 2003-12-10 Ericsson Telefon Ab L M Security in communications networks
US7162631B2 (en) * 2001-11-02 2007-01-09 Activcard Method and system for scripting commands and data for use by a personal security device
US7243853B1 (en) 2001-12-04 2007-07-17 Visa U.S.A. Inc. Method and system for facilitating memory and application management on a secured token
US7921450B1 (en) 2001-12-12 2011-04-05 Klimenty Vainstein Security system using indirect key generation from access rules and methods therefor
US7562232B2 (en) * 2001-12-12 2009-07-14 Patrick Zuili System and method for providing manageability to security information for secured items
US7631184B2 (en) 2002-05-14 2009-12-08 Nicholas Ryan System and method for imposing security on copies of secured items
USRE41546E1 (en) 2001-12-12 2010-08-17 Klimenty Vainstein Method and system for managing security tiers
US7478418B2 (en) 2001-12-12 2009-01-13 Guardian Data Storage, Llc Guaranteed delivery of changes to security policies in a distributed system
US10360545B2 (en) 2001-12-12 2019-07-23 Guardian Data Storage, Llc Method and apparatus for accessing secured electronic data off-line
US8006280B1 (en) 2001-12-12 2011-08-23 Hildebrand Hal S Security system for generating keys from access rules in a decentralized manner and methods therefor
US7921288B1 (en) 2001-12-12 2011-04-05 Hildebrand Hal S System and method for providing different levels of key security for controlling access to secured items
US7565683B1 (en) 2001-12-12 2009-07-21 Weiqing Huang Method and system for implementing changes to security policies in a distributed security system
US7930756B1 (en) 2001-12-12 2011-04-19 Crocker Steven Toye Multi-level cryptographic transformations for securing digital assets
US7681034B1 (en) 2001-12-12 2010-03-16 Chang-Ping Lee Method and apparatus for securing electronic data
US10033700B2 (en) * 2001-12-12 2018-07-24 Intellectual Ventures I Llc Dynamic evaluation of access rights
US7783765B2 (en) 2001-12-12 2010-08-24 Hildebrand Hal S System and method for providing distributed access control to secured documents
US7260555B2 (en) * 2001-12-12 2007-08-21 Guardian Data Storage, Llc Method and architecture for providing pervasive security to digital assets
US8065713B1 (en) 2001-12-12 2011-11-22 Klimenty Vainstein System and method for providing multi-location access management to secured items
US7178033B1 (en) 2001-12-12 2007-02-13 Pss Systems, Inc. Method and apparatus for securing digital assets
US7921284B1 (en) 2001-12-12 2011-04-05 Gary Mark Kinghorn Method and system for protecting electronic data in enterprise environment
US7380120B1 (en) 2001-12-12 2008-05-27 Guardian Data Storage, Llc Secured data format for access control
US7950066B1 (en) 2001-12-21 2011-05-24 Guardian Data Storage, Llc Method and system for restricting use of a clipboard application
AU2003219695A1 (en) * 2002-01-30 2003-09-02 Tecsec, Inc. Access system utilizing multiple factor identification and authentication
US8176334B2 (en) 2002-09-30 2012-05-08 Guardian Data Storage, Llc Document security system that permits external users to gain access to secured files
US20030167399A1 (en) * 2002-03-01 2003-09-04 Yves Audebert Method and system for performing post issuance configuration and data changes to a personal security device using a communications pipe
US7748045B2 (en) * 2004-03-30 2010-06-29 Michael Frederick Kenrich Method and system for providing cryptographic document retention with off-line access
US8613102B2 (en) * 2004-03-30 2013-12-17 Intellectual Ventures I Llc Method and system for providing document retention using cryptography
JP2004030882A (en) * 2002-04-30 2004-01-29 Toshiba Corp Rendering device, copy control method, and program
US20030212911A1 (en) * 2002-05-13 2003-11-13 International Business Machines Corporation Secure control of access to data stored on a storage device of a computer system
US20030226040A1 (en) * 2002-06-03 2003-12-04 International Business Machines Corporation Controlling access to data stored on a storage device of a trusted computing platform system
US7085933B2 (en) * 2002-06-11 2006-08-01 Lenovo (Singapore) Pte, Ltd. Computer system apparatus and method for improved assurance of authentication
AU2003245574A1 (en) * 2002-06-21 2004-01-06 Probix, Inc. Method and system for protecting digital objects distributed over a network using an electronic mail interface
US7457416B1 (en) 2002-07-17 2008-11-25 Bbn Technologies Corp. Key distribution center for quantum cryptographic key distribution networks
US7353532B2 (en) * 2002-08-30 2008-04-01 International Business Machines Corporation Secure system and method for enforcement of privacy policy and protection of confidentiality
US7401352B2 (en) * 2002-08-30 2008-07-15 International Business Machines Corporation Secure system and method for enforcement of privacy policy and protection of confidentiality
US7512810B1 (en) * 2002-09-11 2009-03-31 Guardian Data Storage Llc Method and system for protecting encrypted files transmitted over a network
US20040139021A1 (en) 2002-10-07 2004-07-15 Visa International Service Association Method and system for facilitating data access and management on a secure token
US7627126B1 (en) 2002-10-15 2009-12-01 Bbn Technologies Corp. Systems and methods for implementing path length control for quantum cryptographic systems
US20060222180A1 (en) * 2002-10-15 2006-10-05 Elliott Brig B Chip-scale transmitter for quantum cryptography
US7836310B1 (en) 2002-11-01 2010-11-16 Yevgeniy Gutnik Security system that uses indirect password-based encryption
US7577838B1 (en) 2002-12-20 2009-08-18 Alain Rossmann Hybrid systems for securing digital assets
US7236597B2 (en) * 2002-12-20 2007-06-26 Bbn Technologies Corp. Key transport in quantum cryptographic networks
US7890990B1 (en) 2002-12-20 2011-02-15 Klimenty Vainstein Security system with staging capabilities
US7460670B1 (en) 2002-12-20 2008-12-02 Bbn Technologies Corp. Systems and methods for managing quantum cryptographic networks
US20040143733A1 (en) * 2003-01-16 2004-07-22 Cloverleaf Communication Co. Secure network data storage mediator
US20060053079A1 (en) * 2003-02-03 2006-03-09 Brad Edmonson User-defined electronic stores for marketing digital rights licenses
US20050004873A1 (en) * 2003-02-03 2005-01-06 Robin Pou Distribution and rights management of digital content
US20060053080A1 (en) * 2003-02-03 2006-03-09 Brad Edmonson Centralized management of digital rights licensing
US20050102515A1 (en) * 2003-02-03 2005-05-12 Dave Jaworski Controlling read and write operations for digital media
US20060167807A1 (en) * 2003-02-25 2006-07-27 Ali Aydar Dispute resolution in an open copyright database
US20060167804A1 (en) * 2003-02-25 2006-07-27 Ali Aydar Track listening and playing service for digital media files
US8117130B2 (en) * 2003-02-25 2012-02-14 Stragent, Llc Batch loading and self-registration of digital media files
US20060167813A1 (en) * 2003-02-25 2006-07-27 Ali Aydar Managing digital media rights through missing masters lists
CN101167059A (en) * 2003-02-25 2008-04-23 斯诺卡普股份有限公司 Content regulation
US20060167882A1 (en) * 2003-02-25 2006-07-27 Ali Aydar Digital rights management system architecture
US7370212B2 (en) 2003-02-25 2008-05-06 Microsoft Corporation Issuing a publisher use license off-line in a digital rights management (DRM) system
KR20040082822A (en) * 2003-03-20 2004-09-30 엘지전자 주식회사 User Authentication Method for Remote Control and Remote Control Apparatus
US7512242B2 (en) * 2003-03-21 2009-03-31 Bbn Technologies Corp. Systems and methods for quantum cryptographic key transport
US7706535B1 (en) 2003-03-21 2010-04-27 Bbn Technologies Corp. Systems and methods for implementing routing protocols and algorithms for quantum cryptographic key transport
US7430295B1 (en) 2003-03-21 2008-09-30 Bbn Technologies Corp. Simple untrusted network for quantum cryptography
JP2004302931A (en) * 2003-03-31 2004-10-28 Fujitsu Ltd Secret content management method
US20040221174A1 (en) * 2003-04-29 2004-11-04 Eric Le Saint Uniform modular framework for a host computer system
US8707034B1 (en) 2003-05-30 2014-04-22 Intellectual Ventures I Llc Method and system for using remote headers to secure electronic files
US20040249761A1 (en) * 2003-06-03 2004-12-09 Bea Systems, Inc. Self-service customer license management application providing transaction history
US7730543B1 (en) 2003-06-30 2010-06-01 Satyajit Nath Method and system for enabling users of a group shared across multiple file security systems to access secured files
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US20070113272A2 (en) 2003-07-01 2007-05-17 Securityprofiling, Inc. Real-time vulnerability monitoring
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
JP2005149466A (en) * 2003-08-01 2005-06-09 Yoshinobu Inada Sales management system of utilization right with respect to utilization object, sales server, terminal device and sales management method
US7555558B1 (en) 2003-08-15 2009-06-30 Michael Frederick Kenrich Method and system for fault-tolerant transfer of files across a network
FI120021B (en) * 2003-08-27 2009-05-29 Nokia Corp Obtaining authority information
US7389273B2 (en) * 2003-09-25 2008-06-17 Scott Andrew Irwin System and method for federated rights management
US8127366B2 (en) 2003-09-30 2012-02-28 Guardian Data Storage, Llc Method and apparatus for transitioning between states of security policies used to secure electronic documents
US7703140B2 (en) * 2003-09-30 2010-04-20 Guardian Data Storage, Llc Method and system for securing digital assets using process-driven security policies
GB0324364D0 (en) * 2003-10-17 2003-11-19 Nokia Corp Authentication of messages in a communication system
US20050086531A1 (en) * 2003-10-20 2005-04-21 Pss Systems, Inc. Method and system for proxy approval of security changes for a file security system
US10013535B2 (en) * 2003-11-21 2018-07-03 Ciena Corporation Software configuration of module dependent on history
US7831519B2 (en) * 2003-12-17 2010-11-09 First Data Corporation Methods and systems for electromagnetic initiation of secure transactions
US20050138371A1 (en) * 2003-12-19 2005-06-23 Pss Systems, Inc. Method and system for distribution of notifications in file security systems
US8010456B2 (en) * 2003-12-22 2011-08-30 International Business Machines Corporation Policy based application provisioning in a collaborative computing environment
US7907935B2 (en) 2003-12-22 2011-03-15 Activcard Ireland, Limited Intelligent remote device
US20050138380A1 (en) 2003-12-22 2005-06-23 Fedronic Dominique L.J. Entry control system
US7702909B2 (en) * 2003-12-22 2010-04-20 Klimenty Vainstein Method and system for validating timestamps
JP4350549B2 (en) * 2004-02-25 2009-10-21 富士通株式会社 Information processing device for digital rights management
US7515716B1 (en) 2004-02-26 2009-04-07 Bbn Technologies Corp. Systems and methods for reserving cryptographic key material
JP4649850B2 (en) * 2004-03-04 2011-03-16 ソニー株式会社 Content playback device, content recording device, network system, and content recording / playback method
US7697693B1 (en) 2004-03-09 2010-04-13 Bbn Technologies Corp. Quantum cryptography with multi-party randomness
JP3982520B2 (en) * 2004-06-02 2007-09-26 コニカミノルタビジネステクノロジーズ株式会社 Access management system and method, image forming apparatus, and computer program
US8271390B2 (en) * 2004-06-14 2012-09-18 Nokia Corporation Digital rights management (DRM) license manager
US20060005009A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method, system and program product for verifying an attribute of a computing device
US7707427B1 (en) * 2004-07-19 2010-04-27 Michael Frederick Kenrich Multi-level file digests
KR100698175B1 (en) * 2004-09-02 2007-03-22 엘지전자 주식회사 Method for protecting copy of multimedia data between terminals
US8312431B1 (en) * 2004-09-17 2012-11-13 Oracle America, Inc. System and computer readable medium for verifying access to signed ELF objects
US7802096B1 (en) * 2004-10-19 2010-09-21 Cisco Technology, Inc. Fallback key retrieval
US7814317B1 (en) * 2004-10-19 2010-10-12 Cisco Technology, Inc. Multiple password documents
CN101375284B (en) 2004-10-25 2012-02-22 安全第一公司 Secure data parser method and system
US20060153364A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Asymmetric key cryptosystem based on shared knowledge
US20060153367A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature system based on shared knowledge
US20060153369A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Providing cryptographic key based on user input data
US7693277B2 (en) * 2005-01-07 2010-04-06 First Data Corporation Generating digital signatures using ephemeral cryptographic key
US20060153370A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Generating public-private key pair based on user input data
US20060156013A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature software using ephemeral private key and system
US7490239B2 (en) * 2005-01-07 2009-02-10 First Data Corporation Facilitating digital signature based on ephemeral private key
US7869593B2 (en) * 2005-01-07 2011-01-11 First Data Corporation Software for providing based on shared knowledge public keys having same private key
US7936869B2 (en) * 2005-01-07 2011-05-03 First Data Corporation Verifying digital signature based on shared knowledge
US7593527B2 (en) * 2005-01-07 2009-09-22 First Data Corporation Providing digital signature and public key based on shared knowledge
US8725646B2 (en) 2005-04-15 2014-05-13 Microsoft Corporation Output protection levels
US8175277B2 (en) * 2005-04-28 2012-05-08 Cisco Technology, Inc. Intercepting a communication session in a telecommunication network
US20060265758A1 (en) 2005-05-20 2006-11-23 Microsoft Corporation Extensible media rights
US20060271493A1 (en) * 2005-05-24 2006-11-30 Contentguard Holdings, Inc. Method and apparatus for executing code in accordance with usage rights
CA2550560C (en) * 2005-06-17 2015-07-21 Kabushiki Kaisha Toshiba Information provision system, provision information copying device, user terminal device and user management device
US7707417B2 (en) * 2005-06-23 2010-04-27 Masami Yoshioka Secure transmission of data between clients over communications network
US7438078B2 (en) * 2005-08-05 2008-10-21 Peter Woodruff Sleeping bag and system
AU2006283504B2 (en) * 2005-08-24 2011-08-25 E. I. Du Pont De Nemours And Company Compositions providing tolerance to multiple herbicides and methods of use thereof
KR100763193B1 (en) * 2005-10-13 2007-10-04 삼성전자주식회사 System and Method for providing DRM license
WO2008054406A2 (en) 2005-11-18 2008-05-08 Orsini Rick L Secure data parser method and system
US8214640B2 (en) * 2005-12-05 2012-07-03 Alcatel Lucent Method of embedding information in implementation defined SIP header fields
US20070130455A1 (en) * 2005-12-06 2007-06-07 Elliott Brig B Series encryption in a quantum cryptographic system
US20070133798A1 (en) * 2005-12-14 2007-06-14 Elliott Brig B Quantum cryptography on a multi-drop optical network
US8082443B2 (en) * 2006-01-09 2011-12-20 Bbnt Solutions Llc. Pedigrees for quantum cryptography
US20070233568A1 (en) * 2006-03-10 2007-10-04 Provident Intellectual Property, Llc Microtransactions Using Points Over Electronic Networks
WO2007106844A2 (en) 2006-03-14 2007-09-20 Divx, Inc. Federated digital rights management scheme including trusted systems
US7950021B2 (en) 2006-03-29 2011-05-24 Imprivata, Inc. Methods and systems for providing responses to software commands
US7968823B2 (en) * 2006-06-07 2011-06-28 Engineered Glass Products, Llc Wireless inductive coupling assembly for a heated glass panel
US20070288387A1 (en) * 2006-06-07 2007-12-13 Joon Young Park Method and apparatus for effecting the return of a rights management object
US8151116B2 (en) * 2006-06-09 2012-04-03 Brigham Young University Multi-channel user authentication apparatus system and method
US20080005325A1 (en) * 2006-06-28 2008-01-03 Microsoft Corporation User communication restrictions
US7712143B2 (en) * 2006-09-27 2010-05-04 Blue Ridge Networks, Inc. Trusted enclave for a computer system
US7809955B2 (en) * 2006-10-17 2010-10-05 Blue Ridge Networks, Inc. Trustable communities for a computer system
CN103188081A (en) 2006-11-07 2013-07-03 安全第一公司 Systems and methods for distributing and securing data
CA2670597A1 (en) 2006-12-05 2008-06-12 Don Martin Improved tape backup method using a secure data parser
US7933835B2 (en) 2007-01-17 2011-04-26 The Western Union Company Secure money transfer systems and methods using biometric keys associated therewith
US8818904B2 (en) * 2007-01-17 2014-08-26 The Western Union Company Generation systems and methods for transaction identifiers having biometric keys associated therewith
US8504473B2 (en) 2007-03-28 2013-08-06 The Western Union Company Money transfer system and messaging system
US20080263672A1 (en) * 2007-04-18 2008-10-23 Hewlett-Packard Development Company L.P. Protecting sensitive data intended for a remote application
JP2009027525A (en) * 2007-07-20 2009-02-05 Nec Corp Optical transmission system and optical transmission method
CN102932136B (en) 2007-09-14 2017-05-17 安全第一公司 Systems and methods for managing cryptographic keys
US20090125564A1 (en) * 2007-11-13 2009-05-14 Walsh Robert E Method of controlling user access to multiple systems
US8997161B2 (en) * 2008-01-02 2015-03-31 Sonic Ip, Inc. Application enhancement tracks
EP2416541A1 (en) 2008-02-22 2012-02-08 Security First Corporation Systems and methods for secure workgroup management and communication
JP4572947B2 (en) * 2008-03-31 2010-11-04 ブラザー工業株式会社 Image generating apparatus and printing apparatus
US8458743B2 (en) * 2008-09-24 2013-06-04 Nec Europe Ltd. Method and a system for distributing TV content over a network
KR101635876B1 (en) 2009-01-07 2016-07-04 쏘닉 아이피, 아이엔씨. Singular, collective and automated creation of a media guide for online content
US8521821B2 (en) * 2009-03-17 2013-08-27 Brigham Young University Encrypted email based upon trusted overlays
AU2010249631B2 (en) 2009-05-19 2016-02-18 Security First Corp. Systems and methods for securing data in the cloud
US9742560B2 (en) 2009-06-11 2017-08-22 Microsoft Technology Licensing, Llc Key management in secure network enclaves
US8352741B2 (en) 2009-06-11 2013-01-08 Microsoft Corporation Discovery of secure network enclaves
US8271784B2 (en) 2009-10-15 2012-09-18 International Business Machines Corporation Communication between key manager and storage subsystem kernel via management console
WO2011060306A2 (en) 2009-11-12 2011-05-19 Salesforce.Com, Inc. Enterprise level business information networking for changes in a database
WO2011068738A2 (en) 2009-11-25 2011-06-09 Orsini Rick L Systems and methods for securing data in motion
CA2782825C (en) 2009-12-04 2016-04-26 Divx, Llc Elementary bitstream cryptographic material transport systems and methods
US9485218B2 (en) * 2010-03-23 2016-11-01 Adventium Enterprises, Llc Device for preventing, detecting and responding to security threats
AU2011235075B2 (en) 2010-03-31 2015-10-01 Security First Corp. Systems and methods for securing data in motion
US8601498B2 (en) 2010-05-28 2013-12-03 Security First Corp. Accelerator system for use with secure data storage
US8549585B2 (en) * 2010-06-14 2013-10-01 International Business Machines Corporation Method and apparatus to implement secured, layered logout from a computer system
US8344887B2 (en) * 2010-07-09 2013-01-01 Central Technology, Inc. System, control station, and method for controlling circulation of media materials
KR101731292B1 (en) * 2010-07-20 2017-05-02 삼성전자주식회사 Method and apparatus for managing consumption right of multimedia service
US8972746B2 (en) * 2010-12-17 2015-03-03 Intel Corporation Technique for supporting multiple secure enclaves
US8914534B2 (en) 2011-01-05 2014-12-16 Sonic Ip, Inc. Systems and methods for adaptive bitrate streaming of media stored in matroska container files using hypertext transfer protocol
US9467708B2 (en) 2011-08-30 2016-10-11 Sonic Ip, Inc. Selection of resolutions for seamless resolution switching of multimedia content
US8909922B2 (en) 2011-09-01 2014-12-09 Sonic Ip, Inc. Systems and methods for playing back alternative streams of protected content protected using common cryptographic information
US8964977B2 (en) 2011-09-01 2015-02-24 Sonic Ip, Inc. Systems and methods for saving encoded media streamed using adaptive bitrate streaming
US9589070B2 (en) 2011-10-10 2017-03-07 Salesforce.Com, Inc. Method and system for updating a filter logic expression representing a boolean filter
EP2850552B1 (en) * 2012-05-16 2019-05-08 Okta, Inc. Systems and methods for providing and managing distributed enclaves
RU2504835C1 (en) * 2012-06-06 2014-01-20 Открытое акционерное общество "Концерн "Системпром" System for protecting information containing state secrets from unauthorised access
US9313510B2 (en) 2012-12-31 2016-04-12 Sonic Ip, Inc. Use of objective quality measures of streamed content to reduce streaming bandwidth
US9191457B2 (en) 2012-12-31 2015-11-17 Sonic Ip, Inc. Systems, methods, and media for controlling delivery of content
EP2956887A1 (en) 2013-02-13 2015-12-23 Security First Corp. Systems and methods for a cryptographic file system layer
US20140279124A1 (en) * 2013-03-15 2014-09-18 Daniel M. Rotar System and method for providing access to user generated content
US9906785B2 (en) 2013-03-15 2018-02-27 Sonic Ip, Inc. Systems, methods, and media for transcoding video data according to encoding parameters indicated by received metadata
US10397292B2 (en) 2013-03-15 2019-08-27 Divx, Llc Systems, methods, and media for delivery of content
US9094737B2 (en) 2013-05-30 2015-07-28 Sonic Ip, Inc. Network video streaming with trick play based on separate trick play files
US9247317B2 (en) 2013-05-30 2016-01-26 Sonic Ip, Inc. Content streaming with client device trick play index
US9967305B2 (en) 2013-06-28 2018-05-08 Divx, Llc Systems, methods, and media for streaming media content
US9866878B2 (en) 2014-04-05 2018-01-09 Sonic Ip, Inc. Systems and methods for encoding and playing back video at different frame rates using enhancement layers
US10289867B2 (en) 2014-07-27 2019-05-14 OneTrust, LLC Data processing systems for webform crawling to map processing activities and related methods
US9729583B1 (en) 2016-06-10 2017-08-08 OneTrust, LLC Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance
US10019597B2 (en) 2016-06-10 2018-07-10 OneTrust, LLC Data processing systems and communications systems and methods for integrating privacy compliance systems with software development and agile tools for privacy design
US10181051B2 (en) 2016-06-10 2019-01-15 OneTrust, LLC Data processing systems for generating and populating a data inventory for processing data access requests
WO2016081942A2 (en) 2014-11-21 2016-05-26 Security First Corp. Gateway for cloud-based secure storage
JP5836528B1 (en) * 2015-05-29 2015-12-24 三菱日立パワーシステムズ株式会社 Communication connection device and communication system
US10706447B2 (en) 2016-04-01 2020-07-07 OneTrust, LLC Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments
US9892444B2 (en) 2016-04-01 2018-02-13 OneTrust, LLC Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments
US10176503B2 (en) 2016-04-01 2019-01-08 OneTrust, LLC Data processing systems and methods for efficiently assessing the risk of privacy campaigns
US11004125B2 (en) 2016-04-01 2021-05-11 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US9892441B2 (en) 2016-04-01 2018-02-13 OneTrust, LLC Data processing systems and methods for operationalizing privacy compliance and assessing the risk of various respective privacy campaigns
US11244367B2 (en) 2016-04-01 2022-02-08 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US9892442B2 (en) 2016-04-01 2018-02-13 OneTrust, LLC Data processing systems and methods for efficiently assessing the risk of privacy campaigns
US10026110B2 (en) 2016-04-01 2018-07-17 OneTrust, LLC Data processing systems and methods for generating personal data inventories for organizations and other entities
US10176502B2 (en) 2016-04-01 2019-01-08 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US9898769B2 (en) 2016-04-01 2018-02-20 OneTrust, LLC Data processing systems and methods for operationalizing privacy compliance via integrated mobile applications
US20220164840A1 (en) 2016-04-01 2022-05-26 OneTrust, LLC Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design
US9892443B2 (en) 2016-04-01 2018-02-13 OneTrust, LLC Data processing systems for modifying privacy campaign data via electronic messaging systems
US10423996B2 (en) 2016-04-01 2019-09-24 OneTrust, LLC Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments
US10796260B2 (en) 2016-06-10 2020-10-06 OneTrust, LLC Privacy management systems and methods
US11481710B2 (en) 2016-06-10 2022-10-25 OneTrust, LLC Privacy management systems and methods
US10909265B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Application privacy scanning systems and related methods
US11354434B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US11586700B2 (en) 2016-06-10 2023-02-21 OneTrust, LLC Data processing systems and methods for automatically blocking the use of tracking tools
US11727141B2 (en) 2016-06-10 2023-08-15 OneTrust, LLC Data processing systems and methods for synching privacy-related user consent across multiple computing devices
US11023842B2 (en) 2016-06-10 2021-06-01 OneTrust, LLC Data processing systems and methods for bundled privacy policies
US10496846B1 (en) 2016-06-10 2019-12-03 OneTrust, LLC Data processing and communications systems and methods for the efficient implementation of privacy by design
US11057356B2 (en) 2016-06-10 2021-07-06 OneTrust, LLC Automated data processing systems and methods for automatically processing data subject access requests using a chatbot
US11074367B2 (en) 2016-06-10 2021-07-27 OneTrust, LLC Data processing systems for identity validation for consumer rights requests and related methods
US11222139B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems and methods for automatic discovery and assessment of mobile software development kits
US10642870B2 (en) 2016-06-10 2020-05-05 OneTrust, LLC Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
US10572686B2 (en) 2016-06-10 2020-02-25 OneTrust, LLC Consent receipt management systems and related methods
US10606916B2 (en) 2016-06-10 2020-03-31 OneTrust, LLC Data processing user interface monitoring systems and related methods
US10944725B2 (en) 2016-06-10 2021-03-09 OneTrust, LLC Data processing systems and methods for using a data model to select a target data asset in a data migration
US11366909B2 (en) 2016-06-10 2022-06-21 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11354435B2 (en) 2016-06-10 2022-06-07 OneTrust, LLC Data processing systems for data testing to confirm data deletion and related methods
US10284604B2 (en) 2016-06-10 2019-05-07 OneTrust, LLC Data processing and scanning systems for generating and populating a data inventory
US10776514B2 (en) 2016-06-10 2020-09-15 OneTrust, LLC Data processing systems for the identification and deletion of personal data in computer systems
US10762236B2 (en) 2016-06-10 2020-09-01 OneTrust, LLC Data processing user interface monitoring systems and related methods
US10346638B2 (en) 2016-06-10 2019-07-09 OneTrust, LLC Data processing systems for identifying and modifying processes that are subject to data subject access requests
US10467432B2 (en) 2016-06-10 2019-11-05 OneTrust, LLC Data processing systems for use in automatically generating, populating, and submitting data subject access requests
US10592648B2 (en) 2016-06-10 2020-03-17 OneTrust, LLC Consent receipt management systems and related methods
US10706174B2 (en) 2016-06-10 2020-07-07 OneTrust, LLC Data processing systems for prioritizing data subject access requests for fulfillment and related methods
US10848523B2 (en) 2016-06-10 2020-11-24 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11403377B2 (en) 2016-06-10 2022-08-02 OneTrust, LLC Privacy management systems and methods
US11562097B2 (en) 2016-06-10 2023-01-24 OneTrust, LLC Data processing systems for central consent repository and related methods
US10997318B2 (en) 2016-06-10 2021-05-04 OneTrust, LLC Data processing systems for generating and populating a data inventory for processing data access requests
US11416589B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US10235534B2 (en) 2016-06-10 2019-03-19 OneTrust, LLC Data processing systems for prioritizing data subject access requests for fulfillment and related methods
US11341447B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Privacy management systems and methods
US11328092B2 (en) 2016-06-10 2022-05-10 OneTrust, LLC Data processing systems for processing and managing data subject access in a distributed environment
US11151233B2 (en) 2016-06-10 2021-10-19 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US10440062B2 (en) 2016-06-10 2019-10-08 OneTrust, LLC Consent receipt management systems and related methods
US10510031B2 (en) 2016-06-10 2019-12-17 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US10416966B2 (en) 2016-06-10 2019-09-17 OneTrust, LLC Data processing systems for identity validation of data subject access requests and related methods
US10878127B2 (en) 2016-06-10 2020-12-29 OneTrust, LLC Data subject access request processing systems and related methods
US11418492B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing systems and methods for using a data model to select a target data asset in a data migration
US11038925B2 (en) 2016-06-10 2021-06-15 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11144622B2 (en) 2016-06-10 2021-10-12 OneTrust, LLC Privacy management systems and methods
US10181019B2 (en) 2016-06-10 2019-01-15 OneTrust, LLC Data processing systems and communications systems and methods for integrating privacy compliance systems with software development and agile tools for privacy design
US11461500B2 (en) 2016-06-10 2022-10-04 OneTrust, LLC Data processing systems for cookie compliance testing with website scanning and related methods
US10565397B1 (en) 2016-06-10 2020-02-18 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US10803200B2 (en) 2016-06-10 2020-10-13 OneTrust, LLC Data processing systems for processing and managing data subject access in a distributed environment
US10452866B2 (en) 2016-06-10 2019-10-22 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US10289870B2 (en) 2016-06-10 2019-05-14 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US10896394B2 (en) 2016-06-10 2021-01-19 OneTrust, LLC Privacy management systems and methods
US10708305B2 (en) 2016-06-10 2020-07-07 OneTrust, LLC Automated data processing systems and methods for automatically processing requests for privacy-related information
US11520928B2 (en) 2016-06-10 2022-12-06 OneTrust, LLC Data processing systems for generating personal data receipts and related methods
US10430740B2 (en) 2016-06-10 2019-10-01 OneTrust, LLC Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods
US10032172B2 (en) 2016-06-10 2018-07-24 OneTrust, LLC Data processing systems for measuring privacy maturity within an organization
US11336697B2 (en) 2016-06-10 2022-05-17 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11636171B2 (en) 2016-06-10 2023-04-25 OneTrust, LLC Data processing user interface monitoring systems and related methods
US10169609B1 (en) 2016-06-10 2019-01-01 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11138242B2 (en) 2016-06-10 2021-10-05 OneTrust, LLC Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
US10509920B2 (en) 2016-06-10 2019-12-17 OneTrust, LLC Data processing systems for processing data subject access requests
US10592692B2 (en) 2016-06-10 2020-03-17 OneTrust, LLC Data processing systems for central consent repository and related methods
US10586075B2 (en) 2016-06-10 2020-03-10 OneTrust, LLC Data processing systems for orphaned data identification and deletion and related methods
US11228620B2 (en) 2016-06-10 2022-01-18 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10607028B2 (en) 2016-06-10 2020-03-31 OneTrust, LLC Data processing systems for data testing to confirm data deletion and related methods
US10839102B2 (en) 2016-06-10 2020-11-17 OneTrust, LLC Data processing systems for identifying and modifying processes that are subject to data subject access requests
US10614247B2 (en) 2016-06-10 2020-04-07 OneTrust, LLC Data processing systems for automated classification of personal information from documents and related methods
US10706176B2 (en) 2016-06-10 2020-07-07 OneTrust, LLC Data-processing consent refresh, re-prompt, and recapture systems and related methods
US10678945B2 (en) 2016-06-10 2020-06-09 OneTrust, LLC Consent receipt management systems and related methods
US11200341B2 (en) 2016-06-10 2021-12-14 OneTrust, LLC Consent receipt management systems and related methods
US11157600B2 (en) 2016-06-10 2021-10-26 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US10275614B2 (en) 2016-06-10 2019-04-30 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11227247B2 (en) 2016-06-10 2022-01-18 OneTrust, LLC Data processing systems and methods for bundled privacy policies
US10685140B2 (en) 2016-06-10 2020-06-16 OneTrust, LLC Consent receipt management systems and related methods
US11651106B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11277448B2 (en) 2016-06-10 2022-03-15 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US11366786B2 (en) 2016-06-10 2022-06-21 OneTrust, LLC Data processing systems for processing data subject access requests
US11188862B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Privacy management systems and methods
US11651104B2 (en) 2016-06-10 2023-05-16 OneTrust, LLC Consent receipt management systems and related methods
US10713387B2 (en) 2016-06-10 2020-07-14 OneTrust, LLC Consent conversion optimization systems and related methods
US11146566B2 (en) 2016-06-10 2021-10-12 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11025675B2 (en) 2016-06-10 2021-06-01 OneTrust, LLC Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance
US10949565B2 (en) 2016-06-10 2021-03-16 OneTrust, LLC Data processing systems for generating and populating a data inventory
US10776517B2 (en) 2016-06-10 2020-09-15 OneTrust, LLC Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods
US10353673B2 (en) 2016-06-10 2019-07-16 OneTrust, LLC Data processing systems for integration of consumer feedback with data subject access requests and related methods
US10565161B2 (en) 2016-06-10 2020-02-18 OneTrust, LLC Data processing systems for processing data subject access requests
US11295316B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems for identity validation for consumer rights requests and related methods
US11416798B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing systems and methods for providing training in a vendor procurement process
US11343284B2 (en) 2016-06-10 2022-05-24 OneTrust, LLC Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance
US11438386B2 (en) 2016-06-10 2022-09-06 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10949170B2 (en) 2016-06-10 2021-03-16 OneTrust, LLC Data processing systems for integration of consumer feedback with data subject access requests and related methods
US10353674B2 (en) 2016-06-10 2019-07-16 OneTrust, LLC Data processing and communications systems and methods for the efficient implementation of privacy by design
US11188615B2 (en) 2016-06-10 2021-11-30 OneTrust, LLC Data processing consent capture systems and related methods
US10102533B2 (en) 2016-06-10 2018-10-16 OneTrust, LLC Data processing and communications systems and methods for the efficient implementation of privacy by design
US11416109B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Automated data processing systems and methods for automatically processing data subject access requests using a chatbot
US10282559B2 (en) 2016-06-10 2019-05-07 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US11301796B2 (en) 2016-06-10 2022-04-12 OneTrust, LLC Data processing systems and methods for customizing privacy training
US10242228B2 (en) 2016-06-10 2019-03-26 OneTrust, LLC Data processing systems for measuring privacy maturity within an organization
US10318761B2 (en) 2016-06-10 2019-06-11 OneTrust, LLC Data processing systems and methods for auditing data request compliance
US10509894B2 (en) 2016-06-10 2019-12-17 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11134086B2 (en) 2016-06-10 2021-09-28 OneTrust, LLC Consent conversion optimization systems and related methods
US10853501B2 (en) 2016-06-10 2020-12-01 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US10726158B2 (en) 2016-06-10 2020-07-28 OneTrust, LLC Consent receipt management and automated process blocking systems and related methods
US10783256B2 (en) 2016-06-10 2020-09-22 OneTrust, LLC Data processing systems for data transfer risk identification and related methods
US10706379B2 (en) 2016-06-10 2020-07-07 OneTrust, LLC Data processing systems for automatic preparation for remediation and related methods
US11544667B2 (en) 2016-06-10 2023-01-03 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11087260B2 (en) 2016-06-10 2021-08-10 OneTrust, LLC Data processing systems and methods for customizing privacy training
US10565236B1 (en) 2016-06-10 2020-02-18 OneTrust, LLC Data processing systems for generating and populating a data inventory
US10997315B2 (en) 2016-06-10 2021-05-04 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11392720B2 (en) 2016-06-10 2022-07-19 OneTrust, LLC Data processing systems for verification of consent and notice processing and related methods
US10452864B2 (en) 2016-06-10 2019-10-22 OneTrust, LLC Data processing systems for webform crawling to map processing activities and related methods
US10282692B2 (en) 2016-06-10 2019-05-07 OneTrust, LLC Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques
US11294939B2 (en) 2016-06-10 2022-04-05 OneTrust, LLC Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software
US11625502B2 (en) 2016-06-10 2023-04-11 OneTrust, LLC Data processing systems for identifying and modifying processes that are subject to data subject access requests
US11222309B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems for generating and populating a data inventory
US10909488B2 (en) 2016-06-10 2021-02-02 OneTrust, LLC Data processing systems for assessing readiness for responding to privacy-related incidents
US10585968B2 (en) 2016-06-10 2020-03-10 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US10204154B2 (en) 2016-06-10 2019-02-12 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11138299B2 (en) 2016-06-10 2021-10-05 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US10740487B2 (en) 2016-06-10 2020-08-11 OneTrust, LLC Data processing systems and methods for populating and maintaining a centralized database of personal data
US10454973B2 (en) 2016-06-10 2019-10-22 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10438017B2 (en) 2016-06-10 2019-10-08 OneTrust, LLC Data processing systems for processing data subject access requests
US10846433B2 (en) 2016-06-10 2020-11-24 OneTrust, LLC Data processing consent management systems and related methods
US10769301B2 (en) 2016-06-10 2020-09-08 OneTrust, LLC Data processing systems for webform crawling to map processing activities and related methods
US10885485B2 (en) 2016-06-10 2021-01-05 OneTrust, LLC Privacy management systems and methods
US10503926B2 (en) 2016-06-10 2019-12-10 OneTrust, LLC Consent receipt management systems and related methods
US10346637B2 (en) 2016-06-10 2019-07-09 OneTrust, LLC Data processing systems for the identification and deletion of personal data in computer systems
US11100444B2 (en) 2016-06-10 2021-08-24 OneTrust, LLC Data processing systems and methods for providing training in a vendor procurement process
US10706131B2 (en) 2016-06-10 2020-07-07 OneTrust, LLC Data processing systems and methods for efficiently assessing the risk of privacy campaigns
US10282700B2 (en) 2016-06-10 2019-05-07 OneTrust, LLC Data processing systems for generating and populating a data inventory
US11416590B2 (en) 2016-06-10 2022-08-16 OneTrust, LLC Data processing and scanning systems for assessing vendor risk
US11222142B2 (en) 2016-06-10 2022-01-11 OneTrust, LLC Data processing systems for validating authorization for personal data collection, storage, and processing
US11210420B2 (en) 2016-06-10 2021-12-28 OneTrust, LLC Data subject access request processing systems and related methods
US10289866B2 (en) 2016-06-10 2019-05-14 OneTrust, LLC Data processing systems for fulfilling data subject access requests and related methods
US11238390B2 (en) 2016-06-10 2022-02-01 OneTrust, LLC Privacy management systems and methods
US10873606B2 (en) 2016-06-10 2020-12-22 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10776518B2 (en) 2016-06-10 2020-09-15 OneTrust, LLC Consent receipt management systems and related methods
US10437412B2 (en) 2016-06-10 2019-10-08 OneTrust, LLC Consent receipt management systems and related methods
US11675929B2 (en) 2016-06-10 2023-06-13 OneTrust, LLC Data processing consent sharing systems and related methods
US10798133B2 (en) 2016-06-10 2020-10-06 OneTrust, LLC Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods
US10496803B2 (en) 2016-06-10 2019-12-03 OneTrust, LLC Data processing systems and methods for efficiently assessing the risk of privacy campaigns
US11475136B2 (en) 2016-06-10 2022-10-18 OneTrust, LLC Data processing systems for data transfer risk identification and related methods
US10152350B2 (en) * 2016-07-01 2018-12-11 Intel Corporation Secure domain manager
US10341332B2 (en) * 2016-07-26 2019-07-02 International Business Machines Corporation System and method for providing persistent user identification
US10498795B2 (en) 2017-02-17 2019-12-03 Divx, Llc Systems and methods for adaptive switching between multiple content delivery networks during adaptive bitrate streaming
US10691837B1 (en) 2017-06-02 2020-06-23 Apple Inc. Multi-user storage volume encryption via secure enclave
US10013577B1 (en) 2017-06-16 2018-07-03 OneTrust, LLC Data processing systems for identifying whether cookies contain personally identifying information
US10104103B1 (en) 2018-01-19 2018-10-16 OneTrust, LLC Data processing systems for tracking reputational risk via scanning and registry lookup
US10803202B2 (en) 2018-09-07 2020-10-13 OneTrust, LLC Data processing systems for orphaned data identification and deletion and related methods
US11544409B2 (en) 2018-09-07 2023-01-03 OneTrust, LLC Data processing systems and methods for automatically protecting sensitive data within privacy management systems
US11144675B2 (en) 2018-09-07 2021-10-12 OneTrust, LLC Data processing systems and methods for automatically protecting sensitive data within privacy management systems
WO2022011142A1 (en) 2020-07-08 2022-01-13 OneTrust, LLC Systems and methods for targeted data discovery
WO2022016278A1 (en) * 2020-07-21 2022-01-27 Royal Bank Of Canada Facial recognition tokenization
US11444976B2 (en) 2020-07-28 2022-09-13 OneTrust, LLC Systems and methods for automatically blocking the use of tracking tools
WO2022032072A1 (en) 2020-08-06 2022-02-10 OneTrust, LLC Data processing systems and methods for automatically redacting unstructured data from a data subject access request
WO2022060860A1 (en) 2020-09-15 2022-03-24 OneTrust, LLC Data processing systems and methods for detecting tools for the automatic blocking of consent requests
US20230334158A1 (en) 2020-09-21 2023-10-19 OneTrust, LLC Data processing systems and methods for automatically detecting target data transfers and target data processing
WO2022099023A1 (en) 2020-11-06 2022-05-12 OneTrust, LLC Systems and methods for identifying data processing activities based on data discovery results
CN112532380B (en) * 2020-11-12 2023-01-31 北京工业大学 Cloud storage data deterministic deletion method based on SGX technology
US11687528B2 (en) 2021-01-25 2023-06-27 OneTrust, LLC Systems and methods for discovery, classification, and indexing of data in a native computing system
US11442906B2 (en) 2021-02-04 2022-09-13 OneTrust, LLC Managing custom attributes for domain objects defined within microservices
WO2022170254A1 (en) 2021-02-08 2022-08-11 OneTrust, LLC Data processing systems and methods for anonymizing data samples in classification analysis
WO2022173912A1 (en) 2021-02-10 2022-08-18 OneTrust, LLC Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system
US11775348B2 (en) 2021-02-17 2023-10-03 OneTrust, LLC Managing custom workflows for domain objects defined within microservices
WO2022178219A1 (en) 2021-02-18 2022-08-25 OneTrust, LLC Selective redaction of media content
EP4305539A1 (en) 2021-03-08 2024-01-17 OneTrust, LLC Data transfer discovery and analysis systems and related methods
US11562078B2 (en) 2021-04-16 2023-01-24 OneTrust, LLC Assessing and managing computational risk involved with integrating third party computing functionality within a computing system
US11233727B1 (en) 2021-08-27 2022-01-25 King Abdulaziz University System and method for securing SDN based source routing
US11620142B1 (en) 2022-06-03 2023-04-04 OneTrust, LLC Generating and customizing user interfaces for demonstrating functions of interactive user environments

Family Cites Families (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4238854A (en) * 1977-12-05 1980-12-09 International Business Machines Corporation Cryptographic file security for single domain networks
US4227253A (en) * 1977-12-05 1980-10-07 International Business Machines Corporation Cryptographic communication security for multiple domain networks
US4264782A (en) * 1979-06-29 1981-04-28 International Business Machines Corporation Method and apparatus for transaction and identity verification
US4393269A (en) * 1981-01-29 1983-07-12 International Business Machines Corporation Method and apparatus incorporating a one-way sequence for transaction and identity verification
US4578530A (en) * 1981-06-26 1986-03-25 Visa U.S.A., Inc. End-to-end encryption system and method of operation
US4825050A (en) * 1983-09-13 1989-04-25 Transaction Security Corporation Security transaction system for financial data
SE442249B (en) * 1983-11-17 1985-12-09 Ericsson Telefon Ab L M Procedure and device for verification of personal identification number and checking of inserted number series in identification media
US4652698A (en) * 1984-08-13 1987-03-24 Ncr Corporation Method and system for providing system security in a remote terminal environment
US4713753A (en) * 1985-02-21 1987-12-15 Honeywell Inc. Secure data processing system architecture with format control
JPH0762862B2 (en) * 1985-09-17 1995-07-05 カシオ計算機株式会社 Authentication method in IC card system
JPH01175057A (en) * 1987-12-28 1989-07-11 Toshiba Corp Dynamic control method for security
US4918653A (en) * 1988-01-28 1990-04-17 International Business Machines Corporation Trusted path mechanism for an operating system
US4980913A (en) * 1988-04-19 1990-12-25 Vindicator Corporation Security system network
US4888801A (en) * 1988-05-02 1989-12-19 Motorola, Inc. Hierarchical key management system
US5046094A (en) * 1989-02-02 1991-09-03 Kabushiki Kaisha Toshiba Server-aided computation method and distributed information processing unit
US5191611A (en) * 1989-04-03 1993-03-02 Lang Gerald S Method and apparatus for protecting material on storage media and for transferring material on storage media to various recipients
CA1329657C (en) * 1989-04-03 1994-05-17 Gerald S. Lang Method and apparatus for protecting material on storage media
US5065429A (en) * 1989-04-03 1991-11-12 Lang Gerald S Method and apparatus for protecting material on storage media
US5048085A (en) * 1989-10-06 1991-09-10 International Business Machines Corporation Transaction system security method and apparatus
AU640181B2 (en) * 1989-12-26 1993-08-19 Digital Equipment Corporation Method for securing terminal and terminal apparatus for use with the method
US5052040A (en) * 1990-05-25 1991-09-24 Micronyx, Inc. Multiple user stored data cryptographic labeling system and method
GB9017683D0 (en) * 1990-08-13 1990-09-26 Marconi Gec Ltd Data security system
US5148479A (en) * 1991-03-20 1992-09-15 International Business Machines Corp. Authentication protocols in communication networks
US5272754A (en) * 1991-03-28 1993-12-21 Secure Computing Corporation Secure computer interface
FR2685510B1 (en) * 1991-12-19 1997-01-03 Bull Cps Process for authentication, by an external medium, of a portable object connected to this medium via a transmission line, and system for implementation
US5276735A (en) * 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system

Also Published As

Publication number Publication date
US5276735A (en) 1994-01-04
EP0636259B1 (en) 1997-06-04
AU667925B2 (en) 1996-04-18
AU4284793A (en) 1993-11-18
EP0737907A2 (en) 1996-10-16
DK0636259T3 (en) 1997-07-07
ATE154150T1 (en) 1997-06-15
JPH07505970A (en) 1995-06-29
DE69311331D1 (en) 1997-07-10
AU5081196A (en) 1996-07-18
EP0737907A3 (en) 1997-03-26
AU678937B2 (en) 1997-06-12
WO1993021581A2 (en) 1993-10-28
US5499297A (en) 1996-03-12
WO1993021581A3 (en) 1994-01-06
EP0636259A1 (en) 1995-02-01
DE69311331T2 (en) 1997-10-30
US5502766A (en) 1996-03-26

Similar Documents

Publication Publication Date Title
CA2118246A1 (en) Data enclave and trusted path system
US5237614A (en) Integrated network security system
US5991406A (en) System and method for data recovery
US5491752A (en) System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
US6931549B1 (en) Method and apparatus for secure data storage and retrieval
US5272754A (en) Secure computer interface
JP4463979B2 (en) Apparatus and method for storing, verifying and using cryptographically camouflaged cryptographic keys
US6272632B1 (en) System and method for controlling access to a user secret using a key recovery field
US7395436B1 (en) Methods, software programs, and systems for electronic information security
US5802178A (en) Stand alone device for providing security within computer networks
US5692124A (en) Support of limited write downs through trustworthy predictions in multilevel security of computer network communications
AU674560B2 (en) A method for permitting digital secret information to be recovered.
US6173402B1 (en) Technique for localizing keyphrase-based data encryption and decryption
US5832228A (en) System and method for providing multi-level security in computer devices utilized with non-secure networks
US5475758A (en) User authenticating system and method in wide area distributed environment
US5828832A (en) Mixed enclave operation in a computer network with multi-level network security
US20110040965A1 (en) Enterprise security system
EP0888677A1 (en) An authentication system based on periodic challenge/response protocol
EP1716468A1 (en) System and method for preventing identity theft using a secure computing device.
WO1999046691A1 (en) Internet, intranet and other network communication security systems utilizing entrance and exit keys
Johnson et al. A secure distributed capability based system
EP1131911B1 (en) Method and apparatus for secure distribution of authentication credentials to roaming users
Said et al. A multi-factor authentication-based framework for identity management in cloud applications
US7110858B2 (en) Object identification uses prediction of data in distributed network
Siddiqui A three-tiered java application for secure transactions over internet

Legal Events

Date Code Title Description
EEER Examination request
FZDE Discontinued