CA2118297C - Distributed cryptographic object method - Google Patents
Distributed cryptographic object methodInfo
- Publication number
- CA2118297C CA2118297C CA002118297A CA2118297A CA2118297C CA 2118297 C CA2118297 C CA 2118297C CA 002118297 A CA002118297 A CA 002118297A CA 2118297 A CA2118297 A CA 2118297A CA 2118297 C CA2118297 C CA 2118297C
- Authority
- CA
- Canada
- Prior art keywords
- label
- encrypted
- objects
- ookeyman
- system memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000000034 method Methods 0.000 title claims description 31
- 238000002372 labelling Methods 0.000 claims description 11
- 238000013475 authorization Methods 0.000 claims 8
- 238000004590 computer program Methods 0.000 claims 2
- 230000007246 mechanism Effects 0.000 abstract description 5
- 230000008569 process Effects 0.000 description 13
- 238000004891 communication Methods 0.000 description 8
- 230000008520 organization Effects 0.000 description 7
- 230000008859 change Effects 0.000 description 3
- 230000007123 defense Effects 0.000 description 3
- 238000005538 encapsulation Methods 0.000 description 3
- 238000000926 separation method Methods 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000002860 competitive effect Effects 0.000 description 1
- 150000001875 compounds Chemical class 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1408—Protection against unauthorised use of memory or access to memory by using cryptography
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
- G06F12/1491—Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
A system for increasing the security of a computer system, while giving an individual user a large amount of flexibility and power. To give users the most power and flexibility, a standard object that has the capability to embed objects is used. To allow users ever. more flexibility, a standard object tracking mechanism is used that allows users to distribute multiple encrypted embedded objects to other individuals in a single encrypted object. By effecting compartmentalization of every object by label attributes and algorithm attributes, multi-level multimedia security is achieved.
Description
DISTRIBUTED CRYPTOGRAPHIC OBJECT METHOD
Inventor: M. Greg Shanton 1 Field of the Invention 2 The present invention relates generally to a system 3 that can be used to restrict access to computer data. In 4 particular, the system of the present invention restricts access in a flexible way, identifying objects for 6 restriction and nesting restriction requirements through 7 the use of embedded objects.
8 Background of the Invention 9 While the specter of "spies" eagerly trying to obtain the defense information of various countries is very much 11 still present in the defense and intelligence community, an 12 equally massive threat now exists from technological or 13 commercial "spies" who desire to obtain commercial and 14 technical information from competing companies. These agents use sophisticated means similar to those used by the 16 defense and intelligence community in order to obtain 17 commercially valuable information that reveals the plans 18 and commercial activities of competitors thereby allowing 19 the aggressor company to obtain a competitive advantage in the marketplace. Theft of commercially valuable 21 information is a very real and ever present threat.
22 To combat this type of commercial spying, various 23 complex systems have evolved to protect company proprietary 24 information. These systems involve physical controls over personnel as well as over the data flowing in and out of a 26 company. For example, most computer systems used within 27 companies require a password to be entered before the ~113~7 ..
1 system can be accessed. It is frequently the case that 2 confidential or company proprietary information must be 3 passed electronically from one location to another in order 4 to convey that information within the company in a timely fashion. Such electronic communication is easily 6 susceptible to interception if not protected in some other 7 form.
8 Cryptographic systems have evolved to fill the needs 9 of companies and individuals wanting to protect the proprietary commercial information of a company from 11 competitors and those who generally should not have that 12 information.
13 Encryption of data is therefore a critical requirement 14 in denying access to confidential information from those who are not so authorized. Cryptographic "keys" are an 16 essential part of the information encryption process. The 17 cryptographic key, or "key" for short, is a sequence of 18 letters, numbers, or bytes of information which are 19 manipulated by a cryptographic algorithm to transform data from plain (readable) text to a series of unintelligible 21 text or signals known as encrypted or cipher text. The key 22 is then used by the receiver of the cipher text to decrypt 23 the message back to plain text. However, for two people to 24 communicate successfully using keys, each must use the same key, assuming that the same encryption/decryption algorithm 26 is used on both ends of the communication.
27 Various methods have evolved to manage the 28 distribution of keys. Such methods of distribution are 211~c~7 1 collectively referred to as "key management". The function 2 of key management is to perform the process of generating, 3 distributing, changing, replacing, storing, checking on, 4 and destroying cryptographic keys. Under normal operational circumstances, the key manager begins and ends 6 a cryptographic session by controlling access to the 7 algorithm used to encrypt and decrypt plain text objects.
8 Thus, a user who wants to encrypt an object or decrypt an 9 object must first access the key manager so that an encryption algorithm may be chosen.
11 Simple encryption of data being communicated between 12 two points only provides one level of security, however.
13 Encryption limits data communication to those who have the 14 key. Anyone who has the key is privy to any communication at any location. That is, if a group of people are working 16 on a particular project, they will all presumably share a 17 key for decrypting information relating to the project.
18 Some of the project group may be working in one location, 19 while the rest of the group may be located in a distant city. If one member of the group wants to send a 21 communication to a particular member in the other city, the 22 key will afford him no protection because everyone in the 23 project shares the same key. Likewise, if someone wants to 24 communicate a message to a subset of the group, for example, only to management personnel, this key would again 26 provide her with no extra security. In another case, 27 someone may want to send a message that is capable of being 28 read only at a particular computer terminal, or of being 1 printed only at a particular printer. In these and other 2 cases, multilevel multimedia key access, or individual keys 3 issued to each person, would provide a solution, albeit one 4 that is quite unwieldy, inflexible, and difficult to manage by a security officer or key administrator.
6 A secure method of labelling files or messages that 7 are sent from a sending user to a receiving user over a 8 network can provide a level of protection in addition to 9 cryptographic protection. A file "label" for purposes of this invention means a series of letters or numbers, which 11 may or may not be encrypted, separate from but associated 12 with the sending of a message, which identifies the person, 13 location, equipment, and/or organization which is permitted 14 to receive the associated message. Using a secure labelling regimen, a network manager or user can be assured 16 that only those messages meant for a certain person, group 17 of persons, and/or location(s) are in fact received, 18 decrypted, and read by the intended receiver. Thus, a 19 sending user can specify label conditions that limit access to the transmitted message. For example, many people 21 within a company may have the key necessary to read a data 22 file that a sender may transmit from his computer terminal 23 to other terminals at another site within his company. The 24 sender may, however, wish to restrict reception to those persons present at a particular terminal. By employing a 26 secure labelling technique in addition to encryption, the 27 sender can be assured that people having the correct key to 28 decrypt the message but working at different terminals will 2~ i82Q7 ~
not receive or be allowed to access the communication.
Access may be limited to particular people as well.
3 A system that can limit access on an object level 4 'would be more flexible and would offer still more protection. Access could be specified on an object-by-6 object basis, and objects could be embedded within other 7 objects, providing an access hierarchy for users.
8 - The ability to cryptographically secure objects g ensures the authentication and data integrity of the particular object or objects in question. If a device were 11 able to cryptographically control an object(s) or nested 12 object(s), then that device would have total control over 13 the entire object and all other objects within it. This 14 type of control over the knowledge/information flow would allow for clear data separation, and at some levels could 16 become a transparent method. A system that is able to do 17 this would be able to achieve multi-level multimedia 18 security, 19 Summary of the Invention It is therefore an objective of the present invention 21 to provide a system to insure that properly specified kinds 22 of information in a network system flows only to designated 23 locations and to further insure that such information is 24 only read by those individuals who are designated to review that information.
~ ' 2 ~ 7 -1 It is a further objective of the present invention to 2 provide a system that recognizes objects and permits or 3 denies access on the object level.
4 It is an additional objective of the present invention to provide a system in which objects may be embedded within 6 other objects, resulting in an access hierarchy for users 7 of the system.
8 It is another objective of the present invention to 9 provide a system in which access control is transparent to the user.
11 These and other objectives and advantages of the 12 present invention will be apparent to those of ordinary 13 skill in the art upon inspection of the detailed 14 description, drawings, and appended claims.
The definition and concept of objects varies greatly 16 depending on with whom you consult. Everything around you 17 in your daily life is an object. Your car, your car keys, 18 books, people, desks, etc. Objects are entities by 19 themselves, but they may contain other objects, in either single or multiple configurations. Objects can change 21 their make up dynamically by inheritance. Objects can 22 inherit the attributes of other objects and the inheritance 23 features can change dynamically "on the fly" during the 24 operation of the objects.
In the context of the present invention, an object can 26 come in a vast number of forms, shapes or sizes and can be 27 either passive or active, dynamic or static. An object may 28 stay dormant until it is acted upon, or it may be an active ~, 1 participant, dynamically auditing and verifying every 2 transaction that occurs in a system. Examples of what an 3 object can be include a bit of information, a byte of 4 information, Sound Clips, Video Clips, Graphic Images, text, charts, tables, forms, controls, MDIForms, variables, 6 executable files, video files, binary files, text files, 7 data files, container files, graphic files, application 8 file(s), Library files, a directory, a collection of 9 directories, a hard disk, multiple hard disks, any hardware component, any software component, a complete computer 11 system, a single network, multiple networks.
12 Thus, an object is any distinct, separate entity. In 13 a computer or data communication context, entities that may 14 be treated as objects include:
1) Program objects, representing applications such as 16 word processors, spreadsheets, games, etc., as well 17 as utilities and operating systems;
18 2) Folder objects, representing collections of other 19 objects;
3) Data file objects, including information such as 21 text, memos, letters, spreadsheets, video, and 22 sound; and 23 4) Device objects, such as printers, fax modems, 24 plotters, and CD-ROM drives.
In object linking and embedding, an object can be any 26 user-selected group of data, such as a block of text, a set 27 of spreadsheet cells, a chart, sounds, or a graphical 28 image. This data can be embedded in or linked to another 1 document created by a different application. For example, 2 a folder may represent a directory and may contain a group 3 of files, or it may represent a group of programs. Folders 4 can also contain other folders.
In object-oriented programming, a program consists of 6 a set of related but self-contained objects that can 7 contain both code and data.
8 The present invention is able to increase the security 9 of the system, while at the same time giving the individual user a large amount of flexibility and power. To give 11 users the most power and flexibility, a standard object 12 that has the capability to embed objects is used. To allow 13 users even more flexibility, a standard object tracking 14 mechanism is used that allows users to distribute multiple encrypted embedded objects to other individuals in a single 16 encrypted object. By being able to compartment every 17 object by label attributes and algorithm attributes, 18 multi-level multimedia security is achieved. Multi-level 19 security is achieved because encrypted objects may be nested within other objects which are also encrypted, 21 possibly within other objects, resulting in multiple layers 22 of encryption. Multimedia security is achieved because 23 objects are encrypted. Where other encryption systems 24 encrypt only files or other data, the system of the present invention encrypts any object, encompassing all forms of 26 media. Thus, the nesting of individually encrypted objects 27 provides security that is multi-level and multimedia.
28 Brief Description of the Drawings 2 ~ ~
1 FIG. 1 shows a block diagram of the system of the 2 present invention.
3 FIG. 2 shows a block diagram of the system of the 4 present invention when an embedded encrypted object is activated.
6 FIG. 3 shows an object containing ten embedded 7 encrypted objects at five various levels.
8 FIG. 4 shows an encrypted object that contains a web 9 of embedded encrypted objects nested within it.
FIG. 5 shows a sample organizational chart.
11 FIG. 6 shows the present invention used in conjunction 12 with the dynamic structure of a sample organizational 13 chart.
14 FIG. 7 shows a larger, more complicated sample organizational chart.
16 FIG. 8 shows the present invention used in conjunction 17 with the dynamic structure of the larger, more complicated 18 sample organizational chart.
19 Detailed Description of the Invention Definitions 21 OOKeyMan stands for the Object-Oriented Key Manager.
22 OOKeyMan is a Microsoft WindowsTM stand alone application.
23 The Auto Application Interface is an intelligent front 24 end and back end interface between a standard Microsoft Windows 3.1 application and OOKeyMan.
26 An Encrypted Embedded object is an encrypted OOKeyMan 27 object which can contain a single plain text object that 28 has been encapsulated within the encrypted object, or it 21 I g23~
1 can contain an infinite web of encrypted objects matched 2 with plain text objects or other cipher text objects.
3 A container object is an object that contains other 4 objects. These cbjects can be either cipher text or plain text. This is the transport vehicle for a standard object 6 mechanism that embeds objects. A non-container object is 7 an object that does not contain other objects.
8 Multi-Level Multimedia Security is defined as the 9 ability to have simultaneous control over the knowledge/information flow of numerous media formats while 11 allowing for clear data separation. At some levels the 12 multi-level multimedia security becomes transparent.
13 Examples of multi-media objects would include a file that 14 contained two or more of the following: sound objects, video objects, graphic V, text objects, chart objects, 16 table objects, and form objects.
17 Disclosure 18 The present invention, known as the Distributed 19 Cryptographic Object Method ("DCOM"), is able to control which objects are visible to a specific user, which object 21 attributes are inherited by other objects, which objects 22 are available for use, and which level of system 23 implementation can become transparent.
24 The main function of the DCOM is to securely manage and track encrypted objects. The DCOM can securely manage 26 and track a single encrypted object, or it can securely 27 manage and track encrypted objects embedded within other 28 encrypted objects. The capability to securely manage and 21 1~97 1 track encrypted objects within other encrypted objects is 2 only limited by storage space.
3 Referring to FIG. 1, the DCOM system is described.
4 The DCOM has a standard Multi-Level Security object interface 2 that interfaces with the plain text container 6 object's encrypted embedded objectts) 4. It does this 7 through a st~n~rd application 6 that has the capability to 8 embed an object in a container object, such as Microsoft's 9 Object Package for Windows. After the Encrypted object(s) is/are embedded in a standard container object(s) 10 and 11 the container object(s) 10 is/are encrypted, the original 12 encrypted object(s) and the new encrypted container 13 object(s) is/are ready for transport.
14 The new encrypted object(s) can be easily transported/routed over any network that supports binary 16 travel without modification. The original encrypted 17 objects can be deleted because all information from the 18 original encrypted objects is encapsulated in the embedded 19 encrypted object. All of the nested embedded encrypted objects will appear to a user as a single encrypted object 21 until extracted with a standard object embedding/extracting 22 mechanism through the DCOM process. To activate an 23 embedded encrypted object, the user simply selects the 24 encrypted object to initiate the DCOM process, launching the OOKeyMan application, as shown in FIG. 2. The 26 user/encrypted object authentication process is started and 27 if the user/encrypted object is/are approved, the following 1 encrypted object information can be returned and used by 2 the user:
3 A. Plain Text Ob-ect Name 4 B. Plain Text Ob-ect Location C. Plain Text Ob-ect Application 6 D. Plain Text Ob-ect Environment 7 E. Plain Text Ob-ect Date 8 F. Plain Text Ob-ect Time 9 G. Plain Text Ob ect Digital Signature H. Code word Object Tracking Label 11 I. Cluster Object Tracking Label 12 J. Device Object Tracking Label 13 K. Use Object Label 14 L. Algorithm Object Type At this point, the authenticated user is given the 16 option to decrypt the requested embedded encrypted object 17 12. After decryption, a check is done to match the 18 encrypted object's plain text object application to the 19 correct Intelligent Auto Application Interface 14. If the correct Auto Application Interface is not found, a notice 21 is returned and the object is copied to a temporary 22 location 16, otherwise the Auto Application Interface 23 process is started. During this process the encrypted 24 object is matched to the appropriate authenticated application object 18 according to the returned encrypted 26 object information. The correct authenticated application 27 object 18 is then activated with the plain text object 20.
28 Due to the relative dynamic nature of objects, the DCOM is 29 able to accomplish all tasks "on the fly".
The scope of the DCOM directly correlates to the level 31 at which the DCOM was embedded into the system. The scope 32 of the DCOM would cover the implemented embedded system 33 level and all system levels above that, appearing 34 transparent to all levels beneath the implemented embedded 211~7 , 1 system level. For instance, if the DCOM were was embedded 2 at the Open System Interconnection ("OSI") 7 Application 3 layer, then the scope of the DCOM would cover objects on 4 that level and above. In this scenario, the DCOM could run transparent to OSI levels 1 through 6. On the basis of 6 current technology, this implementation would produce the 7 most flexible DCOM. At this level and above, the DCOM is 8 able to provide multi-level multi-media security while 9 staying at the document level. This cross-application compatibility or document-level security is critical to the 11 evolving component based document centered computer system 12 desktop. The DCOM achieves cross-application multi-level 13 multi-media security at the document level through its use 14 of Object-Based Security.
The current implementation of the DCOM at the 16 application layer is called the Object-Oriented Key Manager 17 (OOKeyMan). Currently, OOKeyMan is a Microsoft Windows 3.1 18 stand alone application, but the DCOM can be applied to 19 other environments. OOKeyMan provides Document-Level Security through its use of Object Based Security.
21 Some examples of where the DCOM can be applied to 22 ensure the authentication and data integrity of objects 23 include:
24 IBM's OS/2 2.X and above IBM's System Object Method(SOM) 26 Microsoft's Object Package 27 Microsoft's Object Linking and Embedding 1.0(0LE 1.0) 28 Microsoft's Object Linking and Embedding 2.0(0LE 2.0) 29 Microsoft's Windows NT 3.1 Microsoft's Cairo (Future Operating System) 31 Microsoft's Chicago (Future Operating System) 32 Taligent (joint venture future 33 Operating System of Macintosh and IBM) 211$2~7 ..
1 Macintosh's Compound Document Standard 2 Macintosh Operating System 3 Novell 4 Novell Netware Directory Services(NDS) Unix Object-Oriented Systems 6 Virtual/Alternate Reality Systems 7 Future Object-Oriented Operating Systems 8 By applying the DCOM to the above examples, the 9 security of a system can be moved to a more abstract object level. By securing objects with cryptography, a level of 11 security is achieved much higher than that of common access 12 control mechanisms such as password or pass phrase 13 protection.
14 The steps for embedding an Encrypted Embedded OOKeyMan Object(s) are as follows:
16 1. User Creates a plain text Object by using a 17 standard application;
18 2. User Encrypts Object(s) with OOKeyMan;
19 3. User uses a standard Container Object;
4. Using Standard object to embed Encrypted Embedded 21 OOKeyMan object(s) into Container Object;
22 5. Encrypt Container Object;
23 6. Repeat Steps 1 through 5 until all Objects are 24 encrypted;
7. Multi-Level Multimedia Security achieved at the 26 document level.
27 Examples of The Distributed Cryptographic Object 28 Method 29 The following resources were used in the following examples:
31 Software:
32 MS-DOS 5.0 21~2~7 . .
1 Microsoft Windows 3.1 2 Microsoft Word for Windows 2.0c 3 Standard Microsoft Object Package 4 WordPerfect 5.2 for Windows OOKeyMan l.Ob 6 Auto Application Interface for Word 1.0 7 Auto Application for WordPerfect 5.2 for Windows 8 1.0 9 Hardware:
486 50MHz DX with 16 megabytes of RAM
11 The next two examples demonstrate some of the 12 capabilities of the DCOM through the OOKeyMan 13 implementation. The examples involve two of the most 14 popular standard Microsoft Windows applications on the market today; WordTM for Windows~ and WordPerf~t for 16 Windows~. The examples also use a standard object, 17 Standard Microsoft Object Package, to embed the encrypted 18 files in a standard container object. The interfaces used 19 for these examples were the Auto Application Interface for Word for Windows 1.0 and the Auto Application for 21 WordPerfect 5.2 for Windows 1Ø
22 The first example shows the ability for OOKeyMan to 23 securely manage and track single or multiple embedded 24 encrypted objects within other encrypted objects. This is done with a single application.
26 The second example shows the ability for OOKeyMan to 27 securely manage and track single or multiple embedded 28 encrypted objects within other encrypted objects. The 29 embedded encrypted objects can even be part of encrypted objects from other applications. This example is performed 31 in a cross-application manner between Word for Windows and 32 WordPerfect for Windows.
~1182~7 ..
1 Example 1: Document Level Multi-Level Multimedia 2 Security 3 (using Microsoft Word for Windows and WordPerfect 5.2 4 for Windows) OOKeyMan Process:
6 1. Lock Object 7 A. User creates an object~s) in Word for Windows or 8 WordPerfect for Windows;
9 B. User Initiates OOKeyMan sequence;
C. User Selects object(s) to Encrypt;
11 D. User Selects Labels for object;
12 E. User Selects an algorithm for encryption;
13 F. User Selects Lock Object;
14 G. OOKeyMan Object Manager performs Setup and Internal Checks;
16 H. OOKeyMan Object Manager Calls Key Management 17 System object;
18 I. OOKeyMan Object Manager Calls Cryptographic 19 Algorithm object;
J. OOKeyMan Object Manager waits for Selected 21 Algorithm object to finish and create the 22 encrypted object;
23 K. Encrypted OOKeyMan Object Created;
24 i. Results in Encapsulation of a. Plain Text Object 26 b. Plain Text Object Name 27 c. Plain Text Object Location 28 d. Plain Text Object Application 1 e. Plain Text Object Environment 2 f. Plain Text Object Date 3 g. Plain Text Object Time 4 h. Plain Text Object Digital Signature i. Code word Object Tracking Label 6 j. Cluster Object Tracking Label 7 k. Device Object Tracking Label 8 l. Use Object Label 9 m. Algorithm Object Type ii. Results in New Encrypted Object being 11 created 12 iii. Results in Plain Text Object Being Delete if 13 Requested 14 L. OOKeyMan Object Manager Returns To Word for 15 Windows or WordPerfect for Windows.
16 2. Unlock Object 17 A. User creates an encrypted object(s) using Word 18 for Windows or WordPerfect for Windows;
19 B. User Initiates OOKeyMan sequence;
C. User Selects object(s) to Decrypt;
21 D. User Selects Unlock object;
22 E. OOKeyMan Decrypt Object;
23 F. OOKeyMan Object Manager performs Setup and 24 Internal Checks;
G. OOKeyMan Object Manager Calls Key Management 26 System object;
27 H. OOKeyMan Object Manager Calls Algorithm object;
211~7 .. , 1 I. OOKeyMan Object Manager waits for Selected 2 Algorithm object to finish and create the 3 decrypted object;
4 J. If the User/encrypted Object are authenticated the plain text object is activated along with 6 Word for Windows or WordPerfect for Windows.
7 3. Preview Object 8 A. User creates an encrypted object(s) in Word for 9 Windows or WordPerfect for Windows;
B. User Initiates OOKeyMan sequence;
11 C. User Selects object(s) to Preview;
12 D. User selects Preview Object;
13 E. OOKeyMan Display Header Object;
14 F. OOKeyMan Object Manager performs Setup and Internal Checks;
16 G. OOKeyMan Object Manager Calls Key Management 17 System object;
18 H. OOKeyMan Object Manager waits for Selected 19 Algorithm object to finish and create the Header object.
21 Example 2: Cross-Application Multi-Level Multimedia 22 Security at The Document Level 23 (Between Microsoft Word for Windows and WordPerfect 24 5.2 for Windows) OOKeyMan Process:
26 1. Lock Object 27 A. User creates an object(s)in Word for Windows or 28 WordPerfect for Windows;
1 B. User Initiates OOKeyMan sequence;
2 C. User Selects object(s) to ~ncrypt;
3 D. User Selects Labels for object;
4 E. User Selects an algorithm for encryption;
F. User Selects Lock Object;
6 G. OOKeyMan Object Manager performs Setup and 7 Internal Checks;
8 H. OOKeyMan Object Manager Calls Key Management 9 System object;
I. OOKeyMan Object Manager Calls Cryptographic 11 Algorithm object;
12 J. OOKeyMan Object Manager waits for Selected 13 Algorithm object to finish and create the 14 encrypted object;
K. Encrypted OOKeyMan Object Created;
16 i. Results in Encapsulation of 17 a. Plain Text Object 18 b. Plain Text Object Name 19 c. Plain Text Object Location d. Plain Text Object Application 21 e. Plain Text Object Environment 22 f. Plain Text Object Date 23 g. Plain Text Object Time 24 h. Plain Text Object Digital Signature i. Code word Object Tracking Label 26 j. Cluster Object Tracking Label 27 k. Device Object Tracking Label 28 l. Use Object Label 2 ~ 7 1 m. Algorithm Object Type 2 ii. Results in New Encrypted Object being 3 created 4 iii. Results in Plain Text Object Being Delete if Requested 6 L. OOKeyMan Object Manager Returns To Word for 7 Windows or WordPerfect for Windows.
8 2. Unlock Object 9 A. User creates an encrypted object(s) in Word for Windows or WordPerfect for Windows;
11 B. User Initiates OOKeyMan sequence;
12 C. User Selects object(s) to Decrypt;
13 D. User Selects Unlock object;
14 E. OOKeyMan Decrypt Object;
F. OOKeyMan Object Manager performs Setup and 16 Internal Checks;
17 G. OOKeyMan Object Manager Calls Key Management 18 System object;
19 H. OOKeyMan Object Manager Calls Algorithm object;
I. OOKeyMan Object Manager waits for Selected 21 Algorithm object to finish and create the 22 decrypted object.
23 J. If the User/encrypted Object are authenticated 24 the plain text object is activated along with Word for Windows or WordPerfect for Windows.
26 3. Preview Object 27 A. User creates an encrypted object(s) in Word for 28 Windows or WordPerfect for Windows;
~1182~7 1 B. User Initiates OOKeyMan sequence;
2 C. User Selects object(s) to Preview;
3 D. User selects Preview Object;
4 E. OOKeyMan Display Header Object;
F. OOKeyMan Object Manager Setup and Internal 6 Checks;
7 G. OOKeyMan Object Manager Calls Key Management 8 System object;
9 H. OOKeyMan Object Manager waits for Selected Algorithm object to finish and create the Header 11 object.
12 Example 3: Standard Distributive Cryptographic Object 13 Method Process(DCOMP) OOKeyMan Process:
16 1. Lock Object 17 A. User creates an object(s);
18 B. User Initiates OOKeyMan sequence;
19 C. User Selects object(s) to Encrypt;
D. User Selects Labels for object;
21 E. User Selects an algorithm for encryption;
22 F. User Selects Lock Object;
23 G. OOKeyMan Object Manager performs Setup and 24 Internal Checks;
H. OOKeyMan Object Manager Calls Key Management 26 System object;
27 I. OOKeyMan Object Manager Calls Cryptographic 28 Algorithm object;
2 ~ 7 -1 J. OOKeyMan Object Manager waits for Selected 2 Algorithm object to finish and create the 3 encrypted object;
4 K. Encrypted OOKeyMan Object Created;
i. Results in Encapsulation of 6 a. Plain Text Object 7 b. Plain Text Object Name 8 c. Plain Text Object Location 9 d. Plain Text Object Application e. Plain Text Object Environment 11 f. Plain Text Object Date 12 g. Plain Text Object Time 13 h. Plain Text Object Digital Signature 14 i. Code word Object Tracking Label j. Cluster Object Tracking Label 16 k. Device Object Tracking Label 17 1. Use Object Label 18 m. Algorithm Object Type 19 ii. Results in New Encrypted Object being created 21 iii. Results in Plain Text Object Being Delete if 22 Requested 23 L. OOKeyMan Object Manager Returns To Application 24 Object.
2. Unlock Object 26 A. User creates an encrypted object(s);
27 B. User Initiates OOKeyMan sequence;
28 C. User Selects objectts) to Decrypt;
21 1~237 1 D. User Selects Unlock object;
2 E. OOKeyMan Decrypt Object;
3 F. OOKeyMan Object Manager performs Setup and 4 Internal Checks;
G. OOKeyMan Object Manager Calls Key Management 6 System object;
7 H. OOKeyMan Object Manager Calls Algorithm object 8 I. OOKeyMan Object Manager waits for Selected 9. Algorithm object to finish and create the decrypted object.
11 3. Preview Object 12 A. User creates an encrypted object(s);
13 B. User Initiates OOKeyMan sequence;
14 C. User Selects object(s) to Preview;
D. User selects Preview Object;
16 E. OOKeyMan Display Header Object;
17 F. OOKeyMan Object Manager performs Setup and 18 Internal Checks;
19 G. OOKeyMan Object Manager Calls Key Management System object;
21 H. OOKeyMan Object Manager waits for Selected 22 Algorithm object to finish and create the Header 23 object.
24 The DCOM process can be applied to a vast number of areas in the real world. Whether it be the physical 26 topology of the local area network/wide area network 27 environment or the dynamic structure of an organization, ~1182~
_.
1 the DCOM process will change dynamically to reflect the 2 current state of the object in question.
3 FIG. 3 and FIG. 4 show an encrypted object that 4 contains a web of embedded encrypted objects nested within the other encrypted objects. The object shown in FIG. 3 6 contains ten embedded encrypted objects at five various 7 levels. The encrypted object embedded in level 5 was 8 embedded in an object in level four, level four objects in 9 level 3 and so on. The plain text object containing the level 5 encrypted object can then be encrypted for further 11 security. This single encrypted object encapsulates all of 12 the data associated with the encrypted objects within it 13 and therefore the entire encrypted object can then be sent 14 out via any transport mechanism supporting binary file transfer.
16 FIG. 4 shows an encrypted object that contains a web 17 of embedded encrypted objects nested within it. All of the 18 attached embedded encrypted objects are fused together 19 resulting in a single encapsulated encrypted object. The DCOM is powerful enough to dynamically adapt to accommodate 21 N dimensional objects. In the very near future computing 22 systems incorporating technology such as Virtual/Alternate 23 Reality and Cyberspace, will need systems that can secure 24 N dimensions.
The single encrypted objects shown in both FIGS. 3 and 26 4 can act as a secure package and can be sent out for 27 distribution to an entire organization (e.g. E-mail). This 28 single encrypted object can represent a branch(s), 2~18~7 1 department(s), or even an entire company. Every employee 2 would receive the single encrypted file, but they would 3 only be able to unravel the portions that corresponded to 4 them and acquire no knowledge of other existing embedded encrypted objects. For example, FIG. 5 displays a sample 6 organization chart. When applied, the DCOM would control 7 the knowledge/information flow of the organization and 8 would allow for clear data separation, further 9 compartmentalization through multiple algorithm use, and document-level security. With the improved communication 11 paths, an organization would become more efficient. FIG.
12 6 demonstrates the use of the DCOM in conjunction with the 13 dynamic structure of a sample organization. Since the DCOM
14 is dynamic in nature, it can adapt to any organizational size or type (For example, see FIGS. 7 and 8).
16 Preferred and alternate embodiments of the present 17 invention have now been described in detail. It is to be 18 noted, however, that this description of these specific 19 embodiments is merely illustrative of the principles underlying the inventive concept. It is therefore 21 contemplated that various modifications of the disclosed 22 embodiments will, without departing from the spirit and 23 scope of the invention, be apparent to persons skilled in 24 the art.
Inventor: M. Greg Shanton 1 Field of the Invention 2 The present invention relates generally to a system 3 that can be used to restrict access to computer data. In 4 particular, the system of the present invention restricts access in a flexible way, identifying objects for 6 restriction and nesting restriction requirements through 7 the use of embedded objects.
8 Background of the Invention 9 While the specter of "spies" eagerly trying to obtain the defense information of various countries is very much 11 still present in the defense and intelligence community, an 12 equally massive threat now exists from technological or 13 commercial "spies" who desire to obtain commercial and 14 technical information from competing companies. These agents use sophisticated means similar to those used by the 16 defense and intelligence community in order to obtain 17 commercially valuable information that reveals the plans 18 and commercial activities of competitors thereby allowing 19 the aggressor company to obtain a competitive advantage in the marketplace. Theft of commercially valuable 21 information is a very real and ever present threat.
22 To combat this type of commercial spying, various 23 complex systems have evolved to protect company proprietary 24 information. These systems involve physical controls over personnel as well as over the data flowing in and out of a 26 company. For example, most computer systems used within 27 companies require a password to be entered before the ~113~7 ..
1 system can be accessed. It is frequently the case that 2 confidential or company proprietary information must be 3 passed electronically from one location to another in order 4 to convey that information within the company in a timely fashion. Such electronic communication is easily 6 susceptible to interception if not protected in some other 7 form.
8 Cryptographic systems have evolved to fill the needs 9 of companies and individuals wanting to protect the proprietary commercial information of a company from 11 competitors and those who generally should not have that 12 information.
13 Encryption of data is therefore a critical requirement 14 in denying access to confidential information from those who are not so authorized. Cryptographic "keys" are an 16 essential part of the information encryption process. The 17 cryptographic key, or "key" for short, is a sequence of 18 letters, numbers, or bytes of information which are 19 manipulated by a cryptographic algorithm to transform data from plain (readable) text to a series of unintelligible 21 text or signals known as encrypted or cipher text. The key 22 is then used by the receiver of the cipher text to decrypt 23 the message back to plain text. However, for two people to 24 communicate successfully using keys, each must use the same key, assuming that the same encryption/decryption algorithm 26 is used on both ends of the communication.
27 Various methods have evolved to manage the 28 distribution of keys. Such methods of distribution are 211~c~7 1 collectively referred to as "key management". The function 2 of key management is to perform the process of generating, 3 distributing, changing, replacing, storing, checking on, 4 and destroying cryptographic keys. Under normal operational circumstances, the key manager begins and ends 6 a cryptographic session by controlling access to the 7 algorithm used to encrypt and decrypt plain text objects.
8 Thus, a user who wants to encrypt an object or decrypt an 9 object must first access the key manager so that an encryption algorithm may be chosen.
11 Simple encryption of data being communicated between 12 two points only provides one level of security, however.
13 Encryption limits data communication to those who have the 14 key. Anyone who has the key is privy to any communication at any location. That is, if a group of people are working 16 on a particular project, they will all presumably share a 17 key for decrypting information relating to the project.
18 Some of the project group may be working in one location, 19 while the rest of the group may be located in a distant city. If one member of the group wants to send a 21 communication to a particular member in the other city, the 22 key will afford him no protection because everyone in the 23 project shares the same key. Likewise, if someone wants to 24 communicate a message to a subset of the group, for example, only to management personnel, this key would again 26 provide her with no extra security. In another case, 27 someone may want to send a message that is capable of being 28 read only at a particular computer terminal, or of being 1 printed only at a particular printer. In these and other 2 cases, multilevel multimedia key access, or individual keys 3 issued to each person, would provide a solution, albeit one 4 that is quite unwieldy, inflexible, and difficult to manage by a security officer or key administrator.
6 A secure method of labelling files or messages that 7 are sent from a sending user to a receiving user over a 8 network can provide a level of protection in addition to 9 cryptographic protection. A file "label" for purposes of this invention means a series of letters or numbers, which 11 may or may not be encrypted, separate from but associated 12 with the sending of a message, which identifies the person, 13 location, equipment, and/or organization which is permitted 14 to receive the associated message. Using a secure labelling regimen, a network manager or user can be assured 16 that only those messages meant for a certain person, group 17 of persons, and/or location(s) are in fact received, 18 decrypted, and read by the intended receiver. Thus, a 19 sending user can specify label conditions that limit access to the transmitted message. For example, many people 21 within a company may have the key necessary to read a data 22 file that a sender may transmit from his computer terminal 23 to other terminals at another site within his company. The 24 sender may, however, wish to restrict reception to those persons present at a particular terminal. By employing a 26 secure labelling technique in addition to encryption, the 27 sender can be assured that people having the correct key to 28 decrypt the message but working at different terminals will 2~ i82Q7 ~
not receive or be allowed to access the communication.
Access may be limited to particular people as well.
3 A system that can limit access on an object level 4 'would be more flexible and would offer still more protection. Access could be specified on an object-by-6 object basis, and objects could be embedded within other 7 objects, providing an access hierarchy for users.
8 - The ability to cryptographically secure objects g ensures the authentication and data integrity of the particular object or objects in question. If a device were 11 able to cryptographically control an object(s) or nested 12 object(s), then that device would have total control over 13 the entire object and all other objects within it. This 14 type of control over the knowledge/information flow would allow for clear data separation, and at some levels could 16 become a transparent method. A system that is able to do 17 this would be able to achieve multi-level multimedia 18 security, 19 Summary of the Invention It is therefore an objective of the present invention 21 to provide a system to insure that properly specified kinds 22 of information in a network system flows only to designated 23 locations and to further insure that such information is 24 only read by those individuals who are designated to review that information.
~ ' 2 ~ 7 -1 It is a further objective of the present invention to 2 provide a system that recognizes objects and permits or 3 denies access on the object level.
4 It is an additional objective of the present invention to provide a system in which objects may be embedded within 6 other objects, resulting in an access hierarchy for users 7 of the system.
8 It is another objective of the present invention to 9 provide a system in which access control is transparent to the user.
11 These and other objectives and advantages of the 12 present invention will be apparent to those of ordinary 13 skill in the art upon inspection of the detailed 14 description, drawings, and appended claims.
The definition and concept of objects varies greatly 16 depending on with whom you consult. Everything around you 17 in your daily life is an object. Your car, your car keys, 18 books, people, desks, etc. Objects are entities by 19 themselves, but they may contain other objects, in either single or multiple configurations. Objects can change 21 their make up dynamically by inheritance. Objects can 22 inherit the attributes of other objects and the inheritance 23 features can change dynamically "on the fly" during the 24 operation of the objects.
In the context of the present invention, an object can 26 come in a vast number of forms, shapes or sizes and can be 27 either passive or active, dynamic or static. An object may 28 stay dormant until it is acted upon, or it may be an active ~, 1 participant, dynamically auditing and verifying every 2 transaction that occurs in a system. Examples of what an 3 object can be include a bit of information, a byte of 4 information, Sound Clips, Video Clips, Graphic Images, text, charts, tables, forms, controls, MDIForms, variables, 6 executable files, video files, binary files, text files, 7 data files, container files, graphic files, application 8 file(s), Library files, a directory, a collection of 9 directories, a hard disk, multiple hard disks, any hardware component, any software component, a complete computer 11 system, a single network, multiple networks.
12 Thus, an object is any distinct, separate entity. In 13 a computer or data communication context, entities that may 14 be treated as objects include:
1) Program objects, representing applications such as 16 word processors, spreadsheets, games, etc., as well 17 as utilities and operating systems;
18 2) Folder objects, representing collections of other 19 objects;
3) Data file objects, including information such as 21 text, memos, letters, spreadsheets, video, and 22 sound; and 23 4) Device objects, such as printers, fax modems, 24 plotters, and CD-ROM drives.
In object linking and embedding, an object can be any 26 user-selected group of data, such as a block of text, a set 27 of spreadsheet cells, a chart, sounds, or a graphical 28 image. This data can be embedded in or linked to another 1 document created by a different application. For example, 2 a folder may represent a directory and may contain a group 3 of files, or it may represent a group of programs. Folders 4 can also contain other folders.
In object-oriented programming, a program consists of 6 a set of related but self-contained objects that can 7 contain both code and data.
8 The present invention is able to increase the security 9 of the system, while at the same time giving the individual user a large amount of flexibility and power. To give 11 users the most power and flexibility, a standard object 12 that has the capability to embed objects is used. To allow 13 users even more flexibility, a standard object tracking 14 mechanism is used that allows users to distribute multiple encrypted embedded objects to other individuals in a single 16 encrypted object. By being able to compartment every 17 object by label attributes and algorithm attributes, 18 multi-level multimedia security is achieved. Multi-level 19 security is achieved because encrypted objects may be nested within other objects which are also encrypted, 21 possibly within other objects, resulting in multiple layers 22 of encryption. Multimedia security is achieved because 23 objects are encrypted. Where other encryption systems 24 encrypt only files or other data, the system of the present invention encrypts any object, encompassing all forms of 26 media. Thus, the nesting of individually encrypted objects 27 provides security that is multi-level and multimedia.
28 Brief Description of the Drawings 2 ~ ~
1 FIG. 1 shows a block diagram of the system of the 2 present invention.
3 FIG. 2 shows a block diagram of the system of the 4 present invention when an embedded encrypted object is activated.
6 FIG. 3 shows an object containing ten embedded 7 encrypted objects at five various levels.
8 FIG. 4 shows an encrypted object that contains a web 9 of embedded encrypted objects nested within it.
FIG. 5 shows a sample organizational chart.
11 FIG. 6 shows the present invention used in conjunction 12 with the dynamic structure of a sample organizational 13 chart.
14 FIG. 7 shows a larger, more complicated sample organizational chart.
16 FIG. 8 shows the present invention used in conjunction 17 with the dynamic structure of the larger, more complicated 18 sample organizational chart.
19 Detailed Description of the Invention Definitions 21 OOKeyMan stands for the Object-Oriented Key Manager.
22 OOKeyMan is a Microsoft WindowsTM stand alone application.
23 The Auto Application Interface is an intelligent front 24 end and back end interface between a standard Microsoft Windows 3.1 application and OOKeyMan.
26 An Encrypted Embedded object is an encrypted OOKeyMan 27 object which can contain a single plain text object that 28 has been encapsulated within the encrypted object, or it 21 I g23~
1 can contain an infinite web of encrypted objects matched 2 with plain text objects or other cipher text objects.
3 A container object is an object that contains other 4 objects. These cbjects can be either cipher text or plain text. This is the transport vehicle for a standard object 6 mechanism that embeds objects. A non-container object is 7 an object that does not contain other objects.
8 Multi-Level Multimedia Security is defined as the 9 ability to have simultaneous control over the knowledge/information flow of numerous media formats while 11 allowing for clear data separation. At some levels the 12 multi-level multimedia security becomes transparent.
13 Examples of multi-media objects would include a file that 14 contained two or more of the following: sound objects, video objects, graphic V, text objects, chart objects, 16 table objects, and form objects.
17 Disclosure 18 The present invention, known as the Distributed 19 Cryptographic Object Method ("DCOM"), is able to control which objects are visible to a specific user, which object 21 attributes are inherited by other objects, which objects 22 are available for use, and which level of system 23 implementation can become transparent.
24 The main function of the DCOM is to securely manage and track encrypted objects. The DCOM can securely manage 26 and track a single encrypted object, or it can securely 27 manage and track encrypted objects embedded within other 28 encrypted objects. The capability to securely manage and 21 1~97 1 track encrypted objects within other encrypted objects is 2 only limited by storage space.
3 Referring to FIG. 1, the DCOM system is described.
4 The DCOM has a standard Multi-Level Security object interface 2 that interfaces with the plain text container 6 object's encrypted embedded objectts) 4. It does this 7 through a st~n~rd application 6 that has the capability to 8 embed an object in a container object, such as Microsoft's 9 Object Package for Windows. After the Encrypted object(s) is/are embedded in a standard container object(s) 10 and 11 the container object(s) 10 is/are encrypted, the original 12 encrypted object(s) and the new encrypted container 13 object(s) is/are ready for transport.
14 The new encrypted object(s) can be easily transported/routed over any network that supports binary 16 travel without modification. The original encrypted 17 objects can be deleted because all information from the 18 original encrypted objects is encapsulated in the embedded 19 encrypted object. All of the nested embedded encrypted objects will appear to a user as a single encrypted object 21 until extracted with a standard object embedding/extracting 22 mechanism through the DCOM process. To activate an 23 embedded encrypted object, the user simply selects the 24 encrypted object to initiate the DCOM process, launching the OOKeyMan application, as shown in FIG. 2. The 26 user/encrypted object authentication process is started and 27 if the user/encrypted object is/are approved, the following 1 encrypted object information can be returned and used by 2 the user:
3 A. Plain Text Ob-ect Name 4 B. Plain Text Ob-ect Location C. Plain Text Ob-ect Application 6 D. Plain Text Ob-ect Environment 7 E. Plain Text Ob-ect Date 8 F. Plain Text Ob-ect Time 9 G. Plain Text Ob ect Digital Signature H. Code word Object Tracking Label 11 I. Cluster Object Tracking Label 12 J. Device Object Tracking Label 13 K. Use Object Label 14 L. Algorithm Object Type At this point, the authenticated user is given the 16 option to decrypt the requested embedded encrypted object 17 12. After decryption, a check is done to match the 18 encrypted object's plain text object application to the 19 correct Intelligent Auto Application Interface 14. If the correct Auto Application Interface is not found, a notice 21 is returned and the object is copied to a temporary 22 location 16, otherwise the Auto Application Interface 23 process is started. During this process the encrypted 24 object is matched to the appropriate authenticated application object 18 according to the returned encrypted 26 object information. The correct authenticated application 27 object 18 is then activated with the plain text object 20.
28 Due to the relative dynamic nature of objects, the DCOM is 29 able to accomplish all tasks "on the fly".
The scope of the DCOM directly correlates to the level 31 at which the DCOM was embedded into the system. The scope 32 of the DCOM would cover the implemented embedded system 33 level and all system levels above that, appearing 34 transparent to all levels beneath the implemented embedded 211~7 , 1 system level. For instance, if the DCOM were was embedded 2 at the Open System Interconnection ("OSI") 7 Application 3 layer, then the scope of the DCOM would cover objects on 4 that level and above. In this scenario, the DCOM could run transparent to OSI levels 1 through 6. On the basis of 6 current technology, this implementation would produce the 7 most flexible DCOM. At this level and above, the DCOM is 8 able to provide multi-level multi-media security while 9 staying at the document level. This cross-application compatibility or document-level security is critical to the 11 evolving component based document centered computer system 12 desktop. The DCOM achieves cross-application multi-level 13 multi-media security at the document level through its use 14 of Object-Based Security.
The current implementation of the DCOM at the 16 application layer is called the Object-Oriented Key Manager 17 (OOKeyMan). Currently, OOKeyMan is a Microsoft Windows 3.1 18 stand alone application, but the DCOM can be applied to 19 other environments. OOKeyMan provides Document-Level Security through its use of Object Based Security.
21 Some examples of where the DCOM can be applied to 22 ensure the authentication and data integrity of objects 23 include:
24 IBM's OS/2 2.X and above IBM's System Object Method(SOM) 26 Microsoft's Object Package 27 Microsoft's Object Linking and Embedding 1.0(0LE 1.0) 28 Microsoft's Object Linking and Embedding 2.0(0LE 2.0) 29 Microsoft's Windows NT 3.1 Microsoft's Cairo (Future Operating System) 31 Microsoft's Chicago (Future Operating System) 32 Taligent (joint venture future 33 Operating System of Macintosh and IBM) 211$2~7 ..
1 Macintosh's Compound Document Standard 2 Macintosh Operating System 3 Novell 4 Novell Netware Directory Services(NDS) Unix Object-Oriented Systems 6 Virtual/Alternate Reality Systems 7 Future Object-Oriented Operating Systems 8 By applying the DCOM to the above examples, the 9 security of a system can be moved to a more abstract object level. By securing objects with cryptography, a level of 11 security is achieved much higher than that of common access 12 control mechanisms such as password or pass phrase 13 protection.
14 The steps for embedding an Encrypted Embedded OOKeyMan Object(s) are as follows:
16 1. User Creates a plain text Object by using a 17 standard application;
18 2. User Encrypts Object(s) with OOKeyMan;
19 3. User uses a standard Container Object;
4. Using Standard object to embed Encrypted Embedded 21 OOKeyMan object(s) into Container Object;
22 5. Encrypt Container Object;
23 6. Repeat Steps 1 through 5 until all Objects are 24 encrypted;
7. Multi-Level Multimedia Security achieved at the 26 document level.
27 Examples of The Distributed Cryptographic Object 28 Method 29 The following resources were used in the following examples:
31 Software:
32 MS-DOS 5.0 21~2~7 . .
1 Microsoft Windows 3.1 2 Microsoft Word for Windows 2.0c 3 Standard Microsoft Object Package 4 WordPerfect 5.2 for Windows OOKeyMan l.Ob 6 Auto Application Interface for Word 1.0 7 Auto Application for WordPerfect 5.2 for Windows 8 1.0 9 Hardware:
486 50MHz DX with 16 megabytes of RAM
11 The next two examples demonstrate some of the 12 capabilities of the DCOM through the OOKeyMan 13 implementation. The examples involve two of the most 14 popular standard Microsoft Windows applications on the market today; WordTM for Windows~ and WordPerf~t for 16 Windows~. The examples also use a standard object, 17 Standard Microsoft Object Package, to embed the encrypted 18 files in a standard container object. The interfaces used 19 for these examples were the Auto Application Interface for Word for Windows 1.0 and the Auto Application for 21 WordPerfect 5.2 for Windows 1Ø
22 The first example shows the ability for OOKeyMan to 23 securely manage and track single or multiple embedded 24 encrypted objects within other encrypted objects. This is done with a single application.
26 The second example shows the ability for OOKeyMan to 27 securely manage and track single or multiple embedded 28 encrypted objects within other encrypted objects. The 29 embedded encrypted objects can even be part of encrypted objects from other applications. This example is performed 31 in a cross-application manner between Word for Windows and 32 WordPerfect for Windows.
~1182~7 ..
1 Example 1: Document Level Multi-Level Multimedia 2 Security 3 (using Microsoft Word for Windows and WordPerfect 5.2 4 for Windows) OOKeyMan Process:
6 1. Lock Object 7 A. User creates an object~s) in Word for Windows or 8 WordPerfect for Windows;
9 B. User Initiates OOKeyMan sequence;
C. User Selects object(s) to Encrypt;
11 D. User Selects Labels for object;
12 E. User Selects an algorithm for encryption;
13 F. User Selects Lock Object;
14 G. OOKeyMan Object Manager performs Setup and Internal Checks;
16 H. OOKeyMan Object Manager Calls Key Management 17 System object;
18 I. OOKeyMan Object Manager Calls Cryptographic 19 Algorithm object;
J. OOKeyMan Object Manager waits for Selected 21 Algorithm object to finish and create the 22 encrypted object;
23 K. Encrypted OOKeyMan Object Created;
24 i. Results in Encapsulation of a. Plain Text Object 26 b. Plain Text Object Name 27 c. Plain Text Object Location 28 d. Plain Text Object Application 1 e. Plain Text Object Environment 2 f. Plain Text Object Date 3 g. Plain Text Object Time 4 h. Plain Text Object Digital Signature i. Code word Object Tracking Label 6 j. Cluster Object Tracking Label 7 k. Device Object Tracking Label 8 l. Use Object Label 9 m. Algorithm Object Type ii. Results in New Encrypted Object being 11 created 12 iii. Results in Plain Text Object Being Delete if 13 Requested 14 L. OOKeyMan Object Manager Returns To Word for 15 Windows or WordPerfect for Windows.
16 2. Unlock Object 17 A. User creates an encrypted object(s) using Word 18 for Windows or WordPerfect for Windows;
19 B. User Initiates OOKeyMan sequence;
C. User Selects object(s) to Decrypt;
21 D. User Selects Unlock object;
22 E. OOKeyMan Decrypt Object;
23 F. OOKeyMan Object Manager performs Setup and 24 Internal Checks;
G. OOKeyMan Object Manager Calls Key Management 26 System object;
27 H. OOKeyMan Object Manager Calls Algorithm object;
211~7 .. , 1 I. OOKeyMan Object Manager waits for Selected 2 Algorithm object to finish and create the 3 decrypted object;
4 J. If the User/encrypted Object are authenticated the plain text object is activated along with 6 Word for Windows or WordPerfect for Windows.
7 3. Preview Object 8 A. User creates an encrypted object(s) in Word for 9 Windows or WordPerfect for Windows;
B. User Initiates OOKeyMan sequence;
11 C. User Selects object(s) to Preview;
12 D. User selects Preview Object;
13 E. OOKeyMan Display Header Object;
14 F. OOKeyMan Object Manager performs Setup and Internal Checks;
16 G. OOKeyMan Object Manager Calls Key Management 17 System object;
18 H. OOKeyMan Object Manager waits for Selected 19 Algorithm object to finish and create the Header object.
21 Example 2: Cross-Application Multi-Level Multimedia 22 Security at The Document Level 23 (Between Microsoft Word for Windows and WordPerfect 24 5.2 for Windows) OOKeyMan Process:
26 1. Lock Object 27 A. User creates an object(s)in Word for Windows or 28 WordPerfect for Windows;
1 B. User Initiates OOKeyMan sequence;
2 C. User Selects object(s) to ~ncrypt;
3 D. User Selects Labels for object;
4 E. User Selects an algorithm for encryption;
F. User Selects Lock Object;
6 G. OOKeyMan Object Manager performs Setup and 7 Internal Checks;
8 H. OOKeyMan Object Manager Calls Key Management 9 System object;
I. OOKeyMan Object Manager Calls Cryptographic 11 Algorithm object;
12 J. OOKeyMan Object Manager waits for Selected 13 Algorithm object to finish and create the 14 encrypted object;
K. Encrypted OOKeyMan Object Created;
16 i. Results in Encapsulation of 17 a. Plain Text Object 18 b. Plain Text Object Name 19 c. Plain Text Object Location d. Plain Text Object Application 21 e. Plain Text Object Environment 22 f. Plain Text Object Date 23 g. Plain Text Object Time 24 h. Plain Text Object Digital Signature i. Code word Object Tracking Label 26 j. Cluster Object Tracking Label 27 k. Device Object Tracking Label 28 l. Use Object Label 2 ~ 7 1 m. Algorithm Object Type 2 ii. Results in New Encrypted Object being 3 created 4 iii. Results in Plain Text Object Being Delete if Requested 6 L. OOKeyMan Object Manager Returns To Word for 7 Windows or WordPerfect for Windows.
8 2. Unlock Object 9 A. User creates an encrypted object(s) in Word for Windows or WordPerfect for Windows;
11 B. User Initiates OOKeyMan sequence;
12 C. User Selects object(s) to Decrypt;
13 D. User Selects Unlock object;
14 E. OOKeyMan Decrypt Object;
F. OOKeyMan Object Manager performs Setup and 16 Internal Checks;
17 G. OOKeyMan Object Manager Calls Key Management 18 System object;
19 H. OOKeyMan Object Manager Calls Algorithm object;
I. OOKeyMan Object Manager waits for Selected 21 Algorithm object to finish and create the 22 decrypted object.
23 J. If the User/encrypted Object are authenticated 24 the plain text object is activated along with Word for Windows or WordPerfect for Windows.
26 3. Preview Object 27 A. User creates an encrypted object(s) in Word for 28 Windows or WordPerfect for Windows;
~1182~7 1 B. User Initiates OOKeyMan sequence;
2 C. User Selects object(s) to Preview;
3 D. User selects Preview Object;
4 E. OOKeyMan Display Header Object;
F. OOKeyMan Object Manager Setup and Internal 6 Checks;
7 G. OOKeyMan Object Manager Calls Key Management 8 System object;
9 H. OOKeyMan Object Manager waits for Selected Algorithm object to finish and create the Header 11 object.
12 Example 3: Standard Distributive Cryptographic Object 13 Method Process(DCOMP) OOKeyMan Process:
16 1. Lock Object 17 A. User creates an object(s);
18 B. User Initiates OOKeyMan sequence;
19 C. User Selects object(s) to Encrypt;
D. User Selects Labels for object;
21 E. User Selects an algorithm for encryption;
22 F. User Selects Lock Object;
23 G. OOKeyMan Object Manager performs Setup and 24 Internal Checks;
H. OOKeyMan Object Manager Calls Key Management 26 System object;
27 I. OOKeyMan Object Manager Calls Cryptographic 28 Algorithm object;
2 ~ 7 -1 J. OOKeyMan Object Manager waits for Selected 2 Algorithm object to finish and create the 3 encrypted object;
4 K. Encrypted OOKeyMan Object Created;
i. Results in Encapsulation of 6 a. Plain Text Object 7 b. Plain Text Object Name 8 c. Plain Text Object Location 9 d. Plain Text Object Application e. Plain Text Object Environment 11 f. Plain Text Object Date 12 g. Plain Text Object Time 13 h. Plain Text Object Digital Signature 14 i. Code word Object Tracking Label j. Cluster Object Tracking Label 16 k. Device Object Tracking Label 17 1. Use Object Label 18 m. Algorithm Object Type 19 ii. Results in New Encrypted Object being created 21 iii. Results in Plain Text Object Being Delete if 22 Requested 23 L. OOKeyMan Object Manager Returns To Application 24 Object.
2. Unlock Object 26 A. User creates an encrypted object(s);
27 B. User Initiates OOKeyMan sequence;
28 C. User Selects objectts) to Decrypt;
21 1~237 1 D. User Selects Unlock object;
2 E. OOKeyMan Decrypt Object;
3 F. OOKeyMan Object Manager performs Setup and 4 Internal Checks;
G. OOKeyMan Object Manager Calls Key Management 6 System object;
7 H. OOKeyMan Object Manager Calls Algorithm object 8 I. OOKeyMan Object Manager waits for Selected 9. Algorithm object to finish and create the decrypted object.
11 3. Preview Object 12 A. User creates an encrypted object(s);
13 B. User Initiates OOKeyMan sequence;
14 C. User Selects object(s) to Preview;
D. User selects Preview Object;
16 E. OOKeyMan Display Header Object;
17 F. OOKeyMan Object Manager performs Setup and 18 Internal Checks;
19 G. OOKeyMan Object Manager Calls Key Management System object;
21 H. OOKeyMan Object Manager waits for Selected 22 Algorithm object to finish and create the Header 23 object.
24 The DCOM process can be applied to a vast number of areas in the real world. Whether it be the physical 26 topology of the local area network/wide area network 27 environment or the dynamic structure of an organization, ~1182~
_.
1 the DCOM process will change dynamically to reflect the 2 current state of the object in question.
3 FIG. 3 and FIG. 4 show an encrypted object that 4 contains a web of embedded encrypted objects nested within the other encrypted objects. The object shown in FIG. 3 6 contains ten embedded encrypted objects at five various 7 levels. The encrypted object embedded in level 5 was 8 embedded in an object in level four, level four objects in 9 level 3 and so on. The plain text object containing the level 5 encrypted object can then be encrypted for further 11 security. This single encrypted object encapsulates all of 12 the data associated with the encrypted objects within it 13 and therefore the entire encrypted object can then be sent 14 out via any transport mechanism supporting binary file transfer.
16 FIG. 4 shows an encrypted object that contains a web 17 of embedded encrypted objects nested within it. All of the 18 attached embedded encrypted objects are fused together 19 resulting in a single encapsulated encrypted object. The DCOM is powerful enough to dynamically adapt to accommodate 21 N dimensional objects. In the very near future computing 22 systems incorporating technology such as Virtual/Alternate 23 Reality and Cyberspace, will need systems that can secure 24 N dimensions.
The single encrypted objects shown in both FIGS. 3 and 26 4 can act as a secure package and can be sent out for 27 distribution to an entire organization (e.g. E-mail). This 28 single encrypted object can represent a branch(s), 2~18~7 1 department(s), or even an entire company. Every employee 2 would receive the single encrypted file, but they would 3 only be able to unravel the portions that corresponded to 4 them and acquire no knowledge of other existing embedded encrypted objects. For example, FIG. 5 displays a sample 6 organization chart. When applied, the DCOM would control 7 the knowledge/information flow of the organization and 8 would allow for clear data separation, further 9 compartmentalization through multiple algorithm use, and document-level security. With the improved communication 11 paths, an organization would become more efficient. FIG.
12 6 demonstrates the use of the DCOM in conjunction with the 13 dynamic structure of a sample organization. Since the DCOM
14 is dynamic in nature, it can adapt to any organizational size or type (For example, see FIGS. 7 and 8).
16 Preferred and alternate embodiments of the present 17 invention have now been described in detail. It is to be 18 noted, however, that this description of these specific 19 embodiments is merely illustrative of the principles underlying the inventive concept. It is therefore 21 contemplated that various modifications of the disclosed 22 embodiments will, without departing from the spirit and 23 scope of the invention, be apparent to persons skilled in 24 the art.
Claims (15)
1. A method for providing multi-level multimedia security in a data network, comprising the steps of:
A) accessing an object-oriented key manager;
B) selecting an object to encrypt;
C) selecting a label for the object;
D) selecting an encryption algorithm;
E) encrypting the object according to the encryption algorithm;
F) labelling the encrypted object;
G) reading the object label;
H) determining access authorization based on the object label; and I) decrypting the object if access authorization is granted.
A) accessing an object-oriented key manager;
B) selecting an object to encrypt;
C) selecting a label for the object;
D) selecting an encryption algorithm;
E) encrypting the object according to the encryption algorithm;
F) labelling the encrypted object;
G) reading the object label;
H) determining access authorization based on the object label; and I) decrypting the object if access authorization is granted.
2. The method of claim 1, wherein the object is an application document, and further comprising the steps of:
A) creating an object in an application prior to accessing the object-oriented key manager; and B) returning the encrypted object to the application prior to reading the object label.
A) creating an object in an application prior to accessing the object-oriented key manager; and B) returning the encrypted object to the application prior to reading the object label.
3. The method of claim 1, further comprising the step of embedding the encrypted object in a second object after labelling the encrypted object.
4. The method of claim 3, further comprising the steps of:
A) selecting a second label for the second object;
B) selecting an encryption algorithm;
C) encrypting the second object; and D) labelling the second encrypted object with a second object label.
A) selecting a second label for the second object;
B) selecting an encryption algorithm;
C) encrypting the second object; and D) labelling the second encrypted object with a second object label.
5. The method of claim 4, further comprising the steps of:
A) reading the second object label;
B) determining access authorization based on the second object label; and C) decrypting the second object if access authorization is granted.
A) reading the second object label;
B) determining access authorization based on the second object label; and C) decrypting the second object if access authorization is granted.
6. The method of claim 1, wherein the label is a plurality of labels.
7. The method of claim 4, wherein the second label is a second plurality of labels.
8. A system for providing multi-level multimedia security in a data network, comprising:
A) digital logic means, the digital logic means comprising:
1) a system memory means for storing data;
2) an encryption algorithm module, comprising logic for converting unencrypted objects into encrypted objects, the encryption algorithm module being electronically connected to the system memory means for accessing data stored in the first system memory;
3) an object labelling subsystem, comprising logic means for limiting object access, subject to label conditions, the object labelling subsystem being electronically connected to the system memory means for accessing data stored in the system memory means and the object labelling subsystem being further electronically connected to the encryption algorithm module to accept inputs from the encryption algorithm module;
4) a decryption algorithm module, comprising logic for converting encrypted objects into unencrypted objects, the decryption algorithm module being electronically connected to the system memory means for accessing data stored in the system memory means; and 5) an object label identification subsystem, comprising logic for limiting object access, subject to label conditions, the object label identification subsystem being electronically connected to the system memory means for accessing data stored in the system memory means and the object label identification subsystem being further electronically connected to the decryption algorithm module to accept inputs from the decryption algorithm module;
B) the encryption algorithm module working in conjunction with the object labelling subsystem to create an encrypted object such that the object label identification subsystem limits access to an encrypted object.
A) digital logic means, the digital logic means comprising:
1) a system memory means for storing data;
2) an encryption algorithm module, comprising logic for converting unencrypted objects into encrypted objects, the encryption algorithm module being electronically connected to the system memory means for accessing data stored in the first system memory;
3) an object labelling subsystem, comprising logic means for limiting object access, subject to label conditions, the object labelling subsystem being electronically connected to the system memory means for accessing data stored in the system memory means and the object labelling subsystem being further electronically connected to the encryption algorithm module to accept inputs from the encryption algorithm module;
4) a decryption algorithm module, comprising logic for converting encrypted objects into unencrypted objects, the decryption algorithm module being electronically connected to the system memory means for accessing data stored in the system memory means; and 5) an object label identification subsystem, comprising logic for limiting object access, subject to label conditions, the object label identification subsystem being electronically connected to the system memory means for accessing data stored in the system memory means and the object label identification subsystem being further electronically connected to the decryption algorithm module to accept inputs from the decryption algorithm module;
B) the encryption algorithm module working in conjunction with the object labelling subsystem to create an encrypted object such that the object label identification subsystem limits access to an encrypted object.
9. The system of claim 8, wherein the digital logic means further comprises means for embedding a first object within a second object.
10. The system of claim 8, wherein the digital logic means further comprises means for accessing computer program applications stored in the system memory means.
11. The system of claim 9, wherein the digital logic means further comprises means for accessing computer program applications stored in the system memory means.
12. A system for providing multi-level multimedia security in a data network, comprising:
A) means for accessing an object-oriented key manager;
B) means for selecting an object to encrypt;
C) means for selecting a label for the object;
D) means for selecting an encryption algorithm;
E) means for encrypting the object;
F) means for labelling the encrypted object;
G) means for reading the object label;
H) means for determining access authorization based on the label; and I) means for accessing the object if access authorization is granted.
A) means for accessing an object-oriented key manager;
B) means for selecting an object to encrypt;
C) means for selecting a label for the object;
D) means for selecting an encryption algorithm;
E) means for encrypting the object;
F) means for labelling the encrypted object;
G) means for reading the object label;
H) means for determining access authorization based on the label; and I) means for accessing the object if access authorization is granted.
13. The system of claim 12, wherein the object is an application document and the wherein the system further comprises:
A) means for creating an object in an application prior to accessing the object-oriented key manager; and B) means for returning the encrypted object to the application prior to reading the object label.
A) means for creating an object in an application prior to accessing the object-oriented key manager; and B) means for returning the encrypted object to the application prior to reading the object label.
14. The system of claim 13, further comprising means for embedding an object within a second object.
15. The system of claim 14, further comprising:
A) means for reading the second object label;
B) means for determining access authorization based on the second object label; and C) means for decrypting the second object if access authorization is granted.
A) means for reading the second object label;
B) means for determining access authorization based on the second object label; and C) means for decrypting the second object if access authorization is granted.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US08/138,857 | 1993-10-18 | ||
| US08/138,857 US5369702A (en) | 1993-10-18 | 1993-10-18 | Distributed cryptographic object method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2118297A1 CA2118297A1 (en) | 1995-04-19 |
| CA2118297C true CA2118297C (en) | 1999-07-13 |
Family
ID=22483974
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002118297A Expired - Lifetime CA2118297C (en) | 1993-10-18 | 1994-10-17 | Distributed cryptographic object method |
Country Status (2)
| Country | Link |
|---|---|
| US (3) | US5369702A (en) |
| CA (1) | CA2118297C (en) |
Families Citing this family (217)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5577209A (en) * | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
| US5680452A (en) * | 1993-10-18 | 1997-10-21 | Tecsec Inc. | Distributed cryptographic object method |
| US5369702A (en) * | 1993-10-18 | 1994-11-29 | Tecsec Incorporated | Distributed cryptographic object method |
| US5974141A (en) * | 1995-03-31 | 1999-10-26 | Mitsubishi Corporation | Data management system |
| US6744894B1 (en) | 1994-04-01 | 2004-06-01 | Mitsubishi Corporation | Data management system |
| JPH07271865A (en) | 1994-04-01 | 1995-10-20 | Mitsubishi Corp | Method for managing copyright of data base |
| US7036019B1 (en) | 1994-04-01 | 2006-04-25 | Intarsia Software Llc | Method for controlling database copyrights |
| KR960008583A (en) * | 1994-08-26 | 1996-03-22 | 윌리암 티. 엘리스 | Data Processing Systems and Methods for Managing Data Processing Systems |
| US6449717B1 (en) | 1994-09-30 | 2002-09-10 | Mitsubishi Corporation | Data copyright management system |
| EP0704785B1 (en) * | 1994-09-30 | 2003-11-19 | Mitsubishi Corporation | Data copyright management system |
| US7302415B1 (en) | 1994-09-30 | 2007-11-27 | Intarsia Llc | Data copyright management system |
| US6741991B2 (en) * | 1994-09-30 | 2004-05-25 | Mitsubishi Corporation | Data management system |
| US5838906A (en) | 1994-10-17 | 1998-11-17 | The Regents Of The University Of California | Distributed hypermedia method for automatically invoking external application providing interaction and display of embedded objects within a hypermedia document |
| US6424715B1 (en) | 1994-10-27 | 2002-07-23 | Mitsubishi Corporation | Digital content management system and apparatus |
| EP1691316A1 (en) | 1994-10-27 | 2006-08-16 | Intarsia Software LLC | Data copyright management system |
| EP0715241B1 (en) | 1994-10-27 | 2004-01-14 | Mitsubishi Corporation | Apparatus for data copyright management system |
| US5943422A (en) | 1996-08-12 | 1999-08-24 | Intertrust Technologies Corp. | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
| US5892900A (en) * | 1996-08-30 | 1999-04-06 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
| EP1643340B1 (en) | 1995-02-13 | 2013-08-14 | Intertrust Technologies Corp. | Secure transaction management |
| US6157721A (en) | 1996-08-12 | 2000-12-05 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
| US7143290B1 (en) * | 1995-02-13 | 2006-11-28 | Intertrust Technologies Corporation | Trusted and secure techniques, systems and methods for item delivery and execution |
| US6948070B1 (en) | 1995-02-13 | 2005-09-20 | Intertrust Technologies Corporation | Systems and methods for secure transaction management and electronic rights protection |
| US7124302B2 (en) * | 1995-02-13 | 2006-10-17 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
| US6658568B1 (en) | 1995-02-13 | 2003-12-02 | Intertrust Technologies Corporation | Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management |
| US7133846B1 (en) | 1995-02-13 | 2006-11-07 | Intertrust Technologies Corp. | Digital certificate support system, methods and techniques for secure electronic commerce transaction and rights management |
| US8639625B1 (en) | 1995-02-13 | 2014-01-28 | Intertrust Technologies Corporation | Systems and methods for secure transaction management and electronic rights protection |
| US6011847A (en) * | 1995-06-01 | 2000-01-04 | Follendore, Iii; Roy D. | Cryptographic access and labeling system |
| US5625693A (en) * | 1995-07-07 | 1997-04-29 | Thomson Consumer Electronics, Inc. | Apparatus and method for authenticating transmitting applications in an interactive TV system |
| US5852664A (en) * | 1995-07-10 | 1998-12-22 | Intel Corporation | Decode access control for encoded multimedia signals |
| US5812669A (en) * | 1995-07-19 | 1998-09-22 | Jenkins; Lew | Method and system for providing secure EDI over an open network |
| US5872914A (en) * | 1995-08-31 | 1999-02-16 | International Business Machines Corporation | Method and apparatus for an account managed object class model in a distributed computing environment |
| US5713018A (en) * | 1995-09-27 | 1998-01-27 | Sun Microsystems, Inc. | System and method for providing safe SQL-level access to a database |
| US8595502B2 (en) | 1995-09-29 | 2013-11-26 | Intarsia Software Llc | Data management system |
| US5787175A (en) * | 1995-10-23 | 1998-07-28 | Novell, Inc. | Method and apparatus for collaborative document control |
| US7801817B2 (en) | 1995-10-27 | 2010-09-21 | Makoto Saito | Digital content management system and apparatus |
| US5867708A (en) * | 1995-11-20 | 1999-02-02 | International Business Machines Corporation | System, method, and article of manufacture for adding concurrency to a binary class in an object oriented system |
| US5878428A (en) * | 1995-11-20 | 1999-03-02 | International Business Machines Corporation | System, method, and article of manufacture for adding transactional recovery to a binary class in an object oriented system |
| US5873092A (en) * | 1995-12-14 | 1999-02-16 | International Business Machines Corporation | Information handling system, method, and article of manufacture including persistent, distributed object name services including shared properties |
| US6782538B1 (en) | 1995-12-14 | 2004-08-24 | International Business Machines Corporation | Object oriented information handling system including an extensible instance manager |
| US5802276A (en) * | 1996-01-03 | 1998-09-01 | International Business Machines Corporation | Information handling system, method, and article of manufacture including a vault object for encapsulation of object security credentials |
| US5765153A (en) * | 1996-01-03 | 1998-06-09 | International Business Machines Corporation | Information handling system, method, and article of manufacture including object system authorization and registration |
| JP2000503154A (en) | 1996-01-11 | 2000-03-14 | エムアールジェイ インコーポレイテッド | System for controlling access and distribution of digital ownership |
| US5809506A (en) * | 1996-01-22 | 1998-09-15 | International Business Machines Corporation | Method for creating an object base of persisent application objects in an object oriented programming environment and apparatus related thereto |
| US5815709A (en) * | 1996-04-23 | 1998-09-29 | San Microsystems, Inc. | System and method for generating identifiers for uniquely identifying object types for objects used in processing of object-oriented programs and the like |
| SE506853C2 (en) | 1996-06-20 | 1998-02-16 | Anonymity Prot In Sweden Ab | Method of data processing |
| DE19744293C1 (en) * | 1996-06-26 | 1999-07-01 | Fraunhofer Ges Forschung | Method of encoding and decoding of multimedia data with definition and multimedia data blocks |
| DE19625635C1 (en) * | 1996-06-26 | 1997-12-04 | Fraunhofer Ges Forschung | Encryption and decryption of multimedia data |
| US7770230B2 (en) * | 2002-04-22 | 2010-08-03 | Arvato Digital Services Canada, Inc. | System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software |
| US5809145A (en) * | 1996-06-28 | 1998-09-15 | Paradata Systems Inc. | System for distributing digital information |
| US7356847B2 (en) * | 1996-06-28 | 2008-04-08 | Protexis, Inc. | System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software |
| US7010697B2 (en) | 1996-06-28 | 2006-03-07 | Protexis, Inc. | System for dynamically encrypting information for secure internet commerce and providing embedded fulfillment software |
| CA2182254C (en) * | 1996-07-29 | 2000-02-15 | Weidong Kou | Generic file format for multiple security requirements |
| US6993582B2 (en) * | 1996-07-30 | 2006-01-31 | Micron Technology Inc. | Mixed enclave operation in a computer network |
| US6272538B1 (en) | 1996-07-30 | 2001-08-07 | Micron Technology, Inc. | Method and system for establishing a security perimeter in computer networks |
| US6023765A (en) * | 1996-12-06 | 2000-02-08 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role-based access control in multi-level secure systems |
| US5917911A (en) * | 1997-01-23 | 1999-06-29 | Motorola, Inc. | Method and system for hierarchical key access and recovery |
| US7212632B2 (en) | 1998-02-13 | 2007-05-01 | Tecsec, Inc. | Cryptographic key split combiner |
| WO1998039876A1 (en) * | 1997-03-06 | 1998-09-11 | Skylight Software, Inc. | Cryptographic digital identity method |
| US5991877A (en) * | 1997-04-03 | 1999-11-23 | Lockheed Martin Corporation | Object-oriented trusted application framework |
| US6212636B1 (en) | 1997-05-01 | 2001-04-03 | Itt Manufacturing Enterprises | Method for establishing trust in a computer network via association |
| MXPA99010114A (en) * | 1997-05-07 | 2004-09-10 | Neomedia Tech Inc | Scanner enhanced remote control unit and system for automatically linking to on-line resources. |
| US6694433B1 (en) | 1997-05-08 | 2004-02-17 | Tecsec, Inc. | XML encryption scheme |
| JP2001526857A (en) * | 1997-05-09 | 2001-12-18 | ネオメディア テクノロジーズ,インク. | Method and system for accessing electronic resources via machine-readable data on intelligent documents |
| US7325077B1 (en) * | 1997-08-21 | 2008-01-29 | Beryl Technical Assays Llc | Miniclient for internet appliance |
| US6259789B1 (en) * | 1997-12-12 | 2001-07-10 | Safecourier Software, Inc. | Computer implemented secret object key block cipher encryption and digital signature device and method |
| US8077870B2 (en) * | 1998-02-13 | 2011-12-13 | Tecsec, Inc. | Cryptographic key split binder for use with tagged data elements |
| US7079653B2 (en) * | 1998-02-13 | 2006-07-18 | Tecsec, Inc. | Cryptographic key split binding process and apparatus |
| US7095852B2 (en) * | 1998-02-13 | 2006-08-22 | Tecsec, Inc. | Cryptographic key split binder for use with tagged data elements |
| US7668782B1 (en) * | 1998-04-01 | 2010-02-23 | Soverain Software Llc | Electronic commerce system for offer and acceptance negotiation with encryption |
| US6223288B1 (en) | 1998-05-22 | 2001-04-24 | Protexis Inc. | System for persistently encrypting critical software file to prevent installation of software program on unauthorized computers |
| JP4763866B2 (en) | 1998-10-15 | 2011-08-31 | インターシア ソフトウェア エルエルシー | Method and apparatus for protecting digital data by double re-encryption |
| US6330677B1 (en) * | 1998-10-27 | 2001-12-11 | Sprint Communications Company, L. P. | Object-based security system |
| US7673323B1 (en) | 1998-10-28 | 2010-03-02 | Bea Systems, Inc. | System and method for maintaining security in a distributed computer network |
| US6158010A (en) | 1998-10-28 | 2000-12-05 | Crosslogix, Inc. | System and method for maintaining security in a distributed computer network |
| JP3497088B2 (en) * | 1998-12-21 | 2004-02-16 | 松下電器産業株式会社 | Communication system and communication method |
| KR100305964B1 (en) * | 1999-10-22 | 2001-11-02 | 구자홍 | Method for providing user adaptive multiple levels of digest stream |
| US7131008B1 (en) | 1999-11-22 | 2006-10-31 | Sun Microsystems, Inc. | Mechanism for dynamically constructing customized implementations to enforce restrictions |
| US7051067B1 (en) * | 1999-11-22 | 2006-05-23 | Sun Microsystems, Inc. | Object oriented mechanism for dynamically constructing customized implementations to enforce restrictions |
| US6792537B1 (en) | 1999-11-22 | 2004-09-14 | Sun Microsystems, Inc. | Mechanism for determining restrictions to impose on an implementation of a service |
| US6721888B1 (en) | 1999-11-22 | 2004-04-13 | Sun Microsystems, Inc. | Mechanism for merging multiple policies |
| US6609115B1 (en) * | 1999-12-30 | 2003-08-19 | Ge Medical Systems | Method and apparatus for limited online access to restricted documentation |
| US7257836B1 (en) * | 2000-04-24 | 2007-08-14 | Microsoft Corporation | Security link management in dynamic networks |
| US6754819B1 (en) * | 2000-07-06 | 2004-06-22 | General Dynamics Decision Systems, Inc. | Method and system for providing cryptographic services in a distributed application |
| US7051069B2 (en) * | 2000-09-28 | 2006-05-23 | Bea Systems, Inc. | System for managing logical process flow in an online environment |
| EP1199899B1 (en) * | 2000-10-16 | 2004-04-21 | Alcatel | Method and apparatus for providing a user of a mobile communication terminal or a group of users with an information message with an adaptive content |
| US7362868B2 (en) * | 2000-10-20 | 2008-04-22 | Eruces, Inc. | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
| US20030021417A1 (en) | 2000-10-20 | 2003-01-30 | Ognjen Vasic | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
| US20020066038A1 (en) * | 2000-11-29 | 2002-05-30 | Ulf Mattsson | Method and a system for preventing impersonation of a database user |
| US20020116633A1 (en) * | 2001-01-19 | 2002-08-22 | Takuya Kobayashi | Data processor |
| US7499948B2 (en) | 2001-04-16 | 2009-03-03 | Bea Systems, Inc. | System and method for web-based personalization and ecommerce management |
| US20030041050A1 (en) * | 2001-04-16 | 2003-02-27 | Greg Smith | System and method for web-based marketing and campaign management |
| US7392546B2 (en) | 2001-06-11 | 2008-06-24 | Bea Systems, Inc. | System and method for server security and entitlement processing |
| US7266699B2 (en) * | 2001-08-30 | 2007-09-04 | Application Security, Inc. | Cryptographic infrastructure for encrypting a database |
| US7093298B2 (en) * | 2001-08-30 | 2006-08-15 | International Business Machines Corporation | Apparatus and method for security object enhancement and management |
| US7472342B2 (en) * | 2001-10-24 | 2008-12-30 | Bea Systems, Inc. | System and method for portal page layout |
| US7103773B2 (en) * | 2001-10-26 | 2006-09-05 | Hewlett-Packard Development Company, L.P. | Message exchange in an information technology network |
| DE60130902T2 (en) * | 2001-11-23 | 2008-07-17 | Protegrity Research & Development | Method for detecting intrusion into a database system |
| US7562232B2 (en) | 2001-12-12 | 2009-07-14 | Patrick Zuili | System and method for providing manageability to security information for secured items |
| US7565683B1 (en) | 2001-12-12 | 2009-07-21 | Weiqing Huang | Method and system for implementing changes to security policies in a distributed security system |
| US7681034B1 (en) | 2001-12-12 | 2010-03-16 | Chang-Ping Lee | Method and apparatus for securing electronic data |
| US7260555B2 (en) | 2001-12-12 | 2007-08-21 | Guardian Data Storage, Llc | Method and architecture for providing pervasive security to digital assets |
| US10360545B2 (en) | 2001-12-12 | 2019-07-23 | Guardian Data Storage, Llc | Method and apparatus for accessing secured electronic data off-line |
| US7783765B2 (en) | 2001-12-12 | 2010-08-24 | Hildebrand Hal S | System and method for providing distributed access control to secured documents |
| US8006280B1 (en) | 2001-12-12 | 2011-08-23 | Hildebrand Hal S | Security system for generating keys from access rules in a decentralized manner and methods therefor |
| US7478418B2 (en) | 2001-12-12 | 2009-01-13 | Guardian Data Storage, Llc | Guaranteed delivery of changes to security policies in a distributed system |
| US7930756B1 (en) | 2001-12-12 | 2011-04-19 | Crocker Steven Toye | Multi-level cryptographic transformations for securing digital assets |
| US8065713B1 (en) | 2001-12-12 | 2011-11-22 | Klimenty Vainstein | System and method for providing multi-location access management to secured items |
| US7178033B1 (en) | 2001-12-12 | 2007-02-13 | Pss Systems, Inc. | Method and apparatus for securing digital assets |
| US7921284B1 (en) | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
| US7631184B2 (en) | 2002-05-14 | 2009-12-08 | Nicholas Ryan | System and method for imposing security on copies of secured items |
| US10033700B2 (en) | 2001-12-12 | 2018-07-24 | Intellectual Ventures I Llc | Dynamic evaluation of access rights |
| USRE41546E1 (en) | 2001-12-12 | 2010-08-17 | Klimenty Vainstein | Method and system for managing security tiers |
| US7921288B1 (en) | 2001-12-12 | 2011-04-05 | Hildebrand Hal S | System and method for providing different levels of key security for controlling access to secured items |
| US7380120B1 (en) | 2001-12-12 | 2008-05-27 | Guardian Data Storage, Llc | Secured data format for access control |
| US7921450B1 (en) | 2001-12-12 | 2011-04-05 | Klimenty Vainstein | Security system using indirect key generation from access rules and methods therefor |
| US7350226B2 (en) * | 2001-12-13 | 2008-03-25 | Bea Systems, Inc. | System and method for analyzing security policies in a distributed computer network |
| US7950066B1 (en) | 2001-12-21 | 2011-05-24 | Guardian Data Storage, Llc | Method and system for restricting use of a clipboard application |
| US8176334B2 (en) | 2002-09-30 | 2012-05-08 | Guardian Data Storage, Llc | Document security system that permits external users to gain access to secured files |
| US8613102B2 (en) | 2004-03-30 | 2013-12-17 | Intellectual Ventures I Llc | Method and system for providing document retention using cryptography |
| US7748045B2 (en) * | 2004-03-30 | 2010-06-29 | Michael Frederick Kenrich | Method and system for providing cryptographic document retention with off-line access |
| AU2003239326A1 (en) * | 2002-05-01 | 2003-11-17 | Bea Systems, Inc. | Enterprise application platform |
| US7725560B2 (en) * | 2002-05-01 | 2010-05-25 | Bea Systems Inc. | Web service-enabled portlet wizard |
| US20040010598A1 (en) * | 2002-05-01 | 2004-01-15 | Bea Systems, Inc. | Portal setup wizard |
| US20040022390A1 (en) * | 2002-08-02 | 2004-02-05 | Mcdonald Jeremy D. | System and method for data protection and secure sharing of information over a computer network |
| US7512810B1 (en) | 2002-09-11 | 2009-03-31 | Guardian Data Storage Llc | Method and system for protecting encrypted files transmitted over a network |
| US7836310B1 (en) | 2002-11-01 | 2010-11-16 | Yevgeniy Gutnik | Security system that uses indirect password-based encryption |
| US7890990B1 (en) | 2002-12-20 | 2011-02-15 | Klimenty Vainstein | Security system with staging capabilities |
| US7577838B1 (en) | 2002-12-20 | 2009-08-18 | Alain Rossmann | Hybrid systems for securing digital assets |
| US7591000B2 (en) | 2003-02-14 | 2009-09-15 | Oracle International Corporation | System and method for hierarchical role-based entitlements |
| US6917975B2 (en) * | 2003-02-14 | 2005-07-12 | Bea Systems, Inc. | Method for role and resource policy management |
| US7653930B2 (en) | 2003-02-14 | 2010-01-26 | Bea Systems, Inc. | Method for role and resource policy management optimization |
| US8831966B2 (en) | 2003-02-14 | 2014-09-09 | Oracle International Corporation | Method for delegated administration |
| US7483904B2 (en) * | 2003-02-20 | 2009-01-27 | Bea Systems, Inc. | Virtual repository content model |
| US7415478B2 (en) | 2003-02-20 | 2008-08-19 | Bea Systems, Inc. | Virtual repository complex content model |
| US7293286B2 (en) | 2003-02-20 | 2007-11-06 | Bea Systems, Inc. | Federated management of content repositories |
| US7562298B2 (en) * | 2003-02-20 | 2009-07-14 | Bea Systems, Inc. | Virtual content repository browser |
| US7840614B2 (en) * | 2003-02-20 | 2010-11-23 | Bea Systems, Inc. | Virtual content repository application program interface |
| US7810036B2 (en) | 2003-02-28 | 2010-10-05 | Bea Systems, Inc. | Systems and methods for personalizing a portal |
| US20040230917A1 (en) * | 2003-02-28 | 2004-11-18 | Bales Christopher E. | Systems and methods for navigating a graphical hierarchy |
| US20040230557A1 (en) * | 2003-02-28 | 2004-11-18 | Bales Christopher E. | Systems and methods for context-sensitive editing |
| US8707034B1 (en) | 2003-05-30 | 2014-04-22 | Intellectual Ventures I Llc | Method and system for using remote headers to secure electronic files |
| US10339336B2 (en) | 2003-06-11 | 2019-07-02 | Oracle International Corporation | Method and apparatus for encrypting database columns |
| US7730543B1 (en) | 2003-06-30 | 2010-06-01 | Satyajit Nath | Method and system for enabling users of a group shared across multiple file security systems to access secured files |
| JP2005050286A (en) * | 2003-07-31 | 2005-02-24 | Fujitsu Ltd | Network-node machine and information network system |
| US7555558B1 (en) | 2003-08-15 | 2009-06-30 | Michael Frederick Kenrich | Method and system for fault-tolerant transfer of files across a network |
| US8127366B2 (en) | 2003-09-30 | 2012-02-28 | Guardian Data Storage, Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
| US7703140B2 (en) | 2003-09-30 | 2010-04-20 | Guardian Data Storage, Llc | Method and system for securing digital assets using process-driven security policies |
| US20050097353A1 (en) * | 2003-10-10 | 2005-05-05 | Bea Systems, Inc. | Policy analysis tool |
| US20050097352A1 (en) * | 2003-10-10 | 2005-05-05 | Bea Systems, Inc. | Embeddable security service module |
| US7644432B2 (en) * | 2003-10-10 | 2010-01-05 | Bea Systems, Inc. | Policy inheritance through nested groups |
| US20050251851A1 (en) * | 2003-10-10 | 2005-11-10 | Bea Systems, Inc. | Configuration of a distributed security system |
| US20050102536A1 (en) * | 2003-10-10 | 2005-05-12 | Bea Systems, Inc. | Dynamically configurable distributed security system |
| US20050262362A1 (en) * | 2003-10-10 | 2005-11-24 | Bea Systems, Inc. | Distributed security system policies |
| US20050086531A1 (en) * | 2003-10-20 | 2005-04-21 | Pss Systems, Inc. | Method and system for proxy approval of security changes for a file security system |
| US20050138371A1 (en) * | 2003-12-19 | 2005-06-23 | Pss Systems, Inc. | Method and system for distribution of notifications in file security systems |
| US7702909B2 (en) * | 2003-12-22 | 2010-04-20 | Klimenty Vainstein | Method and system for validating timestamps |
| US20050203921A1 (en) * | 2004-03-11 | 2005-09-15 | Newman Aaron C. | System for protecting database applications from unauthorized activity |
| US8782405B2 (en) * | 2004-03-18 | 2014-07-15 | International Business Machines Corporation | Providing transaction-level security |
| US7774601B2 (en) | 2004-04-06 | 2010-08-10 | Bea Systems, Inc. | Method for delegated administration |
| US20050240714A1 (en) * | 2004-04-13 | 2005-10-27 | Bea Systems, Inc. | System and method for virtual content repository deployment |
| US7236989B2 (en) * | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for providing lifecycles for custom content in a virtual content repository |
| US7475091B2 (en) * | 2004-04-13 | 2009-01-06 | Bea Systems, Inc. | System and method for viewing a virtual content repository |
| US20050228816A1 (en) * | 2004-04-13 | 2005-10-13 | Bea Systems, Inc. | System and method for content type versions |
| US7580953B2 (en) | 2004-04-13 | 2009-08-25 | Bea Systems, Inc. | System and method for schema lifecycles in a virtual content repository that integrates a plurality of content repositories |
| US7162504B2 (en) * | 2004-04-13 | 2007-01-09 | Bea Systems, Inc. | System and method for providing content services to a repository |
| US7240076B2 (en) | 2004-04-13 | 2007-07-03 | Bea Systems, Inc. | System and method for providing a lifecycle for information in a virtual content repository |
| US7246138B2 (en) * | 2004-04-13 | 2007-07-17 | Bea Systems, Inc. | System and method for content lifecycles in a virtual content repository that integrates a plurality of content repositories |
| US20060028252A1 (en) * | 2004-04-13 | 2006-02-09 | Bea Systems, Inc. | System and method for content type management |
| US7236975B2 (en) * | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for controlling access to anode in a virtual content repository that integrates a plurality of content repositories |
| US7236990B2 (en) * | 2004-04-13 | 2007-06-26 | Bea Systems, Inc. | System and method for information lifecycle workflow integration |
| US20050228784A1 (en) * | 2004-04-13 | 2005-10-13 | Bea Systems, Inc. | System and method for batch operations in a virtual content repository |
| US8661332B2 (en) * | 2004-04-30 | 2014-02-25 | Microsoft Corporation | Method and apparatus for document processing |
| US7383500B2 (en) | 2004-04-30 | 2008-06-03 | Microsoft Corporation | Methods and systems for building packages that contain pre-paginated documents |
| US7392533B2 (en) * | 2004-05-19 | 2008-06-24 | Microsoft Corporation | System and method for management of a componentized electronic document retrievable over a network |
| US7681042B2 (en) * | 2004-06-17 | 2010-03-16 | Eruces, Inc. | System and method for dis-identifying sensitive information and associated records |
| JP4527605B2 (en) * | 2004-06-21 | 2010-08-18 | 三星エスディアイ株式会社 | Electrolytic solution for lithium ion secondary battery and lithium ion secondary battery including the same |
| US7707427B1 (en) | 2004-07-19 | 2010-04-27 | Michael Frederick Kenrich | Multi-level file digests |
| WO2007001328A2 (en) * | 2004-07-29 | 2007-01-04 | Infoassure, Inc. | Information-centric security |
| DE102004063964B4 (en) * | 2004-10-20 | 2010-12-16 | Vita-X Ag | computer system |
| US20070174271A1 (en) * | 2005-02-18 | 2007-07-26 | Ulf Mattsson | Database system with second preprocessor and method for accessing a database |
| CN101204036A (en) * | 2005-04-25 | 2008-06-18 | 泰克塞科公司 | Encryption treatment and operational control with tape label data cell |
| US20060282681A1 (en) * | 2005-05-27 | 2006-12-14 | Scheidt Edward M | Cryptographic configuration control |
| US8176410B1 (en) * | 2005-09-13 | 2012-05-08 | Adobe Systems Incorporated | System and/or method for content cropping |
| US7752205B2 (en) | 2005-09-26 | 2010-07-06 | Bea Systems, Inc. | Method and system for interacting with a virtual content repository |
| US7483893B2 (en) | 2005-09-26 | 2009-01-27 | Bae Systems, Inc. | System and method for lightweight loading for managing content |
| US7917537B2 (en) | 2005-09-26 | 2011-03-29 | Oracle International Corporation | System and method for providing link property types for content management |
| US7953734B2 (en) * | 2005-09-26 | 2011-05-31 | Oracle International Corporation | System and method for providing SPI extensions for content management system |
| US7818344B2 (en) | 2005-09-26 | 2010-10-19 | Bea Systems, Inc. | System and method for providing nested types for content management |
| US20070079117A1 (en) * | 2005-10-04 | 2007-04-05 | Bhogal Kulvir S | Method for passing selectively encrypted attributes of specific versions of objects in a distributed system |
| WO2007096890A2 (en) * | 2006-02-27 | 2007-08-30 | Sentrigo Inc. | Device, system and method of database security |
| US8127145B2 (en) * | 2006-03-23 | 2012-02-28 | Harris Corporation | Computer architecture for an electronic device providing a secure file system |
| US8041947B2 (en) * | 2006-03-23 | 2011-10-18 | Harris Corporation | Computer architecture for an electronic device providing SLS access to MLS file system with trusted loading and protection of program execution memory |
| US8060744B2 (en) * | 2006-03-23 | 2011-11-15 | Harris Corporation | Computer architecture for an electronic device providing single-level secure access to multi-level secure file system |
| US7979714B2 (en) * | 2006-06-02 | 2011-07-12 | Harris Corporation | Authentication and access control device |
| US8463852B2 (en) | 2006-10-06 | 2013-06-11 | Oracle International Corporation | Groupware portlets for integrating a portal with groupware systems |
| US8127133B2 (en) * | 2007-01-25 | 2012-02-28 | Microsoft Corporation | Labeling of data objects to apply and enforce policies |
| US8904391B2 (en) * | 2007-04-23 | 2014-12-02 | International Business Machines Corporation | Policy-based access control approach to staff activities of a business process |
| US20100031321A1 (en) | 2007-06-11 | 2010-02-04 | Protegrity Corporation | Method and system for preventing impersonation of computer system user |
| US8063737B2 (en) * | 2007-06-25 | 2011-11-22 | WidePoint Corporation | Emergency responder credentialing system and method |
| US8566942B2 (en) * | 2009-09-23 | 2013-10-22 | Mcafee, Inc. | System, method, and computer program product for tracking the migration of objects to determine whether to perform a network based check |
| US8856530B2 (en) | 2011-09-21 | 2014-10-07 | Onyx Privacy, Inc. | Data storage incorporating cryptographically enhanced data protection |
| US9529996B2 (en) | 2011-10-11 | 2016-12-27 | Citrix Systems, Inc. | Controlling mobile device access to enterprise resources |
| US9280377B2 (en) | 2013-03-29 | 2016-03-08 | Citrix Systems, Inc. | Application with multiple operation modes |
| US8910239B2 (en) | 2012-10-15 | 2014-12-09 | Citrix Systems, Inc. | Providing virtualized private network tunnels |
| US9971585B2 (en) | 2012-10-16 | 2018-05-15 | Citrix Systems, Inc. | Wrapping unmanaged applications on a mobile device |
| US9170800B2 (en) | 2012-10-16 | 2015-10-27 | Citrix Systems, Inc. | Application wrapping for application management framework |
| EP2725554A1 (en) * | 2012-10-23 | 2014-04-30 | Thomson Licensing | Methods and devices for optimising rendering of an encrypted 3d graphical object |
| WO2014177938A2 (en) | 2013-03-15 | 2014-11-06 | Assa Abloy Ab | Digital credential with embedded authentication instructions |
| US10284627B2 (en) | 2013-03-29 | 2019-05-07 | Citrix Systems, Inc. | Data management for an application with multiple operation modes |
| US9985850B2 (en) | 2013-03-29 | 2018-05-29 | Citrix Systems, Inc. | Providing mobile device management functionalities |
| US9355223B2 (en) | 2013-03-29 | 2016-05-31 | Citrix Systems, Inc. | Providing a managed browser |
| US9928380B2 (en) * | 2013-05-07 | 2018-03-27 | International Business Machines Corporation | Managing file usage |
| US10078759B1 (en) * | 2018-01-19 | 2018-09-18 | Griffin Group Global, LLC | System and method for data sharing via a data structure having different-scheme-derived portions |
| US10068099B1 (en) * | 2018-01-19 | 2018-09-04 | Griffin Group Global, LLC | System and method for providing a data structure having different-scheme-derived portions |
| WO2019143931A1 (en) * | 2018-01-19 | 2019-07-25 | Griffin Group Global, LLC | System and method for providing a prediction-based data structure having different-scheme-derived portions |
| PT115479B (en) | 2019-04-29 | 2021-09-15 | Mediceus Dados De Saude Sa | COMPUTER SYSTEM AND METHOD OF OPERATION TO MANAGE ANNIMIZED PERSONAL DATA |
| US11509459B2 (en) | 2019-05-10 | 2022-11-22 | Conduent Business Services, Llc | Secure and robust decentralized ledger based data management |
Family Cites Families (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4218582A (en) * | 1977-10-06 | 1980-08-19 | The Board Of Trustees Of The Leland Stanford Junior University | Public key cryptographic apparatus and method |
| US4405829A (en) * | 1977-12-14 | 1983-09-20 | Massachusetts Institute Of Technology | Cryptographic communications system and method |
| US4424414A (en) * | 1978-05-01 | 1984-01-03 | Board Of Trustees Of The Leland Stanford Junior University | Exponentiation cryptographic apparatus and method |
| US4713753A (en) * | 1985-02-21 | 1987-12-15 | Honeywell Inc. | Secure data processing system architecture with format control |
| US4864616A (en) * | 1987-10-15 | 1989-09-05 | Micronyx, Inc. | Cryptographic labeling of electronically stored data |
| JPH0622345B2 (en) * | 1988-01-14 | 1994-03-23 | 東京電力株式会社 | Mobile communication system |
| US4984272A (en) * | 1988-11-30 | 1991-01-08 | At&T Bell Laboratories | Secure file handling in a computer operating system |
| US4962533A (en) * | 1989-02-17 | 1990-10-09 | Texas Instrument Incorporated | Data protection for computer systems |
| US5191611A (en) * | 1989-04-03 | 1993-03-02 | Lang Gerald S | Method and apparatus for protecting material on storage media and for transferring material on storage media to various recipients |
| US5065429A (en) * | 1989-04-03 | 1991-11-12 | Lang Gerald S | Method and apparatus for protecting material on storage media |
| US5052040A (en) * | 1990-05-25 | 1991-09-24 | Micronyx, Inc. | Multiple user stored data cryptographic labeling system and method |
| US5204961A (en) * | 1990-06-25 | 1993-04-20 | Digital Equipment Corporation | Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols |
| US5369707A (en) * | 1993-01-27 | 1994-11-29 | Tecsec Incorporated | Secure network method and apparatus |
| US5369702A (en) * | 1993-10-18 | 1994-11-29 | Tecsec Incorporated | Distributed cryptographic object method |
| US5680452A (en) * | 1993-10-18 | 1997-10-21 | Tecsec Inc. | Distributed cryptographic object method |
-
1993
- 1993-10-18 US US08/138,857 patent/US5369702A/en not_active Expired - Lifetime
-
1994
- 1994-09-13 US US08/304,867 patent/US5717755A/en not_active Expired - Lifetime
- 1994-10-17 CA CA002118297A patent/CA2118297C/en not_active Expired - Lifetime
-
1997
- 1997-09-10 US US08/927,043 patent/US5898781A/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| US5717755A (en) | 1998-02-10 |
| US5898781A (en) | 1999-04-27 |
| US5369702A (en) | 1994-11-29 |
| CA2118297A1 (en) | 1995-04-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2118297C (en) | Distributed cryptographic object method | |
| US5680452A (en) | Distributed cryptographic object method | |
| US10382406B2 (en) | Method and system for digital rights management of documents | |
| Blaze | Key Management in an Encrypting File System. | |
| US8683223B2 (en) | Selective encryption within documents | |
| US5369707A (en) | Secure network method and apparatus | |
| US6668321B2 (en) | Verification of identity of participant in electronic communication | |
| US8630421B2 (en) | Cryptographic key backup and escrow system | |
| US7873168B2 (en) | Secret information management apparatus and secret information management system | |
| KR101296195B1 (en) | A method for controlling access to file systems, related system, SIM card and computer program product for use therein | |
| US20040022390A1 (en) | System and method for data protection and secure sharing of information over a computer network | |
| KR20020041809A (en) | Multiple encryption of a single document providing multiple level access privileges | |
| EP0885417A2 (en) | Access control/crypto system | |
| JPH09179768A (en) | File ciphering system and file deciphering system | |
| US20040190722A1 (en) | Encrypted content recovery | |
| Hughes et al. | A universal access, smart-card-based, secure file system | |
| JP2003271782A (en) | Personal information management system | |
| Ito et al. | Group cipher system for intranet security | |
| WO2023069444A1 (en) | Personal data protection | |
| Prevelakis et al. | Controlling the dissemination of electronic documents | |
| Adamouski | Encryption technology other than PKI | |
| Ballenger | Modeling security in local area networks | |
| Epstein et al. | Using fortezza for transparent file encryption | |
| Zadeh | Cryptography on the Internet | |
| MALIK | Data Protection and Security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20141017 |