EP1618700A2 - Server-based cryptography - Google Patents

Server-based cryptography

Publication number
EP1618700A2
Authority
EP
European Patent Office
Prior art keywords
descriptors
descriptor
server
node
token
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP04750211A
Other languages
German (de)
French (fr)
Other versions
EP1618700A4 (en)
Inventor
Edward M. Scheidt
C. Jay Wack
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tecsec Inc
Original Assignee
Tecsec Inc
Priority claimed from US10/418,312 (external priority, patent US7539855B1)
Application filed by Tecsec Inc
Publication of EP1618700A2
Publication of EP1618700A4

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]

Definitions

  • the present invention relates to data security, key management, and server-based cryptography.
  • the traditional cryptographic usage has been limited to point to point, box-to-box, and/or user-to-user implementations.
  • the basic elements of cryptography are the algorithm (the mathematical transposition or substitution of numbers in a defined manner); and the key management scheme, that is, the system by which keys are created, transported, used, tracked, and destroyed.
  • implementing cryptographic security over such information can require that each of a myriad of nodes or end-users possesses the cryptographic means to independently access encrypted information.
  • numerous end-users can possess the same cryptographic means to independently access (or decrypt) encrypted data.
  • this type of scheme suffers from at least one significant problem. As the number of end-users increases, the likelihood of unauthorized access to a single implementation of such cryptographic means also increases. And where such means includes all, or even most, of the pieces required to access encrypted data, wholesale compromise of the cryptographic scheme becomes easier. Therefore, it would be desirable to provide server-based cryptography so as to minimize such risk.
  • the present invention includes a cryptographic system and method, in which advantageous key management and/or server-based cryptographic schemes are advanced. Additionally, or alternatively, the present invention effectuates a virtual domain scheme. According to one exemplary embodiment, the present invention can be embodied in a method of securing data in a system comprising a server communicatively connected to a node.
  • the method can include acts of providing a set of descriptors associated with the data, where the set of descriptors comprises a first plurality of descriptors and a second plurality of descriptors, and each descriptor of the set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending said first key component from the node to the server; providing a working key by binding together, at the server, the first key component and the respective values of each of the second plurality of descriptors; and encrypting the data with the working key.
  • At least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon.
  • the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
  • the at least one descriptor of the set of descriptors can be provided by the server.
  • the present invention can be embodied in a method of securing data in a system comprising a server communicatively connected to a node.
  • the method can include acts of providing a set of descriptors associated with the data, where the set of descriptors comprises a first plurality of descriptors and at least one additional descriptor, and each descriptor of the set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending the first key component from the node to the server; providing a working key by binding together, at the server, the first key component and the respective values of each of the at least one additional descriptor; and encrypting the data with the working key.
  • At least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon.
  • the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
  • the at least one descriptor of the set of descriptors can be provided by the server.
  • the present invention can be embodied in a system for securing data, and includes a set of descriptors associated with the data, a node, and a server communicatively connected to the node.
  • the set of descriptors includes a first plurality of descriptors and a second plurality of descriptors, and each descriptor of the set of descriptors has a respective value associated therewith.
  • the node is adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors, while the server is adapted to receive the first key component from the node; to provide a working key by binding together the first key component and the respective values of each of the second plurality of descriptors; and to encrypt the data with the working key.
  • At least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon.
  • the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
  • the at least one descriptor of the set of descriptors can be provided by the server.
  • the present invention can be embodied in a system for securing data, and includes a set of descriptors associated with the data, a node, and a first server communicatively connected to the node.
  • the set of descriptors includes a first plurality of descriptors and at least one additional descriptor, and each descriptor of the set of descriptors has a respective value associated therewith.
  • the node is adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors, while the first server is adapted to receive the first key component from the node, to provide a working key by binding together the first key component and the respective values of each of the at least one additional descriptor, and to encrypt the data with the working key.
  • at least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon.
  • the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
  • at least one descriptor of the set of descriptors can be provided by the first server.
  • the system can further include a policy agent, and a plurality of servers comprising the first server and at least one additional server.
  • the at least one descriptor of the set of descriptors is provided by at least two servers of the plurality of servers, and the policy agent is adapted to control at least one of access to and use of the at least one descriptor according to a security policy.
  • Figure 1a shows an exemplary embodiment of the present invention, in which a system includes a set of descriptors, and a server communicatively connected to a node.
  • Figure 1b shows an exemplary instance of descriptors according to the present invention.
  • Figure 1c shows another exemplary instance of descriptors according to the present invention.
  • Figure 2a shows an exemplary method according to the present invention.
  • Figure 2b shows another exemplary method according to the present invention.
  • Figure 3 shows another exemplary aspect according to the present invention, in which secured communications between enterprises is effectuated via a virtual domain.
  • the present invention provides a means for controlling the access to and/or use of information by a user.
  • the present invention provides a key management solution that is partially located on a client side (or node) and partially located on a server side.
  • the present invention additionally provides the leveraging of cryptography in a virtual domain trust model. Accordingly, the information flow between members of a virtual domain can be enforced through virtual domain cryptography.
  • a virtual domain trust model can be established, for example, by two or more servers sharing parameters and keys.
  • Servers within this trust model can serve one or more roles, such as for example, providing key management (for example, key administration, key or key-data retention), centralizing security control over the virtual domain itself and/or members of the virtual domain, effectuating immediate revocation of a member or the domain itself, in whole or in part, effectuating inter- and intra-domain data scalability, managing databases, and managing security policies associated with identity, accountability, authorization, authentication, and/or access control.
  • a server can provide other servers and/or other domain members with a communication channel for maintaining a key management cycle in concert with an information process cycle.
  • a client-based model uses a server to establish a key management state for further processing, whether off-line or on-line. Accordingly, a virtual domain trust domain provides an efficient risk-to-cost ratio in effectuating a communications scheme bridging two or more servers.
  • a system 1 for securing data 14 can include a server 10; a node 12 communicatively connected to the server; and a set of descriptors 16 associated with data 14.
  • the node and server are communicatively connected via one or more wireless and/or hard-wired connections.
  • the set of descriptors 16 is associated with data 14.
  • the particular association technique employed is not necessarily limited to any particular technique(s), and therefore, any manner of association (logical and/or physical) within the scope of the invention can be employed, such as for example, indices, pointers, mapping, physical and/or logical organization, etc.
  • the set of descriptors 16 includes a first plurality of descriptors 17 and a second plurality of descriptors 18.
  • the set of descriptors 16 includes a first plurality of descriptors 17 and at least one additional descriptor 19.
  • each descriptor has a respective value (not shown) associated therewith.
  • a value is defined as one or more bits of information, and may or may not be unique to the particular descriptor associated therewith.
  • Node 12 is adapted to provide a first cryptographic key component by binding together the respective values of each of the first plurality of descriptors. Binding is defined as any method of creating a value from two or more data instances, such that the method will create the same value each time given the same two or more data instances.
  • the first key component is created from the first plurality of descriptors.
  • node 12 can employ the first key, in whole or in part, in a cryptographic action, such as for example, cryptographically securing information exchanges with server 10.
  • node 12 is adapted to send the first key to server 10, which can take place either in a direct transfer or an indirect transfer (for example, by physical transportation of a storage device to the server.)
  • at least one of the descriptors can be provided to node 12 by a user via a token having the at least one descriptor stored thereon.
  • a token is a portable memory storage device, such as a floppy disk, a smartcard, a Universal Serial Bus (“USB”) fob, a PCMCIA card, for example.
  • a token can include a plurality of descriptors and/or a credential set (at least one credential) assigned to a particular user.
  • a credential includes any combination of roles, rules, and permissions assigned to a user. Accordingly, a user's credential set can be used to define at least one of a readership level, an authorship level, and an access level of a particular user.
  • a credential, or portion thereof can be applied as a descriptor to particular data.
  • a user can optionally be given the opportunity to select one or more descriptors and/or credentials available to him/her, in which case specific constraints on the readership and/or use of the data can be defined by the user, with such constraints being defined, in whole or in part, by the selected descriptors.
  • data 14 can be a document written by a user, and can have a set of descriptors associated therewith.
  • a descriptor is one or more bits of information that describes data.
  • a descriptor can be associated with data 14 automatically or manually.
  • a descriptor can be based on or limited by one or more credentials.
  • Logic determines which descriptor(s) to associate with data, and can be provided by one or more users, default schemes, and artificial intelligence or data evaluation methodologies, including but not limited to, context-based language evaluation, statistical evaluation or content evaluation.
  • node 12 can include the token (where the token is communicatively connected to the node), and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token.
  • a token can be a smart card, a Personal Digital Assistant ("PDA"), or any other portable device that is capable of storing and providing information.
  • Server 10 is adapted to receive the first key component from node 12.
  • server 10 provides a working key by binding together the first key component and the respective values of each of the second plurality of descriptors.
  • server 10 provides the working key by binding together the first key component and the at least one additional descriptor 19. In either case, binding is defined the same as above.
  • server 10 encrypts data 14 using the working key, such that data 14 is now secured.
  • one or more servers exchange at least one domain cryptographic parameter and/or keys (not shown) to allow the creation of a virtual domain, which provides an established trust based on one or more policies corresponding to the parameters and/or keys.
  • server 10 provides one or more descriptors of the set of descriptors 16.
  • FIG. 2a illustrates an exemplary method, according to another exemplary embodiment of the present invention, of securing data in a system comprising a server communicatively connected to a node.
  • such a method can include acts of providing a set of descriptors in association with the data (210); providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors (220); sending the first key component from the node to the server (230); providing a working key by binding together, at the server, the first key component and the respective values of each of the second plurality of descriptors (240); and encrypting the data with the working key (250).
  • Figure 2b illustrates an alternative exemplary method, according to yet another exemplary embodiment of the present invention, of securing data in a system comprising a server communicatively connected to a node.
  • such a method can include acts of providing a set of descriptors in association with the data (210); providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors (220); sending the first key component from the node to the server (230); providing a working key by binding together, at the server, the first key component and the respective values of each of the at least one additional descriptor (240'); and encrypting the data with the working key (250).
  • At least one descriptor of the set of descriptors can be provided by a user via a token having the at least one descriptor stored thereon.
  • the node includes the token, and the act of providing the first key component (220) is performed, at least in part, on the token.
  • the node includes a token, and the act of providing the first key component (220) is performed, at least in part, on the token.
  • At least one descriptor of the set of descriptors is provided by the server.

Abstract

A system for securing data includes a set of descriptors associated with data, a node, and a server. The set of descriptors include a first group of descriptors, and at least one additional descriptor. Each descriptor has a respective, associated value. The node provides a first component by binding together the respective values of each of the first group of descriptors. The server receives the first component from the node, provides a key by binding together the first component and the respective values of each of the additional descriptor, and encrypts the data with the key. The user (via a token) and/or the server can provide at least one of the descriptors. At least one server can establish a trusted cryptographic virtual domain that exhibits an established trust based on the descriptors that are policy enforced.

Description

SERVER-BASED CRYPTOGRAPHY
Cross-Reference to Related Applications
This disclosure claims the priority benefit of, and incorporates by reference in its entirety, U.S. Provisional Patent Application Ser. No. 60/373,132, filed on April 17, 2002. Additionally, this disclosure is related to, and incorporates by reference in their entireties, USPN 5,375,169, entitled "Cryptographic Key Management Method and Apparatus," and issued on December 20, 1994 to SCHEIDT et al.; and USPN 5,787,173, entitled "Cryptographic Key Management Method and Apparatus," and issued on July 28, 1998 to SCHEIDT et al.
Field of the Invention
The present invention relates to data security, key management, and server-based cryptography.
Background of the Invention
In recent years, as distributed processing and open architectures have become more widely employed, it has become apparent that the idea of defining a point-to-point relationship can be overwhelming and nearly impossible. The Internet was designed to afford connectivity; the term "point of presence" was coined because everyone on the Internet is connected to everyone else.
The traditional cryptographic usage has been limited to point to point, box-to-box, and/or user-to-user implementations. In these scenarios, the basic elements of cryptography are the algorithm (the mathematical transposition or substitution of numbers in a defined manner); and the key management scheme, that is, the system by which keys are created, transported, used, tracked, and destroyed.
In the world of digital cryptography, there are not very many key management schemes from which to choose. The first modern scheme was based on private keys (symmetric), in which two or more participants share a single key. Several decades ago, a British mathematician discovered a prime number relationship that allowed the utilization of one number (key) to encrypt and another to decrypt (asymmetric). This key pair relationship is the basis for public/private key cryptography. However, key management schemes can suffer from a significant deficiency. The movement of cryptographic keys from sender to receiver can become exceedingly difficult when attempting to achieve a finer, more precise separation of information. Therefore, it would be desirable to provide a more efficient key management scheme that still allows for data separation.
Further, in one-to-many information distribution environments, such as a server/client arrangement, implementing cryptographic security over such information can require that each of a myriad of nodes or end-users possesses the cryptographic means to independently access encrypted information. For example, numerous end-users can possess the same cryptographic means to independently access (or decrypt) encrypted data. However, this type of scheme suffers from at least one significant problem. As the number of end-users increases, the likelihood of unauthorized access to a single implementation of such cryptographic means also increases. And where such means includes all, or even most, of the pieces required to access encrypted data, wholesale compromise of the cryptographic scheme becomes easier. Therefore, it would be desirable to provide server-based cryptography so as to minimize such risk.
Brief Summary of the Invention
The present invention includes a cryptographic system and method, in which advantageous key management and/or server-based cryptographic schemes are advanced. Additionally, or alternatively, the present invention effectuates a virtual domain scheme. According to one exemplary embodiment, the present invention can be embodied in a method of securing data in a system comprising a server communicatively connected to a node. Accordingly, the method can include acts of providing a set of descriptors associated with the data, where the set of descriptors comprises a first plurality of descriptors and a second plurality of descriptors, and each descriptor of the set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending said first key component from the node to the server; providing a working key by binding together, at the server, the first key component and the respective values of each of the second plurality of descriptors; and encrypting the data with the working key. According to an optional exemplary aspect of the invention, at least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon. Additionally, or alternatively, the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
According to yet another exemplary aspect of the invention, the at least one descriptor of the set of descriptors can be provided by the server. According to another exemplary embodiment, the present invention can be embodied in a method of securing data in a system comprising a server communicatively connected to a node. Accordingly, the method can include acts of providing a set of descriptors associated with the data, where the set of descriptors comprises a first plurality of descriptors and at least one additional descriptor, and each descriptor of the set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending the first key component from the node to the server; providing a working key by binding together, at the server, the first key component and the respective values of each of the at least one additional descriptor; and encrypting the data with the working key.
According to an optional exemplary aspect of the invention, at least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon. Additionally, or alternatively, the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
According to yet another exemplary aspect of the invention, the at least one descriptor of the set of descriptors can be provided by the server. According to a further exemplary embodiment, the present invention can be embodied in a system for securing data, and includes a set of descriptors associated with the data, a node, and a server communicatively connected to the node. The set of descriptors includes a first plurality of descriptors and a second plurality of descriptors, and each descriptor of the set of descriptors has a respective value associated therewith. The node is adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors, while the server is adapted to receive the first key component from the node; to provide a working key by binding together the first key component and the respective values of each of the second plurality of descriptors; and to encrypt the data with the working key.
According to an optional exemplary aspect of the invention, at least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon. Additionally, or alternatively, the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token.
According to yet another exemplary aspect of the invention, the at least one descriptor of the set of descriptors can be provided by the server.
According to still yet another exemplary embodiment, the present invention can be embodied in a system for securing data, and includes a set of descriptors associated with the data, a node, and a first server communicatively connected to the node. The set of descriptors includes a first plurality of descriptors and at least one additional descriptor, and each descriptor of the set of descriptors has a respective value associated therewith. The node is adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors, while the first server is adapted to receive the first key component from the node, to provide a working key by binding together the first key component and the respective values of each of the at least one additional descriptor, and to encrypt the data with the working key. According to an optional exemplary aspect of the invention, at least one descriptor of the set of descriptors can be provided by the user via a token having the at least one descriptor stored thereon. Additionally, or alternatively, the node can include the token (where the token is communicatively connected to the node), and providing the first key component can be performed, at least in part, on the token. According to yet another exemplary aspect of the invention, at least one descriptor of the set of descriptors can be provided by the first server.
According to still yet another exemplary aspect of the invention, the system can further include a policy agent, and a plurality of servers comprising the first server and at least one additional server. The at least one descriptor of the set of descriptors is provided by at least two servers of the plurality of servers, and the policy agent is adapted to control at least one of access to and use of the at least one descriptor according to a security policy.
Brief Description of the Drawings
The present invention is illustrated by way of example and not in limitation in the figures of the accompanying drawings, in which:
Figure 1a shows an exemplary embodiment of the present invention, in which a system includes a set of descriptors, and a server communicatively connected to a node.
Figure 1b shows an exemplary instance of descriptors according to the present invention.
Figure 1c shows another exemplary instance of descriptors according to the present invention.
Figure 2a shows an exemplary method according to the present invention.
Figure 2b shows another exemplary method according to the present invention.
Figure 3 shows another exemplary aspect according to the present invention, in which secured communications between enterprises is effectuated via a virtual domain.
Detailed Description of the Invention
The present invention provides a means for controlling the access to and/or use of information by a user. To accomplish this, the present invention provides a key management solution that is partially located on a client side (or node) and partially located on a server side. The present invention additionally provides the leveraging of cryptography in a virtual domain trust model. Accordingly, the information flow between members of a virtual domain can be enforced through virtual domain cryptography. A virtual domain trust model can be established, for example, by two or more servers sharing parameters and keys. Servers within this trust model can serve one or more roles, such as for example, providing key management (for example, key administration, key or key-data retention), centralizing security control over the virtual domain itself and/or members of the virtual domain, effectuating immediate revocation of a member or the domain itself, in whole or in part, effectuating inter- and intra-domain data scalability, managing databases, and managing security policies associated with identity, accountability, authorization, authentication, and/or access control. Additionally, optionally, a server can provide other servers and/or other domain members with a communication channel for maintaining a key management cycle in concert with an information process cycle. Also, optionally, a client-based model uses a server to establish a key management state for further processing, whether off-line or on-line. Accordingly, a virtual domain trust domain provides an efficient risk-to-cost ratio in effectuating a communications scheme bridging two or more servers.
Reference is now made to Figure 1a, which shows a system according to an exemplary embodiment of the present invention. As shown in Figure 1a, a system 1 for securing data 14 can include a server 10; a node 12 communicatively connected to the server; and a set of descriptors 16 associated with data 14. The node and server are communicatively connected via one or more wireless and/or hard-wired connections. As shown in Figure 1a, the set of descriptors 16 is associated with data 14. Notably, the particular association technique employed is not necessarily limited to any particular technique(s), and therefore, any manner of association (logical and/or physical) within the scope of the invention can be employed, such as for example, indices, pointers, mapping, physical and/or logical organization, etc. As shown in Figure 1b, in one exemplary embodiment of the present invention the set of descriptors 16 includes a first plurality of descriptors 17 and a second plurality of descriptors 18. As shown in Figure 1c, in another exemplary embodiment of the present invention, the set of descriptors 16 includes a first plurality of descriptors 17 and at least one additional descriptor 19. In either embodiment, each descriptor has a respective value (not shown) associated therewith. A value is defined as one or more bits of information, and may or may not be unique to the particular descriptor associated therewith.
Node 12 is adapted to provide a first cryptographic key component by binding together the respective values of each of the first plurality of descriptors. Binding is defined as any method of creating a value from two or more data instances, such that the method will create the same value each time given the same two or more data instances. Here, the first key component is created from the first plurality of descriptors. Optionally, node 12 can employ the first key, in whole or in part, in a cryptographic action, such as for example, cryptographically securing information exchanges with server 10.
Further, node 12 is adapted to send the first key to server 10, which can take place either in a direct transfer or an indirect transfer (for example, by physical transportation of a storage device to the server.) According to an optional exemplary aspect of the invention, at least one of the descriptors can be provided to node 12 by a user via a token having the at least one descriptor stored thereon. A token is a portable memory storage device, such as a floppy disk, a smartcard, a Universal Serial Bus ("USB") fob, a PCMCIA card, for example. In yet another exemplary aspect of the invention, a token can include a plurality of descriptors and/or a credential set (at least one credential) assigned to a particular user. A credential includes any combination of roles, rules, and permissions assigned to a user. Accordingly, a user's credential set can be used to define at least one of a readership level, an authorship level, and an access level of a particular user. Here, a credential, or portion thereof, can be applied as a descriptor to particular data.
Additionally, a user can optionally be given the opportunity to select one or more descriptors and/or credentials available to him/her, in which case specific constraints on the readership and/or use of the data can be defined by the user, with such constraints being defined, in whole or in part, by the selected descriptors.
For example, data 14 can be a document written by a user, and can have a set of descriptors associated therewith. A descriptor is one or more bits of information that describes data. A descriptor can be associated with data 14 automatically or manually. A descriptor can be based on or limited by one or more credentials. Logic determines which descriptor(s) to associate with data, and can be provided by one or more users, default schemes, and artificial intelligence or data evaluation methodologies, including but not limited to, context-based language evaluation, statistical evaluation or content evaluation. For example, the following are illustrative descriptors of data (a document):
1. a corporate document;
2. associated with program alpha;
3. contains corporate financial data;
4. is budgetary in nature;
5. readership and modifiability requires Executive Access Level;
6. limited to "read only" access by anyone except the author;
7. non-transferable after the initial transfer;
8. non-savable to disk by anyone other than the author;
9. a signature value of the author;
10. unique value of the server;
11. server unique identifier for the document movement;
12. node or token unique identifier;
13. client unique identifier for the document;
14. a value to associate with any spawned version of the original document;
15. time and/or date stamp from the server on the transaction and assignment of values and descriptors;
16. default descriptors;
17. system required descriptors; and
18. any other descriptors required or desired.
Additionally, or alternatively, node 12 can include the token (where the token is communicatively connected to the node), and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token. This latter aspect can be highly desirable, as execution of the binding function on the token can heighten the security of the cryptographic scheme by executing this binding process in a secured processing environment. Thus, here a token can be a smart card, a Personal Digital Assistant ("PDA"), or any other portable device that is capable of storing and providing information.
Server 10 is adapted to receive the first key component from node 12. Additionally, server 10 provides a working key by binding together the first key component and the respective values of each of the second plurality of descriptors. Alternatively, server 10 provides the working key by binding together the first key component and the at least one additional descriptor 19. In either case, binding is defined the same as above. Next, server 10 encrypts data 14 using the working key, such that data 14 is now secured.
According to still yet another exemplary aspect of the invention, one or more servers exchange at least one domain cryptographic parameter and/or keys (not shown) to allow the creation of a virtual domain, which provides an established trust based on one or more policies corresponding to the parameters and/or keys.
In a further exemplary aspect of the invention, optionally server 10 provides one or more descriptors of the set of descriptors 16.
Once secured, access to and/or use of data 14 will require that anyone seeking such access and/or use must possess and/or have access to the appropriate descriptors required. It should be noted that each and every descriptor initially used in securing data 14 is not necessarily required for subsequent access and/or use of data 14 once secured. Thus, the same, equivalent, and/or higher-ranking descriptors can be required for such access and/or use. Optionally, a descriptor hierarchy can be provided. These descriptor relationships can provide highly advantageous flexibility in effectuating a secured data distribution environment.
Figure 2a illustrates an exemplary method, according to another exemplary embodiment of the present invention, of securing data in a system comprising a server communicatively connected to a node. Accordingly, such a method can include acts of providing a set of descriptors in association with the data (210); providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors (220); sending the first key component from the node to the server (230); providing a working key by binding together, at the server, the first key component and the respective values of each of the second plurality of descriptors (240); and encrypting the data with the working key (250).
Figure 2b illustrates an alternative exemplary method, according to yet another exemplary embodiment of the present invention, of securing data in a system comprising a server communicatively connected to a node. Accordingly, such a method can include acts of providing a set of descriptors in association with the data (210); providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors (220); sending the first key component from the node to the server (230); providing a working key by binding together, at the server, the first key component and the respective values of each of the at least one additional descriptor (240'); and encrypting the data with the working key (250).
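Acts 220 through 240 above can be sketched as a two-stage deterministic derivation. This is an added example, not code from the patent: the patent does not name a binding function, so SHA-256 and HMAC-SHA256 over a length-prefixed encoding are assumptions, as are the function names, stage labels and sample descriptor values. Act 250 is left to whatever cipher consumes the 32-byte working key.

```python
import hashlib
import hmac

# Stage labels are assumptions, used to keep node and server bindings distinct.
NODE_LABEL = b"node-bind-v1"
SERVER_LABEL = b"server-bind-v1"


def encode_descriptors(label, descriptors):
    """Canonical, unambiguous encoding of a descriptor set.

    Names are sorted so insertion order does not matter, and every field is
    length-prefixed so {"a": b"bc"} and {"ab": b"c"} never encode alike,
    which plain concatenation would not guarantee.
    """
    if not descriptors:
        raise ValueError("at least one descriptor is required")
    fields = [label]
    for name in sorted(descriptors):
        fields += [name.encode("utf-8"), descriptors[name]]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def node_first_key_component(first_plurality):
    """Act 220: bind the first plurality of descriptor values at the node."""
    encoded = encode_descriptors(NODE_LABEL, first_plurality)
    return hashlib.sha256(encoded).digest()


def server_working_key(first_component, server_descriptors):
    """Act 240 / 240': bind the received component with server-side descriptors."""
    if len(first_component) != hashlib.sha256().digest_size:
        raise ValueError("unexpected first key component length")
    encoded = encode_descriptors(SERVER_LABEL, server_descriptors)
    return hmac.new(first_component, encoded, hashlib.sha256).digest()


def derive(first_plurality, server_descriptors):
    """Acts 220-240 end to end; the function call stands in for act 230."""
    component = node_first_key_component(first_plurality)
    return server_working_key(component, server_descriptors)


# Constructed sample descriptors, loosely following the illustrative list.
FIRST_PLURALITY = {
    "classification": b"corporate document",
    "program": b"alpha",
    "token_id": b"constructed-token-id-0001",
}
SECOND_PLURALITY = {
    "access_level": b"Executive",
    "server_unique_value": b"constructed-server-value-42",
}

if __name__ == "__main__":
    print("working key:", derive(FIRST_PLURALITY, SECOND_PLURALITY).hex())
```

Because binding is deterministic, the working key is only as unpredictable as the descriptor values bound into it, so at least one value (such as the token or server unique value) has to carry real entropy.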
According to an exemplary optional aspect of the invention, at least one descriptor of the set of descriptors can be provided by a user via a token having the at least one descriptor stored thereon. Further, optionally, the node includes the token, and the act of providing the first key component (220) is performed, at least in part, on the token. According to another exemplary aspect of the invention, the node includes a token, and the act of providing the first key component (220) is performed, at least in part, on the token.
According to still yet another exemplary aspect of the invention, at least one descriptor of the set of descriptors is provided by the server.
The invention has been described in detail, with reference to one or more exemplary embodiments. It should be understood, however, that the invention is not necessarily limited to the specific processes and arrangements shown and described above, but may be amenable to numerous variations within the scope of the invention. It will be apparent to one skilled in the art that the manner of making and using the claimed invention has been adequately disclosed in the above-written description of the aspects and embodiments taken together with the drawings.
It will be understood that the above description of the embodiments of the present invention are amenable to various modifications, changes and adaptations, and the same are intended to be comprehended within the meaning and range of equivalents of the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative and enabling, rather than a restrictive, sense.

Claims

We claim:
1. In a system comprising a server communicatively connected to a node, a method of securing data by a user associated with the node, comprising: providing a set of descriptors associated with the data, wherein said set of descriptors comprises a first plurality of descriptors and a second plurality of descriptors, and each descriptor of the set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending said first key component from the node to the server; providing a working key by binding together, at the server, said first key component and the respective values of each of the second plurality of descriptors; and encrypting the data with said working key.
2. The method of claim 1, wherein at least one descriptor of said set of descriptors is provided by the user via a token having the at least one descriptor stored thereon.
3. The method of claim 2, wherein the node includes the token, and providing said first key component is performed, at least in part, on the token.
4. The method of claim 1, wherein the node includes a token, and providing said first key component is performed, at least in part, on the token.
5. The method of claim 1, wherein at least one descriptor of said set of descriptors is provided by the server.
6. In a system comprising a server communicatively connected to a node, a method of securing data by a user associated with the node, comprising: providing a set of descriptors associated with the data, wherein said set of descriptors comprises a first plurality of descriptors and at least one additional descriptor, and each descriptor of said set of descriptors has a respective value associated therewith; providing a first key component by binding together, at the node, the respective values of each of the first plurality of descriptors; sending said first key component from the node to the server; providing a working key by binding together, at the server, said first key component and the respective values of each of the at least one additional descriptor; and encrypting the data with said working key.
7. The method of claim 6, wherein at least one descriptor of said set of descriptors is provided by the user via a token having the at least one descriptor stored thereon.
8. The method of claim 7, wherein the node includes the token, and providing said first key component is performed, at least in part, on the token.
9. The method of claim 6, wherein the node includes a token, and providing said first key component is performed, at least in part, on the token.
10. The method of claim 6, wherein at least one descriptor of said set of descriptors is provided by the server.
11. A system for securing data, said system comprising: a set of descriptors associated with the data, wherein said set of descriptors comprises a first plurality of descriptors and a second plurality of descriptors, and each descriptor of said set of descriptors has a respective value associated therewith; a node adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors; and a server communicatively connected to said node; wherein said server is adapted to receive the first key component from said node, to provide a working key by binding together the first key component and the respective values of each of the second plurality of descriptors, and to encrypt the data with the working key.
12. The system of claim 11, wherein at least one descriptor of said set of descriptors is provided by a user via a token having the at least one descriptor stored thereon.
13. The system of claim 12, wherein said node includes the token, and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token.
14. The system of claim 11, wherein said node includes a token, and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token.
15. The system of claim 11, wherein at least one descriptor of said set of descriptors is provided by said server.
16. A system for securing data, said system comprising: a set of descriptors associated with the data, wherein said set of descriptors comprises a first plurality of descriptors and at least one additional descriptor, and each descriptor of said set of descriptors has a respective value associated therewith; a node adapted to provide a first key component by binding together the respective values of each of the first plurality of descriptors; and a first server communicatively connected to said node; wherein said first server is adapted to receive the first key component from the node, to provide a working key by binding together the first key component and the respective values of each of the at least one additional descriptor, and to encrypt the data with the working key.
17. The system of claim 16, wherein at least one descriptor of said set of descriptors is provided by a user via a token having the at least one descriptor stored thereon.
18. The system of claim 17, wherein said node includes the token, and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token.
19. The system of claim 16, wherein said node includes a token, and the respective values of each of the first plurality of descriptors are bound together, at least in part, on the token.
20. The system of claim 16, wherein at least one descriptor of the set of descriptors is provided by said first server.
21. The system of claim 16, further comprising: a plurality of servers comprising said first server and at least one additional server; and a policy agent; wherein at least one descriptor of said set of descriptors is provided by at least two servers of said plurality of servers, and said policy agent is adapted to control at least one of access to and use of the at least one descriptor according to a policy.
EP04750211A 2003-04-17 2004-04-16 Server-based cryptography Withdrawn EP1618700A4 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/418,312 US7539855B1 (en) 2002-04-17 2003-04-17 Server-based cryptography
PCT/US2004/011756 WO2004095754A2 (en) 2003-04-17 2004-04-16 Server-based cryptography

Publications (2)

Publication Number Publication Date
EP1618700A2 (en) 2006-01-25
EP1618700A4 EP1618700A4 (en) 2010-04-28

Family

ID=33309527

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04750211A Withdrawn EP1618700A4 (en) 2003-04-17 2004-04-16 Server-based cryptography

Country Status (2)

Country Link
EP (1) EP1618700A4 (en)
WO (1) WO2004095754A2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0695997A2 (en) * 1994-08-01 1996-02-07 AT&T Corp. Methods for providing secure access to shared information
US5590199A (en) * 1993-10-12 1996-12-31 The Mitre Corporation Electronic information network user authentication and authorization system
US5999629A (en) * 1995-10-31 1999-12-07 Lucent Technologies Inc. Data encryption security module

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0566811A1 (en) * 1992-04-23 1993-10-27 International Business Machines Corporation Authentication method and system with a smartcard
JPH08263438A (en) * 1994-11-23 1996-10-11 Xerox Corp Distribution and use control system of digital work and access control method to digital work

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2004095754A2 *

Also Published As

Publication number Publication date
EP1618700A4 (en) 2010-04-28
WO2004095754A2 (en) 2004-11-04
WO2004095754A3 (en) 2005-03-03

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20051117

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL HR LT LV MK

DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20100325

17Q First examination report despatched

Effective date: 20100622

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/00 20060101ALI20120503BHEP

Ipc: H04L 9/08 20060101AFI20120503BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20121101