CA2256934C - System for electronic repository of data enforcing access control on data retrieval - Google Patents
System for electronic repository of data enforcing access control on data retrieval Download PDFInfo
- Publication number
- CA2256934C CA2256934C CA002256934A CA2256934A CA2256934C CA 2256934 C CA2256934 C CA 2256934C CA 002256934 A CA002256934 A CA 002256934A CA 2256934 A CA2256934 A CA 2256934A CA 2256934 C CA2256934 C CA 2256934C
- Authority
- CA
- Canada
- Prior art keywords
- document
- repository
- data
- access control
- vault
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000000034 method Methods 0.000 claims description 32
- 230000008569 process Effects 0.000 claims description 21
- 238000000151 deposition Methods 0.000 claims description 17
- 238000004891 communication Methods 0.000 claims description 9
- 238000013475 authorization Methods 0.000 claims description 6
- 238000013500 data storage Methods 0.000 claims description 3
- 230000015654 memory Effects 0.000 claims description 2
- 238000012552 review Methods 0.000 abstract description 7
- 230000009471 action Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 238000012795 verification Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 230000001419 dependent effect Effects 0.000 description 4
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000011084 recovery Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012384 transportation and delivery Methods 0.000 description 2
- 238000007792 addition Methods 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 239000000872 buffer Substances 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000012553 document review Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000002688 persistence Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
When an electronic document is made available for review by other entities, it is often convenient to store the document in a repository or database managed by a third party. A system is provided in which the originator of the document is able to ensure the integrity and security of its document filed with a third party repository without having to trust the administrator of the repository. Both the document originator and the repository administrator have vault environments which are secure extensions of their respective work spaces. The vault of the document originator encrypts a document that it receives from the originator, prior to forwarding it on to the vault of the repository. On receipt of the encrypted document, the repository's vault signs the encrypted document itself before storing the document in the electronic repository and returns to the originator's vault proof of deposit of the encrypted document in the form of a copy of the signed encrypted document. An access control list identifying access ownership privileges for the document are also stored in the repository. Updates to the access control list are under the control of document originator, or another computer designated by the document originator. When a request is made to view the document, it is made from the vault of the requesting party (a secure extension of the requesting party's work space) to the repository's vault. The repository's vault retrieves a copy of the encrypted document which it forwards, along with the requestor's identity to the originator's vault. The originator's vault verifies that the access control is valid, then verifies that the requestor is authorized to view the document from the access control list, then decrypts the document and forwards the decrypted document directly to the requestor's vault. The requestor provides proof of receipt of the decrypted document.
Description
SYSTEM FOR ELECTRONIC REPOSITORY OF DATA
ENFORCING ACCESS CONTROL ON DATA RETRIEVAL
Field of the Invention The present invention is directed to the field of electronic data storage, and provides, in particular, a secure data repository and exchange system administered by a third party data custodian in which access control is enforced on data retrieval.
Background of the Invention Recent parallel advances in network communications and public key infrastructure ("PKI") technology have prompted businesses and institutions to begin to utilize electronic documentation for record-keeping and for transactions of all types. With improvements in transmission integrity and security, it can be confidently assumed that documents sent electronically over the Internet and other open networks will arrive intact and tamper-free. Database management systems coupled with modern computer memories capable of storing several gigabytes of data have made it practical for businesses and institutions to simply dispense with maintaining paper records whose bulk necessitates real estate costs.
Typically, data originating in one entity may have to be transmitted to others for any number of reasons such as deposit, review, etc. The data elements could be of the form of unstructured document files or structured records, such as bank account and other financial information. Using the example of unstructured data, it may be necessary to forward a document from the originating system to other computers in the same system or to computers residing on different systems for the purposes of review. This could occur equally in a business situation (e.g., a proposal for a joint venture or complex bid tender) as in an institutional setting (e.g., a graduate thesis to be reviewed by faculty advisers prior to submission to a university thesis review committee). The document has been created electronically since this will facilitate revisions and additions (particularly if it is lengthy) without having to re-type the entire document each time.
Having the document in an electronic form also facilitates review of it because the document in this form is easily transmissible. However, rather than circulating the document, the document creator can let the intended reviewers know that it is available and provide them with access to it. To review the document, the authorized reviewers must be given access to the storage location ofthe document.
There are a number of reasons why the document creator will not want to store the document locally.
If local document storage means giving open access, behind its firewall, to other entities, a security risk (the threat ofhackers) is created. Access into local storage also compromises data management, since one inadvertent action by a reviewer could erase the document file.
Also, the lack of system and/or network availability may defeat any perceived convenience to reviewers in giving them direct access to the document in storage. System availability refers to whether the document originator's local machine or LAN is made available at all times to accommodate reviewers, while network availability refers to the constraint that it may be difficult for the network to make available multiple points to the local storage location if several reviewers seek access at one time.
There could also be reasons in a business or institutional situation that independent verification must be provided to show that a document originator has made its submission of a document on a certain date (e.g., a commercial tender).
One solution is to use the repository of a third party, particularly one in the business of providing the service of a secure data repository and who is able, if required, to provide proof of deposit.
US Patent Nos. 5,615,28 and 5,748,738, both entitled "System and Method for Electronic Transmission Storage and Retrieval of Authenticated Documents" and both assigned to Document Authentication Systems, Inc., describe a system which provides data integrity and non-repudiation
ENFORCING ACCESS CONTROL ON DATA RETRIEVAL
Field of the Invention The present invention is directed to the field of electronic data storage, and provides, in particular, a secure data repository and exchange system administered by a third party data custodian in which access control is enforced on data retrieval.
Background of the Invention Recent parallel advances in network communications and public key infrastructure ("PKI") technology have prompted businesses and institutions to begin to utilize electronic documentation for record-keeping and for transactions of all types. With improvements in transmission integrity and security, it can be confidently assumed that documents sent electronically over the Internet and other open networks will arrive intact and tamper-free. Database management systems coupled with modern computer memories capable of storing several gigabytes of data have made it practical for businesses and institutions to simply dispense with maintaining paper records whose bulk necessitates real estate costs.
Typically, data originating in one entity may have to be transmitted to others for any number of reasons such as deposit, review, etc. The data elements could be of the form of unstructured document files or structured records, such as bank account and other financial information. Using the example of unstructured data, it may be necessary to forward a document from the originating system to other computers in the same system or to computers residing on different systems for the purposes of review. This could occur equally in a business situation (e.g., a proposal for a joint venture or complex bid tender) as in an institutional setting (e.g., a graduate thesis to be reviewed by faculty advisers prior to submission to a university thesis review committee). The document has been created electronically since this will facilitate revisions and additions (particularly if it is lengthy) without having to re-type the entire document each time.
Having the document in an electronic form also facilitates review of it because the document in this form is easily transmissible. However, rather than circulating the document, the document creator can let the intended reviewers know that it is available and provide them with access to it. To review the document, the authorized reviewers must be given access to the storage location ofthe document.
There are a number of reasons why the document creator will not want to store the document locally.
If local document storage means giving open access, behind its firewall, to other entities, a security risk (the threat ofhackers) is created. Access into local storage also compromises data management, since one inadvertent action by a reviewer could erase the document file.
Also, the lack of system and/or network availability may defeat any perceived convenience to reviewers in giving them direct access to the document in storage. System availability refers to whether the document originator's local machine or LAN is made available at all times to accommodate reviewers, while network availability refers to the constraint that it may be difficult for the network to make available multiple points to the local storage location if several reviewers seek access at one time.
There could also be reasons in a business or institutional situation that independent verification must be provided to show that a document originator has made its submission of a document on a certain date (e.g., a commercial tender).
One solution is to use the repository of a third party, particularly one in the business of providing the service of a secure data repository and who is able, if required, to provide proof of deposit.
US Patent Nos. 5,615,28 and 5,748,738, both entitled "System and Method for Electronic Transmission Storage and Retrieval of Authenticated Documents" and both assigned to Document Authentication Systems, Inc., describe a system which provides data integrity and non-repudiation
2 assurance using a proprietary Windows~ client to communicate with the data repository service.
An important consideration not addressed in these patents is that the integrity and access to the data stored in the repository not be dependent on the actions of the third party that administers the document repository. In other words, the data custodian should not be able, through either inadvertent or malicious actions, to modify the contents of the data without that action being detected by the system users. Moreover, the data custodian should not be able to alter a user's privilege to, or restriction from, access to a data element.
In the above-described system of USP's 5,615,268 and 5,748,738, the data repository service is trusted not to reveal data to other users. There is no provision in this system for data privacy using encryption technology.
Summary of the Invention Therefore, it is an object of the present invention to provide an electronic document storage and exchange system in which the documents are physically stored in a repository administered by a third party, but in which users have access to their documents and share them with each other.
It is also an object of the invention to provide a system in which the integrity and access to the data stored in the repository is not dependent on the actions of the third party administrator.
Accordingly, in one aspect, the present invention is directed to secure electronic data storage and retrieval system, that consists of a data repository, a repository manager for managing storage and retrieval of encrypted electronic data of a depositing computer into and out of the data repository, and an agent program of the depositing computer. The agent program is accessible to the repository manager whether the depositing computer is online or offline. The agent program also has means to decrypt, on authentication of a requesting computer, the encrypted electronic data of the
An important consideration not addressed in these patents is that the integrity and access to the data stored in the repository not be dependent on the actions of the third party that administers the document repository. In other words, the data custodian should not be able, through either inadvertent or malicious actions, to modify the contents of the data without that action being detected by the system users. Moreover, the data custodian should not be able to alter a user's privilege to, or restriction from, access to a data element.
In the above-described system of USP's 5,615,268 and 5,748,738, the data repository service is trusted not to reveal data to other users. There is no provision in this system for data privacy using encryption technology.
Summary of the Invention Therefore, it is an object of the present invention to provide an electronic document storage and exchange system in which the documents are physically stored in a repository administered by a third party, but in which users have access to their documents and share them with each other.
It is also an object of the invention to provide a system in which the integrity and access to the data stored in the repository is not dependent on the actions of the third party administrator.
Accordingly, in one aspect, the present invention is directed to secure electronic data storage and retrieval system, that consists of a data repository, a repository manager for managing storage and retrieval of encrypted electronic data of a depositing computer into and out of the data repository, and an agent program of the depositing computer. The agent program is accessible to the repository manager whether the depositing computer is online or offline. The agent program also has means to decrypt, on authentication of a requesting computer, the encrypted electronic data of the
3 depositing computer retrieved from the data repository on request of the requesting computer.
Preferably, the repository manager can digitally sign the encrypted electronic data prior to storage in the data repository, and then forward a copy of the signed encrypted data to the agent program, so that the agent program can verify against the signed encrypted data, the retrieved encrypted electronic data following decryption.
In another aspect, the present invention provides a system and method for securely authenticating user access to electronic data stored in a data repository managed by a repository manager unrelated to a source of the data, in which an access control list of user authorizations is associated with the electronic data when stored in the data repository. The source is responsible for updating the access control list, and maintains evidence of the current access control list.
Evidence of the current access control list is also provided to any user computer which has effected the update. The source verifies that the updated access control list stored with the electronic data in the data repository is accurate before releasing the data to the requesting computer.
The use of the invention is particularly advantageous in a system having a large number of documents accessible to and accessed by a large number of users. The centralization of user access information improves system efficiency since it avoids duplication of the information. Moreover, the use of a powerful, centralized search authority permits richer searching -paxameters need not be limited to document identity, but could conceivably include other identifiers, such as creation time, identity of document originator, etc.
The invention may be realized in the form of media encoded with program code to effect the above-described system or processes.
Brief Description of the Drawings Embodiments of the invention will now be described in detail in association with the accompanying
Preferably, the repository manager can digitally sign the encrypted electronic data prior to storage in the data repository, and then forward a copy of the signed encrypted data to the agent program, so that the agent program can verify against the signed encrypted data, the retrieved encrypted electronic data following decryption.
In another aspect, the present invention provides a system and method for securely authenticating user access to electronic data stored in a data repository managed by a repository manager unrelated to a source of the data, in which an access control list of user authorizations is associated with the electronic data when stored in the data repository. The source is responsible for updating the access control list, and maintains evidence of the current access control list.
Evidence of the current access control list is also provided to any user computer which has effected the update. The source verifies that the updated access control list stored with the electronic data in the data repository is accurate before releasing the data to the requesting computer.
The use of the invention is particularly advantageous in a system having a large number of documents accessible to and accessed by a large number of users. The centralization of user access information improves system efficiency since it avoids duplication of the information. Moreover, the use of a powerful, centralized search authority permits richer searching -paxameters need not be limited to document identity, but could conceivably include other identifiers, such as creation time, identity of document originator, etc.
The invention may be realized in the form of media encoded with program code to effect the above-described system or processes.
Brief Description of the Drawings Embodiments of the invention will now be described in detail in association with the accompanying
4 drawings, in which:
Figure 1 is a schematic diagram of a document repository system utilizing a third party custodian;
Figure 2 is a schematic diagram, similar to Figure 1, showing a vault document repository system utilized in the preferred embodiment of the present invention;
Figure 3 is a flow diagram illustrating the process of document creation, according to the invention;
Figure 4, consisting of Figures 4A and 4B, is a flow diagram illustrating the process of document retrieval according to the invention;
Figure 5 is a flow diagram showing a process, according to the preferred embodiment of the invention, for providing immutability of access control for document retrieval; and Figure 6 is a flow diagram illustrating a process for assigning ownership privileges over stored documents, according to the invention.
Detailed Descr~tion of the Preferred 'Embodiments A conventional arrangement for a document repository system utilizing a third party custodian is illustrated in Figure 1. A document originator 100 can deposit documents via its connection 102 with a remote document repository service 104, such as a database, administered by a third party.
As the owner of the deposited documents, the document originator 100 can assign access to the documents. For example, the document originator may assign a business partner 106 to have a "read" privilege, which means that the assigned business partner is allowed to retrieve the document via its connection 108 to the document repository service 104, but cannot make changes to the document on deposit.
Figure 1 is a schematic diagram of a document repository system utilizing a third party custodian;
Figure 2 is a schematic diagram, similar to Figure 1, showing a vault document repository system utilized in the preferred embodiment of the present invention;
Figure 3 is a flow diagram illustrating the process of document creation, according to the invention;
Figure 4, consisting of Figures 4A and 4B, is a flow diagram illustrating the process of document retrieval according to the invention;
Figure 5 is a flow diagram showing a process, according to the preferred embodiment of the invention, for providing immutability of access control for document retrieval; and Figure 6 is a flow diagram illustrating a process for assigning ownership privileges over stored documents, according to the invention.
Detailed Descr~tion of the Preferred 'Embodiments A conventional arrangement for a document repository system utilizing a third party custodian is illustrated in Figure 1. A document originator 100 can deposit documents via its connection 102 with a remote document repository service 104, such as a database, administered by a third party.
As the owner of the deposited documents, the document originator 100 can assign access to the documents. For example, the document originator may assign a business partner 106 to have a "read" privilege, which means that the assigned business partner is allowed to retrieve the document via its connection 108 to the document repository service 104, but cannot make changes to the document on deposit.
5 In such conventional systems, the document deposited by the document originator 100 is normally not encrypted so that the business partner 106 will be able to review the document on demand. This is because there are problems associated with decrypting documents in the prior art. Document decryption requires access to the private key of the document originator 100.
To give access to its private key, the document originator 100 must either make itself available online during all times that decryption might be requested in order to perform the decryption itself (the issue of system availability), or must set up a scheme in advance to make its private key available directly to the business partner 106 or through a trusted proxy (not shown).
U.S. Patent No. 5,491,750 of International Business Machines Corporation, is for "Method and Apparatus for Three-Pac-ty Entity Authentication and Key Distribution Using Message Authentication Codes". This patent describes a system which allows for the distribution of secret session-management keys shared by two or more communication partners after the communication partners have been authenticated through a trusted intermediary. However, the keys generated under this scheme, and others like it, are short-lived and intended to be used as little as absolutely necessary. It is not clear that such a scheme would be appropriate to provide securely transmit decryption keys between communication partners in a document review system, with a persistent document repository.
Thus, in conventional systems where documents are deposited for a period of time and are not encrypted (Figure 1 ), the third party administrator of the repository service 104 must be trusted with maintaining the integrity of the document.
The document repository system of the preferred embodiment of the present invention is built using the IBM Vault Registry product, the subject of U.S. Patent 6,105,131, titled "Secure Server and Method of Operation for a Distributed Information System", issued on August 15, 2000 assigned to IBM Corporation.
To give access to its private key, the document originator 100 must either make itself available online during all times that decryption might be requested in order to perform the decryption itself (the issue of system availability), or must set up a scheme in advance to make its private key available directly to the business partner 106 or through a trusted proxy (not shown).
U.S. Patent No. 5,491,750 of International Business Machines Corporation, is for "Method and Apparatus for Three-Pac-ty Entity Authentication and Key Distribution Using Message Authentication Codes". This patent describes a system which allows for the distribution of secret session-management keys shared by two or more communication partners after the communication partners have been authenticated through a trusted intermediary. However, the keys generated under this scheme, and others like it, are short-lived and intended to be used as little as absolutely necessary. It is not clear that such a scheme would be appropriate to provide securely transmit decryption keys between communication partners in a document review system, with a persistent document repository.
Thus, in conventional systems where documents are deposited for a period of time and are not encrypted (Figure 1 ), the third party administrator of the repository service 104 must be trusted with maintaining the integrity of the document.
The document repository system of the preferred embodiment of the present invention is built using the IBM Vault Registry product, the subject of U.S. Patent 6,105,131, titled "Secure Server and Method of Operation for a Distributed Information System", issued on August 15, 2000 assigned to IBM Corporation.
6 The IBM Vault Registry product provides an enhanced web server environment that implements a secure extension, called a vault, of the client's environment. This system relies on the modern transmission technology described in the Background of the Invention, that electronic transmission of documents and other data will arrive intact and error free. Resources contained within a client's vault are available only when accessed from the client using strong authentication via certified public keys. Depending on the environment, access may be through the client's web browser.
The information content of the vault is encrypted for privacy. Each vault on a server has a unique encryption key and mechanisms that inhibit access to the keys except through the trust path approved by the owner of the vault, such as through a browser. Programs that run within a vault are isolated by operating system services to ensure such programs:
a) operate in a process with a system identity (a virtual logon) so that the identity is available to dependent processes without the possibility of alteration by a program operating in the vault;
b) have access to the data content of the vault in which they are running -but to no other;
c) are approved for running in the vault by the owner of the vault; and d) are signed to prevent tampering and "Trojan horse" attacks.
Programs operating in a vault can deposit information in the same vault or other vaults having secure access to each other's public keys. Normally, these vaults will be located on the same vault server, but can be on different vault servers with access to a common Certificate Authority to provide the public key information. In the context of a vault repository, "deposit" can mean different things.
In one implementation, deposit can refer to encrypting the data in the encryption key of the target vault and signing the data in the signature key of the depositing vault. Vault programs cannot directly access either encryption or signature keys. This is done through an API. Optionally, the "deposit" function can place information in a queue contained in the target vault. Another option
The information content of the vault is encrypted for privacy. Each vault on a server has a unique encryption key and mechanisms that inhibit access to the keys except through the trust path approved by the owner of the vault, such as through a browser. Programs that run within a vault are isolated by operating system services to ensure such programs:
a) operate in a process with a system identity (a virtual logon) so that the identity is available to dependent processes without the possibility of alteration by a program operating in the vault;
b) have access to the data content of the vault in which they are running -but to no other;
c) are approved for running in the vault by the owner of the vault; and d) are signed to prevent tampering and "Trojan horse" attacks.
Programs operating in a vault can deposit information in the same vault or other vaults having secure access to each other's public keys. Normally, these vaults will be located on the same vault server, but can be on different vault servers with access to a common Certificate Authority to provide the public key information. In the context of a vault repository, "deposit" can mean different things.
In one implementation, deposit can refer to encrypting the data in the encryption key of the target vault and signing the data in the signature key of the depositing vault. Vault programs cannot directly access either encryption or signature keys. This is done through an API. Optionally, the "deposit" function can place information in a queue contained in the target vault. Another option
7 provides a "return receipt" that ensures that the information was deposited and that a program in the target vault opened the data. All of these "deposit" functions provide a means to pass information among vaults in such a way that:
a) their origin process cannot be denied;
b) their content cannot be viewed by those with the ability to inspect inter-process communication buffers; and c) delivery is guaranteed.
If an application does not choose to queue data to the target vault, it can elect to store the information in a file, database or use any other system services that can treat the data as an "opaque" item (e.g., serializing it for object persistence). This opaque information can be managed by standard system techniques for the purpose of backup and recovery. However, its content can only be decrypted by a program running in the context of the vault that owns it using the SecureDepositor application programming interfaces.
Using the IBM Vault Registry product, the preferred embodiment of the invention has been developed as illustrated schematically in Figure 2.
As in the system of Figure 1, in the scheme illustrated in Figure 2 a document originator 200 can deposit documents via its connection 202 with a document repository service 204, and as the owner of the deposited documents, can assign levels of access to the documents to third parties 206, such as business partners, who gain access to the documents in the document repository service 204 via their own network connections 208. However, unlike the system described above, users of the document repository system are not obliged to trust the third party to maintain the integrity of documents filed in the repository.
a) their origin process cannot be denied;
b) their content cannot be viewed by those with the ability to inspect inter-process communication buffers; and c) delivery is guaranteed.
If an application does not choose to queue data to the target vault, it can elect to store the information in a file, database or use any other system services that can treat the data as an "opaque" item (e.g., serializing it for object persistence). This opaque information can be managed by standard system techniques for the purpose of backup and recovery. However, its content can only be decrypted by a program running in the context of the vault that owns it using the SecureDepositor application programming interfaces.
Using the IBM Vault Registry product, the preferred embodiment of the invention has been developed as illustrated schematically in Figure 2.
As in the system of Figure 1, in the scheme illustrated in Figure 2 a document originator 200 can deposit documents via its connection 202 with a document repository service 204, and as the owner of the deposited documents, can assign levels of access to the documents to third parties 206, such as business partners, who gain access to the documents in the document repository service 204 via their own network connections 208. However, unlike the system described above, users of the document repository system are not obliged to trust the third party to maintain the integrity of documents filed in the repository.
8 The document repository system 204 of the preferred embodiment comprises two components, an application server 210 and a vault controller 214. The application server (AS) is a program to administer the database repository 212, which may be on the same machine or may be remotely located on a closed network. The vault controller 214 includes a number of components, user vaults 216, 218 which are assigned on an individual basis to document originators 200 and business partners 206, an AS vault 220 assigned to the application server 210, and a vault supervisor program 222.
A user vault 216 or 218 can be accessed only by the user (document originator 200 or business partner 206) to whom the vault has been assigned, upon proper authentication.
The individual vaults do not have direct access to the document database 212, access is through the AS vault 220 and the application server 210.
The application server component 210 does not run on a trusted computing base, but can execute on any platform. The application server has a reciprocating component which runs in the AS vault 220 assigned to it in the vault server 214. The AS vault 220 can communicate with the application server 210, and through the application server, has access to the document database 212.
Figure 3 is a flow diagram illustrating the process of document creation, according to the preferred embodiment of the invention. Using the IBM Vault Registry environment, a personal vault is notionally a secure extension of the vault owner's environment. Thus, the interaction between the process steps in Figure 3 are shown between the vaults of the document originator and the application server.
When creating a document in the data repository, the document is first sent from the desktop of the user who created or originated it, to the user's (document originator's) personal vault (block 300), where the document is "signed" with the user vault's private signing key (block 302).
A user vault 216 or 218 can be accessed only by the user (document originator 200 or business partner 206) to whom the vault has been assigned, upon proper authentication.
The individual vaults do not have direct access to the document database 212, access is through the AS vault 220 and the application server 210.
The application server component 210 does not run on a trusted computing base, but can execute on any platform. The application server has a reciprocating component which runs in the AS vault 220 assigned to it in the vault server 214. The AS vault 220 can communicate with the application server 210, and through the application server, has access to the document database 212.
Figure 3 is a flow diagram illustrating the process of document creation, according to the preferred embodiment of the invention. Using the IBM Vault Registry environment, a personal vault is notionally a secure extension of the vault owner's environment. Thus, the interaction between the process steps in Figure 3 are shown between the vaults of the document originator and the application server.
When creating a document in the data repository, the document is first sent from the desktop of the user who created or originated it, to the user's (document originator's) personal vault (block 300), where the document is "signed" with the user vault's private signing key (block 302).
9 An electronic signature of a data element is a guarantee, provided by the signatory, of the integrity of that data element. A signature may be computed by first computing the data element's digest.
The digest is a relatively small structure (e.g. 128 bits for MD2 or MDS
digest) with specific properties to guarantee security. First, it is a one-way function, which means that given a digest, it is impossible to obtain the original document that produced it. In addition, given a digest, it is impossible (or computationally infeasible) to find a second pre-image, which would have the same digest. The digest is also collision-resistant. This means that two different pre-images are highly unlikely to produce the same digest.
The data element's digest is then encrypted with the user vault application's private signing key (block 304). In the preferred embodiment, both symmetric and public-key asymmetric cryptography technology are utilized.
With public key cryptography, an application has two keys, a public key and a private key, referred to as a key pair. The private key is held locally by the application, and is discussed in further detail below. The public key is made available to all users, usually through a directory service, such as X.500 distributed directory. Public key distribution is well known in the art, and is not discussed in further detail in the present specification.
When public key cryptography is used, a data element encrypted with the public key may only be decrypted with the corresponding private key. Similarly, a data element encrypted with the private key may only be decrypted with the public key.
In symmetric key technology, a single key is used for both encryption and decryption. In current practice, encryption/decryption and key generation are much faster in symmetric key technology than with public-key asymmetric technology.
Data is normally encrypted using a randomly generated symmetric key. Then, the symmetric key is itself encrypted using the user's public encryption key, and is stored with the document so that it becomes part of the document.
Continuing with Figure 3, the encrypted document and the electronic signature are forwarded to the application server's vault for filing in the document database (block 306). On receiving the encrypted document (block 308), the application running in the application server's vault notarizes the signature (block 310) by re-signing it with its own private signing key.
The notarization of a signature, in an electronic context, means that a third party, which acts as a "notary", certifies the content of a signature. (All of the duties attending the legal office of notary, as conferred by a government authority, are not intended to be covered by the references in this specification to "notary" and "notarization".) In general, electronic notarization of a signature is done as an extra precaution, in order to prevent unauthorized modification of the signature at a later time. In the case of the present invention, notarization of the user's digital signature prevents the user from replacing or modifying the original document in the document repository. A check of the notarized signature associated with the document would reveal any inconsistencies.
A notarized electronic signature contains two pieces of information, the originator's signature of the given data element and the notary's signature of the originator's signature.
The notary's signature should be computed over the originator's signature and the current time stamp.
The application running in the application server's vault then signs the document it has received (block 312). Because the data it receives from the document originator is encrypted, the application server actually has no knowledge of the contents of the document. Therefore, according to the invention, this second signature is computed over the encrypted document, and the originator's notarized signature. The application server's signature constitutes a non-repudiation receipt, providing proof to the document originator (depositor) that the repository service received the document. The creation of the document in the repository may then not be denied later by the repository service.
The encrypted document, the document originator's notarized signature, and the non-repudiation receipt are all stored in the application server's repository or the application database (block 314).
The non-repudiation receipt is sent to the vault of the document originator (block 316). The vault of the document originator checks the correctness of the non-repudiation receipt (block 318) by verifying the signature of the encrypted document. The document originator's vault also checks the currency of the time stamp in the notarized signature (block 320). The tolerance for the time stamp is application dependent. If either of these tests fail, an error message is returned to the AS vault (block 322) and logged in the system. If the receipt is correct and current, the application running in the user's vault returns the non-repudiation receipt to the originating user (block 324) to be cached locally for future reference, in the event proof is required that the document has been stored in the repository.
It is possible that the document originator may sign and/or encrypt the document using his own proprietary technique, before submitting it to his vault for storage. However, the document repository is not sensitive to the content of the document being stored.
Hence, an encrypted document will be re-signed and re-encrypted by the user's vault, as any other document would be handled.
Figure 4 is a flow diagram illustrating the steps, according to the preferred embodiment of the invention, which must take place to permit a document to be retrieved by a requestor who has been authorized under the document originator's access control list (ACL). The establishment and maintenance of ACLs is discussed in detail below.
As in Figure 3, the process steps shown in Figure 4 are the actions and interactions between the vaults of the document originator, application server and requestor, on the basis that the personal vaults of each are notional secure extensions oftheir respective work spaces, as provided in the IBM
Vault Registry product or an environment with similar properties.
Beginning with Figure 4A, the requestor makes a request to his vault application to retrieve a document from the application server repository (block 400), and the requestor's vault application, in turn, forwards the request for the document to the application server's vault (block 402).
The application server's vault application receives the access request (block 404) and retrieves the encrypted document, the originator's notarized signature and the signed ACL
from the application database (block 406).
The application server's vault application sends the encrypted document, the notarized signature and the signed ACL to the vault of the document originator. The application server's vault also sends the requestor's identity vault to the originator's vault (block 408).
The originator's vault checks that the requestor is authorized to retrieve the document (block 412).
Document access control is enabled, in the preferred embodiment, through access control lists used to restrict document access only to authorized entities. An access control list is associated with a document and must be checked when a requestor sends a request to retrieve a document. A requestor will only be given a copy of the document if it has access. The requestor can verify access in advance of making a request if capability lists are used. If the requestor is not authorized to access the document, an error message is returned to the originator and is logged in the system (block 414).
Continuing with Figure 4B, if the requestor is authorized to receive the document, the originator's vault application decrypts the document (block 416) and verifies the notarized signature (block 418).
Since the originator's original signature was computed over the unencrypted document contents, only those users with access to the document contents are able to verify the signature. If the received signature does not correspond with the decrypted document, then it will be clear that it is not the same version of the document as deposited, and the originator will return an error message to the S application server (block 420).
If the signature is verified, the originator forwards the decrypted document and the notarized signature to the requestor's vault (block 422).
On receipt of the decrypted document, the requestor's vault application attempts to verify the originator's notarized signature using the notary's public signature key (block 424). If the requestor is unable to verify it, an error message is returned to the originator and logged in the system (block 426).
If the originator's notarized signature can be verified, the requestor's vault signs the notarized signature that it received with the document. This signature is computed over the notarized signature, as well as the current time stamp, and constitutes a delivery receipt (block 428) proving that the document was retrieved from the repository. The requestor's vault returns the decrypted document along with the non-repudiation receipt it has generated to the requestor's desktop (block 430). The requestor's vault also forwards the non-repudiation receipt to the application server's vault (block 432). The application server verifies the signature of the requestor vault on the receipt (block 434). If the signature does not correspond to the document, the receipt is marked as incorrect or as "missing receipt", and is cached, if the application includes this storage function (block 436). If the signature can be verified, the application server vault stores the receipt in the application database as proof that the requestor did retrieve the document (block 438).
Immutability of Access Control for Document Retrieval As discussed above, in a data repository, there is a requirement for document access control. This means that only those users authorized by the document's owner, are able to view the document, and that document access permissions may only be modified by the document's owner (i.e., the document originator) and those other users that have been authorized by the document's owner to modify the given document's access control list. It is important to have assurance that even the repository administrator does not have the power to modify a document's access permissions without authorization from the document's owner.
There are two different types of application requirements for establishing the immutability of document access control. Document access should be checked:
1) when a user performs a search to find all documents that it is authorized to view; and 2) when a user performs an actual retrieval of a document.
All applications must enforce access control on document retrieval (access type 2 above). For this type of access, the repository must guarantee that the access control of a document cannot possibly be modified by an unauthorized user, such as a business competitor.
Some applications must also enforce access control on document search, particularly in situations where users have no means to determine which documents they have been granted access, except through the application server of the repository. A system that enforces immutability of access control on both document search and retrieval is the subject matter of our concurrently filed application titled "System for Electronic Repository of Data Enforcing Access Control on Data Search and Retrieval" (IBM Docket No. CA998-040).
In some applications it is not essential for a user to be able to query the document repository for all documents that it is authorized to see. For example, this knowledge may be communicated off line through business meetings, by email or over the telephone. In such a case, the user already knows what documents it has access to, and therefore, the requestor's knowledge of its own document access cannot be affected by actions of the repository.
In the preferred embodiment, each document has, associated with it, an access control list (ACL) which identifies the access authorization to the document for different users.
In order to guarantee immutability, each ACL is processed in the document originator's vault as illustrated in Figure 5.
Each ACL is associated with a version number and a time stamp of its latest modification. When an ACL is updated (block 500), its version number is incremented (block 502) and the old time stamp associated with the ACL is replaced with the most current time stamp (block 504). A token, which is intended to guarantee the immutability of the ACL, is created from the current version number and time stamp now associated with the ACL. The token is signed by the document originator's vault (block 506). A data structure, such as a text string or binary structure, is produced by attaching the token to the ACL (block 508). The data structure is signed by the owner's vault to eliminate the possibility of it being substituted (block 510), and forwarded, together with the ACL
and token, to the AS vault for storage in the document repository (block 512).
The ACL token is also forwarded to the vault of any user with authorized access to the document, for storage with the user's access application on its desktop (block 514) for future ACL verification.
The signed token is forwarded to the document originator's desktop for storage (block 516).
Because it is holding a copy of the signed token, the document originator becomes the final arbiter of whether the document ACL is up-to-date or not.
When a business partner wants to retrieve a document, the AS vault application sends the encrypted document to the originator's vault as described above (block 408 of Figure 4A). Together with the document, the notorized signature, and the requester's ID, the AS vault will also send to the originator's vault the signed ACL. In order to verify the requestor's authorization (block 412 of Figure 4A), the originator's vault then performs the following checks:
1. verifies the correctness of the ACL signature;
2. verifies that the version number and time stamp match what's stored inside the originator's vault; and 3. checks in the verified ACL that the requester has access to the indicated document.
With this technique, nobody can modify the ACL stored in the application database, without that change being detected by the originator's vault.
As described above, each user which owns documents in the repository, keeps on its desktop the signed tokens of the correct version of each ACL. The ACL versions kept by the user's vault are verified by comparing the signed token stored on the user's desktop with the one stored in the user's vault. This comparison can be performed at different times; one good opportunity to verify the ACLs stored inside a user's vault is during logon, so that every time the user logs on, the user's ACLs are verified.
If ACL verification fails, the user's vault application can automatically stop honoring all requests to retrieve the document protected by the ACL. This state of document inaccessibility would persist until the user either creates a new ACL, or re-certifies the existing ACL. The process of re-certification of the existing ACL would include synchronizing the ACL token stored in the user's vault with the token stored on the user's desktop.
In this embodiment, the actual ACL is stored in the application database. If a user wants to perform a search of documents he is authorized to, this search can only be performed by application server's vault application, the only program with direct access to the application database. However, any misinformation by a "malicious" application server about a user's access rights to a document can be checked. The application server does not have access to the signed ACL
token on the user's workstation or in the user's vault. The user will discover that its token does not correspond with the information received from the application server the next time the user verifies the token (see Back-up and Recovery section below). This will be particularly useful in a system designed in such a way that access to a document can only be granted, but not later removed.
Assignment of Ownership Privileges Some environments require that a document originator be able to allow someone else to modify the access list of the given document. For example, if the owner is not available, another authorized user will have the ability to update the given document's access control.
According to a preferred embodiment of the invention, this function can be implemented as illustrated in Figure 6. When ACL update is attempted, the updating user must be able to present the up-to-date signed token for the ACL (block 600). The signed token is sent to the updating user's own vault (block 602) which passes the signed token to the originator's vault (block 604). The originator's vault checks the validity ofthe token (block 606) by comparing it with the signed token it has in its own storage. The originator's vault also checks the authority of the updating user (block 610).
If the token is invalid or the updating user does not have ownership privileges assigned in the ACL
of this document, then the document originator's vault will detect this, refuse the update and return an error message to the user's vault (blocks 608).
If the originator's vault can verify the signing user's access to the document, and that the version number, and time stamp of the ACL token are current (block 706), the ACL is updated (block 710) CA9~)8-030 and a new token is generated and signed (block 712), and stored in the originator's vault (block 714).
The new signed token is sent to the updater's vault (block 716). The updater's vault returns the new token to the updater's desktop for storage (block 718). The new signed token may also, optionally, be forwarded to the application server's vault for storage in the repository (block 720).
This procedure requires that only one person may perform an ACL update at any given time. For example, if a document originator John will be leaving for vacation, he can permit a co-worker, Mary, to update the ACL of his document in his absence from the office by giving Mary his up-to-date token for the ACL of the document. Mary then issues an ACL update by presenting the token through her vault to John's vault. Mary receives the new signed token for the ACL which she returns to John on his return to the office. After installing the new token, John can issue his own ACL update.
Data Backup and Recovery Occasionally it may be necessary for the administrator of the document repository to restore the document database from a previous backup. This may be necessary, for example, in case of a catastrophic database failure, such as a disk crash. The data that needs to be included in a backup are the documents themselves, the ACLs (whether stored in the application database or in the owner's vaults), the capability lists (for the systems that implement them, as described above), and the verification tokens of ACLs and capability lists.
Following a data restoration, updates made after the most recent backup may be lost. For the purposes of the present invention, this could include ACL and capability list updates. When this occurs, the verification tokens stored on user desktops may not correspond with the tokens in the corresponding vaults, denying users proper access.
Therefore, the following system has been implemented to provide a standard for data restoration in different situations. It is assumed that the backup was taken at TIME1, while the restoration occurred at a later TIME2 based on the state of the data at TIME 1 that the requestor did retrieve the document.
Where a complete data restore of the document database, ACLs, capability lists and corresponding tokens stored in the vaults is performed, users authorized to access a document before TIMEI, can also access it after TIME2. This means that if a user was authorized before TIME 1, but the authority was revoked after TIME 1 but before TIME2, the user will have document access until the document originator performs a check of the ACL token. All users should therefore do an ACL and capability list check following a complete data restoration.
Where only the document database was restored, while the ACLs, the capability lists and the vault-stored tokens are untouched, users may find that they are authorized to access a document which does not exist in the database because the document has been added after TIMEI, but subsequently lost in the database restore. Since all tokens are up-to-date, no other anomalies will occur.
Another case involves a system in which capability lists are not used, but the ACLs are stored in the application database. Where the document database and the ACL have been restored, while the vault-stored tokens have not, users will find that all documents whose ACL
changed after TIME 1 are inaccessible. This is because the ACL tokens in the application database do not match the tokens stored in the individual owners' vaults. To deal with this, all document originators will have to update the ACLs. One way to do this is for the administrator to send the old ACLs (which were in effect at TIMED to document originators, and ask them to re-install the corresponding tokens in their vaults. This update would be manual, not automatic, and an owner's documents would be inaccessible until the owner has performed the update.
For situations where database inconsistencies must be avoided, the repository administrator may disable access to all documents after a restore, until the originator takes corrective action. This disabling of access may apply to all documents stored in the repository, or to only a subset of the documents, whose consistency is the most critical. In this case, the repository administrator must be relied upon to preserve consistency of the system. However, as described above, the administrator in any case does not have the power to grant or revoke users' access to a document.
In order to minimize the ability of orchestrated attack on the system, it is important to separate the roles between the administrator of the vault server and the corresponding local vault storage, on the one hand, and the database administrator, on the other.
Preferred embodiments of the invention implemented by means of the IBM Vault Registry product have been described. However, it will be obvious to the person skilled in the art that the present invention could be implemented using other products that provide similar functions, such as secure vault-like environments located locally with each user's desktop.
Modifications of this nature and others that would be obvious to the person skilled in the art are intended to be covered by the scope of the appended claims.
The digest is a relatively small structure (e.g. 128 bits for MD2 or MDS
digest) with specific properties to guarantee security. First, it is a one-way function, which means that given a digest, it is impossible to obtain the original document that produced it. In addition, given a digest, it is impossible (or computationally infeasible) to find a second pre-image, which would have the same digest. The digest is also collision-resistant. This means that two different pre-images are highly unlikely to produce the same digest.
The data element's digest is then encrypted with the user vault application's private signing key (block 304). In the preferred embodiment, both symmetric and public-key asymmetric cryptography technology are utilized.
With public key cryptography, an application has two keys, a public key and a private key, referred to as a key pair. The private key is held locally by the application, and is discussed in further detail below. The public key is made available to all users, usually through a directory service, such as X.500 distributed directory. Public key distribution is well known in the art, and is not discussed in further detail in the present specification.
When public key cryptography is used, a data element encrypted with the public key may only be decrypted with the corresponding private key. Similarly, a data element encrypted with the private key may only be decrypted with the public key.
In symmetric key technology, a single key is used for both encryption and decryption. In current practice, encryption/decryption and key generation are much faster in symmetric key technology than with public-key asymmetric technology.
Data is normally encrypted using a randomly generated symmetric key. Then, the symmetric key is itself encrypted using the user's public encryption key, and is stored with the document so that it becomes part of the document.
Continuing with Figure 3, the encrypted document and the electronic signature are forwarded to the application server's vault for filing in the document database (block 306). On receiving the encrypted document (block 308), the application running in the application server's vault notarizes the signature (block 310) by re-signing it with its own private signing key.
The notarization of a signature, in an electronic context, means that a third party, which acts as a "notary", certifies the content of a signature. (All of the duties attending the legal office of notary, as conferred by a government authority, are not intended to be covered by the references in this specification to "notary" and "notarization".) In general, electronic notarization of a signature is done as an extra precaution, in order to prevent unauthorized modification of the signature at a later time. In the case of the present invention, notarization of the user's digital signature prevents the user from replacing or modifying the original document in the document repository. A check of the notarized signature associated with the document would reveal any inconsistencies.
A notarized electronic signature contains two pieces of information, the originator's signature of the given data element and the notary's signature of the originator's signature.
The notary's signature should be computed over the originator's signature and the current time stamp.
The application running in the application server's vault then signs the document it has received (block 312). Because the data it receives from the document originator is encrypted, the application server actually has no knowledge of the contents of the document. Therefore, according to the invention, this second signature is computed over the encrypted document, and the originator's notarized signature. The application server's signature constitutes a non-repudiation receipt, providing proof to the document originator (depositor) that the repository service received the document. The creation of the document in the repository may then not be denied later by the repository service.
The encrypted document, the document originator's notarized signature, and the non-repudiation receipt are all stored in the application server's repository or the application database (block 314).
The non-repudiation receipt is sent to the vault of the document originator (block 316). The vault of the document originator checks the correctness of the non-repudiation receipt (block 318) by verifying the signature of the encrypted document. The document originator's vault also checks the currency of the time stamp in the notarized signature (block 320). The tolerance for the time stamp is application dependent. If either of these tests fail, an error message is returned to the AS vault (block 322) and logged in the system. If the receipt is correct and current, the application running in the user's vault returns the non-repudiation receipt to the originating user (block 324) to be cached locally for future reference, in the event proof is required that the document has been stored in the repository.
It is possible that the document originator may sign and/or encrypt the document using his own proprietary technique, before submitting it to his vault for storage. However, the document repository is not sensitive to the content of the document being stored.
Hence, an encrypted document will be re-signed and re-encrypted by the user's vault, as any other document would be handled.
Figure 4 is a flow diagram illustrating the steps, according to the preferred embodiment of the invention, which must take place to permit a document to be retrieved by a requestor who has been authorized under the document originator's access control list (ACL). The establishment and maintenance of ACLs is discussed in detail below.
As in Figure 3, the process steps shown in Figure 4 are the actions and interactions between the vaults of the document originator, application server and requestor, on the basis that the personal vaults of each are notional secure extensions oftheir respective work spaces, as provided in the IBM
Vault Registry product or an environment with similar properties.
Beginning with Figure 4A, the requestor makes a request to his vault application to retrieve a document from the application server repository (block 400), and the requestor's vault application, in turn, forwards the request for the document to the application server's vault (block 402).
The application server's vault application receives the access request (block 404) and retrieves the encrypted document, the originator's notarized signature and the signed ACL
from the application database (block 406).
The application server's vault application sends the encrypted document, the notarized signature and the signed ACL to the vault of the document originator. The application server's vault also sends the requestor's identity vault to the originator's vault (block 408).
The originator's vault checks that the requestor is authorized to retrieve the document (block 412).
Document access control is enabled, in the preferred embodiment, through access control lists used to restrict document access only to authorized entities. An access control list is associated with a document and must be checked when a requestor sends a request to retrieve a document. A requestor will only be given a copy of the document if it has access. The requestor can verify access in advance of making a request if capability lists are used. If the requestor is not authorized to access the document, an error message is returned to the originator and is logged in the system (block 414).
Continuing with Figure 4B, if the requestor is authorized to receive the document, the originator's vault application decrypts the document (block 416) and verifies the notarized signature (block 418).
Since the originator's original signature was computed over the unencrypted document contents, only those users with access to the document contents are able to verify the signature. If the received signature does not correspond with the decrypted document, then it will be clear that it is not the same version of the document as deposited, and the originator will return an error message to the S application server (block 420).
If the signature is verified, the originator forwards the decrypted document and the notarized signature to the requestor's vault (block 422).
On receipt of the decrypted document, the requestor's vault application attempts to verify the originator's notarized signature using the notary's public signature key (block 424). If the requestor is unable to verify it, an error message is returned to the originator and logged in the system (block 426).
If the originator's notarized signature can be verified, the requestor's vault signs the notarized signature that it received with the document. This signature is computed over the notarized signature, as well as the current time stamp, and constitutes a delivery receipt (block 428) proving that the document was retrieved from the repository. The requestor's vault returns the decrypted document along with the non-repudiation receipt it has generated to the requestor's desktop (block 430). The requestor's vault also forwards the non-repudiation receipt to the application server's vault (block 432). The application server verifies the signature of the requestor vault on the receipt (block 434). If the signature does not correspond to the document, the receipt is marked as incorrect or as "missing receipt", and is cached, if the application includes this storage function (block 436). If the signature can be verified, the application server vault stores the receipt in the application database as proof that the requestor did retrieve the document (block 438).
Immutability of Access Control for Document Retrieval As discussed above, in a data repository, there is a requirement for document access control. This means that only those users authorized by the document's owner, are able to view the document, and that document access permissions may only be modified by the document's owner (i.e., the document originator) and those other users that have been authorized by the document's owner to modify the given document's access control list. It is important to have assurance that even the repository administrator does not have the power to modify a document's access permissions without authorization from the document's owner.
There are two different types of application requirements for establishing the immutability of document access control. Document access should be checked:
1) when a user performs a search to find all documents that it is authorized to view; and 2) when a user performs an actual retrieval of a document.
All applications must enforce access control on document retrieval (access type 2 above). For this type of access, the repository must guarantee that the access control of a document cannot possibly be modified by an unauthorized user, such as a business competitor.
Some applications must also enforce access control on document search, particularly in situations where users have no means to determine which documents they have been granted access, except through the application server of the repository. A system that enforces immutability of access control on both document search and retrieval is the subject matter of our concurrently filed application titled "System for Electronic Repository of Data Enforcing Access Control on Data Search and Retrieval" (IBM Docket No. CA998-040).
In some applications it is not essential for a user to be able to query the document repository for all documents that it is authorized to see. For example, this knowledge may be communicated off line through business meetings, by email or over the telephone. In such a case, the user already knows what documents it has access to, and therefore, the requestor's knowledge of its own document access cannot be affected by actions of the repository.
In the preferred embodiment, each document has, associated with it, an access control list (ACL) which identifies the access authorization to the document for different users.
In order to guarantee immutability, each ACL is processed in the document originator's vault as illustrated in Figure 5.
Each ACL is associated with a version number and a time stamp of its latest modification. When an ACL is updated (block 500), its version number is incremented (block 502) and the old time stamp associated with the ACL is replaced with the most current time stamp (block 504). A token, which is intended to guarantee the immutability of the ACL, is created from the current version number and time stamp now associated with the ACL. The token is signed by the document originator's vault (block 506). A data structure, such as a text string or binary structure, is produced by attaching the token to the ACL (block 508). The data structure is signed by the owner's vault to eliminate the possibility of it being substituted (block 510), and forwarded, together with the ACL
and token, to the AS vault for storage in the document repository (block 512).
The ACL token is also forwarded to the vault of any user with authorized access to the document, for storage with the user's access application on its desktop (block 514) for future ACL verification.
The signed token is forwarded to the document originator's desktop for storage (block 516).
Because it is holding a copy of the signed token, the document originator becomes the final arbiter of whether the document ACL is up-to-date or not.
When a business partner wants to retrieve a document, the AS vault application sends the encrypted document to the originator's vault as described above (block 408 of Figure 4A). Together with the document, the notorized signature, and the requester's ID, the AS vault will also send to the originator's vault the signed ACL. In order to verify the requestor's authorization (block 412 of Figure 4A), the originator's vault then performs the following checks:
1. verifies the correctness of the ACL signature;
2. verifies that the version number and time stamp match what's stored inside the originator's vault; and 3. checks in the verified ACL that the requester has access to the indicated document.
With this technique, nobody can modify the ACL stored in the application database, without that change being detected by the originator's vault.
As described above, each user which owns documents in the repository, keeps on its desktop the signed tokens of the correct version of each ACL. The ACL versions kept by the user's vault are verified by comparing the signed token stored on the user's desktop with the one stored in the user's vault. This comparison can be performed at different times; one good opportunity to verify the ACLs stored inside a user's vault is during logon, so that every time the user logs on, the user's ACLs are verified.
If ACL verification fails, the user's vault application can automatically stop honoring all requests to retrieve the document protected by the ACL. This state of document inaccessibility would persist until the user either creates a new ACL, or re-certifies the existing ACL. The process of re-certification of the existing ACL would include synchronizing the ACL token stored in the user's vault with the token stored on the user's desktop.
In this embodiment, the actual ACL is stored in the application database. If a user wants to perform a search of documents he is authorized to, this search can only be performed by application server's vault application, the only program with direct access to the application database. However, any misinformation by a "malicious" application server about a user's access rights to a document can be checked. The application server does not have access to the signed ACL
token on the user's workstation or in the user's vault. The user will discover that its token does not correspond with the information received from the application server the next time the user verifies the token (see Back-up and Recovery section below). This will be particularly useful in a system designed in such a way that access to a document can only be granted, but not later removed.
Assignment of Ownership Privileges Some environments require that a document originator be able to allow someone else to modify the access list of the given document. For example, if the owner is not available, another authorized user will have the ability to update the given document's access control.
According to a preferred embodiment of the invention, this function can be implemented as illustrated in Figure 6. When ACL update is attempted, the updating user must be able to present the up-to-date signed token for the ACL (block 600). The signed token is sent to the updating user's own vault (block 602) which passes the signed token to the originator's vault (block 604). The originator's vault checks the validity ofthe token (block 606) by comparing it with the signed token it has in its own storage. The originator's vault also checks the authority of the updating user (block 610).
If the token is invalid or the updating user does not have ownership privileges assigned in the ACL
of this document, then the document originator's vault will detect this, refuse the update and return an error message to the user's vault (blocks 608).
If the originator's vault can verify the signing user's access to the document, and that the version number, and time stamp of the ACL token are current (block 706), the ACL is updated (block 710) CA9~)8-030 and a new token is generated and signed (block 712), and stored in the originator's vault (block 714).
The new signed token is sent to the updater's vault (block 716). The updater's vault returns the new token to the updater's desktop for storage (block 718). The new signed token may also, optionally, be forwarded to the application server's vault for storage in the repository (block 720).
This procedure requires that only one person may perform an ACL update at any given time. For example, if a document originator John will be leaving for vacation, he can permit a co-worker, Mary, to update the ACL of his document in his absence from the office by giving Mary his up-to-date token for the ACL of the document. Mary then issues an ACL update by presenting the token through her vault to John's vault. Mary receives the new signed token for the ACL which she returns to John on his return to the office. After installing the new token, John can issue his own ACL update.
Data Backup and Recovery Occasionally it may be necessary for the administrator of the document repository to restore the document database from a previous backup. This may be necessary, for example, in case of a catastrophic database failure, such as a disk crash. The data that needs to be included in a backup are the documents themselves, the ACLs (whether stored in the application database or in the owner's vaults), the capability lists (for the systems that implement them, as described above), and the verification tokens of ACLs and capability lists.
Following a data restoration, updates made after the most recent backup may be lost. For the purposes of the present invention, this could include ACL and capability list updates. When this occurs, the verification tokens stored on user desktops may not correspond with the tokens in the corresponding vaults, denying users proper access.
Therefore, the following system has been implemented to provide a standard for data restoration in different situations. It is assumed that the backup was taken at TIME1, while the restoration occurred at a later TIME2 based on the state of the data at TIME 1 that the requestor did retrieve the document.
Where a complete data restore of the document database, ACLs, capability lists and corresponding tokens stored in the vaults is performed, users authorized to access a document before TIMEI, can also access it after TIME2. This means that if a user was authorized before TIME 1, but the authority was revoked after TIME 1 but before TIME2, the user will have document access until the document originator performs a check of the ACL token. All users should therefore do an ACL and capability list check following a complete data restoration.
Where only the document database was restored, while the ACLs, the capability lists and the vault-stored tokens are untouched, users may find that they are authorized to access a document which does not exist in the database because the document has been added after TIMEI, but subsequently lost in the database restore. Since all tokens are up-to-date, no other anomalies will occur.
Another case involves a system in which capability lists are not used, but the ACLs are stored in the application database. Where the document database and the ACL have been restored, while the vault-stored tokens have not, users will find that all documents whose ACL
changed after TIME 1 are inaccessible. This is because the ACL tokens in the application database do not match the tokens stored in the individual owners' vaults. To deal with this, all document originators will have to update the ACLs. One way to do this is for the administrator to send the old ACLs (which were in effect at TIMED to document originators, and ask them to re-install the corresponding tokens in their vaults. This update would be manual, not automatic, and an owner's documents would be inaccessible until the owner has performed the update.
For situations where database inconsistencies must be avoided, the repository administrator may disable access to all documents after a restore, until the originator takes corrective action. This disabling of access may apply to all documents stored in the repository, or to only a subset of the documents, whose consistency is the most critical. In this case, the repository administrator must be relied upon to preserve consistency of the system. However, as described above, the administrator in any case does not have the power to grant or revoke users' access to a document.
In order to minimize the ability of orchestrated attack on the system, it is important to separate the roles between the administrator of the vault server and the corresponding local vault storage, on the one hand, and the database administrator, on the other.
Preferred embodiments of the invention implemented by means of the IBM Vault Registry product have been described. However, it will be obvious to the person skilled in the art that the present invention could be implemented using other products that provide similar functions, such as secure vault-like environments located locally with each user's desktop.
Modifications of this nature and others that would be obvious to the person skilled in the art are intended to be covered by the scope of the appended claims.
Claims (17)
OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A secure electronic data storage and retrieval system, comprising:
a data repository;
a repository manager for managing storage and retrieval of encrypted electronic data of a depositing computer into and out of the data repository;
an agent program of the depositing computer, accessible to the repository manger whether the depositing computer is online or offline, the agent program having means to decrypt, on authentication of a requesting computer, the encrypted electronic data of the depositing computer retrieved from the data repository on request of the requesting computer.
a data repository;
a repository manager for managing storage and retrieval of encrypted electronic data of a depositing computer into and out of the data repository;
an agent program of the depositing computer, accessible to the repository manger whether the depositing computer is online or offline, the agent program having means to decrypt, on authentication of a requesting computer, the encrypted electronic data of the depositing computer retrieved from the data repository on request of the requesting computer.
2. The system, according to claim 1, where the repository manager is further adapted to digitally sign the encrypted electronic data prior to storage in the data repository, and to forward a copy of the signed encrypted data to the agent program of the depositing computer, and wherein the agent program of the depositing computer is adapted to verify against the signed encrypted data, the retrieved encrypted electronic data following decryption.
3. The system, according to claim 1 or 2, wherein the agent program is further adapted to forward the decrypted electronic data to the requesting computer.
4. The system, according to claim 3, wherein the agent program is a secure extension of the depositing computer and is adapted to manage communications between the depositing computer and the repository manager.
5. The system, according to claim 4, further comprising a server having communication links with the repository manager, the depositing computer and the requesting computer, the server housing:
the agent program of the depositing computer;
a second environment comprising a secure extension of the repository manager, said second environment adapted to manage communications to and from other environments on the server with the repository manager; and at least a third environment comprising a secure extension of the requesting computer, said third environment adapted to manage communications to and from other environments on the server with the requesting computer.
the agent program of the depositing computer;
a second environment comprising a secure extension of the repository manager, said second environment adapted to manage communications to and from other environments on the server with the repository manager; and at least a third environment comprising a secure extension of the requesting computer, said third environment adapted to manage communications to and from other environments on the server with the requesting computer.
6. The system, according to claim 4 or 5, wherein the agent program of the depositing computer comprises means to encrypt and digitally sign electronic data received from the depositing computer, and to forward the encrypted electronic data and signature to the repository manager for storage in the data repository.
7. A process for securely authenticating user access to electronic data stored in a data repository managed by a repository manager unrelated to a source of the electronic data, comprising:
associating an access control list of user authorizations with the electronic data when stored in the data repository;
effecting updates to the access control list from the source of the electronic data;
storing the updated access control list with the electronic data stored in the data repository;
storing evidence of the updated access control list at the source of the electronic data and at any user computer to have effected the update; and verifying accuracy of the updated access control list stored with the electronic data in the data repository with the evidence stored at the source before releasing the electronic data to a requesting authorized user.
associating an access control list of user authorizations with the electronic data when stored in the data repository;
effecting updates to the access control list from the source of the electronic data;
storing the updated access control list with the electronic data stored in the data repository;
storing evidence of the updated access control list at the source of the electronic data and at any user computer to have effected the update; and verifying accuracy of the updated access control list stored with the electronic data in the data repository with the evidence stored at the source before releasing the electronic data to a requesting authorized user.
8. The process, according to claim 7, wherein the step of effecting updates to the access control list comprises:
identifying a revision level of the updated access control list; and associating a current time stamp with the updated access control list, and wherein the step of storing evidence comprises:
creating a token of the revision level and current time stamp; and storing the token at every user with access to the electronic data in the data repository.
identifying a revision level of the updated access control list; and associating a current time stamp with the updated access control list, and wherein the step of storing evidence comprises:
creating a token of the revision level and current time stamp; and storing the token at every user with access to the electronic data in the data repository.
9. The process of claim 8, further comprising:
attaching the token to the updated access control list to form a data structure;
digitally signing the data structure; and storing the signed data structure with the updated access control list in the data repository and at the source, and wherein the step of verifying accuracy of the updated access control list comprises:
verifying and decrypting the signed data structure at the source; and comparing the verified data structure with the updated access control list retrieved from the data repository.
attaching the token to the updated access control list to form a data structure;
digitally signing the data structure; and storing the signed data structure with the updated access control list in the data repository and at the source, and wherein the step of verifying accuracy of the updated access control list comprises:
verifying and decrypting the signed data structure at the source; and comparing the verified data structure with the updated access control list retrieved from the data repository.
10. The process of claim 8, wherein the step of storing evidence further comprises:
digitally signing the token; and storing the signed token at the source.
digitally signing the token; and storing the signed token at the source.
11. The process of claim 10, further comprising:
forwarding the digitally signed token to a user authorized by the source to update the access control list; and on presentation of the digitally signed token by the user authorized to update the access control list, verifying the token signature at the source; and comparing the verified token with the revision level and current time stamp associated with the updated access control list retrieved from the data repository.
forwarding the digitally signed token to a user authorized by the source to update the access control list; and on presentation of the digitally signed token by the user authorized to update the access control list, verifying the token signature at the source; and comparing the verified token with the revision level and current time stamp associated with the updated access control list retrieved from the data repository.
12. A process for secure storage and retrieval of electronic data in a remote data repository, comprising:
digitally signing the electronic data at source;
encrypting the electronic data at the source;
forwarding the encrypted electronic data to the data repository;
digitally signing the encrypted electronic data at the data repository to produce a deposit receipt;
storing the encrypted electronic data and deposit receipt in the data repository; and returning a copy of the deposit receipt to the source.
digitally signing the electronic data at source;
encrypting the electronic data at the source;
forwarding the encrypted electronic data to the data repository;
digitally signing the encrypted electronic data at the data repository to produce a deposit receipt;
storing the encrypted electronic data and deposit receipt in the data repository; and returning a copy of the deposit receipt to the source.
13. The process, according to claim 12, further comprising:
receiving a request from a requesting user, for access to the stored electronic data;
retrieving the encrypted electronic data and forwarding the retrieved data to the source;
verifying the requesting user as authorized to access the electronic data; and if verified, decrypting the retrieved data.
receiving a request from a requesting user, for access to the stored electronic data;
retrieving the encrypted electronic data and forwarding the retrieved data to the source;
verifying the requesting user as authorized to access the electronic data; and if verified, decrypting the retrieved data.
14. The process, according to claim 13, further comprising:
associating an access control list of user authorizations with the electronic data when stored in the data repository;
effecting updates to the access control list from the source of the electronic data;
storing the updated access control list with the electronic data stored in the data repository;
and storing evidence of the updated access control list at the source and at every user with authorized access to the electronic data in the data repository.
associating an access control list of user authorizations with the electronic data when stored in the data repository;
effecting updates to the access control list from the source of the electronic data;
storing the updated access control list with the electronic data stored in the data repository;
and storing evidence of the updated access control list at the source and at every user with authorized access to the electronic data in the data repository.
15. The process, according to claim 14, wherein the step of verifying the requesting user as authorized comprises locating the requesting user on the updated access control list.
16. The process, according to claim 15, further comprising the step of verifying accuracy of the updated access control list stored with the electronic data in the data repository with the evidence stored at the source before releasing the electronic data to the requesting user.
17. A computer-readable memory for storing the instructions for use in the execution in a computer of any one of the processes of claims 7 to 16.
Priority Applications (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002256934A CA2256934C (en) | 1998-12-23 | 1998-12-23 | System for electronic repository of data enforcing access control on data retrieval |
| JP31630999A JP3640338B2 (en) | 1998-12-23 | 1999-11-08 | Secure electronic data storage and retrieval system and method |
| KR1019990050520A KR100339188B1 (en) | 1998-12-23 | 1999-11-15 | System for electronic repository of data enforcing access control on data retrieval |
| US09/459,239 US6839843B1 (en) | 1998-12-23 | 1999-12-10 | System for electronic repository of data enforcing access control on data retrieval |
| DE19960977A DE19960977B4 (en) | 1998-12-23 | 1999-12-17 | System for an electronic data archive with enforcement of access control during data retrieval |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002256934A CA2256934C (en) | 1998-12-23 | 1998-12-23 | System for electronic repository of data enforcing access control on data retrieval |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2256934A1 CA2256934A1 (en) | 2000-06-23 |
| CA2256934C true CA2256934C (en) | 2002-04-02 |
Family
ID=4163117
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002256934A Expired - Lifetime CA2256934C (en) | 1998-12-23 | 1998-12-23 | System for electronic repository of data enforcing access control on data retrieval |
Country Status (5)
| Country | Link |
|---|---|
| US (1) | US6839843B1 (en) |
| JP (1) | JP3640338B2 (en) |
| KR (1) | KR100339188B1 (en) |
| CA (1) | CA2256934C (en) |
| DE (1) | DE19960977B4 (en) |
Families Citing this family (92)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2256936C (en) * | 1998-12-23 | 2002-04-02 | Hamid Bacha | System for electronic repository of data enforcing access control on data search and retrieval |
| US20020029339A1 (en) * | 2000-02-28 | 2002-03-07 | Rick Rowe | Method and apparatus for facilitating monetary and commercial transactions and for securely storing data |
| US7363633B1 (en) * | 2000-04-24 | 2008-04-22 | Microsoft Corporation | Registering and storing dependencies among applications and objects in a computer system and communicating the dependencies to a recovery or backup service |
| KR20000063706A (en) * | 2000-07-31 | 2000-11-06 | 이동기 | Data security method using security key algorithm in computer storage |
| JP2002063167A (en) * | 2000-08-16 | 2002-02-28 | Fuji Xerox Co Ltd | Method and device for managing object |
| JP2002083080A (en) * | 2000-09-08 | 2002-03-22 | Toyo Commun Equip Co Ltd | Electronic notarization system |
| US7200869B1 (en) * | 2000-09-15 | 2007-04-03 | Microsoft Corporation | System and method for protecting domain data against unauthorized modification |
| FR2820848B1 (en) * | 2001-02-13 | 2003-04-11 | Gemplus Card Int | DYNAMIC MANAGEMENT OF LIST OF ACCESS RIGHTS IN A PORTABLE ELECTRONIC OBJECT |
| DE60227247D1 (en) | 2001-02-22 | 2008-08-07 | Bea Systems Inc | SYSTEM AND METHOD FOR ENCRYPTING MESSAGES AND REGISTERING IN A TRANSACTION PROCESSING SYSTEM |
| US7085811B2 (en) * | 2001-03-27 | 2006-08-01 | Pitney Bowes Inc. | Sender elected messaging services |
| BR0211184A (en) * | 2001-06-07 | 2004-08-10 | Contentguard Holdings Inc | Method for managing access and resource use by verifying conditions and conditions for use with resources |
| DE10131464B4 (en) * | 2001-06-29 | 2006-04-20 | Bayer Industry Services Gmbh & Co. Ohg | Process for the low-corrosive and low-emission co-incineration of highly halogenated waste in waste incineration plants |
| US20030065792A1 (en) * | 2001-09-28 | 2003-04-03 | Clark Gregory Scott | Securing information in a design collaboration and trading partner environment |
| US7068309B2 (en) * | 2001-10-09 | 2006-06-27 | Microsoft Corp. | Image exchange with image annotation |
| US7383232B2 (en) * | 2001-10-24 | 2008-06-03 | Capital Confirmation, Inc. | Systems, methods and computer program products facilitating automated confirmations and third-party verifications |
| US7831488B2 (en) * | 2001-10-24 | 2010-11-09 | Capital Confirmation, Inc. | Systems, methods and computer readable medium providing automated third-party confirmations |
| DE10211023C1 (en) * | 2002-03-13 | 2003-10-30 | Siemens Ag | Document protection method for archive system using storage of corresponding descriptor document protected by archive signature |
| US7146367B2 (en) * | 2002-05-14 | 2006-12-05 | Advectis, Inc. | Document management system and method |
| US20030226024A1 (en) * | 2002-06-04 | 2003-12-04 | Qwest Communications International Inc. | Secure internet documents |
| US7904720B2 (en) * | 2002-11-06 | 2011-03-08 | Palo Alto Research Center Incorporated | System and method for providing secure resource management |
| US7454622B2 (en) | 2002-12-31 | 2008-11-18 | American Express Travel Related Services Company, Inc. | Method and system for modular authentication and session management |
| DE10307996B4 (en) * | 2003-02-25 | 2011-04-28 | Siemens Ag | Method for encrypting and decrypting data by different users |
| US20040199787A1 (en) * | 2003-04-02 | 2004-10-07 | Sun Microsystems, Inc., A Delaware Corporation | Card device resource access control |
| US8176320B1 (en) * | 2003-09-11 | 2012-05-08 | Voice Signals Llc | System and method for data access and control |
| US7263685B2 (en) * | 2003-09-12 | 2007-08-28 | Intel Corporation | Synchronizing use of a device by multiple software components in accordance with information stored at the device |
| JP2005108063A (en) * | 2003-10-01 | 2005-04-21 | Hitachi Ltd | Electronic local government shared server using encryption data converter, and electronic local government terminal using encryption data decoding device |
| GB0400270D0 (en) * | 2004-01-07 | 2004-02-11 | Nokia Corp | A method of authorisation |
| US7499913B2 (en) | 2004-01-26 | 2009-03-03 | International Business Machines Corporation | Method for handling anchor text |
| US8296304B2 (en) | 2004-01-26 | 2012-10-23 | International Business Machines Corporation | Method, system, and program for handling redirects in a search engine |
| US7293005B2 (en) | 2004-01-26 | 2007-11-06 | International Business Machines Corporation | Pipelined architecture for global analysis and index building |
| US7424467B2 (en) * | 2004-01-26 | 2008-09-09 | International Business Machines Corporation | Architecture for an indexer with fixed width sort and variable width sort |
| US7720817B2 (en) | 2004-02-04 | 2010-05-18 | Netapp, Inc. | Method and system for browsing objects on a protected volume in a continuous data protection system |
| US7426617B2 (en) | 2004-02-04 | 2008-09-16 | Network Appliance, Inc. | Method and system for synchronizing volumes in a continuous data protection system |
| US7315965B2 (en) | 2004-02-04 | 2008-01-01 | Network Appliance, Inc. | Method and system for storing data using a continuous data protection system |
| US7783606B2 (en) | 2004-02-04 | 2010-08-24 | Netapp, Inc. | Method and system for remote data recovery |
| US7904679B2 (en) | 2004-02-04 | 2011-03-08 | Netapp, Inc. | Method and apparatus for managing backup data |
| US7827603B1 (en) * | 2004-02-13 | 2010-11-02 | Citicorp Development Center, Inc. | System and method for secure message reply |
| US20050289016A1 (en) * | 2004-06-15 | 2005-12-29 | Cay Horstmann | Personal electronic repository |
| EP1612636A1 (en) * | 2004-07-01 | 2006-01-04 | Tecnostore AG | Method for archiving data with automatic encryption and decryption |
| US20060026286A1 (en) * | 2004-07-06 | 2006-02-02 | Oracle International Corporation | System and method for managing user session meta-data in a reverse proxy |
| US20060010323A1 (en) * | 2004-07-07 | 2006-01-12 | Xerox Corporation | Method for a repository to provide access to a document, and a repository arranged in accordance with the same method |
| CA2574885A1 (en) * | 2004-07-23 | 2006-02-02 | Privit, Inc. | Privacy compliant consent and data access management system and method |
| US8028135B1 (en) | 2004-09-01 | 2011-09-27 | Netapp, Inc. | Method and apparatus for maintaining compliant storage |
| US7461064B2 (en) * | 2004-09-24 | 2008-12-02 | International Buiness Machines Corporation | Method for searching documents for ranges of numeric values |
| JP4551172B2 (en) * | 2004-09-29 | 2010-09-22 | 富士通株式会社 | Electronic document storage device, program, and electronic document reference device |
| EP1643402A3 (en) * | 2004-09-30 | 2007-01-10 | Sap Ag | Long-term authenticity proof of electronic documents |
| US7664751B2 (en) * | 2004-09-30 | 2010-02-16 | Google Inc. | Variable user interface based on document access privileges |
| US7603355B2 (en) | 2004-10-01 | 2009-10-13 | Google Inc. | Variably controlling access to content |
| US7774610B2 (en) | 2004-12-14 | 2010-08-10 | Netapp, Inc. | Method and apparatus for verifiably migrating WORM data |
| DE102005011166A1 (en) * | 2005-03-09 | 2006-09-14 | Bundesdruckerei Gmbh | Computer system and method for signing, signature verification and / or archiving |
| US7484657B2 (en) * | 2005-07-14 | 2009-02-03 | International Business Machines Corporation | On-demand physically secure data storage |
| US8417693B2 (en) * | 2005-07-14 | 2013-04-09 | International Business Machines Corporation | Enforcing native access control to indexed documents |
| US20070027841A1 (en) * | 2005-07-26 | 2007-02-01 | Williams Michael G | Messaging middleware dynamic, continuous search and response agent system |
| US7784087B2 (en) | 2005-08-04 | 2010-08-24 | Toshiba Corporation | System and method for securely sharing electronic documents |
| US20070073816A1 (en) * | 2005-09-28 | 2007-03-29 | Shruti Kumar | Method and system for providing increased information and improved user controls for electronic mail return receipts |
| US9258125B2 (en) | 2005-10-06 | 2016-02-09 | International Business Machines Corporation | Generating evidence of web services transactions |
| US8307406B1 (en) | 2005-12-28 | 2012-11-06 | At&T Intellectual Property Ii, L.P. | Database application security |
| US9942271B2 (en) * | 2005-12-29 | 2018-04-10 | Nextlabs, Inc. | Information management system with two or more interactive enforcement points |
| US8621549B2 (en) | 2005-12-29 | 2013-12-31 | Nextlabs, Inc. | Enforcing control policies in an information management system |
| US8677499B2 (en) * | 2005-12-29 | 2014-03-18 | Nextlabs, Inc. | Enforcing access control policies on servers in an information management system |
| US8627490B2 (en) * | 2005-12-29 | 2014-01-07 | Nextlabs, Inc. | Enforcing document control in an information management system |
| US7752401B2 (en) | 2006-01-25 | 2010-07-06 | Netapp, Inc. | Method and apparatus to automatically commit files to WORM status |
| US9118656B2 (en) * | 2006-01-26 | 2015-08-25 | Imprivata, Inc. | Systems and methods for multi-factor authentication |
| US7961076B2 (en) * | 2006-02-28 | 2011-06-14 | International Business Machines Corporation | Methods and apparatuses for remote control of vehicle devices and vehicle lock-out notification |
| US8949933B2 (en) * | 2006-08-15 | 2015-02-03 | International Business Machines Corporation | Centralized management of technical records across an enterprise |
| JP4419102B2 (en) | 2007-09-03 | 2010-02-24 | 富士ゼロックス株式会社 | Information management apparatus, information management system, and information management program |
| US20090100109A1 (en) * | 2007-10-16 | 2009-04-16 | Microsoft Corporation | Automatic determination of item replication and associated replication processes |
| US8015149B1 (en) | 2008-01-15 | 2011-09-06 | Adobe Systems Incorporated | Asset repository |
| US7758047B2 (en) * | 2008-03-18 | 2010-07-20 | Colas Sean J | Word game using stylized letters that share at least one common side |
| GB2461344A (en) * | 2008-07-04 | 2010-01-06 | Canford Audio Plc | Secure recording of interviews using a hashed algorithm to produce an authentication code |
| US8332359B2 (en) * | 2008-07-28 | 2012-12-11 | International Business Machines Corporation | Extended system for accessing electronic documents with revision history in non-compatible repositories |
| US8782086B2 (en) * | 2009-08-27 | 2014-07-15 | Cleversafe, Inc. | Updating dispersed storage network access control information |
| US8510185B2 (en) | 2011-06-27 | 2013-08-13 | Capital Confirmation, Inc. | Systems and methods for obtaining automated third-party audit confirmations including client physical signatures, pin access, and multiple responders |
| US8484105B2 (en) * | 2011-06-27 | 2013-07-09 | Capital Confirmation, Inc. | System and method for providing business audit responses from legal professional |
| US8543475B2 (en) | 2011-06-27 | 2013-09-24 | Capital Confirmation, Inc. | System and method for obtaining automated third-party confirmations in receivables factoring |
| US8856530B2 (en) | 2011-09-21 | 2014-10-07 | Onyx Privacy, Inc. | Data storage incorporating cryptographically enhanced data protection |
| CN103023862A (en) * | 2011-09-21 | 2013-04-03 | 索尼公司 | Method, server and system used for integrity protection and authentication |
| US20130091562A1 (en) * | 2011-10-05 | 2013-04-11 | Hitachi, Ltd. | Computer |
| US9542536B2 (en) | 2012-01-13 | 2017-01-10 | Microsoft Technology Licensing, Llc | Sustained data protection |
| US11861696B1 (en) | 2013-02-14 | 2024-01-02 | Capital Confirmation, Inc. | Systems and methods for obtaining accountant prepared financial statement confirmation |
| NL2010454C2 (en) * | 2013-03-14 | 2014-09-16 | Onlock B V | A method and system for authenticating and preserving data within a secure data repository. |
| US9465800B2 (en) * | 2013-10-01 | 2016-10-11 | Trunomi Ltd. | Systems and methods for sharing verified identity documents |
| KR102224470B1 (en) * | 2013-12-26 | 2021-03-09 | 주식회사 케이티 | Method and system for managing genetic data providing read selectively about personal genetic encryption data |
| WO2016100920A1 (en) * | 2014-12-18 | 2016-06-23 | Bittorrent, Inc. | Distributed device management and directory resolution |
| ES2858553T3 (en) * | 2015-04-16 | 2021-09-30 | Trunomi Ltd | Systems and methods for electronically sharing private documents using pointers |
| EP3329397A4 (en) * | 2015-07-27 | 2019-05-01 | Doring, Simon | A non-hierarchical binary modular system for the organisation, storage, delivery and management of content in multiple locatable private networks on an overarching platform |
| KR101975120B1 (en) | 2017-12-08 | 2019-08-23 | 안종원 | Strip separation device for label sheet a manufacture |
| CN108717426B (en) * | 2018-05-04 | 2021-01-05 | 苏州朗动网络科技有限公司 | Enterprise data updating method and device, computer equipment and storage medium |
| US11113258B2 (en) | 2019-05-08 | 2021-09-07 | Bank Of America Corporation | Artificially-intelligent, continuously-updating, centralized-database-identifier repository system |
| US20210352077A1 (en) * | 2020-05-05 | 2021-11-11 | International Business Machines Corporation | Low trust privileged access management |
| US20230297702A1 (en) * | 2022-03-16 | 2023-09-21 | UserClouds, Inc. | Token generation and management |
| CN115459929A (en) * | 2022-09-06 | 2022-12-09 | 中国建设银行股份有限公司 | Security verification method, apparatus, electronic device, system, medium, and product |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5491750A (en) * | 1993-12-30 | 1996-02-13 | International Business Machines Corporation | Method and apparatus for three-party entity authentication and key distribution using message authentication codes |
| JP3498268B2 (en) | 1994-09-14 | 2004-02-16 | 日本電信電話株式会社 | Document communication management method |
| US5629980A (en) | 1994-11-23 | 1997-05-13 | Xerox Corporation | System for controlling the distribution and use of digital works |
| US5615268A (en) * | 1995-01-17 | 1997-03-25 | Document Authentication Systems, Inc. | System and method for electronic transmission storage and retrieval of authenticated documents |
| US5748738A (en) * | 1995-01-17 | 1998-05-05 | Document Authentication Systems, Inc. | System and method for electronic transmission, storage and retrieval of authenticated documents |
| CA2202118A1 (en) * | 1996-04-29 | 1997-10-29 | Mitel Corporation | Protected persistent storage access for mobile applications |
| US6526512B1 (en) | 1996-05-20 | 2003-02-25 | Ncr Corporation | Access key codes for computer resources |
| US6181336B1 (en) * | 1996-05-31 | 2001-01-30 | Silicon Graphics, Inc. | Database-independent, scalable, object-oriented architecture and API for managing digital multimedia assets |
| TW313642B (en) | 1996-06-11 | 1997-08-21 | Ibm | A uniform mechanism for using signed content |
| US6105131A (en) * | 1997-06-13 | 2000-08-15 | International Business Machines Corporation | Secure server and method of operation for a distributed information system |
-
1998
- 1998-12-23 CA CA002256934A patent/CA2256934C/en not_active Expired - Lifetime
-
1999
- 1999-11-08 JP JP31630999A patent/JP3640338B2/en not_active Expired - Fee Related
- 1999-11-15 KR KR1019990050520A patent/KR100339188B1/en not_active IP Right Cessation
- 1999-12-10 US US09/459,239 patent/US6839843B1/en not_active Expired - Lifetime
- 1999-12-17 DE DE19960977A patent/DE19960977B4/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| KR100339188B1 (en) | 2002-05-31 |
| US6839843B1 (en) | 2005-01-04 |
| CA2256934A1 (en) | 2000-06-23 |
| KR20000047640A (en) | 2000-07-25 |
| JP2000200209A (en) | 2000-07-18 |
| DE19960977B4 (en) | 2007-07-26 |
| JP3640338B2 (en) | 2005-04-20 |
| DE19960977A1 (en) | 2000-07-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2256934C (en) | System for electronic repository of data enforcing access control on data retrieval | |
| US6950943B1 (en) | System for electronic repository of data enforcing access control on data search and retrieval | |
| US11074357B2 (en) | Integration of a block chain, managing group authority and access in an enterprise environment | |
| US6738907B1 (en) | Maintaining a soft-token private key store in a distributed environment | |
| JP4853939B2 (en) | Offline access in document control systems | |
| CN111800268A (en) | Zero knowledge proof for block chain endorsements | |
| JP2007511821A (en) | Distributed document version control | |
| US11841957B2 (en) | Implementation of a file system on a block chain | |
| US20220141014A1 (en) | Storing secret data on a blockchain | |
| GB2598296A (en) | Digital storage and data transport system | |
| US11263333B2 (en) | Multi-subject device access authorization | |
| GB2485284A (en) | Distributing digital objects to specific target systems using target system identifiers. | |
| Li | Secured cloud storage scheme based on blockchain | |
| US20230107805A1 (en) | Security System | |
| Kowalski | CRYPTOBOX V2. | |
| Gawande et al. | A Survey of Various Security Management Models for Cloud Computing Storage Systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20181224 |
|
| MKEX | Expiry |
Effective date: 20181224 |