Claims
- 1. A method for evaluating an access right, the method comprising:
receiving a set of access rules associated with a secured file; obtaining respective rule items from the access rules; obtaining respective parameters corresponding to the rule items; comparing the parameters and the rule items, respectively; granting the access right if the comparing of the parameters and the rule items is considered successful; and denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- 2. The method as recited in claim 1, wherein the receiving of the set of access rules associated with the secured file comprises:
activating a user key associated with a user attempting to access the secured file after the user has been authenticated; and decrypting, with the user key, security information that is encrypted and associated with the secured file, to retrieve the access rules.
- 3. The method as recited in claim 2, wherein the set of access rules is expressed in a descriptive language.
- 4. The method as recited in claim 3, wherein the descriptive language is a markup language.
- 5. The method as recited in claim 3, wherein the markup language is selected from a group consisting of XACML, HTML, XML and SGML.
- 6. The method as recited in claim 2, wherein the rule items in the access rules jointly define how the secured file can be accessed.
- 7. The method as recited in claim 6, wherein one or more of the rule items in the access rules define when and by whom the secured file can be accessed.
- 8. The method as recited in claim 6, wherein at least one of the rule items in the access rules defines what application or application type the secured file can be accessed with.
- 9. The method as recited in claim 6, wherein at least one of the rule items in the access rules defines who or what group the secured file can be accessed by.
- 10. The method as recited in claim 2, wherein each of the respective parameters corresponding to the rule items is associated with a system providing logic information to each of the respective parameters.
- 11. The method as recited in claim 10, wherein at least one of the respective parameters is a user identifier identifying the user, another one of the respective parameters is an application identifier identifying what application being activated to access the secured file, and still another one of the respective parameters indicates a current time.
- 12. The method as recited in claim 11, wherein the comparing of the parameters and the rule items comprises comparing each of the rule items logically with one of the respective parameters.
- 13. The method as recited in claim 12, wherein the comparing of the each of the rule items logically with that one of the respective parameters comprises:
(a) producing a successful logic when the one of the respective parameters is within a definition defined by the each of the rule items; (b) producing a failure logic when the one of the respective parameters is not within or is beyond the definition defined by the each of the rule items; and (c) repeating, respectively, (a) and (b) till each of the rule items is respectively tested against one of the respective parameters.
- 14. The method as recited in claim 13, wherein the comparing of the parameters and the rule items is considered successful when the successful logic is produced every time (a) is carried out.
- 15. The method as recited in claim 13, wherein the comparing of the parameters and the rule items is considered unsuccessful when the failure logic is produced from (b).
- 16. The method as recited in claim 10, wherein the system is one of (i) a client machine, (ii) a server machine and (iii) a combination of the client machine and the server machine.
- 17. The method as recited in claim 1, wherein the parameters are imposed upon a user attempting to access the secured file by a system in which the secured file resides or is downloaded.
- 18. An apparatus for evaluating an access right, the apparatus comprising:
a memory store for storing an executable module; a processor, coupled to the memory store and when executing the executable module, causing the processor to perform operations of: receiving a set of access rules originally embedded in a secured file; obtaining respective rule items from the access rules; obtaining respective parameters corresponding to the rule items; comparing the parameters and the rule items, respectively; granting the access right if the comparing of the parameters and the rule items is considered successful; and denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- 19. The apparatus as recited in claim 18 is a client machine operating an operating system.
- 20. The apparatus as recited in claim 19, wherein the operating system is one of (i) Windows operating system, (ii) Mac OS, (iii) Linux and (iv) Unix.
- 21. The apparatus as recited in claim 18, wherein the executable module is embedded in the operating system and executed by the processor only when the secured file is being accessed.
- 22. The apparatus as recited in claim 18, wherein the executable module, when executed by the processor, operates in the operating system and intercepts the secured file when data representing the secured file is being loaded to an application executed by a user to access the secured file.
- 23. The apparatus as recited in claim 19, wherein the executable module operates transparently to the user.
- 24. The apparatus as recited in claim 22, wherein the executable module retrieves the set of access rules from security information encrypted and associated with the secured file.
- 25. The apparatus as recited in claim 24, wherein the set of access rules is expressed in a descriptive language.
- 26. The apparatus as recited in claim 25, wherein the descriptive language is a markup language.
- 27. The apparatus as recited in claim 18, wherein the rule items in the access rules jointly define how the secured file can be accessed.
- 28. The apparatus as recited in claim 27, wherein one or more of the rule items in the access rules define when and by whom the secured file can be accessed.
- 29. The apparatus as recited in claim 27, wherein at least one of the rule items in the access rules defines what application or application type the secured file can be accessed with.
- 30. The apparatus as recited in claim 27, wherein at least one of the rule items in the access rules defines who or what group the secured file can be accessed by.
- 31. The apparatus as recited in claim 18, wherein at least one of the respective parameters is a user identifier identifying the user, one of the respective parameters is an application identifier identifying what application being activated to access the secured file, another one of the respective parameters indicates a current time.
- 32. The apparatus as recited in claim 31, wherein the comparing of the parameters and the rule items comprises comparing each of the rule items logically with one of the respective parameters.
- 33. The apparatus as recited in claim 32, wherein the comparing of the each of the rule items logically with that one of the respective parameters comprises:
(a) producing a successful logic when the one of the respective parameters is within a definition defined by the each of the rule items; (b) producing a fail logic when the one of the respective parameters is not within or is beyond the definition defined by the each of the rule items; and (c) repeating, respectively, (a) and (b) till each of the rule items is respectively tested against one of the respective parameters.
- 34. The apparatus as recited in claim 33, wherein the comparing of the parameters and the rule items is considered successful when the success logic is produced every time (a) is carried out.
- 35. The apparatus as recited in claim 33, wherein the comparing of the parameters and the rule items is considered unsuccessful when the fail logic is produced from (b).
- 36. The apparatus as recited in claim 35, wherein the executable module retrieves a file key from the secured file and activates a cipher module to decrypt an encrypted data portion in the secured file with the file key.
- 37. A method for evaluating an access right, the method comprising:
obtaining a system rule set and an access rule set, wherein the access rule set is associated with the secured file; evaluating, respectively, each of items in the system rule set and the access rule set; granting the access right if the evaluating of each of the items in the system rule set and the access rule set produces a logic pass; and denying the access right if the evaluating of one of the items in the system rule set or the access rule set produces a logic failure.
- 38. The method as recited in claim 35, wherein the secured file includes a header and an encrypted data portion; and wherein the obtaining of the system rule set and the access rule set comprises decrypting security information in the header to obtain the access rule set therein.
- 39. The method as recited in claim 38 further comprising:
intercepting a file being requested by a user; and determining if the file is secured or non-secured.
- 40. The method as recited in claim 39 further comprising:
retrieving a file key from the header after the access right is granted; and decrypting the encrypted data portion with the file key.
- 41. A method for evaluating an access right, the method comprising:
obtaining a first system rule set and a second system rule set; determining if one of the first and second system rule sets has a property of overriding other system rule sets; if one of the first and second system rule sets has a property of overriding other system rule sets,
obtaining rule items from the one of the first and second system rule; obtaining respective parameters corresponding to the rule items; comparing the parameters and the rule items, respectively; granting the access right if the comparing of the parameters and the rule items is considered successful; and denying the access right if the comparing of the parameters and the rule items is considered unsuccessful; if one of the first and second system rule sets does not have a property of overriding other system rule sets,
obtaining respective rule items from the first and second system rule sets; obtaining respective parameters corresponding to the rule items of the first and second system rule sets; comparing the parameters and the rule items of the first and second system rule sets, respectively; granting the access right if the comparing of the parameters and the rule items is considered successful; and denying the access right if the comparing of the parameters and the rule items is considered unsuccessful.
- 42. The method as recited in claim 41, wherein the first system rule set is deployed at a first level in a system and the second system rule set is deployed at a second level in the system.
- 43. The method as recited in claim 42, wherein the first level is not identical to the second level.
- 44. The method as recited in claim 43, wherein the first level is identical to the second level.
- 45. The method as recited in claim 41, wherein the one of the first and second system rule sets that has a property of overriding other system rule sets is deployed by a system operator or a user with higher access privilege than that of other users.
- 46. The method as recited in claim 41, wherein the first and second system rule sets are expressed either in binary data or a descriptive language.
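The following sketch is an added illustration, not part of the patent text, of the evaluation logic recited in claims 11 to 15, 37 and 41: each rule item is tested against a system-supplied parameter, any failure denies, and an overriding system rule set is evaluated in place of the others. Class, function and rule names and all sample values are hypothetical; denying on an empty rule set or a missing parameter, and applying the claim 41 selection before the claim 37 check, are assumptions of this example that the claims do not state.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

@dataclass(frozen=True)
class RuleItem:
    name: str
    test: Callable[[dict], bool]  # True when the parameter is within the item's definition

@dataclass(frozen=True)
class RuleSet:
    items: tuple = ()
    overrides: bool = False  # claim 41: this set overrides other system rule sets

def evaluate(items, params):
    """Claims 13-15: test each item in turn; the first failure denies."""
    if not items:
        return False, "empty-rule-set"  # assumption: nothing to satisfy means deny
    for item in items:
        try:
            ok = item.test(params)
        except (KeyError, TypeError):
            ok = False  # assumption: a missing parameter fails closed
        if not ok:
            return False, item.name
    return True, None

def system_items(first, second):
    """Claim 41: an overriding set is evaluated alone, otherwise both apply."""
    for rule_set in (first, second):
        if rule_set.overrides:
            return rule_set.items
    return first.items + second.items

def access_right(first, second, access, params):
    """Claim 37: every system item and every access item must pass."""
    return evaluate(system_items(first, second) + access.items, params)

# Constructed sample rules and parameters; none of these values come from the patent.
ACCESS = RuleSet((
    RuleItem("group", lambda p: p["group"] in {"engineering"}),
    RuleItem("application", lambda p: p["app"] == "viewer.exe"),
    RuleItem("time", lambda p: datetime(2002, 4, 1) <= p["now"] < datetime(2002, 5, 1)),
))
SITE = RuleSet((RuleItem("workday-hours", lambda p: 8 <= p["now"].hour < 18),))
HOST = RuleSet((RuleItem("active-user", lambda p: p["user"] != "suspended-user"),))
ADMIN = RuleSet(HOST.items, overrides=True)
LATE = {"user": "alice", "group": "engineering", "app": "viewer.exe",
        "now": datetime(2002, 4, 15, 22, 0)}
print(access_right(SITE, HOST, ACCESS, LATE), access_right(SITE, ADMIN, ACCESS, LATE))
```

The second call shows the practical consequence of the override property: a rule set flagged as overriding silently removes the other system rule set's constraints from the decision, so who may deploy such a set (claim 45) matters as much as the rules themselves.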
CROSS-REFERENCE TO RELATED APPLICATION
[0001] This application is a continuation-in-part of U.S. patent application Ser. No. 10/076,254, filed Feb. 12, 2002, and entitled “Method and Architecture for Providing Pervasive Security to Digital Assets”, which claims the benefits of U.S. Provisional Application No. 60/339,634, filed Dec. 12, 2001, and entitled “Pervasive Security Systems,” both of which are hereby incorporated by reference for all purposes.
Provisional Applications (1)

| Number | Date | Country |
|---|---|---|
| 60339634 | Dec 2001 | US |

Continuation in Parts (1)

| | Number | Date | Country |
|---|---|---|---|
| Parent | 10076254 | Feb 2002 | US |
| Child | 10127109 | Apr 2002 | US |