The invention provides for encrypting electronic information such as a document so that only users with permission may access the document in decrypted form. The process of encrypting the information includes selecting a set of policies as to who may access the information and under what conditions. A remote server stores a unique identifier for the information and associates an encryption/decryption key pair and access policies with the information. Software components residing on the author's computer retrieve the encryption key from the remote server, encrypt the information, and store the encrypted information at a location chosen by the author. A user wishing to access the information acquires the encrypted information electronically. Software components residing on the viewing user's computer retrieve the associated decryption key and policies, decrypt the information to the extent authorized by the policies, and immediately delete the decryption key from the viewing user's computer upon decrypting the information and rendering the clear text to the viewing user's computer screen. The software components are also capable of prohibiting functional operations by the viewing user's computer while the clear text is being viewed.
|
2. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location from a key server, a decryption key for the segment;
immediately decrypting the segment with the decryption key after said receiving;
immediately destroying the decryption key after to said decrypting; and
defending the decryption key at the user location when the decryption key is resident at the user location; wherein said receiving, said immediately decrypting and said immediately destroying only permit the decryption key to be resident at the user location for a brief moment in time, and said defending resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
3. A method of controlling distribution of a segment of encrypted electronic information, comprising:
attempting to access the segment at a user location;
requesting from the user location to the key server a decryption key for the segment;
receiving, at a user location from a key server, a the decryption key for the segment;
decrypting the segment with the decryption key in response to said receiving;
destroying the decryption key in response to said decrypting; and defending the decryption key at the user location when the decryption key is resident at the user location; wherein processing between and including said receiving and said destroying occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capture of the decryption key during the moment.
7. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to:
receive, at a user location from a key server, a decryption key for the segment;
immediately decrypt the segment with the decryption key after said receiving;
immediately destroy the decryption key after said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein the decryption key will only be resident at the user location for a brief moment in time, and said defend the key resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
4. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location from a key server, a decryption key for the segment;
immediately decrypting the segment into clear text with the decryption key after said receiving;
immediately rendering said clear text on a display;
immediately destroying the decryption key after one of said decrypting and said rendering; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein said receiving, said immediately decrypting and said immediately destroying only permit the decryption key to be resident at the user location for a brief moment in time, and said defending resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
9. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to:
receive, at a user location from a key server, a decryption key for the segment;
immediately decrypt the segment into clear text with the decryption key after said receiving;
immediately render said clear text on a display;
immediately destroy the decryption key in response to one of said decrypting and said rendering; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein the decryption key will only be resident at the user location for a brief moment in time, and said defend resists capture of the decryption key during the brief moment in time, such that it is difficult to improperly capture the decryption key at the user location.
8. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to:
attempt to access the segment at a user location;
request from the user location to the key server a decryption key for the segment;
receive, at a user location from a key server, a the decryption key for the segment;
decrypt the segment with the decryption key in response to said receiving;
destroy the decryption key in response to said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location; wherein said instructions require computer processing between and including said receive and said destroy to occur with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend resists capture of the decryption key during the moment.
5. A method of controlling distribution of a segment of encrypted electronic information, comprising:
attempting to access the segment at a user location, including receiving, at a the user location, a user code and an identification of the segment;
transmitting, in response to the attempting to access, the user code and the identification to a server;
receiving, at a user location from a key server, a decryption key for the segment in response to the user code representing a user authorized to view the segment;
decrypting the segment with the decryption key in response to said receiving;
destroying the decryption key in response to said decrypting; and
defending the decryption key at the user location when the decryption key is resident at the user location; wherein a processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capturing of the decryption key during the moment.
1. A method of controlling distribution of a segment of encrypted electronic information, comprising:
receiving, at a user location, a user code and an identification of the segment;
transmitting the user code and the identification from the user location to a key server;
receiving, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
decrypting the segment with the decryption key into clear text in response to said receiving;
destroying the decryption key in response to said decrypting;
rendering the clear text;
limiting access to the clear text consistent with the at least one access policy; and
defending the decryption key at the user location when the decryption key is resident at the user location;
wherein a processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defending resists capturing of the decryption key during the moment.
10. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to:
receive attempt to access the segment at a user location, including receiving, at a user location, a user code and an identification of the segment;
transmit, in response to the attempt to access, the user code and the identification to a server; receive, at a user location from a key server, a decryption key for the segment in response to the user code representing a user authorized to view the segment;
decrypt the segment with the decryption key in response to said receiving;
destroy the decryption key in response to said decrypting; and
defend the decryption key at the user location when the decryption key is resident at the user location; wherein said instructions require that computer processing between and including said receiving the decryption key and said destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend resists capturing of the decryption key during the moment.
0. 11. A system for controlling distribution of a segment of encrypted electronic information, comprising:
means for receiving, at a user location, a user code and an identification of the segment;
means for transmitting the user code and the identification of the segment from the user location to a key server;
means for receiving, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
means for decrypting the segment with the decryption key into clear text in response to said receiving;
means for destroying the decryption key in response to said decrypting;
means for rendering the clear text;
means for limiting access to the clear text consistent with the at least one access policy; and
means for defending the decryption key at the user location when the decryption key is resident at the user location;
wherein a time between operations performed by and including said means for receiving the decryption key and said means for destroying the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said means for defending resists capturing of the decryption key during the moment.
6. A system for controlling access to a segment of encrypted electronic content, comprising:
a computer readable medium containing instructions designed to operate in conjunction with computer hardware and other computer software to:
receive, at a user location, a user code and an identification of the segment;
transmit the user code and the identification from the user location to a key server;
receive, at a user location from a key server in response to the user code representing a user authorized to view the segment, a decryption key for the segment and at least one access policy associated with the segment;
decrypt the segment with the decryption key into clear text in response to said receiving;
destroy the decryption key in response to said decrypting;
render the clear text;
limit access to the clear text consistent with the at least one access policy; and
defend the decryption key at the user location when the decryption key is resident at the user location;
wherein said instructions require that computer processing between and including said receive the decryption key and said destroy the decryption key occurs with sufficient speed such that the decryption key is only resident at the user location for a moment, and said defend the decryption key resists capture of the decryption key during the moment.
|
|||||||||||||||||||||||||||||||||||||
, on a computer readable medium such as on the hard drive of a particular user's computer. Registration with the central remote server 206 determines which functions within the suite of software tools are available to a particular user. The software tools include a Configuration Utility 226, an Administrator Utility 228, and an Application Interface 230. In the embodiment using Adobe Acrobat Exchange, the Application Interface is a “Plug-In,” which uses SDK and Plug-In Standard Interface. The three software tools run in conjunction with base viewing or playback software 232, such as Adobe Acrobat Exchange, a web browser, a word processor, an audio or video playing application, a custom data processing, or a specialized low-level device driver, such as a hard disk driver, video driver, or audio driver. The base software package 232 will depend on the type of data stream to be encrypted/decrypted.
The secure remote server 206 is a server which is remote from an authoring or viewing user 208, 216. The server 206 maintains a database 236 of encryption keys and associated decryption keys for distribution to registered or authorized users. The remote server 206 also maintains a database which associates registered document segments, which are identified by unique segment IDs, with authoring users, user access profiles, document access policies and options, and associated encryption/decryption keys. The remote server 206 does not actually store registered documents or segments, but instead relates identifying information about a document to the associated information.
The remote server 206 also tracks and maintains records of requests to view documents and to obtain document decryption keys 238. The records may be used to monitor the system for suspicious activity. For example, a single user requesting the decryption key for a document several times during a specific time period might be an indication of suspicious activity. The server can then provide an alert message to a pager, e-mail or fax, thus allowing timely investigation of the activity. The request information may also be used for the purposes of non-repudiation or as a basis for billing in situations where access to the system or access to protected information is being sold.
All communication between the remote server 206 and a user's computer 222, 224 is encrypted using Secure Socket Layer (SSL) protocols. Once an SSL tunnel has been negotiated between a user's machine 222, 224 and the secure server 206, a session key is negotiated. Thus, communications to and from the secure server 206 and a user's computer 222, 224 are doubly encrypted.
Registration with the remote server 206 of a user or automated system wishing to use the system is done separately from any communication for registering a document or viewing a document. A user wishing to register documents for viewing by other users, or viewing registered document registered by other users, must contact the server independently, possibly through a separate human Coordinator 240 or separate network link which can collect payment for the authoring, viewing, and other services, can verify the identity of the user and provide the server with user identification information and user authorization profiles.
The server may be a single server, a set of synchronized servers, or dual servers with a shared database.
The Configuration Utility 226 defines a local user (authoring or viewing) on the user's computer 222, 224. The Configuration Utility 226 establishes the communication parameters for a local user and the remote server 206. For example, the Configuration Utility 226 will query the user to define a local user profile, to include name, password and other identifying information. This local user profile must match the information provided by a user to the Coordinator 240 at the remote server 206.
The Configuration Utility 226 is also responsible for maintaining information regarding the authentication and secure communication method used by the local user, for example, certificate, secret passphrase, smart card, etc. The Configuration Utility 226 maintains information about the local user's secure communication method, for example, the certificate and certification authority for a certificate based secure communication system.
The Administrator Utility 226 is a network client application used by the human Coordinator 240 and other users to control access to documents selected for encryption by defining policies associated with a document. The Administrator Utility 228 is a software program residing on the user's computer 222, 224. The Coordinator 240 or authoring user 208 uses the Administrator Utility 228 to define policies related to a particular user. For example, the Coordinator 240 can use the Administrator Utility 228 to control the functions available to a particular authoring user 208, which might depend on the fees paid by the authoring user 208, or the Coordinator 240 can control the amount of access an authoring user 208 can allow to viewing users 216. Other policies that an individual can define using the Administrator Utility 228 are site policies, group policies, and default policies.
The Administrator Utility 228 allows the Coordinator 240 or authoring or viewing user 208, 216 to determine what documents have been registered by a particular user by accessing the registered user database 236. The Administrator Utility 228 also allows an authoring user to permanently disable the viewing of documents by deleting the associated decryption key from the server. The Administrator Utility 228 also allows an authoring user 208 to initially define the policies related to his documents and to change the policies after the documents have initially been registered.
The Administrator Utility 228 allows a normal authoring user 208 to create, edit, and delete time windows, network specifications and policy templates; view the list of registered documents; and view and edit the policies of documents that are registered. The Administrator Utility 228 allows the Coordinator 240 to create, edit, and delete users and user policies; create, edit, and delete groups of users and group polices; create, edit, and delete document groups and document group policies; define and modify the Site and Default polices; create, edit, and delete document override policies; and view the activity log and set up notification policies
The Application Interface 230 of the preferred embodiment is a standard “Plug-In” to Adobe Acrobat Exchange using SDK and Plug-In Standard Interface. The Plug-In 230 provides a user screen interface to allow the user to access the particular functions associated with registering and viewing documents and communicating with the server. The Plug-In Screen may be integral to the Adobe User Interface Window or may be a separate window. In the preferred embodiment, the Plug-In 230 modifies the Adobe User Interface Window by adding functional “buttons” such as register, create policies, tag, encrypt, view and decrypt.
The Plug-In 230 allows encryption and decryption of PDF files using encryption keys from the remote server 206. The Plug-In 230 connects to the server 206, authenticates the user to the server, registers documents with the server, selects policies at the server as they have been defined -by the authoring user 208 using the Administrator Utility 228.
In addition, the Plug-In 230 blocks certain functions at the viewing user's computer 224 that are otherwise available in Adobe Acrobat Exchange. For example, if the authoring user 208 has limited access to a document so that a viewing user 216 is prohibited from printing a viewed document, the Plug-In 230 temporarily disables the print function of Adobe Acrobat Exchange. Among the functions that the Plug-In 230 can disable are print, copy, cut, paste, save, and other functions. Other functions may be disabled or limited as appropriate for the type of file viewed and the access level. The Application Interface 230 is designed in such a way that it does not disclose either the decryption key or the clear text or unencrypted representation of the protected information content in electronic form.
The Graphical User Interface (“GUI”)supports standard user interface objects such as push buttons, text input fields, lists, menus, and message boxes. The GUI is controlled by the mouse and keypad. The GUI has multiple windows that allow real time setup of server configuration such as who may register a document, who may view a document, when a document may be viewed and on which host the document key and viewing information resides.
A user who wishes to register or to access information must first register and be recognized by the server 206, as represented by reference numeral 1042, 1044 in FIG. 2. The user 208, 216 contacts the server 206 independently, possibly through a separate human Coordinator 240 or separate network link which can collect payment for the authoring, viewing and other services; verify the identity of the user; and provide the server with user identification information and user authorization profiles. Once the user 208, 216 is registered with the server 206, the suite of software tools is provided to the user.
The user must have installed the base software 230, such as Adobe Acrobat Exchange, on his computer. The user then installs the Application Interface 230 provided by the Coordinator 240, as well as the Administrator and Configuration Utilities 228, 226. In one embodiment, upon running the Application Interface 230, the Application Interface 230 will install the Administrator and Configuration Utilities 228, 226 on the user's machine. There is no network activity involved in the installation of the Application Interface 230, Administrator, or Configuration Utilities 228, 226.
Once a user 208, 216 is registered and the Configuration Utility 226 has set up identification and encryption information for the user 208, 216, the user authorized to do so can use the Administrator Utility 228 to create policies associated with a specific document. An authoring user 208 wishing to register a document creates policies to define who, when and how a document may be viewed or otherwise accessed.
The authoring user 208 runs the Administrator Utility 228 which has been installed on his machine 222 and instructs the Administrator Utility 228 to create policies for a document. The Administrator Utility 228 will request the information provided during set up to the Configuration Utility 226 such as username, passphrase, and method of authentication to verify the user's identity. The Administrator Utility 228 will also ask on which server the authoring user 208 wishes to register his document. The Administrator Utility 228 will then establish a connection to the remote server through the Application Interface 230.
The remote server 206 and the authoring or viewing user's computer 222, 224 communicating with the server 206 will negotiate a standard Secure Socket Layet (SSL) encryption tunnel, as represented in
Once the SSL tunnel is established, the user's computer 222, 224 and the server 206 negotiate a secondary session key, as represented in
Once the doubly encrypted communication link is established between the authoring user's computer 222 and the server 206, the authoring user's computer 222 provides login and authentication information to the server 206, 1050. The server 206 authenticates the authoring user's 208 identity and verifies that the authoring user 208 has authority to use the system by checking a database of registered users 236 maintained on the server. The information provided by the authoring user 208 to the Configuration Utility 226 is compared to the information provided by the user to the Coordinator 240 during the independent user registration process 1042, 1044. The database 234 contains all of the access controls related to a particular user, so that if a user is only authorized to view documents, he will not be allowed to use the system to register or encrypt documents.
After the server 206 authenticates the authoring user 208 and verifies that the authoring user 208 is authorized to register documents, the Administrator Utility 228 allows the authoring use 208 to create policies applicable to a particular viewing user 216, a group of viewing users, or a default policy for all other users. The policies are then communicated to the server 206, 1051. Policies define who may view a document, when, and under what conditions. Policies are created by combining a set of constraints including allowable or denied users and groups, time ranges, and Internet Protocol (IP) addresses. Access to a document by a viewing user 216 is determined by combining the user policy, document policy, as well as possibly the group policy and document group policy. If the Coordinator 240 has created a document override policy for a document, then the override takes precedence over the regular document policy defined by the authoring user. Policies include limiting who may view a document or portion of a document and the time frame during which a user may view the document.
The Administrator Utility 228 also allows the authoring user 208 to create options. Options specify what functions of the base software 232 are temporarily disabled so that the viewing user 216 is prohibited from accessing them while viewing the document. An option can also enforce a watermark on printing. For example, the authoring user 208 can prohibit a particular viewing user 216 from printing, saving, or copying a particular document or portion of a document. These Options are defined by the authoring user 208 using the Administrator Utility 228, but the options are enforced by the Application Interface 230.
An authoring user 208 wishing to encrypt a document will open the document on his computer 222. The Application Interface 230 must also be loaded before the document or information can be encrypted. In the preferred embodiment, the Plug-In 230 adds menu items to the menu bar in Adobe Acrobat Exchange such as “tag” and “encrypt” “Tag” allows the authoring user 208 to select segments of the document to be encrypted. The authoring user 208 can assign different policies to different tagged segments of a single document, i.e., policies are associated with segments. A segment may consist of any subset of the entire document or the entire document. Once the document has been segmented or “tagged,” the authoring user selects “encrypt” from the menu bar. If the authoring user 208 has not already logged into the remote server 206, the Plug-In 230 will force a log in to the remote server 206 through the Administrator Utility 228. A log-in screen is provided and the authoring user 208 must log-in to the server 206. The server 206 authenticates the authoring user 208 and verifies that the authoring user 208 is authorized to register documents.
Once the authoring user has been authenticated, the authoring user is asked to associate the overall document with a policy, and this information is communicated to the remote server 1052. This policy becomes the default policy for any portions of the document which are not tagged and associated with a specific policy. The Plug-In 230 assigns a unique segment ID for each tagged segment after the authoring user has tagged all segments and has instructed the Plug-In 230 to go ahead with the encryption. The PlugIn 230 transmits the segment IDs to the server 206. The server 206 generates a random encryption key for each segment ID and communicates the encryption key to the authoring user's computer 222, 1054. The server 206 stores the segment ID, the key associated with the particular segment ID, and the policy associated with a particular segment ID in the central database 234, and then transmits the key to the Plug-In 230 at the authoring user's computer 222. The Plug-In 230 at the authoring user's computer 222 encrypts the segment, immediately destroys or removes the key from the authoring user's machine 222, and then deletes the clear text for the segment from the Plug-In 230. Thus, key lifetime is very short on the authoring user's machine. The encryption key is never stored on the authoring user's machine where it is accessible, such as the hard disk. The key can even be obfuscated while in the memory of the authoring user's machine. The duration of the key's existence depends on the speed of the computer which actually performs the encryption, since the key is destroyed immediately after the encryption. In the preferred embodiment, 128-bit RC4 is used for document and segment encryption.
Once all segments have been encrypted, the Plug-In 230 produces a hash of the entire document and sends the hash to the server as document identification, 1055. The server 206 stores the hash with the keys associated with the document. Thus, the document is never transmitted to the server 206, only the segment IDs and hash.
A pop-up window asks the authoring user 208 where he wishes to store the encrypted document. By default, the encrypted document overwrites the clear text document on the authoring user's machine 222.
A user wishing to view a document must have installed the Configuration Utility 226, Administrator Utility 228, and the Application Interface 230 on his computer 224. The viewing user 216 must be independently registered with the Coordinator 240 as a user. The viewing user 216 must also have installed the base software application 232 for viewing the document, such as Adobe Acrobat Exchange. The viewing user 216 must enter the Configuration Utility 226 and provide user set up information.
If the viewing user 216 has not opened the Configuration Utility 226, the Administrator Utility 228 and the Application Interface 230, these programs will automatically be opened once the information to be accessed has been selected, and the system has recognized that the information is encrypted.
Once the Configuration Utility 226 has opened, it will request the user to provide information defining both the viewing user 216 and the viewing user's computer 224. If the viewing user 216 is a new user, the viewing user 216 will select a button on the Configuration Utility's interface window indicating that a new user profile needs to be provided. The Configuration Utility 226 will provide a query screen to the user and the user will input identification information, such as a user name. The identification information will be checked against the information provided to the server 206 or Coordinator 240 during the independent user registration process.
The Application Interface 230 will check to see if the user is logged onto the remote server 206. If the viewing user 216 has not logged onto the remote server, the Application Interface 230 provides a pop-up window so that the user can log in to the server. An SSL tunnel and session key are negotiated, 1056, 1058. The viewing user's computer 224 provides login and authentication information to the server 206, 1060. Once logged into the server 206, the Application Interface 230 requests access to the document or information 1062 by asking the server 206 for the decryption key for the first segment of the document or information to be accessed. The server 206 uses the segment ID to check the database to find the policies associated with the segment and thus to determine whether the viewing user 216 is authorized to access this segment or the document as a whole.
If the viewing user 216 is not authorized to access the segment, the viewing user 216 is so informed. If the user 216 is authorized to access the segment, the server 206 sends the decryption key and options for that segment to the Application Interface 230 at the viewing user's computer 224 and the Application Interface 230 decrypts the segment using the decryption key. After decrypting the segment, the Application Interface 230 immediately discards/destroys the key, renders the decrypted segment to the screen, and then destroys the decrypted version of the segment. When the viewing user moves to a different segment, the process is repeated.
The Application Interface 230 enforces the options which were assigned by the authoring user 230 to the segment viewed by the viewing user 216. For example, if the authoring user 208 assigned that the viewing user 216 cannot print the clear text document or segment, then the Plug-In 230 disables the print function of Adobe Acrobat Exchange while the clear text document or segment is available to the viewing user 216. Other functions which can be controlled or disabled by the Plug-In 230 are save, copy, paste, and print with watermark. For other base software packages such as audio 230, the functions controlled by the Application Interface 230 could be play, copy, and save unencrypted. Thus, using the options, the viewing user 216 has no ability to permanently acquire the clear text document or data.
The secure central database 234 resides on the remote server 206. It may be a distributed or shared database residing on multiple remote servers 206. In the preferred embodiment the database 234 is maintained in Berkley DB software. All records maintained in the central database 234 are encrypted and the database is password protected. The Coordinator 240 controls the database 234 and has access to the database 234 using the password.
All keys for encryption and decryption are maintained in the database 234. The database 234 provides a structure for associating segment IDs with an associated decryption key, policies for accessing that segment, and options for accessing that segment. The authoring user 208 may change a policy associated with a segment ID through the Administrator Utility 228 on his computer. The change in policy is communicated to the remote server 206 and the database 234 is updated accordingly. The update policy function allows an authoring user 208 to revoke access to a segment or document by a user or group of users.
The authoring user 208 can destroy the decryption key or the association of a decryption key to a segment or document on the database 234 using the Administrator Utility 228. By destroying the decryption key or the association of the decryption key with a Segment or Document, the authoring user 208 destroys the ability to decrypt the information, effectively shredding all copies of the information.
Regular backups of the database 234 are made without shutting down the whole database 234.
One or more preferred embodiments have been described to illustrate the invention(s). Additions, modifications, and/or omissions may be made to the preferred embodiment(s) without departing from the scope or spirit of the invention(s). It is the intent that the following claims encompass all such additions, modifications, and/or variations to the fullest extent permitted by law.
Pensak, David A., Cristy, John J., Singles, Steven J.
| Patent | Priority | Assignee | Title |
| 10552636, | Nov 14 2011 | ESW Holdings, Inc. | Security systems and methods for encoding and decoding digital content |
| 10607029, | Nov 14 2011 | ESW Holdings, Inc. | Security systems and methods for encoding and decoding content |
| 11244074, | Nov 14 2011 | ESW Holdings, Inc. | Security systems and methods for social networking |
| 11741264, | Nov 14 2011 | ESW Holdings, Inc. | Security systems and methods for social networking |
| 11775686, | Nov 14 2011 | ESW Holdings, Inc. | Security systems and methods for encoding and decoding content |
| 7916870, | Nov 03 2006 | Verizon Patent and Licensing Inc | Systems and methods for document control using public key encryption |
| 8170213, | Dec 27 2007 | EMC IP HOLDING COMPANY LLC | Methodology for coordinating centralized key management and encryption keys cached through proxied elements |
| 8555342, | Dec 23 2009 | EMC IP HOLDING COMPANY LLC | Providing secure access to a set of credentials within a data security mechanism of a data storage system |
| 8681994, | Nov 03 2006 | Verizon Patent and Licensing Inc. | Systems and methods for document control using public key encryption |
| Patent | Priority | Assignee | Title |
| 4605820, | Nov 10 1983 | VISA U S A , INC , A CORP OF DE | Key management system for on-line communication |
| 4803108, | May 01 1987 | Essex Specialty Products, Inc. | Honeycomb reinforcing sheet for the reinforcement of panels and method of reinforcing panels |
| 4937863, | Mar 07 1988 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Software licensing management system |
| 5058164, | May 03 1990 | NATIONAL SEMICONDUCTOR CORPORATION, A CORP OF DE | Encryption of streams of addressed information to be used for program code protection |
| 5098124, | Sep 06 1990 | AMERICAN VEHICULAR SCIENCES LLC | Padding to reduce injuries in automobile accidents |
| 5263157, | Feb 15 1990 | International Business Machines Corporation | Method and system for providing user access control within a distributed data processing system by the exchange of access control profiles |
| 5349893, | Feb 20 1992 | RIMAT ADVANCED TECHNOLOGIES, LTD | Impact absorbing armor |
| 5356177, | Jun 25 1993 | Davidson Textron Inc. | Side impact protection apparatus |
| 5410598, | Oct 14 1986 | Electronic Publishing Resources, Inc. | Database usage metering and protection system and method |
| 5410602, | Sep 27 1993 | MOTOROLA SOLUTIONS, INC | Method for key management of point-to-point communications |
| 5432849, | Aug 22 1990 | International Business Machines Corporation | Secure cryptographic operations using control vectors generated inside a cryptographic facility |
| 5438508, | Jun 28 1991 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | License document interchange format for license management system |
| 5440631, | Apr 24 1992 | Fijitsu Limited | Information distribution system wherein storage medium storing ciphered information is distributed |
| 5509070, | Dec 15 1992 | SL Patent Holdings LLC | Method for encouraging purchase of executable and non-executable software |
| 5586186, | Jul 15 1994 | Microsoft Technology Licensing, LLC | Method and system for controlling unauthorized access to information distributed to users |
| 5604801, | Feb 03 1995 | IBM Corporation | Public key data communications system under control of a portable security device |
| 5629980, | Nov 23 1994 | CONTENTGUARD HOLDINGS, INC | System for controlling the distribution and use of digital works |
| 5673316, | Mar 29 1996 | International Business Machines Corporation | Creation and distribution of cryptographic envelope |
| 5689560, | Apr 25 1994 | International Business Machines Corporation | Method and apparatus for enabling trial period use of software products: method and apparatus for allowing a try-and-buy user interaction |
| 5708709, | Dec 08 1995 | Oracle America, Inc | System and method for managing try-and-buy usage of application programs |
| 5727065, | Nov 14 1994 | Hughes Electronics Corporation | Deferred billing, broadcast, electronic document distribution system and method |
| 5754646, | Jul 19 1995 | Cable Television Laboratories, Inc. | Method for protecting publicly distributed software |
| 5765152, | Oct 13 1995 | DIGIMARC CORPORATION AN OREGON CORPORATION | System and method for managing copyrighted electronic media |
| 5796825, | Jan 16 1996 | Symantec Corporation | System for automatic decryption of file data on a per-use basis and automatic re-encryption within context of multi-threaded operating system under which applications run in real-time |
| 5809145, | Jun 28 1996 | Arvato Digital Services LLC | System for distributing digital information |
| 5818936, | Mar 15 1996 | EMC Corporaton | System and method for automically authenticating a user in a distributed network system |
| 5822524, | Jul 21 1995 | Infovalue Computing, Inc. | System for just-in-time retrieval of multimedia files over computer networks by transmitting data packets at transmission rate determined by frame size |
| 5883955, | Jun 07 1995 | DIGITAL RIVER, INC | On-line try before you buy software distribution system |
| 5892900, | Aug 30 1996 | INTERTRUST TECHNOLOGIES CORP | Systems and methods for secure transaction management and electronic rights protection |
| 5933498, | Jan 11 1996 | HANGER SOLUTIONS, LLC | System for controlling access and distribution of digital property |
| 5956034, | Aug 13 1996 | Rovi Technologies Corporation | Method and apparatus for viewing electronic reading materials |
| 5978475, | Jul 18 1997 | BT AMERICAS INC | Event auditing system |
| 5997077, | Aug 23 1997 | Volkswagen AG | Deformable structure for protection of vehicle occupants |
| 6002772, | Sep 29 1995 | PIRACY PROTECTION LLC | Data management system |
| 6064736, | Sep 15 1997 | OPENTV, INC | Systems, methods and computer program products that use an encrypted session for additional password verification |
| 6182220, | Mar 30 1998 | UNILOC 2017 LLC | System and method for building and exchanging encrypted passwords between a client and server |
| 6245408, | May 19 1999 | Hexcel Corporation | Honeycomb core with controlled crush properties |
| 6289450, | May 28 1999 | EMC Corporation | Information security architecture for encrypting documents for remote access while maintaining access control |
| 6308256, | Aug 18 1999 | Oracle America, Inc | Secure execution of program instructions provided by network interactions with processor |
| 6339825, | May 28 1999 | EMC Corporation | Method of encrypting information for remote access while maintaining access control |
| 6401204, | Jun 05 1996 | Siemens Aktiengesellschaft | Process for cryptographic code management between a first computer unit and a second computer unit |
| 6449721, | May 28 1999 | EMC Corporation | Method of encrypting information for remote access while maintaining access control |
| 6499106, | Jan 15 1999 | Sony Corporation; Sony Electronics INC | Method and apparatus for secure distribution of information recorded of fixed media |
| 6547280, | Nov 21 1998 | Cellbond Limited | Energy-absorbing structures |
| 6658566, | Mar 13 1997 | CP8 Technologies | Process for storage and use of sensitive information in a security module and the associated security module |
| 6682128, | Feb 04 1998 | OAKWOOD ENERGY MANAGEMENT, INC | Composite energy absorber |
| 6711553, | Feb 25 2000 | Kent Ridge Digital Labs | Method and apparatus for digital content copy protection |
| 6732106, | Dec 08 2000 | Sovereign Peak Ventures, LLC | Digital data distribution system |
| 20010055396, |
| Date | Maintenance Fee Events |
| Jan 18 2012 | ASPN: Payor Number Assigned. |
| Date | Maintenance Schedule |
| Mar 30 2013 | 4 years fee payment window open |
| Sep 30 2013 | 6 months grace period start (w surcharge) |
| Mar 30 2014 | patent expiry (for year 4) |
| Mar 30 2016 | 2 years to revive unintentionally abandoned end. (for year 4) |
| Mar 30 2017 | 8 years fee payment window open |
| Sep 30 2017 | 6 months grace period start (w surcharge) |
| Mar 30 2018 | patent expiry (for year 8) |
| Mar 30 2020 | 2 years to revive unintentionally abandoned end. (for year 8) |
| Mar 30 2021 | 12 years fee payment window open |
| Sep 30 2021 | 6 months grace period start (w surcharge) |
| Mar 30 2022 | patent expiry (for year 12) |
| Mar 30 2024 | 2 years to revive unintentionally abandoned end. (for year 12) |