[go: up one dir, main page]

GB2312767A - Protected persistent storage access by applets - Google Patents

Protected persistent storage access by applets Download PDF

Info

Publication number
GB2312767A
GB2312767A GB9708608A GB9708608A GB2312767A GB 2312767 A GB2312767 A GB 2312767A GB 9708608 A GB9708608 A GB 9708608A GB 9708608 A GB9708608 A GB 9708608A GB 2312767 A GB2312767 A GB 2312767A
Authority
GB
United Kingdom
Prior art keywords
applet
applets
access
domain
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9708608A
Other versions
GB9708608D0 (en
Inventor
Richard Deadman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsemi Semiconductor ULC
Original Assignee
Mitel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitel Corp filed Critical Mitel Corp
Publication of GB9708608D0 publication Critical patent/GB9708608D0/en
Publication of GB2312767A publication Critical patent/GB2312767A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/629Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Description

1. 2312767 PROTECTED PERSISTENT STORAGE ACCESS FOR MOBILE APPLICATIONS
This invention relates to the field of computer networks and in particular to a method of processing computer applets in a secure manner. 5
With the advent of object based programming, it has become possible to transmit applets via a network such as the internet to various computers connected to the network. An applet is a small self-contained application program which can cause a computer to perform a particular function, and contains both in!;tructions f or the computer to operate and data which is to be processed in its operation.
various programming languages have been designed to create applets, such as Telescript, SafeTCL, Java. CyberAgents and ClearLake Agents. By the use of interpreters, the various applets can be hardware independent, that is, the same applet can be received and processed by computer hardware having different operating systems. For example, the same applet would be able to be received and processed by a MacIntosh operating system and by one of the Microsoft Windows operating systems on an Intel processor based (e.g. IBM) personal computer type operating system., It has been speculated that the programs and data that computers that receive applets use would provide all that a computer would need, to be able to be fully functional and which would result in a significantly less expensive computer than at present.
This is because the computer would be expected to use the network as a mass storage repository of programs and data. Programs would be paid for on a use basis, rather than on an up-front-payment and unlimited use basis. However this presupposes that a user would be prepared to allow mass storage to be out of his control. to store 2.
critical data, specially written programs, etc. For the reason of security, it had been believed to be desirable andlor necessary to provide a local mass storage associated with each or with most computers. 5 With the storage of data on a local mass storage device, the problem of security arises in relation to the reception from the network of applets, since those applets could access and transmit or corrupt files. 10 The security problem has been handled in one of two ways. The first is to restrict the use of applets to a closed or managed system, wherein software components can be given domain names and all possible execution sites can be populated with lists of allowed domains.
For example, in the CyberAgents program, domains are used to control execution and security on remote sites.
A domain is a jurisdiction group of applets that share access rights.
The second way of handling security is to isolate the applets from important system resources, as noted earlier above. Applets received from an uncontrolled system network such as the internet have been restricted from being able to access mass storage devices, and have been relegated to providing fancy graphics and to providing a graphical user interface for client-server computing. Programs to create applets in open uncontrolled systems, are e.g. Telescript, SafeTCL and Java. For example, Java can cause a computer to display a window and provide the content of the window and play sounds, but cannot write to the computer disk drive.
While use of either of these schemes produces the required security to ensure that rogue applets do not cause damage to a computer's resources, such as the 3.
files, they also place restriction on the usability of open system mobile applets. If a downloaded applet cannot access the disk drive to provide persistent local storage for the user, the usability of applets written 5 using such an isolation scheme is very limited.
Operating systems approach security by providing usage rights over directories and files. By assigning the applet application engine to a user group, the applets executed by the application engine are restricted to accessing those files available to,t!ha application engine itself. While this provides security to other file system files outside the reach of the application engine, it does not provide security between applets.' Similarly, some applet application engines, such as Sun's HotJava, provide access control lists.
These lists specify which subset of the application engines accessible files can be accessed by applets.
This provides extended security, but does not solve the problem of providing security to data between applets.
HotJava also specifies a method by which access to files can be granted to applets through the use of a dialog box to the user of the applet, wherein the user is required to enter a security authorization.
This provides greater security between applets but is intrusive and requires that the user understand the sensitivity and origin (virtual ownership) of data in each file.
If the application engine can determine the source of the applet, access rights can be set according to certain rules. Java can detect if an applet originates within a firewall (a software barrier to outside access to a local (internal) network); the HotJava Browser allows different security rights to applets loaded on each side of the firewall. Read and 4.
write access can be granted to internal applications only.
General Magic's Telescript technology provides a generic set of authorities and permits. Agents within a region all contain the same authority - this is similar to the concept of user domains. Each Telescript agent has only one authority. Permits control the execution of instructions or the access and usage of a resource. Telescript does not specify how a Telescript place negotiates usage rights for a resource with an agent of a certain authority, or stores the access rights for each resource instance.
The term "persistent storage" will be used in this specification as a generic term for all media which is store or carry files, data or programs which are to be protected, and can include, but is not restricted to el ectronic random access memory, floppy or hard disk drives, buses, etc.
Features of an arrangement to be described, by way of example in illustration of the present invention is that it provides comparatively secure access to persistent storage for distributed applet code within an open uncontrolled computing environment. It protects files from unauthorized use by unknown mobile applets while still providing access to the file system for these applets. This involves negotiating access rights for the unknown applet.
In a particular embodiment illustrative of the invention, a method of processing an applet includes storing a file in a persistent storage medium (PSM), the file including an access control list, and transmitting an applet from a server, the applet including at least one of applet identification data and a private key encrypted domain identifier and public key pair, a maximum file size indicator, and a specification of required storage operations, receiving the applet by
5.
an application engine, and in the event the domain identifier is included in the applet, decrypting the domain identifier using the public key, checking at least one of the applet identification data and decrypted domain identifier against the access control list for a match, and in the event a match is found. allowing the operations specified in the applet on a file stored in:a persistent storage medium which allow access to the applet as specified in the file access control list.
In,another lllustrative.embodiment, a method.of providing an applet includes receiving applets in an application engine, the applets comprising specifications of operations to be performed,'and a oze of the applets being comprised of at least one of applet identification data and private key encrypted domains processing the applets to an extent to which access to files contained in a persistent storage medium is not required, in the event applets are comprised of private key encrypted domains, decrypting the domains, checking at least one of the applet identification data and decrypted domains against a control list, and processing the applets which the at least one of applet identification data and decrypted domains match entries in the Control list'to access the files contained in persistent storage medium required by the applets.
In yet another illustrative embodiment,,a method of processing an applet includes storing an access control list which contains an identity of applets or domains that can have access to files stored in a persistent medium, and giving access to the access control medium by applets which contain an identity or a domain corresponding to an entry on the list..
in a further illustrative odiment,, an applet application engine includes an access 6.
control list, the engine and list stored in a memory of a computer, and apparatus for providing an applet comprising an identification of at least one of an applet identifier and a domain for comparison with the list and determination of a match, and apparatus for allowing access to an otherwise protected computer resource in the event of the match.
Arrangements which are given by way of example, and which are helpful in understanding the invention, io will now be described with reference to the accompanying drawings, in which:
Figure 1 is a block schematic diagram of a network on which the present invention can be implemented, is Figure 2 is a block schematic diagram of a computer used in the network of Figure 1, on which the present invention can be implemented, Figure 3 is an illustration of a representative applet which may be used in carrying out the present invention, and Figure 4 illustrates a representative method of operation illustrative of the invention.
Figure 1 illustrates an open and uncontrolled network, and is comprised of a server 1, which interfaces a network 3, to which various computers 5 are or can be connected. The network 3 can be a wide area network, the internet, a telephone network, etc.
In operation, the server 1 applies applets to the network 3 for reception by one or more computers 5.
A computer which receives the applet, which is a complete object based program, processes it using the data contained therein. As noted above, in prior art open systems the applet was restricted from being able to access persistent storage.
Figure 2 illustrates the basic architecture of a representative computer system 5. A microprocessor 7, random access memory 8 (RAM), a keyboa rd 9, a network interface,device 10 such as a modem, a hard disk drive 11 persistent storage device, and a display subsystem 12 to which a display 13 is connected, are connected to. or are in communication with, a bus 14.
In addition, random access memory 16 (RAM)', which may be part of or merged with RAN 8, is connected or in communication with bus 14. RAN 16 contains applet application engine. which is comprised of an interpreter for the particular applet language used, and a software command structure to cause microprocessor 7 to process the applets..For example, for the Java is language,, an applet application engine can be HotJava, available from Sun Microsystems Inc..
In operation of a prior art system, applets are received from the server 1 via the network 3 and network interface 10, are interpreted by microprocessor
7 using the interpreter in application engine 16 and the interpreted instructions are processed by microprocessor 7 to cause the display subsystem 12 to display graphics, etc. on display 13. The application engine will not access persistent storage media such as the hard disk drive 11, to avoid corruption etc. of files as described therein, and therefore cannot use data or other programs stored therein. Such a system is thus considerably limited.
In an arrangement illustrative of tlie present invention, the application engine 16 contains a public key decryption prograin 18 and an access control list 20 of authorized applets and/or domains which may he allowed to access persistent storage media.
In the illustrative arrangement, when applets are received via the network interface, access 8. rights to the persistent storage media are negotiated using the application engine 16. Access rights need not be restricted and access negotiated only to persistent storage media; any resource of the computer or controlled or accessed by the computer can be restricted and access thereto negotiated.
Access rights are negotiated by (a) authentication; the applet application engine verifies the identity or domain of all applets 10 requesting access to persistent storage; (b) usage rights negotiation; this involves verifying the applet's authority to read, write or append to a file. Methods to ensure that an applet has access rights to a particular file are described below.
It should be noted that in an open uncontrolled system, central authentication or domain management is not possible. For this reason, the negotiation of access rights is conducted between the application engine, the file and the applet; 20 (c) quality of service; maximum disk usage for an application is set. Limits are preferably placed on access rights which give the bounds within which the granted resource may be used. By acting as an intermediary between the unknown applet and the disk resource, the application engine negotiates and enforces access rights. For disk files, this involves acting as an intermediary for all disk actions. If a target file will grow beyond a predetermined size, a write can be denied or the user can be asked for override permission, which effectively allows growth of the access rights by an incremented amount. The application engine can specify an override zone, above which the access right will not be allowed to grow.
9.
As a safety mechanism, file versioning way be provided by the application engine to ensure that any modifications or deletions to files can he recovered in the event of damage to the file system. Access control list 20 is used by the application engine to specify what default and file specific access rights are for individual persistent storage objects (files).
Each applet should be associated with a server site that uniquely identifies the applet. If loaded from the World Wide Web, for example, this identity can be the universal resource locator (URL) of the applet. When an applet creates a new file, it can specify which applets have which rights on the file.
Domains are groups of applets which share access rights. Using private key encryption and an encrypted message supplied by the applet, the application engine can ensure that an applet belongs to a specified domain. Applet files contain a header which contains the access control list for a set of domains and public keys for each domain.
Figure 3 illustrates an applet 22, which contains a payload 24 comprised of an object based application program including data, and a header 26. The header 26 contains a public key or keys 28, and an application control list 30. It also contains an identification of the applet (e.g. the URL if used on the World Wide Web), which can be encrypted at the server using a private key, for decryption under control of the application engine 16 using a public key 28. The header also contains an encrypted set of domains e.g. domain messages, which can be decrypted using a public key 28.
An applet can belong to more than one domain at a time. It is the responsibility of the domain 10.
owners to ensure that the private key used to generate encrypted domain authentication messages is kept secure As noted above, the encrypted message may encrypt the applet identification using the private key This ensures that the encrypted message has not been copied from another applet in an attempt to borrow that applet's domain capabilities. Any attempt to clone the server applet to another 'machine and then be able to read domain owned files would then cause the encrypted message to not match the applet identification, invalidating the applet's domain within the application engine.
A combination of access methods is preferably used to provide secure persistent storage access to applets. Both applet identification and preferably domains are implemented as keys within the access control list for a file.
The language classes for file access in the application engine 16 for the particular language used, e.g. Java should be amended to allow access to the file system based on the applet's identification and domain. Applets should be modified as indicated above with respect to Figure 3 to optionally include their domain, and by the use of public key encryption thereof and/or their identification. Each file with access rights associated with it is contained in the access control list 20 (Figure 2) in a file stored in RAM 16 accessible by the application engine, e.g. a browser program. The application engine retained in RAM 16 negotiates access rights for each loaded applet. Access rights contain quality of service information that defines how each resource can be accessed, including maximum size changes. Each change to the file system is checked to see if it would violate access rights. This includes 11.
the right to access, change or create a file and limits on the size of changes.
The structure of the access control list is preferred to be:
<Filename: > <<AccessMode.... >:<IDorDomain.... >;...> where:
Filename Contains one or more file names, each of which may contain wildcards AccessMode Is one of Read, Write, Append.
Delete, NewFile, List, Query# (MMaxSize:x) IDorDomain Is either a URL specifying an applet, or a (DomainName:publicKey) is pair For example, an entry where all files in the "/public" directory are readable, "/private" can have new files created by applet, URL "http://www.foo.bar/applet.class" and applets of domain I'MyDomainll have write access to the file 11/private/foo.bar" with add mode set to 5000 bytes, could appear as:
/public/ Read /private/ NewFile /private/foo.bar Write, (MaxSize:5000) http://www.foo.barlapplet.class; (MyDomain: 987654321) A message send within the application engine would appear as shown in the flow chart of Figure 4. in which time runs from top to bottom of the figure.
In this example the applet requests to open the file to write 4000 bytes. The access control list (ACL) is queried by the application engine. The request 12.
is approved, and the file is opened. When 3500 bytes are added, the write to the file succeeds. An attempt to write a further 1000 bytes does not succeed and they are not written, since they exceed the application engine's stored access rights (4000 bytes) for the applet over the file.
Thus it may be seen that there has been described a method by which applets can access files stored on persistent storage media, or can access other, computer system resources in an open system that would otherwise be protected, in a secure manner, without concern that a rogue applet has adopted the domain of another applet, or concern that a file can be stolen or corrupted. The method also provides protection against is overrunning the storage media due to-excessive file size production. Yet at the same time it allows more sophisticated functioning of a computer connected to an open system, since files and other resources at, controlled by or connected to the local computer can be used in processing of applets.
A person understanding this description may now conceive of alternative structures and embodiments.or variations of the above. All those which fall within the scope of the claims appended hereto are considered to be part of the present invention.
13.

Claims (1)

1. A method of processing an applet including (a) storing a file in a persistent storage medium (PSK), the file including an access control list, (b) transmitting an applet from a server. the applet including at least one of applet identification data and a private key encrypted domain identifier and public key pair, a maxi num f ile size indicator, and a specification of required operations, (c) receiving said applet by an application engine, (d) in the event the domain identifier is included in the applet, decrypting the domain identifier using the public key, is (e) checking said at least one of said applet identification data and decrypted domain identifier against the access control list for a match, and, (f) in the event a match is found, allowing said operations specified in the applet on a file stored in a persistent storage medium which allow access to the applet as specified in the file access control list.
2. A method as defined in claim 1 including terminating performing of said operation specified in the applet in the event said operation would result in a file size in the persistent storage medium that exceeds said maximum file size indicated in the applet.
3. A method as defined in claim 1 including not performing said operation in the event a match is not found.
14.
4. A method of processing applets including (a) receiving applets in an application engine, said applets comprising specifications of operations to be performed, and some of said applets being comprised of at least one of applet identification data and private key encrypted domains, (b) processing said applets to an extent to which access to files contained in a persistent storage medium is not required, (c) in the event applets are comprised of private key encrypted domains, decrypting said domains, (d) checking said at least one of said applet identification data and decrypted domains against a control list, and is (e) processing those of said applets of which said at least one of applet identification data and decrypted domains match entries in said control list to access said.files contained in persistent storage medium required by said applets.
5. A method of processing an applet including storing an access control list which contains an identity of applets or domains that can have access to files stored in a persistent medium, and giving access to said persistent medium by applets which contain an identity or a domain corresponding to an entry on the list.
6. A method as defined in claim 5 including using an application control engine stored in a computer to inspect said applets, check said access control list and process said applets identified on said access control list to operate on a file stored in said access control medium.
15.
7. A method as defined in claim 6 including checking an applet for a file size limitation specification carried by said applet, and failing to operate on said file in the event operation specified by the applet would result in a file size in excess of maid file size.
8. A method as defined in claim 5 in which at least one of said identity and domain carried by the applet is private key encrypted and includes a corresponding public key, and including the steps of decrypting to authenticate said at least one of said identity and domain using the public key, said giving access step being carried out only in the event the decrypted said at least one of said identity and domain is authenticated.
9. An applet application engine including an access control list, said engine and list being stored in a memory of a computer, and means for providing an applet having an identification of at least one of an applet identifier and a domain for comparison with said list and determination of a match, and means for allowing access to an otherwise protected computer resource in the event of said match.
10. An engine as claimed in claim 9, In Which the computer resource is a persistent storage medium.
11. An engine as claimed in claim 9 further including a public key decryption means, said applet having a private key encrypted identifier or domain and public key, for decryption by said decryption means.
16.
12. A computer software applet including a private key encrypted authentication code defining a domain of said applet.
13. A method as claimed in any one of claims 1, 4, or 5 substantially as described herein with reference to the accompanying drawings.
14. An applet application engine as claimed in claim 9 substantially as described herein with reference to the accompanying drawings.
15. A computer software applet as claimed in claim 12 substantially as described herein with reference to the accompanying drawings.
GB9708608A 1996-04-29 1997-04-28 Protected persistent storage access by applets Withdrawn GB2312767A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US63880796A 1996-04-29 1996-04-29

Publications (2)

Publication Number Publication Date
GB9708608D0 GB9708608D0 (en) 1997-06-18
GB2312767A true GB2312767A (en) 1997-11-05

Family

ID=24561525

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9708608A Withdrawn GB2312767A (en) 1996-04-29 1997-04-28 Protected persistent storage access by applets

Country Status (3)

Country Link
CA (1) CA2202118A1 (en)
DE (1) DE19717900C2 (en)
GB (1) GB2312767A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999045454A1 (en) * 1998-03-02 1999-09-10 Computer Associates Think, Inc. Method and agent for the protection against the unauthorised use of computer resources
US6223287B1 (en) 1998-07-24 2001-04-24 International Business Machines Corporation Method for establishing a secured communication channel over the internet
GB2367925A (en) * 2000-05-25 2002-04-17 Sealedmedia Ltd Digital rights management
EP1105996A4 (en) * 1998-08-21 2005-08-17 Visto Corp System and method for enabling secure access to services in a computer network
DE19960977B4 (en) * 1998-12-23 2007-07-26 International Business Machines Corp. System for an electronic data archive with enforcement of access control during data retrieval
EP1769366A4 (en) * 2004-04-30 2007-08-22 Research In Motion Ltd SYSTEM AND METHOD FOR CONTROLLING OPERATION ON AN ELECTRONIC DEVICE
US7509685B2 (en) 2001-06-26 2009-03-24 Sealedmedia Limited Digital rights management
US8045958B2 (en) 2005-11-21 2011-10-25 Research In Motion Limited System and method for application program operation on a wireless device
US8332906B2 (en) 2006-02-27 2012-12-11 Research In Motion Limited Method of customizing a standardized IT policy

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004302516A (en) * 2003-03-28 2004-10-28 Ntt Docomo Inc Terminal device and program

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0570123A1 (en) * 1992-05-15 1993-11-18 Addison M. Fischer Computer system security method and apparatus having program authorization information data structures

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5414844A (en) * 1990-05-24 1995-05-09 International Business Machines Corporation Method and system for controlling public access to a plurality of data objects within a data processing system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0570123A1 (en) * 1992-05-15 1993-11-18 Addison M. Fischer Computer system security method and apparatus having program authorization information data structures

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Dialog record 01887837 of Computer Shopper, v16, n2, Feb 1996, p 581(2) *
Dialog record 01939746 of PC Magazine, v15, n11, 11 June 1996, p 221(5) *

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999045454A1 (en) * 1998-03-02 1999-09-10 Computer Associates Think, Inc. Method and agent for the protection against the unauthorised use of computer resources
AU767894B2 (en) * 1998-03-02 2003-11-27 Computer Associates Think, Inc. Method and agent for the protection against the unauthorised use of computer resources
US7383569B1 (en) 1998-03-02 2008-06-03 Computer Associates Think, Inc. Method and agent for the protection against the unauthorized use of computer resources
US6223287B1 (en) 1998-07-24 2001-04-24 International Business Machines Corporation Method for establishing a secured communication channel over the internet
EP1105996A4 (en) * 1998-08-21 2005-08-17 Visto Corp System and method for enabling secure access to services in a computer network
DE19960977B4 (en) * 1998-12-23 2007-07-26 International Business Machines Corp. System for an electronic data archive with enforcement of access control during data retrieval
GB2367925A (en) * 2000-05-25 2002-04-17 Sealedmedia Ltd Digital rights management
GB2367925B (en) * 2000-05-25 2004-09-15 Sealedmedia Ltd Digital rights management
US7509685B2 (en) 2001-06-26 2009-03-24 Sealedmedia Limited Digital rights management
US10474841B2 (en) 2002-12-12 2019-11-12 Blackberry Limited System and method of owner application control of electronic devices
US9542571B2 (en) 2002-12-12 2017-01-10 Blackberry Limited System and method of owner application control of electronic devices
US9033216B2 (en) 2002-12-12 2015-05-19 Blackberry Limited System and method of owner application control of electronic devices
US7815100B2 (en) 2004-04-30 2010-10-19 Research In Motion Limited System and method of owner application control of electronic devices
US8887988B2 (en) 2004-04-30 2014-11-18 Blackberry Limited System and method of owner application control of electronic devices
US7546956B2 (en) 2004-04-30 2009-06-16 Research In Motion Limited System and method of operation control on an electronic device
EP1763744A4 (en) * 2004-04-30 2007-10-24 Research In Motion Ltd System and method of owner application control of electronic devices
EP1769366A4 (en) * 2004-04-30 2007-08-22 Research In Motion Ltd SYSTEM AND METHOD FOR CONTROLLING OPERATION ON AN ELECTRONIC DEVICE
US8045958B2 (en) 2005-11-21 2011-10-25 Research In Motion Limited System and method for application program operation on a wireless device
US8254884B2 (en) 2005-11-21 2012-08-28 Research In Motion Limited System and method for application program operation on a wireless device
US8699999B2 (en) 2005-11-21 2014-04-15 Blackberry Limited System and method for application program operation on a wireless device
US8332906B2 (en) 2006-02-27 2012-12-11 Research In Motion Limited Method of customizing a standardized IT policy
US8544057B2 (en) 2006-02-27 2013-09-24 Blackberry Limited Method of customizing a standardized IT policy
US8689284B2 (en) 2006-02-27 2014-04-01 Blackberry Limited Method of customizing a standardized IT policy
US9621587B2 (en) 2006-02-27 2017-04-11 Blackberry Limited Method of customizing a standardized IT policy

Also Published As

Publication number Publication date
GB9708608D0 (en) 1997-06-18
CA2202118A1 (en) 1997-10-29
DE19717900A1 (en) 1997-10-30
DE19717900C2 (en) 2000-05-25

Similar Documents

Publication Publication Date Title
US8341406B2 (en) System and method for providing different levels of key security for controlling access to secured items
US6272631B1 (en) Protected storage of core data secrets
Wright et al. NCryptfs: A Secure and Convenient Cryptographic File System.
US7330981B2 (en) File locker and mechanisms for providing and using same
US7631184B2 (en) System and method for imposing security on copies of secured items
JP4777651B2 (en) Computer system and data storage method
US8307067B2 (en) Protecting encrypted files transmitted over a network
US9286484B2 (en) Method and system for providing document retention using cryptography
US7299364B2 (en) Method and system to maintain application data secure and authentication token for use therein
EP1320011B1 (en) Method and architecture for providing pervasive security to digital assets
US7562232B2 (en) System and method for providing manageability to security information for secured items
EP2316095B1 (en) Licensing protected content to application sets
US20030110169A1 (en) System and method for providing manageability to security information for secured items
CN109923548A (en) Method, system and the computer program product that encryption data realizes data protection are accessed by supervisory process
JP2003228520A (en) Method and system for offline access to secured electronic data
KR20030036787A (en) System for establishing an audit trail to protect objects distributed over a network
JP3917125B2 (en) Document security system
GB2312767A (en) Protected persistent storage access by applets
JP3905170B2 (en) Processing system and client device
JP2005309846A (en) Database protection system
Puliafito et al. Design and development of a practical security model for a mobile agent system
JPH10105470A (en) Method for authenticating file access
Mossop et al. Security models in the password-capability system
US20020138434A1 (en) Method and apparatus in a data processing system for a keystore
CN120654260A (en) CMS system file protection method, device, system and storage medium

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)