IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition):
Application number: US-0240387 (1999-01-29)
Inventors / Address:
- Fletcher, James Corvin
- Kaminsky, David Louis
- Kessler, Carl Shawn
Applicant / Address:
- International Business Machines Corporation
Citation information: Cited by: 80; Cited patents: 11
Abstract
The present invention depicts a method, system and program product for controlling levels of security and levels of encryption based on a predefined policy profile. This enables administrators and those who control the network to easily respond to changes in the requirements of the security levels for specific applications. It also allows for response to changes in personnel (such as someone being removed from a position that had top-secret security access) and accommodates variations in access by client devices.
Representative claims
What is claimed is:

1. A method of using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, comprising steps of: identifying one or more security-sensitive document content sections in each of a plurality of structured documents encoded in a markup language by delimiting each of the security-sensitive sections in each of the structured documents using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section; receiving, at the server from a requester located at the client, a request for a particular one of the structured documents; determining a maximum security level for which the requester is authorized; filtering out, from the requested document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and if the filtered document is not empty, performing the steps of: determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document; identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and if any ciphers were identified, encrypting the filtered document using one of the identified ciphers and transmitting the encrypted filtered document to the requester at the client.

2. The method as claimed in claim 1, wherein the filtering out step further comprises the step of filtering out, from the filtered document, all of the identified security-sensitive sections for which the indicated security level is higher than the security level of all ciphers available for decryption at the client.

3. The method as claimed in claim 1, wherein an author who created the requested document is identified in a header associated with the requested document, and wherein the filtering out step further comprises the steps of: determining a role of the identified author; consulting a mapping that correlates the determined role to an interpretation of the security levels indicated by the markup language tag syntax in the requested document; and using the interpretation from the mapping when determining whether the indicated security levels are higher than the determined maximum security level for which the requester is authorized.

4. The method as claimed in claim 3, further comprising the step of changing the interpretation of the security levels by changing the correlation in the mapping.

5. The method as claimed in claim 3, wherein the identification of the author indicates a user group of which the author is a member, and the determined role is the role of the user group.

6. The method as claimed in claim 1, wherein the security level provided by the cipher used to encrypt the filtered document is a least secure one of the security levels provided by the identified ciphers.

7. The method according to claim 1, wherein the step of determining the maximum security level for which the requester is authorized further comprises the step of using an identifier and password of the requester to access a repository wherein requesters and their maximum authorized security levels are identified.

8. The method according to claim 7, wherein the identifier and password of the requester are communicated with the request for the structured document.

9. The method as claimed in claim 1, wherein the step of identifying any ciphers further comprises the step of consulting a repository where a mapping between ciphers and the security level provided by those ciphers is stored.

10. The method as claimed in claim 9, further comprising the step of changing the security level which a particular cipher is capable of providing by changing the security level in the mapping for the particular cipher.

11. The method as claimed in claim 1, wherein the cipher used for encrypting the filtered document is selected from the identified ciphers by selecting that one of the identified ciphers which is available for decryption on the client and which provides a least secure one of the security levels provided by the identified ciphers.

12. The method as claimed in claim 1, wherein the requested structured document is dynamically composed from a plurality of subdocuments, at least one of which has at least one security-sensitive section and others of which may have zero or more security-sensitive sections.

13. The method as claimed in claim 1, wherein the markup language in which the requested structured document is encoded is the Extensible Markup Language ("XML").

14. A system for using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, comprising: a plurality of structured documents encoded in a markup language, each of the structured documents identifying one or more security-sensitive document content sections therein by delimiting each of the security-sensitive sections using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section; means for receiving, at the server from a requester located at the client, a request for a particular one of the structured documents; means for determining a maximum security level for which the requester is authorized; means for filtering out, from the requested document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and means for, if the filtered document is not empty, (1) determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document; (2) identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and (3) if any ciphers were identified, encrypting the filtered document using one of the identified ciphers.

15. A computer program product for using structured documents to specify selective encryption requirements for document content to be transmitted from a server to a client, the computer program product residing on programmable media and comprising: computer executable program code means for receiving, at the server from a requester located at the client, a request for a structured document; computer executable program code means for locating the requested structured document among a plurality of structured documents encoded in a markup language, each of the structured documents identifying one or more security-sensitive document content sections therein by delimiting each of the security-sensitive sections using markup language tag syntax, wherein the markup language tag syntax is encoded in the markup language and indicates a security level of the delimited security-sensitive section; computer executable program code means for determining a maximum security level for which the requester is authorized; computer executable program code means for filtering out, from the located document, all of the identified security-sensitive sections for which the indicated security level is higher than the determined maximum security level for which the requester is authorized, thereby creating a filtered document; and computer executable program code means for, if the filtered document is not empty, (1) determining a most-restrictive one of the security levels indicated by the markup language tag syntax delimiting any security-sensitive sections that remain in the filtered document; (2) identifying, from one or more ciphers that are available to the server for encryption, any ciphers which are capable of providing the determined most-restrictive security level; and (3) if any ciphers were identified, encrypting the filtered document using one of the identified ciphers and transmitting the encrypted filtered document to the requester at the client.
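The procedure in claims 1, 2, 6, 9 and 11 (filter tagged sections above the requester's clearance, find the most restrictive level that remains, pick the least secure cipher that still meets it and that the client can decrypt) as an added worked example. This is illustration code written for this page, not code from the patent or from IBM. Everything about the concrete tag syntax is an assumption: the example uses a hypothetical `<section level="...">` element in XML (claim 13), a constructed four-step ordering of levels, a constructed clearance repository in place of the identifier/password lookup of claim 7, and constructed cipher names with an editable cipher-to-level mapping (claims 9 and 10). The actual encryption of the filtered body is left out; the function returns the selected cipher name and the filtered XML so the policy decisions can be checked.

```python
"""Selective encryption policy for security-tagged XML (added example, not the patent's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Constructed, ordered security levels; a higher index is more restrictive.
LEVELS = ["public", "confidential", "secret", "topsecret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Hypothetical repositories (claims 7 and 9). In a real deployment these would be
# looked up with the requester's credentials and administered separately.
USER_MAX_LEVEL: Dict[str, str] = {"alice": "topsecret", "bob": "confidential"}
SERVER_CIPHERS: Dict[str, str] = {  # cipher name -> level it is deemed to provide
    "cipherA": "confidential",
    "cipherB": "secret",
    "cipherC": "topsecret",
}

# Assumed tag syntax: <section level="secret">...</section>
SECTION_TAG = "section"
LEVEL_ATTR = "level"


def section_level(sec: ET.Element) -> int:
    """Rank of a section; an untagged section is treated as public (assumption)."""
    return RANK[sec.get(LEVEL_ATTR, "public")]


def filter_document(root: ET.Element, max_rank: int) -> ET.Element:
    """Remove every security-sensitive section whose level exceeds max_rank (claim 1)."""
    # Snapshot the parents first so removing children does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == SECTION_TAG and section_level(child) > max_rank:
                parent.remove(child)
    return root


def is_empty(root: ET.Element) -> bool:
    """The filtered document is empty when no elements and no text remain."""
    return len(root) == 0 and not (root.text or "").strip()


def most_restrictive(root: ET.Element) -> str:
    """Highest level among the sections that survived filtering; public if none remain."""
    ranks = [section_level(sec) for sec in root.iter(SECTION_TAG)]
    return LEVELS[max(ranks)] if ranks else LEVELS[0]


def select_cipher(required: str, server: Dict[str, str], client: Set[str]) -> Optional[str]:
    """Least secure cipher that meets `required` and is available at both ends (claims 6, 11)."""
    candidates = [
        (RANK[level], name)
        for name, level in server.items()
        if RANK[level] >= RANK[required] and name in client
    ]
    return min(candidates)[1] if candidates else None


def serve_document(xml_text: str, requester: str, client_ciphers: Set[str]) -> dict:
    """Run the full decision: clearance, client capability (claim 2), filter, cipher choice."""
    user_rank = RANK[USER_MAX_LEVEL.get(requester, "public")]
    # Claim 2: never ship a section the client cannot decrypt at its level.
    client_rank = max((RANK[SERVER_CIPHERS[c]] for c in client_ciphers if c in SERVER_CIPHERS), default=0)
    root = filter_document(ET.fromstring(xml_text), min(user_rank, client_rank))
    if is_empty(root):
        return {"status": "empty"}
    required = most_restrictive(root)
    cipher = select_cipher(required, SERVER_CIPHERS, client_ciphers)
    if cipher is None:
        return {"status": "no-cipher", "required": required}
    return {
        "status": "ok",
        "cipher": cipher,
        "required": required,
        "body": ET.tostring(root, encoding="unicode"),  # would be encrypted with `cipher`
    }


# Constructed sample documents.
SAMPLE_DOC = """<doc>
  <p>Public summary.</p>
  <section level="confidential">Internal budget.</section>
  <section level="secret">Network diagram.</section>
  <section level="topsecret">Key material.</section>
</doc>"""
ONLY_SECRET_DOC = '<doc><section level="secret">Network diagram.</section></doc>'

if __name__ == "__main__":
    print(serve_document(SAMPLE_DOC, "bob", {"cipherA", "cipherB", "cipherC"}))
    print(serve_document(ONLY_SECRET_DOC, "bob", {"cipherC"}))
```

Two decisions are worth noting. The client-capability bound from claim 2 is applied together with the requester's clearance, so a weak client never receives content it could only protect with an inadequate cipher; and the cipher choice deliberately takes the least secure cipher that still satisfies the most restrictive remaining section, which is what claims 6 and 11 specify and what keeps cost proportional to sensitivity. Changing a cipher's entry in `SERVER_CIPHERS` (claim 10) immediately changes which documents it may protect without touching the documents themselves.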