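IPC classification information
Country / Type | United States (US) Patent, Granted
International Patent Classification (IPC 7th edition) |
Application number | UP-0989479 (2001-11-20)
Registration number | US-7660902 (2010-04-02)
Inventor / Address | Graham, Todd D.; Hudson, Jonathan C.
Applicant / Address |
Agent / Address |
Citation information | Times cited: 328; Cited patents: 73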
Abstract
A dynamic file access control and management system and method in accordance with the present invention may be a proxy file management system that includes one or more file system proxy servers that provide selective access and usage management to files available from one or more file systems or sources. The present invention may embody a secure transport protocol that tunnels distributed file systems, application independent usage controls connected to files on end-user computers, dynamically merging secondary content to a requested file, and applying bandwidth management to any of the foregoing. Embodied in the various implementations of the present invention is enhanced file security. Preferably, the proxy file management system is transparent to an end-user. A dynamic content management system may also be included that selectively adds content to requested files.
Representative claims
What is claimed is:

1. A method performed by a proxy server, the method comprising: receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file; requesting, from an authentication server, an access policy associated with the associated user; receiving, from the authentication server, the access policy associated with the associated user; determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and if the associated user has the authority to access the data file, then: establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file; requesting, over a second network connection, from the network attached storage system, the data block of the data file; receiving, over the second network connection, from the network attached storage system, the data block of the data file; encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block; encapsulating within a packet: the encrypted received data block; and the established set of usage rights; and sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.

2. A method as in claim 1 wherein the established set of usage rights includes one or more access restrictions, each usage restriction including: a restriction type; and a set of parameters associated with the restriction type.

3. A method as in claim 2 wherein the restriction type indicates that data from the encrypted received data block may only be e-mailed to recipients listed within the set of parameters.

4. A method as in claim 1 wherein the access policy associated with the associated user includes a set of access conditions, each access condition including: a condition type; and a set of parameters associated with the condition type.

5. A method as in claim 4 wherein the condition type indicates that the associated user only has the authority to access the data file when a clock time falls between a first value listed in a first parameter of the set of parameters and a second value listed in a second parameter of the set of parameters.

6. The method of claim 1, wherein said data file includes static content.

7. The method of claim 1, wherein said data file includes dynamic content.

8. The method of claim 1, wherein said encrypting said received data block is performed as a function of a shared session secret shared between said proxy server and said client machine.

9. The method of claim 1, wherein said proxy server includes a user interface and the method further includes creating and/or editing said access policy and associating said access policy with said data file using said user interface.

10. The method of claim 1 wherein the method further comprises: encrypting each data block of the data file independently, using a unique initialization vector for each data block and one or more encryption/decryption keys; and communicating said one or more encryption/decryption keys to said client machine.

11. A proxy server, comprising: processing circuitry; and network communications circuitry; the processing circuitry and network communications circuitry being operative together to perform a method including: receiving, over a first network connection, a Network File System (NFS) based request from a client machine for a data block of a data file from a remote network attached storage system, the request having an associated user, the data block having a fixed preconfigured size associated with the data file; requesting, from an authentication server, an access policy associated with the associated user; receiving, from the authentication server, the access policy associated with the associated user; determining, from the access policy associated with the associated user and metadata associated with the data file, the metadata being stored on the remote network attached storage system, if the associated user has the authority to access the data file; and if the associated user has the authority to access the data file, then: establishing a set of usage rights based on the access policy associated with the associated user and the metadata associated with the data file; requesting, over a second network connection, from the network attached storage system, the data block of the data file; receiving, over the second network connection, from the network attached storage system, the data block of the data file; encrypting the received data block, such that only an authorized client module executing on the client machine by the associated user can decrypt the encrypted received data block; encapsulating within a packet: the encrypted received data block; and the established set of usage rights; and sending, over a secure channel, the packet to the client machine such that only the authorized client module can access the encrypted received data block and only when such access is in accordance with the established set of usage rights, said authorized client module running transparently to the associated user, logically interposed between an application layer and an operating system kernel layer.

12. A proxy server as in claim 11 wherein the established set of usage rights includes one or more access restrictions, each usage restriction including: a restriction type; and a set of parameters associated with the restriction type.

13. A proxy server as in claim 12 wherein the restriction type indicates that data from the encrypted received data block may only be e-mailed to recipients listed within the set of parameters.

14. A proxy server as in claim 11 wherein the access policy associated with the associated user includes a set of access conditions, each access condition including: a condition type; and a set of parameters associated with the condition type.

15. A proxy server as in claim 14 wherein the condition type indicates that the associated user only has the authority to access the data file when a clock time falls between a first value listed in a first parameter of the set of parameters and a second value listed in a second parameter of the set of parameters.

16. The proxy server according to claim 11, wherein said data file includes static content.

17. The proxy server according to claim 11, wherein said data file includes dynamic content.

18. The proxy server according to claim 11, wherein said encrypting said received data block is performed as a function of a shared session secret shared between said proxy server and said client machine.

19. The proxy server according to claim 11, wherein said proxy server further includes a user interface, configured to facilitate creation and editing of said access policy and association of said access policy with said data file.

20. The proxy server according to claim 11: wherein each data block of the data file is encrypted independently, using a unique initialization vector for each data block and one or more encryption/decryption keys; and wherein the one or more encryption/decryption keys are also provided to said client machine.