Password based key derivation function for ntp
US-2019273612-A1 · Sep 5, 2019 · US
US11258798B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11258798-B2 |
| Application number | US-201815906833-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 27, 2018 |
| Priority date | Feb 27, 2018 |
| Publication date | Feb 22, 2022 |
| Grant date | Feb 22, 2022 |
Official abstract text for this publication.
A method, an entity, and a system for managing access to data. The data is associated with metadata. At least one predetermined access policy for accessing metadata includes, for each client, at least one identifier relating to the client. An entity receives from at least one client device a data access request that includes at least one identifier relating to the client. The entity determines, based on the associated access policy, whether the metadata access is authorized. If yes, the entity determines, based on the associated access policy, associated first data allowing access to the metadata. The entity accesses, based on the first data, the associated metadata. The entity accesses, based on the accessed metadata and the associated access policy, at least a part of the associated data, as a late dynamic binding of the metadata with the associated data (or a part of it).
Opening claim text (preview).
The invention claimed is:

1. A method for managing access to data, the data being associated with metadata, at least one predetermined access policy for accessing metadata including, for each of at least one client, at least one identifier relating to the client, the method comprising:
a) receiving, by an entity, from at least one client device, a data access request for accessing data, the data access request including at least one identifier relating to a requesting client, as a user identity;
b) receiving, by the entity, from the at least one client device, a submitted user credential;
c) authenticating the requesting client that uses the at least one client device, by the entity, based on the submitted user credential;
d) determining by the entity, based on an associated access policy, whether the metadata access is or is not authorized, as an access decision;
e) in response to (i) receiving the submitted user credential, (ii) authenticating the requesting client, and (iii) determining the access decision, generating by the entity an associated first key for decrypting the metadata, using a key derivation function, the key derivation function being dependent on the user identity and the submitted user credential which have been determined to authorize the metadata access;
f) accessing the metadata, by the entity, using the associated first key for decrypting the metadata;
g) accessing, by the entity, based on the accessed metadata and the associated access policy, at least a part of the data associated with the metadata, as a late dynamic binding of the metadata with the at least a part of the data associated with the metadata; and
h) discarding, by the entity, the associated first key for decrypting the metadata.

2. The method according to claim 1, wherein, to carry out step d), the method further comprises: receiving, by the entity, at least one captured context signal, the access decision being further dependent on the at least one captured context signal.

3. The method according to claim 1, wherein the associated first key for decrypting the metadata is a key for decrypting encrypted metadata.

4. The method according to claim 1, wherein, the metadata includes second data allowing the entity to access the at least a part of the data associated with the metadata, the step g) comprises the following steps: determining, by the entity, based on the accessed metadata, an associated second data; and accessing, by the entity, based on the associated second data, the at least a part of the data associated with the metadata.

5. The method according to claim 4, wherein the second data includes at least one location relating to the at least a part of the data associated with the metadata, the at least one location relating to the at least a part of the data associated with the metadata identifying the at least one location within at least one data repository storing the at least a part of the data associated with the metadata.

6. The method according to claim 1, wherein the metadata includes at least one location relating to the associated access policy.

7. The method according to claim 1, wherein, the at least a part of the data associated with the metadata being stored within at least one data repository, the metadata being stored within at least one metadata repository, the at least one metadata repository is separate from the at least one data repository.

8. The method according to claim 7, wherein the associated access policy for accessing metadata is stored within the at least one data repository or the at least one metadata repository.

9. An entity for managing access to data, the data being associated with metadata, at least one predetermined access policy for accessing metadata including, for each of at least one client, at least one identifier relating to the client, the entity including at least one processor and at least one memory having instructions stored thereon that when executed by the at least one processor cause the at least one processor to: receive, from at least one client device, a data access request for accessing data, the data access request including at least one identifier relating to a requesting client, as a user identity; receive, from the at least one client device, a submitted user credential; authenticate the requesting client that uses the at least one client device, by the entity, based on the submitted user credential; determine, based on an authentication result and an associated access policy, whether the metadata access is or is not authorized, as an access decision; in response to (i) receiving the submitted user credential, (ii) authenticating the requesting client device, and (iii) determining the access decision, generate by the entity an associated first key for decrypting the metadata, using a key derivation function, the key derivation function being dependent on the user identity and the submitted user credential which have been determined to authorize the metadata access; access, using the associated first key for decrypting the metadata, the metadata; access, based on the accessed metadata and the associated access policy, at least a part of the data associated with the metadata, as a late dynamic binding of the metadata with the at least a part of the data associated with the metadata; and discard, by the entity, the associated first key for decrypting the metadata.

10. A system for managing access to data, the system comprising at least one entity and at least one device, the data being associated with metadata, at least one predetermined access policy for accessing metadata including, for each of at least one client, at least one identifier relating to the client, each of the at least one entity including at least one processor and at least one memory having instructions stored thereon that when executed by the at least one processor cause the at least one processor to: receive, from at least one client device, a data access request for accessing data, the data access request including at least one identifier relating to a requesting client; receive, from the at least one client device, a submitted user credential; authenticate the requesting client that uses the at least one client device, by the entity, based on the submitted user credential; determine, based on an authentication result and an associated access policy, whether the metadata access is or is not authorized, as an access decision; in response to (i) receiving the submitted user credential, (ii) authenticating the requesting client, and (iii) determining the access decision, generate by the entity an associated first key for decrypting the metadata, using a key derivation function, the key derivation function being dependent on the at least one identifier relating to the client and the submitted user credential which have been determined to authorize the metadata access; access the metadata, based on the generated first data, using the associated first key for decrypting the metadata; access, based on the accessed metadata and the associated access policy, at least a part of the data associated with the metadata, as a late dynamic binding of the metadata with the at least a part of the data; and discard, by the entity, the associated first key for decrypting the metadata.
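The flow of claim 1 (and the abstract), as an added, constructed Python example that is not from the patent: the patent names no KDF or cipher, so PBKDF2-HMAC-SHA256 is assumed as the key derivation function, an HMAC counter-mode keystream with an HMAC tag stands in for an authenticated cipher (the standard library has no AES), and the policy, repositories, user name and credential are constructed inline.

```python
import hashlib
import hmac
import json
import os

def kdf(credential: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is assumed here; the patent does not name a KDF.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000, 32)

def metadata_key(user_id: str, credential: str) -> bytes:
    # Claim 1(e): the metadata key depends on both the user identity and the submitted credential.
    return kdf(credential, b"metadata-key|" + user_id.encode())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES so the example needs only the stdlib.
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        return None  # wrong key (other user or credential) or tampered metadata
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def enrol(user_id: str, credential: str, metadata: dict):
    # Constructed enrolment: a password verifier with its own salt, plus metadata sealed under the derived key.
    salt = os.urandom(16)
    sealed = seal(metadata_key(user_id, credential), json.dumps(metadata).encode())
    return (salt, kdf(credential, salt)), sealed

def request_data(user_id, credential, verifiers, policy, meta_repo, data_repo):
    # Steps a)-h) of claim 1; returns the bound data part, or None when any step refuses.
    v = verifiers.get(user_id)
    if v is None or not hmac.compare_digest(kdf(credential, v[0]), v[1]):
        return None                                  # c) authentication failed
    if user_id not in policy.get("metadata_access", []):
        return None                                  # d) policy lists per-client identifiers
    key = metadata_key(user_id, credential)          # e) the key exists only for this request
    meta = unseal(key, meta_repo[user_id])           # f) decrypt the metadata
    del key                                          # h) the entity keeps no copy of the key
    if meta is None:
        return None
    return data_repo.get(json.loads(meta)["location"])  # g) late binding via the location in the metadata
```

Because the key is derived from the credential itself, a credential change requires re-sealing that client's metadata under the new key; the password verifier uses a separate salt so that the stored verifier cannot be reused as the metadata key.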
including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title
File encryption · CPC title
Tools and structures for managing or administering access control systems · CPC title
Access rights, e.g. capability lists, access control lists, access tables, access matrices · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title