User-specific watermark for maintaining security of data files
US-12153654-B2 · Nov 26, 2024 · US
US2021367768A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021367768-A1 |
| Application number | US-202016877539-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 19, 2020 |
| Priority date | May 19, 2020 |
| Publication date | Nov 25, 2021 |
| Grant date | — |
Official abstract text for this publication.
An enterprise key management server operates in association with a location service that maintains information defining at least one physical boundary of the enterprise. Upon receipt at the key management server of a request that requires release of key material, an additional security check is performed. When the request is received from a GPS-enabled storage device, the key management server queries the location service to determine whether that device is within the boundary. If so, the key material is released. If the requesting device does not provide its location, or if the location service determines that the device is not within the boundary, the key management server fails the request so that the key material is not released. In this manner, the disclosure of the key material to a device that is no longer within the confines of the enterprise, e.g., because it has been stolen, is averted.
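The release decision the abstract describes, as an added Python example (not code from the patent or its applicant). The request fields `device_id` and `location`, the polygon fence `CAMPUS`, the `KEYSTORE` contents and the function names are assumptions made for illustration; failing the request is the only refusal action shown.

```python
import math
from typing import NamedTuple, Optional, Sequence, Tuple

Point = Tuple[float, float]  # (latitude, longitude), decimal degrees

# Constructed sample data: a rectangular campus fence and one placeholder key.
CAMPUS: Sequence[Point] = [(40.000, -75.010), (40.000, -75.000),
                           (40.010, -75.000), (40.010, -75.010)]
KEYSTORE = {"nas-01": b"PLACEHOLDER-KEY-MATERIAL"}

class Decision(NamedTuple):
    key: Optional[bytes]  # released key material, or None when the request fails
    reason: str

def inside(boundary: Sequence[Point], lat: float, lon: float) -> bool:
    """Ray-casting point-in-polygon test over the boundary's vertices."""
    hit = False
    for i, (lat1, lon1) in enumerate(boundary):
        lat2, lon2 = boundary[(i + 1) % len(boundary)]
        if (lon1 > lon) != (lon2 > lon):  # edge straddles the point's longitude
            edge_lat = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < edge_lat:
                hit = not hit
    return hit

def parse_location(raw) -> Optional[Point]:
    """Return (lat, lon) only for two finite, in-range numbers; else None."""
    try:
        lat, lon = (float(v) for v in raw)
    except (TypeError, ValueError, OverflowError):
        return None
    if not (math.isfinite(lat) and math.isfinite(lon)):
        return None
    return (lat, lon) if abs(lat) <= 90 and abs(lon) <= 180 else None

def handle_key_request(request: dict, boundary=CAMPUS, keys=KEYSTORE) -> Decision:
    """Release key material only to a known device reporting a position in bounds."""
    device = request.get("device_id")
    if not isinstance(device, str) or device not in keys:
        return Decision(None, "unknown device")
    if "location" not in request:  # device did not provide its location
        return Decision(None, "no location supplied")
    point = parse_location(request["location"])
    if point is None:  # unusable coordinates are treated like a missing location
        return Decision(None, "malformed location")
    if not inside(boundary, *point):
        return Decision(None, "outside boundary")
    return Decision(keys[device], "inside boundary")
```

The check trusts the coordinates the request carries, so it works as the additional check the abstract calls it, alongside device authentication rather than in place of it.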
Opening claim text (preview).
1. A method to protect key material in an enterprise, the enterprise having a physical environment, comprising: maintaining first information that defines at least one physical boundary of the physical environment; responsive to receipt of a request associated with a device, determining whether the request is associated with second information that identifies a physical location of the device; upon a determination that the request is associated with the second information, comparing the second information with the first information to determine whether the device is within the physical environment; and upon a determination that the device is within the physical environment, releasing the key material for use in association with the device.
2. The method as described in claim 1 wherein the physical boundary is one of: a geographic region, a geographic location within the geographic region, a physical facility with the geographic location, and a physical space associated with the physical facility.
3. The method as described in claim 1 wherein the second information is Global Positioning System (GPS) data.
4. The method as described in claim 1 further including taking a given action upon a determination either (a) that the request is not associated with the second information, or (b) that the device is not within the physical environment.
5. The method as described in claim 4 wherein the given action is one of: failing the request, flagging the request, logging the request for further evaluation, sandboxing the request, and issuing an alert.
6. The method as described in claim 1 wherein the device is network-attached storage and the key material is maintained according to a key management protocol.
7. An apparatus associated with an enterprise, the enterprise having a physical environment, comprising: a processor; computer memory holding computer program instructions executed by the processor to protect key material, the computer program instructions comprising program code configured to: maintain first information that defines at least one physical boundary of the physical environment; responsive to receipt of a request associated with a device, determine whether the request is associated with second information that identifies a physical location of the device; upon a determination that the request is associated with the second information, compare the second information with the first information to determine whether the device is within the physical environment; and upon a determination that the device is within the physical environment, release the key material for use in association with the device.
8. The apparatus as described in claim 7 wherein the physical boundary is one of: a geographic region, a geographic location within the geographic region, a physical facility with the geographic location, and a physical space associated with the physical facility.
9. The apparatus as described in claim 7 wherein the second information is Global Positioning System (GPS) data.
10. The apparatus as described in claim 7 wherein the program code is further configured to take a given action upon a determination either (a) that the request is not associated with the second information, or (b) that the device is not within the physical environment.
11. The apparatus as described in claim 10 wherein the given action is one of: failing the request, flagging the request, logging the request for further evaluation, sandboxing the request, and issuing an alert.
12. The apparatus as described in claim 7 wherein the device is network-attached storage and the key material is maintained according to a key management protocol.
13. A computer program product in a non-transitory computer readable medium for use in a data processing system in an enterprise to protect key material, the enterprise having a physical environment, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to: maintain first information that defines at least one physical boundary of the physical environment; responsive to receipt of a request associated with a device, determine whether the request is associated with second information that identifies a physical location of the device; upon a determination that the request is associated with the second information, compare the second information with the first information to determine whether the device is within the physical environment; and upon a determination that the device is within the physical environment, release the key material for use in association with the device.
14. The computer program product as described in claim 13 wherein the physical boundary is one of: a geographic region, a geographic location within the geographic region, a physical facility with the geographic location, and a physical space associated with the physical facility.
15. The computer program product as described in claim 13 wherein the second information is Global Positioning System (GPS) data.
16. The computer program product as described in claim 13 wherein the program code is further configured to take a given action upon a determination either (a) that the request is not associated with the second information, or (b) that the device is not within the physical environment.
17. The computer program product as described in claim 16 wherein the given action is one of: failing the request, flagging the request, logging the request for further evaluation, sandboxing the request, and issuing an alert.
18. The computer program product as described in claim 13 wherein the device is network-attached storage and the key material is maintained according to a key management protocol.
involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] · CPC title
Location-sensitive, e.g. geographical location, GPS · CPC title
Providing cryptographic facilities or services · CPC title
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title