KR20170082608A - Security evaluation systems and methods for secure document control - Google Patents

Abstract

The system can be decomposed into one or more parts. Can be evaluated to give a security score to each of the components. A composite security score can be generated for the system based on the attenuation metrics that characterize the security score and the view security degradation of the system. The attenuation measurement index can be applied to the composite security score to obtain the current composite security score. The composite security score may be used to control access to the document, either alone or in some other additional criteria.

Description

TECHNICAL FIELD [0001] The present invention relates to a security evaluation system and method for secure document control,

This application is a continuation-in-part of US Provisional Application No. 62 / 051,251, filed September 16, 2014 entitled " Utilization of Security Metrics for Document Control ", and entitled " Secure Transaction ecosystem " filed November 11, U.S. Provisional Application No. 62 / 078,143, which is hereby incorporated by reference in its entirety. This application is also related to U.S. Patent Application Serial No. 14 / 523,577 entitled " Autonomous Control System and Method ", filed October 24, 2014, entitled " Security Assessment System and Method "filed February 27, No. 14 / 634,652, filed September 15, 2015, and U.S. Patent Application Serial No. 14 / 855,196 entitled " Security Assessment System and Method for Secure Document Control, " filed September 15, 2015, do.

Information control and security can be difficult because the content owner can lose control of the document each time they transmit or provide the document from someone else. The systems and methods described herein can secure a document to ensure access to the document, and / or the information contained in the document may be limited only to those authorized to access it. For example, a network printer, which may be shared by multiple individuals, may provide different levels of access to sensitive information. The systems and methods described herein can be used to secure network printers to prevent unauthorized documents from being printed. Alternatively, the systems and methods described herein may secure other devices (e.g., PCs, smart phones, scanners, etc.) that can access the document to prevent access to any kind of unauthorized documents. Document control is not only enterprise / organization security policy and foster compliance, but also for example, legal confidentiality standards and parental obedience.

Documents protected by the systems and methods described herein may include any electronic or physical representation of the data in whole or in part, or any portion thereof, of a database, photograph, file, email, financial transaction, image, For example, some embodiments described herein can secure the information to ensure access to that information limited to those authorized to access regulated information and / or sensitive information (RSI). have. The RSI may include any sensitive information such as payment card information (PCI), electronic voting data, financial, SOX, HIPPA or other regulatory or sensitive information. The RSI can be stored in one or more electronic files, and in some cases can only be part of a file. A holistic approach to security can be provided, in which access to the RSI can be controlled by the data owner and can also be limited to authorized devices and individuals. The RSI can also be protected when delivered between physical digital media and / or acquired by unauthorized entities. For example, even if the unauthorized person gains physical access to the RSI, they may not be able to read, use or utilize the RSI. The described approach can provide a complete ecosystem to protect RSI. In some embodiments, the described approach can be phased in, thereby gradually improving security when components of the ecosystem are developed and rolled out.

The systems and methods described herein may be used in conjunction with the following security features: authentication (ability to specifically identify individuals and / or devices), authorization (ability to specify, restrict and / or enforce access rights) Or access can be recorded so that the change or access can not be denied after the fact), data confidentiality (assurance that the protected information is available only to those authorized to access it), data integrity Warranty) and / or availability (assurance that the protected information is available to authorized users).

The systems and methods described herein may include one or more computers, which may also be referred to as processors. The computer may be a programmable machine or machines capable of performing arithmetic and / or logic operations. In some embodiments, the computer may include a processor, a memory, a data storage device, and / or other generally known or new components. The computer may also include software that directly directs the operation of the components described above. The computer can be referenced by terms commonly used by those skilled in the art in related arts such as servers, PCs, mobile devices, routers, switches, data sensors, distributed computers and other forms. The computer can facilitate communication between users and / or other computers, provide a database, perform analysis and / or modification of data, and / or perform other functions. It will be understood by those skilled in the art that the terms used herein are interchangeable and that any computer capable of performing the described functions may be used. The computers may be interconnected via a network or networks. Networks can communicate with each other. Those skilled in the art will appreciate that connections between computers may in some cases be wired (e.g., Ethernet, coaxial, optical or other wired connection) or wireless (e.g., Wi-Fi, WiMax, It will be appreciated. Connection between computers can use any protocol such as connection oriented protocol such as TCP or connectionless protocol such as UDP. Any connection over which at least two computers can exchange data may be network based. In some embodiments, the computer used in the described systems and methods may be a special purpose computer configured specifically for document security. For example, a device may comprise a special processor, memory and communication components, etc., which are configured together to evaluate and secure the document and / or perform other functions described herein.

The systems and methods disclosed herein may provide security to documents in one or more systems based on a quantum security model (QSM). QSM is a security measurement and comparison methodology. QSM can provide a canonicalization methodology that allows systems to be disassembled and interdependencies to be understood and measured more accurately by evaluating the first components in a consistent manner. The QSM provides a way to normalize the final evaluation of the first component to a quantifiable score. The Q SM allows a resource owner to specify what evaluation (signing) organizations are aware of and accepting. The QSM method can be used to evaluate both the current and anticipated future security status of the system or device. The QSM can allow an individual resource owner to specify and verify the security score of an asset before allowing access. QSM has the ability to operate to mutually authenticate assets before they share resources or services. In the systems and methods described herein, the QSM may be used to control access to a collection of personal files ("protected files") or files.

A common measurement can be achieved through an evaluation process performed on a device, system or entity ("asset") in the QSM, where the agreed renewable, independently verifiable security level determination is required. ("qS"), and the quantum security unit pronounced as ("qSec") may be a standard unit of measurement for security of the system based on QSM. qSec is a time value similar to the position of a particle in quantum physics so that it can be optimally evaluated and optimally known only at the moment the measurement is performed by the observer. After the measurement, the position of the particles can only be measured with a certain degree of accuracy with deterioration with time. The quantum measure qSec can share this property. It is assumed that the system can be viewed as a secure waveform system in terms of security and that quantum mechanics can be applied. System security is a characteristic of this system. Depending on the normal function and operation of the system and its environment, the passage of time can have an impact on the security of the system. As a result, the security of the system can be dynamic and the known state of security can be naturally temporary. Thus, the system can be expressed as a waveform system and the system security as a quantum characteristic. Similar to the position of the particle, the security of the system can be defined to be quantifiable using the principle of quantum mechanics for measurement. Measurement results can provide a security measure expressed in quantum security units, where a zero value indicates that the system has completely lost any security, and increasing the value increases security.

The value represented by a qSec can be derived from the criteria that must be evaluated during the system security measurement process. Each criterion may have a range of common values associated with their impact on security. Each criterion may also have a corresponding evaluation process that produces results within that range. The reference weighting method may be applied to each criterion and the common value range may be a security value scale for what the quantum security measure indicated as qSec represents. For example, the qSec value may represent a unique value in matrix dynamics. Different observers at different time periods may interpret this value differently in their viewpoints and may wish to apply their own probability filters to the qSec value or to perform their own measurement process to determine the qSec value of the system have. The value can thus be predetermined to use qSec measurements in a meaningful manner when classifying system security. This pre-decision can be performed automatically, can be set by the user, and / or can be set at system initialization or before.

1 illustrates a security module according to an embodiment of the present invention.
2 shows a security score fetcher according to an embodiment of the present invention.
Figure 3 illustrates an asset in accordance with an embodiment of the present invention.
Figure 4 shows an asset assessment in accordance with an embodiment of the present invention.
Figures 5A-5D illustrate asset subdivisions according to an embodiment of the present invention.
6 shows a basic score security certificate according to an embodiment of the present invention.
7 illustrates a basic score security certificate according to an embodiment of the present invention.
8 illustrates a security score deterioration according to an embodiment of the present invention.
9 shows a security requirement certificate according to an embodiment of the present invention.
10 illustrates a basic score security certificate according to an embodiment of the present invention.
11 shows a security requirement certificate according to an embodiment of the present invention.
12 illustrates a normalized security score comparison according to an embodiment of the present invention.
13 illustrates a normalized security score comparison according to an embodiment of the present invention.
Figure 14 illustrates security verification in accordance with an embodiment of the present invention.
15 illustrates a security comparison according to an embodiment of the present invention.
16 illustrates security verification in accordance with an embodiment of the present invention.
17 illustrates security cross-validation in accordance with an embodiment of the present invention.
18 illustrates security verification in accordance with an embodiment of the present invention.
19 illustrates security verification in accordance with an embodiment of the present invention.
Figure 20 illustrates security verification in accordance with an embodiment of the present invention.
Figure 21 illustrates security verification in accordance with an embodiment of the present invention.
22 illustrates an improved security requirement certificate according to an embodiment of the present invention.
Figure 23 shows a protected document in accordance with an embodiment of the present invention.
24A-24B illustrate security verification in accordance with an embodiment of the present invention.
Figure 25 illustrates security verification in accordance with an embodiment of the present invention.
Figure 26 shows a protected document in accordance with an embodiment of the present invention.
Figure 27 illustrates a protected document in accordance with one embodiment of the present invention.
Figure 28 illustrates an example lens system in accordance with an embodiment of the present invention.
Figure 29 illustrates a secure transaction system in accordance with an embodiment of the present invention.

1 is a security module 100 according to an embodiment of the present invention. The security module 100 may include physical memory such as the processor 110 and the rules database 122 and / or the certificate database 124. The rules database 122 may store various access control rules as described in detail below. The certificate database 124 may store various certificates for devices, documents, users, etc., as described in detail below. The security module 100 may include a scoring module 132 that can derive and / or update a security score, a validation module 134 that may determine whether a security rule is met, and / or a security rule and / And may include submodules such as the manually defined enabling module 136. By performing security verification, or any device described herein as a QSM enable device or a QSM device, may include the security module 100, and may also perform verification and / or other processes associated with the described QSM The security module 100 may include a security module.

2 is a security score fetcher 200 according to an embodiment of the present invention. An evaluation process may be performed on the asset to determine its security level. To obtain this result, a normalized security score indicating the security level of the asset can be generated at the conclusion of the evaluation. ("Security objectives") for the primitive functions of the isolated property (the purpose, the purpose) of the isolated asset by a predefined grouping ("security category") 220 for assembly purposes RTI ID = 0.0 > 210). ≪ / RTI > For each security objective 210, an evaluation may be performed for each of the security category of the asset and the security score, and a security score ("objective score") within the range assigned to the security objective may be generated. The importance of each score can vary from asset to asset, even by example. When all objective scores have been generated, they are combined using a predefined objective score set method (e.g., a weighted average) to generate a normalized security score ("NSS") 230. FIG. 3 is an asset 230 according to an embodiment of the present invention that illustrates specific examples of security categories 220 and security objectives 210 that may be used in some embodiments. For example, the asset 230 can store, process, and transport a security category 220 that may correspond to the raw functions (e.g., data storage, data processing, and data transfer) performed by the asset 230 have. Each security category 220 may have authorization (AZ), confidentiality (C), integrity (I), availability (AV), nonrepudiation (NR), and authentication (AI) security objectives 210. The ASS for asset 230 provides an indication of how well the asset 230 conforms to the security objective 210 based on the degree to which each functional category associated with the security category 220 scores in the security objective 210 .

4 is an asset assessment 300 in accordance with an embodiment of the present invention.

Any assets are complex (for example, composed of many subcomponents). In the case of these complex assets, measurement techniques such as the technique of FIG. 4 can be performed independently on each sub-component to derive the NSS value for each sub-component. These sub-component values may be combined to produce the NSS of the top-level asset. The asset may be selected for evaluation, and the evaluation may begin at step 305. One or more security categories may be identified, and each security category 220 may be evaluated 310. FIG. Each security category 220 may include one or more security objectives 210, and each security objective 210 may be evaluated at step 315. The security module 100 may determine whether a security objective score can be calculated for the security objective 210. [ In the affirmative case, a security objective score calculation may be initiated at 325, and the security objective score may be generated at 330. Examples of security objective score calculations are described in more detail below. When the score is calculated (335), the next security objective may be selected (330). If a security objective score can not be calculated for the security objective 210 (320), the security module 100 may determine whether the asset should be parted (340). Some assets may be too complex to directly derive security objective scores, or may include components, devices and / or systems that have already been evaluated. To accommodate these situations, assets can be part of the.

Figures 5A-5D are asset portion examples 1700 and 1750 in accordance with embodiments of the present invention. 5A illustrates this principle using a laptop as an example, wherein the laptop is divided into a CPU, an operating system, and a GPU component. Fig. 5B shows, as another example, a water purification plant, in which a water plant plant is divided into a catchment system, a purification system and a drinking water system component. As shown, some sub-assets may only contribute to a single security category score, while other assets may be able to contribute to multiple security categories. Figure 5c shows how the sub-assets in Figure 5a can be further broken down into specific sub-drivers under the driver sub-asset and specific applications under the application sub-asset. In the city, the virtual machine (VM) sub-asset of the application sub-asset is further decomposed into applications running under the VM. This process can be repeated as needed until all sub-assets are accurately evaluated. Figure 5d illustrates further decomposition of the integer sub-assets of the integer subsystem in Figure 5b, indicating that the QSM may be applied to any reference infrastructure components or assets that require evaluation regardless of the type of asset. Anyone with knowledge of the domain to which the asset belongs may follow this method and may recursively add any complex system until the system is composed of a raw component (the evaluation can be performed or the sub-assets performed) It can be decomposed into assets. In water plant plant examples, these may be fences, guards, and fasteners that can be closely analyzed and quantified to affect physical security.

Referring again to FIG. 4, if partial segmentation is not possible, the default security objective score may be reassigned (345) and evaluation (300) may move to the next security objective (315). Once the subdivision is done 340, the security module 100 may define a sub-asset 350 and define a sub-asset weighting equation 355. As described above, the sub-asset can also be divided into itself, in which case the analysis can be performed on further divided assets. For each sub-asset 360, an asset equation 365 may be performed and a security objective score 370 may be generated. All objective scores may be evaluated 375 and the security category scores 380 evaluated. If there are many security categories 220 for evaluation then the next security category 220 can be selected 310 and the above evaluation can also be performed for the security objectives 210 of the next security category 220 have.

When all the security categories 220 have been evaluated, the asset evaluation can end (385). In the case of the asset 230 of FIG. 3, a full 18 evaluation may be performed by three security categories 220, each with six security objectives 210.

The NSS can securely store the security level according to the time at which the digital assets are evaluated in the base security score certificate (BSSC), using the objective score set and derived security rules based on encryption techniques such as public personal certificates . 6 is a BSSC 2700 in accordance with an embodiment of the present invention. The BSSC 700 may include a score for each security objective 210 and category 220. In the case of the asset 230 of the example of FIG. 3, the BSSC 700 may be three of the security category 200 scores (SCS), each of which in turn may be six of the security objectives 210. FIG. 7 is an example BSSC 700 of the asset 230 of FIG. The example of BSSC (700) includes a base security score (BSS) represented by the BSS = (transfer SCS), (storage SCS), (processing SCS) or _{BSS = ((Tc, T I} , T AZ, T AI, T _{AV, T NR), (S} C, S I, S AZ, S AI, S AV, S NR), (P C, P I, P AZ, P AI, P AV, P NR)), where C = Confidentiality, I = integrity, AZ = authorization, AI = authentication, AV = availability, and NR = non-repudiation. The BSSC 700 may be signed by, for example, an individual, enterprise, regulatory agency, or government agency. The BSSC 700 may include the date / time the certificate was issued and the date / time when the certificate expired. The BSSC 700 may also include the attenuation factor of the NSS, which is described in detail below.

Taking into account the transient nature of security, the meaning of security can be used in the computation of the security degradation of the probability that the high degradation probability of the post measurement, the security decay rate (ROD) algorithm, occurs because the final NSS evaluation indicated in the BSSC has been performed. The ROD can be used to determine the actual security score for the system given the elapsed time since the BSSC was originally issued. The algorithm for calculating the ROD can be based on the metric selected for system scoring. Final evaluation (and optionally other security rules or recorded asset usage history) By using the NSS and the objective score set as inputs over time, a new NSS score can be calculated for more accurate general security comparisons.

Figure 8 is a security score detuning 900 in accordance with an embodiment of the present invention. Line 910 illustrates system security without having an ROD value that remains constant over time. However, the longer the system is running, the more compromised the system can become. This deterioration in security is shown in line 920, where line 920 shows a linear ROD of 0.01 per unit of time. Lines 930 and 940 illustrate the security of the system over time, taking into account events that may adversely affect the security of the system. Line 930 represents four security events that degrade system security, but does not cause a change in ROD. Line 940 describes the same four events, but it is assumed that each of these events also changes the ROD value. 8 may be the result, for example, of connecting a USB device to the system, connecting the system to an untrusted network, browsing to a malicious web site, or installing a download application.

To allow assets to maintain a history of important events, the QSM can support the concept of certificate chains or the Security Score Chain (SSC). The BSSC can provide a base certificate from any SSC. The asset can change the score and sign a new certificate as a BSSC. When creating the SSC, the asset may contain a record of why the modification was made. In FIG. 8, an update to the SSC may be made to reflect changes to the ROD after each event on lines 930, 940, and to document the events that caused these changes. If the BSSC is given as an ROD, the new security score can make adjustments for any attenuation (e.g., as shown in line 940) since it has a date / time newly issued on this connection . The expiration date / time can not be extended beyond the expiration of the BSSC, but can be shortened appropriately. Also, where appropriate, the ROD can be modified to reflect new risks and concerns.

FIG. 9 is a security requirements certificate (SRC) 1400 in accordance with an embodiment of the present invention. Similar to the BSSC, the SRC includes a security requirement weight (SRW) for each security objective 210 score (SOS), a security weight for each security objective 21O, an authorized BSSC and SSC signer, and / And may be a securely signed document with a password containing

The NSS can be the highest level score within the QSM and can also be calculated by applying the security requirement weight in the security requirement certificate to the drafting objective score of the base security score. Mathematically, the SRW may be implemented, for example, in a BSSC (three security category weights (SCW) (which may be a weighted percentage that contributes to each category contributing to the NSS), SCW each security objective weight (SOW) For example, in the case of the examples of Figures 3 and 7, SRW = (transport SCW (transport SOW), store SCW (store SOW), process SCW (treatment SOW)) or _{SRW = (SCW (T C,} T I, T AZ, T AI, T AV, T NR), SCW (S C, S I, S AZ, S AI, S AV, S NR) , SCW (P _C , P _I , P _AZ , P _AI , P _AV , P _NR ).

The NSS can be used to evaluate the security posture of a given asset over time ([Delta] T). This score can be used, for example, to authenticate an asset, grant access, compare the security utility of the asset, or determine whether an improvement should be made to a given asset. The NSS can be calculated as follows. NSS = (BSS * SRW) - (ROD *? T). Therefore, NSS NSS = the case of the example of Figs. 3 and _{7 (SCW T * (T C} * TW C + T I * TW I + T AZ * TW AZ + T AI * TW AI + T AV * TW AV + T NR _{* TW NR) + SCW S *} (S C * SW C + S I * SW I + S AZ * SW AZ + S AI * SW AI + S AV * SW AV + S NR * SW NR) + SCW P * ( P _C * PW _C + P _I * PW _I + P _AZ * PW _AZ + P _AI * PW _AI + P _AV * PW _AV + P _NR * PW _NR ) * (ROD * (T _CURRENT -T _ISSUED )) Can be calculated.

10 is a bass security score certificate 150 in accordance with an embodiment of the present invention. In this example, BSS = ((6.05, 3.47, 3.83, 4.89, 5.42, 3.46), (6.52, 4.45, 5.78, 5.09, 6.43, 4.80), (4.52, 4.89, 2.69, 3.68, 6.79, 2.64). The ROD was 0.13 / day, and the certificate was issued on February 22, 2014, and expired on August 24, 2014. 11 is a security requirement certificate 1600 according to an embodiment of the present invention. In this example, SRW = (0%, 0%, 0%, 0%, 0%, 0%, 0%), 65% (25%, 40%, 5%, 5%, 25% , 35% (17%, 17%, 17%, 16%, 17%, 16%)). A weighting of 0.0 for weighted transport security objectives indicates that this special property owner is indifferent to the transfer activity or does not use the transfer activity. Such a scenario may exist in the form of a stand-alone machine or a smart card, which has no storage means for data storage but has storage and processing capabilities. The minimum required NSS listed in the SRC and the current date or TCURRENT = March 23, 2014. Detailed calculations for the storage portion are described below, and other detailed calculations are omitted.

Storage portion = 0.65 * (0.25 * 6.05 + 0.4 * 3.47 + 0.05 * 3.83 + 0.05 * 4.89 + 0.25 * 5.42 + 0.0 * 3.46) = 3.05

NSS = (0 + 3.05 + 1.93) - (0.013 * (March 23, 2014 - February 22, 2014) = (4.98 - (0.013 * 29)) = 4.6

The calculated NSS can be compared with the stored minimum NSS value, and if the value is greater than or equal to the minimum NSS value, the value can be approved. In this example, the device is rejected because the calculated 4.6 NSS is below the SRC tolerance (5.0).

The NSS values can be compared and collated so that the security level index can be applied to the security of the asset. 12 is an NSS comparison according to an embodiment of the present invention. The NSS value 410 may be compared to the NSS index 420 to determine whether the NSS for the asset represents the minimum required security level. For example, the NSS index 420 may indicate that an asset with a value of 5.5 or higher has an acceptable security level, and an asset with a score of 5.5 or less does not have an acceptable security level. In the example of FIG. 12, the asset has a NSS of 6.8 and therefore exceeds requirement 5.5. In addition, two or more assets may be compared to determine whether they have the same or a similar security level, or which of the assets is more secure. 13 is an NSS comparison 500 in accordance with one embodiment of the present invention. In this example, Asset 1 has a 6.8 NSS value 510 and Asset 2 has a NSS value of 520 (520), Asset 2 may be considered more secure than Asset 1. Based on a given set of scores and a agreed upon security objective and category according to a generic security measurement method, the transitivity can provide a reproducible, independently verifiable security comparison in which the security comparison is agreed have.

Extended security comparisons can be performed that can measure more specific security contributions of an asset, typically using an NSS and an objective score set. 14 is a security verification 600 according to an embodiment of the present invention. Asset 610 (e.g., a USB device) may have a calculated NSS (e.g., 6.8) and QSM enable system 620 may verify asset security 600 before interacting with the asset . The system 620 is asked to perform an operation (e.g., a write operation to the USB device) that utilizes the asset, e.g., via user input. Asset 610 sends its NSS 640 to system 620. The system 620 may evaluate the NSS (e.g., by performing a comparison as shown in FIG. 12). If the NSS evaluation indicates adequate security, the operation can proceed. Otherwise, the operation can be prevented.

In one example of FIG. 15, another security comparison 2100 is shown in an embodiment of the present invention, where two different systems are compared. System # 1 has a lower NSS score than System # 2, but System # 1 has a higher category score for storage confidentiality than System # 2. Such comparisons can be used to determine which product to buy (e.g., which product best suits your security needs) or determine which system should be upgraded first, or to make other decisions about system security Can be used.

16 is a security validation 800 in accordance with an embodiment of the present invention in which the BSSC of an asset 810 may be used to interact with a corporate network 820. The asset 810 may be a network 820, And may also provide a BSSC 830. The network 820 may evaluate the BSSC and determine if the asset 810 is secure 840. In this example, the asset 810 Has an NSS in its BSSC below the threshold that the network 820 requires and the network 820 denies access to the asset 810.

The SOS can provide a probabilistic assessment determined by computing security metrics that can describe the likelihood of compromise. This probability equation can be expressed as SOS = P (compromise | security measure ≠ concern). SOS is a probabilistic probability of compromising an asset due to an enforced security measure that does not protect against anxiety, where the concern is a stochastic representation of the time that an actor with a given motivation can use the achievement. Concern = P (Time | Actor | Motivation | Achievement).

The time can be extended and transferred in the BSSC, as represented by the ROD, so that the SOS can be a set of values. ROD can indicate how sensitive SOS is to time exposure. A high ROD indicates that the concern for the asset increases more over time than the low ROD.

For example, the NSS can range from 0 to 10, where 0 is unsecured and 10 is completely secure. If a given asset has a validity period of 770 days (or the time until a patch or update is needed), and there are no factors contributing to reducing or extending this expiration date, one way to calculate the ROD is 10 It could be to take the maximum NSS value and divide it by 770 days. ROD = (maximum NSS value) / (100% compromise possibility date) = 10/770 = 0.13 days. The score is zero at the end of 770 days, regardless of the security of the system, by reducing the NSS calculated by the ROD x time change (date). In other words, the system can be considered unsafe without any action. In practice, there may be some minimum value somewhere above zero where the system can be considered insecure, and this value can be represented as the minimum NSS in the SRC.

Other examples may include ammunition bunkers in military installations. An arched door in a bunker can contribute to a component of security ("S ₁ "). Arched doors are assessed at the 6-hour penetration level, and vendor testing is limited to access, resulting in a 60% rate for skilled attackers, which increases by 5% every hour after the 6 hour cycle. Therefore, S ₁ is 0.95 at the ROD stage, 0.6 at 6 hours, and then decays normal 0,05 per hour thereafter. By this explicitly stated in the BSS of the arched door, the commander commands the guard to traverse the bunkers every three hours to reset the boundaries (basically reset the door ROD). Together these two factors can contribute to S ₁ in the case of a constant 0.95 door.

The SRC can specify which signer is recognized and accepted by the resource when evaluating the BSSC of the asset being sought to gain access to the resource. This can protect the resource against attempts to falsify the security score by creating a BSSC signed by an unauthorized signer. In addition, the ability to specify a trusted signer may allow for changes in the security metric used and an assessment scale for the NSS. For example, security measures may be based on the Sandia RAM Series evaluation, and the specifications of this Sandia RAM series allow conversion from Sandia RAM series evaluation to NSS in the range of 0-100. can do. Similarly, other embodiments may use the CARVER methodology or a couple of comparative evaluations, and may also use the QSM0-10 scale. Similarly, one embodiment may utilize proprietary metrics and scales from 0.00 to 1.00. Any combination and all combinations described above may be used in the evaluation of the composite system and the NSS and QSM methodologies may allow inclusion thereof. The QSM can take into account known deficiencies in the methodology by increasing the damping factor and reducing the NSS due to any measurement criterion. Thus, the current system and evaluation can be used in the short term until valid QSM evaluation can be performed.

The improved authentication and authorization process between assets can take advantage of the common security measurement and comparison methods described above. This can be done by forcing the real-time evaluation to derive the NSS and the objective score set of the asset or by using the information stored in the BSSC from the historical evaluation as well as using the asset's damping rate algorithm. Additional security rules, such as those stored in the BSSC, may be used as authentication and authorization criteria. Security level provisioning may be performed in one manner for one of the assets used in the authentication or authorization process, as described in the example security verification described above. In some embodiments, two validations (or all forms of verification when two or more assets attempt to authenticate or authorize each other) may be performed, each validating the security level of another asset. 16 is a cross-security verification 1000 according to an embodiment of the present invention. In this example, the laptop 1010 validates the corporate network 1020 and the enterprise network 1020 can validate the BSSC of the laptop 1020, and each asset also has sufficient capacity for other assets to allow interaction You can decide individually whether you have security.

In some embodiments, the enforcement of security rules during the validation process may attempt to re-evaluate one or more assets participating in authentication or authorization. 18 is a security verification 1100 according to an embodiment of the present invention. The BSSC of the asset (laptop 1110) may be used to interact with the enterprise network 1120. Asset 1110 may attempt to connect to network 1120 and may provide that BSSC 1130 to the network. The network 1120 can evaluate the BSSC and determine if the asset 1110 is secure. In this example, the asset 1110 has an NSS below the threshold required by the network 1120 in its BSSC, and the network 1120 denies access to the asset 1110. Asset 1110 may be evaluated by security module 100 in response 1150. As described above, the NSS value may deteriorate with time. In addition, new security features can be implemented on the asset over time. Thus, a reassessment 1150 for an updated BSSC may generate a new NSS value. In this example, the new value indicates that the asset 1110 is secure enough to communicate with the network 1120. Asset 1110 may perform a second attempt to connect with network 1120 and may provide the updated BSSC 1160 to network 1120. [ The network 1120 may determine whether the asset 1110 is secure 1170.

The QSM evaluation of devices such as servers, PCs, and routers, such as built-in processing capabilities, can be performed automatically. This can be accomplished by performing a combination of backend databases, scanning of configuration information on the computer, and / or QSM processing using an automated penetration testing tool to generate an NSS. Whereby the service provider or network may require at least a minimum security state for the devices that wish to access the service that may be subject to a full QSM evaluation.

This automation can take steps to further preemptively protect the QSM devices. If a new behavior or other concern is identified, the trailing database can be searched for registered devices that are susceptible to pre-operations and can take pre-operations. This action can be, for example, a NSS of a lower device, invalidating the certificate and / or advising the property owner that the devices must disable certain services or install patches or updates, I can advise my concern. Due to the nature of any computer network, these prior services may require periodic communication between the devices and the back-end services in some embodiments.

Automated evaluation and certificate generation can also allow real-time evaluation to be performed for access to systems where even a few days old certificates can have, for example, high security requirements that are unacceptable, for example. These high security systems may require current (e.g., the day, week, etc.) certificates. Which may be automatically adjusted in some embodiments. With this automated QSM evaluation, the system may require re-evaluation and re-authentication for every request to use system resources in some embodiments.

The following additional examples illustrate scenarios in which the QSM may be used for authentication and / or authorization. For the purposes of this section, it may be assumed that the devices in the QSM have an SSC. Devices or systems with their own computational resources may also be assumed to have an SMC. An example of a device that may not have SRC is a USB memory stick. Since many USB memory sticks do not have their own computational resources, they can not compare the SRC with the SSC they received, so there is no reason for them to have an SRC. Also, for devices that do not have their own computational resources, the SSC may simply be a BSSC since this device can not update the SSC from the BSSC.

Devices using QSM can use SSC to perform device authentication and authorization network access. Such authentication and authorization may be reciprocal so that each entity can mutually authenticate and authorize as described above. By using automated QSM assessment tools, these mutual authentication can be extended to external devices that may require temporary or temporary access to network resources, such as connecting access points in corporate offices and accessing online stores. have. The resource owner may not require physical evaluation of all devices that may require temporary access to the resources of all devices to meet the need for downloading or accessing the QSM evaluation as part of the registration or signing process. The QSM tool can then generate an automated BSSC based on automated scans as described above and then the device can participate in a mutual authentication exchange before access to the network resources is granted.

Figure 19 is a security verification 1800 in accordance with one embodiment of the present invention. Upon connection to the network, the device may provide the SSC to the network (1810). Since the SSC is a password-signed certificate, the SSC can be device-specific. Thus, authentication for the network of the device (rather than the user) can be used. The network can use the SSC for logging purposes to identify any device that can act in a malicious or suspicious manner. The network administrator may, in some embodiments, use the SSC to determine whether the connection to the network is allowed based on the current security level of the device. Devices that meet this requirement may be allowed to connect to the network 1820. In addition to simply granting or denying access, the SSC can be used to determine which network segments the device is authorized to access. For example, a device in which a network fails to meet the security requirements of the enterprise may be deployed in the guest network so that the device can access the Internet, but access to enterprise resources is prevented (1830).

20 is a security verification 1900 according to an embodiment of the present invention. The devices use the SSC to authorize or authorize the network itself. The networks themselves may have password-signed SSCs so that the device can identify the network to which the device is attempting to connect. This methodology can eliminate network spoofing whether it is wired, wireless or cellular. The user and / or system administrator can use the SSC to define which network the device will use. For example, a business administrator can configure a laptop so that it only has access to a corporate network, a designated home-work router at an employee's home, and a designated cellular network. Employees can not connect their devices to any other network. In this example, the laptop can send its SSC to the network (1910). The network may ignore the SSC if the SSC is not evaluated for NSS compliance. In this case, the laptop may reject the connection to the network (1930) because the SRC is not satisfied.

In addition, the SSC can be provisionally updated, so the system administrator can allow the network to connect to a less secure network. The SSC of the device may be updated to indicate that the network to which it is connected is not secure. With the resulting reduction in SSC, the corporate network can force the device to re-evaluate before allowing the device to reconnect to the network. For example, these techniques can be useful when employees travel with their laptops. In addition, the user or system administrator can use the network SSC to authorize which device resources the network can be allowed to access. For example, the firewall of the device may prevent a network that does not meet the security level from being allowed to access the file share, and may prevent the web server from running on that device.

21 is a security verification 2000 according to an embodiment of the present invention. In addition to authentication and authorization of the network, the computer can authenticate and authorize devices based on the SSC. For example, a USB storage device may include an SSC and may send an SSC to the computer when connected to the computer (2010). If the SSC does not match any criteria (e.g., does not adequately encrypt data at rest), the host computer may prevent the user from copying information to the USB stick (2020). In addition, if the host computer is able to detect the nature of the data being copied, a determination 2020 of whether to allow it to be copied can be made based on the combination of the data itself and the SSC of the destination device. Similar examples may be present in many different types of devices. In some embodiments, handshaking between devices may be changed to ensure that SSCs are always transmitted. For example, as part of the USB handshaking protocol, both host and slave devices may share their SSC. Whereby the devices can perform mutual authentication and authorization.

Devices may also use the SSC to allow access to the sensitive information of the device itself. For example, a device with a trusted computing space may be configured to only allow access to the encryption information for that device if the SSC meets any criteria. The trust computing processor may detect an attempt to access the encrypted volume and then determine whether the current SSC meets the criteria for the encrypted volume. Even if the user knows the decryption key, the device can prevent the device (which can be compromised) from decrypting the information because it is no longer trusted. Specially designed computing devices that utilize discrete components for sensitive storage devices that may require an SSC to comply with SRC can thereby be implemented. Basically, sensitive storage components can be viewed as individual devices by the system.

The hardware and software products may use the user provided SRC and the desired SSC provided (within the available range) to automatically configure the parameters and settings to configure the SOS to ensure compliance. And can provide functionality and security by removing responsibility from the user to determine which combination of parameters is available in the product configuration. Similarly, resource owners may require any services or devices that are disabled or stopped while accessing their resources. By utilizing both the automatic configuration and the QSM automatic evaluation process, this type of dynamic configuration can meet security requirements.

SSC can provide products to purchase information. Product manufacturers can provide SSCs for their products online, enabling customers to make direct comparisons between products in their secure environment. Similarly, Web sites can let potential customers submit SRCs to learn which products meet their security requirements. This allows customers to determine which products offer the desired security enhancement or performance before making a purchase decision. A system may be developed to perform simulations of the system to learn how to implement new products or configurations. Manufacturers can determine the total number of security they can provide to the user and also present a security amount to add to their competitors for a given security SRC.

QAM Document Control

The protected document may be encrypted using a public / private key pair for an authorized recipient or group of recipients. The private key may be generated and stored in a specially designated QSM Authorizer. The authorizer may be, for example, the security module 100, and the authorizing module 136 and / or other elements are configured to process the improved SRC 2200 and associated document control methods described below. A public / private key pair can be stored in a database with a globally unique ID (GUID) for the public / private key pair. The protected document may, for example, be configured in the form of a compressed archive containing the file (s) to be protected along with the SRC. A set of authorization key value pairs may be used to define the permissions for each GUID. In addition, the SRC may define which applications are allowed to operate on the protected file, for example, by validating the application's BSSC and the host device's BSSC.

Figure 22 illustrates an improved SRC 2200 in accordance with an embodiment of the present invention. The enhanced SRC 2200 is similar to the other SRCs described above, but additionally has one or more access control lists (ACLs). An ACL can define an application by permission to perform a task on a file. For example, the SRC 2200 of FIG. 22 may include a printing ACL that may include a list of applications allowed to print files, a view ACL that may include a list of applications that are allowed to view files, An edit ACL that may include a list of allowed applications, and a copy / send ACL that may contain a copy of the file and / or a list of applications allowed to transmit. The ACLs in the example of the SRC 2200 are not limited to the possible types of ACLs of the complete list that can be implemented. The authorizer is responsible for assuring that the requestor and machine or application attempting to access the data is authorized according to the ACLs and also meets the minimum security requirements in accordance with the BSSCs.

23 shows a protected document 2300 according to an embodiment of the present invention. The encrypted document 2300 may include an enhanced SRC 2310, unencrypted metadata 2320, and an encrypted document attribute 2330 that may contain data to be protected. The unauthorized individual can see that the document is present and view the unencrypted portion, but the protected content in the encrypted document attribute 2320 can remain secure. The protected document 2300 can be digitally signed and can assure the authenticity and authenticity of the document 2300 in an encrypted manner. In addition, changes to the document can similarly be digitally signed.

24A-24B illustrate security verifications 2400 and 2450 in accordance with an embodiment of the present invention. QSM document control can provide additional levels of security for viewing, printing, or editing of documents. For example, the view of the document may be specified as a QSM-enabled application or it may be based on the QSM value of the host computer as defined by the ACL and SSC (or BSSC in some embodiments), respectively. Requesting a QSM-enabled application on a trusted host computer can provide improved protection because the QSM application can provide QSM document protection. For example, other users can view the document without providing the ability to print or edit the document with just the security settings. Specialized viewer applications can also be used to make it very difficult for a user to copy a file because only the versions that are visible to the user permanently stored on the user's computer are encrypted protected documents. When looking at a document, it may be desirable to look at the computer externally, such as by restricting viewing of a given document based on where the computer is viewed geographically or physically, or based on, for example, You can restrict documents based on factors. For example, viewing documents can be restricted to corporate computers while they are in the corporate network.

The system requirements to display the document protected by the QSM may be as wide as the QSM score, for example, or as narrow as the user, system, QSM score, and physical location. When setting the permitted viewer and system permissions, it may be necessary to use the QSM application for display. Permission to view may be granted by the document owner on the basis of, for example, a user, viewing system or a combination thereof. The document owner is allowed to view a document and can tell which system the user is coming from. When a user assists a protected QSM document, the entire protected document (encrypted version in addition to the SRC) can be sent to the QSM Authorizer with information about the user requesting the view. The protected document may be encrypted with a key known only to the QSM author, which forces the viewer to use the authorizer to decrypt the message. This can prevent a compromised viewer system or a system in which the QSM score falls below the required level bypassing the security measures for the document.

24A, the QSM enabled laptop 2410 may attempt to access the protected document. The SRC for the laptop itself, the SCR for the program attempting to access the document, and the ID of the laptop 2410 and / or the laptop user may be sent to the QSM author 2420 along with the document for validation 2430. QSM author 2420 may examine the document requirements and credentials and may determine that the security level and software for laptop 2410 are sufficiently high. The QSM author 2420 may also provide access to the laptop 2410 and / or the user of the laptop 2410 against the ACL 2410 to determine whether the laptop 2410 and / or the user has been granted access to the protected document You can check. Access to the document may be provided 2440 if the security level is high enough and the laptop 2410 and / or the user is on the ACL. 24B, the QSM-enabled laptop 2410 may attempt to access the protected document. The SRC itself for the laptop 2410, the SRC for the program attempting to access the document and the ID of the laptop 2410 and / or the laptop user may be sent with the document to the QSM author 2420 for validation 2460 have. The QSM author 2420 may check the document requirements and credentials and the identity and may determine that one or more of the SRCs do not meet the requirements for access and / or that the laptop 2410 and / or the user does not have access permission . Thus access to the document may be denied (2470).

In many cases, similar information is often disseminated to a number of audiences with a different level of "need-to-know ". QSM documents can be used to simply protect documents at the content or perragraph level rather than at the document level. Content marking (e.g., ferragraph classification) can automatically encrypt information based on the author's markings. A user's attempt to view or print a document can only see a segment of the document to which they are granted access. This "edit" can occur either transparently (i. E., Marking of an authorized segment is completely gone) or opaque (i. Security verification may be performed as described above and the document may be encrypted as required by the security level of the user before the document is presented to the viewer.

For example, FIG. 26 illustrates a protected document 2600 in accordance with one embodiment of the present invention. The document 2600 may include a plurality of levels of information including unclassified information 2630, confidential information 2632, 2634 and protected top secret information 2636, 2638. Even the lowest level of the non-classification information 2630 can be protected. The authorized user for the secret level can only view the content in the non-classified information 2630 and secret information 2632, 2634 levels. A user authorized for the top secret level can view all protected documents including top secret content 2636 and 2638. [ Each of the personal content sections may have its own security requirements, or may be classified as being at a protection level as shown. Additionally, content access can also be restricted based on ACLs. The ACL may be used in conjunction with security requirements to define device and / or user permissions for the protected information. Thus, in one example, a user may have printing and viewing permissions for some secret content 2636, but only view permissions for other top secret content 2638, as defined in the ACL.

Access to the document may also be limited based on the number of times a given document has been viewed, where the viewing computer is located geographically, when the viewer is viewing the document, on what network the viewer is on, etc. have. For example, viewing documents can be restricted to enterprise computers while they are on the corporate network.

Editing protected documents can be similar in nature to viewing documents. In some embodiments, a special editor may be needed to ensure that QSM protection is maintained. The document control metadata may limit the user to editing only specific areas or pages. When using QSM document control for editing, versioning can also be controlled. To allow for file size optimization, the user can control how to maintain many versions of the document. The versioning may be set, for example, to 1 (no versioning), 0 (unrestricted version), n (number of versions for maintenance other than the current version).

The QSM can also control printing and / or reproduction. When setting printing permissions, the use of a QSM application for viewing and editing may be necessary in some embodiments. Authorization of printing may be granted by the document owner on the basis of, for example, a user, printer, or combination thereof. The owner can say that the user is authorized to print the document. The owner can also tell which printer (or printer set) is allowed to print the document. The QSM score and / or QSM certificate may be used to determine authorization. In addition, any user may be authorized to print only on a particular printer.

A company or organization can establish an information classification using a Security Level Definitions Certificate (SLDC). The SLDC may include security requirements for each classification along with labels for each classification. The SLDC may be loaded into a device that generates a QSM-enabled application and a QSM protected document. In addition, the SLDC may determine whether the document should be protected in all its parts. For example, a user can manually select the classification of a document (or parts of a document). Applications can automatically apply the necessary security measures. In addition, the applications and devices themselves can automatically recognize sensitive information, and then automatically protect the information or prompt the user to verify the classification. In addition, the SLDC can ensure that minimal security is in place for the document, and can be modified by the user to increase security (e.g., by categorizing a portion of the document as high security) security. The security level can be assessed and / or customized by the user. When applications and devices apply SLDC settings to protected documents, they can use real-world requirements rather than relying on user-friendly labels. This allows documents to be opened (or restricted) on various platforms where labels can be applied in different ways.

25 illustrates a security verification 2500 in accordance with one embodiment of the present invention. When the user wishes to print a protected QSM document, the entire protected document (encrypted version with SRC) is sent to the printer along with information about the user requesting the printed copy and / or information about the user's computer . The protected document may be encrypted with a key known only to the QSM author, which forces the printer to use the authorizer to decrypt the message. After confirming that the grantor is allowed to print the document, the author can manually use the proven SSL protocol to transfer the decrypted document back to the printer and, in some embodiments, update the document's SRC . This can prevent a compromised printer or a printer whose QSM scores drop below the required level to bypass security measures for the document. In the verification 2500 of FIG. 25, the QSM enabled laptop 2510 may attempt to print the protected document. The ID and / or laptop user of the SRC and document and laptop 2410 for the laptop 2510 are transferred to the QSM enabled printer 2530. The SRC and document for the SRCM printer 2530 for the laptop 2510 may be sent to the QSM author 2520 for verification 2530. [ The QSM authorizer 2520 may check the document requirements and credentials and determine that the security level of the laptop 2510 and the printer 2530 is sufficiently high and that the laptop 2410 and the printer 2530 and / As shown in FIG. Therefore, the permission of the printer of the document may be granted (2560).

QSM  Document control hardware examples

Hardware designed to create or process documents can be configured to directly manipulate QSM protected documents. For example, printers, imaging devices, and fax machines can all be uniquely configured to support QSM document control. A simple implementation of an anti-tamper can be a mechanism configured to make an attempt to access the processing area of the printer unavailable for secure storage (where the BSSC and SRC are stored).

The special QSM device may include a secure processor and a storage area with tamper resistant security measures. An example security processor and storage area that may be suitable for use with a QSM device is disclosed in U.S. Patent Application Serial No. 14 / 523,577 entitled " Autonomous Control System and Method ", which is incorporated herein by reference in its entirety. May provide a secure physical layer comprising a monitoring and operation module configured to periodically analyze the connection status in real time between any number of devices or systems and operate against pre-programmed out-of-boundary conditions. Using a secure processor to monitor QSM protected documents may be a security method to remove unauthorized attempts to access or process protected documents.

For example, a printer (e.g., a digital image such as a copier, printer, fax machine, register, etc., or any device that creates a hard or physical representation of a document) may be QSM enabled. QSM document control allows the protected document itself to transmit and maintain security controls within the document. The QSM-enabled printer can coordinate the QSM-protected document by providing the document and printer BSSC to the authorized authorizer. After confirming that the grantor is authorized to print the document, the authorizer can use the manually proven SSL protocol to send the decrypted document back to the printer and update the document's SRC. Alternatively, if the printer has its own asymmetric key pair, the supplicant can encrypt the document with the printer ' s public key and send the document to the device. The printer security processor then clears the document of the device by decrypting and printing the document.

In some embodiments, the printer may have a secure segment storage device. The secure print job can be printed without being monitored and then collected by the user after inserting the necessary pins (or using the physical key) to unlock the storage tray. In some embodiments, the printer may be configured to embed invisible watermarks representing, for example, users and printers that have printed hard copies. This allows the leaked document to be tracked back to the original. In some embodiments, the printer can use special paper and / or ink that can react to the bright light of the scanner and the copier, which makes the original (and any copy) unreadable.

Any device, such as a fax machine, a scanner / copier, and a medical imaging device, such as an MRI, X-RAY, and CT scanner, may also be used as an imaging device (e.g., a digital camera that captures an image and generates a file containing the image) QSM Enabled. The QSM enabled digital imaging device can automatically provide a protected document. The user can automatically protect a single document and / or the entire "session" so that the imaging device can encrypt as soon as the user acquires the image. The "session" may be the last until the user chooses to terminate the QSM session, or until the imaging device goes to power off or sleep mode. For example, the imaging device may encrypt an image (and optionally metadata) with a public key registered with the device. Whereby only the user can access the image until the time they make a decision to authorize the other user or device. In addition to protecting images, QSM can support users in maintaining copyright and licensing protection and in providing ownership of user work.

A communication device, such as a fax machine, may also be QSM enabled. With a QSM-enabled fax machine, a shared fax machine (such as that found in an office or commercial office service store location) can securely send and receive documents. In either case where the device does not have a BSSC or the BSSC does not have a sufficiently high score, the device may refuse the connection or the user may fall back to the standard fax protocol. The user or administrator can control these actions.

When sending a fax from a QSM-enabled fax machine, the process can proceed as follows. The user can enter the recipient's phone number with either the pre-shared PIN or the recipient's public QSM certificate. The user can scan the cover page and the protected document.

Upon receiving the fax, the QSM-enabled fax machine stores the fax as a QSM-protected document. Figure 27 illustrates a protected document 2700 in accordance with one embodiment of the present invention. In the document of this example, the cover page 2722 may not be encrypted so that anyone can understand how the document should be distributed. Cover page 2722 may be stored at the same level as SRC 2710 and other unencrypted metadata. A confirmation page can be generated that can provide timestamps, page counts and / or resolution details. The confirmation page may be useful to ensure that the premises fax is received without indicating the details of the fax itself. The confirmation page may also be used for billing purposes. The content of the fax document 2730 may be encrypted with the user's public key obtained from the user supply pin or authorizer. The fax may be stored as an encrypted protected document until the intended recipient has proven ownership through either providing the correct private key or a pre-shared PIN. Only after ownership has been set up, the fax machine can cause the document to be printed. It may be possible to copy the protected document to a USB stick (QSM or non-QSM enabled) or other storage device so that ownership can be set using another system.

Hardware designed to create or process a document may be designed or retrofitted to directly handle the protected document. For example, the computer may be able to display the optical properties or coordinates of the lens to partially display the information on the lens partially and on a special monitor or printed page in a manner that requires lens or monitor or special printed media to be able to create protection information (E.g., a glass, a goggle, or a view screen), such as a QSM refinement lens having input and output properties through a physical or wireless connection to a physically changeable computer.

28 illustrates an exemplary lens system according to an embodiment of the present invention. These lenses may require some form of biometric information (such as a retinal scan) to solve the surveillance (such as QSM cert). This chart establishes a mutually authenticated cryptographically secure channel where part or all of the protected data is displayed on the lens and / or part or all of the protected data is displayed on the monitored or printed page. This simple version is a way of making 3D movies and Yuzu, but here you need special glasses to look at stereoscopic images. In another version, such as the example of FIG. 28, code 2810 may be provided instead of protected data. The lens 2800 may then receive the directly protected data in an encrypted form and decrypt and display the protected data 2820 for the downstream user. When the user needs to remove the glasses or otherwise break the protective connection, then a biological ID verification may be required to reset the protective connection. Two-factor authentication can be used in addition to supplying a biological token to alert biologic attacks against an answer. For example, in addition to providing a retinal or fingerprint scan, the user can also be provided with a visual or speech challenge that requires a response for verifying a specific motion or ID.

Similar to imaging, similar to parts marked on a computer and classified documents, elements, ferragraphs, images, HPPA items, RSI, etc. can be identified or appropriately tagged. These elements can then be controlled through the ACL maintained in the improved SRC. Similarly, a field or digital form within the database may be identified, and the entered information may be protected by an ACL of the digital form or record. Protected information can be maintained and forwarded from that point forward as a document.

Point of Sale Information Management System (POSD) can be transformed into a protected document, so that scanning for a credit card or accepting payment from some other device may not expose RSI to unauthorized individuals or devices. POSD may have an isolated, encrypted secure storage device containing a QSM certificate to ensure that the device is unaltered and / or authentic to the customer and the retailer. For example, FIG. 29 illustrates a secure transaction echo system 2900 in accordance with one embodiment of the present invention. The exemplary POSD may include a credit card processor and / or a cash register 2920. [ These devices may use the QSM to protect credit card data as described above. When the authorizer 2930 determines that the QSM certificate of the display device (e.g., computer 2940 and / or printer 2950) is consistent with the rules for displaying sensitive credit card data, display of the data is allowed , While the burd granting device may be denied access to the data. This protects the credit card RSI from theft or fraud.

The protection of the document can be extended to a physical card such as a credit card, a government ID, and can access a badge containing RSI. The information may be provided in a protected form on the physical medium so that when the card is lost or copied, the protected form may not provide access to the RSI. Furthermore, in order to ensure that the card is authenticated, some form of encrypted watermark, tag or identifier may be embedded in the card, which links the card issuer and the identity of the person who issued the card.

Plug-ins or add-ons may be applied to integrate applications commonly used to send, view, or process sensitive data, such as mail servers, mail client web servers, web browsers, and the like. These plug-ins can implement QSM control on data based on SLDC. Plug-ins can protect employees from sending sensitive information (either purposely or intentionally) without first securing the sensitive information. For example, a social security number or credit card number typed within the email can be automatically protected and relayed to a QSM-enabled application or a secure mail application. In some embodiments, a special type of information typed into the document (e.g., a social security number) may be automatically detected and the user may set an arbitrary security level by an attempted program, Is provided in the document.

A special monitor can be used for protection program processing. These monitors may have a system-changeable electroluminescent (or similar) glass or filter capable of altering or masking the protected document in a manner that prohibits unauthorized users from viewing or shooting the protected document. In such a monitor, non-RSI content can be viewed on the screen at any time, but RSI content is not visible to unauthorized users. This monitor can have built-in biometric or proximity detection so that it can display only when an authorized user is present. In a proximity tag implementation, the transmitting device (NFC tag embedded in the access medium) may have user ID information that can be securely transmitted to the monitor. The monitor may submit a challenge to further validate the identity, for example, before displaying the protected document. In the next step, the verification code may also be sent to the user ' s mobile phone and may require input of code prior to initiating a viewable protection session. This session ends if proximity is no longer detected. In another embodiment, an authorized user wearing a special lens system cryptographically verified by the system may need to process or change the information displayed on the monitor to make the protected document properly. Alternatively, the protected document may be transmitted to the lens, and the synchronization process may align the displayed page with the clock of the lens so that the protected document projected on the lens is aligned with the unprotected document displayed on the monitor . In a monitor-only implementation, a combination of visible and non-visible components can be displayed such that the automatic digital camera can increase its shutter speed to a point earlier than the shutter makes a document (i.e., Quot; interlaced "or" phased "portion that can be blocked by a single imager by the brain, but can be fully captured by the photograph). If the camera is to be manually set to a slow shutter speed, unprotected documents can supersaturize the image and render the RSI unreadable.

Secure Document Control Example

To save money, businesses and / or individuals often share printers. This can leave sensitive information on the printer and expose the information to individuals who do not need to access the information. Control of QSM documents combined with special QSM printers can prevent access to printed material, except for authorized individuals. The printer can wait for the user to print the document until the user is still in the printer (by requiring a PIN), or can wait for a larger print job to be stored in security trays accessible only with the appropriate PIN or physical key have. The QSM document control can also provide non-regeneration of the print job. Customers can not discuss how many pages a customer can print for a given period since the printer job can be cryptographically supported.

With QSM document control, commercial printer services can be provided to customers with the security to quantify. Customers do not have to worry about stealing employees who are soft copying their data because the data can be secured so only the printers in the service can access the data. Even if an employee steals a file, an authorized person can prevent the employee from actually doing anything with that file. Moreover, malicious printing service personnel may attempt to steal a physical copy of the document, but the likelihood of this happening can be greatly reduced. Since the QSM control can limit the number of copies that can be printed, it is necessary to take a hard physical copy of the above malicious employee to another location for copying. In addition, storage can use physically controlled printers to prevent employees from accessing printed material without an intended recipient.

QSM document control can be used to secure health records according to HIPAA requirements. Documents can be decomposed into different access levels (similar to government classification) based on actual needs. The insurance company may be granted access, for example, to see that any test is actually performed, although it is not the result of the test. QSM protected documents can be prevented from opening on untrusted computers. Physicians can access e-mail from their personal computers, but they can access patient records or attachments that are physically sensitive on their secure QSM network or need to be on a trusted computer or at a hospital.

A QSM-enabled closed circuit television (CCTV) imaging device can automatically encrypt a photo or video feed to prevent unauthorized users from viewing it. The imaging device may only be configured to allow any user access or to restrict access to any computer. In addition to providing secure transmission of CCTV feeds, QSM document control can also provide encryption evidence of where the pictures were taken. This can be useful evidence in criminal or civil legal cases where the authenticity of the image is a problem.

Similar to the security of CCTV feeds, QSM document authenticity can be useful when cryptographically proven facts analyze secured logs with QSM document control or use them as legal evidence. Each log entry can be individually protected automatically, thus ensuring that the log is not altered or altered. QSM document control can maintain the authenticity of the document, but can not directly maintain the accuracy of the log. However, since the QSM score of the device can be known at the time the log entry is created, the relative integrity of the log can also be known.

For example, entities such as government entities can use multiple security classifications that can be used to determine which individuals are accessing which information. With QSM document control, documents can maintain their security regardless of their environment. The classification level of a document can prevent the document from being viewed on a machine that does not have authorized access. For example, a top secret document may not be viewed carelessly only on machines that have a rating for confidential information. This can counteract inadvertent leakage and counter intentional compromise by internal threats. The QSM-enabled machine allows the user to generate versions of unprotected documents. As a result, non-QSM machines may not be able to decrypt the information because only the QSM licensor has the necessary keys. In the case of classified networks and information, the QSM author can only be accessed from the classified network, which means that the document may not be decrypted if it has been removed from the classification network. Due to the sensitivity of the classification documents, the QSM authorizer can enforce both the QSM machine and the QSM user / group authorizations. The user may have certificates associated with their logins that can be used by the QSM authorizer to verify whether the user has the required tolerance level.

In viewing a physical document with protected RSI, non-RSI can be seen in plain text, but any protected RSI can only be viewed as an encrypted string "OR" as in the example of FIG. 26, It is shown as a signature. Devices such as smartphone tablets can be used to view documents and can be used to digitally decrypt, superimpose, and display protected RSIs in the form of "augmented reality " Smartphones and tablets are biologically tied to users through fingerprint sensors or other security devices. The smartphone may not be released unless the user is authenticated to provide identity verification (e. G., Affirmative fingerprint identification). Commercial QR reader applications can use the device's camera to view protected physical documents or to retrieve encoded or encrypted RSIs. The SRC is embedded in the application, and the ACL can verify that the user can see the SRC before the user decrypts the SRC. After verification of the authorization to the user, the application may use character recognition (OCR) or QR (Random Access Memory) in superimposing the decoded / decrypted RSI in place of reading the protected RSI and on the screen instead of or in addition to the encoded / A scanning algorithm can be used. Once the SRC permission is granted, the user can read the document into the application for editing, storing or transporting. In other embodiments, a WSJ-mountable lens may also utilize this increased sincerity scheme.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention. Indeed, it will be clear to those skilled in the art, after having read the foregoing description, that other embodiments may be practiced.

In addition, it should be understood that any drawings emphasizing functions and advantages are provided by way of example. The above described methodologies and systems are sufficiently flexible and configurable so that each can be used in a different way than they represent.

At least one "or" at least one "in the description, claims and drawings, where" at least one "is often used in the specification, claims and drawings, do.

Finally, the claims that include the expression language "means for" or "for the purpose of" It is the intention of the applicant to be interpreted under 112 (f). Claims that do not explicitly include the phrase "means for" or "step for," 112 (f).

Claims (80)

A system for controlling document access,
A security module including a processor and physical memory,
Receive a certificate including a security score from a device attempting to access a portion of the secure electronic file;
Compare the security score to a file access rule for the secure electronic file in the memory to determine whether the security score satisfies a file access rule,
When the security score satisfies a file access rule, providing access to a portion of the secure electronic file, and
And to reject access to a portion of the secure electronic file when the security score does not satisfy the file access rule.
The method according to claim 1,
The processor may further comprise:
The user of the device and / or the device determines whether file access is authorized based on the access control information stored in the memory;
Provide access to a portion of the secure electronic file when a user of the device and / or the device is authorized to access the file; And
A document access control system configured and arranged to deny access to a portion of a secure electronic file when a user of the device and / or device is not authorized to access the file.
The method according to claim 1,
Wherein the processor is further configured and arranged to protect the secure electronic file.
The method of claim 3,
To protect the secure electronic file,
Encrypting the electronic file;
Generating a public / private key pair; And
And storing the private key in a memory.
The method according to claim 1,
The processor is also configured and arranged to generate a file access rule.
6. The method of claim 5,
Creating the file access rule comprises:
Identifying a portion of the electronic file to be protected; And
And defining a security score required for accessing the identified portion.
6. The method of claim 5,
Creating the file access rule comprises:
Identifying a plurality of portions of the secure electronic file to be protected; And
And defining a security score necessary to access each of the identified portions, wherein at least two portions of the identified portions have different required security scores.
The method according to claim 1,
Wherein the security score comprises a current normalized security score.
The method according to claim 1,
Wherein the file access rule comprises a security rating index.
The method according to claim 1,
Providing access to a portion of a secure access electronic file includes generating an indication of acceptable security for the device.
The method according to claim 1,
Wherein the secure electronic file comprises a document.
The method according to claim 1,
Providing access to a portion of a secure electronic file includes viewing, editing, printing, copying, or transferring a portion of the secure electronic file, or a combination thereof.
13. The method of claim 12,
The access control information provides different authorizations for at least two of viewing, editing, printing, copying, and transferring of secure electronic files.
The method according to claim 1,
Rejecting access to a portion of the secure electronic file includes blocking view, edit, print, copy, or transfer to a portion of the secure electronic file.
14. The method of claim 13,
Wherein the access control information provides different authorizations for at least two of viewing, editing, printing, copying, and transfer to a portion of the secure electronic file.
A method of controlling document access,
Receiving, by a processor of a security module including a processor and physical memory, a certificate comprising a security score from a device attempting to access a portion of the secure electronic file;
Comparing a security score with a file access rule for the secure electronic file in the memory to determine whether the security score meets a file access rule by the processor;
Providing access to a portion of the secure electronic file by the processor when the security score satisfies a file access rule; And
Rejecting access to a portion of the secure electronic file by the processor when the security score does not satisfy the file access rule.
17. The method of claim 16,
The user of the device and / or the device by the processor determining whether file access is permitted based on the access control information stored in the memory;
Providing access to a portion of the secure electronic file by the processor when the user of the device and / or the device is authorized to access the file; And
Rejecting access to a portion of the secure electronic file by the processor when the user of the device and / or the device is not authorized to access the file.
17. The method of claim 16,
Further comprising: protecting the secure electronic file by the processor.
The method of claim 3,
Wherein protecting the secure electronic file comprises:
Encrypting the electronic file;
Generating a public / private key pair; And
Storing the private key in a memory.
The method according to claim 1,
Further comprising generating a file access rule by the processor.
20. The method of claim 19,
Wherein the step of generating the file access rule comprises:
Identifying a portion of the electronic file to be protected; And
And defining a security score required for accessing the identified portion.
20. The method of claim 19,
Wherein the step of generating the file access rule comprises:
Identifying a plurality of portions of the secure electronic file to be protected; And
And defining a security score needed to access each of the identified portions, wherein at least two portions of the identified portions have different required security scores.
17. The method of claim 16,
Wherein the security score comprises a current normalized security score.
17. The method of claim 16,
Wherein the file access rule comprises a security rating index.
The method according to claim 1,
Wherein providing access to a portion of the secure access electronic file comprises generating an indication of acceptable security for the device.
17. The method of claim 16,
And the secure electronic file is a document.
17. The method of claim 16,
Providing access to a portion of a secure electronic file includes viewing, editing, printing, copying, or transferring a portion of the secure electronic file, or a combination thereof.
28. The method of claim 27,
The access control information provides different authorizations for at least two of viewing, editing, printing, copying, and transferring of secure electronic files.
The method according to claim 1,
Rejecting access to a portion of the secure electronic file includes blocking view, edit, print, copy, or transfer a portion of the secure electronic file.
20. The method of claim 19,
Wherein the access control information provides different authorizations for at least two of viewing, editing, printing, copying, and transfer to a portion of the secure electronic file.
A system for controlling access to a document,
A device processor, and a file processing device including a device security module including device physical memory,
The device processor comprising:
Transfer security device files; And
The file processing device is configured and arranged to send a certificate including a security score to request access to a secure electronic file;
An authorizer comprising a licensing processor and an authorizer security module comprising authorizer physical memory,
The licensor processor,
Receive the certificate and secure electronic file;
Compare a security score and a file access rule for the secure electronic file in the licensor memory to determine whether the security score meets a file access rule;
Provide access to a portion of the secure electronic file by converting the secure electronic file to an accessible version when the security score satisfies the file access rule and also sending the accessible version to the file processing device;
And to reject access to a portion of the secure electronic file when the security score does not satisfy the file access rule.
32. The method of claim 31,
The author,
The user of the device and / or the device determining whether file access is authorized based on the access control information stored in the memory;
Providing access to a portion of a secure electronic file when a user of the device and / or the device is authorized to access the file; And
Rejecting access to a portion of the secure electronic file when the user of the device and / or the device is not authorized to access the file.
32. The method of claim 31,
Wherein the licensor processor is further configured and arranged to protect secure electronic files.
34. The method of claim 33,
To protect the secure electronic file,
Encrypting the electronic file;
Generating a public / private key pair; And
And storing the private key in a memory.
32. The method of claim 31,
And the licensor processor is further configured and arranged to generate the file access rule.
36. The method of claim 35,
Creating the file access rule comprises:
Identifying a portion of the secure electronic file to be protected; And
And defining a required security score to access the identified portion.
36. The method of claim 35,
Generating the access rule comprises:
Identifying multiple portions of the secure electronic file to be protected; And
And defining a required security score to access each of the identified portions, wherein at least two of the identified portions have different required security scores.
32. The method of claim 31,
Wherein the security score comprises a current normalized security score.
32. The method of claim 31,
Wherein the access rule comprises a security rating index.
32. The method of claim 31,
Providing access to a portion of the secure electronic file comprises:
And generating an indication of accessible security for the device.
32. The method of claim 31,
Wherein the secure electronic file comprises a document.
32. The method of claim 31,
The device processor comprising:
Receiving the accessible version; And
A document access control system configured and arranged to perform processing associated with viewing, editing, printing, copying, or transmitting of the accessible version or a combination thereof.
43. The method of claim 42,
Wherein the access control information provides different authorizations for at least two of viewing, editing, copying, and transferring of a portion of the secure electronic file.
32. The method of claim 31,
Wherein the secure electronic file is stored in the device memory.
32. The method of claim 31,
Further comprising a second file processing device comprising a second device security module comprising a second device processor and a second device physical memory,
The second device processor comprising:
Select a secure electronic file for access;
Instruct the depository device to access the secure access file; And
Wherein the second file processing device is configured and arranged to send a second certificate comprising a second security score for requesting access to the secure access file,
The licensor processor may further include:
Receive a second certificate;
Compare the second security score with an access rule for a secure electronic file in the licensor memory to determine whether a second security score satisfies a second access rule;
When the security score and the second security score both satisfy the access rule, providing access to the secure electronic file; And
And wherein when the security score and the second security score both do not satisfy the access rule, the access control unit is configured and arranged to reject access to a portion of the secure electronic file.
46. The method of claim 45,
The device processor may further comprise:
Receive a second certificate from the second device processor; And
And a second certificate along with the certificate.
46. The method of claim 45,
The second device processor is further configured and arranged to transmit the first secure electronic file; And
The device processor is also configured and arranged to receive a secure electronic file prior to sending the secure electronic file.
46. The method of claim 45,
Wherein the secure electronic file is stored in the device memory, in a second device memory, or both.
A document access control method,
Transmitting a secure electronic file by a processor of a device security module comprising a device processor and physical memory;
Sending, by the device processor, a certificate including a security score for the processing device to request access to a secure electronic file;
Receiving the certificate and the secure electronic file by an issuer processor of the issuer security module;
Comparing the security score with a file access rule for a secure electronic file in the licensor memory to determine whether the security score satisfies the access rule by the licensor processor;
When the security score satisfies the access rule, transforming the secure electronic file into the accessible version by the licensor processor and sending the accessible version to the file processing device to access a portion of the secure electronic file ; And
Rejecting access to a portion of the secure electronic file by the licensor processor when the security score does not satisfy the access rule.
50. The method of claim 49,
Determining by the licensor processor whether a user of the device and / or the device is authorized to access the file based on the access control information stored in the memory;
Providing access to a portion of the secure electronic file by the licensor processor when the user of the device and / or the device is authorized to access the file; And
Rejecting access to a portion of the secure electronic file by the licensor processor if the user of the device and / or the device is not authorized to access the file.
50. The method of claim 49,
And protecting the secured electronic file by the licensor processor.
52. The method of claim 51,
Wherein protecting the secure electronic file comprises:
Encrypting the electronic file;
Generating a public / private key pair; And
Storing the private key in a memory.
50. The method of claim 49,
And generating the file access rule by the licensor processor.
54. The method of claim 53,
Wherein the step of generating the file access rule comprises:
Identifying a portion of the electronic file to be protected; And
And defining a security score required for accessing the identified portion.
54. The method of claim 53,
Wherein the step of generating the file access rule comprises:
Identifying a plurality of portions of the secure electronic file to be protected; And
And defining a security score needed to access each of the identified portions, wherein at least two portions of the identified portions have different required security scores.
50. The method of claim 49,
Wherein the security score comprises a current normalization security score.
50. The method of claim 49,
Wherein the access rule includes a security rating index.
50. The method of claim 49,
Wherein providing access to a portion of the secure electronic file comprises:
And generating an indication of accessible security for the device.
50. The method of claim 49,
Wherein the secure electronic file comprises a document.
50. The method of claim 49,
Receiving a version accessible by the device processor; And
Performing processing related to viewing, editing, printing, copying, or transferring of the accessible version, or a combination thereof, by the device processor.
64. The method of claim 60,
Wherein the access control information provides different authorizations for at least two of viewing, editing, copying, and transferring of a portion of the secure electronic file.
50. The method of claim 49,
Wherein the secure electronic file is stored in the device memory.
50. The method of claim 49,
Selecting a secure electronic file for access by a second file processing device comprising a second device security module comprising a second device processor and a second device physical memory; However,
Instructing the depository device to access the secure access file by the second device processor;
Transmitting by the second device processor a second certificate including a second security score for the second processing device to request access to the secure access file;
Receiving a second certificate by the licensing processor;
Comparing the second security score with an access rule for a secure electronic file in the licensor memory to determine whether the second security score satisfies a second access rule by the licensor processor;
Providing access to the secure electronic file by the licensor processor when the security score and the second security score both satisfy the access rule; And
Rejecting access to a portion of the secure electronic file by the grantor processor when the security score and the second security score both do not satisfy the access rule.
64. The method of claim 63,
Receiving a second certificate from the second device processor by the device processor; And
And sending a second certificate with the certificate by the device processor.
64. The method of claim 63,
Transmitting the first secure electronic file by the second device processor; And
And sending a secure electronic file by the device processor.
64. The method of claim 63,
Wherein the secure electronic file is stored in the device memory, in a second device memory, or both.
As a security evaluation method,
Receiving a decomposition of the system by the processor into one or more parts;
Evaluating each of the components by the processor to give a security score for each of the components;
Generating a composite security score for the system based on security scores by the processor;
Generating an attenuation measurement index characterizing the prospective security degradation of the system by the processor;
Applying the attenuation measurement index to the composite security score to obtain a current composite security score by a processor;
Providing a current composite security score by a processor;
Selectively generating an indication of acceptable security for the system based on a comparison of a current composite security index and a security rating index; And
And controlling authorization for collection of digital files or digital files based on an indication of security acceptable by the processor.
68. The method of claim 67,
Security requirements that include an indication of acceptable security, an indication of acceptable security, a set of authorization key value pairs, and validation data for validating the application's benefit score certificate on the system, including a collection of digital files or digital files And generating a certificate.
68. The method of claim 67,
Further comprising the step of applying an encrypted digital signature including an indication of trustworthiness and an indication of authorized to each of the digital files in a collection of digital files or digital files, Each time there is a change in the collection of files, is updated or applied as a second encrypted digital signature.
68. The method of claim 67,
Further comprising controlling access and authorization to portions of the digital file based on an indication of acceptable security, including selectively displaying portions of the file or visually covering the displayed portions of the file Assessment Methods.
68. The method of claim 67,
Further comprising enforcement of attributes, settings and permissions to permit printing, copying, displaying, editing and / or transferring of the digital file based on an indication of acceptable security.
68. The method of claim 67,
Further comprising automatic enforcement of security controls that define attributes, settings, and permissions associated with the document for physical instantiation of the document.
68. The method of claim 67,
And associating a security attribute specified in the file with a hardware device to cause the device to implement an associated physical security method.
As a security evaluation system,
Receive decomposition of the system into one or more parts;
Evaluating each of the components by the processor to give a security score for each of the components;
Generate a composite security score for the system based on security scores;
Generating an attenuation measurement index characterizing the prospective security degradation of the system;
Applying the attenuation measure index to the composite security score to obtain a current composite security score;
Currently providing a composite security score; And
A processor configured to selectively generate an indication of acceptable security for the system based on a comparison of the current composite security index and the security rating index; And
And a document processing device in communication with the processor and configured to control authorization for collection of digital files or digital files based on an indication of acceptable security.
75. The method of claim 74,
The processor may also include a compressed archive containing a collection of digital files or digital files and validation data for validating an indication of acceptable security, a set of authorization key value pairs, and a bonus score certificate of the application on the system The security evaluation system comprising:
75. The method of claim 74,
The processor is further configured to apply an encrypted digital signature, including an indication of trustworthiness, an indication of authorizer, to each of the digital files in a collection of digital files or digital files, wherein the digital signature is applied at file creation, Or whenever there is a change in the collection of digital files, is updated or applied as a second encrypted digital signature.
75. The method of claim 74,
The document processing device also controls access and authorization to portions of the digital file based on an indication of acceptable security, including selectively displaying portions of the file or visually covering the displayed portions of the file The security assessment system comprising:
75. The method of claim 74,
The document processing device is further configured to enforce attributes, settings and permissions to permit printing, copying, displaying, editing and / or transferring of a digital file based on an indication of acceptable security.
79. The method of claim 78,
The document processing device is also configured to automatically enforce security controls that define attributes, settings, and permissions associated with a document for physical instantiation of the document.
79. The method of claim 78,
Wherein the document processing device is further configured to associate a security attribute specified in the file with a hardware device to cause the device to implement an associated physical security method.

Images