AU2008201530A1 - Means for providing protection for digital assets - Google Patents


Info

Publication number
AU2008201530A1
Authority
AU
Australia
Prior art keywords
digital asset
copy
client
control system
central control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
AU2008201530A
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EXECUTIVE COMPUTING HOLDINGS Pty Ltd
Original Assignee
EXECUTIVE COMPUTING HOLDINGS P
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2003236569A external-priority patent/AU2003236569A1/en
Application filed by EXECUTIVE COMPUTING HOLDINGS P filed Critical EXECUTIVE COMPUTING HOLDINGS P
Priority to AU2008201530A priority Critical patent/AU2008201530A1/en
Publication of AU2008201530A1 publication Critical patent/AU2008201530A1/en
Abandoned legal-status Critical Current


Landscapes

  • Storage Device Security (AREA)

Description

04-04-'08 14:33 FROM-DCC SYDNEY +61292621080 T-852 P005/070 F-789
Australian Patents Act 1990 Regulation 3.2
ORIGINAL COMPLETE SPECIFICATION STANDARD PATENT
Invention Title: Means for providing protection for digital assets
The following statement is a full description of this invention, including the best method of performing it known to me:-
COMS ID No: ARCS-185539 Received by IP Australia: Time 15:56 Date 2008-04-04

MEANS FOR PROVIDING PROTECTION FOR DIGITAL ASSETS
Technical Field
The present invention relates to the security and protection of digital data, information, files and the like, and in particular, to a method, system and computer software for providing protection for digital assets; i.e. digital data, information, files and the like, that facilitates digital assets to be controlled, managed and/or monitored from a central facility.
Background Art
A Digital Asset (DA) is a digital text, graphic, sound, electronic record, etc., and includes digital data, information, files and the like, and is preferably, but not necessarily, identified as an item of value, confidential information and/or intellectual property whose compromise would cause significant damage to an individual, enterprise, organisation or the like. Unauthorized access to a DA may constitute potentially significant damage to interests of the rightful owner, licensee, etc.
There is heightening awareness of the increasing exposure of digital assets to misappropriation, misuse or damage. This awareness may take the form of a general feeling of unease, a sense of helplessness, even a denial of its relevance.
Threats are multiplied by steadily increasing proliferation of distributed equipment (for example laptop computers). Many organisations are exposed by, for example, the ability of a person to leave an office with a pocket full of computer disks, or send via email files, containing potentially millions of dollars of confidential information, intellectual property or data vital to the security of the nation, or embarrassing or compromising a nation's international relations.
Corporate information officers are faced with potential or actual demands for effective DA protection. A solution is not presently known which is cost-effective, allows efficient authorized access, has pre-emptive capability and is itself subject to external monitoring.
Digital assets resident on central mainframe systems and totally restricted to that platform are generally least at risk. However, increasingly, application systems require DA's be distributed to remote processors including highly mobile PC's, such as laptop computers. Current security tools are largely irrelevant when the DA's reside on a distributed processor's hard disk. Loss of custodial control of the distributed processor increases the likelihood of unauthorized personnel or other users accessing DA's for whatever purpose they might desire.
Presently, systems are not available that enable real-time implementation of functions providing control intervention and action to recover or deny unauthorized access to digital assets. Protection should be able to be applied whether a terminal holding a DA is network connected or unconnected. Most existing defence mechanisms are passive in action, in that they rely on denying access or service, as per an originally installed security tool.
Specific instances of existing threats can include:
  • Stolen machines, potentially resulting in loss of confidential information or intellectual property;
  • Stolen HDD, potentially resulting in loss of confidential information or intellectual property;
  • Unknown/unauthorized copying of digital assets, potentially resulting in loss of confidential information or intellectual property (HDD, FD, CD, Printer);
  • Digital assets are not universally protected when distributed;
  • No real-time control of relationships e.g. for custodians, digital assets and laptops;
  • No 'audit strength' management verification of approved relationship Custodians, Digital Assets and laptops;
  • Unusual or suspect patterns of unconnected laptop operations are not monitored, queried or responded to in terms of changed digital asset access;
  • Digital asset content within a file may not be identified as a digital asset and consequently not receive the required protection.
In a networked data communications system, users have access to terminals which are capable of requesting and receiving information from local or remote information sources that may contain digital assets. In such a system a terminal may be a type of processing system, computer or computerised device, a personal computer, a mobile or cellular phone, a mobile data terminal, a portable computer, a personal digital assistant (PDA), a pager, a thin client, or any other similar type of electronic device. The capability of the terminal to request and/or receive information can be provided by an application program, hardware or other such entity. A terminal may be provided with associated devices, for example a storage device such as a hard disk drive or solid state drive, both internal and external.
A computer network as referenced in this specification should be taken to include all forms of connected or communicating computers or terminals having at least two terminals adapted to communicate with each other. That is, the term computer network should be taken to include any type of terminal, computer, computerised device, personal digital assistant, peripheral computer equipment, computerised accessory, mobile or cellular phone, digital electronic device or other similar type of computerised electronic device or part thereof which is rendered such that it is capable of communicating with at least one of any of the aforementioned entities.
The communication of information or data can occur over any computer network, data communications network, telecommunications network, wireless network, internetwork, intranetwork, LAN, WAN, the Internet and developments thereof, transient or temporary network, combinations of the above or any other type of network providing for communication between computerised, electronic or digital devices.
This identifies a need for a method, system and/or computer readable medium of instructions for providing protection for digital assets which overcomes or at least ameliorates the problems inherent in the prior art.
Disclosure Of Invention
In a broad form of the present invention, the invention seeks to provide a Digital Asset Protection (DAP) system designed to enable an enterprise to apply extended control over creation, custody, copy distribution and access of certain intellectual assets (Digital Assets). Authorized custodians of encrypted DA copies may have their custodian authorization status varied or cancelled at any time with consequent variation to particular DA copy access. DA copies may also have their protection level status varied at any time with similar possible re-statement and application of changes to allowable DA access.
Preferably, the DAP system operates on a client-server basis with both push and pull characteristics. A required frequency of network connection can be monitored to ensure application of current protection level variations. Custody of DAP client resident equipment can also be monitored. The DAP system administration function may cause a client terminal to be disabled or DA access constrained at any time. DA's are preferably held encrypted in both master and copy situations. The extent of client use of DA's can also be managed.
The DAP system seeks to protect against unauthorized access, or where such access is initiated to deny DA availability, by destroying the distributed copy and/or the means to decrypt. In order to achieve this, the DAP system seeks to verify that a specific terminal is in the custody of an authorized custodian and has the correct storage device, for example HDD, installed. Relevant to protection levels required (plevels), the DAP system can maintain the encrypted status of all DAs in the system. Where attempts to access DAs are deemed invalid and are detected, the DAP system response may result in, for example, over-written destruction of decryption keys, DAs, clients, HDD contents and/or BIOS.
At least three significant issues are thereby addressed:
  • Knowledge of the location of every digital asset (text, graphic, sound, video, etc.);
  • Central and real-time control of distributed existence and access;
  • Attempts to circumvent control can be recorded, defeated and the related digital asset copy destroyed.
The DAP system can enable real-time corporate control of all occurrences of corporate DAs at any point on a distributed network and can exercise control over DAs even if the terminal does not connect to the network. DA's are preferably held encrypted and transmitted encrypted. Encrypt/decrypt keys can be controlled via a separate key server.
The present invention can also address the common situation in organisations where any user can use any (within reason) workstation or terminal. In this situation there is not necessarily a one-to-one relationship between a user and a particular terminal, except, for example, perhaps in the case of a laptop computer, where a one-to-one rule may be enforced. This embodiment of the invention addresses multiple-users per workstation. Also, group-based security is addressed, enabling all members of a workgroup to be treated under a common security policy.
The term "custodian" is used throughout the specification and should be read as a reference to an individual custodian or a group of individual custodians. For example, where a group of individuals, such as a workgroup or team, is provided with common security privileges, then the workgroup or team can be collectively referred to as a custodian.
Files are encrypted/decrypted using an encryption/decryption key. The encryption key (or equivalently the decryption key) itself can be further encrypted with a public/private key which depends, for example, on the custodian and custodian level of authorisation. The encryption key itself may also be further encrypted with, for example, a custodian password.
Use of the term "encryption key" or "decryption key" as used herein should be taken as a reference to any type of digital key, certificate, credential, password or the like which effects cryptographic concealment of digital assets. This includes all forms of encryption keys, for example, symmetric keys, private keys, public keys, further encrypted encryption keys, simple passwords, and the like. An encryption key or decryption key could also be further encrypted using external data present on some external device, such as, but not restricted to, USB storage, smart card, finger print, iris scan or other biometric information.
In a broad form the present invention provides a system for providing protection for identified digital assets, the system including:
  (1) a central control system;
  (2) a client terminal able to communicate via a computer network with the central control system;
  (3) client software resident on the client terminal;
  (4) a master copy of a digital asset stored on the central control system;
  (5) an encrypted copy of the digital asset stored on the client terminal, with an encryption key for the encrypted copy of the digital asset stored on the central control system and the client terminal;
whereby, the client software resident on the client terminal controls access by a custodian to the copy of the digital asset stored on the client terminal, and the custodian's level of access to the copy of the digital asset stored on the client terminal can be altered from the central control system.
According to a particular embodiment of the present invention, when access is initially requested to the encrypted copy of the digital asset by the custodian the client software attempts to communicate with the central control system and authenticate the initial access request.
In a particular embodiment, the present invention further provides that when access is properly requested to the encrypted copy of the digital asset residing on the client terminal, and the client terminal is disconnected from the central control system, the copy of the digital asset can be decrypted and used by a custodian with defence mechanisms active.
Preferably, the digital asset is assigned a level of protection, and the at least one custodian is assigned a level of authorisation. Different levels of protection/authorisation can allow varying use of each copy of the digital asset.
In a particular embodiment, the present invention further provides:
  • if the central control system authenticates the initial access request, a private decryption key is used to enable the encrypted copy of the digital asset to be decrypted; or,
  • if the central control system does not authenticate the initial access request, the decryption key is not available to be used to decrypt the encrypted copy of the digital asset.
Preferably, after the initial access request to the central control system, when further access to the copy of the digital asset is requested by a custodian the client terminal is not required to further connect to the central control system as a unique key has been allocated and resides on the client terminal. The client software can perform authorisation checks.
In a further particular embodiment, the central control system includes a communications controller and an encryption key register. In yet a further particular embodiment, the central control system includes a digital asset register to store current and previous master copies of the digital asset. In yet a further particular embodiment, the central control system includes a digital asset register to register and store each encrypted copy that has been distributed at the request of a properly authenticated client terminal. In yet a further particular embodiment, the central control system includes a digital asset transaction log record. In yet a further particular embodiment, the central communications controller includes a client communications module and a central communications module.
The present invention according to another possible aspect provides that the central control system is provided by at least two physical servers. The present invention according to still another possible aspect provides that the communications controller is resident on a first server, and the encryption key register is resident on a second server. The present invention according to still another possible aspect provides that all functions other than the communications controller are resident on the second server. The present invention according to still another possible aspect provides that the encryption key register stores additional information for the authentication of any request to copy a digital asset. The present invention according to still another possible aspect provides that the additional information relates to the identity of the custodian and/or a specific authorised client terminal.
An aspect of the embodiment utilising separate servers, which may be more than two physical servers, is that encryption keys are not held on the same machine as the encrypted DAs. Likewise, authentication factors can be held separately to active data authenticated by such factors.
In one form, each client software package uniquely controls the decryption process for a particular client terminal. In a further form, the client software controls access and/or destruction of the copy of the digital asset.
In a particular embodiment of the present invention, the client software includes a poison pill module. In this form, the poison pill module can cause the destruction of the copy of the digital asset. In a further particular embodiment of the present invention, the poison pill module checks a value identifying the client terminal, or a component thereof, against an expected value. In one form, the poison pill module checks a component of a hash-sum value, combined with custodian information, a client terminal and hardware reference against expected values.
In a further particular embodiment of the present invention, the client software includes a power-on control monitor; the client software includes a communications handler; the client software includes an exception handler; the client software includes an encryption handler; and the client software includes an I/O interruption handler.
Preferably, authorisation and protection levels can be updated on the central control system and transmitted to the client software on the client terminal.
In a further broad form the present invention provides a method of providing protection for digital assets, the method including the steps of:
  • storing an encrypted master copy of a digital asset on a central control system;
  • storing a separate encrypted copy of the digital asset on a client terminal provided with client software, the client terminal able to communicate via a computer network with the central control system;
  • storing an encryption key for the encrypted copy of the digital asset on the central control system and the client terminal; and,
  • when access is properly requested by an authorised custodian to the encrypted copy of the digital asset residing on the client terminal, and the client terminal is disconnected from the central control system, the client software controls access to the copy of the digital asset.
In a particular embodiment, if preset authorisation criteria are not met the client software can effect destruction of the encryption key, the copy of the digital asset on the client terminal, the contents of memory and/or storage facilities of the client terminal, and/or BIOS information for the client terminal. In yet a further particular embodiment, the copy of the digital asset is destroyed if successful network connection to the central control system is not achieved after a preset number of attempts and/or a preset time period. In yet a further particular embodiment, the central control system tracks the location of all copies of each digital asset. In yet a further particular embodiment, a newly created digital asset is uploaded to the central control system to create a master copy of the digital asset. In yet a further particular embodiment, the copy of the digital asset is periodically re-encrypted and redistributed. In a further particular embodiment of the present invention, print and copy functions of the client terminal can be optionally disabled by the client software.
In still a further broad form the present invention provides a computer readable medium of instructions for providing protection for digital assets in a system including:
  • a central control system;
  • a client terminal able to communicate via a computer network with the central control system;
  • a master copy of a digital asset stored on the central control system;
  • an encrypted copy of the digital asset stored on the client terminal, with the encryption key for the encrypted copy of the digital asset stored on the central control system and the client terminal;
whereby the computer readable medium of instructions is adapted to control access by a custodian to the copy of the digital asset stored on the client terminal, and the custodian's level of access to the copy of the digital asset stored on the client terminal can be altered from the central control system.
Preferably, according to one embodiment, the client software controls the decryption process, and/or, the client software includes a poison pill module.
Brief Description Of Figures
The present invention should become apparent from the following description, which is given by way of example only, of a preferred but non-limiting embodiment thereof, described in connection with the accompanying figures.
Figure 1 illustrates a processing system forming part of the invention.
Figure 2 illustrates an embodiment of the present invention, wherein the figure shows an overview of the system.
Figure 3 illustrates an embodiment of the present invention, wherein the figure shows the central control system.
Figure 4 illustrates an embodiment of the present invention, wherein the figure shows the client terminal and client software.
Figure 5 illustrates the pclient installation process.
Figure 6 illustrates a pclient POST check process.
Figure 7 illustrates a pclient integrity check process.
Figure 8 illustrates a pclient integrity violation process.
Figure 9 illustrates a pclient Kill process.
Figure 10 illustrates a pclient custodian authentication process.
Figure 11 illustrates a pclient DA encryption/decryption/interdiction process.
Figure 12 illustrates a pclient DA copy management process.
Figure 13 illustrates a pclient DA copy upload process.
Figure 14 illustrates a pclient log management process.
Figure 15 illustrates a pcentral installation process.
Figure 16 illustrates a pcentral customisation and administration process.
Figure 17 illustrates a pcentral audit checks process.
Figure 18 illustrates a pcentral administration process dependent on GUI location.
Figure 19 illustrates a pcentral pclient/custodian authentication process.
Figure 20 illustrates the architecture design of a particular embodiment.
Figure 21 illustrates the database design of a particular embodiment.
Figure 22 illustrates the pclient architecture design of a particular embodiment.
Modes For Carrying Out The Invention
The following modes are described in order to provide a more precise understanding of the subject matter of the present invention.
I. Preferred embodiment
In the figures, incorporated to illustrate the features of the present invention, like reference numerals are used to identify like parts throughout the figures.
A particular embodiment of the present invention can be realised using a processing system providing a client terminal, an example of which is shown in figure 1. In particular, the processing system 10 generally includes at least a processor 11, a memory 12, an input device 13 and an output device 14, coupled together via a bus 15. An external interface 16 can be provided for coupling the processing system 10 to a remote storage device 17 (associated with a central control system) which houses a database(s) 18. The memory 12 can be any form of memory device, for example, volatile or non-volatile memory, solid state storage devices, magnetic devices, etc. The input device 13 can include, for example, a keyboard, pointer device, voice control device, etc. The output device 14 can include, for example, a display device, monitor, printer, etc. The remote storage device 17 can be any form of storage means, for example, volatile or non-volatile memory, solid state storage devices, magnetic devices, etc.
In use, the processing system 10 is adapted to allow data or information to be stored in and/or retrieved from the database 17. The processor 11 receives instructions via the input device 13 and displays results to a user via the output device 14. It should be appreciated that the processing system 10 may be any form of processing system, computer terminal, server, specialised hardware, or the like.
Referring now to figure 2, an overview of the digital asset protection system is illustrated. The system 200 includes the central control system 210 and a client terminal 220 which are able to communicate via computer network 230. Client software 240 is resident on the client terminal 220. A master copy of a digital asset 250 is stored on the central control system 210. An encrypted copy of the digital asset 260 is stored on the client terminal 220 and the central control system 210. The encrypted copy of the digital asset 260 corresponds to the encrypted master copy of the digital asset 250 but with a different key. A master key is not sent to the client terminal.
The encryption key (or equivalently the decryption key) is stored in an encryption key register 270 on the central control system 210. A copy of the encryption/decryption key is stored on the client terminal 220 which controls access to the encrypted copy of the digital asset 260. The encryption key stored on the client terminal 220 is unique to that particular client terminal 220; a copy of this encryption key is stored in the encryption key register 270 on the central control system 210. Only when a user 280 initially requests access to the encrypted copy of the digital asset 260 via the client terminal input/output means 290, does the client software 240 attempt to initiate communication with the central control system 210 via the network 230 and authenticate the access request. Subsequent requests for access to the encrypted copy of the digital asset 260 via the client terminal input/output means 290 do not require the client software 240 to initiate communication with the central control system 210 via the network 230 as the client terminal 220 now contains the unique encryption key and access to the copy of the digital asset 250 is controlled by client software 240.
The user 280 is only granted access to the encrypted copy of the digital asset 260 when the user 280 is an authorised custodian having been assigned access privileges to the digital asset. When access is properly requested by an authorised custodian to the encrypted copy of the digital asset 260 residing on the client terminal 220, and the client terminal 220 is disconnected from the central control system 210, the copy of the digital asset 260 can be decrypted and used by the custodian 280 with defence mechanisms active. Hence, it is not always necessary that the client terminal 220 be in communication with the central control system 210 to allow an authorised custodian access to the encrypted copy of the digital asset 260.
It is possible that more than one custodian 280 can be assigned access to a master copy of the digital asset 250. A digital asset is assigned a level of protection and the custodian 280 is assigned a level of authorisation. The copy of the digital asset 260 is always stored on the client terminal 220 in an encrypted format; preferably, the master copy of the digital asset 250 is also stored on the central control system 210 in an encrypted format. Different levels of digital asset protection and custodian authorisation allow varying use of the copy of the digital asset 260 by the custodian 280. Varying use of the copy of the digital asset 260 includes, for example, that the digital asset 260 is provided to the custodian 280 as "read only", "update", "locked", etc.
When access to the copy of the digital asset 260 is requested at the client terminal 220 which is in communication with the central control system 210, if the central control system 210 authenticates the access request, the decryption key on the client terminal 220 is used to enable the encrypted copy of the digital asset 260 to be decrypted. If the central control system 210 does not authenticate the access request, the decryption key is not available to be used to decrypt the encrypted copy of the digital asset 260, for example the client terminal 220 may contain an old decryption key that is no longer valid due to the encryption key register 270 having been updated. The central control system 210 can also contain an exact copy of the encrypted copy of the digital asset 260 in addition to the master copy of the digital asset 250.
Referring to figure 3, the central control system 210 includes a communications controller 310 and an encryption key register 270. The central control system 210 also includes a digital asset register 320 which is able to store current and previous master copies of digital assets. The digital asset register 320 registers and stores each uniquely encrypted copy that has been distributed at the request of a properly authenticated client terminal 220. Preferably, the central control system 210 also includes a digital asset log record 330. The central communications controller 310 includes a client communications module 340, which controls communications with the client terminal 220, and a central communications module 350, which controls communications within the central control system 210.
As is illustrated in figure 3, the central control system 210 is split over at least a first physical server 360 and a second physical server 370. The functions of the central control system 210 are allocated to one or other of the physical servers 360 or 370 to provide additional security. For example, external access to the central control system 210 is only by way of the first physical server 360.
Records of digital assets stored on the central control system 210 are accessed only by way of the second physical server 370. Hence, the first physical server 360 can act as a secure gateway between the computer network 230 and the digital asset register 320 and the encryption key register 270.
The encryption key register 270 can also store additional information for the authentication of any access request to a copy of a digital asset 260. Such additional information could relate to the identity of the custodian and/or details of an authorised client terminal 220.
Referring to figure 4, the client software package 240 resident on a client terminal 220 uniquely controls the decryption process for a particular copy of the digital asset 260 on a particular client terminal 220. The client software 240 also controls access and/or destruction of the copy of the digital asset 260 on the client terminal 220.
The client software package 240 includes a poison pill module 400. The poison pill module 400 can cause the destruction of the copy of the digital asset 260.
The poison pill module 400 checks a retrieved value or reference number for the client terminal 220, or a component thereof, against an expected value or reference number, which can be stored in, for example, the poison pill module itself, in another part of the client software 240, or in the digital asset encryption key register 270. Preferably, the poison pill module 400 checks a component of a hash-sum value, combined with custodian information and a client terminal and hardware reference code(s) (for example a hard disk drive (HDD) reference code(s)) against expected values.
The client software 240 can additionally include a power-on control monitor as an additional security measure. The client software 240 is also provided with a communications interface which handles communications via the computer network 230. Additional modules or functions are included in the client software 240 as described elsewhere.
At any required time the authorisation and protection levels can be updated on the central control system 210 and transmitted to the client software 240 on the client terminal 220. The frequency of computer network 230 access can also be monitored by the client software 240, and if the frequency of access is not satisfactory, access requests to the copy of the digital asset 260 may be denied.
If certain criteria are not met the client software 240 can cause the destruction of the encryption/decryption key on the client terminal 220, the copy of the digital asset 260 itself, the contents of memory and/or storage facilities of the client terminal 220, and/or BIOS information for the client terminal 220. The copy of the digital asset 260 can also be destroyed if successful network connection to the central control system 210 is not achieved after a preset number of attempts and/or preset time period. The central control system digital asset transaction log record 230 can, for example, record the location of all copies of each digital asset and log record events. There can be provided separate copy registries recording copy states.
When a new digital asset is created on a client terminal 220, the digital asset is uploaded encoded to the central control system 210 via the network 230 to create a master copy of the digital asset 250. This can then be assigned an encryption/decryption key which is stored in the encryption key register 270 and the encrypted copy of the digital asset retransmitted to the client terminal 220.
Copies of the digital asset are preferably periodically re-encrypted and redistributed.
II. Various embodiments

The following description describes further non-limiting embodiments of the present invention.
Architecture
General
Digital Assets (DAs) are identified by an enterprise, organisation, creator, etc. and the required level of protection (plevel) is assigned. Individuals, or groups of individuals, (custodians) are identified as approved to receive copies of DAs. A custodian may be treated as a group of individuals in many instances, for example, multiple-users per workstation or common workgroup-based security. A custodian is assigned a protection level appropriate to his or her 'need to know' status. This 'Custodian plevel' is matched to DA plevels on an equal or less basis when responding to request for DA copy distribution. A Digital Asset Protection (DAP) central control facility tracks all DA masters and distributed copies during their lifetime and seeks to protect against unauthorized access or possession. DAs may only be accessed as facilitated by the DAP central control facility (pcentral, i.e. central control system). DAs are held encrypted wherever located and copies are uniquely encrypted for each custodian.
DAs may be generated by custodians in which case the DAP system can upload the new DA and create a DA master for enterprise authorized availability.
Varying restrictions regarding access are applied to DA copies relative to the plevel assigned to each DA. Protection against unauthorized access or possession of DAs (copies) is afforded for custodians when both network connected and unconnected. Levels of protection and authorizations may be varied in real time and applied to the custodian's pclient at the next network connect. Distributed copies are each uniquely encrypted. Only authorized custodians may receive a copy. Each copy is uniquely encrypted for that custodian. Each DA master and copy is assigned a protection level (plevel) which defines the degree of protection to be afforded this DA master or copy. The encryption/decryption key can also depend on the plevel to ensure higher levels of security. Distributed DA copies remain subject to DAP pclient control. Pclients control decryption, access and possible destruction of copies. Protection control variables may be modified in real-time and become operational as soon as the variable is downloaded to the pclient. Relationships between machines, hardware, HDD's, custodians and clients are controlled and may be queried in real time.
Each copy is distributed and distribution is preferably time-stamped and logged.
DAs are held and transmitted in encrypted form as required. Each encrypted DA master and copy is subject to a unique and separately managed key. Each DA distributed (uniquely encrypted) copy has the receiving custodian recorded.
Where a custodian attempts to pass a DA to another point, the result would be an encrypted file without key. This ensures that copies may not be shared between distributed clients.
Where DA encryption is aged beyond a set time period, the DA can be re-encrypted and redistributed. This increases difficulty when attempting remote encryption-cracking. Encrypted DAs and their respective keys are preferably never transmitted together. Encryption keys are separately controlled from the central site.
Connection to the network immediately invokes execution of a process to audit distributed DAs and their resident custodial locations. DA custodians which no longer have authorization for specific DAs may have those DAs deleted and overwritten. Where a laptop possession is determined to be unauthorized, the connection point can be immediately made known to physical asset security control for recovery.
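The key-register behaviour described above (plevel matching, one separately managed key per distributed copy, re-keying of aged copies and the audit on reconnect), as an added example that is not code from the patent. The class and method names, the reason strings, the 30-day age limit and the sample custodians and machines are assumptions made for illustration; returning the key from `authorise_decrypt` stands in for enabling decryption on the client.

```python
import secrets
from dataclasses import dataclass, field

MAX_KEY_AGE = 30 * 24 * 3600  # assumed; the text only says "a set time period"


@dataclass
class CopyRecord:
    machine: str       # terminal the copy was distributed to
    key_id: int        # version of the key protecting this copy
    key: bytes         # unique key, held separately from the encrypted copy
    issued_at: float   # time of distribution or last re-encryption


@dataclass
class KeyRegister:
    da_plevel: dict           # DA id -> plevel of the master
    custodian_plevel: dict    # custodian -> authorised plevel
    lost_machines: set = field(default_factory=set)
    copies: dict = field(default_factory=dict)  # (DA id, custodian) -> CopyRecord
    log: list = field(default_factory=list)     # time-stamped transaction log
    next_key_id: int = 1

    def authorised(self, custodian, da_id):
        """The DA plevel must be equal to or less than the custodian plevel."""
        c = self.custodian_plevel.get(custodian)
        d = self.da_plevel.get(da_id)
        return c is not None and d is not None and d <= c

    def _new_key(self):
        key_id = self.next_key_id
        self.next_key_id += 1
        return key_id, secrets.token_bytes(32)

    def issue_copy(self, da_id, custodian, machine, now):
        """Record a uniquely keyed copy; return its key id, or None if refused."""
        if not self.authorised(custodian, da_id) or machine in self.lost_machines:
            self.log.append((now, "issue-refused", da_id, custodian, machine))
            return None
        key_id, key = self._new_key()
        self.copies[(da_id, custodian)] = CopyRecord(machine, key_id, key, now)
        self.log.append((now, "issued", da_id, custodian, machine))
        return key_id

    def authorise_decrypt(self, da_id, custodian, machine, key_id, now):
        """Return (reason, key); the key is released only when reason == "ok"."""
        rec = self.copies.get((da_id, custodian))
        if rec is None:
            reason = "no-copy-for-custodian"  # e.g. file passed on by someone else
        elif machine in self.lost_machines or machine != rec.machine:
            reason = "machine-exception"
        elif not self.authorised(custodian, da_id):
            reason = "plevel-revoked"
        elif key_id != rec.key_id:
            reason = "stale-key"              # register updated since distribution
        else:
            reason = "ok"
        self.log.append((now, reason, da_id, custodian, machine))
        return reason, (rec.key if reason == "ok" else None)

    def rotate_aged(self, now):
        """Give a fresh key to every copy whose encryption has aged out."""
        rotated = []
        for ident, rec in self.copies.items():
            if now - rec.issued_at > MAX_KEY_AGE:
                rec.key_id, rec.key = self._new_key()
                rec.issued_at = now
                rotated.append(ident)
        return rotated

    def audit_on_connect(self, custodian):
        """DA ids this custodian holds but is no longer authorised for."""
        return sorted(da for (da, c) in self.copies
                      if c == custodian and not self.authorised(c, da))


def demo():
    """Constructed scenario: one DA at plevel 3, two custodians, one laptop."""
    reg = KeyRegister({"budget.doc": 3}, {"alice": 3, "bob": 2})
    kid = reg.issue_copy("budget.doc", "alice", "laptop-17", now=0.0)
    out = {"bob_issue": reg.issue_copy("budget.doc", "bob", "desk-4", now=1.0)}
    out["alice"] = reg.authorise_decrypt("budget.doc", "alice", "laptop-17", kid, 60.0)[0]
    # Bob presents Alice's file and key id: the register has no copy for him.
    out["shared"] = reg.authorise_decrypt("budget.doc", "bob", "desk-4", kid, 61.0)[0]
    reg.rotate_aged(MAX_KEY_AGE + 1.0)
    out["rotated"] = reg.authorise_decrypt(
        "budget.doc", "alice", "laptop-17", kid, MAX_KEY_AGE + 2.0)[0]
    reg.lost_machines.add("laptop-17")
    out["lost"] = reg.authorise_decrypt(
        "budget.doc", "alice", "laptop-17", kid + 1, MAX_KEY_AGE + 3.0)[0]
    reg.custodian_plevel["alice"] = 1
    out["audit"] = reg.audit_on_connect("alice")
    return out
```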
A Poison Pill function is provided that can be activated which may delete/overwrite distributed DAs, destroy the DAP client (pclient), inactivate BIOS after a set number of power-ons (eg. 3rd power-on), or immediately if activated by a DAP system administrator. Poison pill code and invocation points are checked for unchanged presence and any unauthorized modification is logged and optionally the device is inhibited from accessing the DA. Laptops can have printing and copying of DAs optionally disabled by routing copying and printing and print screen functions through the poison pill module. The poison pill can destroy all function and data if there is an attempt to interfere with the poison pill. Periodic character comparisons with the DA client registry at DAP Central (pcentral) can occur. There can also be allowance made for inclusion in a 'ghost' image load, if required.
Logical Design
General
The DAP system pcentral functions preferably operate from two (or more) logical servers. Server 1 communicates only with the pcentral communications handler and has no other communications connections. An objective is to isolate encryption keys and critical control and protection variables from general browser access. Server 1 may be physically located outside the system programming operating envelope. No staff would have uncontrolled access to server 1 content.
Server 1 Server 2 pcentral pclient Poison pill Y Poison pill registry Poison pill S-key Y Encryption selector I-Key Y M-Key Encryptor Y I-Key Interdictor Y S-Key Machine Y Custodian Custodian Y Machine Passwords Y Client client Bio-metrics Y Read handler Y Write handler Y DA Master Y DA Copies DA copies Y Msg Sig handler Msg Sig handler Y Comms handler Comms handler Y Logrec handler Y Admin Handler server 1 Y Admin Handler server 2

The process on the client machine is as follows:

Columns: Seq; Logical action; DAP action; DAP Modules called; Note follows.
Seq 1. Logical action: Turn on machine. DAP action: Do start up checks; Do authentication; Kill if any check fails. Modules called / Note: AA,BB,CC; XX3; GG1, 2.
Seq 2. Logical action: Do BIOS execs.
Seq 3. Logical action: Start DOS.
Seq 4. Logical action: Start Windows.
Seq 4.1. Logical action: Determine if client machine network is connecting to DAP control servers: Yes. DAP action: Connect to network, servers. Upload/download and action any transactions. Reset POST-count to '0'. Modules called: NN.
Seq 4.2. Logical action: Determine if client machine network connected to DAP control servers: No. DAP action: Post-count = Post-count +1. If post-count exceeds maximum then lock/kill DAP client and DA content. Modules called: AA, GG.
Seq 5. Logical action: Start applications.
Seq 6.1. Logical action: Application executes an Open file as input command: detect DA catalog access (I/O interrupt). DAP action: Request DA read authorization, Interdiction =ON (file unique). May require fingerprint/password intervention if plevel is high value. Modules called: DD.
Seq 6.2. Logical action: Application executes an Open file as output command: detect DA catalog access (I/O interrupt) or query is this to be a DA output file? DAP action: Request DA read authorization, Interdiction =ON (file unique). Modules called: DD.
Seq 7. Logical action: Read file: detect request to read block (I/O interrupt). DAP action: Decrypt (block by block). Modules called: RR2.
Seq 8. Logical action: Assemble I/O Workspace plain text prefer encrypted? DAP action: Normal application function, Phrase checker detects output DA subject. Modules called: FF.
Seq 9. Logical action: Output? DAP action: Unencrypted representation other than display is barred by Interdict module. Modules called: DD.
Seq 10. Logical action: Write file: File DA or non-DA is identified at Open command. DAP action: For non-DA Phrase checker can end plain text write (see note 10.1). Encrypt (block by block). Record encrypted on HD. Modules called: FF, RR1. Note: 10.1.
Seq 11. Logical action: Close file: DA Catalog entry known and recognized. DAP action: Create DAP upload transaction, Interdict =OFF (file unique). Modules called: DD.
Seq 12. Logical action: Close application.
Seq 13. Logical action: Close Windows.
Seq 14. Logical action: Close DOS.
Seq 15. Logical action: Power OFF.

1. Turn on Machine:
1.1. Test critical DAP content has not been varied/hacked.
1.2. Check allowable number of 'power-on' iterations since last connect has not been exceeded.
6. Open file:
6.1 Request access authorization
6.2 Turn interdict ON.
10.1 DA recogniser. If phrase checker encounters a DA sensitive phrase then close plain-text output, open a DA output with same name plus DA and continue writing to end of file. Resultant two files may need to be concatenated as a single DA file for future processing.
Physical Design
General
DAP at four levels:
Implementation at hardware and BIOS level options is a possible embodiment of the present invention when implementing multiple unrelated DAP clients on a terminal. Where a person is a custodian for two or more independently varying DAP systems, each DAP system's client may reside on the same laptop. However they will necessarily stand on a single hardware and BIOS feature set. Where this causes a difficulty to arise, then independent client resident machines (multiple laptops) would be required.
1) i es D I-D and CID) write in te f c An u sa e re t d c m nt i temporary rile, hrfr itreta t 7 il~e: nSaedcet E oSure theefo e iter ep atsag ure ti M As Windows cOPies (i~eC e ycd sAt8 rquir Interact hardware srl qi~n may require St thrdbyr terminal s er cnb e .m othe boar fa r )should be 0 fThee hs alseot As B10 inter ct and the return to base of defectiv Thies a s 1B 31 S variation to t ie-i I JAP. MOf deqfec al atoie d ac n s to b conditioned, and g o May facilitatedlremot S O f t w a r e ,g o t i n s t a l l e d A b e b yth o r z e d a lco n t r o Aointeract At Windows interact Architectur natosController ornun'atinsbetween distributed clients,. cnrlPoeue r ade c~aeyt Central Communicator: Between pcentral main procedures. This unit manages all Co Protection vericat. n between main Procedures of p cenr l m m unicat. an 0 Peration Co to Displays. unitl n n nsh h A Co no This un tM anages real r m d sp a an i te cio with the D A? adr ini trt Oper ating request, are exe cu e in ra timeo r -e u r d connection W heren r al tine o Unavailable, a transaction is W hee f r i m ae a ci n W e becomes active. uudcr~ ncto forimmdiae atio isrequired link Client Communicator: we eurdln "etween pcentral and pclients. lCOing transactions ar. irs.hc~ Ide tif~ d ali at d b for be ngPassed to appropriate a T i procedure

Procedure: On successful network connection and DAP connect checks, send a reset to command to the Client/POST/power on routine. Operate module NN (reset power-on count to
DA Control Register
Operate module FF (Establish control for off-line DA create).
This unit maintains content and status of current and historic Digital Assets known to this DAP.
Databases required: Active DA's, Archive DA's
Active DA's: Record current encrypted master content and pointer to the Key register for encrypt/decrypt function key.
Archive DA's: Maintain a date/time stamped record of previous DA's or DA versions and may be recalled and reinstated as 'Active DA' if required.
DA Key Register
This unit is the point of control for all components of the DAP system. It is accessed only by the communication controller, which establishes validity of any access request. This access validation is complemented by a Key Register function, which also validates the access. Essential relationships between DA's, encryption keys, custodians, machines, and DA protection levels (plevel) are maintained. Active and Archive records are maintained. Archive records are available for perusal and possible reinstatement if required. All interrelationships may be varied in real-time and can be immediately actioned. This action may extend to warning of missing laptops, missing laptops being reconnected to the network, and attempts to execute illegal functions.
Custodians are personnel identified as authorized at a particular DA protection level (plevel) to interact with DAs. Custodians are allocated client content and may, but not necessarily, have a laptop or desktop identified as the client 'home'.
Alternatively, an individual or group may have access to applications and files through any number of workstations in an organisation, although they may also have a specific machine 'allocated' to them (eg. hot-desking). This inter-relationship is frequently validated and any exception conditions are immediately utilized to protect DAs and deny access. DA protection is afforded in various ways depending upon the state of network connection.
Databases: Active keys (file, encrypt key, client), Archive keys, Active custodian (machine, plevel), Archive custodian,
Active:
Master Keys: Are allocated to individual master DAs held by DA Master Register.
Interim Keys: Are allocated to individual Custodian/clients to allow off-line creation of DAs.
Such creation will result in pcentral being unaware of DAs created off-line.
Therefore the pclient function creating the off-line DA can queue a transaction to upload the new DA. The new DA will be re-encrypted, recorded by Client Register as a DA and transmitted back to the creating pclient. This can ensure that all DAs remain in synch and are available across the DAP.
Custodians: A real-time record of persons authorized at various plevel's to have custody of a DA with equivalent or lesser 'plevel'. This authorization may be changed in real-time and can be applied to pclient at next network connection. DAs which are at the pclient and now not authorized can be archived to pcentral and deleted from pclient. Subsequent reinstatement may require pclient to re-acquire necessary DAs. A register of available DAs can only be seen up to the authorized 'plevel'.
Machines: A real-time record of terminals (eg. laptops and desktops) assigned to or used by a custodian. The machine value is checked for current exceptions (eg. reported lost/stolen). HDD in an invalid machine. Exception handling response may vary from a message to pclient to a Kill routine which will destroy all DA info on the pclient and may also destroy the pclient application software.
Archive:
All changes to status of active records can be archived. Archives can be used to recover various statistics and also for audit of correct practice.
Master Keys
Interim Keys
Custodians
Machines

DA Register
This unit maintains date and time-stamped encrypted images of currently active and historic versions of DAs. These images are client unique as required and are available for reinstatement. Current images may be used as an image comparison with distributed copies. Hidden characters may be included for enhanced control of copy identification. The master image is the actual DA as known to the DAP system. Variations from this master would require various DAP responses.
Databases: Active pclient (images), Archive pclient.
DAP Log Record
This unit maintains a time-stamped transaction by transaction record of all activity throughout the DAP system. It is used for disaster recovery across the system. It is also used as a source of information to be analyzed for operational and functional correctness of the DAP system.
Hackers attempting to compromise the DAP system will probably seek to scrub log files. Therefore all scrubbing is to be validated before executing.
Architecture pclient
pclient setup and initialize (use Skey for setup encryption)
pclient control
Startup (hands-on or secure CD)
Integrity (PCL01, PCL05), (BIOS, and DOS)
Violations (PCL02), and DOS)
Poison pill
Change administration (PCL09) (BIOS and
Read (PCL03, PCL10) (application, Windows, DOS,
Write (PCL04, PCL1 (application, Windows, DOS,
pclient administration
Response requests
Machine custody check (PCL06)
Plevel synch check
Changes (BIOS and
DA plevels (PCL07)
Custodian plevels (PCL08)
Communications and signals
POST level

Power-on Control Monitor:
DAP is potentially exposed where a distributed laptop is not presented to the network. Non-presentation precludes timely validation of DAP status etc. In such cases various power-related factors can be limited, for example the number of power-on's between successive network connections, length of power-on, or a given duration of date time. Exceeding this limit may optionally trigger an automatic pclient response which may be extremely drastic in the interests of denying access by unauthorized or no longer authorized persons to the DAs currently resident on the machine. (Operate module AA)
Check physical machine value against value recorded in poison pill on HDD from pcentral key register. A mismatch indicates HDD in wrong machine. If this machine is also not connected to network then do KILL to data and pclient. If network connected reports to pcentral and seeks response before continuing. Any interrupt does KILL. (Operate module LL)

Non-DAP bypass
DAP can allow immediate and unrestricted bypass for all non-DA records. This is done to avoid any unnecessary processing overheads for records, which do not require this (identified by encrypted plevel of protection). This bypass is protected and monitored to ensure it is not a point of system corruption. Bypasses may be recorded on the DAP Log Record for later perusal. (Operate module TT)

Communication interface
All interactions DAP Central are managed through this module.
Exception handler
Exceptions identified by pclient and pcentral resident functions or advised by pcentral Communications Controller are handled at this point. It is considered that a focal point enables multiple exceptions to be considered in sum and may attract a higher-level protection response than would apply for a single exception.
Client creates DA
A custodian may create a DA whilst machine not connected network/pcentral. All output files created in the session opening a DA with a selected plevel to be centrally logged for subsequent analysis. This requirement to be coupled with a mandatory network connection or Kill. (Operate module EE)

Encryption handler
This unit can apply all encryption and decryption routines. Encryption whilst network connected does not rely on pcentral to complete encryption process.
Encryption whilst not connected to rely on module RR. (Operate module RR).
I/O interruption handler (Operate module DD (Interdict local output function))
This unit manages interdiction of local output attempts of DA data (encrypted or decrypted). The I/O commands (for example Print screen, Copy file to HDD, FDD or CD burn, Print file, Print Screen) are interdicted at device interface level and constrained as required by 'plevel' status.
This unit is protected by operating within the control of Poison Pill and attempts to subvert will cause immediate Kill to be activated and message to that effect transmitted to pcentral.
If the Custodian attempts to create a file (not initially identified as a DA) the following process may apply to trap this event and apply correct DAP control.
The file will be assembled on the local machine's temporary workspace. A Save will be attempted by either a timed save via Windows product or a manual initiated save via the Save icon. In either case this unit will interdict the write attempt. Module JJ will be called and a DA key phrase recognition table checked against created content. If no match proceed as per non-DA material. If match found call encryption prior to Write and create txn to Central. It is anticipated that this routine can be progressively hardened with possible H/W function and frequent validation of integrity.
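An added example (not code from the patent) of the phrase check described in note 10.1 and in the module JJ save path. It goes one step further than the text by holding back a short tail of each block, so that a phrase split across two writes is still caught before its first half reaches the plain-text file. The phrase table, function names and sample blocks are constructed for illustration.

```python
def split_stream(blocks, phrases):
    """Route written blocks to (plain, da) outputs, as note 10.1 describes.

    Plain text is released only once it can no longer be the start of a
    sensitive phrase; from the first hit onwards everything goes to the
    DA output, which is where block-by-block encryption would be applied.
    """
    needles = [p.lower().encode() for p in phrases if p]
    if not needles:
        return b"".join(blocks), b""
    hold = max(len(n) for n in needles) - 1   # longest possible partial phrase
    plain, da = bytearray(), bytearray()
    pending = b""                              # scanned, but not yet released
    triggered = False
    for block in blocks:
        if triggered:
            da += block
            continue
        window = pending + block
        lowered = window.lower()               # ASCII case folding only
        hits = [i for i in (lowered.find(n) for n in needles) if i >= 0]
        if hits:
            cut = min(hits)                    # earliest phrase start
            plain += window[:cut]
            da += window[cut:]
            pending = b""
            triggered = True
        else:
            keep = min(hold, len(window))
            plain += window[:len(window) - keep]
            pending = window[len(window) - keep:]
    if not triggered:
        plain += pending                       # end of file, nothing sensitive
    return bytes(plain), bytes(da)


def naive_split(blocks, phrases):
    """Per-block check with no carry-over, shown for comparison."""
    needles = [p.lower().encode() for p in phrases if p]
    plain, da, triggered = bytearray(), bytearray(), False
    for block in blocks:
        if not triggered and any(n in block.lower() for n in needles):
            triggered = True
        (da if triggered else plain).extend(block)
    return bytes(plain), bytes(da)


# Constructed input: the phrase straddles the first and second write.
PHRASES = ["project blue harvest"]
BLOCKS = [b"Q3 notes. Project Bl", b"ue Harvest pricing ", b"follows."]


def demo():
    return {"holdback": split_stream(BLOCKS, PHRASES),
            "naive": naive_split(BLOCKS, PHRASES)}
```

The naive variant writes the whole document as plain text because no single block contains the phrase, which is the failure the held-back tail prevents.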
Poison Pill
Operate module BB (poison pill validity check)
Operate module CC (Missing machine reported, HDD mismatch)
Operate module GG (Kill)
This unit contains the protection devices at the pclient level. Certain interfaces between Sub-Window functions, pclient and pcentral are managed by this module.
It can be frequently validated and possibly re-established without operator intervention. Any identification of attempts to subvert integrity can be responded to via this module.
Checks are maintained between this pclient and the machine identification value(s). This check identifies any situation where a HDD has been removed from an authorized machine and inserted in an unknown machine.
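One way to express the start-up decision made by the poison pill checks and the Power-on Control Monitor described above, written as an added example rather than code from the patent. HMAC-SHA256 as the hash-sum, the install secret, the `PillRecord` layout and the sample reference codes are assumptions; the function only returns a decision and performs no destruction.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CONTINUE = "continue start-up"
    REPORT_AND_WAIT = "report to pcentral and wait for its response"
    KILL = "hand over to the Kill routine (module GG)"


@dataclass
class PillRecord:
    expected_binding: bytes  # hash-sum over custodian, machine and HDD codes
    code_digest: bytes       # digest of the unmodified poison pill code
    max_power_ons: int       # power-ons allowed between network connections
    post_count: int = 0      # power-ons since the last successful connect


def binding(secret, custodian, machine_code, hdd_code):
    """Keyed hash-sum tying a custodian to one machine and one disk."""
    msg = b""
    for part in (custodian, machine_code, hdd_code):
        raw = part.encode("utf-8")
        msg += len(raw).to_bytes(2, "big") + raw  # length prefix keeps fields distinct
    return hmac.new(secret, msg, hashlib.sha256).digest()


def startup_check(pill, secret, pill_code, custodian, machine_code, hdd_code,
                  network_up):
    """Decide what the client does at power-on; mutates pill.post_count."""
    # Module BB: the poison pill code itself must be unchanged.
    if not hmac.compare_digest(hashlib.sha256(pill_code).digest(),
                               pill.code_digest):
        return Action.KILL
    # Modules CC/LL: the disk must still be in the machine it was issued to.
    observed = binding(secret, custodian, machine_code, hdd_code)
    if not hmac.compare_digest(observed, pill.expected_binding):
        return Action.REPORT_AND_WAIT if network_up else Action.KILL
    # Module NN: a successful connect resets the power-on count.
    if network_up:
        pill.post_count = 0
        return Action.CONTINUE
    # Module AA: count power-ons since the last connect ("exceeds maximum").
    pill.post_count += 1
    if pill.post_count > pill.max_power_ons:
        return Action.KILL
    return Action.CONTINUE


def simulate():
    """Constructed scenarios for one laptop allowed two offline power-ons."""
    secret = b"constructed-install-secret"
    code = b"constructed poison pill module bytes"
    good = ("alice", "MB-0042", "HDD-9F31")

    def fresh():
        return PillRecord(binding(secret, *good),
                          hashlib.sha256(code).digest(), max_power_ons=2)

    out = {}
    pill = fresh()
    out["offline_boots"] = [
        startup_check(pill, secret, code, *good, network_up=False).name
        for _ in range(3)]
    pill = fresh()
    pill.post_count = 2
    action = startup_check(pill, secret, code, *good, network_up=True)
    out["reconnect"] = (action.name, pill.post_count)
    moved = ("alice", "MB-7777", "HDD-9F31")   # same disk, different machine
    out["moved_offline"] = startup_check(
        fresh(), secret, code, *moved, network_up=False).name
    out["moved_online"] = startup_check(
        fresh(), secret, code, *moved, network_up=True).name
    out["tampered"] = startup_check(
        fresh(), secret, code + b"\x00", *good, network_up=True).name
    return out
```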
Guardian interface
This unit can optionally be provided to manage relation to Guardian requirements as applicable to pclient. Guardian function audits and protection integrity may be checked at any time. Protection mechanisms may be reloaded with variations to maximize pclient level protection.
DAP multiples interface
This unit can manage the relationship between requirements instituted by hierarchical DAP systems. It is expected that independent and concurrent DAP involvement by an individual can be implemented via a shadow client with the shadow managing all functions required to be unique.
Coding structures:

DAP exec          Pcentral          pclient
Procedures        PCO01-PCO11       PCL01-PCL12
Modules           AACO-ZZCO         AACL-ZZCL
Data structures   DSCO01-DSCO10     DSCL01-DSCLnn

DAP install       Pcentral          pclient
Procedures        IPCOnn            IPCLnn
Modules           IMCOaa            IMCLaa
Data structures   IDSCOnn           IDSCLnn

III. Further detailed example

The following further example provides a detailed outline of a preferred embodiment of the present invention. The example embodiment presented is intended to be merely illustrative and not limiting to the scope of the present invention. The example makes reference to numerous figures to assist with the description of the particular embodiment of the present invention.
This particular embodiment includes:
Digital Asset Protection for selected data files or documents (DAs);
A central control system storing digital asset master documents, encryption keys and security and general administration database;
A client terminal able to communicate via a computer network with the central control system;
A client software resident on the client terminal to allow the client terminal to read, update and create digital asset copies whether or not they are connected to the central control system;
A communication controller machine (also known as proxy or firewall) to hide the central server to client terminals;
Encryption of digital asset masters on the central terminal using pluggable encryption protocols;
Encryption of digital asset copies on client terminals using pluggable encryption protocols;
Encryption of communications between the client terminals and the central server using Secure Sockets Layer;
Protection using a 'protection level' (also known as "plevel");
A poison pill module;
A power-on control monitor;
A log record of all digital asset accesses on client terminals, whether or not they are connected to the central control system; and,
A DA-recogniser module, implemented as a phrase checker.
As further clarification, the following terms are used herein as defined below:
Term: Meaning
pcentral: Central Control System
pclient: Client Terminal
Proxy or Firewall: Communication Controller Machine
plevel: Protection level of Digital Assets and Clearance level of custodians
POST-count: Power-On-Self-Test (or Reboot) count
DA: Digital Asset
DAP: Digital Asset Protection software package
Custodian: User or users configured through the system to access digital assets
Locked Process: Process which has opened a digital asset
Unlocked Process: Process which has not yet opened a digital asset
Sanitise: Complete deletion of a data file or files from persistent storage media by overwriting all addressable locations with a character, its complement, then a random character and verify, in compliance with US Department of Defence in the clearing and sanitising standard DoD 5220.22-M.
Architecture Overview
This particular embodiment is being further extended for an enhanced embodiment integrating, for example but not limited to, support for multiple or linked DAP systems, support for group-based authentication, links to external audit processes, single logical access to multiple physical databases, etc.
This particular embodiment is intended for use on Microsoft Windows NT-derived systems (NT 4.0, Windows 2003, Windows XP and Windows 2003 server). Also, in this particular embodiment only, digital assets are limited to Microsoft Office documents (Word, Excel, PowerPoint). Obviously, other embodiments can be readily developed that relate to any other type of system (including, but not limited to, Unix, Linux, Mac OS, etc.), document or file type.
Other particular embodiments may also provide for: Support of multiple or linked DAP's; External check/audit of DAP process; Facilitation of single logical access to multiple physical database locations as a single logical read; and/or portability and platform independence.
Use Cases
PClient Installation: The pclient DAP installation is performed using a standard install.exe file. This installation can either be performed after Windows NT installation, or on demand ('pushed' by pcentral using some distribution software or explicitly installed by the custodian using the DAP install software on CD or network drive). The installation comprises the main software installation, pclient digital certificate generation (and digital signature by pcentral) and conversion of the existing 'sensitive' documents to Digital Assets. This process is illustrated in figure
PClient POST check: Each time the machine is rebooted, it performs a simple POST check, consisting (in this particular implementation) of counting the number of reboots since the last connection to pcentral. Other implementations can include other tests and checks to enable control and enforce periodic connection to pcentral as required by the end-user organisation's business rules. This process is illustrated in figure 6.
PClient Integrity Check: Pclient permanently (in real time and at given intervals) checks its integrity and attempts to detect intrusion attempts. This process is illustrated in figure 7.
PClient Integrity Violation: If an integrity violation is detected, an exception procedure is initiated, resulting in the KILL process. This process is illustrated in figure 8.
PClient Kill: The KILL process is initiated when the POST count reaches the preset limit, or when the integrity of the system is corrupted. It comprises sanitising all digital assets and other sensitive information on the pclient machine. This process is illustrated in figure 9.
PClient Custodian Authentication: The custodian authentication is performed transparently as an authorised user logs into Windows and enters his or her Windows account details. The DAP authentication procedure attempts to connect to pcentral, download any updates (plevel changes etc.) and, if pcentral is not available, check if the custodian is allowed to access digital assets in a disconnected mode. This process is illustrated in figure
PClient DA Encryption Decryption Interdiction: All digital asset activity is interdicted as specified in an organisation's business rules. When reading from a digital asset, its content is decrypted from a disk. When writing to a digital asset, its content is encrypted. This process is illustrated in figure 11.
PClient DA Copy Management: Only digital asset copies are stored on pclient. The custodian can request a digital asset copy from pcentral, read and update it, and even create new digital assets. New digital assets are uploaded to pcentral as soon as possible (as soon as pclient connects to pcentral). This process is illustrated in figure 12.
PClient DA Copy Upload: New and updated digital assets are uploaded to pcentral as soon as they are created/updated. This process is illustrated in figure 13.
PClient Log Management: Each use (authorised or interdicted) of a digital asset is logged. Logs are immediately uploaded to pcentral if possible, or cached on pclient if pcentral is unavailable. This process is illustrated in figure 14.
PCentral Installation: PCentral installation comprises the DAP software installation and its configuration. This process is illustrated in figure
PCentral Customisation and Administration: An administration graphical user interface is provided to customise and administer pcentral. IT Managers use this GUI to configure security, encryption, business rules, administer digital assets and monitor logs. This process is illustrated in figure 16.
PCentral Audit Checks: IT Managers can request audit checks. These audit checks are forwarded to pclient machines. Results are collected by pcentral and stored in the pcentral database for further analysis. This process is illustrated in figure 17.
PCentral Administration: Depending on whether the administration GUI is run from within the inner-sanctum (a secure part of the system between the proxy and pcentral) or in the outer-sanctum, different functions apply. This process is illustrated in figure 18.
PCentral Pclient Custodian Authentication: Both custodian and client terminal (pclient) are securely authenticated by pcentral. The former is authenticated using the custodian's Windows login credentials, and the latter using SSL certificates. This process is illustrated in figure 19.

Architecture High Level Design

Interdiction: The interdiction is OS-dependent. Windows NT (and subsequent versions) is organised in layers (Win32 API on top of the native API, on top of device drivers, on top of the kernel), so interdiction takes place at different levels, depending on the type of API to interdict. For example, the clipboard interdiction takes place at the Win32 level, but the disk interdiction takes place at the file system level.
Encryption: Digital asset encryption on disk is performed at the file system level. The encryption is implemented in such a way that different encryption algorithms can be plugged-in depending on customers' requirements.
Files on disk are encrypted using a unique symmetrical key (very fast and secure).
The symmetrical key is, itself, encrypted with a public/private key which depends on the custodian and plevel. This key pair may in some cases (when the custodian is allowed to access digital assets when not connected to pcentral) need to be stored on the disk itself. It should therefore be encrypted with the custodian password. Therefore, if the custodian changes his or her password, only the public/private keys need to be re-encrypted (and not the digital assets themselves).
As often users have several accounts (one local laptop account and a domain account), public/private keys can be shared between custodians.
Authentication of Custodian, PClient and Pcentral: In this particular embodiment, the DAP system authenticates custodians by using the Windows single sign-on capabilities: as soon as Windows authenticates the custodian, DAP takes over and can authorise access to digital assets. Other embodiments can incorporate alternative authentication modules including, for example, biometrics such as fingerprint or iris scanning.
If connected to the network, pclient sends the user credentials (domain, user and encrypted password) to pcentral which then authenticates the custodian internally, and sends any pending updates (such as plevel changes). To make sure nobody impersonates a pcentral or a pclient machine, SSL certificates are used in this embodiment.
Secure communication between Pclient and Pcentral: SSL is also used to provide secure and encrypted communication between pclient and pcentral.
Use of a Communication Handler: A communication handler (also known as a proxy or firewall) is used to isolate pcentral from the outside world (which, for example, may be a company's intranet).
Custodian and Digital Asset monitoring and tracking: Each access to a digital asset is closely monitored by pclient. Logs are immediately sent to pcentral if possible, or cached locally in an encrypted, hidden and interdicted file if disconnected. Logs are automatically uploaded as soon as pcentral becomes accessible.
Programming Languages: As the pclient module is mostly a low-level driver providing low-level interdiction and encryption, is used in this particular embodiment. On the other hand, pcentral and the communication handler are not system-dependent and can run on any platform. Java is used to provide platform-independence.
Database access and independence: Java Database Connectivity ("JDBC") is used to access the DAP database. This means DAP is able to connect to virtually any database provider.
Business Rules: In this particular implementation, the following Business Rules have been chosen. Obviously, these rules could be significantly changed in other embodiments.
  • Once a process opens a digital asset, the process will remain 'Locked' until it terminates, even if it closes all its digital assets;
  • Locked processes can open non-DAs Read Only;
  • If a process opens a digital asset but had some non-DA files previously opened, these files become Read Only;
  • All files, including temporary files, created by a Locked process are created as digital assets;
  • Some internal files are totally interdicted to all non-internal processes;
  • Locked processes are not able to copy data to the clipboard;
  • Locked processes are not able to print any data;
  • Locked processes are not able to send any data over a network connection;
  • After a configurable number of reboots without connecting to pcentral, the machine is sanitised;
  • Digital asset masters and copies are encrypted whenever stored on a persistent media;
  • A custodian is only able to see and download digital asset copies from digital asset masters whose plevel is less than or equal to their own plevel;
  • A custodian is only able to see and open digital asset copies which he/she has created himself/herself;
  • If a custodian plevel is lowered, the custodian instantly loses access to previous files he/she created with his/her previous plevel;
  • Digital assets are, by default, created with the custodian's own plevel.
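The business rules above amount to a small state machine over processes, files and plevels. The following Python model is an added illustration, not code from the specification or the DAP product; the class and method names, the sample custodians and files, and the reboot limit of 3 are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FileObj:
    owner: str
    is_da: bool = False
    plevel: int = 0              # only meaningful for digital assets

@dataclass
class Process:
    custodian: str
    locked: bool = False
    open_files: dict = field(default_factory=dict)    # name -> "r" / "rw"

class PolicyMonitor:
    """Hypothetical model of the pclient business rules (not DAP code)."""
    def __init__(self, plevels, max_reboots=3):       # limit of 3 is assumed
        self.plevels = dict(plevels)                  # custodian -> plevel
        self.max_reboots = max_reboots
        self.files, self.log = {}, []
        self.reboots, self.sanitised = 0, False

    def _log(self, proc, action, target, result):
        # Every use is logged, whether authorised or interdicted.
        self.log.append((proc.custodian, action, target, result))
        return result

    def open_file(self, proc, name, write=False):
        f = self.files.get(name)
        if f is None:
            return self._log(proc, "open", name, None)
        if f.is_da:
            # Only the creator may open a copy, and only while the
            # custodian's current plevel still covers the asset's plevel.
            if f.owner != proc.custodian or f.plevel > self.plevels[proc.custodian]:
                return self._log(proc, "open", name, None)
            proc.locked = True                        # sticky until exit
            for other in proc.open_files:             # earlier non-DAs -> RO
                if not self.files[other].is_da:
                    proc.open_files[other] = "r"
            mode = "rw" if write else "r"
        else:
            mode = "rw" if write and not proc.locked else "r"
        proc.open_files[name] = mode
        return self._log(proc, "open", name, mode)

    def close_file(self, proc, name):
        proc.open_files.pop(name, None)               # does not unlock

    def create_file(self, proc, name):
        # Files created by a Locked process (temp files too) become DAs,
        # stamped with the custodian's own plevel by default.
        is_da = proc.locked
        plevel = self.plevels[proc.custodian] if is_da else 0
        self.files[name] = FileObj(proc.custodian, is_da, plevel)
        proc.open_files[name] = "rw"
        return self._log(proc, "create", name, "da" if is_da else "plain")

    def export(self, proc, channel):
        # channel is "clipboard", "print" or "network"
        return self._log(proc, channel, "-", not proc.locked)

    def connect(self):
        self.reboots = 0                              # contact with pcentral

    def reboot(self):
        self.reboots += 1
        if self.reboots >= self.max_reboots:          # POST limit reached
            self.files = {n: f for n, f in self.files.items() if not f.is_da}
            self.sanitised = True
        return self.sanitised

def demo():
    # Constructed sample data: custodians, plevels and file names.
    mon = PolicyMonitor({"alice": 3, "bob": 3})
    mon.files["notes.txt"] = FileObj("alice")
    mon.files["budget.xls"] = FileObj("alice", True, 3)
    word, out = Process("alice"), {}
    out["plain_before"] = mon.open_file(word, "notes.txt", write=True)
    out["da"] = mon.open_file(word, "budget.xls", write=True)
    out["plain_after"] = word.open_files["notes.txt"]
    mon.close_file(word, "budget.xls")
    out["still_locked"] = word.locked
    out["temp"] = mon.create_file(word, "~tmp1")
    out["clipboard"] = mon.export(word, "clipboard")
    out["other_user"] = mon.open_file(Process("bob"), "budget.xls")
    mon.plevels["alice"] = 2                          # plevel lowered
    out["after_demotion"] = mon.open_file(Process("alice"), "budget.xls")
    out["interdicted"] = sum(1 for e in mon.log if e[3] in (None, False))
    out["reboots"] = [mon.reboot() for _ in range(3)]
    out["das_left"] = [n for n, f in mon.files.items() if f.is_da]
    return out
```

Calling `demo()` walks one process through the Locked transition, a plevel demotion and the reboot-count sanitisation, and returns what each step was granted.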
Architecture diagram: Illustrated in figure 20 is the architecture selected for this particular embodiment. PClient's hard drive contains normal documents and digital asset copies. It communicates with pcentral through its communication handler. Digital asset masters and general administration information are kept in the inner-sanctum, only accessible by pcentral.
Database diagram: Illustrated in figure 21 is a database structure selected for this particular embodiment. This database diagram is not exhaustive, but details important tables of the DAP system.
PClient Architecture diagram: Illustrated in figure 22 is the pclient architecture selected for this particular embodiment. This diagram illustrates the different levels of interdiction present in pclient.
Thus, there has been provided in accordance with the present invention, a method, system and/or computer readable medium of instructions for providing protection for digital assets.
The invention may also be said to broadly consist in the parts, elements and features referred to or indicated herein, individually or collectively, in any or all combinations of two or more of the parts, elements or features, and where specific integers are mentioned herein which have known equivalents in the art to which the invention relates, such known equivalents are deemed to be incorporated herein as if individually set forth.
Although the preferred embodiment has been described in detail, it should be understood that various changes, substitutions, and alterations can be made herein by one of ordinary skill in the art without departing from the scope of the present invention.
Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as, an acknowledgement or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Claims (33)

The claims:
1. A system for providing protection for identified digital assets, the system including: (1) a central control system; (2) a client terminal able to communicate via a computer network with the central control system; (3) client software resident on the client terminal; (4) a master copy of a digital asset stored on the central control system; (5) an encrypted copy of the digital asset stored on the client terminal, with an encryption key for the encrypted copy of the digital asset stored on the central control system and the client terminal; whereby, the client software resident on the client terminal controls access by a custodian to the copy of the digital asset stored on the client terminal, and the custodian's level of access to the copy of the digital asset stored on the client terminal can be altered from the central control system.
2. The system as claimed in claim 1, wherein when access is initially requested to the encrypted copy of the digital asset by the custodian the client software attempts to communicate with the central control system and authenticate the initial access request.
3. The system as claimed in claim 1, wherein when access is properly requested to the encrypted copy of the digital asset residing on the client, and the client terminal is disconnected from the central control system, the copy of the digital asset can be decrypted and used by the custodian with defence mechanisms active.
4. The system as claimed in any one of the claims 1 to 3, wherein the digital asset is assigned a level of protection, and the at least one custodian is assigned a level of authorisation.
5. The system as claimed in claim 4, wherein different levels of protection/authorisation allow varying use of each copy of the digital asset.
6. The system as claimed in claim 2, wherein: if the central control system authenticates an initial access request, a private decryption key is used to enable the encrypted copy of the digital asset to be decrypted; or, if the central control system does not authenticate the initial access request, the decryption key is not available to be used to decrypt the encrypted copy of the digital asset.
7. The system as claimed in any one of the claims 1 to 6, wherein the central control system includes a communications controller and an encryption key register.
8. The system as claimed in any one of the claims 1 to 7, wherein the central control system includes a digital asset register to store current and previous master copies of the digital asset.
9. The system as claimed in any one of the claims 1 to 8, wherein the central control system includes a digital asset register to register and store each encrypted copy that has been distributed at the request of a properly authenticated client terminal.
10. The system as claimed in any one of the claims 1 to 9, wherein the central control system includes a digital asset log record.
11. The system as claimed in claim 8, wherein the central communications controller includes a client communications module and a central communications module.
12. The system as claimed in any one of the claims 1 to 11, wherein the central control system is provided by at least two physical servers.
13. The system as claimed in claim 12, wherein the communications controller is resident on a first server, and the encryption key register is resident on a second server.
14. The system as claimed in claim 13, wherein all functions other than the communications controller are resident on the second server.
15. The system as claimed in any one of the claims 8 to 14, wherein the encryption key register stores additional information for the authentication of any request to copy a digital asset.
16. The system as claimed in claim 15, wherein the additional information relates to the identity of the custodian and/or a specific authorised client terminal.
17. The system as claimed in any one of the claims 1 to 16, wherein each client software package uniquely controls the decryption process for a particular client terminal.
18. The system as claimed in any one of the claims 1 to 17, wherein the client software controls access and/or destruction of the copy of the digital asset.
19. The system as claimed in any one of the claims 1 to 18, wherein the client software includes a poison pill module.
20. The system as claimed in claim 19, wherein the poison pill module can cause the destruction of the copy of the digital asset.
21. The system as claimed in either claim 19 or claim 20, wherein the poison pill module checks a retrieved value identifying the client terminal, or a component thereof, against an expected identification value.
22. The system as claimed in either claim 19 or claim 20, wherein the poison pill module checks a component of a hash-sum value, combined with custodian information, a client terminal and hardware reference against expected values.
23. The system as claimed in any one of the claims 1 to 22, wherein the client software includes a power-on control monitor.
24. The system as claimed in any one of the claims 1 to 23, wherein the client software includes a communications interface.
25. The system as claimed in any one of the claims 1 to 24, wherein the client software includes an exception handler.
26. The system as claimed in any one of the claims 1 to 25, wherein the client software includes an encryption handler.
27. The system as claimed in any one of the claims 1 to 25, wherein the client software includes an I/O interruption handler.
28. The system as claimed in any one of the claims 5 to 27, wherein authorisation and protection levels can be updated on the central control system and transmitted to the client software on the client terminal.
29. The system as claimed in any one of the claims 1 to 28, wherein the master copy of the digital asset stored on the central control system is encrypted.
30. A method of providing protection for digital assets, the method including the steps of: storing an encrypted master copy of a digital asset on a central control system; storing a separate encrypted copy of the digital asset on a client terminal provided with client software, the client terminal able to communicate via a computer network with the central control system; storing an encryption key for the encrypted copy of the digital asset on the central control system and the client terminal; and, when access is properly requested by an authorised custodian to the encrypted copy of the digital asset residing on the client terminal, and the client terminal is disconnected from the central control system, the client software controls access to the copy of the digital asset.
31. The method as claimed in claim 30, wherein when access is initially requested to the encrypted copy of the digital asset by the custodian the client software attempts to communicate with the central control system and authenticate the initial access request.
32. The method as claimed in claim 30, wherein the digital asset is assigned a level of protection, and the custodian is assigned a level of authorisation.
33. The method as claimed in claim 32, wherein different levels of protection/authorisation allow varying use of the copy of the digital asset.
34. The method as claimed in any one of the claims 30 to 33, wherein the frequency of computer network connection is monitored by the client software.
35. The method as claimed in any one of the claims 30 to 34, wherein access restrictions to the digital asset can be varied from the central control system.
36. The method as claimed in any one of the claims 30 to 35, wherein the master copy of the digital asset is encrypted.
37. The method as claimed in any one of the claims 30 to 36, wherein a unique encryption key is created for each custodian and each distributed copy of the digital asset.
38. The method as claimed in any one of the claims 30 to 37, wherein if preset criteria are not met the client software can effect destruction of the encryption key, the copy of the digital asset on the client terminal, the contents of memory and/or storage facilities of the client terminal, and/or BIOS information for the client terminal.
39. The method as claimed in any one of the claims 30 to 38, wherein the copy of the digital asset is destroyed if successful network connection to the central control system is not achieved after a preset number of attempts and/or a preset time period.
40. The method as claimed in any one of the claims 30 to 39, wherein the central control system tracks the location of all copies of each digital asset.
41. The method as claimed in any one of the claims 30 to 40, wherein a newly created digital asset is uploaded to the central control system to create a master copy of the digital asset.
42. The method as claimed in any one of the claims 30 to 41, wherein the copy of the digital asset is periodically re-encrypted and redistributed.
43. The method as claimed in any one of the claims 30 to 42, wherein a poison pill module is provided.
44. The method as claimed in claim 43, wherein the poison pill module can delete/overwrite the copy of the digital asset, destroy the client software, and/or inactivate the client terminal BIOS.
44. The method as claimed in any one of the claims 30 to 44, wherein print and copy functions of the client terminal can be optionally disabled by the client software.
45. The method as claimed in any one of the claims 30 to 44, the method able to be performed utilising the system of any one of the claims 1 to 29.
46. A computer readable medium of instructions for providing protection for digital assets in a system including: a central control system; a client terminal able to communicate via a computer network with the central control system; a master copy of a digital asset stored on the central control system; an encrypted copy of the digital asset stored on the client terminal, with the encryption key for the encrypted copy of the digital asset stored on the central control system and the client terminal; whereby the computer readable medium of instructions is adapted to control access by a custodian to the copy of the digital asset stored on the client terminal, and the custodian's level of access to the copy of the digital asset stored on the client terminal can be altered from the central control system.
47. The computer readable medium of instructions as claimed in claim 46, wherein the computer readable medium of instructions is client software.
48. The computer readable medium of instructions as claimed in claim 47, wherein the client software controls the decryption process.
49. The client software as claimed in claim 46 or claim 47, wherein the client software controls access and/or destruction of the copy of the digital asset.
50. The client software as claimed in any one of the claims 46 to 49, wherein the client software includes a poison pill module.
51. The client software as claimed in claim 50, wherein the poison pill module checks a retrieved value identifying the client terminal, or a component thereof, against an expected identification value.
52. The client software as claimed in any one of the claims 46 to 51, wherein the client software includes: a power-on control monitor; a communications interface; an exception handler; an encryption handler; and/or, an I/O interruption handler.
53. A system for providing protection for identified digital assets, substantially as hereinbefore described with reference to the accompanying figures.
54. A method of providing protection for digital assets, substantially as hereinbefore described with reference to the accompanying figures.
55. A computer readable medium of instructions for providing protection for digital assets in a system, substantially as hereinbefore described with reference to the accompanying figures.

AU2008201530A 2002-12-13 2008-04-04 Means for providing protection for digital assets Abandoned AU2008201530A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2008201530A AU2008201530A1 (en) 2002-12-13 2008-04-04 Means for providing protection for digital assets

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AU2002953325 2002-12-13
AU2003236569A AU2003236569A1 (en) 2002-12-13 2003-07-01 Means for providing protection for digital assets
AU2008201530A AU2008201530A1 (en) 2002-12-13 2008-04-04 Means for providing protection for digital assets

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU2003236569A Division AU2003236569A1 (en) 2002-12-13 2003-07-01 Means for providing protection for digital assets

Publications (1)

Publication Number Publication Date
AU2008201530A1 true AU2008201530A1 (en) 2008-05-01

Family

ID=39362417

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2008201530A Abandoned AU2008201530A1 (en) 2002-12-13 2008-04-04 Means for providing protection for digital assets

Country Status (1)

Country Link
AU (1) AU2008201530A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024002102A1 (en) * 2022-06-27 2024-01-04 中国信息通信研究院 Active administration system for data assets, computing device, and storage medium


Similar Documents

Publication Publication Date Title
US20050123137A1 (en) Means for providing protecting for digital assets
Firesmith Engineering security requirements.
EP1166211B1 (en) Network vault
US6173402B1 (en) Technique for localizing keyphrase-based data encryption and decryption
US8341406B2 (en) System and method for providing different levels of key security for controlling access to secured items
AU2005320910B9 (en) Method and system for securely identifying computer storage devices
EP2575070B1 (en) Classification-based digital rights management
WO2010047871A1 (en) Secure consultation system
US8892877B2 (en) Method and device for accessing files of a secure file server
WO2001073533A1 (en) System and method for safeguarding electronic files and digital information in a network environment
JP2003330802A (en) Confidential information access monitoring control method, confidential information access monitoring control system, and record medium storing the confidential information access monitoring control program
US20150261921A1 (en) Virtual Identification System and Method for Patients
WO2003034687A1 (en) Method and system for securing computer networks using a dhcp server with firewall technology
AU2008201530A1 (en) Means for providing protection for digital assets
Blain et al. An Intrusion-Tolerant Security Server for an Open Distributed System.
Butler Privileged password sharing:“root” of all evil
AU2003236569A1 (en) Means for providing protection for digital assets
Murray Security considerations for personal computers
Mahdi ‘Offensive threats
Cowan Security and confidentiality on laboratory computer systems
Singh et al. A Dynamic Approach For Data Base Security
Simmel et al. SECURITY IMPROVEMENT MODULE CMU/SEI-SIM-004
Axetun Securing hospitals from exploitation of hardware ports
Ford et al. Securing Network Servers
Ford et al. SECURITY IMPROVEMENT MODULE CMU/SEI-SIM-007

Legal Events

Date Code Title Description
MK4 Application lapsed section 142(2)(d) - no continuation fee paid for the application