WO2005109211A1 - A file management system - Google Patents

Publication number
WO2005109211A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
file
server
user terminal
directory server
Application number
PCT/SG2004/000125
Other languages
French (fr)
Original Assignee
Chng, Raymond
Application filed by Chng, Raymond
Priority to PCT/SG2004/000125
Publication of WO2005109211A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

Definitions

  • the present invention relates to a file management system for managing access to one or more directories by a user terminal, to a directory server for use in a file management system and to a method of managing files.
  • a file management system which includes a file server associated with a plurality of directories and which facilitates access to at least one of the directories by a user terminal.
  • a record of each authorised user and the directories allowable for access by the user is stored on the file server, and following authentication of the identity of the user by the user terminal and/or the directory server, access to the allowable directories by the user terminal is granted.
  • Authentication may be carried out in a variety of ways.
  • each user may be provided with a smart card on which is stored an electronic identification key and a password.
  • the stored password is compared with a password entered by a user and the electronic key is compared with electronic keys stored on the file server.
  • a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
  • the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
  • the file access information may include information indicative of the location of at least one file directory for which the user has valid access rights.
  • the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
  • the directory server may be arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
  • the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card. Authentication may be carried out using a certificate and public keys.
  • the identifier is an electronic identification key stored on a smart card and on the directory server.
  • the directory server and the file server may be arranged so as to facilitate communications through the Internet.
  • a plurality of file servers may be provided and the file management system may comprise at least one user terminal.
  • a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
  • a computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
  • a computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
  • a computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
  • a computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
  • a method of managing access to electronic files comprising the steps of: providing a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, providing a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, forwarding an identifier to the file server when the identity of the user is authenticated by the directory server, storing identifiers received from the directory server on the file server, and allowing a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
  • the method further includes the step of forwarding file access information from the directory server to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
  • the file access information may include information indicative of the location of at least one file directory for which the user has valid access rights.
  • the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
  • the method may further include the step of automatically changing the user status from active to inactive after a predetermined period of time.
  • Figure 1 is a block diagram of a file management system in accordance with an embodiment of the present invention shown during use in communication with a user terminal;
  • Figure 2 is a diagrammatic representation of a smart card for use with the file management system shown in Figure 1;
  • Figure 3 is a diagrammatic representation of information stored in the smart card shown in Figure 2;
  • Figure 4 is a diagrammatic representation of a table of information stored in a directory server of the file management system shown in Figure 1;
  • Figure 5 is a flow diagram illustrating steps of an example operation of the file management system shown in Figure 1.
  • Referring to Figure 1 of the drawings, there is shown a file management system 10 in accordance with an embodiment of the present invention shown during use in communication with a user terminal 12 disposed at a remote location relative to the file management system 10.
  • the user terminal 12 is not necessarily disposed at a remote location relative to the file management system 10 and may be disposed adjacent the file management system 10.
  • the file management system 10 includes a file server 14 associated with several file directories, and a directory server 16 which cooperates with the user terminal 12 and the file server 14 so as to enable or disable access to the file directories by the user terminals 12.
  • each user terminal 12 being associated with a user desiring to access one or more file directories associated with the file server 14.
  • although one file server 14 is shown in Figure 1, in practice more than one file server 14 may be present. If more than one file server 14 is present, the file servers 14 may be disposed at the same location or at different locations.
  • each user terminal is arranged to communicate with the file server 14 and the directory server 16 through the Internet 18, although it will be understood that other communications arrangements are possible, the important aspect being that each user terminal 12 is able to communicate with the file server 14 and the directory server 16 from a remote location.
  • the user terminal 12 shown in Figure 1 has an associated smart card reader 20 which is able to accept and read smart cards 22, and which is arranged to pass information obtained from the smart card 22 to the user terminal 12 for the purposes of authentication of a user.
  • authentication may use certificates and public keys.
  • the file server 14 is arranged to receive identifiers from the directory server 16, in this example through the Internet 18, which identifiers are indicative of the identity of the users having valid access rights to one or more of the directories associated with the file server 14.
  • each of the identifiers is an electronic identification key 28 which is recorded on a smart card 22 associated with a user and which is stored on the directory server 16.
  • the file server 14 grants the user terminal 12 access to at least one of the directories associated with the file server.
  • the directory server 16 is arranged to cooperate with user terminals 12 so as to authenticate the identity of the users associated with the user terminals 12.
  • the directory server is arranged to forward an identifier, in this example in the form of an electronic identification key, to the relevant file server(s) 14 for which the user has valid access rights when the identity of the user has been authenticated.
  • a smart card 22 as shown in Figure 2 is used to authenticate the identity of a user.
  • the smart card 22 includes a static identification key 24 disposed on a surface of the smart card 22 and usable to facilitate identification of the owner of the smart card in the event that the smart card is lost.
  • the static identification key 24 is printed on the smart card 22.
  • the smart card 22 also includes electronic circuitry 26, in this example in the form of a processor and a memory, the memory storing an electronic identification key 28 unique to the smart card 22 and thereby the owner of the smart card 22, and a password 30 known to the owner of the smart card 22, as shown in Figure 3.
  • a database 40 of user records 42 is stored in the directory server 16.
  • Each user record 42 includes the name of the user, the static identification key 24 disposed on the smart card 22 associated with the user, the electronic identification key 28 stored on the smart card 22 associated with the user, file access information in the form of file server information 48 indicative of the file server(s) 14 in relation to which the user has been granted access rights and directory information 50 indicative of the directories in relation to which the user has been granted access rights, and an indication as to whether the status of the user is active or expired.
  • the file server information 48 and the directory information 50 is collectively referred to as a label 54.
  • the directory server 16 may be arranged so that each user record 42 has an active lifespan whereby after a predetermined period of time the status of the user changes automatically to "expired". This allows user records to expire without administrator input.
  • the user records are modifiable by an administrator, for example so as to maintain the status as active, to modify the allowable directories, and so on.
  • the directory server 16 is also arranged to forward the labels 54 associated with the relevant user records 42 to the relevant user terminals 12 when the users have been authenticated by the directory server 16.
  • Each label 54 serves to indicate to a user terminal 12 the locations of the file server(s) 14 and the directories in relation to which the user has been granted access rights.
  • the user terminal 12 is arranged to cooperate with the directory server 16 so as to authenticate the identity of a user when a smart card 22 of the user is introduced into the reader 20.
  • authentication is carried out by comparing an electronic identification key 28 stored on a smart card 22 with an electronic identification key stored in the directory server 16, and by comparing a password 30 stored on the smart card 22 with a password entered into the user terminal 12 by a user.
  • Upon successful authentication of the identity of the user and if the user status is active, the directory server 16 forwards a copy of the electronic key 28 associated with the authenticated user to the relevant file servers 14 listed in the relevant user record 42. If the user status is expired, the directory server 16 does not forward the electronic key 28 to the file server(s) 14. The directory server 16 also forwards a label 54 associated with the authenticated user and listed in the relevant user record 42 to the user terminal 12, the label 54 being usable by the user terminal 12 to identify the relevant file servers and directories which are allowable for access by the user.
  • the identity of the user is re-authenticated by comparing the electronic key 28 stored on the smart card 22 with the electronic keys 28 received from the directory server 16 and stored in the file server 14. If the relevant electronic key 28 is absent from the file server 14, access to the file server is denied.
  • each electronic key 28 forwarded to a file server 14 is stored only temporarily on the file server 14 for the duration that the relevant user is authenticated by and in communication with the directory server 16.
  • the electronic key 28 is deleted from the file server 14 so that access to the file directory on the file server 14 is no longer possible.
  • An example of operation of the file management system 10 is illustrated by the flow diagram 56 in Figure 5.
  • a user desiring access to one or more file directories first introduces a smart card 22 associated with the user into the smart card reader 20.
  • the directory server 16 queries the smart card 22 for the electronic identification key 28 stored in the smart card 22 and the smart card electronic key 28 is compared with electronic identification keys 28 stored in a plurality of user records 42 on the directory server 16. If the smart card electronic key 28 matches with an electronic key 28 stored in the directory server 16, the user terminal 12 queries the user for a password. If the password entered by the user is the same as the password stored on the smart card 22, the identity of the user is authenticated.
  • the directory server 16 forwards copies of the electronic key 28 to the file servers listed in the relevant user record 42 associated with the user, and the directory server 16 forwards the label 54 in the relevant user record 42 to the user terminal 12.
  • Using the received label 54, the user terminal 12 is able to locate any of the file servers listed in the label.
  • the smart card electronic key 28 is compared with electronic keys stored on the file server 14 and, if the smart card electronic key 28 matches with an electronic key stored on the file server 14, access is granted to the directories on the file server 14 listed in the label 54.
  • data which is transferred between the user terminal 12 and the allowed directories may be encrypted using the electronic identification key 28.
  • systems of the present invention may be implemented by software applications or partly implemented by software; they may take the form of program code stored on or available from computer readable media, such as CD-ROMs or any other machine readable media, the program code comprising instructions which, when loaded into a machine such as a computer, cause the machine to become a system for carrying out the invention.
  • the computer readable media may include transmission media, such as cabling, fibre optics or any other form of transmission media.
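
The login, key-forwarding and re-check sequence described in the list above, modelled in Python as an added example; it is not code from the patent. The class and function names, the sample key, password and directory paths are constructed for illustration, the password comparison that the page places at the user terminal is folded into `login`, and withholding the label from an expired user is a modelling choice.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class SmartCard:
    electronic_key: bytes   # electronic identification key 28
    password: str           # password 30 stored on the card


@dataclass
class UserRecord:           # user record 42 held by the directory server
    name: str
    electronic_key: bytes
    label: dict             # label 54: file server name -> allowed directories
    expires_at: float       # end of the record's active lifespan

    def status(self, now):
        # The status flips to "expired" automatically, without administrator input.
        return "active" if now < self.expires_at else "expired"


@dataclass
class FileServer:           # file server 14
    name: str
    session_keys: set = field(default_factory=set)  # keys are held only temporarily

    def store_key(self, key):
        self.session_keys.add(key)

    def delete_key(self, key):
        self.session_keys.discard(key)

    def has_key(self, card_key):
        # Re-authentication: the card's key must match a key forwarded earlier.
        return any(hmac.compare_digest(card_key, k) for k in self.session_keys)


class DirectoryServer:      # directory server 16
    def __init__(self, records, file_servers):
        self.records = records
        self.file_servers = {fs.name: fs for fs in file_servers}

    def login(self, card, entered_password, now):
        """Return the user's label on success, None otherwise."""
        rec = next((r for r in self.records
                    if hmac.compare_digest(r.electronic_key, card.electronic_key)), None)
        if rec is None:
            return None
        # Entered password is compared with the password stored on the card.
        if not hmac.compare_digest(entered_password.encode(), card.password.encode()):
            return None
        if rec.status(now) != "active":
            return None     # expired: the key is not forwarded (label withheld: assumption)
        for server_name in rec.label:
            self.file_servers[server_name].store_key(rec.electronic_key)
        return rec.label

    def logout(self, card):
        # End of session: remove the key so file access is no longer possible.
        for fs in self.file_servers.values():
            fs.delete_key(card.electronic_key)


def open_directory(card, label, file_server, directory):
    """User terminal 12: pick a target from the label, then let the file server check the key."""
    if label is None or directory not in label.get(file_server.name, ()):
        return False
    return file_server.has_key(card.electronic_key)


def demo():
    # Constructed sample data, not taken from the patent.
    fs_a, fs_b = FileServer("fs-a"), FileServer("fs-b")
    card = SmartCard(b"\x01" * 16, "correct horse")
    record = UserRecord("alice", card.electronic_key, {"fs-a": ["/projects"]}, expires_at=1000.0)
    ds = DirectoryServer([record], [fs_a, fs_b])

    results = {"wrong_password": ds.login(card, "guess", now=10.0)}
    label = ds.login(card, "correct horse", now=10.0)
    results["allowed"] = open_directory(card, label, fs_a, "/projects")
    results["not_in_label"] = open_directory(card, label, fs_a, "/finance")
    results["other_server"] = fs_b.has_key(card.electronic_key)
    ds.logout(card)
    # A label kept from the earlier session is useless once the key is deleted.
    results["after_logout"] = open_directory(card, label, fs_a, "/projects")
    results["expired_login"] = ds.login(card, "correct horse", now=2000.0)
    results["key_after_expired_login"] = fs_a.has_key(card.electronic_key)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```
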

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A file management system (10) for and method of managing access to electronic files is disclosed. The system (10) comprises a file server (14) associated with a plurality of directories, the file server (14) facilitating access to at least one of the directories by a user terminal (12) during use, and a directory server (16) arranged to cooperate with the user terminal (12) so as to authenticate the identity of a user of the user terminal (12), and to forward an identifier to the file server (14) when the identity of the user is authenticated. The file server (14) is arranged to store identifiers received from the directory server (16) and to allow a user terminal (12) to access one or more of the file directories associated with the file server (14) when an identifier associated with the user of the user terminal (12) is stored on the file server (14). A directory server for use with a file management system is also disclosed.

Description

A FILE MANAGEMENT SYSTEM
Field of the Invention
The present invention relates to a file management system for managing access to one or more directories by a user terminal, to a directory server for use in a file management system and to a method of managing files.
Background of the Invention
It is known to provide a file management system which includes a file server associated with a plurality of directories and which facilitates access to at least one of the directories by a user terminal. In general, a record of each authorised user and the directories allowable for access by the user is stored on the file server, and following authentication of the identity of the user by the user terminal and/or the directory server, access to the allowable directories by the user terminal is granted.
Authentication may be carried out in a variety of ways. For example, each user may be provided with a smart card on which is stored an electronic identification key and a password. During use, the stored password is compared with a password entered by a user and the electronic key is compared with electronic keys stored on the file server.
However, such a system involves significant resource commitment on the file server.
Summary of the Invention
In accordance with a first aspect of the present invention, there is provided a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
In one arrangement, the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights. The file access information may include information indicative of the location of at least one file directory for which the user has valid access rights.
Preferably, the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive. The directory server may be arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
In one arrangement, the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card. Authentication may be carried out using a certificate and public keys.
In one arrangement, the identifier is an electronic identification key stored on a smart card and on the directory server.
The directory server and the file server may be arranged so as to facilitate communications through the Internet.
A plurality of file servers may be provided and the file management system may comprise at least one user terminal.
In accordance with a second aspect of the present invention, there is provided a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
In accordance with a third aspect of the present invention, there is provided a computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
In accordance with a fourth aspect of the present invention, there is provided a computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
In accordance with a fifth aspect of the present invention, there is provided a computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
In accordance with a sixth aspect of the present invention, there is provided a computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
In accordance with a seventh aspect of the present invention, there is provided a method of managing access to electronic files, said method comprising the steps of: providing a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, providing a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, forwarding an identifier to the file server when the identity of the user is authenticated by the directory server, storing identifiers received from the directory server on the file server, and allowing a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
In one arrangement, the method further includes the step of forwarding file access information from the directory server to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights. The file access information may include information indicative of the location of at least one file directory for which the user has valid access rights.
Preferably, the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive. The method may further include the step of automatically changing the user status from active to inactive after a predetermined period of time.
Description of the Drawings
The present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram of a file management system in accordance with an embodiment of the present invention shown during use in communication with a user terminal;
Figure 2 is a diagrammatic representation of a smart card for use with the file management system shown in Figure 1;
Figure 3 is a diagrammatic representation of information stored in the smart card shown in Figure 2;
Figure 4 is a diagrammatic representation of a table of information stored in a directory server of the file management system shown in Figure 1; and
Figure 5 is a flow diagram illustrating steps of an example operation of the file management system shown in Figure 1.
Description of an Embodiment of the Present Invention
In the following description of an embodiment of the invention, it will be understood that the invention may be implemented as hardware and/or software using an appropriate platform such as a computing system.
Referring to Figure 1 of the drawings, there is shown a file management system 10 in accordance with an embodiment of the present invention shown during use in communication with a user terminal 12 disposed at a remote location relative to the file management system 10. However, it will be understood that the user terminal 12 is not necessarily disposed at a remote location relative to the file management system 10 and may be disposed adjacent the file management system 10.
The file management system 10 includes a file server 14 associated with several file directories, and a directory server 16 which cooperates with the user terminal 12 and the file server 14 so as to enable or disable access to the file directories by the user terminals 12.
It will be understood that although one user terminal 12 is shown in Figure 1, in practice several user terminals would be present, each user terminal 12 being associated with a user desiring to access one or more file directories associated with the file server 14.
It will also be understood that although one file server 14 is shown in Figure 1, in practice more than one file server 14 may be present. If more than one file server 14 is present, the file servers 14 may be disposed at the same location or at different locations.
In the present example, each user terminal is arranged to communicate with the file server 14 and the directory server 16 through the Internet 18, although it will be understood that other communications arrangements are possible, the important aspect being that each user terminal 12 is able to communicate with the file server 14 and the directory server 16 from a remote location.
Also in the present example, the user terminal 12 shown in Figure 1 has an associated smart card reader 20 which is able to accept and read smart cards 22, and which is arranged to pass information obtained from the smart card 22 to the user terminal 12 for the purposes of authentication of a user.
However, although the present example uses smart cards to authenticate users, it will be understood that other authentication arrangements are possible. For example, authentication may use certificates and public keys.
The file server 14 is arranged to receive identifiers from the directory server 16, in this example through the Internet 18, which identifiers are indicative of the identity of the users having valid access rights to one or more of the directories associated with the file server 14. In this example, each of the identifiers is an electronic identification key 28 which is recorded on a smart card 22 associated with a user and which is stored on the directory server 16. When an identifier associated with a user has been received from the directory server and is stored on the file server 14, the file server 14 grants the user terminal 12 access to at least one of the directories associated with the file server.
The directory server 16 is arranged to cooperate with user terminals 12 so as to authenticate the identity of the users associated with the user terminals 12. In addition, for each user, the directory server is arranged to forward an identifier, in this example in the form of an electronic identification key, to the relevant file server(s) 14 for which the user has valid access rights when the identity of the user has been authenticated.
In this example, a smart card 22 as shown in Figure 2 is used to authenticate the identity of a user.
The smart card 22 includes a static identification key 24 disposed on a surface of the smart card 22 and usable to facilitate identification of the owner of the smart card in the event that the smart card is lost. In this example, the static identification key 24 is printed on the smart card 22.
The smart card 22 also includes electronic circuitry 26, in this example in the form of a processor and a memory, the memory storing an electronic identification key 28 unique to the smart card 22 and thereby the owner of the smart card 22, and a password 30 known to the owner of the smart card 22, as shown in Figure 3.
For the purposes of authentication and management of access rights for each user associated with the file management system 10, a database 40 of user records 42 is stored in the directory server 16. Each user record 42 includes the name of the user, the static identification key 24 disposed on the smart card 22 associated with the user, the electronic identification key 28 stored on the smart card 22 associated with the user, file access information in the form of file server information 48 indicative of the file server(s) 14 in relation to which the user has been granted access rights and directory information 50 indicative of the directories in relation to which the user has been granted access rights, and an indication as to whether the status of the user is active or expired. The file server information 48 and the directory information 50 are collectively referred to as a label 54.
The directory server 16 may be arranged so that each user record 42 has an active lifespan whereby after a predetermined period of time the status of the user changes automatically to "expired". This allows user records to expire without administrator input. The user records are modifiable by an administrator, for example so as to maintain the status as active, to modify the allowable directories, and so on.
The directory server 16 is also arranged to forward the labels 54 associated with the relevant user records 42 to the relevant user terminals 12 when the users have been authenticated by the directory server 16. Each label 54 serves to indicate to a user terminal 12 the locations of the file server(s) 14 and the directories in relation to which the user has been granted access rights.
The user terminal 12 is arranged to cooperate with the directory server 16 so as to authenticate the identity of a user when a smart card 22 of the user is introduced into the reader 20. In this example, authentication is carried out by comparing an electronic identification key 28 stored on a smart card 22 with an electronic identification key stored in the directory server 16, and by comparing a password 30 stored on the smart card 22 with a password entered into the user terminal 12 by a user.
Upon successful authentication of the identity of the user and if the user status is active, the directory server 16 forwards a copy of the electronic key 28 associated with the authenticated user to the relevant file servers 14 listed in the relevant user record 42. If the user status is expired, the directory server 16 does not forward the electronic key 28 to the file server(s) 14. The directory server 16 also forwards a label 54 associated with the authenticated user and listed in the relevant user record 42 to the user terminal 12, the label 54 being usable by the user terminal 12 to identify the relevant file servers and directories which are allowable for access by the user.
In order to access the allowable directories, the identity of the user is re-authenticated by comparing the electronic key 28 stored on the smart card 22 with the electronic keys 28 received from the directory server 16 and stored in the file server 14. If the relevant electronic key 28 is absent from the file server 14, access to the file server is denied.
It will be understood that each electronic key 28 forwarded to a file server 14 is stored only temporarily on the file server 14 for the duration that the relevant user is authenticated by and in communication with the directory server 16. When communication between the user terminal 12 and the directory server 16 ceases, for example because the smart card 22 has been removed from the reader 20, the electronic key 28 is deleted from the file server 14 so that access to the file directory on the file server 14 is no longer possible.
An example of operation of the file management system 10 is illustrated by the flow diagram 56 in Figure 5.
As can be seen by steps 58 to 88 of the flow diagram 56, a user desiring access to one or more file directories first introduces a smart card 22 associated with the user into the smart card reader 20. The directory server 16 through the user terminal 12 then queries the smart card 22 for the electronic identification key 28 stored in the smart card 22 and the smart card electronic key 28 is compared with electronic identification keys 28 stored in a plurality of user records 42 on the directory server 16. If the smart card electronic key 28 matches with an electronic key 28 stored in the directory server 16, the user terminal 12 queries the user for a password. If the password entered by the user is the same as the password stored on the smart card 22, the identity of the user is authenticated. Following authentication, the directory server 16 forwards copies of the electronic key 28 to the file servers listed in the relevant user record 42 associated with the user, and the directory server 16 forwards the label 54 in the relevant user record 42 to the user terminal 12. Using the received label 54, the user terminal 12 is able to locate any of the file servers listed in the label. On connection to an allowed file server 14, the smart card electronic key 28 is compared with electronic keys stored on the file server 14 and, if the smart card electronic key 28 matches with an electronic key stored on the file server 14, access is granted to the directories on the file server 14 listed in the label 54.
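The flow just described can be traced in a small in-memory model. This is an added example, not code from the patent: the class and method names, the sample keys, passwords and times, the constant-time comparisons, and the choice to return the label to an expired user while withholding the key are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class SmartCard:                 # smart card 22
    electronic_key: bytes        # electronic identification key 28
    password: str                # password 30, held in card memory


@dataclass
class UserRecord:                # user record 42 in database 40
    name: str
    electronic_key: bytes
    label: dict                  # label 54: {file server name: [directories]}
    expires_at: float            # end of the record's active lifespan

    def status(self, now: float) -> str:
        return "active" if now < self.expires_at else "expired"


class FileServer:                # file server 14
    def __init__(self, name: str):
        self.name = name
        self._session_keys = set()   # keys 28, held only while a session lasts

    def store_key(self, key: bytes) -> None:
        self._session_keys.add(key)

    def delete_key(self, key: bytes) -> None:
        self._session_keys.discard(key)

    def access(self, card: SmartCard, label: dict, directory: str) -> bool:
        # Re-authentication: the card's key must currently be on this server.
        present = any(hmac.compare_digest(card.electronic_key, k)
                      for k in self._session_keys)
        # label is the copy the directory server forwarded to the terminal.
        return present and directory in label.get(self.name, [])


class DirectoryServer:           # directory server 16
    def __init__(self, file_servers, records):
        self.file_servers = {fs.name: fs for fs in file_servers}
        self.records = list(records)

    def authenticate(self, card: SmartCard, entered_password: str, now: float):
        """Return the user's label 54 on success, None on failure."""
        record = next((r for r in self.records
                       if hmac.compare_digest(r.electronic_key, card.electronic_key)),
                      None)
        if record is None:
            return None
        # The entered password is compared with the one stored on the card.
        if not hmac.compare_digest(card.password.encode(), entered_password.encode()):
            return None
        # The key is forwarded only while the user status is active.
        if record.status(now) == "active":
            for name in record.label:
                self.file_servers[name].store_key(record.electronic_key)
        return record.label

    def end_session(self, card: SmartCard) -> None:
        # Card removed or link dropped: delete the key from every file server.
        for fs in self.file_servers.values():
            fs.delete_key(card.electronic_key)


def run_demo() -> dict:
    # All names, keys, passwords and times below are constructed sample values.
    fs = FileServer("fs-a")
    alice = SmartCard(b"key-alice-0001", "correct horse")
    bob = SmartCard(b"key-bob-0002", "hunter2")
    ds = DirectoryServer([fs], [
        UserRecord("alice", alice.electronic_key, {"fs-a": ["/projects"]}, expires_at=100.0),
        UserRecord("bob", bob.electronic_key, {"fs-a": ["/finance"]}, expires_at=10.0),
    ])
    out = {}
    out["wrong_password"] = ds.authenticate(alice, "guess", now=50.0)
    label = ds.authenticate(alice, "correct horse", now=50.0)
    out["allowed_dir"] = fs.access(alice, label, "/projects")
    out["unlisted_dir"] = fs.access(alice, label, "/finance")
    ds.end_session(alice)
    out["after_card_removed"] = fs.access(alice, label, "/projects")
    bob_label = ds.authenticate(bob, "hunter2", now=50.0)   # record expired at t=10
    out["expired_gets_label"] = bob_label is not None
    out["expired_access"] = fs.access(bob, bob_label, "/finance")
    return out


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

In this model the file server is the enforcement point: a user whose record has expired, or whose session has ended, is refused because the key is absent from the file server, whatever label the terminal holds.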
It will be appreciated that data which is transferred between the user terminal 12 and the allowed directories may be encrypted using the electronic identification key 28.
Where systems of the present invention are implemented by software applications, or partly implemented by software, they may take the form of program code stored on or available from computer readable media, such as CD-ROMs or any other machine readable media, the program code comprising instructions which, when loaded into a machine such as a computer, cause the machine to become a system for carrying out the invention. The computer readable media may include transmission media, such as cabling, fibre optics or any other form of transmission media.
In the claims which follow and in the preceding description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention.
Modifications and variations as would be apparent to a skilled addressee are deemed to be within the scope of the present invention.

Claims

1. A file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
2. A file management system as claimed in claim 1, wherein the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
3. A file management system as claimed in claim 2, wherein the file access information includes information indicative of the location of at least one file directory for which the user has valid access rights.
4. A file management system as claimed in any one of the preceding claims, wherein the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
5. A file management system as claimed in claim 4, wherein the directory server is arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
6. A file management system as claimed in any one of the preceding claims, wherein the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card.
7. A file management system as claimed in any one of the preceding claims, wherein authentication is carried out using a certificate and public keys.
8. A file management system as claimed in claim 6 or claim 7, wherein the identifier is an electronic identification key stored on a smart card and on the directory server.
9. A file management system as claimed in any one of the preceding claims, wherein the directory server and the file server are arranged so as to facilitate communications through the Internet.
10. A file management system as claimed in any one of the preceding claims, further comprising a plurality of file servers.
11. A file management system as claimed in any one of the preceding claims, wherein the file management system comprises at least one user terminal.
12. A directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
13. A directory server as claimed in claim 12, wherein the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
14. A directory server as claimed in claim 13, wherein the file access information includes information indicative of the location of at least one file directory for which the user has valid access rights.
15. A directory server as claimed in any one of claims 12 to 14, wherein the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
16. A directory server as claimed in claim 15, wherein the directory server is arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
17. A directory server as claimed in any one of claims 12 to 16, wherein the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card.
18. A directory server as claimed in any one of claims 12 to 17, wherein authentication is carried out using a certificate and public keys.
19. A directory server as claimed in claim 17 or claim 18, wherein the identifier is an electronic identification key stored on a smart card and on the directory server.
20. A computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, and a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
21. A computer program as claimed in claim 20, wherein the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
22. A computer program as claimed in claim 21, wherein the file access information includes information indicative of the location of at least one file directory for which the user has valid access rights.
23. A computer program as claimed in any one of claims 20 to 22, wherein the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
24. A computer program as claimed in claim 23, wherein the directory server is arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
25. A computer program as claimed in any one of claims 20 to 24, wherein the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card.
26. A computer program as claimed in any one of claims 20 to 25, wherein authentication is carried out using a certificate and public keys.
27. A computer program as claimed in claim 25 or claim 26, wherein the identifier is an electronic identification key stored on a smart card and on the directory server.
28. A computer program arranged, when loaded into a computing system, to instruct the computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
29. A computer program as claimed in claim 28, wherein the directory server is arranged to forward file access information to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
30. A computer program as claimed in claim 29, wherein the file access information includes information indicative of the location of at least one file directory for which the user has valid access rights.
31. A computer program as claimed in any one of claims 28 to 30, wherein the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
32. A computer program as claimed in claim 31, wherein the directory server is arranged so as to automatically change the user status from active to inactive after a predetermined period of time.
33. A computer program as claimed in any one of claims 28 to 32, wherein the directory server is arranged to cooperate with the user terminal and with a smart card reader so as to authenticate the identity of a user by reading information from a smart card.
34. A computer program as claimed in any one of claims 28 to 33, wherein authentication is carried out using a certificate and public keys.
35. A computer program as claimed in claim 33 or claim 34, wherein the identifier is an electronic identification key stored on a smart card and on the directory server.
36. A computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a file management system for managing access to electronic files, said system comprising: a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to the file server when the identity of the user is authenticated, the file server being arranged to store identifiers received from the directory server and to allow a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
37. A computer useable medium having a computer readable program code embodied therein for causing a computing system to operate in accordance with a directory server for use in a file management system, said directory server being arranged to cooperate with a user terminal so as to authenticate the identity of a user of the user terminal, and to forward an identifier to a file server when the identity of the user is authenticated, the presence or absence of the identifier at the file server being usable by the file server to permit or restrict access to the file server by the user terminal.
38. A method of managing access to electronic files, said method comprising the steps of: providing a file server associated with a plurality of directories, the file server facilitating access to at least one of the directories by a user terminal during use, providing a directory server arranged to cooperate with the user terminal so as to authenticate the identity of a user of the user terminal, forwarding an identifier to the file server when the identity of the user is authenticated by the directory server, storing identifiers received from the directory server on the file server, and allowing a user terminal to access one or more of the file directories associated with the file server when an identifier associated with the user of the user terminal is stored on the file server.
39. A method as claimed in claim 38, further including the step of forwarding file access information from the directory server to a user terminal during use when the identity of the user is authenticated, the file access information being indicative of the location of at least one file server for which the user has valid access rights.
40. A method as claimed in claim 39, wherein the file access information includes information indicative of the location of at least one file directory for which the user has valid access rights.
41. A method as claimed in any one of claims 38 to 40, wherein the directory server includes for each user an indication as to whether the status of the user is active or inactive, and the directory server is arranged to forward an identifier to the file server when the user status is active and to not forward an identifier to the file server when the user status is inactive.
42. A method as claimed in claim 41, further including the step of automatically changing the user status from active to inactive after a predetermined period of time.
43. A file management system substantially as hereinbefore described with reference to, and shown in, the accompanying drawings.
44. A directory server substantially as hereinbefore described with reference to, and shown in, the accompanying drawings.
45. A method of managing files substantially as hereinbefore described with reference to, and shown in, the accompanying drawings.
PCT/SG2004/000125 2004-05-07 2004-05-07 A file management system WO2005109211A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SG2004/000125 WO2005109211A1 (en) 2004-05-07 2004-05-07 A file management system

Publications (1)

Publication Number Publication Date
WO2005109211A1 (en) 2005-11-17

Family

ID=35320385

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2004/000125 WO2005109211A1 (en) 2004-05-07 2004-05-07 A file management system

Country Status (1)

Country Link
WO (1) WO2005109211A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000259476A (en) * 1999-03-10 2000-09-22 Toshiba Corp File management system and server computer
JP2003208350A (en) * 2002-01-10 2003-07-25 Nippon Telegr & Teleph Corp <Ntt> Device, method for managing file and its processing program
US20040054717A1 (en) * 2000-05-10 2004-03-18 Stephane Aubry Application service provider method and apparatus
WO2004104877A1 (en) * 2003-05-23 2004-12-02 Iris-Geneve Secure computer network system for personal data management

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1796052A2 (en) * 2005-12-02 2007-06-13 Palo Alto Research Center Incorporated System and method for establishing temporary and permanent credentials for secure online commerce
EP1796052A3 (en) * 2005-12-02 2013-03-27 Palo Alto Research Center Incorporated System and method for establishing temporary and permanent credentials for secure online commerce

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase