FIELD: information technologies.
SUBSTANCE: the invention relates to information security. On the side of the protected object, the object data administrator generates a unique identifier ID of the protected object and a random symmetric object administration key CA, obtains the symmetric object data encryption key CO by derived-key calculation from the CA key using the ID identifier as the modifier, encrypts the protected object data on the CO key to obtain the encrypted data SDO, and generates a service data block containing the ID identifier, information about the protected object and a specification of the cryptographic functions used. The administrator then forms the object access list, consisting of the accounts of users to whom access to the protected object is granted, at least one of which belongs to the object administrator. For each account the following actions are performed: the public key of the selected user, who holds an asymmetric key pair comprising a public key and a private key, is received; a random number is generated and taken as a temporary identifier, and the account identifier is generated with the temporary identifier as its value; a random asymmetric key pair comprising a public key and a private key is generated; a random symmetric account key KZ is generated; a common symmetric key KZP is calculated from the private key and the public key, and the KZ key is encrypted on the KZP key to obtain the encrypted key; a decision is made on assigning administrator rights to the user, and a parameter value characterizing whether the user holds administrator rights is generated; a data block is generated and encrypted on the KZ key to obtain encrypted data; a text description of the selected user account is formed; an administration verification data block is generated and encrypted on the CA key to obtain encrypted data; and the selected user account is generated. The encrypted SDO data, the service information and the object access list are stored together.
EFFECT: enabling the decentralized control over the data access rights.
1 claim
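The key hierarchy described under SUBSTANCE, modelled end to end as an added example; this is not code from the patent, which names no concrete algorithms. It assumes X25519 (RFC 7748) for the "common symmetric key" agreement between the generated private key and the user's public key, HMAC-SHA256 as the derived-key calculation, and, because the Python standard library has no AES, an HMAC-based encrypt-then-MAC construction as the symmetric cipher. The contents of the per-account data block (CO for every user, CA only for administrators), the contents of the administration verification block, and looking an account up by its text description are likewise assumptions made for this model. `verify_access_list` shows what the CA-encrypted verification blocks give a defender: any holder of CA, with no central server involved, can detect a tampered administrator flag in the stored access list.

```python
import hashlib
import hmac
import json
import os

# X25519 (RFC 7748) is assumed as the key agreement; the patent does not name a curve.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: shared point for scalar k and point u (constant-time swap omitted here)."""
    k = int.from_bytes(k, "little") & ((1 << 255) - 1) & ~7 | (1 << 254)   # RFC 7748 clamping
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    """Random X25519 key pair: (private scalar, public point)."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def kdf(key: bytes, modifier: bytes) -> bytes:
    """Derived-key calculation, assumed to be HMAC-SHA256(key, modifier)."""
    return hmac.new(key, modifier, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF keystream: HMAC-SHA256(enc_key, nonce || counter) blocks, enough to cover n bytes."""
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the unspecified cipher: nonce || ciphertext || tag."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Checks the tag in constant time before decrypting; ValueError on wrong key or tampering."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def create_protected_object(data: bytes, info: str, users: dict) -> dict:
    """Administrator side. users maps name -> (user public key, grant_admin). Returns the stored record."""
    obj_id = os.urandom(16)                 # ID: unique identifier of the protected object
    ca = os.urandom(32)                     # CA: random object administration key
    co = kdf(ca, obj_id)                    # CO: data key derived from CA with ID as modifier
    sdo = seal(co, data)                    # SDO: encrypted object data
    service = {"id": obj_id.hex(), "info": info, "kdf": "HMAC-SHA256",
               "cipher": "HMAC-CTR + HMAC (model)", "agreement": "X25519"}
    acl = []
    for name, (user_pub, is_admin) in users.items():
        tmp_id = os.urandom(16).hex()       # random number taken as the temporary identifier
        eph_priv, eph_pub = keygen()        # random asymmetric pair generated for this account
        kz = os.urandom(32)                 # KZ: random symmetric account key
        kzp = x25519(eph_priv, user_pub)    # KZP: common key from our private key and the user's public key
        # Assumed block contents: CO for every user, CA only where administrator rights are granted.
        block = json.dumps({"co": co.hex(), "ca": ca.hex() if is_admin else None}).encode()
        # Assumed verification block: binds the account identifier to its administrator flag under CA.
        verification = json.dumps({"account": tmp_id, "admin": is_admin}).encode()
        acl.append({"account_id": tmp_id, "description": f"user {name}", "admin": is_admin,
                    "eph_pub": eph_pub.hex(), "enc_kz": seal(kzp, kz).hex(),
                    "enc_block": seal(kz, block).hex(), "enc_verification": seal(ca, verification).hex()})
    return {"sdo": sdo.hex(), "service": service, "acl": acl}

def open_account_block(record: dict, name: str, user_priv: bytes) -> dict:
    """User side: recompute KZP from the stored ephemeral public key, unwrap KZ, open the data block."""
    acct = next(a for a in record["acl"] if a["description"] == f"user {name}")
    kzp = x25519(user_priv, bytes.fromhex(acct["eph_pub"]))
    kz = unseal(kzp, bytes.fromhex(acct["enc_kz"]))
    return json.loads(unseal(kz, bytes.fromhex(acct["enc_block"])))

def read_protected_object(record: dict, name: str, user_priv: bytes) -> bytes:
    co = bytes.fromhex(open_account_block(record, name, user_priv)["co"])
    return unseal(co, bytes.fromhex(record["sdo"]))

def verify_access_list(record: dict, ca: bytes) -> bool:
    """Any CA holder: each account's plaintext admin flag must match its CA-encrypted verification block."""
    for a in record["acl"]:
        v = json.loads(unseal(ca, bytes.fromhex(a["enc_verification"])))
        if v != {"account": a["account_id"], "admin": a["admin"]}:
            return False
    return True
```

Whoever can open an account block containing CA is an administrator of that object: they can re-derive CO from CA and the stored ID, check every verification block, and add further accounts, which is the decentralized rights control the EFFECT section refers to. In a real deployment the ephemeral private key is discarded immediately after KZP is computed, and an AEAD such as AES-GCM replaces the HMAC-based stand-in used here.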
Title | Year | Author | Number |
---|---|---|---|
METHOD OF CONTROLLING IDENTIFICATION OF USERS OF INFORMATION RESOURCES OF HETEROGENEOUS COMPUTER NETWORK | 2009 | | RU2415466C1 |
METHOD FOR CREATING PROTECTED VIRTUAL NETWORKS | 2004 | | RU2276466C1 |
SYSTEM FOR CONTROLLING ACCESS TO CREATED ENCRYPTED FILES | 2013 | | RU2533061C1 |
DEVICE FOR MANDATORY ACCESS TO ELECTRONIC INFORMATION RESOURCES | 2022 | | RU2792790C1 |
METHOD OF PROTECTING DATA IN A COMPUTING SYSTEM | 2019 | | RU2715293C1 |
CREATING AND VALIDATING CRYPTOGRAPHICALLY SECURED DOCUMENTS | 2008 | | RU2500075C2 |
PEER-TO-PEER AUTHENTICATION AND AUTHORISATION | 2005 | | RU2390945C2 |
SECURE ACCESS TO PERSONAL HEALTH RECORDS IN EMERGENCY SITUATIONS | 2012 | | RU2602790C2 |
SECURE DATA HANDLING BY VIRTUAL MACHINE | 2013 | | RU2648941C2 |
INFRASTRUCTURE FOR VERIFYING BIOMETRIC ACCOUNT DATA | 2007 | | RU2434340C2 |
Authors
Dates
2018-06-25—Published
2017-07-26—Filed