Systems and methods for distributed identity verification

US 10,237,259 B2
Filed: 02/28/2017
Issued: 03/19/2019
Est. Priority Date: 02/29/2016
Status: Active Grant

First Claim

Patent Images

1. An identity management method for controlling an exchange of data bundles by an identity provider server, the method comprising:

receiving, at the identity provider server, a first request from a user agent server, the first request identifying one or more claim categories;

generating, at the identity provider server, a data bundle at a first time in response to the first request, the data bundle identifying one or more attributes associated with a user related to the user agent server, wherein each attribute corresponds to a claim category of the one or more claim categories identified in the first request and a corresponding value;

the identity provider server encrypting the data bundle with a user encryption key (UEK);

transmitting, by the identity provider server, the data bundle to the user agent server;

generating a first entry;

signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry;

generating a second entry; and

signing the second entry with a second key to generate a signed second entry, the second key being derived from the identity provider private key;

at a first ledger;

verifying a signature of the identity provider server on the first entry to generate a first signature verification result;

storing the first entry in the first ledger based on the first signature verification result; and

transmitting a first entry address to the identity provider server, the first entry address identifying an address of the first entry in the first ledger;

at a second ledger;

verifying a signature of the identity provider server on the second entry to generate a second signature verification result;

storing the second entry in the second ledger based on the second signature verification result; and

transmitting a second entry address to the identity provider server, the second entry address identifying an address of the second entry in the second ledger; and

at one or more auditor servers;

receiving a first ledger identifier identifying the first ledger storing the first entry, a second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry address;

accessing the first entry based on the first ledger identifier and the first entry address;

verifying the signature of the identity provider server on the first entry;

accessing the second entry based on the second ledger identifier and the second entry address;

verifying the signature of the identity provider server on the second entry;

generating a confirmation entry for each of the one or more auditor servers, wherein each confirmation entry is based on successful verification of the signature of the identity provider server on the first entry and the signature of the identity provider server on the second entry; and

linking the first entry address to the second ledger identifier and the second entry address to the first ledger identifier based on the confirmation entry of the one or more auditor servers,wherein the identity provider server, the user agent server, the first ledger, the second ledger, and the one or more auditor servers are executed by one or more computing devices and communicate via a data communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for decentralized and asynchronous authentication flow between users, relying parties and identity providers. A trusted user agent application or digital lock box under a user'"'"'s control may perform the functions of an authentication broker. In particular, the user agent application or digital lock box can accept relying party requests and respond with authentication and identity data previously obtained from an identity provider server, and without the involvement of a centralized broker server.

44 Citations

View as Search Results

9 Claims

1. An identity management method for controlling an exchange of data bundles by an identity provider server, the method comprising:
- receiving, at the identity provider server, a first request from a user agent server, the first request identifying one or more claim categories;
  
  generating, at the identity provider server, a data bundle at a first time in response to the first request, the data bundle identifying one or more attributes associated with a user related to the user agent server, wherein each attribute corresponds to a claim category of the one or more claim categories identified in the first request and a corresponding value;
  
  the identity provider server encrypting the data bundle with a user encryption key (UEK);
  
  transmitting, by the identity provider server, the data bundle to the user agent server;
  
  generating a first entry;
  
  signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry;
  
  generating a second entry; and
  
  signing the second entry with a second key to generate a signed second entry, the second key being derived from the identity provider private key;
  
  at a first ledger;
  
  verifying a signature of the identity provider server on the first entry to generate a first signature verification result;
  
  storing the first entry in the first ledger based on the first signature verification result; and
  
  transmitting a first entry address to the identity provider server, the first entry address identifying an address of the first entry in the first ledger;
  
  at a second ledger;
  
  verifying a signature of the identity provider server on the second entry to generate a second signature verification result;
  
  storing the second entry in the second ledger based on the second signature verification result; and
  
  transmitting a second entry address to the identity provider server, the second entry address identifying an address of the second entry in the second ledger; and
  
  at one or more auditor servers;
  
  receiving a first ledger identifier identifying the first ledger storing the first entry, a second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry address;
  
  accessing the first entry based on the first ledger identifier and the first entry address;
  
  verifying the signature of the identity provider server on the first entry;
  
  accessing the second entry based on the second ledger identifier and the second entry address;
  
  verifying the signature of the identity provider server on the second entry;
  
  generating a confirmation entry for each of the one or more auditor servers, wherein each confirmation entry is based on successful verification of the signature of the identity provider server on the first entry and the signature of the identity provider server on the second entry; and
  
  linking the first entry address to the second ledger identifier and the second entry address to the first ledger identifier based on the confirmation entry of the one or more auditor servers,wherein the identity provider server, the user agent server, the first ledger, the second ledger, and the one or more auditor servers are executed by one or more computing devices and communicate via a data communication network.

2. The identity management method of claim 1, further comprising, prior to receiving the first request, registering the user agent server at the identity provider server, wherein registering the user agent server at the identity provider server comprises:
- receiving a user agent public key corresponding to the user agent server and a first user agent address uniquely identifying the user agent server to the identity provider server, wherein the first user agent address and the user encryption key are at least partially based on the user agent public key; and
  
  transmitting an identity provider public key associated with the identity provider server to the user agent server.

3. The identity management method of claim 2, further comprising:
- generating, at the identity provider server, a data bundle ownership public key for the user agent server, the data bundle ownership public key being usable for releasing a response bundle based on one or more data bundles to a relying party server.

4. The identity management method of claim 1, further comprising:
- generating a first entry for a first ledger, the first entry comprising;
  
  a hashed data bundle generated by cryptographic hashing of the data bundle;
  
  the data bundle ownership public key;
  
  the identity provider public key;
  
  the one or more hashed attributes and corresponding blinding factor;
  
  a cryptographic nonce;
  
  metadata corresponding to the one or more attributes;
  
  expiry information corresponding to the one or more attributes;
  
  a second ledger identifier identifying a second ledger storing a corresponding second entry and a second entry address identifying an address of the second entry in the second ledger; and
  
  a revocation status of the data bundle.

5. The identity management method of claim 1, further comprising:
- generating a second entry for a second ledger, the second entry comprising;
  
  a hashed data bundle generated by cryptographic hashing of the data bundle;
  
  a cryptographic hash of the data bundle ownership public key and a corresponding blinding factor;
  
  a cryptographic hash of the identity provider public key and a corresponding blinding factor;
  
  the one or more hashed attributes and corresponding blinding factor;
  
  a cryptographic nonce;
  
  metadata corresponding to the one or more attributes;
  
  expiry information corresponding to the one or more attributes; and
  
  a revocation status of the data bundle.

6. The identity management method of claim 1, further comprising:
- generating an auditor bundle for the one or more auditor servers, the auditor bundle comprising a first ledger identifier identifying the first ledger storing the first entry, a second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry address; and
  
  signing the auditor bundle with the identity provider private key corresponding to the identity provider server to generate a signed auditor bundle.

7. The identity management method of claim 1, wherein the identity provider server is a group identity provider server, the method further comprising:
- the identity provider server determining that a child transaction is required to fulfil the first request; and
  
  generating at least one child transaction request; and
  
  transmitting the at least one child transaction request to at least one other group identity provider server.

8. The identity management method of claim 1, further comprising:
- the identity provider server determining that a blind query is required to fulfil the first request; and
  
  generating at least one blind query; and
  
  transmitting the at least one blind query to at least one other identity provider server.

9. An identity management system for controlling an exchange of data bundles, the system comprising:
- a data communication network;
  
  a user agent server configured to transmit a first request identifying one or more claim categories to an identity provider server via the data communication network;
  
  the identity provider server in communication with the user agent server via the data communication network, the identity provider server being configured to;
  
  receive the first request;
  
  generate a data bundle at a first time in response to the first request, the data bundle identifying one or more attributes associated with a user related to the user agent server, wherein each attribute corresponds to a claim category of the one or more claim categories identified in the first request and a corresponding value;
  
  transmit the data bundle to the user agent server;
  
  generate a first entry;
  
  sign the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry;
  
  generate a second entry; and
  
  sign the second entry with a second key to generate a signed second entry, the second key being derived from the identity provider private key;
  
  a first ledger in communication with the data communication network and configured to;
  
  verify a signature of the identity provider server on the first entry to generate a first signature verification result;
  
  store the first entry in the first ledger based on the first signature verification result; and
  
  transmit a first entry address to the identity provider server, the first entry address identifying an address of the first entry in the first ledger;
  
  a second ledger in communication with the data communication network and configured to;
  
  verify signature of the identity provider server on the second entry to generate a second signature verification result;
  
  store the second entry in the second ledger based on the second signature verification result; and
  
  transmit a second entry address to the identity provider server, the second entry address identifying an address of the second entry in the second ledger; and
  
  one or more auditor servers in communication with the first ledger and the second ledger via the data communication network, the one or more auditor servers configured to;
  
  receive a first ledger identifier identifying the first ledger storing the first entry, a second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry address;
  
  access the first entry based on the first ledger identifier and the first entry address;
  
  verify the signature of the identity provider server on the first entry;
  
  access the second entry based on the second ledger identifier and the second entry address;
  
  verify the signature of the identity provider server on the second entry;
  
  generate a confirmation entry for each of the one or more auditor servers, wherein each confirmation entry is based on successful verification of the signature of the identity provider server on the first entry and the signature of the identity provider server on the second entry; and
  
  link the first entry address to the second ledger identifier and the second entry address to the first ledger identifier based on the confirmation entry of the one or more auditor servers,wherein the identity provider server, the user agent server, the first ledger, the second ledger, and the one or more auditor servers are executed by one or more computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Ronda, Troy Jacob, Roberge, Pierre Antoine, Barinov, Dmitry, Varley, Michael, Stark, David Alexander, Wolfond, Gregory Howard, Likic, Aleksandar, Page, Michael John
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/445,367
Publication Number

US 20170250972A1
Time in Patent Office

749 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 9/08   Key distribution or managem...

H04L 9/0891   Revocation or update of sec...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Systems and methods for distributed identity verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for distributed identity verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links