Secure communications using loop-based authentication flow

US 10,263,779 B2
Filed: 03/07/2016
Issued: 04/16/2019
Est. Priority Date: 09/24/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a first party, comprising:

electronically receiving a first digital message from a second party, wherein the first digital message has been encrypted using a first secret key associated with the second party;

further encrypting the first digital message using a computing device of the first party and using a second secret key associated with the first party;

transmitting the further encrypted first digital message as a second digital message to a third party, the third party to decrypt the second digital message using the second secret key, to thereby recover the first digital message therefrom;

transmitting to the third party identification information for the second party, wherein the third party is to use the identification information to obtain decryption of the first digital message according to the first secret key, to obtain from the first digital message payload information provided by the second party which was encrypted using the first secret key, wherein the payload information comprises at least one of a federated credential, a token and a secret key;

electronically receiving from the third party a third digital message comprising the payload information provided by the second party, encrypted using the second secret key; and

decrypting the third digital message using the second secret key;

wherein the method further comprisesreceiving a header with the third digital message which identifies the second party,determining based on the header that the third digital message corresponds to the first digital message, andstoring the payload information provided by the second party in digital storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first party uses a secret key to encrypt information, which is then sent through an untrusted connection to a second party. The second party, however, cannot decrypt the information on its own, and it relays the encrypted information through a secure network. The secure network includes one or more nodes linking the first and second parties through one or more trusted connections (“hops”); each hop features uses of a shared secret key unique to that hop. The first party'"'"'s connection to the network (domain) receives the information relayed through the secure network by the second party, it decrypts that information according to the secret key of the first party, and it then retransmits the decrypted information to the second party using the secure hops. Techniques are provided for sharing a private session key, federated credentials, and private information.

Citations

25 Claims

1. A method implemented by a first party, comprising:
- electronically receiving a first digital message from a second party, wherein the first digital message has been encrypted using a first secret key associated with the second party;
  
  further encrypting the first digital message using a computing device of the first party and using a second secret key associated with the first party;
  
  transmitting the further encrypted first digital message as a second digital message to a third party, the third party to decrypt the second digital message using the second secret key, to thereby recover the first digital message therefrom;
  
  transmitting to the third party identification information for the second party, wherein the third party is to use the identification information to obtain decryption of the first digital message according to the first secret key, to obtain from the first digital message payload information provided by the second party which was encrypted using the first secret key, wherein the payload information comprises at least one of a federated credential, a token and a secret key;
  
  electronically receiving from the third party a third digital message comprising the payload information provided by the second party, encrypted using the second secret key; and
  
  decrypting the third digital message using the second secret key;
  
  wherein the method further comprisesreceiving a header with the third digital message which identifies the second party,determining based on the header that the third digital message corresponds to the first digital message, andstoring the payload information provided by the second party in digital storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein:
    - the first digital message from the second party is received in a manner in which it has been further encrypted as a fourth digital message according to a third secret key associated with a fourth party; and
      
      electronically receiving comprises receiving the fourth digital message from the fourth party and using the computing device to decrypt the fourth digital message using the third secret key associated with the fourth party, to recover the first digital message therefrom.
  - 3. The method of claim 2, wherein the method further comprises using the computing device to encrypt the payload information using the third secret key associated with the fourth party, and transmitting the payload information so encrypted via a fifth digital message to the fourth party.
  - 4. The method of claim 3, wherein the first secret key is a symmetric key shared by the first party and the third party, and wherein the third secret key is a symmetric key shared by the fourth party and the first party.
  - 5. The method of claim 1, wherein:
    - the first digital message comprises a federated credential; and
      
      the method further compriseselectronically accessing a database that associates the federated credential with the second party to retrieve a record associated with the federated credential,using the computing device to determine if the header corresponds to the record associated with the federated credential,in response to a determination by the computing device that the header corresponds to the record associated with the federated credential, associating a validation message with the payload information provided by the second party, andtransmitting the validation message to a fourth party.
  - 6. The method of claim 5, wherein the validation message comprises a hash that is a function of a private key associated with the first party, wherein the method further comprises using the computing device to compute the hash according to the private key, and wherein the hash can also be verified by computing a corresponding hash according to a public key which matches the private key.
  - 7. The method of claim 1, further comprising using a processor to process the decrypted payload information in the digital storage, wherein the decrypted payload information represents a credit card number credential that the second party is purportedly authorized to use, and wherein using a processor to process includes electronically communicating with a credit card processor to effectuate an automated electronic transfer dependent on the credit card number credential, and to automatically, in response to said electronically communicating, electronically crediting a payment value to at least one account associated with the second party.
  - 8. The method of claim 1, wherein:
    - the first digital message comprises a first value that is to be used to establish a symmetric key shared by the first party and the second party;
      
      the method further comprises using the computing device to add a second value to the first digital message;
      
      further encrypting further comprises encrypting the second value using the second secret key, the first value to be forwarded by the third party to the first party in a manner decrypted according to the first key; and
      
      the symmetric key is to be produced by mathematical combination of the first value, once decrypted, with the second value, once decrypted, by each of the first party and the second party.
  - 9. The method of claim 8, wherein:
    - the symmetric key is a private session key; and
      
      the method further compriseselectronically receiving a fourth digital message from the second party, wherein the fourth digital message comprises information provided by the second party which has been encrypted using the first secret key and using the private session key,further encrypting the fourth digital message using the second secret key and transmitting the further encrypted fourth digital message as a fifth digital message to the third party, the third party to decrypt the fifth digital message using the second secret key, to thereby recover the information provided by the second party encrypted using the private session key but decrypted relative to the first secret key, wherein transmitting the fifth digital message includes transmitting to the third party contact information for the second party, and wherein the third party is to use the contact information to obtain decryption of the fifth digital message according to the first secret key to obtain the information provided by the second party encrypted according to the private session key but decrypted relative to the first key, andelectronically receiving from the third party a sixth digital message comprising the information provided by the second party encrypted according to the private session key but decrypted relative to the first key, in a manner encrypted using the second secret key, and using a processor to decrypt the sixth digital message using each of the second secret key and the private session key, and storing information decrypted from the sixth digital message in digital storage.
  - 10. The method of claim 9, wherein the information provided by the second party which has been encrypted using the first secret key and using the private session key comprises an authentication value that is to be used by entity processing a federated credential in verifying that the second party is the owner of the federated credential.
  - 11. The method of claim 1, wherein the payload information is embodied as a header of the first digital message.
  - 12. The method of claim 1, wherein the payload information comprises a private session key.
  - 13. The method of claim 1, wherein the method further comprises determining whether the second party is a member of a loop-based authentication network, and responsively sending a message to the second party to cause the second party to join the loop-based authentication network and to establish the first secret key as a shared symmetric key between a digital device of the second party and a node which connects the second party to the loop-based authentication network.
  - 14. The method of claim 1, wherein:
    - the method further comprises engaging in a session-based exchange with a digital device of the second party and, as part of said session-based exchange, determining that the payload information is to be securely conveyed from the second party to the first party as a subset of the session-based exchange; and
      
      said electronically receiving the first digital message, said further encrypting and said electronically receiving the third digital message are each performed in response to said determining that the payload information is to be securely conveyed.
  - 15. The method of claim 14, wherein the session-based exchange is to effectuate payment as part of a commercial transaction.
  - 16. The method of claim 1, wherein said electronically receiving the first digital message further comprises also electronically receiving at least one header in association with the first digital message, the at least one header not being encrypted using the first secret key, the at least one header containing the identification information for the second party and at least one time stamp.

17. An apparatus comprising instructions stored on non-transitory, machine-readable media, the instructions when executed to cause at least one processor to:
- electronically receive a first digital message from a second party, wherein the first digital message has been encrypted using a first secret key associated with the second party;
  
  further encrypt the first digital message using a second secret key associated with the first part;
  
  transmit the further encrypted first digital message as a second digital message to a third party, the third party to decrypt the second digital message using the second secret key, to thereby recover the first digital message therefrom;
  
  transmit to the third party identification information for the second party, wherein the third party is to use the identification information to obtain decryption of the first digital message according to the first secret key, to obtain from the first digital message payload information provided by the second party which was encrypted using the first secret key, wherein the payload information comprises at least one of a federated credential, a token and a secret key;
  
  electronically receive from the third party a third digital message comprising the payload information provided by the second party, encrypted using the second secret key; and
  
  decrypt the payload information provided by the third party using the second secret key;
  
  wherein the instructions when executed are to further cause the at least one processor toreceive a header with the third digital message which identifies the second party,determine based on the header that the third digital message corresponds to the first digital message, andstore the payload information provided by the second party in digital storage.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein the payload information comprises a private session key.
  - 19. The apparatus of claim 17, wherein the instructions when executed are further to cause the at least one processor to determine whether the second party is a member of a loop-based authentication network, and to responsively send a message to the second party to cause the second party to join the loop-based authentication network and establish the first secret key as a shared symmetric key between a digital device of the second party and a node which connects the second party to the loop-based authentication network.
  - 20. The apparatus of claim 17, wherein:
    - the instructions when executed are to cause the at least one processor to engage in a session-based exchange with a digital device of the second party and, as part of said session-based exchange, to determine that the payload information is to be securely conveyed from the second party to the first party as a subset of the session-based exchange; and
      
      the instructions are to cause the at least one processor to electronically receive the first digital message, to further encrypt the first digital message, and to electronically receive the third digital message in response to said determination that the payload information is to be securely conveyed.
  - 21. The apparatus of claim 19, wherein the session-based exchange is to effectuate payment as part of a commercial transaction.
  - 22. The apparatus of claim 17, wherein the instructions when executed are to cause the at least one processor to electronically receive, in addition to the first digital message, at least one header in association with the first digital message, the at least one header not being encrypted using the first secret key, the at least one header containing the identification information for the second party and at least one time stamp.
  - 23. The apparatus of claim 17, wherein the instructions when executed are to cause the at least one processor to process the decrypted payload information in the digital storage, wherein the decrypted payload information represents a credit card number credential that the second party is purportedly authorized to use, and to electrically communicate with a credit card processor to effectuate an automated electronic transfer dependent on the credit card number credential and to automatically, in response to said electronically communication, credit a payment value to at least one account associated with the second party.
  - 24. The apparatus of claim 17, wherein:
    - the first digital message comprises a first value that is to be used to establish a symmetric key shared by the first party and the second party;
      
      the instructions when executed are to cause the at least one processor to add a second value to the first digital message, and to encrypt the second value using the second secret key, the first value to be forwarded by the third party to the first party in a manner decrypted according to the first key; and
      
      the symmetric key is to be produced by mathematical combination of the first value, once decrypted, with the second value, once decrypted, by each of the first party and the second party.

25. A method implemented by a computing device of a first party, comprising:
- engaging in a session-based exchange with a digital device of the second party and, as part of said session-based exchange, determining that transaction data is to be securely conveyed from the second party to the first party as a subset of the session-based exchange; and
  
  establishing a private session key between the first party and the second party for the secure exchange of the transaction data, byelectronically receiving a first digital message from a second party, wherein the first digital message comprises information representing the private session key, provided by the second party, and encrypted using a first secret key associated with the second party,further encrypting the first digital message using the computing device of the first party and using a second secret key associated with the first party,transmitting the further encrypted first digital message as a second digital message to a third party, the third party to decrypt the second digital message using the second secret key, to thereby recover the first digital message therefrom,transmitting to the third party identification information for the second party, wherein the third party is to use the identification information to obtain decryption of the first digital message according to the first secret key to recover therefrom the information representing the private session key,electronically receiving from the third party a third digital message comprising the information representing the private session key, said information representing the private session key encrypted using the second secret key, anddecrypting the third digital message using the second secret key;
  
  wherein the method further comprisesreceiving a header with the third digital message which identifies the second party,determining based on the header that the third digital message corresponds to the first digital message, andstoring the information representing the private session key in digital storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jonetix Corporation
Original Assignee
Jonetix Corporation
Inventors
Wu, Paul Ying-Fung, Nathan, Richard J., Tredennick, Harry Leslie
Primary Examiner(s)
Le, Khoi V

Application Number

US15/063,487
Publication Number

US 20180337782A1
Time in Patent Office

1,135 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/0815   providing single-sign-on or...

H04L 9/006   involving public key infras...

H04L 9/0827   involving distinctive inter...

H04L 9/0836   using tree structure or hie...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/32   including means for verifyi...

H04L 9/3268   using certificate validatio...

Secure communications using loop-based authentication flow

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communications using loop-based authentication flow

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links