Systems and methods for distributed data sharing with asynchronous third-party attestation
Abstract
Methods and systems for distributed data verification between a relying party server and a client device using data attested by at least one attestation server. Entities are loosely coupled, while still allowing for authentication data and transaction data to be tightly coupled in any given interaction. There need not be any prior relationships between relying parties and attestation servers, or between relying parties and users. A common syntax enables a relying party to define what types of attested data items will be accepted for a particular transaction, without having to predetermine all possible sources of identification a user may wish to provide. The relying party may not know the source of the attested data items a priori, but can nevertheless determine if they are satisfactory once they are received.
44 Claims
1. A method of distributed data verification between a relying party server and a client device using data attested by at least one attestation server, the method comprising:
    receiving a relying party request from the relying party server, the relying party request comprising a relying party profile identifier, an attested data item request, and a relying party proof cryptographically generated using secret data associated with the relying party server to enable verification of the relying party request;
    verifying the relying party request based on the relying party proof, wherein the verifying of the relying party request comprises:
        retrieving a relying party profile based on the relying party profile identifier,
        extracting a verification component from the relying party profile;
        cryptographically verifying the relying party proof using the verification component;
    in response to the verifying of the relying party request being successful:
        determining whether an attested data item can fulfill the attested data item request;
        in response to determining that the attested data item request can be fulfilled, retrieving the attested data item and an attestation corresponding to the attested data item, wherein the attestation comprises a cryptographically-generated proof that the attested data item was verified by the at least one attestation server;
    generating a response, the response comprising the attested data item and the attestation; and
    transmitting the response to the relying party server.
2. The method of claim 1, wherein the response comprises at least one additional attested data item and at least one additional attestation corresponding to each at least one additional data item, the method further comprising, prior to generating the response:
    determining that the at least one additional attested data item can fulfill the attested data item request;
    retrieving the at least one additional attested data item and the at least one additional attestation.
3. The method of claim 2, further comprising:
    determining that the at least one additional attested data item is not initially available;
    transmitting a request for the at least one additional attested data item to the at least one attestation server;
    receiving a response to the request for the at least one additional attested data item from the at least one attestation server, the response to the request for the at least one additional attested data item comprising the at least one additional attested data item and the at least one additional attestation; and
    storing the at least one additional attested data item and the at least one additional attestation in a data store.
4. The method of claim 2, wherein the at least one attestation server comprises at least a first attestation server and a second attestation server, and wherein the attested data item is received from the first attestation server, and wherein the at least one additional attested data item is received from the second attestation server.
5. The method of claim 1, wherein the attestation further comprises a cryptographically-generated client proof that the attested data item was verified by the client device, and wherein the generating the response further comprises:
    retrieving a client device cryptographic key; and
    verifying the attested data item using the cryptographically-generated client proof.
6. The method of claim 1, further comprising, prior to generating the response, determining whether the attested data item is eligible to be released.
7. The method of claim 6, wherein the determining whether the attested data item is eligible to be released is based on a user agent policy.
8. The method of claim 1, wherein the determining whether the attested data item can fulfill the attested data item request comprises searching for the attested data item in a data store.
9. The method of claim 1, further comprising:
    determining that the attested data item is not initially available;
    transmitting a request for the attested data item to the at least one attestation server;
    receiving a response to the request for the attested data item from the at least one attestation server, the response to the request for the attested data item comprising the attested data item and the attestation; and
    storing the attested data item and the attestation in a data store.
10. The method of claim 1, wherein the relying party request comprises a processing agent identifier, the method further comprising:
    determining a processing agent associated with the processing agent identifier;
    providing the response to the client device; and
    providing an indication of the processing agent to the client device to enable the client device to forward the response to the processing agent.
11. The method of claim 1, wherein the relying party profile identifier identifies a network location of the relying party profile.
12. The method of claim 1, wherein the relying party request comprises an identity attribute associated with the relying party profile.
13. The method of claim 1, wherein the relying party request comprises an identity attribute verification value associated with the identity attribute associated with the relying party profile.
14. The method of claim 1, wherein the relying party request comprises a plurality of identity attributes and a plurality of identity attribute verification values associated respectively with the plurality of identity attributes.
15. The method of claim 1, wherein the relying party request comprises an extensible data identifier.
16. The method of claim 1, wherein the relying party request comprises an identification of at least one attestation server.
17. The method of claim 1, further comprising, prior to generating the response, authenticating a user of the client device.
18. The method of claim 17, wherein the authentication is performed via the client device.
19. The method of claim 17, wherein the authentication is performed via an authentication server.
20. The method of claim 1, further comprising:
    receiving a second relying party request from a second relying party server;
    verifying the second relying party request;
    determining that the attested data item can fulfill the second relying party request;
    retrieving the attested data item and the attestation corresponding to the attested data item;
    generating a second response, the second response comprising the attested data item and the attestation; and
    transmitting the second response to the second relying party server.
21. The method of claim 1, wherein the relying party request comprises a policy identifier, the method further comprising retrieving at least one policy based on the policy identifier, wherein the determining whether the attested data item can fulfill the attested data item request is based on the at least one policy.
22. The method of claim 1, wherein the relying party request further comprises a non-attested data item request, and wherein the response comprises a non-attested data item, the method further comprising generating the non-attested data item.
23. A non-transitory computer readable medium storing computer executable instructions which, when executed by a computer processor, cause the computer processor to carry out an operation of distributed data verification between a relying party server and a client device using data attested by at least one attestation server, the operation comprising:
    receiving a relying party request from the relying party server, the relying party request comprising a relying party profile identifier, an attested data item request, and a relying party proof cryptographically generated using secret data associated with the relying party server to enable verification of the relying party request;
    verifying the relying party request based on the relying party proof, wherein the verifying of the relying party request comprises:
        retrieving a relying party profile based on the relying party profile identifier,
        extracting a verification component from the relying party profile;
        cryptographically verifying the relying party proof using the verification component;
    in response to the verifying of the relying party request being successful:
        determining whether an attested data item can fulfill the attested data item request;
        in response to determining that the attested data item request can be fulfilled, retrieving the attested data item and an attestation corresponding to the attested data item, wherein the attestation comprises a cryptographically-generated proof that the attested data item was verified by the at least one attestation server;
    generating a response, the response comprising the attested data item and the attestation; and
    transmitting the response to the relying party server.
24. The non-transitory computer readable medium of claim 23, wherein the response comprises at least one additional attested data item and at least one additional attestation corresponding to each at least one additional data item, the operation further comprising, prior to generating the response:
    determining that the at least one additional attested data item can fulfill the attested data item request;
    retrieving the at least one additional attested data item and the at least one additional attestation.
25. The non-transitory computer readable medium of claim 24, the operation further comprising:
    determining that the at least one additional attested data item is not initially available;
    transmitting a request for the at least one additional attested data item to the at least one attestation server;
    receiving a response to the request for the at least one additional attested data item from the at least one attestation server, the response to the request for the at least one additional attested data item comprising the at least one additional attested data item and the at least one additional attestation; and
    storing the at least one additional attested data item and the at least one additional attestation in a data store.
26. The non-transitory computer readable medium of claim 24, wherein the at least one attestation server comprises at least a first attestation server and a second attestation server, and wherein the attested data item is received from the first attestation server, and wherein the at least one additional attested data item is received from the second attestation server.
27. The non-transitory computer readable medium of claim 23, wherein the attestation further comprises a cryptographically-generated client proof that the attested data item was verified by the client device, and wherein the generating the response further comprises:
    retrieving a client device cryptographic key; and
    verifying the attested data item using the cryptographically-generated client proof.
28. The non-transitory computer readable medium of claim 23, the operation further comprising, prior to generating the response, determining whether the attested data item is eligible to be released.
29. The non-transitory computer readable medium of claim 28, wherein the determining whether the attested data item is eligible to be released is based on a user agent policy.
30. The non-transitory computer readable medium of claim 23, wherein the determining whether the attested data item can fulfill the attested data item request comprises searching for the attested data item in a data store.
31. The non-transitory computer readable medium of claim 23, the operation further comprising:
    determining that the attested data item is not initially available;
    transmitting a request for the attested data item to the at least one attestation server;
    receiving a response to the request for the attested data item from the at least one attestation server, the response to the request for the attested data item comprising the attested data item and the attestation; and
    storing the attested data item and the attestation in a data store.
32. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a processing agent identifier, the operation further comprising:
    determining a processing agent associated with the processing agent identifier;
    providing the response to the client device; and
    providing an indication of the processing agent to the client device to enable the client device to forward the response to the processing agent.
33. The non-transitory computer readable medium of claim 23, wherein the relying party profile identifier identifies a network location of the relying party profile.
34. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identity attribute associated with the relying party profile.
35. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identity attribute verification value associated with the identity attribute associated with the relying party profile.
36. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a plurality of identity attributes and a plurality of identity attribute verification values associated respectively with the plurality of identity attributes.
37. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an extensible data identifier.
38. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identification of at least one attestation server.
39. The non-transitory computer readable medium of claim 23, the operation further comprising, prior to generating the response, authenticating a user of the client device.
40. The non-transitory computer readable medium of claim 39, wherein the authentication is performed via the client device.
41. The non-transitory computer readable medium of claim 39, wherein the authentication is performed via an authentication server.
42. The non-transitory computer readable medium of claim 23, the operation further comprising:
    receiving a second relying party request from a second relying party server;
    verifying the second relying party request;
    determining that the attested data item can fulfill the second relying party request;
    retrieving the attested data item and the attestation corresponding to the attested data item;
    generating a second response, the second response comprising the attested data item and the attestation; and
    transmitting the second response to the second relying party server.
43. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a policy identifier, the operation further comprising retrieving at least one policy based on the policy identifier, wherein the determining whether the attested data item can fulfill the attested data item request is based on the at least one policy.
44. The non-transitory computer readable medium of claim 23, wherein the relying party request further comprises a non-attested data item request, and wherein the response comprises a non-attested data item, the operation further comprising generating the non-attested data item.
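The exchange of claim 1, with the data-store lookup and fetch-and-store of claims 8 and 9, the release policy of claims 6 and 7, and the reuse of one attested item for a second relying party in claim 20 (mirrored in claims 23, 28 to 31 and 42), worked through as an added Python example. It is not part of the patent and is not code from the applicant; it assumes a relying party profile registry keyed by the profile identifier, HMAC-SHA256 over canonical JSON as a stand-in for the cryptographic proofs (a real deployment would use asymmetric signatures so that the verification component in the profile can be public), a user agent release policy expressed as a set of item types, and constructed names and values (alice, id-service, bank.example, shop.example, the secrets) that exist only in this example.

```python
import hashlib
import hmac
import json

def make_proof(key: bytes, payload: dict) -> str:
    # HMAC-SHA256 over canonical JSON stands in for a signature (an assumption of this
    # example); a deployment would use an asymmetric signature so the profile is public.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def check_proof(key: bytes, payload: dict, proof: str) -> bool:
    return hmac.compare_digest(make_proof(key, payload), proof)

class AttestationServer:
    """Holds records it has verified and issues attestations over them."""

    def __init__(self, name: str, key: bytes, records: dict):
        self.name, self.key, self.records, self.calls = name, key, records, 0

    def attest(self, subject: str, item_type: str):
        self.calls += 1  # counted so the scenario can show the client caches
        value = self.records.get(subject, {}).get(item_type)
        if value is None:
            return None
        item = {"subject": subject, "type": item_type, "value": value}
        proof = make_proof(self.key, item)
        return {"item": item, "attestation": {"issuer": self.name, "proof": proof}}

class RelyingParty:
    def __init__(self, profile_id: str, key: bytes, profile_registry: dict):
        self.profile_id, self.key, self.nonce = profile_id, key, 0
        # Publish the profile under the identifier each request will carry.
        profile_registry[profile_id] = {"verification_component": key}

    def build_request(self, item_type: str) -> dict:
        self.nonce += 1
        body = {"profile_id": self.profile_id, "nonce": self.nonce,
                "attested_data_item_request": {"type": item_type}}
        return {**body, "relying_party_proof": make_proof(self.key, body)}

    @staticmethod
    def accept(request: dict, response: dict, issuer_keys: dict) -> bool:
        """Accept only an item of the requested type whose attestation verifies."""
        item, att = response.get("item"), response.get("attestation")
        if item is None or item["type"] != request["attested_data_item_request"]["type"]:
            return False
        key = issuer_keys.get(att["issuer"])
        return key is not None and check_proof(key, item, att["proof"])

class UserAgent:
    """Client-device side of claim 1 with the refinements of claims 6 to 9."""

    def __init__(self, subject, profile_registry, servers, release_policy):
        self.subject, self.profiles, self.servers = subject, profile_registry, servers
        self.release_policy = release_policy  # item types the user allows out
        self.data_store = {}  # item type -> {"item": ..., "attestation": ...}

    def handle(self, request: dict) -> dict:
        # Retrieve the profile, extract its verification component, verify the proof.
        profile = self.profiles.get(request["profile_id"])
        body = {k: v for k, v in request.items() if k != "relying_party_proof"}
        if profile is None or not check_proof(profile["verification_component"],
                                              body, request.get("relying_party_proof", "")):
            return {"error": "relying party request not verified"}
        item_type = request["attested_data_item_request"]["type"]
        # Release policy (claims 6, 7) is checked before any retrieval: blocked data is never pulled.
        if item_type not in self.release_policy:
            return {"error": "attested data item not eligible for release"}
        # Fulfil from the data store (claim 8), else fetch from a server and store it (claim 9).
        if item_type not in self.data_store:
            for server in self.servers:
                attested = server.attest(self.subject, item_type)
                if attested is not None:
                    self.data_store[item_type] = attested
                    break
            else:
                return {"error": "no attested data item fulfills the request"}
        return dict(self.data_store[item_type])

def run_scenario() -> dict:
    # Constructed scenario: one attestation server, one user, two relying parties.
    registry, keys = {}, {"id-service": b"issuer-secret"}
    issuer = AttestationServer("id-service", keys["id-service"],
                               {"alice": {"age_over_18": "true", "address": "1 Main St"}})
    agent = UserAgent("alice", registry, [issuer], release_policy={"age_over_18"})
    bank = RelyingParty("https://bank.example/profile", b"bank-secret", registry)
    shop = RelyingParty("https://shop.example/profile", b"shop-secret", registry)
    req_bank = bank.build_request("age_over_18")
    req_shop = shop.build_request("age_over_18")  # claim 20: same item, second relying party
    forged = {**bank.build_request("age_over_18"), "relying_party_proof": "00" * 32}
    return {
        "bank_accepted": RelyingParty.accept(req_bank, agent.handle(req_bank), keys),
        "shop_accepted": RelyingParty.accept(req_shop, agent.handle(req_shop), keys),
        "forged": agent.handle(forged),
        "blocked": agent.handle(shop.build_request("address")),
        "issuer_calls": issuer.calls,
    }
```

Calling run_scenario() exercises every branch the claims describe: the bank's request verifies against its published profile and is answered with an attested item fetched once from the attestation server; the shop's request for the same item type is answered from the data store without a second fetch; a request whose proof does not verify is refused before any lookup; and a request for an item type outside the release policy is refused before the user agent contacts any attestation server, so the server never learns about requests the user would not satisfy. The relying party, for its part, checks that the returned item is of the type it asked for and that the attestation verifies under a key it trusts for the named issuer, which is how it decides after the fact that an item from a source it did not name in advance is satisfactory.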