Systems and methods for distributed data sharing with asynchronous third-party attestation

US 10,547,643 B2
Filed: 02/27/2017
Issued: 01/28/2020
Est. Priority Date: 02/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method of distributed data verification between a relying party server and a client device using data attested by at least one attestation server, the method comprising:

receiving a relying party request from the relying party server, the relying party request comprising a relying party profile identifier, an attested data item request, and a relying party proof cryptographically generated using secret data associated with the relying party server to enable verification of the relying party request;

verifying the relying party request based on the relying party proof, wherein the verifying of the relying party request comprises;

retrieving a relying party profile based on the relying party profile identifier,extracting a verification component from the relying party profile;

cryptographically verifying the relying party proof using the verification component;

in response to the verifying of the relying party request being successful;

determining whether an attested data item can fulfill the attested data item request;

in response to determining that the attested data item request can be fulfilled, retrieving the attested data item and an attestation corresponding to the attested data item, wherein the attestation comprises a cryptographically-generated proof that the attested data item was verified by the at least one attestation server;

generating a response, the response comprising the attested data item and the attestation; and

transmitting the response to the relying party server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for distributed data verification between a relying party server and a client device using data attested by at least one attestation server. Entities are loosely coupled, while still allowing for authentication data and transaction data to be tightly coupled in any given interaction. There need not be any prior relationships between relying parties and attestation servers, or between relying parties and users. A common syntax enables a relying party to define what types of attested data items will be accepted for a particular transaction, without having to predetermine all possible sources of identification a user may wish to provide. The relying party may not know the source of the attested data items a priori, but can nevertheless determine if they are satisfactory once they are received.

Citations

44 Claims

1. A method of distributed data verification between a relying party server and a client device using data attested by at least one attestation server, the method comprising:
- receiving a relying party request from the relying party server, the relying party request comprising a relying party profile identifier, an attested data item request, and a relying party proof cryptographically generated using secret data associated with the relying party server to enable verification of the relying party request;
  
  verifying the relying party request based on the relying party proof, wherein the verifying of the relying party request comprises;
  
  retrieving a relying party profile based on the relying party profile identifier,extracting a verification component from the relying party profile;
  
  cryptographically verifying the relying party proof using the verification component;
  
  in response to the verifying of the relying party request being successful;
  
  determining whether an attested data item can fulfill the attested data item request;
  
  in response to determining that the attested data item request can be fulfilled, retrieving the attested data item and an attestation corresponding to the attested data item, wherein the attestation comprises a cryptographically-generated proof that the attested data item was verified by the at least one attestation server;
  
  generating a response, the response comprising the attested data item and the attestation; and
  
  transmitting the response to the relying party server.

2. The method of claim 1, wherein the response comprises at least one additional attested data item and at least one additional attestation corresponding to each at least one additional data item, the method further comprising, prior to generating the response:
- determining that the at least one additional attested data item can fulfill the attested data item request;
  
  retrieving the at least one additional attested data item and the at least one additional attestation.

3. The method of claim 2, further comprising:
- determining that the at least one additional attested data item is not initially available;
  
  transmitting a request for the at least one additional attested data item to the at least one attestation server;
  
  receiving a response to the request for the at least one additional attested data item from the at least one attestation server, the response to the request for the at least one additional attested data item comprising the at least one additional attested data item and the at least one additional attestation; and
  
  storing the at least one additional attested data item and the at least one additional attestation in a data store.

4. The method of claim 2, wherein the at least one attestation server comprises at least a first attestation server and a second attestation server, and wherein the attested data item is received from the first attestation server, and wherein the at least one additional attested data item is received from the second attestation server.

5. The method of claim 1, wherein the attestation further comprises a cryptographically-generated client proof that the attested data item was verified by the client device, and wherein the generating the response further comprises:
- retrieving a client device cryptographic key; and
  
  verifying the attested data item using the cryptographically-generated client proof.

6. The method of claim 1, further comprising, prior to generating the response, determining whether the attested data item is eligible to be released.

7. The method of claim 6, wherein the determining whether the attested data item is eligible to be released is based on a user agent policy.

8. The method of claim 1, wherein the determining whether the attested data item can fulfill the attested data item request comprises searching for the attested data item in a data store.

9. The method of claim 1, further comprising:
- determining that the attested data item is not initially available;
  
  transmitting a request for the attested data item to the at least one attestation server;
  
  receiving a response to the request for the attested data item from the at least attestation server, the response to the request for the attested data item comprising the attested data item and the attestation; and
  
  storing the attested data item and the attestation in a data store.

10. The method of claim 1, wherein the relying party request comprises a processing agent identifier, the method further comprising:
- determining a processing agent associated with the processing agent identifier;
  
  providing the response to the client device; and
  
  providing an indication of the processing agent to the client device to enable the client device to forward the response to the processing agent.

11. The method of claim 1, wherein the relying party profile identifier identifies a network location of the relying party profile.

12. The method of claim 1, wherein the relying party request comprises an identity attribute associated with the relying party profile.

13. The method of claim 1, wherein the relying party request comprises an identity attribute verification value associated with the identity attribute associated with the relying party profile.

14. The method of claim 1, wherein the relying party request comprises a plurality of identity attributes and a plurality of identity attribute verification values associated respectively with the plurality of identity attributes.

15. The method of claim 1, wherein the relying party request comprises an extensible data identifier.

16. The method of claim 1, wherein the relying party request comprises an identification of at least one attestation server.

17. The method of claim 1, further comprising, prior to generating the response, authenticating a user of the client device.

18. The method of claim 17, wherein the authentication is performed via the client device.

19. The method of claim 17, wherein the authentication is performed via an authentication server.

20. The method of claim 1, further comprising:
- receiving a second relying party request from a second relying party server;
  
  verifying the second relying party request;
  
  determining that the attested data item can fulfill the second relying party request;
  
  retrieving the attested data item and the attestation corresponding to the attested data item;
  
  generating a second response, the second response comprising the attested data item and the attestation; and
  
  transmitting the second response to the second relying party server.

21. The method of claim 1, wherein the relying party request comprises a policy identifier, the method further comprising retrieving at least one policy based on the policy identifier, wherein the determining whether the attested data item can fulfill the attested data item request is based on the at least one policy.

22. The method of claim 1, wherein the relying party request further comprises a non-attested data item request, and wherein the response comprises a non-attested data item, the method further comprising generating the non-attested data item.

23. A non-transitory computer readable medium storing computer executable instructions which, when executed by a computer processor, cause the computer processor to carry out an operation of distributed data verification between a relying party server and a client device using data attested by at least one attestation server, the operation comprising:
- receiving a relying party request from the relying party server, the relying party request comprising a relying party profile identifier, an attested data item request, and a relying party proof cryptographically generated using secret data associated with the relying party server to enable verification of the relying party request;
  
  verifying the relying party request based on the relying party proof, wherein the verifying of the relying party request comprises;
  
  retrieving a relying party profile based on the relying party profile identifier,extracting a verification component from the relying party profile;
  
  cryptographically verifying the relying party proof using the verification component;
  
  in response to the verifying of the relying party request being successful;
  
  determining whether an attested data item can fulfill the attested data item request;
  
  in response to determining that the attested data item request can be fulfilled, retrieving the attested data item and an attestation corresponding to the attested data item, wherein the attestation comprises a cryptographically-generated proof that the attested data item was verified by the at least one attestation server;
  
  generating a response, the response comprising the attested data item and the attestation; and
  
  transmitting the response to the relying party server.

24. The non-transitory computer readable medium of claim 23, wherein the response comprises at least one additional attested data item and at least one additional attestation corresponding to each at least one additional data item, the operation further comprising, prior to generating the response:
- determining that the at least one additional attested data item can fulfill the attested data item request;
  
  retrieving the at least one additional attested data item and the at least one additional attestation.

25. The non-transitory computer readable medium of claim 24, the operation further comprising:
- determining that the at least one additional attested data item is not initially available;
  
  transmitting a request for the at least one additional attested data item to the at least one attestation server;
  
  receiving a response to the request for the at least one additional attested data item from the at least one attestation server, the response to the request for the at least one additional attested data item comprising the at least one additional attested data item and the at least one additional attestation; and
  
  storing the at least one additional attested data item and the at least one additional attestation in a data store.

26. The non-transitory computer readable medium of claim 24, wherein the at least one attestation server comprises at least a first attestation server and a second attestation server, and wherein the attested data item is received from the first attestation server, and wherein the at least one additional attested data item is received from the second attestation server.

27. The non-transitory computer readable medium of claim 23, wherein the attestation further comprises a cryptographically-generated client proof that the attested data item was verified by the client device, and wherein the generating the response further comprises:
- retrieving a client device cryptographic key; and
  
  verifying the attested data item using the cryptographically-generated client proof.

28. The non-transitory computer readable medium of claim 23, the operation further comprising, prior to generating the response, determining whether the attested data item is eligible to be released.

29. The non-transitory computer readable medium of claim 28, wherein the determining whether the attested data item is eligible to be released is based on a user agent policy.

30. The non-transitory computer readable medium of claim 23, wherein the determining whether the attested data item can fulfill the attested data item request comprises searching for the attested data item in a data store.

31. The non-transitory computer readable medium of claim 23, the operation further comprising:
- determining that the attested data item is not initially available;
  
  transmitting a request for the attested data item to the at least one attestation server;
  
  receiving a response to the request for the attested data item from the at least attestation server, the response to the request for the attested data item comprising the attested data item and the attestation; and
  
  storing the attested data item and the attestation in a data store.

32. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a processing agent identifier, the operation further comprising:
- determining a processing agent associated with the processing agent identifier;
  
  providing the response to the client device; and
  
  providing an indication of the processing agent to the client device to enable the client device to forward the response to the processing agent.

33. The non-transitory computer readable medium of claim 23, wherein the relying party profile identifier identifies a network location of the relying party profile.

34. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identity attribute associated with the relying party profile.

35. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identity attribute verification value associated with the identity attribute associated with the relying party profile.

36. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a plurality of identity attributes and a plurality of identity attribute verification values associated respectively with the plurality of identity attributes.

37. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an extensible data identifier.

38. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises an identification of at least one attestation server.

39. The non-transitory computer readable medium of claim 23, the operation further comprising, prior to generating the response, authenticating a user of the client device.

40. The non-transitory computer readable medium of claim 39, wherein the authentication is performed via the client device.

41. The non-transitory computer readable medium of claim 39, wherein the authentication is performed via an authentication server.

42. The non-transitory computer readable medium of claim 23, the operation further comprising:
- receiving a second relying party request from a second relying party server;
  
  verifying the second relying party request;
  
  determining that the attested data item can fulfill the second relying party request;
  
  retrieving the attested data item and the attestation corresponding to the attested data item;
  
  generating a second response, the second response comprising the attested data item and the attestation; and
  
  transmitting the second response to the second relying party server.

43. The non-transitory computer readable medium of claim 23, wherein the relying party request comprises a policy identifier, the operation further comprising retrieving at least one policy based on the policy identifier, wherein the determining whether the attested data item can fulfill the attested data item request is based on the at least one policy.

44. The non-transitory computer readable medium of claim 23, wherein the relying party request further comprises a non-attested data item request, and wherein the response comprises a non-attested data item, the operation further comprising generating the non-attested data item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Varley, Michael, Ronda, Troy Jacob, Barinov, Dmitry, Wolfond, Gregory Howard, Roberge, Pierre Antoine
Primary Examiner(s)
Nguyen, Trong H
Assistant Examiner(s)
Lin, Amie C.

Application Number

US15/443,400
Publication Number

US 20170251025A1
Time in Patent Office

1,065 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/50   using hash chains, e.g. blo...

Systems and methods for distributed data sharing with asynchronous third-party attestation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for distributed data sharing with asynchronous third-party attestation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links