Preserving Privacy While Using Authorization Certificates
First Claim
1. A method of preserving privacy for a user while enabling the user controlled access to data,the user being represented by a user device (110,721) and identified by a user identity,the method using at least one certificate that associates data access rights with the user identity,wherein the certificate conceals the user identity,the certificate comprises publicly available solution information P, anda concealed secret S′
- is publicly available,the method further comprises at least one ofa certificate verification process (120,420) between the user device and a verifier device (111,701),a certificate issuing process (220,520,620) between the user device and an issuing device (211,711), anda certificate re-issuing process (320) between the user device and the issuing device,wherein the certificate verification process comprises the steps ofthe user device obtaining the concealed secret S′
corresponding to the certificate,the user device retrieving the secret S from the concealed secret S′
,the verifier device obtaining the solution information P from the certificate,the user device proving to the verifier device that it knows the secret S without the verifier device learning the secret S or the user identity,wherein the certificate issuing process comprises the steps of;
generating a secret S and a solution information P,concealing the secret S into a concealed secret S′
,the issuing device issuing a certificate comprising at least the solution information P,wherein the certificate re-issuing process comprises the steps ofthe user device obtaining the concealed secret S′
corresponding to the certificate,the user device retrieving the secret S from the concealed secret S′
,the issuing device obtaining the solution information P from the certificate,the user device proving to the issuing device that it knows the secret S without the issuing verifier device learning the secret S or the user identity,generating a new secret S2 and new solution information P2,concealing the secret S2 into a concealed secret S2′
,the issuing device issuing a new certificate comprising at least the new solution information P2.
1 Assignment
0 Petitions
Accused Products
Abstract
The invention proposes a method to provide privacy for users or a user from a group of users with respect to authorizations they are granted, where such authorizations are expressed using digital authorization certificates, and with respect to domain certificates in case of groups of users. The idea is to conceal the user identity in the certificates, while the certificate itself remains in the clear. In this way, certificates can be widely and openly available, e.g. in a public network, without a random observer being able to link a user to an authorization or to identify a user within a domain. Privacy is also provided towards the certificate verifier by means of zero-knowledge protocols, which are carried out between the user and the verifier in order for the verifier to check a user'"'"'s entitlement to a certificate. Privacy is further provided towards the certificate issuer as well, by means of a mechanism that allows the anonymous (buying or) issuing of certificates from the issuer.
-
Citations
18 Claims
-
1. A method of preserving privacy for a user while enabling the user controlled access to data,
the user being represented by a user device (110,721) and identified by a user identity, the method using at least one certificate that associates data access rights with the user identity, wherein the certificate conceals the user identity, the certificate comprises publicly available solution information P, and a concealed secret S′ - is publicly available,
the method further comprises at least one of a certificate verification process (120,420) between the user device and a verifier device (111,701), a certificate issuing process (220,520,620) between the user device and an issuing device (211,711), and a certificate re-issuing process (320) between the user device and the issuing device, wherein the certificate verification process comprises the steps of the user device obtaining the concealed secret S′
corresponding to the certificate,the user device retrieving the secret S from the concealed secret S′
,the verifier device obtaining the solution information P from the certificate, the user device proving to the verifier device that it knows the secret S without the verifier device learning the secret S or the user identity, wherein the certificate issuing process comprises the steps of; generating a secret S and a solution information P, concealing the secret S into a concealed secret S′
,the issuing device issuing a certificate comprising at least the solution information P, wherein the certificate re-issuing process comprises the steps of the user device obtaining the concealed secret S′
corresponding to the certificate,the user device retrieving the secret S from the concealed secret S′
,the issuing device obtaining the solution information P from the certificate, the user device proving to the issuing device that it knows the secret S without the issuing verifier device learning the secret S or the user identity, generating a new secret S2 and new solution information P2, concealing the secret S2 into a concealed secret S2′
,the issuing device issuing a new certificate comprising at least the new solution information P2. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- is publicly available,
-
18. A computer program product (732) carrying computer executable instructions comprising a computer readable medium, having thereon computer program code means, to make a computer execute, when said computer program code means is loaded in the computer, implementing at least one protocol side of at least one of:
-
the certificate issuing protocol, the certificate re-issuing protocol, and the certificate verification protocol.
-
Specification