Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones

US 20090132813A1
Filed: 11/07/2008
Published: 05/21/2009
Est. Priority Date: 11/08/2007
Status: Abandoned Application

First Claim

Patent Images

1. A process for authenticating an individual to participate in a transaction with a relying party, the process comprising:

producing a mobile electronic device, the device storing a digitally signed document containing a set of credential data of the individual, and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual;

entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data; and

causing the device to communicate the set of credential data to a system of the relying party, for purposes of authenticating the individual to participate in the transaction.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods perform transactions in a secure environment between an individual and another party, such as a merchant, in various embodiments. The individual possesses a mobile electronic device, such as a smartphone, that can encrypt data according to a public key infrastructure. The individual authenticates the individual'"'"'s identity to the device, thereby unlocking credentials that may be used in a secure transaction. The individual causes the device to communicate the credentials, in a secure fashion, to an electronic system of a relying party, in order to obtain the relying party'"'"'s authorization to enter the transaction. The relying party system determines whether to grant the authorization, and communicates the grant and the outcome of the transaction to the device using encryption according to the public key infrastructure.

627 Citations

175 Claims

1. A process for authenticating an individual to participate in a transaction with a relying party, the process comprising:
- producing a mobile electronic device, the device storing a digitally signed document containing a set of credential data of the individual, and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual;
  
  entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data; and
  
  causing the device to communicate the set of credential data to a system of the relying party, for purposes of authenticating the individual to participate in the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. A process according to claim 1, wherein the transaction includes a purchase.
  - 3. A process according to claim 1, wherein the transaction includes receiving an extension of credit.
  - 4. A process according to claim 1, wherein the transaction includes obtaining access to money stored in a financial account.
  - 5. A process according to claim 1, wherein the transaction includes obtaining access to a physical location.
  - 6. A process according to claim 1, wherein the transaction includes obtaining access to a web page.
  - 7. A process according to claim 1, wherein the transaction includes obtaining access to a computing resource.
  - 8. A process according to claim 1, wherein the transaction includes obtaining access to data by downloading.
  - 9. A process according to claim 1, wherein the transaction includes receiving an HTTP cookie.
  - 10. A process according to claim 1, wherein the transaction includes uploading medical data of the individual.
  - 11. A process according to claim 1, wherein the mobile electronic device includes one of a smartphone and a personal digital assistant.
  - 12. A process according to claim 1, wherein the mobile electronic device includes WORM memory.
  - 13. A process according to claim 12, wherein the WORM memory includes a set of encryption data, the set having a private encryption key of the individual.
  - 14. A process according to claim 12, wherein the WORM memory includes a set of encryption data, the set having a private signature key of the individual.
  - 15. A process according to claim 12, wherein the mobile electronic device includes a display and an advertisement associated with an item in the set of encryption data, the process further comprising displaying the advertisement on the display in connection with use of the device.
  - 16. A process according to claim 15, wherein the advertisement is stored in the WORM memory.
  - 17. A process according to claim 1, wherein the set of credential data is derived from one or more of:
    - a passport, a birth certificate, a Transportation Worker Identification Credential (TWIC), a Common Access Card (CAC), a smartcard, a driver'"'"'s license, a pilot'"'"'s certificate, an identification card, an organization membership card, an insurance card, a credit card, a debit card, a store discount card, a public transportation card, or a library card.
  - 18. A process according to claim 1, wherein entering authentication data includes entering data pertaining to one of:
    - a fingerprint, a handprint, a photograph, an iris scan, a retina scan, a password, an authorization code, or a personal identification number.
  - 19. A process according to claim 1, wherein entering authentication data includes providing two-factor authentication data.
  - 20. A process according to claim 19, wherein entering authentication data includes providing a password and biometric data.
  - 21. A process according to claim 1, wherein causing the device to communicate includes triggering wireless communication by the device.
  - 22. A process according to claim 1, wherein the system of the relying party includes one of:
    - a vending machine, a parking meter, an electronic toll collection system, a physical access system, and a magnetic stripe reader.
  - 23. A process according to claim 1, wherein a suite of applications is stored on the device, and the set of credential data identifies a subset of the suite of applications to be made available to the individual upon authentication of the would-be user as the individual.
  - 24. A process according to claim 1, further comprising:
    - causing the device to run an application loaded thereon, the application being unavailable for use until there has been entry into the device of authentication data authenticating the would-be user of the device as the individual.
  - 25. A process according to claim 1, further comprising:
    - receiving at the mobile electronic device, from the system of the relying party, a response to the communication of the set of credentials.
  - 26. A process according to claim 25, wherein receiving the response includes receiving a verification of the set of credential data of the individual.
  - 27. A process according to claim 25, wherein receiving the response includes receiving a notification that the transaction has been completed.
  - 28. A process according to claim 25, wherein receiving the response triggers updating a transaction log maintained on the mobile electronic device.
  - 29. A process according to claim 28, wherein receiving the response triggers setting of an upload flag to enqueue uploading of data reflecting the transaction.
  - 30. A process according to claim 25, wherein the mobile electronic device includes a WORM memory, and the mobile device performs, on the WORM memory, an operation triggered by receiving the response.
  - 31. A process according to claim 30, wherein the operation is storage of data related to the response.
  - 32. A process according to claim 30, wherein the operation is rendering a portion of the WORM memory unreadable.
  - 33. A process according to claim 1, wherein causing the device to communicate the set of credential data triggers storing, in a transaction log maintained on the mobile electronic device, a record having data related to the transaction.

34. A process for use by a relying party in authenticating an individual having a mobile electronic device to participate in a transaction with the relying party, the device storing a digitally signed document containing a set of credential data of the individual and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual, the process comprising:
- receiving, in a system in communication with the device, the digitally signed document from the device, wherein receipt of the digitally signed document constitutes verification of entry into the device of the authentication data;
  
  using the system to evaluate a credential in the set of credentials; and
  
  storing data, associated with the transaction and the digitally signed document, in the system of the relying party in a transaction log.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 35. A process according to claim 34, wherein the transaction includes a purchase.
  - 36. A process according to claim 34, wherein the transaction includes granting an extension of credit.
  - 37. A process according to claim 34, wherein the transaction includes providing access to money stored in a financial account.
  - 38. A process according to claim 34, wherein the transaction includes providing access to a physical location.
  - 39. A process according to claim 34, wherein the transaction includes providing access to a web page.
  - 40. A process according to claim 34, wherein the transaction includes providing access to a computing resource.
  - 41. A process according to claim 34, wherein the transaction includes providing access to data for downloading by the individual.
  - 42. A process according to claim 34, wherein the transaction includes transmitting an HTTP cookie.
  - 43. A process according to claim 34, wherein the mobile electronic device includes one of a smartphone and a personal digital assistant.
  - 44. A process according to claim 34, wherein the mobile electronic device includes WORM memory.
  - 45. A process according to claim 44, wherein the WORM memory includes a set of encryption data, the set having a private encryption key of the individual.
  - 46. A process according to claim 44, wherein the WORM memory includes a set of encryption data, the set having a private signature key of the individual.
  - 47. A process according to claim 46, wherein using the system to evaluate the credential includes validating a digital signature of the digitally signed document, using a public signature key of the individual that forms a key pair with the private signature key of the individual.
  - 48. A process according to claim 34, wherein the set of credential data is derived from one or more of:
    - a passport, a birth certificate, a Transportation Worker Identification Credential (TWIC), a Common Access Card (CAC), a smartcard, a driver'"'"'s license, a pilot'"'"'s certificate, an identification card, an organization membership card, an insurance card, a credit card, a debit card, a store discount card, a public transportation card, or a library card.
  - 49. A process according to claim 34, wherein receiving the digitally signed document includes receiving the document wirelessly.
  - 50. A process according to claim 34, wherein using the system to evaluate the credential includes validating a digital signature of the digitally signed document using a public signature key of the individual.
  - 51. A process according to claim 34, wherein using the system to evaluate the credential includes comparing a digest derived from the credential with a stored digest.
  - 52. A process according to claim 34, wherein using the system to evaluate the credential includes comparing the time the digitally signed document was received from the device with a timestamp in the document.
  - 53. A process according to claim 52, wherein the timestamp is indicative of the time when credentials on the mobile electronic device were last updated.
  - 54. A process according to claim 53, wherein the timestamp is indicative of the time when the mobile electronic device was last connected to a network in a session meeting pre-specified criteria.
  - 55. A process according to claim 34, wherein using the system to evaluate the credential includes obtaining a certificate status response from the mobile electronic device.
  - 56. A process according to claim 55, wherein obtaining the certificate status response comprises:
    - transmitting a first message including a cryptographic nonce to the mobile electronic device, the first message encrypted with a public encryption key of the individual; and
      
      receiving a second message including the nonce and the certificate status response from the mobile electronic device.
  - 57. A process according to claim 34, wherein using the system to evaluate the credential includes communicating with a computer system, of a third party, that can validate the accuracy of the credential or verify that the credential is unexpired.
  - 58. A process according to claim 57, wherein the third party is an issuer of the credential or an agent of the issuer.
  - 59. A process according to claim 57, further comprising obtaining a certificate status response from the third party.
  - 60. A process according to claim 57, further comprising obtaining a certificate revocation list from the third party.
  - 61. A process according to claim 57, wherein communicating includes receiving, from the third party, data indicating that the credential has not been revoked.
  - 62. A process according to claim 34, further comprising:
    - transmitting, to the mobile electronic device, a response to the communication of the set of credentials.
  - 63. A process according to claim 62, wherein transmitting the response includes transmitting data indicating that a credential in the set of credentials is valid and unexpired.
  - 64. A process according to claim 62, wherein transmitting the response includes transmitting a notification that the transaction has been completed.

65. A mobile electronic device, usable by an individual for authentication of transactions, the device comprising:
- a storage module in which are stored;
  
  (i) a digitally signed document containing a set of credentials of the individual, and(ii) authentication data of the individual;
  
  a data entry arrangement for entering data into the device;
  
  a controller, coupled to the storage module and the data entry arrangement, programmed to require, as a condition to using the stored set of credentials for authentication purposes, entry of the authentication data into the device via the data entry arrangement, so as to authenticate a would-be user of the device as the individual; and
  
  a communication port for receiving and transmitting the digitally signed document.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73)
- - 66. A device according to claim 65, wherein the set of credentials includes a plurality of credentials of the individual, so that the device can be used to authenticate distinct classes of transactions, each class of transactions being associated with a distinct one of the credentials.
  - 67. A device according to claim 65, wherein the storage module includes non-volatile memory.
  - 68. A device according to claim 65, wherein the storage module includes WORM memory.
  - 69. A device according to claim 68, wherein the WORM memory includes the digitally signed document.
  - 70. A device according to claim 68, wherein the WORM memory includes a set of encryption data, the set having a private encryption key of the individual.
  - 71. A device according to claim 68, wherein the WORM memory includes a set of encryption data, the set having a private signature key of the individual.
  - 72. A device according to claim 65, wherein the storage module includes both WORM memory and WMRM memory incorporated in flash memory.
  - 73. A device according to claim 65, wherein the storage module includes an application, stored therein, and the device further comprises:
    - an access control module restricting use of the application until there has been entry into the device, via the data entry arrangement, of the authentication data, to authenticate the would-be user of the device as the individual.

74. A process for configuring an electronic device to be usable by an individual for authentication of transactions, the process comprising:
- storing a digitally signed document in the electronic device, the digitally signed document including credential data derived from a set of credentials pertaining to the individual;
  
  storing, in the electronic device, authentication data associated with the individual;
  
  wherein the device includes an access control module that precludes access to the credential data without entry into the device of the authentication data.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81, 82, 83, 84)
- - 75. A process according to claim 74, wherein the set of credentials includes a physical credential.
  - 76. A process according to claim 75, wherein the physical credential is selected from the group consisting of:
    - a passport, a birth certificate, a Transportation Worker Identification Credential (TWIC), a Common Access Card (CAC), a smartcard, a driver'"'"'s license, a pilot'"'"'s certificate, an identification card, an organization membership card, an insurance card, a credit card, a debit card, a store discount card, a public transportation card, and a library card.
  - 77. A process according to claim 74, wherein the set of credentials includes a virtual credential.
  - 78. A process according to claim 74, further comprising:
    - receiving the physical credential from the individual;
      
      manually determining that the set of credentials pertains to the individual;
      
      creating the digitally signed document; and
      
      entrusting the device to the individual.
  - 79. A process according to claim 74, further comprising obtaining biometric data of the individual and including the biometric data in the authentication data.
  - 80. A process according to claim 74, wherein a digital signature in the digitally signed document is verifiable using a public signature key of the individual.
  - 81. A process according to claim 74, wherein a digital signature in the digitally signed document is verifiable using a public signature key of a third party.
  - 82. A process according to claim 74, wherein the electronic device includes WORM memory, and storing the digitally signed document in the electronic device includes storing the document in the WORM memory.
  - 83. A process according to claim 74, further comprising storing a private encryption key of the individual in the electronic device.
  - 84. A process according to claim 74, further comprising storing a private signature key of the individual in the electronic device.

85. A computer-implemented method of developing information pertinent to authentication of a set of credentials of a given individual, the set of credentials associated with a plurality of sets of credentials of other individuals, the method comprising:
- for each of the individuals,verifying such individual'"'"'s credentials as being at the end of a chain of trust, placing such individual'"'"'s credentials in a digitally signed document, and storing the digitally signed document in a credential database; and
  
  automatically and repetitively checking, in a computer process, for revocation of any credentials in the credential database and storing data identifying credentials that have been revoked.
- View Dependent Claims (86, 87, 88, 89, 90)
- - 86. A method according to claim 85, wherein storing data identifying credentials that have been revoked includes updating the credential database.
  - 87. A method according to claim 85, wherein storing data identifying credentials that have been revoked includes storing in a revocation database a listing of credentials that have been revoked.
  - 88. A method according to claim 85, further comprising, for each of the individuals, storing the digitally signed document includes storing it in a token entrusted to such individual.
  - 89. A method according to claim 85, wherein checking includes checking at least as often as once per day.
  - 90. A method according to claim 85, wherein checking includes checking in conformity with a PKI standard.

91. A computer-implemented method of authenticating a given individual'"'"'s set of credentials, each credential in the set having been authenticated as of a given time, the method comprising:
- receiving the set of credentials over a communications network; and
  
  in a computer process, comparing the set of credentials against a database listing of revoked credentials to identify a credential in the set that has been revoked since the given time.
- View Dependent Claims (92, 93, 94, 95)
- - 92. A method according to claim 91, wherein receiving the set of credentials comprises receiving them from a federated data store.
  - 93. A method according to claim 91, wherein receiving the set of credentials comprises uploading a digital document from a token in the possession of the given individual, such digitally signed document containing the individual'"'"'s set of credentials.
  - 94. A method according to claim 91, wherein identifying credentials of the individual that have been revoked implicitly determines that all other credentials of the given individual have not been revoked.
  - 95. A method according to claim 91, wherein comparing is performed in a batch computer process.

96. A computer-implemented method of processing transactions between a relying party having a transaction system, and a set of individuals, each individual in the set of individuals having an electronic device capable of communication with the transaction system, the method comprising:
- obtaining access to a first digitally signed document created in the transaction system of the relying party, the document containing one or more transaction records, each transaction record having data pertaining to a selected transaction between the relying party and a selected individual in the set of individuals; and
  
  for each selected transaction,obtaining access to a second digitally signed document created in the electronic device of the selected individual, the document containing a transaction record corresponding to the selected transaction; and
  
  in a computer process, checking for consistency between the transaction record in the first digitally signed document and the transaction record in the second digitally signed document.
- View Dependent Claims (97, 98, 99, 100, 101, 102, 103, 104)
- - 97. A method according to claim 96, further comprising validating a digital signature of the first digitally signed document, using a public signature key of the relying party.
  - 98. A method according to claim 96, further comprising, validating a digital signature of the second digitally signed document of the selected individual, using a public signature key of the selected individual.
  - 99. A method according to claim 96, further comprising, in the event that checking yields an inconsistency, communicating a warning to the relying party or the selected individual.
  - 100. A method according to claim 96, wherein each transaction record contains data pertaining to at least one of a transaction time, a transaction date, a purchase amount, a loan number, a financial account number, a physical location, an address of a web page, an identifier of a computing resource, a file name, an HTTP cookie name, and a medical condition.
  - 101. A method according to claim 96, wherein obtaining access to the first digitally signed document includes receiving the first digitally signed document over a computer data network.
  - 102. A method according to claim 96, wherein obtaining access to the second digitally signed document includes receiving the second digitally signed document over a computer data network.
  - 103. A method according to claim 96, wherein checking is performed in a batch computer process.
  - 104. A method according to claim 96, wherein checking is performed in a process substantially contemporaneously with the selected transaction.

105. A system enabling a second party to obtain data in a secure manner from a first party, the system comprising:
- a receiving port for securely receiving the data, along with a digitally signed document associated with the first party and a reference to the second party;
  
  a physical data storage medium for storing the received data and the digitally signed document in association with the second party;
  
  a processor for validating that the sender of the received data is the first party using the digitally signed document, and for determining whether to securely forward data stored in the storage area to the second party according to a rule associated with the first party and the second party; and
  
  a transmitting port for forwarding the data to a computer facility of the second party.
- View Dependent Claims (106, 107)
- - 106. A system according to claim 105, wherein the storage area is readable only by the first party and the second party.
  - 107. A system according to claim 105, wherein the storage area is associated with a URL.

108. A computerized method enabling a second party to obtain data in a secure manner from a first party, the method comprising:
- receiving from the first party items including the data, a digitally signed document associated with the data and with the first party, and a reference to the second party;
  
  verifying that the received data were sent by the first party, by using the digitally signed document;
  
  storing the data in association with the digitally signed document and with the reference; and
  
  making the stored data available to the second party using the reference, such that the second party may securely access the data.
- View Dependent Claims (109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131)
- - 109. A method according to claim 108, wherein the data have been encrypted using a public key of the second party.
  - 110. A method according to claim 108, wherein the items are included in a message that has been encrypted using a public key associated with the receiver and receiving the items includes:
    - receiving the message from the first party, anddecrypting the message using a private key associated with the public key.
  - 111. A method according to claim 108, wherein the reference includes at least one of a digital certificate, a telephone number, a postal address, and an electronic address.
  - 112. A method according to claim 108, wherein making the stored data available comprises:
    - encrypting a second message, containing the data and the digitally signed document, using a public key of the second party; and
      
      transmitting the encrypted second message to the second party.
  - 113. A method according to claim 108, wherein the storage space is readable only by the first party and the second party.
  - 114. A method according to claim 108, wherein receiving the data from the first party includes using a secure communications link.
  - 115. A method according to claim 108, further comprising deciding whether to forward the data to the second party according to a set of computer-implemented rules associated with the first party and the second party.
  - 116. A method according to claim 108, further comprising forwarding the data to the second party.
  - 117. A method according to claim 116, wherein forwarding the data to the second party includes using a secure communications link.
  - 118. A method according to claim 108, wherein receiving the items from the first party includes receiving the items through a communications gateway that is not dedicated to handling trusted data from a particular source.
  - 119. A method according to claim 118, wherein the communications gateway also handles data other than trusted data.
  - 120. A method according to claim 118, wherein verifying that the received data were sent by the first party is accomplished by the communications gateway.
  - 121. A method according to claim 120, wherein verifying that the received data were sent by the first party includes accessing an authorized certificate store to retrieve a certificate of the first party.
  - 122. A method according to claim 121, wherein making the stored data available to the second party using the reference is accomplished by the communications gateway.
  - 123. A method according to claim 120, wherein storing the data in association with the digitally signed document and with the reference is caused by the communications gateway.
  - 124. A method according to claim 118, further comprising:
    - upon receiving the items from the first party, initiating communication with the second party to obtain authorization to cause storage of the data.
  - 125. A method according to claim 124, wherein the second party has a mobile telephone, and making the stored data available to the second party includes sending a communication to the mobile telephone identifying the received data and seeking authorization to make the received data available to the second party, and, upon such authorization, making the received data available to the second party.
  - 126. A method according to claim 125, wherein making the received data available to the second party includes making the data accessible to the mobile telephone for storage in memory thereof.
  - 127. A method according to claim 126, wherein the memory of the mobile telephone is flash memory.
  - 128. A method according to claim 126, wherein the data include information relating to a credential, and making the data accessible to the mobile telephone for storage in memory thereof includes making the data accessible for storage only in a portion of such memory configured as WORM memory.
  - 129. A method according to claim 108, wherein the data include information relating to a credential, and making the stored data available to the second party includes making the data accessible for storage only in memory configured as WORM memory.
  - 130. A method according to claim 129, wherein the WORM memory is implemented in flash memory.
  - 131. A method according to claim 108, wherein the data are digital media content encrypted with a public key of the second party.

132. A computerized method for creating a virtual smartcard for an individual based on a physical credential applicable to the individual, the method comprising:
- receiving, over a communications network, credential data derived from the physical credential;
  
  receiving, over the communications network, authentication data pertinent to the individual;
  
  using a computer process to establish a pair of cryptographic keys; and
  
  creating a virtual smartcard for the individual by storing the credential data and the authentication data in association with the pair of cryptographic keys.
- View Dependent Claims (133, 134)
- - 133. A method according to claim 132, wherein the physical credential is selected from the group consisting of a passport, a birth certificate, a Transportation Worker Identification Credential (TWIC), a smartcard, a driver'"'"'s license, a pilot'"'"'s certificate, an identification card, an organization membership card, an insurance card, a credit card, a debit card, a store discount card, a public transportation card, and a library card.
  - 134. A method according to claim 132, wherein authentication data are selected from the group consisting of biometric data and a passcode.

135. A method of evaluating a primary credential issued by an agency, the method comprising:
- using the primary credential to access from storage a summary certificate associated in the storage with the primary credential, the summary certificate containing a collection of secondary credentials considered by the agency in issuing the primary credential;
  
  in a revocation computer process, collecting secondary credential revocation information by (i) identifying each of the secondary credentials that is the subject of a revocation, and, (ii) for each revoked credential, accessing data that characterize a basis for the revocation; and
  
  in an evaluation computer process, applying a set of policy rules to the collected secondary credential revocation information to evaluate its effect on the primary credential.
- View Dependent Claims (136, 137, 138, 139, 140)
- - 136. A method according to claim 135, wherein the revocation computer process includes accessing a database of revoked credentials, the database established by automatic, computer-implemented, repetitive checking for revocation of secondary credentials of a plurality of individuals.
  - 137. A method according to claim 135, wherein one of the secondary credentials that is the subject of revocation is another primary credential that has been previously revoked by operation of computer processes, so that processes herein may spawn a cascade of revocations when permitted by policy rules to do so.
  - 138. A method according to claim 135, wherein accessing data that characterize a basis for the revocation include accessing data indicating that a chain of trust for a secondary credential has been broken.
  - 139. A method according to claim 135, further comprising revoking the primary credential when the policy rules being applied so require.
  - 140. A method according to claim 135, wherein the evaluation computer process leads to revocation of the primary credential, further comprising:
    - in a further revocation computer process, identifying a set of additional primary credentials, the set having at least one member, for which the primary credential serves as a secondary credential in a corresponding set of summary certificates; and
      
      in a further evaluation computer process, subjecting the set of primary credentials to evaluation in a manner generally analogous to the evaluation computer process.

141. A computerized method for responding to a given individual'"'"'s request for access, the method comprising:
- receiving, over a first communications network, a first data set defining rights of the given individual to access;
  
  receiving, over a second communications network, from a token possessed by the given individual, a digitally signed document including a second data set defining rights of the given individual relating to the access; and
  
  in a computer process, comparing the first access rights data and the second access rights data to respond to the given individual'"'"'s access rights.
- View Dependent Claims (142, 143, 144, 145, 146, 147, 148, 149)
- - 142. A method according to claim 141, wherein receiving over the first communications network includes receiving data from a cellular telephone network.
  - 143. A method according to claim 141, wherein receiving over the first communications network includes receiving data from the Internet.
  - 144. A method according to claim 143, wherein receiving over the first communications network includes receiving data from a virtual private network.
  - 145. A method according to claim 141, wherein receiving over the second communications network includes receiving data from a Bluetooth network.
  - 146. A method according to claim 141, wherein the token is a smartphone.
  - 147. A method according to claim 141, further comprising validating a digital signature of the digitally signed document.
  - 148. A method according to claim 147, wherein validating the digital signature includes receiving data from the token pertaining to a digital certificate, the digital certificate having a public signature key.
  - 149. A method according to claim 148, wherein receiving data includes receiving a cached OCSP response.

150. A non-volatile memory device encoded with computer-readable data, such device including a first portion thereof configured as WORM memory in which are encoded credential data and a second portion thereof configured as WMRM memory.
- View Dependent Claims (151, 152, 153)
- - 151. A device according to claim 150, wherein the device is also encoded with computer-readable instructions, such instructions including program code defining a cryptographic engine.
  - 152. A device according to claim 150, wherein the credential data relate to a plurality of credentials of an individual.
  - 153. A device according to claim 150, such device being implemented in flash memory.

154. A method for efficiently authenticating an individual in connection with a transaction, at a physical transaction location, such location using a public key infrastructure and having a terminal for use in the transaction, the method comprising:
- using data provided over a cellular telephone network to estimate a present location of a smartphone of the individual on which is stored credential data relating to a credential of the individual, such smartphone requiring the individual to authenticate himself to the smartphone as a condition of use of the credential data;
  
  if the present location is determined to be within a specified range of the physical transaction location, sending data as to status of the credential to the terminal,so that the individual will be able to present the credential for use in the transaction only by authenticating himself to the smartphone, and status information of the credential will be available to the terminal for use in connection with the transaction when the individual appears at the physical location.
- View Dependent Claims (155, 156)
- - 155. A method according to claim 154, wherein using data provided over a cellular telephone network to estimate a present location includes using base station data.
  - 156. A method according to claim 154, wherein using data provided over a cellular telephone network to estimate a present location includes using GPS data from the smartphone.

157. A method for gating communication to a user'"'"'s smartphone from a caller'"'"'s smartphone based on a set of pre-specified criteria as to attributes of the caller, the method comprising:
- receiving on the user'"'"'s smartphone a control message from the caller'"'"'s smartphone constituting a request to establish communication with the user'"'"'s smartphone, such control message including a credential of the caller;
  
  using a process running on the user'"'"'s smartphone, determining validity of the credential, and if the credential is determined to be valid, evaluating the credential for conformity with the set of criteria;
  
  if the credential is determined to be in conformity with the set of criteria, then allowing the communication to be established.
- View Dependent Claims (158, 159)
- - 158. A method according to claim 157, wherein the set of criteria includes presence of the name of the caller on a white list.
  - 159. A method according to claim 157, wherein the user has an age, and the set of criteria includes a requirement that the caller have an age that is within two years of the user'"'"'s age.

160. A data gathering device for communicating with a mobile electronic device of an individual, the mobile electronic device being capable of decrypting messages according to an encryption key of the individual, the data gathering device comprising:
- a sensor for gathering data;
  
  a cryptographic module for encrypting gathered data using the encryption key; and
  
  a transmitter for transmitting encrypted data to the mobile electronic device.
- View Dependent Claims (161, 162, 163, 164, 165, 166, 167, 168)
- - 161. A device according to claim 160, wherein the transmitter is a Bluetooth transmitter.
  - 162. A device according to claim 160, wherein the cryptographic module is a hardware security module.
  - 163. A device according to claim 160, further comprising a smartcard, wherein the cryptographic module is embedded within the smartcard.
  - 164. A device according to claim 160, further comprising:
    - a receiver for receiving encrypted data from the mobile electronic device; and
      
      a display for displaying received data,wherein the cryptographic module is further capable of decrypting received data according to the encryption key.
  - 165. A device according to claim 164, wherein the display is a video display.
  - 166. A device according to claim 164, wherein the display is an audio display.
  - 167. A device according to claim 164, wherein the display is further capable of displaying gathered data.
  - 168. A device according to claim 160, wherein the sensor gathers medical data, and the data gathering device is a medical device.

169. A method for securely obtaining, from a medical data gathering device, medical data pertinent to an individual, the method comprising:
- receiving the medical data over a wireless network from a smartphone of the individual coupled to the medical data gathering device, wherein;
  
  (i) the smartphone stores and forwards, over the wireless network, the data from the medical data gathering device; and
  
  (ii) the medical data are encrypted with a public key of the individual.
- View Dependent Claims (170, 171, 172, 173, 174, 175)
- - 170. A method according to claim 169, wherein the smartphone is wirelessly coupled to the medical data gathering device.
  - 171. A method according to claim 169, wherein the smartphone includes flash memory in which the medical data are stored.
  - 172. A method according to claim 169, wherein the smartphone includes a storage module in which is stored a digitally signed document containing a set of credentials of the individual.
  - 173. A method according to claim 172, wherein the storage module also stores authentication data of the individual and the smartphone further includes a data entry arrangement for entering data into the device, a controller, coupled to the storage module and the data entry arrangement, programmed to require, as a condition to using the stored set of credentials for authentication purposes, entry of the authentication data into the device via the data entry arrangement, so as to authenticate a would-be user of the device as the individual.
  - 174. A method according to claim 169, further comprising storing the data received over the wireless network in a database coupled to a server for access by authorized medical professionals.
  - 175. A method according to claim 174, further comprising decrypting and granting access to the medical data in response to a request by a person determined to be an authorized medical professional.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InferSpect, LLC
Original Assignee
Suridx, Inc.
Inventors
Schibuk, Norman

Application Number

US12/267,065
Publication Number

US 20090132813A1
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06Q 20/223   based on the use of peer-to...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/389   Keeping log of transactions...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

G06Q 20/425   using two different network...

G07C 9/22   in combination with an iden...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

627 Citations

175 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

627 Citations

175 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links