Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones
First Claim
1. A process for authenticating an individual to participate in a transaction with a relying party, the process comprising:
producing a mobile electronic device, the device storing a digitally signed document containing a set of credential data of the individual, and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual;
entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data; and
causing the device to communicate the set of credential data to a system of the relying party, for purposes of authenticating the individual to participate in the transaction.
Abstract
Apparatus and methods perform transactions in a secure environment between an individual and another party, such as a merchant, in various embodiments. The individual possesses a mobile electronic device, such as a smartphone, that can encrypt data according to a public key infrastructure. The individual authenticates the individual's identity to the device, thereby unlocking credentials that may be used in a secure transaction. The individual causes the device to communicate the credentials, in a secure fashion, to an electronic system of a relying party, in order to obtain the relying party's authorization to enter the transaction. The relying party system determines whether to grant the authorization, and communicates the grant and the outcome of the transaction to the device using encryption according to the public key infrastructure.
627 Citations
175 Claims
1. A process for authenticating an individual to participate in a transaction with a relying party, the process comprising:
producing a mobile electronic device, the device storing a digitally signed document containing a set of credential data of the individual, and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual; entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data; and causing the device to communicate the set of credential data to a system of the relying party, for purposes of authenticating the individual to participate in the transaction.
Dependent claims: 2-33.

34. A process for use by a relying party in authenticating an individual having a mobile electronic device to participate in a transaction with the relying party, the device storing a digitally signed document containing a set of credential data of the individual and requiring, as a condition to using the stored set of credential data for authentication purposes, entry into the device of authentication data authenticating a would-be user of the device as the individual, the process comprising:
receiving, in a system in communication with the device, the digitally signed document from the device, wherein receipt of the digitally signed document constitutes verification of entry into the device of the authentication data; using the system to evaluate a credential in the set of credentials; and storing data, associated with the transaction and the digitally signed document, in the system of the relying party in a transaction log.
Dependent claims: 35-64.

65. A mobile electronic device, usable by an individual for authentication of transactions, the device comprising:
a storage module in which are stored: (i) a digitally signed document containing a set of credentials of the individual, and (ii) authentication data of the individual; a data entry arrangement for entering data into the device; a controller, coupled to the storage module and the data entry arrangement, programmed to require, as a condition to using the stored set of credentials for authentication purposes, entry of the authentication data into the device via the data entry arrangement, so as to authenticate a would-be user of the device as the individual; and a communication port for receiving and transmitting the digitally signed document.
Dependent claims: 66-73.

74. A process for configuring an electronic device to be usable by an individual for authentication of transactions, the process comprising:
storing a digitally signed document in the electronic device, the digitally signed document including credential data derived from a set of credentials pertaining to the individual; storing, in the electronic device, authentication data associated with the individual; wherein the device includes an access control module that precludes access to the credential data without entry into the device of the authentication data.
Dependent claims: 75-84.

85. A computer-implemented method of developing information pertinent to authentication of a set of credentials of a given individual, the set of credentials associated with a plurality of sets of credentials of other individuals, the method comprising:
for each of the individuals, verifying such individual's credentials as being at the end of a chain of trust, placing such individual's credentials in a digitally signed document, and storing the digitally signed document in a credential database; and automatically and repetitively checking, in a computer process, for revocation of any credentials in the credential database and storing data identifying credentials that have been revoked.
Dependent claims: 86-90.

91. A computer-implemented method of authenticating a given individual's set of credentials, each credential in the set having been authenticated as of a given time, the method comprising:
receiving the set of credentials over a communications network; and in a computer process, comparing the set of credentials against a database listing of revoked credentials to identify a credential in the set that has been revoked since the given time.
Dependent claims: 92-95.

96. A computer-implemented method of processing transactions between a relying party having a transaction system, and a set of individuals, each individual in the set of individuals having an electronic device capable of communication with the transaction system, the method comprising:
obtaining access to a first digitally signed document created in the transaction system of the relying party, the document containing one or more transaction records, each transaction record having data pertaining to a selected transaction between the relying party and a selected individual in the set of individuals; and for each selected transaction, obtaining access to a second digitally signed document created in the electronic device of the selected individual, the document containing a transaction record corresponding to the selected transaction; and in a computer process, checking for consistency between the transaction record in the first digitally signed document and the transaction record in the second digitally signed document.
Dependent claims: 97-104.
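Claim 91 (comparing a credential set against a revocation database for revocations after the "given time") and claim 96 (checking a relying party's signed transaction record against the device's signed copy) both rest on the same primitive: verify the digitally signed document before trusting anything in it. The Go program below is an added example written for this page, not code from the patent or from any product it covers. It assumes Ed25519 signatures over a JSON body as the "digitally signed document", a hypothetical CredentialSet payload whose VerifiedAt field stands in for claim 91's "given time", a revocation database modelled as a map from credential identifier to revocation time, and a hypothetical TxRecord shared by the relying party's transaction log and the device. All keys and sample data are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedDoc is a constructed stand-in for the patent's "digitally signed
// document": a JSON body plus an Ed25519 signature over those exact bytes.
type SignedDoc struct {
	Body []byte
	Sig  []byte
}

// Sign serialises v as JSON and signs the resulting bytes.
func Sign(priv ed25519.PrivateKey, v any) (SignedDoc, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return SignedDoc{}, err
	}
	return SignedDoc{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Open verifies the signature first and only then parses the body, so a
// forged or tampered document never reaches the application logic.
func Open(pub ed25519.PublicKey, doc SignedDoc, out any) error {
	if !ed25519.Verify(pub, doc.Body, doc.Sig) {
		return errors.New("signature verification failed")
	}
	return json.Unmarshal(doc.Body, out)
}

// CredentialSet is the hypothetical payload of a credential document.
// VerifiedAt is the time (claim 91's "given time") at which the credentials
// were last checked against their chain of trust.
type CredentialSet struct {
	Subject     string   `json:"subject"`
	Credentials []string `json:"credentials"`
	VerifiedAt  int64    `json:"verified_at"`
}

// RevokedSince is the comparison of claim 91: after verifying the issuer's
// signature, it returns every credential whose revocation time in the
// revocation database is later than the document's verification time.
func RevokedSince(issuerPub ed25519.PublicKey, doc SignedDoc, revoked map[string]int64) ([]string, error) {
	var set CredentialSet
	if err := Open(issuerPub, doc, &set); err != nil {
		return nil, err
	}
	var hits []string
	for _, id := range set.Credentials {
		if revokedAt, ok := revoked[id]; ok && revokedAt > set.VerifiedAt {
			hits = append(hits, id)
		}
	}
	return hits, nil
}

// TxRecord is the hypothetical transaction record that both the relying
// party's log and the individual's device keep for one transaction.
type TxRecord struct {
	TxID   string `json:"tx_id"`
	Amount int64  `json:"amount"`
	Party  string `json:"party"`
}

// ConsistentRecords is the check of claim 96: each record must verify under
// its own signer's key, and the two records must agree field by field.
func ConsistentRecords(rpPub, devPub ed25519.PublicKey, rpDoc, devDoc SignedDoc) (bool, error) {
	var rp, dev TxRecord
	if err := Open(rpPub, rpDoc, &rp); err != nil {
		return false, fmt.Errorf("relying party record: %w", err)
	}
	if err := Open(devPub, devDoc, &dev); err != nil {
		return false, fmt.Errorf("device record: %w", err)
	}
	return rp == dev, nil
}

func main() {
	// Constructed sample data: one credential issuer, one relying party, one device.
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rpPub, rpPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)

	cred, _ := Sign(issuerPriv, CredentialSet{Subject: "alice", Credentials: []string{"DL-1", "PASS-2"}, VerifiedAt: 100})
	revoked := map[string]int64{"DL-1": 150, "PASS-2": 50} // PASS-2 was revoked before the verification time
	hits, err := RevokedSince(issuerPub, cred, revoked)
	fmt.Println("revoked since verification:", hits, err) // [DL-1] <nil>

	rec := TxRecord{TxID: "tx-1", Amount: 4200, Party: "merchant"}
	rpDoc, _ := Sign(rpPriv, rec)
	devDoc, _ := Sign(devPriv, rec)
	ok, err := ConsistentRecords(rpPub, devPub, rpDoc, devDoc)
	fmt.Println("records consistent:", ok, err) // true <nil>
}
```

Two details matter for a practitioner. Open refuses to parse a body whose signature does not verify, so the revocation and consistency logic only ever sees data the issuer, relying party or device actually signed; a swapped key or a single flipped byte is rejected before any field is read. RevokedSince deliberately ignores a revocation dated before the document's verification time, because such a credential would already have been excluded when the chain of trust was checked (claim 85), whereas a revocation after that time is exactly the case claim 91 sets out to detect.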
105. A system enabling a second party to obtain data in a secure manner from a first party, the system comprising:
a receiving port for securely receiving the data, along with a digitally signed document associated with the first party and a reference to the second party; a physical data storage medium for storing the received data and the digitally signed document in association with the second party; a processor for validating that the sender of the received data is the first party using the digitally signed document, and for determining whether to securely forward data stored in the storage area to the second party according to a rule associated with the first party and the second party; and a transmitting port for forwarding the data to a computer facility of the second party.
Dependent claims: 106-107.

108. A computerized method enabling a second party to obtain data in a secure manner from a first party, the method comprising:
receiving from the first party items including the data, a digitally signed document associated with the data and with the first party, and a reference to the second party; verifying that the received data were sent by the first party, by using the digitally signed document; storing the data in association with the digitally signed document and with the reference; and making the stored data available to the second party using the reference, such that the second party may securely access the data.
Dependent claims: 109-131.

132. A computerized method for creating a virtual smartcard for an individual based on a physical credential applicable to the individual, the method comprising:
receiving, over a communications network, credential data derived from the physical credential; receiving, over the communications network, authentication data pertinent to the individual; using a computer process to establish a pair of cryptographic keys; and creating a virtual smartcard for the individual by storing the credential data and the authentication data in association with the pair of cryptographic keys.
Dependent claims: 133-134.

135. A method of evaluating a primary credential issued by an agency, the method comprising:
using the primary credential to access from storage a summary certificate associated in the storage with the primary credential, the summary certificate containing a collection of secondary credentials considered by the agency in issuing the primary credential; in a revocation computer process, collecting secondary credential revocation information by (i) identifying each of the secondary credentials that is the subject of a revocation, and, (ii) for each revoked credential, accessing data that characterize a basis for the revocation; and in an evaluation computer process, applying a set of policy rules to the collected secondary credential revocation information to evaluate its effect on the primary credential.
Dependent claims: 136-140.

141. A computerized method for responding to a given individual's request for access, the method comprising:
receiving, over a first communications network, a first data set defining rights of the given individual to access; receiving, over a second communications network, from a token possessed by the given individual, a digitally signed document including a second data set defining rights of the given individual relating to the access; and in a computer process, comparing the first access rights data and the second access rights data to respond to the given individual's access rights.
Dependent claims: 142-149.

150. A non-volatile memory device encoded with computer-readable data, such device including a first portion thereof configured as WORM memory in which are encoded credential data and a second portion thereof configured as WMRM memory.

154. A method for efficiently authenticating an individual in connection with a transaction, at a physical transaction location, such location using a public key infrastructure and having a terminal for use in the transaction, the method comprising:
using data provided over a cellular telephone network to estimate a present location of a smartphone of the individual on which is stored credential data relating to a credential of the individual, such smartphone requiring the individual to authenticate himself to the smartphone as a condition of use of the credential data; if the present location is determined to be within a specified range of the physical transaction location, sending data as to status of the credential to the terminal, so that the individual will be able to present the credential for use in the transaction only by authenticating himself to the smartphone, and status information of the credential will be available to the terminal for use in connection with the transaction when the individual appears at the physical location.
Dependent claims: 155-156.

157. A method for gating communication to a user's smartphone from a caller's smartphone based on a set of pre-specified criteria as to attributes of the caller, the method comprising:
receiving on the user's smartphone a control message from the caller's smartphone constituting a request to establish communication with the user's smartphone, such control message including a credential of the caller; using a process running on the user's smartphone, determining validity of the credential, and if the credential is determined to be valid, evaluating the credential for conformity with the set of criteria; if the credential is determined to be in conformity with the set of criteria, then allowing the communication to be established.
Dependent claims: 158-159.

160. A data gathering device for communicating with a mobile electronic device of an individual, the mobile electronic device being capable of decrypting messages according to an encryption key of the individual, the data gathering device comprising:
a sensor for gathering data; a cryptographic module for encrypting gathered data using the encryption key; and a transmitter for transmitting encrypted data to the mobile electronic device.
Dependent claims: 161-168.

169. A method for securely obtaining, from a medical data gathering device, medical data pertinent to an individual, the method comprising:
receiving the medical data over a wireless network from a smartphone of the individual coupled to the medical data gathering device, wherein: (i) the smartphone stores and forwards, over the wireless network, the data from the medical data gathering device; and (ii) the medical data are encrypted with a public key of the individual.
Dependent claims: 170-175.

Specification