TRUSTED CARD SYSTEM USING SECURE EXCHANGE

US 20100042846A1
Filed: 08/12/2009
Published: 02/18/2010
Est. Priority Date: 08/13/2008
Status: Abandoned Application

First Claim

Patent Images

1. A system for secure, role-based exchange of information between a client and at least one provider of services to the client, said system comprising:

a client device comprising a memory, said memory including data relating to the client, at least a portion of the data controlled by the client, a user access component, a queuing application, a routing application, and an enforcement agent stored therein;

a central server comprising an authentication method, a queuing application, a routing application, and a roles server running thereon, said central server including the data relating to the client; and

an interface device capable of communications with said central server and capable of communicative coupling with said client device, said system operable to;

upon a communicative coupling between said interface device and said client device, activate said user access component, in conjunction with said authentication method, to ensure that the client is the proper holder of said client device;

said enforcement agent operable with said roles server and user interface input from the client to define and maintain access rights to the data relating to the client for the at least one provider of services to the client, the provider of services to the client having access to said central server, the provider of services able to update said memory of said client device, and the data at said central server, based on the access rights defined by the client and contained within said enforcement agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for secure, role-based exchange of information between a client and providers of services is described. The system includes a client device having a memory that includes a portion of the data relating to the client, a user access component, and an enforcement agent. The system also includes a central server running an authentication methodology and a roles server. The central server includes the data relating to the client. The system further includes an interface device capable of communications with the central server and capable of communicative coupling with the client device. The system is operable to, upon a communicative coupling between the interface device and the client device, activate the user access method, in conjunction with the authentication method, to ensure that the client is the proper holder of the client device. The enforcement agent is operable with the roles server and user interface input from the client to define access rights to the client data for the providers of services, who also have access to the central server.

Citations

38 Claims

1. A system for secure, role-based exchange of information between a client and at least one provider of services to the client, said system comprising:
- a client device comprising a memory, said memory including data relating to the client, at least a portion of the data controlled by the client, a user access component, a queuing application, a routing application, and an enforcement agent stored therein;
  
  a central server comprising an authentication method, a queuing application, a routing application, and a roles server running thereon, said central server including the data relating to the client; and
  
  an interface device capable of communications with said central server and capable of communicative coupling with said client device, said system operable to;
  
  upon a communicative coupling between said interface device and said client device, activate said user access component, in conjunction with said authentication method, to ensure that the client is the proper holder of said client device;
  
  said enforcement agent operable with said roles server and user interface input from the client to define and maintain access rights to the data relating to the client for the at least one provider of services to the client, the provider of services to the client having access to said central server, the provider of services able to update said memory of said client device, and the data at said central server, based on the access rights defined by the client and contained within said enforcement agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A system according to claim 1 wherein said interface device comprises a personal computer.
  - 3. A system according to claim 1 wherein said client device comprises a USB interface operable for connection to said interface device.
  - 4. A system according to claim 1 wherein said enforcement agent interacts with said roles server to enforce any roles defined for the at least one provider of services by restricting access to only the data that is defined as accessible to that provider of services within said enforcement agent.
  - 5. A system according to claim 1 wherein accessibility to the portion of the data relating to the client and stored on the client device is defined by the client via a user interface when said client device is communicatively coupled to a machine hosting the user interface.
  - 6. A system according to claim 1 wherein a portion of the authentication method comprises an electronic key exchanged between said interface device and said central server, the electronic key originating from said client device.
  - 7. A system according to claim 1 wherein the data relating to the patient is encrypted.
  - 8. A system according to claim 1 wherein, based on roles defined by said roles server, at least one of the providers of service to the client is able to update at least some of the data relating to the client within said client device.
  - 9. A system according to claim 8 wherein the updating of the data relating to the client within said client device is written directly to said client device via said interface device.
  - 10. A system according to claim 8 wherein the updating of the data relating to the client within said client device is written to said client device via said interface device through instructions received from said server by said interface device.
  - 11. A system according to claim 8 wherein said central server is configured to queue data to be written to said client device, until said client device is communicatively coupled to said interface device and to said central server.
  - 12. A system according to claim 1 wherein said client device comprises a photograph of the client printed thereon and a barcode, both of which are utilized in authenticating the client to said system.
  - 13. A system according to claim 1 wherein at least a portion of the data relating to the client stored within said client device comprises medical records.
  - 14. A system according to claim 1 wherein said roles server comprises roles for the client and each of the providers of services to the client, said roles server programmed with a time limitation for at least one of the defined roles.
  - 15. A system according to claim 1 wherein said interface device comprises a magnetic strip reader and said client device comprises a magnetic strip, said magnetic strip reader and said magnetic strip utilized in authenticating the client to said system.
  - 16. A system according to claim 1 further comprising at least one provider device capable of interfacing to said interface device, said provider device comprising a memory, said memory including at least a portion of the data relating to the provider, a user access component, and an enforcement agent stored therein.

17. A method for providing controlled access by various providers of services to data related to a client, a portion of the data maintained within a client device, another portion of the data maintained at a central server, the providers of services and the client device communicatively coupled to the central server that includes an authentication method and a roles server running thereon, said method comprising:
- authenticating that the holder of the client device is the client using a user access method stored within the client device in conjunction with the authentication method running at the central server;
  
  providing a level of access to the data by the client, the level of access based on a role defined for the client within the roles server, the level of access enforced by an enforcement agent running on the client device; and
  
  providing a level of access to the data for the various providers, the level of access for each provider based on a role defined for each provider within the roles server, the level of access for each provider enforced by an enforcement agent running on the client device, the client capable of defining, within the enforcement agent, at least a portion of the level of access to the data for at least one of the providers.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. A method according to claim 17 wherein authenticating that the holder of the client device is the client using a user access method comprises exchanging an electronic key between the client device and the central server, the electronic key originating from the client device.
  - 19. A method according to claim 17 wherein providing a level of access to the data for the various providers comprises, based on roles defined by the roles server, allowing at least one of the providers update the data relating to the client within the client device and within the central server.
  - 20. A method according to claim 17 further comprising programming the roles server with a time limitation for at least one of the defined roles stored therein.
  - 21. A method according to claim 17 wherein providing a level of access to the data for the various providers comprises interfacing a provider device to the central server, the provider device including a memory having data relating to the provider, a user access component, and an enforcement agent stored therein.
  - 22. A method according to claim 17 further comprising routing a message from the central server to a third party device for at least one of payment, records update, and records confirmation.
  - 23. A method according to claim 17 further comprising queuing data relating to a partially completed transaction, until conditions are such that the transaction may be completed.

24. A method for securing communications between a portable memory device and a server, said method comprising:
- starting a client application when the portable memory device is connected to an interface capable of capable of communications with a server;
  
  establishing a secure channel between the client application and the server;
  
  authenticating a user of the portable memory device by;
  
  encrypting, at the server, a sessionID and sequence number using a public key associated with the portable memory device;
  
  encrypting, the encrypted sessionID and sequence number using a private key associated with the server to form an authentication transaction;
  
  sending, the sessionID and sequence number, encrypted with both the public key and the private key to the client application;
  
  decrypting, with the client application, the authentication transaction with a public key associated with the server;
  
  decrypting, with the client application, the sessionID and sequence number using a private key associated with the portable memory device; and
  
  using the sessionID and sequence number in transactions between the portable memory device and the server.
- View Dependent Claims (25, 26)
- - 25. A method according to claim 24 further comprising verifying, with the client application, the public key associated with the server against a certificate authority stored on the portable memory device to determine if the server is a trusted entity.
  - 26. A method according to claim 24 further comprising authorizing, at the server, the public key associated with the portable memory device against a certificate authority stored on the server to establish the portable memory device is a trusted device.

27. A portable device for secure storage of personal records, said portable device comprising:
- a physical interface for communicative coupling to an external device; and
  
  a memory accessible via said physical interface, said memory comprising;
  
  a data section operable for storage of the personal records;
  
  a user access component operable to provide an interface to records stored in said data section via the external device; and
  
  a security component, said security component activated upon communicative coupling of said physical interface to an external device, said security component operable with a roles server running external to said portable device to provide restricted access to portions of the personal records to a plurality of authorized users, the accessible portions for such authorized users based on roles for the authorized users as defined within said user access component by a person to whom said portable device has been allocated.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. A portable device according to claim 27 wherein personal records within said data section are encrypted and digitally signed.
  - 29. A portable device according to claim 27 wherein said user access component comprises a password protection mechanism such that a password has to be entered into the external device prior to access of the personal records.
  - 30. A portable device according to claim 27 further comprising printed material thereon, said printed material useful for verifying that a holder of the portable device is the owner of the device.
  - 31. A portable device according to claim 27 wherein said portable device comprises a body having dimensions substantially similar to a financial transaction card, said device comprising a UBS interface to said memory.
  - 32. A portable memory device according to claim 27 wherein said memory comprises an audit trail describing which authorized users had access to which portion of the personal records.
  - 33. A portable memory device according to claim 27 wherein the personal records are encrypted, the encryption defining a time limited access to the portions of the personal records by authorized users.

34. A method for maintaining personal record data on a portable memory device, said device allocated to a first user, the personal record data relating to the first user, said method comprising:
- authenticating the first user;
  
  authenticating that a second user has access to the personal record data;
  
  granting access to the second user, upon authentication, to an application operable to provide a user interface for accessing the personal record data;
  
  allocating a role to the second user, the second user role defined by the first user; and
  
  providing access and update privileges to the second user, to at least a portion of the personal record data relating to the first user, the privileges restricted based on the role allocated to the second user, the restricted privileges and allocated role enforced by an enforcement agent application resident on the portable memory device.
- View Dependent Claims (35, 36, 37, 38)
- - 35. A method according to claim 34 wherein authenticating that a second user has access to the personal record data comprises:
    - verifying a password assigned to the second user is correctly entered into the user interface;
      
      querying the enforcement agent on the portable memory device;
      
      extracting information from the portable memory device that identifies both the portable memory device and the first user; and
      
      validating a relationship between the first user and the second user.
  - 36. A method according to claim 35 wherein verifying a password comprises verifying the password entered into the user interface against a password stored within an embedded application stored within a second portable memory device allocated to the second user.
  - 37. A method according to claim 34 wherein authenticating that a second user has access to the personal record data relating to the first user comprises verifying, at a server, credentials received from an embedded application stored within a second portable memory device allocated to the second user.
  - 38. A method according to claim 34 wherein authenticating the first user comprises at least one ofvalidation of portable memory device credentials to identify the first user;
    - portable memory device-based authentication against a set of credentials stored on the portable memory device; and
      
      online authentication against a server-based credential store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secure Exchange Solutions LLC
Original Assignee
Secure Exchange Solutions LLC
Inventors
Lloyd, Gregory W., Macaulay, Ewan S., Beck, Michael D., Trotter, Douglas H.

Application Number

US12/540,241
Publication Number

US 20100042846A1
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/104   Grouping of entities

TRUSTED CARD SYSTEM USING SECURE EXCHANGE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED CARD SYSTEM USING SECURE EXCHANGE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links