Electronic Identity and Credentialing System

US 20150095999A1
Filed: 10/01/2014
Published: 04/02/2015
Est. Priority Date: 10/01/2013
Status: Active Grant

First Claim

Patent Images

1. An electronic identity and credentialing system comprising of:

acquiring, issuing and using electronic identities;

wherein, the system is comprised of collaborating users, each user owning personal identifying information and owning at least one personal identity device, interoperable with the personal identity devices of other users;

wherein a personal identity device has a network interface, a digital camera, a user interface, a biometric module, authentication data, electronic documents and messages, and a pre-installed identity engine;

wherein the identity engine has electronic credentials contained therein specifying selected identifying information of the e-credential owner, the identity engine also controlling e-credentials of other device users contained therein, and a protected memory store;

wherein the protected memory store, possibly removable from the personal identity device, is controlled by the identity engine to safeguard secrets of the device owner therein, the identity engine not disclosing the secrets of the owner, the secrets utilized for pre-determined operations of the identity engine;

wherein owners of personal identity devices in their physical custody, each owner persistently bound to their device by way of authentication data, selecting an e-credential attested to by other device users, the owner can utilize their personal identity device to unambiguously identify themselves and securely collaborate with other device owners using cryptographic methods bound to the selected e-credential which cannot be employed by another user to masquerade as the device owner because the other user does not have the private keys paired with the public keys embedded in the selected e-credential;

whereby if the protected memory store containing the secrets of the owner is removable and is subsequently removed by the owner, the owner'"'"'s device is thereby rendered inoperable.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is an electronic credentialing system that allows personal identity devices to interact; each interacting device has an installed identity engine that acquires, holds, issues and uses electronic credentials (e-credentials), these electronic credentials can be installed on personal identity devices, such as: smart phones, tablets, laptops, embedded systems, and/or personal computers.

Citations

13 Claims

1. An electronic identity and credentialing system comprising of:
- acquiring, issuing and using electronic identities;
  
  wherein, the system is comprised of collaborating users, each user owning personal identifying information and owning at least one personal identity device, interoperable with the personal identity devices of other users;
  
  wherein a personal identity device has a network interface, a digital camera, a user interface, a biometric module, authentication data, electronic documents and messages, and a pre-installed identity engine;
  
  wherein the identity engine has electronic credentials contained therein specifying selected identifying information of the e-credential owner, the identity engine also controlling e-credentials of other device users contained therein, and a protected memory store;
  
  wherein the protected memory store, possibly removable from the personal identity device, is controlled by the identity engine to safeguard secrets of the device owner therein, the identity engine not disclosing the secrets of the owner, the secrets utilized for pre-determined operations of the identity engine;
  
  wherein owners of personal identity devices in their physical custody, each owner persistently bound to their device by way of authentication data, selecting an e-credential attested to by other device users, the owner can utilize their personal identity device to unambiguously identify themselves and securely collaborate with other device owners using cryptographic methods bound to the selected e-credential which cannot be employed by another user to masquerade as the device owner because the other user does not have the private keys paired with the public keys embedded in the selected e-credential;
  
  whereby if the protected memory store containing the secrets of the owner is removable and is subsequently removed by the owner, the owner'"'"'s device is thereby rendered inoperable.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The electronic identity and credentialing system of claim 1,wherein the owner of a personal identity device is bound to the device by way of physical custody;
    - wherein authentication data of the device owner, being secrets of the owner, including PINs, passwords, and biometric minutia of the device owner, are captured and updated by means of the user interface and the biometric module, are retained in the protected memory store controlled by the identity engine, and are provided by the identity engine to the user interface and biometric module when requested and when said authentication data is available, thereby logically binding the personal identity device to the device owner and the e-credentials contained within the identity engine;
      
      wherein the identity engine is operable to issue requests to the user interface and biometric module to authenticate the device owner, providing authentication data to the user interface and biometric module, and in response receiving notifications of the success or failure of authentication attempts, thereby additionally binding the device owner to the e-credentials of the owner retained by the identity engine.
  - 3. The electronic identity and credentialing system of claim 1,wherein an e-credential of the owner additionally contains three public encryption keys, each public key crypto-logically bound to a paired private key, the private keys being secrets of the device owner retained in the protected memory store, not being disclosed by the identity engine to other parties, the e-credentials of other users disclosing only the public keys embedded in said e-credentials;
    - wherein, the three paired public and private keys associated with an e-credential of an owner, thereby associated with specified personal identifying information of the owner, are bound to pre-determined cryptographic methods of the identity engine including a cryptographic method whereby a first owner of a personal identity device, having proofed the personal identifying information specified by the e-credential of a second owner, can bind an attestation that cannot be repudiated to the identity of the second device owner by affixing a cryptographic signature to the e-credential of the second device owner.
  - 4. The electronic identity and credentialing system of claim 1,wherein the protected memory store, if removable and in the control of the device owner by way of physical custody, can be utilized by the device owner to disable device owner authentication while also breaking the logical bindings between the personal identifying information contained in the e-credentials of the device owner and the crypto-logical bindings enabling the pre-determined cryptographic methods of the identity engine, said bindings being re-established when the device owner re-attaches the protected memory store.
  - 5. The electronic identity and credentialing system of claim 1,wherein an e-credential is an electronic document specifying selected personal identifying information of the e-credential owner and three public-private encryption key pairs, the three public encryption keys embedded in the e-credential, the three paired private encryption keys maintained by the identity engine outside the context of the e-credential in a protected memory store;
    - wherein an e-credential includes an e-credential identifier, an issue date, an expiry date, if any, and an e-credential type;
      
      wherein an e-credential also includes attributes of the e-credential owner including at least one identifying name of the owner, including a full legal name, a commonly used name, and a pseudonym;
      
      a plurality of distinguishing features of the owner including hair color, eye color, height, markings;
      
      a plurality of life events and dates of the owner including birth, baptism, marriage, divorce, and death;
      
      a plurality of endorsements of the owner including driving, citizenship, immigration, travel, voting, work authorization, professional, permissions, roles, responsibilities, and financial authorizations;
      
      a plurality of restrictions including handicaps, aids, travel and legal; and
      
      personal identifying information including physical credentials, certifications, and digital photographs including photographs and photocopies of physical credentials, certifications, utility bills and other personal identifying information;
      
      wherein an e-credential also contains a plurality of issuing records, a record including encounter date(s), types of encounters, number of years the owner was known by the issuer, the certifications and qualifications of the issuer, the jurisdiction, policies, procedures of the issuer, identifying information proofed by the issuer, attributes of the owner attested to by the issuer, and attributes conferred on the e-credential owner by the issuer,wherein an e-credential additionally has a digital sealing image employed by the identity engine to render a digital seal created and applied by the e-credential owner to electronic artifacts;
      
      wherein an e-credential further has affixed a plurality of digital seals rendered and applied by the identity engines of collaborating users (e-credentials issuers), and possibly affixed by the identity engine of the e-credential owner;
      
      wherein an e-credential is used to represent the identity of the e-credential owner to other personal identity device users, to remote identity services, and to remote service providers.
  - 6. The electronic identity and credentialing system of claim 5,Wherein the three public-private encryption key pairs, said pairs being bound to each other crypto-logically and being logically bound to the e-credential of an owner that has been proofed and attested to by other users, include a private digital signing key (s) paired with a public verification key (v), a private decryption key (d) paired with a public encryption key (e), and a private embossing key (ε
    - ) paired with a public inspection key (i),wherein the digital signing key s of a proofed and attested to e-credential of a first user, the e-credential owner, s being a private key bound to the first user by means of an identity engine of the first user, can be used by the identity engine to calculate a digital signature over an electronic artifact, including a message, a document and an e-credential; and
      
      the paired verification key v embedded in the e-credential of the first user can be used by an identity engine of a second user, including the identity engine of the first user, to verify that the digital signature calculated over said artifact must have been calculated by the identity engine of the first user, thereby verifying that the artifact must have been originated by the first user, and no other user;
      
      wherein the encryption key e, a public key embedded in the proofed and attested to e-credential of a first user, the e-credential owner, can be used by the identity engine of a second user to encrypt electronic artifacts, including messages, documents and e-credentials, sent to the identity engine of the first user which can use paired private decryption key (d) bound by means of the identity engine of the first user, to decrypt the artifact, thereby ensuring that only the e-credential owner, and no other owner, can read the artifact;
      
      wherein the embossing key ε
      
      of a proofed and attested to e-credential of a first user, the e-credential owner, ε
      
      being a private key bound to the first user by means of an identity engine of the first user, can be used by the identity engine to create a digital seal over an electronic artifact, including a message, a document and an e-credential; and
      
      the paired inspection key i embedded in the e-credential of the first user can be used by an identity engine of a second user, including the identity engine of the first user, to verify that the digital seal over said artifact must have been created by the identity engine of the first user, thereby verifying that the digital seal must have been applied by the first user, and no other user.Wherein an e-credential owner cannot repudiate having digitally signed a message, document or e-credential;
      
      whereby a message, document or e-credential encrypted by a user employing the e-credential of an owner can only be decrypted by the e-credential owner; and
      
      an e-credential owner cannot repudiate having applied a digital seal to a message, document, or e-credential.

7. A method for handling digital seals applied to electronic artifacts, including documents, messages and e-credentials, comprising the steps of:
- applying a digital seal to an electronic artifact, and;
  
  inspecting the digital seal applied to the electronic artifact.
- View Dependent Claims (8, 9)
- - 8. The method for handling digital seals as in claim 7 further comprising the steps of:
    - selecting an e-credential of the owner;
      
      acquiring a declaration from the e-credential owner that related to the electronic artifact;
      
      selecting pre-determined elements of the electronic artifact;
      
      selecting the digital sealing image, the public inspection key (i), the paired private embossing key (ε
      
      ), and pre-determined attributes of the e-credential including at least the e-credential identifier, concatenating the declaration, the pre-determined elements of the artifact, the digital sealing image, the inspection key (i), and the pre-determined attributes of the e-credential, yielding a digest;
      
      encrypting the digest by means of the embossing key (ε
      
      ) thereby yielding a digital seal signature;
      
      combining the declaration, the digital sealing image, the inspection key (i), the digital seal signature, and the pre-determined attributes of the e-credential, rendering a digital seal, and affixing the digital seal to the electronic artifact.
  - 9. The method for handling digital seals as in claim 7 further comprising the steps of:
    - selecting the digital seal affixed to the electronic artifact;
      
      extracting the declaration, the digital sealing image, the inspection key (i), the digital seal signature, and the pre-determined attributes of the e-credential from the digital seal;
      
      concatenating the declaration, the pre-determined elements of the artifact, the digital sealing image, the inspection key (i), and the pre-determined attributes of the e-credential, yielding a digest;
      
      decrypting the digital seal signature by means of the inspection key (i), yielding a result;
      
      comparing the digest to the result;
      
      indicating that the digital seal was successfully verified if the digest and result match, and indicating that the digital seal was not successfully verified if the digest and the result do not match.Wherein the e-credential owner, being the only person having the embossing key (ε
      
      ), and having applied the embossing key to cryptographically combine, by means of digital sealing, the declaration of the owner, the identity of the owner, and the electronic artifact, cannot repudiate their declaration as it relates to the electronic artifact; and
      
      whereby a user can use the inspection key (i) of the e-credential of the owner to verify the digital seal and thereby obtain assurances that the owner'"'"'s declaration related to the electronic artifact is truthful.

10. A method for acquiring attested electronic credentials comprising the steps of:
- preparing and submitting an e-credential request to an issuer;
  
  receiving an e-credential request and attesting to the personal identifying information of the requester;
  
  and issuing an attested e-credential to the requester.
- View Dependent Claims (11, 12, 13)
- - 11. The method for acquiring attested electronic credentials as in claim 10 further comprising the steps of:
    - selecting and specifying the fields of a new or existing e-credential with personal identifying information of the requester;
      
      creating three public-private key pairs, unless already extant, embedding the public keys into the e-credential and retaining the private keys in a separate protected memory store;
      
      submitting the e-credential, including other personal identifying information of the requester, to an e-credential issuer.
  - 12. The method for acquiring attested electronic credentials as in claim 10 further comprising the steps of:
    - receiving an e-credential request by way of an in-person encounter, a synchronous online encounter, or an asynchronous network encounter;
      
      examining the request, including the provided e-credential and personally identifying information;
      
      proofing the requester by matching the provided identifying information to the requester, and asking probing questions;
      
      if satisfied, attaching a declaration to the provisioned e-credential, and digitally sealing the declaration and the e-credential by means of a selected e-credential of the issuer;
      
      if not satisfied, returning a rejection notice to the requester.
  - 13. The method for acquiring attested electronic credentials as in claim 10 further comprising the steps of:
    - returning the digitally sealed declaration to the requester;
      
      documenting the request and writing a transaction record into a registry;
      
      identifying information of the requester embedded in the issued e-credential is attested by the e-credential issuer who cannot repudiate having proofed and digitally signed the issued e-credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kalman Csaba Toth
Original Assignee
Kalman Csaba Toth
Inventors
Toth, Kalman Csaba

Granted Patent

US 9,646,150 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/45   Structures or tools for the...

G06F 21/645   using a third party

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 63/126   the source of the received ...

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/126   Anti-theft arrangements, e....

Electronic Identity and Credentialing System

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic Identity and Credentialing System

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links