Method, system and service for conducting authenticated business transactions

US 6,957,199 B1
Filed: 06/05/2001
Issued: 10/18/2005
Est. Priority Date: 08/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for conducting authenticated business transactions involving communications using microprocessor equipped devices to communicate over a distributed network, the method being carried out by an on-line authentication service available on the distributed network, comprising the acts of:

a) enrolling a multiplicity of users with a closed authentication infrastructure, wherein enrolling comprises obtaining and verifying the identity and other credentials of the multiplicity of users and providing each user with a unique secret necessary for later authentication to said on-line authentication service and storing the verified identity and other credentials in at least one database;

b) authenticating a plurality of the multiplicity of users to said on-line authentication service using each user'"'"'s unique secret to produce a plurality of authenticated users;

c) enabling a plurality of groups each group comprising at least two of said plurality of authenticated users to conduct interactions comprising a plurality of messages under persistent mediation of said on-line authentication service, such that each of the plurality of messages passes through said on-line authentication service and is directly monitored by said on-line authentication service;

d) wherein persistent mediation of an interaction further comprises the acts of directly compiling an audit trail of an interaction and making the audit trail available to the at least two users in the interaction in an intelligible form at any time during the interaction at the option of the at least two users, and wherein the audit trail comprises at least some of the content of the plurality of messages in the interaction; and

e) further comprising the act of providing a discovery portal available to authenticated users through the on-line authentication service such that users can search for other users based on their verified and dynamically variable credentials, whereby users may conduct authenticated interactions with each other without having a prior relationship.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention pertains to a method, online service, and system, for creating partnerships based on trust relationships over a public network, authenticating trade partners, infrastructure providers and collaborators to each other, and providing users with an environment suitable for conducting transactions requiring a high level of trust. A service according to the invention is a persistent authentication and mediation service (PAMS) which is provided as an on-line service. One embodiment is a method for conducting authenticated business transactions involving microprocessor equipped devices over the Internet comprising:

- A. providing an on-line authentication service available on the distributed network;
- B. authenticating a plurality of users to said on-line authentication service using a closed authentication system to produce a plurality of authenticated users; and
- C. connecting a group of at least two of said plurality of authenticated users under persistent mediation of said on-line authentication service, producing a connected group of authenticated users.

389 Citations

29 Claims

1. A method for conducting authenticated business transactions involving communications using microprocessor equipped devices to communicate over a distributed network, the method being carried out by an on-line authentication service available on the distributed network, comprising the acts of:
- a) enrolling a multiplicity of users with a closed authentication infrastructure, wherein enrolling comprises obtaining and verifying the identity and other credentials of the multiplicity of users and providing each user with a unique secret necessary for later authentication to said on-line authentication service and storing the verified identity and other credentials in at least one database;
  
  b) authenticating a plurality of the multiplicity of users to said on-line authentication service using each user'"'"'s unique secret to produce a plurality of authenticated users;
  
  c) enabling a plurality of groups each group comprising at least two of said plurality of authenticated users to conduct interactions comprising a plurality of messages under persistent mediation of said on-line authentication service, such that each of the plurality of messages passes through said on-line authentication service and is directly monitored by said on-line authentication service;
  
  d) wherein persistent mediation of an interaction further comprises the acts of directly compiling an audit trail of an interaction and making the audit trail available to the at least two users in the interaction in an intelligible form at any time during the interaction at the option of the at least two users, and wherein the audit trail comprises at least some of the content of the plurality of messages in the interaction; and
  
  e) further comprising the act of providing a discovery portal available to authenticated users through the on-line authentication service such that users can search for other users based on their verified and dynamically variable credentials, whereby users may conduct authenticated interactions with each other without having a prior relationship.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the method further comprises the act of enabling the plurality of authenticated users to interact with each other in collaboration groups through the on-line authentication service when a collaboration group comprises at least two users each using a browser operated computing device.
  - 3. The method of claim 2 wherein the act of enabling the plurality of authenticated users to interact with each other in collaboration groups further comprises enabling the at least two users in a collaboration group to make a selection during the interaction of at least part of the audit trail for archival by the on-line authentication service such that it will be held under the control of the on-line authentication service for access by any of the at least two users in the interaction after the interaction is complete.
  - 4. The method of claim 2, wherein the collaboration group comprising at least two users each using a browser operated computing devise comprises greater than two users each using a browser operated computer device.
  - 5. The method of claim 1, further comprising the act of accepting dynamically variable credentials from at least some of the plurality of authenticated users, and wherein the act of providing a discovery portal further comprises the act of providing the plurality of users with the capability of searching for other users based on dynamically variable credentials.

6. A method for conducting authenticated business transactions involving communications using microprocessor equipped devices to communicate over a distributed network, the method being carried out by an on-line persistent authentication and mediation service available on the distributed network, comprising the acts of:
- a) enrolling users seeking enrollment in the persistent authentication and mediation service, to produce a multiplicity of enrolled users, wherein enrolling comprises obtaining and verifying the identity and other credentials of the multiplicity of users and providing each user with a unique secret necessary for later authentication to said on-line persistent authentication and mediation service;
  
  b) storing the verified identity and other credentials in at-least one database;
  
  c) receiving on-line requests from enrolled users for authentication to the on-line authentication service;
  
  d) authenticating enrolled users seeking authentication to the persistent authentication and mediation service using each enrolled user'"'"'s unique secret, so as to maintain a plurality of authenticated users;
  
  e) receiving requests from authenticated users to be connected to particular other authenticated users;
  
  f) connecting groups of at least two authenticated users under persistent mediation of the persistent authentication and mediation service and enabling the at least two authenticated users which are connected to conduct an interaction comprising a plurality of messages;
  
  g) repeating act (f) to produce a plurality of groups of connected users;
  
  h) mediating the interaction among the at least two users of each of said plurality of groups of connected users such that each message in the interaction passes through the persistent authentication and mediation service;
  
  i) directly compiling an audit trail of the interaction and making information from the audit trail available to the at least two users of each group of connected users in intelligible form during the interaction andj) wherein the act of enrolling users seeking enrollment in the persistent authentication and mediation service comprises the acts of;
  
  i) distributing software to a user seeking enrollment which enables microprocessor equipped devices operated by the user seeking enrollment to interact with said persistent authentication and mediation service;
  
  ii) generating a unique private key, and a unique public key for the user seeking enrollment;
  
  iii) obtaining permanent credentials particular to each of the users seeking enrollment, said credentials comprising public permanent credentials and secret permanent credentials;
  
  iv) deciding whether to approve the applicant seeking enrollment;
  
  v) distributing the unique secret comprising the unique private key in the form of a camouflaged private encryption key to the user seeking enrollment if the user seeking enrollment is approved, wherein the private encryption key is camouflaged in a software container, whereby the user'"'"'s camouflaged private encryption key will generate a correct response to an authentication challenge if a proper access code is entered, but often generates an incorrect but plausible response if an improper access code is entered, whereby if an incorrect response is used notice will be provided to the on-line persistent authentication and mediation service of a security attack;
  
  vi) distributing the unique public key to the user, wherein said unique public key is in a form which can only be decrypted with a key held under exclusive control of the persistent authentication and mediation service, whereby the persistent authentication and mediation service acts as a closed authentication infrastructure;
  
  vii) storing said permanent credentials in a customer database, said customer database being accessible to said persistent authentication and mediation service, whereby the user seeking enrollment becomes one of said multiplicity of enrolled users; and
  
  viii) repeating steps
  
  1) through vii) for each applicant seeking enrollment.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The method of claim 6 wherein the act of authenticating enrolled users seeking authentication to the persistent authentication and mediation service comprises the acts of:
    - a) generating a challenge message and sending it over the public network to an enrolled user seeking authentication,b) receiving a response to the challenge from the user seeking authentication, said response comprising an encrypted message and the encrypted unique public key of the enrolled user seeking authentication,c) verifying the authenticity of the response to the challenge, the act of verifying the authenticity comprising the act of decrypting the unique public key and then decrypting the response using the unique public key of the enrolled user seeking authentication to produce a decrypted response,d) authenticating the enrolled user seeking authentication if the decrypted response indicates that the response was authentic, whereby the enrolled user seeking authentication becomes an authenticated user,e) rejecting the user if the decrypted response indicates that the response was not authentic, andf) repeating steps (a) through (e) for each enrolled user seeking authentication.
  - 8. The method of claim 7 further comprising the acts of:
    - a) allowing authenticated users to optionally submit variable credentials;
      
      b) receiving variable credentials submitted by authenticated users;
      
      c) storing the variable credentials in the customer database according to user;
      
      d) providing authenticated users discovery software, whereby authenticated users may dynamically discover enrolled users according to search criteria; and
      
      e) granting authenticated users access to search the public permanent credentials and the variable credentials in the customer database, using said discovery software.
  - 9. The method of claim 8 further comprising making available collaboration software to each of said plurality of groups of connected users is to facilitate communication among the at least two authenticated users of each group, wherein said collaboration software makes information from the audit trail available to each of said at least two authenticated users of each of said plurality of groups of connected users.
  - 10. The method of claim 9 wherein:
    - a) the unique secret comprises a cryptographically camouflaged private key in a software container;
      
      b) wherein the unique public key is encrypted with a key held under the exclusive control of the persistent authentication and mediation service and stored in a digital certificate; and
      
      c) wherein the act of authenticating an enrolled user to the persistent authentication and mediation service further comprises the act of decrypting the encrypted unique public key unique to the enrolled user prior to decrypting the response.
  - 11. The method of claim 8 wherein the persistent authentication and mediation service is provided by at least one host site connected to the distributed network, said at least one host site comprising at least one computer server operated by an open software platform providing intelligent interactions, wherein the operation of the persistent authentication and mediation service is implemented by software operating on the open software platform.
  - 12. The method of claim 11 wherein interactions between users and the persistent authentication and mediation service are mediated through the open software platform.
  - 13. The method of claim 12 wherein some of the plurality of groups of connected users comprise at least three authenticated users.
  - 14. The method of claim 13 wherein some of the plurality of groups of at least three connected users comprise users of different types.
  - 15. The method of claim 12 wherein the distributed network is the public Internet.

16. An online service for conducting business transactions among microprocessor equipped devices over a distributed network, the online service comprising:
- a) a host site connected to the network, the host site comprising an open software platform providing intelligent interactions;
  
  b) a persistent authentication and mediation service, the persistent authentication and mediation service comprising a software PKI authentication agent operating on said open software platform such that communications over the network by said persistent authentication and mediation service are mediated by said open software platform;
  
  c) a customer database comprising permanent credentials and dynamically variable information corresponding to users of the online service and a database manager for managing the customer database;
  
  d) software operating on said open software platform which performs at least the following functions;
  
  i) enrolling users seeking enrollment in the persistent authentication and mediation service to produce enrolled users;
  
  ii) storing credentials corresponding to enrolled users in the customer database;
  
  iii) authenticating enrolled users seeking authentication to the persistent authentication and mediation service to produce authenticated users;
  
  iv) allowing authenticated users to discover enrolled users according to search criteria;
  
  v) allowing authenticated users to be connected under mediation of the persistent authentication and mediation service through the open software platform;
  
  vi) allowing collaboration between authenticated users which have been connected; and
  
  vii) memorializing transactions between authenticated users.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The online service defined in claim 16 where the function of enrolling users seeking enrollment in the persistent authentication and mediation service comprises the functions of:
    - a) distributing software to a user seeking enrollment which enables microprocessor equipped devices operated by the user seeking enrollment to interact with the persistent authentication and mediation service,b) generating a unique private key, and a unique public key for the user seeking enrollment,c) obtaining permanent credentials particular to each of the users seeking enrollment, said credentials comprising public permanent credentials and secret permanent credentials,d) deciding whether to approve the applicant seeking enrollment,e) distributing the unique public key and the unique private key to the user seeking enrollment if the user seeking enrollment is approved,f) storing said permanent credentials in a customer database, said customer database being accessible to said persistent authentication and mediation service, whereby the user seeking enrollment becomes one of a multiplicity of enrolled users, andg) repeating steps (a) through (f) for each applicant seeking enrollment.
  - 18. The online service defined in claim 17 wherein the function of authenticating enrolled users seeking authentication to the persistent authentication and mediation service comprises the functions of:
    - a) generating a challenge message from the persistent authentication and mediation service and sending it over the public network to an enrolled user seeking authentication,b) receiving a response to the challenge from the user seeking authentication, said response comprising an encrypted message and the unique public key unique to the enrolled user seeking authentication,c) verifying the authenticity of the response to the challenge, the act of verifying the authenticity comprising the act of decrypting the response using the public key unique to the enrolled user seeking authentication to produce a decrypted response,d) authenticating the enrolled user seeking authentication if the decrypted response indicates that the response was authentic, whereby the enrolled user seeking authentication becomes an authenticated user,e) rejecting the user if the decrypted response indicates that the response was not authentic, andf) repeating steps (a) through (e) for each enrolled user seeking authentication.
  - 19. The online service defined in claim 18 wherein:
    - a) the software PKI authentication agent is a pseudo-PKI system of the type which cryptographically camouflages each of the unique private keys in a software container,b) wherein each of the unique public keys is encrypted in a form recognizable to the pseudo-PKI authentication agent and stored in a digital certificate, andc) wherein the function of authenticating an enrolled user to the persistent authentication and mediation service further comprises the function of decrypting the encrypted unique public key unique to the enrolled user prior to decrypting the response.
  - 20. The online service defined in claim 16 wherein the distributed network is the public Internet.

21. A system for conducting business transactions over a distributed network, the system comprising:
- a) a persistent authentication and mediation service site providing a persistent authentication and mediation service, said site connected to the public network, said site comprisingi) an open software platform application providing intelligent interactions said platform application mediating all interactions of said persistent authentication and mediation service site via said public network,ii) an authentication agent application comprising a software pseudo-PKI authentication application operating on said open software platform application, said authentication agent application comprising software which enrolls new business users producing enrolled users and authenticates the enrolled users producing authenticated business users,iii) an audit agent application operating on said open software platform which logs and monitors interactions mediated by the open software platform, whereby every interaction among authenticated business users passes through the open software platform and is monitored by the audit agent,iv) a discovery software application operating on said open software platform such that said discovery software agent operates to enable authenticated business users to search for other users based on their credentials, andv) a collaboration software application operating on said open software wherein said collaboration software application enables groups of at least two authenticated business users to communicate under direct mediation of the audit agent and to access audit information in an intelligible form during an interaction;
  
  b) a multiplicity of user sites operated by the enrolled users, the user sites being connected to the public network, each site operating at least one computer application whereby it may interact with other business users and each site further comprising software which allows interaction with the persistent authentication and mediation service, a software camouflaged private key, and a digital certificate, said digital certificate comprising an encrypted pseudo-public key encrypted with a key which is under exclusive control of said persistent authentication and mediation service, wherein said camouflaged private key will generate a proper response to a challenge from the persistent authentication and mediation service if a correct access code is entered and may generate plausible but improper responses if incorrect access codes are entered, whereby if an incorrect response is used the persistent authentication and mediation service will be alerted to a security attack on the camouflaged private key, andc) a database of authentication information and credentials pertaining to the enrolled business users of said persistent authentication and mediation service, the database accessible to the authentication agent application and the discovery application.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The system defined in claim 21 further comprising a plurality of authentication provider applications accessible by the authentication agent application.
  - 23. The system defined in claim 21 wherein at least one authentication provider application is located at a different site than the persistent authentication and mediation service site.
  - 24. The system defined in claim 21 further comprising a plurality of audit provider applications accessible by the audit agent application.
  - 25. The system defined in claim 21 wherein at least one authentication application provider is located at a different site than the persistent authentication and mediation service site.
  - 26. The system defined in claim 21 wherein the network is the public Internet.
  - 27. The system defined in claim 21, wherein the user sites comprise sites which are chosen from the group consisting of user sites which access the network via a browser operating on a computer, mobile telephonic devices which access the network, world wide web sites, and sites comprising applications without a user interface.

28. An apparatus for providing a service for conducting authenticated business transactions involving a multiplicity of users over a distributed network, the apparatus comprising:
- a) at least one application server connected to the public network, the at least one application server having a computer processor and a computer readable memory, the memory storing the software to implement the service, the software comprisingi) an open software platform providing intelligent interactions;
  
  ii) a software pseudo-PKI authentication agent application, operating on said open software platform;
  
  iii) a discovery software application, operating on said open software platform; and
  
  iv) a collaboration software application, operating on said open software platform;
  
  b) at least one database server, the at least one database server comprising a business users database, the business users database comprisingi) authenticated data about registered business users, said authenticated data being protected from user modification;
  
  ii) data pertaining to registered business users which is dynamically modifiable by said business users; and
  
  iii) data needed for linking business users;
  
  whereby the application server facilitates authenticated interactions between business users, including the ability to access other authenticated users without repeated logging in, the ability to dynamically search for authenticated users according to user defined specifications, and accomplish peer to peer collaboration.
- View Dependent Claims (29)
- - 29. The apparatus as defined in claim 28 where the distributed network is the public Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Douglas Fisher
Original Assignee
Douglas Fisher
Inventors
Fisher, Douglas
Primary Examiner(s)
Trammell, James P.
Assistant Examiner(s)
Worjloh, Jalatee

Application Number

US09/875,088
Time in Patent Office

1,596 Days
Field of Search

705 50- 80, 713/155, 713/156
US Class Current

705/78
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/0855   involving a third party

G06Q 20/108   Remote banking, e.g. home b...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/401   Transaction verification

G06Q 30/00   Commerce

G06Q 50/188   Electronic negotiation

H04L 9/3271   using challenge-response

Method, system and service for conducting authenticated business transactions

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

389 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and service for conducting authenticated business transactions

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

389 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links