Securely roaming digital identities

US 7,640,579 B2
Filed: 09/09/2005
Issued: 12/29/2009
Est. Priority Date: 09/09/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securely roaming a digital identity stored on a secure roaming device, wherein the secure roaming device stores encrypted attributes of the digital identity accessible using a bimodal credential, the method comprising:

receiving a request for at least one attribute of the digital identity from a service provider;

providing to the secure roaming device a first password of the bimodal credential, wherein the first password enables a safe mode of access to the digital identity;

retrieving from the secure roaming device an encrypted identity token, wherein the encrypted identity token is encrypted with a private key of a public-key cryptographic key pair, and wherein the encrypted identity token comprises;

a cryptographic session key;

a time stamp indicative of a duration of the cryptographic session key; and

the at least one attribute of the digital identity, wherein the at least one attribute comprises private identity information;

retrieving from the secure roaming device an encrypted identifier, wherein the encrypted identifier is encrypted with the cryptographic session key; and

providing the encrypted identity token and the encrypted identifier to the service provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic session key is utilized to maintain security of a digital identity. The session key is valid only for a limited period of time. Additional security is provided via a bimodal credential allowing different levels of access to the digital identify. An identity token contains pertinent information associated with the digital identity. The identity token is encrypted utilizing public-key cryptography. An identifier utilized to verify the validity of the digital identity is encrypted with the cryptographic session key. The encrypted identity token and the encrypted identifier are provided to a service for example. The service decrypts the encrypted identity token utilizing public key cryptography, and decrypts, with the cryptographic session key obtained from the identity token, the encrypted identifier. If the identifier is determined to be valid, the transaction proceeds normally. If the identifier is determined to be invalid, the transaction is halted.

28 Citations

View as Search Results

19 Claims

1. A computer-implemented method for securely roaming a digital identity stored on a secure roaming device, wherein the secure roaming device stores encrypted attributes of the digital identity accessible using a bimodal credential, the method comprising:
- receiving a request for at least one attribute of the digital identity from a service provider;
  
  providing to the secure roaming device a first password of the bimodal credential, wherein the first password enables a safe mode of access to the digital identity;
  
  retrieving from the secure roaming device an encrypted identity token, wherein the encrypted identity token is encrypted with a private key of a public-key cryptographic key pair, and wherein the encrypted identity token comprises;
  
  a cryptographic session key;
  
  a time stamp indicative of a duration of the cryptographic session key; and
  
  the at least one attribute of the digital identity, wherein the at least one attribute comprises private identity information;
  
  retrieving from the secure roaming device an encrypted identifier, wherein the encrypted identifier is encrypted with the cryptographic session key; and
  
  providing the encrypted identity token and the encrypted identifier to the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method in accordance with claim 1, wherein the encrypted identifier comprises a response to a challenge from the service provider.
  - 3. The computer-implemented method in accordance with claim 1, further comprising:
    - providing to the secure roaming device a second password of the bimodal credential, wherein the second password enables an administrative mode of access to the digital identity; and
      
      modifying at least one of the public-key cryptographic key pair, the time stamp, and the at least one attribute of the digital identity.
  - 4. The computer-implemented method in accordance with claim 3, wherein the bimodal credential comprises a pair of predetermined passwords.
  - 5. The computer-implemented method in accordance with claim 1, wherein the safe mode of the bimodal credential allows access to respective metadata associated with each of the encrypted attributes of the digital identity.
  - 6. The computer-implemented method in accordance with claim 1, wherein the secure roaming device comprises a flash memory device.
  - 7. The computer-implemented method in accordance with claim 1, wherein the secure roaming device is accessed through an unsecure interface.

8. A secure roaming device for securely roaming a digital identity, wherein the secure roaming device stores encrypted attributes of the digital identity accessible using a bimodal credential, comprising:
- an input/output portion for;
  
  receiving one or more passwords of a bimodal credential indicative of an appropriate mode of access to information associated with the digital identity;
  
  receiving a request for at least attribute associated with the digital identity;
  
  providing a response to the request, the response being based on the appropriate mode of access and comprising an encrypted identity token and an encrypted identifier, the encrypted identity token comprising the requested at least one attribute, a cryptographic session key, and a time stamp indicative of a duration of the cryptographic session key, wherein;
  
  the identity token is encrypted with a private key of a public-key cryptographic key pair; and
  
  the encrypted identifier is encrypted utilizing the cryptographic session key; and
  
  a memory portion for storing attributes of the digital identity, the private key, the time stamp, the identity token, and all modes of the bimodal credential.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The secure roaming device in accordance with claim 8, further comprising a processing portion for:
    - determining the appropriate mode of access to the information associated with the digital identity based on receiving the one or more passwords of the bimodal credential;
      
      processing the request for at least one attribute associated with the digital identity; and
      
      creating the response to request, wherein the response provides the information associated with the digital identity according to the determined appropriate mode of access.
  - 10. The secure roaming device in accordance with claim 8, wherein the memory portion comprises a removable memory.
  - 11. The secure roaming device in accordance with claim 8, wherein the secure roaming device comprises at least one of a portable secure roaming device and a biometric memory device.
  - 12. The secure roaming device in accordance with claim 8, wherein:
    - an administrative mode of the bimodal credential allows modification of at least one of the public-key cryptographic key pair, the time stamp, and the encrypted attributes of the digital identity; and
      
      a safe mode of the bimodal credential prohibits modification of the public-key cryptographic key pair, the time stamp, and the encrypted attributes of the digital identity.
  - 13. The secure roaming device in accordance with claim 8, wherein the secure roaming device is a flash memory device.
  - 14. The secure roaming device in accordance with claim 8, wherein the secure roaming device is accessed through an unsecure interface.

15. A computer storage medium having computer-executable instructions for securely roaming a digital identity stored on a secure roaming device, wherein the secure roaming device stores encrypted attributes of the digital identity accessible using a bimodal credential, performing the acts of:
- receiving a request for at least one attribute of the digital identity from a service provider over an unsecure interface;
  
  providing to the secure roaming device a first password of the bimodal credential, wherein the first password enables a safe mode of access to the digital identity;
  
  retrieving from the secure roaming device an encrypted identity token, wherein the encrypted identity token is encrypted with a private key of a public-key cryptographic key pair, and wherein the encrypted identity token comprises a cryptographic session key, a time stamp indicative of a duration of the cryptographic session key, and at least one attribute of digital identity;
  
  retrieving from the secure roaming device an encrypted identifier, wherein the encrypted identifier is encrypted with the cryptographic session key; and
  
  providing the encrypted identity token and the encrypted identifier to the service provider over the unsecure interface.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer storage medium in accordance with claim 15, wherein the encrypted identifier comprises a response to a challenge from the service provider.
  - 17. The computer storage medium in accordance with claim 15, the computer-readable medium having further computer-executable instructions for:
    - providing to the secure roaming device a second password of the bimodal credential, wherein the second password enables an administrative mode of access to the digital identity; and
      
      modifying at least one of the public-key cryptographic key pair, the time stamp, and the encrypted attributes of the digital identity.
  - 18. The computer storage medium in accordance with claim 15, wherein the safe mode of the bimodal credential allows access to respective metadata associated with the encrypted attributes of the digital identity.
  - 19. The computer storage medium in accordance with claim 15, wherein the secure roaming device is a flash memory device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shewchuk, John P., Box, Donald F., Nanda, Arun K., Wilson, Hervey O., Walter, Douglas A.
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US11/222,912
Publication Number

US 20070061873A1
Time in Patent Office

1,572 Days
Field of Search

None
US Class Current

726/10
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Securely roaming digital identities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Securely roaming digital identities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links