Resilient trust network services

US 8,843,997 B1
Filed: 08/11/2010
Issued: 09/23/2014
Est. Priority Date: 01/02/2009
Status: Active Grant

First Claim

Patent Images

1. A system relating to trust network services comprising:

a plurality of client computers coupled to a network;

an access server coupled to the network for providing a host application that provides a plurality of application services to the client computers;

a trust server coupled to a trust history database and the network, the trust server providing trust services to the access server;

a display broker coupled to the network providing a user interface for trust services; and

a set of application services including the following services;

trust services, service connectors which are adaptors for the trust services, and trust service proxies coupled to the network;

wherein the access server, the trust server, the display broker and the set of application services are system components that comprise a pipeline that provides function according to the interaction of the system components with the policies held by a relying party;

wherein the access server, the trust server, the display broker and the set of application services communicate with each other in a peer-to-peer manner in a non-hierarchical secure network through a trust protocol;

wherein the trust server is further configured to start a trust session by passing a user identification (ID), close a trust session by passing a session ID, create a new credential expression by passing a session ID, cancel a credential request by passing a credential ID, check a credential request status by passing the credential ID, where the credential request is a request to authorize an interaction with a protected resource that specifies the trust services needed to be validated and documents the interaction and has a status;

wherein the trust protocol does not include starting the trust session and does not include stopping the trust session; and

wherein the trust network services communicate with the trust protocol that includes transmitting a credential request to selectively authorize or restrict communications or provision services among any of the plurality of client computers and the trust network services.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Resilient Trust Network (RTN) is a set of servers that provide: an application integration platform for developing and publishing services and user interface for services, building derived services, subscribing to services, and embedding services into host applications, and building composite applications composed from multiple diverse services. The RST can also provide a platform for defining security requirements and accessing shared trust services that implement those requirements for services regardless of where or how those services are used.

347 Citations

24 Claims

1. A system relating to trust network services comprising:
- a plurality of client computers coupled to a network;
  
  an access server coupled to the network for providing a host application that provides a plurality of application services to the client computers;
  
  a trust server coupled to a trust history database and the network, the trust server providing trust services to the access server;
  
  a display broker coupled to the network providing a user interface for trust services; and
  
  a set of application services including the following services;
  
  trust services, service connectors which are adaptors for the trust services, and trust service proxies coupled to the network;
  
  wherein the access server, the trust server, the display broker and the set of application services are system components that comprise a pipeline that provides function according to the interaction of the system components with the policies held by a relying party;
  
  wherein the access server, the trust server, the display broker and the set of application services communicate with each other in a peer-to-peer manner in a non-hierarchical secure network through a trust protocol;
  
  wherein the trust server is further configured to start a trust session by passing a user identification (ID), close a trust session by passing a session ID, create a new credential expression by passing a session ID, cancel a credential request by passing a credential ID, check a credential request status by passing the credential ID, where the credential request is a request to authorize an interaction with a protected resource that specifies the trust services needed to be validated and documents the interaction and has a status;
  
  wherein the trust protocol does not include starting the trust session and does not include stopping the trust session; and
  
  wherein the trust network services communicate with the trust protocol that includes transmitting a credential request to selectively authorize or restrict communications or provision services among any of the plurality of client computers and the trust network services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 further comprising:
    - signature code to digitally sign the executable code of trust network services or the plurality of the client computers or credential expressions or message traffic transmitted; and
      
      evaluation code to evaluate digital signatures by the trust network services in order;
      
      to detect tampering or to verify that a correct code and/or data is executed so as to determine whether the digital signatures should be trusted pursuant to policies specified by one or more participants on the plurality of client computers coupled to the network or specified by the trust network services.
  - 3. The system of claim 1 further comprising:
    - a credential syndicate trust service that implements an identity or trust syndication, wherein the identity or trust syndication consists an aggregation of identity or trust information not accessed from centralized or federated information sources but from independent network based sources;
      
      the credential syndicate trust service consisting of;
      
      an access server and a trust service connector which accepts a syndicated trust credential request;
      
      a trust credential syndication code to determine which of the trust credentials are relevant to earning the requested syndicated credential based on a context that includes at least one of the following factors;
      
      attributes associated with the users, attributes associated with resources being protected by the trust credentials, the various combinations of the trust credentials that could satisfy the credential syndicate requirements, which of the trust credentials the users or relying parties are eligible for, trust domain constraints, which trust credentials are available based on licensing or other rights; and
      
      trust credential expression generation code to generate a new trust credential expression that satisfies a criteria for earning the trust credentials given the context;
      
      a parameter evaluation and discovery code coupled with the trust credential syndication code that determines whether the trust credentials include required parameters;
      
      if the required parameters are not included, the parameter evaluation and discovery code invokes parameter request code that use trust protocols to obtain additional parameters by one or more of;
      
      requesting attributes from the relying party or intermediary trust network services, requesting a display to solicit input from the user, and calling a locator service or other similar service to discover or derive other attributes from trusted sources.
  - 4. The system of claim 1 further comprising:
    - distributed directory services which offer the plurality of client computers or the trust network services functional code that support the ability to perform at least one of the following functions;
      
      accessing, displaying, querying, entering, updating, resolving, storing, organizing, managing, replicating, visualizing, or synchronizing; and
      
      information stored in a memory coupled to the trust network services that relates to various types of entities that include at least one of the following;
      
      resources, trust credentials, trust authorities, trust services, certificates, external services, devices, trust domains, application services, users, administrators, or organizations, the information including data and metadata about one or more of the following;
      
      identifiers, aliases, addresses, tokens, names, trust criteria, login credentials, access control policies, interface descriptions, schema definitions, configuration metadata, systems management information, provenance metadata, location or geo-tagging data, descriptive metadata, reputation metadata, activity logs, access logs, and administrator privileges.
  - 5. The system of claim 1 further compromising:
    - a tagging service coupled to the network, the tagging service is configured to provide one or more of;
      
      a content tagging service, an identity tagging service, a policy tagging service, or a personal tagging service, or a specialized form tagging service, andwherein the tagging service relies upon some combination of one or more of;
      
      reference data sources, tagging services, taxonomy or terminology mapping services, master person indices, application integration frameworks, matching algorithms, classification algorithms, trust-ranking algorithms, interactive forms supporting user annotation or user tagging, opaque token services, and locator services.
  - 6. The system of claim 5 wherein the tagging service implements one or more transformation algorithms that take as an input source records made up of a set of attributes, and the tagging service transforms the input source records into output records consisting of either annotated records or a derived and transformed set of attributes and wherein the output records include one or more of the following:
    - attributes of the input source records, additional derived or transformed attributes, provenance metadata describing the source of the input source records, the transformation algorithms used, the tagging services involved, and schema or standards of the output records or attributes, metadata summarizing a confidence or a trust ranking associated with the output records as a whole, and of individual attributes thereof.
  - 7. The system of claim 1 further comprising:
    - a locator service coupled to the network, wherein the locator service is configured to function as one or more of the following;
      
      a record locator, an identity locator, a policy locator, an audit locator, or a specialized type of locator service, wherein the locator service incorporates tagging services to support methods for;
      
      enabling discovery and search among client computers and trust network services and resources that do not use consistent schemas, identity attributes or terminologies, filtering or organizing search query results based on provenance, trust-ranking, reputation, pricing, or other criteria and performance optimization.
  - 8. The system of claim 1 further comprising:
    - a trust domain service coupled to the network;
      
      wherein the trust domain service provides trust code and the trust domain service includes a container for at least one of the following;
      
      security policies, credential expressions, administrative mapping tables, credential routing maps, white-lists, black lists, trust rankings, performance metrics, reputation metrics, encryption keys, crypto-salts, links, aliases, and zero-knowledge tokens.
  - 9. The system of claim 1 further comprising:
    - trust validation code that enable the trust network services to implement or invoke the trust validation code that selectively determine whether or not to trust resources or services in specific contexts;
      
      wherein the trust validation code require a verification that the trust network services or users of the plurality of client computers are authorized to utilize the service or resource that have been requested via at least one of the following;
      
           1) validating digital signatures, X.509 certificates, Security Association Markup Language certificates or tokens,
      
           2) verifying possession of correct message validation codes, verifying presence on white-lists or absence from black-lists,
      
           3) verifying that the trust network services or the users have attributes or relationships, or meets specified reputation metrics requirements,
      
           4) verifying that the codes of the services relied upon by the users is executing on trusted computing platforms,
      
           5) requiring use of one or more of the following;
      
      zero-knowledge algorithms to obfuscate credential expressions, addresses, parameter values or message flows, and verification of the identity, credentials, attributes, relationships or reputation of the administrator of the service or resource.
  - 10. The system of claim 1 further comprising:
    - trust routing and resolution code that enable trust network services to support at least one of the following capabilities;
      
           1) expand or resolve partially-specified trust credential requests into one or more fully-specified trust credential requests that satisfy policy requirements; and
      
           2) expand or resolve partially-qualified resource references into one or more fully-qualified resource references that satisfy the policy requirements; and
      
           3) validate that fully-specified trust credential requests satisfy the policy requirements; and
      
           4) validate that fully-qualified resource references satisfy the policy requirements;
      
      wherein the policy requirements to be satisfied are specified in at least one of the following;
      
           1) trust domain or other clauses which stipulate policy requirements in the credential expression requests or resource references themselves; and
      
           2) defaults specified in administrative mapping tables or other such code in the Trust Network services handling each credential request or resolving each resource reference; and
      
           3) clauses within other credential expression elements or resource references which within the same trust resource graph or credential expression tree.

11. A system relating to trust network services comprising:
- a plurality of client computers coupled to a network; and
  
  a plurality of trust network services including the following;
  
  access servers, trust brokers, trust services and trust service proxies;
  
  wherein the plurality of trust network services communicate in a peer-to-peer manner via a trust protocol and a trust network service implements or invokes zero-knowledge token aliasing and encryption and crypto-hashing;
  
  wherein opaque token services selectively obfuscate or reveal data messages;
  
  or opaque token services selectively obfuscate or reveal credential expressions among a plurality of participating client computers;
  
  or opaque token services selectively obfuscate users of the plurality of client computers; and
  
  wherein the decision as to what code to use selected from the group;
  
  token aliasing code, encryption code, crypto-hashing semantic transform firewall code or algorithmic transformation code, is made by an interaction of the trust broker and the trust service proxy is based on the policy of a relying party.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 12. The system of claim 11 further comprising:
    - an opaque token service that relies on a trust network service to provide access to inputs necessary for the function of the opaque token service comprising provision of encryption keys, and where the decision to provide encryption keys is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 13. The System of claim 11 further comprising:
    - an opaque token service that relies on a trust network service to provide access to inputs necessary for the function of the opaque token service comprising provision of crypto-salts and where the decision to provide crypto-salts is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 14. The system of claim 11 further comprising:
    - an opaque token service that relies on a trust network service to provide access to inputs necessary for the function of the opaque token service comprising provision of numeric values and where the decision to provide numeric values is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 15. The system of claim 11 further comprising:
    - an opaque token service that relies on a trust network service to provide access to inputs necessary for the function of the opaque token service comprising provision of random number generators and where the decision to provide random number generators is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 16. The system of claim 11 further comprising:
    - an opaque token service that relies on a trust network service to provide access to inputs necessary for the function of the opaque token service comprising provision of look-up tables and where the decision to provide look-up tables is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 17. The system of claim 11 wherein the decision as to what target selected from the group:
    - data message, credential expression, users, to operate on is made by the interaction of the trust broker and trust service proxy based on the policy of the relying party.
  - 18. The system of claim 11 further comprising:
    - opaque token services that selectively obfuscate or reveal trust network services, where the decision as to whether to obfuscate or reveal trust network services is made by the interaction of the trust broker, trust service proxy based on the policy of the relying party.
  - 19. The system of claim 11 further comprising:
    - a zero-knowledge token service coupled to the network that transforms trust network request/response message flow elements into opaque tokens, including;
      
      zero-knowledge token aliases, cryptographic hashes, encrypted values or opaque metadata;
      
      zero-knowledge orchestration code that distribute flows to partition the execution of these transformations across the trust network to ensure that sources of clear text values do not have access to either the corresponding output opaque token values or the parameters used by opaque token services to generate the opaque token values, used for algorithmic transformations necessary to generate the parameters; and
      
      zero-knowledge resolution code that restrict the resolution of the opaque token values back into clear text values to authorized parties.
  - 20. The system of claim 11 further comprising:
    - trust network nodes coupled to the network; and
      
      a zero-knowledge messaging, routing and service orchestration service coupled to the network that acts as an intermediary among the trust network nodes, the zero-knowledge messaging, routing and service orchestration service uses opaque tokens to route, validate or transmit request and response interactions to transmit messages across the trust network, opaque tokens create a dynamically generated opaque address and name space, which is partitioned such that each of the trust network nodes has selectively limited visibility into the actual addresses or identities of the trust network nodes directly or indirectly communicated with, the composition and structure of the overall network of the trust network nodes, or to the routes or contents of messages or requests transmitted.
  - 21. The system of claim 11 further comprising:
    - a zero-knowledge credential expression service coupled to the network or incorporated in the trust network services, the zero-knowledge credential expression service evaluates, generates or transforms credential expressions that consist partially or completely of opaque tokens so that the trust network services are able to correctly evaluate and execute credential expressions without knowing some or all of the credential elements and parameter values involved, and so that credential expression elements may be successively transformed into different opaque tokens as the credential expression elements are transmitted to nodes of the trust network, and selectively resolved back into clear text by authorized nodes, the authorized nodes partitioning knowledge across the trust network so that the nodes can correctly perform their individual tasks and route requests and messages without understanding context or information that is not necessary to complete their individual tasks.
  - 22. The system of claim 11 further comprising:
    - zero-knowledge indexing code that transform clear text index source records into opaque or semi-opaque zero-knowledge index records composed of one or more instances of each of some combination of the following attributes;
      
      index record tokens, search criteria hash codes, search criteria attributes, trust-rank metrics, provenance metadata, authentication criteria hash codes, duplicate detection hash-codes, credential result tokens, credential result authentication predicate tokens, anonymous metering tokens;
      
      message authentication codes; and
      
      a index storage code that posts copies of each zero-knowledge index record and associated tokens to one or more storage services, comprising;
      
      locator, discovery or directory services, databases or filing systems.
  - 23. The system of claim 11 further comprising:
    - a zero-knowledge search proxy that accepts search query criteria from a requestor, including some combination of;
      
      search criteria attributes;
      
      result filter criteria such as provenance metadata, trust-rank metrics, and authentication criteria; and
      
      a specification of one or more target storage services to be searched;
      
      wherein the zero-knowledge search proxy transforms the search query criteria using one or more opaque token services into some combination of search criteria hash codes and search criteria attributes, where such transformation include pre-processing to ensure consistent formats or semantics appropriate to the search targets; and
      
      the zero-knowledge search proxy queries one or more target storage services coupled to the network, andwherein some or all of the attributes of an output record are transformed into one or more opaque tokens via zero-knowledge algorithms and some of the attributes of the output record are selectively transformed back into clear text by authorized parties.

24. A system relating to trust network services comprising:
- a plurality of client computers coupled to a network;
  
  an access server coupled to the network for providing a host application that provides a plurality of application services to the client computers;
  
  a trust broker coupled to a trust history database and the network, the trust broker providing trust services to the access server;
  
  a display broker coupled to the network providing a user interface for trust services; and
  
  a set of application services including the following services;
  
  trust services, service connectors which are adaptors for the trust services, and trust service proxies coupled to the network;
  
  wherein the access server, the trust broker, the display broker and the set of application services are system components that comprise a pipeline that provides function according to the interaction of the system components with the policies held by a relying party;
  
  wherein the access server, the trust broker, the display broker and the set of application services communicate with each other in a peer-to-peer manner in a non-hierarchical secure network through a trust protocol;
  
  wherein the trust server is further configured to start a trust session by passing a user identification (ID), close a trust session by passing a session ID, create a new credential expression by passing a session ID, cancel a credential request by passing a credential ID, check a credential request Status by passing the credential ID, where the credential request is a request to authorize an interaction with a protected resource that specifies the trust services needed to be validated and documents the interaction and has a status;
  
  wherein the trust protocol does not include starting the trust session and does not include stopping the trust session; and
  
  wherein the trust network services communicate with the trust protocol that includes transmitting a credential request to selectively authorize or restrict communications or provision services among any of the plurality of client computers and the trust network services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Data443 Risk Mitigation, Inc.
Original Assignee
Resilient Power Systems, LLC
Inventors
Hare, Jonathan Paul
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US12/854,825
Time in Patent Office

1,504 Days
Field of Search

726/3
US Class Current

726/3
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

Resilient trust network services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

347 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Resilient trust network services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

347 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links