System and method of dynamic issuance of privacy preserving credentials

US 9,825,917 B2
Filed: 12/20/2013
Issued: 11/21/2017
Est. Priority Date: 12/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user, operating a web application on a host computer, to a web-based service of a service provider, comprising:

receiving, by the web application from the service provider, a request to present a credential indicative of satisfying an access requirement of the service provider;

forwarding the request to present a credential, by the web application, to a security device connected to the host computer;

if the security device has possession of a verifiable credential proving that an identity provider vouches for the satisfaction of the access requirement, presenting a presentation token to the service provider, the presentation token providing proof of the possession of a verifiable credential indicative of satisfying the access requirement of the service provider;

if the security device is not in possession of the verifiable credential, operating the service provider to transmit a first request to the web application in which the web application is requested to obtain the verifiable credential by displaying a user interface directing the user to the identity provider;

in response to receiving the first request and user indication to proceed to the identity provider to obtain the verifiable credential, operating the web application to redirect the first request received from the service provider to the identity provider via a separator, by;

transmitting the first request from the web application to the separator without identifying the user;

operating the separator to transmit a second request for the verifiable credential to the identity provider without identifying the service provider as originator;

operating the identity provider and the security device associated with the user in response to the second request;

to engage in a privacy-preserving credential creation exchange in cooperation with the identity provider including verification and attestation by the identity provider of validity of attributes that the user needs to prove to the service provider to satisfy the access requirement of the service provider;

operating the security device;

to generate the presentation token from the privacy-preserving credential; and

to present the presentation token to the service provider as proof of the validity.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and System for enhanced privacy in privacy-preserving identity solutions. The technology provides for a redirect of a request to generate a proof of an attribute from a service provider to a separator. The separator removes source identification from the attribute-proof request and redirects the attribute-proof request, free of original source identification, to a credential issuer which issues the credential. A security device of the user generates a presentation token from the privacy-preserving credential and presents the presentation token to the service provider as proof of the attribute. Other systems and methods are disclosed.

Citations

10 Claims

1. A method for authenticating a user, operating a web application on a host computer, to a web-based service of a service provider, comprising:
- receiving, by the web application from the service provider, a request to present a credential indicative of satisfying an access requirement of the service provider;
  
  forwarding the request to present a credential, by the web application, to a security device connected to the host computer;
  
  if the security device has possession of a verifiable credential proving that an identity provider vouches for the satisfaction of the access requirement, presenting a presentation token to the service provider, the presentation token providing proof of the possession of a verifiable credential indicative of satisfying the access requirement of the service provider;
  
  if the security device is not in possession of the verifiable credential, operating the service provider to transmit a first request to the web application in which the web application is requested to obtain the verifiable credential by displaying a user interface directing the user to the identity provider;
  
  in response to receiving the first request and user indication to proceed to the identity provider to obtain the verifiable credential, operating the web application to redirect the first request received from the service provider to the identity provider via a separator, by;
  
  transmitting the first request from the web application to the separator without identifying the user;
  
  operating the separator to transmit a second request for the verifiable credential to the identity provider without identifying the service provider as originator;
  
  operating the identity provider and the security device associated with the user in response to the second request;
  
  to engage in a privacy-preserving credential creation exchange in cooperation with the identity provider including verification and attestation by the identity provider of validity of attributes that the user needs to prove to the service provider to satisfy the access requirement of the service provider;
  
  operating the security device;
  
  to generate the presentation token from the privacy-preserving credential; and
  
  to present the presentation token to the service provider as proof of the validity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method for authenticating a user according to claim 1,wherein the first request is preceded by operating the service provider to request proof of an attribute from the user;
    - andthe method further comprises;
      
      transmitting a token-issued status-message from the identity provider to the web application;
      
      operating the host computer to redirect the token-issued status-message to the separator;
      
      operating the separator to redirect the token-issued status-message to the service provider via the host computer; and
      
      wherein the step of operating the security device to generate the presentation token from the privacy-preserving credential is preceded by operating the service provider, in response to receiving the token-issued status-message, to repeat the request for proof of an attribute from the user.
  - 3. The method for authenticating a user according to claim 2, further comprising:
    - operating the service provider to verify the presentation token and to provide access to the web-based service.
  - 4. The method for authenticating a user according to claim 1, further comprising operating the security device to store the privacy-preserving credential or the presentation token.
  - 5. The method for authenticating a user according to claim 1, wherein the security device is a smart card.
  - 6. The method for authenticating a user according to claim 1, wherein the privacy-preserving credential is a U-Prove privacy-preserving credential.
  - 7. The method for authenticating a user according to claim 1, wherein the privacy-preserving credential is an Identity Mixer (idemix) credential and the presentation token is a transformation of the idemix credential.

8. A system for protecting privacy of a user of online information services, comprising:
- a host computer operating under a control of a web application by which the user accesses a web service executing on a server of a service provider;
  
  a personal security device connected to the host computer and programmed to generate and store privacy-preserving credentials and to generate presentation tokens from the privacy-preserving credentials in response to receiving a request including a policy of the web service;
  
  wherein the service provider is programmed to generate a credential generation request that redirects to a separator via the web application executing on the host computer;
  
  wherein the separator comprises a web server that is programmed to receive the credential generation request and to create a second credential generation request, wherein the separator returns the second credential generation request to the web application and wherein the second credential generation request redirects the web application to an identity provider; and
  
  wherein the identity provider comprises a second web server operable, in response to the second credential generation request, to engage in a credential generation protocol with the personal security device including verification and attestation by the identity provider of validity of attributes that the user needs to prove to the service provider to satisfy an access requirement of the service provider.

9. A web server computer having a processor and a memory, the memory comprising instructions to cause the web server to receive a first request to generate a privacy-preserving credential from a web browser wherein the first request originates with a service provider and is redirected to the web server via the web browser executing on a host computer;
- in response to receiving the first request to generate the privacy-preserving credential, creating a response in the form of a second request to generate the privacy-preserving credential wherein the second request redirects the web browser to an identity provider directing the identity provider to engage in a credential issuance protocol with a personal security device connected to the host computer; and
  
  transmitting the second request to the web browser in response to the first request.
- View Dependent Claims (10)
- - 10. The web server computer according to claim 9, further comprising instructions to cause the web server to receive a first token-issued status message from the identity provider transmitted via the web browser and in response to receiving the token-issued status message, creating a second token-issued status message and transmitting the second token-issued status message to the web browser wherein the second token-issued message is designed to redirect to the service provider thereby indicating to the service provider that the personal security device has generated the privacy-preserving credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SAS (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Lu, HongQian Karen, Castillo, Laurent, Smadja, Philippe
Primary Examiner(s)
Plecha, Thaddeus

Application Number

US14/654,547
Publication Number

US 20150341340A1
Time in Patent Office

1,432 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 21/34   involving the use of extern...

G06F 21/6254   by anonymising data, e.g. d...

G06F 21/6263   during internet communicati...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/0421   Anonymous communication, i....

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

System and method of dynamic issuance of privacy preserving credentials

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of dynamic issuance of privacy preserving credentials

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links