System and methods for providing identity attribute validation in accordance with an attribute disclosure profile

US 8,863,308 B2
Filed: 12/01/2010
Issued: 10/14/2014
Est. Priority Date: 12/01/2009
Status: Active Grant

First Claim

Patent Images

1. A method of server-based identity attribute validation, comprising:

a computer server receiving an identity attribute validation request from one of a plurality of communication devices, and an identifier associated with the one communication device, the identity attribute validation request requesting at least one attribute for disclosure to the one communication device, the computer server further receiving a credential and being configured with at least one attribute disclosure profile, each said attribute disclosure profile being associated with a respective one of the communication devices and identifying a disclosure authorization status for the associated communication device, for at least one attribute;

the computer server determining a validity of the credential and the received identifier, and using the received identifier to locate the attribute disclosure profile associated with the one communication device; and

the computer server providing the communication device with a response to the identity attribute validation request based on an outcome of the credential and identifier validity determination and a correlation between the at least one attribute of the identity attribute validation request and the at least one attribute of the located attribute disclosure profile, the attribute validation response including attribute data associated with the credential authorized for disclosure to the one communication device by the located attribute disclosure profile but excluding attribute data associated with the credential not authorized for disclosure to the one communication device by the located attribute disclosure profile,wherein the credential is associated with a hardware token, the computer server transmits a session token to the hardware token, and the credential validity determining step comprises the computer server verifying that the hardware token generated the credential from the session token, andwherein the hardware token is configured with a private encryption key, the computer server is configured with a public encryption key corresponding to the private encryption key, and the step of verifying the credential comprises the computer server validating the credential with the public encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of identity attribute validation at a computer server involves the computer server receiving an identity attribute validation request from a communication terminal. The computer server further receives a credential, and is configured with an attribute disclosure profile of attributes authorized for disclosure to the communication terminal. The computer server determines the validity of the credential, and provides the communication terminal with a response to the identity attribute validation request based on an outcome of the credential validity determination. The attribute validation response includes attributes data associated with the credential authorized for disclosure by the attribute disclosure profile but excludes attributes data associated with the credential not authorized for disclosure by the attribute disclosure profile.

18 Citations

View as Search Results

14 Claims

1. A method of server-based identity attribute validation, comprising:
- a computer server receiving an identity attribute validation request from one of a plurality of communication devices, and an identifier associated with the one communication device, the identity attribute validation request requesting at least one attribute for disclosure to the one communication device, the computer server further receiving a credential and being configured with at least one attribute disclosure profile, each said attribute disclosure profile being associated with a respective one of the communication devices and identifying a disclosure authorization status for the associated communication device, for at least one attribute;
  
  the computer server determining a validity of the credential and the received identifier, and using the received identifier to locate the attribute disclosure profile associated with the one communication device; and
  
  the computer server providing the communication device with a response to the identity attribute validation request based on an outcome of the credential and identifier validity determination and a correlation between the at least one attribute of the identity attribute validation request and the at least one attribute of the located attribute disclosure profile, the attribute validation response including attribute data associated with the credential authorized for disclosure to the one communication device by the located attribute disclosure profile but excluding attribute data associated with the credential not authorized for disclosure to the one communication device by the located attribute disclosure profile,wherein the credential is associated with a hardware token, the computer server transmits a session token to the hardware token, and the credential validity determining step comprises the computer server verifying that the hardware token generated the credential from the session token, andwherein the hardware token is configured with a private encryption key, the computer server is configured with a public encryption key corresponding to the private encryption key, and the step of verifying the credential comprises the computer server validating the credential with the public encryption key.
- View Dependent Claims (2, 3, 7)
- - 2. The method according to claim 1, wherein the computer server receives the credential over a communication channel distinct from the identity attribute validation request.
  - 3. The method according to claim 1, wherein the attribute validation response anonymously identifies an authorized recipient of the hardware token.
  - 7. A non-transitory computer-readable medium carrying at least one identity attribute associated with a credential, an attribute disclosure profile of the identity attributes authorized for disclosure to a communication device, and computer program instructions stored thereon, the computer program instructions when executed by a computer causing the computer to perform the method of claim 1.

4. An issuer server comprising:
- at least one attribute disclosure profile, each said attribute disclosure profile being associated with one of a plurality of communication devices and identifying a disclosure authorization status for the associated communication device, for at least one attribute; and
  
  an identity attribute validation request processor configured to receive from one of the communication devices an identity attribute validation request and an identifier associated with the one communication device, wherein the identity attribute validation request processor is a hardware processor, the identity attribute validation request requesting at least one attribute for disclosure to the one communication device, and to further receive a credential, the identity attribute validation request processor being further configured to determine a validity of the received credential and the identifier, to use the received identifier to locate the attribute disclosure profile associated with the one communication device, and to provide the communication device with a response to the identity attribute validation request based on an outcome of the credential and identifier validity determination and a correlation between the at least one attribute of the identity attribute validation request and the at least one attribute of the located attribute disclosure profile, the attribute validation response including attribute data associated with the credential authorized for disclosure to the one communication device by the located attribute disclosure profile but excluding attribute data associated with the credential not authorized for disclosure to the one communication device by the located attribute disclosure profile,wherein the credential is associated with a hardware token, and the identity attribute validation request processor is configured to transmit a session token to the hardware token, and to determine the validity of the credential by verifying that the hardware token generated the credential from the session token, andwherein the hardware token is configured with a private encryption key, the issuer server is configured with a public encryption key corresponding to the private encryption key, and the identity attribute validation request processor is configured to verify the credential by validating the credential with the public encryption key.
- View Dependent Claims (5, 6)
- - 5. The issuer server according to claim 4, wherein the computer server receives the credential over a communication channel distinct from the identity attribute validation request.
  - 6. The issuer server according to claim 4, wherein the identity attribute validation request processor is configured to determine the validity of the credential by verifying that the credential is still in force.

8. A method of terminal-based identity attribute validation, comprising:
- receiving, by a communication terminal, a credential from a hardware token interfaced with the communication terminal, and transmitting to a computer server the credential, an identifier associated with the communication terminal, and an identity attribute validation request, the communication terminal being configured with an attribute disclosure profile identifying a disclosure authorization status for the communication terminal, for at least one attribute;
  
  receiving, by the communication terminal, receiving a response to the identity attribute validation request from the computer server, the attribute validation response being based on an outcome of a determination of validity of the credential and the identifier by the computer server;
  
  in accordance with the attribute validation response, using, by the communication terminal, the attribute disclosure profile to interrogate the hardware token for attribute data associated with the credential authorized for disclosure to the communication terminal but excluding attribute data associated with the credential not authorized for disclosure to the communication terminal; and
  
  generating, by the communication terminal, an authorization signal in accordance with a correlation between the authorized attribute data and a predetermined criterion.
- View Dependent Claims (9, 10, 14)
- - 9. The method according to claim 8, wherein the step of interrogating the hardware token for the authorized attribute data comprises querying the hardware token only for the attribute data authorized by the attribute disclosure profile.
  - 10. The method according to claim 8, wherein the attribute validation response includes further attribute data authorized for disclosure to the communication terminal but excludes the attribute data not authorized for disclosure to the communication terminal.
  - 14. A non-transitory computer-readable medium carrying computer program instructions stored thereon, the computer program instructions when executed by a computer causing the computer to perform the method of claim 8.

11. A validation terminal comprising:
- a credential interface configured to interface with a hardware token;
  
  an attribute disclosure profile identifying a disclosure authorization status for the validation terminal, for at least one attribute; and
  
  an identity attribute validation processor configured to (1) receive a credential from the hardware token, (2) transmit to a computer server the credential, an identifier associated with the validation terminal, and an identity attribute validation request, (3) receive a response to the identity attribute validation request from the computer server, the attribute validation response being based on an outcome of a determination of validity of the credential and the identifier by the computer server, (4) in accordance with the attribute validation response, use the attribute disclosure profile to interrogate the hardware token for attribute data associated with the credential authorized for disclosure to the communication terminal but excluding attribute data associated with the credential not authorized for disclosure to the communication terminal, and (5) generate an authorization signal in accordance with a correlation between the authorized attribute data and a predetermined criterion, the attribute validation response being based on an outcome of a determination of validity of the credential by the computer server.
- View Dependent Claims (12, 13)
- - 12. The validation terminal according to claim 11, wherein the identity attribute validation processor is configured to interrogate the hardware token for the authorized attribute data by querying the hardware token only for the attribute data authorized by the attribute disclosure profile.
  - 13. The validation terminal according to claim 11, wherein the attribute validation response includes further attribute data authorized for disclosure to the communication terminal but excludes the attribute data not authorized for disclosure to the validation terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Original Assignee
SecureKey Technologies, Inc. (Gen Digital Inc.)
Inventors
Boysen, Andre Michel, Wolfond, Gregory, Roberge, Pierre Antoine, Engel, Patrick Hans, Ronda, Troy Jacob
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US13/513,487
Publication Number

US 20120233705A1
Time in Patent Office

1,413 Days
Field of Search

726/29
US Class Current

726/29
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 21/42   using separate channels for...

G06F 21/6245   Protecting personal data, e...

G06F 21/6272   by registering files or doc...

G06F 21/73   by creating or determining ...

G06F 21/77   in smart cards

G06F 2221/2129   Authenticate client device ...

H04L 63/0492   by using a location-limited...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 9/0662   with particular pseudorando...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/068   using credential vaults, e....

H04W 12/08   Access security

System and methods for providing identity attribute validation in accordance with an attribute disclosure profile

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for providing identity attribute validation in accordance with an attribute disclosure profile

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links