System and Method to Enable PKI- and PMI- Based Distributed Locking of Content and Distributed Unlocking of Protected Content and/or Scoring of Users and/or Scoring of End-Entity Access Means - Added
Abstract
A central server configured with an Attribute Authority (“AA”) acting as a Trusted Third Party mediating service provider and using X.509-compatible PKI and PMI, VPN technology, device-side thin client applications, security hardware (HSM, Network), cloud hosting, authentication, Active Directory and other solutions. This ecosystem results in real time management of credentials, identity profiles, communication lines, and keys. It is not centrally managed, rather distributes rights to users. Using its Inviter-Invitee protocol suite, Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. Users establish and respond to authorization requests and other real-time verifications pertaining to accessing each communication line (not end point) and sharing encrypted digital files. These are auditable, brokered, trusted-relationships where such relationships/digital agreements can each stand-alone (for privacy) or can leverage build-up of identity confidence levels across relationships. The service is agnostic to how encrypted user content is transported or stored.
Claims
exact text as granted — not AI-modified1 . A system of communication comprising: a client app, a user facing domain, a key escrow domain, and an inviter-invitee protocol wherein the user facing domain securely relates to multiple parties via the client app and the key escrow domain authenticates secure lines of communication amongst the parties;
the said client app in claim 1 consisting of but not limited to a local key store module and a digital identity token; the said user facing domain in claim 1 consisting of but not limited to a login interface on a server, hardware security module (hsm) and lightweight directory access protocol application (ldap) on a server; the said key escrow domain consisting of consisting a registration authority, certificate authority, attribute authority (each installed on a server) and hardware security module (hsm); the said initiation protocol in claim 1 consisting of multiple steps but not limited to sending an invitation, receiving the invitation, downloading the client app, installation and registration, authentication, and single or multiple key requests, creation, and exchanges; the said invitation consisting of, but not limited to, a client app with digital identity token, e-mail address, designated attributes, authentication question, answer to authentication question, and a cryptographic digital signature.
2 . A method of secure communication based on the system of communication in claim 1 wherein a persistent, yet revocable, a secure line of communication is established and authenticated;
the said method in claim 2 wherein the secure line of communication is established by the said invitation protocol in claim 1 .
3 . The said method in claim 2 whereby a user on an electronic device has the ability to install an application that: creates a set of public and private encryption keys for: encrypting and decrypting documents, digital signing and other purposes;
allows a first user to invite a second user using a second electronic device to share a communication line with the first user on the first user's electronic device;
provides a method whereby the second user may respond to the invitation of the first user and install a comparable application on the second user's electronic device and
thereafter have a comparable set of public and private encryption keys on that electronic device;
the invitation a method that will include authentication steps that the second user must comply with in a specified method on his electronic device so that the identify of the second user, together with the associated installation of the application on his specific electronic device together with that specific electronic device are all linked together in such a manner that the first user can be assured by the server of the trusted third party that provided and monitored the installation and authentication of the app on the physical electronic device controlled by the second user confirms this described association through this method;
such that the public encryption key of each user is made available to the other user's application in a manner in which the authenticity of the keys is assured by the server of the trusted third party that provided the app to each party;
such that by relying on the representation and authentication provided through the server of the trusted third party that the parties can thereafter use encryption capabilities of the app to first encrypt a digital asset on one electronic device with a symmetric encryption key followed by the encryption of that symmetric encryption key using the public encryption key known to be that of the other user, followed by having the ability to transfer (in any manner selected by the originating user) both the encrypted digital asset together with the symmetric encryption key which has been encrypted using the public encryption of the second user such that the second user, upon receipt of these two will be able to use his private key to decrypt the symmetric key and thereafter decrypt the encrypted digital asset.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.