US2017187538A1PendingUtilityA1
System and method to use a cloud-based platform supported by an api to authenticate remote users and to provide pki- and pmi- based distributed locking of content and distributed unlocking of protected content
Est. expiryApr 30, 2030(~3.8 yrs left)· nominal 20-yr term from priority
H04L 63/0428H04L 9/006H04L 9/0894H04L 9/3271H04L 9/3247H04L 9/0822H04L 63/0435H04L 63/061H04L 9/30H04L 63/029H04L 9/321H04L 63/08H04L 9/3263H04L 63/10H04L 63/0442H04L 9/14H04L 63/20
54
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A security system for authenticating users and protecting content that provides an application program interface (API) with a Cloud Platform integration (Platform) to extend the security capabilities of Public Key Infrastructure and Privilege Management Infrastructure systems to authenticated external users and protected content.
Claims
exact text as granted — not AI-modified1 . A method in a server or servers, or other computing device or devices each including a processor and memory, which provides an integration of security and/or cryptographic functions which may include one or more applications such as: public key infrastructure, privilege management infrastructure, certification authority, registration authority, attribute authority, hardware security module, and/or other hardware systems and/or software systems and including a method that communicates with one or more of these applications, which together may be described as a platform service and be capable of supporting a variety of security-related functions;
such as to enable the extension of security credentials for entities such as enterprise businesses, government, small business, individuals, systems integrators, independent software vendors and others, in order to effectuate more secure communication between one such entity, which may be referred to as a user, and one or more such remote third party entity, which also may be referred to as a user, with an example of such being from an enterprise entity to a third party customer entity of that said enterprise entity which will likely exist beyond that said enterprise entity's network firewall; such that to access, utilize and/or benefit from the security and/or authentication capabilities of said applications and/or said platform service, such a said entity need not have specific knowledge and/or expertise regarding typical technical requirements, operation and/or capabilities of how said cryptography and/or security systems function, operate and/or perform and/or accomplish their functions in order for said entity to achieve the security needs, features and/or functions provided by said platform service; such that an entity might access, utilize and/or benefit from the capabilities of said platform service through the use of an application programming interface which could access and/or utilize designated capabilities of said platform service to said entity in a fashion that could require substantially less technical knowledge of security and/or cryptography systems of the part of said entity than might otherwise be required in order for said entity to achieve its desired security-related controls and/or results; such that such platform service may integrate with existing security and/or cryptographic applications pre-existing with an entity and therefore not require such pre-existing application as a component of said platform service.
2 . A method of claim 1 where a platform service may be located in a server or servers in a cloud computing environment or in a server or servers, or other computing device or devices within an enterprise or other entity's network or in a server or servers, or other computing device or devices located elsewhere, and in any of such cases the platform service would be accessible by said application programming interface;
such that a platform service in one embodiment may support the needs of a single such enterprise entity or in another embodiment being located in a cloud computing environment where it may support the needs of one or many related and/or unrelated entities as well as other embodiments where it may support entities in other configurations.
3 . A method of claim 1 where such an application programming interface may run on a server or servers, or other computing device or devices each including a processor and memory such as located within an enterprise entity's network such that said enterprise entity could use said application programming interface to access said platform service in order authenticate one or more employee entity, or other individual entity or other entity, which could be referred to as an originating entity or a remote entity;
such as within any other entity's computer or network environment such that said entity could use said application programming interface to access said platform service in order to authenticate one or more other type of entity, such as an employee, customer, or other entity, which could be referred to as an originating entity, a remote entity or a user;
such that the process of authentication of any such originating entity, remote entity or user would include said originating entity, remote entity or user installing an application compatible with such application programming interface on one or more computing devices to be used by said originating entity, remote entity or user.
4 . A method of claim 1 in a server or servers, or other computing device or devices of such entity, such method being compatible with the methods of said application programming interface so that such application programming interface compatible application or method is able to communicate via said application programming interface with said platform service in order to access, utilize and/or benefit from the capabilities of said platform service;
such that any such entity may become an originating entity by using said application programming interface compatible method to invite one or more remote entities to establish and authenticate a secure communications line with said originating entity by using one or more of the steps of an inviter-invitee protocol;
such that the setup of authorized communication lines may involve delegation of authorizations, e.g., as incorporated into said inviter-invitee process;
such that real-time credential management may involve key establishment key pairs and/or encryption-decryption key pairs and/or with digital signature verification and digital signature generation key pairs;
such that said key establishment key pairs and/or encryption and decryption key pairs may be used, in turn, to deliver access to derived, transported and/or agreed-upon symmetric encryption/decryption keys so that plaintext content, for example digital content or files, and/or communications, such as messages, may preferably securely be made available to intended recipients, such as originating or remote entities, whether internal or external to any entity's network.
5 . A method of claim 1 in a server or other computing device including a processor and memory, which together could compose an originating entity for a secure communication, that accesses an application programming interface which could be on the same computing device or on a separate, connected computing device including a processor and memory;
in order to deliver pre-defined and formatted requests to that computing device on which the application programming interface runs;
which requests may be subsequently processed and translated by the application programming interface into instructions which in turn may be transmitted to a designated and known remote server which may be located in a cloud computing or enterprise or other environment upon which a platform service runs;
where functions of said platform service are to contribute to the delivery of defined security, authentication, cryptographic, and other security-related capabilities;
such that those translated requests from said application programming interface to said platform service are in a defined format that said platform service can understand and can act upon; whereupon pre-determined, desired actions may be implemented via one or more transferred instruction by the platform service to occur and/or make changes on separate, known computing devices each with one or more processors and memory which would be operating as a remote entity;
such actions may be communicated from the platform service to the application programming interface and thereafter to a computing device of an originating entity or remote entity with a client software application which can connect to the application programming interface; or alternatively to a separate computing device connected to said platform service.
6 . The method of claim 1 , wherein data generated by said platform service resulting from requests made via said application programming interface to said platform service or to said platform service from a separate computing device application used by such remote entity may be responded to by said platform service to said application programming interface or to such separate computing device which responses may include instructions, steps and/or methods that;
enable entities to authenticate themselves remotely to another such entity using an inviter-invitee protocol; enable an exchange of authenticated public encryption keys between such entities; thereby provide the capabilities that enable such entities to exchange encrypted documents between themselves and/or other such authenticated entities using third-party means.
7 . A method of claim 1 composed of a system of communication comprising: a client software application, a user facing domain, a key escrow domain, and an inviter-invitee protocol wherein the user facing domain securely relates to multiple parties via the client application and the key escrow domain authenticates secure lines of communication amongst the parties;
said client application in claim 1 consisting of but not limited to a local key store module and a digital identity token;
said user facing domain in claim 1 consisting of but not limited to a login interface on a server, hardware security module and lightweight directory access protocol application on a server;
said key escrow domain consisting of consisting a registration authority, certificate authority, attribute authority, each being installed on a server and hardware security module;
said inviter-invitee protocol consisting of multiple steps but not limited to sending an invitation, receiving the invitation, downloading the client app, installation and registration, authentication, and single or multiple key requests, creation, and exchanges;
said invitation consisting of, but not limited to, a client application with digital identity token, e-mail address, designated attributes, authentication question, answer to authentication question, and a cryptographic digital signature.
8 . A method of secure communication based on the system of communication in claim 1 wherein a persistent, yet revocable, a secure line of communication is established and authenticated;
said method in claim 4 and claim 6 wherein the secure line of communication is established by the said invitation protocol in claim 7 .
9 . A method of claim 4 and claim 7 whereby a user on an electronic device has the ability to install an application that:
creates a set of public and private encryption keys for:
encrypting and decrypting documents, digital signing and other purposes;
allows a first user to invite a second user using a second electronic device to share a communication line with the first user on the first user's electronic device;
provides a method whereby the second user may respond to the invitation of the first user and install a comparable application on the second user's electronic device and thereafter have a comparable set of public and private encryption keys on that electronic device;
provides an invitation method that will include authentication steps that the second user must comply with in a specified method on his electronic device so that the identify of the second user, together with the associated installation of the application on his specific electronic device together with that specific electronic device are all linked together in such a manner that the first user can be assured by the server of the trusted third party or through the use of such application programming interface and such a platform service, that provided and monitored the installation and authentication of the client software application on the physical electronic device controlled by the second user confirms this described association through this method;
such that the public encryption key of each user is made available to the other user's application in a manner in which the authenticity of the keys is assured by the server of the trusted third party or through the use of such application programming interface and such a platform service, that provided the client software application to each party, actions which also may be completed through the use of such an application programming interface and such a platform service;
such that by relying on the representation and authentication provided through the server of the trusted third party or through the use of such application programming interface and such a platform service, that the parties can thereafter use encryption capabilities of the client software application client software application to first encrypt a digital asset on one electronic device with a symmetric encryption key followed by the encryption of that symmetric encryption key using the public encryption key known to be that of the other user, followed by having the ability to transfer, in any manner selected by the originating entity, both the encrypted digital asset together with the symmetric encryption key which has been encrypted using the public encryption of the second user
such that the second user, upon receipt of these two will be able to use his private key to decrypt the symmetric key and thereafter decrypt the encrypted digital asset;
the applicable steps may be completed through the use of such an application programming interface and such a platform service or directly with a server with an accompanying security ecosystem.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.