OA18047A - System and method for communicating credentials. - Google Patents

System and method for communicating credentials. Download PDF

Info

Publication number
OA18047A
OA18047A OA1201600271 OA18047A OA 18047 A OA18047 A OA 18047A OA 1201600271 OA1201600271 OA 1201600271 OA 18047 A OA18047 A OA 18047A
Authority
OA
OAPI
Prior art keywords
présenter
presenting
server
communication
accepting
Prior art date
Application number
OA1201600271
Inventor
Gerard Barry
Declan BARRY
Original Assignee
Priviti Pte. Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Priviti Pte. Ltd. filed Critical Priviti Pte. Ltd.
Publication of OA18047A publication Critical patent/OA18047A/en

Links

Abstract

A system and method for conducting transactions involving the communication of credentials connected to an entity or an individual, known as the presenter to a permitted destination, known as the network endpoint (110) following a request from an accepter while maintaining the privity in said credentials. The system includes presenting appliances (108) and accepting appliances (109) that communicate with a controlling server (101). The controlling server receives communication from the accepting and presenting appliances that contains a secret keycode exclusive to the individual or presenter, presenter identifiers and a shared keycode and if the communications are matched, credentials specific to presenter identifier is permitted to be released to a known network endpoint.

Description

[0001] The présent invention pertains to the field of information and communication technology, privity of data exchange entrusted to information and communication technology, as well as’ preserving and protecting the privity prevailing in credentials communicated with information and communication technology. Privity refers to the possession of or participation in any information that pertains to an entity, or any set of credentials connecting an entity and any particular individual. In particular, the présent invention is concemed with, but not limited to permitted release of data comprising sets of private personal particulars and controlled credentials that a party to whom the credential set pertains, may wish consent and permit to hâve confidentially released in a protected and secure manner whilst ensuring the ongoing préservation and maintenance of the confidentiality and privacy of the personal particulars and controlled credentials for a variety of purposes. Controlled credentials refer _ to such information connecting the owner/issuer of the controlled credentials and the holder/possessor of the controlled credentials.
Background to the Invention [0002] In modem society, individuals are associated with a vast array of personal data. Some examples of such personal data include but are not limited to name, address, date of birth, nationality, social security number, passport number, driver’s license number, membership number (for a given organization), maiden name (if applicable), mother's maiden name, employer information, bank account number, crédit card number etc. This personal data is used in a multitude of ways as and when individuals interact with other individuals and organizations. Many of these interactions dépend heavily on the accuracy of a data set that is both particular to the individual and necessary for the interaction in question. Accordingly, because each such data set (hereafter referred to as a credential set) is both particular to an individual and necessary for the interaction, it is sensitive information that desirably is retained in a state of privity. The information is sensitive (and desirably retained in a state of privity) additional relevant data, such as data pertaining to additional security features, for exemple, a secret keycode associated with a given instrument. It will be understood that even if it is intended to release a credential set from a record, it may be necessary to ensure that the associated data is never released, particularly where it pertains to additional security features.
[0003] Such record registries are typicaLly populated in the following way. The credential set pertaining to a présenter is furnished to the controller and the credential set is verified and validated. Once the credential set is verifïed and validated, an instrument is produced bearing the credential set, and this credential set is provided to the présenter. The credential set is also entered into a new record on the record registry and typically supplemented with any data pertaining to the corresponding instrument (such as serial nurnber, etc.) and any other relevant data (such as additional security feature data including but not limited to biométries etc.). [0004] Ways hâve evolved to render credential sets onto such bespoke instruments. Historically, such data may hâve been inked, typed or labeled on the issued instrument. Subsequently, such data may hâve been embossed or engraved or encoded or embedded on the issued instrument. More recently, machine readable media (such as magnetic stripes or chips) hâve been used as instruments, the relevant credential sets being stored electronically on such media. The format of many instruments (and the format in which credential sets are stored thereon) is govemed by the International Organization for Standardization-, For example, ISO 7501 governs the format of Machine readable travel documents; ISO 7810 and ISO 7811 govern the format of Identification Cards; and ISO 7812 and ISO 7816 govem the manner in which cards may be provided from different issuers.
[0005] In spite of advances in the provision of instruments bearing présenter credential sets, there remains the danger of ffaud. It remains necessary to be able to both verify that the présenter bearing the instrument comprising the credential set is the valid/authentic présenter (i.e. tirât the instrument has not been stolen or cloned and hence is not being used fraudulently) and also to verify that the proffered instrument comprising the credential set is indeed authentic (i.e. that the credentials are accurate and that the instrument is not a complété forgery). This is an issue of increasing concern as bearers of such instruments release their credential sets on an increasingly frequent basïs. While the credential sets are initially held in an environment of confidentially/privacy, existing between the presenters of credential sets and their controllers, this environment of confidentially/privacy is jeopardized whenever the credential set is released during an exchange with a third party. While improvements in the security of the means by which credential sets are released hâve sought to bolster this environment of confidentially/privacy, weaknesses still persist.
[0006] For example, with even with the advent of automated Systems for reading passport instruments, when a passenger présents their passport to any check point offîcer or any border control agency (the accepter), the controlled credentials on the issued instrument are visible to and handled by the accepter prior to and after capturing the controlled credentials in the reading device. If — in contravention of privacy policy said credentials as viewed are copied and shared by the accepter, not just captured and processed, the state of privity in which the passport instrument credentials originally resided is compromised. Similar deficiencies exist for other instruments for which automated credential capture Systems hâve been developed, such as driving licenses, loyalty/membership cards, and payment cards.
[0007] There remains a need for improved methods and Systems by which presenters may proffer credential sets during exchanges with other individuals or organizations in a manner that guarantees both the authenticity of the credential set, and the authenticity of the présenter bearing the credential set. It would be highly désirable to provide methods and Systems that ensure an environment of complété confidentially/privacy for credential sets when being disclosed. It would be strongly préférable for any such improved methods and Systems to be backwardly compatible with existing methods and Systems that are in common usage such that the improved methods and Systems may be phased in smoothly and gradually. This would be highly advantageous as it would eliminate the need for costly and timeconsuming transitions to new Systems and methods. It would further be préférable for any new improved methods and Systems to be scalable such that they may cater for a plurality of diverse credential sets through a single system and method.
Summary of the Invention [0008] An aspect of the invention comprises a system for permitting a communication of at least one set of controlled credentials connected to a présenter, to a network endpoint, while maintaining privity prevailing in said controlled 5 credentials connected to the présenter, wherein the system comprises at least one accepting appliance, at least one presenting appliance, at least one network endpoint and at least one server, and wherein one of said servers comprise one or more records. Each record pertains to a given présenter, comprises a présenter identifier, and a secret keycode bound to each présenter identifier, and is affîliated with at 10 least one entry pertaining to a set of controlled credentials connected to the présenter. Each entry pertains to at least one set of credentials associated with said given présenter. Each entry may also pertain to at least one alias, each alias connected respectively with one of said sets of credentials. Each network endpoint is a designated récipient of a type of controlled credentials connected to presenters, 15 said endpoint being either the accepting appliance or that of a designated third party linked to the accepting appliance; wherein permitting a communication of at least one set of controlled credentials connected to the présenter is performed in the context of an interaction between the presenting interactor and the accepting interactor; and wherein the credential set to which the permission pertains is 20 associated with the presenting interactor. One of said servers functions as a controlling server further configured to (a) receive a communication from an accepting appliance hereinafter referred to as an accepting appliance communication, said communication containing a secret keycode pertaining to the présenter and a once-off shared keycode; (b) receive a communication from a 25 presenting appliance hereinafter referred to as a presenting appliance communication, said communication containing a présenter identifier pertaining to the présenter and a once-off shared keycode; (c) seek to match the once-off shared keycode contained in the accepting appliance communication and the corresponding once-off shared keycode contained in the presenting appliance 30 communication; (d) initiate a search for a target record by linking the secret keycode contained in said accepting appliance communication and the présenter identifier contained in said presenting appliance communication, wherein both said communications contain the same shared keycode; (e) conduct a search for said target record that comprises both said secret keycode and said présenter identifier; (f) identify an entry affiliated with said target record, said entry pertaining to a set of controlled credentials connected to the présenter; (g) permit the retrieval of said credential set pertaining to said entry and permit the release of said credential set to said network endpoint, said endpoint being the permitted récipient of a set of controlled credentials connected to said présenter, and said endpoint being either the accepting appliance or that of a designated third party linked to the accepting appliance2.
[0009] Another aspect of the invention comprises a method to permit a communication of at least one set of controlled credentials connected to a présenter, from a server to a network endpoint, while maintaining the privity prevailing in said controlled credentials connected to the présenter; and wherein a server comprises one or more records, each record pertaining to a présenter (given party enrolled with the server as a présenter and/or as an accepter), and each record comprising a présenter identifier (and/or accepter identifier4) and a (présenter and/or accepter4) secret keycode bound to said présenter identifier, and each record is affiliated with an entry pertaining to a set of controlled credentials (associated with said party4) connected to said présenter; the method comprising: (a) at an accepting appliance, making a once-off shared keycode available to a/the presenting interactor; (b) at the accepting appliance, receiving a (présenter4) secret keycode pertaining to the presenting interactor wherein said (présenter4) secret keycode is input at the accepting appliance by the presenting interactor; (c) at the accepting appliance, communicating an accepting appliance communication to at least one of the servers, said accepting appliance communication containing the once-off shared keycode and the (présenter4) secret keycode; (d) at a presenting appliance of the presenting interactor, receiving the once off shared keycode; (e) at the presenting appliance, retrieving a présenter identifier pertaining to the presenting interactor from a storage location on the presenting appliance; and (f) at the presenting appliance, communicating a presenting appliance communication to said server, said presenting appliance communication containing the once-off shared keycode and the présenter identifier, wherein (g) upon receipt of said accepting appliance communication and said presenting appliance communication, at a the server processing the communications to ascertain if it is permitted to communicate a set of controlled credentials connected to the présenter, thereby permitting its retrieval at a server and thereby permitting its release to a network endpoint, said endpoint being a permitted récipient, and said endpoint being either the accepting appliance or that of a designated tliird party linked to the accepting appliance.
[0010] In an aspect of the invention, ail credential sets connected to the présenter (or aliases affïliated to credential sets) may be comprised as entries in said record.
[0011] In another aspect of the invention, ail credential sets connected to the présenter (and aliases affïliated) may be comprised as separate entries on a different server communicable with a controlling server. Alternatively, some credential sets connected to the présenter and aliases affïliated may be comprised as entries in said record, whereas others may be comprised as separate entries on said server or separate entries on different severs.
[0012] The accepting appliance communication may be communicated to said server* over a first communication channel and the presenting appliance communication may be communicated to said server over a second communication channel.
[0013] In an aspect of the invention, the once-off shared keycode may be generated at the server* and communicated to the accepting appliance before said once-off shared keycode is made available to the presenting interactor or/and the presenting appliance.
[0014] In another aspect of the invention, the once-off shared keycode may be generated at the accepting appliance before said once-off shared keycode is made available to the presenting interactor or/and the presenting appliance.
[0015] A copy of the once-off shared keycode may be communicated from the accepting appliance to the presenting appliance via a wireless technology, the wireless technology optionally selected from a group comprising Wifi, bluetooth, NFCorRJFID.
[0016] In an aspect of the invention, a validity period may be assigned to the accepting appliance communication and presenting appliance communications and/or the shared keycode. This ensures that if an accepting appliance communication is not matched to a presenting appliance communication as discussed below within a certain timeframe (the validity period), then such communication lapses and thereby becomes void rendering further processes redundant. Where such communication lapses and becomes void rendering further processes redundant, the data pertaining to the communication can be purged, freeing up resources for the processing of further communications. Where communications are generated , transmitted or received, containing shared keycodes bearing a validity period, the validity period can ensure that shorter, less complex shared keycodes can be used because shared keycode re-use is thereby feasible. Upon expiry of the validity period of a shared keycode, the same shared keycode may be re-used in a subséquent itération of the method.
[0017] In an aspect of the invention a copy of the once-off shared keycode may be made available to the presenting interactor or/and presenting appliance via a screen comprised in the accepting appliance or on a printout from the accepting appliance, wherein eitlier: (a) a copy of the once-off shared keycode is made available in machine-readable character format, for example UTF-8, and the copy of the onceoff shared keycode is received at the presenting peripheral via input from the presenting interactor or/and accepting interactor or/and accepting appliance; or (b) a copy of the once-off shared keycode is comprised in a QR code, and the copy of the once-off shared keycode is received at the presenting appliance via a caméra function comprised in the presenting appliance that is used to capture the quick response code and extract a copy of the once-off shared keycode.
[0018] The accepting appliance communication may further contain one or more predetermined auxiliary parameters, and the presenting appliance communication may also further contain said one or more predetermined auxiliary parameters. These auxiliary parameters may optionally also hâve to be matched as will be described further below before corroboration is successful to initiate and conduct a search for any target records. This further matching condition in the process of corroboration, where mandated over and above the shared keycode, further enhances the method as it introduces additional criteria into the process of seeking to match an accepting appliance communication and presenting appliance communication. The predetermined auxiliary parameter may be a code agreed between the accepting interactor and the presenting interactor, or it may be a value pertinent to the interaction between the. presenting interactor and the accepting interactor, such as the value of the intended transaction.
[0019] If a validity period is assigned to the once-off shared keycode, said shared keycode maybe unique over the duration of its validity period.
[0020] Another aspect of the invention comprises a method to permit a communication of at least one set of controlled credentials connected to the présenter, at a server to a network endpoint, while maintaining the privity prevailing in the set of controlled credentials connected to the présenter wherein the permission comprises an accepting appliance communication containing a shared keycode and a présenter secret keycode, and a presenting appliance communication containing a shared keycode and a présenter identifier, the method comprising: (a) at a/the server receiving the accepting appliance communication; (b) at a/the server receiving the presenting appliance communication; (c) at a/the server seeking to match the once-off shared keycode contained in the accepting appliance communication with the corresponding once-off shared keycode contained in the presenting appliance communication, (d) at a/the server initiating a search for a target record by linking the (présenter) secret keycode contained in the accepting appliance communication and the présenter identifier contained in the presenting appliance communication, wherein both said communications contain the same shared keycode; (e) at a/the server conducting a search for a target record comprising both said (présenter) secret keycode and said présenter identifier; (f) if a target record is identified, at a/the server identifying an entry affiliated with said target record, said entry pertaining to the controlled credentials connected to the présenter; (g) at a/the server permitting a retrieval of said credential set identified by said entry affiliated to the target record, and permitting a release of said credential set to said network endpoint, said endpoint being the permitted récipient of a set of controlled credentials connected to the présenter, and said endpoint being either the accepting appliance or that of a designated third party linked to the accepting appliance.
[0021] The target record at said server may also further comprise an alias associated to said entry pertaining to each credential set connected to the présenter, and the presenting appliance communication may further contain a copy of an alias selected from a list of aliases itemized at the presenting appliance, wherein the step of conducting a search for a target record comprising the same présenter identifier and secret keycode also utilizes the copy of the alias contained in the presenting appliance communication to search for a target record comprising the same said alias in addition to the same présenter identifier and secret keycode.
[0022] The entry pertaining to the credential set connected to the présenter may be comprised in said target record on said controlling server configured to permit the retrieval and release of the credential set connected to the présenter, and the steps of retrieving the credential set connected to the présenter and releasing the credential set connected to the présenter are performed at said controlling server configured to permit the retrieval and release of the credential set connected to the présenter.
[0023] The credential set connected to the présenter may be comprised in separate entries on a different server separately from said controlling server configured to permit the retrieval and release of the credential set connected to the présenter, the separate entry being affiliated with the target record, wherein the steps of retrieving and releasing the credential set are performed at either said controlling server configured to permit the retrieval and release of the credential set connected to the présenter or said different server separate to that controlling server configured to permit the retrieval and release of the credential set connected to the présenter.
[0024] A validity period may be assigned to the accepting appliance communication and/or the presenting appliance communication and/or the shared keycode contained in the accepting appliance communication or/and in the presenting appliance communication, wherein the step of seeking to match the shared keycode contained in an accepting appliance communication and the shared keycode contained in the presenting appliance communication further comprises establishing whether the validity period has expired. This ensures that if an accepting appliance communication is not matched to a presenting appliance communication as discussed below within a certain timeframe (the validity period), then such
ΙΟ interaction / notification / communication lapses and thereby becomes void rendering further processes redundant. Where any validity period lapses and becomes void rendering further processes redundant, the data pertaining to the communication can be purged, freeing up resources for the processing of further communications. Where any communications are generated / transmitted / received and contain shared keycodes bearing a validity period, the validity period can ensure that shorter, less complex shared keycodes can be used because shared keycode re-use is thereby feasible. Upon expiry of the validity period of a shared keycode, the same shared keycode may be re-used in a subséquent itération of the method.
[0025] If a validity period is assigned to the shared keycode, said shared keycode may be unique over the duration of its validity period.
[0026] The accepting appliance communication may further contain one or more predetermined auxiliary parameters, and the presenting appliance communication may also further contain said one or more predetermined auxiliary parameters, wherein the step of seeking to match shared keycodes further comprises the step of seeking to corroborate the predetermined auxiliary parameter contained in the accepting appliance communication and the corresponding predetermined auxiliary parameter contained the presenting appliance communication.
[0027] A further aspect of the invention comprises a method to permit a communication of a set of controlled credentials connected to a présenter, at a server to a network endpoint, while maintaining the privity prevailing in the credentials connected to the présenter, a permission made/granted in accordance with any of the aspects of the invention described above, the method comprising: (a) at a/the server receiving the accepting appliance communication; (b) at a/the server receiving the presenting appliance communication; (c) at the server seeking to match the once-off shared keycode contained in the accepting appliance communication and the corresponding once-off shared keycode contained in the presenting interactor communication, (and thereby matching said accepting appliance communication with said presenting appliance communication); (d) at a/the server, initiating a search for a target record by linking the secret keycode contained in the accepting appliance communication and the présenter identifier contained in the presenting appliance communication; (e) at a/the server conducting a search for a target record comprising both said secret keycode and said présenter identifier; (f) if a target record is identified, identifying an entry pertaining to a credential set connected to the présenter and associated; (g) if a credential set connected to the présenter is identified, at a/the server permitting a retrieval of the credential set connected to the présenter, and permitting a release of said credential set connected to the présenter to said network endpoint, said endpoint being the permitted récipient of the credential set connected to the présenter, and said endpoint being either the accepting appliance or that of a designated third party linked to the accepting appliance.
[0028] If said credential sets connected to the présenter are comprised in said records on said controlling server configured to permit the retrieval and release of the controlled credentials, the steps of retrieving the connected présenter credential set and communicating the connected présenter credential set may be performed at said controlling server configured to permit the retrieval and release of the controlled credentials.
[0029] If said credential sets connected to the présenter are comprised in separate entries on a different server that is separate from said controlling server configured to pennit the retrieval and release of the controlled credentials, (the step of identifying an entry pertaining to a connected présenter credential set may be performed at said different server separate to said controlling server configured to permit the retrieval and release of the controlled credentials), the steps of retrieving the connected credential set and releasing the connected credential set may be performed at either the controlling server configured to permit the retrieval and release of the credential set connected to the présenter or the different server separate to that controlling server configured to permit the retrieval and release of the credential set connected to the présenter.
[0030] The step of seeking to match the shared keycodes may further comprise establishing whether the validity period has expired.
[0031] The step of seeking to match the shared keycodes may further comprise seeking to match the predetermined auxiliary parameter contained in the accepting appliance communication with the corresponding predetermined auxiliary parameter contained in the presenting appliance communication.
[0032] If a validity period is assigned to the once-off shared keycode, said shared keycode may be unique over the duration of its validity period.
[0033] In another aspect of the invention, a method comprising £a) an accepting appliance making a once-off shared keycode available to the presenting interactor; (b) receiving a présenter secret keycode belonging to the presenting interactor at the accepting appliance wherein said présenter secret keycode is input at the terminal by the presenting interactor; (c) communicating an accepting appliance communication from the accepting appliance to the server, the accepting appliance communication comprising the once-off shared keycode and the présenter secret keycode; (d) the presenting appliance receiving the once off shared keycode; (e) the présenter appliance retrieving a présenter identifier belonging to the presenting interactor from a storage location on the presenting peripheral or appliance; and (f)the presenting peripheral communicating a presenting appliance communication to the controlling server, the presenting appliance communication comprising the once-off shared keycode, and the présenter identifier.
[0034] The target record at said server may also further comprise an alias associated with said entry pertaining to each credential set connected to the présenter, and the presenting appliance communication may further contain a copy of an alias selected from a list of aliases itemized at the presenting appliance, and wherein the step of conducting a search for a target record that comprises the same présenter identifier and secret keycode also utilizes the alias contained in the presenting appliance communication to search for a target record comprising the same said alias in addition to the same présenter identifier and secret keycode.
[0035] The credential set may be comprised as an entry in said target record on said controlling server configured to permit the retiïeval and release of the controlled credentials, and the steps of retrieving the credential set and releasing the credential set are performed at said controlling server configured to permit the retrieval and release of the controlled credentials.
[0036] The credential set may be comprised as an entry on a different server separate to the said controlling server configured to permit the retrieval and release of the controlled credentials, the separate entry being affiliated with the target record, and wherein the steps of retrieving and releasing the credential set may be performed at either said controlling server configured to permit the retrieval and release of the controlled credentials or the different server separate to that controlling server configured to permit the retrieval and release of the controlled credentials.
[0037] A further aspect of the invention comprises a presenting appliance configured to perform one or more of the presenting appliance steps described above.
[0038] Another aspect of the invention comprises an accepting appliance configured to perform one or more of the accepting appliance steps described above.
[0039] An additional aspect of the invention comprises a server configured to perform one or more of said server steps described above.
[0040] A further aspect of the invention comprises a system comprising two or more of the presenting appliances, two or more of the accepting appliances, and said controlling server configured to perform one or more of the embodiments as described above.
[0041] An additional aspect of the invention comprises a computer readable storage medium carrying a computer program stored thereon, said program comprising computer exécutable instructions adapted to perform one or more of the method steps described above when executed by one or more processing modules.
Detailed Description [0042] Figure 1 is a diagram illustrating the central system to preserve privity. in a manner that also facilitâtes permitted release of a stored credential set to a récipient approved by the participant to whom the credential set pertains. The system 100 is secure in that it protects the credential sets from unauthorized access by unauthorized would-be récipients of the credential sets, and also prevents the credential sets from use by those who would fraudulently présent a credential set as being their own. Parties enrolled with the System are designated as presenters and accepters in accordance with their rôle in the method of the invention and their manner of interacting with the System of the invention. In the course of an interaction between a présenter and an accepter, it may be necessary for the présenter to release a credential set with which they are associated. Presenters and accepters actively engaged in such an interaction are respectively designated as presenting interactors and accepting interactors. It will be appreciated that in many embodiments of the invention, presenters are each associated with credential sets that are unique to them such that the presenters are related to the credential sets in a one-to-one fashion. However, the invention also envisages scénarios where there is a many-to-one relationship between presenters and credential sets, where many presenters are associated with a single credential set, and it is still désirable to maintain said credential set in a state of privity.
[0043] In accordance with an embodiment of the invention, the System and method of the invention is used by such a presenting interactor to release a credential set associated with said presenting interactor to one or more designated récipients in a manner that maintains the privity of the credential set. In accordance with other embodiments of the invention, the System and method of the invention may be used by an accepting interactor to release a credential set associated with the accepting interactor to one or more designated récipients while preserving said state of privity. Other embodiments of the invention envisage concurrent disclosure of both présenter and accepter credential sets associated respectively with presenting interactor and accepting interactor. Both the présenter and the accepter cooperate to facilitate the release of such credential sets from the System. The designated récipient may be the accepting interactor, the presenting interactor or may be a trusted third party.
[0044] The System 100 comprises at least one server 101, the server comprising a collection of présenter records 102. Each présenter record pertains to a given participant that has enrolled as a présenter with said server 101, and each said record comprises the one or more credential sets pertaining to that présenter. More particularly, each présenter record comprises a présenter identifier, a présenter secret keycode, at least one set of credentials associated with said présenter, and at least one alias, wherein each set of credéhtials is connected respectively with one alias whereby each alias within a présenter record is distinguishable from the remaining aliases for that présenter record. The présenter identifier is a unique string that is used to identify a given présenter record for the présenter record collection. The présenter secret keycode is a string known only to the présenter. When a présenter interacts with the System with a view to releasing a presenter's credential set to a designated récipient (such a présenter is referred to as a presenting interactor), they provide their présenter identifier, and their présenter secret keycode can then be utilized to authenticate the presenting interactor before any credential sets are released. In addition to the présenter identifier and the présenter secret keycode, each présenter record comprises at least one set of credentials. As previously described, each credential set comprises a set of personal data that is particular to an individual and necessary for a given interaction. Each credential set is also associated with a distinguishable alias. By way of illustration, an individual by the name of John Brown may hâve a first set of credentials pertaining to a driving license, and a second set of credentials pertaining to a store loyalty card. The first set of credentials may comprise the name John Brown, a date of birth, a driving license number, and an expiry date. The second set of credentials may comprise the name John Brown, an address, and a loyalty club membership number. The first set of credentials may be associated with the alias driving license, whereas the second set of credentials may be associated with the alias loyalty card 1. It will be appreciated that in embodiments of the invention where it is envisaged that each présenter record will comprise only one credential set, it may not be necessary for the présenter records to further comprise an alias connected to each credential set. Rather, in such instances, identification of the record pertaining to the interacting présenter will automatically also indicates the credential set to be released.
[0045] In addition, in some embodiments of the invention the server 101 also comprises a collection of separate accepter records. Each accepter record pertains to an individual or organization that has enrolled as accepter with the server, and comprises one or more credential sets associated with that accepter. Each accepter record further comprises an accepter identifier, and optionally an accepter secret keycode. The accepter identifier is a unique string that is used to identity a given accepter record within the accepter record collection. The accepter secret keycode (if applicable) is a string known only to the accepter. When an accepter interacts with the system with a view to facilitating the release of a présenter credential set 5 associated with the presenting interactor with a designated récipient (such an accepter is referred to as an accepting interactor) the accepter identifier of the accepting interactor is provided, and the accepting interactor's accepter secret keycode (if utilized) can then be employed to authenticate the accepting interactor before any credential sets are disclosed.
[0046] It will be appreciated that while in this described embodiment of the invention, the présenter records and accepter records are distinct and are typically maintained as separate record collections, in other embodiments of the invention, the server 101 may comprise a single record collection comprising both présenter and accepter records. Furthermore, it will also be appreciated that while in one 15 embodiment, an accepter's and/or presenter's credential sets are stored on a server, multiple servers are also envisaged, wherein each server is tasked with the storage of records comprising one or more credential set types.
[0047] It is additionally envisaged that in some embodiments of the invention, the server 101 will solely comprise présenter records, and will comprise no accepter 20 records. Preferably, in such embodiments, the server 101 and potential accepting interactors will be capable of communicating with one another via their existing software Systems. This embodiment of the invention is advantageous because preenrolment of accepters is not required, and this removes an obstacle to uptake of the claimed system and method amongst potential accepting interactors. This therefore 25 improves ease of use of the system and method. .
[0048] The server 101 is communicable with one or more appliances 108 over a communication channel. It will be appreciated that the communication channel 106 may comprise the Internet, a proprietary network, or a combination of the two. Appliance 108 may be disparately located, and may connect to the communication 30 channel 106 by way of one or more of a variety of technologies, such as PSTN,
Ethernet, DSL, ISDN, Wi-Fi, WiMax, 2G, 3G, LTE, 4G, etc. The appliances 108 may be any of a variety of devices including desktop personal computers, laptops, tablet personal computers, personal digital assistants, mobile phones, smartphones etc. The appliance 108 may alternatively comprise bespoke computing Systems as used in a variety of industries including banking, finance, aviation, travel, homeland security, border control, energy, transport, retail and/or télécommunications. Accordingly, the appliances may comprise devices configured to act as Point of Sale devices. In the context of the invention, these appliances will be referred to as accepting appliances.
[0049] The server 101 is also communicable over a communication channel 107 with one or more appliances 109. Such appliances may comprise, for example, wireless devices communicable with the server 101 via a wireless base station or router. The wireless devices may comprise any form of wireless device including laptops, tablet personal computers, personal digital assistants, mobile phones, smartphones etc. Such peripheral devices may further comprise devices communicable over communication channel 104 via a wired connection, and thus may, for example, include desktop computers as well as industry-specific bespoke computing Systems mentioned above, including but not limited to Point of Sale Systems. In the context of the invention, these peripheral devices will be referred to as presenting peripherals. In an embodiment, the presenting peripheral may also be password-protected or may require additional permission from the présenter to initiate communication. The presenting peripherals may be disparately located, and may communicate with the server 101 over communication channel 107 via a variety of means such as PSTN, Ethernet, DSL and ISDN. Presenting peripherals comprising wireless devices may communicate with router 103 by way of one or more of a variety of wireless communications technologies, such as Wi-Fi, WiMax, 2G, 3 G, LTE, 4G, etc. The communication channel 107 may comprise the Internet, a proprietary network, or a combination of the two. The presenting peripherals are configured with an application that facilitâtes communication with the server 101. As the connection between the accepting appliances 109 and the server 101 comprise a first communications channel 106 and the connection between the presenting appliances comprise a second communications channel 107, the system 100 may be regarded as being multichannel in composition. This ensures a more secure mechanism by which credential sets and other sensitive data may be stored and released to network endpoint 110 while remaining in a state of privity. The network endpoint 110 in sonie embodiments may be either a separate appliance or the accepting appliance itself depending on designated destination in tire accepting appliance communication.
[0050] While in this embodiment, it has been described that the credential sets and connected aliases are comprised in the présenter and/or accepter records on the server, in other embodiments of the invention, it is anticipated that said credential sets and connected aliases may be affiliated with said présenter and/or accepter records in alternative ways. For example, the credential sets and affiliated aliases may be comprised in one or more record sets separate to the record set(s) on the server that comprise the records comprising the identifiers and secret keys. These separate record sets may be housed on one or more different servers. In some embodiments of the invention, the different servers housing the credential sets are administered by the controllers responsible for the issuance of the instruments comprising said credential sets.
[0051] Figure 2 is a flowchart illustrating how a new potential applicant enrolls with the server 101 as a présenter in accordance with an embodiment of the invention. At step 200, a web page hosted by the server 101 is accessed by the new présenter applicant, preferably using their presenting peripheral 105, 107, and 109. The web page is configured such that at this step, the new présenter applicant provides general enrolment details such as name, address, email address, country of résidence, etc. and submits these to the server 101. It will be appreciated that while in some embodiments, this invention, the enrolment details are provided directly to the server 101, in other embodiments, the enrolment details may be pre-provided indirectly for pre-processing prior to entry of the details in the server 101. The web page may be accessed over a connection for the duration of the procedure, or else secure connections may merely be used only where sensitive information (such as a credential set or additional data such as a presenter's secret keycode) is being transmitted. It will also be appreciated that alternative means of enrolment are possible such as by way of submitting a completed form by mail, fax, etc.
[0052] Then, at step 202, a new account is created on the server 101 for the présenter applicant. This is done by generating a new présenter record in the collection of présenter records. Either at step 200 or at step 202, the new présenter applicant is prompted to select and enter a new présenter secret keycode, which is then added to the new présenter applicant's présenter record. In alternative embodiments of the invention, the new présenter record may be automatically provided with a temporary présenter secret keycode, which may subsequently be updated to a custom présenter secret keycode by the présenter applicant thereafter. Such a temporary secret keycode may be provided by way of the web page, or preferably by way of a second communication channel that may comprise any form of communication, including email, SMS messaging, téléphoné call or post. In some embodiments of the invention there is additionally scope for providing a replacement secret keycode for example in the event the original secret keycode is forgotten or compromised. Such replacement secret keys may similarly be provided via any form of communication including via a website, email, SMS, téléphoné call or post.
[0053] At step 204, the new présenter applicant is prompted to add credential sets to a new présenter applicant's newly created account. As previously described, these credential sets may comprise a variety of personal data, and may pertain to credential set-bearing instruments issued by a variety of different governmental or commercial oversight bodies. Each credential set will be connected to an alias unique to its parent présenter record (i.e. each alias is locally unique). In one embodiment, the new présenter applicant may be prompted at step 206 to provide a locally unique alias for each credential set provided. In another embodiment, a default alias may be provided for each credential set. In one embodiment, the aliases may be subsequently editable by the présenter. In some embodiments of the invention, the présenter record may be editable after enrolment to the extent that existing credential sets and connected aliases may be edited or deleted and/or that new credential sets and connected aliases may be added. In some embodiments of the invention, the presenting interactor record may be editable after enrolment to the extent that existing credential sets and connected aliases may be edited or deleted and that new credential sets and connected aliases may be added.
[0054] At step 206, the new présenter applicant is given the opportunity to set spécifie preferences associated with the processing and usage of credential sets associated with particular govemmental or commercial oversight bodies and the interaction types to which they pertain. By way of example, with respect to a credential set pertaining to an airline loyalty membership, the présenter may be given the option to set additional preferences in accordance with their membership preferences, such as preferred airline meal, seat reference, or local airport. By way of a further example, with respect to a credential set pertaining to a crédit card, the présenter may be given the option to enable functionalities such as card preference usage, direct currency conversion, value added tax refimding for travelers or splitting payment over multiple cards.
[0055] At step 208, the new présenter applicant is then prompted to install a bespoke application on their presenting peripheral. The bespoke application is configured to facilitate communication with the server as required during the process of permitting that the server release a credential set and the process of authenticating such a transmitted permission as will be described in greater detail below. During the course of installing the bespoke application, the application is associated with a unique présenter identifier that is retained on the presenting peripheral. In a preferred embodiment, the présenter identifier is assigned by the server, and is embedded in the application before, during or after the application is installed on the presenting peripheral. Altematively, the présenter identifier may be derived from a sequence of characters native to the presenting peripheral, for example an IMEI number or serial number. This sequence of characters may be modifîed to arrive at a unique présenter identifier. In addition to rétention on the presenting peripheral, the présenter identifier is also added to the présenter record m the présenter record collection on tire server 101. During the course of installing the bespoke application, the application is also provided with tire aliases connected to the credential sets stored in step 204 for a given présenter. Accordingly, when the application is used in an interaction by the new présenter, it has at its disposai both a présenter identifier and the aliases connected to the new presenter's credential sets such that the présenter identifier and an alias may be communicated to the server 101 as appropriate.
[0056] In a preferred embodiment, a generic version of the application may be initially installée! on a new présenter applicant's presenting peripheral. Subséquent to the process depicted in steps 200-208, the new présenter applicant may be prompted to authenticate their account by replying to an email, and/or by confirming their presenter's secret keycode in reply to a prompt from the server. Subséquent to this authentication, the generic version of the application on the new présenter applicant's presenting peripheral may be customized with the new présenter applicant's présenter identifier, the aliases connected to the new présenter applicant's credential sets, and the new présenter applicant's preferences as configured in step 206. This data may be stored in an encrypted format on the new présenter applicant's presenting peripheral. Figure 3 is a flowehart similar to that of Figure 2 depicting the steps via which a party may enroll as an accepter with the server '101 in accordance with an embodiment of the invention. As previously indicated, the invention envisages embodiments where the accepter must actively enroll with the server, as well as embodiments where it is not necessary for the accepter to enroll with the server. Furthermore, in other embodiments of the invention, enrolment of the accepter may be done passively as will be described in greater detail below. At step 300, a web page hosted by the server 101 is accessed by the party (hereafter referred to as a new accepter applicant), preferably using the accepting appliance 111. In a fashion analogous to step 200 of Figure 2, the web page is configured such that at this step, the new accepter applicant provides general enrolment details such as the name of the individual or organization, address, email address, etc. and submits these to the server 101. The web page may be accessed over a secure connection for the duration of the procedure, or else secure connections may merely be used only where sensitive information (such as an accepter's secret keycode or an acceptons credential set) is being transmitted. It will be further appreciated that enrolment of new accepter applicant may take place by way of other means such as by mail or fax·. Alternatively, if the accepter opérâtes an accepting appliance that is remote controlled by a linked third party (such as, for example, Terminal Management Systems used by Acquirers to manage card payment Point of Sale devices, enrolment of an accepter may be initiated by the linked third party. In such scénarios, it may not be necessary for the accepter to provide any information themselves. ..
[0057] At step 302, a new account is created on the server 101 by generating a new accepter applicant record in the collection of accepter records.
[0058] In order to arrange for disclosure-of a présenter credential set, permission must be given as described further below. In one embodiment of the invention, any permission emanating from an acceptor for the release of a présenter credential set will require that the accepter be identified, and hence, any permission for the release of a présenter credential set may require the initial provision of an accepter credential set. Accordingly, it is envisaged that just as for the présenter records, a separate accepter credential set is required in an accepter record for each interaction type that an accepter wishes to engage in. Interaction types may be defined broadly — for example, the release of a driving license instrument and the release of a payment card instrument may be regarded as different interaction types. Altematively, interaction types may be defined narrowly — for example the release of different payment card instruments (e.g. Mastercard, Visa Débit) may be regarded as different interaction types. Accordingly, while in some embodiments, for example, an accepter credential set may apply generally to ail payment cards, in other embodiments, an accepter may hâve a different credential set for each different payment card type handled by the accepter.
[0059] At step 306, the new accepter applicant is given the opportunity to set spécifie preferences associated with the processing and usage of credential sets associated with particular interaction types. By way of example, with respect to a credential set pertaining to a crédit card, the new accepter applicant may be given the option to indicate whether they wish to provide downstream functionalities associated with the credential set once the accepter credential set has been released, such as direct currency conversion, value added tax refunding for travelers or splitting payment over multiple cards.
[0060] At step 308, the accepting appliance is then configured such that it may communicate with the server. This may be done in a variety of ways. In embodiments of the invention where the accepting appliance is remote controlled by a third party, the third party may initiate an automatic reconfiguration of the accepting appliance if required. In other embodiments of the invention, the new accepter applicant may initiate reconfîguration via installation of a bespoke application in a manner similar to that described in Figure 2.
[0061] Figure 4 is a flowchart illustrating the method of permitting the release of at least one set of controlled credentials connected to a présenter while maintaining privity prevailing in said credentials in accordance with an embodiment of the invention. The controlling server receives an accepting appliance communication containing a secret keycode and a once-off shared keycode and a presenting appliance communication containing a présenter identifier and a once-off shared keycode. At step 403, the communication messages are compared. An unsuccessful match terminâtes the method and the interaction instruction is not completed. If the shared keycodes match, at step 404 a search for a target record on the server is initiated by linking the secret keycode and présenter identifier. A search for any target record comprising the same présenter identifier and secret keycode as contained in the accepting appliance communication and presenting appliance communication. If a target record is found, the credential set pertaining at the storage location présent in the record is rétrieved and permitted to be released to a designated destination that is the network endpoint.
[0062] Figures 5A and 5B disclose the process performed at accepting appliance. A once-off shared keycode is generated by the accepting appliance and conveyed to the presenting appliance. The accepting appliance further receives the présenter secret keycode and generates a communication to be sent to the controlling server as depicted by 101 in figure 1. The said communication comprises of the présenter secret keycode and the once-off shared keycode.
[0063] Figures 6A and 6B disclose the process performed at the presenting appliance. The présenter identifier is retrieved from memory. On receiving the once-off shared keycode from the accepting appliance, a communication comprising of the présenter identifier and the once-off shared keycode is transmitted to the controlling server 101. Figure 7 and figure 8 are a représentation of entries pertaining to the controlled credentials connected to the présenter. Each of the entries is associated with a présenter identifier and a secret keycode. Figures 7A to 7E represent various embodiments of storing records on the controlling server or credential server 101. In some embodiments, records of presenting interactors may be masked and located using look-up lists as is described in figures 7A and 7C. There may be another embodiment wherein each présenter interactor record is associated with an alias.
[0064] Figure 9A and 9B disclose graphical représentations pertaining to the process of communicating messages at the controlling server from the presenting and accepting interactors and the process of dispatching controlled credentials to permitted destinations. Figure 10 is a sequence diagram illustrating the process by which permission may be given in accordance with an embodiment of the invention involving a server 1001, presenting interactor 1002, presenting appliance 1003, network endpoint 1004, and accepting appliance 1005, to retrieve a set of credentials in storage at a location identifîed by the presenting interactor 1002 and release a set of credentials to a facility of a récipient permitted by the presenting interactor 1002. It will be appreciated that' giving permission to retrieve and release a présenter credential set may also be accompanied with request for retrieving an accepter credential set simultaneously, wherein the accepting appliance 1005 and the presenting appliance 1003 still submit the their respective communications to the Server 1001. It will further be appreciated that in some embodiments of the invention, the permission to release the credential set will specifically be a permission to release a présenter credential set (associated with a presenting interactor 1002) to the network endpoint 1004 or to an accepting appliance 1005. However, in other embodiments of the invention the permission will be to share the accepter or présenter credential set to that of a trusted third party linked to the network endpoint 1004 or the accepting appliance 1005. For example where permission is submitted to share a présenter credential set pertaining to a payment card instrument; it may be that it is intended for the payment card credential set to be sent to a trusted third party transaction processor.
[0065] In Figure 10, a presenting interactor 1002 possessing a presenting appliance 1003 configured to generate and transmit .a presenting appliance communication to the server 1001, identifies a facility operating at an accepting interactor that comprises a network endpoint 1004 or/and accepting appliance 1005 (wherein the network endpoint 1004 is an accepting appliance 1005, or wherein the network endpoint 1004 is linked to an accepting appliance 1005), and whereby the accepting appliance is configured to generate and transmit an accepting appliance communication to the server 1001. The presenting interactor 1002 may décidé to interact at such facility with a view to permitting a reading of a credential set connected to the presenting interactor 1002 to be released to the network endpoint 1004 or the accepting appliance 1005. The accepting interactor may also décidé to interact at such facility with a view to requesting a reading of a credential set connected to the accepting interactor to be returned to the network endpoint 1004 or accepting appliance 1005 when receiving the credential set connected to the presenting interactor 1002 at the network endpoint 1004 or the accepting appliance 1005. More specifîcally, a state of privity prevailing in the credentials connected to the presenting interactor 1002 is preserved in the preferred embodiment of the présent invention, whereby a reading of the set of credentials connected to the presenting interactor 1002 is not visible to or accessible by the accepting interactor nor communicated to or by presenting appliance 1003, but only communicated confidentially to the network endpoint 1004 or accepting appliance 1005.
[0066] In Figure 10, and at the event precedent 1010, a signal is conveyed at the network endpoint 1004 or the accepting appliance 1005 to a presenting interactor 1002, indicating that the said method devised in the présent invention is a method available at the network endpoint 1004 or accepting appliance 1005 for the presenting interactor 1002, whereby the network endpoint 1004 is equipped with such accepting appliance 1005 and wherein such accepting appliance 1005 is configured to communicate with Server 1001. In effect, the said method devised in the présent invention is one of the methods available at the network endpoint 1004 for obtaining credentials from presenting interactor 1002 [0067] In Figure 10, and at the event precedent 1011, a presenting interactor 1002 décidés to initiate an interaction at the facility operated at the accepting interactor as per the process of the method devised by the présent invention by availing of the presenting appliance 1003 configured to generate and transmit a presenting appliance communication to such server 1001, and availing of an accepting appliance 1005, configured to generate and transmit an accepting appliance communication to such server 1001. In effect, the presenting interactor 1002 selects to initiate an interaction at the facility of the accepting interactor as per the process of the method devised by the présent invention, declining to initiate an interaction at the facility operated at the accepting interactor as per any other process of prior methods available at the network endpoint 1004 for obtaining credentials from presenting interactor 1002.
[0068] At stage 1012, an interaction is initiated by activating 1012 the accepting appliance 1005 that is configured to facilitate accepting appliance communications with server 1001. On activation at 1012, a once-off shared keycode is produced 1012 at the accepting appliance 1005. In one embodiment of 1012, the shared keycode is generated by the server 1001 and transmitted to the accepting appliance 1005. In another embodiment of 2012, the shared keycode is generated at the accepting appliance 1005.
[0069] At stage 1013, an interaction is initiated by activating 1013 the presenting appliance 1003 that facilitâtes presenting appliance communications with server 1001. On activation at 1013, a présenter identifier is retrieved from a storage location on the presenting appliance 1003. In one embodiment at 1013, a list of aliases associated to the credentials connected the presenting interactor 1002 related to the présenter identifier also retrieved from some storage location on the presenting appliance 1003. In such embodiment of 1012, such a list of aliases associated to the credentials connected the presenting interactor are itemized on the presenting peripheral 1003 for sélection by the présenter identifier 1002.
[0070] At stage 1014, a shared keycode is rendered available 1014 at the accepting appliance 1005 to presenting interactor 1002 and presenting appliance 1003. In one embodiment of 1014, it is rendered human-readable at accepting appliance 1005. In another embodiment of 1014, it is rendered machine-readable at accepting appliance 1005.
[0071] At stage 1015, the shared keycode is obtained accordingly 1015 at the presenting appliance 1003. In one embodiment of 1015, it is obtained by reading it at the accepting appliance 1005 and inputting it in to the presenting appliance 1003. In another embodiment of 1015 it is obtained by scanning it at the accepting appliance 1005 and capturing it on to the presenting appliance 1003. In one embodiment, the accepting appliance 1005 transmits the once-off shared keycode directly 1014 to the presenting appliance 1003, whereas in another embodiment, the accepting appliance 1005 makes the shared keycode available 1014 to the presenting interactor 1002, who enters it 1016 into the presenting appliance 1003. In 5 some embodiments of the invention, a validity period may be assigned to the shared keycode. This ensures that if a received accepting appliance communication and a received presenting appliance communication are not corroborated within a certain timeframe by seeking to match the once-off shared keys (as discussed further below) within a certain timeframe (the validity period), then the interaction may 10 lapse and thereby become void rendering further processes redundant. Upon expiry of the validity period of a shared keycode,· the same shared keycode thus may be reused in a subséquent itération of the method. Accordingly, a validity period can ensure that shorter, less complex secret keys can be used because shared keycode re-use is thereby feasible. This is advantageous in embodiments of the invention 15 where it is necessary for the presenting interactor to enter the shared keycode into the presenting peripheral, as reduced keycode complexity makes this embodiment of the method more manageable.
[0072] In some embodiments, the presenting appliance may also display a list of aliases pertaining to different présenter credential sets connected to said presenting 20 interactor. The presenting interactor then selects an alias associated to the desired credential set connected to the presenting interactor.
[0073] At stage 1016, the accepting appliance seeks to obtain the secret keycode of the presenting interactor by prompting the presenting interactor 1002 to enter the presenter's secret keycode on the accepting appliance 1005. In one embodiment, the 25 accepting appliance 1005 may additionally display at 1012 a predetermined auxiliary parameter to the presenting interactor 1002 in order to further correlate the interaction and corroborate the accepting appliance communication and the presenting appliance communication.
[0074] At 1017, the secret keycode is obtained 1017 by the accepting appliance 30 1005. In one embodiment, the presenting interactor 1002 uses a keypad to enter the secret keycode on the accepting appliance 1005. In another embodiment, the présenter interactor 1002 may use a device to convey the secret keycode to the accepting appliance 1005.
[0075] At stage 1019, the accepting appliance 1005 then transmits an accepting appliance communication to the server 1001 permitting release of a spécifie credential set(s) connected to the presenting interactor 1003 to the facility of the récipient permitted by the presenting interactor 1002. The accepting appliance communication contains the presenter's secret keycode as obtained at 1017 and the once-off shared keycode as generated at 1012. The accepting appliance communication may also contain an identifier pertaining to the accepting interactor if retrieved following 1012 and any auxiliary predetermined parameters if captured following 1012.
[0076] At stage 1018, the presenting appliance 1003 transmits a presenting appliance communication to the server' 1001 allowing retrieval of the spécifie credential set(s) connected to the presenting interactor 1002, in storage at the location identified by the presenting interactor 1002. The presenting appliance communication contains a présenter identifier retrieved in 1013 and the once-off shared keycode obtained at 1015. The presenting appliance communication may also contain an alias associated to the chosen credential set if itemized at 1013 and selected at 1016, and may also contain any predetermined auxiliary parameters if captured following 1016.
[0077] At 1020, the server 1001 seeks to match the received accepting appliance communications and received presenting appliance communications by seeking to match the once-off shared keycode contained in accepting appliance communications and the once-off shared keycode contained in presenting appliance communications. In some embodiments of 1020, the accepting appliance communication and/or the presenting appliance communication may be assigned a validity period 1020. If the accepting appliance communication and presenting appliance communications are not matched within the designated validity period, the interaction lapses and is deemed void rendering further processes redundant. Where an interaction lapses and becomes void rendering further processes redundant, the data pertaining to the interaction (i.e. the interactor communications) can be purged from the system, freeing up resources for the processing of further received permissions. In other embodiments of 1020, a value or predetermined auxiliary parameters may hâve been contained in the accepting appliance communication in 1019 and presenting appliance communication in 1018. If so, the value is used in addition to shared keycode as the predetermined auxiliary parameter to seek a match of an accepting appliance communication and presenting appliance communication in 1020.
[0078] At stage 1021, and in the event a match is found at 1020, the server 1001 initiâtes a search by linking 1021 the presenting identifier contained in the presenting appliance communication and the secret keycode contained in the accepting appliance communication, wherein the shared keycode contained in the presenting appliance communication is the same as the shared keycode contained in the accepting appliance communication as per 1020. If no match is found at 1020, the method does not thus proceed with 1021, and the Server 1001 may retum a message accordingly to the accepting appliance 1005 or the presenting appliance 1003.
[0079] At stage 1022, the server 1001 conducts 1022 a search for a target record within its collection of présenter records comprising the présenter identifier contained in the matched presenting appliance communication and the secret keycode contained in the matched accepting appliance communication. In one embodiment of 1022, and in the event 1022 an alias associated to the présenter identifier is contained in the presenting appliance communication as per 1018, the alias is also used to ascertain 1022 a target record comprising that alias in addition to the présenter identifier and secret keycode of the presenting interactor 1002.
[0080] At stage 1023, and in the event a record comprising the présenter identifier and presenter's secret keycode is located in 1022, a search is continued by identifying 1023 an entry affîliated to the target record located in 1022, wherein the entry pertains to the set of credentials connected to the presenting interactor 1002. (In one embodiment, the credential set concemed may be the credential set connected to the alias selected by the presenting interactor at step 1022). In one embodiment, the entry identifîed contains 1022 a reading comprising the credentials connected to the presenting interactor 1002. In another embodiment, the entry identified contains 1022 a pointer locating the credentials connected to the presenting interactor 1002. In the event a record comprising the présenter identifier and presenter's secret keycode is not located in step 1022, the process does not thus proceed with 1023 and the Server 1001 may retum a message accordingly to the accepting appliance 1005 or/and the presenting appliance 1003.
[0081] At 1024, a search is completed by permitting a retrieval of a reading of the credentials connected to the presenting interactor 1002 in storage at the location identified in 1023, and permitting a release of the reading of the credentials connected to the presenting interactor to the facility of the récipient permitted by the presenting interactor 1002.
[0082] At stage 1025, a reading is retrieved from storage at the location indicated by the presenting interactor 1002. In one embodiment, a reading is stored and retrieved 1025 at the controlling server configured to perform the method devised in 1020 to 1024. In another embodiment, a reading is stored and retrieved 1025 at another server different to the controlling server configured to perform the method devised in 1020 to 1024.
[0083] At stage 1026, a reading of the credentials is released 1026 to tire facility of the récipient permitted by the presenting interactor 1002 .In one embodiment of 1026, the reading is released and dispatched to the network endpoint 1004. In another embodiment of 1026, the reading is released and dispatched to the accepting appliance 1005.
[0084] In Figure 10, and as the events subséquent at 1027 and 1028, a message is retumed by the server 1001 to the presenting appliance 1003 for the presenting interactor 1002, indicating if the reading has been retrieved as identified and released as permitted by the presenting interactor 1002; in such supplémentai embodiments, a recording is retained at the server 1001 listing a status of events occurring between 1020 and 1024, ad reviewable to the presenting interactor 1002 at the presenting appliance 1003.
[0085] The embodiments in the invention described with reference to the drawings comprise a computer apparatus and/or processes performed in a computer apparatus. However, the invention also extends to computer programs, particularly computer programs stored on or in a carrier adapted to bring the invention into practice. The program may be in the form of source code, object code, or a code intermediate source and object code, such as in partially compiled form or in any other form suitable for use in the implémentation of the method according to the invention. The carrier may comprise a storage medium such as ROM, e.g. CD ROM, or magnetic recording medium, e.g. a floppy disk or hard disk. The carrier may be an electrical or optical signal which may be transmitted via an electrical or an optical cable or by radio or other means.
[0086] The words comprises/comprising and the words having/including when used herein with reference to the présent invention are used to specify the presence of stated features, integers, steps or components but do not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.
[0087] It is appreciated that certain features of the invention, which are, for clarity, described in the context of separ'ate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination.

Claims (36)

  1. CLAIMS:
    1. A System (100) for permitting a communication of at least one set of controlled credentials connected to a présenter from a server to a network endpoint, said system comprising:
    at least one network endpoint;
    at least one accepting appliance (109) configured to send an accepting appliance communication (104), said accepting appliance communication containing a secret keycode (109a) pertaining to said présenter and a once-off shared keycode (109b);
    at least one presenting appliance (108) configured to send a presenting appliance communication (105), said presenting appliance communication containing a présenter identifier (108a) pertaining to said présenter and said once-off shared keycode (108b);
    at least one server that further comprises a processor, at least one communications interface and memory storing at least one entry (103) pertaining to said at least one set of connected controlled credentials, each entry being affiliated to at least one record (102), the record pertaining to any one présenter and comprises a présenter identifier and a secret keycode bound to the présenter identifier;
    wherein said at least one server is configured to:
    a) receive said accepting appliance communication (104);
    b) receive said presenting appliance communication (105);
    c) seek a match of said once-off shared keycode (109b) contained in said accepting appliance communication (104) with said once-off shared keycode (108b) contained in said presenting appliance communication (105);
    d) initiate a search for a target record by linking said secret keycode in said accepting appliance communication (104) with said présenter identifier in said presenting appliance communication (105), both said accepting appliance communication and said presenting appliance communication containing the same once-off shared keycode (108b, 109b);
    e) conduct the search for said target record that comprises both said secret keycode (109a) and said présenter identifier (108a);
    f) identify an entry (103) affiliated with said target record;
    g) permit the retrieval of said at least one set of connected controlled credentials pertaining to said entry (103) and permit the release of said at least one set of connected controlled credentials to said network endpoint (110), said network endpoint being a permitted récipient of a type of said at least one set of connected controlled credentials.
  2. 2. The System of claim 1, wherein said at least one server comprises a controlling server (101).
  3. 3. The System of claim 2, wherein the controlling server (101) is further configured to generate said once-off shared keycode, and render it available at the accepting appliance (109).
  4. 4. The System of claim 2, wherein said accepting appliance is further configured to generate said once-off shared keycode, receive said secret keycode (109a) from said présenter and transmit said accepting appliance communication to said controlling server (101).
  5. 5. The System of claim 3, wherein said presenting appliance is further configured to receive said once-off shared keycode from said accepting appliance (109), retrieve said présenter identifier from its memory and transmit said presenting appliance communication (105) to said controlling server (101).
  6. 6. The System of any one of the preceding daims, wherein said record comprising said présenter identifier and said secret keycode further comprises an alias associated to the présenter identifier and affiliated to said entry (103) pertaining to said at least one set of connected controlled credentials.
  7. 7. The system of any one of the preceding daims, wherein said presenting appliance communication further contains an alias associated to said présenter identifier and affiliated to said entry (103) pertaining to said at least one set of connected controlled credentials, and wherein said search for said target record further utilizes said alias contained in said presenting appliance communication (105) to search for said target record comprising said alias in addition to comprising said présenter identifier (108a) and said secret keycode.
  8. 8. The System of any one of the preceding daims, wherein said network endpoint comprises said accepting appliance (109) and is configured as a designated récipient of one or more types of said at least one set of connected controlled credentials.
  9. 9. The system of any one of daims 1 to 7, wherein said network endpoint is linked to said accepting appliance and is configured as a designated récipient of one or more types of said at least one set of connected controlled credentials.
  10. 10. The system of claim 2, wherein said at least one set of connected controlled credentials comprises an entry in said target record (102) on said controlling server (101).
  11. 11. The system of claim 2, wherein said at least one set of connected controlled credentials comprises an entry on another of said at least one server which is affiliated to said target record on said controlling server (101).
  12. 12. The System of any one of the preceding claims, wherein a validity period is assigned to said accepting appliance communication (104), and wherein step c) further comprises establishing whether said validity period has expired.
  13. 13. The System of any one of claims 1 to 11, wherein a validity period is assigned to said presenting appliance communication (105), and wherein step c) further comprises establishing whether said validity period has expired.
  14. 14. The System of any one of claims 1 to 11, wherein a validity period is assigned to said once-off shared keycode, and wherein step c) further comprises establishing whether said validity period has expired.
  15. 15. The System of claim 14, wherein said once-off shared keycode is unique over the duration of its validity period.
  16. 16. The System of any one of the preceding claims, wherein said accepting appliance communication (104) further contains one or more predetermined auxiliary parameters, and said presenting appliance communication also further comprises said one or more predetermined auxiliary parameters.
  17. 17. The System of claim 16, when dépendent on any one of claims 2 to 5, wherein said controlling server (101) seeks to match at least one of said predetermined auxiliary parameters from said presenting appliance communication (105) with said corresponding predetermined auxiliary parameter(s) from said accepting appliance communication (104) to provide further at least one of: corrélation and corroboration.
  18. 18. The system of any one of daims 2 to 5, wherein, if said records comprise entries of at least one set of connected controlled credentials on said controlling server (101), steps f) and g) are performed at said controlling server, and communication of said at least one set of connected controlled credentials is performed from said controlling server.
  19. 19. The system of any one of daims 2 to 5, wherein, if said records comprise entries of at least one set of connected controlled credentials on a different server than said controlling server, steps f) and g) are performed at said different server, and communication of said at least one set of connected controlled credentials is performed using one of: said controlling server and said different server.
  20. 20. The system of any one of daims 2 to 5, wherein, if no match between said accepting appliance communication (104) and presenting appliance communication (105) is found at said controlling server (101), said controlling server terminâtes further configured actions and records such status thereat.
  21. 21. The system of any one of daims 2 to 5, wherein, if no target record is found at said controlling server (101), said controlling server terminâtes further configured actions and records such status thereat.
  22. 22. The system of any one of daims 2 to 5, wherein said controlling server (101) is further configured to record the status of the events occurring and to relay such status to at least one of: said accepting appliance (109) and said presenting appliance (108).
  23. 23. The system of any one of the preceding daims, wherein each of said servers, network endpoints (110), and presenting and accepting appliances (108,
    109) each further comprises at least one of: a processor, communication interfaces, memory, input consoles and output consoles.
  24. 24. The system of any one of the preceding daims, wherein the System is opérable over a communications network (106, 107, 111).
  25. 25. A method to permit a communication of at least one set of controlled credentials connected to a présenter from at least one server to a network endpoint (110), said method comprising the following steps performed at at least one server:
    (a) receiving an accepting appliance communication (104), said communication containing a secret keycode (109a) pertaining to said présenter and a once-off shared keycode (109b);
    (b) receiving a presenting appliance communication (105), said communication containing a présenter identifier (108a) pertaining to said présenter and once-off shared keycode (108b);
    (c) seeking a match of said once-off shared keycode (109b) contained in said accepting appliance communication (104) and said once-off shared keycode (108b) contained in said presenting appliance communication (105);
    (d) initiating a search for a target record by linking said secret keycode (109a) of said accepting appliance communication (104) and said présenter identifier (108a) in said presenting appliance communication (105), both said accepting appliance communication and said presenting applicance communication containing the same once-off shared keycode (108b, 109b);
    (e) conducting the search for the target record comprising both said secret keycode (109a) and said présenter identifier (108a);
    (f) identifying an entry (103) affiliated with said target record, said entry pertaining to said at least one set of connected controlled credentials; and (g) permitting a retrieval of said at least one set of connected controlled credentials pertaining to said entry and permitting a release of said set of connected controlled credentials to said network endpoint (110), said endpoint being a permitted récipient of said at least one set of connected controlled credentials.
  26. 26. The method of claim 25, wherein the target record comprising said présenter identifier (108a) and secret keycode (109a) further comprises an alias associated to said présenter identifier (108a) and affiliated to said entry (103) pertaining to said at least one set of connected controlled credentials, and said presenting appliance communication (105) further contains an alias associated to said présenter identifier (108a) and affiliated to said entry pertaining to said at least one set of connected controlled credentials, and wherein step (e) further comprises matching respective aliases of said record and said presenting appliance communication.
  27. 27. The method of claim 25 or 26, wherein said at least one server comprises a controlling server (101) and steps (a) to (g) are performed thereon.
  28. 28. The method of claim 25 or 26, wherein said at least one server comprises a controlling server (101) and said at least one set of connected controlled credentials comprises an entry on a different server to said controlling server (101), said entry being affiliated with said target record, and wherein the step of identifying a credential set is performed at said different server, and wherein steps (e) to (g) are performed at one of: said controlling server (101) and a different server.
  29. 29. The method of any one of claims 25 to 28, further comprising assigning a validity period to at least one of: said accepting appliance communication (104), said presenting appliance communication (105) and said once-off shared keycode, and step (c) further comprises establishing whether said validity period has expired.
  30. 30. The method of claim 29, wherein said once-off shared keycode is unique over the duration of its validity period.
  31. 31. The method of any one of daims 25 to 29, wherein each of said presenting appliance communication (105) and said accepting appliance communication (104) further contains one or more predetermined auxiliary parameters, and wherein step (c) further comprises seeking a match of at least one of said predetermined auxiliary parameters in said presenting appliance communication with at least one of corresponding predetermined auxiliary parameters in said accepting appliance communication.
  32. 32. The method of claim 27, wherein, if said records comprise entries of at least one set of connected controlled credentials on said controlling server (101), performing the steps (f) and (g) at said controlling server, and the method further comprises releasing said at least one set of connected controlled credentials from said controlling server.
  33. 33. The method of claim 25 or 26, wherein said at least one server comprises a controlling server (101), and, if said records comprise entries of at least one set of connected controlled credentials on a different server to said controlling server (101), performing the steps (f) and (g) at said different server, and the method further comprises releasing said at least one set of connected controlled credentials from one of: said controlling server and said different server.
  34. 34. The method of claim 27 or 28, wherein, if no match between said accepting appliance communication (104) and presenting appliance communication (105) is found, terminating further configured actions and recording such status at said controlling server (101).
  35. 35. The method of claims 27 or 28, wherein, if no target record is found, 5 terminating further configured actions and recording such status at said controlling server (101).
  36. 36. The method of claim 27 or 28, further comprising recording the status of the events at said controlling server (101) and relaying such status to at least
    10 one of: said accepting appliance (109) and said presenting appliance (108).
OA1201600271 2014-01-10 2015-01-09 System and method for communicating credentials. OA18047A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP14150856.4 2014-01-10

Publications (1)

Publication Number Publication Date
OA18047A true OA18047A (en) 2018-04-06

Family

ID=

Similar Documents

Publication Publication Date Title
US10021093B2 (en) System and method for communicating credentials
US11069016B2 (en) National digital identity
CN109241726B (en) User authority control method and device
EP2751733B1 (en) Method and system for authorizing an action at a site
HUE026214T2 (en) A qualified electronic signature system, associated method and mobile phone device for a qualified electronic signature
US20140053251A1 (en) User account recovery
CN105427106B (en) Authorization processing method and payment processing method of electronic cash data and virtual card
CN113590930A (en) System and method for data access control using short-range transceivers
US9811858B2 (en) Method for enrolling and authenticating a cardholder
KR101191345B1 (en) Application for nfc mobile phone equipped with the permission of the management system and method
JP2010140228A (en) Service providing device, user information management device, user registration management system, user registration method, user information management method, user registration program, and user information management program
US8804158B2 (en) Token generation from a printer
US20170344755A9 (en) Secure health data storage and transaction system
OA18047A (en) System and method for communicating credentials.
EP3145117B1 (en) A method and a system for shared digital signing of a document
CN112020715A (en) Authorized printing
US20230388295A1 (en) Method for logging in online system without username and password, and authentication server
JP6827842B2 (en) Delivery support system, delivery support device and delivery support method
BR112016016049B1 (en) SYSTEM AND METHOD FOR ALLOWING COMMUNICATION OF AT LEAST ONE SET OF CONTROLLED CREDENTIALS CONNECTED TO A DISPLAY FROM AT LEAST ONE SERVER TO A NETWORK ENDPOINT
BG4802U1 (en) MODULAR ELECTRONIC IDENTITY SYSTEM
Sel et al. Worldbank’s Secure eID Toolkit for Africa
KR20150083182A (en) Method for Managing Certificate
KR20150083181A (en) Method for Managing Certificate