NL2021222B1 - Method for secure encrypted digital services - Google Patents
Method for secure encrypted digital services Download PDFInfo
- Publication number
- NL2021222B1 NL2021222B1 NL2021222A NL2021222A NL2021222B1 NL 2021222 B1 NL2021222 B1 NL 2021222B1 NL 2021222 A NL2021222 A NL 2021222A NL 2021222 A NL2021222 A NL 2021222A NL 2021222 B1 NL2021222 B1 NL 2021222B1
- Authority
- NL
- Netherlands
- Prior art keywords
- digital
- server
- user
- identity
- user equipment
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A method for providing digital services includes a digital services server and at least one user equipment connected over a network. The digital services are run between the at least one user equipment and the server. The method includes creating a digital identification code associated with the user equipment, which includes: -- providing an identity of a user ofthe user equipment and at least an identifier code ofthe user equipment; -- validating the identity ofthe user, and if validated, creating a pair of encryption keys based on a combination ofthe identity and at least the identifier code; -- creating the digital identification code based on the encryption keys; -- creating a user account with the digital identification code as user identity, and using the digital identification code for encrypted communication between the user equipment and the user account on the server to use the digital services.
Description
Field of the invention
The present invention relates to a method of secure encrypted digital services. Moreover, the invention relates to the field of protecting data communications in which public and secret keys, as well as solely secret keys, are used to encrypt/decrypt data, and possibly digitally sign data, which data is transmitted along a communication path and needs to be secured.
Background
From the prior art is known that both symmetric and a-symmetric encryption keys can be randomly generated with software and/or hardware based random entropy, whereby these encryption keys are assigned, administered and somehow enrolled to an identity of a person and their relevant device which will hold the encryption key(s), after positive authentication of said person.
In order to authenticate a person, the person identifies himself, usually by means of a username, and then proves his identity by means of authentication.
Prior-art well describes different methods of single factor and multi-factor authentication, most commonly: something a person knows (i.e., a PIN code or password/passphrase), something you have (a One-Time-Password generator token ora smartcard), something a person is (i.e., biometrics), somewhere a person is (GPS location), when a person is (date/time/timezone), followed by assigning proof of such positive authentication, by providing either an indefinitely valid or temporary valid proof of identity in the form of for example but not limited to: a Kerberos token, a cookie, an X.509 certificate with corresponding key-pair, a PGP key.
This proof of identity can either not contain any reference to the verified identity, in which case proof by association or circle of trust is used. Or the proof of identity can contain a reference to the person’s identity, usually be referring to reference number, a username, or full name, in which situation one or more different prior art methodologies are used to prevent the included identity reference from being altered, for example by using hashing.
It is an object of the present invention to provide a novel way to associate one’s proven identity directly to an encryption key, and/or encryption key-pairs, and/or concatenated encryption key-parts, after which said key(s) can be used to provide further secure online digital services to the identity using its directly associated encryption key(s)
Summary of the invention
The object is achieved by a method as defined in claim 1.
The invention allows to exchange data in a secure way via a public and/or non-public network, such as the Internet. The invention allows this by using a combination of digital certificates and associated key-pairs, as well as symmetric keys such as AES which are bound to a person by means of a digital identity code.
The invention is directed to a reliable way of authentication and, subsequently, securing a connection, as well as securing specific files over said connection, between two or more clients, or between a client or multiple clients and a server using a centrally managed policy enforcer.
By makingw one or multiple factors of one’s digital identity authentication proof, the identity code, part of the entropy of the encryption key generation, both identity and proof of identity are no longer solely connected on an administrative level, but also on an intertwined mathematical encryption key level.
In today's market privacy and a high level of security in (digital) communications is a must have. Individuals and companies need to be able to rely on the fact that privacy and other sensitive data is solely exchanged between identified parties, and only exchanged between said parties when all parties agree to receiving/sending said data, without fear that either a legal or illegal party can eavesdrop simply because they managed to obtain one of the (associated) encryption keys.
To that end the invention provides some methods and arrangements as specified in the annexed claims.
Brief description of drawings
The invention will be explained in more detail below with reference to drawings in which illustrative embodiments thereof are shown. They are intended exclusively for illustrative purposes and not as a restriction of the inventive concept, which is defined by the appended claims.
Figure 1 shows schematically a layout of a network for carrying out a method according to an embodiment of the invention;
Figure 2 shows a first flow diagram of a method in accordance with an embodiment of the invention, and
Figure 3 shows a second flow diagram of a method in accordance with an embodiment of the invention.
Detailed description of embodiments
Figure 1 shows schematically a layout of a network for carrying out a method according to an embodiment of the invention. Figure 2 shows a first flow diagram in accordance with the method.
In a network 100 a digital services server 10 and at least a user equipment 12 are arranged. The digital services server 10 and the user equipment are connected to the communication network 100.
The communication network 100 can be a local area network or wide area network for digital communications, and can be a part of the Internet. In addition, the communication network 100 can be a wired network or a wireless network, or a combination of these.
The digital services server 10 comprises a processor, memory and data storage in an server architecture as known in the art and is capable of connecting to the network by wired and/or wireless connection. In addition, the server 10 is configured to provide digital services to user equipment. The digital services comprise mail, e-mail, e-payment, file storage, voice communication, video communication, messaging, digital documents services, digitized documents services, directory services and other electronic services.
The user equipment 12 is an electronic device capable of electronic communication over the network 100, by wired and/or wireless connection.
To provide digital services between the user equipment and the digital services server an authentication for the user equipment is required by the digital services server, as illustrated by the method steps of the flow diagram 200 in Figure 2.
If the user equipment 12 connects S201 to the server 10 to use digital services, a procedure S202 to create a user account is typically performed by the user equipment 12 and the digital services server 10 in which the user equipment must be identified before using the digital services. Thus, a digital identification code ID2 for the user equipment needs to be created.
According to an embodiment, in the setup procedure between the user equipment 12 and the digital services server 10, the user equipment 12 provides an identity ID of a user of the user equipment 12 to the digital services server 10. In addition the user equipment 12 provides in step S204 at least one further identifier code to the digital services server 10. According to an embodiment, the further identifier code IC is associated with the user equipment 12. For example, the further identifier code IC is an hardwired code stored with the user equipment 12 that uniquely identifies the user equipment.
After receiving the identity of the user and the further identifier code on the server 10, the digital services server 10 performs in step S205 a validation of the identity ID of the userand if successful, in subsequent step S206 the digital services server 10 creates a pair of encryption keys on the basis of a combination of the identity ID of the user and the further identifier code IC of the user equipment 12.
Also, in next step S207 the digital services server 10 creates a digital identification code ID2 from the pair of encryption keys.
The server 10 now creates S208 a user account for the user of the user equipment 12 in which the user account is labelled with the created digital identification code ID2 as account identity.
After creation of the user account ID2, the digital identification code ID2 is used to set up encrypted communication between the user equipment 12 and the user account ID2 on the digital services server 10.
According to an embodiment, one encryption key from the pair of encryption keys is stored on the user equipment 12 and the other one of the pair is stored on the server 10. The encrypted communication between the user equipment 12 and the digital services server 10 is then performed using an encryption scheme based on the pair of encryption keys.
Advantageously, the method provides a unique digital identification code ID2 for the user by combining the user’s identity ID with a unique identifier IC of the user equipment 12. As will be appreciated by the skilled in the art, the use of the digital identification code ID2 provides that a secure communication can be established between the digital services server 10 and the user equipment 12.
On the network 100 one or more other devices 14 are available that can provide data content for the user in his user account ID2. Such data content may include for example digital (e-mail) messages, digital documents, digital images, and forms, each addressed to the user, in particular the identity ID of the user which may include his name and address.
These other devices 14 (typically third party network devices) are capable to send the data content to the user of the user equipment 12 in which the data content is labelled with the identity ID of the user or a network address associated with said identity.
The digital services server 10 is configured to receive the data content from the sending other device 14. From the label associated with the identity ID of the user, the digital services server 10 determines an identity of the user to whom the data content is addressed and compares the addressed identity with the identity ID of the user as present in the digital identification code ID2 stored on the server 10 forthat particular user. If a match is found between the identity ID of the user in the digital identification code ID2 and the identity of the user in the label of the received data content, the digital services server 10 accepts the received data content and stores the received data content in the account ID2 of the user (i.e., in storage space on the server associated with the user account ID2 for the user with the identity ID).
Advantageously, this procedure allows that digital content addressed to a user using an identity based on name and address can be forwarded to a user account with an account identifying name ID2 which due to the use of the further identifier code IC of the user equipment 12 (and unknown to the sender) is not derivable for a sender of content to the user. Thus this method provides a high degree of security to the user having the user account.
According to an embodiment, the method provides that the validation step carried out by the digital services server 10 includes that the identity ID of the user is validated by a trusted third party server 16 that provides identity management services based on previously verified data relating to the identity of the user. The trusted third party server 16 is typically connected to the network 100.
Typically, the trusted third party server 16 is capable of verifying a user identity ID by comparing personal data such as name and address data as provided by the user with stored data forthat user already verified by the trusted third party. If these personal data match with the trusted third party verified data, the identity ID of the user is successfully validated and can be accepted by the digital services server 10.
For example, in the Netherlands, a platform called iDIN is used for online verification and identification of electronic user identities and can provide trusted third party server functionality for validation of the identity of the user as described above. Similar trusted third party servers can be used for the same purpose.
Figure 3 shows a second flow diagram of a method in accordance with an embodiment of the invention.
In a further embodiment, the invention relates to a method 300 for distributing digital content to one or more user equipment devices 12 over the network 100. In this embodiment, the method is carried out by a content server 18 and the digital services server 10 that provides digital services as described above.
The content server 18 is configured for providing digital content to one or more user equipment based on an identity of the user associated with the user equipment. For example, the content server is configured to transmit digital content to an electronic address of the user as identity of the user. Such digital content comprises electronic messages and mail, digital documents and images, data files, etc.
According to an embodiment, the content server 18 transmits in step S302 for one or more users the digital content to the digital services server 10. To identify the addressee for the digital content, the digital content is labelled with identifying information relating to the identity ID of the user, including in this embodiment, name and address of the user as explained above.
The digital services server 10 receives the digital content in step S303 and determines in step S304 the intended identity of the user from the labelled identifying information. Next, in step S305, the digital services server 10 compares the intended identity with the identities ID of a user associated with one of the user accounts on the digital services server as present in the respective digital identification code ID2 for each user account.
In step S306 the digital services server 10 determines if the identifying information matches an identity ID of a user coupled to a user account ID2 on the digital services server then the digital content is stored in the user account ID2 associated with the identity ID of the user on the digital services server 10.
The user can access the stored digital content by means of the user equipment 12 using the secure communication connection between the digital services server 10 and the user equipment 12.
According to a further embodiment, the method comprises in step S307 that if there is no match between the identifying information and any one of the identities of the user accounts as present in the digital identification codes and stored on the digital services server, the digital services server 10 is configured to send information to the content server that no match is found. The method then comprises that the content server carries out an additional step S308 based on this non-matching information.
Based on the information that no match occurs for the addressee of the digital content and one of the user accounts, the content server 18 can be configured to try delivery of hardcopy of the digital content to the addressee by means of the name and physical address.
According to an embodiment, where the digital content relates to printable matter, the content server 18 is arranged to forward the digital content to a printer (not shown) in case no match was found. The printer is then arranged to print hardcopy of the digital content which is labelled by the name and address from the identifying information.
According to the embodiment that a match was found, the content server 18 receives information of the match from the digital services server 18. Accordingly, the content server is configured to omit the step of forwarding the digital content to the printer.
Alternatively, if no match is found the digital services server 10 can be configured to forward the digital content to the printer, without reporting to the content server.
In the foregoing description, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the scope of the invention as summarized in the claims set out below.
In addition, modifications may be made to adapt a particular situation to the teachings of the invention without departing from the essential scope thereof. Therefore, it is intended that the invention is not limited to the particular embodiments disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NL2021222A NL2021222B1 (en) | 2018-07-02 | 2018-07-02 | Method for secure encrypted digital services |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NL2021222A NL2021222B1 (en) | 2018-07-02 | 2018-07-02 | Method for secure encrypted digital services |
Publications (1)
Publication Number | Publication Date |
---|---|
NL2021222B1 true NL2021222B1 (en) | 2020-01-07 |
Family
ID=63405319
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
NL2021222A NL2021222B1 (en) | 2018-07-02 | 2018-07-02 | Method for secure encrypted digital services |
Country Status (1)
Country | Link |
---|---|
NL (1) | NL2021222B1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060248346A1 (en) * | 2005-03-18 | 2006-11-02 | Kentaro Shiomi | Method for generating device unique key, secret information LSI with secret information processing function using the method, host device mounted with the LSI, recording medium with authentication function used in the host device, and portable terminal with the recording medium having authentication function |
US20060277598A1 (en) * | 2003-09-30 | 2006-12-07 | Inka Entworks, Inc. | Method of synchronizing data between contents providers and a portable device via network and a system thereof |
WO2008061344A1 (en) * | 2006-11-20 | 2008-05-29 | Tet Hin Yeap | System and method for secure electronic communication services |
-
2018
- 2018-07-02 NL NL2021222A patent/NL2021222B1/en not_active IP Right Cessation
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060277598A1 (en) * | 2003-09-30 | 2006-12-07 | Inka Entworks, Inc. | Method of synchronizing data between contents providers and a portable device via network and a system thereof |
US20060248346A1 (en) * | 2005-03-18 | 2006-11-02 | Kentaro Shiomi | Method for generating device unique key, secret information LSI with secret information processing function using the method, host device mounted with the LSI, recording medium with authentication function used in the host device, and portable terminal with the recording medium having authentication function |
WO2008061344A1 (en) * | 2006-11-20 | 2008-05-29 | Tet Hin Yeap | System and method for secure electronic communication services |
Non-Patent Citations (1)
Title |
---|
KUMAR K THIRUMAL ET AL: "Secure strategic mail application with hardware device", 2016 INTERNATIONAL CONFERENCE ON ADVANCES IN COMPUTING, COMMUNICATIONS AND INFORMATICS (ICACCI), IEEE, 21 September 2016 (2016-09-21), pages 887 - 892, XP032989899, DOI: 10.1109/ICACCI.2016.7732157 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1622301B1 (en) | Methods and system for providing a public key fingerprint list in a PK system | |
US11336641B2 (en) | Security enhanced technique of authentication protocol based on trusted execution environment | |
US10313136B2 (en) | Method and a system for verifying the authenticity of a certificate in a web browser using the SSL/TLS protocol in an encrypted internet connection to an HTTPS website | |
US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
FI115098B (en) | Authentication in data communication | |
US7334255B2 (en) | System and method for controlling access to multiple public networks and for controlling access to multiple private networks | |
US20090240936A1 (en) | System and method for storing client-side certificate credentials | |
US20050278538A1 (en) | Method for naming and authentication | |
US10250589B2 (en) | System and method for protecting access to authentication systems | |
US20080141352A1 (en) | Secure password distribution to a client device of a network | |
US10579809B2 (en) | National identification number based authentication and content delivery | |
CA2551113A1 (en) | Authentication system for networked computer applications | |
JP2006525563A (en) | User and web site authentication method and apparatus | |
US11349646B1 (en) | Method of providing secure communications to multiple devices and multiple parties | |
Dua et al. | Replay attack prevention in Kerberos authentication protocol using triple password | |
Chalaemwongwan et al. | A practical national digital ID framework on blockchain (NIDBC) | |
CN113886771A (en) | Software authorization authentication method | |
US20080034212A1 (en) | Method and system for authenticating digital content | |
CN100499453C (en) | Method of the authentication at client end | |
CN112565294A (en) | Identity authentication method based on block chain electronic signature | |
NL2021222B1 (en) | Method for secure encrypted digital services | |
US11461451B2 (en) | Document signing system for mobile devices | |
Patiyoot | Patiyoot 2: Key Distribution, and Session Key for Authentication Protocol in Wireless Network | |
CN116186664A (en) | Image interaction method and system based on trusted execution environment | |
Townsend et al. | Software Implementation using Hardware-Based Verification for Secure Content Delivery |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM | Lapsed because of non-payment of the annual fee |
Effective date: 20210801 |