NZ745996B2 - Systems and methods for distributed identity verification - Google Patents

Systems and methods for distributed identity verification

Info

Publication number
NZ745996B2
NZ745996B2 NZ745996A NZ74599617A NZ745996B2 NZ 745996 B2 NZ745996 B2 NZ 745996B2 NZ 745996 A NZ745996 A NZ 745996A NZ 74599617 A NZ74599617 A NZ 74599617A NZ 745996 B2 NZ745996 B2 NZ 745996B2
Authority
NZ
New Zealand
Prior art keywords
entry
ledger
identity provider
provider server
address
Prior art date
Application number
NZ745996A
Other versions
NZ745996A (en
Inventor
Dmitry Barinov
Aleksandar Likic
Michael John Page
Pierre Antoine Roberge
Troy Jacob Ronda
David Alexander Stark
Michael Varley
Gregory Howard Wolfond
Original Assignee
Securekey Technologies Inc
Filing date
Publication date
Application filed by Securekey Technologies Inc filed Critical Securekey Technologies Inc
Priority claimed from PCT/CA2017/050263 external-priority patent/WO2017147696A1/en
Publication of NZ745996A publication Critical patent/NZ745996A/en
Publication of NZ745996B2 publication Critical patent/NZ745996B2/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

Systems and methods for decentralized and asynchronous authentication flow between users, relying parties and identity providers. A trusted user agent application or digital lock box under a user's control may perform the functions of an authentication broker. In particular, the user agent application or digital lock box can accept relying party requests and respond with authentication and identity data previously obtained from an identity provider server, and without the involvement of a centralized broker server.

Claims (11)

We claim:
1. An identity management method for controlling an exchange of data bundles by an identity provider server, the method comprising: 5 receiving, at the identity provider server, a first request from a user agent server, the first request identifying one or more claim categories; generating, at the identity provider server, a data bundle at a first time in response to the first request, the data bundle identifying one or more attributes associated with a user related to the user agent server, wherein each attribute 10 corresponds to a claim category of the one or more claim categories identified in the first request and a corresponding value; generating a first entry for a first ledger, wherein the first entry comprises: a hashed data bundle generated by cryptographic hashing of the data bundle; 15 the data bundle ownership public key; the identity provider public key; the one or more hashed attributes and corresponding blinding factor; a cryptographic nonce; metadata corresponding to the one or more attributes; 20 expiry information corresponding to the one or more attributes; a second ledger identifier identifying a second ledger storing a corresponding second entry and a second entry address identifying an address of the second entry in the second ledger; and a revocation status of the data bundle; 25 signing the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry; transmitting the signed first entry to the first ledger, wherein the first ledger is configured to: verify a signature of the identity provider server on the first entry to 30 generate a first signature verification result; store the first entry in the first ledger based on the first signature verification result; and transmit a first entry address to the identity provider server, the first entry address identifying an address of the first entry in the first ledger; – 79 – generating the second entry for the second ledger, wherein the second entry comprises: a hashed data bundle generated by cryptographic hashing of the data bundle; 5 a cryptographic hash of the data bundle ownership public key and a corresponding blinding factor; a cryptographic hash of the identity provider public key and a corresponding blinding factor; the one or more hashed attributes and corresponding blinding factor; 10 a cryptographic nonce; metadata corresponding to the one or more attributes; expiry information corresponding to the one or more attributes; and a revocation status of the data bundle; signing the second entry with a second key to generate a signed second 15 entry, the second key being derived from an identity provider private key corresponding to the identity provider server; and transmitting the signed second entry to the second ledger; the identity provider server encrypting the data bundle with a user encryption key (UEK); and 20 transmitting, by the identity provider server, the data bundle to the user agent server.
2. The identity management method of claim 1, further comprising, prior to receiving the first request, registering the user agent server at the identity provider 25 server, wherein registering the user agent server at the identity provider server comprises: receiving a user agent public key corresponding to the user agent server and a first user agent address uniquely identifying the user agent server to the identity provider server, wherein the first user agent address and the user encryption key are 30 at least partially based on the user agent public key; and transmitting an identity provider public key associated with the identity provider server to the user agent server.
3. The identity management method of claim 2, further comprising: – 80 – generating, at the identity provider server, a data bundle ownership public key for the user agent server, the data bundle ownership public key being usable for releasing a response bundle based on one or more data bundles to a relying party server.
4. The identity management method of any one of claims 1 to 3, wherein the second ledger is configured to: verify a signature of the identity provider server on the second entry to 10 generate a second signature verification result; store the second entry in the second ledger based on the second signature verification result; and transmit the second entry address to the identity provider server. 15
5. The identity management method of claim 4, further comprising: generating an auditor bundle for an auditor system comprising the one or more auditor servers, the auditor bundle comprising a first ledger identifier identifying the first ledger storing the first entry, the second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry 20 address.
6. The identity management method of claim 5, wherein the auditor system is configured to: access the first entry based on the first ledger identifier and the first entry 25 address; verify the signature of the identity provider server on the first entry; access the second entry based on the second ledger identifier and the second entry address; verify the signature of the identity provider server on the second entry; 30 generate a confirmation entry for each of the one or more auditor servers within the auditor system, wherein each confirmation entry is based on successful verification of the signature of the identity provider server on the first entry and the signature of the identity provider server on the second entry; and – 81 – link the first entry address to the second ledger identifier and the second entry address to the first ledger identifier based on the confirmation entry of the one or more auditor servers. 5
7. The identity management method of any one of claims 1 to 6, wherein the identity provider server is a group identity provider server, the method further comprising: the identity provider server determining that a child transaction is required to fulfill the first request; and 10 generating at least one child transaction request; and transmitting the at least one child transaction request to at least one other group identity provider server.
8. The identity management method of any one of claims 1 to 7, further comprising: 15 the identity provider server determining that a blind query is required to fulfill the first request; and generating at least one blind query; and transmitting the at least one blind query to at least one other identity provider server.
9. A non-transitory computer readable medium storing computer executable instructions which, when executed by a computer processor, cause the computer processor to carry out the method of any one of claims 1 to 8.
10. An identity management system for controlling an exchange of data bundles, the system comprising: a user agent server configured to transmit a first request identifying one or more claim categories to an identity provider server; 30 a first ledger; a second ledger; and the identity provider server in communication with the user agent server, the first ledger and the second ledger, the identity provider server configured to: receive the first request; – 82 – generate a data bundle at a first time in response to the first request, the data bundle identifying one or more attributes associated with a user related to the user agent server, wherein each attribute corresponds to a claim category of the one or more claim categories identified in the first request and a corresponding 5 value; generate a first entry for the first ledger, wherein the first entry comprises: a hashed data bundle generated by cryptographic hashing of the data bundle; the data bundle ownership public key; the identity provider public key; the one or more hashed attributes and corresponding blinding factor; a cryptographic 10 nonce; metadata corresponding to the one or more attributes; expiry information corresponding to the one or more attributes; a second ledger identifier identifying the second ledger storing a corresponding second entry and a second entry address identifying an address of the second entry in the second ledger; and a revocation status of the data bundle; 15 sign the first entry with an identity provider private key corresponding to the identity provider server to generate a signed first entry; transmit the signed first entry to the first ledger; generate a second entry for the second ledger, wherein the second entry comprises: a hashed data bundle generated by cryptographic hashing of the data 20 bundle; a cryptographic hash of the data bundle ownership public key and a corresponding blinding factor; a cryptographic hash of the identity provider public key and a corresponding blinding factor; the one or more hashed attributes and corresponding blinding factor; a cryptographic nonce; metadata corresponding to the one or more attributes; expiry information corresponding to the one or more 25 attributes; and a revocation status of the data bundle; sign the second entry with a second key to generate a signed second entry, the second key being derived from the identity provider private key; and transmit the data bundle to the user agent server, wherein the first ledger is configured to: 30 verify a signature of the identity provider server on the first entry to generate a first signature verification result; store the first entry in the first ledger based on the first signature verification result; and – 83 – transmit a first entry address to the identity provider server, the first entry address identifying an address of the first entry in the first ledger, and wherein the second ledger is configured to: verify signature of the identity provider server on the second entry to 5 generate a second signature verification result; store the second entry in the second ledger based on the second signature verification result; and transmit a second entry address to the identity provider server, the second entry address identifying an address of the second entry in the 10 second ledger.
11. The identity management system of claim 10, further comprising: one or more auditor servers in communication with the first ledger and the second ledger, the one or more auditor servers being configured to: 15 receive a first ledger identifier identifying the first ledger storing the first entry, the second ledger identifier identifying the second ledger storing the second entry, the first entry address and the second entry address; access the first entry based on the first ledger identifier and the first entry address 20 verify the signature of the identity provider server on the first entry; access the second entry based on the second ledger identifier and the second entry address; verify the signature of the identity provider server on the second entry; generate a confirmation entry for each of the one or more auditor 25 servers, wherein each confirmation entry is based on successful verification of the signature of the identity provider server on the first entry and the signature of the identity provider server on the second entry; and link the first entry address to the second ledger identifier and the second entry address to the first ledger identifier based on the confirmation entry of the one or 30 more auditor servers. – 84 –
NZ745996A 2017-02-28 Systems and methods for distributed identity verification NZ745996B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201662301129P 2016-02-29 2016-02-29
US201662355661P 2016-06-28 2016-06-28
US201762453133P 2017-02-01 2017-02-01
PCT/CA2017/050263 WO2017147696A1 (en) 2016-02-29 2017-02-28 Systems and methods for distributed identity verification

Publications (2)

Publication Number Publication Date
NZ745996A NZ745996A (en) 2023-12-22
NZ745996B2 true NZ745996B2 (en) 2024-03-26

Family

ID=

Similar Documents

Publication Publication Date Title
US11651109B2 (en) Permission management method, permission verification method, and related apparatus
EP3788523B1 (en) System and method for blockchain-based cross-entity authentication
TWI725655B (en) Method, apparatus and system for program execution and data proof for executing a sub-logic code within a trusted execution environment
CN109829326B (en) Cross-domain authentication and fair audit de-duplication cloud storage system based on block chain
US9635000B1 (en) Blockchain identity management system based on public identities ledger
CN110138560B (en) Double-proxy cross-domain authentication method based on identification password and alliance chain
CN112291245B (en) Identity authorization method, identity authorization device, storage medium and equipment
JP5215289B2 (en) Method, apparatus and system for distributed delegation and verification
CN111884815A (en) Block chain-based distributed digital certificate authentication system
KR102330012B1 (en) Authentication System and Method based on anonymous protocol in Permissioned Blockchain, Recording Medium for Performing the Method
EP2595340A2 (en) Cryptographic document processing in a network
CN112311538B (en) Identity verification method, device, storage medium and equipment
CN113824563A (en) Cross-domain identity authentication method based on block chain certificate
US20220020020A1 (en) Methods, systems, and devices for managing digital assets
CN109981287A (en) A kind of code signature method and its storage medium
CN111586049A (en) Lightweight key authentication method and device for mobile internet
CN110855445A (en) Block chain-based certificate management method and device and storage equipment
CN110177109A (en) A kind of cross-domain Verification System of dual-proxy based on id password and alliance's chain
CN112508576A (en) Key management method, system and storage medium based on block chain
Gulati et al. Self-sovereign dynamic digital identities based on blockchain technology
KR20200097773A (en) Blockchain-based identity system
CN113746916B (en) Third party service providing method, system and related nodes based on block chain
CN114944937A (en) Distributed digital identity verification method, system, electronic device and storage medium
Aiash et al. A formally verified access control mechanism for information centric networks
CN114930770A (en) Certificate identification method and system based on distributed ledger