WO2010127643A2 - Method of establishing parameterisable protected electronic communication between various electronic devices - Google Patents

Info

Publication number
WO2010127643A2
Authority
WO
WIPO (PCT)
Prior art keywords
electronic
devices
identity
user
service
Application number
PCT/CZ2010/000055
Other languages
French (fr)
Other versions
WO2010127643A3 (en)
Inventor
Libor Neumann
Original Assignee
Anect A.S.
Application filed by Anect A.S.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/081 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying self-generating credentials, e.g. instead of receiving credentials from an authority or from another peer, the credentials are generated at the entity itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • PEIG personal electronic identity gadget
  • the PEIG 1 appliance can be directly connected to another PEIG 1 (backup) appliance, in this way enabling the user to produce a backup carrier of his/her electronic identity without copying any secret information.
  • the PEIG 1 appliance can be designed and manufactured in such a manner that it does in no way make possible copying any secret information.
  • the PEIG Carrier 2 may also contain Local Data 22, i.e. data that the user carries with him/her together with PEIG 1.
  • the Local Data 22 or other storage place on the PEIG Carrier 2 is arranged for storage of additional information with separated access control in such a manner that the information which belongs to each individual Service Provider 5 is located separately with the access granted only after verification of the electronic identity of Service
  • PEIG 1 communicates with the Service Provider 5.
  • the devices in question are devices designated for electronic service provision. These devices usually contain a number of modules serving different purposes, more or less tightly integrated with the provided service and electronic identity of the user of electronic service. These may be, for example, the Service Application Program 6 or Terminal Application Program 19 and storage place for personal and other data about the users of the service Personal Data 7.
  • the PEIG-P 8 module maintains all activities connected with creation, usage, maintenance and cancellation of a parameterisable electronic identity or identities of users of a service or cluster of services, on the side of the Service Provider 5 or of the Terminal PEIG-P 20 in the Terminal 9. It is designed and manufactured for securing several levels of security, enables the utilisation of the several methods or procedures of verification of electronic identity by means of several various parameterisable algorithm values in such a manner that during its production is not beforehand determined, which possibility will be used.
  • the PEIG-P 8 module can utilize the settings which have been set while installing the PEIG-P 8 module or which have been set via the administration interface of the PEIG-P 8 module for determination of the concrete level of security, verification procedure, algorithm and other parameters. Such settings can be modified during the operation and these modified settings can be utilized for the change of the precedent concrete level of security, verification procedure, algorithm and other parameters which have been determined via previous communication.
  • the PEIG-P 8 module on the side of the Service Provider 5 arranges the access to corresponding additional information stored on PEIG Carrier 2 for the Service Provider 5.
  • the PEIG-P 8 module maintains cooperation with both modules PEIG-M 3 that are located on two different PEIG 1 during the generation of the backup electronic identity in such a manner that after verifying the security conditions it will link the original identity which is used by the primary PEIG 1 with the newly produced identity of the secondary (backup) PEIG 1.
  • For verifying the security conditions and linking the original and secondary identity
  • the individual modules PEIG-M 3 and PEIG-P 8 will support simultaneously many security levels, via several methods or procedures and many algorithms with various parameters even for each security level.
  • the explicit selection of the concrete security level, concrete method, concrete algorithms and parameters will be carried out automatically via the communication between PEIG-M 3 and PEIG-P 8 by means of a Logical Communication Channel 17 in the moment of generation or modification of the electronic identity.
  • the way of communication makes possible to choose such a security level, method, algorithms and parameters that conform to minimum security requirements of the Service Provider 5 and minimum security requirements set by the manufacturer of PEIG 1 or by its user and which will be implemented by means of a PEIG-M 3 and PEIG-P 8.
  • the individual security levels, methods, algorithms and parameters utilized by PEIG-M 3 may differ according to various Service Providers 5 likewise the individual security levels, methods, algorithms and parameters utilized for PEIG-P 8 may differ according to various PEIG 1.
  • the unique previously determined and stored security level is used in the time of using and verifying an electronic identity and electronic identity will be verified by a unique previously determined method which uses a sole set of algorithms and their parameters.
  • no information about applied security level, method, algorithm and their parameters is transmitted between PEIG-P 8 and PEIG 1.
  • the security level, method and/or algorithm and its parameters can be modified during the identity modification without any loss of the link between PEIG 1 and the Service Provider 5.
  • the separated storage of additional information with controlled access using a way of establishing parameterisable protected electronic communication contains additional functionalities which make possible a separated storage and administration of additional information in the module Local Data 22 or in other place on the PEIG Carrier 2 in such a manner that only the particular Service Provider 5 who stored the data will be authorized to access and manipulate this data.
  • a part of stored or manipulated data can consist of a record of the third party rights to store and/or manipulate the data and thus the Service Provider 5 makes possible the execution of the data manipulation activities for the third party in the range of the recorded rights.
  • Two modules PEIG-M 3 and one module PEIG-P 8 enable such a way of communication where the previously produced electronic identity which is known to one module PEIG-M 3 and to the module PEIG-P 8, is connected inside the module PEIG-P 8 to the newly produced identity of the second module PEIG-M 3 in such a manner that it is the backup identity of the original identity that is produced by using the purposely generated single-purpose identifier that is transferred between both modules PEIG-M 3 and the module PEIG-P 8 in a way to assure that the owner of both modules PEIG-M 3 is the same individual whereas the single-purpose identifier will be transferred between both modules PEIG-M 3 for example by means of the Local Direct Logical Communication Channel 24 realised by the common Local Communication Channel 16.
  • the individual modules of electronic identity PEIG-M 3 and PEIG-P 8 are constructed as virtual specialised computers with extensible instruction set. This facilitates future enhancements by new necessary activities connected with new requirements or other areas of usage, for example new functionality for electronic payments support.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method of establishing parameterisable protected electronic communication between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of users of electronic service and/or automated devices, based on the fact, that users of electronic service are beforehand equipped with a personal electronic identity gadget without any information about the identity of user of electronic service and/or automated device that supports several security levels and that enables using several methods of verification of the electronic identity via several algorithms that can be parameterised by means of several parameterisable algorithm values, whereas even the electronic devices of any electronic service provider and/or local electronic devices support several security levels and make possible the use of several procedures of verification of the electronic identity of the user of electronic service and/or automated device via several various algorithms that can be parameterised by means of several parameterisable algorithm values, and only at the first connection of the blank personal gadget of the user of electronic service and/or automated devices to the electronic devices of an arbitrary electronic service provider and/or to the local electronic devices or when changing the electronic identity of the user of electronic service and/or automated devices, the personal electronic identity gadget of the user of electronic service and/or automated devices and the electronic devices of the electronic service provider and/or the local electronic devices mutually communicate for determining a unique concrete security level, verification method, algorithm and other parameters which are memorised in the personal electronic identity gadget of user of electronic service and/or automated devices and electronic 
devices of the electronic service provider and/or local electronic devices and further utilized for use and verification of the electronic identity of the user of electronic service and/or automated device without transferring this information during usage and verification of the electronic identity of the user of electronic service and/or automated device whereas the modification of concrete values may be done subsequently, based on the mutual communication.

Description

Method of establishing parameterisable protected electronic communication between various electronic devices
Technical field
The invention concerns the method of establishing a parameterisable protected electronic communication between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of users of electronic service and/or automated devices.
Background art
Known systems of electronic communication, especially those securing communication between electronic devices of electronic service providers and electronic devices of users of electronic service, are designed for securing one level of security while using a beforehand specified procedure including corresponding algorithms and their parameters. The security level, method of establishing the protected electronic communication or applied algorithms and their parameters cannot be modified during operation of corresponding devices. Individual providers of electronic service usually determine, directly or implicitly, the applied level of security, procedures of establishing an electronic communication, algorithms and possibly their parameters, independently from each other. This indirectly forces the users of electronic service to use several different devices for establishing a protected electronic communication; this approach is complicated, expensive and it results in endangered security of electronic communication.
There are known systems of electronic communication, especially those securing communication between electronic devices of electronic service providers and electronic devices of users of electronic service, that enable the application of more than one algorithm, possibly also the verification procedure of his/her electronic identity. This is made in such a manner that while verifying his/her electronic identity, a part of the communication embodies the determination procedure or algorithm of the verification of his/her electronic identity, which either directly represents the method of verification of his/her electronic identity or the selection is done via communication with the user. This requires either preparing the procedure of the identity verification in advance in such a way that during each identity verification it would be possible to determine clearly which particular procedure is applied in this particular case, or requiring the user, who is usually not a specialist in electronics, to enter the relevant parameters or options. The common feature of known systems is that the possible selection or determination is done during the verification or detection of his/her electronic identity, which complicates the use and verification of his/her electronic identity and besides, this sequence might be abused such as attacking his/her electronic identity at the same time. Therefore, further security measures are necessary for eliminating such abuse or for at least reducing the risks. A further common unfavourable feature of the known systems is the fact that it is very complicated to switch over to a new security level, new identity verification procedure or to a new algorithm or to a new set of parameters.
It is quite common that, apart from the user and the service provider, third parties enter the system, as well as other subjects participating in creation, verification, usage, invalidation or other manipulations with the electronic identity, e.g. certification and registration authorities, electronic identity providers etc. or directly electronic service providers that enter personal and other data in electronic devices of the user before this device is ready to use. This data is consequently used in standard practice for various purposes, e.g. for definition of access right or as information on electronic device holder. Usually, the data acquired in such a way cannot be modified afterwards or the change would be too complicated and expensive. Known electronic devices are designed in such a way that this data is not protected against unauthorised access and is accessible to arbitrary electronic service providers, even to those who mimic an electronic service provider. Consequently, there arise complications if more than one electronic service provider tries to employ one single electronic device of the user. This would be possible only if all providers agree on the complete content of information stored in the user's electronic device and if they ensure that this data is stored even before the very first use of the user's electronic device. In practice, it often leads to very complicated solutions or even to the elimination of sharing one electronic device even in case that the providers are very few. At the same time, a situation can occur where the personal and other data that is stored in the user's electronic device become accessible to anybody even in remote mode and it results in endangered privacy.
There are known systems, too, that allow to control access to information stored in electronic device, but these are not ready for sharing the electronic device by several electronic service providers or they represent one-purpose solution only preventing the use of the electronic identity device by several electronic service providers.
The inconvenience of known systems for electronic communication between electronic devices of electronic service providers consists either in their support of the possibility of copying secret information that is intentionally used by electronic devices for security protection (for identity verification — authentication) enabling using the electronic identity even in the case of the equipment failure and thus presenting the risk that either the produced copy of secret information or the devices utilized for copying secret information can be abused for a fictitious identity verification (e.g. for so called identity theft or other abuse) or they are designed in such a way that in order to prevent abuse of electronic information it would be in no way possible to produce copies of secret information and in such a case these systems hinder the use of electronic identity if the user's electronic device is disturbed.
The background art consists as well in a specific method of establishing protected electronic communication between various electronic devices, where users of electronic service acquire in the first instance a personal electronic identity gadget with no information regarding the user's identity whereupon the personal electronic identity gadget and the electronic devices of electronic service providers and/or local electronic devices generate mutually after the first connection of the blank personal electronic identity gadget to the electronic devices of any electronic service provider and/or to the local electronic devices their verifiable electronic identities that will be stored in a personal electronic identity gadget and the electronic devices of electronic service providers and/or local electronic devices for subsequent purposes of electronic communication, separately from other identities and without any knowledge of personal data of the user of electronic service and the generated and stored information will be used for identity verification during each subsequent connection of the user to the electronic devices of the respective electronic service provider and/or to local electronic devices. However, such a solution neither contains any definition and administration of the security level, method of identity verification, algorithm and other parameters nor storing of additional information on a user's electronic gadget and a backup of the electronic identity.
Disclosure of Invention
The aim of the invention is to eliminate the above-mentioned disadvantages, by a new manner of establishing parameterisable protected electronic communication between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of users of electronic service and/or automated devices, based on the fact that the electronic devices of user of electronic service and/or automated device and electronic devices of arbitrary electronic service providers and/or local electronic devices are constructed in such a manner that they support several security levels, make possible the use of several procedures of verification of the electronic identity via several various parameterisable algorithm values in such a manner that during their production is not beforehand determined, which possibility will be used. Only when electronic devices of user of electronic service and/or automated devices and electronic devices of electronic service provider and/or local electronic devices mutually communicate during generating or modifying a verifiable electronic identity, the concrete level of security, verification procedure, algorithm and other parameters are determined and memorized in electronic devices of user of electronic service and/or automated device and in electronic devices of electronic service provider and/or in local electronic devices, and subsequently, this information is utilized for the use and verification of the electronic identity without being transmitted, whereas the concrete values can be modified even subsequently.
The mutual communication between electronic devices of the user of electronic service and/or automated device and electronic devices of electronic service provider and/or local electronic devices that determines the concrete level of security, verification procedure, algorithm and other parameters, can be controlled by a security administrator or by other specialists, especially on the electronic service provider side and/or by setting of electronic devices of user of electronic service and/or automated device.
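The following Python sketch is an added illustration, not part of the patent text: it shows the level, algorithm and parameters being agreed once when the identity is created or modified, stored on both sides, and then used for verification without ever appearing in the verification messages. The profile catalogue, the HMAC challenge-response, the class and function names and the direct hand-off of the shared key are all assumptions made for the example; the patent specifies none of them.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """One concrete choice of security level, algorithm and parameters."""
    level: int
    digest: str       # hashlib digest name used for the HMAC
    key_bytes: int
    nonce_bytes: int

# Constructed catalogue for the example; the patent names no algorithms.
CATALOGUE = {
    "P1": Profile(1, "sha1", 16, 8),
    "P2": Profile(2, "sha256", 32, 16),
    "P3": Profile(3, "sha512", 64, 32),
}

def negotiate(gadget_ids, gadget_min, provider_ids, provider_min):
    """Pick the strongest profile both sides support that meets both minimums."""
    floor = max(gadget_min, provider_min)
    common = [p for p in set(gadget_ids) & set(provider_ids)
              if CATALOGUE[p].level >= floor]
    if not common:
        raise ValueError("no common profile meets both minimum security levels")
    return max(common, key=lambda p: CATALOGUE[p].level)

class Provider:
    """Stands in for the provider-side module (PEIG-P in the patent)."""
    def __init__(self, supported, min_level):
        self.supported, self.min_level = supported, min_level
        self.identities = {}   # identity id -> (profile id, key)
        self.pending = {}      # identity id -> outstanding nonce

    def challenge(self, ident):
        # Nonce length comes from the stored profile, not from the request.
        profile = CATALOGUE[self.identities[ident][0]]
        self.pending[ident] = secrets.token_bytes(profile.nonce_bytes)
        return self.pending[ident]

    def verify(self, response):
        ident = response["id"]
        nonce = self.pending.pop(ident, None)   # each nonce is single use
        if nonce is None or ident not in self.identities:
            return False
        pid, key = self.identities[ident]
        expected = hmac.new(key, nonce, CATALOGUE[pid].digest).digest()
        return hmac.compare_digest(expected, response["mac"])

class Gadget:
    """Stands in for the user-side module (PEIG-M in the patent)."""
    def __init__(self, supported, min_level):
        self.supported, self.min_level = supported, min_level
        self.identities = {}   # provider name -> (identity id, profile id, key)

    def establish(self, name, provider, ident=None):
        """Create the identity for one provider, or modify it if ident is given."""
        pid = negotiate(self.supported, self.min_level,
                        provider.supported, provider.min_level)
        # Assumption: the shared key is simply handed to both sides here; a real
        # design would derive it with a key-agreement step over the channel.
        key = secrets.token_bytes(CATALOGUE[pid].key_bytes)
        ident = ident or secrets.token_hex(8)
        self.identities[name] = (ident, pid, key)
        provider.identities[ident] = (pid, key)
        return ident

    def respond(self, name, nonce):
        ident, pid, key = self.identities[name]
        # The response carries no level or algorithm field.
        mac = hmac.new(key, nonce, CATALOGUE[pid].digest).digest()
        return {"id": ident, "mac": mac}

def login(gadget, name, provider):
    """Run one verification; returns the wire response and the verdict."""
    ident = gadget.identities[name][0]
    response = gadget.respond(name, provider.challenge(ident))
    return response, provider.verify(response)
```

Because the verifier takes the algorithm from its own stored record, nothing in the verification exchange can steer it to a weaker profile; raising the provider's minimum and calling `establish` again with the existing identifier changes the profile while keeping the link.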
According to the invention, it appears further as advantageous that it is possible to store additional information in the electronic devices of the user of electronic service and/or automated device in such a manner, that the information is stored only after the electronic identity has been created, separately for individual electronic service providers and/or for local electronic devices in such a manner, that, based on procedures of electronic identity verification that contain the verification of the electronic identity of the electronic service provider and/or local electronic device, the access to additional information which belongs to him is granted exclusively for the corresponding electronic service provider and/or for local electronic device.
According to the invention, it appears especially as advantageous that backup of the electronic identity of the user of electronic service and/or automated device is produced without copying of secret information in such a manner that another electronic identity is created in other (backup) electronic device of the user of electronic service and/or automated device and this is securely linked to original (backed up) electronic identity of the user of electronic service and/or automated device via mutual communication between both electronic devices of the user of electronic service and/or automated device and the corresponding electronic devices of electronic service provider and/or local electronic devices whereas for the secured link between both electronic identities another single-purpose electronic identity of the user of electronic service and/or automated device that is applicable only for this particular purpose can be utilized.
Description of Figures in Drawings
Further advantages and impacts of the invention are evident from the enclosed figures:
Figure 1: Presentation of a process of establishing a parameterisable protected electronic communication between various electronic devices, especially between electronic devices of the electronic service providers and electronic devices of the users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of the users of electronic service and/or automated devices by means of logical communication channels and a personal electronic identity gadget (PEIG) and use of PEIG for protected storage of additional information.
Figure 2: Demonstration of an example of backup of an electronic identity without copying secret information from PEIG.
Example of Carrying out the Invention
The method of establishing parameterisable protected electronic communication according to the invention, between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of users of electronic service and/or automated devices, is based on the automated special appliance PEIG 1 (Personal Electronic Identity Gadget). The appliance is an automated special electronic appliance, or a part of an appliance, universally used by its owner-user for all activities connected with electronic identity. It is designed and manufactured for securing several levels of security and enables the utilisation of several methods or procedures of verification of electronic identity by means of several various parameterisable algorithm values, whereby it is not determined beforehand, during its production, which possibility will be used.
The PEIG 1 appliance is designated for personal use by one person. Besides the preservation and handling of the electronic identity of its owner-user and provision of all other activities connected with creation, usage, maintenance and cancellation of an electronic identity or identities of a single user, it is designed and manufactured in such a manner that it makes possible the storing of additional information with separated access control that utilises the method of establishing a parameterisable protected electronic communication. This additional information can be stored either directly in an electronic device performing the functionality of PEIG 1, or in the PEIG Carrier 2.
The PEIG 1 appliance can be directly connected to another PEIG 1 (backup) appliance, in this way enabling the user to produce a backup carrier of his/her electronic identity without copying any secret information. The PEIG 1 appliance can be designed and manufactured in such a manner that it in no way makes possible the copying of any secret information.
The PEIG Carrier 2 may also contain Local Data 22, i.e. data that the user carries with him/her together with PEIG 1. The Local Data 22 or other storage place on the PEIG Carrier 2 is arranged for storage of additional information with separated access control in such a manner that the information which belongs to each individual Service Provider 5 is located separately, with the access granted only after verification of the electronic identity of the Service Provider 5 to whom the corresponding individual data belongs.
PEIG 1 communicates with the Service Provider 5. The devices in question are devices designated for electronic service provision. These devices usually contain a number of modules serving different purposes, more or less tightly integrated with the provided service and electronic identity of the user of electronic service. These may be, for example, the Service Application Program 6 or Terminal Application Program 19 and a storage place for personal and other data about the users of the service, Personal Data 7.
The PEIG-P 8 module maintains all activities connected with creation, usage, maintenance and cancellation of a parameterisable electronic identity or identities of users of a service or cluster of services, on the side of the Service Provider 5 or of the Terminal PEIG-P 20 in the Terminal 9. It is designed and manufactured for securing several levels of security and enables the utilisation of several methods or procedures of verification of electronic identity by means of several various parameterisable algorithm values in such a manner that it is not determined beforehand, during its production, which possibility will be used. With the PEIG-P 8 module or the Terminal PEIG-P 20, only when electronic devices of users of electronic service and/or automated device and electronic devices of electronic service provider and/or local electronic devices mutually communicate during generating or modifying a verifiable electronic identity, the concrete level of security, verification procedure, algorithm and other parameters are determined and memorized, and subsequently, this information is utilized for use and verification of the electronic identity. The PEIG-P 8 module can utilize the settings which have been set while installing the PEIG-P 8 module or which have been set via the administration interface of the PEIG-P 8 module for determination of the concrete level of security, verification procedure, algorithm and other parameters. Such settings can be modified during the operation and these modified settings can be utilized for the change of the precedent concrete level of security, verification procedure, algorithm and other parameters which have been determined via previous communication.
The PEIG-P 8 module on the side of the Service Provider 5 arranges the access to corresponding additional information stored on PEIG Carrier 2 for the Service Provider 5. The PEIG-P 8 module maintains cooperation with both modules PEIG-M 3 that are located on two different PEIG 1 during the generation of the backup electronic identity in such a manner that after verifying the security conditions it will link the original identity which is used by the primary PEIG 1 with the newly produced identity of the secondary (backup) PEIG 1. For verifying the security conditions and linking the original and secondary identity, a single-purpose identifier may be used.
The individual modules PEIG-M 3 and PEIG-P 8 will support simultaneously many security levels, via several methods or procedures and many algorithms with various parameters even for each security level. The explicit selection of the concrete security level, concrete method, concrete algorithms and parameters will be carried out automatically via the communication between PEIG-M 3 and PEIG-P 8 by means of a Logical Communication Channel 17 at the moment of generation or modification of the electronic identity. The way of communication makes it possible to choose such a security level, method, algorithms and parameters that conform to the minimum security requirements of the Service Provider 5 and the minimum security requirements set by the manufacturer of PEIG 1 or by its user, and which will be implemented by means of PEIG-M 3 and PEIG-P 8. The individual security levels, methods, algorithms and parameters utilized by PEIG-M 3 may differ according to various Service Providers 5; likewise the individual security levels, methods, algorithms and parameters utilized for PEIG-P 8 may differ according to various PEIG 1. The unique previously determined and stored security level is used at the time of using and verifying an electronic identity, and the electronic identity will be verified by a unique previously determined method which uses a sole set of algorithms and their parameters. During usage and verification of the electronic identity no information about the applied security level, method, algorithm and their parameters is transmitted between PEIG-P 8 and PEIG 1. The security level, method and/or algorithm and its parameters can be modified during the identity modification without any loss of the link between PEIG 1 and the Service Provider 5.
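The selection described above, as an added sketch that is not part of the patent text: both sides pick one profile when the identity is created or modified, store it, and afterwards verify with it without ever sending it. The Profile catalogue, the HMAC challenge-response procedure and the class names Gadget and Provider are assumptions made for illustration; the patent names no concrete algorithms.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    level: int       # security level, higher is stronger
    method: str      # verification procedure
    algorithm: str   # hashlib digest name used by the procedure
    key_bytes: int   # parameterisable value: length of the shared secret

# Constructed catalogue (assumption): the patent names no concrete algorithms.
CATALOGUE = [
    Profile(1, "hmac-challenge", "sha1", 16),
    Profile(2, "hmac-challenge", "sha256", 32),
    Profile(3, "hmac-challenge", "sha512", 64),
]

def negotiate(gadget, provider):
    """Strongest profile both sides support that meets both minimum levels."""
    floor = max(gadget.min_level, provider.min_level)
    common = [p for p in gadget.supported
              if p in provider.supported and p.level >= floor]
    if not common:
        raise ValueError("no common profile meets both minimum requirements")
    return max(common, key=lambda p: p.level)

class Gadget:  # plays the role of PEIG-M
    def __init__(self, supported, min_level):
        self.supported, self.min_level = supported, min_level
        self.store = {}  # provider name -> (identifier, Profile, secret)

    def respond(self, provider_name, challenge):
        identifier, profile, secret = self.store[provider_name]
        response = hmac.new(secret, challenge, profile.algorithm).digest()
        # No level, method or algorithm field is ever sent.
        return {"identifier": identifier, "response": response}

class Provider:  # plays the role of PEIG-P
    def __init__(self, name, supported, min_level):
        self.name, self.supported, self.min_level = name, supported, min_level
        self.identities = {}  # identifier -> (Profile, secret)

    def enroll(self, gadget):
        """Create or modify an identity: the only point where parameters are chosen.
        Simplified: a real modification would first verify the existing identity,
        and the secret would be established over the protected channel."""
        profile = negotiate(gadget, self)
        existing = gadget.store.get(self.name)
        identifier = existing[0] if existing else secrets.token_hex(8)
        secret = secrets.token_bytes(profile.key_bytes)
        self.identities[identifier] = (profile, secret)
        gadget.store[self.name] = (identifier, profile, secret)
        return identifier

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, message, challenge):
        if set(message) != {"identifier", "response"}:
            return False  # reject attempts to steer parameters at use time
        entry = self.identities.get(message["identifier"])
        if entry is None:
            return False
        profile, secret = entry  # the stored profile alone decides the algorithm
        expected = hmac.new(secret, challenge, profile.algorithm).digest()
        return hmac.compare_digest(expected, message["response"])
```

Because the verifier takes the algorithm from its stored record and rejects any message carrying extra fields, a party on the channel has nothing to downgrade once the identity exists.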
Examples of further utilisation of the system for establishing parameterisable protected electronic communication between various electronic devices
The separated storage of additional information with controlled access using a way of establishing parameterisable protected electronic communication: The individual modules PEIG-M 3 and PEIG-P 8 contain additional functionalities which make possible a separated storage and administration of additional information in the module Local Data 22 or in another place on the PEIG Carrier 2 in such a manner that only the particular Service Provider 5 who stored the data will be authorized to access and manipulate this data. A part of the stored or manipulated data can consist of a record of third-party rights to store and/or manipulate the data, and thus the Service Provider 5 makes possible the execution of the data manipulation activities for the third party in the range of the recorded rights.
Backing up the electronic identity without copying electronic identity information: Two modules PEIG-M 3 and one module PEIG-P 8 enable such a way of communication where the previously produced electronic identity, which is known to one module PEIG-M 3 and to the module PEIG-P 8, is connected inside the module PEIG-P 8 to the newly produced identity of the second module PEIG-M 3 in such a manner that it is the backup identity of the original identity. It is produced by using a purposely generated single-purpose identifier that is transferred between both modules PEIG-M 3 and the module PEIG-P 8 in a way that assures that the owner of both modules PEIG-M 3 is the same individual, whereas the single-purpose identifier will be transferred between both modules PEIG-M 3, for example, by means of the Local Direct Logical Communication Channel 24 realised by the common Local Communication Channel 16.
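The backup linking described above, as an added sketch that is not part of the patent text: the backup gadget gets its own fresh secret, and only a short-lived single-purpose identifier travels between the two gadgets. Issuing that identifier on the PEIG-P side, the 120-second lifetime, the HMAC proof and the class names PeigM and PeigP are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

class PeigM:
    """User gadget. Its secret is created per gadget and never exported."""
    def __init__(self):
        self.identifier, self._secret = None, None

    def prove(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class PeigP:
    """Provider module: knows identities and which backup is linked to which original."""
    TTL = 120  # seconds a single-purpose identifier stays valid (assumed value)

    def __init__(self):
        self._secrets = {}  # identifier -> secret shared with exactly one PEIG-M
        self._pending = {}  # single-purpose identifier -> (original id, expiry)
        self.links = {}     # backup identifier -> original identifier

    def create_identity(self, gadget):
        # Simplified: a real system would establish the secret over a protected channel.
        gadget.identifier = secrets.token_hex(8)
        gadget._secret = secrets.token_bytes(32)
        self._secrets[gadget.identifier] = gadget._secret

    def _authenticated(self, gadget):
        secret = self._secrets.get(gadget.identifier)
        if secret is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, gadget.prove(challenge))

    def issue_single_purpose_id(self, primary, now=None):
        if not self._authenticated(primary):
            raise PermissionError("primary identity not verified")
        now = time.time() if now is None else now
        spi = secrets.token_urlsafe(16)
        self._pending[spi] = (primary.identifier, now + self.TTL)
        return spi  # handed to the backup gadget over the local channel

    def link_backup(self, backup, spi, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(spi, None)  # consumed on first presentation
        if entry is None or not self._authenticated(backup):
            return False
        original, expires = entry
        if now > expires or backup.identifier == original:
            return False
        self.links[backup.identifier] = original
        return True

    def account_of(self, gadget):
        """Identity the service acts on: the original one for a linked backup."""
        if not self._authenticated(gadget):
            return None
        return self.links.get(gadget.identifier, gadget.identifier)
```

Losing the primary gadget then costs nothing on the backup side, and revoking either gadget only requires deleting its own record in PEIG-P.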
Industrial usability
As part of extensible functionality, the individual modules of electronic identity PEIG-M 3 and PEIG-P 8 are constructed as virtual specialised computers with an extensible instruction set. This facilitates future enhancements by new necessary activities connected with new requirements or other areas of usage, for example new functionality for electronic payments support.

Claims

PATENT CLAIMS
1. A method of establishing parameterisable protected electronic communication between various electronic devices, especially between electronic devices of electronic service providers and electronic devices of users of electronic service and/or automated devices and/or between local electronic devices and electronic devices of users of electronic service and/or automated devices, which is characterised in that users of electronic service and/or automated devices are beforehand equipped with a personal electronic identity gadget without any information about the identity of user of electronic service and/or automated device that supports several security levels and that enables using several methods of verification of the electronic identity via several algorithms that can be parameterised by means of several parameterisable algorithm values, whereas even the electronic devices of any electronic service provider and/or local electronic devices support several security levels and make possible the use of several procedures of verification of the electronic identity of the user of electronic service and/or automated device via several various algorithms that can be parameterised by means of several parameterisable algorithm values, and only at the first connection of the blank personal gadget of the user of electronic service and/or automated devices to the electronic devices of an arbitrary electronic service provider and/or to the local electronic devices or when changing the electronic identity of the user of electronic service and/or automated devices, the personal electronic identity gadget of the user of electronic service and/or automated devices and the electronic devices of the electronic service provider and/or the local electronic devices mutually communicate for determining a unique concrete security level, verification method, algorithm and other parameters which are memorised in the personal electronic identity gadget of user of electronic service and/or automated devices and electronic devices of the electronic service provider and/or local electronic devices and further utilized for use and verification of the electronic identity of the user of electronic service and/or automated device without transferring this information during usage and verification of the electronic identity of the user of electronic service and/or automated device whereas, based on the mutual communication, the modification of concrete values may be done subsequently.
2. The method according to claim 1, which is characterised in that the personal electronic identity gadget of user of electronic service and/or automated devices is utilised for separated storage of the additional information that is protected against unauthorized manipulation thereby the verified electronic identity of the electronic service provider and/or of the local electronic devices is used in such a manner that the separately stored information is accessible exclusively to the authorized electronic service provider and/or local electronic devices or to the entity with the access right granted by the corresponding electronic service provider and/or the local electronic device.
3. The method according to claim 1, which is characterised in that the secret information about the electronic identity of the user of electronic service and/or automated device that is stored in the personal electronic identity gadget of the user of electronic service and/or automated device is for the security reason stored in such a manner that the information can not be acquired even for producing a security backup of the electronic identity of the user of electronic service and/or automated device and that the personal electronic identity gadget of the user of electronic service and/or automated device is constructed in such a manner that the security backup of the electronic identity of the user of electronic service and/or automated device can be produced by means of cooperation of two personal electronic identity gadgets of user of electronic service and/or automated device that are locally communicating together while cooperating with the electronic devices of electronic service providers and/or local electronic devices and for this purpose, a single-purpose identifier can be utilized.
PCT/CZ2010/000055 2009-05-05 2010-05-03 Method of establishing parameterisable protected electronic communication between various electronic devices WO2010127643A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CZPV2009-281 2009-05-05
CZ20090281A CZ2009281A3 (en) 2009-05-05 2009-05-05 Method of establishing programmable protected electronic communication between various electronic devices

Publications (2)

Publication Number Publication Date
WO2010127643A2 WO2010127643A2 (en) 2010-11-11
WO2010127643A3 WO2010127643A3 (en) 2011-01-06

Family

ID=42782309

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CZ2010/000055 WO2010127643A2 (en) 2009-05-05 2010-05-03 Method of establishing parameterisable protected electronic communication between various electronic devices

Country Status (2)

Country Link
CZ (1) CZ2009281A3 (en)
WO (1) WO2010127643A2 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CZ306210B6 (en) * 2015-07-07 2016-09-29 Aducid S.R.O. Method of assignment of at least two authentication devices to the account of a user using authentication server

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Anonymous: "eChallenges Paper Repository Search"[Online] 4 October 2010 (2010-10-04), XP002603767 eChallenges.org Retrieved from the Internet: URL:http://www.echallenges.org/e2010/default.asp?page=paper-repository&fltyear=all&flttheme=all&flttype=all&flttitle=&fltauthor=libor+neumann&pagesize=100&submit=Search > [retrieved on 2010-10-04] *
Libor Neumann: "Alucid - Automatic eldentity"[Online] 4 October 2010 (2010-10-04), XP002603766 Retrieved from the Internet: URL:http://alucid.cz/clanek/2009062504-alucidsuprsup-presented-by-libor-neumann-at-echallenges-2008.html> [retrieved on 2010-10-04] *
NEUMANN L: "Anonymous, Liberal and User-Centric Electronic Identity Supports Citizen Privacy Protection in e-Government" INTERNET CITATION, [Online] 11 July 2008 (2008-07-11), pages 1-16, XP002521386 Retrieved from the Internet: URL:http://www.epma.cz/Docs/EEEGD08/Neumann_ALUCIDv1.pdf> [retrieved on 2008-04-25] *
NEUMANN L: "Anonymous, Liberal, and User-Centric Electronic Identity - A New, Systematic Design of eID Infrastructure" ECHALLENGES 2008, 22 - 24 OCTOBER 2008, STOCKHOLM,, [Online] 24 October 2008 (2008-10-24), pages 1-19, XP007915198 Retrieved from the Internet: URL:http://www.alucid.cz/DOCUMENTS/PUBLICATIONS/eChallenges_ref_148_doc_4607.pdf> [retrieved on 2010-10-04] *
NEUMANN L: "Anonymous, Liberal, and User-Centric Electronic Identity - A New, Systematic Design of eID Infrastructure" ECHALLENGES 2008, 22 - 24 OCTOBER 2008, STOCKHOLM,, [Online] 24 October 2008 (2008-10-24), pages 1-8, XP007915197 Retrieved from the Internet: URL:http://www.alucid.cz/DOCUMENTS/PUBLICATIONS/eChallenges_ref_148_doc_4442.pdf> [retrieved on 2010-10-04] *
WAEL ADI ET AL: "Bio-Inspired Electronic-Mutation with genetic properties for Secured Identification" BIO-INSPIRED, LEARNING, AND INTELLIGENT SYSTEMS FOR SECURITY, 2007. BL ISS 2007. ECSIS SYMPOSIUM ON, IEEE, PI, 1 August 2007 (2007-08-01), pages 133-136, XP031127642 ISBN: 978-0-7695-2919-6 *

Also Published As

Publication number Publication date
CZ2009281A3 (en) 2010-11-18
WO2010127643A3 (en) 2011-01-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10751553

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10751553

Country of ref document: EP

Kind code of ref document: A2