WO2018207174A1 - Method and system for sharing a network enabled entity - Google Patents


Info

Publication number
WO2018207174A1
Authority
WO
WIPO (PCT)
Application number
PCT/IL2018/050491
Other languages
French (fr)
Inventor
Shay Rapaport
Original Assignee
Shay Rapaport

Classifications

    • G06F21/33 User authentication using certificates
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/105 Network architectures or network communication protocols for network security for controlling access to devices or network resources; multiple levels of security
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/006 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols involving public key infrastructure [PKI] trust models
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/321 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority
    • H04L9/3234 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • the present disclosure relates to network enabled entities in general and to sharing access permissions or resources with such entities, online and offline, in particular.
  • Networking architectures have grown increasingly complex and have been designed for use in a wide variety of communications environments.
  • US8848608 discloses a method in one embodiment includes detecting a trigger on an electronic device and identifying an interface usage policy for an agent and a corresponding application on the electronic device. The method also includes selecting a first wireless interface of a plurality of wireless interfaces on the electronic device for a network session between an application process of the application and a remote node, with the first wireless interface being selected based on one or more criteria in the interface usage policy.
  • the electronic device is an on-board unit of a vehicle.
  • US20140282993 discloses a system and method for managing authentication tokens that operate across multiple types of physical resources: binding the tokens to one or more external electronic Identity Providers; generating tokens; authenticating the tokens at multiple physical resources; managing access to physical resources by linking the tokens to the electronic identities; translating the tokens to the appropriate physical token type based on infrastructure services available at the point of service; validating tokens at the physical resource; tracking and conveying usage information; and making use of social group relationships and other data defined by individual usage to, among other things, simplify the process of granting user-generated credentials to persons connected to a given individual via the Identity Provider or an external social network, for example.
  • US20160055699 discloses methods, system, mobile node, administrative module for managing access to a vehicle and/or for activating temporary access to the vehicle.
  • a fixed unit comprising a short range transceiver is provided in the vehicle, for managing access to the vehicle.
  • a virtual key is provided to the mobile device that has a primary function other than virtual key management. The fixed unit interacts only via the short range transceiver while granting access, the virtual key may be associated by the mobile device to a valet key device for granting conditional access to the vehicle.
  • US20160021116 discloses a method that includes analyzing information received from a first network-enabled device to identify instructions for a second network-enabled device associated with a second user of a social-networking system, the first network-enabled device being associated with a first user of the social-networking system. The method also includes determining (1) that the first user is connected to the second user with respect to a social graph of the social-networking system and (2) that the first user has authorization to provide instructions to the second network-enabled device, where the authorization is based on social-networking information.
  • US20130110295 discloses a system for collaborative energy management and control in a building, including an energy management controller, one or more occupant HMIs that supports two-way communication between building occupants and a facility manager, and between building occupants and the energy management controller, and a facility manager HMI that supports two-way communication between the facility manager and the building occupants, and between the facility manager and the energy management controller, in which the occupant HMI allows building occupants to provide temperature preferences to the facility manager and the energy management controller, and the facility manager HMI allows the facility manager to configure an energy policy for the building as a set of rules and to view occupants' aggregated temperature preferences, and the energy management controller determines an optimum temperature range that resolves conflicting occupant temperature preferences and occupant temperature preferences that conflict with the facility manager's energy policy for the building.
  • US20160241559 discloses a security system comprises an access control node broadcasting a beacon including a time stamp and user devices generating replies to the beacon that are based on credential information for the user of the user device and the time stamp.
  • the system relies on the users' wireless-capable mobile computing devices such as smartphones, tablets, or wireless fobs.
  • a credential management system provides a system for the authentication of users and then issues security tokens as credential information to the users' mobile computing devices. These tokens are presented wirelessly by the devices to the security system's access control nodes, for example, where the access control nodes then decide whether to grant or deny access.
  • the term computing device refers herein to a device that includes a processing unit. Examples of such a device are a personal computer, a laptop, a server, a tablet, a smartphone, a smart wearable item and IoT (internet of things) devices.
  • wireless communication refers herein to communication between devices through any standard wireless communication protocol, such as NFC, Bluetooth, BLE, WiFi, WiFi-Direct and so forth.
  • network enabled entity refers herein to an entity that can be accessed via the internet network, a local network or through wireless communication.
  • Examples of a network enabled entity are a vehicle ignition system, a private house or hotel room door lock system, a computer lock screen and its locking system, a file, a folder, a specific application or a user account, such as a banking account or a service account.
  • the term user refers herein to a person who has successfully registered to the system.
  • the user may register through an internet website or an application.
  • Such a user may share a network enabled entity that he owns.
  • Such a user may also gain administrative permission from an owner of a network enabled entity for sharing the network enabled entity with other users.
  • Such a user may get temporary access to a network enabled entity.
  • the term consumer refers herein to a user who gains access to a network enabled entity in order to use it. In some cases the access is temporary.
  • the term owner refers herein to a user of the system who has gained ownership over a network enabled entity, who is capable of sharing the usage of the network enabled entity with other users, and who may delegate the privilege to share to an administrator.
  • the term administrator refers herein to a user of the system who has the privileges to share the network enabled entity with other users.
  • the administrator may be the owner of the network enabled entity or a user that is authorized by the owner.
  • authenticating computing device refers herein to a computing device with which the user is authenticated to the system. Examples for such authenticating computing device are a Smartphone and a smart watch.
  • system entity refers herein to a computing device of a user, to the server of the system and to the network enabled entity.
  • access request refers herein to a request made by the computing device of a user to receive access to, and thus share, a network enabled entity.
  • sharing period refers herein to the period or policy in which the consumer is given access to the network enabled entity.
  • the sharing period may be identical or different than the period that is requested by the consumer, according to the administrator's choice.
  • Access Token refers herein to a digital Access Token provided by an administrator or an owner to a consumer, allowing the consumer to use or access the network enabled entity for the sharing period that is defined in the Access Token.
  • the term local storage encryption refers herein to the method of storing of any sensitive data on a computer device of any user. This method involves encryption of the data with the user's private key and further encrypting the private key itself with either a biometric encryption relying on fingerprint, face recognition, retinal or iris scan, ECG and so forth, or using a pattern, a PIN or any combination of these, in such a way that the same combination must be used to decrypt the private key on the Computer Device to allow encryption or decryption of data.
  • sharing authority refers herein to an owner of a network enabled entity or to an administrator of a network enabled entity.
  • One technical problem addressed by the present disclosure is how to provide online and offline secured sharing of a network enabled entity. Most Identity Management and Access Control management solutions in general, and for network enabled entities in particular, assume both a prior acquaintance between all involved parties and that all of them are online during all the events managed by the system.
  • One exemplary embodiment of the disclosed subject matter is a system and network for authenticating the sharing of a network enabled entity.
  • an owner of the network enabled entity may share the network enabled entity with other users. Such a sharing may be for a limited, and/or predefined period.
  • the owner of the Network Enabled Entity receives ownership privileges by entering an ownership and activation code to the Network Enabled Entity.
  • the ownership code may be sent from a computing device of the entity authority, a device of a previous owner or, alternatively, it may be provided with the network enabled entity.
  • the ownership code may be in digital or printed form, such as a serial number, a barcode or a QR code.
  • the owner may use the ownership code to activate the network enabled entity and to claim ownership over it.
  • the Owner or the Administrators of the Network Enabled Entity are required to be able to create and to encrypt Access Tokens, in such a way that the owner, the administrators and the network enabled entity can generate or read such Access Tokens, while the consumer can only use the Access Token for accessing the network enabled entity for a limited time; the consumer cannot read or modify the Access Token.
  • the Owner of the Network Enabled Entity receives the new Administrator's Public Key from that Administrator's device and updates it directly on the Network Enabled Entity either in direct, peer to peer communication, via the internet or any ad-hoc network or through the System Entity.
  • the Owner of the Network Enabled Entity receives the new Administrator's Public Key from that Administrator's device and updates it to the Network Enabled Entity indirectly.
  • the Owner may certify the new Administrator using a digital signature, such as encrypting that Administrator's Public key using the Owner's Private Key and delivering this certification to the Administrator and to their Computing Device.
  • the administrator may add this certification to Access Tokens that they create later for Consumers.
  • when the Network Enabled Entity receives an access token with such a certificate, it may decrypt and validate it using the Owner's Public Key. If the certificate can be decrypted and does contain the Administrator's Public Key, then Access Tokens that are generated by that Administrator are accepted by the Network Enabled Entity.
  • the owner of the network enabled entity delegates the authority to provide access to the network enabled entity to other administrators.
  • the delegating may be by sending one of the secret cryptographic keys and its correlating ID to the administrator computing device, or alternatively by updating the Administrator's public key on the Network Enabled Entity.
  • the computer device of the owner of the network enabled entity flags the Access Token that was shared with an administrator, in order to prevent the owner from using it or from sharing it with additional administrators.
  • the system Server may store the cryptographic key IDs and flag them as well.
  • the owner of the network enabled entity may cancel the authorization of the administrator.
  • the cancellation may be by flagging or deleting the secret cryptographic key provided to an administrator on the Network Enabled Entity or by flagging that Administrator's Public key as invalid on the Network Enabled Entity.
  • Such flagging or deletion may take place through the system, online, or directly, between the owner's computer device and the one of the Network Enabled Entity, via Wireless Communication. In such a case the cryptographic key and/or the Access Tokens that have been generated by the administrator may be invalidated.
  • an owner of a certain network enabled entity may be the consumer or the administrator of another network enabled entity.
  • the users have to register to the system prior to using the system.
  • the registration includes the providing of identification data.
  • Such data may include social network identification, a phone number, an email address, a copy of a photo ID and/or any other personal identifying information, as well as information about the device and the installed application, in order to allow further communication with that user.
  • the verifying process is performed by a Registration Authority (RA) or a plurality of such RAs.
  • the verification process may be via the social network ("Social Login") or via the validation of the email address through a link sent to it, or via an OTP sent as a text message to the phone number, or via any process, face to face or online, to validate the registrant's photo ID and any other PII.
  • the users' attributes are stored with a certificate authority (CA); the CA computing device may store the user PII (personal identifying information) attributes as they are, or as hashed values, or using any other zero-knowledge mechanism designed to allow only the validation of these details.
  • Such CA may be one or more computing devices, or a cryptographic distributed network such as a Blockchain.
  • the certificate authority computing device generates public key and secret key pair for the user.
  • the CA computing device binds the public key and the secret key with the identity of the registered user.
  • the CA computing device issues a digital certificate for the user.
  • the digital certificate and the public key may be used for identification and for securing the communication between the registered user and other users of the system.
  • the user's identifying details are stored on the user's computing device using Local Storage Encryption.
  • the Administrator searches for that User on the system through the User's Public Key or any PII that the user chose to expose on the system, such as a name or an email.
  • when the consumer wishes to search for an administrator in order to request permission to use a network enabled entity, the consumer receives the network enabled entity's identity and public key when in close proximity, via Wireless Communication. The consumer may then search for the Network Enabled Entity's owner and/or its administrators through the system, by any identification that is available to the consumer: the Entity's ID and/or its public key, or the Administrator's ID or any PII, if the user knows them. The consumer then requests access permission to the network enabled entity via his computing device.
  • the Network Enabled Entity is associated with a private key and public key pair. This pair may be given to the Network Enabled Entity by its owner, upon activation and may be identical to the owner's keys. Alternatively, it may be given to the Entity by the system, during a registration process that may be technically similar to a user registration. Such registration can take place upon activation or prior to that, by the creator, manufacturer or seller of such a Network Enabled Entity.
  • a User's request to receive an Access Token to a Network Enabled Entity is sent to the Owner or to any Administrator of the Network Enabled Entity either through the system, online, or directly via Wireless Communication.
  • the request may include the digital certificate that was issued to the user, with identifiable details and a public key, the Network Enabled Entity's ID or public key, and the requested sharing period or privileges.
  • the computing device of the administrator of the network enabled entity authenticates the user and validates the details. The authentication may be via the CA or the CA implementation on a BlockChain Infrastructure or through the certificate and digital signature, provided directly by that User.
  • the computing device of the administrator may generate an Access Token.
  • Such Access Token may include the public key that is associated with the User, the public key or identifier that is associated with the Network Enabled Entity, The Public Key of the Administrator and the permitted Sharing Period or permitted access policy.
  • the Access Token enables the user to access the network enabled entity for a predefined sharing period and/or for predefined actions.
  • the Access Token is encrypted using the secret cryptographic key, which is provided to the Administrator by the Owner.
  • the computing device of the administrator sends the Access Token coupled with the encryption key ID and the Network Enabled Entity ID to the computing device of the consumer, either through the system via internet, or directly through a Wireless Communication.
  • the Access Token enables the user to access the network enabled entity for a predefined sharing period and/or for a predefined set of actions.
  • said Access Token is encrypted using the Administrator's Private Key.
  • the computing device of the consumer may encrypt the Access Token further with Local Storage Encryption.
  • the consumer may send the Access Token to the Network Enabled Entity through Wireless Communication.
  • the Entity and the consumer's device may encrypt the communication asymmetrically using each other's public key, or they may exchange a symmetric key first over such asymmetric encrypted communication and then use such a symmetric key to further communicate and send the Access Token details.
  • Both the Network Enabled Entity and the Consumer may use their own Private key to encrypt the communication.
  • the network enabled entity decrypts the Access Token using the Secret Cryptographic Key correlating to the ID, or using the Administrator's Public Key. According to some embodiments, if the public key used by the Consumer's computing device matches the public key in the Access Token, and if the Administrator's cryptographic key is valid, permission to use the Network Enabled Entity has been sufficiently proved, and the Network Enabled Entity will allow the Consumer to use it according to the Sharing Period policy in the Access Token.
  • when the Network Enabled Entity has Internet connectivity, it reports the transaction directly to the Owner computing device and/or to the relevant Administrator Computing Device, or to the System Server.
  • the reporting is for the purpose of storing and tracking transaction details.
  • Embodiments of the invention disclose a method for authenticating the sharing of a network enabled entity, the method comprising: receiving a request for sharing the network enabled entity by a consumer, wherein the request comprises an access token; wherein the access token comprises an identification of the network enabled entity and an identification of the consumer, the access token being generated by the computing device of the sharing authority in response to a request of the consumer for sharing the network enabled entity; authenticating the request, the authenticating comprising one member of a group consisting of: validating that the request is for sharing the network enabled entity, the validating being by utilising the identification of the network enabled entity, and authenticating the consumer, the authenticating of the consumer utilising the identification of the consumer in the access token; and, if the request is authenticated by the authenticating, providing access for the consumer to the network enabled entity, the access being in accordance with the access request policy.
  • the sharing authority is an owner of the network enabled entity.
  • the sharing authority is an administrator of the network enabled entity, and the method further comprises receiving an administrator token, the administrator token comprising a public key of an administrator, and validating the administrator by utilising the administrator token.
  • the identification of the consumer comprises a public key and the authenticating the consumer comprises PKI (public key infrastructure).
  • the identification of the network enabled entity comprises a public key and validating that the request is for sharing the network enabled entity comprises PKI (public key infrastructure).
  • the access token comprises access policy and further comprising validating permission in accordance with the policy.
  • Embodiments of the invention disclose a system; the system comprises a network enabled entity; an owner computing device, the owner computing device being configured for sharing access to the network enabled entity; and a consumer computing device, the consumer computing device being configured for requesting access to the network enabled entity; wherein the owner computing device is further configured for generating an access token in response to the request, wherein the access token comprises an identification of the network enabled entity and an identification of the consumer, the access token being generated by the computing device of the sharing authority in response to a request of the consumer for sharing the network enabled entity; and wherein the network enabled entity is configured for receiving the request and the access token and for sharing the network enabled entity in accordance with the token.
  • Fig. 1 shows a block diagram of a system for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter;
  • Fig. 2 shows a flowchart diagram of a method for registering to the system, in accordance with some exemplary embodiments of the disclosed subject matter;
  • Figs. 3A, 3B, 3C and 3D show a flowchart diagram of a method for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter;
  • Figs. 4A and 4B show a flowchart diagram of another method for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter;
  • Figs. 5A and 5B show a block diagram of a method for authenticating the sender of an access token, in accordance with some embodiments of the disclosed subject matter; and
  • Fig. 6 shows a block diagram of a method for delegating the privileges of sharing a network enabled entity to an administrator.
  • Fig. 1 shows a block diagram of a system for authenticating the sharing of a network enabled entity, in accordance with some exemplary embodiments of the subject matter.
  • System 100 includes a server 125, a certificate authority (CA) and registration authority (RA) computing device 105, a consumer computing device 110, an administrator computing device 115, a plurality of owner computing devices 120 and a network enabled entity 130.
  • the server 125 is configured for handling the registration of users to the system and any online communication between the users.
  • the server 125 communicates with the owner computing devices 120 for sending the ownership code and the cryptographic keys to the owner computing devices 120.
  • the server 125 may communicate with all the computing devices of the system for handling authentication when the parties are online. In some cases the authentication is performed via the CA and RA computing device 105; in such a case the server communicates with the CA and RA computing device 105 for issuing a digital certificate to a user and for authenticating the user by that certificate.
  • the CA and RA computing device 105 is configured for verifying users in the registration process and for authenticating registered users.
  • the authenticating may be performed via digital certificates and asymmetric keys.
  • a single CA and RA computing device 105 is shown for illustration purposes only; the system may include a plurality of CA and RA computing devices, and in some cases the CA and the RA may share computing devices.
  • the consumer computing device 110 is configured for sharing (that is, using under a grant) at least one of the network enabled entities 130.
  • the consumer computing device 110 communicates with the server for registering to the system.
  • the consumer computing device 110 receives an Access Token from the administrator computing device 115 that administrates the requested network enabled entity 130.
  • the Access Token may be limited to a period or to an access policy.
  • the consumer computing device 110 communicates with the network enabled entity 130 for accessing the network enabled entity.
  • the communication is via a short-range network such as NFC.
  • a single consumer computing device 110 is shown for illustration purposes only; the system may include a plurality of consumer computing devices 110.
  • the owner computing device 120 receives the ownership code and the cryptographic keys from the server 125, or generates them itself.
  • the owner computing device 120 may delegate the option to generate Access Tokens to an administrator. In such a case the owner computing device 120 transfers a cryptographic key to the administrator computing device 115.
  • the owner computing devices 120 may communicate with the network enabled entity 130 that they own for exchanging cryptographic keys.
  • the owner computing devices 120 may communicate with a consumer computing device 110 for allowing the consumer to share the network enabled entity 130.
  • the administrator computing device 115 is configured for allowing consumers to share a network enabled entity 130.
  • the administrator computing device 115 communicates with the server 125 and with the CA and RA computing device 105 for verifying the identity of the consumer.
  • the administrator computing device 115 communicates with the consumer computing device 110 for providing an Access Token to the consumer computing device 110.
  • the network enabled entity 130 receives a plurality of cryptographic keys from the plurality of administrator computing devices that administrate the entity 130.
  • the network enabled entity communicates with the consumer computing devices for providing the consumer with access permission to the network enabled entity 130.
  • Fig. 2 shows a flowchart diagram of a method for registering to the system, in accordance with some exemplary embodiments of the disclosed subject matter.
  • the user requests to register to the system.
  • the request may be via an application or via a web site.
  • the request may include identification data.
  • identification data may include user name, address, social network identification and email.
  • the registration request is sent to the server of the system.
  • the server sends the registration request to a certificate registration authority computing device.
  • the certificate registration authority computing device verifies the identity of the user.
  • the verification may be via social media accounts, the email address and internet history.
  • if the verification fails, operation proceeds to block 208; otherwise operation proceeds to block 210.
  • a notification message about the failure of the verification is sent to the server and from the server to the user, and the operation terminates.
  • the certificate authority computing device generates a digital certificate and a set of user public and user private keys for the registered user.
  • the certificate authority computing device binds the digital certificate with the set of public and private keys.
  • alternatively, the user's public key and private key are generated by the user device.
  • the certificate authority computing device sends the digital certificate, the user public key and the user private key to the server.
  • the server sends the digital certificate, the user public key and the user private key to the computing device of the registered user.
  • the digital certificate may be used for securing the communication between the registered user and other entities of the system and for identity validation.
  • in the embodiments in which the public key and private key are generated by the user, only the public key needs to reach the certificate authority for certification; the private key can stay on the user's device, so neither the server nor the certificate authority ever holds it.
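The registration flow above, as an added worked example that is not part of the patent text. It uses only the Go standard library (crypto/ed25519 and crypto/x509): the user's device generates its own key pair, the CA verifies the identity and issues a certificate binding the public key to the verified email, and a later validation chains the certificate to the CA root and compares the identity attribute with the CA's own record, as in the validation step described later for Figs. 3A to 3D. The CA name, the email address and the identityOK flag standing in for the social-media, email and internet-history checks are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA models the certificate authority / registration authority computing
// device: its self-signed root, its signing key, and the identity attributes
// it verified at registration, indexed by the user's public key.
type CA struct {
	root     *x509.Certificate
	key      ed25519.PrivateKey
	verified map[string]string // public key bytes -> verified email
}

// GenerateUserKey runs on the user's own device; only the public half is
// sent with the registration request.
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Sharing System CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{root: root, key: priv, verified: map[string]string{}}, nil
}

// Register: identity verification, then a certificate binding the user's
// public key to the verified identity. identityOK stands in for the
// social-media / email / history checks; the private key is never seen here.
func (ca *CA) Register(email string, userPub ed25519.PublicKey, identityOK bool) (*x509.Certificate, error) {
	if !identityOK {
		return nil, errors.New("identity verification failed; registration refused")
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.root, userPub, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.verified[string(userPub)] = email
	return cert, nil
}

// Validate is the later check an administrator asks the CA for: the
// certificate must chain to this root, and the public key and identity
// attribute it carries must match what the CA recorded for that key.
func (ca *CA) Validate(cert *x509.Certificate, claimedEmail string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	if ca.verified[string(pub)] != claimedEmail {
		return errors.New("identity attributes do not match the CA record")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	pub, _, _ := GenerateUserKey() // private half stays on the device
	cert, err := ca.Register("alice@example.com", pub, true) // constructed identity
	if err != nil {
		fmt.Println("registration failed:", err)
		return
	}
	fmt.Println("issued to", cert.Subject.CommonName, "- validate:", ca.Validate(cert, "alice@example.com"))
}
```

The point the example makes concrete is the one the text leaves open: when the key pair is generated on the user's device, the CA signs a public key it received, and there is no private key for the server or the CA to forward or lose.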
  • Figs. 3A, 3B, 3C and 3D show a flowchart diagram of a method for sharing of a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter.
  • an owner of a Network Enabled Entity receives a code with which ownership is claimed over the entity, if such ownership has not been established before.
  • the ownership code may be provided by the system (server) or by the creator/manufacturer of the Entity.
  • the Owner claims Ownership by sending the code to the entity, either via the system or directly via Wireless Communication. Such ownership may or may not be registered on the system server.
  • the computing devices of the Owner and the Network Enabled Entity exchange secret Cryptographic Keys, each having its own unique ID.
  • Such keys may be generated either by the system Server, by the Owner's Computer Device or by the Entity Computer Device. These cryptographic keys may be used for encrypting and/or decrypting an Access Token for accessing the network enabled entity.
  • the Owner authorizes an Administrator.
  • the Owner's Computer Device sends one secret Cryptographic Key and its ID to the Administrator's Computing Device.
  • Such authorization associating the Administrator with the Network Enabled Entity may be registered on the server.
  • the computing device of the owner flags the cryptographic key as used.
  • a cryptographic key that an Owner sends to an administrator cannot be used by other administrators or by the owner, and is therefore flagged as used. Such flagging of key IDs can take place on the Owner's Computer Device, on the system Server or both.
  • the computing device of the consumer sends an access request for receiving a permission to access the network enabled entity.
  • in one example, the request is for renting a vehicle for ten days starting from the 10th of October 2017.
  • the request may include the digital certificate of the consumer and the requested sharing period or policy.
  • the public key, or any other identifier, of the network enabled entity may be included in the request as well.
  • the Consumer may retrieve the public key or any other identifier either by direct communication with the entity, via the Internet or in close proximity via Wireless Communication, or through the system Server, by searching publicly listed Entities or by searching Owner or Administrator attributes, such as rental company names and the Network Enabled Entities they own and manage.
  • the access request is sent to the Administrator Computing Device, either directly via the internet or Wireless Communication, or indirectly via the Server, where rules can be applied as to which Administrator receives the request, and where such requests can be logged.
  • Blocks 325, 330 and 340 occur only if the consumer does not already hold a signed document attesting to its identity (e.g. the digital certificate that may accompany the request):
  • the Administrator Computing Device sends an authentication request to the certificate authority computing device.
  • the certificate authority computing device validates the consumer and sends a reply to the administrator.
  • the validation may be by comparing the public key and identity attributes to the attributes that are kept in the CA for such public key.
  • if the consumer is validated, operation continues at block 335; otherwise operation continues at block 340.
  • the computing device of the consumer and the computing device of the administrator receive a notification that the request was not validated, and the operation is terminated.
  • the Administrator chooses the access policy to grant to the Consumer, which may be identical or different to the policy that is in the Access Request.
  • the Administrator Computer Device generates an Access Token that comprises the Administrator's public key, the Consumer's public key, the Network Enabled Entity's public key and the Access Policy (such as two timestamps).
  • the Administrator's Computer Device encrypts the Access Token with the Cryptographic Key originally shared by the Owner and adds the Cryptographic Key's ID.
  • the computing device of the administrator sends the encrypted Access Token to the computing device of the Consumer, either directly, through the internet or Wireless Communication, or indirectly via the system Server, where the access grant may also be logged.
  • the computing device of the consumer receives the encrypted Access Token together with the Cryptographic Key's ID.
  • the encrypted Access Token is stored on the Consumer's Computer Device with Local Storage Encryption.
  • the consumer wishes to access the network enabled entity.
  • the consumer issues a request to use the network enabled entity.
  • such a request can be initiated by the user, remotely via the Internet or in close proximity with the Network Enabled Entity. It may also be initiated automatically: for example, if the Network Enabled Entity transmits its public key via Wireless Communication, the Consumer's Computer Device may initiate communication and prompt the user to decrypt and send all the relevant Access Tokens to that entity.
  • the computing device of either the Network Enabled Entity or the Consumer generates a symmetric key to be used for further communication between the Computer Devices and sends it to the other Computer Device, encrypted with that device's Public Key.
  • the Access Tokens that carry the ID of the Network Enabled Entity are decrypted on the Consumer's Computer Device: the user's PIN, pattern and/or biometric authentication unlocks the private key, which is then used to decrypt the stored tokens.
  • the Access Tokens are then encrypted using the agreed symmetric key and sent to the Network Enabled Entity, either via the internet, via a local network or Wireless Communication.
  • the identity of the consumer may be first authenticated via the CA Computing Device.
  • Blocks 375, 380, 385, 399, 3991 and 3992 describe the process of authenticating the consumer by the network enabled entity.
  • the network enabled entity receives the message.
  • the network enabled entity decrypts the Access Token with the agreed symmetric key.
  • the network enabled entity retrieves the encryption key ID from the message, then, assuming such a key exists and is valid, it decrypts the Access Token using the cryptographic key that correlates to this ID.
  • the network enabled entity encrypts a password with the public key of the end user;
  • the network enabled entity sends the encrypted password to the computing device of the end user.
  • the device of the end user receives the message and decrypts the password with its private key.
  • the device of the end user encrypts the password with the public key of the network enabled entity and sends the encrypted password to the network enabled entity, which decrypts it with its own private key and compares it with the password it sent; a match shows that the presenting device holds the private key matching the consumer's public key.
  • the network enabled entity compares its own public key to the public key in the Access Token. It also compares the Consumer's Device's public key, used previously to exchange the symmetric key, to the Consumer's public key that is in the Access Token.
  • if any of these checks fails, the network enabled entity sends a termination message and terminates the communication. Otherwise the end user is authenticated at block 3994.
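The shared-key embodiment of Figs. 3A to 3D, as an added example that is not part of the patent text. It is Go code using only the standard library: the owner-issued secret key is identified by a key ID, the administrator seals the Access Token (three public keys and two timestamps) under that key, the consumer forwards the sealed token unchanged, and the entity looks the key up by its ID, authenticates and decrypts the token, and applies the comparisons described for the authentication blocks above. The patent names no cipher; AES-256-GCM, the JSON layout of the token and the string placeholders standing in for public keys are assumptions of the example. The session-key exchange and the local storage encryption are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AccessToken is what the administrator builds: three public keys (opaque
// byte strings here) and a policy given as two timestamps.
type AccessToken struct {
	AdminPub    []byte `json:"admin"`
	ConsumerPub []byte `json:"consumer"`
	EntityPub   []byte `json:"entity"`
	NotBefore   int64  `json:"nbf"`
	NotAfter    int64  `json:"exp"`
}

// SealedToken is what the consumer stores and forwards: key ID in the clear,
// token encrypted and authenticated under that key.
type SealedToken struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Keyring holds owner-issued secret keys by ID. The entity holds all of them;
// an administrator holds only the one the owner handed over.
type Keyring map[string][]byte

// NewOwnerKey makes a fresh 256-bit key and a random ID that reveals nothing
// about the key itself.
func NewOwnerKey() (string, []byte, error) {
	buf := make([]byte, 36) // 32 key bytes followed by 4 ID bytes
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	return fmt.Sprintf("k-%x", buf[32:]), buf[:32], nil
}

// aeadFor resolves a key ID on this device; an unknown or revoked ID fails here.
func aeadFor(kr Keyring, kid string) (cipher.AEAD, error) {
	key, ok := kr[kid]
	if !ok {
		return nil, errors.New("no key with ID " + kid + " on this device")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the administrator side. The key ID is bound as GCM additional data,
// so swapping it for another ID makes the tag fail.
func Seal(kr Keyring, kid string, tok AccessToken) (*SealedToken, error) {
	aead, err := aeadFor(kr, kid)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pt, _ := json.Marshal(tok) // fixed field types; cannot fail
	return &SealedToken{KeyID: kid, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, pt, []byte(kid))}, nil
}

// Open is the entity side: look the key up by ID, authenticate and decrypt,
// then check that the token names this entity and the consumer key used for
// the session key exchange, and that the policy window contains now.
func Open(kr Keyring, st *SealedToken, myPub, sessionConsumerPub []byte, now time.Time) (*AccessToken, error) {
	aead, err := aeadFor(kr, st.KeyID)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, st.Nonce, st.Ciphertext, []byte(st.KeyID))
	if err != nil {
		return nil, errors.New("token was not sealed under this key or was modified")
	}
	var tok AccessToken
	if err := json.Unmarshal(pt, &tok); err != nil {
		return nil, err
	}
	switch {
	case !bytes.Equal(tok.EntityPub, myPub):
		return nil, errors.New("token is for a different entity")
	case !bytes.Equal(tok.ConsumerPub, sessionConsumerPub):
		return nil, errors.New("presenter is not the consumer named in the token")
	case now.Unix() < tok.NotBefore || now.Unix() > tok.NotAfter:
		return nil, errors.New("outside the granted sharing period")
	}
	return &tok, nil
}

func main() {
	kid, key, _ := NewOwnerKey()
	entity, admin := Keyring{kid: key}, Keyring{kid: key} // owner gives the same key to the entity and one administrator
	now := time.Now()
	tok := AccessToken{AdminPub: []byte("admin-pub"), ConsumerPub: []byte("consumer-pub"), EntityPub: []byte("entity-pub"),
		NotBefore: now.Unix(), NotAfter: now.Add(10 * 24 * time.Hour).Unix()} // constructed ten-day rental
	st, _ := Seal(admin, kid, tok)
	_, err := Open(entity, st, []byte("entity-pub"), []byte("consumer-pub"), now)
	fmt.Println("named consumer:", err)
	_, err = Open(entity, st, []byte("entity-pub"), []byte("someone-else"), now)
	fmt.Println("other presenter:", err)
}
```

Two properties matter in practice and are visible in Open: a token the consumer has tampered with, or one sealed under a key this entity does not hold (for example a key the owner has withdrawn and removed from the entity's keyring), fails before any of its fields are trusted; and a token copied to another device fails the consumer-key comparison even though it decrypts correctly.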
  • Figs. 4A and 4B show a flowchart diagram of another method for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter. While the first method uses a set of secret cryptographic keys to prove the validity of access tokens, the other method uses digital signatures generated by the Owner or the Administrator, using their Private keys.
  • an owner of a Network Enabled Entity registers to the system and receives a set of a user private key and a user public key.
  • the private key and public key are generated in each computing device.
  • the user public key and the user private key may be used for authenticating a user.
  • the user private key and public key are unique to each user.
  • the computing device of the network enabled entity receives an entity private key and an entity public key from the system.
  • the entity private key and public key are unique to the entity.
  • alternatively, the computing device of the network enabled entity generates the private key and public key itself.
  • the owner enters a barcode, a QR code or a secret password to prove ownership, and then the computing device of the Owner of the Network Enabled Entity and the computing device of the network enabled entity exchange public keys. That is to say, the public key of the network enabled entity is transmitted to the computing device of the owner and the public key of the owner is transmitted to the computing device of the network enabled entity.
  • a consumer registers to the system.
  • the registration process is explained in greater detail with reference to Fig. 2.
  • the computing device of the consumer sends an access request for receiving a permission to share the network enabled entity.
  • the request is sent to the Computing Device of the owner, either directly via the internet or Wireless Communication, or indirectly via the Server, where rules can be applied as to which Administrator receives the request, and where such requests can be logged.
  • the request includes the public key of the consumer.
  • in one example, the request is for renting a vehicle for ten days starting from the 10th of October 2017.
  • the computing device of the owner generates the token of the consumer.
  • the token of the consumer includes the public key of the network enabled entity, the public key of the consumer and the access policy.
  • the access policy may include the sharing period.
  • the token is signed with the owner's private key (the text describes this as encrypting with the private key; since anyone holding the owner's public key can undo it, the operation provides authenticity and integrity, not secrecy). In some cases the content is hashed before being signed. In some other embodiments only a digital signature associated with the token is produced with the private key, and the token itself travels in the clear.
  • the computing device of the owner transmits the access token of the consumer to the computing device of the consumer.
  • the transmitting is either directly, through the internet or Wireless Communication, or indirectly via system Server, where the access grant may also be logged.
  • the computing device of the consumer receives the token of the consumer.
  • the Token of the consumer is stored on the Consumer's Computer Device with Local Storage Encryption.
  • the consumer wishes to use access the network enabled entity.
  • the consumer issues a request to use the network enabled entity. Such a request can be initiated by the consumer remotely via the Internet or in close proximity with the Network Enabled Entity. Such a request may also be initiated automatically by the computing device of the consumer.
  • the request includes the Access Token of the consumer and the public key of the consumer.
  • the computing device of the network enabled entity receives the request and transmits the public key of the network enabled entity to the computing device of the consumer.
  • the computing device of the network enabled entity verifies the signature on the access token of the consumer (described in the text as decrypting the token).
  • the verification is performed with the public key of the owner; a token that was not produced with the owner's private key fails at this step.
  • the computing device of the network enabled entity then verifies the following: that the public key of the network enabled entity in the token is its own, that the public key of the consumer in the token matches the public key presented by the consumer, and that the current time falls within the access policy.
  • if all checks pass, the computing device of the network enabled entity grants permission to the consumer to share the network enabled entity in accordance with the policy. Otherwise, at block 465, the computing device of the network enabled entity transmits notifications and the process terminates.
  • Figs. 5A and 5B show a block diagram of a method for authenticating the sender of a token by the network enabled entity computing device, in accordance with some embodiments of the disclosed subject matter.
  • the authenticating may be used for validating the identity of the consumer, i.e. for proving that the device presenting the token holds the private key matching the consumer public key named in the token.
  • Blocks 500-520 depict a first embodiment of authenticating the sender of the token.
  • the network enabled entity computing device encrypts either the token that was sent to it or a randomly generated password.
  • the encryption is with the private key of the network enabled entity.
  • the network enabled entity computing device transmits the encrypted token to the computing device of the consumer.
  • the computing device of the consumer decrypts the message with the public key of the network enabled entity.
  • the computing device of the consumer encrypts the decrypted token, or the decrypted random password, with its own private key and transmits the message to the computing device of the network enabled entity, which recovers it with the consumer's public key.
  • Blocks 525-535 depict validating the consumer's proven public key.
  • the computing device of the consumer encrypts the token, or a randomly generated password, with the public key of the network enabled entity and transmits it to the network enabled entity.
  • the computing device of the network enabled entity decrypts the token, or the randomly generated password, with its own private key.
  • the network enabled entity generates a random password, encrypts it with the consumer's public key (the matching private key is known only to the consumer) and transmits it to the consumer's device.
  • the consumer decrypts the password with the consumer's private key and then encrypts it again with the network enabled entity's public key.
  • the computing device of the network enabled entity validates the password by decrypting it with its own private key and comparing it to the password it generated.
  • the network enabled entity compares the public key of the consumer to the public key of the consumer that is included in the access token. A fresh random password must be generated for every attempt; otherwise a recorded reply could be replayed.
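The proof of possession of Figs. 5A and 5B, as an added example that is not part of the patent text. The patent describes the exchange with public-key encryption of a random password; this Go example reaches the same goal (showing that the presenting device holds the private key matching the consumer public key in the token) with an Ed25519 signature over a random challenge, because Ed25519 keys, which the signed-token embodiment uses, sign rather than encrypt. That substitution, the challenge format and its prefix string are assumptions of the example. The challenge also binds the entity's own public key, so a signature obtained by one entity cannot be relayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Challenge is the entity's one-time "random password": a fresh nonce bound
// to the entity's own public key, so an answer produced for one entity is
// useless at any other.
type Challenge struct {
	Nonce     [32]byte
	EntityPub ed25519.PublicKey
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is called by the entity for every authentication attempt; a
// challenge is never reused, which is what defeats replay of a recorded answer.
func NewChallenge(entityPub ed25519.PublicKey) (*Challenge, error) {
	c := &Challenge{EntityPub: entityPub}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return nil, err
	}
	return c, nil
}

// message is the byte string that gets signed. The fixed prefix is an
// assumption of this example; it keeps these signatures distinct from any
// other use of the consumer key.
func (c *Challenge) message() []byte {
	m := append([]byte("nee-share-auth-v1:"), c.EntityPub...)
	return append(m, c.Nonce[:]...)
}

// Answer runs on the consumer device after the user unlocks the private key
// (PIN, pattern or biometric, per the local storage encryption in the text).
// Only the signature leaves the device; the key never does.
func Answer(consumerPriv ed25519.PrivateKey, c *Challenge) []byte {
	return ed25519.Sign(consumerPriv, c.message())
}

// Verify is the entity's check: the key named in the access token must be the
// key the presenting device used for the session, and the answer must verify
// under that key for this particular challenge.
func Verify(tokenConsumerPub, sessionConsumerPub ed25519.PublicKey, c *Challenge, sig []byte) error {
	if len(tokenConsumerPub) != ed25519.PublicKeySize ||
		subtle.ConstantTimeCompare(tokenConsumerPub, sessionConsumerPub) != 1 {
		return errors.New("presenting device is not the consumer named in the token")
	}
	if !ed25519.Verify(tokenConsumerPub, c.message(), sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	entityPub, _, _ := NewKeyPair()
	consumerPub, consumerPriv, _ := NewKeyPair()
	_, otherPriv, _ := NewKeyPair()
	c, _ := NewChallenge(entityPub)
	fmt.Println("genuine consumer:", Verify(consumerPub, consumerPub, c, Answer(consumerPriv, c)))
	fmt.Println("copied token, wrong key:", Verify(consumerPub, consumerPub, c, Answer(otherPriv, c)))
}
```

Whichever primitive is used, the two checks the text describes stay the same: the answer must be tied to this challenge (freshness), and the key it proves possession of must be the one the token names (binding).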
  • Fig. 6 shows a block diagram of a method for delegating the privileges of sharing a network enabled entity to an administrator.
  • Blocks 600-620 occur when the owner decides to delegate privileges of sharing the network enabled entity to an administrator.
  • the computing device of the owner of the network enabled entity receives the public key of the administrator.
  • the computing device of the owner of the network enabled entity generates administrator token.
  • the administrator token includes the public key of the administrator and optionally a policy for the administrator (e.g. administration period, administration rights, etc.).
  • the computing device of the owner of the network enabled entity signs the administrator token with its private key (described in the text as encrypting with the private key) and transmits the signed administrator token to the administrator's computing device.
  • the administrator computing device generates a consumer access token, using the administrator's private key to sign the access token.
  • the process of generating the consumer access token is explained in greater detail with reference to Figs. 4A and 4B.
  • the administrator computing device transmits the consumer access token and the administrator token to the consumer computing device.
  • the consumer sends the access token and the administrator token to the network enabled entity and then authenticates its identity to the network enabled entity.
  • the process of authenticating the consumer is explained in greater detail with reference to Figs. 5A and 5B.
  • the computing device of the network enabled entity verifies the administrator token with the public key of the owner of the network enabled entity, which it received when ownership was claimed.
  • the computing device of the network enabled entity verifies the consumer access token using the public key of the administrator taken from the verified administrator token, and then inspects the access token by checking the consumer's public key, the network enabled entity's public key and the access policy. Because the administrator's key is taken from a token the owner signed, an administrator cannot issue an administrator token to itself, and a consumer token signed by a key the owner never delegated is rejected.
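The signed-token embodiment of Figs. 4A and 4B together with the delegation chain of Fig. 6, as one added example that is not part of the patent text: Go code in which the owner signs an administrator token, the administrator signs a consumer access token, and the entity verifies the chain starting from the owner public key it holds. The direct case of Figs. 4A and 4B, an access token signed by the owner itself, is the same call with no administrator token. Ed25519 for the signatures, the JSON token layout and the "kind" field that keeps an administrator token from being presented as an access token are assumptions of the example; the patent speaks of encrypting with the private key, which this code implements as a signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy is a validity window: the sharing period of an access token or the
// administration period of an administrator token.
type Policy struct {
	NotBefore int64 `json:"nbf"`
	NotAfter  int64 `json:"exp"`
}

func (p Policy) contains(t time.Time) bool {
	return t.Unix() >= p.NotBefore && t.Unix() <= p.NotAfter
}

// Body is the signed content. Kind is "admin" (Subject is an administrator
// key, issued by the owner) or "access" (Subject is a consumer key, issued by
// the owner or an administrator). Kind is an assumption of this example.
type Body struct {
	Kind    string            `json:"kind"`
	Entity  ed25519.PublicKey `json:"entity"`
	Subject ed25519.PublicKey `json:"subject"`
	Policy  Policy            `json:"policy"`
}

// Token keeps the exact bytes that were signed, so verification never
// depends on re-serialising the body.
type Token struct {
	Body []byte
	Sig  []byte
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is used by the owner (administrator token, or a direct consumer
// token) and by an administrator (consumer token of Fig. 6).
func Issue(issuerPriv ed25519.PrivateKey, b Body) (*Token, error) {
	raw, err := json.Marshal(b)
	if err != nil {
		return nil, err
	}
	return &Token{Body: raw, Sig: ed25519.Sign(issuerPriv, raw)}, nil
}

func verify(issuerPub ed25519.PublicKey, t *Token, kind string) (*Body, error) {
	if t == nil || !ed25519.Verify(issuerPub, t.Body, t.Sig) {
		return nil, errors.New(kind + " token: signature does not verify under the expected issuer key")
	}
	var b Body
	if err := json.Unmarshal(t.Body, &b); err != nil {
		return nil, err
	}
	if b.Kind != kind {
		return nil, errors.New("token of kind " + b.Kind + " presented as " + kind)
	}
	return &b, nil
}

// Entity is the network enabled entity's state: its own public key and the
// owner public key exchanged when ownership was claimed.
type Entity struct {
	Pub      ed25519.PublicKey
	OwnerPub ed25519.PublicKey
}

// Authorize checks an access token signed by the owner (admin == nil) or the
// owner -> administrator -> consumer chain of Fig. 6. presenterPub is the
// consumer key that proved possession in the Figs. 5A/5B exchange.
func (e Entity) Authorize(access, admin *Token, presenterPub ed25519.PublicKey, now time.Time) (*Body, error) {
	issuer := e.OwnerPub
	if admin != nil {
		a, err := verify(e.OwnerPub, admin, "admin")
		if err != nil {
			return nil, err
		}
		if !a.Entity.Equal(e.Pub) {
			return nil, errors.New("administrator token names a different entity")
		}
		if !a.Policy.contains(now) {
			return nil, errors.New("administration period is not current")
		}
		issuer = a.Subject // only a key the owner delegated may sign consumer tokens
	}
	b, err := verify(issuer, access, "access")
	if err != nil {
		return nil, err
	}
	switch {
	case !b.Entity.Equal(e.Pub):
		return nil, errors.New("access token names a different entity")
	case !b.Subject.Equal(presenterPub):
		return nil, errors.New("presenter is not the consumer named in the token")
	case !b.Policy.contains(now):
		return nil, errors.New("outside the sharing period")
	}
	return b, nil
}

func main() {
	ownerPub, ownerPriv, _ := NewKeyPair()
	entityPub, _, _ := NewKeyPair()
	adminPub, adminPriv, _ := NewKeyPair()
	consumerPub, _, _ := NewKeyPair()
	e := Entity{Pub: entityPub, OwnerPub: ownerPub}
	now := time.Now()
	year := Policy{NotBefore: now.Unix() - 3600, NotAfter: now.Unix() + 365*86400}
	tenDays := Policy{NotBefore: now.Unix(), NotAfter: now.Unix() + 10*86400} // constructed ten-day rental
	adminTok, _ := Issue(ownerPriv, Body{Kind: "admin", Entity: entityPub, Subject: adminPub, Policy: year})
	accessTok, _ := Issue(adminPriv, Body{Kind: "access", Entity: entityPub, Subject: consumerPub, Policy: tenDays})
	_, err := e.Authorize(accessTok, adminTok, consumerPub, now)
	fmt.Println("delegated grant:", err)
	_, err = e.Authorize(accessTok, nil, consumerPub, now)
	fmt.Println("same token without the administrator token:", err)
}
```

The entity trusts exactly one key a priori, the owner's; every other signing key it accepts arrives inside a token that key signed, with its own validity window. That is what lets an offline entity honour a grant from an administrator it has never communicated with, and what makes a self-issued administrator token worthless.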

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The subject matter discloses a method for authenticating the sharing of a network enabled entity, the method comprises: receiving a request for sharing the network enabled entity by a consumer, wherein the request comprises an access token; wherein the access token comprises, an identification of the network enabled entity and an identification of the consumer; the access token being generated by the computing device of the sharing authority in response to a request of the consumer for sharing the network enabled entity; authenticating the request; the authenticating comprises one member of a group consisting of: validating that the request is for sharing the network enabled entity, the validating is by utilising identification of the network enabled entity, and authenticating the consumer; the authenticating the consumer utilising the identification of the consumer in the access token; and if the request is authenticated by the authenticating then providing an access for the consumer to the network enabled entity, the access is in accordance with the access request policy.

Description

METHOD AND SYSTEM FOR SHARING A NETWORK ENABLED ENTITY
FIELD OF THE INVENTION
The present disclosure relates to network enabled entities in general and to sharing access permissions or resources with such entities, online and offline, in particular.
BACKGROUND OF THE INVENTION
Networking architectures have grown increasingly complex and have been designed for use in a wide variety of communications environments.
US8848608 discloses a method in one embodiment includes detecting a trigger on an electronic device and identifying an interface usage policy for an agent and a corresponding application on the electronic device. The method also includes selecting a first wireless interface of a plurality of wireless interfaces on the electronic device for a network session between an application process of the application and a remote node, with the first wireless interface being selected based on one or more criteria in the interface usage policy. In specific embodiments the electronic device is an on-board unit of a vehicle.
US20140282993 discloses a system and method for managing authentication tokens that operate across multiple types of physical resources: binding the tokens to one or more external electronic Identity Providers; generating tokens; authenticating the tokens at multiple physical resources; managing access to physical resources by linking the tokens to the electronic identities; translating the tokens to the appropriate physical token type based on infrastructure services available at the point of service; validating tokens at the physical resource; tracking and conveying usage information; and making use of social group relationships and other data defined by individual usage to, among other things, simplify the process of granting user-generated credentials to persons connected to a given individual via the Identity Provider or an external social network, for example.
US20160055699 discloses methods, a system, a mobile node and an administrative module for managing access to a vehicle and/or for activating temporary access to the vehicle. A fixed unit comprising a short range transceiver is provided in the vehicle for managing access to the vehicle. A virtual key is provided to a mobile device that has a primary function other than virtual key management. The fixed unit interacts only via the short range transceiver while granting access; the virtual key may be associated by the mobile device with a valet key device for granting conditional access to the vehicle.
US20160021116 discloses a method that includes analyzing information received from a first network-enabled device to identify instructions for a second network-enabled device associated with a second user of a social-networking system, the first network-enabled device being associated with a first user of the social-networking system. The method also includes determining (1) that the first user is connected to the second user with respect to a social graph of the social-networking system and (2) that the first user has authorization to provide instructions to the second network-enabled device, where the authorization is based on social-networking information.
US20130110295 discloses a system for collaborative energy management and control in a building, including an energy management controller, one or more occupant HMIs that support two-way communication between building occupants and a facility manager, and between building occupants and the energy management controller, and a facility manager HMI that supports two-way communication between the facility manager and the building occupants, and between the facility manager and the energy management controller, in which the occupant HMI allows building occupants to provide temperature preferences to the facility manager and the energy management controller, and the facility manager HMI allows the facility manager to configure an energy policy for the building as a set of rules and to view occupants' aggregated temperature preferences, and the energy management controller determines an optimum temperature range that resolves conflicting occupant temperature preferences and occupant temperature preferences that conflict with the facility manager's energy policy for the building.
US20160241559 discloses a security system comprising an access control node broadcasting a beacon including a time stamp and user devices generating replies to the beacon that are based on credential information for the user of the user device and the time stamp. The system relies on the users' wireless-capable mobile computing devices such as smartphones, tablets, or wireless fobs. A credential management system provides a system for the authentication of users and then issues security tokens as credential information to the users' mobile computing devices. These tokens are presented wirelessly by the devices to the security system's access control nodes, for example, where the access control nodes then decide whether to grant or deny access.
SUMMARY OF THE INVENTION
The term computing device refers herein to a device that includes a processing unit. Examples of such a device are a personal computer, a laptop, a server, a tablet, a smartphone, a smart wearable item and IoT (internet of things) devices.
The term wireless communication refers herein to communication between devices through any standard wireless communication protocol, such as NFC, Bluetooth, BLE, Wi-Fi, Wi-Fi Direct and so forth.
The term network enabled entity refers herein to an entity that can be accessed via the internet network, a local network or through wireless communication. Examples of a network enabled entity are vehicle ignition system, a private house or a hotel room door lock system, a computer lock screen and its locking system, a file, a folder, a specific application or a user account, such as a banking account or a service account.
The term user refers herein to a person who has successfully registered to the system. The user may register through an internet website or an application. Such a user may share a network enabled entity that he owns. Such a user may also gain administrative permission from an owner of a network enabled entity for sharing the network enabled entity with other users. Such a user may get temporary access to a network enabled entity.
The term consumer refers herein to a user who gains an access to a network enabled entity for using the network enabled entity. In some cases the access is temporal.
The term owner refers herein to a user of the system who has gained ownership over a network enabled entity and who is capable of sharing the usage of the network enabled entity with other users and of delegating the privilege to share to an administrator.
The term administrator refers herein to a user of the system that has the privileges to share the network enabled entity with other users. The administrator may be the owner of the network enabled entity or a user that is authorized by the owner.
The term authenticating computing device refers herein to a computing device with which the user is authenticated to the system. Examples of such an authenticating computing device are a smartphone and a smart watch. The term system entity refers herein to a computing device of a user, to the server of the system and to the network enabled entity.
The term access request refers herein to a request made by a computing device of a user to receive access to, and thus share, a network enabled entity.
The term sharing period refers herein to the period or policy in which the consumer is given access to the network enabled entity. The sharing period may be identical or different than the period that is requested by the consumer, according to the administrator's choice.
The term Access Token refers herein to a digital Access Token provided by an administrator or an owner to a consumer, allowing to use or access the network enabled entity, for sharing period that is defined in the access token.
The term local storage encryption refers herein to the method of storing of any sensitive data on a computer device of any user. This method involves encryption of the data with the user's private key and further encrypting the private key itself with either a biometric encryption relying on fingerprint, face recognition, retinal or iris scan, ECG and so forth, or using a pattern, a PIN or any combination of these, in such a way that the same combination must be used to decrypt the private key on the Computer Device to allow encryption or decryption of data.
The term sharing authority refers herein to an owner of a network enable entity or to an administrator of a network enabled entity.
One technical problem disclosed by the present disclosure is how to provide online and offline secured sharing of network enabled entity .Most Identity Management and Access Control management solutions in general and for network enabled entities in particular assume both a prior acquaintance between all involved parties and that all of them are online during all the events managed by the system.
One exemplary embodiment of the disclosed subject matter is system and network for authenticating the sharing of a network enabled entity. According to some embodiments an owner of the network enabled entity may share the network enabled entity with other users. Such a sharing may be for a limited, and/or predefined period. According to some embodiments, the owner of the Network Enabled Entity receives ownership privileges by entering an ownership and activation code to the Network Enabled Entity. The ownership code may be sent from a computing device of the entity authority, a device of a previous owner or, alternatively, it may be provided with the network enabled entity. The ownership code may be, in a digital or a printed version, such as a serial number, a barcode or a QR code .
The owner may use the ownership code to activate the network enabled entity and to claim ownership over it.
In some cases, it is required to allow the Owner or the Administrators of the Network Enabled Entity to create and to encrypt Access Tokens in such a way that the owner, the administrators and the network enabled entity can generate or read such Access Tokens, while the consumer can only use the Access Token for accessing the network enabled entity for a limited time, but cannot read or modify the Token.
According to one embodiment of the invention, the Owner of the Network Enabled Entity receives the new Administrator's Public Key from that Administrator's device and updates it directly on the Network Enabled Entity, either in direct, peer to peer communication, via the internet or any ad-hoc network, or through the System Entity.
According to another embodiment of the invention, the Owner of the Network Enabled Entity receives the new Administrator's Public Key from that Administrator's device and updates it on the Network Enabled Entity indirectly. To do so, the Owner may certify the new Administrator using a digital signature, such as encrypting that Administrator's Public Key using the Owner's Private Key and delivering this certification to the Administrator and to their Computing Device. The Administrator may add this certification to Access Tokens that they create later for Consumers. When the Network Enabled Entity receives an Access Token with such a certificate, it may decrypt and validate it using the Owner's Public Key. If the certificate can be decrypted and does contain the Administrator's Public Key, then Access Tokens that are generated by that Administrator are accepted by the Network Enabled Entity. In some cases the owner of the network enabled entity delegates the authority to provide access to the network enabled entity to other administrators. The delegating may be by sending one of the secret cryptographic keys and its correlating ID to the administrator computing device, or alternatively by updating the Administrator's public key on the Network Enabled Entity.
In some cases the computing device of the owner of the network enabled entity flags the Access Token that was shared with an administrator, in order to prevent the owner from using it or sharing it with additional administrators. The system Server may store the cryptographic key IDs and flag them as well.
According to some embodiments the owner of the network enabled entity may cancel the authorization of the administrator. The cancellation may be by flagging or deleting the secret cryptographic key provided to an administrator on the Network Enabled Entity, or by flagging that Administrator's Public Key as invalid on the Network Enabled Entity. Such flagging or deletion may take place through the system, online, or directly, between the owner's computing device and that of the Network Enabled Entity, via Wireless Communication. In such a case the cryptographic key and/or the Access Tokens that have been generated by the administrator may be invalidated.
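An added Go example, not the patent's or the applicant's code, of the indirect delegation described above, with Ed25519 signatures standing in for the "encrypting with the Owner's Private Key" wording: the owner certifies the administrator's public key, the administrator signs each Access Token and attaches that certificate, and the entity, which holds only the owner's public key, validates the chain, honours the owner's revocation flag, and then checks the token's entity identifier, consumer key and sharing period. The type and function names, the JSON token encoding and the sample identifiers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AdminCertificate is the owner's certification of an administrator: the owner's signature over the admin key.
type AdminCertificate struct {
	AdminPub ed25519.PublicKey
	OwnerSig []byte
}

// AccessToken carries the fields the patent lists; the sharing period is two Unix timestamps.
type AccessToken struct {
	ConsumerPub ed25519.PublicKey
	EntityID    string
	AdminPub    ed25519.PublicKey
	NotBefore   int64
	NotAfter    int64
}

// SignedToken is what the consumer presents: token, administrator signature and the owner's certificate.
type SignedToken struct {
	Token    AccessToken
	AdminSig []byte
	Cert     AdminCertificate
}

// CertifyAdmin runs on the owner's device: sign the new administrator's public key.
func CertifyAdmin(ownerPriv ed25519.PrivateKey, adminPub ed25519.PublicKey) AdminCertificate {
	return AdminCertificate{AdminPub: adminPub, OwnerSig: ed25519.Sign(ownerPriv, adminPub)}
}

// tokenBytes is the encoding that is signed and verified; encoding/json writes struct
// fields in declaration order, so the same token always yields the same bytes.
func tokenBytes(t AccessToken) []byte {
	b, _ := json.Marshal(t) // cannot fail for this fixed struct
	return b
}

// IssueToken runs on the administrator's device: sign the token and attach the certificate.
func IssueToken(adminPriv ed25519.PrivateKey, cert AdminCertificate, t AccessToken) SignedToken {
	return SignedToken{Token: t, AdminSig: ed25519.Sign(adminPriv, tokenBytes(t)), Cert: cert}
}

// Entity is the network enabled entity's state: the owner's public key and the admin keys flagged invalid.
type Entity struct {
	ID       string
	OwnerPub ed25519.PublicKey
	Revoked  map[string]bool
}

// RevokeAdmin is the owner's cancellation: flag that administrator's public key as invalid.
func (e *Entity) RevokeAdmin(adminPub ed25519.PublicKey) { e.Revoked[string(adminPub)] = true }

// Verify checks the delegation chain and then the token; a nil error means access is granted.
func (e *Entity) Verify(st SignedToken, sessionConsumerPub ed25519.PublicKey, now time.Time) error {
	adminPub := st.Cert.AdminPub
	// 1. The certificate must carry the owner's signature over the administrator's key.
	if !ed25519.Verify(e.OwnerPub, adminPub, st.Cert.OwnerSig) {
		return errors.New("administrator certificate is not signed by the owner")
	}
	if e.Revoked[string(adminPub)] {
		return errors.New("administrator was revoked by the owner")
	}
	// 2. The token must name that administrator and carry its signature.
	if !adminPub.Equal(st.Token.AdminPub) || !ed25519.Verify(adminPub, tokenBytes(st.Token), st.AdminSig) {
		return errors.New("token is not signed by the certified administrator")
	}
	// 3. The token must be for this entity and for the consumer at the other end of the session.
	if st.Token.EntityID != e.ID {
		return fmt.Errorf("token is for entity %q, not %q", st.Token.EntityID, e.ID)
	}
	if !sessionConsumerPub.Equal(st.Token.ConsumerPub) {
		return errors.New("session public key differs from the consumer key in the token")
	}
	// 4. The request must fall inside the sharing period.
	if u := now.Unix(); u < st.Token.NotBefore || u > st.Token.NotAfter {
		return errors.New("request is outside the sharing period")
	}
	return nil
}

func main() {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	consumerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	e := &Entity{ID: "vehicle-42", OwnerPub: ownerPub, Revoked: map[string]bool{}} // constructed entity id
	start := time.Date(2017, 10, 10, 0, 0, 0, 0, time.UTC)                      // the patent's ten-day rental example
	tok := IssueToken(adminPriv, CertifyAdmin(ownerPriv, adminPub), AccessToken{ConsumerPub: consumerPub,
		EntityID: e.ID, AdminPub: adminPub, NotBefore: start.Unix(), NotAfter: start.AddDate(0, 0, 10).Unix()})
	fmt.Println("valid token:", e.Verify(tok, consumerPub, start.Add(time.Hour)))
	e.RevokeAdmin(adminPub)
	fmt.Println("after revocation:", e.Verify(tok, consumerPub, start.Add(time.Hour)))
}
```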
It should be noted that an owner of a certain network enabled entity may be the consumer or the administrator of another network enabled entity.
According to some embodiments the users have to register to the system prior to using the system. The registration includes providing identification data. Such data may include social network identification, a phone number, an email address, a copy of a photo ID and/or any other personal identifying information, as well as information about the device and the installed application, in order to allow further communication with that user. According to some embodiments the verifying process is performed by a Registration Authority (RA) or a plurality of such RAs.
The verification process may be via the social network ("Social Login"), via the validation of the email address through a link sent to it, via an OTP sent as a text message to the phone number, or via any process, face to face or online, to validate the registrant's photo ID and any other PII.
The users' attributes are stored with a certificate authority (CA). The CA computing device may store the user PII (personal identifying information) attributes as they are, as hashed values, or using any other zero-knowledge mechanism designed to allow only the validation of these details. Such a CA may be one or more computing devices, or a cryptographic distributed network such as a Blockchain. The certificate authority computing device generates a public key and secret key pair for the user. The CA computing device binds the public key and the secret key with the identity of the registered user. The CA computing device issues a digital certificate for the user. The digital certificate and the public key may be used for identification and for securing the communication between the registered user and other users of the system.
According to some embodiments the user's identifying details are stored on the user's computing device using Local Storage Encryption.
According to some embodiments, when an administrator wishes to find a User in order to share a Network Enabled Device with that User, the Administrator searches for that User on the system through the User's Public Key or any PII that the user chose to expose on the system, such as a name or an email.
According to some embodiments, when the consumer wishes to search for an administrator to request permission to use a network enabled entity, the consumer receives the network enabled entity's identity and public key when in close proximity, via Wireless Communication. Then the consumer may search for the Network Enabled Entity's owner and/or its administrators through the system. The search may be by any identification that is available to the consumer, such as the Entity's ID and/or its public key, or the Administrator's ID or any PII, if the user knows them. The consumer then requests, via his computing device, access permission to the network enabled entity.
According to some embodiments, the Network Enabled Entity is associated with a private key and public key pair. This pair may be given to the Network Enabled Entity by its owner, upon activation and may be identical to the owner's keys. Alternatively, it may be given to the Entity by the system, during a registration process that may be technically similar to a user registration. Such registration can take place upon activation or prior to that, by the creator, manufacturer or seller of such a Network Enabled Entity.
According to some embodiments a User's request to receive an Access Token to a Network Enabled Entity is sent to the Owner or to any Administrator of the Network Enabled Entity, either through the system, online, or directly via Wireless Communication. The request may include the digital certificate that was issued to the user, with identifiable details and a Public Key, the Network Enabled Entity's ID or Public Key, and the requested sharing period or privileges. The computing device of the administrator of the network enabled entity authenticates the user and validates the details. The authentication may be via the CA or the CA implementation on a BlockChain Infrastructure, or through the certificate and digital signature provided directly by that User.
According to some embodiments, if the Administrator chooses to share the Network Enabled Entity with a user, the computing device of the administrator may generate an Access Token. Such an Access Token may include the public key that is associated with the User, the public key or identifier that is associated with the Network Enabled Entity, the Public Key of the Administrator and the permitted Sharing Period or permitted access policy. According to some embodiments, the Access Token is encrypted using the Secret Cryptographic Key, which is provided to the Administrator by the Owner. The computing device of the administrator sends the Access Token, coupled with the encryption key ID and the Network Enabled Entity ID, to the computing device of the consumer, either through the system via the internet, or directly through Wireless Communication. The Access Token enables the user to access the network enabled entity for a predefined sharing period and/or for a predefined set of actions.
According to another embodiment, said Access Token is encrypted using the Administrator's Private Key.
According to some embodiments the computing device of the consumer may encrypt the Access Token further with Local Storage Encryption. According to some embodiments the consumer may send the Access Token to the Network Enabled Entity through Wireless Communication. The Entity and the consumer's device may encrypt the communication asymmetrically using each other's public key, or they may first exchange a symmetric key over such asymmetrically encrypted communication and then use that symmetric key to further communicate and send the Access Token details. Alternatively, both the Network Enabled Entity and the Consumer may use their own private key to encrypt the communication.
According to some embodiments, the network enabled entity decrypts the Access Token using the Secret Cryptographic Key correlating to the ID, or using the Administrator's Public Key. According to some embodiments, if the Public Key that is used by the Consumer's computing device matches the public key that is in the Access Token, and if the Administrator's cryptographic key is valid, permission to use the Network Enabled Entity has been sufficiently proved and the Network Enabled Entity will allow the Consumer to use it according to the policy of the Sharing Period that is in the Access Token.
According to some embodiments, when the Network Enabled Entity has Internet connectivity, the network enabled entity reports the transaction directly to the Owner computing device and/or to the relevant Administrator Computing Device, or to the System Server. The reporting is for the purpose of storing and tracking transaction details.
Embodiments of the invention disclose a method for authenticating the sharing of a network enabled entity, the method comprises: receiving a request for sharing the network enabled entity by a consumer, wherein the request comprises an access token; wherein the access token comprises, an identification of the network enabled entity and an identification of the consumer; the access token being generated by the computing device of the sharing authority in response to a request of the consumer for sharing the network enabled entity; authenticating the request; the authenticating comprises one member of a group consisting of: validating that the request is for sharing the network enabled entity, the validating is by utilising identification of the network enabled entity, and authenticating the consumer; the authenticating the consumer utilising the identification of the consumer in the access token; and if the request is authenticated by the authenticating then providing an access for the consumer to the network enabled entity, the access is in accordance with the access request policy. According to some embodiments the sharing authority is an owner of the network enabled entity. According to some embodiments the sharing authority is an administrator of the network enabled entity and further comprising receiving an administrator token the administrator token comprises a public key of an administrator and validating the administrator by utilising the administrator token. According to some embodiments the identification of the consumer comprises a public key and the authenticating the consumer comprises PKI (public key infrastructure). According to some embodiments the identification of the network enabled entity comprises a public key and validating that the request is for sharing the network enabled entity comprises PKI (public key infrastructure). 
According to some embodiments the access token comprises access policy and further comprising validating permission in accordance with the policy.
Embodiments of the invention disclose a system; the system comprises a network enabled entity; an owner computing device, the owner computing device being configured for sharing an access to the network enabled entity; a consumer computing device, the consumer computing device being configured for requesting an access to the network enabled entity; wherein the owner computing device is further configured for generating an access token in response to the request, wherein the access token comprises an identification of the network enabled entity and an identification of the consumer, the access token being generated by the computing device of the sharing authority in response to a request of the consumer for sharing the network enabled entity; wherein the network enabled entity is configured for receiving the request and the access token and for sharing the network enabled entity in accordance with the token.
In this respect, before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting.
THE BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
The present disclosed subject matter will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings in which corresponding or like numerals or characters indicate corresponding or like components. Unless indicated otherwise, the drawings provide exemplary embodiments or aspects of the disclosure and do not limit the scope of the disclosure. In the drawings:
Fig. 1 shows a block diagram of a system for sharing a network enabled entity, in accordance with some exemplary embodiments of the subject matter;
Fig. 2 shows a flowchart diagram of a method for registering to the system, in accordance with some exemplary embodiments of the subject matter;
Figs. 3A, 3B, 3C and 3D show a flowchart diagram of a method for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter;
Figs. 4A and 4B show a flowchart diagram of another method for sharing of a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter;
Figs. 5A and 5B show a block diagram of a method for authenticating the sender of an access token, in accordance with some embodiments of the disclosed subject matter; and
Fig. 6 shows a block diagram of a method for delegating the privileges of sharing a network enabled entity to an administrator.
DETAILED DESCRIPTION
The present invention is described in brief with reference to the accompanying drawings. Now, refer in more detail to the exemplary drawings for the purposes of illustrating non-limiting embodiments of the present invention.
* As used herein, the term "comprising" and its derivatives including "comprises" and "comprise" include each of the stated integers or elements but does not exclude the inclusion of one or more further integers or elements.
* As used herein, the singular forms "a", "an", and "the" include plural referents unless the context clearly dictates otherwise. For example, reference to "a device" encompasses a single device as well as two or more devices, and the like.
* As used herein, the terms "for example", "like", "such as", or "including" are meant to introduce examples that further clarify more general subject matter. Unless otherwise specified, these examples are provided only as an aid for understanding the applications illustrated in the present disclosure, and are not meant to be limiting in any fashion.
Fig. 1 shows a block diagram of a system for authenticating the sharing of a network enabled entity, in accordance with some exemplary embodiments of the subject matter.
System 100 includes a server 125, a certificate authority computing device 105, a consumer computing device 110, an administrator computing device 115, a plurality of owner computing devices 120 and a network enabled entity 130.
The server 125 is configured for handling the registrations of users to the system and any online communication between the users. The server 125 communicates with the owner computing devices 120 for sending an ownership code to the owner computing devices 120 and for sending cryptographic keys. The server 125 may communicate with all the computing devices of the system for handling the authentication when parties are online. In some cases the authentication is performed via the CA and RA computing device 105. In such a case the server communicates with the certificate authority CA and RA computing device 105 for issuing a digital certificate to a user and for authenticating the user by the certificate.
The certificate authority CA and RA computing device 105 is configured for verifying the users in the registration process and for authenticating the registered users. The authenticating may be performed via digital certificates and asymmetric keys.
It should be noted that only one CA and RA computing device is illustrated for illustration purposes only and that the system may include a plurality of CA and RA computing devices and that in some cases CA and RA may share computing devices.
The consumer computing device 110 is configured for sharing at least one of the network enabled entities 130. The consumer computing device 110 communicates with the server for registering to the system. When a consumer wishes to share one of the network enabled entities 130, the consumer computing device 110 receives an Access Token from the administrator computing device 115 that administrates the requested network enabled entity 130. The Access Token may be for a limited period or access policy.
The consumer computing device 110 communicates with the network enabled entity 130 for accessing the network enabled entity. In some cases the communication is via short distance network such as NFC.
It should be noted that only one consumer computing device is illustrated for illustration purposes only and that the system may include a plurality of consumer computing devices 110.
The owner computing device 120 receives the ownership code, the Access Token and the cryptographic keys from the server 125, or creates them itself. The owner computing device 120 may delegate the option to generate Access Tokens to an administrator. In such a case the owner computing device 120 transfers a cryptographic key to the administrator computing device 115.
The owner computing device 120 may communicate with the network enabled entity 130 that it owns for exchanging cryptographic keys. The owner computing device 120 may also communicate with a consumer computing device 110 for allowing the consumer to share the network enabled entity 130.
It should be noted that only one owner computing device is illustrated for illustration purposes only and that the system may include a plurality of owner computing devices 120.
The administrator computing device 115 is configured for allowing consumers to share a network enabled entity 130. The administrator computing device 115 communicates with the server 125 and the CA and RA computing device 105 for verifying the identity of the consumer. The administrator computing device 115 also communicates with the consumer computing device 110 for providing an Access Token to the consumer computing device 110.
It should be noted that only one administrator computing device is illustrated for illustration purposes only and that the system may include a plurality of administrator computing devices 115.
The network enabled entity 130 receives a plurality of cryptographic keys from the plurality of administrator computing devices that administrate the entity 130.
In some cases there is only one administrator and only one cryptographic key. The network enabled entity communicates with the consumer computing devices for providing the consumer with access permission to the network enabled entity 130.
It should be noted that only one network enabled entity is illustrated for illustration purposes only and that the system may include a plurality of network enabled entities 130.
Fig. 2 shows a flowchart diagram of a method for registering to the system, in accordance with some exemplary embodiments of the disclosed subject matter.
In block 200 the user requests to register to the system. The request may be via an application or via a web site. The request may include identification data. Such identification data may include user name, address, social network identification and email. The registration request is sent to the server of the system.
At block 205 the server sends the registration request to a certificate registration authority computing device.
At block 207 the certificate registration authority computing device verifies the identity of the user. The verification may be via social media, the email address and the internet history.
If the user is verified then operation proceeds to block 208 otherwise operation proceeds to block 210. At block 210 a notification message about the failure of the verification is sent to the server and from the server to the user and the operation terminates.
At block 208 the certificate authority computing device generates a digital certificate and a user public key and user private key pair for the registered user. The certificate authority computing device binds the digital certificate with the pair of public and private keys. In other embodiments the user's public key and private key are generated by the user device.
At block 215 the certificate authority computing device sends the digital certificate, the user public key and the user private key to the server.
At block 220 the server sends the digital certificate, the user public key and the user private key to the computing device of the registered user. The digital certificate may be used for securing the communication between the registered user and other entities of the system and for identity validation. In other embodiments the public key and private key are generated by the user.
Figs. 3A, 3B, 3C and 3D show a flowchart diagram of a method for sharing of a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter.
At block 300 an owner of a Network Enabled Entity receives a code with which ownership is claimed over the entity, if such ownership has not been established before. The ownership code may be provided by the system (server) or by the creator/manufacturer of the Entity.
At block 305 the Owner claims Ownership by sending the code to the entity, either via the system or directly via Wireless Communication. Such ownership may or may not be registered on the system server.
At block 307 the computing devices of the Owner and the Network Enabled Entity exchange secret Cryptographic Keys, each having its own unique ID. Such keys may be generated either by the system Server, by the Owner's Computer Device or by the Entity Computer Device. These cryptographic keys may be used for encrypting and/or decrypting an Access Token for accessing the network enabled entity.
At block 309 the Owner authorizes an Administrator. The Owner's Computer Device sends one secret Cryptographic Key and its ID to the Administrator's Computing Device. Such authorization, associating the Administrator with the Network Enabled Entity may be registered on the server.
At block 310, the computing device of the owner flags the cryptographic key. In some embodiments the cryptographic keys that an Owner sends to the administrator cannot be used by other administrators as well as by the owner and are thereby flagged as being used. Such flagging of IDs can take place on the Owner's Computer Device, on the system Server or both.
At block 315 a consumer registers to the system. The registration process is explained in greater detail in Fig. 2.
At block 320 the computing device of the consumer sends an access request for receiving a permission to access the network enabled entity. In one example the request is for renting a vehicle for ten days starting from the 10th of October 2017.
The request may include the digital certificate of the consumer and the requested sharing period or policy. In some cases, if the request is to a specific Network Enabled Entity, the public key or any other identifier of that entity may be included in the request as well. The Consumer may retrieve the public key or any other identifier either by direct communication with the entity, via the Internet or in close proximity via Wireless Communication, or through the system Server, by searching publicly listed Entities or searching by Owner or Administrator attributes, such as rental company names and the Network Enabled Entities they own and manage.
The access request is sent to the Administrator Computing Device, either directly via the internet or Wireless Communication, or indirectly via the Server, where rules can be applied as to which Administrator receives the request, as well as logging such requests.
Block 325, 330 and 340 occur only if the consumer does not have a signed document:
At block 325 the Administrator Computing Device sends an authentication request to the certificate authority computing device.
At block 330 the certificate authority computing device validates the consumer and sends a reply to the administrator. The validation may be by comparing the public key and identity attributes to the attributes that are kept in the CA for such public key.
If the consumer is not validated then operation continues at block 335 otherwise operation continues at block 340.
At block 335 the computing device of the consumer and the computing device of the administrator receive a notification that the request was not validated, and the operation is terminated.
At block 340, which is performed if the consumer is validated, the Administrator chooses the access policy to grant to the Consumer, which may be identical or different to the policy that is in the Access Request. The Administrator Computer Device generates an Access Token that comprises the Administrator's public key, the Consumer's public key, the Network Enabled Entity's public key and the Access Policy (such as two timestamps). The Administrator's Computer Device encrypts the Access Token with the Cryptographic Key shared originally by the Owner and adds the Cryptographic Key's ID.
At block 350 the computing device of the administrator sends the encrypted Access Token to the computing device of the Consumer, either directly, through the internet or Wireless Communication, or indirectly via system Server, where the access grant may also be logged.
At block 352 the computing device of the consumer receives the encrypted Access Token and the identification key. In some embodiments the encrypted Access Token is stored on the Consumer's Computer Device with Local Storage Encryption.
At block 355 the consumer wishes to access the network enabled entity. The consumer issues a request to use the network enabled entity. Such a request can be initiated by the user, remotely via the Internet or in close proximity with the Network Enabled Entity, but may also be initiated automatically: for example, if the Network Enabled Entity transmits its public key via Wireless Communication, the Consumer's Computer Device may initiate communication and prompt the user to decrypt and send all the relevant Access Tokens to that entity.
At block 360, as a result of the request, the Computing Device of the Consumer and the Computer Device of the Network Enabled Entity exchange public keys.
At block 365 the computing device of either the Network Enabled Entity or the Consumer generates a symmetric key to be used for further communication between the Computer Devices and sends it to the other Computer Device, encrypted with that device's Public Key.
At block 370 all Access Tokens that have the ID of the Network Enabled Entity are decrypted on the Consumer's Computer Device (via the user's PIN, pattern and/or biometric authentication and then the decrypted private key). The Access Tokens are then encrypted using the agreed symmetric key and sent to the Network Enabled Entity, either via the internet, via a local network or via Wireless Communication.
If the Computing Device of the Network Enabled Entity has internet connectivity, the identity of the consumer may be first authenticated via the CA Computing Device.
Blocks 375, 380, 385, 399, 3991 and 3992 describe the process of authenticating the consumer by the network enabled entity.
At block 375 the network enabled entity receives the message.
At block 380 the network enabled entity decrypts the Access Token with the agreed symmetric key.
At block 385, the network enabled entity retrieves the encryption key ID from the message, then, assuming such a key exists and is valid, it decrypts the Access Token using the cryptographic key that correlates to this ID.
At block 390 the network enabled entity encrypts the password with the public key of the end user. At block 395 the network enabled entity sends the encrypted password to the computing device of the end user.
At block 397 the device of the end user receives the message and decrypts the password.
At block 398 the device of the end user encrypts the password with the public key of the network enabled entity and sends the encrypted password to the network enabled entity.
At blocks 399 and 3991, the network enabled entity compares its public key to the public key in the Access Token. It also compares the Consumer's Device's public key, used previously to exchange a symmetric key, to the Consumer's public key that is in the Access Token.
If any of the two above keys do not match then at block 3993, a check is performed to find out if the request is within the sharing period.
If the request is not within the sharing period then at block 3995 the network enabled entity sends a termination message and terminates communication. Otherwise the end user is authenticated at 3994.
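An added Go example, not the patent's code, of the secret-key variant of Figs. 3A to 3D and of the Access Token description in the summary above: the administrator encrypts the token under the key the owner delegated at block 309 and sends the key ID beside it (block 340), and the entity looks the key up by that ID, refuses keys the owner has cancelled, decrypts, then compares the entity and consumer public keys and checks the sharing period (blocks 385 to 3993). AES-256-GCM, the JSON encoding and the sample key and identifier values are assumptions; the symmetric session layer of blocks 360 to 380 and the password exchange of blocks 390 to 398 are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// SecretKey is one of the keys exchanged at block 307: AES-256 key material plus its unique ID.
type SecretKey struct {
	ID  string
	Key []byte
}

// AccessToken holds the fields generated at block 340; the policy is two Unix timestamps.
type AccessToken struct {
	AdminPub    []byte
	ConsumerPub []byte
	EntityPub   []byte
	NotBefore   int64
	NotAfter    int64
}

// EncryptedToken is what the consumer receives and stores (blocks 350 and 352).
type EncryptedToken struct {
	KeyID      string // the cryptographic key's ID, sent in clear beside the ciphertext
	Nonce      []byte
	Ciphertext []byte
}

// mustRandom returns n cryptographically random bytes (key material and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-256-GCM for a key; the only failure is a wrong key length, a bug here.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// EncryptToken is the administrator's step at block 340. The key ID is also bound as AEAD
// associated data, so an ID altered in transit makes decryption fail rather than pick another key.
func EncryptToken(k SecretKey, t AccessToken) EncryptedToken {
	aead := aeadFor(k.Key)
	plain, _ := json.Marshal(t) // cannot fail for this fixed struct
	nonce := mustRandom(aead.NonceSize())
	return EncryptedToken{KeyID: k.ID, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, []byte(k.ID))}
}

// Entity is the network enabled entity: its keys from block 307 plus the IDs the owner cancelled.
type Entity struct {
	Pub       []byte
	Keys      map[string]SecretKey
	Cancelled map[string]bool
}

// Authorize performs blocks 385, 399, 3991 and 3993; a nil error grants access under the token's policy.
func (e *Entity) Authorize(et EncryptedToken, sessionConsumerPub []byte, now time.Time) (AccessToken, error) {
	k, ok := e.Keys[et.KeyID]
	if !ok || e.Cancelled[et.KeyID] {
		return AccessToken{}, fmt.Errorf("key id %q is unknown or invalid", et.KeyID)
	}
	plain, err := aeadFor(k.Key).Open(nil, et.Nonce, et.Ciphertext, []byte(et.KeyID))
	if err != nil {
		return AccessToken{}, fmt.Errorf("token does not decrypt under key %q", et.KeyID)
	}
	var t AccessToken
	json.Unmarshal(plain, &t) // the authenticated plaintext is our own encoding
	if !bytes.Equal(t.EntityPub, e.Pub) {
		return AccessToken{}, fmt.Errorf("token is for another entity")
	}
	if !bytes.Equal(t.ConsumerPub, sessionConsumerPub) {
		return AccessToken{}, fmt.Errorf("session key differs from the consumer key in the token")
	}
	if u := now.Unix(); u < t.NotBefore || u > t.NotAfter {
		return AccessToken{}, fmt.Errorf("request is outside the sharing period")
	}
	return t, nil
}

func main() {
	k := SecretKey{ID: "k1", Key: mustRandom(32)} // constructed sample key
	e := &Entity{Pub: []byte("entity-pub"), Keys: map[string]SecretKey{k.ID: k}, Cancelled: map[string]bool{}}
	start := time.Date(2017, 10, 10, 0, 0, 0, 0, time.UTC) // the patent's ten-day rental example
	et := EncryptToken(k, AccessToken{ConsumerPub: []byte("consumer-pub"), EntityPub: e.Pub, NotBefore: start.Unix(), NotAfter: start.AddDate(0, 0, 10).Unix()})
	_, err := e.Authorize(et, []byte("consumer-pub"), start.Add(time.Hour))
	fmt.Println("access granted:", err == nil)
}
```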
Figs. 4A and 4B show a flowchart diagram of another method for sharing a network enabled entity, in accordance with some exemplary embodiments of the disclosed subject matter. While the first method uses a set of secret cryptographic keys to prove the validity of access tokens, the other method uses digital signatures generated by the Owner or the Administrator, using their Private keys.
At block 400 an owner of a Network Enabled Entity registers with the system and receives a user private key and a user public key. In other embodiments the private key and public key are generated on each computing device. The user public key and the user private key may be used for authenticating a user. The user private key and public key are unique to each user.
At block 405 the computing device of the network enabled entity receives an entity private key and an entity public key from the system. The entity private key and public key are unique to the entity. In other embodiments the computing device of the network enabled entity generates the private key and public key itself.
At block 410 the owner enters a barcode, QR code or secret password to prove ownership, and then the computing device of the Owner of the Network Enabled Entity and the computing device of the network enabled entity exchange public keys. That is to say, the public key of the network enabled entity is transmitted to the computing device of the owner and the public key of the owner is transmitted to the computing device of the network enabled entity.
At block 415 a consumer registers with the system. The registration process is explained in greater detail in Fig. 2.
At block 420 the computing device of the consumer sends an access request for receiving a permission to share the network enabled entity. The request is sent to the Computing Device of the owner, either directly via the internet or Wireless Communication, or indirectly via the Server, where rules can be applied as to which Administrator receives the request and where such requests can be logged. The request includes the public key of the consumer.
In one example the request is for renting a vehicle for ten days starting from the 10th of October 2017.
At block 425 the computing device of the owner generates the token of the consumer. The token of the consumer includes the public key of the network enabled entity, the public key of the consumer and access policy. The access policy may include sharing period. The token is encrypted with the owner private key. In some cases the content is hashed before being encrypted. In some other embodiments only a digital signature associated with the token is encrypted with the private key.
At block 430 the computing device of the owner transmits the access token of the consumer to the computing device of the consumer. The transmitting is either directly, through the internet or Wireless Communication, or indirectly via system Server, where the access grant may also be logged.
At block 435 the computing device of the consumer receives the token of the consumer. In some embodiments the Token of the consumer is stored on the Consumer's Computing Device with Local Storage Encryption. At block 440 the consumer wishes to access the network enabled entity and issues a request to use it. Such a request can be initiated by the consumer remotely via the Internet or in close proximity to the Network Enabled Entity. Such a request may also be initiated automatically by the computing device of the consumer. The request includes the Access Token of the consumer and the public token of the consumer.
At block 445 the computing device of the network enabled entity receives the request and transmits the public key of the network enabled entity to the computing device of the consumer.
At block 450 the computing device of the network enabled entity decrypts the access token of the consumer. The decryption is performed with the public key of the owner.
At block 455 the computing device of the network enabled entity verifies the following:
• The public key of the network enabled entity that is included in the token of the user is correct.
• The policy included in the user token can be implemented.
• The consumer is authenticated. Authentication of the consumer is explained in greater detail in Fig. 5.
If all conditions are met then at block 460 the computing device of the network enabled entity grants permission to the consumer to share the network enabled entity in accordance with the policy. Otherwise at block 465 the computing device of the network enabled entity transmits notifications and the process terminates.
Figs. 5A and 5B show a block diagram of a method for authenticating the sender of a token by the computing device of the network enabled entity, in accordance with some embodiments of the disclosed subject matter. The authentication may be used for validating the identity of the consumer.
It is assumed that the network enabled entity and the consumer have already exchanged public keys prior to the authentication process.
Blocks 500-520 depict a first embodiment of authenticating the sender of a token.
At block 500 the network enabled entity computing device encrypts either the token that was sent to it or a randomly generated password. The encryption is with the private key of the network enabled entity.
At block 505 the network enabled entity computing device transmits the encrypted token to the computing device of the consumer.
At block 510 the computing device of the consumer decrypts the message with the public key of the network enabled entity.
At block 515 the computing device of the consumer encrypts the decrypted token, or the decrypted random password with its own private key and transmits the message to the computing device of the network enabled entity.
At block 520, if the network enabled entity receives the encrypted token or encrypted random password and is able to decrypt it with the consumer's public key, the consumer is validated.
Blocks 525-535 depict validating the consumer's proven public key.
At block 525 the computing device of the consumer encrypts the token, or a randomly generated password, with the public key of the network enabled entity and transmits the token to the network enabled entity.
At block 530 the computing device of the network enabled entity decrypts the token, or the randomly generated password with its own private key.
At block 535 the network enabled entity generates a random password, encrypts it with the consumer's private key and transmits it to the consumer's device.
At block 540 the consumer decrypts the password with his private key and then encrypts it again with the network enabled entity's public key.
At block 545 the computing device of the network enabled entity validates the password by decrypting it with its own private key and comparing it to the password it generated.
At block 550 the network enabled entity compares the public key of the consumer to the public key of the consumer that is included in the access token.
Fig. 6 shows a block diagram of a method for delegating the privileges of sharing a network enabled entity to an administrator.
Blocks 600-620 occur when the owner decides to delegate privileges of sharing the network enabled entity to an administrator. At block 600 the computing device of the owner of the network enabled entity receives the public key of the administrator.
At block 605, the computing device of the owner of the network enabled entity generates an administrator token. The administrator token includes the public key of the administrator and optionally a policy for the administrator (e.g. administration period, administration rights, etc.).
At block 610, the computing device of the owner of the network enabled entity encrypts the administrator token with its private key and transmits the encrypted administrator token to the administrator's computing device.
At block 625 the administrator computing device generates a consumer access token, using the administrator's private key to encrypt and sign the access token. The process of generating the consumer access token is explained in greater detail in Fig. 4.
At block 630 the administrator computing device transmits the consumer access token and the administrator token to the consumer computing device.
At block 635 the consumer sends the access token and the administrator token to the network enabled entity and then authenticates his identity to the network enabled entity. The process of authenticating the consumer is explained in greater detail in Fig. 5.
At block 640 the computing device of the network enabled entity decrypts the administrator token with the public key of the owner of the network enabled entity.
At block 645, the computing device of the network enabled entity decrypts the consumer access token using the public key of the administrator, taken from the decrypted administrator token, and the access token is inspected by verifying the consumer's public key, the network enabled entity's public key and the access policy.
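As an added worked example (not code from the patent, which fixes no algorithm or encoding), the following Go program renders the token scheme of Figs. 4 to 6 with Ed25519 signatures: issue is the owner's or administrator's token generation (blocks 425 and 625), open is the entity's signature and policy check (blocks 450, 455, 640 and 645), authenticate is the challenge-response of Fig. 5 blocks 500-520 together with the key comparison of block 550, and admit is the entity's overall decision of blocks 455-465 including the administrator chain of Fig. 6. The JSON token encoding, a sharing period as the only policy field, and the use of signatures where the text says "encrypt with the private key" are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"time"
)

// Token models the access token of block 425 (entity key, consumer key, sharing
// period); with Consumer holding the administrator's key it is also the
// administrator token of block 605. The JSON encoding is an assumption.
type Token struct {
	Entity, Consumer    []byte
	NotBefore, NotAfter time.Time
}
// Signed is a token body plus the issuer's Ed25519 signature, standing in for
// the patent's "encrypt with the private key" step.
type Signed struct{ Body, Sig []byte }
func issue(issuer ed25519.PrivateKey, t Token) Signed {
	body, _ := json.Marshal(t)
	return Signed{body, ed25519.Sign(issuer, body)}
}
// open checks the issuer's signature (blocks 450, 640, 645) and that now falls
// inside the token's sharing period (the policy check of block 455).
func open(issuerPub ed25519.PublicKey, s Signed, now time.Time) (t Token, ok bool) {
	if len(issuerPub) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, s.Body, s.Sig) {
		return t, false
	}
	err := json.Unmarshal(s.Body, &t)
	return t, err == nil && !now.Before(t.NotBefore) && !now.After(t.NotAfter)
}
// authenticate is the challenge-response of blocks 500-520 and 550: the entity
// signs a random password, the consumer checks it and signs it back, and the
// entity verifies with the presented key, which must equal the token's key.
func authenticate(entity, consumer ed25519.PrivateKey, t Token) bool {
	pw := make([]byte, 32)
	rand.Read(pw)
	challenge := ed25519.Sign(entity, pw) // block 500
	if !ed25519.Verify(entity.Public().(ed25519.PublicKey), pw, challenge) {
		return false // block 510: the consumer rejects a challenge not from the entity
	}
	presented := consumer.Public().(ed25519.PublicKey)
	response := ed25519.Sign(consumer, pw) // block 515
	return ed25519.Verify(presented, pw, response) && bytes.Equal(presented, t.Consumer)
}
// admit is the entity's decision of blocks 455-465 with the Fig. 6 delegation
// chain; a nil adminTok means the owner signed the access token directly.
func admit(entity ed25519.PrivateKey, ownerPub ed25519.PublicKey,
	consumer ed25519.PrivateKey, access Signed, adminTok *Signed, now time.Time) bool {
	issuer := ownerPub
	if adminTok != nil { // blocks 640/645: owner-signed admin token names the issuer
		a, ok := open(ownerPub, *adminTok, now)
		if !ok {
			return false
		}
		issuer = ed25519.PublicKey(a.Consumer)
	}
	t, ok := open(issuer, access, now)
	return ok && bytes.Equal(t.Entity, entity.Public().(ed25519.PublicKey)) &&
		authenticate(entity, consumer, t) // block 460 on success, 465 otherwise
}
```

An access token signed by an administrator is rejected unless an owner-signed administrator token naming that administrator accompanies it, which is the check that keeps delegation anchored in the owner's key.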

Claims

What is claimed is:
1. A method for authenticating the sharing of a network enabled entity, the method comprises:
receiving a request for sharing said network enabled entity by a consumer, wherein said request comprises an access token; wherein said access token comprises, an identification of said network enabled entity and an identification of said consumer; said access token being generated by said computing device of said sharing authority in response to a request of said consumer for sharing said network enabled entity;
authenticating said request; said authenticating comprises one member of a group consisting of: validating that said request is for sharing said network enabled entity, said validating is by utilising identification of said network enabled entity, and authenticating said consumer; said authenticating said consumer utilising said identification of said consumer in said access token; and
if said request is authenticated by said authenticating then providing an access for said consumer to said network enabled entity, said access is in accordance with said access request policy.
2. The method of claim 1 wherein said sharing authority is an owner of said network enabled entity.
3. The method of claim 1, wherein said sharing authority is an administrator of said network enabled entity and further comprising receiving an administrator token, said administrator token comprises a public key of an administrator, and validating said administrator by utilising said administrator token.
4. The method of claim 1 wherein said identification of said consumer comprises a public key and said authenticating said consumer comprises PKI (public key infrastructure).
5. The method of claim 1 wherein said identification of said network enabled entity comprises a public key and validating that said request is for sharing said network enabled entity comprises PKI (public key infrastructure).
6. The method of claim 1 wherein said access token comprises access policy and further comprising validating permission in accordance with said policy.
7. A system, said system comprises:
a network enabled entity,
an owner computing device, said owner computing device is configured for sharing an access to said network enabled entity;
a consumer computing device, said consumer computing device is configured for requesting an access to said network enabled entity;
wherein said owner computing device is further configured for generating an access token in response to said request, wherein said access token comprises, an identification of said network enabled entity and an identification of said consumer; said access token being generated by said computing device of said sharing authority in response to a request of said consumer for sharing said network enabled entity; wherein said network enabled entity is configured for receiving said request and said access token and for sharing said network enabled entity in accordance with said token.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762502688P 2017-05-07 2017-05-07
US62/502,688 2017-05-07

Publications (1)

Publication Number Publication Date
WO2018207174A1 true WO2018207174A1 (en) 2018-11-15

Family

ID=64104639

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2018/050491 WO2018207174A1 (en) 2017-05-07 2018-05-06 Method and system for sharing a network enabled entity

Country Status (1)

Country Link
WO (1) WO2018207174A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210173900A1 (en) * 2019-12-05 2021-06-10 APPDIRECT, Inc. Geographically local license sharing
CN113536388A (en) * 2020-04-16 2021-10-22 中移物联网有限公司 Data sharing method and system based on block chain
US11463244B2 (en) * 2019-01-10 2022-10-04 Samsung Electronics Co., Ltd. Electronic apparatus, method of controlling the same, and network system thereof

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5931947A (en) * 1997-09-11 1999-08-03 International Business Machines Corporation Secure array of remotely encrypted storage devices
US5943423A (en) * 1995-12-15 1999-08-24 Entegrity Solutions Corporation Smart token system for secure electronic transactions and identification
US20090300744A1 (en) * 2008-06-02 2009-12-03 Microsoft Corporation Trusted device-specific authentication
US8447831B1 (en) * 2008-03-31 2013-05-21 Amazon Technologies, Inc. Incentive driven content delivery

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11463244B2 (en) * 2019-01-10 2022-10-04 Samsung Electronics Co., Ltd. Electronic apparatus, method of controlling the same, and network system thereof
US20210173900A1 (en) * 2019-12-05 2021-06-10 APPDIRECT, Inc. Geographically local license sharing
US11886550B2 (en) * 2019-12-05 2024-01-30 APPDIRECT, Inc. Geographically local license sharing
CN113536388A (en) * 2020-04-16 2021-10-22 中移物联网有限公司 Data sharing method and system based on block chain

Similar Documents

Publication Publication Date Title
US11700117B2 (en) System for credential storage and verification
US11716320B2 (en) Digital credentials for primary factor authentication
US11770261B2 (en) Digital credentials for user device authentication
US11792181B2 (en) Digital credentials as guest check-in for physical building access
US11641278B2 (en) Digital credential authentication
US11698979B2 (en) Digital credentials for access to sensitive data
US11627000B2 (en) Digital credentials for employee badging
US11531783B2 (en) Digital credentials for step-up authentication
US10636240B2 (en) Architecture for access management
US11792180B2 (en) Digital credentials for visitor network access
US10367817B2 (en) Systems and methods for challengeless coauthentication
US11683177B2 (en) Digital credentials for location aware check in
WO2019191213A1 (en) Digital credential authentication
WO2019191216A1 (en) System for credential storage and verification
EP2957064B1 (en) Method of privacy-preserving proof of reliability between three communicating parties
US11522713B2 (en) Digital credentials for secondary factor authentication
WO2019191215A1 (en) Digital credentials for secondary factor authentication
WO2018207174A1 (en) Method and system for sharing a network enabled entity
WO2018207079A1 (en) Method and system for universal access control management to an entity with inconsistent internet access

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18799411

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18799411

Country of ref document: EP

Kind code of ref document: A1