WO2020006572A2 - Data stream identity - Google Patents

Data stream identity Download PDF

Info

Publication number
WO2020006572A2
WO2020006572A2 PCT/US2019/040202 US2019040202W WO2020006572A2 WO 2020006572 A2 WO2020006572 A2 WO 2020006572A2 US 2019040202 W US2019040202 W US 2019040202W WO 2020006572 A2 WO2020006572 A2 WO 2020006572A2
Authority
WO
WIPO (PCT)
Prior art keywords
identified
owner
data stream
unique identifier
memory
Prior art date
Application number
PCT/US2019/040202
Other languages
French (fr)
Other versions
WO2020006572A4 (en
WO2020006572A3 (en
Inventor
Nathanael COFFING
Original Assignee
Syntegrity Networks Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Syntegrity Networks Inc. filed Critical Syntegrity Networks Inc.
Priority to EP19825552.3A priority Critical patent/EP3815299A4/en
Priority to JP2021522928A priority patent/JP2021530071A/en
Priority to CN201980055893.0A priority patent/CN113039746A/en
Publication of WO2020006572A2 publication Critical patent/WO2020006572A2/en
Publication of WO2020006572A3 publication Critical patent/WO2020006572A3/en
Publication of WO2020006572A4 publication Critical patent/WO2020006572A4/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Definitions

  • the present invention generally relates to data stream management. More specifically, the present invention relates to managing identities assigned to data streams.
  • Each entity may be involved in different capacities as to the content of data streams. For example, different entities may be involved in the generation of the data, other contribution of data, analysis of the data, distribution of the data, consumption of the data, etc. As such, each entity may be associated with different portions of a data stream, as well as entitled to different rights to such portions. Each entity may be associated with different policies and requirements that such entity may wish to apply to their respective portions.
  • a video stream may involve entities associated with the camera that captured the video, entities associated with the processing software (e.g., facial recognition) applied to the video, entities that appear in or are associated with images in the video, distributors of the video, and consumers or other recipients of the video.
  • entities associated with the camera that captured the video e.g., entities associated with the processing software (e.g., facial recognition) applied to the video, entities that appear in or are associated with images in the video, distributors of the video, and consumers or other recipients of the video.
  • the processing software e.g., facial recognition
  • Embodiments of the present invention allow for data sets to assume their own identity with individual requirements for lifecycle and access control management attached.
  • individual data sets may be associated with a unique identifier.
  • a data stream may be broken down, for example, into multiple data segments, which may be part of a data set.
  • Such data set may not necessarily be contiguous. For example, an individual may appear, then disappear, then reappear in a video at different points in time. Such individual may further appear in only a small portion of each image frame. As such, that individual may be associated with a data set comprising the respective portions in which he or she appears at the different points in time.
  • Various embodiments may include methods for managing data stream identity.
  • Such methods may include analyzing ownership information regarding a data stream to identify at least one owner, filtering the data stream to identify at least one portion that is associated with the identified owner, assigning a unique identifier to the identified portion, storing the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner, and controlling access to the identified portion based on settings set by the identified owner.
  • Further embodiments may include systems for managing data stream identity.
  • Such systems may include a communication interface that receives a data stream over a
  • Systems may further include memory that stores the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner; and the processor may control access to the identified portion based on settings set by the identified owner.
  • Yet further embodiments may include non-transitory computer-readable storage media having embodied thereon programs that are executable to perform the methods described herein.
  • FIG. 1 illustrates a simplified network environment in which a system for managing data stream identity may be implemented.
  • FIG. 2 is a flowchart illustrating an exemplary method for managing data stream identity.
  • FIG. 3 illustrates an exemplary computing system that may be used to implement an embodiment of the present invention.
  • Embodiments of the present invention allow for data sets to assume their own identity with individual requirements for lifecycle and access control management attached.
  • individual data sets may be associated with a unique identifier.
  • a data stream may be broken down, for example, into multiple data segments, which may be part of a data set.
  • Such data set may not necessarily be contiguous. For example, an individual may appear, then disappear, then reappear in a video at different points in time. Such individual may further appear in only a small portion of each image frame. As such, that individual may be associated with a data set comprising the respective portions in which he or she appears at the different points in time.
  • FIG. 1 illustrates an exemplary network environment in which a system for managing data stream identity may be implemented.
  • an exemplary network environment 100 may include a variety of different entities, including entity A 120A
  • entity B 120B e.g., individual users
  • entity C 120C e.g., Internet of Things (IoT) devices
  • entity D 120D e.g., services/server systems.
  • entities 120A-D may communicate over one or more different types of communication networks 110 with one or more identity servers A 130A and B 130B.
  • Communication network 110 may be a local, proprietary network (e.g., an intranet) and/or may be a part of a larger wide-area network.
  • the communications network 110 may be a local area network (LAN), which may be communicatively coupled to a wide area network (WAN) such as the Internet.
  • LAN local area network
  • WAN wide area network
  • IP Internet Protocol
  • Examples of network service providers are the public switched telephone network, cellular or mobile service providers, a cable service provider, a provider of digital subscriber line (DSL) services, or a satellite service provider.
  • Communications network 110 allows for communication between the various components of network environment 100.
  • entities 120A-D may communicate with identity servers 130 over communication network 110 via an API gateway (not pictured).
  • an API gateway may serve as an entry point for an entity 120 to a service mesh.
  • API gateway may expose public endpoints for identification and authentication, as well as inject into a data stream contextual data (e.g., via a token to proxied requests signed using a private key issued exclusively for the API gateway (e.g., by an internal certificate authority in a security plane)).
  • API gateway can enforce rich policies that can be created in identity server 130 (e.g., based on such factors as user attributes, roles, relationships, session attributes, current location, device information, authentication methods used, and risk factor of a transaction user or a device).
  • Entities 120A-D may use or be embodied in any number of different electronic devices, such as general purpose computers, mobile phones, smartphones, smartwatches, wearable devices, personal digital assistants (PDAs), portable computing devices (e.g., laptop, netbook, tablets), desktop computing devices, handheld computing device, smart sensors, smart appliances, IoT devices, devices networked to controllers for smart control, servers and server systems (including cloud-based servers and server systems), or any other type of computing device capable of communicating over communication network 110.
  • Such devices associated with entities 120A-D may also be configured to access data from other storage media, such as local caches, memory cards, or disk drives as may be appropriate in the case of downloaded services.
  • Devices associated with entities 120- A-D may include standard hardware computing components such as network and media interfaces, non-transitory computer-readable storage (memory), and processors for executing instructions that may be stored in memory.
  • Identity servers 130 may provide a platform for managing data stream identity.
  • Identity server 130 may be installable in the cloud or on-premises.
  • Such identity server 130 may also include a public key infrastructure (PKI) that allows for reading, generation, assignment, and management of digital certificates, security keys, and other encryption data.
  • PKI public key infrastructure
  • Identity server 130 may therefore uniquely associate each entity 120 with a set of identification data that allows for entity-specific identification, digital signature, and/or encryption.
  • Entity-specific identity information may be generated by one or more identity servers 130, as well as other identity providers (e.g., Facebook, OAuth OpenID, biometric signatures).
  • Identity servers 130 may generate a private key (e.g., PKI-based key) that is unique to each identified specific entity 120, which allows the entity 120 to be identified and allows the entity 120 to manage its associated data portions or segments within a stream.
  • identity server 130 may issue a private key to an entity 120 upon registrations. Otherwise, identity server 130 may identify a new entity 120that has not registered and issue a placeholder or nonce key to the identified new entity 120. Upon registration or attestation at a later point in time, the nonce key may be correlated with the identified new entity 120.
  • the key issued by the identity server 130 allows the entity 120 to secure (e.g., encrypt or digitally sign) data portions within the stream with which the entity 120 is associated.
  • each entity 120 may have data-field level control over access to its respective data portions.
  • entity-specific identity data may be used to sign authorization policies that may then be packaged with the data stream.
  • authorization policies may govern various conditions under which the data portion is allowed to be accessed, for example, when the data portion may be access, how such data portion may be access, etc.
  • data may be added to a data stream that is associated with one or more entities 120.
  • Different data segments of a data stream may be associated with a different set of entities 120.
  • Each data portion may therefore be associated with different sets pf authorization policies.
  • the different data sets may further be assigned to different entities 120.
  • Each entity 120 may further exercise certain rights to their respective data set, which may also be subject to different policies and rules based on the entity 120 with which the data set is associated.
  • an individual whose image appears in a video may be identified as an owner of the data set comprising the portions (including portions of each image frame) in which he or she appears.
  • the individual may choose to manipulate that data set (e.g., by blacking out, deleting, pixelating the respective portions) or restrict access permissions (e.g., remove from public view, restrict to identified individuals or groups).
  • the individual may live in certain jurisdictions with policies and rules that govern privacy rights, rights of publicity, and other rights. Such policies and rules may be applied, specifically to the data set.
  • a single data stream may therefore be associated with different owners assigned to the different data sets identified within the stream and assigned unique identifiers.
  • Such identifier and ownership data may be stored in a database in association with the respective data sets in the data stream (e.g., a video). Ownership data may further reflect the location of the owner, as well as certain access and control rights specified by the set of authorization policies. Certain access and control settings specified by an owner may also be stored in association with the data set.
  • An owner may further be given the authority to manage their respective data set, which may further be stored in an encrypted format. The respective encryption keys may then be shared with other individuals and groups authorized by the owner to access the underlying data set associated with the owner.
  • the data stream itself may be treated holistically, allowing for association with multiple different encryption keys, different consent patterns, different ownership schemes, etc. based on the different data sets identified within the complete data stream.
  • the data stream may be processed by one or more identity servers 130, which may make use of various libraries to identify specific entities associated with the stream.
  • image libraries may be used to identify specific entities captured in a video stream.
  • Some membership organizations or other associations may issue picture identification to its members or associates.
  • Digital libraries that include such pictures may be used to identify when a member or associate is captured in a video stream.
  • identity server 130 (or a proxy) may also identify that an entity captured in the video is not a member or associate.
  • non-member or non-associate may nevertheless be associated with a nonce key.
  • the nonce key may later be correlated to the identity of the entity upon registration.
  • the identity server 130 may therefore enforce the authorization policies associated with each data portion.
  • FIG. 2 is a flowchart illustrating an exemplary method for managing data stream identity.
  • the method 200 of FIG. 2 may be embodied as executable instructions in a non- transitory computer readable storage medium including but not limited to a CD, DVD, or non volatile memory such as a hard drive.
  • the instructions of the storage medium may be executed by a processor (or processors) to cause various hardware components of a computing device hosting or otherwise accessing the storage medium to effectuate the method.
  • the steps identified in FIGURE 2 (and the order thereof) are exemplary and may include various alternatives, equivalents, or derivations thereof including but not limited to the order of execution of the same.
  • an entity 120 is assigned a private key by identity server 130. Such assignment may occur upon registration with a particular identity server 130 or upon identification as a new entity by the identity server 130. Such private key may be stored and managed by identity server 130 or associated proxies.
  • a data stream may be generated in associated with one or more entities 120.
  • Such data generation may include digital communications, capture (e.g., in video or audio) on digital media, or other association.
  • each data stream and portions thereof may be associated with a different set of entities 120.
  • a video stream for example, may have segments respectively associated with no entities, one entity, or multiple different entities.
  • identity server 130 may analyze ownership of the data stream. Such analysis may include use of various libraries to identify the presence or association of all entities associated with the data stream, whether known or unknown to the identity server 130.
  • identity server 130 may filter the data stream by owner
  • the identified segment(s) may then be associated with the private key associated with the owner entity, and in step 270, the association may be stored in memory of identity server 130 for use in processing future requests related to the data segment(s).
  • FIG. 3 illustrates an exemplary computing system 300 that may be used to implement an embodiment of the present invention.
  • System 300 of FIG. 3 may be implemented in the contexts of the likes of entity A devices 120A, entity C 120C, or entity D 120D, as well as those used by used by entity B 120B.
  • the computing system 300 of FIG. 3 includes one or more processors 310 and memory 310.
  • Main memory 310 stores, in part, instructions and data for execution by processor 310.
  • Main memory 310 can store the executable code when in operation.
  • the system 300 of FIG. 3 further includes a mass storage device 330, portable storage medium drive(s) 340, output devices 350, user input devices 360, a graphics display 370, and peripheral devices 380.
  • processor unit 310 and main memory 310 may be connected via a local microprocessor bus 390, and the mass storage device 330, peripheral device(s) 380, portable storage device 340, and display system 370 may be connected via one or more input/output (1/0) buses 390.
  • Mass storage device 330 which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 310. Mass storage device 330 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory
  • Portable storage device 340 operates in conjunction with a portable non- volatile storage medium, such as a floppy disk, compact disk (CD) or digital video disc (DVD), to input and output data and code to and from the computer system 300 of FIG. 3.
  • a portable non- volatile storage medium such as a floppy disk, compact disk (CD) or digital video disc (DVD)
  • CD compact disk
  • DVD digital video disc
  • the system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 300 via the portable storage device 340.
  • Input devices 360 provide a portion of a user interface.
  • Input devices 360 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys.
  • the system 300 as shown in FIG. 3 includes output devices 350. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 370 may include a liquid crystal display (LCD) or other suitable display device. Display system 370 receives textual and graphical information, and processes the information for output to the display device.
  • LCD liquid crystal display
  • Peripherals 380 may include any type of computer support device to add additional functionality to the computer system.
  • peripheral device(s) 380 may include a modem or a router.
  • the components contained in the computer system 300 of FIG. 3 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art.
  • the computer system 300 of FIG. 3 can be a personal computer, hand held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device.
  • the computer can also include different bus configurations, networked platforms, multi-processor platforms, etc.
  • Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.
  • Non-transitory computer-readable storage media refer to any medium or media that participate in providing instructions to a central processing unit (CPU) for execution. Such media can take many forms, including, but not limited to, non-volatile and volatile media such as optical or magnetic disks and dynamic memory, respectively. Common forms of non-transitory computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape, any other magnetic medium, a CD-ROM disk, digital video disk (DVD), any other optical medium, RAM, PROM, EPROM, a FLASHEPROM, and any other memory chip or cartridge.
  • a bus (e.g., bus 390) carries the data to system RAM, from which a CPU retrieves and executes the instructions.
  • system RAM can optionally be stored on a fixed disk either before or after execution by a CPU.
  • Various forms of storage may likewise be implemented as well as the necessary network interfaces and network topologies to implement the same.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

Systems and methods for managing data stream identity are provided. Ownership information regarding a data stream may be analyzed to identify at least one owner. The data stream may be filtered to identify at least one portion that is associated with the identified owner. A unique identifier may be assigned to the identified portion. The identified portion may be stored in memory in association with the assigned unique identifier and information regarding the identified owner. Access to the identified portion may be controlled based on settings set by the identified owner.

Description

DATA STREAM IDENTITY
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present patent application claims the priority benefit of U.S. provisional patent application number 62/692,371 filed June 29, 2018, the disclosure of which is incorporated by reference herein.
BACKGROUND OF THE INVENTION
1. Field of the Invention
[0002] The present invention generally relates to data stream management. More specifically, the present invention relates to managing identities assigned to data streams.
2. Description of the Related Art
[0003] Multiple different entities may be involved in different capacities as to the content of data streams. For example, different entities may be involved in the generation of the data, other contribution of data, analysis of the data, distribution of the data, consumption of the data, etc. As such, each entity may be associated with different portions of a data stream, as well as entitled to different rights to such portions. Each entity may be associated with different policies and requirements that such entity may wish to apply to their respective portions.
[0004] For example, a video stream may involve entities associated with the camera that captured the video, entities associated with the processing software (e.g., facial recognition) applied to the video, entities that appear in or are associated with images in the video, distributors of the video, and consumers or other recipients of the video.
[0005] There is currently no way, however, of associating a data stream (or defining specific segments therein) with entity-specific data of multiple entities with such granularity. For example, specific segments of the video may be associated with different entities, and such segments may overlap to different extents. No presently known system is capable of defining entity-specific segments within a single data stream for multiple different entities, associating such segments with respective entities, nor applying multiple different authorization requirements to different segments (some of which may overlap to different extents) of the same data stream.
[0006] There is, therefore, a need in the art for systems and methods of assigning, identifying, and managing identities associated with data streams.
SUMMARY OF THE CLAIMED INVENTION
[0007] Embodiments of the present invention allow for data sets to assume their own identity with individual requirements for lifecycle and access control management attached. In particular, individual data sets may be associated with a unique identifier. A data stream may be broken down, for example, into multiple data segments, which may be part of a data set.
Such data set may not necessarily be contiguous. For example, an individual may appear, then disappear, then reappear in a video at different points in time. Such individual may further appear in only a small portion of each image frame. As such, that individual may be associated with a data set comprising the respective portions in which he or she appears at the different points in time.
[0008] Various embodiments may include methods for managing data stream identity.
Such methods may include analyzing ownership information regarding a data stream to identify at least one owner, filtering the data stream to identify at least one portion that is associated with the identified owner, assigning a unique identifier to the identified portion, storing the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner, and controlling access to the identified portion based on settings set by the identified owner.
[0009] Further embodiments may include systems for managing data stream identity. Such systems may include a communication interface that receives a data stream over a
communication network, as well as a processor that executes instructions for analyzing ownership information regarding a data stream to identify at least one owner, filtering the data stream to identify at least one portion that is associated with the identified owner, and assigning a unique identifier to the identified portion. Systems may further include memory that stores the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner; and the processor may control access to the identified portion based on settings set by the identified owner. [0010] Yet further embodiments may include non-transitory computer-readable storage media having embodied thereon programs that are executable to perform the methods described herein.
BRIEF DESCRIPTION OF THE FIGURES
[0011] FIG. 1 illustrates a simplified network environment in which a system for managing data stream identity may be implemented.
[0012] FIG. 2 is a flowchart illustrating an exemplary method for managing data stream identity.
[0013] FIG. 3 illustrates an exemplary computing system that may be used to implement an embodiment of the present invention.
DETAILED DESCRIPTION
[0014] Embodiments of the present invention allow for data sets to assume their own identity with individual requirements for lifecycle and access control management attached. In particular, individual data sets may be associated with a unique identifier. A data stream may be broken down, for example, into multiple data segments, which may be part of a data set.
Such data set may not necessarily be contiguous. For example, an individual may appear, then disappear, then reappear in a video at different points in time. Such individual may further appear in only a small portion of each image frame. As such, that individual may be associated with a data set comprising the respective portions in which he or she appears at the different points in time.
[0015] FIG. 1 illustrates an exemplary network environment in which a system for managing data stream identity may be implemented. As illustrated, an exemplary network environment 100 may include a variety of different entities, including entity A 120A
(e.g., personal user devices), entity B 120B (e.g., individual users), entity C 120C (e.g., Internet of Things (IoT) devices), and entity D 120D (e.g., services/server systems). Such entities 120A-D may communicate over one or more different types of communication networks 110 with one or more identity servers A 130A and B 130B.
[0016] Communication network 110 may be a local, proprietary network (e.g., an intranet) and/or may be a part of a larger wide-area network. The communications network 110 may be a local area network (LAN), which may be communicatively coupled to a wide area network (WAN) such as the Internet. The Internet is a broad network of interconnected computers and servers allowing for the transmission and exchange of Internet Protocol (IP) data between users connected through a network service provider. Examples of network service providers are the public switched telephone network, cellular or mobile service providers, a cable service provider, a provider of digital subscriber line (DSL) services, or a satellite service provider. Communications network 110 allows for communication between the various components of network environment 100. [0017] In some instances, entities 120A-D may communicate with identity servers 130 over communication network 110 via an API gateway (not pictured). Such an API gateway may serve as an entry point for an entity 120 to a service mesh. API gateway may expose public endpoints for identification and authentication, as well as inject into a data stream contextual data (e.g., via a token to proxied requests signed using a private key issued exclusively for the API gateway (e.g., by an internal certificate authority in a security plane)). API gateway can enforce rich policies that can be created in identity server 130 (e.g., based on such factors as user attributes, roles, relationships, session attributes, current location, device information, authentication methods used, and risk factor of a transaction user or a device).
[0018] Entities 120A-D may use or be embodied in any number of different electronic devices, such as general purpose computers, mobile phones, smartphones, smartwatches, wearable devices, personal digital assistants (PDAs), portable computing devices (e.g., laptop, netbook, tablets), desktop computing devices, handheld computing device, smart sensors, smart appliances, IoT devices, devices networked to controllers for smart control, servers and server systems (including cloud-based servers and server systems), or any other type of computing device capable of communicating over communication network 110. Such devices associated with entities 120A-D may also be configured to access data from other storage media, such as local caches, memory cards, or disk drives as may be appropriate in the case of downloaded services. Devices associated with entities 120- A-D may include standard hardware computing components such as network and media interfaces, non-transitory computer-readable storage (memory), and processors for executing instructions that may be stored in memory.
[0019] Identity servers 130 may provide a platform for managing data stream identity. Identity server 130 may be installable in the cloud or on-premises. Such identity server 130 may also include a public key infrastructure (PKI) that allows for reading, generation, assignment, and management of digital certificates, security keys, and other encryption data. Identity server 130 may therefore uniquely associate each entity 120 with a set of identification data that allows for entity-specific identification, digital signature, and/or encryption. Entity-specific identity information may be generated by one or more identity servers 130, as well as other identity providers (e.g., Facebook, OAuth OpenID, biometric signatures). [0020] Identity servers 130 may generate a private key (e.g., PKI-based key) that is unique to each identified specific entity 120, which allows the entity 120 to be identified and allows the entity 120 to manage its associated data portions or segments within a stream. In some instances, identity server 130 may issue a private key to an entity 120 upon registrations. Otherwise, identity server 130 may identify a new entity 120that has not registered and issue a placeholder or nonce key to the identified new entity 120. Upon registration or attestation at a later point in time, the nonce key may be correlated with the identified new entity 120. The key issued by the identity server 130 allows the entity 120 to secure (e.g., encrypt or digitally sign) data portions within the stream with which the entity 120 is associated. As such, each entity 120 may have data-field level control over access to its respective data portions. In some instances, entity-specific identity data may be used to sign authorization policies that may then be packaged with the data stream. As such, if another wishes to access a data portion associated with a specific entity 120, such access may be governed by the authorization policies of the specific entity 120. Such authorization policies may govern various conditions under which the data portion is allowed to be accessed, for example, when the data portion may be access, how such data portion may be access, etc.
[0021] As entities 120 communicate data to each other, data may be added to a data stream that is associated with one or more entities 120. Different data segments of a data stream may be associated with a different set of entities 120. Each data portion may therefore be associated with different sets pf authorization policies. By breaking down such collections of data (e.g., a data stream) into data sets that can each be associated with unique identifiers, the different data sets may further be assigned to different entities 120. Each entity 120 may further exercise certain rights to their respective data set, which may also be subject to different policies and rules based on the entity 120 with which the data set is associated. Referring to the example above, an individual whose image appears in a video may be identified as an owner of the data set comprising the portions (including portions of each image frame) in which he or she appears. As such, the individual may choose to manipulate that data set (e.g., by blacking out, deleting, pixelating the respective portions) or restrict access permissions (e.g., remove from public view, restrict to identified individuals or groups). Moreover, the individual may live in certain jurisdictions with policies and rules that govern privacy rights, rights of publicity, and other rights. Such policies and rules may be applied, specifically to the data set.
[0022] A single data stream may therefore be associated with different owners assigned to the different data sets identified within the stream and assigned unique identifiers. Such identifier and ownership data may be stored in a database in association with the respective data sets in the data stream (e.g., a video). Ownership data may further reflect the location of the owner, as well as certain access and control rights specified by the set of authorization policies. Certain access and control settings specified by an owner may also be stored in association with the data set. An owner may further be given the authority to manage their respective data set, which may further be stored in an encrypted format. The respective encryption keys may then be shared with other individuals and groups authorized by the owner to access the underlying data set associated with the owner.
[0023] In some embodiments, the data stream itself may be treated holistically, allowing for association with multiple different encryption keys, different consent patterns, different ownership schemes, etc. based on the different data sets identified within the complete data stream.
[0024] The data stream may be processed by one or more identity servers 130, which may make use of various libraries to identify specific entities associated with the stream. For example, image libraries may be used to identify specific entities captured in a video stream. Some membership organizations or other associations, for example, may issue picture identification to its members or associates. Digital libraries that include such pictures may be used to identify when a member or associate is captured in a video stream. Conversely, identity server 130 (or a proxy) may also identify that an entity captured in the video is not a member or associate. As noted above, however, such non-member or non-associate may nevertheless be associated with a nonce key. The nonce key may later be correlated to the identity of the entity upon registration. The identity server 130 may therefore enforce the authorization policies associated with each data portion. Such enforcement may include granting or denying access, modifying the data stream (e.g., blur or pixelate an image of a specific entity), verifying authorization and conditions of the access, etc. [0025] FIG. 2 is a flowchart illustrating an exemplary method for managing data stream identity. The method 200 of FIG. 2 may be embodied as executable instructions in a non- transitory computer readable storage medium including but not limited to a CD, DVD, or non volatile memory such as a hard drive. The instructions of the storage medium may be executed by a processor (or processors) to cause various hardware components of a computing device hosting or otherwise accessing the storage medium to effectuate the method. The steps identified in FIGURE 2 (and the order thereof) are exemplary and may include various alternatives, equivalents, or derivations thereof including but not limited to the order of execution of the same.
[0026] In step 210, an entity 120 is assigned a private key by identity server 130. Such assignment may occur upon registration with a particular identity server 130 or upon identification as a new entity by the identity server 130. Such private key may be stored and managed by identity server 130 or associated proxies.
[0027] In step 220, a data stream may be generated in associated with one or more entities 120. Such data generation may include digital communications, capture (e.g., in video or audio) on digital media, or other association. As noted above, each data stream and portions thereof may be associated with a different set of entities 120. A video stream, for example, may have segments respectively associated with no entities, one entity, or multiple different entities. The
[0028] In step 230, identity server 130 may analyze ownership of the data stream. Such analysis may include use of various libraries to identify the presence or association of all entities associated with the data stream, whether known or unknown to the identity server 130.
[0029] In step 240 and 250, identity server 130 may filter the data stream by owner
(e.g., each different recognized entity with in the data stream) to identify data segments associated with each entity. In step 260, the identified segment(s) may then be associated with the private key associated with the owner entity, and in step 270, the association may be stored in memory of identity server 130 for use in processing future requests related to the data segment(s).
[0030] FIG. 3 illustrates an exemplary computing system 300 that may be used to implement an embodiment of the present invention. System 300 of FIG. 3 may be implemented in the contexts of the likes of entity A devices 120A, entity C 120C, or entity D 120D, as well as those used by used by entity B 120B. The computing system 300 of FIG. 3 includes one or more processors 310 and memory 310. Main memory 310 stores, in part, instructions and data for execution by processor 310. Main memory 310 can store the executable code when in operation. The system 300 of FIG. 3 further includes a mass storage device 330, portable storage medium drive(s) 340, output devices 350, user input devices 360, a graphics display 370, and peripheral devices 380.
[0031] The components shown in FIG. 3 are depicted as being connected via a single bus 390. However, the components may be connected through one or more data transport means. For example, processor unit 310 and main memory 310 may be connected via a local microprocessor bus 390, and the mass storage device 330, peripheral device(s) 380, portable storage device 340, and display system 370 may be connected via one or more input/output (1/0) buses 390.
[0032] Mass storage device 330, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 310. Mass storage device 330 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory
310.
[0033] Portable storage device 340 operates in conjunction with a portable non- volatile storage medium, such as a floppy disk, compact disk (CD) or digital video disc (DVD), to input and output data and code to and from the computer system 300 of FIG. 3. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 300 via the portable storage device 340.
[0034] Input devices 360 provide a portion of a user interface. Input devices 360 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 300 as shown in FIG. 3 includes output devices 350. Examples of suitable output devices include speakers, printers, network interfaces, and monitors. [0035] Display system 370 may include a liquid crystal display (LCD) or other suitable display device. Display system 370 receives textual and graphical information, and processes the information for output to the display device.
[0036] Peripherals 380 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 380 may include a modem or a router.
[0037] The components contained in the computer system 300 of FIG. 3 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 300 of FIG. 3 can be a personal computer, hand held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.
[0038] The present invention may be implemented in an application that may be operable using a variety of devices. Non-transitory computer-readable storage media refer to any medium or media that participate in providing instructions to a central processing unit (CPU) for execution. Such media can take many forms, including, but not limited to, non-volatile and volatile media such as optical or magnetic disks and dynamic memory, respectively. Common forms of non-transitory computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape, any other magnetic medium, a CD-ROM disk, digital video disk (DVD), any other optical medium, RAM, PROM, EPROM, a FLASHEPROM, and any other memory chip or cartridge.
[0039] Various forms of transmission media may be involved in carrying one or more sequences of one or more instructions to a CPU for execution. A bus (e.g., bus 390) carries the data to system RAM, from which a CPU retrieves and executes the instructions. The
instructions received by system RAM can optionally be stored on a fixed disk either before or after execution by a CPU. Various forms of storage may likewise be implemented as well as the necessary network interfaces and network topologies to implement the same.
[0040] While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. The descriptions are not intended to limit the scope of the invention to the particular forms set forth herein. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above- described exemplary embodiments. It should be understood that the above description is illustrative and not restrictive. To the contrary, the present descriptions are intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims and otherwise appreciated by one of ordinary skill in the art. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the appended claims along with their full scope of equivalents.

Claims

CLAIMS WHAT IS CLAIMED IS:
1. A method for managing data stream identity, the method comprising:
analyzing ownership information regarding a data stream to identify at least one owner; filtering the data stream to identify at least one portion that is associated with the identified owner;
assigning a unique identifier to the identified portion;
storing the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner; and
controlling access to the identified portion based on settings set by the identified owner.
2. The method of claim 1, wherein the unique identifier is a private key.
3. The method of claim 2, wherein the private key is based on public key infrastructure (PKI).
4. The method of claim 2, wherein controlling access to the identified portion includes encrypting the identified portion.
5. The method of claim 1, further comprising generating the unique identifier.
6. The method of claim 5, further comprising registering the identified owner in association with entity identification information in memory, wherein the unique identifier is generated upon registration.
7. The method of claim 5, wherein the identified owner is not associated with entity
identification information in memory, and wherein the unique identifier is a nonce identifier.
8. The method of claim 1, wherein the identified owner is associated with a plurality of different portions within the data stream.
9. The method of claim 1, wherein at least one portion associated with the identified owner is further associated with at least one other owner.
10. A system for managing data stream identity, the system comprising:
a communication interface that receives a data stream over a communication network; a processor that executes instructions stored in memory, wherein execution of the instructions by the processor:
analyzes ownership information regarding a data stream to identify at least one owner,
filters the data stream to identify at least one portion that is associated with the identified owner, and
assigns a unique identifier to the identified portion; and
memory that stores the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner,
wherein the processor controls access to the identified portion based on settings set by the identified owner.
11. The system of claim 10, wherein the unique identifier is a private key.
12. The system of claim 11, wherein the private key is based on public key infrastructure (PKI).
13. The system of claim 11, wherein the processor controls access to the identified portion by encrypting the identified portion.
14. The system of claim 10, wherein the processor further generates the unique identifier.
15. The system of claim 14, wherein the processor further registers the identified owner in association with entity identification information in memory, and wherein the unique identifier is generated upon registration.
16. The system of claim 14, wherein the identified owner is not associated with entity identification information in memory, and wherein the unique identifier is a nonce identifier.
17. The system of claim 10, wherein the identified owner is associated with a plurality of different portions within the data stream.
18. The system of claim 10, wherein at least one portion associated with the identified owner is further associated with at least one other owner.
19. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for managing data stream identity, the method comprising:
analyzing ownership information regarding a data stream to identify at least one owner; filtering the data stream to identify at least one portion that is associated with the identified owner;
assigning a unique identifier to the identified portion;
storing the identified portion in memory in association with the assigned unique identifier and information regarding the identified owner; and
controlling access to the identified portion based on settings set by the identified owner.
PCT/US2019/040202 2018-06-29 2019-07-01 Data stream identity WO2020006572A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP19825552.3A EP3815299A4 (en) 2018-06-29 2019-07-01 Data stream identity
JP2021522928A JP2021530071A (en) 2018-06-29 2019-07-01 Data stream identity
CN201980055893.0A CN113039746A (en) 2018-06-29 2019-07-01 Data stream identity

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862692371P 2018-06-29 2018-06-29
US62/692,371 2018-06-29

Publications (3)

Publication Number Publication Date
WO2020006572A2 true WO2020006572A2 (en) 2020-01-02
WO2020006572A3 WO2020006572A3 (en) 2020-01-30
WO2020006572A4 WO2020006572A4 (en) 2020-03-05

Family

ID=68987611

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/040202 WO2020006572A2 (en) 2018-06-29 2019-07-01 Data stream identity

Country Status (5)

Country Link
US (2) US10999067B2 (en)
EP (1) EP3815299A4 (en)
JP (1) JP2021530071A (en)
CN (1) CN113039746A (en)
WO (1) WO2020006572A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10999067B2 (en) 2018-06-29 2021-05-04 Cloudentity, Inc. Data stream identity

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633542B (en) * 2023-07-20 2023-10-27 深圳奥联信息安全技术有限公司 Data encryption method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070201694A1 (en) 2002-06-18 2007-08-30 Bolle Rudolf M Privacy management in imaging system
US20160294781A1 (en) 2015-01-25 2016-10-06 Jennifer Kate Ninan Partial or complete image obfuscation and recovery for privacy protection
WO2017027787A1 (en) 2015-08-12 2017-02-16 Google Inc. Systems and methods for managing privacy settings of shared content

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0317571D0 (en) 2003-07-26 2003-08-27 Koninkl Philips Electronics Nv Content identification for broadcast media
GB2404486A (en) * 2003-07-31 2005-02-02 Sony Uk Ltd Access control for digital storage medium content
US8200972B2 (en) * 2005-03-16 2012-06-12 International Business Machines Corporation Encryption of security-sensitive data by re-using a connection
US20070242880A1 (en) * 2005-05-18 2007-10-18 Stebbings David W System and method for the identification of motional media of widely varying picture content
US20070150934A1 (en) 2005-12-22 2007-06-28 Nortel Networks Ltd. Dynamic Network Identity and Policy management
US8024785B2 (en) * 2006-01-16 2011-09-20 International Business Machines Corporation Method and data processing system for intercepting communication between a client and a service
US7752449B1 (en) * 2006-02-22 2010-07-06 Avaya, Inc. System and method for generating a non-repudiatable record of a data stream
US20080010458A1 (en) * 2006-07-07 2008-01-10 Michael Holtzman Control System Using Identity Objects
US20100138652A1 (en) * 2006-07-07 2010-06-03 Rotem Sela Content control method using certificate revocation lists
US20080255928A1 (en) * 2007-04-10 2008-10-16 Thomas Joseph Tomeny Trusted networks of unique identified natural persons
US20090070266A1 (en) 2007-09-07 2009-03-12 Shah Rahul C System and method for physiological data authentication and bundling with delayed binding of individual identification
US20090210886A1 (en) 2008-02-19 2009-08-20 Bhojwani Sandeep M Method and system for defining financial transaction notification preferences
US8230272B2 (en) 2009-01-23 2012-07-24 Intelliscience Corporation Methods and systems for detection of anomalies in digital data streams
US10235439B2 (en) 2010-07-09 2019-03-19 State Street Corporation Systems and methods for data warehousing in private cloud environment
US8990574B1 (en) * 2010-10-06 2015-03-24 Prima Cinema, Inc. Secure device authentication protocol
EP2761540A1 (en) * 2011-09-27 2014-08-06 Telefonaktiebolaget L M Ericsson (publ) Management of data flows between networked resource nodes in a social web
WO2013123548A2 (en) * 2012-02-20 2013-08-29 Lock Box Pty Ltd. Cryptographic method and system
US9330277B2 (en) * 2012-06-21 2016-05-03 Google Technology Holdings LLC Privacy manager for restricting correlation of meta-content having protected information based on privacy rules
US9405988B2 (en) 2013-08-13 2016-08-02 James Alves License plate recognition
US9948682B2 (en) * 2015-08-11 2018-04-17 Vescel, Llc Data resource control through a control policy defining an authorized context for utilization of a protected data resource
US10346635B2 (en) 2016-05-31 2019-07-09 Genesys Telecommunications Laboratories, Inc. System and method for data management and task routing based on data tagging
US20180121663A1 (en) * 2016-11-01 2018-05-03 Microsoft Technology Licensing, Llc Sharing Protection for a Screen Sharing Experience
EP3539090A4 (en) * 2016-11-14 2020-11-04 Intrinsic Value, LLC Systems, devices, and methods for access control and identification of user devices
US20180182052A1 (en) * 2016-12-20 2018-06-28 Microshare, Inc. Policy Fabric And Sharing System For Enabling Multi-Party Data Processing In An IoT Environment
US11010614B2 (en) * 2017-01-26 2021-05-18 Matias Klein Total property intelligence system
GB2560177A (en) 2017-03-01 2018-09-05 Thirdeye Labs Ltd Training a computational neural network
US10484352B2 (en) * 2017-03-31 2019-11-19 Microsoft Technology Licensing, Llc Data operations using a proxy encryption key
CN113039746A (en) 2018-06-29 2021-06-25 云实体公司 Data stream identity
WO2020006573A1 (en) 2018-06-29 2020-01-02 Syntegrity Networks Inc. Filtering authorizations

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070201694A1 (en) 2002-06-18 2007-08-30 Bolle Rudolf M Privacy management in imaging system
US20160294781A1 (en) 2015-01-25 2016-10-06 Jennifer Kate Ninan Partial or complete image obfuscation and recovery for privacy protection
WO2017027787A1 (en) 2015-08-12 2017-02-16 Google Inc. Systems and methods for managing privacy settings of shared content

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3815299A4

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10999067B2 (en) 2018-06-29 2021-05-04 Cloudentity, Inc. Data stream identity
US11646875B2 (en) 2018-06-29 2023-05-09 Cloudentity, Inc. Data stream identity

Also Published As

Publication number Publication date
EP3815299A4 (en) 2022-03-23
US10999067B2 (en) 2021-05-04
JP2021530071A (en) 2021-11-04
CN113039746A (en) 2021-06-25
WO2020006572A4 (en) 2020-03-05
WO2020006572A3 (en) 2020-01-30
EP3815299A2 (en) 2021-05-05
US11646875B2 (en) 2023-05-09
US20210211280A1 (en) 2021-07-08
US20200014532A1 (en) 2020-01-09

Similar Documents

Publication Publication Date Title
US10623431B2 (en) Discerning psychological state from correlated user behavior and contextual information
JP6426189B2 (en) System and method for biometric protocol standard
EP3047626B1 (en) Multiple resource servers with single, flexible, pluggable oauth server and oauth-protected restful oauth consent management service, and mobile application single sign on oauth service
US9516066B2 (en) Rights management services integration with mobile device management
US9716724B1 (en) Cloud data loss prevention system
US20110167479A1 (en) Enforcement of policies on context-based authorization
EP3025229B1 (en) Data communications management
JP2020531981A (en) Computer implementation methods, computer programs and systems for identity verification using biometric data and irreversible functions over the blockchain
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
US8811944B2 (en) Authentication request management
US20220224535A1 (en) Dynamic authorization and access management
US11646875B2 (en) Data stream identity
EP3149582A1 (en) Method and apparatus for a scoring service for security threat management
AU2015296791A1 (en) Method and system for providing a virtual asset perimeter
US20200013060A1 (en) Filtering authorizations
CN114640713A (en) Data access monitoring and control
US20150281281A1 (en) Identification of unauthorized application data in a corporate network
US11310280B2 (en) Implementation of selected enterprise policies
US11647020B2 (en) Satellite service for machine authentication in hybrid environments
WO2007090866A1 (en) Collaborative access control in a computer network
EP2790123B1 (en) Generating A Data Audit Trail For Cross Perimeter Data Transfer
US11977620B2 (en) Attestation of application identity for inter-app communications
US11798001B2 (en) Progressively validating access tokens
US20220414204A1 (en) Systems for enhanced bilateral machine security
CN115314264A (en) Key management service system, key management method, gateway and equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19825552

Country of ref document: EP

Kind code of ref document: A2

ENP Entry into the national phase

Ref document number: 2021522928

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019825552

Country of ref document: EP

Effective date: 20210129

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19825552

Country of ref document: EP

Kind code of ref document: A2