WO2022251894A1 - Systems and methods for sharing and authenticating secure digital files - Google Patents

Systems and methods for sharing and authenticating secure digital files

Info

Publication number
WO2022251894A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
document
key
artefact
digital
Prior art date
Application number
PCT/AU2021/050534
Other languages
English (en)
Inventor
Paul Zietsman
Michael Joseph
Original Assignee
Medikey Australia Pty Ltd
Application filed by Medikey Australia Pty Ltd
Priority to PCT/AU2021/050534
Priority to AU2021107618A (AU2021107618A4)
Publication of WO2022251894A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/33 User authentication using certificates
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures, using a third party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s), using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s), using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords, using one-time-passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/608 Watermarking
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00, applying multi-factor authentication

Definitions

  • The present invention generally relates to digital information security (InfoSec) and, in particular, to systems and methods for establishing a trusted and secure digital asset management platform that enables its subscribers to securely store their digital assets and to specify the flow of their encrypted documents when requesting authentication, submitting and/or sharing them with the intended platform users or agencies.
  • Digital transformation is a term that has been used and heard over the past ten years across individuals, organisations and government agencies. In a very narrow and simple sense it may refer to the concept of "going paperless" or reaching "digital business maturity", affecting both individual businesses and whole segments of society. There is clear evidence that the digital transformation is already underway: for example digital documents, digital receipts, official digital letters, digital statements and even digital driving licences, where the transaction occurs online, within a secure system, via digital communication with trusted devices or an associated mobile device, rather than by traditional hand-to-hand exchange, surface mail and/or human assessment of a physical ID.
  • Cloud-based storage at an endpoint of the Internet provides ubiquitous access to a user's files and applications from any capable endpoint, at any time.
  • The traditional paradigm for protecting sensitive information stored in cloud-based locations on the Internet is a password, i.e. the user's knowledge factor. For access, a user presents log-in credentials to a server, which are verified against known credentials stored at the server.
  • This comparison paradigm is vulnerable to phishing or key-logging attacks by imposters, hacking or network sniffing, and even guessing by trial and error.
  • The user's files and applications are then open not only to undetected theft by copying, but to vandalism by deletion.
  • The entire account is exposed at once, because individually protecting each file and application with a unique password (i.e. with encryption techniques) is not commonly practical, and applying encryption techniques is normally not something every individual can carry out.
  • United States Patent No. 9,922,207, Chinese Patent Publication No. 102761521B and United States Patent No. 9,767,299 disclose the concept in which a symmetric file key is generated or provided for file encryption, the file key is encrypted with the user's asymmetric public key, and both the encrypted file and the encrypted file key are stored on the server. To decrypt the file, the user's asymmetric private key is used to recover the file key, and the file key is then used to decrypt the file. The user's asymmetric private key is kept securely on the user's device, where it can be reconstituted with the user's password. For file sharing, the file key is encrypted with the public key of the user with whom the file will be shared. The file key may be randomly generated to minimise the risk should the file key be compromised.
  • United States Patent No. 8,954,758 goes beyond the password-protected private key in these documents by proposing the use of a human gesture to form and then reconstitute a cryptographic key, whereas United States Patent No. 9,070,112 proposes an asymmetric file key for file encryption.
  • United States Patent No. 9,537,918 discloses that the secret key is sent to the other users with whom the file will be shared via an 'out-of-band' channel.
  • The techniques discussed may improve the security of cloud storage, but the risk, especially the risk of chained failure, remains high.
  • None of those techniques provides a mechanism to prevent fraudulent use or re-purposing of the document.
  • The present invention is directed to systems and methods for secure digital file sharing and authentication, which may at least partially overcome at least one of the above-mentioned disadvantages or provide the consumer with a useful or commercial choice.
  • The present invention, in one form, resides broadly in a system for secure digital file storing, sharing and authenticating, the system including:
  • At least one computer server operating a primary server software application
  • At least one user with a personal computing device operating a client software application configured to communicate with the primary server software application, the user provided with a unique account following a registration process with the system, the registration process based on receipt of a combination of at least one knowledge factor, possession factor and inherence factor from the user by the primary server software application collected during the registration process; upon successful user registration, the client software application on the personal computing device automatically generates a registered user asymmetric cryptography keypair including a user public key and a user private key, and stores the keypair on the personal computing device, the client software application encrypting at least the user’s at least one knowledge factor and the user private key before providing to the at least one computer server, the user’s at least one knowledge factor remaining encrypted at all times at the at least one computer server, the system thereafter using the asymmetric cryptography keypair to allow the user to securely store, in a digital artefact repository, a digital artefact utilising multilayer encryption of the digital artefact with geographically non-collocated cryptography modules, said geographical
  • The present invention finds particular use in the management of digital documents.
  • The client software application may be or include a secure website accessed on the user's personal computing device, or a proprietary client software application installed on the user's personal computing device.
  • Knowledge factors require the user to demonstrate knowledge of hidden information. Routinely used in single-layer authentication processes, knowledge factors can come in the form of passwords, passphrases, PINs or answers to secret questions.
  • Possession factors are physical entities possessed by the authorised user and used to connect to the client computer or portal.
  • Connected tokens are preferably items which physically connect to a computer in order to authenticate identity. Items such as card readers, wireless tags and USB tokens are common connected tokens used to serve as a possession factor during a multi-factor authentication process.
  • Disconnected tokens are items which do not directly connect to the client computer - instead requiring input from the individual attempting to sign in. Most typically, a disconnected token device will use a built-in screen to display authentication data which is then utilised by the user to sign in, where and when prompted.
  • Any possession factors used in the system of the present invention may be provided to a user and/or created by or as a part of the client software application.
  • Inherence factors are metrics intrinsically owned by the authorised individuals. These often take the form of biometrics - such as fingerprint readers, retina scanners or voice recognition.
  • In order to view a digital artefact that is stored in the system of the present invention, such as a digital document, a registered user would first successfully log in to the user account using the client software application on the user's personal computing device.
  • The registered user can then preferably select any digital artefact for action; for example, a digital document can be selected for viewing via the client software application on the user's personal computing device.
  • The selected artefact ID(s) are submitted to the primary server software application operating on the at least one computer server, where the multilayer-encrypted document and the encrypted unique document encryption key corresponding to the submitted artefact ID are retrieved from the digital artefact repository and the key vault respectively, for use at a first decryption engine to recover the user public-key encrypted document (i.e. the document still remains encrypted).
  • The primary server software application operating on the at least one computer server then preferably sends the user public-key encrypted document to the client software application on the user's personal computing device, where the user private key is autonomously retrieved by the client software application for use at a second decryption engine in decrypting the user public-key encrypted document.
  • The document is then displayed via the client software application on the user's personal computing device.
  • The system of the present invention is also preferably configured to provide secure digital artefact sharing services, where a first user can share his/her stored digital artefact, or any artefact in his/her possession, with one or more second users within the system, with high confidence that the shared artefact is protected by the system from fraudulent misuse and/or repurposing.
  • The preferred process of sharing an artefact by a first user means allowing another party (i.e. one or more second users) to view the shared artefact.
  • A first user would first successfully log in to the user account using the client software application on the user's personal computing device.
  • The first user can then select one or more stored artefact(s) for sharing and further select the second user(s) who will receive the shared artefact(s).
  • The artefact(s) selected for sharing may be in the first user's digital artefact repository, or may be in his/her possession but not yet uploaded to the system at the time the sharing request is made (for example, where the artefact is loaded and an immediate sharing request is made). If the selected artefact has not been uploaded to the first user's digital artefact repository, then, preferably without user intervention, the artefact intended for sharing is autonomously uploaded to the first user's digital artefact repository using the artefact loading process discussed above, which returns the artefact ID as a reference for use in the sharing process.
  • The client software application on the personal computing device will typically submit the artefact ID(s), the second user ID(s) and any other sharing attributes chosen by the first user to the primary server software application operating on the at least one computer server.
  • The sharing attributes chosen by the first user may include restrictions on how the shared artefact can be used.
  • The multilayer-encrypted document(s) and the encrypted unique document encryption key corresponding to the submitted document ID(s), together with the first user's keypair, are retrieved from the first user's digital artefact repository and the key vault respectively for use within a third decryption engine.
  • The original artefact is briefly recovered and a digital copy of the artefact is preferably generated for sharing.
  • The digital copy of the original artefact is preferably low-resolution (compared to the original) and watermarked (if a document), making it immediately distinguishable from the original artefact within the ecosystem of the invention.
  • The public key corresponding to the second user is retrieved from the key vault for use in the third encryption engine.
  • The low-resolution and watermarked copy (208) is then preferably encrypted with the or each retrieved public key, and a unique document encryption key is then preferably generated.
  • The multilayer-encrypted low-resolution and watermarked copy is then saved in the second user(s)' (recipient) folder or repository.
  • The second user shall preferably become the (beneficial) owner of the shared low-resolution and watermarked copy of the original digital artefact.
  • A notification (for example, a push notification) is preferably generated and sent to the or each second user to notify them that they have received a shared document.
  • Shared documents can only be viewed from within the system by the rightful beneficial owner.
  • Upon receiving a notification of a shared document from the system on behalf of the first user, a second user will preferably log in to the system and choose the shared document to view.
  • The primary server software application operating on the at least one computer server preferably securely verifies the second user's private key, and then retrieves the double-layer encrypted shared copy and the unique document encryption key corresponding to the submitted shared document ID from the second user's document folder or repository and the key vault respectively, for use in decrypting at the first decryption engine to recover the second user group public-key encrypted shared copy.
  • The primary server software application operating on the at least one computer server then preferably sends the second user public-key encrypted shared copy to the requesting client software application on the user's personal computing device, where the second user private key is preferably autonomously retrieved by the client software application for use at the second decryption engine in decrypting the second user key encrypted copy.
  • The low-resolution and watermarked copy is then preferably displayed via the client software application on the user's personal computing device.
  • The use of the displayed low-resolution and watermarked copy at the second user's device may be restricted depending on the sharing attributes configured by the first user. The restrictions may include editing, downloading and/or printing.
  • the multilayer encryption model with geographically non-collocated cryptography modules architecture may in turn comprise one cryptography module at the client-side and at least one cryptography module at the server-side.
  • the at least one client-side cryptography module will preferably be provided by or as a part of the client software application.
  • the at least one client-side cryptography module preferably always uses the system registered user’s RSA public key for encrypting the user artefact, and the corresponding user’s RSA private key for decrypting the public-key encrypted artefact.
  • the RSA keypair (i.e. public key and corresponding private key) is preferably automatically generated at the client-side by the client software application upon the successful user registration using the client software application installed on the user personal computing device.
  • a copy of the encrypted user private key and the corresponding user public key are preferably transferred to the primary server software application operating on the at least one computer server for centralised key management.
  • An encrypted user private key is preferably further encrypted before it is saved in a system key vault.
  • there can be one or more system key vaults.
  • the server-side cryptography module may use the symmetric document key for re-encrypting the user public-key encrypted artefact, and for decrypting the multilayer encrypted artefact.
  • a symmetric artefact key is preferably uniquely generated by the primary server software application operating on the at least one computer server for each artefact loaded and/or created, including any digital copy of the artefact which is generated for sharing.
  • the server generated symmetric artefact key is preferably encrypted with the artefact owner’s private key and then normally saved in the key vault.
  • the automated and secure artefact sharing process may only require that a first user within the system selects the artefact for sharing, defines the sharing attributes, and selects one or more second users who will receive the shared artefact.
  • the primary server software application operating on the at least one computer server within the secure system preferably briefly retrieves, from the first user’s repository, the artefact corresponding to the selected artefact ID, and generates a low-resolution & watermarked digital copy of the artefact for sharing.
  • the generated low-resolution & watermarked digital copy of the artefact for sharing is preferably multilayer encrypted with the second user public key and then with the unique artefact key, and saved in the second user(s) repository.
  • the generated low-resolution & watermarked digital or shared copy preferably becomes the property of the second user.
  • the generated low-resolution & watermarked digital copy is preferably encrypted in such a way that it can only be decrypted and viewed within the system by the rightful second user(s).
  • the automated and secure digital certification of a digital artefact may only require a first user within the system to select the artefact for authentication or certification, and to select the second user(s) who will authenticate or certify the artefact copy.
  • the generated low-resolution & watermarked digital copy is preferably multilayer encrypted then saved in the second user repository and notification is sent to the second user once saving has been completed.
  • the second user may view the generated low-resolution & watermarked digital copy, verify the generated low-resolution & watermarked digital copy by comparing the generated low-resolution & watermarked digital copy with source system data, and then cryptographically sign the generated low-resolution & watermarked digital copy.
  • the cryptographically signed copy is preferably multilayer encrypted then saved into the first user repository for viewing only by the first user, and/or into a third-party user repository for viewing only by the third user, if the third user is included by the first user.
  • the system may further include an IDAM (Identity and Access Management) server for user registrations, device registrations & associations, user logins, user identity verification/validation/authentication, password resets & recoveries, group configurations & reconfigurations, and document or file processing requests.
  • the system may further include one or more databases for securely keeping the system registered users’ information.
  • the system may further include one or more digital key vaults for securely storing the system registered users’ keys, keypairs and/or artefact keys.
  • the system may further include artefact repositories for secure retention of the system registered users encrypted digital artefacts or assets such as documents or files.
  • the system of the present invention is preferably scalable and may be deployable on public cloud, private cloud, or hybrid cloud.
  • a user may register for an account through a secure website accessed via the user personal computing device or client software application installed on the user personal computing device.
  • the primary server software application operating on the at least one computer server will preferably associate the personal computing device (for example using an IMEI number or equivalent identification) and/or secure website or client software application with the registered user account.
  • the system may subject the first time login to strong multifactor authentication linking with the current associated device(s).
  • the system may send a one-time passcode to the client software application installed on a user personal computing device or otherwise use multifactor authentication to authenticate the user and/or personal computing device.
  • the primary server software application operating on the at least one computer server may associate the new personal computing device with the registered user account.
  • the present invention is therefore directed to a system and method for realising a cloud-based secure digital asset management platform, which may at least partially overcome at least one of the disadvantages mentioned in the background section, or provide the consumer with a useful or commercial choice.
  • the system of a preferred embodiment preferably provides services including, but not limited to, secure storage of the user’s digital assets, secure document sharing in a way that prevents fraudulent use or re-purposing of the document, and document certification supporting non-repudiable certification of document authenticity.
  • the system preferably comprises the secure server operating a primary software application, a secure website, and/or a secure mobile application for being installed on any personal computing device or smart device capable of internet access.
  • the secure platform is preferably scalable and preferably comprises IDAM (Identity and Access Management) servers, secure databases, secure key vaults, and a secure document repository.
  • the IDAM servers are used for user registrations, device registrations, user logins, user identity verifications, validations and authentications, password resets & recoveries, group configurations & reconfigurations, and document or file processing requests.
  • the database is preferably for securely keeping the registered user’s information; the key vaults are for securely storing the registered user’s keys and/or keypair.
  • the document repository is preferably for securely retaining the registered users encrypted digital assets such as documents or files.
  • the platform may be deployed in public cloud, private cloud, or hybrid cloud.
  • a user at an endpoint of the internet may, via the website or the client software application installed and operable on their smart device, register for an account.
  • the device and client software application on that device are associated with the user account as part of the system security.
  • the system’s multifactor authentication may generate a one-time passcode and send it to the app on the associated device(s). The one-time passcode is used for authentication from the new device.
  • upon successful login on a new device, the device is associated with the registered user account, and copies of the user’s encrypted RSA private key and the associated public key are transferred to the new device for subsequent use.
  • One embodiment of the present invention relates to the cryptographic based security method that ensures individuals’ documents are strongly protected.
  • the security method preferably comprises multilayer encryption with geographically non-collocated cryptography modules distributed across the client side and the server side, to eliminate single points of failure and chained failure.
  • a plaintext file entering the system at the client side is preferably automatically encrypted by the client-side first cryptography module using the user public key, for secure transportation to the server.
  • the ciphertext file is preferably further encrypted at the server-side second cryptography module using the uniquely generated document key, for secure storage in the user repository.
  • a document that has been uploaded to the platform can preferably only be accessed and/or viewed from within the system by the document owner, thus helping to realise the concept that the user is the one who owns the data in the cloud storage environment.
  • Another embodiment of the present invention relates to the method that enables a first user as the primary document owner within the system, to securely share a document or a suite of documents with other second users, in a way that prevents fraudulent use or re-purposing of the document.
  • the method may involve a first user as the document owner and one or more second users as the person(s) with whom the document is shared.
  • the method preferably comprises the steps of: the first user selecting the document for sharing and one or more second users; the server retrieving the document intended for sharing from the first user repository; the server generating a low-resolution & watermarked digital version of the document; the server performing multilayer encryption on the low-resolution & watermarked digital copies with a second user group public key and then with the second user group document key; the server saving the multilayer encrypted low-resolution & watermarked digital copies in the second users’ repositories, thus making the second user the (beneficial) owner of the shared low-resolution & watermarked digital copies; and then the server preferably notifying the second users, on behalf of the first user, that they have received a shared document.
  • the shared documents can typically only be viewed from within the system (requiring registration and login) by the intended second users.
  • a further embodiment of the present invention relates to a method enabling documents to be certified by document originators, or a certifying body, supporting non-repudiable certification of document authenticity.
  • the method may involve a first user as the document owner, a second user as the document originator or certifying body approved by the business, and third users as the shared document receivers.
  • the method preferably comprises the steps of: the first user selecting the document to be certified or authenticated and further selecting the second user and one or more third users; the server preferably retrieving the document to be certified from the first user repository and generating a reduced-resolution & watermarked digital version of the document; the server preferably performing multilayer encryption on the reduced-resolution & watermarked digital version with the second user public key and then with the uniquely generated document key; the server preferably saving the multilayer encrypted reduced-resolution & watermarked digital version in the second user’s repository; and the server preferably notifying the second user, on behalf of the first user, that they have received a document for authentication.
  • the second user within the system may verify the reduced-resolution and watermarked digital version by comparing the digital version with their source system data and then typically cryptographically signs the reduced-resolution & watermarked version, completing certification.
  • the second user may be given the authority by the system to directly view the original corresponding to the copy for the verification purpose.
  • the server then preferably multilayer encrypts the authenticated or certified copy with the first user public key and then with the uniquely generated document key.
  • the multilayer encrypted copy is then typically saved into the first user’s repository by the server and the first user is notified by the server on behalf of the second user.
  • the server may multilayer encrypt the authenticated or certified copy with the group public key and then with the uniquely generated group document key.
  • the said group may include the first user and one or more third users.
  • the multilayer encrypted copy is then preferably saved into the first user’s repository and the third users’ repositories by the server and the first user and third users are preferably notified by the server on behalf of the second user.
  • the authenticated or certified documents can only be viewed from within the system by the first user and/or the third users.
  • the third user or whoever views the digitally signed document does so within the system, and sees visual evidence - text, image or both - that verifies that the document is certified.
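The signing and verification steps of the certification flow above, as an added worked example in Go; this is editor-written illustration code, not code from the patent or from Medikey. It assumes Ed25519 for the certifier's signature (the page says only "cryptographically sign"), a signed record built from SHA-256 hashes of the reduced copy and of the original rather than from their contents, a UTC timestamp, and a registry of certifier public keys as the trust anchor. The certifier ID and the sample bytes are constructed. Verify is what the system would run before showing the third user the "certified" visual evidence: it checks that the certifier is known, that the bytes about to be displayed are the bytes that were signed, and that the signature is valid over the whole record, so a changed copy, a changed timestamp or an unknown certifier all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Certificate is the record the certifying second user signs. It binds the reduced-resolution copy,
// the original it was derived from, the certifier and the time, by hash rather than by content, so
// the record can travel with the copy without revealing either document.
type Certificate struct {
	CopyHash     string    `json:"copy_sha256"`
	OriginalHash string    `json:"original_sha256"`
	Certifier    string    `json:"certifier"`
	CertifiedAt  time.Time `json:"certified_at"`
}

// SignedCertificate travels with the certified copy into the first and third users' repositories.
type SignedCertificate struct {
	Cert Certificate
	Sig  []byte // Ed25519 signature over the JSON encoding of Cert
}

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Certify is run by the second user once the copy has been checked against their source system data.
// Ed25519 and the hash-based record are assumptions of this example (the page says only "cryptographically sign").
func Certify(priv ed25519.PrivateKey, certifier string, reduced, original []byte, at time.Time) (SignedCertificate, error) {
	cert := Certificate{digest(reduced), digest(original), certifier, at.UTC().Truncate(time.Second)}
	msg, err := json.Marshal(cert)
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{cert, ed25519.Sign(priv, msg)}, nil
}

// Verify is run by the system before the "certified" visual evidence is shown to a viewer.
// certifiers maps certifier IDs to their registered public keys and is the trust anchor.
func Verify(certifiers map[string]ed25519.PublicKey, sc SignedCertificate, reduced []byte) error {
	pub, ok := certifiers[sc.Cert.Certifier]
	if !ok {
		return fmt.Errorf("unknown certifier %q", sc.Cert.Certifier)
	}
	if digest(reduced) != sc.Cert.CopyHash {
		return fmt.Errorf("displayed copy does not match the certified copy")
	}
	msg, err := json.Marshal(sc.Cert)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Sig) {
		return fmt.Errorf("certificate signature invalid")
	}
	return nil
}
```

The signed record deliberately contains the hash of the original as well as of the copy: the first user, who holds the original, can later prove which original a certified copy was derived from, while a third user who only holds the copy learns nothing about the original's contents from the record.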
  • Figure 1 is a schematic view of the system architecture of a system according to a preferred embodiment of the present invention.
  • Figure 2 shows a method of loading a digital file into the system of a preferred embodiment for secure storing.
  • Figure 3 is a graphical representation of a detailed design for loading a document into the system of a preferred embodiment for secure storing, sharing and/or request for authentication.
  • Figure 4 shows a method of viewing a stored digital file within the system of a preferred embodiment for secure storing.
  • Figure 5 is a graphical representation of a detailed design for viewing a document in the system of a preferred embodiment.
  • Figure 6 shows a method of sharing a digital document/file within the system of a preferred embodiment.
  • Figure 7 is a graphical representation of a detailed design for sharing a document in the system of a preferred embodiment.
  • Figure 8 is a graphical representation of a detailed design for viewing a shared document in the system of a preferred embodiment.
  • Figure 9 shows an exemplary method of automated authentication and sharing within the system of a preferred embodiment.
  • a system for secure digital file sharing and authenticating is provided.
  • the system for secure digital file sharing and authenticating of a preferred embodiment includes a computer server operating a primary server software application and multiple users, each having an associated personal computing device operating a client software application configured to communicate with the primary server software application.
  • Each user is provided with a unique account following a registration process with the system, the registration process based on receipt of a combination of at least one knowledge factor, possession factor and inherence factor from the user by the primary server software application collected during the registration process.
  • upon successful user registration, the client software application on the personal computing device automatically generates a registered user asymmetric cryptography keypair including a user public key and a user private key, and stores the keypair on the personal computing device, typically with a backup stored on the computer server operating the primary server software application.
  • the client software application encrypts at least the user’s at least one knowledge factor and the user private key before providing them to the at least one computer server, and the user’s at least one knowledge factor remains encrypted at all times at the at least one computer server.
  • the system thereafter uses the asymmetric cryptography keypair to allow the user to securely store, in a digital artefact repository, one or more digital artefacts, which will typically be documents or files, utilising multilayer encryption of the digital artefact with geographically non-collocated cryptography modules, said geographically non-collocated cryptography modules including a first encryption engine for first layer encryption using the user public key at the user side and a second encryption engine for second layer encryption using a unique document encryption key at the at least one computer server.
  • the unique document encryption key includes a symmetric key which is generated by the at least one computer server uniquely for every new digital artefact loaded into the system or created within the system, encrypted with the user private key and stored in an electronically stored key vault.
  • the present invention finds particular use in the management of digital documents.
  • the client software application will normally be or include a secure website accessed on the user personal computing device or a proprietary client software application installed on the user personal computing device, the use of which is capable of identifying the user and/or the user personal computing device, typically using an IMEI number or equivalent.
  • FIG 1 illustrates the high-level view of the ecosystem architecture. The techniques and methods disclosed below apply several well-established cryptographic methods to secure the registered users’ data and privacy information, and establish the trust system and platform of the present invention, hereinafter named ‘i-dentify’, for safe and confident digital asset management, including but not limited to storing, sharing and processing digital artefacts (e.g. a document or file) with a high level of automation, in a way that prevents fraudulent misuse and/or repurposing of those artefacts within the said ‘i-dentify’ system.
  • the preferred ‘i-dentify’ ecosystem architecture (01) comprises:
  • a set of APIs or adaptors (51) enables the i-dentify platform to securely interact with other system(s) (50).
  • the secure i-dentify platform (20) in turn comprises the IDAM (Identity and Access Management) server(s) (21), the secure database (22), the secure key vaults (23) and the secure document repository (24).
  • the IDAM server(s) are designed to handle new user registration, new device registration, user login, user identity verification/validation/authentication, password reset & recovery, new & existing group configuration & reconfiguration, and new & existing document or file processing requests.
  • the database (22) is designed for securely keeping the i-dentify registered users information
  • the key vaults (23) are designed to securely store the i-dentify registered users’ keys
  • the document repository (24) is designed to securely retain the i-dentify registered users encrypted digital assets such as documents or files.
  • the secure i-dentify platform (20) is designed to be deployed in a public cloud, private cloud, or hybrid cloud, which enables new users to register and registered users to access and share their digital assets via the secure i-dentify website or secure i-dentify mobile apps on their associated smart devices anytime and anywhere.
  • in order to use the i-dentify digital asset management services, including but not limited to confidential digital document safe-keeping, sharing, approving and certification or authentication, a user must register for an account via the secure i-dentify website or the i-dentify mobile app installed on his/her associated smart device. There is one and only one account for each successfully registered user.
  • the i-dentify system may provide several types of user account depending on a user’s privileges and/or authorities.
  • a standard-user account may allow a registered user to only use the i-dentify platform in securely retaining his/her own authenticated original digital document, in securely sharing his/her digital document with other i-dentify registered user(s) or agencies without concern whether his/her shared document will be fraudulently misused and/or repurposed, or in requesting another i-dentify registered power-user to certify his/her digital copy.
  • a power-user account, such as the one for an authorised person like a justice of the peace, may allow a user to view the relevant authenticated original digital document when certifying the corresponding digital copy.
  • a privilege-user account, like the one for a government agency such as VicRoad for example, may allow a user to trigger a built-in API (51) that interacts with their external system (50) for information verification/validation, such as a driver licence status inquiry.
  • a privilege-user account may be configured for group usage, i.e. a plurality of users in an agency may share the same account.
  • the i-dentify system shall, via its secure i-dentify website or the mobile app installed on the user’s device, collect a plurality of the user’s knowledge factors, possession factors, and inherence factors. Three or more of those factors shall be used in an interoperable manner to confirm the registering user’s identity, and two or more of those factors shall be used to authenticate the user upon subsequent logins or automated password recovery/reset. It should be noted that the i-dentify system only collects and securely retains the registered user’s knowledge factors and possession factors, whereas the registered user’s inherence factors such as fingerprint or facial attributes are collected and stored in the user’s associated trusted smart device (i.e.
  • an in-app API call from the i-dentify system triggers the biometric matching function, which delivers the matching result (i.e. positive or negative) to the i-dentify server for use in deciding whether to grant access to the registered user.
  • upon successful user registration via the i-dentify mobile app on the user’s associated device, the i-dentify mobile app automatically generates the registered user’s corresponding RSA keypair (i.e. user public key and user private key; client-side key generation).
  • the client-side generated RSA keypair is securely kept on the registered user’s associated device, and a copy is securely transmitted to the i-dentify server for central management.
  • the RSA asymmetric public key and private key will subsequently be used in encrypting the user’s document or file to secure data transmission prior to uploading to the i-dentify server and decrypting the user’s downloaded encrypted document or file for viewing at the user’s device(s).
  • the “elevated encryption” technique is used to encrypt the collected user’s knowledge factors and the user’s RSA private key at the client side (e.g. the user’s computer web browser or the mobile app on the user’s device), using the ‘in-app built-in encryption/decryption engine’, before they are transported to the i-dentify servers (21), where an additional layer of encryption is applied before they are stored in the secure database (22).
  • a registered user (e.g. 04) may use more than one associated device; the i-dentify server’s device management function facilitates this flexibility by securely transferring the centrally stored user’s RSA public key and encrypted RSA private key to the new device upon the successful first login from that device, where the transferred keypair will subsequently be used autonomously for encryption and decryption on that device.
  • the i-dentify system shall enforce a multifactor authentication process where, in the second step of MFA, a one-time in-app passcode may be sent to the primary or previously used associated device of the user (e.g. 07), to be used for authentication on the new device (e.g. 08).
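The new-device step described above (a one-time passcode pushed to an already associated device, e.g. 07, and entered on the new device, e.g. 08), as an added worked example in Go; this is editor-written illustration code, not code from the patent or from Medikey. The passcode length (6 digits), the 5-minute validity, the 5-attempt limit, the challenge and device identifiers and the user IDs are all assumptions made for the example. Only an HMAC of the passcode is stored, so reading the pending table does not reveal live codes; the comparison is constant-time; a challenge is bound to the device that asked for it, expires, is single-use, and locks after too many wrong attempts. Push is returned to the caller here so the associated device can be simulated; in the real system it would go out as the in-app notification.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// challenge is one outstanding second-step check for a first login from a device that is not yet
// associated with the account. Only an HMAC of the passcode is kept, never the passcode itself.
type challenge struct {
	user, newDevice string
	mac             []byte
	expires         time.Time
	attempts        int
}

// Push is the in-app notification that would be delivered to the associated device; it is returned
// to the caller here so the associated device can be simulated (an assumption of this example).
type Push struct{ ToDevice, Code string }

// MFA models the IDAM server's new-device step. devices[user] lists associated devices in
// registration order; the first is the primary device that receives the pushed passcode.
type MFA struct {
	secret  []byte
	devices map[string][]string
	pending map[string]*challenge
	now     func() time.Time
}

func NewMFA(devices map[string][]string) *MFA {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	return &MFA{secret, devices, map[string]*challenge{}, time.Now}
}

func (m *MFA) tag(user, dev, code string) []byte {
	h := hmac.New(sha256.New, m.secret)
	fmt.Fprintf(h, "%s\x00%s\x00%s", user, dev, code)
	return h.Sum(nil)
}

// Begin is called after the first factor has succeeded on newDevice. It issues a 6-digit passcode,
// valid for five minutes and bound to this user and this device, and pushes it to the primary device.
func (m *MFA) Begin(user, newDevice string) (string, Push, error) {
	devs := m.devices[user]
	if len(devs) == 0 {
		return "", Push{}, fmt.Errorf("%s has no associated device to push to", user)
	}
	for _, d := range devs {
		if d == newDevice {
			return "", Push{}, fmt.Errorf("%s is already associated with %s", newDevice, user)
		}
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", Push{}, err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", Push{}, err
	}
	id := hex.EncodeToString(raw)
	m.pending[id] = &challenge{user, newDevice, m.tag(user, newDevice, code), m.now().Add(5 * time.Minute), 0}
	return id, Push{devs[0], code}, nil
}

// Complete checks the passcode typed on the new device: known challenge, not expired, at most five
// attempts, same device, constant-time comparison, single use. On success the device is associated.
func (m *MFA) Complete(id, device, code string) error {
	c, ok := m.pending[id]
	if !ok {
		return fmt.Errorf("unknown or already used challenge")
	}
	if m.now().After(c.expires) {
		delete(m.pending, id)
		return fmt.Errorf("passcode expired")
	}
	if c.attempts++; c.attempts > 5 {
		delete(m.pending, id)
		return fmt.Errorf("too many attempts")
	}
	if device != c.newDevice || !hmac.Equal(c.mac, m.tag(c.user, device, code)) {
		return fmt.Errorf("passcode rejected")
	}
	delete(m.pending, id)
	m.devices[c.user] = append(m.devices[c.user], device)
	return nil
}
```

Binding the device ID into the HMAC is what stops a passcode captured from device 07 being replayed to associate a device the attacker controls: the code only completes the challenge for the device named when it was issued. The attempt limit matters because a 6-digit code has only a million values; without it, the five-minute window is enough to guess online.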
  • the most basic service that the i-dentify system is designed to provide is secure storing and viewing of documents or digital artefacts, where an i-dentify registered user may utilise the i-dentify platform as his/her cloud repository for securely retaining his/her own digital assets, which can be accessed only by himself/herself, anywhere and anytime.
  • FIG. 2 exemplarily illustrates the loading process by which an i-dentify registered user (e.g. 04) loads a document (101) from his/her associated device (e.g. 07) using the i-dentify secure website or mobile app (17) to the secure i-dentify platform (20) for safe-keeping, and may be subsequently for sharing and/or authentication.
  • the key point of the document loading process (100 - Figure 2) is the multilayer encryption of a user document or digital artefact with geographically non-collocated cryptography modules.
  • the said geographically non-collocated cryptography modules comprise the first encryption engine (102) for first layer encryption using the user public key at the client side, and the second encryption engine (103) for second layer encryption using the unique document key at the server side.
  • a document entering the i-dentify system at a client side is always encrypted at the client side (e.g. device 07) with the user’s RSA public key by the first encryption engine (e.g. 102) before being submitted to the server (21).
  • the document is re-encrypted second time with a unique document key (105) by the second encryption engine (103).
  • the document encryption key (105) is a symmetric key which is generated by the i-dentify server (21) uniquely for every new document and its copies. Each generated unique document key is encrypted with the user’s private key and then stored in the key vaults (23). The multilayer encrypted document is then saved in the document repository (24), in the database area or folder (104) reserved for the registered user (04).
  • the multilayer encryption model with geographically non-collocated cryptography modules, using the user’s asymmetric keys at the client-side module and the unique symmetric document key at the server-side module, shall leave no single point of failure; chained failure in particular can be eliminated.
  • the detailed design of loading a document into the ‘i-dentify’ platform is illustrated in Figure 3.
  • a document that has been uploaded to the i-dentify platform can only be accessed and/or viewed from within i-dentify by the document owner, thus helping to realise the concept that the user is the one who owns the data in the cloud environment.
  • FIG 4 exemplarily illustrates the document viewing process (150).
  • the registered user (e.g. 04) via the mobile app (e.g. 17) on his/her device (e.g. 07) can select document(s) for viewing (e.g. 151).
  • the user’s selected document ID(s) (e.g. 152) are submitted to the i-dentify server (e.g. 21), where the multilayer encrypted document (104) and the encrypted unique document key (105) corresponding to the submitted document ID (152) are retrieved from the user document repository or folder (e.g. 24) and the key vaults (e.g. 23) respectively, for use at the first decryption engine (153) to recover the user public-key encrypted document (i.e. the document still remains encrypted).
  • the server (e.g. 21) then sends the user public-key encrypted document to the requesting mobile app (e.g. 17) on the targeted client device (e.g. 07), where the user private key is autonomously retrieved by the app for use at the second decryption engine (155) in decrypting the user public-key encrypted document.
  • the document is then displayed via the mobile app within i-dentify (e.g. 156).
  • Figure 5 details the document viewing process within i-dentify according to a preferred embodiment.
  • the i-dentify system is designed to provide secure digital asset sharing services, where an i-dentify first user can share his/her i-dentify stored document, or any document in his/her possession, with one or more i-dentify second users within i-dentify, with high confidence that his/her shared document is protected by i-dentify from fraudulent misuse and/or repurposing.
  • the said process of sharing a document (200) is exemplarily illustrated in Figure 6.
  • sharing a document means allowing another party (i.e. one or more second users) to view the shared document.
  • in order to share a document, an i-dentify first user must successfully log in to his/her account using the secure i-dentify website or the installed mobile app (17) on his/her associated device (07).
  • the first user (04) via the mobile app (17) on his/her associated device (07) may select a document(s) for sharing and further select the i-dentify second users (201) who will be receiving the shared document.
  • the selected document(s) for sharing may be in the i-dentify first user repository, or may be in his/her possession but not yet uploaded to i-dentify.
  • the document intended for sharing is autonomously uploaded onto the first user’s i-dentify repository using the above discussed document loading process which returns the document ID as reference for use in the to-be-discussed sharing process.
  • the mobile app (17) shall submit the document ID(s), the second user ID(s) and other sharing attributes chosen by the first user (202), to the i-dentify server (21).
  • the sharing attributes chosen by the first user may include the restriction on how the shared document can be used.
  • the multilayer encrypted document(s) (204) and the encrypted document key (205) corresponding to the submitted document ID(s), and the first user keys are retrieved from the first user’s repository or folder (203) and the key vaults (23) respectively for use within the third decryption engine (206).
  • the original document is briefly recovered for generating a copy (208) which will be shared.
  • the copy of the original document (208) is low-resolution and watermarked, making it differentiable from its original within the i-dentify ecosystem.
  • the group public keys corresponding to the second users’ group (207) are retrieved from the key vaults (23) for use in the third encryption engine (209).
  • the low-resolution and watermarked copy (208) is encrypted with the retrieved group public key and then with the group document key.
  • the multilayer encrypted low-resolution and watermarked copy is then saved in the second user(s) (recipient) folder (211).
  • Notification e.g. push notification
  • Figure 7 details the documents sharing process within the i-dentify according to a preferred embodiment of the present invention.
  • a second user Upon receiving a notification of shared document from the i-dentify system on behalf of the first user, a second user must successfully login the i-dentify system and choose the shared document to view.
  • the i-dentify server securely verifying the second user’s group private key, and then retrieve the double-layer encrypted shared copy and the unique document group key corresponding to the submitted shared document ID from the second user document folder or repository and the key vaults respectively for use in decrypting at the first decryption engine to recover the second user group public -key encrypted shared copy.
  • the server is then sending the second user group public -key encrypted shared copy to the requesting mobile app on the client device, where the second user group private key is autonomously retrieved by the app for use at the second decryption engine in decrypting the second user group key encrypted copy.
  • the low-resolution and watermarked copy is then displayed via the mobile app within the i-dentify.
  • the use of the displayed low-resolution and watermarked copy at the second user device may be restricted depending on the sharing attributes that was configured by the first user.
  • the restriction may include downloading and/or printing.
  • the i-dentify system is also designed to give its users the flexibility to formulate or manage the process flow for their own document, which may involve multiple i-dentify users with different account types and their requested actions.
  • a first user, on his/her device, may hold an original document whose copy must be certified by a nominated (high-power) second user (302), with the authenticated copy then submitted to a third user (303) as a legitimate copy for further use.
  • a second user may be the document originator (e.g. a financial institution, or the first user's employer), or a certifying body (e.g. a justice of the peace) approved by the i-dentify business.
  • the first user must successfully log in to the i-dentify system via the i-dentify app on his/her device.
  • the first user (301) commences the process via the app on his/her device by selecting the document and identifying the second user for authentication and the third user as the recipient of the authenticated copy (310). Without further intervention from the first user (301), the document ID, second user ID, third user ID and the defined process flow (311) are submitted to the i-dentify server (304).
  • the original document corresponding to the submitted document ID is briefly retrieved within the third decryption engine from the first user's folder or repository (340) in order to generate a reduced-resolution and watermarked copy.
  • the reduced-resolution and watermarked copy is multilayer-encrypted using the second user's public key and a newly generated document key, and then stored in the second user's folder or repository (341).
  • i-dentify notifies the second user that he/she has received a document and an authentication request (314).
  • the second user may log in to the i-dentify system, view the reduced-resolution and watermarked copy, verify it by comparing the copy with their source system data (320), and then cryptographically sign the reduced-resolution and watermarked copy.
  • the second user (302) may be given authority by i-dentify to directly view the original corresponding to the copy for verification purposes.
  • the i-dentify system may provide the option for the second user (302) to send the authenticated copy directly to the third user (303).
  • if the option for direct delivery of the authenticated copy is selected, i-dentify will encrypt and save the authenticated copies to the first user's folder (351) and the third user's folder or repository (352), and notifications are sent to the first user (323) indicating the delivery of the authenticated copy and to the third user (324) informing him/her of the sharing of the authenticated copy.
  • otherwise, i-dentify will save the encrypted authenticated copy to the first user's folder or repository (351), and a notification is sent to the first user (323) indicating the availability of the authenticated copy.
  • the first user may then need to view and act to share the authenticated copy (312) with the third user (303), whereupon the authenticated copy is decrypted, re-encrypted and stored in the third user's folder (342).
  • the third user (303), or whoever views the digitally signed document, does so within i-dentify (330), and sees visual evidence (text, image or both) that verifies that the document is certified.
  • the document is loaded using the i-dentify app.
  • a reduced-resolution, watermarked version of the document is shared with the certifying body, who may be the document originator or a certifying body approved by the i-dentify business.
  • the certifying body, running i-dentify, compares the document with their source system data and then digitally signs the watermarked copy.
  • the document owner receives a copy of the digitally signed document and can then share it with whomever he/she chooses. Whoever views the digitally signed document does so within i-dentify, and sees visual evidence (text, image or both) that verifies that the document is certified.
  • the document is encrypted twice, first with the user's public key and subsequently with a unique document encryption key.
  • the document is encrypted with its own private key, and that private key is further encrypted with the user’s private key.
  • Sharing a document means, as the name suggests, allowing another party to view the shared document.
  • the process of sharing a document entails:
  • Documents can only be viewed from within i-dentify.
  • the process entails retrieving the document's private key from the server, decrypting the document client-side in i-dentify, and then displaying the document from within i-dentify.
  • Documents can only be viewed from within i-dentify.
  • the process entails securely verifying the group private key, and then decrypting the document client-side within i-dentify, using the group private key.
  • the preferred embodiment therefore provides a trusted and secure digital asset management platform enabling its subscribers to securely store their digital assets and to specify the flow of their encrypted document when requesting authentication, submission and/or sharing with the intended users or agencies of the platform.
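As an added example (not the patent's code and not the i-dentify implementation), the Go program below realises the shared-and-certified artefact the flows above describe: the watermarked copy is sealed under a fresh document key, that key is wrapped with the recipient's (group) public key, and the certifying second user's signature travels with the copy so that a viewer only sees a "certified" result once the signature verifies. The struct layout, function names, the choice of AES-256-GCM, RSA-OAEP and Ed25519, and the reading of the two encryption layers as envelope encryption are assumptions; the watermark is a constructed text marker.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SharedCopy is the artefact saved in a recipient's folder (hypothetical layout).
type SharedCopy struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte // sealed copy, wrapped key, certifier's signature
	AllowDownload, AllowPrint                bool   // sharing attributes chosen by the first user
}

// Watermark stands in for the reduced-resolution, watermarked rendering of the original.
func Watermark(original []byte) []byte {
	return append([]byte("[i-dentify copy, not the original] "), original...)
}

// Share signs the copy, seals it under a fresh AES-256-GCM document key and wraps that key
// with the recipient's RSA public key: envelope encryption standing in for the two layers.
func Share(wm []byte, recip *rsa.PublicKey, certifier ed25519.PrivateKey, dl, pr bool) (*SharedCopy, error) {
	buf := make([]byte, 44) // 32-byte document key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	docKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(docKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recip, docKey, nil)
	if err != nil { return nil, err }
	return &SharedCopy{nonce, gcm.Seal(nil, nonce, wm, nil), wrapped, ed25519.Sign(certifier, wm), dl, pr}, nil
}

// Open unwraps the key, opens the copy and refuses it unless the certifier's signature
// verifies, so "visual evidence" of certification is shown only for a genuine copy.
func Open(sc *SharedCopy, recip *rsa.PrivateKey, certifier ed25519.PublicKey) ([]byte, error) {
	docKey, err := rsa.DecryptOAEP(sha256.New(), nil, recip, sc.WrappedKey, nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(docKey) // wrong length here means a corrupt or forged artefact
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	wm, err := gcm.Open(nil, sc.Nonce, sc.Ciphertext, nil)
	if err != nil { return nil, err }
	if !ed25519.Verify(certifier, wm, sc.Signature) {
		return nil, errors.New("certification signature does not verify")
	}
	return wm, nil
}
```

The sharing attributes are carried with the artefact but, as in the text, their enforcement (blocking download or print) is up to the viewing app; the cryptographic layers only decide who can open the copy and whether the certification is genuine.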

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates generally to digital information security (InfoSec), and in particular to systems and methods for establishing a trusted and secure digital asset management platform enabling its subscribers to securely store their digital assets and to specify the flow of their encrypted document when requesting authentication, submission and/or sharing with the intended users of the platform or the intended agencies.
PCT/AU2021/050534 2021-06-01 2021-06-01 Systems and methods for secure digital file sharing and authentication WO2022251894A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/AU2021/050534 WO2022251894A1 (fr) 2021-06-01 2021-06-01 Systems and methods for secure digital file sharing and authentication
AU2021107618A AU2021107618A4 (en) 2021-06-01 2021-08-24 User interface for digital file sharing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/AU2021/050534 WO2022251894A1 (fr) 2021-06-01 2021-06-01 Systems and methods for secure digital file sharing and authentication

Related Child Applications (1)

Application Number Title Priority Date Filing Date
AU2021107618A Division AU2021107618A4 (en) 2021-06-01 2021-08-24 User interface for digital file sharing

Publications (1)

Publication Number Publication Date
WO2022251894A1 true WO2022251894A1 (fr) 2022-12-08

Family

ID=79170298

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2021/050534 WO2022251894A1 (fr) 2021-06-01 2021-06-01 Systems and methods for secure digital file sharing and authentication

Country Status (2)

Country Link
AU (1) AU2021107618A4 (fr)
WO (1) WO2022251894A1 (fr)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050052469A1 (en) * 1999-12-16 2005-03-10 Matt Crosby Method and apparatus for rendering a low-resolution thumbnail image suitable for a low resolution display having a reference back to an original digital negative and an edit list of operations
WO2012122175A1 (fr) * 2011-03-07 2012-09-13 Security First Corp. Secure file sharing system and method
US9203612B1 (en) * 2014-06-02 2015-12-01 Atlanta DTH, Inc. Systems and methods for controlling media distribution
US9298942B1 (en) * 2013-12-31 2016-03-29 Google Inc. Encrypted augmentation storage
WO2016063254A1 (fr) * 2014-10-23 2016-04-28 Pageproof.Com Limited Encrypted collaboration system and method
US20170329937A1 (en) * 2016-05-12 2017-11-16 Markany Inc. Method and apparatus of drm systems for protecting enterprise confidentiality
EP2839407B1 (fr) * 2012-04-19 2018-09-05 Invenia As Method for secure storage and sharing of a data file via a computer communication network and open cloud services
AU2020100734A4 (en) * 2019-05-24 2020-06-18 Medikey Australia Pty Ltd Systems and methods for secure digital file sharing and authenticating

Also Published As

Publication number Publication date
AU2021107618A4 (en) 2022-01-06

Similar Documents

Publication Publication Date Title
AU2020100734A4 (en) Systems and methods for secure digital file sharing and authenticating
US10756906B2 (en) Architecture and methods for self-sovereign digital identity
US10127378B2 (en) Systems and methods for registering and acquiring E-credentials using proof-of-existence and digital seals
US10673632B2 (en) Method for managing a trusted identity
US10904014B2 (en) Encryption synchronization method
US20180295121A1 (en) Secure element authentication
CN106537403B (zh) System for accessing data from multiple devices
US9646150B2 (en) Electronic identity and credentialing system
JP6543040B2 (ja) System and method for remote access and remote digital signature
WO2008030184A1 (fr) Improved authentication system
US10579809B2 (en) National identification number based authentication and content delivery
US11252161B2 (en) Peer identity verification
US20220005039A1 (en) Delegation method and delegation request managing method
US11275858B2 (en) Document signing system for mobile devices
US10938808B2 (en) Account access
Burr et al. Sp 800-63-1. electronic authentication guideline
US11620393B1 (en) System and method for facilitating distributed peer to peer storage of data
US11671475B2 (en) Verification of data recipient
US11461451B2 (en) Document signing system for mobile devices
WO2022251894A1 (fr) Systems and methods for secure digital file sharing and authentication
US8621231B2 (en) Method and server for accessing an electronic safe via a plurality of entities
WO2024026428A1 (fr) Assignment, attribution and management of digital identities
CN117834242A (zh) Verification method, apparatus, device, storage medium and program product

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 21943354; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 21943354; Country of ref document: EP; Kind code of ref document: A1