Digital Healthcare – Ernie F. Brickell, Wesley Deklotz, Jeff U. Glover, Michael R. Premi, Matthew D. Wood, Marion H. Shimoda, Intel Corp

Abstract for “Delegating digital credentials”

The system receives, from a delegator, a designation of a role and of a delegate who will assume that role. After a credential service provider confirms that the delegator authorized the designation, a delegation credential is issued.

Background for “Delegating digital credentials”

Cryptography is the foundation for many privacy and authentication mechanisms in computer-based systems. A digital signature is one such mechanism; it is used to authenticate the sender of electronic messages. First, the sender creates a private signature key and a public verification key. The sender uses a signing computation, which takes the message or other document as input and produces a digital signature. A receiver uses a verification computation, which takes the message, the digital signature and the public verification key as input and outputs either “signature verified” or “signature failed to verify”.

To rely on digitally signed documents, the receiver must be sure that the public verification key used to verify the signature is in fact the sender’s. A digital certificate binds the identity of the sender to the sender’s public verification key, along with other information, and is typically digitally signed by a certification authority. Another mechanism, such as an entry in a trusted database, can also be used to establish the correspondence between an individual’s identity and a public verification key.

DESCRIPTION OF DRAWINGS

FIG. 3 is an example activity report.

FIG. 7 is a flowchart that shows how to select delegation credentials for a delegator.

FIG. 8 is a flowchart that shows how to use a confirmation code during the delegation process.

DESCRIPTION

As used herein, “A user’s digital credential” refers to security mechanisms that are associated with their identity. A user’s digital credentials can contain one or more digital signature keys that relate to one or several digital certificates. A user’s digital credential could also include any other cryptographic security mechanism suitable for use, such as a mechanism to be used in a proprietary cryptographic system.

One or more tasks can be required to validate a user’s digital credential. One example is to verify that the user’s signature is valid using the public key in the user’s digital certificate. Another is to validate the digital certificate itself, which may include using a key of the certification authority to verify that the certificate is valid.

System 2 is able to detect fraudulent activity and general misuse of digital credentials quickly, as described in more detail below.

Web browser 12, such as Internet Explorer from Microsoft Corporation of Redmond, Wash., executes in an operating system provided by computing device 4A. This allows an owner of digital credential 16 to remotely access online services 6 via network 28. Online services 6 are generally Web-based sites that allow secure electronic transactions. Online services 6 could sell consumer products like books, movies and software, or could be business-to-business sites such as online marketplaces for medical supplies. Online banking institutions, brokerage companies and health services are further examples. Authorized delegates of the user use Web browsers (not illustrated) to access online services 6 and to conduct secure transactions using digital credentials that the user has authorized them to use on the user’s behalf for specific purposes.

Computing devices 4 are general-purpose computing systems that can interact with network 28. A personal computer is one example of a suitable computing device 4. Each computing device 4 may also be a tablet computer, a handheld computer or personal digital assistant (PDA) such as a Palm organizer from Palm Inc. of Santa Clara, Calif., or a network-enabled cell phone. Network 28 can be any communication network, such as a packet-based network like the Internet.

Credential service provider 8 (CSP 8) is a central service that allows users to manage their digital credentials: users can request digital credentials, revoke digital credentials, and designate one or more delegates who can use their digital credential to perform specified functions.

To obtain digital credential 16, the user uses Web browser 12 to access CSP 8, generates a private signature key and a public verification key, and requests a digital certificate. The user submits the public verification key along with identifying information such as name and address.

CSP 8 transmits the information to credential issuing service (CIS) 22 which, acting as a certificate authority, issues a corresponding digital credential 16, including a signature key, and records owner information in owner database 24. The user is now the “owner” of digital credential 16. The owner can use digital credential 16 issued by CIS 22 to access CSP 8 and designate authorized delegates.

The owner uses digital credential 16 to securely access online services 6, sign digital documents and conduct secure transactions. Web browser 12 establishes a secure communication connection with one of online services 6 using a secure communications protocol such as Secure Socket Layer. When accessed, the Web server issues a “challenge” to Web browser 12. Web browser 12 replies by signing the challenge with the owner’s private signature key, communicating digital credential 16, and submitting the signed challenge to online service 6. Web browser 12 also uses the owner’s private key to digitally sign documents presented to online services 6, for example when the owner or delegate submits confidential medical information or a prescription request to a Web-based healthcare service.

Online services 6 have the option to validate digital credential 16 locally, by using the public key to verify digital signatures and checking local databases to confirm the association between the public key and the user. Alternatively, online services 6 can communicate digital credential 16 to credential validation service (CVS) 10 for verification. For example, online services 6 can validate low-value transactions locally while relying on CVS 10 to validate high-value transactions.

CVS 10 obtains digital credential 16, including the digital signature and digital certificate, from online services 6 and then interacts with CIS 22. CVS 10 connects to CIS 22 as a certificate authority and obtains the public key of CIS 22. CVS 10 then queries CIS 22 to determine whether digital credential 16 has been revoked, as indicated by certificate repository 26. CVS 10 saves the result of each verification in activity log 20, whether or not it was successful.

CSP 8 allows users to create a variety of digital signature keys associated with their identity and to assign a friendly name to each key, for example Office Key, Home Key or Portable Key. This allows users to track the usage of their digital signature keys more easily, as described below.

System 2 includes many features that enable an owner or delegate to detect unauthorized use in the event that a digital signature key is misappropriated or misused. CVS 10, for example, can automatically send an activity report to Web browser 12 when verifying digital signatures during secure transactions. The activity report can be displayed to the user, who can then quickly identify whether the digital signature key has been misused.

In addition, the owner or delegate can access CSP 8 to request an activity report detailing any digital signature key usage. CSP 8 receives such a request and communicates it to CVS 10. CVS 10 analyzes activity log 20, extracts the relevant activity information, creates a report and sends it to CSP 8. CSP 8 presents the report electronically to the user via network 28. CSP 8 can also be configured by the owner or delegate to generate periodic reports and send them electronically to the user, or to mail a printed copy of the report directly to the user.

In addition to the techniques described above that an owner or delegate can use to detect misuse of digital credentials, fraud detection module 18 of CVS 10 applies fraud detection techniques to activity log 20 to identify misuse automatically. Fraud detection module 18 analyzes activity log 20 to detect unusual patterns that could indicate misuse, as described below.

Each online service 6 secures a transaction by transmitting digital credential 16 (32) to CVS 10. CVS 10 works with CIS 22 to verify digital credential 16 and determine whether it has been revoked. Alternatively, online service 6 can validate digital credential 16 itself and transmit the transaction information to CVS 10.

The result of each verification is stored in activity log 20 (34). CVS 10 also stores transaction information such as the date and time of each transaction, the online service 6 involved and the type of transaction. This includes the device used to access online service 6, such as a laptop computer or cell phone, as well as location information such as the IP address or name of computing device 4.

CVS 10 creates activity reports to help identify misuse of digital credential 16. These reports detail information in activity log 20 (36). CVS 10 can generate activity reports in many ways and at different times. CVS 10 can generate activity reports automatically when it processes verification requests, providing this information frequently to the user. CVS 10 also generates activity reports periodically or on request from the owner.

CVS 10 tailors each activity report to the requester: the owner of digital credential 16 sees all activity, including that of delegates, while a delegate can view only activity reports covering his or her own activity.

Fraud detection module 18 of CVS 10 analyzes activity log 20 to detect unusual patterns and identify fraudulent activity. A significant increase in the number or size of transactions can indicate misuse, as can a change in the type of transactions. Any indication that digital credential 16 is suddenly being used from a different computing device, such as a change from the Internet Protocol (IP) address from which it was previously used, could also be a sign of misuse. CVS 10 sends an activity report to the owner informing him or her of any potential misuse, so that the owner can quickly determine whether there has been fraud or general misuse and its extent.
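The following is an added example, not code from the patent or from Intel, of how fraud detection module 18 and the tailored activity reports described above could be implemented over the fields the description says activity log 20 records. The log entries, user names, device names, service names and IP addresses are all constructed for the example; the spike threshold and the cutoff date that separates history from recent activity are assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed sample of activity log 20 (not data from the patent). Each record is one
# verification request logged by CVS 10, with the fields the description names.
ACTIVITY_LOG = [
    # Historical, familiar behaviour: known devices and addresses, small prescriptions.
    {"when": "2003-03-03 09:12", "user": "dr_smith", "service": "pharmacy.example",
     "device": "Office Key PC", "ip": "10.1.1.5", "type": "prescription", "value": 40, "result": "verified"},
    {"when": "2003-03-04 10:30", "user": "dr_smith", "service": "pharmacy.example",
     "device": "Office Key PC", "ip": "10.1.1.5", "type": "prescription", "value": 55, "result": "verified"},
    {"when": "2003-03-05 11:02", "user": "secretary_jones", "service": "billing.example",
     "device": "Front Desk PC", "ip": "10.1.1.9", "type": "billing lookup", "value": 0, "result": "verified"},
    {"when": "2003-03-06 09:45", "user": "dr_smith", "service": "pharmacy.example",
     "device": "Home Key PC", "ip": "203.0.113.7", "type": "prescription", "value": 35, "result": "verified"},
    {"when": "2003-03-07 14:20", "user": "secretary_jones", "service": "billing.example",
     "device": "Front Desk PC", "ip": "10.1.1.9", "type": "billing lookup", "value": 0, "result": "verified"},
    # Recent activity: a burst of large purchases from an unknown device and address.
    {"when": "2003-03-10 02:14", "user": "dr_smith", "service": "medsupply.example",
     "device": "unknown-laptop", "ip": "198.51.100.23", "type": "purchase", "value": 2400, "result": "verified"},
    {"when": "2003-03-10 02:19", "user": "dr_smith", "service": "medsupply.example",
     "device": "unknown-laptop", "ip": "198.51.100.23", "type": "purchase", "value": 3100, "result": "verified"},
    {"when": "2003-03-10 02:31", "user": "dr_smith", "service": "medsupply.example",
     "device": "unknown-laptop", "ip": "198.51.100.23", "type": "purchase", "value": 2900, "result": "failed"},
    {"when": "2003-03-10 09:00", "user": "secretary_jones", "service": "billing.example",
     "device": "Front Desk PC", "ip": "10.1.1.9", "type": "billing lookup", "value": 0, "result": "verified"},
]


def _day(entry):
    """ISO date part of the timestamp; string comparison orders these correctly."""
    return entry["when"][:10]


def _group_by_user(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[e["user"]].append(e)
    return groups


def build_profile(entries):
    """Summarise each user's familiar behaviour from historical entries: known devices,
    addresses and transaction types, plus the largest daily count and value seen."""
    profile = {}
    for user, rows in _group_by_user(entries).items():
        per_day = Counter(_day(r) for r in rows)
        profile[user] = {
            "devices": {r["device"] for r in rows},
            "ips": {r["ip"] for r in rows},
            "types": {r["type"] for r in rows},
            "max_daily_count": max(per_day.values()),
            "max_value": max(r["value"] for r in rows),
        }
    return profile


def detect_misuse(entries, cutoff, spike_factor=2.0):
    """Apply the indicators the description names to entries dated on or after `cutoff`:
    an unfamiliar device or IP address, an unfamiliar transaction type, and a jump in the
    number or size of transactions relative to the user's history (spike_factor is an
    assumed threshold). Returns a list of (entry, reasons) pairs for flagged entries."""
    history = [e for e in entries if _day(e) < cutoff]
    recent = [e for e in entries if _day(e) >= cutoff]
    profile = build_profile(history)
    recent_daily = Counter((e["user"], _day(e)) for e in recent)
    flagged = []
    for e in recent:
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("no history for user")
        else:
            if e["device"] not in p["devices"]:
                reasons.append("unfamiliar device")
            if e["ip"] not in p["ips"]:
                reasons.append("unfamiliar IP address")
            if e["type"] not in p["types"]:
                reasons.append("unfamiliar transaction type")
            if e["value"] > spike_factor * p["max_value"]:
                reasons.append("transaction size spike")
            if recent_daily[(e["user"], _day(e))] > spike_factor * p["max_daily_count"]:
                reasons.append("transaction count spike")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def activity_report(entries, requester, owner):
    """Tailor the report as the description requires: the owner sees all activity,
    including delegates'; a delegate sees only his or her own entries."""
    visible = entries if requester == owner else [e for e in entries if e["user"] == requester]
    return [
        f'{e["when"]} {e["user"]:16} {e["service"]:18} {e["device"]:15} '
        f'{e["type"]:16} {e["value"]:>6} {e["result"]}'
        for e in visible
    ]


if __name__ == "__main__":
    for entry, why in detect_misuse(ACTIVITY_LOG, cutoff="2003-03-10"):
        print(entry["when"], entry["user"], "->", ", ".join(why))
    print("\n".join(activity_report(ACTIVITY_LOG, "secretary_jones", owner="dr_smith")))
```

The profile is deliberately per user, so that a delegate's normal activity from the front desk does not mask a burst of unfamiliar activity under the owner's key, and the report filter is the same owner/delegate rule the description gives for CVS 10.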

If an owner believes that there has been unauthorized activity, he or she can access CSP 8 to revoke digital credential 16, for example by revoking the associated certificate. Alternatively, the owner can create a new private signature key and public verification key and sign the new public verification key with the old private key; system 2 can then issue a digital certificate for the new verification key. CSP 8 transmits the revocation of digital credential 16 to CIS 22, which updates its status in certificate repository 26. This causes any future verification of digital credential 16 to fail, allowing the owner to stop fraudulent activity immediately.

In addition, an authorized operator of CSP 8 or CVS 10 can receive the activity report. An activity report detailing activity at a particular online service 6 can also be generated and sent to the authorized operator.

In this way, system 2 detects unauthorized use of digital signature keys in the event that they are misappropriated. These features are particularly beneficial to professionals, such as those in the healthcare industry. Consider a healthcare professional accessing an online healthcare service to request access to healthcare information or to submit a prescription. The online service transmits the transaction information, including a description of the access request and the digital credential of the healthcare professional, to the central credential verification service. The credential verification service issues a verification report to the healthcare service, which then grants access to the medical records. The credential verification service also sends an activity report to the healthcare service, which passes it on to the healthcare professional.

FIG. 3 shows an example activity report 40, which lists all activities logged in activity log 20, broken down by owner and delegate. Example activity report 40 lists each authentication request with its date and time, the online service used in the transaction and the name of the computing device 4 used to initiate the transaction, together with the transaction value, transaction type and authentication result.

System 100 contains system memory 113, including random access memory (RAM) 114 and read only memory (ROM) 115, connected to processor 112 via system data/address bus 116. Input/output bus 118 is connected via bus controller 119 to data/address bus 116. In one embodiment, input/output bus 118 is implemented as a standard Peripheral Component Interconnect (PCI) bus. Bus controller 119 examines all signals from processor 112 and routes them to the appropriate bus. Signals between processor 112 and system memory 113 are not routed by bus controller 119; signals from processor 112 intended for devices other than system memory 113 are routed onto bus 118.

Various devices can be connected to input/output bus 118, including hard disk drive 120, floppy drive 121, which reads floppy disk 151, and optical drive 122, such as a CD-ROM drive, which reads optical disk 152. Video adapter 125 connects video display 124 to input/output bus 118.

Users enter commands and information into system 100 using keyboard 140 or a pointing device such as mouse 142, which are connected to bus 118 via input/output port 128. Track pads, track balls, joysticks, data gloves and head trackers are other possible pointing devices. System 100 also contains modem 129, which is used for communication over wide area networks (not illustrated), for example to connect to the Internet via a wired or wireless connection.

Software applications 136 and data are typically stored on one of the memory storage devices, such as hard disk 120, floppy disk 151 or CD-ROM 152, and copied to RAM 114 for execution. Software applications 136 can also be stored in ROM 115 and either copied to RAM 114 or executed directly from ROM 115.

In general, operating system 135 executes software applications 136 and carries out instructions given by the user. The Basic Input/Output System (BIOS) 117 of system 100 is a collection of basic executable routines that has traditionally helped transfer data between the computing resources of system 100; these routines are used by operating system 135 and other software applications 136. One embodiment of system 100 contains a registry (not illustrated), a system database that stores configuration information for system 100.

CVS 10 and CIS 22 can be executed on the same machine (e.g., computer) as CSP 8 or on separate machines (as shown). For simplicity, the descriptions that follow assume that they are all implemented on the same machine.

Delegating Roles

In this embodiment, the delegator (e.g., an owner of a digital credential) can delegate a role, or function, to a delegate. The delegator does not have to delegate all of his or her authority to the delegate, only a subset. A doctor might delegate to a secretary the right to see a patient’s billing records but not the records regarding diagnosis, while an X-ray technician may be allowed to view the same patient’s records regarding diagnosis but not billing. The doctor can thus delegate some authority to different assistants without giving up complete authority.

“Delegation credentials” are a type of digital credential that allows the delegator to delegate only certain functions or authority to a delegate. Delegation credentials allow one or more delegates to use the digital credential of a delegator to perform specified functions.

Referring to FIG. 5, a block diagram shows the elements of a delegation transaction: a delegator 200, a delegate 202, a relying party 204, a CSP 206 and a delegation services provider (DSP) 208. Each element can be implemented with a programmable computing device such as system 100 of FIG. 4 (the delegator or delegate being entities that may use system 100).

Delegator 200 is an entity that delegates one or more functions to delegate 202. Delegate 202 is given the authority to perform these functions by using delegation credentials, as explained below. Relying party 204 is an entity that provides a requested service in accordance with the delegation credentials. Relying party 204 could be, for example, a Web site that receives the delegation credentials of a delegate from the delegate and, once they have been verified, provides access to services (e.g., information) previously available only to the delegator.

CSP 206 is the same as described above and, for the purposes of this embodiment, includes a CVS and a CIS. CSP 206 has access to a database 210 containing the delegation credentials of delegators and a database 212 containing activity logs, which store information such as which delegation credentials were delegated to which delegates. Although FIG. 5 shows databases 210 and 212 separately, they could be a single database.

DSP 208 controls the delegation of delegation credentials. DSP 208 manages a database 214 that contains delegation information, including delegate information: it identifies delegators and delegates and lists the functions each delegate is permitted to perform. Although FIG. 5 shows DSP 208 and CSP 206 as two separate machines, they can be combined on the same machine.

Referring to FIG. 6, a process 216 gives a delegate the authority to assume one or more roles of a delegator. Referring to FIGS. 5 and 6, the delegator registers (218) with CSP 206 for a digital credential, providing registration information such as identity, professional title and authority. CSP 206 may already hold information about potential subscribers such as delegator 200, and verifies the registration information once delegator 200 has entered it. CSP 206 may issue (220) a digital credential to delegator 200 if there is sufficient correspondence between the registration data and the information in its database, or after receiving the registration information and payment.

Delegator 200 can then delegate one or more roles (e.g., professional titles, authority, functions) to a delegate. Delegator 200 gives DSP 208 a designation that includes a role and a delegate to assume the role. Delegator 200 approves the designation using the digital credential obtained during registration and gives the designation and digital credential to CSP 206. CSP 206 confirms that the delegator authorized the designation by verifying the delegator’s digital credential and informs DSP 208 that it is valid. CSP 206 also records the designation and approval in database 212.

DSP 208 receives (222) the designation, including the identity and role(s) of the delegate, from delegator 200, and also receives the approval from CSP 206. In response to this approval, DSP 208 issues (226) a delegation credential. The delegation credential can be issued directly to the delegator (226) or to CSP 206, which then provides it to the delegator or any other party as required. The delegation credential includes delegation information such as the identity and possible roles of the delegate.

DSP 208 may keep the delegation credential in database 214 along with an indication of approval. DSP 208 may also send (228) a confirmation message to delegator 200 indicating that the requested delegation has been created.

Referring to FIG. 7, a process 230 shows a delegate using delegation credentials to access services available to him or her from a relying party. Delegate 202 requests (232) access from relying party 204, such as a Web site, to a service that requires digital credentials. Relying party 204 responds by sending the delegate the access requirements that a digital credential must satisfy, and the delegate sends a delegation credential in response. CSP 206 receives (234) the delegate’s delegation credential along with the access requirements from relying party 204.

CSP 206 determines (236) whether the delegation credential meets the access requirements, i.e., whether the delegate can access the services of relying party 204 on the basis of that delegation credential. CSP 206 confirms the validity of the delegation credential by comparing it with the stored delegation credentials.

If the delegation credential meets the access requirements, CSP 206 informs (238) relying party 204. If it does not, CSP 206 determines (240) whether any other delegation credential of the delegate meets the access requirements. If so, CSP 206 provides (242) the delegate with a list of all the delegation credentials available to the delegate that satisfy the relying party’s access requirements, and the delegate chooses (244) from the list which delegation credential to use. If no suitable delegation credential is found, CSP 206 informs relying party 204.

The selected delegation credential can be sent to a verification service, such as a CVS within CSP 206. The verification service compares the delegation credential with a list of permitted delegation credentials for the delegate and checks whether it is valid, e.g., whether it is on the list. If so, the verification service logs the access request and signs a digital statement confirming the validity of the requested access. The digital statement can be given to relying party 204.

CSP 206 and relying party 204 receive information about which delegation credential the delegate selected, as well as the verification service’s statement (if any). The delegation credential is then used (246) to access the requested service: relying party 204 verifies the statement and/or the delegation credential and provides the requested service to the delegate.

CSP 206 logs the identity of the delegation credential used by the delegate to access the services of relying party 204 and can make the logs available for inspection by the delegate or the delegator. If the delegator or delegate finds an inappropriate action in the logs, he or she may request that the delegation credential used for that action be revoked; the revocation request can be sent to DSP 208 or CSP 206. A delegator can also review the stored logs to determine whether any of his or her delegation credentials were fraudulently created and, where a delegate is allowed to create delegation credentials on the delegator’s behalf, review those as well.

DSP 208 could also send all of the delegate’s delegation credentials to the relying party and have the relying party check whether they are valid. Instead of, or in addition to, storage at DSP 208, the delegate could keep the delegation information and provide it to the relying party when requesting a service.

A default delegation credential could be assigned to the delegate. If multiple delegation credentials are available that meet the relying party’s access requirements, the delegate may be presented with a user interface in which the default delegation credential is pre-selected, and the delegate can simply accept the default.
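The following is an added example, not code from the patent or from Intel, of process 230 as seen from CSP 206: blocks 236 through 246 above, the verification statement, and the default pre-selection just described. The stored delegations, credential identifiers, user names and relying party names are constructed; "role" stands in for the relying party's access requirements. The description says the verification service digitally signs its statement; to stay dependency-free, this example tags the statement with an HMAC under a CSP-held key that the relying party is assumed to share, which is a stand-in for, not an implementation of, a digital signature.

```python
import hashlib
import hmac
import json

# Constructed contents of database 210: which roles each delegator has delegated
# to which delegate, and whether the delegation is still active.
STORED_DELEGATIONS = [
    {"credential_id": "DC-1001", "delegator": "dr_smith", "delegate": "secretary_jones",
     "role": "billing clerk", "status": "active"},
    {"credential_id": "DC-1002", "delegator": "dr_smith", "delegate": "secretary_jones",
     "role": "scheduler", "status": "active"},
    {"credential_id": "DC-1003", "delegator": "dr_lee", "delegate": "secretary_jones",
     "role": "billing clerk", "status": "revoked"},
    {"credential_id": "DC-1004", "delegator": "dr_smith", "delegate": "tech_ray",
     "role": "x-ray technician", "status": "active"},
]
DEFAULT_CREDENTIAL = {"secretary_jones": "DC-1001"}   # pre-selected when several fit

# Assumed CSP-held key. An HMAC tag stands in for the digital signature on the
# verification statement so the example runs with the standard library only.
CSP_KEY = b"constructed-csp-key-not-for-real-use"
ACCESS_LOG = []   # the access requests the verification service logs


def credential_is_valid(presented):
    """Block 236: the presented credential must match a stored, unrevoked delegation."""
    keys = ("credential_id", "delegate", "delegator", "role")
    return any(s["status"] == "active" and all(s[k] == presented.get(k) for k in keys)
               for s in STORED_DELEGATIONS)


def credentials_meeting(delegate, required_role):
    """Blocks 240/242: the delegate's active credentials that satisfy the requirement."""
    return [s for s in STORED_DELEGATIONS
            if s["delegate"] == delegate and s["status"] == "active" and s["role"] == required_role]


def choose_credential(delegate, required_role, chosen_id=None):
    """Block 244: honour an explicit choice, else the delegate's default, else the first fit."""
    candidates = credentials_meeting(delegate, required_role)
    if not candidates:
        return None
    wanted = chosen_id or DEFAULT_CREDENTIAL.get(delegate)
    for c in candidates:
        if c["credential_id"] == wanted:
            return c
    return candidates[0]


def _tag(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CSP_KEY, body, hashlib.sha256).hexdigest()


def verification_statement(credential, relying_party, required_role):
    """Log the access request and produce the tagged statement handed to the relying party."""
    fields = {"credential_id": credential["credential_id"], "delegate": credential["delegate"],
              "delegator": credential["delegator"], "role": credential["role"],
              "relying_party": relying_party, "requested": required_role}
    ACCESS_LOG.append(dict(fields))
    return {"fields": fields, "tag": _tag(fields)}


def relying_party_accepts(statement, required_role):
    """Block 246: the tag must verify and the statement must grant the role required."""
    if not hmac.compare_digest(_tag(statement["fields"]), statement["tag"]):
        return False
    return statement["fields"]["role"] == required_role


def handle_access_request(delegate, presented, relying_party, required_role, chosen_id=None):
    """Process 230 at CSP 206: use the presented credential if it is valid and sufficient,
    otherwise fall back to selection among the delegate's other credentials (or None)."""
    if presented and credential_is_valid(presented) and presented["role"] == required_role:
        cred = presented
    else:
        cred = choose_credential(delegate, required_role, chosen_id)
    if cred is None:
        return None
    return verification_statement(cred, relying_party, required_role)


if __name__ == "__main__":
    # The delegate offers the scheduler credential to a billing site; CSP 206 substitutes
    # the default billing-clerk credential and the site accepts the tagged statement.
    stmt = handle_access_request("secretary_jones", dict(STORED_DELEGATIONS[1]),
                                 "billing.example", "billing clerk")
    print(stmt["fields"]["credential_id"], relying_party_accepts(stmt, "billing clerk"))
```

Matching on the whole stored record rather than on the credential identifier alone is what makes the revoked DC-1003 row useless to a delegate who still holds a copy of it, and the relying party checks both the tag and the role so that a genuine statement for one role cannot be replayed for another.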

DSP 208 could also send all of the delegate’s delegation credentials directly to the relying party and have the relying party check whether any of them meet its access requirements.

Referring to FIG. 8, a process 248 uses a confirmation code to assign a delegation credential. For example, process 248 can be used in blocks 226 or 228 of process 216 (FIG. 6).

In process 248, a delegator decides to assign a delegation. The delegator can visit a delegation Web site (not shown) to select the roles to be assigned to each delegate; the Web site may let the delegator select professional titles such as technician or secretary that define the roles. The delegator then provides (e.g., via the Web site) a confirmation code, which can be an N-character random alphanumeric sequence (where N > 1). The Web site may hash the confirmation code using a cryptographic hash function such as SHA-1. The delegator approves the selected roles using his or her digital credential, which confirms that the approval is authentic. The confirmation code is given to DSP 208.

DSP 208 receives the confirmation code, the selected roles and an identifier of the delegator. The identifier can be a number or name that corresponds to, i.e., identifies, the delegator. This information is stored in DSP 208’s database 214. The delegator provides the confirmation code and identifier to the delegate by hand, electronically or by any other secure method that is independent of the delegation processes described herein.

The delegate enters the confirmation code and identifier into the appropriate section of the delegation Web site. DSP 208 receives (250) the confirmation code and identifier from the Web site and identifies (252) the delegator from this information: the identifier may be compared with a pre-stored identifier and/or the confirmation code checked by comparing its hash. DSP 208 can then assign (254) the appropriate delegation credential(s) and send (256) a confirmation to the delegator.

In an alternative to process 248, DSP 208 may receive from a delegate a delegation request for a role of a delegator together with a confirmation code, request approval of the outstanding delegation request from the delegator, and then receive the confirmation code from the delegator in response to the request for approval. DSP 208 can then confirm approval of the outstanding delegation request using the confirmation code.

The delegate can visit the DSP Web site (not shown) to identify the delegator by name or by selecting him or her from a list of delegators, and enter a confirmation code and the requested role. The Web site may hash the confirmation code and send it to DSP 208, which stores the request and the hash of the confirmation code in database 214.

The delegate provides the confirmation code to the delegator, which can be done in a variety of ways, including electronic mail, a handwritten note or other secure means.

The delegator can request, e.g., via the DSP Web site (not shown), the outstanding delegation requests that relate to him or her; that is, the delegator may ask DSP 208 which delegates have requested his or her roles. DSP 208 receives the request and gives the delegator a list of all outstanding delegation requests, which can include the names of the delegate(s) requesting delegation and the roles they requested. DSP 208 also requests the delegator’s approval of any outstanding delegation requests.

To approve a delegate’s delegation request, DSP 208 requires the delegator to provide the confirmation code along with the delegator’s digital credential. DSP 208 compares the hash of the confirmation code with the stored hash and verifies the delegator’s digital credential. If both match, DSP 208 approves the delegate’s outstanding delegation request and stores the approval in database 214.

Process 248 reduces the effect of name collisions and name similarity in secure communications, because the combination of digital credentials and a confirmation code provides an additional identifier.

In other embodiments, the confirmation code could be generated by the DSP Web site instead of the delegator. The delegator could send the hash of the confirmation code rather than the confirmation code itself. The confirmation code could have a time limit, so that it is invalidated if not entered within a specified period. The delegate, rather than DSP 208, could store the delegation information.
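The following is an added example, not code from the patent or from Intel, of the confirmation-code handling in process 248 (delegator deposits roles and a code hash; delegate redeems the code, blocks 250 to 256) and of the alternative flow in which the delegate files the request and the delegator approves it with the code, including the time limit mentioned above. The class, its method names, the in-memory database 214, integer timestamps and single-use codes are assumptions of the example, as are the user names and roles. The description names SHA-1 as one possible hash; this example uses SHA-256. Verification of the delegator's digital credential is assumed to have happened before the DSP methods are called.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def new_confirmation_code(n=8):
    """N-character random alphanumeric confirmation code (N > 1), from a CSPRNG."""
    if n < 2:
        raise ValueError("N must be greater than 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def hash_code(code):
    """Only the hash of the code is stored in database 214 (SHA-256 here; the
    description names SHA-1 as one option)."""
    return hashlib.sha256(code.encode()).hexdigest()


class DelegationServiceProvider:
    """Minimal in-memory model of DSP 208 and database 214. Times are integer seconds."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds        # assumed time limit on a confirmation code
        self.pending = {}             # delegator_id -> deposited roles and code hash
        self.requests = []            # delegate-initiated outstanding requests
        self.issued = []              # delegation credentials assigned so far

    # ---- process 248: delegator deposits roles and code, delegate redeems ----
    def register_delegation(self, delegator_id, roles, code_hash, now):
        """Delegator (already authenticated by digital credential) deposits the selected
        roles and the hash of the confirmation code under his or her identifier."""
        self.pending[delegator_id] = {"hash": code_hash, "roles": list(roles),
                                      "expires": now + self.ttl, "used": False}

    def redeem(self, delegate_id, delegator_id, code, now):
        """Blocks 250-256: identify the delegator from identifier plus code hash, enforce
        expiry and single use, then assign the delegation credential (or return None)."""
        rec = self.pending.get(delegator_id)
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        if not hmac.compare_digest(rec["hash"], hash_code(code)):
            return None
        rec["used"] = True
        cred = {"delegator": delegator_id, "delegate": delegate_id,
                "roles": rec["roles"], "issued": now}
        self.issued.append(cred)
        return cred

    # ---- alternative flow: delegate requests, delegator approves with the code ----
    def request_delegation(self, delegate_id, delegator_id, role, code_hash, now):
        """The delegate files a request for a role of the delegator with the hash of a
        code that the delegate then hands to the delegator out of band."""
        self.requests.append({"delegate": delegate_id, "delegator": delegator_id, "role": role,
                              "hash": code_hash, "expires": now + self.ttl, "approved": False})

    def outstanding_requests(self, delegator_id):
        """What the DSP Web site lists for the delegator: unapproved requests naming him or her."""
        return [r for r in self.requests if r["delegator"] == delegator_id and not r["approved"]]

    def approve_request(self, delegator_id, delegate_id, code, now):
        """The delegator (already authenticated by digital credential) supplies the code;
        a hash match within the time limit approves the request and issues the credential."""
        for r in self.outstanding_requests(delegator_id):
            if (r["delegate"] == delegate_id and now <= r["expires"]
                    and hmac.compare_digest(r["hash"], hash_code(code))):
                r["approved"] = True
                cred = {"delegator": delegator_id, "delegate": delegate_id,
                        "role": r["role"], "issued": now}
                self.issued.append(cred)
                return cred
        return None


if __name__ == "__main__":
    dsp = DelegationServiceProvider()
    code = new_confirmation_code()
    dsp.register_delegation("dr_smith", ["billing clerk"], hash_code(code), now=1000)
    print(dsp.redeem("secretary_jones", "dr_smith", code, now=1100))
    print(dsp.redeem("secretary_jones", "dr_smith", code, now=1200))   # already used
```

Storing only the hash means a copy of database 214 does not reveal usable codes, the constant-time comparison avoids leaking how many characters of a guess were right, and marking a code as used closes the window in which a second party who learned the code could redeem it again.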

Processes 216, 230 and 248 are not limited to the hardware described above and may be applied in any computing environment. They can be implemented in hardware or software, for example in one or more computer programs executing on programmable computers, each of which includes a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device and one or more output devices. Program code is applied to data entered using an input device to perform processes 216, 230 and 248 and to generate output information, which may be applied to one or more output devices.

Each program can be implemented in a high-level procedural or object-oriented programming language to communicate with a computer system, or in assembly or machine language. The language can be compiled or interpreted.

Each computer program can be stored on an article, e.g., a CD-ROM, hard drive or magnetic diskette, readable by a general-purpose or special-purpose programmable computer, so that when the storage medium or device is read by the computer, the computer performs processes 216, 230 and 248. The computer-readable storage medium may thus be configured with a computer program that causes the computer to execute the instructions.

The invention has been described using a variety of embodiments. These embodiments and others not described herein fall within the scope of the following claims.

Summary for “Delegating digital credentials”

“Cryptography is the foundation for many privacy and authentication mechanisms in computer-based system. A digital signature is one such mechanism. It is used to authenticate the sender in electronic messages. First, the sender must create a private and public signature keys. The sender uses a computation to sign a message or another document. This takes the message as input and creates a digital signature. A receiver uses a computation to verify a digital signature. This takes the message, digital signature and public verification key as input and outputs either “signature verified?” “Signature verified” or “signature failed to verify?”

“To facilitate authentication of digitally signed documents, the receiver must be sure that the public verify key used to verify signature is the same public verification key as the sender. The digital certificate contains the identity of sender and the public verification key. It also includes other information. This digital certificate is typically digitally signed by an authority. Another mechanism can be used to establish the correspondence between an individual’s identity and a public verifiable key, such as an entry into a database.


“DESCRIPTION”

As used herein, a user's "digital credential" refers to the security mechanisms associated with the user's identity. A digital credential may contain one or more digital signature keys that correspond to one or more digital certificates, and may also include any other suitable cryptographic security mechanism, such as one used in a proprietary cryptographic system.

One or more tasks may be required to validate a user's digital credential. One is to verify that the user's signature is valid using the public key in the user's digital certificate. Another is to validate the digital certificate itself, which may include using the certification authority's public key to verify the authority's signature on the certificate.

System 2, shown in the figure, can quickly detect fraudulent activity and general misuse of digital credentials, as explained in more detail below.

Web browser 12, such as Internet Explorer from Microsoft Corporation of Redmond, Wash., executes within an operating system on computing device 4A and allows the owner of digital credential 16 to remotely access online services 6 via network 28. Online services 6 are generally Web sites that support secure electronic transactions: consumer retail sites selling books, movies and software; business-to-business sites such as online marketplaces for medical supplies; and online banks, brokerages and health services. Authorized delegates of the owner use Web browsers (not shown) to access online services 6 and conduct secure transactions with digital credentials that authorize them to act for the owner for specific purposes.

Computing devices 4 are general-purpose computing systems that can interact with network 28, for example a personal computer, a tablet computer, a handheld or personal digital assistant (PDA) such as the Palm organizer from Palm Inc. of Santa Clara, Calif., or a network-enabled cellular phone. Network 28 can be any communication network, such as a packet-based network like the Internet.

Credential service provider (CSP) 8 is a central service through which users manage their digital credentials: they can request digital credentials, revoke them, and designate one or more delegates who may use their digital credential to perform specified functions.

To obtain digital credential 16, the user, via Web browser 12, generates a private signature key and a public verification key and requests a digital certificate from CSP 8, submitting the public verification key along with identifying information such as name and address.

CSP 8 forwards the information to credential issuing service (CIS) 22, which, acting as a certificate authority, issues the corresponding digital credential 16, including the signature key, and records the owner information in owner database 24. The user is now the "owner" of digital credential 16. Using digital credential 16 issued by CIS 22, the owner can access CSP 8 and designate one or more authorized delegates.

The owner uses digital credential 16 to securely access online services 6, sign digital documents and conduct secure transactions. Web browser 12 establishes a secure connection with one of online services 6 using a secure communications protocol such as Secure Sockets Layer (SSL). When accessed, the Web server issues a "challenge" to Web browser 12. Web browser 12 responds by signing the challenge with the owner's private signature key and submitting the signed challenge together with digital credential 16 to the online service 6. Web browser 12 also uses the private signature key to digitally sign documents presented to online services 6, for example when the owner or a delegate submits confidential medical information or a prescription request to a Web-based healthcare service.

Online services 6 can validate digital credential 16 themselves, using the public key to verify the digital signature and checking a local database to confirm the association between the public key and the user. Alternatively, online services 6 can forward digital credential 16 to credential validation service (CVS) 10 for verification. For example, online services 6 may validate low-value transactions locally and have CVS 10 validate high-value transactions.

CVS 10 receives digital credential 16 (including the digital signature and the digital certificate) from online services 6 and interacts with CIS 22: it obtains the public key of CIS 22, the certificate authority, verifies the certificate, and checks certificate repository 26 to determine whether digital credential 16 has been revoked. CVS 10 records the result of each verification, successful or not, in activity log 20.

CSP 8 lets users create several digital signature keys associated with their identity and assign a friendly name to each, such as "Office Key", "Home Key" or "Portable Key". This makes the usage of individual digital signature keys easier to track, as described below.

System 2 includes several features that let an owner or delegate detect unauthorized use of a digital signature key that has been misappropriated or misused. For example, CVS 10 can automatically send an activity report to Web browser 12 when it verifies a digital signature during a secure transaction. The report is displayed to the user, who can quickly see whether the digital signature key has been misused.

In addition, the owner or delegate can access CSP 8 to request an activity report detailing usage of a digital signature key. CSP 8 forwards the request to CVS 10, which analyzes activity log 20, extracts the relevant activity information, generates the report and returns it to CSP 8. CSP 8 then presents the report electronically to the user via network 28. The owner or delegate can also configure CSP 8 to generate periodic reports and send them electronically, and CSP 8 can optionally mail a printed copy of the report to the user.

In addition to the techniques described above that an owner or delegate can use to detect misuse of digital credentials, fraud detection module 18 of CVS 10 applies fraud detection techniques to activity log 20 to identify misuse automatically. Fraud detection module 18 analyzes activity log 20 for unusual patterns that may indicate misuse, as described below.

Referring to the flowchart, each online service 6 secures a transaction by transmitting digital credential 16 to CVS 10 (32). CVS 10 works with CIS 22 to verify digital credential 16 and to determine whether it has been revoked. Alternatively, online services 6 can validate digital credential 16 themselves and transmit the transaction information to CVS 10.

The result of each verification is stored in activity log 20 (34). CVS 10 also stores transaction information such as the date and time of each transaction, the online service 6 involved, the type of transaction, the device used to access online service 6 (such as a laptop computer or cellular phone), and location information such as the IP address or the name of computing device 4.

CVS 10 generates activity reports that detail the information in activity log 20 (36) to help identify misuse of digital credential 16. It can do so in several ways and at different times: automatically as it processes verification requests, which delivers the information to the user frequently; periodically; or on request from the owner.

CVS 10 tailors each activity report to the requester: the owner of digital credential 16 sees all activity, including that of delegates, whereas a delegate sees only activity reports covering his or her own activity.

Fraud detection module 18 of CVS 10 analyzes activity log 20 for unusual patterns in order to identify fraudulent activity. A significant increase in the number or size of transactions, or a change in the type of transactions, may indicate misuse. An indication that digital credential 16 is suddenly being used from a different computing device, such as a change from the IP address that was previously used, may also be a sign of misuse. CVS 10 sends an activity report to the owner describing any potential misuse, so that the owner can quickly determine whether fraud or other misuse has occurred and its extent.
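The tailored reports and the fraud-detection heuristics from the last few paragraphs, as an added example rather than code from the patent. The log records, the field names, the one-day window and the 3x threshold are my own assumptions; the patent only names the signals (more or larger transactions, a new transaction type, a new device or IP address).

```python
from datetime import datetime, timedelta

# Constructed activity-log records (field names are mine; the text lists date/time, online
# service, transaction type and value, device, IP address and verification result).
ACTIVITY_LOG = [
    {"ts": f"2003-05-0{d}T09:00", "who": "owner", "key": "Office Key", "service": "pharmacy.example",
     "type": "prescription", "value": 40, "device": "office-pc", "ip": "10.1.1.5", "result": "verified"}
    for d in range(1, 9)
] + [
    {"ts": "2003-05-04T14:00", "who": "secretary", "key": "Delegate Key", "service": "billing.example",
     "type": "view-billing", "value": 0, "device": "front-desk", "ip": "10.1.1.9", "result": "verified"},
] + [
    {"ts": f"2003-05-09T10:{m:02d}", "who": "owner", "key": "Portable Key", "service": "records.example",
     "type": "export-records", "value": v, "device": "unknown-laptop", "ip": "203.0.113.7", "result": r}
    for m, v, r in ((10, 900, "verified"), (12, 950, "verified"), (15, 1200, "failed"), (20, 700, "verified"))
]


def report_for(log, requester, owner):
    """Tailored activity report: the owner sees every row, a delegate only his or her own."""
    rows = [r for r in log if requester == owner or r["who"] == requester]
    return sorted(rows, key=lambda r: r["ts"])


def detect_anomalies(log, who, window=timedelta(days=1), spike=3.0):
    """Flag the patterns the text names: more or larger transactions than usual, a new
    transaction type or service, and use from a device or IP address not seen before.
    The most recent `window` is compared against everything before it."""
    rows = sorted((r for r in log if r["who"] == who), key=lambda r: r["ts"])
    if len(rows) < 2:
        return []
    cutoff = datetime.fromisoformat(rows[-1]["ts"]) - window
    base = [r for r in rows if datetime.fromisoformat(r["ts"]) < cutoff]
    recent = [r for r in rows if datetime.fromisoformat(r["ts"]) >= cutoff]
    if not base or not recent:
        return []
    alerts = []
    base_days = max(1, (cutoff - datetime.fromisoformat(base[0]["ts"])).days)
    usual_rate = len(base) / base_days  # transactions per day during the baseline
    if len(recent) > spike * usual_rate:
        alerts.append(f"volume: {len(recent)} transactions in last {window.days} day(s), usual {usual_rate:.1f}/day")
    recent_max, base_max = max(r["value"] for r in recent), max(r["value"] for r in base)
    if recent_max > spike * base_max:
        alerts.append(f"size: largest recent transaction {recent_max} vs baseline max {base_max}")
    for field in ("type", "device", "ip", "service"):
        for new in sorted({r[field] for r in recent} - {r[field] for r in base}):
            alerts.append(f"new {field}: {new}")
    failed = [r for r in recent if r["result"] != "verified"]
    if failed:
        alerts.append(f"{len(failed)} failed verification(s)")
    return alerts
```

Running `detect_anomalies(ACTIVITY_LOG, "owner")` on the constructed log flags all four signals plus the failed verification, while the secretary's single entry produces nothing; `report_for` filters the same log by requester before it is shown.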

If the owner believes unauthorized activity has occurred, he or she can access CSP 8 to revoke digital credential 16, for example by revoking the associated certificate. Alternatively, the owner can create a new private signature key and public verification key and sign the new public verification key with the old private key; system 2 can then issue a digital certificate for the new verification key. CSP 8 transmits the revocation of digital credential 16 to CIS 22, which updates the status in certificate repository 26, so that any future verification of digital credential 16 fails. This lets the owner stop fraudulent activity immediately.

In addition, an authorized operator of CSP 8 or CVS 10 can receive the activity report, and an activity report detailing activity at a particular online service 6 can be generated and sent to that operator.

In this way, system 2 detects unauthorized use of digital signature keys when those keys have been misappropriated. These features are particularly beneficial to professionals such as those in the healthcare industry. For example, a healthcare professional accesses an online healthcare service to request healthcare information or submit a prescription. The online service transmits the transaction information, including a description of the access request and the professional's digital credential, to the central credential verification service, which returns a verification report to the healthcare service; the service then grants access to the medical records. The credential verification service also sends an activity report to the healthcare service, which passes it on to the healthcare professional.
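The challenge-response login, the CVS validation steps (certificate signature, revocation status, challenge signature) and the key rollover described above, as an added example that is not code from the patent. Textbook RSA over fixed Mersenne primes stands in for the unspecified signature scheme and is for illustration only: no padding, no randomness in key generation, and moduli far too small for real use. `CIS`, `cvs_validate`, `challenge_login` and `rollover` are names of my own.

```python
import hashlib
import secrets

# Textbook RSA over fixed Mersenne primes: ASSUMPTION, a stand-in for the signature scheme the
# text leaves unspecified. Illustration only: no padding, deterministic keys, 150-234 bit moduli.
_MERSENNE = [(1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1]
_E = 65537


def keygen(slot):
    """Return (public, private) for one of four fixed, distinct prime pairs (slot 0..3)."""
    p, q = _MERSENNE[slot % 4], _MERSENNE[(slot + 1) % 4]
    n = p * q
    return (n, _E), (n, pow(_E, -1, (p - 1) * (q - 1)))


def _digest(msg):
    # 128-bit truncation of SHA-256, always smaller than every modulus above
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg)


def cert_bytes(cert):
    """Canonical bytes the certificate authority signs: subject, public key, serial."""
    return f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}|{cert['serial']}".encode()


class CIS:
    """Credential issuing service: certificate authority plus certificate repository
    (here just the set of revoked serial numbers)."""

    def __init__(self):
        self.pub, self._priv = keygen(3)
        self.revoked = set()
        self._next_serial = 1

    def issue(self, subject, subject_pub):
        cert = {"subject": subject, "pub": subject_pub, "serial": self._next_serial}
        self._next_serial += 1
        cert["ca_sig"] = sign(self._priv, cert_bytes(cert))
        return cert

    def revoke(self, serial):
        self.revoked.add(serial)


def cvs_validate(cis, cert, challenge, challenge_sig):
    """Credential validation service: CA signature, then revocation status, then the challenge."""
    if not verify(cis.pub, cert_bytes(cert), cert["ca_sig"]):
        return "bad certificate"
    if cert["serial"] in cis.revoked:
        return "revoked"
    if not verify(cert["pub"], challenge, challenge_sig):
        return "signature failed to verify"
    return "signature verified"


def challenge_login(cis, cert, priv):
    """The online service issues a fresh challenge; the browser signs it with the owner's
    private signature key and submits signature plus credential for validation."""
    challenge = secrets.token_bytes(32)
    return cvs_validate(cis, cert, challenge, sign(priv, challenge))


def rollover(cis, old_cert, old_priv, new_slot):
    """Owner generates a new key pair and signs the new public key with the old private key;
    the CSP checks that binding against the old certificate, issues a new certificate for
    the same subject, and revokes the old one."""
    new_pub, new_priv = keygen(new_slot)
    binding_msg = f"{new_pub[0]}|{new_pub[1]}".encode()
    binding = sign(old_priv, binding_msg)
    if not verify(old_cert["pub"], binding_msg, binding):
        raise ValueError("new key is not signed by the credential being replaced")
    new_cert = cis.issue(old_cert["subject"], new_pub)
    cis.revoke(old_cert["serial"])
    return new_cert, new_priv
```

One caveat the text glosses over: the rollover binds the new key with a signature made by the old private key, so if that key has already been misappropriated the thief can produce the same binding. The CSP should therefore still confirm the owner's identity through a channel that does not depend on the old key before issuing the new certificate, and the old serial must be revoked in the same step, as here.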

An example activity report 40 lists all activity logged in activity log 20, broken down by owner and delegate. For each authentication request it shows the date and time, the online service involved in the transaction, the name of the computing device 4 used to initiate the transaction, the transaction value and type, and the authentication result.

System 100 contains system memory 113, including random access memory (RAM) 114 and read-only memory (ROM) 115, connected to processor 112 via system data/address bus 116. Input/output bus 118 is connected to data/address bus 116 via bus controller 119; in one embodiment input/output bus 118 is a standard Peripheral Component Interconnect (PCI) bus. Bus controller 119 examines all signals from processor 112 and routes them to the appropriate bus: signals between processor 112 and system memory 113 are passed directly over data/address bus 116, while signals from processor 112 intended for devices other than system memory 113 are routed onto input/output bus 118.

Various devices connect to input/output bus 118, including hard disk drive 120, floppy drive 121, which reads floppy disk 151, and optical drive 122, such as a CD-ROM drive, which reads optical disk 152. Video adapter 125 connects video display 124 to input/output bus 118.

The user enters commands and information into system 100 using keyboard 140 or a pointing device such as mouse 142, which connect to bus 118 via input/output port 128. Other possible pointing devices include track pads, track balls, joysticks, data gloves and head trackers. System 100 also contains modem 129, used for communication over wide area networks (not shown), for example to connect to the Internet over a wired or wireless connection.

Software applications 136 and data are typically stored on one of the memory storage devices, such as hard disk 120, floppy disk 151 or CD-ROM 152, and copied into RAM 114 for execution. Software applications 136 may also be stored in ROM 115 and either copied into RAM 114 or executed directly from ROM 115.

In general, operating system 135 executes software applications 136 and carries out instructions issued by the user. The Basic Input/Output System (BIOS) 117 of system 100 is a set of basic executable routines that has traditionally helped transfer information between the computing resources within system 100; these routines are used by operating system 135 and other software applications 136. In one embodiment system 100 includes a registry (not shown), a system database that stores configuration information for system 100.

CVS 10 and CIS 22 can execute on the same machine (e.g., computer) as CSP 8, as shown, and the following description assumes that they are all implemented on the same machine.

“Delegating Roles”

In this embodiment, a delegator (e.g., the owner of a digital credential) can delegate a role, or function, to a delegate. The delegator need not delegate all of his or her authority, only a subset. A doctor might delegate to a secretary the right to view a patient's billing records but not the patient's diagnosis, while an X-ray technician might be allowed to view the same patient's medical records regarding diagnosis but not billing. The doctor can thus delegate portions of his or her authority to different assistants without giving up complete authority to any of them.

"Delegation credentials" are a type of digital credential that allow a delegator to delegate only certain functions or authority to a delegate. Delegation credentials allow one or more delegates to use the delegator's digital credential to perform specified functions.

Referring to FIG. 5, a block diagram shows the elements of a delegation transaction: a delegator 200, a delegate 202, a relying party 204, a CSP 206 and a delegation service provider (DSP) 208. Each element can be implemented with a programmable computing device such as system 100 of FIG. 4 (the delegator and delegate being entities that use such a system).

Delegator 200 is an entity that delegates one or more functions to delegate 202. Delegate 202 is given the authority to perform these functions by means of delegation credentials, as explained below. Relying party 204 is an entity that provides a requested service in accordance with the delegation credentials. Relying party 204 could be, for example, a Web site that receives delegation credentials from a delegate and, once they have been verified, provides access to services (e.g., information) previously available only to the delegator.

CSP 206 is the same as the CSP described above and, for the purposes of this embodiment, includes a CVS and a CIS. CSP 206 has access to database 210, which contains the delegator's delegation credentials, and database 212, which contains activity logs recording, among other things, which delegation credentials were delegated to which delegate. Databases 210 and 212 are shown separately in FIG. 5, but they could be a single database.

DSP 208 controls the delegation of delegation credentials. DSP 208 maintains database 214 containing delegation information, which identifies delegators and delegates and lists the functions to which each delegate has access; delegates can then choose among the functions available to them. DSP 208 and CSP 206 are shown as two separate machines in FIG. 5, but they can be combined on the same machine.

Referring to FIG. 6, process 216 grants a delegate the authority to assume one or more roles of a delegator. Referring to FIGS. 5 and 6, delegator 200 registers (218) for a digital credential with CSP 206, providing registration information such as identity, professional title and authority. CSP 206 may hold a database of information about potential subscribers such as delegator 200; once delegator 200 has entered the registration information, CSP 206 verifies it and, if the registration information corresponds sufficiently to the information in the database, issues (220) a digital credential to delegator 200. CSP 206 may also issue (220) the digital credential after receiving the registration information and payment.

Delegator 200 can then delegate one or more roles (e.g., professional titles, authority, functions) to a delegate. Delegator 200 provides DSP 208 with a designation comprising a role and a delegate who is to assume that role, and approves the designation using the digital credential obtained during registration. Delegator 200 also provides the designation and digital credential to CSP 206, which confirms that the delegator authorized the designation by verifying the delegator's digital credential and informs DSP 208 that the designation is valid. CSP 206 records the designation and approval in database 212.

DSP 208 receives (222) the designation, including the identity and role(s) of the delegate, from delegator 200, and receives the approval from CSP 206. In response to the approval, DSP 208 issues (226) a delegation credential. The delegation credential can be issued directly to the delegator (226), or to CSP 206, which then provides it to the delegator or to any other party as required. The delegation credential includes delegation information, such as the identity of the delegate and the role(s) the delegate may assume.

DSP 208 may store the delegation credential in database 214 along with an indication of the approval, and may also send (228) a confirmation message to delegator 200 informing him or her that the requested delegation has been created.

Referring to FIG. 7, process 230 shows a delegate using a delegation credential to access services available from a relying party. Delegate 202 requests (232) access from relying party 204, such as a Web site, to a service that requires a digital credential. Relying party 204 responds with its access requirement, which must be satisfied by a digital credential, and the delegate sends a delegation credential in response. CSP 206 receives (234) the delegate's delegation credential along with the access requirement from relying party 204.

CSP 206 determines (236) whether the delegation credential satisfies the access requirement, that is, whether the delegate may access the services of relying party 204 on the basis of that delegation credential. CSP 206 confirms the validity of the delegation credential by comparing it with the stored delegation credentials.

If the delegation credential satisfies the access requirement, CSP 206 informs (238) relying party 204. If it does not, CSP 206 checks (240) whether any other delegation credential of the delegate satisfies the access requirement. If so, CSP 206 provides (242) the delegate with a list of all of the delegate's delegation credentials that satisfy the relying party's access requirement, and the delegate chooses (244) which of them to use. If no suitable delegation credential is found, CSP 206 informs relying party 204.

The selected delegation credential can be sent to a verification service, such as the CVS within CSP 206, which compares it with a list of permitted delegation credentials for the delegate. If the delegation credential verifies (e.g., it is on the list), the verification service logs the access request and signs a digital statement confirming the validity of the requested access; the digital statement can be provided to relying party 204.

CSP 206 and relying party 204 receive information about which delegation credential the delegate selected, together with the verification service's statement, if any. The delegation credential is then used (246) to access the requested service: relying party 204 verifies the statement and/or the delegation credential and provides the requested service to the delegate.

CSP 206 logs the identity of the delegation credential used by the delegate to access the services of relying party 204 and can make these logs available for inspection by the delegate or the delegator. If the delegator or delegate finds an inappropriate action in the logs, he or she may request that the delegation credential used for that action be revoked; the revocation request can be sent to DSP 208 or CSP 206. A delegator can also review the stored logs to determine whether any delegation credentials were fraudulently created in his or her name and, where delegates are permitted to create delegation credentials on the delegator's behalf, review those credentials as well.

Alternatively, DSP 208 could send all of the delegate's delegation credentials to the relying party, which would check whether they are valid. Instead of, or in addition to, storage at DSP 208, the delegate could keep the delegation information and provide it to the relying party when requesting a service.

A default delegation credential could be assigned to the delegate. If several delegation credentials satisfy the relying party's access requirement, the delegate may be presented with a user interface in which the default delegation credential is pre-selected, and the delegate can simply accept the default.

DSP 208 could also send all of the delegate's delegation credentials directly to the relying party, which would then check whether any of them satisfies its access requirement.
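Process 230 as an added example (not code from the patent): checking a presented delegation credential against the relying party's access requirement, listing the delegate's other credentials that would satisfy it with a default pre-selected, logging the access and issuing the verification service's statement, plus revocation. Roles are modelled as sets of function names; an HMAC under a key shared with the relying party stands in for the signed digital statement; `DSP`, `CSP`, `select` and `statement` are names of my own.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegationCredential:
    cred_id: str
    delegator: str
    delegate: str
    roles: frozenset  # functions the delegate may exercise on the delegator's behalf


class DSP:
    """Delegation service provider: issues delegation credentials (database 214) and
    records revocations. Only credentials that still match the stored copy are valid,
    so a delegate cannot widen the roles on a credential it presents."""

    def __init__(self):
        self.db = {}
        self.revoked = set()

    def issue(self, delegator, delegate, roles):
        cred = DelegationCredential(f"dc-{len(self.db) + 1}", delegator, delegate, frozenset(roles))
        self.db[cred.cred_id] = cred
        return cred

    def revoke(self, cred_id):
        self.revoked.add(cred_id)

    def valid(self, cred):
        return self.db.get(cred.cred_id) == cred and cred.cred_id not in self.revoked


class CSP:
    """Credential service provider acting as the verification service (CVS)."""

    def __init__(self, dsp, statement_key):
        self.dsp = dsp
        self.key = statement_key  # ASSUMPTION: HMAC key shared with relying parties stands in for a signing key
        self.log = []             # which credential was used for which access (database 212)

    def select(self, delegate, presented, requirement, default=None):
        """Grant the presented credential if it satisfies the access requirement; otherwise
        list the delegate's other valid credentials that do, default first; else deny."""
        requirement = frozenset(requirement)

        def satisfies(c):
            return c.delegate == delegate and self.dsp.valid(c) and requirement <= c.roles

        if presented is not None and satisfies(presented):
            return "granted", [presented]
        candidates = [c for c in self.dsp.db.values() if satisfies(c)]
        if not candidates:
            return "denied", []
        candidates.sort(key=lambda c: c.cred_id != default)  # pre-select the default
        return "choose", candidates

    def statement(self, cred, relying_party, requirement):
        """Log the access request and emit an authenticated statement for the relying party,
        or None if the credential is no longer valid."""
        if not self.dsp.valid(cred):
            return None
        body = {"cred": cred.cred_id, "delegate": cred.delegate, "delegator": cred.delegator,
                "relying_party": relying_party, "requirement": sorted(requirement)}
        self.log.append(body)
        payload = json.dumps(body, sort_keys=True).encode()
        return payload, hmac.new(self.key, payload, hashlib.sha256).hexdigest()


def relying_party_accepts(key, statement):
    """Relying party verifies the statement before providing the service."""
    payload, tag = statement
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

The `valid` check compares the presented credential with the stored copy rather than trusting its contents, which is what makes the comparison "with stored delegation credentials" in the text meaningful: a credential with added roles, or one presented by someone other than its delegate, is refused even before the access requirement is consulted.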

Referring to FIG. 8, process 248 uses a confirmation code to assign a delegation credential. Process 248 can be used, for example, in blocks 226 and 228 of process 216 (FIG. 6).

In process 248, a delegator decides to assign a delegation. The delegator visits a delegation Web site (not shown) and selects the roles to be assigned to each delegate; the Web site may let the delegator choose professional titles, such as technician or secretary, that define the roles. The delegator then provides (e.g., via the Web site) a confirmation code, which can be an N-digit random alphanumeric sequence (where N > 1). The Web site may hash the confirmation code using a cryptographic hash function such as SHA-1. The delegator's digital credential authorizes the approval of the selected roles and confirms that they are valid. The confirmation code is then provided to DSP 208.

DSP 208 receives the confirmation code, the selected roles and an identifier of the delegator, such as a number or name that identifies him or her, and stores this information in database 214. The delegator gives the confirmation code and identifier to the delegate by hand, electronically, or by any other secure method that does not depend on the delegation processes described herein.

The delegate enters the confirmation code and identifier in the appropriate section of the delegation Web site. DSP 208 receives (250) the confirmation code and identifier from the Web site and uses them to identify (252) the delegator: the identifier may be compared with a pre-stored identifier, and the confirmation code checked by comparing its hash with the stored hash. DSP 208 then assigns (254) the appropriate delegation credential(s) and sends (256) a confirmation to the delegator.

As an alternative to process 248, DSP 208 may receive from a delegate a request for delegation of a role of the delegator together with a confirmation code; receive from the delegator a request for any outstanding delegation requests; ask the delegator to approve the outstanding delegation request from the delegate; and receive the confirmation code from the delegator in response to the request for approval. DSP 208 can then confirm approval of the outstanding delegation request using the confirmation code.

The delegate visits the DSP Web site (not shown), identifies the delegator either by name or by selecting him or her from a list of delegators, and enters a confirmation code and the requested role. The Web site may hash the confirmation code before sending it to DSP 208, which stores the request and the hash of the confirmation code in database 214.

The delegate gives the confirmation code to the delegator, for example by electronic mail, in handwriting, or by other secure means.

The delegator can ask DSP 208, e.g., via a DSP Web site (not shown), for the outstanding delegation requests that relate to him or her, that is, which delegates have requested which of the delegator's roles. DSP 208 receives the delegator's request and returns a list of all outstanding delegation requests, which may include the names of the requesting delegate(s) and the roles they requested; DSP 208 also asks the delegator to approve any outstanding delegation request.

To approve a delegate's delegation request, the delegator provides DSP 208 with the confirmation code along with the delegator's digital credential. DSP 208 compares the hash of the confirmation code with the stored hash and verifies the delegator's digital credential; if both match, DSP 208 approves the outstanding delegation request and stores the approval in database 214.

Process 248 reduces the effect of name collisions and similar names in secure communications, because the combination of the digital credential and the confirmation code provides an additional identifier.

In other embodiments, the confirmation code could be generated by the DSP Web site rather than by the delegator, or the delegator could send the confirmation code itself rather than its hash. The confirmation code could have a time limit, so that it is invalidated if not entered within a specified period. The delegate could also store the delegation information instead of DSP 208.
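The confirmation-code flow of process 248 and its delegate-initiated alternative, with the time limit mentioned above, as an added example that is not code from the patent. SHA-256 replaces the SHA-1 the text names; the guess limit, the single-use rule and the `credential_valid` flag (standing in for the CSP's verification of the delegator's digital credential) are my additions, and the class and method names are my own.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def new_code(n=8):
    """N-character random alphanumeric confirmation code (N > 1)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def code_hash(code):
    # ASSUMPTION: SHA-256 instead of the SHA-1 named in the text. Hashing a short code does not
    # stop online guessing by itself, hence the expiry and guess limit below.
    return hashlib.sha256(code.encode()).hexdigest()


class DSP:
    """Delegation service provider: database 214 holds pending offers and requests keyed by
    delegator (and delegate), each with the hashed code and the time it was stored."""

    def __init__(self, ttl=600, max_tries=5):
        self.ttl, self.max_tries = ttl, max_tries
        self.offers = {}       # delegator_id -> pending delegator-initiated offer
        self.requests = {}     # (delegator_id, delegate_id) -> pending delegate-initiated request
        self.delegations = []  # approved (delegator, delegate, roles)

    def _consume(self, store, key, code, now):
        """Check one pending entry: expiry first, then a constant-time hash comparison with a
        bounded number of wrong guesses. A correct code removes the entry (single use)."""
        rec = store.get(key)
        if rec is None:
            return None
        if now - rec["t"] > self.ttl:
            del store[key]
            return None
        if not hmac.compare_digest(rec["hash"], code_hash(code)):
            rec["tries"] += 1
            if rec["tries"] >= self.max_tries:
                del store[key]
            return None
        del store[key]
        return rec

    # Process 248: the delegator selects roles and a code; the delegate later redeems it.
    def offer(self, delegator_id, roles, code, now):
        self.offers[delegator_id] = {"roles": frozenset(roles), "hash": code_hash(code), "t": now, "tries": 0}

    def redeem(self, delegate_id, delegator_id, code, now):
        rec = self._consume(self.offers, delegator_id, code, now)
        if rec is None:
            return False
        self.delegations.append((delegator_id, delegate_id, rec["roles"]))
        return True

    # Alternative: the delegate requests a role with a code; the delegator approves with the code
    # and his or her digital credential.
    def request(self, delegate_id, delegator_id, roles, code, now):
        self.requests[(delegator_id, delegate_id)] = {"roles": frozenset(roles), "hash": code_hash(code),
                                                      "t": now, "tries": 0}

    def outstanding(self, delegator_id):
        return [(d, sorted(r["roles"])) for (o, d), r in self.requests.items() if o == delegator_id]

    def approve(self, delegator_id, delegate_id, code, credential_valid, now):
        if not credential_valid:  # ASSUMPTION: the CSP has already verified the delegator's credential
            return False
        rec = self._consume(self.requests, (delegator_id, delegate_id), code, now)
        if rec is None:
            return False
        self.delegations.append((delegator_id, delegate_id, rec["roles"]))
        return True
```

Storing only the hash means a database read does not leak usable codes, but an 8-character alphanumeric code has only about 41 bits of entropy, so the expiry, single use and guess limit carry most of the protection; `hmac.compare_digest` keeps the comparison from leaking which prefix of a guess was right.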

Processes 216, 230 and 248 are not limited to the hardware shown in FIG. 4 and may be used in any computing environment, implemented in hardware or in software. They may be implemented in one or more computer programs executing on programmable computers, each of which includes a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device and one or more output devices. Program code is applied to data entered using an input device to perform processes 216, 230 and 248 and to generate output information, which may be applied to one or more output devices.

Each program can be implemented in a high-level procedural or object-oriented programming language to communicate with a computer system, or in assembly or machine language; in either case the language may be compiled or interpreted.

Each computer program can be stored on an article of manufacture, e.g., a CD-ROM, hard disk or magnetic diskette, readable by a general-purpose or special-purpose programmable computer, such that when the storage medium or device is read by the computer, the computer performs processes 216, 230 and 248. The computer-readable storage medium may thus be configured with a computer program whose instructions cause the computer to perform those processes.

The invention has been described using a variety of embodiments. These and other embodiments not described herein fall within the scope of the following claims.
