
WO2023012808A1 - A system and method for managing digital identity of a user in a digital ecosystem - Google Patents

A system and method for managing digital identity of a user in a digital ecosystem

Info

Publication number
WO2023012808A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
server
digital identity
response
user device
Application number
PCT/IN2021/050989
Other languages
French (fr)
Inventor
Sukanta Sahoo
GovindRaj Jayaram
Original Assignee
SRINIVAS RAJGOPAL, Anasapurapu

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles
    • H04L 67/306 User profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L 9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves, involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Definitions

  • the present invention generally relates to digital identity of a user in a digital ecosystem. More particularly, the present invention relates to a system and method for managing a digital identity of a user in a digital ecosystem.
  • the user may tend to use the same log-in details for two or more applications, thereby weakening the authentication mechanisms of these applications and compromising the safety and security of the users.
  • One or more embodiments of the present invention provides system and method for managing digital identity of a user in a digital ecosystem.
  • a system for managing digital identity of a user in a digital ecosystem comprises a relying party (RP) server, configured to: establish, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generate, the digital identity of the user in response to establishing the secured link with the user device; generate, a profile of the user in response to generating the digital identity, the profile being identified by the digital identity; verify the user, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generate, a pair of keys including a public key and a private key of the user and storing at the profile of the user, wherein the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key; authenticate, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to
  • a computer implemented method for managing digital identity of a user in a digital ecosystem comprises the steps of: establishing, by a relying party (RP) server, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generating, by the RP server, the digital identity of the user in response to establishing the secured link with the user device; verifying the user, by the RP server, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generating, by the RP server, a profile of the user in response to successful verification of the user based on the peer information received, the profile being identified by the digital identity; generating, by the RP server, a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user in response to receiving the peer verified information pertaining to the user, wherein the digital identity of the user being transmitted to the
  • FIG. 1 is an environment for managing digital identity of a user in a digital ecosystem, according to one or more embodiments of the present invention
  • FIG. 2 is a schematic representation of managing a digital identity of a user in a digital ecosystem utilizing various hardware components, according to one or more embodiments of the present invention
  • FIG. 3 is an example of an interface that is generated to register the user with a system, according to one or more embodiments of the present invention
  • FIG. 4 illustrates a storage space allocated for one or more peers at a profile of a user, according to one or more embodiments of the present invention
  • FIG. 5 illustrates an exemplary embodiment of authenticating a user, in accordance with one or more embodiments of the present invention
  • FIG. 6 illustrates an example of performing a handshake operation, according to one or more embodiments of the present invention
  • FIG. 7 illustrates a flowchart of a computer implemented method for managing digital identity of a user in a digital ecosystem
  • FIG. 8 is a block diagram of a computing device that may be used to implement the systems and methods described in this document, according to one or more embodiments of the present invention.
  • Various embodiments of the invention provide system and method for managing digital identity of a user in a digital ecosystem.
  • the present invention is configured to provide a system and method for managing the digital identity of the user in the digital ecosystem by ensuring privacy and integrity of user data is maintained.
  • the present invention negates the usage of password and user-name in order to access one or more vendor entities/vendor servers.
  • the present invention can be applied to fields such as, at least one of, but not limited to, social network, medical, banking, government, information technology, education, e-commerce, etc.
  • the digital ecosystem is a group of interconnected information technology resources that can function as a unit.
  • Digital ecosystems are made up of suppliers, customers, trading partners, applications, third-party data service providers, social network systems and all respective technologies.
  • FIG. 1 illustrates an environment for managing digital identity of a user in a digital ecosystem, according to one or more embodiments of the present invention.
  • the environment includes a system 100, a user device 150, a vendor server 170 and an Application Programming Interface (API) server 180.
  • the system 100, the user device 150, the vendor server 170 and the API server 180 communicate with each other over a communications network 190.
  • the communications network can be one of, but not limited to, LAN, cable, WLAN, cellular, or satellite.
  • the user device 150 includes a display 152, a relying party (RP) interactive module 154, a memory 156, a transceiver 158 and a microprocessor 160.
  • the microprocessor 160 controls the operation of the display 152, the memory 156 and the transceiver 158.
  • the RP interactive module 154 is also configured to display and facilitate the user to input and/or view data.
  • the vendor server 170 includes a transceiver 172, a vendor processor 174 and a memory 176.
  • the vendor entity including the vendor server 170 is at least one of, but not limited to, e-commerce platforms, social networks, etc.
  • the system 100 includes a relying party (RP) server 102.
  • the RP server 102 is utilized in the present invention since the RP server has the built-in configurations to provide access to secure vendor entities/vendor servers.
  • the RP server 102 includes a communication transceiver 104, a RP processor 106, a memory 108, a storage unit 110 and an authentication module 112.
  • the communication transceiver 104, the RP processor 106, the memory 108 and the storage unit 110 can operate as independent units in communication with each other.
  • Fig. 2 illustrates the schematic representation of managing the digital identity of the user in the digital ecosystem, wherein various hardware components such as, but not limited to, the peer devices 202, the user device 150, the communication transceiver 104, the RP processor 106, the storage unit 110, the authentication module 112, the API server 180 and the vendor server 170 are used in order to implement the present invention.
  • Fig. 2 will be explained along with other figures for clarity purposes.
  • the user device 150 is one of, but not limited to, a mobile phone, a laptop, a desktop, PDA, tablet and a virtual storage medium such as, but not limited to, cloud.
  • the user device 150 communicates with the RP server 102 via the communications network 190.
  • the processors described hereinafter may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions.
  • the processor is configured to fetch and execute computer-readable instructions stored in the memory.
  • the memory referred to hereinafter, and any other storage means and/or units, may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
  • the user is required to register with the system 100.
  • the user is required to first download the RP interactive module 154 on the user device 150.
  • the communication transceiver 104 of the RP server 102 establishes a secured link with the user device 150.
  • the secured link is a communications channel that connects two or more devices over the communications network 190, herein mainly the user device 150 and the RP server 102, for the purpose of data transmission.
  • the secured link may be a dedicated physical link or a virtual circuit that uses one or more physical links or shares a physical link with other telecommunications links.
  • Fig. 3 illustrates an example of an interface 310 that is generated by the RP server 102 on the display 152 of the user device 150 once the RP interactive module 154 is downloaded.
  • the interface 310 displays a list of requirements/instructions for the user to follow in order to register with the system 100.
  • the list of instructions is related to receiving at least one of or a combination of, the user details and the user’s biometric data. For example as shown in Fig. 3, the user is required to input the respective name as user details. Thereafter, the user device 150 requests the biometric data of the user.
  • the biometric data of the user comprises data of physical characteristics of the user, such as at least one of, but not limited to, the fingerprints of the user, the face pattern of the user and the iris of the user.
  • the user device 150 checks that the received data is complete and correctly formatted. In case there are any errors, these are indicated to the user for correction. Once this task is completed, the user is said to be registered with the system 100.
  • the RP server 102 generates the digital identity of the user.
  • the digital identity is a unique identifier of the user in the digital ecosystem and comprises a combination of alphanumeric characters.
  • the RP server 102 verifies the user based on peer information pertaining to the user received from one or more peer devices 202 belonging to one or more peers related to the user.
  • the peers are acquaintances of the user.
  • the peer information is received at the RP server 102 from the one or more peer devices 202 after the RP server 102 transmits a peer verification link to the user device 150 and the user shares that link, via the user device 150, with the one or more peer devices 202.
  • the user is required to share the peer verification link to at least three peers to ensure a thorough verification is performed of the user by the RP server 102.
  • the user may send the peer verification link via the user device 150 using one or more third party platforms.
  • once the one or more peers receive the peer verification link on their respective peer devices 202, they are required to click on the said link.
  • the said link will direct the one or more peers to the RP interactive module 154 which is required to be downloaded and installed by the one or more peers.
  • a questionnaire/information pertaining to the identity of the user is displayed on the peer device 202.
  • the questionnaire/information pertaining to the identity of the user may include how the one or more peers of the user know the user.
  • the questionnaire/information may include questions such as, but not limited to, how do you know the user? or do you know the user?.
  • the peer information is received at the RP server 102 from the one or more peer devices 202. Thereafter, the RP server 102 tags the user device ID of the user with the peer information.
  • tagging the user device ID with the peer information includes correlating and storing the user device ID with the peer device IDs.
  • this ensures that the user cannot verify again using the peer verification link with the same user device ID, thereby preventing fake identities from being created with the system 100.
  • a profile of the user is generated, the profile being identified by the digital identity. Further, a storage space is allocated for each of the one or more peers at the profile of the user as shown in Fig. 4.
  • digital data of the one or more peers is populated into these storage spaces for each user. In this regard, the one or more peers become an integral part of the user's circle to verify/validate the user in the future.
  • the RP server 102 generates a user device 150 identifier in response to generating the profile which is identified by the digital identity. Subsequently, a correlating link is established between the user device 150 identifier and the digital identity of the user. For example, let us consider the digital identity of the user is "1234" and the user device identifier is "1a2b3c". Based on this, the correlating link can contain information in a format such as, but not limited to, [Digital Identity - 1234; User Device Identifier - 1a2b3c]. Once the correlating link is established, the RP server 102 stores the correlating link at the profile of the user at the storage unit 110.
  • the user device identifier is independent of changes in the configuration of the user device, i.e. it does not change when the user device ID changes.
  • the user device identifier is not tied to the present user device ID of the user or to the current user device 150.
  • if the user installs the RP interactive module 154 on a new user device 150 with the same digital identity, the same correlating link stored at the profile of the user is used,
  • thereby ensuring the digital identity of the user is preserved irrespective of the change in configuration of the user device.
  • in response to receiving the peer verified information from the one or more peer devices 202, the RP server 102 generates a pair of keys including a public key and a private key of the user.
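The peer verification, device tagging and correlating link described above, as an added example in Python; this is not code from the patent or its applicant. The RPServer class, the questionnaire answer layout ({"knows_user": ..., "how": ...}), the hypothetical link URL, the random identifier formats and the storage structures are assumptions about how the steps on the page could be represented, not a disclosure of the actual implementation. The three-peer minimum is the page's own requirement.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

MIN_PEERS = 3  # the page requires the link to reach at least three peers


@dataclass
class Profile:
    digital_identity: str
    user_device_identifier: str                      # stable identifier, correlated with the digital identity
    peer_slots: dict = field(default_factory=dict)   # one storage space per verifying peer (Fig. 4)


class RPServer:
    """Hypothetical RP server state for the registration and peer verification steps."""

    def __init__(self):
        self.pending_links = {}      # link token -> digital identity the link was issued for
        self.peer_responses = {}     # digital identity -> {peer device ID: questionnaire answers}
        self.tagged_devices = {}     # user device ID -> peer device IDs it was verified with
        self.profiles = {}           # digital identity -> Profile (storage unit 110)
        self.correlating_links = {}  # digital identity -> user device identifier

    @staticmethod
    def generate_digital_identity() -> str:
        """Unique alphanumeric identifier of the user in the digital ecosystem (assumed format)."""
        return secrets.token_hex(4)

    def issue_peer_verification_link(self, digital_identity: str) -> str:
        """Link the RP server sends to the user device; the user forwards it to peers."""
        token = secrets.token_urlsafe(16)
        self.pending_links[token] = digital_identity
        return "https://rp.example/verify?t=" + token   # hypothetical RP URL

    def receive_peer_information(self, link: str, peer_device_id: str, answers: dict) -> int:
        """Questionnaire answers arriving from one peer device; returns how many peers have answered."""
        token = parse_qs(urlparse(link).query).get("t", [None])[0]
        digital_identity = self.pending_links.get(token)
        if digital_identity is None:
            raise ValueError("unknown or expired peer verification link")
        if not answers.get("knows_user"):
            raise ValueError("peer does not vouch for the user")
        responses = self.peer_responses.setdefault(digital_identity, {})
        responses[peer_device_id] = answers   # the same peer device answering twice counts once
        return len(responses)

    def verify_user(self, digital_identity: str, user_device_id: str) -> bool:
        """Peer verification, device tagging, profile creation and the correlating link."""
        responses = self.peer_responses.get(digital_identity, {})
        if len(responses) < MIN_PEERS:
            return False
        # Tag the user device ID with the peer device IDs. A device ID that is already
        # tagged cannot be run through peer verification again, for any digital identity,
        # which is what the page relies on to block fake identities.
        if user_device_id in self.tagged_devices:
            raise PermissionError("user device ID already used for peer verification")
        self.tagged_devices[user_device_id] = tuple(sorted(responses))
        profile = Profile(digital_identity, user_device_identifier=secrets.token_hex(3))
        for peer_device_id, answers in responses.items():
            profile.peer_slots[peer_device_id] = answers   # storage space allocated per peer
        self.profiles[digital_identity] = profile
        # [Digital Identity - ...; User Device Identifier - ...] kept at the profile
        self.correlating_links[digital_identity] = profile.user_device_identifier
        return True

    def user_device_identifier_for(self, digital_identity: str) -> str:
        """What a reinstall on a new device resolves to: the link is keyed by digital
        identity, not by the concrete device ID, so it survives a device change."""
        return self.correlating_links[digital_identity]
```

The check a practitioner would want is in verify_user: the threshold is counted over distinct peer device IDs, so one peer replaying the questionnaire cannot satisfy it, and the tagged-device lookup is done before any profile is written, so a refused attempt leaves no partial state.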
  • the pair of keys is stored at the profile of the user.
  • the digital identity of the user is transmitted to the user device 150 along with the public key and the private key to decrypt the digital identity encrypted with the public key.
  • the RP server 102 authenticates the user based on an attestation response received from the user device 150.
  • the authentication is done by the RP server 102 to check the authenticity of the digital identity of the user.
  • the attestation response is received by the RP server 102 from the user device 150 in response to the RP server 102 requesting the attestation response from the user device 150 by transmitting an attestation response request to the user.
  • the attestation response includes information of the public key and a token pertaining to the digital identity of the user.
  • the RP server 102 extracts the public key and the token including the digital identity of the user from the attestation response that is received. Thereafter, the RP server 102 matches the digital identity of the user that is extracted from the token against the multiple digital identities of the multiple profiles stored at the storage unit 110. Once the digital identity is matched at a profile, the RP server 102 matches the public key received with the attestation response against the public key corresponding to the matched digital identity at the profile of the user. Authentication of the user by the RP server is further explained with reference to an example as shown in Fig. 5.
  • attestation response received at the RP server 102 includes the token and the public key details.
  • the token includes the digital identity of the user, which is "1a2b", and the public key is "3c4d".
  • the RP server performs a match test of the received digital identity of the user "1a2b" against the multiple digital identities stored at the respective multiple profiles of the users as shown in Fig. 5.
  • the RP server 102 checks if the received public key matches the public key stored at the respective profile of the matched digital identity.
  • the received digital identity of the user matches the digital identity stored at profile 1.
  • the RP server 102 matches the received public key "3c4d" of the attestation response with the public key "3c4d" stored at profile 1 of the matched digital identity, thereby successfully authenticating the user.
  • the user can select on an option to send an authorizing instruction via the RP interactive module 154 as shown in an exemplary embodiment of Fig. 6.
  • the authorizing instruction is sent from the user device 150 to the RP server 102.
  • the authorizing instruction includes the details of the digital identity and the private key of the user. In the present example, the digital identity is "1a2b" and the private key is "786t".
  • the authorizing instruction is triggered at the user device 150 after the user has been detected, i.e. after the user device 150 receives the biometric data from the user.
  • the RP server 102 performs a handshake operation between the user and the vendor server 170 belonging to the vendor entity.
  • the handshake operation is illustrated below.
  • the RP server 102 extracts the digital identity and the private key details from the authorizing instruction. Thereafter, the RP server does a match test of the received digital identity with the multiple digital identities stored at multiple profiles as shown in Fig. 6 to verify the user.
  • the RP server matches the received private key “786t” with the corresponding private key stored at profile 1.
  • the verification of the private key ensures that the user is verified in a secured way.
  • upon successful verification of the user using the private key, the RP server 102 transmits the token of the user to the vendor server 170 via the API server 180. The token includes details of the digital identity of the user. Finally, the RP server 102 signs the digital identity of the user with the vendor server 170 utilizing a vendor private key, thereby ensuring the user is validated by the vendor entity.
  • the vendor private key is received by the RP server 102 from the vendor server, in response to the RP server 102 transmitting the token including the digital identity of the user to the vendor server upon successful verification of the user.
  • the RP server 102 receives the vendor private key from the vendor server 170 only after the RP server 102 verifies the user, thereby ensuring only verified users are given access to the vendor servers 170 belonging to the respective vendor entities. This further ensures that the security of the vendor entities is not compromised.
  • the vendor private key is pre- stored at the RP server 102 and the RP server 102 signs the digital identity of the user with the vendor private key only after successful verification of the user by the RP server 102.
  • in another embodiment, instead of the RP server 102 signing the digital identity of the user with the vendor server 170, the RP server 102 sends signing instructions to the vendor server 170, and the vendor server 170 then signs the digital identity of the user with the vendor private key.
  • the API server 180 used in the present invention facilitates in allowing the RP server 102 to communicate with the vendor server 170 in a secured way.
  • the authorizing instruction received from the user via the user device 150 to access the vendor entity further includes at least one of, instructions pertaining to scope of access to contents of the vendor entity and scope of data sharing by the user with the vendor entity.
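The authentication of Fig. 5 and the handshake of Fig. 6, as an added example in Python that is not part of the patent and is not the applicant's code. The profile store, the layouts of the attestation response and the authorizing instruction, the random key format (the page allows keys to be random bit sequences), the vendor name "shop" and the pre-stored vendor key embodiment are assumptions. The page says the digital identity is signed with a vendor private key but does not specify the algorithm; this example substitutes an HMAC-SHA256 tag under the vendor key so that it runs with the standard library only. One point worth noting from the page's own description: the authorizing instruction carries the user's private key to the RP server, which compares it by value, so the private key is handled as a shared secret rather than used for a signature made on the device. The example keeps that behaviour but performs both key comparisons in constant time, which is the minimum a practitioner would want for a value compared this way.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Profile:
    digital_identity: str
    public_key: str
    private_key: str


def _canonical(token: dict) -> bytes:
    """Stable byte encoding of a token so signer and verifier hash the same bytes."""
    return json.dumps(token, sort_keys=True, separators=(",", ":")).encode()


def vendor_sign(token: dict, vendor_private_key: str) -> str:
    """Stand-in for the vendor-key signature on the page: an HMAC-SHA256 tag (assumption)."""
    return hmac.new(vendor_private_key.encode(), _canonical(token), hashlib.sha256).hexdigest()


def vendor_validate(signed: dict, vendor_private_key: str) -> bool:
    """Vendor-side check that the token carries a tag made with the vendor's key."""
    expected = vendor_sign(signed["token"], vendor_private_key)
    return hmac.compare_digest(expected.encode(), str(signed["signature"]).encode())


def _same(stored: str, received: str) -> bool:
    """Constant-time comparison of a stored key with a received value."""
    return hmac.compare_digest(stored.encode(), str(received).encode())


class RPServer:
    """Hypothetical RP server holding user profiles and pre-stored vendor private keys."""

    def __init__(self, vendor_private_keys: dict):
        self.profiles = {}                              # digital identity -> Profile (storage unit 110)
        self.vendor_private_keys = vendor_private_keys  # vendor name -> vendor private key

    def register(self, digital_identity: str) -> dict:
        """Generate the user's key pair, store it at the profile, return what the device receives."""
        profile = Profile(digital_identity, secrets.token_hex(16), secrets.token_hex(16))
        self.profiles[digital_identity] = profile
        return {"digital_identity": digital_identity,
                "public_key": profile.public_key,
                "private_key": profile.private_key}

    def authenticate(self, attestation_response: dict) -> bool:
        """Fig. 5: match the token's digital identity, then the public key at that profile."""
        digital_identity = attestation_response["token"]["digital_identity"]
        profile = self.profiles.get(digital_identity)
        if profile is None:
            return False
        return _same(profile.public_key, attestation_response["public_key"])

    def handshake(self, authorizing_instruction: dict, vendor: str) -> dict:
        """Fig. 6: verify the private key, then issue a vendor-signed token via the API server."""
        digital_identity = authorizing_instruction["digital_identity"]
        profile = self.profiles.get(digital_identity)
        if profile is None or not _same(profile.private_key, authorizing_instruction["private_key"]):
            raise PermissionError("user verification failed; no token is sent to the vendor")
        token = {"digital_identity": digital_identity,
                 # scope of access to vendor contents / scope of data sharing, as on the page
                 "scope": authorizing_instruction.get("scope", {})}
        return {"token": token, "signature": vendor_sign(token, self.vendor_private_keys[vendor])}
```

The order of checks mirrors the page: identity lookup first, key comparison second, and nothing is sent towards the vendor unless the private-key comparison succeeds. The scope carried in the authorizing instruction is bound into the signed token, so the vendor can enforce the limits the user chose rather than only the fact of authentication.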
  • module refers to logic embodied in hardware or firmware, or to a collection of software instructions, written in a programming language, such as, for example, Java, C, or assembly.
  • One or more software instructions in the modules may be embedded in firmware, such as an EPROM.
  • modules may comprise connected logic units, such as gates and flip-flops, and may comprise programmable units, such as programmable gate arrays or processors.
  • the modules described herein may be implemented as either software and/or hardware modules and may be stored in any type of computer-readable medium or other computer storage device.
  • the user private key, the user public key and the vendor private key may each be at least one of, but not limited to, a combination of alphanumeric characters, a randomly or pseudo-randomly generated sequence of bits, etc.
  • the user has complete control over the user data.
  • confidentiality of the user data is given utmost importance in the present invention.
  • since the RP server performs the handshake between the user and the vendor entity, user data is stored at the RP server and/or the storage unit. The user device is therefore not burdened with storing large amounts of data for multiple vendor entities, leading to efficient data storage and quick, real-time data transmission among the user device, the RP server 102, the API server 180 and the vendor server 170.
  • FIG. 7 shows a flowchart of a computer implemented method for managing digital identity of a user in a digital ecosystem.
  • the method is described with the embodiment as illustrated in Fig. 1 to Fig. 6.
  • the method comprises the steps as indicated below:
  • step 702 establishing, by a relying party (RP) server, a secured link with a user device in response to the user downloading the relying party interactive module on the user device.
  • step 704 generating, by the RP server, the digital identity of the user in response to establishing the secured link with the user device.
  • step 706 verifying the user, by the RP server, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user.
  • step 708 generating, by the RP server, a profile of the user in response to successful verification of the user based on the peer information received, the profile being identified by the digital identity.
  • step 710 generating, by the RP server, a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user in response to receiving the peer verified information pertaining to the user.
  • the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key.
  • step 712 authenticating the user, by the RP server, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user.
  • step 714 performing a handshake, by the RP server, between the user and a vendor entity in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
  • FIG. 8 is a block diagram of computing device 800 that may be used to implement the systems and methods described in this document, as a server or plurality of servers.
  • Computing device is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers.
  • the components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations described and/or claimed in this document.
  • Computing device includes a processor 802, memory 804, a storage device 806, a high-speed interface 808 connecting to the memory 804 and high-speed expansion ports 810, and a low speed interface 812 connecting to low speed bus 814 and storage device 806.
  • Each of the components 802, 804, 806, 808, 810, 812 and 814, are interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate.
  • the processor 802 can process instructions for execution within the computing device, including instructions stored in the memory or on the storage device to display graphical information for a GUI on an external input/output device, such as display 816 coupled to high speed interface.
  • multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory.
  • multiple computing devices may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
  • the memory 804 stores information within the computing device.
  • the memory 804 is a computer-readable medium.
  • the memory is a volatile memory unit or units.
  • the memory is a non-volatile memory unit or units.
  • the storage device 806 is capable of providing mass storage for the computing device.
  • the storage device 806 is a computer- readable medium.
  • the storage device 806 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid-state memory device, or an array of devices, including devices in a storage area network or other configurations.
  • a computer program product is tangibly embodied in an information carrier.
  • the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
  • the information carrier is a computer- or machine readable medium, such as the memory, the storage device, memory on processor, or a propagated signal.
  • the high-speed controller manages bandwidth-intensive operations for the computing device, while the low speed controller manages lower bandwidth-intensive operations. Such allocation of duties is exemplary only.
  • the high-speed controller is coupled to memory, display (e.g., through a graphics processor or accelerator), and to high-speed expansion ports, which may accept various expansion cards (not shown).
  • low-speed controller is coupled to storage device and low-speed expansion port.
  • the low-speed expansion port which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet), may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
  • the computing device may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 818, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 820. In addition, it may be implemented in a personal computer such as a laptop computer 822. Alternatively, components from computing device may be combined with other components in a mobile device (not shown), such as device. Each of such devices may contain one or more of computing device, and an entire system may be made up of multiple computing devices 800 communicating with each other.
  • Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof.
  • These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
  • the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer.
  • Other categories of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • the systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components.
  • the components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet.
  • Embodiments may be implemented, at least in part, in hardware or software or in any combination thereof.
  • Hardware may include, for example, analog, digital or mixed-signal circuitry, including discrete components, integrated circuits (ICs), or application-specific ICs (ASICs).
  • Embodiments may also be implemented, in whole or in part, in software or firmware, which may cooperate with hardware.
  • Processors for executing instructions may retrieve instructions from a data storage medium, such as EPROM, EEPROM, NVRAM, ROM, RAM, a CD-ROM, a HDD, and the like.
  • Computer program products may include storage media that contain program instructions for implementing embodiments described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A system and method for managing digital identity of a user in a digital ecosystem is provided. The method comprises, establishing a secured link with a user device in response to the user downloading the relying party interactive module on the user device, generating the digital identity of the user, verifying the user based on peer information pertaining to the user received from one or more peer devices, generating a profile of the user, generating a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user, authenticating the user based on an attestation response received from the user device, and performing a handshake between the user and a vendor entity in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.

Description

TITLE
A SYSTEM AND METHOD FOR MANAGING DIGITAL IDENTITY OF A USER IN A DIGITAL ECOSYSTEM
FIELD OF THE INVENTION
[0001] The present invention generally relates to digital identity of a user in a digital ecosystem. More particularly, the present invention relates to a system and method for managing a digital identity of a user in a digital ecosystem.
BACKGROUND OF THE INVENTION
[0002] With the advent of smart phones, multiple mobile applications are being built and hosted on various platforms via the internet. The mobile applications are built in relation to social interaction, business, professional, e-commerce, education, technology, etc. Therefore, the smart phone user is spoilt with multiple choices of mobile applications for various uses. In this regard, the user may have multiple mobile applications installed on the smart phone and each of these will have a registration process to add the user to the respective application. In other words, each application installed will require a separate log-in, i.e., a user-name and a password/biometric identity detection pattern. Therefore, it becomes a complicated process for the user to, firstly remember the log-in details of each application. Further, in the event the log-in details are forgotten by the user, the process to retrieve/create new log-in details is again a time consuming process.
[0003] Further, in order to remember the log-in details of each application, the user may tend to use the same log-in details for two or more applications, thereby weakening the authentication mechanisms for these applications and compromising the safety and security of the users.
[0004] Furthermore, some of these mobile applications are linked to the widely popular social networking platforms and e-commerce platforms. Therefore, instead of registering/logging-in with the respective log-in details for each of the mobile application, the user can log-in using these popular social networking platforms and e-commerce platforms. However, there are possibilities of the user data being retained/misappropriated with these social networking platforms and e-commerce platforms, thereby compromising on privacy and integrity of the user data. Also, while logging-in using the social networking platforms, the user will not have the flexibility of controlling and sharing the user data, since the user data will already be stored in the social networking platforms.
[0005] In view of the above, there is a dire need for systems and methods for managing digital identity of the user in the digital ecosystem, thereby ensuring confidentiality, integrity and privacy of user data is not compromised.
SUMMARY OF THE INVENTION
[0006] One or more embodiments of the present invention provide a system and method for managing digital identity of a user in a digital ecosystem.
[0007] In one aspect of the invention, a system for managing digital identity of a user in a digital ecosystem is provided. The system comprises a relying party (RP) server, configured to: establish, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generate, the digital identity of the user in response to establishing the secured link with the user device; generate, a profile of the user in response to generating the digital identity, the profile being identified by the digital identity; verify the user, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generate, a pair of keys including a public key and a private key of the user and storing at the profile of the user, wherein the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key; authenticate, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user, wherein in response to receiving the attestation response, the RP server identifies the digital identity of the user based on the; and perform, a handshake between the user and a vendor entity via an API server, in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
[0008] In yet another aspect of the invention, a computer implemented method for managing digital identity of a user in a digital ecosystem is provided. The method comprises the steps of: establishing, by a relying party (RP) server, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generating, by the RP server, the digital identity of the user in response to establishing the secured link with the user device; verifying the user, by the RP server, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generating, by the RP server, a profile of the user in response to successful verification of the user based on the peer information received, the profile being identified by the digital identity; generating, by the RP server, a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user in response to receiving the peer verified information pertaining to the user, wherein the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key; authenticating the user, by the RP server, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user; and performing a handshake, by the RP server, between the user and a vendor entity in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
[0009] Other features and aspects of this invention will be apparent from the following description and the accompanying drawings. The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art, in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] Reference will be made to embodiments of the invention, examples of which may be illustrated in the accompanying figures. These figures are intended to be illustrative, not limiting. The accompanying figures, which are incorporated in and constitute a part of the specification, are illustrative of one or more embodiments of the disclosed subject matter and together with the description explain various embodiments of the disclosed subject matter and are intended to be illustrative. Further, the accompanying figures have not necessarily been drawn to scale, and any values or dimensions in the accompanying figures are for illustration purposes only and may or may not represent actual or preferred values or dimensions. Although the invention is generally described in the context of these embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments.
[0011] FIG. 1 is an environment for managing digital identity of a user in a digital ecosystem, according to one or more embodiments of the present invention;
[0012] FIG. 2 is a schematic representation of managing a digital identity of a user in a digital ecosystem utilizing various hardware components, according to one or more embodiments of the present invention;
[0013] FIG. 3 is an example of an interface that is generated to register the user with a system, according to one or more embodiments of the present invention;
[0014] FIG. 4 illustrates a storage space allocated for one or more peers at a profile of a user, according to one or more embodiments of the present invention;
[0015] FIG. 5 illustrates an exemplary embodiment of authenticating a user, in accordance with one or more embodiments of the present invention;
[0016] FIG. 6 illustrates an example of performing a handshake operation, according to one or more embodiments of the present invention;
[0017] FIG. 7 illustrates a flowchart of a computer implemented method for managing digital identity of a user in a digital ecosystem; and
[0018] FIG. 8 is a block diagram of a computing device that may be used to implement the systems and methods described in this document, according to one or more embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0019] Reference will now be made in detail to specific embodiments or features, examples of which are illustrated in the accompanying drawings. Wherever possible, corresponding or similar reference numbers will be used throughout the drawings to refer to the same or corresponding parts. References to various elements described herein are made collectively or individually when there may be more than one element of the same type. However, such references are merely exemplary in nature. It may be noted that any reference to elements in the singular may also be construed to relate to the plural and vice-versa without limiting the scope of the invention to the exact number or type of such elements unless set forth explicitly in the appended claims. Moreover, relational terms such as first and second, and the like, may be used to distinguish one entity from the other, without necessarily implying any actual relationship or order between such entities.
[0020] Various embodiments of the invention provide system and method for managing digital identity of a user in a digital ecosystem. The present invention is configured to provide a system and method for managing the digital identity of the user in the digital ecosystem by ensuring privacy and integrity of user data is maintained. Advantageously, the present invention negates the usage of password and user-name in order to access one or more vendor entities/vendor servers. The present invention can be applied to fields such as, at least one of, but not limited to, social network, medical, banking, government, information technology, education, e-commerce, etc.
[0021] In an embodiment, the digital ecosystem is a group of interconnected information technology resources that can function as a unit. Digital ecosystems are made up of suppliers, customers, trading partners, applications, third-party data service providers, social network systems and all respective technologies.
[0022] Fig. 1 illustrates an environment for managing digital identity of a user in a digital ecosystem, according to one or more embodiments of the present invention. The environment includes a system 100, a user device 150, a vendor server 170 and an Application Programming Interface (API) server 180. The system 100, the user device 150, the vendor server 170 and the API server 180 communicate with each other over a communications network 190.
[0023] The communications network can be one of, but not limited to, LAN, cable, WLAN, cellular, or satellite.
[0024] In accordance with an embodiment of the invention, the user device 150 includes a display 152, a relying party (RP) interactive module 154, a memory 156, a transceiver 158 and a microprocessor 160. The microprocessor 160 controls the operation of the display 152, the memory 156 and the transceiver 158. The RP interactive module 154 is also configured to display and facilitate the user to input and/or view data.
[0025] Further, in accordance with an embodiment of the invention, the vendor server 170 includes a transceiver 172, a vendor processor 174 and a memory 176.
[0026] In an embodiment, the vendor entity including the vendor server 170 is at least one of, but not limited to, e-commerce platforms, social networks, etc.
[0027] The system 100 includes a relying party (RP) server 102.
[0028] In an embodiment, the RP server 102 is utilized in the present invention since the RP server has the built-in configurations to provide access to secure vendor entities/vendor servers.
[0029] The RP server 102 includes a communication transceiver 104, a RP processor 106, a memory 108, a storage unit 110 and an authentication module 112. In an alternate embodiment, the communication transceiver 104, the RP processor 106, the memory 108 and the storage unit 110 can operate as independent units in communication with each other.
[0030] The present invention will hereinafter be explained with reference to Fig. 2. Fig. 2 illustrates the schematic representation of managing the digital identity of the user in the digital ecosystem, wherein various hardware components such as, but not limited to, the peer devices 202, the user device 150, the communication transceiver 104, the RP processor 106, the storage unit 110, the authentication module 112, the API server 180 and the vendor server 170 are used in order to implement the present invention. Fig. 2 will be explained along with other figures for clarity purposes.
[0031] In an embodiment, the user device 150 is one of, but not limited to, a mobile phone, a laptop, a desktop, PDA, tablet and a virtual storage medium such as, but not limited to, cloud.
[0032] The user device 150 communicates with the RP server 102 via the communications network 190.
[0033] The processors explained hereinafter are processors that may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor is configured to fetch and execute computer-readable instructions stored in the memory.
[0034] The memory referred hereinafter, in general includes memory and any other storage means and/or units may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
[0035] At the outset, the user is required to register with the system 100. For registration, the user is required to first download the RP interactive module 154 on the user device 150. Once the RP interactive module 154 is downloaded on the user device 150, the communication transceiver 104 of the RP server 102 establishes a secured link with the user device 150.
[0036] In an embodiment, the secured link is a communications channel that connects two or more devices over the communications network 190, herein mainly the user device 150 and the RP server 102, for the purpose of data transmission. The secured link may be a dedicated physical link or a virtual circuit that uses one or more physical links or shares a physical link with other telecommunications links.
[0037] Thereafter, the user is required to install the RP interactive module 154 on the user device 150. Fig. 3 illustrates an example of an interface 310 that is generated by the RP server 102 on the display 152 of the user device 150 once the RP interactive module 154 is downloaded. The interface 310 displays a list of requirements/instructions for the user to follow in order to register with the system 100. The list of instructions relates to receiving at least one of, or a combination of, the user details and the user's biometric data. For example, as shown in Fig. 3, the user is required to input the respective name as user details. Thereafter, the user device 150 requests the biometric data of the user. In an embodiment, the biometric data of the user can be data on physical characteristics of the user, such as at least one of, but not limited to, the fingerprints of the user, the face pattern of the user and the iris of the user. Once the combination of the user name and the biometric data is received at the user device 150, the user device 150 checks whether the data received is in the right order. In case there are any errors, the same is indicated to the user for rectification. Once this task is completed, the user is said to be registered with the system 100.
[0038] Once the user is registered with the system 100, the RP server 102 generates the digital identity of the user. In an embodiment, the digital identity is a unique identifier of the user in the digital ecosystem and comprises a combination of alphanumeric characters.
[0039] Once the digital identity of the user is generated, the RP server 102 verifies the user based on peer information pertaining to the user received from one or more peer devices 202 belonging to one or more peers related to the user.
[0040] In an embodiment, the peers are acquaintances of the user. The peer information is received at the RP server 102 from the one or more peer devices 202 in response to transmitting, by the RP server 102, to the user device 150 a peer verification link and the user sharing via the user device 150, the verification link to the one or more peer devices 202.
[0041] In an embodiment, the user is required to share the peer verification link to at least three peers to ensure a thorough verification is performed of the user by the RP server 102.
[0042] Since the one or more peers are not yet registered with the system 100, the user may send the peer verification link via the user device 150 using one or more third party platforms. Once the one or more peers receive the peer verification link on their respective peer devices 202, the one or more peers are required to click on the said link. The said link will direct the one or more peers to the RP interactive module 154, which is required to be downloaded and installed by the one or more peers.
[0043] Once the RP interactive module 154 is installed, a questionnaire/information pertaining to the identity of the user is displayed on the peer device 202.
[0044] In an embodiment, the questionnaire/information pertaining to the identity of the user may include how the one or more peers of the user know the user. For example, the questionnaire/information may include questions such as, but not limited to, "How do you know the user?" or "Do you know the user?".
[0045] Once the one or more peers respond to the questionnaire/information, the peer information is received at the RP server 102 from the one or more peer devices 202. Thereafter, the RP server 102 tags the user device ID of the user with the peer information. In an embodiment, tagging the user device ID with the peer information includes correlating and storing the user device ID with the peer device IDs. Advantageously, this ensures that the user cannot verify again using the peer verification link with the same user device ID, thereby preventing fake identities being created with the system 100.
[0046] Once the RP server 102 successfully verifies the one or more peers of the user, a profile of the user is generated, the profile being identified by the digital identity. Further, a storage space is allocated for each of the one or more peers at the profile of the user as shown in Fig. 4. Advantageously, this populates digital data of the one or more peers for each user. In this regard, the one or more peers become an integral part of the user's circle to verify/validate the user in the future.
[0047] Thereafter, the RP server 102 generates a user device 150 identifier in response to generating the profile which is identified by the digital identity. Subsequently, a correlating link is established between the user device 150 identifier and the digital identity of the user. For example, let us consider the digital identity of the user is “1234” and the user device identifier is “Ia2b3c”. Based on which, the correlating link can contain information in the format such as, but not limited to, [Digital Identity- 1234; User Device Identifier- Ia2b3c]. Once the correlating link is established, the RP server 102 stores the correlating link at the profile of the user at the storage unit 110.
[0048] In an embodiment, the user device identifier is independent, irrespective of a change in configurations of the user device ID. In other words, the user device identifier is not restricted to the present user device ID of the user and the respective user device 150. In the event the user device 150 is lost, and thereafter the user installs the RP interactive module 154 on the new user device 150 with the same digital identity, even then the same correlating link will be used which is stored at the profile of the user. Advantageously, this ensures the digital identity of the user is preserved irrespective of the change in configurations of the user device.
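The peer-verification and correlating-link steps of paragraphs [0040] to [0048], as an added example in Python that is not code from the patent or its applicant. It models only the RP-server side with constructed sample data: the class and method names (RPServer, issue_peer_link, submit_peer_response, finalize_profile, correlating_link_for_device), the questionnaire field "knows_user", and the way the user device identifier is derived from the digital identity are all assumptions made for this illustration. It enforces the three-peer minimum of [0041], the once-per-device-ID rule of [0045], and the device-independent correlating link of [0048].

```python
"""Peer verification, device-ID tagging and the correlating link.

Added example, not code from the patent.  Names and the derivation of the
user device identifier are assumptions made for this illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

MIN_PEERS = 3  # [0041]: the user shares the link with at least three peers


@dataclass
class Profile:
    digital_identity: str
    peer_slots: dict = field(default_factory=dict)        # storage space per peer (Fig. 4)
    correlating_link: dict = field(default_factory=dict)  # [Digital Identity; User Device Identifier]


class RPServer:
    def __init__(self):
        self._pending = {}         # link token -> {"identity", "device_id", "responses"}
        self._tagged_devices = {}  # user device ID -> set of peer device IDs ([0045])
        self._profiles = {}        # digital identity -> Profile

    def issue_peer_link(self, identity: str, user_device_id: str) -> str:
        """Return an unguessable peer-verification link token the user forwards to peers."""
        if user_device_id in self._tagged_devices:
            # [0045]: a user device ID already tagged with peer information cannot verify again
            raise PermissionError("user device ID already tagged with peer information")
        token = secrets.token_urlsafe(16)
        self._pending[token] = {"identity": identity, "device_id": user_device_id, "responses": {}}
        return token

    def submit_peer_response(self, token: str, peer_device_id: str, answers: dict) -> int:
        """Record one peer's questionnaire answers ([0044]); returns distinct peers so far."""
        entry = self._pending[token]  # an unknown token raises KeyError
        if not answers.get("knows_user"):
            raise ValueError("peer does not vouch for the user")
        entry["responses"][peer_device_id] = answers  # the same peer device counts once
        return len(entry["responses"])

    def finalize_profile(self, token: str) -> Profile:
        """[0046]-[0047]: create the profile, tag the device and store the correlating link."""
        entry = self._pending[token]
        if len(entry["responses"]) < MIN_PEERS:
            raise ValueError(f"need at least {MIN_PEERS} peers, have {len(entry['responses'])}")
        del self._pending[token]
        identity, device_id = entry["identity"], entry["device_id"]
        self._tagged_devices[device_id] = set(entry["responses"])
        profile = Profile(identity, peer_slots=dict(entry["responses"]))
        profile.correlating_link = {
            "Digital Identity": identity,
            "User Device Identifier": self._user_device_identifier(identity),
        }
        self._profiles[identity] = profile
        return profile

    @staticmethod
    def _user_device_identifier(identity: str) -> str:
        # Derived from the digital identity only, so it does not change when the
        # device changes ([0048]).  The derivation itself is a constructed choice.
        return hashlib.sha256(b"device-identifier:" + identity.encode()).hexdigest()[:6]

    def correlating_link_for_device(self, identity: str, current_device_id: str) -> dict:
        """[0048]: reinstalling with the same digital identity reuses the stored link.

        The current device ID is deliberately not consulted.
        """
        return self._profiles[identity].correlating_link
```

The link token is generated with `secrets` so that a peer cannot guess another user's verification link, and a peer device that answers twice is counted once, so three distinct peer devices are needed before the profile is created.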
[0049] In an embodiment, in response to receiving the peer verified information from the one or more peer devices 202, the RP server 102 generates a pair of keys including a public key and a private key of the user. The pair of keys is stored at the profile of the user. Thereafter, the digital identity of the user is transmitted to the user device 150 along with the public key and the private key to decrypt the digital identity encrypted with the public key.
[0050] In an embodiment, the RP server 102 authenticates the user based on an attestation response received from the user device 150. The authentication is done by the RP server 102 to check the authenticity of the digital identity of the user. The attestation response is received by the RP server 102 from the user device 150 in response to the RP server 102 requesting the attestation response from the user device 150 by transmitting an attestation response request to the user. In an embodiment, the attestation response includes information of the public key and a token pertaining to the digital identity of the user.
[0051] In an embodiment, the RP server 102 extracts the public key and the token including the digital identity of the user from the attestation response that is received. Thereafter, the RP server 102 matches the digital identity of the user that is extracted from the token with the multiple digital identities of multiple profiles stored at the storage unit. Subsequent to a match identified of the digital identity at the profile, the RP server 102 matches the public key received with the attestation response with the public key corresponding to the identified matched digital identity at the profile of the user.
[0052] Authentication of the user by the RP server is further explained with reference to an example as shown in Fig. 5. Let us consider that the attestation response is received from the user device in response to the attestation response request sent by the RP server 102 to the user device 150. In the present example, the attestation response received at the RP server 102 includes the token and the public key details. The token includes the digital identity of the user which is “la2b” and the public key is “3c4d”.
[0053] Firstly, the RP server performs a match test of the received digital identity of the user “la2b” with the multiple digital identities stored at respective multiple profiles of the users as shown in Fig. 5.
[0054] Once a match of the digital identity is identified at the profile, the RP server 102 checks if the received public key matches with the public key stored at the respective profile of the matched digital identity. In the present example, the match of the received digital identity of the user is with the digital identity stored at profile 1. Thereafter, the RP server 102 matches the received public key “3c4d” of the attestation response with the public key “3c4d” stored at the profile 1 of the matched digital identity, thereby successfully authenticating the user.
[0055] In the event the user intends to access the vendor entity, the user can select on an option to send an authorizing instruction via the RP interactive module 154 as shown in an exemplary embodiment of Fig. 6. Once the user selects the option on the RP interactive module 154, the authorizing instruction is sent from the user device 150 to the RP server 102. The authorizing instruction includes the details of the digital identity and the private key of the user. In the present example, the digital identity is “la2b” and the private key is “786t”.
[0056] In an embodiment, the authorizing instruction received from the user device is triggered in response to the user being detected subsequent to receiving the biometric data at the user device 150 from the user.
[0057] Once the authorizing instruction is received at the RP server 102, the RP server 102 performs a handshake operation between the user and the vendor server 170 belonging to the vendor entity. The handshake operation is illustrated below.
[0058] Firstly, the RP server 102 extracts the digital identity and the private key details from the authorizing instruction. Thereafter, the RP server does a match test of the received digital identity with the multiple digital identities stored at multiple profiles as shown in Fig. 6 to verify the user.
[0059] Once a match is found with one of the profiles, herein the received digital identity “la2b” matches with the digital identity “la2b” of profile 1, then the RP server matches the received private key “786t” with the corresponding private key stored at profile 1. In the present example, there is a successful match of the private key received with the private key stored at profile 1. Therefore, the user is successfully verified. Advantageously, the verification of the private key ensures that the user is verified in a secured way.
[0060] Upon successful verification of the user using the private key, the RP server 102 transmits the token of the user to the vendor server 170 via the API server 180. The token includes details of the digital identity of the user. Finally, the RP server 102 signs the digital identity of the user with the vendor server 170 utilizing a vendor private key, thereby ensuring the user is validated by the vendor entity.
[0061] In an embodiment, the vendor private key is received by the RP server 102 from the vendor server, in response to the RP server 102 transmitting the token including the digital identity of the user to the vendor server upon successful verification of the user. Advantageously, the RP server 102 receives the vendor private key from the vendor server 170 only after the RP server 102 verifies the user, thereby ensuring only verified users are given access to the vendor servers 170 belonging to the respective vendor entities. Further, ensuring that the security of the vendor entities is not compromised.
[0062] In an alternate embodiment, the vendor private key is pre-stored at the RP server 102 and the RP server 102 signs the digital identity of the user with the vendor private key only after successful verification of the user by the RP server 102.
[0063] In an alternate embodiment, instead of the RP server signing the digital identity of the user with the vendor server 170, the RP server sends signing instructions to the vendor server 170, thereafter the vendor server 170 signs the digital identity of the user with the vendor private key.
[0064] In an embodiment, the API server 180 used in the present invention, facilitates in allowing the RP server 102 to communicate with the vendor server 170 in a secured way.
[0065] In an embodiment, the authorizing instruction received from the user via the user device 150 to access the vendor entity further includes at least one of, instructions pertaining to scope of access to contents of the vendor entity and scope of data sharing by the user with the vendor entity. Advantageously, this ensures the user is in control of user data and also has the flexibility for content management. Further, since the user is required to remember only the digital identity to access one or more vendor entities, the cumbersome task of remembering multiple passwords for multiple vendor entities is negated in totality.
[0066] In general, the word “module,” as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, written in a programming language, such as, for example, Java, C, or assembly. One or more software instructions in the modules may be embedded in firmware, such as an EPROM. It will be appreciated that modules may comprise connected logic units, such as gates and flip-flops, and may comprise programmable units, such as programmable gate arrays or processors. The modules described herein may be implemented as either software and/or hardware modules and may be stored in any type of computer-readable medium or other computer storage device.
[0067] Further, while one or more operations have been described as being performed by or otherwise related to certain modules, devices or entities, the operations may be performed by or otherwise related to any module, device or entity. As such, any function or operation that has been described as being performed by a module could alternatively be performed by a different server, by the cloud computing platform, or a combination thereof.
[0068] In an embodiment, the user private key, the user public key and the vendor private key may be at least one of, but not limited to a combination of alphanumeric characters, randomly or pseudo-randomly generated sequence of bits, etc.
[0069] Based on the examples and embodiments illustrated above, the user has complete control over the user data. Advantageously, confidentiality of the user data is given utmost importance in the present invention. Further, since the RP server performs the handshake between the user and the vendor entity, storage of user data is done at the RP server and/or the storage unit. Therefore, the user device will not be burdened with large data storage of multiple vendor entities, thereby leading to efficient data storage and ensuring that data transmission among the user device, the RP server 102, the API server 180 and the vendor server 170 is quick and in real time.
[0070] FIG. 7 shows a flowchart of a computer implemented method for managing digital identity of a user in a digital ecosystem. For the purpose of description, the method is described with the embodiment as illustrated in Fig. 1 to Fig. 6. The method comprises the steps as indicated below:
[0071] At step 702, establishing, by a relying party (RP) server, a secured link with a user device in response to the user downloading the relying party interactive module on the user device.
[0072] At step 704, generating, by the RP server, the digital identity of the user in response to establishing the secured link with the user device.
[0073] At step 706, verifying the user, by the RP server, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user.
[0074] At step 708, generating, by the RP server, a profile of the user in response to successful verification of the user based on the peer information received, the profile being identified by the digital identity.
[0075] At step 710, generating, by the RP server, a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user in response to receiving the peer verified information pertaining to the user. The digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key.
[0076] At step 712, authenticating the user, by the RP server, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user.
[0077] At step 714, performing a handshake, by the RP server, between the user and a vendor entity in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
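The handshake of paragraphs [0057] to [0065] and of step 714, as an added Python model that is not part of the patent or of any implementation of it: the RP server runs the match test of the received digital identity and private key against its stored profiles, builds the token carrying the digital identity and the optional scope instructions, and signs it with a pre-stored vendor private key (the alternate embodiment of [0062]). The HMAC signature scheme, the profile values other than "la2b"/"786t", the vendor identifier and the function names are assumptions; the page leaves them open.

```python
import hashlib
import hmac
import json
import secrets

# Constructed profiles at the RP server, keyed by digital identity. The "la2b" /
# "786t" pair follows the page's worked example ([0059]); profile 2 is made up.
PROFILES = {
    "la2b": {"private_key": "786t", "public_key": "pub-la2b", "name": "profile 1"},
    "c3d4": {"private_key": "991q", "public_key": "pub-c3d4", "name": "profile 2"},
}

# Hypothetical pre-stored vendor private key ([0062]); value and vendor id constructed.
VENDOR_PRIVATE_KEYS = {"vendor-170": "vendor-secret-key-constructed"}


def verify_user(profiles, authorizing_instruction):
    """Match test of [0058]-[0059]: locate the profile whose digital identity equals
    the received one, then compare the received private key with the stored one.
    Returns the matched profile, or None. compare_digest keeps the comparison
    constant-time so a mismatch position is not observable."""
    digital_identity = authorizing_instruction.get("digital_identity", "")
    private_key = authorizing_instruction.get("private_key", "")
    profile = profiles.get(digital_identity)
    if profile is None:
        return None
    if not hmac.compare_digest(profile["private_key"].encode(), private_key.encode()):
        return None
    return profile


def build_token(digital_identity, authorizing_instruction, nonce=None):
    """Token of [0060]: the digital identity plus the scope instructions of [0065].
    Scopes default to empty when the user sent none; a nonce makes each token unique."""
    return {
        "digital_identity": digital_identity,
        "access_scope": list(authorizing_instruction.get("access_scope", [])),
        "data_sharing_scope": list(authorizing_instruction.get("data_sharing_scope", [])),
        "nonce": nonce if nonce is not None else secrets.token_hex(8),
    }


def sign_with_vendor_key(token, vendor_private_key):
    """Signing of [0060]/[0062], modelled as HMAC-SHA256 over canonical JSON
    (assumption: the page does not fix a signature scheme)."""
    payload = json.dumps(token, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(vendor_private_key.encode(), payload, hashlib.sha256).hexdigest()


def vendor_verifies(token, signature, vendor_private_key):
    """Check the vendor server 170 can run on receipt: any change to the token
    (for example a widened access_scope) invalidates the signature."""
    expected = sign_with_vendor_key(token, vendor_private_key)
    return hmac.compare_digest(expected, signature)


def perform_handshake(profiles, vendor_keys, vendor_id, authorizing_instruction, nonce=None):
    """Step 714 / [0057]-[0060]: verify the user first, then issue and sign the token.
    Returns (status, token, signature); nothing is signed for an unverified user."""
    profile = verify_user(profiles, authorizing_instruction)
    if profile is None:
        return "rejected", None, None
    vendor_key = vendor_keys.get(vendor_id)
    if vendor_key is None:
        return "unknown_vendor", None, None
    token = build_token(authorizing_instruction["digital_identity"], authorizing_instruction, nonce)
    return "verified", token, sign_with_vendor_key(token, vendor_key)


if __name__ == "__main__":
    # Constructed authorizing instruction as the user device 150 would send it.
    instr = {"digital_identity": "la2b", "private_key": "786t",
             "access_scope": ["profile:read"], "data_sharing_scope": ["email"]}
    status, token, sig = perform_handshake(PROFILES, VENDOR_PRIVATE_KEYS, "vendor-170", instr)
    print(status, token, sig[:16])
    wrong_key = dict(instr, private_key="0000")
    print(perform_handshake(PROFILES, VENDOR_PRIVATE_KEYS, "vendor-170", wrong_key)[0])
```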
[0078] FIG. 8 is a block diagram of computing device 800 that may be used to implement the systems and methods described in this document, as a server or plurality of servers. Computing device is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations described and/or claimed in this document.
[0079] Computing device includes a processor 802, memory 804, a storage device 806, a high-speed interface 808 connecting to the memory 804 and high-speed expansion ports 810, and a low speed interface 812 connecting to low speed bus 814 and storage device 806. Each of the components 802, 804, 806, 808, 810, 812 and 814, are interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate. The processor 802 can process instructions for execution within the computing device, including instructions stored in the memory or on the storage device to display graphical information for a GUI on an external input/output device, such as display 816 coupled to high speed interface. In other implementations, multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory. Also, multiple computing devices may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
[0080] The memory 804 stores information within the computing device. In one implementation, the memory 804 is a computer-readable medium. In one implementation, the memory is a volatile memory unit or units. In another implementation, the memory is a non-volatile memory unit or units.
[0081] The storage device 806 is capable of providing mass storage for the computing device. In one implementation, the storage device 806 is a computer-readable medium. In various different implementations, the storage device 806 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid-state memory device, or an array of devices, including devices in a storage area network or other configurations. In one implementation, a computer program product is tangibly embodied in an information carrier. The computer program product contains instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory, the storage device, memory on processor, or a propagated signal.
[0082] The high-speed controller manages bandwidth-intensive operations for the computing device, while the low speed controller manages lower bandwidth-intensive operations. Such allocation of duties is exemplary only. In one implementation, the high-speed controller is coupled to memory, display (e.g., through a graphics processor or accelerator), and to high-speed expansion ports, which may accept various expansion cards (not shown). In the implementation, low-speed controller is coupled to storage device and low-speed expansion port. The low-speed expansion port, which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet), may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
[0083] The computing device may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 818, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 820. In addition, it may be implemented in a personal computer such as a laptop computer 822. Alternatively, components from computing device may be combined with other components in a mobile device (not shown), such as device. Each of such devices may contain one or more of computing device, and an entire system may be made up of multiple computing devices 800 communicating with each other.
[0084] Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
[0085] These computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” and “computer-readable medium” refer to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.
[0086] To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other categories of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
[0087] The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet.
[0088] Embodiments may be implemented, at least in part, in hardware or software or in any combination thereof. Hardware may include, for example, analog, digital or mixed-signal circuitry, including discrete components, integrated circuits (ICs), or application-specific ICs (ASICs). Embodiments may also be implemented, in whole or in part, in software or firmware, which may cooperate with hardware. Processors for executing instructions may retrieve instructions from a data storage medium, such as EPROM, EEPROM, NVRAM, ROM, RAM, a CD-ROM, a HDD, and the like. Computer program products may include storage media that contain program instructions for implementing embodiments described herein.
[0089] While aspects of the present invention have been particularly shown and described with reference to the embodiments above, it will be understood by those skilled in the art that various additional embodiments may be contemplated by the modification of the disclosed machines, systems and methods without departing from the scope of what is disclosed. Such embodiments should be understood to fall within the scope of the present invention as determined based upon the claims and any equivalents thereof.

Claims

I/We Claim:
1. A computer implemented method for managing digital identity of a user in a digital ecosystem, the method comprises the steps of: establishing, by a relying party (RP) server, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generating, by the RP server, the digital identity of the user in response to establishing the secured link with the user device; verifying the user, by the RP server, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generating, by the RP server, a profile of the user in response to successful verification of the user based on the peer information received, the profile being identified by the digital identity; generating, by the RP server, a pair of keys including a public key and a private key of the user and storing the pair of keys at the profile of the user in response to receiving the peer verified information pertaining to the user, wherein the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key; authenticating the user, by the RP server, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user; and performing a handshake, by the RP server, between the user and a vendor entity in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
2. The method as claimed in claim 1, wherein the digital identity generated by the RP server is a unique identifier of the user in the digital ecosystem.
3. The method as claimed in claim 1, wherein the digital identity of the user comprises a combination of alphanumeric characters.
The method as claimed in claim 1, wherein the step of generating, by the RP server, the digital identity of the user, further comprises the steps of: receiving, credentials and biometric data of the user from the user device; generating, the digital identity in response to receiving the credentials and the biometric data of the user; generating, a user device identifier in response to generating the digital identity, wherein the user device identifier being independent irrespective of a change in configurations of the user device; and establishing a correlating link between the user device identifier and the digital identity of the user and storing the correlating link at the profile of the user, thereby ensuring the digital identity of the user is preserved irrespective of the change in configurations of the user device.
The method as claimed in claim 1, wherein the peer information is received from the one or more peer devices in response to transmitting, by the RP server, to the user device a peer verification link and the user sharing via the user device, the verification link to the one or more peer devices.
The method as claimed in claim 1, wherein in response to the successful verification of the user based on the peer information received from the one or more peer devices, the RP server allocates a storage space for each of the one or more peers at the profile of the user, thereby populating digital data of the one or more peers for each user.
The method as claimed in claim 1, wherein the step of performing the handshake, by the RP server, between the user and the vendor entity, comprises the steps of: receiving, by the RP server, the private key of the user from the user device, in response to the authorizing instruction from the user to access the vendor entity; verifying, by the RP server, the user based on comparing the private key received from the user device with the corresponding public key stored at the profile of the user; transmitting, by the RP server, the token of the user to the vendor server in response to a successful verification of the user; and signing, the digital identity of the user with the vendor server utilizing a vendor private key.
The method as claimed in claim 1, wherein the authorizing instruction received from the user device is triggered in response to the user being detected subsequent to receiving the biometric data at the user device by the user.
The method as claimed in claim 1, wherein the authorizing instruction received from the user via the user device to access the vendor entity further includes at least one of, instructions pertaining to scope of access to contents of the vendor entity and scope of data sharing by the user with the vendor entity, thereby ensuring the user is in control of user data.
A system for managing digital identity of a user in a digital ecosystem, the system comprising: a relying party (RP) server, configured to: establish, a secured link with a user device in response to the user downloading the relying party interactive module on the user device; generate, the digital identity of the user in response to establishing the secured link with the user device; generate, a profile of the user in response to generating the digital identity, the profile being identified by the digital identity; verify the user, based on peer information pertaining to the user received from one or more peer devices belonging to one or more peers related to the user; generate, a pair of keys including a public key and a private key of the user and storing at the profile of the user, wherein the digital identity of the user being transmitted to the user device along with the public key and the private key to decrypt the digital identity encrypted with the public key; authenticate, based on an attestation response received from the user device, the attestation response including information of the public key and a token pertaining to the digital identity of the user, wherein in response to receiving the attestation response, the RP server identifies the digital identity of the user based on the; and perform, a handshake between the user and a vendor entity via an API server, in response to receiving an authorizing instruction from the user via the user device to access the vendor entity.
PCT/IN2021/050989 2021-08-04 2021-10-18 A system and method for managing digital identity of a user in a digital ecosystem WO2023012808A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202141035126 2021-08-04

Publications (1)

Publication Number Publication Date
WO2023012808A1 true WO2023012808A1 (en) 2023-02-09

Family

ID=85155376

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2021/050989 WO2023012808A1 (en) 2021-08-04 2021-10-18 A system and method for managing digital identity of a user in a digital ecosystem

Country Status (1)

Country Link
WO (1) WO2023012808A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6401206B1 (en) * 1997-03-06 2002-06-04 Skylight Software, Inc. Method and apparatus for binding electronic impressions made by digital identities to documents
US20040205176A1 (en) * 2003-03-21 2004-10-14 Ting David M.T. System and method for automated login
US20130086639A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Mobile application, identity interface
US20190114636A1 (en) * 2017-10-13 2019-04-18 John D. Rome Method and system providing peer effort-based validation


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21952677

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21952677

Country of ref document: EP

Kind code of ref document: A1