GB2478753A - Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority - Google Patents
Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority Download PDFInfo
- Publication number
- GB2478753A GB2478753A GB1004391A GB201004391A GB2478753A GB 2478753 A GB2478753 A GB 2478753A GB 1004391 A GB1004391 A GB 1004391A GB 201004391 A GB201004391 A GB 201004391A GB 2478753 A GB2478753 A GB 2478753A
- Authority
- GB
- United Kingdom
- Prior art keywords
- party
- certifying authority
- time
- digit
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000005516 engineering process Methods 0.000 claims 1
- 238000013474 audit trail Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 230000035899 viability Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H04L29/06755—
-
- H04L29/06823—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H04L9/3202—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H04L9/3294—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/20—Services signaling; Auxiliary data signalling, i.e. transmitting data via a non-traffic channel
- H04W4/21—Services signaling; Auxiliary data signalling, i.e. transmitting data via a non-traffic channel for social networking applications
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention proposes a `real-time ID' comprising a root ID (eg. based on passport information), a persona/role/attribute (eg. police officer) and a timestamp. The real time ID is encrypted and combined with a plain text request for information into a challenge transmitted from a requesting party 9 to a providing party 10, who forwards it to a certifying authority/authentication broker 11. The certifying authority decrypts the real time ID and validates whether the requestor is authorised to make the request. If allowable the certifying authority responds with a real time ID and the requested data, recovered from secure data depositories. Example uses are bar staff requesting proof of age, customs officials requesting travel details. The real time ID may be displayed as a 2D barcode (see Figs. 1 and 2).
Description
Generating an individual's real-time ID
DESCRIPTION
The invention describes a system that uses a handset-based mobile device (e.g. smart phone, i-pod, blackberry, palm-held computer) for providing an individual's real-time root identity assignment that is only created and presented at the point of requirement. This is ephemeral data that has no value subsequent to its generation and one-time use.
For in-Country nationals, this will be a unique real-time ID and will be an encrypted minimum 24 digit figure consisting of an 11 digit Root Identity, followed by a 3 or more digit persona and digit time stamp.
The key claim within Real time ID, however, is that the identity is only established at the pointitime of requirement, making it a unique bridge between the authonsed request (requesting party) and the identity claimant (providing party/individual).
The claimant (providing party/individual) has no need to be aware of their root identity number, as it will never be required to be presented, but will need to be aware of which persona the individual wishes to verify. The individual merely needs a device capable of calculating the necessary verification of their identity at any given time and the secondary ability to relay this information to the requesting party.
The principle is based on there being a root identity assigned to an individual, and that the individual can then adopt persona with which to make assertions, enabling them to provide tailored business cards' enabling pseudonymity, whilst also enabling authorised bodies (such as law enforcement, port security, medical staff, bar staff etcetera) to have a challenge persona associated with their status providing the requisite information that they are permitted to request with no additional superfluous information.
Therefore, if a police officer was to request ID from an individual then the challenge response would be initiated by the officer with a validated request under, say, persona 999, with name, address, and other pertinent information. In the case of freight movement into/out of a port, the challenge response would be initiated by port gate security with a validated request, say persona 211, for the vehicle driver's name, booking reference, and other pertinent information such as HGV details and freight documentation, etcetera. However, should a challenge be issued by bar staff under, say persona 456, the information provided would be a yes/no answer to the question of being over 18.
For an exemplar of overseas visitors entering Country at an immigration gateway (e.g. airport, seaport) for business, pleasure, etc., should the visit be in connection with an event such as London 2012, the root identity of the visitor would be the country code, passport number and biometric data, and the persona would be the 2012 (digital) ticket The data [7], could be displayed as a block grid [6], and used to provide access to various events, and help prevent ticket touting.
The root identity, combined with the persona would therefore provide only the information required (in line with Kim Cameron's laws of Identity) and an audit trail of the request would be created in the form of the unique real time identity (whether manifesting as a numerical string or an image).
The principle behind the real time nature of Identity under this model holds true regardless of the precise numbers used, but for ease of illustration and to demonstrate the feasibility of the system we use the example of our current 240 block grid [6&7], being an 8 by 30 display, giving 2240 possible variants. This figure is sufficient to build in vast redundancy, and were there to be 100 billion root identities (i.e. people) enrolled, and giving the opportunity for 1000 personae (i.e. 500 claims and 500 role based authorisations), and with real time ID operating each second (all these are clearly excessive assumptions, but are made to illustrate the viability) the following chances of collision are raised.
With 100 billion root identities and 1000 personae giving 100 trillion claims, there are 100 trillion possible valid results every second, enabling an attacker with full access to data to attempt to find a collision of a given string/image at a rate of 100 trillion per second.
Fortunately, however, with only' 100 trillion valid results (being that person a with persona b at time c's identity collides with person x with persona y at time z) then with a given string/image the chance of a collision within the next century would be one in iü°. Had the system been put in place at the time of the Big Bang, the chance of a collision having occurred at some point to date would rise to one in 1 Embodiments of the present invention will now be described with accompanying figures, by way of an example/illustration, with reference to a deployment.
When an authonsed/requesting party requests ID credentials [8, 9] they issue a challenge consisting of a simple timestamp, encrypted under the key relating to their own claim.
Therefore a challenge relating to I am a police/security officer and want your ID is sent in plain text accompanying a cipher text containing the timestamp, root ID of the challenging party, and the persona under which they are requesting information) encrypted under their key.
The responding/providing party, for example vehicle driver, [10] can only see plain text relating to the challenge, which is passed on to the authentication broker/certifying authority [11] (as termed under UK Government Gateway -essentially this is the trusted third party (UP) holding all the root identities) which decrypts the cipher-text to reveal the timestamp of the challenge and verifies that the challenger is authorised to make such an assertion. The UP then relays to the respondent (providing party) the unique real-time ID code [5] together with the requisite information (i.e. name [1], booking reference [2], port exit date [3]) alongside the appropriate security information (e.g. a facial biometric [4]) to establish to the requesting party that the respondent is who they say they are.
This identity code is thereafter of no relevance as it pertains only to that root identify and that persona at that time, and cannot therefore be replayed. In many circumstances this could be a challenge response in real time, or in other uses could be time ranged (e.g. in printing tickets with the unique ID code which will confirm right of entry at a given time (cancellation of ticket by genuine purchaser can then invalidate the unique ID code, and another can be presented).
Claims (4)
- CLAIMSA system that uses handset-based mobile devices for providing a unique real-time identity, which for in-Country nationals will be an encrypted minimum 24 digit figure consisting of an 11 digit Root Identity, followed by a 3 or more digit persona and 10 digit time stamp (for in-Country visitors, the root identity would be an encrypted country code, passport number and biometrics, and the persona related to the reason for visiting) that is only created and presented at the point/time of requirement, comprising: (i) A requesting party, and a providing party; and (ii) A certifying authority; and (iii) An operating system, resident software; and (iv) A security component; and (v) Secure data depositories; and (Vi) A means for receiving, deciphering and displaying received information.
- 2. A system according to claim 1(i), wherein each party has a proximity enabled handset-based mobile device which uses close proximity technologies such as blue-tooth, infra-red, near-field, etc.; and
- 3. A system according to claim I (ii), wherein the certifying authority is a trusted third party that holds all root identities and decrypts the cipher-text to reveal the timestamp of the challenge and verifies that the requesting party is authonsed to make such a request; and
- 4. A system according to claim I (iii), wherein the operating system enables routing of an encrypted challenge request to the certifying authority and displays the challenge request in plain text on the providing party's mobile device; and A system according to claim 1(v), wherein one or more secure data depositories are accessed to retrieve the requested information; and 6. A system according to claim 5, wherein the trusted third party relays the information to requested party which is then deciphered and displayed on the requested party's mobile device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1004391A GB2478753A (en) | 2010-03-17 | 2010-03-17 | Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1004391A GB2478753A (en) | 2010-03-17 | 2010-03-17 | Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB201004391D0 GB201004391D0 (en) | 2010-04-28 |
| GB2478753A true GB2478753A (en) | 2011-09-21 |
Family
ID=42261693
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB1004391A Withdrawn GB2478753A (en) | 2010-03-17 | 2010-03-17 | Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2478753A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2495494A (en) * | 2011-10-10 | 2013-04-17 | Intercede Ltd | Identity verification |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040093515A1 (en) * | 2002-11-12 | 2004-05-13 | Microsoft Corporation | Cross platform network authentication and authorization model |
| US20080189544A1 (en) * | 2006-05-05 | 2008-08-07 | International Business Machines Corporation | Method and apparatus for preferred business partner access in public wireless local area networks (lans) |
-
2010
- 2010-03-17 GB GB1004391A patent/GB2478753A/en not_active Withdrawn
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040093515A1 (en) * | 2002-11-12 | 2004-05-13 | Microsoft Corporation | Cross platform network authentication and authorization model |
| US20080189544A1 (en) * | 2006-05-05 | 2008-08-07 | International Business Machines Corporation | Method and apparatus for preferred business partner access in public wireless local area networks (lans) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2495494A (en) * | 2011-10-10 | 2013-04-17 | Intercede Ltd | Identity verification |
Also Published As
| Publication number | Publication date |
|---|---|
| GB201004391D0 (en) | 2010-04-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11044087B2 (en) | System for digital identity authentication and methods of use | |
| US20190273607A1 (en) | System for digital identity authentication and methods of use | |
| US8078885B2 (en) | Identity authentication and secured access systems, components, and methods | |
| US20020152379A1 (en) | Method, arrangement and device for voting | |
| JP6590834B2 (en) | Electronic voting system and method | |
| CN109409893A (en) | A kind of belief system and its construction method, equipment and storage medium | |
| Shah et al. | Blockchain enabled online-voting system | |
| Alamleh et al. | Analysis of the design requirements for remote internet-based e-voting systems | |
| CN101088247B (en) | Control group access to doors | |
| Jambhulkar et al. | A secure approach for web based internet voting system using multiple encryption | |
| Geetha et al. | A secure digital e-voting using blockchain technology | |
| US11640616B2 (en) | System and method of counting votes in an electronic voting system | |
| Ansper et al. | Security and Trust for the Norwegian E-voting Pilot Project E-valg 2011 | |
| Petcu et al. | A hybrid mobile biometric-based e-voting system | |
| GB2478753A (en) | Authenticated challenge/response scheme with encrypted time-stamped ID/role messages exchanged and validated by certifying authority | |
| Abo-Rizka et al. | A Novel E-voting in Egypt | |
| Prosser et al. | Security assets in e-voting | |
| Dharwadker et al. | Options for digital birth certificates | |
| Purkayastha et al. | Static Structure of Smart Card based Cloud Voting System | |
| Biswas | Gsm verification based secure e-voting framework | |
| Krishnamoorthy et al. | A Robust Blockchain Assisted Electronic Voting Mechanism with Enhanced Cyber Norms and Precautions | |
| Pradhan et al. | Decentralized Voting System Using Blockchain Technology | |
| Matharu et al. | Integrated election voting system: A model for leveraging ICT in the Indian election scenario | |
| Li et al. | A Study of Vulnerabilities in E-Voting System | |
| Liu | Scenario study of biometric systems at borders |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |