SYSTEM AND METHOD TO USE A CLOUD-BASED PLATFORM SUPPORTED BY AN API TO AUTHENTICATE REMOTE USERS AND TO PROVIDE PKI- AND PMI- BASED DISTRIBUTED LOCKING OF CONTENT AND DISTRIBUTED UNLOCKING OF PROTECTED CONTENT

Abstract

A security system for authenticating users and protecting content that provides an application program interface (API) with a Cloud Platform integration (Platform) for use by enterprise businesses, government entities, systems integrators, independent software vendors, small business, individuals and others (“Entities”) to extend the security capabilities of PKI- and PMI-systems to authenticated external users and protected content.

Description

BACKGROUND

Field of the Described Embodiments

The present disclosure relates generally to providing one or more Application Programming Interfaces (APIs) integrating with a Platform Service (either Cloud, local server-based, or other) to provide access and use of one or more of the Platform's features. An example of one such feature could be to enable the extension of security credentials for entities such as enterprise businesses, government, small business, individuals, systems integrators, independent software vendors and others, “Entities”, in order to effectuate more secure communication between an Entity and one or more remote third parties (for example, from an enterprise Entity to a third party customer beyond that enterprise Entities' network firewall).

Most Entities are faced with similar, common security challenges. For many of such challenges, positive security solutions can sometimes be achieved through the use of cryptography. Cryptographic security solutions typically require well-tested solutions which can be challenging to execute and deliver reliably and securely, even for professional experienced in the field. According to Bruce Schneier (respected cryptographer, computer security & privacy specialist, and writer): “ . . . two cryptography truisms. The first is that cryptography is hard . . . . The second is that cryptographic implementation is hard . . . ” and “We're great at mathematically secure cryptography, and terrible at using those tools to engineer secure systems”. For these reasons, well-designed, well-executed, tested, cryptographic tools that provide useful and flexible solutions that meet actual security needs can be difficult for those Entities to produce for themselves. Therefore a Platform and API with useful and tested cryptographic solutions could be of benefit to those Entities.

The Platform with its API(s) and Software Development Kit (SDK) may make it easier and simpler for software designers, application developers, Entities and others to add sophisticated cryptographic security solutions to their applications and/or Entity software solutions. The Platform, API and related technology may allow them to devote more time to meeting software requirements rather than dealing with the unique challenges of developing secure cryptographic systems, thereby reducing overall development time.

SUMMARY OF THE DESCRIBED EMBODIMENTS

Application programmers, including application developers, often provide Users with software applications that enable various services for the User. For example, an application may be provided to a user to authenticate the identity of a remote third party with whom the user desires to establish an authenticated, secure communication line (as described later herein). In such a case, the application programmer or platform service provider provisions an API with the authentication feature, and exposes various inputs to permit the user to activate the feature to implement the feature. The application programmer may implement the service of authentication based on knowledge of application programming interfaces (APIs) that are offered by various technology service and/or platform providers. Each platform or service provider tends to have proprietary or specific APIs used to invoke the services it offers. The application programmer utilizes the APIs provided by the provider, with the appropriate parameters, to invoke the desired feature (e.g., authentication of a remote third party).

API (Application Programming Interface) may include a set of routines, protocols, and tools for building software applications that utilize those specific routines, protocols and tools. Generally an API is considered to be a software component in terms of its defined operations, inputs, outputs, and underlying types. The Platform API may define and provide access to (and use of) the unique functionalities of the Platform. A software developer may incorporate the API into his/her software application. An API may make it easier to develop a software application by providing some of the building blocks required by an application developer, which he/she may then put together.

APIs may be created and offered using various methods such as SOAP (SOAP stands for Simple Object Access Protocol, and is XML based). Another is REST (short for Representational State Transfer. REST uses standard HTTP methods). More description of common API technology can be found at http://en.wikipedia.org/wiki/Application_programming_interface

A Platform is often hosted in the Cloud (e.g., “Cloud computing”; “Platform as a Service”). Cloud computing (see http://en.wikipedia.org/wiki/Cloud_computing). At the foundation of cloud computing is the broader concept of converged infrastructure and shared services. Cloud computing, or in simpler shorthand just “the cloud”, also focuses on maximizing the effectiveness of the shared resources.

The Platform, as disclosed herein, may also be hosted on a server within an Entity business network or elsewhere other than in the Cloud.

The Platform may support application developers to build software by employing the SDK tools to better use the capabilities of the API in order to control, access and utilize the features and functions of the Platform. Using any of these capabilities, for this disclosure, an Entity and/or User could gain access to one or more of the security, authentication, cryptographic, and other capabilities as disclosed herein and/or priority claims hereof, including U.S. Provisional Patent Applications No. 61/994,885 and 62/133,371.

The Platform and API solutions disclosed herein may provide a User-Directed, Authenticated, Cryptography-Enabling, Security-Focused Ecosystem (the “Security Ecosystem” as described in Appendix A of Application No. 62/133,371) through which an Entity and/or an Entity's “Users” (i.e., customers, clients, prospects, vendors, associates, employees, and/or others with whom an Entity may have a need to share sensitive information) can use one or more of the components of the Security Ecosystem to address one or more security challenges encountered by an Entity and/or User.

Some examples of capabilities that might be accessed through the Platform and API may include (but are not limited to) the following features: Cross-Certification (the Platform may cross-certify an Entity's authorized identities with those of another trusted Entity that also uses the Platform; cross-certification may result in identities on one Entity being recognized by another Entity in order to facilitate inter-Entity, secure, point-to-point encrypted communication with trusted identities). Go Paperless with Users (may eliminate some printing and postage costs of sending statements and/or invoices (and/or other digital content) and/or alternatively the cumbersome practice of requiring Users to login and manually retrieve such digital content, by implementing a process of encrypting such digital content, thus allowing for such digital content to their authenticated recipients for decryption). Digital Transaction Signing (which may support regulatory and/or business needs by providing non-repudiable authorization for some high value transactions, e.g., money transfers, account changes, medical orders, access authorization, etc.). Digital Signatures (may provide an Integrated, Persistent, Non-Repudiable Digital Signature capability between an Entity and a User and/or another Entity that could facilitate the efficiency and reliability of remote document execution). Audit Trails (may provide an integrated Digital, Non-Repudiable, verifiable Audit Trail capability confirming chain of custody, access, etc. of encrypted digital files which, in turn, may reduce fraud). 2-Factor Authentication (may provide an integrated, digital, 2-factor authentication capability to greatly enhance the reliability of remote authentication and approvals as compared to common SMS messaging techniques). Tunable Security (the platform and/or API may include a series of configurable authorization controls, limitations and monitoring capabilities, together with tunable security tools and such features may be configured controlled by an Entity and/or Users.)

Benefits of the possible solutions that could be offered through the Platform and API are numerous with some of them being described as one or more of the following: a core security solution together with add-on, customizable features that can integrate and evolve with existing security solutions; a capability to enable an Entity to invite Users or individuals to a secure communication line without exposing the Entity Infrastructure; a function to allow an Entity system administrator to track, monitor and/or audit transmitted encrypted digital content; a capability to create a separate database of associates and affiliates, including the right to revoke any invitation or relationship; a capability for an Entity to send encrypted digital content outside an Entity firewall with a result being that such digital content may be as secure (or more secure) than within that firewall; a capability to integrate Platform and/or API data records with Active Directory (or a similar system) as well with an Entity's PKI (Public Key Infrastructure); a reduction in “Data Spawn” (i.e., a tendency of unencrypted sensitive digital content to be copied and transferred to another person, Entity and/or location and possibly copied and transferred repeatedly with a result being that the original sensitive digital content may become located in multiple places and/or with multiple individuals or entities, thus reducing its security) through the capabilities of the Platform and API whereby digital content may be transferred to multiple places and/or with multiple individuals or entities in an encrypted format and may be stored in an encrypted format, thus reducing an uncontrolled and/or un-audited distribution of unencrypted sensitive digital content.

The actions of the Platform may be selectively changed, controlled and utilized via the API through Entity-written code, thus providing application-specific security software required by an Entity or end User (such functions may be unique, custom, common or generic). The functionality of the Platform may include the cryptographic security functionality desired by the Entity to provide it with one or more needed products, functions, solutions, capabilities, etc. For example these may include: the inviter-invitee protocol; authentication functions; audit trail capabilities; or other products, functions, solutions, capabilities etc. as described in this disclosure and/or its priority claims, etc.

A Platform SDK (Software Development Kit) may include a set of software development tools that may allow a software developer to create custom software applications to utilize the capabilities of the Platform and/or API. A Platform and/or API in general may also be used or accessed by other Platforms. An example of this is the Uber platform (www.uber.com) which uses the Twilio API and platform (www.twilio.com) for the telecommunications needs that Uber provides to its users (e.g., a text that “your Uber driver has arrived”). Another example is that Uber also uses the Braintree API and platform (www.braintreepayments.com) for processing Uber customers' credit card payments.

One problem to address could be long-stalled “going-paperless” initiatives of some Entities: securely delivering statements, invoices, and other digital content to their Users as opposed to postal mail or the inconvenient “come and get it” paradigm (requiring Users to log into Entity websites and manually retrieve such digital assets. Billions of documents need to be delivered annually from Entities to their Users. Mail is expensive. The “come and get it” paradigm of Users logging onto Entity websites is only partially successful. The “going-paperless” problem is a manifestation of a broader problem confronting Entities: lack of a user-friendly, workable, authenticated, secure B2C and B2B communication capability. It is a challenge today for Entities to easily and securely exchange sensitive digital content with those outside their networks. The Platform and API Security Ecosystem's integrated software capabilities can ensure that the sensitive digital content, etc., that Entity users send to third parties who are off the Entity network can be delivered securely and privately to their correct, authenticated recipients.

The Platform and API Security Ecosystem's software is generally oriented to reduce impact on the existing manner in which Entity users create, store and transmit digital content to others. The Platform and API Security Ecosystem generally does not transport, store or have access to user's encrypted data. The Platform and API Security Ecosystem generally attempts to provide security to user's digital assets by providing a system to protect those assets though encryption, both in transit and at rest.

For Users the Platform and API Security Ecosystem may provide a tool so that Users may communicate privately, securely and with confidence not only with their authenticated friends, family and associates, but also with their user-created groups (e.g., schools, teams, clubs, political organizations, etc.)

The Platform and API Security Ecosystem (either directly or through Entities) may offer Users a downloadable application to install on a desktop or mobile device that will “lock” (encrypt) and “unlock” (decrypt) digital content using a cryptographic standard such as Advanced Encryption Standards (AES 256) as well as possibly other optional protocols. An authenticated, authorized recipient of a digital file may open it; locked files should not be viewable by advertisers, email or cloud providers, governments or others; private encryption keys can be held generally by their owners; and identities may be authenticated through user-managed tools.

As stated on Page 1 of Appendix B of Application No. 62/133,371 (as well as on Page 1 of Application No. 61/792,927) “The various inventions described herein contemplate functions or services fulfilled through service provider involvement. As stated in the various referenced APPENDICES, functions or services and/or data and/or keys may be split across multiple service providers or servers or systems and/or across multiple components of a given service provider or server or system.” “Server” may also be considered to be a “computing device” with a processor(s) and memory.

Such splitting of functions or services and/or data and/or keys (“Items”) across multiple service providers or servers or systems and/or across multiple components of a given service provider or server or system applies to the nature of flexibility of configurations relative to how those Items could be located on a Platform and/or a Line Server within the network infrastructure of an Entity and/or elsewhere. Such embodiments of the invention are suggested and/or described in the descriptions following the above quoted sections in the above priority filings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in greater detail below, with reference to the accompanying drawings, in which:

FIG. 1 is a block diagram of an illustrative architecture for interface and integration between the network of an Entity, an API and a Platform; and

FIG. 2 is a flowchart illustrating an embodiment of the invention through the establishment of an authenticated relationship with an outside third party;

DETAILED DESCRIBED EMBODIMENTS

Referring to FIG. 1, an integration framework 100 is provided to support application developers that develop applications and services for Entities and/or Users in order to use the functions and services offered by the Platform and API. This framework may accommodate development in multiple languages (101, 102, 103, 104, 105, etc.) together with seamless integration by supporting those languages. The framework may support common open protocols (e.g., REST & SOAP). The framework may provide integrated class libraries for each of the programming languages supported. In one embodiment Common Language Specification (CLS) 110 allows designers of various languages to write code that is able to access underlying library functionality of the Platform Object Services layer 112. The specification 110 functions as a contract between language designers and library designers that can be used to promote language interoperability. By adhering to the CLS, libraries written in one language can be directly accessible to code modules written in other languages to achieve seamless integration between code modules written in one language and code modules written in another language. (More information on Common Language Specification can be found under Common Language Infrastructure on Wikipedia: http://en.wkipedia.org/wiki/Common_Language_Infrastructure). The framework 100 includes an application program interface (API) layer 111. The API layer 111 presents groups of functions that the applications 101-105 can call to access the resources and services provided by Platform Object Services layer 112. By exposing the API functions for multiple Platform services, application developers can create Web applications and/or direct application calls that can generate, control and/or make full use of the Platform resources, without needing to understand the complex interworkings of how those cryptographically sophisticated Platform resources actually operate or are made available. Moreover, the Web applications can be written in any number of programming languages, and may be translated into an intermediate language supported by a common language runtime 113 and included as part of the Common Language Specification 110. In this way, the API layer 111 may provide methods to access all of the Platform resources. Additionally, the framework 100 can be configured to support API and/or direct calls placed by remote Client Apps of the service (see 20 in FIG. 2). This framework may modified for Entity and/or User purposes, particularly if a User is using a limited or dedicated function device, such as a mobile device (tablet, cellular phone, etc.).

Referring to FIG. 2, a Enterprise Entity has a network infrastructure, 1, including servers, workstations, firewall, Active Directory, Public Key Infrastructure (PKI), etc. In this embodiment it has a component of the invention with a separate Registration Authority-Certification Authority-Attribute Authority-Line Servers combination, 2 (which in another embodiment may not be present in the enterprise network environment). Both this and the Entity's API Control & Interface Module 3 interface with the API 4. On the workstation 5 of an Employee of the Entity, there is a sensitive plain test document (digital content) 6 that the employee would like to send to an Outside User 7. Using an installed Client App (which includes a Local Key Store Module—LKSM) 8 the employee (now an “Inviter”) enters a request 9 into the Client App to invite the Outside User (now an “Invitee”) to share a secure communication line between the two of them. The request 9 travels across the network to the Entity's API control and interface module 3. In conformance with the specifications of the API, the API control and interface module 3 transmits an invitation request message 10 to the API. The API transmits a translated message 11 to the Platform 12. The functions and services of the Platform 13 prepare an invitation response message 14 that is returned to the API 4. In accordance with a specification, the API converts the response to a message 15 understandable by the API control and interface module 3. The API control and interface module transmits the message 15 across the network to the Client App 8 on the Inviter workstation 5. The Client App prepares a message that the Inviter can send in an email 16 which arrives at the Invitee 17. The Invitee may click on a link in the email (or visits a designated website and enter a unique invitation code which is provided in the email) to download 18 the client app. The client app is downloaded 19 and installed 20. With the basic install completed, the client is registered 21 with the Platform. From the Platform the Invitee is asked a secret question (supplied by the Inviter in the original invitation request) to which the Invitee is expected to know the answer and upon supplying that answer, the installation of the LKSM is authenticated 22 with the Platform and the system. The Client App requests permission 23 to make certain cryptographic keys (including a Digital Identity Token—DIT). This is done upon approval 24 from the Platform with the Invitee's public keys then being sent 25 to the Platform. The Inviter's public key is received from the Platform 26 (which had received it upon the initial installation of the Inviter's Client App). The functions and services of the Platform 27 process and store this data and prepare a message 28 that is returned to the API 4. In accordance with a specification, the API converts this message to a message 29 understandable by the API control and interface module 3 and the Client App 8. The API control and interface module transmits the message 29 across the network to the Client App 8 on the Inviter workstation 5. The Client App 8 updates its LKSM with the invitation authentication and stores the Invitee's public key.

Claims

1. A method in a server or servers, or other computing device or devices each including a processor and memory, which provides an integration of security and/or cryptographic functions which may include one or more applications such as: public key infrastructure, privilege management infrastructure, certification authority, registration authority, attribute authority, hardware security module, and/or other hardware systems and/or software systems and including a method that communicates with one or more of these applications, which together may be described as a platform service and be capable of supporting a variety of security-related functions; such as to enable the extension of security credentials for entities such as enterprise businesses, government, small business, individuals, systems integrators, independent software vendors and others, in order to effectuate more secure communication between one such entity, which may be referred to as a user, and one or more such remote third party entity, which also may be referred to as a user, with an example of such being from an enterprise entity to a third party customer entity of that said enterprise entity which will likely exist beyond that said enterprise entity's network firewall;such that to access, utilize and/or benefit from the security and/or authentication capabilities of said applications and/or said platform service, such a said entity need not have specific knowledge and/or expertise regarding typical technical requirements, operation and/or capabilities of how said cryptography and/or security systems function, operate and/or perform and/or accomplish their functions in order for said entity to achieve the security needs, features and/or functions provided by said platform service;such that an entity might access, utilize and/or benefit from the capabilities of said platform service through the use of an application programming interface which could access and/or utilize designated capabilities of said platform service to said entity in a fashion that could require substantially less technical knowledge of security and/or cryptography systems of the part of said entity than might otherwise be required in order for said entity to achieve its desired security-related controls and/or results;such that such platform service may integrate with existing security and/or cryptographic applications pre-existing with an entity and therefor not require such pre-existing application as a component of said platform service.

2. A method of claim 1 where a platform service may be located in a server or servers in a cloud computing environment or in a server or servers, or other computing device or devices within an enterprise or other entity's network or in a server or servers, or other computing device or devices located elsewhere, and in any of such cases the platform service would be accessible by said application programming interface; such that a platform service in one embodiment may support the needs of a single such enterprise entity or in another embodiment being located in a cloud computing environment where it may support the needs of one or many related and/or unrelated entities as well as other embodiments where it may support entities in other configurations.

3. A method of claim 1 where such an application programming interface may run on a server or servers, or other computing device or devices each including a processor and memory such as located within an enterprise entity's network such that said enterprise entity could use said application programming interface to access said platform service in order authenticate one or more employee entity, or other individual entity or other entity, which could be referred to as an originating entity or a remote entity;such as within any other entity's computer or network environment such that said entity could use said application programming interface to access said platform service in order to authenticate one or more other type of entity, such as an employee, customer, or other entity, which could be referred to as an originating entity, a remote entity or a user;such that the process of authentication of any such originating entity, remote entity or user would include said originating entity, remote entity or user installing an application compatible with such application programming interface on one or more computing devices to be used by said originating entity, remote entity or user.

4. A method of claim 1 in a server or servers, or other computing device or devices of such entity, such method being compatible with the methods of said application programming interface so that such application programming interface compatible application or method is able to communicate via said application programming interface with said platform service in order to access, utilize and/or benefit from the capabilities of said platform service; such that any such entity may become an originating entity by using said application programming interface compatible method to invite one or more remote entities to establish and authenticate a secure communications line with said originating entity by using one or more of the steps of an inviter-invitee protocol;such that the setup of authorized communication lines may involve delegation of authorizations, e.g., as incorporated into said inviter-invitee process;such that real-time credential management may involve key establishment key pairs and/or encryption-decryption key pairs and/or with digital signature verification and digital signature generation key pairs;such that said key establishment key pairs and/or encryption and decryption key pairs may be used, in turn, to deliver access to derived, transported and/or agreed-upon symmetric encryption/decryption keys so that plaintext content, for example digital content or files, and/or communications, such as messages, may preferably securely be made available to intended recipients, such as originating or remote entities, whether internal or external to any entity's network.

5. A method of claim 1 in a server or other computing device including a processor and memory, which together could compose an originating entity for a secure communication, that accesses an application programming interface which could be on the same computing device or on a separate, connected computing device including a processor and memory; in order to deliver pre-defined and formatted requests to that computing device on which the application programming interface runs;which requests may be subsequently processed and translated by the application programming interface into instructions which in turn may be transmitted to a designated and known remote server which may be located in a cloud computing or enterprise or other environment upon which a platform service runs;where functions of said platform service are to contribute to the delivery of defined security, authentication, cryptographic, and other security-related capabilities;such that those translated requests from said application programming interface to said platform service are in a defined format that said platform service can understand and can act upon;whereupon pre-determined, desired actions may be implemented via one or more transferred instruction by the platform service to occur and/or make changes on separate, known computing devices each with one or more processors and memory which would be operating as a remote entity;such actions may be communicated from the platform service to the application programming interface and thereafter to a computing device of an originating entity or remote entity with a client software application which can connect to the application programming interface;or alternatively to a separate computing device connected to said platform service.

6. The method of claim 1, wherein data generated by said platform service resulting from requests made via said application programming interface to said platform service or to said platform service from a separate computing device application used by such remote entity may be responded to by said platform service to said application programming interface or to such separate computing device which responses may include instructions, steps and/or methods that; enable entities to authenticate themselves remotely to another such entity using an inviter-invitee protocol;enable an exchange of authenticated public encryption keys between such entities;thereby provide the capabilities that enable such entities to exchange encrypted documents between themselves and/or other such authenticated entities using third-party means.

7. A method of claim 1 composed of a system of communication comprising: a client software application, a user facing domain, a key escrow domain, and an inviter-invitee protocol wherein the user facing domain securely relates to multiple parties via the client application and the key escrow domain authenticates secure lines of communication amongst the parties; said client application in claim 1 consisting of but not limited to a local key store module and a digital identity token;said user facing domain in claim 1 consisting of but not limited to a login interface on a server, hardware security module and lightweight directory access protocol application on a server;said key escrow domain consisting of consisting a registration authority,certificate authority, attribute authority, each being installed on a server and hardware security module;said inviter-invitee protocol consisting of multiple steps but not limited to sending an invitation, receiving the invitation, downloading the client app, installation and registration, authentication, and single or multiple key requests, creation, and exchanges;said invitation consisting of, but not limited to, a client application with digital identity token, e-mail address, designated attributes, authentication question, answer to authentication question, and a cryptographic digital signature.

8. A method of secure communication based on the system of communication in claim 1 wherein a persistent, yet revocable, a secure line of communication is established and authenticated; said method in claim 4 and claim 6 wherein the secure line of communication is established by the said invitation protocol in claim 7.

9. A method of claim 4 and claim 7 whereby a user on an electronic device has the ability to install an application that: creates a set of public and private encryption keys for: encrypting and decrypting documents, digital signing and other purposes;allows a first user to invite a second user using a second electronic device to share a communication line with the first user on the first user's electronic device;provides a method whereby the second user may respond to the invitation of the first user and install a comparable application on the second user's electronic device and thereafter have a comparable set of public and private encryption keys on that electronic device;provides an invitation method that will include authentication steps that the second user must comply with in a specified method on his electronic device so that the identify of the second user, together with the associated installation of the application on his specific electronic device together with that specific electronic device are all linked together in such a manner that the first user can be assured by the server of the trusted third party or through the use of such application programming interface and such a platform service, that provided and monitored the installation and authentication of the client software application on the physical electronic device controlled by the second user confirms this described association through this method;such that the public encryption key of each user is made available to the other user's application in a manner in which the authenticity of the keys is assured by the server of the trusted third party or through the use of such application programming interface and such a platform service, that provided the client software application to each party, actions which also may be completed through the use of such an application programming interface and such a platform service;such that by relying on the representation and authentication provided through the server of the trusted third party or through the use of such application programming interface and such a platform service, that the parties can thereafter use encryption capabilities of the client software application client software application to first encrypt a digital asset on one electronic device with a symmetric encryption key followed by the encryption of that symmetric encryption key using the public encryption key known to be that of the other user, followed by having the ability to transfer, in any manner selected by the originating entity, both the encrypted digital asset together with the symmetric encryption key which has been encrypted using the public encryption of the second usersuch that the second user, upon receipt of these two will be able to use his private key to decrypt the symmetric key and thereafter decrypt the encrypted digital asset.the applicable steps may be completed through the use of such an application programming interface and such a platform service or directly with a server with an accompanying security ecosystem.