Title: System and method to enable PKI- and PMI- based distributed locking of content and distributed unlocking of protected content and/or scoring of users and/or scoring of end-entity access means—added
Abstract: A central server configured with an Attribute Authority (“AA”) acting as a Trusted Third Party mediating service provider and using X.509-compatible PKI and PMI, VPN technology, device-side thin client applications, security hardware (HSM, Network), cloud hosting, authentication, Active Directory and other solutions. This ecosystem results in real-time management of credentials, identity profiles, communication lines, and keys. It is not centrally managed; rather, it distributes rights to users. Using its Inviter-Invitee protocol suite, Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. Users establish and respond to authorization requests and other real-time verifications pertaining to accessing each communication line (not end point) and sharing encrypted digital files. These are auditable, brokered, trusted relationships, where each relationship or digital agreement can stand alone (for privacy) or can leverage the build-up of identity confidence levels across relationships. The service is agnostic to how encrypted user content is transported or stored.
Publication number: US9455978(B2) Publication date: 2016.09.27
Application number: US201615002225 Filing date: 2016.01.20
Applicant: T-Central, Inc. Inventors: Kravitz David W.; Graham, III Donald Houston; Boudett Josselyn L.; Dietz Russell S.
Classification (IPC): H04L9/32; H04L29/06; H04L9/08 Main classification: H04L9/32
Agency: Schwabe, Williamson & Wyatt P.C. Attorney: Schwabe, Williamson & Wyatt P.C.
Independent claim: 1. A method of secure communication, comprising:
downloading, using a trusted third party server, a first app for execution on a first electronic device, the first app creating a first set of encryption keys including a first public encryption key and a first private encryption key on the first electronic device;
generating, using the trusted third party server, an invitation to establish a secure communications line between the first electronic device and a second electronic device based on receiving an invitation request for the invitation from a first user of the first electronic device, the invitation request including identification and authentication information to identify and authenticate a second user of the second electronic device together with requested terms of digital agreement covering the secure communications line;
transmitting, by the trusted third party server, the invitation to the first electronic device;
transmitting, by the trusted third party server, a second app for execution on the second electronic device upon request by the second electronic device, the second app creating a second set of encryption keys including a second public encryption key and a second private encryption key on the second electronic device; and
authenticating, at the trusted third party server, the second user of the second electronic device based at least in part on an acceptable response to the identification and authentication information provided to the trusted third party server by the first user in the invitation request and based at least in part on acknowledgement of an installation of the second app on the second electronic device and acceptance of the requested terms in the digital agreement covering the secure communications line;
wherein the trusted third party server makes available the first public encryption key of the first user to the second app and the second public encryption key of the second user to the first app to authenticate the first public encryption key and second public encryption key;
wherein the first app generates an encrypted digital asset by encrypting a digital asset on the first electronic device using a symmetric encryption key;
wherein the first app generates an encrypted symmetric encryption key by encrypting the symmetric encryption key using the second public encryption key of the second user;
wherein the first electronic device transfers the encrypted digital asset and the encrypted symmetric encryption key to the second electronic device, such that the second user is able to decrypt the encrypted symmetric encryption key using the second private encryption key and decrypt the encrypted digital asset using the then decrypted symmetric encryption key to thereby establish the secure communications line; and
wherein the invitation includes a client app with a digital identity token, e-mail address, designated attributes, authentication question, answer to authentication question, or a cryptographic digital signature.
Address: Palo Alto, CA, US
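The "wherein" steps of claim 1 describe a standard hybrid (envelope) encryption exchange: the first app encrypts the digital asset under a fresh symmetric key, wraps that key under the second user's public key, and the second app unwraps it with its private key. The following Go program is an added illustration of those steps and is not code from the patent or from T-Central; it assumes RSA-OAEP for key wrapping and AES-256-GCM for the asset (the claim names neither algorithm), and it leaves out the trusted-third-party distribution of the public keys, which in the claim is what makes the recipient's public key trustworthy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what the first device transfers to the second device:
// the asset under a fresh symmetric key, plus that key wrapped under
// the second user's public key (the public key the TTP made available).
type Envelope struct {
	EncryptedAsset []byte // AES-256-GCM output with the nonce prepended
	WrappedKey     []byte // RSA-OAEP(SHA-256) wrapping of the symmetric key
}

// SealAsset performs the first app's steps: random symmetric key, AES-GCM
// over the asset, then wrap the key under the recipient's public key.
func SealAsset(asset []byte, recipientPub *rsa.PublicKey) (Envelope, error) {
	key := make([]byte, 32) // per-asset symmetric key (assumed 256-bit)
	if _, err := rand.Read(key); err != nil { return Envelope{}, err }
	block, err := aes.NewCipher(key)
	if err != nil { return Envelope{}, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	ct := gcm.Seal(nonce, nonce, asset, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil { return Envelope{}, err }
	return Envelope{EncryptedAsset: ct, WrappedKey: wrapped}, nil
}

// OpenAsset performs the second app's steps: unwrap the symmetric key with the
// second private key, then decrypt the asset; GCM rejects any tampering.
func OpenAsset(env Envelope, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(env.EncryptedAsset) < ns { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, env.EncryptedAsset[:ns], env.EncryptedAsset[ns:], nil)
}
```

Because the symmetric key is wrapped under the recipient's public key only, a party holding a different private key cannot unwrap it, and any modification of the ciphertext in transit fails GCM tag verification.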