1. Field of the Described Embodiments
The present descriptions generally relate to the field of enabling security based communication lines established between users when using X.509-compatible PKI and PMI and related tools (see FIG. 1 “High-Level Depiction of Component- and Functional-Relationships in Combined Service Provider Model”). Rather than a centrally managed system of identity and relationship recognition and authorization, these functions are transferred to users through an Inviter-Invitee protocol suite, through which Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. The Security Ecosystem includes an Attribute Authority which acts as a Trusted Third Party mediating service provider for users that can: securely set up identities, uniquely associate keys to identities and their invitees, thereby securing each communication line. The system delegates authorizations to inviters and invitees for each communication line, and then proceeds to enable live and/or asynchronous uploads. It delegates authorization requests and real-time verifications to the users of the system, so they can create private communication lines for the sharing of digital files. The service is agnostic to the platform and or service that each user uses to transport or store their encrypted content.
2. Description of the Related Art
In establishing and achieving secure communications between individuals and other individuals and/or businesses and/or with other businesses, authentication of identities of the other parties has been a challenge. It can be a challenge for one party to be certain of the identity of another party as well as to determine if some unknown party is impersonating the intended party.
In the field of secure communications using public key cryptography, authenticating the pubic key of a remote party has been a challenge. A third party has been known to impersonate the intended party and provide a public key purported to be from the desired remote party, but it is not, thus security can be compromised.
Cryptographic systems such as PGP have attempted to mitigate such challenges by instituting “key signing parties” and creating a “web of trust”. While helpful, such tools are cumbersome and less than absolute. Cryptographic systems such as PGP tend to become tools generally of the technically proficient who are willing to take the extra steps to overcome such limitations.
In the current environment of Internet security, it is considered by many security experts that to keep one's data secure one should encrypt it prior to transmitting it over the Internet (“secure in transit”) as well as securing it when it is not being accessed (“secure at rest”).
Cryptography is the desired tool to protect digital assets from access by others. While properly encrypted digital assets can be secure, managing, transmitting, protecting the keys that allow access to such assets should be done securely and properly or the keys can come into control of others thereby compromising the encrypted asset.
Symmetric key cryptography presents challenges not only in protecting the key in its owner's possession, but more critically in transmitting the key securely to a third party to whom the owner of the asset would like to provide access to the asset. This is can be difficult to accomplish.
Public key cryptography can be used to address this problem. The digital asset can be encrypted with a symmetric encryption key followed by the symmetric key being encrypted using the public key of an intended third party to whom the owner would like to give access to the asset. Cryptographically, and for security purposes, this procedure works well. A shortcoming is related to the previously described challenges associated with public key cryptography.
Businesses typically use centrally managed systems where users, their identities, and their relationships with other users are created and controlled. Particularly, with cryptographic capabilities involved, they aren't generally used or deployed unless there is a sophisticated Information Technology department supporting them. As a result the addition of new users, the establishment of user relationships, and the efficient flow of data between users are slowed by such a centrally managed bottleneck.
Additionally, it is difficult for businesses to efficiently manage (with good security of data and keys) the encryption of digital assets so that they are protected both in transit and at rest. This is particularly the case when a business needs to transmit a digital asset to a third party that is not within the business's secure network. Such limitations result in a business' difficulty or inability to securely transmit a digital asset to such a third party. For example, email is widely considered insecure for such uses. Due to such limitations, postal mail and express shipments (e.g. Federal Express) continue to be common with businesses in today's high tech age. Such mail/shipping options are both expensive and inconvenient for a business to provide.
The result of these limitations is that many businesses require their off-network third parties to login to a secure website and from there, then can access and download desired digital assets that are stored behind the business' firewall. Such a method is common today. It is efficient, convenient, relatively inexpensive and secure for the business. Examples of this are financial services business' customers login into secure websites to manually download bank statements, credit card statements, security trading statements, and all manner of other digital assets. Numerous other industries provide similar services (e.g., an insurance firm requiring policy holders to login to retrieve premium notices, copies of policies, notices, etc.; a healthcare provider may require patients to login to retrieve notifications from doctors, prescriptions and various other records). Such practices are not favorable for the third party users (e.g., customers). Customers should maintain multiple unique, secure logins for each such business visited and they generally take the time and trouble to manually retrieve, download and save such digital assets. It is noteworthy that once downloaded from such a business' secure website and saved to the third party user's computer, the digital assets are no longer secure. They are typically save in plain text and thus are not secure at rest.
In view of the above, it is desired to provide methods and apparatus for individuals and other individuals and/or businesses and/or with other businesses to mutually authenticate each other and establish secure communication lines between them by using a reliable system operated by a Trusted Third Party mediating service provider. And further that the users of such authenticated, secure communications lines can then utilize digital signed requests at the level of each communication line in order to maintain the security of their digital assets while in transit and/or at rest.