Patent Issued for Digital credentials for access to sensitive data (USPTO 11698979): Workday Inc.
2023 JUL 31 (NewsRx) -- By a
Patent number 11698979 is assigned to
The following quote was obtained by the news editors from the background information supplied by the inventors: “A database system distributes cryptographic digital credentials to a user to allow the user to prove qualifications (e.g., a degree, employment experience, health insurance coverage, etc.). Credentials can be assigned to a user by a trusted third party client of the database system (e.g., a university, an insurer). Digital credentials can be stored on a user authentication device (e.g., a mobile device belonging to the user) that is accessed by the database system when a credential is required. The user authentication device can additionally be used for authenticating secure user actions taken on the database system, for example confirming a user access. However, confirming a secure action with an external device requires a secure confirmation of the external device identity.”
In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
“A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
“The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be useable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user’s access ability to something. The application queries the system regarding a proof of identity and the user provides the proof using a credential to the system that is ultimately passed to the application to prove identity of the user. The system allows an application developer to pick attributes that an application challenges for and the sources that will satisfy any given challenge. The proof of identity is embodied in a digital credential that is able to be secured using a combination of cryptography and a distributed ledger (e.g., a decentralized ledger, a permissioned ledger, a public ledger, etc.) to assure legitimacy of the proof of identity.
“A system for digital credentialing receives the digital credential from a credential issuing system. The system for digital credentialing stores user information for the user. The system for digital credentialing further determines a set of credentials available to the user based on the user information as well as stores a record of previously issued credentials. The credentials comprise categories satisfied by the user information at differing levels of specificity (e.g., greater than an amount, in a range of amounts, less than an amount, etc.). For example, in the case where the user comprises an employee earning
“In various embodiments, a credential comprises data that is validated or verified to be authentic, for example, data verifying academic diplomas, academic degrees, certifications, security clearances, identification documents, badges, passwords, user names, keys, powers of attorney, human resource data, personal information, or any other relevant information,”
The claims supplied by the inventors are:
“1. A system for providing access, comprising: an interface configured to: receive an application access request from an application for authorization to access, wherein access to the application is requested by a user having a user authentication device; receive a sensitive data access request from the application for authorization to access a document that includes sensitive data, wherein the sensitive data request includes a blinding secret and a document encryption key encrypted with a public key associated with an identity private key stored on the user authentication device, and wherein the access to the document is requested by the user; and a processor configured to: determine to authorize the user access to the application in response to the application access request, wherein determining to authorize the user access to the application includes linking the user authentication device with the user and validating the public key matches information stored on a distributed ledger; in response to the sensitive data access request: determine the user authentication device and a set of credentials satisfactory to authenticate the user to access the application; provide a primary request for authorization to access sensitive data to the user authentication device; receive a primary response from the authentication device; in response to a determination that the primary response comprises a credential of the set of credentials, provide a secondary request for authorization to access sensitive data to the user authentication device, wherein the secondary request comprises the blinding secret and the encrypted document encryption key, wherein the user authentication device: decrypts the encrypted document encryption key to generate a document encryption key; and blinds the document encryption key using the blinding secret to generate a blinded document encryption key; receive a secondary response from the user authentication device in response to the secondary request, wherein the secondary response comprises the blinded document encryption key; validate the secondary response; and in response to determining that the secondary response is valid, provide the secondary response to an application server associated with the application, wherein the application server encrypts the document with the document encryption key and provides the encrypted document to the user authentication device enabling the user authentication device to decrypt the encrypted document and provide the user access to the sensitive data.
“2. The system of claim 1, wherein the sensitive data access request comprises a user identifier.
“3. The system of claim 2, wherein the sensitive data access request additionally comprises a file name.
“4. The system of claim 2, wherein the document is encrypted using the document encryption key, wherein the document is encrypted for secure transmission in response to a user application request for the document.
“5. The system of claim 2, wherein determining the user authentication device comprises determining the user authentication device linked with the user.
“6. The system of claim 5, wherein determining the user authentication device linked with the user comprises looking up a link as stored in a user authentication device database that associates the user authentication device with the user identifier.
“7. The system of claim 1, wherein the sensitive data access request from the application for the authorization to access sensitive data is transmitted using a secure REST call.
“8. The system of claim 1, wherein the secondary request additionally comprises a user identifier.
“9. The system of claim 1, wherein the secondary request additionally comprises a file name.
“10. The system of claim 1, wherein the secondary request is encrypted using the public key.
“11. The system of claim 1, wherein the user authentication device provides the secondary response after confirmation from the user.
“12. The system of claim 1, wherein the application server is configured to provide the blinded document encryption key and the encrypted document to a user application.
“13. The system of claim 12, wherein the user application is configured to unblind the blinded document encryption key using the blinding secret to generate the document encryption key and decrypt the encrypted document using the document encryption key.
“14. The system of claim 13, wherein the user application comprises a web browser.
“15. The system of claim 1, wherein the secondary response is received via a secure channel.
“16. A method for credentialing, comprising: receiving an application access request from an application for authorization to access, wherein access to the application is requested by a user having a user authentication device; determining, using a processor, to authorize the user access to the application in response to the application access request, wherein determining to authorize the user access to the application includes linking the user authentication device with the user; receiving a sensitive data access request from the application for authorization to access a document that includes sensitive data, wherein the sensitive data request includes a blinding secret and a document encryption key encrypted with a public key associated with an identity private key stored on the user authentication device, and wherein the access to the document is requested by the user and validating the public key matches information stored on a distributed ledger; in response to the sensitive data access request: determining the user authentication device and a set of credentials satisfactory to authenticate the user to access the application; providing a primary request for authorization to access sensitive data to the user authentication device; receiving a primary response from the authentication device; in response to a determination that the primary response comprises a credential of the set of credentials, providing a secondary request for authorization to access sensitive data to the user authentication device, wherein the secondary request comprises the blinding secret and the encrypted document encryption key, wherein the user authentication device: decrypts the encrypted document encryption key to generate a document encryption key; and blinds the document encryption key using the blinding secret to generate a blinded document encryption key; receiving a secondary response from the user authentication device in response to the secondary request, wherein the secondary response comprises the blinded document encryption key; validating the secondary response; and in response to determining that the secondary response is valid, providing the secondary response to an application server associated with the application, wherein the application server encrypts the document with the document encryption key and provides the encrypted document to the user authentication device enabling the user authentication device to decrypt the encrypted document and provide the user access to the sensitive data.
“17. A computer program product for credentialing, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving an application access request from an application for authorization to access, wherein access to the application is requested by a user having a user authentication device; determining to authorize the user access to the application in response to the application access request, wherein determining to authorize the user access to the application includes linking the user authentication device with the user; receiving a sensitive data access request from the application for authorization to access a document that includes sensitive data, wherein the sensitive data request includes a blinding secret and a document encryption key encrypted with a public key associated with an identity private key stored on the user authentication device, and wherein the access to the document is requested by the user and validating the public key matches information stored on a distributed ledger; in response to the sensitive data access request: determining the user authentication device and a set of credentials satisfactory to authenticate the user to access the application; providing a primary request for authorization to access sensitive data to the user authentication device; receiving a primary response from the authentication device; in response to a determination that the primary response comprises a credential of the set of credentials, providing a secondary request for authorization to access sensitive data to the user authentication device, wherein the secondary request comprises the blinding secret and the encrypted document encryption key, wherein the user authentication device: decrypts the encrypted document encryption key to generate a document encryption key; and blinds the document encryption key using the blinding secret to generate a blinded document encryption key; receiving a secondary response from the user authentication device in response to the secondary request, wherein the secondary response comprises the blinded document encryption key; validating the secondary response; and in response to determining that the secondary response is valid, providing the secondary response to an application server associated with the application, wherein the application server encrypts the document with the document encryption key and provides the encrypted document to the user authentication device enabling the user authentication device to decrypt the encrypted document and provide the user access to the sensitive data.”
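The exchange in claim 1 (and its method and program-product forms in claims 16 and 17) is easier to follow as running code. The following is an added example written for this article; it is not Workday's implementation and the patent names no algorithms, so every primitive here is an assumption: a hashed-ElGamal key wrap over RFC 3526 group 14 for the "document encryption key encrypted with a public key", XOR with a one-time 32-byte secret for the blinding, an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for a real AEAD, a dictionary of public-key fingerprints standing in for the distributed ledger, and an HMAC under a per-device link key (assumed to be shared when the device is linked) as the means by which the system validates the secondary response. The class and function names (AuthDevice, CredentialService, fetch_document) are invented for the example. One caveat a reader should take from the claim text itself: the system receives the blinding secret in the sensitive data request and the blinded key in the secondary response, so blinding as claimed does not hide the document key from the system; what the exchange establishes is that the device holding the ledger-registered identity key was the one that unwrapped the key the application sent.

```python
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 14 (2048-bit MODP, generator 2); the patent names no scheme.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def sha(*parts): return hashlib.sha256(b"".join(parts)).digest()
def i2b(n): return n.to_bytes(256, "big")
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM.
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range(n // 32 + 1))[:n]

def encrypt_doc(dek, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = xor(plaintext, keystream(dek, nonce, len(plaintext)))
    return nonce + ct + hmac.digest(sha(b"mac", dek), nonce + ct, "sha256")

def decrypt_doc(dek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(sha(b"mac", dek), nonce + ct, "sha256")):
        raise ValueError("document tag mismatch")
    return xor(ct, keystream(dek, nonce, len(ct)))

def kem_encrypt(pub, dek):
    """Hashed ElGamal: wrap the 32-byte DEK to the device's identity public key."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), xor(dek, sha(b"kem", i2b(pow(pub, r, P))))

class AuthDevice:
    """User authentication device: holds the identity private key and the credentials."""
    def __init__(self, credentials):
        self.x = secrets.randbelow(P - 2) + 1    # identity private key, never leaves the device
        self.pub = pow(G, self.x, P)
        self.credentials = set(credentials)
        self.link_key = secrets.token_bytes(32)  # assumption: shared with the service at linking

    def primary_response(self, req):
        held = sorted(self.credentials & set(req["acceptable"]))
        return {"credential": held[0] if held else None}

    def secondary_response(self, req):
        # Decrypt the DEK with the identity key and blind it; the clear DEK never leaves here.
        c1, c2 = req["enc_dek"]
        dek = xor(c2, sha(b"kem", i2b(pow(c1, self.x, P))))
        blinded = xor(dek, req["blinding_secret"])
        mac = hmac.digest(self.link_key, req["request_id"] + blinded, "sha256")
        return {"request_id": req["request_id"], "blinded_dek": blinded, "mac": mac}

class CredentialService:
    """The claimed 'system': brokers both requests and relays the validated blinded DEK."""
    def __init__(self, ledger):
        self.ledger = ledger  # user_id -> sha256(identity public key); stands in for the ledger
        self.links = {}       # user_id -> (device, link key) once application access is granted

    def authorize_application_access(self, user_id, device):
        # Claim 1: link the device to the user and check its public key against the ledger.
        if not hmac.compare_digest(self.ledger.get(user_id, b""), sha(i2b(device.pub))):
            return False
        self.links[user_id] = (device, device.link_key)
        return True

    def authorize_sensitive_data(self, user_id, blinding_secret, enc_dek, acceptable):
        device, link_key = self.links[user_id]
        if device.primary_response({"acceptable": acceptable})["credential"] not in acceptable:
            return None                          # primary response carried no acceptable credential
        rid = secrets.token_bytes(16)
        resp = device.secondary_response(
            {"request_id": rid, "blinding_secret": blinding_secret, "enc_dek": enc_dek})
        expected = hmac.digest(link_key, rid + resp["blinded_dek"], "sha256")
        if resp["request_id"] != rid or not hmac.compare_digest(resp["mac"], expected):
            return None                          # secondary response failed validation
        return resp["blinded_dek"]               # forwarded to the application server

def fetch_document(service, user_id, device, document, acceptable=("employment:verified",)):
    """Application server plus user application side of the exchange (claims 1, 12 and 13)."""
    if not service.authorize_application_access(user_id, device):
        raise PermissionError("identity public key does not match the ledger record")
    dek = secrets.token_bytes(32)              # document encryption key, chosen by the app server
    blinding_secret = secrets.token_bytes(32)  # known to the app server and the user application
    blinded = service.authorize_sensitive_data(
        user_id, blinding_secret, kem_encrypt(device.pub, dek), list(acceptable))
    if blinded is None:
        raise PermissionError("credential check or secondary response failed")
    encrypted = encrypt_doc(dek, document)     # application server encrypts with its DEK
    return decrypt_doc(xor(blinded, blinding_secret), encrypted)  # user app unblinds, decrypts
```

Running fetch_document with a device whose fingerprint is on the ledger and which holds an acceptable credential returns the plaintext; a device missing the credential, or one whose public key is not the ledger's record for that user, is refused before any key material is released, and a document whose ciphertext or tag has been altered fails the MAC check in decrypt_doc rather than decrypting to garbage.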
URL and more information on this patent, see: Hamel, Bjorn. Digital credentials for access to sensitive data.