

Title:
SYSTEM AND METHOD FOR COLLECTIVE TRUST IDENTITY AND AUTHENTICATION
Document Type and Number:
WIPO Patent Application WO/2022/229971
Kind Code:
A1
Abstract:
The present invention relates to Information technology and more particularly the present invention provides a system and method for collective trust identity and authentication for the entities communicating over an electronic communication network.

Inventors:
PRADHAN ANIL KUMAR (IN)
DESHPANDE SANJAY (IN)
Application Number:
PCT/IN2022/050278
Publication Date:
November 03, 2022
Filing Date:
March 22, 2022
Assignee:
FORTYTWO42 LABS LLP (IN)
PRADHAN ANIL KUMAR (IN)
International Classes:
H04L9/28; H04L9/32
Foreign References:
CN102427449A 2012-04-25
GB2402853A 2004-12-15
Other References:
UR REHMAN HABIB, MOHAMMED NAZIR DR, MUSTAFA PROF KHURRAM: "Comfort Level Security – A Multi-Factor Authentication Framework", INTERNATIONAL JOURNAL OF APPLIED ENGINEERING RESEARCH ISSN NUMBER, RESEARCH INDIA PUBLICATIONS, 1 January 2018 (2018-01-01), pages 13166 - 13177, XP093002385, [retrieved on 20221128]
Attorney, Agent or Firm:
WANGE, Prafulla (IN)
Claims:
WE CLAIM:

1. A method for collective trust identity and authentication, the method comprising steps of: configuring a first computing device with an encryption module representing a first entity, Entity-1; configuring a second computing device with an encryption module representing a second entity, Entity-2; configuring a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process; performing entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server; executing activation of the first computing device, Entity-1 and second computing device, Entity-2; generating first Collective ID for the Entity-1 and Entity-2; generating New Collective ID for the Entity-1 and Entity-2; authenticating each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them; creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server; generating by the server a Transaction-ID; executing operations for signing; executing the signing; and performing at the Entity-1 verification by polling on TID.

2. The method claimed in claim 1 wherein performing entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server comprise steps of generating digital identity I1 for the entity-1 through entity 1 and platform authentication; generating digital identity I2 for the entity-2 through entity 2 and platform authentication; generating digital identity Ip for the server as a platform.

3. The method claimed in claim 1 wherein executing activation of the first computing device, Entity-1 and second computing device, Entity-2 comprise steps of generating at the entity 1 a random number R1 <- Random(); applying at the entity 1 a cryptographic one-way function F( ) to the random number R1 generated at entity 1 to generate at the entity 1 a Random QR Code, F(R1) <- Random_QR_Code(); generating at the entity 2 a random number R2 <- Random(); applying at the entity 2 a cryptographic one-way function F( ) to the random number R2 generated at entity 2 to generate at the entity 2 a Random QR Code, F(R2) <- Random_QR_Code().

4. The method claimed in claim 1 wherein generating first Collective ID for the Entity- 1 and Entity-2 comprise steps of:

Entity 1 and Entity 2 manually scanning or inputting the QR code from each other; generating at the entity 1 a collective ID I12 by applying a hash function to the Random QR Code, F(R1) of entity 1 and Random QR Code, F(R2) of entity 2, I12 <- HASH(F(R1 * R2)); generating at the entity 2 a collective ID I12 by applying a hash function to the Random QR Code, F(R2) of entity 2 and Random QR Code, F(R1) of entity 1, I12 <- HASH(F(R1 * R2)).

5. The method claimed in claim 1 wherein generating New Collective ID for the Entity-1 and Entity-2 comprise steps of: generating at the entity 1 a Public key u1 as a hash function of function of digital identity I1, u1 <— HASH[F(I1)]; generating at the entity 2 a Public key u2 as a hash function of function of digital identity I2, u2 <— HASH[F(I2)]; generating by a Trusted Third Party i.e. a server supporting the authenticating process, a master private key MPriv and a master public key MPub = GenMPub(MPriv) corresponding to the identities of the users i.e. entity 1 and entity 2; obtaining from the Trusted Third Party i.e. a server, a master private key to generate Entity-1 private key U1private as a function of a master private key and Entity-1 Public key u1 and generating Entity-1 private key as U1private <— GenPriv(MPriv, u1); obtaining from the Trusted Third Party i.e. a server, a master private key to generate Entity-2 private key U2private as a function of a master private key and Entity-2 Public key u2 and generating Entity-2 private key as U2private <— GenPriv(MPriv, u2); communicating to the Entity-2 through the communication encrypted by I1 through the Trusted Third Party i.e. a server, the generated Entity-1 private key U1private by the Entity-1; communicating to the Entity-1 through the communication encrypted by I2 through the Trusted Third Party i.e. a server, the generated Entity-2 private key U2private by the Entity-2; generating at the entity 1 a random number r1 <- random() and at the entity 2 a random number r2 <- random(); generating at the entity-1 a exchange key X as a function of r1, MPub and u2 as X <— GenEx(r1, MPub, u2); generating encrypted exchange key X’ as a function of exchange key X and encryption key I12, generating at the entity-2 a exchange key Y as a function of r2, MPub and u1 as Y <— GenEx(r2, MPub, u1); generating encrypted exchange key Y’ as a function of exchange key Y and encryption key I12, communicating through the Trusted Third Party i.e. a server, by the Entity-1 to the Entity-2 the encrypted exchange key X’ encrypted with existing Collective Identity; communicating through the Trusted Third Party i.e. a server, by the Entity-2 to the Entity-1 the encrypted exchange key Y’ encrypted with existing Collective Identity; decrypting at the Entity-1 the received encrypted exchange key Y’ through decryption function of Y’ and Key I12 as Y <— Decrypt(Y', Key = I12); generating at the Entity-1 a New Collective-ID I12 as a generating Collective-ID function of U2private, r1, Y as New Collective-ID I12 = GenCID(U2private, r1, Y); decrypting at the Entity-2 the received encrypted exchange key X’ through decryption function of X’ and Key I12 as X <— Decrypt(X', Key = I12); generating at the Entity-2 a New Collective-ID I12 as a generating Collective-ID function of U1private, r2, X as New Collective-ID I12 = GenCID(U1private, r2, X).

6. The method as claimed in claim 1 wherein authenticating each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them includes authenticating by server platform and at least two entities, each other’s identity as entity 1 digital identity as I1, entity 2 digital identity as I2, server digital identity as Ip and generating by the entities and server platform a shared secret key for secure communication between them.

7. The method as claimed in claim 1 wherein creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server comprise steps of creating as a requester or verifier by a first entity, Entity-1, a transaction note Trans_Note; generating a transaction note Id TH as a hash function of Trans_Note as TH <— H(Trans_Note); sending a request for generation of a Transaction-ID for the transaction note Id TH to the server.

8. The method as claimed in claim 1 wherein generating by the server a Transaction-ID comprise steps of generating by the server, Transaction-ID TID as a function of transaction note Id TH and Timestamp t as TID <— [TH||t]; forwarding by the server the Transaction-ID TID to the first entity, entity-1.

9. The method as claimed in claim 1 wherein executing operations for signing comprise steps of generating at the entity 1 dynamic private identity EPriv by applying cryptographic randomization function DPriv( ) to the digital identity I1 of the entity 1 as EPriv <— DPriv(I1); generating at the entity 1 dynamic public identity EPub by applying cryptographic one-way function DPub( ) to the dynamic private identity EPriv of the entity 1 as EPub <— DPub(EPriv); sending the parameters TID and EPub to the server; generating by the server a Dynamic Private ID IPriv by applying cryptographic randomization function DPriv( ) to the Private Key i.e. digital identity Ip of the server as IPriv <— DPriv(Ip); generating by the server a Dynamic Public ID IPub by applying cryptographic one-way function DPub( ) to the parameters TID, EPub received from the entity-1 and Dynamic Private ID IPriv as IPub <— DPub(TID, EPub, IPriv); receiving at the second computing device, Entity-2, through a application configured at Entity-2 a request for transaction signing and calling through the application the Trusted Third party, the server for receiving session parameters of TID and Poll on TID; sending by the server to the Entity-2 the parameters TID and IPub; obtaining TH’ by applying One-way HASH function H( ) to the Trans_Note as TH’ = H(Trans_Note), extracting TH from TID, and proceeding further if (TH == TH’) else aborting the process; generating by the Entity-2, a Dynamic Private Identity UPriv as operations for signing by applying cryptographic randomization function DPriv( ) to the digital identity I2 of the Entity-2 as UPriv <— DPriv(I2); generating by the Entity 2 a Dynamic Public Identity UPub by applying cryptographic one-way function DPub( ) to the Dynamic Private Identity UPriv generated at Entity 2 as UPub <— DPub(UPriv); and extracting at the Entity 2 the collective Identity I12.

10. The method as claimed in claim 1 wherein executing the signing comprise steps of generating by the Entity 2 a Signing Key sk by applying function for generating signing/verifying key to the parameters EPub, UPriv, I12 as sk <— GenSK(EPub, UPriv, I12); generating by the entity 2 a signature on TID ‘sig’ by applying encryption function to parameters TID and signing key sk as sig <— Encrypt(TID, sk); sending by the entity 2 to the server the parameters TID, sig, and UPub; generating by the server a UPub by applying cryptographic one-way function DPub( ) to the parameters UPub, TID received from entity 2 and Dynamic Private Identity IPriv as UPub <— DPub(UPub, TID, IPriv); and sending by the server to the entity 1 the parameters TID, sig, and UPub.

11. The method as claimed in claim 1 wherein performing at the Entity-1 verification by polling on TID comprise steps of extracting the collective identity I12; generating by the entity 1 the Verification key vk by applying function for generating signing/verifying key to the parameters UPub, EPriv, I12 as vk <— GenSK(UPub, EPriv, I12); and verifying by the entity 1 the TID and TID’ by generating TID’ by applying decryption function to parameters sig and vk as [TID'] <— Decrypt(sig, vk) and matching the TID and TID’ as TID == TID'.

12. A system for collective trust identity and authentication, the system comprises: a first computing device, the first computing device Entity-1, a second computing device, the second computing device Entity-2 and a third computing device, the third computing device server specifically a platform for the authentication procedures acting as arbitrator communicatively connected together through a communication network server, wherein the system is configured to configure a first computing device with an encryption module representing a first entity, Entity-1; configure a second computing device with an encryption module representing a second entity, Entity-2; configure a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process; perform entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server; execute activation of the first computing device, Entity-1 and second computing device, Entity-2; generate first Collective ID for the Entity-1 and Entity-2; generate New Collective ID for the Entity-1 and Entity-2; authenticate each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them; create by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server; generate by the server a Transaction-ID; execute operations for signing; execute the signing; and perform at the Entity-1 verification by polling on TID.

13. The system as claimed in claim 12 wherein the first, the second and third computing devices, each respectively comprises a processing unit coupled with an input unit, an output unit and a memory unit through a plurality of interfacing circuits wherein the processing unit includes a plurality of integrated circuits, or chips, that are designed to work in accordance with a set of instructions configured within an internal memory.

14. The system as claimed in claim 12 wherein the network server and each of the plurality of computing devices in the network comprise hardware configuration of processing unit interfaced with input unit, output unit and memory unit wherein the processing unit includes a plurality of integrated circuits, or chips, that are designed to work in accordance with a set of instructions configured within an internal memory; the memory unit in the network server is configured with an application module that supports real-time communication and control of resources in the communication network.

15. The system as claimed in claim 12 wherein the first, the second and third computing devices are configured with an application module that provides a secure communication between the computing devices over the communication network wherein the secure communication between the entities is established based on collective trust identity authentication between the first and second computing devices or the parties involved in the communication process.

16. The system as claimed in claim 12 wherein the first computing device is configured with an encryption module having a digital identity I1 representing a first entity Entity-1; the second computing device is also configured with an encryption module having a digital identity I2 representing a second entity Entity-2; the server acting as arbitrator in the collective trust identity authentication process is provided with a digital identity Ip.
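The binding between a transaction note and its Transaction-ID recited in claims 7 to 9 (TH <— H(Trans_Note), TID <— [TH||t], and the signer's TH == TH’ check) can be illustrated as follows. This is an added Python example, not code from the application; SHA-256 for H( ), the 8-byte big-endian timestamp encoding, the freshness window and all function names are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Assumptions (not from the application): H() is SHA-256 and the timestamp t
# is encoded as an unsigned 64-bit big-endian count of Unix seconds.
TH_LEN = hashlib.sha256().digest_size
T_LEN = 8


class TidError(Exception):
    """Raised when a TID is malformed, mismatched or stale."""


def note_hash(trans_note: bytes) -> bytes:
    """Claim 7: TH <- H(Trans_Note)."""
    return hashlib.sha256(trans_note).digest()


def issue_tid(th: bytes, t: int) -> bytes:
    """Claim 8 (server side): TID <- [TH || t]."""
    if len(th) != TH_LEN:
        raise TidError("TH has the wrong length")
    return th + struct.pack(">Q", t)


def split_tid(tid: bytes) -> Tuple[bytes, int]:
    """Fixed-width split, so the TH/t boundary is never ambiguous."""
    if len(tid) != TH_LEN + T_LEN:
        raise TidError("malformed TID")
    return tid[:TH_LEN], struct.unpack(">Q", tid[TH_LEN:])[0]


def check_before_signing(tid: bytes, trans_note: bytes, now: int,
                         max_age: Optional[int] = 300) -> int:
    """Claim 9 (Entity-2): recompute TH', extract TH from TID, abort unless equal.

    The max_age window on t is an added check that the claims do not recite;
    pass max_age=None to disable it.
    """
    th, t = split_tid(tid)
    # Constant-time comparison of TH and TH'.
    if not hmac.compare_digest(th, note_hash(trans_note)):
        raise TidError("TH != TH': note differs from the one the TID was issued for")
    if max_age is not None and not (0 <= now - t <= max_age):
        raise TidError("TID timestamp outside the accepted window")
    return t


def demo() -> dict:
    """Run the check over constructed inputs and report each outcome."""
    note = b"constructed sample: transfer 100 units from A to B"
    t0 = 1_700_000_000
    tid = issue_tid(note_hash(note), t0)
    cases = {
        "same note": (tid, note, t0 + 60),
        "altered note": (tid, note.replace(b"100", b"900"), t0 + 60),
        "stale TID": (tid, note, t0 + 3600),
        "truncated TID": (tid[:-1], note, t0 + 60),
    }
    results = {}
    for label, (case_tid, case_note, now) in cases.items():
        try:
            check_before_signing(case_tid, case_note, now)
            results[label] = "signing proceeds"
        except TidError as exc:
            results[label] = f"aborted: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```
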

Description:
SYSTEM AND METHOD FOR COLLECTIVE TRUST IDENTITY AND AUTHENTICATION

Field of the invention

The present invention generally relates to Information technology and more particularly relates to a system and method for collective trust identity and authentication for the entities communicating over the electronic communication network.

Background of the invention

Today, organizations are retreating from paper communication with ink signatures or authenticity stamps, giving way to electronic documents with digital signatures. Digital signatures are capable of providing added assurances of evidence of the identity, origin and status of an electronic document as well as approval by a signatory. This reduces the likelihood of compromise of individual credentials used to authenticate the identity of the source messages. The earliest version of identity-based digital signatures was developed by Adi Shamir in 1984 and allowed users to verify digital signatures using unique information about the identity of the user, such as the user’s identifier (e.g. email address). In the protocol a Trusted Third Party (TTP) (aka Private Key Generator or PKG) would verify the identity of the entity, generate a private key for that particular entity from its identity and then deliver the private key to the entity using a secure channel. The protocol does not discuss the methods for identity verification or how to build a secure channel for delivering the private key. On the other hand, it gives the TTP the ability to generate the private key, as there is no provable association between the identity and keys. Using this ability the TTP can sign messages or decrypt secret information of any user.

A traditional system to secure the traffic across the public internet, called Public key infrastructure (PKI), commonly helps to authenticate the identity of the communicating parties or devices. The PKI normally works on keys, a long string of bits or numbers, and certificates. The keys include a public key and a private key, which are related by a complex mathematical formula. The public key can be used to encode a message, and the private key, which is considered to be a secret key, is used for decrypting the received messages. But the PKI provides poor execution when the parties involved in the communication process fail to deploy or manage the procedures properly, and most of the risks are associated with securing digital identities using PKI.

Another encryption technique called identity-based encryption (IBE) employs an identity-based system to generate a public key of a user from a known identity value, i.e. unique information about the identity of the user, e.g. a user's email address. A trusted party called the Private Key Generator (PKG) generates a corresponding private key for its trusted users. Here, the PKG first publishes a master public key and retains the corresponding master private key in secret, such that any trusted party can compute a public key corresponding to the identity by combining the master public key with the identity value. Further, a corresponding private key is issued through the PKG for the party authorized to use the identity ID, by using the master private key. The risks involved with this technique are mainly associated with the PKG: when the PKG is compromised, all the messages protected over the entire lifetime of the public-private key pair used by the respective server are also compromised. This necessitates frequent updating of the private-public key pair with a new independent key pair. This may cause key management issues, where every party must have knowledge of the most recent public key for the server. Another issue in this case is the requirement of a secured channel between a user and the Private Key Generator (PKG) for transmitting the private key for joining the system. Here, the users that hold accounts with the PKG must be able to authenticate themselves.

Accordingly, there exists a need to provide collective trust identity and authentication for the entities communicating over the electronic communication network, which can overcome the drawbacks of prior art techniques.

Objects of the invention

An object of the present invention is to use a credible digital identity that is a function of all attributes of the entity and to distribute trust equally between all involved entities: a signer, a verifier, and an arbitrator.

Summary of the invention

The present invention generally relates to Information technology and more particularly relates to a system and method for collective trust identity and authentication for the entities communicating over the electronic communication network.

In an implementation according to one of the embodiments of the present invention the first computing device is configured with an encryption module having a digital identity I1 representing a first entity (“entity-1” hereinafter). The second computing device is also configured with an encryption module having a digital identity I2 representing a second entity (“entity-2” hereinafter). A server, specifically a platform for the authentication procedures, acts as arbitrator in the collective trust identity authentication process and is provided with a digital identity Ip, called Crypto-ID (Cryptographic Identity).

In an implementation according to one of the embodiments the method of the present invention as first step includes configuring a server platform in the third computing device as an arbitrator for the authentication procedures. In the second step, the process includes signing and verification of the entities wherein the identity establishment process takes place for all the entities. After a successful verification process, a digital identity (I1/I2) is created for the respective entity from the available verified attributes. This digital identity of the entity is further used by the arbitrator to create an electronic signature certificate (ESC) that can be used for the authentication between the entity and the server platform. The third step involves the login process, where entity and arbitrator authentication occurs. During this session, an entity (entity-1/entity-2) can log in to the authentication process by using the respective PIN/biometric data that are used during the second step to encrypt the ESC. In the fourth step, entity to entity authentication happens. The authentication procedures generate a symmetric key between the two entities with the help of the arbitrator, using the public identities of each other. This is represented as a ‘Collective Identity’ or ‘Collective-ID’.

According to one of the embodiments of the present invention a method for collective trust identity and authentication includes configuring a first computing device with an encryption module representing a first entity, Entity-1, configuring a second computing device with an encryption module representing a second entity, Entity-2 and configuring a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process. The method includes performing entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server. The method includes executing activation of the first computing device, Entity-1 and second computing device, Entity-2. The method includes generating first Collective ID for the Entity-1 and Entity-2. The method includes generating New Collective ID for the Entity-1 and Entity-2. The method includes authenticating each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them. The method includes creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server. The method includes generating by the server a Transaction-ID. The method includes executing operations for signing. The method includes executing the signing. The method consecutively includes performing at the Entity-1 verification by polling on TID.

According to one of the embodiments of the present invention a system for collective trust identity and authentication, the system comprises a first computing device, the first computing device Entity-1, a second computing device, the second computing device Entity-2 and a third computing device, the third computing device server specifically a platform for the authentication procedures acting as arbitrator communicatively connected together through a communication network server, wherein the system is configured to configure a first computing device with an encryption module representing a first entity, Entity-1, configure a second computing device with an encryption module representing a second entity, Entity-2, configure a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process, perform entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server, execute activation of the first computing device, Entity-1 and second computing device, Entity-2, generate first Collective ID for the Entity-1 and Entity-2, generate New Collective ID for the Entity-1 and Entity-2, authenticate each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them, create by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server, generate by the server a Transaction-ID, execute operations for signing, execute the signing; and perform at the Entity-1 verification by polling on TID.

Brief description of the drawings

The embodiments can be better understood with reference to the following drawings and description. The components in the figures are not necessarily to scale, the emphasis instead being placed upon illustrating the principles of the embodiments. Moreover, the figures, like reference numerals designate corresponding parts throughout the different views. Reference will be made to embodiments of the invention, examples of which may be illustrated in the accompanying figures. These figures are intended to be illustrative, not limiting. Although the invention is generally described in the context of these embodiments, it should be understood that it is not intended to limit the scope of the invention to these particular embodiments.

The above and other objects, features, and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:

Figure 1 shows a functional block representation of a system for identity-based key agreement for secure communication in accordance with the present invention and

Figure 2 shows a functional flow diagram of a method for identity-based key agreement for secure communication in accordance with the present invention.

Detailed description of the invention

The foregoing objects of the present invention are accomplished and the problems and shortcomings associated with the prior art, techniques and approaches are overcome by the present invention as described below in the preferred embodiments.

The present invention provides a system and method for collective trust identity and authentication for the entities communicating over an electronic communication network.

In the following description, for the purpose of explanation, specific details are set forth in order to provide an understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these details. One skilled in the art will recognize that embodiments of the present invention, some of which are described below, may be incorporated into a number of systems. The various embodiments of the present invention provide a method and system for secure communication over communication network by an identity-based key agreement between the parties transmitting information over the network.

Furthermore, connections between components and/or modules within the figures are not intended to be limited to direct connections. Rather, these components and modules may be modified, re-formatted or otherwise changed by intermediary components and modules.

The systems/device and methods described herein are explained using examples with specific details for better understanding. However, the disclosed embodiments can be worked on by a person skilled in the art without the use of these specific details.

Throughout this application, with respect to all reasonable derivatives of such terms, and unless otherwise specified (and/or unless the particular context clearly dictates otherwise), each usage of:

“a” or “an” is meant to read as “at least one.”

“the” is meant to be read as “the at least one.”

References in the present invention to “one embodiment” or “an embodiment” mean that a particular feature, structure, characteristic, or function described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.

Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special purpose processor programmed with the instructions to perform the steps. Alternatively, steps may be performed by a combination of hardware, software, firmware and/or by human operators. Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present invention with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

In some embodiments, the systems may be configured as a distributed system where one or more components of the system are distributed across one or more networks in a cloud computing system.

If the specification states a component or feature "may", "can", "could", or "might" be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.

As used in the description herein and throughout the claims that follow, the meaning of "a, an," and "the" includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise.

Exemplary embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. These embodiments are provided so that this invention will be thorough and complete and will fully convey the scope of the invention to those of ordinary skill in the art. Moreover, all statements herein reciting embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future (i.e., any elements developed that perform the same function, regardless of structure).

Hereinafter, embodiments will be described in detail. For clarity of the description, known constructions and functions will be omitted. Parts of the description may be presented in terms of operations performed by an Electrical/Electronic system, using terms such as state, link, ground, fault, packet and the like, consistent with the manner commonly employed by those skilled in the art to convey the substance of their work to others skilled in the art. As is well understood by those skilled in the art, these quantities take the form of data stored/transferred in the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, and otherwise manipulated through mechanical and electrical components of the electronic/electrical systems; and the term electronic/electrical/computer system includes general purpose as well as special purpose data processing machines, switches, and the like, that are standalone, adjunct or embedded.

While embodiments of the present invention have been illustrated and described, it will be clear that the invention is not limited to these embodiments only. Numerous modifications, changes, variations, substitutions, and equivalents will be apparent to those skilled in the art, without departing from the spirit and scope of the invention, as described in the claim.

Referring to the figures 1 and 2, a system for collective trust identity authentication (100) (“the system (100)” hereinafter) is shown, in accordance with the present invention. The system (100) comprises a first computing device, a second computing device and a third computing device communicatively connected together through a communication network server (“network server” hereinafter).

The first, second and third computing devices each comprise a processing unit coupled with an input unit, an output unit and a memory unit through a plurality of interfacing circuits. Similarly, the network server and each of the plurality of computing devices in the network also have a hardware configuration of a processing unit interfaced with an input unit, an output unit and a memory unit. The processing unit includes a plurality of integrated circuits, or chips, that are designed to work in accordance with a set of instructions configured within an internal memory. The memory unit in the network server is configured with an application module that supports real-time communication and control of resources in the communication network. The server resources shared by the plurality of computing devices include the memory and accessibility to the network.

Each of the first, second and third computing devices is configured with an application module that provides secure communication between the computing devices over the communication network. The secure communication between the entities is established based on collective trust identity authentication between the first and second computing devices or the parties involved in the communication process.

The first computing device is configured with an encryption module having a digital identity I1 representing a first entity (“entity-1” hereinafter). Specifically, the first computing device includes desktop computers, laptop computers, handheld electronic devices, Internet of Things (IoT) devices, and the like. Further, the second computing device is also configured with an encryption module having a digital identity I2 representing a second entity (“entity-2” hereinafter). The encryption module stored in each of the first and second computing devices gives accessibility to the third computing device, which is also configured with an application module supporting the authenticating process for the communication between the first and the second computing devices and acts as a server, specifically a platform for the authentication procedures. The server acts as arbitrator in the collective trust identity authentication process and is provided with a digital identity Ip called Crypto-ID (Cryptographic Identity). The digital identity created for each of the first and second computing devices is from the list of all available attributes associated with each of the entities. So the digital identity is cryptographically linked with a physical entity through its attributes. Since the identity is created by the entity, all credentials are stored only with the device at the user end.

Again, referring to the figures 1 and 2, a method of collective trust identity and authentication for the entities (50) communicating over an electronic communication network is described in accordance with the present invention. The method is described in conjunction with the system (100).

The first step includes configuring a server platform in the third computing device as an arbitrator for the authentication procedures. During the set-up process of server platform, the platform defines cryptographic parameters to be used by the entities for signing/registering process. The entities include the users of the first and second computing devices but are not limited thereto. Here the platform acts as an arbitrator for the entire process of the authentication procedures.

In the second step, the process includes signing and verification of the entities wherein identity establishment process takes place for all the entities. Here, all the entities who want to participate in the authentication procedures have to register with the arbitrator/the server. The arbitrator verifies the identity of each entity as per specific procedures. Here, the identity includes the entire list of attributes and their proof-of-verification, for example an Attribute Verification microCertificate (AVmC) issued by other organizations or government entities. The digital identity creation process uses maximum attributes. This ensures uniqueness and therefore results in a continuously evolving process.

After successful verification process, a digital identity (I1/I2) is created for the respective entity from the available verified attributes. This digital identity of the entity is further used by the arbitrator to create an electronic signature certificate (ESC) that can be used for the authentication between the entity and the server platform. The ESC thus generated has two parts, one stored by the server platform and other by the respective entity. The ESC is generally encrypted using a personal identification number (PIN) and/or biometric data stored by the respective computing devices of each of the entities.

The third step involves the login process, where authentication between each entity and the arbitrator occurs. During this session, an entity (entity-1/entity-2) can log in to the authentication process by using the respective PIN/biometric data that were used during the second step to encrypt the ESC. Thus the encryption module of the respective computing device of the entity will decrypt the cryptographic parameters of the ESC and the entity can successfully use the ESC to authenticate with the server platform.

In the fourth step, entity to entity authentication happens. The authentication procedures generate a symmetric key between the two entities with the help of the arbitrator, using the public identities of each other. This is represented as a ‘Collective Identity’ or ‘Collective-ID’. The symmetric key is a unique identification for each of the first and second entities and can only be calculated by those members in the communication process with the knowledge of the private identity of the respective entity (first entity) and public identity shared by the second entity.

The information that is mandatory for generating “Collective Trust (Electronic Signature)” includes:

• a digital identity called Crypto-ID (E) of the signer entity which is possessed or generated only by the signer entity and the server platform,

• a digital identity called a Crypto-ID (Ip) of the server platform which is only possessed by the server,

• a digital identity called a Crypto-ID (I2) of the verifier entity which is only possessed by the verifier entity, and

• a collective ID which is only available to the signer and verifier entities, not to the server.

Thus the entities who are a signer and a verifier separately authenticate each other via the server platform in a secured way. Preferably, encryption and hash functions are used to achieve integrity in the authentication process, wherein the encryption keys are dynamic and specific to the entities who act as a signer and a verifier.

An example of the procedures involved in entity to entity authentication for creating the collective Identity is given in the following table 1.

Table 1:

Functions:

GenMPub( ): Cryptographic function for generating master public key

GenPriv( ): Function for generating Entity Private Key

GenEx( ): Function for generating exchange key

GenCID( ): Function for generating Collective-ID

The resultant key I12 is a shared secret key generated by the first computing device for entity-1 and the second computing device for entity-2 only. This will be used for multiple use cases like creating a secure channel and in the electronic signature protocol.

The steps involved in creating a collective electronic signature are given in Table 2 below.

Table 2:

Functions:

H( ): One-way HASH function; e.g. SHA256

DPriv( ): Cryptographic Randomization Function

DPub( ): Cryptographic One-way Function

GenSK( ): Function for generating signing/verifying key

Here, participation of all parties (Signing entity, Verifying entity) is mandatory for generation of the electronic signature. The signing key issued by the arbitrator is tightly bound with the document identity (for example, generated from the content of the document) and timestamp. Therefore, the signing/verifying key will be different for different documents. Hence, compromise of one key does not harm future signatures.

Table 3: The results observed for the method of collective trust authentication (50) for a secure communication, against the properties that a digital/electronic signature must satisfy.

The table above shows that the system satisfies all the required properties of digital/electronic signature protocol.

In an implementation according to one of the embodiments of the present invention the first computing device is configured with an encryption module having a digital identity I1 representing a first entity (“entity-1” hereinafter). The second computing device is also configured with an encryption module having a digital identity I2 representing a second entity (“entity-2” hereinafter). A server, specifically a platform for the authentication procedures, acts as arbitrator in the collective trust identity authentication process and is provided with a digital identity Ip, called Crypto-ID (Cryptographic Identity).

In an implementation according to one of the embodiments the method of the present invention as first step includes configuring a server platform in the third computing device as an arbitrator for the authentication procedures. In the second step, the process includes signing and verification of the entities wherein identity establishment process takes place for all the entities. After successful verification process, a digital identity (I1/I2) is created for the respective entity from the available verified attributes. This digital identity of the entity is further used by the arbitrator to create an electronic signature certificate (ESC) that can be used for the authentication between the entity and the server platform. The third step involves the login process, where authentication between each entity and the arbitrator occurs. During this session, an entity (entity-1/entity-2) can log in to the authentication process by using the respective PIN/biometric data that were used during the second step to encrypt the ESC. In the fourth step, entity to entity authentication happens. The authentication procedures generate a symmetric key between the two entities with the help of the arbitrator, using the public identities of each other. This is represented as a ‘Collective Identity’ or ‘Collective-ID’.

According to one of the embodiments of the present invention a method for collective trust identity and authentication includes configuring a first computing device with an encryption module representing a first entity, Entity-1, configuring a second computing device with an encryption module representing a second entity, Entity-2 and configuring a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process. The method includes performing entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server. The method includes executing activation of the first computing device, Entity-1 and second computing device, Entity-2. The method includes generating first Collective ID for the Entity-1 and Entity-2. The method includes generating New Collective ID for the Entity-1 and Entity-2. The method includes authenticating each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them. The method includes creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server. The method includes generating by the server a Transaction-ID. The method includes executing operations for signing. The method includes executing the signing. The method consecutively includes performing at the Entity-1 verification by polling on TID.

In an implementation according to one of the embodiments of the present invention the method includes performing entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server. The step of entity and platform authentication includes generating digital identity I1 for the entity-1 through entity-1 and platform authentication. The step of entity and platform authentication includes generating digital identity I2 for the entity-2 through entity-2 and platform authentication. The step of entity and platform authentication includes generating digital identity Ip for the server as a platform.

In an implementation according to one of the embodiments of the present invention the method includes executing activation of the first computing device, Entity-1 and second computing device, Entity-2. The method of executing activation of the first computing device, Entity-1 and second computing device, Entity-2 includes generating at the entity 1 a random number R1 <- Random(). The method consecutively includes applying at the entity 1 a cryptographic one-way function F( ) to the random number R1 generated at entity 1 to generate at the entity 1 a Random QR Code, F(R1) <- Random_QR_Code(). The method includes generating at the entity 2 a random number R2 <- Random(). The method consecutively includes applying at the entity 2 a cryptographic one-way function F( ) to the random number R2 generated at entity 2 to generate at the entity 2 a Random QR Code, F(R2) <- Random_QR_Code(). The function F( ) applied in the above steps is a cryptographic one-way function, which means that computing the inverse F^-1 is computationally difficult.

In an implementation according to one of the embodiments of the present invention the method includes generating first Collective ID for the Entity-1 and Entity-2. The method of generating first Collective ID for the Entity-1 and Entity-2 includes step of Entity 1 and Entity 2 manually scanning or inputting the QR code from each other. The method includes step of generating at the entity 1 a collective ID I12 by applying a hash function to the Random QR Code, F(R1) of entity 1 and Random QR Code, F(R2) of entity 2, I12 <- HASH(F(R1 * R2)). The method includes step of generating at the entity 2 a collective ID I12 by applying a hash function to the Random QR Code, F(R2) of entity 2 and Random QR Code, F(R1) of entity 1, I12 <- HASH(F(R1 * R2)).

In an implementation according to one of the embodiments of the present invention the method includes generating New Collective ID for the Entity-1 and Entity-2. The method of generating New Collective ID for the Entity-1 and Entity-2 includes step of generating at the entity 1 a Public key u1 as a hash function of the function F( ) of digital identity I1, u1 <- HASH[F(I1)]. The method includes step of generating at the entity 2 a Public key u2 as a hash function of the function F( ) of digital identity I2, u2 <- HASH[F(I2)]. The method includes step of generating by a Trusted Third Party i.e. a server supporting the authenticating process, a master private key MPriv and a master public key MPub = GenMPub(MPriv) corresponding to the identities of the users i.e. entity 1 and entity 2. The method includes step of obtaining from the Trusted Third Party i.e. a server, a master private key to generate Entity-1 private key U1Private as a function of a master private key and Entity-1 Public key u1 and generating Entity-1 private key as U1Private <- GenPriv(MPriv, u1). The method includes step of obtaining from the Trusted Third Party i.e. a server, a master private key to generate Entity-2 private key U2Private as a function of a master private key and Entity-2 Public key u2 and generating Entity-2 private key as U2Private <- GenPriv(MPriv, u2). The method step includes communicating to the Entity-2 through the communication encrypted by I1 through the Trusted Third Party i.e. a server, the generated Entity-1 private key U1Private by the Entity-1. The method step includes communicating to the Entity-1 through the communication encrypted by I2 through the Trusted Third Party i.e. a server, the generated Entity-2 private key U2Private by the Entity-2. The method includes generating at the entity 1 a random number r1 <- random() and at the entity 2 a random number r2 <- random(). The method includes step of generating at the entity-1 an exchange key X as a function of r1, MPub and u2 as X <- GenEx(r1, MPub, u2). The method includes step of generating encrypted exchange key X’ as a function of exchange key X and encryption key I12. The method includes step of generating at the entity-2 an exchange key Y as a function of r2, MPub and u1 as Y <- GenEx(r2, MPub, u1). The method includes step of generating encrypted exchange key Y’ as a function of exchange key Y and encryption key I12. The method includes step of communicating through the Trusted Third Party i.e. a server, by the Entity-1 to the Entity-2 the encrypted exchange key X’ encrypted with existing Collective Identity. The method includes step of communicating through the Trusted Third Party i.e. a server, by the Entity-2 to the Entity-1 the encrypted exchange key Y’ encrypted with existing Collective Identity. The method includes step of decrypting at the Entity-1 the received encrypted exchange key Y’ through decryption function of Y’ and Key I12 as Y <- Decrypt(Y', Key = I12). The method includes step of generating at the Entity-1 a New Collective-ID I12 as a generating Collective-ID function of U2Private, r1, Y as New Collective-ID I12 = GenCID(U2Private, r1, Y). The method includes step of decrypting at the Entity-2 the received encrypted exchange key X’ through decryption function of X’ and Key I12 as X <- Decrypt(X', Key = I12). The method includes step of generating at the Entity-2 a New Collective-ID I12 as a generating Collective-ID function of U1Private, r2, X as New Collective-ID I12 = GenCID(U1Private, r2, X).
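An added example, not part of the patent text, of the activation and first Collective-ID steps described above. It assumes F( ) is modular exponentiation, so that F(R1 * R2) can be computed from one's own random number and the scanned F( ) value of the peer; the group parameters and all function names are assumptions.

```python
import hashlib
import secrets

# Assumed demo group, not from the patent: integers modulo the prime 2**255 - 19
# with base 2. A deployment would pick a vetted group or curve.
P = 2**255 - 19
G = 2


def F(r):
    """One-way function assumed here: F(r) = G^r mod P."""
    return pow(G, r, P)


def activate():
    """Activation: R <- Random(), then the QR payload F(R). R never leaves the device."""
    r = secrets.randbelow(P - 3) + 2          # 2 <= r <= P - 2
    return r, F(r)


def first_collective_id(own_r, scanned_qr):
    """I12 <- HASH(F(R1 * R2)), computed as F(R_peer)^R_own without learning R_peer."""
    # Reject degenerate payloads (0, 1, P - 1): they would force a predictable I12.
    if not 1 < scanned_qr < P - 1:
        raise ValueError("scanned QR value is not a usable group element")
    shared = pow(scanned_qr, own_r, P)        # equals F(R1 * R2) on both sides
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()


def pair(qr_seen_by_e1=None, qr_seen_by_e2=None):
    """Run both entities; the optional arguments model a QR value altered before scanning."""
    r1, qr1 = activate()
    r2, qr2 = activate()
    id_at_e1 = first_collective_id(r1, qr2 if qr_seen_by_e1 is None else qr_seen_by_e1)
    id_at_e2 = first_collective_id(r2, qr1 if qr_seen_by_e2 is None else qr_seen_by_e2)
    return id_at_e1, id_at_e2


if __name__ == "__main__":
    a, b = pair()
    print("honest scan, IDs match:", a == b)
    a, b = pair(qr_seen_by_e1=F(12345))       # constructed wrong payload
    print("altered scan, IDs match:", a == b)
```

A QR value that did not come from the peer leaves the two entities with different Collective-IDs, so anything later encrypted under I12 fails to decrypt on the other side.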

In an implementation according to one of the embodiments of the present invention the method includes authenticating each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them. The method includes step of authenticating by server platform and at least two entities, each other’s identity as entity 1 digital identity as I1, entity 2 digital identity as I2, server digital identity as Ip and generating by the entities and server platform a shared secret key for secure communication between them.

In an implementation according to one of the embodiments of the present invention the method includes creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server. The method of creating by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server includes step of creating as a requester or verifier by a first entity, the first entity entity-1, a transaction note Trans_Note, generating a transaction note Id TH as a hash function of Trans_Note as TH <- H(Trans_Note) and sending a request for generation of a Transaction-ID for the transaction note Id TH to the server.

In an implementation according to one of the embodiments of the present invention the method includes generating by the server a Transaction-ID. The method of generating by the server a Transaction-ID includes step of generating by the server, Transaction-ID TID as a function of transaction note Id TH and Timestamp t as TID <- [TH || t] and forwarding by the server the Transaction-ID TID to the first entity entity-1.

In an implementation according to one of the embodiments of the present invention the method includes executing operations for signing. The method of executing operations for signing includes step of generating at the entity 1 dynamic private identity EPriv by applying cryptographic randomization function DPriv( ) to the digital identity I1 of the entity 1 as EPriv <- DPriv(I1). The method includes step of generating at the entity 1 dynamic public identity EPub by applying cryptographic one-way function DPub( ) to the dynamic private identity EPriv of the entity 1 as EPub <- DPub(EPriv). The method includes step of sending the parameters TID and EPub to the server. The method includes step of generating by the server a Dynamic Private ID IPriv by applying cryptographic randomization function DPriv( ) to the Private Key i.e. digital identity Ip of the server as IPriv <- DPriv(Ip). The method includes generating by the server a Dynamic Public ID IPub by applying cryptographic one-way function DPub( ) to the parameters TID, EPub received from the entity-1 and Dynamic Private ID IPriv as IPub <- DPub(TID, EPub, IPriv). The method includes step of receiving at the second computing device, Entity-2, through an application configured at Entity-2 a request for transaction signing and calling through the application the Trusted Third Party, the server, for receiving session parameters of TID and Poll on TID. The method includes step of sending by the server to the Entity-2 the parameters TID and IPub. The method includes step of obtaining TH’ by applying One-way HASH function H( ) to the Trans_Note as TH’ = H(Trans_Note), extracting TH from TID, and proceeding further if (TH == TH’) else aborting the process. The method includes step of generating by the Entity-2, a Dynamic Private Identity UPriv as operations for signing by applying cryptographic randomization function DPriv( ) to the digital identity I2 of the Entity-2 as UPriv <- DPriv(I2). The method includes step of generating by the Entity 2 a Dynamic Public Identity UPub by applying cryptographic one-way function DPub( ) to the Dynamic Private Identity UPriv generated at Entity 2 as UPub <- DPub(UPriv). The method includes step of extracting at the Entity 2 the collective Identity I12.

In an implementation according to one of the embodiments of the present invention the method includes executing the signing. The method of executing the signing includes step of generating by the Entity 2 a Signing Key sk by applying function for generating signing/verifying key to the parameters EPub, UPriv, I12 as sk <- GenSK(EPub, UPriv, I12). The method includes generating by the entity 2 a signature on TID ‘sig’ by applying encryption function to parameters TID and signing key sk as sig <- Encrypt(TID, sk). The method includes step of sending by the entity 2 to the server the parameters TID, sig, and UPub. The method includes generating by the server a UPub by applying cryptographic one-way function DPub( ) to the parameters UPub, TID received from entity 2 and Dynamic Private Identity IPriv as UPub <- DPub(UPub, TID, IPriv). The method includes step of sending by the server to the entity 1 the parameters TID, sig, and UPub.

In an implementation according to one of the embodiments of the present invention the method includes step of performing at the entity 1 verification by polling on TID. The method of performing at the entity 1 verification by polling on TID includes steps of extracting the collective identity I12, generating by the entity 1 the Verification key vk by applying function for generating signing/verifying key to the parameters UPub, EPriv, I12 as vk <- GenSK(UPub, EPriv, I12), verifying by the entity 1 the TID and TID’ by generating TID’ by applying decryption function to parameters sig and vk as [TID'] <- Decrypt(sig, vk) and matching the TID and TID' as TID == TID'.
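An added example, not code from the patent, that walks the Transaction-ID, signing and verification steps above end to end using one possible instantiation of the functions the description leaves unspecified. Assumptions: DPub( ) is modular exponentiation in a demo-sized group, the server's DPub(TID, ·, IPriv) raises the value it receives to IPriv·H(TID), GenSK( ) hashes the resulting shared value with I12 and is fed the server-processed value each side actually receives (IPub at Entity-2), Encrypt/Decrypt is a SHAKE-256 keystream XOR, and the identity byte strings are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Assumed demo group, not from the patent: integers modulo 2**255 - 19, base 2.
P = 2**255 - 19
G = 2
Q = P - 1                                   # exponents are reduced modulo Q


def H(data):
    """H( ): one-way hash; the description gives SHA256 as its example."""
    return hashlib.sha256(data).digest()


def to_exponent(data):
    return (int.from_bytes(H(data), "big") % Q) or 1


def make_tid(th, t):
    """Server: TID <- [TH || t]; the 8-byte big-endian timestamp is an assumed encoding."""
    return th + t.to_bytes(8, "big")


def dpriv(identity):
    """DPriv( ) stand-in: the identity mixed with fresh randomness, new for every run."""
    return to_exponent(identity + secrets.token_bytes(32))


def dpub(priv):
    """DPub( ) stand-in: G^priv mod P."""
    return pow(G, priv, P)


def server_dpub(pub, tid, ipriv):
    """Server's DPub(TID, pub, IPriv) stand-in: ties the value to this TID and to IPriv."""
    return pow(pub, ipriv * to_exponent(tid) % Q, P)


def gen_sk(bound_pub, own_priv, i12):
    """GenSK( ) stand-in: hash of the three-party shared value together with I12."""
    return H(pow(bound_pub, own_priv, P).to_bytes(32, "big") + i12)


def xor_stream(data, key):
    """Encrypt/Decrypt stand-in (demo only): XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def run_transaction(note_at_e1, note_at_e2, i12_at_e1, i12_at_e2):
    """One signing round; returns 'verified', 'rejected' or 'aborted: TH mismatch'."""
    # Constructed identities; the patent derives I1, I2, Ip from verified attributes.
    i1, i2, ip = b"constructed-I1", b"constructed-I2", b"constructed-Ip"

    # Entity-1 (requester/verifier): TH <- H(Trans_Note); the server returns TID.
    th = H(note_at_e1)
    tid = make_tid(th, int(time.time()))
    epriv = dpriv(i1)
    epub = dpub(epriv)

    # Server: IPriv <- DPriv(Ip), IPub <- DPub(TID, EPub, IPriv), sent to Entity-2.
    ipriv = dpriv(ip)
    ipub = server_dpub(epub, tid, ipriv)

    # Entity-2 (signer): recompute TH' from its own copy of the note and compare.
    if not hmac.compare_digest(H(note_at_e2), tid[:32]):
        return "aborted: TH mismatch"
    upriv = dpriv(i2)
    upub = dpub(upriv)
    sk = gen_sk(ipub, upriv, i12_at_e2)
    sig = xor_stream(tid, sk)               # sig <- Encrypt(TID, sk)

    # Server: binds UPub to the same TID and IPriv before forwarding to Entity-1.
    upub_bound = server_dpub(upub, tid, ipriv)

    # Entity-1: vk <- GenSK(UPub, EPriv, I12); accept only if Decrypt(sig, vk) == TID.
    vk = gen_sk(upub_bound, epriv, i12_at_e1)
    ok = hmac.compare_digest(xor_stream(sig, vk), tid)
    return "verified" if ok else "rejected"


if __name__ == "__main__":
    i12 = H(b"constructed collective id")
    print(run_transaction(b"pay 100", b"pay 100", i12, i12))
    print(run_transaction(b"pay 100", b"pay 900", i12, i12))
    print(run_transaction(b"pay 100", b"pay 100", i12, H(b"stale id")))
```

Under these assumptions sk and vk agree only when both entities hold the same I12 and the server applied the same IPriv to both public values for the same TID, which is the sense in which every party's participation is mandatory.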

According to one of the embodiments of the present invention a system for collective trust identity and authentication, the system comprises a first computing device, the first computing device Entity-1, a second computing device, the second computing device Entity-2 and a third computing device, the third computing device server specifically a platform for the authentication procedures acting as arbitrator communicatively connected together through a communication network server, wherein the system is configured to configure a first computing device with an encryption module representing a first entity, Entity-1, configure a second computing device with an encryption module representing a second entity, Entity-2, configure a server specifically as a platform for the authentication procedures acting as arbitrator in the collective trust identity authentication process, perform entity and platform authentication to generate digital identities for entity-1 and entity-2 and the server, execute activation of the first computing device, Entity-1 and second computing device, Entity-2, generate first Collective ID for the Entity-1 and Entity-2, generate New Collective ID for the Entity-1 and Entity-2, authenticate each other’s identity by the server platform and the entities and generating by the entities and server platform a shared secret key for secure communication between them, create by the entity-1 as requester/verifier a transaction note and request a Transaction-ID from the server, generate by the server a Transaction-ID, execute operations for signing, execute the signing; and perform at the Entity-1 verification by polling on TID.

According to one of the embodiments of the present invention the first, second and third computing devices each comprise a processing unit coupled with an input unit, an output unit and a memory unit through a plurality of interfacing circuits wherein the processing unit includes a plurality of integrated circuits, or chips, that are designed to work in accordance with a set of instructions configured within an internal memory. According to one of the embodiments of the present invention the network server and each of the plurality of computing devices in the network comprise a hardware configuration of a processing unit interfaced with an input unit, an output unit and a memory unit wherein the processing unit includes a plurality of integrated circuits, or chips, that are designed to work in accordance with a set of instructions configured within an internal memory. The memory unit in the network server is configured with an application module that supports real-time communication and control of resources in the communication network.

According to one of the embodiments of the present invention the first, second and third computing devices are configured with an application module that provides secure communication between the computing devices over the communication network wherein the secure communication between the entities is established based on collective trust identity authentication between the first and second computing devices or the parties involved in the communication process. According to one of the embodiments of the present invention the first computing device is configured with an encryption module having a digital identity I1 representing a first entity Entity-1. The second computing device is also configured with an encryption module having a digital identity I2 representing a second entity Entity-2. The server acting as arbitrator in the collective trust identity authentication process is provided with a digital identity Ip.

Advantages of the invention:

1. The system (100) introduces an authentication procedure that establishes a link between the physical identities and the digital identities of a user, which makes the authentication by the electronic signature much stronger.

2. The ESC generated by the system (100) is very efficient and easy to use and adopt.

3. The digital Identity created by the system (100) from the list of all the available attributes associated with the entity is cryptographically linked with physical entity through its attributes. This removes the dependency on a centralized third party like CA (Certifying Authority).

4. The system (100) uses maximum attributes in the digital identity creation process, thus ensuring the property of uniqueness.

5. The Crypto-ID (I1/I2) can only be generated by the entity after successful authentication with the server platform. This is based on the attributes of the entity: PIN, encrypted pre-shared information and the respective computing device identity. This information is known and/or possessed only by the signer. Therefore, the signer cannot deny the act of authentication procedures.

6. In the system (100), the authentication with Trusted Third Party (TTP) is mandatory to initiate a signing process. Authentication can only be done based on PIN, encrypted pre-shared information and the computing device identity shared by the respective entity. All this information is known (or kept) only by the signing entity, so that the entity can have sole control of signing.

7. The Trusted Third Party (TTP) ensures uniqueness of crypto ID for every user, hence eliminating the possibility of multiple identities for same user.

The present invention as implemented through various embodiments is economically viable and can be adopted by the businesses easily as it provides the higher graded security in economical plans. In some embodiments, the disclosed techniques can be implemented, at least in part, by computer program instructions encoded on a non-transitory computer-readable storage media in a machine-readable format, or on other non-transitory media or articles of manufacture. Such computing systems (and non-transitory computer-readable program instructions) can be configured according to at least some embodiments presented herein, including the processes shown and described in connection with Figures.

The programming instructions can be, for example, computer executable and/or logic implemented instructions. In some examples, a computing device is configured to provide various operations, functions, or actions in response to the programming instructions conveyed to the computing device by one or more of the computer readable medium, the computer recordable medium, and/or the communications medium. The non-transitory computer readable medium can also be distributed among multiple data storage elements, which could be remotely located from each other. The computing device that executes some or all of the stored instructions can be a micro-fabrication controller, or another computing platform. Alternatively, the computing device that executes some or all of the stored instructions could be a remotely located computer system, such as a server.

Further, while one or more operations have been described as being performed by or otherwise related to certain modules, devices or entities, the operations may be performed by or otherwise related to any module, device or entity.

Further, the operations need not be performed in the disclosed order, although in some examples, an order may be preferred. Also, not all functions need to be performed to achieve the desired advantages of the disclosed system and method, and therefore not all functions are required.

While select examples of the disclosed system and method have been described, alterations and permutations of these examples will be apparent to those of ordinary skill in the art. Other changes, substitutions, and alterations are also possible without departing from the disclosed system and method in its broader aspects. The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the present invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the present invention and its practical application, to thereby enable others skilled in the art to best utilize the present invention and various embodiments with various modifications as are suited to the particular use contemplated. It is understood that various omission and substitutions of equivalents are contemplated as circumstance may suggest or render expedient, but such are intended to cover the application or implementation without departing from the scope of the present invention.