US-12621140-B2 - Access gateway system for accessing a resource
Abstract
An access gateway may grant a requestor access to a computer resource. The requestor may receive a credential from an identity provider and calculate a zero-knowledge proof of possession of the credential. The requestor may use the proof to request access to the computer resource. The identity provider may record a policy corresponding to the credential in a distributed ledger. The access gateway may, subject to verifying the proof, retrieve the policy from the distributed ledger. The access gateway may grant the requestor access to the computer resource as indicated by the policy. For example, the access gateway may allow the requestor to transfer data from a classified data storage component to a declassified data storage component. In some cases, the classified data storage component may encrypt data (e.g., using an encryption key provided by the requestor and/or the declassified data storage component) prior to transfer.
Inventors
- Jesús Alejandro Cárdenes Cabré
- Jeremy Taylor
- Madjid Aoudia
- John Christopher Muddle
- Colin Gounden
Assignees
- Via Science, Inc.
Dates
- Publication Date
- 20260505
- Application Date
- 20240716
Claims (20)
- 1 . A computer-implemented method comprising: receiving, by an access gateway system from a first client device, a first request for access to first data; receiving, from the first client device, second data representing a zero-knowledge proof of possession of a first credential; verifying, using the second data, that the first client device likely corresponds to the first credential; in response to verifying that the first client device likely possesses the first credential, retrieving, from a distributed ledger system, policy data corresponding to the first credential; determining that the policy data grants a possessor of the first credential access to the first data; and in response to determining that the policy data grants the possessor of the first credential access to the first data: causing a first data storage component to encrypt the first data using a first encryption key to generate first encrypted data, and causing the first data storage component to send the first encrypted data to a second data storage component.
- 2 . The computer-implemented method of claim 1 , further comprising, prior to causing the first data storage component to encrypt the first data: receiving the first encryption key from the second data storage component; and sending the first encryption key to the first data storage component.
- 3 . The computer-implemented method of claim 1 , further comprising: causing the second data storage component to decrypt the first encrypted data using a first decryption key, the first encryption key and the first decryption key representing a public/private key pair.
- 4 . The computer-implemented method of claim 1 , wherein the first request represents a request to declassify the first data, the method further comprising: receiving the first encrypted data from the first data storage component, the first data storage component representing a secure data store; and sending the first encrypted data to the second data storage component.
- 5 . The computer-implemented method of claim 1 , further comprising: receiving, from an identity provider system, second data representing a verifier key, the identity provider system sending, to the first client device, third data representing a prover key corresponding to the verifier key; causing the first client device to generate the first data using the third data; and processing the first data and the second data to determine that the first data likely represents a true claim.
- 6 . The computer-implemented method of claim 1 , further comprising: sending, to the distributed ledger system, the policy data indicating a first association between the first credential and the policy data with respect to the first data; and sending, to the first client device, first credential data representing the first credential.
- 7 . The computer-implemented method of claim 1 , further comprising: receiving, from the first client device, a second request for access to the first data, the first request corresponding to a first operation and the second request corresponding to a second operation different from the first operation; determining that the policy data authorizes the first operation but not the second operation; and in response to determining that the policy data does not authorize the second operation, denying, by the access gateway system, the second request.
- 8 . A system, comprising: at least one processor; and at least one memory comprising instructions that, when executed by the at least one processor, cause the system to: receive, by an access gateway system from a first client device, a first request for access to first data; receive, from the first client device, second data representing a zero-knowledge proof of possession of a first credential; verify, using the second data, that the first client device likely corresponds to the first credential; in response to verifying that the first client device likely possesses the first credential, retrieve, from a distributed ledger system, policy data corresponding to the first credential; determine that the policy data grants a possessor of the first credential access to the first data; and in response to determining that the policy data grants the possessor of the first credential access to the first data: cause a first data storage component to encrypt the first data using a first encryption key to generate first encrypted data, and cause the first data storage component to send the first encrypted data to a second data storage component.
- 9 . The system of claim 8 , wherein the instructions further cause the system to, prior to causing the first data storage component to encrypt the first data: receive, from the second data storage component, the first encryption key; and send the first encryption key to the first data storage component.
- 10 . The system of claim 8 , wherein the instructions further cause the system to: cause the second data storage component to decrypt the first encrypted data using a first decryption key, the first encryption key and the first decryption key representing a public/private key pair.
- 11 . The system of claim 8 , wherein the first request represents a request to declassify the first data, and the instructions further cause the system to: receive the first encrypted data from the first data storage component, the first data storage component representing a secure data store; and send the first encrypted data to the second data storage component.
- 12 . The system of claim 8 , wherein the instructions further cause the system to: receive, from an identity provider system, second data representing a verifier key, the identity provider system sending, to the first client device, third data representing a prover key corresponding to the verifier key; cause the first client device to generate the first data using the third data; and process the first data and the second data to determine that the first data likely represents a true claim.
- 13 . The system of claim 8 , wherein the instructions further cause the system to: send, to the distributed ledger system, the policy data indicating a first association between the first credential and the policy data with respect to the first data; and send, to the first client device, first credential data representing the first credential.
- 14 . The system of claim 8 , wherein the instructions further cause the system to: receive, from the first client device, a second request for access to the first data, the first request corresponding to a first operation and the second request corresponding to a second operation different from the first operation; determine that the policy data authorizes the first operation but not the second operation; and in response to determining that the policy data does not authorize the second operation, deny, by the access gateway system, the second request.
- 15 . A computer-implemented method comprising: receiving, by an access gateway system from a first client device, a first request for access to first data; receiving, from the first client device, second data representing a zero-knowledge proof of possession of a first credential; verifying, using the second data, that the first client device likely corresponds to the first credential; in response to verifying that the first client device likely possesses the first credential, retrieving, from a distributed ledger system, policy data corresponding to the first credential; determining that the policy data grants a possessor of the first credential access to the first data; in response to determining that the policy data grants the possessor of the first credential access to the first data, sending, to a first data storage component, a first encryption key; receiving, from the first data storage component first encrypted data representing the first data; and sending the first encrypted data to a second data storage component, the second data storage component decrypting the first encrypted data using a first decryption key.
- 16 . The computer-implemented method of claim 15 , further comprising: receiving, from the first data storage component, second encrypted data representing the first decryption key encrypted using the first encryption key, the first decryption key corresponding to a symmetric-key cryptography algorithm.
- 17 . The computer-implemented method of claim 15 , further comprising: prior to sending the first encryption key to the first data storage component, receiving the first encryption key from the second data storage component; and sending, to the second data storage component, second encrypted data received from the first data storage component, the second data storage component decrypting the second encrypted data using a second decryption key, the first encryption key and the second decryption key corresponding to a public-key cryptography algorithm.
- 18 . The computer-implemented method of claim 15 , further comprising: receiving, prior to sending the first encryption key to the first data storage component, the first encryption key from the second data storage component; and causing the first data storage component to encrypt the first data using the first encryption key.
- 19 . The computer-implemented method of claim 15 , further comprising: receiving, from an identity provider system, second data representing a verifier key, the identity provider system sending, to the first client device, third data representing a prover key corresponding to the verifier key; causing the first client device to generate the first data using the third data; and processing the first data and the second data to determine that the first data likely represents a true claim.
- 20 . The computer-implemented method of claim 15 , further comprising: sending, to the distributed ledger system, the policy data indicating a first association between the first credential and the policy data with respect to the first data; and sending, to the first client device, first credential data representing the first credential.
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application is a continuation-in-part of U.S. patent application Ser. No. 18/603,590, filed Mar. 13, 2024, and entitled “ACCESS GATEWAY SYSTEM FOR ACCESSING A RESOURCE,” which claims the benefit of priority of U.S. Provisional Patent Application No. 63/490,038, filed Mar. 14, 2023, and entitled “CRYPTOGRAPHICALLY SECURE GLOBAL ADDRESSING LIST FOR DATA VERIFICATION AND DECLASSIFICATION,” the contents of both of which are incorporated herein by reference in their entirety.
BRIEF DESCRIPTION OF DRAWINGS
For a more complete understanding of the present disclosure, reference is now made to the following description taken in conjunction with the accompanying drawings.
FIG. 1 is a conceptual diagram of an example environment in which an access gateway system may operate, according to embodiments of the present disclosure.
FIG. 2 is a signal flow diagram illustrating example operations of the access gateway system, according to embodiments of the present disclosure.
FIG. 3A illustrates operations of a first example use case of the access gateway system for declassifying data, according to embodiments of the present disclosure.
FIG. 3B is a signal flow diagram illustrating example operations of the first example use case, according to embodiments of the present disclosure.
FIG. 4A illustrates operations of a second example use case of the access gateway system for authorizing access to secured data for executing workflows on a data owner system, according to embodiments of the present disclosure.
FIG. 4B is a signal flow diagram illustrating example operations of the second example use case, according to embodiments of the present disclosure.
FIG. 5A illustrates operations of a third example use case of the access gateway system for authorizing submission of digitally signed content to a content platform, according to embodiments of the present disclosure.
FIG. 5B is a signal flow diagram illustrating example operations of the third example use case, according to embodiments of the present disclosure.
FIG. 6A illustrates operations of a fourth example use case involving encrypting declassified data prior to transferring the data, via the access gateway system, to a declassified data storage, according to embodiments of the present disclosure.
FIG. 6B is a signal flow diagram illustrating example operations of the fourth example use case, according to embodiments of the present disclosure.
FIG. 7 is a block diagram illustrating an example client device and system component communicating over a computer network, according to embodiments of the present disclosure.
DETAILED DESCRIPTION
The systems and methods described herein relate to a cryptographically secure global addressing list for data verification and declassification. An access gateway system (AGS) may control access of a requestor to a computer resource. The computer resource may be, for example, a resource system and/or a data store. The requestor may be an individual such as a user, administrator, analyst, content creator, etc. requesting access to the computer resource. The requestor may seek access to the computer resource for various purposes, including, for example, declassifying data and relocating it to declassified storage, executing a workflow on a data owner system, and/or uploading digitally signed content to a content platform.
The AGS may verify credentials of a requestor and retrieve policies corresponding to the credentials. The policies may pertain to permission to access the computer resource and may additionally specify granular permissions with regard to the resource system and/or data (e.g., read-only, write, delete, etc.). In some implementations, the requestor may use a zero-knowledge proof to show possession of the relevant credential to the AGS. This may allow the AGS to determine that the requestor has a credential granting it access to the computer resource without knowing the exact identity of the requestor and/or without divulging the identity of the requestor to an observer. An identity provider system may provide the requestor with the credential and the AGS with data for verifying the proof.
The resource system may implement policies that govern, for example, which credentials correspond to which permissions. In some implementations, the resource system may record policies in a distributed ledger such as a blockchain. In some implementations, the resource system may record the policies along with credentials corresponding to requestors to which the policies grant access. The tamper-resistant nature of the distributed ledger may represent reliable evidence that the policies and/or corresponding credentials recorded therein accurately represent what the resource system originally intended/recorded. The distributed ledger may further provide a robust, reliable, and replicated record of the policies and/or credentials. By combining zero-knowledge proof of credentials and distributed ledg
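The following is an added example, not code from the patent or from Via Science, that walks the flow described in the abstract, the detailed description and claims 1-3, 7, 15-17 end to end in one runnable script: the identity provider issues a credential and records its policy in a tamper-evident ledger, the requestor proves possession of the credential with a zero-knowledge proof bound to a specific request, the gateway verifies the proof, reads the policy from the ledger and denies an operation the policy does not list, and on a grant the classified store encrypts the data under a key supplied by the declassified store before the transfer. The patent does not name its primitives, so the following are my stand-ins: a Schnorr proof of knowledge over secp256k1 for the zero-knowledge proof, an in-memory SHA-256 hash chain for the distributed ledger, and ECDH key agreement plus a SHA-256 keystream with an HMAC tag for the public-key and symmetric ciphers. Every function, class and policy name below, and the sample record, is constructed for this example.

```python
# Added example, not code from the patent or from Via Science: the claimed flow
# end to end. Stand-ins for what the patent leaves unspecified: a Schnorr proof
# of knowledge for the zero-knowledge proof, an in-memory hash chain for the
# distributed ledger, ECDH plus a SHA-256 keystream and HMAC tag for the
# public-key and symmetric ciphers. Curve is secp256k1; all names are mine.
from __future__ import annotations
import hashlib, hmac, secrets
from typing import Optional, Tuple

P = 2**256 - 2**32 - 977  # secp256k1 field; base point G has prime order N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity

def ec_add(a: Point, b: Point) -> Point:
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = 3*a[0]*a[0] * pow(2*a[1], -1, P) if a == b else (b[1]-a[1]) * pow(b[0]-a[0], -1, P)
    x = (lam*lam - a[0] - b[0]) % P
    return x, (lam*(a[0] - x) - a[1]) % P

def ec_mul(k: int, pt: Point) -> Point:
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def enc(pt: Point) -> bytes: return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")  # SEC1 compressed
def sha(*parts: bytes) -> bytes: return hashlib.sha256(b"".join(parts)).digest()
def challenge(t: Point, request: bytes) -> int: return int.from_bytes(sha(enc(t), request), "big") % N
def request_bytes(cred: str, op: str, name: str) -> bytes: return f"{cred}|{op}|{name}".encode()

def prove(x: int, request: bytes) -> Tuple[Point, int]:
    # Requestor: Schnorr proof of knowing x for y = x*G; Fiat-Shamir over the request binds it to one request
    k = secrets.randbelow(N - 1) + 1
    t = ec_mul(k, G)
    return t, (k + challenge(t, request) * x) % N

def verify(y: Point, request: bytes, proof: Tuple[Point, int]) -> bool:
    t, s = proof  # s*G == t + c*y holds iff the prover knew x for y
    return ec_mul(s, G) == ec_add(t, ec_mul(challenge(t, request), y))

class Ledger:  # append-only hash chain: editing any recorded policy breaks every later hash
    def __init__(self) -> None: self.blocks: list = []
    @staticmethod
    def _h(prev: bytes, entry: dict) -> bytes: return sha(prev, repr(sorted(entry.items())).encode())
    def append(self, entry: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else b"\0" * 32
        self.blocks.append({"prev": prev, "entry": entry, "hash": self._h(prev, entry)})
    def is_intact(self) -> bool:
        prev = b"\0" * 32
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._h(prev, b["entry"]): return False
            prev = b["hash"]
        return True
    def policy_for(self, cred: str) -> Optional[dict]:
        if not self.is_intact(): raise RuntimeError("ledger integrity check failed")
        return next((b["entry"]["policy"] for b in self.blocks if b["entry"]["cred"] == cred), None)

def issue_credential(ledger: Ledger, policy: dict) -> Tuple[str, int, Point]:
    x = secrets.randbelow(N - 1) + 1  # identity provider: prover key x to requestor, verifier key y to gateway
    y = ec_mul(x, G)
    cred = sha(enc(y)).hex()[:16]
    ledger.append({"cred": cred, "policy": policy})
    return cred, x, y

def keystream_xor(key: bytes, data: bytes) -> bytes:
    ks = b"".join(sha(key, i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def classified_export(data: bytes, dst_pub: Point) -> Tuple[Point, bytes, bytes]:
    e = secrets.randbelow(N - 1) + 1  # classified store: encrypt under a key derived from the destination's public key
    k = sha(enc(ec_mul(e, dst_pub)))  # ECDH data key (stand-in for a symmetric key wrapped with the public key)
    ct = keystream_xor(k, data)
    return ec_mul(e, G), ct, hmac.new(k, ct, "sha256").digest()

def declassified_receive(dst_priv: int, eph: Point, ct: bytes, tag: bytes) -> bytes:
    k = sha(enc(ec_mul(dst_priv, eph)))  # declassified store: same derived key; check the tag before decrypting
    if not hmac.compare_digest(tag, hmac.new(k, ct, "sha256").digest()):
        raise ValueError("ciphertext authentication failed")
    return keystream_xor(k, ct)

def gateway_handle(ledger: Ledger, verifier_keys: dict, store: dict, dst_pub: Point,
                   cred: str, op: str, name: str, proof: Tuple[Point, int]):
    y = verifier_keys.get(cred)  # access gateway: proof first, then ledger policy, then the encrypted transfer
    if y is None or not verify(y, request_bytes(cred, op, name), proof):
        return "deny:proof", None   # unknown credential, forged proof, or a proof made for another request
    policy = ledger.policy_for(cred)
    if policy is None or op not in policy.get(name, ()):
        return "deny:policy", None  # credential is real but this operation is not authorised (claim 7)
    return "grant", classified_export(store[name], dst_pub)

def demo() -> Tuple[str, str, str, bytes]:
    ledger, store = Ledger(), {"report": b"constructed sample record"}  # constructed input
    dst_priv = secrets.randbelow(N - 1) + 1; dst_pub = ec_mul(dst_priv, G)
    cred, x, y = issue_credential(ledger, {"report": ("declassify",)})
    args = (ledger, {cred: y}, store, dst_pub, cred)
    granted, pkg = gateway_handle(*args, "declassify", "report", prove(x, request_bytes(cred, "declassify", "report")))
    wrong_op, _ = gateway_handle(*args, "delete", "report", prove(x, request_bytes(cred, "delete", "report")))
    reused, _ = gateway_handle(*args, "declassify", "other", prove(x, request_bytes(cred, "declassify", "report")))
    return granted, wrong_op, reused, declassified_receive(dst_priv, *pkg)
```

Running `demo()` yields `("grant", "deny:policy", "deny:proof", b"constructed sample record")`. Three points are worth noting. The proof is hashed together with the credential id, operation and resource, so a proof captured for one request fails verification when replayed against another, which is what the `reused` case shows. The gateway consults the ledger only after the proof checks out, and `policy_for` refuses to answer at all if the chain has been altered, so a policy edit outside the ledger's append path turns into a denial rather than a silent grant. The encryption key comes from the destination store and never from the requestor or the gateway, matching claims 2 and 17; the gateway relays ciphertext and an authentication tag but cannot decrypt what it forwards.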