US-12627493-B2 - Method, cloud-service method, cloud server, self-sovereign identity method for providing a self-sovereign identity cloud service to a user
Abstract
The present disclosure relates to a method for providing a self-sovereign identity cloud service to a user. The method includes signing, on a user device of the user, an instruction to store self-sovereign identity data of the user based on a user private key of a user asymmetric key pair. The method further includes sending the signed instruction and the self-sovereign identity data from the user device to a cloud server. The method further includes verifying, in a trusted execution environment of the cloud server, the signed instruction based on a user public key of the user asymmetric key pair. The method further includes, if the signed instruction is approved, storing the self-sovereign identity data in the trusted execution environment.
Inventors
- Hugo EMBRECHTS
- Rik CLAESEN
- Michele Minelli
- Noriyuki Suzuki
- Kenji Suzuki
Assignees
- Sony Group Corporation
Dates
- Publication Date: 2026-05-12
- Application Date: 2022-07-29
- Priority Date: 2021-07-29
Claims (15)
- 1. A method for providing a self-sovereign identity cloud service to a user, comprising: signing, on a user device of the user, an instruction to store self-sovereign identity data of the user based on a user private key of a user asymmetric key pair, wherein the self-sovereign identity data comprises user-controlled identity credentials verifiable by third parties that enable the user to control the user's self-sovereign identity without intervention of a centralized identity management system; sending the signed instruction and the self-sovereign identity data from the user device to a cloud server; verifying, in a trusted execution environment of the cloud server, the signed instruction based on a user public key of the user asymmetric key pair; and in a case that the signed instruction is approved, storing the self-sovereign identity data in the trusted execution environment.
- 2. The method of claim 1, further comprising: registering the user device on the trusted execution environment, wherein registering comprises: receiving, on the user device, a cloud public key of a cloud asymmetric key pair from the cloud server; generating the user asymmetric key pair on the user device; encrypting, on the user device, the user public key of the user asymmetric key pair based on the cloud public key; sending the encrypted user public key from the user device to the cloud server; decrypting, in the trusted execution environment, the encrypted user public key based on a cloud private key of the cloud asymmetric key pair; associating the user device with the self-sovereign identity cloud service by storing the user public key in the trusted execution environment; and storing the user private key of the user asymmetric key pair on the user device.
- 3. The method of claim 2, wherein receiving, on the user device, the cloud public key of the cloud asymmetric key pair comprises: receiving, at the user device, a remote attestation for the cloud public key from an attestation server.
- 4. The method of claim 2, wherein sending the signed instruction and the self-sovereign identity data from the user device to the cloud server comprises: encrypting, on the user device, the self-sovereign identity data based on the cloud public key.
- 5. The method of claim 2, further comprising: registering a second user device of the user on the trusted execution environment, wherein registering comprises: receiving, on the user device, a second user public key of a second user asymmetric key pair from the second user device, wherein a second user private key of the second user asymmetric key pair is stored on the second user device; encrypting, on the user device, the second user public key based on the cloud public key; sending the encrypted second user public key from the user device to the cloud server; decrypting, in the trusted execution environment, the encrypted second public key based on the cloud private key; and associating the second user device with the self-sovereign identity cloud service by storing the second user public key on the trusted execution environment.
- 6. The method of claim 5, further comprising: synchronizing, on the second user device, self-sovereign identity data stored on the second user device with the self-sovereign identity data stored on the trusted execution environment.
- 7. The method of claim 6, further comprising: blocking the user device/the second user device on the trusted execution environment, wherein blocking comprises: receiving, at the second user device/the user device, a tag of the user public key/second user public key from the trusted execution environment; sending a blocking request indicating the tag of the user public key/the second user public key from the second user device/the user device to the cloud server; and deleting the user public key/the second user public key in the trusted execution environment.
- 8. The method of claim 1, further comprising: synchronizing, on the user device, self-sovereign identity data stored on the user device with the self-sovereign identity data stored on the trusted execution environment.
- 9. The method of claim 1, further comprising: sending, upon a request from the user device, the self-sovereign identity data or portions thereof from the cloud server to a third party.
- 10. The method of claim 1, wherein the self-sovereign identity data is managed by the trusted execution environment as part of a digital wallet for the user's self-sovereign identity.
- 11. A cloud server for providing a self-sovereign identity cloud service to a user, comprising: an interface configured to receive a signed instruction to store self-sovereign identity data of the user and the self-sovereign identity data from a user device, wherein the instruction is signed based on a user private key of a user asymmetric key pair, wherein the user private key is stored on the user device, wherein the self-sovereign identity data comprises user-controlled identity credentials verifiable by third parties that enable the user to control the user's self-sovereign identity without intervention of a centralized identity management system; and a trusted execution environment configured to: verify the signed instruction based on a user public key of the user asymmetric key pair; and in a case that the signed instruction is approved, store the self-sovereign identity data.
- 12. A cloud service method for providing a self-sovereign identity cloud service to a user, comprising: receiving a signed instruction to store self-sovereign identity data of the user and the self-sovereign identity data from the user device, wherein the instruction is signed based on a user private key of a user asymmetric key pair, wherein the user private key is stored on the user device, wherein the self-sovereign identity data comprises user-controlled identity credentials verifiable by third parties that enable the user to control the user's self-sovereign identity without intervention of a centralized identity management system; verifying, in a trusted execution environment, the signed instruction based on a user public key of the user asymmetric key pair; and if the signed instruction is approved, storing the self-sovereign identity data in the trusted execution environment.
- 13. A program having a program code for performing the method of claim 12, when the program is executed on a processor or a programmable hardware.
- 14. A self-sovereign identity method, comprising: signing an instruction to store self-sovereign identity data of a user based on a user private key of a user asymmetric key pair, wherein the self-sovereign identity data comprises user-controlled identity credentials verifiable by third parties that enable the user to control the user's self-sovereign identity without intervention of a centralized identity management system; and sending the signed instruction and the self-sovereign identity data to a trusted execution environment of a cloud server, wherein the trusted execution environment has access to a user public key of the user asymmetric key pair.
- 15. A program having a program code for performing the method of claim 14, when the program is executed on a processor or a programmable hardware.
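Claims 1, 2 and 11 together describe a two-phase protocol: the device first enrols by sending its public key encrypted under the cloud public key so that only the trusted execution environment can read it, and afterwards every request to store wallet data is signed with the device's private key and checked inside the enclave against the registered public key before anything is stored. The Go program below is an added illustration of that flow and is not code from the patent or from Sony; it models the enclave as an in-process struct, uses Ed25519 for the user key pair and RSA-OAEP for the cloud key pair, identifies a registered key by the hex SHA-256 of the public key (a stand-in for the "tag" of claim 7), and adds a per-instruction nonce and a signature over the payload itself, which are assumptions of this example rather than details of the claims. The remote attestation of claim 3, the second-device enrolment of claim 5 and the blocking of claim 7 are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Instruction is what a user device signs (claim 1): the tag of its registered key plus a fresh nonce.
type Instruction struct {
	KeyTag string // hex SHA-256 of the registered user public key
	Nonce  []byte // 16 fresh random bytes, so the TEE can reject a replayed copy
}

// signedBytes is the byte string the signature covers: operation, key tag, nonce and the SSI payload.
func (in Instruction) signedBytes(data []byte) []byte {
	msg := append([]byte("store\x00"+in.KeyTag+"\x00"), in.Nonce...)
	return append(append(msg, 0), data...)
}

func keyTag(pub []byte) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// UserDevice holds the user private key, which never leaves the device (claim 2).
type UserDevice struct{ priv ed25519.PrivateKey }

func NewUserDevice() (*UserDevice, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &UserDevice{priv}, err
}

// EnrollmentBlob encrypts the user public key under the cloud public key (claim 2).
func (d *UserDevice) EnrollmentBlob(cloudPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cloudPub, d.priv.Public().(ed25519.PublicKey), nil)
}

// SignStore builds and signs a store instruction for the given SSI data (claim 1).
func (d *UserDevice) SignStore(data []byte) (Instruction, []byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Instruction{}, nil, err
	}
	in := Instruction{KeyTag: keyTag(d.priv.Public().(ed25519.PublicKey)), Nonce: nonce}
	return in, ed25519.Sign(d.priv, in.signedBytes(data)), nil
}

// TEE models the enclave: cloud private key, registered user keys by tag, used nonces, stored SSI data.
type TEE struct {
	cloudKey *rsa.PrivateKey
	users    map[string]ed25519.PublicKey
	seen     map[string]bool
	Wallet   map[string][]byte
}

// NewTEE also hands out the cloud public key a device gets before enrolment (claim 3's attestation is not modelled).
func NewTEE() (*TEE, *rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &TEE{k, map[string]ed25519.PublicKey{}, map[string]bool{}, map[string][]byte{}}, &k.PublicKey, nil
}

// Register decrypts the enrolment blob with the cloud private key and associates the device (claim 2).
func (t *TEE) Register(blob []byte) (string, error) {
	pub, err := rsa.DecryptOAEP(sha256.New(), nil, t.cloudKey, blob, nil)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("enrolment blob rejected")
	}
	t.users[keyTag(pub)] = pub
	return keyTag(pub), nil
}

// Store is claim 1's verification step: registered key, well-formed nonce, valid signature over this exact payload, no nonce reuse.
func (t *TEE) Store(in Instruction, sig, data []byte) error {
	pub, ok := t.users[in.KeyTag]
	if !ok || len(in.Nonce) != 16 || !ed25519.Verify(pub, in.signedBytes(data), sig) {
		return errors.New("instruction rejected: unregistered device, bad nonce or bad signature")
	}
	n := hex.EncodeToString(in.Nonce)
	if t.seen[n] {
		return errors.New("replayed instruction")
	}
	t.seen[n] = true
	t.Wallet[in.KeyTag] = append([]byte(nil), data...)
	return nil
}

func main() {
	tee, cloudPub, _ := NewTEE()
	dev, _ := NewUserDevice()
	blob, _ := dev.EnrollmentBlob(cloudPub)
	tag, _ := tee.Register(blob)
	ssi := []byte(`{"did":"did:example:constructed"}`) // constructed sample wallet data
	in, sig, _ := dev.SignStore(ssi)
	fmt.Println(tag[:8], tee.Store(in, sig, ssi), tee.Store(in, sig, ssi)) // <nil> then replayed instruction
}
```

Running it prints the first eight hex characters of the registered key tag, `<nil>` for the accepted store and `replayed instruction` when the identical signed request is submitted again. Two design points matter for the claims' security argument: the enclave never accepts a public key that did not arrive encrypted under its own key, so an attacker on the transport cannot enrol a key of their choosing without the cloud private key; and the signature covers the payload while the nonce length is fixed and checked inside the enclave, so a captured request cannot be re-split into a different nonce and payload to bypass the replay check.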
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is based on PCT filing PCT/EP2022/071314, filed Jul. 29, 2022, which claims priority from European Patent Application No. 21188462.2, filed Jul. 29, 2021, the entire contents of each of which are incorporated herein by reference.
FIELD
Examples relate to a method, a cloud-service method, a cloud server, and a self-sovereign identity method for providing a self-sovereign identity cloud service to a user.
BACKGROUND
Self-Sovereign Identity (SSI) enables a user of the Web to control his/her digital identity without the intervention of a centralized identity management system. A so-called digital wallet is used to store self-sovereign identity data, often comprising confidential material like decentralized identifiers and corresponding secret keys or SSI credentials. The digital wallet usually is part of an electronic device possessed by the user, e.g., a smartphone. This may cause several problems concerning the management of the digital wallet. Firstly, in case the electronic device is broken or lost, the digital wallet may be lost as well. A second digital wallet may therefore be created on a second electronic device possessed by the user. In this case, the user needs to take care of exporting/importing and synchronizing the digital wallet. Secondly, if the electronic device is stolen, the user may lose control over the digital wallet. The digital wallet may even be misused to impersonate the user. Hence, there may be a demand for improved digital identity management.
SUMMARY
The demand may be satisfied by the subject matter of the appended claims.
An example relates to a method for providing a self-sovereign identity cloud service to a user. The method comprises signing, on a user device of the user, an instruction to store self-sovereign identity data of the user based on a user private key of a user asymmetric key pair. The method further comprises sending the signed instruction and the self-sovereign identity data from the user device to a cloud server. The method further comprises verifying, in a trusted execution environment of the cloud server, the signed instruction based on a user public key of the user asymmetric key pair. The method further comprises, if the signed instruction is approved, storing the self-sovereign identity data in the trusted execution environment.
Another example relates to a cloud server for providing a self-sovereign identity cloud service to a user. The cloud server comprises an interface configured to receive a signed instruction to store self-sovereign identity data of the user and the self-sovereign identity data from a user device. The instruction is signed based on a user private key of a user asymmetric key pair. The user private key is stored on the user device. The cloud server further comprises a trusted execution environment configured to verify the signed instruction based on a user public key of the user asymmetric key pair. The trusted execution environment is further configured to store the self-sovereign identity data if the signed instruction is approved.
Another example relates to a cloud service method for providing a self-sovereign identity cloud service to a user. The cloud service method comprises receiving a signed instruction to store self-sovereign identity data of the user and the self-sovereign identity data from the user device. The instruction is signed based on a user private key of a user asymmetric key pair. The user private key is stored on the user device. The cloud service method further comprises verifying, in a trusted execution environment, the signed instruction based on a user public key of the user asymmetric key pair. The cloud service method further comprises storing the self-sovereign identity data in the trusted execution environment if the signed instruction is approved.
Another example relates to a self-sovereign identity method comprising signing an instruction to store self-sovereign identity data of a user based on a user private key of a user asymmetric key pair. The self-sovereign identity method further comprises sending the signed instruction and the self-sovereign identity data to a trusted execution environment of a cloud server. The trusted execution environment has access to a user public key of the user asymmetric key pair.
BRIEF DESCRIPTION OF THE FIGURES
Some examples of apparatuses and/or methods will be described in the following by way of example only, and with reference to the accompanying figures, in which
- FIG. 1 illustrates a conventional architecture of Decentralized Identifiers;
- FIG. 2 illustrates a flowchart of an example of a method for providing a self-sovereign identity cloud service to a user;
- FIG. 3 illustrates an example of a cloud server for providing the self-sovereign identity cloud service to the user;
- FIG. 4 illustrates a flowchart of another example of the method for providing the self-sovereign identity cloud service to the user;
- FIG. 5 illust