CA2289452C - Initial secret key establishment including facilities for verification of identity - Google Patents
Initial secret key establishment including facilities for verification of identity Download PDFInfo
- Publication number
- CA2289452C CA2289452C CA002289452A CA2289452A CA2289452C CA 2289452 C CA2289452 C CA 2289452C CA 002289452 A CA002289452 A CA 002289452A CA 2289452 A CA2289452 A CA 2289452A CA 2289452 C CA2289452 C CA 2289452C
- Authority
- CA
- Canada
- Prior art keywords
- issuer
- applicant
- key
- secret key
- pass
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
An issuer offers any type of service secured with a secret cryptographic key assigned to an applicant according to the present invention, which includes a secret key registration process. Usually, the secret key will be loaded on a portable memory device or other secret key store of the applicant. As preliminary steps, the issuer sets up its public key for the Probabilistic Encryption Key Exchange (PEKE) cryptosystem, and the applicant obtains a copy of a secret key registration software, a copy of the issuer's public key, and an uninitialized portable memory device. Once initiated by the applicant, the registration software generates an internal PEKE secret key. The applicant chooses a registration pass query and pass reply that the registration software MACs and encrypts with a key derived from the PEKE secret key. The registration software derives the key assigned to the applicant from the PEKE secret key, and loads it into the secret key store. A message is sent to the issuer data processing center where the cryptographic processing (PEKE, MAC, encryption) is reversed. Using an alternate channel (e.g. telephone conversation) an issuer agent verifies the identity of the applicant: the agent asks the pass query, the applicant replies with the pass reply, and the issuer verifies the applicant's knowledge of some relevant personal data. The issuer agent can approve the applicant's registration in the issuer database. There is no need for the issuer to personalize either the software or the secret key store before delivery to the applicant, and there is a single personal contact between the applicant and the issuer agent.
Description
- I -INITIAL SECRET KEY ESTABLISHMENT INCLUDING FACILITIES
FOR VERIFICATION OF IDENTITY
Field of the Invention The present invention generally relates to cryptographic key management that is required for the implementation of secure data communications or transaction processing. More specifically, it addresses the need to establish, or renew (e.g. after security breach), the very first shared secret key between two parties (e.g. a client and a financial institution in an on-line banking service arrangement). This registration process encompasses human activities by the parties' agents for the verification of identity. The present invention facilitates these human activities by a novel and unique arrangement of automated operations, notably cryptographic transformations. The present invention also relates to the secure loading of cryptographic key material in hand-held memories in the form of smart cards, security tokens, and the like. Although the present invention uses public key cryptography primitives, it does not assist the establishment of a private/public key pair of the type used for digital signatures or public key encryption. The present invention does not deal with the derivation of a session key or a one-time password from either a preset shared secret key, or a preset secret password.
Background of the Invention For the deployment of electronic commerce and on-line banking services, information security techniques are of paramount importance. As will be seen from the prior art cited hereafter, they are also important for the protection of computer networks and the authentication of subscribers of mobile telephone service. A general scheme emerges for the organization of such electronic authentication applications, despite the diversified vocabulary used in different application areas. There is first a central database under the operational control of a service organization whose trustworthiness is commensurate with the issues at stake. Then, there are the potential clients, individuals or organizations.
The general function of a registration process is to make a given client known by the service organization in such a way that the subsequent routine processing of transactions is automated and efficient. The clients have access to electronic apparatus through which they conduct their ordinary activities. A registration process provides the client with secret authentication information. This secret can be a Personal Identification Number (PIN), a private key for a digital signature algorithm, or a secret cryptographic key shared between the client and the service organization. While a PIN can be remembered by a normal person, the two other forms of authentication secret require a digital memory of some sort. The present invention is mainly concerned with the registration process when a shared secret authentication key is used.
Ultimately, transaction authentication is effective if it secures the legal tie or bind between a bank account withdrawal and the account holder's liability, while barring access to the funds by defrauders. Since the account holder is a legal person rather than a digital apparatus, the required chain of evidence is a two-tiered authentication bind: 1) the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, and 2) the bind between this said cryptographic operation and the transaction historic records of the financial institution. Within its scope of a registration process, the present invention addresses these two aspects of transaction authentication.
The distinction between "secret key cryptography" and "public key cryptography" is well known in the prior art. In the present disclosure, we reserve the term "secret" to data shared in confidence between parties in a secret key cryptography arrangement, and respectively the terms "private" and "public"
to the private and public components of a private/public key pair of the type used for digital signatures or public key encryption from the field of public key cryptography.
The elementary cryptographic operation used in transaction authentication can be DES encryption of a secret Personal Identification Number (PIN) entered at a Point of Sale terminal (POS terminal), with cryptographic integrity protection applied to the whole transaction (typically with a Message Authentication Code based on DES and a secret key). In that case, a long-term secret key has to be established initially between the POS terminal and the data processing center responsible for transactions initiated from this POS
terminal (normally under the control of the merchant's financial institution). This long-term secret key is of the type that can be established with the present invention.
US patent 4,771,461 discloses a procedure for this secret key establishment.
This prior art of US patent 4,771,461 suffers from a number of intrinsic limitations. First and foremost, there is the following explicit security weakness (column 16 lines 1 to 6): "The general exposure of the procedure is that an opponent can always initiate a successful sign-on from his location with his terminal, provided that the real terminal never signs on before T2 and does not report this to the KDC [Key Distribution Center]. In that case, the fake terminal can continue to operate indefinitely."
FOR VERIFICATION OF IDENTITY
Field of the Invention The present invention generally relates to cryptographic key management that is required for the implementation of secure data communications or transaction processing. More specifically, it addresses the need to establish, or renew (e.g. after security breach), the very first shared secret key between two parties (e.g. a client and a financial institution in an on-line banking service arrangement). This registration process encompasses human activities by the parties' agents for the verification of identity. The present invention facilitates these human activities by a novel and unique arrangement of automated operations, notably cryptographic transformations. The present invention also relates to the secure loading of cryptographic key material in hand-held memories in the form of smart cards, security tokens, and the like. Although the present invention uses public key cryptography primitives, it does not assist the establishment of a private/public key pair of the type used for digital signatures or public key encryption. The present invention does not deal with the derivation of a session key or a one-time password from either a preset shared secret key, or a preset secret password.
Background of the Invention For the deployment of electronic commerce and on-line banking services, information security techniques are of paramount importance. As will be seen from the prior art cited hereafter, they are also important for the protection of computer networks and the authentication of subscribers of mobile telephone service. A general scheme emerges for the organization of such electronic authentication applications, despite the diversified vocabulary used in different application areas. There is first a central database under the operational control of a service organization whose trustworthiness is commensurate with the issues at stake. Then, there are the potential clients, individuals or organizations.
The general function of a registration process is to make a given client known by the service organization in such a way that the subsequent routine processing of transactions is automated and efficient. The clients have access to electronic apparatus through which they conduct their ordinary activities. A registration process provides the client with secret authentication information. This secret can be a Personal Identification Number (PIN), a private key for a digital signature algorithm, or a secret cryptographic key shared between the client and the service organization. While a PIN can be remembered by a normal person, the two other forms of authentication secret require a digital memory of some sort. The present invention is mainly concerned with the registration process when a shared secret authentication key is used.
Ultimately, transaction authentication is effective if it secures the legal tie or bind between a bank account withdrawal and the account holder's liability, while barring access to the funds by defrauders. Since the account holder is a legal person rather than a digital apparatus, the required chain of evidence is a two-tiered authentication bind: 1) the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, and 2) the bind between this said cryptographic operation and the transaction historic records of the financial institution. Within its scope of a registration process, the present invention addresses these two aspects of transaction authentication.
The distinction between "secret key cryptography" and "public key cryptography" is well known in the prior art. In the present disclosure, we reserve the term "secret" to data shared in confidence between parties in a secret key cryptography arrangement, and respectively the terms "private" and "public"
to the private and public components of a private/public key pair of the type used for digital signatures or public key encryption from the field of public key cryptography.
The elementary cryptographic operation used in transaction authentication can be DES encryption of a secret Personal Identification Number (PIN) entered at a Point of Sale terminal (POS terminal), with cryptographic integrity protection applied to the whole transaction (typically with a Message Authentication Code based on DES and a secret key). In that case, a long-term secret key has to be established initially between the POS terminal and the data processing center responsible for transactions initiated from this POS
terminal (normally under the control of the merchant's financial institution). This long-term secret key is of the type that can be established with the present invention.
US patent 4,771,461 discloses a procedure for this secret key establishment.
This prior art of US patent 4,771,461 suffers from a number of intrinsic limitations. First and foremost, there is the following explicit security weakness (column 16 lines 1 to 6): "The general exposure of the procedure is that an opponent can always initiate a successful sign-on from his location with his terminal, provided that the real terminal never signs on before T2 and does not report this to the KDC [Key Distribution Center]. In that case, the fake terminal can continue to operate indefinitely."
More generally, the procedure of US patent 4,771,461 appears outdated when one considers the level of sophistication reached by adversaries of actual cryptosystems. See for instance the article by Ross J. Anderson, Liability and Computer Security: Nine Principles (in Computer Security - Esorics '94, Third European Symposium on Research in Computer Security, November 1994, LNCS 875, Springer Verlag, PP 231-245), the article by Martin Abadi, and Roger Needham, Prudent Engineering Practice for Cryptographic Protocols (in 1994 IEEE Symposium on Research in Security and Privacy, IEEE, 1994, PP
122-136), and the article by Ross J. Anderson, and Roger Needham, Robustness Principles for Public Key Protocols (in Advances in Cryptology, CRYPTO '95, LNCS 963, Springer Verlag, 1995, PP 236-247). Nonetheless, US patent 4,771,461 has the merit of stressing the importance of data integrity protection for the initial establishment of cryptographic keys.
There are also operational limitations in the procedure of US patent 4,771,461. Despite the acknowledgment that courier services for secret key distribution are expensive and burdensome, it is not clear how courier services can be avoided altogether. They may be required because the POS terminals can be loaded with a terminal identifier and/or a public key at a central location.
Courier services or another form of alternate secure channel may also be required for some instructions to a person because these instructions may contain sensitive information specific to each POS terminal. Moreover, the explicit operational delays introduced by this prior art have a negative impact on the value of the procedures.
US patent 5,784,463 uses public key cryptography to establish some long term cryptographic keys in a manner analogue to US patent 4,771,461, but it lacks facilities for verification of identity such as the time windows in US
patent 4,771,461. In other words, US patent 5,784,463 embeds no procedural countermeasure against the threat of theft of identity.
US patent 5,216,715 on lines 14 to 18 on column 5 (and on lines 16 to 23 on column 6) refers to a known procedural protection used for remote user authentication at the outset of a telephone call, just after some session key establishment protocol, that is the verbal confirmation that some check value agree on both ends of the telephone call. The assurance provided by this procedural authentication step is valid for the duration of the telephone call only.
Indeed, the procedural step for remote telephone operator identification as in US
patent 5,216,715 is typical of very high security telephone sets. In addition, the procedural verification of identity in US patent 5,216,715 does not work if the call is established with a voice mailbox.
In the field of wireless subscriber registration, US patent 5,077,790 discloses a procedure based on the establishment of a "key code" that is a secret key shared between a portable telephone and the network controller. Upon verification of the applicant's credit, a help desk agent provides a "link identification number" that binds the credit approval to the subsequent download of the definitive "subscriber identification number", this download being cryptographically protected with the initial "key code". This procedure is inconvenient due to the manual operations involved in the establishment of the "key code" and might be vulnerable to eavesdropping because every security critical information is transmitted over the air and while no public key cryptography is involved.
In many cases, security systems features create more inconvenience to the users than effective protection. This is the case in US patent 5,386,468 that discloses an electronic identification registration procedure where the typing of user application information on a communication terminal keyboard is duplicated by filing a user application form and mailing it. This duplicate work is inconvenient because the paper processing actually delays the reply in the query/reply protocol used for registration. Also, the key management burden in the manufacturing and distribution of terminals is significantly higher in US
patent 5,386,468 than in US patent 4,771,461.
The elementary cryptographic operation used in transaction authentication can also be a digital signature from the field of public key cryptography, in which case a representative description of the prior art may be found in the Working Draft ANSI standard X9.30-199x Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 3:
Certificate Management for DSA (by the Accredited Standards Committee X9-Financial Services, ANSI ASC X9, American Bankers Association, Washington, DC, November 19, 1994 document N24-94). The present invention alleviates the traditional burden of secret key distribution, and thus suggests the avoidance of the public key infrastructure described in the mentioned Working Draft ANSI
standard X9.30-199x. Indeed, the financial industry has been operating on a centralized trust model for decades, and the adoption of public key paradigms may be expected to remain low.
Turning now to the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, one way to let the account holder control the use of a cryptographic key is to store it on a hand-held memory device in credit card format, or in a format suitable for attachment on a key ring, or any other small size format.
122-136), and the article by Ross J. Anderson, and Roger Needham, Robustness Principles for Public Key Protocols (in Advances in Cryptology, CRYPTO '95, LNCS 963, Springer Verlag, 1995, PP 236-247). Nonetheless, US patent 4,771,461 has the merit of stressing the importance of data integrity protection for the initial establishment of cryptographic keys.
There are also operational limitations in the procedure of US patent 4,771,461. Despite the acknowledgment that courier services for secret key distribution are expensive and burdensome, it is not clear how courier services can be avoided altogether. They may be required because the POS terminals can be loaded with a terminal identifier and/or a public key at a central location.
Courier services or another form of alternate secure channel may also be required for some instructions to a person because these instructions may contain sensitive information specific to each POS terminal. Moreover, the explicit operational delays introduced by this prior art have a negative impact on the value of the procedures.
US patent 5,784,463 uses public key cryptography to establish some long term cryptographic keys in a manner analogue to US patent 4,771,461, but it lacks facilities for verification of identity such as the time windows in US
patent 4,771,461. In other words, US patent 5,784,463 embeds no procedural countermeasure against the threat of theft of identity.
US patent 5,216,715 on lines 14 to 18 on column 5 (and on lines 16 to 23 on column 6) refers to a known procedural protection used for remote user authentication at the outset of a telephone call, just after some session key establishment protocol, that is the verbal confirmation that some check value agree on both ends of the telephone call. The assurance provided by this procedural authentication step is valid for the duration of the telephone call only.
Indeed, the procedural step for remote telephone operator identification as in US
patent 5,216,715 is typical of very high security telephone sets. In addition, the procedural verification of identity in US patent 5,216,715 does not work if the call is established with a voice mailbox.
In the field of wireless subscriber registration, US patent 5,077,790 discloses a procedure based on the establishment of a "key code" that is a secret key shared between a portable telephone and the network controller. Upon verification of the applicant's credit, a help desk agent provides a "link identification number" that binds the credit approval to the subsequent download of the definitive "subscriber identification number", this download being cryptographically protected with the initial "key code". This procedure is inconvenient due to the manual operations involved in the establishment of the "key code" and might be vulnerable to eavesdropping because every security critical information is transmitted over the air and while no public key cryptography is involved.
In many cases, security systems features create more inconvenience to the users than effective protection. This is the case in US patent 5,386,468 that discloses an electronic identification registration procedure where the typing of user application information on a communication terminal keyboard is duplicated by filing a user application form and mailing it. This duplicate work is inconvenient because the paper processing actually delays the reply in the query/reply protocol used for registration. Also, the key management burden in the manufacturing and distribution of terminals is significantly higher in US
patent 5,386,468 than in US patent 4,771,461.
The elementary cryptographic operation used in transaction authentication can also be a digital signature from the field of public key cryptography, in which case a representative description of the prior art may be found in the Working Draft ANSI standard X9.30-199x Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: Part 3:
Certificate Management for DSA (by the Accredited Standards Committee X9-Financial Services, ANSI ASC X9, American Bankers Association, Washington, DC, November 19, 1994 document N24-94). The present invention alleviates the traditional burden of secret key distribution, and thus suggests the avoidance of the public key infrastructure described in the mentioned Working Draft ANSI
standard X9.30-199x. Indeed, the financial industry has been operating on a centralized trust model for decades, and the adoption of public key paradigms may be expected to remain low.
Turning now to the logical bind between the account holder (or the account holder agent) and a cryptographic operation performed by a digital apparatus, one way to let the account holder control the use of a cryptographic key is to store it on a hand-held memory device in credit card format, or in a format suitable for attachment on a key ring, or any other small size format.
Thus, the account holder is relieved from the obligation to control the access to a fixed apparatus like a computer system, or a luggage-size apparatus like a portable personal computer. When the hand-held memory device contains intrinsic data access control features, it falls into the smart card category.
This usually requires a rudimentary microprocessor along with the memory device.
With further sophistication, a hand-held electronic device may embed sufficient processing power and/or memory to perform complete cryptographic operations.
In the latter case, the security is enhanced by avoiding the threat of malignant software modifications. The present invention facilitates the establishment of the secret key to be loaded on hand-held devices where the prior art required the use of centralized key loading facilities, and/or secure transmission of secret keys using trusted courier services. The present invention may allow the avoidance of centralized smart card personalization operation.
The centralized trust model typical of the financial industry is assumed by the United States regulatory environment for consumer protection in the case of electronic fund transfers. The field of the present invention is more specifically covered by EFTA, Electronic Fund Transfer Act, Title IX of the Customer Credit Protection Act, (15 U.S.C. 1601 et seq.) and Regulation E: Electronic Fund Transfers, (12 C.F.R. 205) Section 205.5 which deals with the issuance of access devices used for customer-initiated EFT. In some circumstances and according to these rules, a secret key (established with the help of cryptographic protocols) may fall under the legal definition of an access device. In such a case, a verification of the customer identity is prescribed as a condition for the final validation of the secret key for EFT transactions. An object of the present invention is to facilitate the issuance (of access devices) complying with the EFTA Regulation E or similar rules.
A difficulty with key management methods that require centralized configuration or personalization is the implied restrictions on the channels of distribution. For consumer electronics, computer products, and software devoid of security functions, a myriad of channels is possible: catalog sales, retail stores, large discounters, and the like, the list being endless. If an item (like an access device for an EFT service) has to be prepared for a specific customer by trusted personnel according to procedures dictated by a financial institution, the possible channels of distribution are very few, if any, besides courier shipment by the financial institution. US patent 5,557,679 is an attempt to use retail outlets for the distribution of subscriber identity modules (portable memories used for mobile telephone subscriber authentication). The present invention broadens the choices of acceptable channels of distribution for authentication devices.
This usually requires a rudimentary microprocessor along with the memory device.
With further sophistication, a hand-held electronic device may embed sufficient processing power and/or memory to perform complete cryptographic operations.
In the latter case, the security is enhanced by avoiding the threat of malignant software modifications. The present invention facilitates the establishment of the secret key to be loaded on hand-held devices where the prior art required the use of centralized key loading facilities, and/or secure transmission of secret keys using trusted courier services. The present invention may allow the avoidance of centralized smart card personalization operation.
The centralized trust model typical of the financial industry is assumed by the United States regulatory environment for consumer protection in the case of electronic fund transfers. The field of the present invention is more specifically covered by EFTA, Electronic Fund Transfer Act, Title IX of the Customer Credit Protection Act, (15 U.S.C. 1601 et seq.) and Regulation E: Electronic Fund Transfers, (12 C.F.R. 205) Section 205.5 which deals with the issuance of access devices used for customer-initiated EFT. In some circumstances and according to these rules, a secret key (established with the help of cryptographic protocols) may fall under the legal definition of an access device. In such a case, a verification of the customer identity is prescribed as a condition for the final validation of the secret key for EFT transactions. An object of the present invention is to facilitate the issuance (of access devices) complying with the EFTA Regulation E or similar rules.
A difficulty with key management methods that require centralized configuration or personalization is the implied restrictions on the channels of distribution. For consumer electronics, computer products, and software devoid of security functions, a myriad of channels is possible: catalog sales, retail stores, large discounters, and the like, the list being endless. If an item (like an access device for an EFT service) has to be prepared for a specific customer by trusted personnel according to procedures dictated by a financial institution, the possible channels of distribution are very few, if any, besides courier shipment by the financial institution. US patent 5,557,679 is an attempt to use retail outlets for the distribution of subscriber identity modules (portable memories used for mobile telephone subscriber authentication). The present invention broadens the choices of acceptable channels of distribution for authentication devices.
In US patent 5,557,679, secret keys are pre-established to secure a network of retail locations where the key loading operation is performed.
There is no capability for the fully distributed scenario where the target electronic devices are remotely located from any (already) secured system. Secret key schemes that avoid the use of courier services in a fully distributed scenario are conceivable if the target electronic devices are already loaded with a common, fixed key "hidden by being included in the [device] programmable read only memory (PROM) at manufacturing level", as in US patent 5,539,824. Such a scheme is generally considered not so secure, except perhaps when offered by a very reputable supplier.
The famous Diffie-Hellman cryptosystem described in US patent 4,200,770, and the recent similar proposals found in US patents 5,583,939 and 5,375,169 do not provide remote party authentication and secret key freshness simultaneously. Indeed the "public key" of a Diffie-Hellman exchange is usually considered a short-lived cryptographic value, and the authentication potential of the Diffie-Hellman exchange is not used. For instance, US patent 5,020,105 applies Diffie-Hellman to the task of establishing a secret authentication key, but does not provide facilities for verification of account holder identity.
Moreover, the processing load implied by the original Diffie-Heilman cryptosystem is large, while the security of US patents 5,583,939 and 5,375,169 is questionable or uncertain. The recent article by Lein Ham, Digital signature for Diffie-Hellman keys without using a one-way function (in Electronics Letters, 16th January 1997, Vol. 33, No. 2, pp. 125-126) discloses a noteworthy attempt at enhancing the Diffie-Hellman scheme with authentication properties.
It is logical that the disclosure in US patent 4,771,461 stresses the need for data integrity in the key loading operation, and at the same time uses a public key cryptosystem, RSA, with a long-term public key assigned to the financial institution. This public key participates in the authentication of the financial institution to the benefit of the client-side of the secret key establishment.
The security of this prior art depends on the unpredictability of the random number source on the client-side. The use of random sources for cryptographic key material has been recognized as a potential source of security flaws.
Any scheme where the client-side of the session key establishment already has a long term public key is likely to address a need different from the present invention, based on the premises of public key cryptography. US patent 5,406,628 may be a good example.
Last, but not least, is the disclosure by the present Applicant, of the Probabilistic Encryption Key Exchange (PEKE) cryptosystem in Canadian patent application 2,156,780 (entitled Apparatus and Method for Cryptographic System Users to Obtain a Jointly Determined, Secret, Shared, and Unique Bit String, filed on August 23, 1995, laid-open to the public on September 23, 1995), in an article by Thierry Moreau, Probabilistic Encryption Key Exchange (in Electronics Letters, Vol. 31, number 25, 7th December 1995, pp. 2166-2168), and in a technical report by Thierry Moreau, Automated Data Protection for Telecommunications, Electronic Transactions and Messaging using PEKE
Secret Key Exchange and Other Cryptographic Algorithms, Technology Licensing Opportunity (revision 1.1, CONNOTECH Experts-Conseils Inc., Montreal, Canada, March 1996, with legal deposits in the National Library of Canada, where it was not available to the public before April 1997, and in the National Library of Quebec, where it was made available to the public some time between November 1996 and January 1997). The PEKE cryptosystem is based on the Blum-Goldwasser probabilistic encryption scheme explained in an article by Manuel Blum and Shafi Goldwasser, An Efficient Probabilistic Public-key Encryption Scheme which Hides All Partial Information (in Advances in Cryptology: Proceedings of Crypto '84, Springer-Verlag, 1985, pp. 289-299).
The PEKE cryptosystem has been disclosed so far for session key establishment with no facilities for the verification of identity. Indeed, transaction authentication using PEKE is suggested in the mentioned technical report by Thierry Moreau, but using a preset shared secret password as the basis for authentication, and PEKE for session key establishment. For the present invention, the PEKE cryptosystem is one of three alternate cryptosystems, the other two being conventional public key encryption (e.g. RSA, in US patent 4,405,829), and the Lein Ham's improvement to the Diffie-Hellman key exchange in the mentioned article by Lein Ham.
The commonly used public key cryptosystems use arithmetic operations on large integers and especially the modulus (the remainder of an integer division). To make these computations relatively efficient, the use of the Montgomery modulo reduction algorithm is relatively known in the prior art, see the original article by Peter L. Montgomery, Modular Multiplication Without Trial Division (in Mathematics of computations, Vol. 44, no. 170, April 1985, pp. 519-522). Two implementations are disclosed in the article by Stephen R.
Dusse and Burton S. Kaliski Jr., A Cryptographic Library for the Motorola DSP56000 (in Advances in Cryptology, Eurocrypt '90, Lecture Notes In Computer Science no. 473, pp. 230-244, Springer-Verlag, 1990) and in the article by S. E. Eldridge and Colin D. Walter, Hardware Implementation of Montgomery's Modular Multiplication Algorithm (in IEEE Transactions on Computers, Vol. 46, no. 6, June 1993, pp. 693-699). These two detailed accounts of the Montgomery algorithm implementation are targeted, respectively, at digital signal processors with peculiar instruction sets, and at dedicated integrated circuit design. Adaptations of this prior art are useful when the Montgomery algorithm is implemented on a general-purpose digital processor.
Summary of the Invention According to the present invention, there is an "issuer", that is a service organization that registers "applicants". For the issuer, it is reasonable and economically justified to maintain a computerized "database" of its customers, account holders, clients or subscribers, where this database contains sensitive information, and to train personnel, or "issuer agents", to provide customer services with a relevant degree of integrity and loyalty. The issuer database is secured using the known art of data processing security where a single organization may exert effective control of the system security. Typically, this will include cryptographic processing capabilities closely associated with the database in such a way that secret keys are not accessible to issuer personnel. At the same time, the issuer agents are typically provided with relevant customer data needed to respond to specific customer requests. The issuer agents typically access this data on a need-to-know basis through on-line terminals with controlled access to software functions, and with auditing to deter or sanction frauds that agents might conceive or commit.
The present invention is an improved method for the establishment of a secret key shared in confidence between a digital memory possessed by an applicant and the issuer database, where no prior secret is available from which the desired secret key could be derived. The present invention may obviously be used to establish a secret key when a choice is made to ignore any prior secret, e.g. due to a suspected security breach.
Table 1 shows the preliminary steps needed for the present invention. The issuer arranges his own private/public key pair for a Public Key Cryptosystem (PKC) that is later used, in any number of secret key establishment instances, to protect a message transmission from the applicant's digital processor to the issuer data processing center where the issuer's private key may be used. At least three PKCs are acceptable: 1) conventional public key encryption, 2) the PEKE
cryptosystem, and 3) the Lein Ham's improvement to the Diffie-Hellman key exchange. Each PKC has intrinsic properties that can lead to variations of the present invention.
There is no capability for the fully distributed scenario where the target electronic devices are remotely located from any (already) secured system. Secret key schemes that avoid the use of courier services in a fully distributed scenario are conceivable if the target electronic devices are already loaded with a common, fixed key "hidden by being included in the [device] programmable read only memory (PROM) at manufacturing level", as in US patent 5,539,824. Such a scheme is generally considered not so secure, except perhaps when offered by a very reputable supplier.
The famous Diffie-Hellman cryptosystem described in US patent 4,200,770, and the recent similar proposals found in US patents 5,583,939 and 5,375,169 do not provide remote party authentication and secret key freshness simultaneously. Indeed the "public key" of a Diffie-Hellman exchange is usually considered a short-lived cryptographic value, and the authentication potential of the Diffie-Hellman exchange is not used. For instance, US patent 5,020,105 applies Diffie-Hellman to the task of establishing a secret authentication key, but does not provide facilities for verification of account holder identity.
Moreover, the processing load implied by the original Diffie-Heilman cryptosystem is large, while the security of US patents 5,583,939 and 5,375,169 is questionable or uncertain. The recent article by Lein Ham, Digital signature for Diffie-Hellman keys without using a one-way function (in Electronics Letters, 16th January 1997, Vol. 33, No. 2, pp. 125-126) discloses a noteworthy attempt at enhancing the Diffie-Hellman scheme with authentication properties.
It is logical that the disclosure in US patent 4,771,461 stresses the need for data integrity in the key loading operation, and at the same time uses a public key cryptosystem, RSA, with a long-term public key assigned to the financial institution. This public key participates in the authentication of the financial institution to the benefit of the client-side of the secret key establishment.
The security of this prior art depends on the unpredictability of the random number source on the client-side. The use of random sources for cryptographic key material has been recognized as a potential source of security flaws.
Any scheme where the client-side of the session key establishment already has a long term public key is likely to address a need different from the present invention, based on the premises of public key cryptography. US patent 5,406,628 may be a good example.
Last, but not least, is the disclosure by the present Applicant, of the Probabilistic Encryption Key Exchange (PEKE) cryptosystem in Canadian patent application 2,156,780 (entitled Apparatus and Method for Cryptographic System Users to Obtain a Jointly Determined, Secret, Shared, and Unique Bit String, filed on August 23, 1995, laid-open to the public on September 23, 1995), in an article by Thierry Moreau, Probabilistic Encryption Key Exchange (in Electronics Letters, Vol. 31, number 25, 7th December 1995, pp. 2166-2168), and in a technical report by Thierry Moreau, Automated Data Protection for Telecommunications, Electronic Transactions and Messaging using PEKE
Secret Key Exchange and Other Cryptographic Algorithms, Technology Licensing Opportunity (revision 1.1, CONNOTECH Experts-Conseils Inc., Montreal, Canada, March 1996, with legal deposits in the National Library of Canada, where it was not available to the public before April 1997, and in the National Library of Quebec, where it was made available to the public some time between November 1996 and January 1997). The PEKE cryptosystem is based on the Blum-Goldwasser probabilistic encryption scheme explained in an article by Manuel Blum and Shafi Goldwasser, An Efficient Probabilistic Public-key Encryption Scheme which Hides All Partial Information (in Advances in Cryptology: Proceedings of Crypto '84, Springer-Verlag, 1985, pp. 289-299).
The PEKE cryptosystem has been disclosed so far for session key establishment with no facilities for the verification of identity. Indeed, transaction authentication using PEKE is suggested in the mentioned technical report by Thierry Moreau, but using a preset shared secret password as the basis for authentication, and PEKE for session key establishment. For the present invention, the PEKE cryptosystem is one of three alternate cryptosystems, the other two being conventional public key encryption (e.g. RSA, in US patent 4,405,829), and the Lein Ham's improvement to the Diffie-Hellman key exchange in the mentioned article by Lein Ham.
The commonly used public key cryptosystems use arithmetic operations on large integers and especially the modulus (the remainder of an integer division). To make these computations relatively efficient, the use of the Montgomery modulo reduction algorithm is relatively known in the prior art, see the original article by Peter L. Montgomery, Modular Multiplication Without Trial Division (in Mathematics of computations, Vol. 44, no. 170, April 1985, pp. 519-522). Two implementations are disclosed in the article by Stephen R.
Dusse and Burton S. Kaliski Jr., A Cryptographic Library for the Motorola DSP56000 (in Advances in Cryptology, Eurocrypt '90, Lecture Notes In Computer Science no. 473, pp. 230-244, Springer-Verlag, 1990) and in the article by S. E. Eldridge and Colin D. Walter, Hardware Implementation of Montgomery's Modular Multiplication Algorithm (in IEEE Transactions on Computers, Vol. 46, no. 6, June 1993, pp. 693-699). These two detailed accounts of the Montgomery algorithm implementation are targeted, respectively, at digital signal processors with peculiar instruction sets, and at dedicated integrated circuit design. Adaptations of this prior art are useful when the Montgomery algorithm is implemented on a general-purpose digital processor.
Summary of the Invention According to the present invention, there is an "issuer", that is a service organization that registers "applicants". For the issuer, it is reasonable and economically justified to maintain a computerized "database" of its customers, account holders, clients or subscribers, where this database contains sensitive information, and to train personnel, or "issuer agents", to provide customer services with a relevant degree of integrity and loyalty. The issuer database is secured using the known art of data processing security where a single organization may exert effective control of the system security. Typically, this will include cryptographic processing capabilities closely associated with the database in such a way that secret keys are not accessible to issuer personnel. At the same time, the issuer agents are typically provided with relevant customer data needed to respond to specific customer requests. The issuer agents typically access this data on a need-to-know basis through on-line terminals with controlled access to software functions, and with auditing to deter or sanction frauds that agents might conceive or commit.
The present invention is an improved method for the establishment of a secret key shared in confidence between a digital memory possessed by an applicant and the issuer database, where no prior secret is available from which the desired secret key could be derived. The present invention may obviously be used to establish a secret key when a choice is made to ignore any prior secret, e.g. due to a suspected security breach.
Table 1 shows the preliminary steps needed for the present invention. The issuer arranges his own private/public key pair for a Public Key Cryptosystem (PKC) that is later used, in any number of secret key establishment instances, to protect a message transmission from the applicant's digital processor to the issuer data processing center where the issuer's private key may be used. At least three PKCs are acceptable: 1) conventional public key encryption, 2) the PEKE
cryptosystem, and 3) the Lein Ham's improvement to the Diffie-Hellman key exchange. Each PKC has intrinsic properties that can lead to variations of the present invention.
Issuer Distributor Applicant Set up private/
public key pair Package public key with application Distribute software Obtain application software software Distribute Obtain portable hardware memory device Table 1 Preliminary Steps The issuer also prepares some application software that embeds an "applicant registration program" and a copy of the issuer's public key. The applicant obtains a copy of this application software from any type of distribution channel because there is no customization required at this stage.
The applicant also obtains a portable memory device if the secret key is to be stored on such a device, again from any type of distribution channel.
In an instance of secret key establishment, under the control of the applicant, the applicant registration program is executed by a digital processor.
(See Table 2) This program generates a secret key, preferably not arbitrarily but starting with one or more arbitrary numbers and then applying transformations mandated by the PKC in use and taking into account the issuer's public key, the said transformations preferably taking into account a first message according to the cryptosystem in use and issued by or on behalf of the issuer. When the PKC
in use is conventional public key encryption, there is no first message. When the PKC in use is PEKE, the first message is the PEKE initiator's message and it may be issued by or on behalf of the issuer. When the PKC in use is the Lein Ham's improvement to the Diffie-Hellman key exchange, the first message must be issued by the issuer because it requires knowledge of the issuer's private key, and the transformations further include the abortion of the process upon the failure of a digital signature verification.
Once generated, part or this entire secret key is loaded into the portable memory device, if any, otherwise into a convenient digital memory area.
Alternatively, it may be displayed to the applicant in human-readable form, in which case the applicant would presumably load this key into a separate apparatus having its own memory.
Another function of the applicant registration program is to accept secret inputs chosen by the applicant and typed on a keyboard. The secret inputs preferably include a pass query. The secret inputs include a pass reply. The applicant should be instructed not to disclose the pass reply to anyone but to an issuer agent who preferably would first pronounce the pass query.
Portable Applicant's Issuer data memory Applicant digital processing device processor center Start applicant Preferably receive registration message according to cryptosystem in program use Generate a secrete key, variant-dependent rules Receive secret Load secret key into key portable memory device Type secret Seal and enc t e.g.
pass query ryp and using issuer public pass reply key Send message Receive message Decrypt and check, store secret key, pass query, and pass reply Table 2 Applicant Registration Program The main role of the PKC in use is to provide protections for 1) the generated secret key, 2) preferably the pass query, 3) the pass reply, and 4) optionally other data, during their transmission to the issuer data processing center. A PKC alone cannot conveniently provide all the required protections.
Accordingly, a hybrid public/secret key cryptosystem is needed. The details of this arrangement are influenced by the specific PKC in use in any embodiment of the present invention. The result of the hybrid public/secret key cryptosystem is put in a second message sent to the issuer data processing center.
At the issuer data processing center, the second message is received and then the algorithms used for protection are reversed, notably using the issuer's private key. Upon failure of any verification, the process is aborted. Then the applicant's record in the issuer database is expanded to include 1) part or all of the generated secret key, 2) preferably the pass query, and 3) the pass reply.
public key pair Package public key with application Distribute software Obtain application software software Distribute Obtain portable hardware memory device Table 1 Preliminary Steps The issuer also prepares some application software that embeds an "applicant registration program" and a copy of the issuer's public key. The applicant obtains a copy of this application software from any type of distribution channel because there is no customization required at this stage.
The applicant also obtains a portable memory device if the secret key is to be stored on such a device, again from any type of distribution channel.
In an instance of secret key establishment, under the control of the applicant, the applicant registration program is executed by a digital processor.
(See Table 2) This program generates a secret key, preferably not arbitrarily but starting with one or more arbitrary numbers and then applying transformations mandated by the PKC in use and taking into account the issuer's public key, the said transformations preferably taking into account a first message according to the cryptosystem in use and issued by or on behalf of the issuer. When the PKC
in use is conventional public key encryption, there is no first message. When the PKC in use is PEKE, the first message is the PEKE initiator's message and it may be issued by or on behalf of the issuer. When the PKC in use is the Lein Ham's improvement to the Diffie-Hellman key exchange, the first message must be issued by the issuer because it requires knowledge of the issuer's private key, and the transformations further include the abortion of the process upon the failure of a digital signature verification.
Once generated, part or this entire secret key is loaded into the portable memory device, if any, otherwise into a convenient digital memory area.
Alternatively, it may be displayed to the applicant in human-readable form, in which case the applicant would presumably load this key into a separate apparatus having its own memory.
Another function of the applicant registration program is to accept secret inputs chosen by the applicant and typed on a keyboard. The secret inputs preferably include a pass query. The secret inputs include a pass reply. The applicant should be instructed not to disclose the pass reply to anyone but to an issuer agent who preferably would first pronounce the pass query.
Portable Applicant's Issuer data memory Applicant digital processing device processor center Start applicant Preferably receive registration message according to cryptosystem in program use Generate a secrete key, variant-dependent rules Receive secret Load secret key into key portable memory device Type secret Seal and enc t e.g.
pass query ryp and using issuer public pass reply key Send message Receive message Decrypt and check, store secret key, pass query, and pass reply Table 2 Applicant Registration Program The main role of the PKC in use is to provide protections for 1) the generated secret key, 2) preferably the pass query, 3) the pass reply, and 4) optionally other data, during their transmission to the issuer data processing center. A PKC alone cannot conveniently provide all the required protections.
Accordingly, a hybrid public/secret key cryptosystem is needed. The details of this arrangement are influenced by the specific PKC in use in any embodiment of the present invention. The result of the hybrid public/secret key cryptosystem is put in a second message sent to the issuer data processing center.
At the issuer data processing center, the second message is received and then the algorithms used for protection are reversed, notably using the issuer's private key. Upon failure of any verification, the process is aborted. Then the applicant's record in the issuer database is expanded to include 1) part or all of the generated secret key, 2) preferably the pass query, and 3) the pass reply.
From then on, an issuer agent may be assigned the task of communicating with the applicant to verify the applicant's identity. (See Table 3) This communication should be two-way simultaneous like a telephone conversation or a personal visit to a branch of the issuer. The issuer data processing facilities display, or otherwise make available in human understandable form, the information relevant to the verification of the applicant's identity, namely some identification data, preferably the pass query, and the pass reply. During this conversation, preferably the issuer agent pronounces the pass query, allowing the applicant to recognize the agent as being authorized to verify his identity.
Then, the applicant should pronounce the pass reply, while the issuer agent listens and verifies the pass reply. During this conversation, the issuer agent generally verifies the applicant's identity. The data processing facilities provide the agent with an input mechanism, e.g. an input field on a computer screen, to enter the final acceptance or rejection of the registration. This causes a change in the status of the secret key in the issuer database. The pass query and pass reply are not intended for further use after this verification of identity.
Issuer data processing Issuer agent Applicant center Communicate applicant's Establish real-time, Establish real-time, data 2-way contact 2-way contact Communicate pass query and pass reply Pronounce pass query Listen and verify query Listen and verify reply Pronounce pass reply Verify applicant's identity Answer questions Validate secrete key Accept applicant's registration identify Table 3 Verifying Applicant's Identity Generally speaking, the present invention assists the development of mutual recognition relationships between the applicant and the issuer. Thus, an account of the trust relationships through the recommended use of the invention may help its understanding.
In a preferred embodiment of the present invention, the chain of recognition relationships starts with the applicant receiving some software (e.g.
in the form of an on-line banking software package, or in the form of firmware within an electronic wallet) that he may recognize as genuinely endorsed by the issuer, and that contains the public key of the issuer stored with proprietary or semi-proprietary data integrity algorithm. Stated differently, the applicant believes that some software package or security device is not bogus, presumably because of its look and feel. What-he-believes-genuine contains the public key of the issuer. Some obscure method is used by what-he-believes-genuine to make sure no defrauder pasted his own public key in place of the issuer's public key.
When the applicant starts the applicant program, a new secret key is generated locally. Also, the applicant's program gets input, from the applicant, for two secret phrases used only for registration purposes, namely a "pass query"
(e.g. "Where did my father look when he was at the boarding school?") and a "pass reply" (e.g. "My first car was brown and rusty."), both of them being protected, along with the newly generated secret key. The issuer's public key is used as the starting point of the protection mechanism. The result is sent as the digital message from the applicant's digital processor to the issuer's data processing facilities. By keeping secret the pass query and pass reply, the applicant gets assurance that the first person who can thereafter pronounce them is an issuer agent; this level of assurance being proportional to the applicant's trust in the issuer's operational integrity. The applicant should be given clear instructions to reveal the pass reply only to someone who just pronounced the pass query.
Upon receipt of the digital message from the applicant by the issuer, the issuer program may be executed within the issuer data processing facilities, where the private counterpart of the issuer's public key is available. As a result of the issuer program execution, the applicant record in the issuer database is updated with a fresh, yet to be validated secret key registration, and the pass query and pass reply. As yet another result of the issuer program execution, an issuer agent may, at any time thereafter, be assigned the task of validating the applicant's identity with a personal conversation.
During the conversation between the applicant and an issuer agent according to the present invention, the present invention provides the issuer agent with the applicant information needed for the verification of identity, namely personal descriptive data (e.g. mother's maiden name and state of birth), pass query, and pass reply. The issuer agent should pronounce the pass query to the person he is speaking with, wait for this person to pronounce the pass reply.
In case this verification fails, the present invention provides the issuer with means to flag the registration as being void. The issuer agent should give rapid warning to the legitimate applicant since in these circumstances an impostor could impersonate a user agent for this applicant. In the normal case where the pass reply verification is successful, and assuming that the applicant did not reveal the pass reply to anyone, the issuer agent is assured that the person he is speaking with is the one who entered the pass query and reply when the applicant's secret key was generated. Then the issuer agent should check that this person knows, without unusual hesitation or imprecision, the descriptive data about the applicant. This is the verification of identity that binds the applicant to the shared secret key established with the cryptographic protocol. If the verification of identity is successful, the issuer agent is assured that the person he is speaking with is indeed the applicant for whom the secret key registration was awaiting validation in the issuer's database. The present invention thus provides the issuer agent with means to flag the secret key registration as being accepted or validated.
It is an object of the present invention to offer a remote secret key initialization and loading protocol with sensible identity verification procedures.
It is yet another object of the present invention to provide enhanced security in view of the subtleties of attacks to cryptographic protocols and algorithms.
It is yet another object of the present invention to provide cost-effective customer registration procedures for the delivery of electronic transactions based on a secret authentication key. It is yet another object of the present invention to provide customer registration procedures facilitating the use of alternate channels for the distribution of devices used for authentication.
Brief Description of the Drawings The present invention will be better understood by way of the following detailed description of the invention with reference to the appended drawings, in which:
Figure 1 is an overview block diagram illustrating the secret key establishment method and system according to the present invention;
Figure 2 is a detailed block diagram illustrating the applicant registration program according to the present invention; and Figure 3 is a detailed block diagram illustrating the reversed cryptographic processing done in the issuer data processing center according to the present invention, and the facilities provided by the present invention for verification of identity.
Detailed Description of the Invention Some operations required by the present invention are performed by digital processors. Such operations are hereafter called "controlled computer operation" but are nonetheless considered as acts of either the applicant or the issuer. In practice, these operations are performed by a computer or other electronic apparatus under the control of either the applicant or the issuer.
The degree of effective control on any computer operation may influence the security of the whole secret key establishment method as someone knowledgeable in the field of information system security will appreciate from the following description.
The inputs and outputs of controlled computer operations are often stored in digital memories. Then, again, uninterrupted possession and/or control over the use of these digital memories may influence the security of the whole secret key establishment method. When a digital memory is physically protected against unauthorized reading or modification, it becomes a "physically secure memory".
It is well known in the field of cryptography and information security how a legitimate user reverses a given cryptographic function from the knowledge of the appropriate keys. Thus, the disclosure of the present invention does not require the same level of detail for the reversal of a cryptographic function as for the function itself.
A public key cryptosystem (PKC) is at the heart of the proposed secret key establishment method. There are three possible PKC's, namely 1) any Public Key Encryption (PK-Encr) schemes, 2) the Probabilistic Encryption Key Exchange (PEKE), and 3) the Diffie-Hellman scheme as improved by Lein Ham (DH-Harn). For the PK-Encr case, the prior art is mature for a number of practical alternatives, notably RSA. For PEKE and DH-Harn, the prior art needs some precision for use in the present invention. PEKE is used in the preferred embodiment; provisions are made to exploit its efficiency as a public key cryptosystem for the applicant. Table 4. "PKC specification table" portrays the use of each PKC in the present invention. For PK-Encr, the RSA cryptosystem is used as an example in the PKC specification table. For PEKE and DH-Harn, the PKC specification table and the rest of the narrative specification are mutually agreeing. The mathematical notation for each PKC is independent from each other (e.g. the symbol "e" for PEKE bears no relation to the symbol number "e"
for DH-Harn). As with most public key cryptosystems, all computations are made with integer arithmetic, and often with very large operands. The usual known art of algorithmic number theory is implied. The symbol ";" represents concatenation of k-bit strings, and tacitly specifies a conversion from integer to bit string. Any of the following symbols should be read as if it was a one-letter symbol: xA_,B, XB, alpha, beta, mu, and nu.
Then, the applicant should pronounce the pass reply, while the issuer agent listens and verifies the pass reply. During this conversation, the issuer agent generally verifies the applicant's identity. The data processing facilities provide the agent with an input mechanism, e.g. an input field on a computer screen, to enter the final acceptance or rejection of the registration. This causes a change in the status of the secret key in the issuer database. The pass query and pass reply are not intended for further use after this verification of identity.
Issuer data processing Issuer agent Applicant center Communicate applicant's Establish real-time, Establish real-time, data 2-way contact 2-way contact Communicate pass query and pass reply Pronounce pass query Listen and verify query Listen and verify reply Pronounce pass reply Verify applicant's identity Answer questions Validate secrete key Accept applicant's registration identify Table 3 Verifying Applicant's Identity Generally speaking, the present invention assists the development of mutual recognition relationships between the applicant and the issuer. Thus, an account of the trust relationships through the recommended use of the invention may help its understanding.
In a preferred embodiment of the present invention, the chain of recognition relationships starts with the applicant receiving some software (e.g.
in the form of an on-line banking software package, or in the form of firmware within an electronic wallet) that he may recognize as genuinely endorsed by the issuer, and that contains the public key of the issuer stored with proprietary or semi-proprietary data integrity algorithm. Stated differently, the applicant believes that some software package or security device is not bogus, presumably because of its look and feel. What-he-believes-genuine contains the public key of the issuer. Some obscure method is used by what-he-believes-genuine to make sure no defrauder pasted his own public key in place of the issuer's public key.
When the applicant starts the applicant program, a new secret key is generated locally. Also, the applicant's program gets input, from the applicant, for two secret phrases used only for registration purposes, namely a "pass query"
(e.g. "Where did my father look when he was at the boarding school?") and a "pass reply" (e.g. "My first car was brown and rusty."), both of them being protected, along with the newly generated secret key. The issuer's public key is used as the starting point of the protection mechanism. The result is sent as the digital message from the applicant's digital processor to the issuer's data processing facilities. By keeping secret the pass query and pass reply, the applicant gets assurance that the first person who can thereafter pronounce them is an issuer agent; this level of assurance being proportional to the applicant's trust in the issuer's operational integrity. The applicant should be given clear instructions to reveal the pass reply only to someone who just pronounced the pass query.
Upon receipt of the digital message from the applicant by the issuer, the issuer program may be executed within the issuer data processing facilities, where the private counterpart of the issuer's public key is available. As a result of the issuer program execution, the applicant record in the issuer database is updated with a fresh, yet to be validated secret key registration, and the pass query and pass reply. As yet another result of the issuer program execution, an issuer agent may, at any time thereafter, be assigned the task of validating the applicant's identity with a personal conversation.
During the conversation between the applicant and an issuer agent according to the present invention, the present invention provides the issuer agent with the applicant information needed for the verification of identity, namely personal descriptive data (e.g. mother's maiden name and state of birth), pass query, and pass reply. The issuer agent should pronounce the pass query to the person he is speaking with, wait for this person to pronounce the pass reply.
In case this verification fails, the present invention provides the issuer with means to flag the registration as being void. The issuer agent should give rapid warning to the legitimate applicant since in these circumstances an impostor could impersonate a user agent for this applicant. In the normal case where the pass reply verification is successful, and assuming that the applicant did not reveal the pass reply to anyone, the issuer agent is assured that the person he is speaking with is the one who entered the pass query and reply when the applicant's secret key was generated. Then the issuer agent should check that this person knows, without unusual hesitation or imprecision, the descriptive data about the applicant. This is the verification of identity that binds the applicant to the shared secret key established with the cryptographic protocol. If the verification of identity is successful, the issuer agent is assured that the person he is speaking with is indeed the applicant for whom the secret key registration was awaiting validation in the issuer's database. The present invention thus provides the issuer agent with means to flag the secret key registration as being accepted or validated.
It is an object of the present invention to offer a remote secret key initialization and loading protocol with sensible identity verification procedures.
It is yet another object of the present invention to provide enhanced security in view of the subtleties of attacks to cryptographic protocols and algorithms.
It is yet another object of the present invention to provide cost-effective customer registration procedures for the delivery of electronic transactions based on a secret authentication key. It is yet another object of the present invention to provide customer registration procedures facilitating the use of alternate channels for the distribution of devices used for authentication.
Brief Description of the Drawings The present invention will be better understood by way of the following detailed description of the invention with reference to the appended drawings, in which:
Figure 1 is an overview block diagram illustrating the secret key establishment method and system according to the present invention;
Figure 2 is a detailed block diagram illustrating the applicant registration program according to the present invention; and Figure 3 is a detailed block diagram illustrating the reversed cryptographic processing done in the issuer data processing center according to the present invention, and the facilities provided by the present invention for verification of identity.
Detailed Description of the Invention Some operations required by the present invention are performed by digital processors. Such operations are hereafter called "controlled computer operation" but are nonetheless considered as acts of either the applicant or the issuer. In practice, these operations are performed by a computer or other electronic apparatus under the control of either the applicant or the issuer.
The degree of effective control on any computer operation may influence the security of the whole secret key establishment method as someone knowledgeable in the field of information system security will appreciate from the following description.
The inputs and outputs of controlled computer operations are often stored in digital memories. Then, again, uninterrupted possession and/or control over the use of these digital memories may influence the security of the whole secret key establishment method. When a digital memory is physically protected against unauthorized reading or modification, it becomes a "physically secure memory".
It is well known in the field of cryptography and information security how a legitimate user reverses a given cryptographic function from the knowledge of the appropriate keys. Thus, the disclosure of the present invention does not require the same level of detail for the reversal of a cryptographic function as for the function itself.
A public key cryptosystem (PKC) is at the heart of the proposed secret key establishment method. There are three possible PKC's, namely 1) any Public Key Encryption (PK-Encr) schemes, 2) the Probabilistic Encryption Key Exchange (PEKE), and 3) the Diffie-Hellman scheme as improved by Lein Ham (DH-Harn). For the PK-Encr case, the prior art is mature for a number of practical alternatives, notably RSA. For PEKE and DH-Harn, the prior art needs some precision for use in the present invention. PEKE is used in the preferred embodiment; provisions are made to exploit its efficiency as a public key cryptosystem for the applicant. Table 4. "PKC specification table" portrays the use of each PKC in the present invention. For PK-Encr, the RSA cryptosystem is used as an example in the PKC specification table. For PEKE and DH-Harn, the PKC specification table and the rest of the narrative specification are mutually agreeing. The mathematical notation for each PKC is independent from each other (e.g. the symbol "e" for PEKE bears no relation to the symbol number "e"
for DH-Harn). As with most public key cryptosystems, all computations are made with integer arithmetic, and often with very large operands. The usual known art of algorithmic number theory is implied. The symbol ";" represents concatenation of k-bit strings, and tacitly specifies a conversion from integer to bit string. Any of the following symbols should be read as if it was a one-letter symbol: xA_,B, XB, alpha, beta, mu, and nu.
RSA (PK-Encr) PEKE DH-Harn Public key N= P x Q, e N=P x Q y = aX mod p P, Q, d, where P, Q, where P
P and Q are and Q are large large random random primes random x, x<p Private key primes, and congruent to 3 d x e mod modulo 4 (P-1)(Q-1) = I (note 1) S, C, k, t, where p, a, where p is Other none 0<CxS<N a large prime parameters ' number and a is k<In(N)/In(2) a " enerator"
r, s, where r = ak mod p First random xA_,B, from private message none where x,,-,B<C random k, s from signature equation (note 5) Verification Signature of first n/a none verification message equation (note 5) w=Bo,'B,: ...;Bt.,, re mod p, Internal Secret random from secret from private secret key number k random Xe, random e where XB<N/C
(note 2) Length of <In(N)/In(2) k x t ln(p)/In(2) internal key Second c= ke mod N xt f= ae mod p message Verification of second none (note 3) none message Recovery of w=Bo;B,: ...: Bt-,, internal k = cd mod N from secret e, f k mod p secret key (note 4) Table 4: PKC Specification Table.
Note 1: Preferably perform the pre-computation of integers a and b such that axP + bxQ = 1, and alpha =((P+1) /4 mod (P-1), and beta =((Q+1) / 4 ) "') mod (Q-1).
Note 2: Compute x=(xB- (xB mod S)) XC + xA-,B xS +(xB mod S), xo x2 mod N, xi+1 = xi2 mod N, where i runs from 0 to t-1, and Bi = xi mod 2', where i runs from 0 to t-1.
P and Q are and Q are large large random random primes random x, x<p Private key primes, and congruent to 3 d x e mod modulo 4 (P-1)(Q-1) = I (note 1) S, C, k, t, where p, a, where p is Other none 0<CxS<N a large prime parameters ' number and a is k<In(N)/In(2) a " enerator"
r, s, where r = ak mod p First random xA_,B, from private message none where x,,-,B<C random k, s from signature equation (note 5) Verification Signature of first n/a none verification message equation (note 5) w=Bo,'B,: ...;Bt.,, re mod p, Internal Secret random from secret from private secret key number k random Xe, random e where XB<N/C
(note 2) Length of <In(N)/In(2) k x t ln(p)/In(2) internal key Second c= ke mod N xt f= ae mod p message Verification of second none (note 3) none message Recovery of w=Bo;B,: ...: Bt-,, internal k = cd mod N from secret e, f k mod p secret key (note 4) Table 4: PKC Specification Table.
Note 1: Preferably perform the pre-computation of integers a and b such that axP + bxQ = 1, and alpha =((P+1) /4 mod (P-1), and beta =((Q+1) / 4 ) "') mod (Q-1).
Note 2: Compute x=(xB- (xB mod S)) XC + xA-,B xS +(xB mod S), xo x2 mod N, xi+1 = xi2 mod N, where i runs from 0 to t-1, and Bi = xi mod 2', where i runs from 0 to t-1.
Note 3: Compute mu =(xt mod P) a'''''a mod P, nu =(xt mod Q) beta mod Q, e = (bxQxmu + axPxnu) mod N, f=(bxQx(P-mu) + axPxnu) mod N, g = (bxQxmu + axPx(Q-nu)) mod N, h = (bxQx(P-mu) + axPx (Q-nu) ) mod N, and then verify that one of e, f, g, or h satisfies xA-,BxS = (? mod (SxC)) - (? mod S).
Note 4: Compute xo = e2 mod N, x;+, = xi2 mod N, where i runs from 0 to t-1, and B; = x; mod 2'', where i runs from 0 to t-1.
Note 5: Lein Ham proposes four possible equation pairs for signature generation/verification, as indicated below in Table 5:
Signature Generation Si nature Verification (1) rXx=k+s mod (p-1) y'=rXas mod p (2) sXx=k+r mod (p-1) y5=rxa' mod p (3) x=rXk+s mod (p-1) y=r'xas mod p (4) x=sxk+r mod (p-1) y=rxa' mod p Table 5 Possible Equation Pairs In the preparation for later secret key establishment instances, the issuer gets a private/public key pair for itself, according to the PKC in use. See the PKC specification table under the row headings "Public key" and "Private key".
This is a controlled computer operation. The issuer makes the issuer private key 205 available in the issuer data processing center 300 with the usual security precautions to prevent disclosure or unauthorized use.
Still in the preparation for later secret key establishment instances, the issuer prepares a set of parameters to be used in controlled computer operations by the applicant. In all cases, the issuer public key is part of this set of parameters. This set of parameters also includes the elements listed under the row heading "Other parameters" in the PKC specification table. This set of parameters may also include identification data for the issuer, like the electronic mail address where the secret key registration should be sent.
In the preferred embodiment, this set of parameters includes additional data for the PEKE cryptosystem intended to reduce the computation load for the controlled computer operations by the applicant. This includes the numbers S
and C, but the numbers S and C could be part of the first message 103 instead.
Still in the preparation for later secret key establishment instances, the issuer preferably transforms this set of parameters, where this transformation includes controlled computer operations that protect the integrity of part or all of this set of parameters, and at least the issuer public key. In the preferred embodiment, the mentioned transformation is encryption and sealing with a Frogbit semi-proprietaly algorithm using a secret key of the issuer. The Frogbit semi-proprietary algorithm is specified in Canadian Patent Application Serial No. 2,177,622 published on November 30, 1997. The transformation may use other proprietary schemes.
Alternatively, the transformation may include affixing a digital signature generated with a private key for digital signature. This private key for digital signature is either the issuer's, or a certification authority's, and correspondingly the digital signature generation is a controlled computer operation respectively by the issuer, or by this certification authority. As is known from the prior art, a chain of security certificates may be used, in which case security certificates may be an integral part of the result of the transformation. Note that with digital signatures, the Frogbit or a proprietary algorithm may still be used to protect the integrity of a certification authority public key. Whenever the mentioned transformation is used, its result is shown as "sealed public key" 203 in the figures.
Still in the preparation for later secret key establishment instances, the issuer prepares an executable computer program comprising at least the applicant registration program 100. If the mentioned transformation was not used, the applicant registration program 100 is compatible with the set of parameters.
If the mentioned transformation was used, the applicant registration program 100 is compatible with the sealed public key 203 and it includes the integrity mechanism 107 that is the programmed reversal of the transformation. If the transformation uses Frogbit semi-proprietary algorithm or other proprietary algorithm, the preparation of this executable program is a controlled computer operation by the issuer because a secret algorithm and a secret key of the issuer must be embedded in the executable program. In the preferred embodiment, the executable program comprises substantially more application code than just the applicant registration program 100, so its look and feel would be difficult to reproduce by a defrauder. The executable program may be embedded in an electronic apparatus like a POS terminal instead of being run by a general-purpose computer. In the preferred embodiment, the executable program is run by a general-purpose computer and the sealed public key 203 is stored in a computer file separate from the executable file.
In preparation for later secret key establishment instances, the applicant has or obtains a copy of an executable program comprising the applicant registration program 100, a copy of the sealed public key 203, and a portable memory device 102. These items may take several forms, and may be combined depending on the variations of the invention. The "portable" memory device 102 is any memory suitable for a given application, including a plurality of inemories if key-splitting is used. In the preferred embodiment, the portable memory device is any very simple small memory device which can be temporarily connected to a personal computer using an inexpensive connector, for example the Dallas Semiconductor DS1992 1K-Bit Touch Memory "button", featuring 1024 bits of non-volatile read/write memory plus a 48 bit unique read-only serial number, in a coin-size metal casing that can be attached to a key ring. The reader/connector is part number DS9092GT which connects the Touch Memory to a serial port of the personal computer.
Some variants of the secret key establishment process use a first message 103. This is mainly dependent on the PKC in use. See the PKC specification table under the row heading "First message". When a first message 103 is used, its generation is the first step of an instance of secret key establishment.
With the DH-Harn cryptosystem, a first message 103 is used and its generation is a controlled computer operation by the issuer because the knowledge of the issuer private key is required. With the PEKE cryptosystem, there is a first message 103 that may be generated by the issuer or by another party. With the preferred embodiment, the first message 103 is generated by the issuer or by another party, but not by the applicant. With the PK-Encr cryptosystem, there is no first message 103. With PEKE, the first message 103 may include the numbers S and C if they were not included in the set of parameters as in the case of the preferred embodiment. When PEKE is used in the present invention, the generation of first message 103 may be assigned to the applicant registration program 100, in which case there is obviously no transmission of the first message 103 to the applicant registration program 100.
If PEKE is used in the present invention and if the generation of the first message 103 is not done by the issuer, the issuer must somehow receive its contents. One possible arrangement is to let the applicant registration program 100 include the contents of the first message 103 in the second message 104.
This is done in the preferred embodiment, in which case the generating party affixes reference numbers to first messages 103 and keeps a log of the first messages 103. This allows the issuer to audit the generation of first messages 103.
The rationale behind the use of a first message 103 is related to subtle weaknesses in cryptographic protocols and their implementations. For instance, if the issuer does not trust the applicant's processor random source 105, PK-Encr should be avoided. With DH-Harn, a passive eavesdropper to the secret key exchange could notice a failure of the applicant's processor random source where the random output would turn out to be constant among a number of instances of secret key exchange. With PEKE, this is not an issue. The issuer may use discipline in the way first messages 103 are generated to ensure absolute uniqueness or freshness of the secret key generated by instances of the secret key exchange. For uniqueness, the issuer should tag each first message 103 with a serial number and make sure any serial number is used only once. For freshness, the issuer should keep a record of creation times for first messages 103 and reject older ones. In the preferred embodiment, the applicant registration program is trusted to timely request a first message 103 on each instance of secret key exchange, and to discard it once used. Also in the preferred embodiment, a system with a trusted random source may generate first messages 103; and no specific tracking of first messages 103 is needed. With PEKE, the presence of the number xA-,B protects the issuer against "chosen cyphertext attacks" known in the prior art, even if the generation of first message 103 is not done by the issuer.
The present invention may be practiced with the first message 103 being prepared upon request by an applicant, and including data specific to this applicant. Although this may enhance the security of the applicant registration process, it may also increase the administrative workload for the issuer.
An instance of secret key exchange starts with the receipt of the first message 103, if any, and may proceed with the other steps of the applicant registration program 100 whenever triggered by the applicant. The execution of the other steps of the applicant registration program 100 is a controlled computer operation by the applicant. It is the applicant's digital processor that executes the applicant registration program 100.
An instance of secret key exchange includes, as part of the applicant registration program 100, the application of integrity mechanism 107 to recover public key 204 from sealed public key 203. This is the reversal of the transformation that resulted in the "sealed public key" 203. As a consequence of this application of integrity mechanism 107, the applicant registration program 100 may abort the instance of secret key exchange. In cases where the integrity mechanism 107 is not used, the public key 204 is directly available to the applicant registration program 100 as part of the set of parameters.
In the case of DH-Harn, an instance of secret key exchange includes, as part of the applicant registration program 100, the verification of the Lein Ham intriguing digital signature, that is the verification that the numbers s and r from the first message 103 satisfy the appropriate verification equation. See the PKC
specification table under the row heading "Verification of first message".
An instance of secret key exchange also includes, as part of the applicant registration program 100, the receipt of two inputs, respectively pass query and pass reply 209, through keyboard input device 101. The applicant should choose unique and unrelated secret phrases for these two inputs. The pass query 206 and pass reply 209 can be displayed by the applicant registration program 100 instead of being input from the input device 101. Then, randomness and secrecy should surround the generation of the pass query 206 and pass reply 209, to ensure a logical bind or link between this instance of secret key exchange and the displayed values for pass query 206 and pass reply 209.
An instance of secret key exchange also includes, as part of the hybrid public/secret key cryptographic processing 106, the local generation of an internal secret key according to the PKC in use. The random source 105 is used to generate at least one secret or private random number. See the PKC
specification table under the row headings "Internal secret key" and "Length of internal key". With PK-Encr, the random source 105 directly produces the internal secret key. With DH-Harn, the random source 105 produces a private random number e and the internal secret key is computed as re mod p. With PEKE, the random source 105 produces the secret random number XB, and the internal secret key is computed from XB, xA-,B, S, C, N, t, and k. In the preferred embodiment, the size of the public key number N is 768 bits and the number k is about 1/3 of that size, hence k=256.
The preferred embodiment for the random source 105 includes some pseudo-random number generator (PRNG) with state information. The said PRNG state information is stored on a computer hard disk, protected with the Frogbit data integrity algorithm, and varied (using available truly random data) both before and after the random source 105 usage in an instance of secret key exchange.
Still according to the PKC in use and as part of the hybrid public/secret key cryptographic processing 106, the applicant's digital processor prepares some components of the second message 104. See the PKC specification table under the row heading "Second message". With PK-Encr, this second message is the public key encryption of the internal secret key, using public key 204, the cyphertext being included in the second message 104. With DH-Harn, this is the computation of a number f=a e mod p where a and p were part of the set of parameters, according to the known art of the Diffie-Hellman cryptosystem, the number f being included in the second message 104. There is no signature generation from the applicant's digital processor; in other words the Lein Ham's improvement to the Diffie-Hellman cryptosystem is applied only for the issuer.
As is well known in the prior art, the components of the second message 104 prepared in this way allow the issuer data processing center 300 to recover the internal secret key while protecting it from adversaries even if they can eavesdrop on the set of parameters, first message 103, and second message 104.
Other PKCs may be used for the local generation of the internal secret key. A likely candidate is any PKC that is a secret key establishment cryptosystem using a public key 204. For instance, the original Diffie-Hellman cryptosystem can be used directly with the same public key as for the DH-Harn improvement, in which case the internal secret key is computed as y e mod p, where e is generated by the random source 105, and y and p were part of the set of parameters.
Another possible arrangement to obtain the internal secret key would rely on a public/private key pair of the applicant that would not require certification as in the prior art public key cryptography. The presence of this public/private key pair of the applicant would make the random source 105 unnecessary. In this alternate scheme, the issuer public key 204 would be like in the PK-Encr case.
The public component of the public/private key pair of the applicant would be encrypted using the issuer public key 204, and then transmitted to the issuer data processing center 300 where it would be decrypted using the issuer private key 205. Still in the issuer data processing center 300, the function of the random source 105 would be performed, thus generating the internal secret key as if done by the applicant registration program 100 in the PK-Encr case. The internal secret key would then be encrypted using the public component of the public/private key pair of the applicant. The encrypted internal secret key would be sent back to the applicant registration program 100 where the knowledge of the private component of the public/private key pair of applicant would allow the decryption of the internal secret key. It should be clear to one skilled in the art that the confidentiality of the internal secret key is preserved if this instance of secret key establishment is thereafter successfully completed, as long as the private component of the public/private key pair of the applicant remains undisclosed, despite the fact that the issuer has no a-priori knowledge of the public component of the public/private key pair of the applicant.
Still according to the PKC in use and as part of the hybrid public/secret key cryptographic processing 106, the applicant's digital processor derives the secret key 201 from part or all of the internal secret key. This derivation may use any unambiguous specification, as long as it uses no input that is not shared with the issuer data processing center 300. For instance, a pseudo-random generator can be used as an "expander of randomness" if the secret key 201 is very large.
In the preferred embodiment, the secret key 201 is simply a part of the internal secret key distinct from the two parts used respectively for the MAC and the DES encryption.
An instance of secret key exchange includes, as part of the hybrid public/secret key cryptographic processing 106, the cryptographic protection of pass query 206, pass reply 209, and possibly other data 108. This other data may include a serial number of the portable memory device 102, the applicant's name, a conventional PIN (that is a secret PIN known by the applicant and stored in the issuer database) chosen by the applicant at the time of secret key establishment, and the like. This cryptographic protection is done with secret key cryptographic algorithms, possibly with the help of key-less hash functions.
This cryptographic protection uses part or the entire internal secret key. For the pass query 206 and the pass reply 209, this cryptographic protection is confidentiality and data integrity protection. For the other data 108, this cryptographic protection may be what is deserved by a particular application. The result of this cryptographic protection is some cyphertext, and possibly some cleartext along with message authentication code, that goes into second message 104.
In the preferred embodiment, the cryptographic protection starts with the computation of a Message Authentication Code (MAC) of the pass query 206, the pass reply 209, and the other data 108 if any, using CBC-MAC with the DES
algorithm, and using a first part of the internal secret key. Then, DES
encryption with the CBC mode of operation is applied to the pass query 206, the pass reply 209, and any portion of the other data 108 that deserves confidentiality protection, using another part of the internal secret key. Thus, the data elements that go into second message 104 as a result of the cryptographic protection are 1) the cyphertext representation of the encrypted data, 2) the non-encrypted portion, if any, of the other data 108, and 3) the calculated MAC.
An instance of secret key exchange also includes, as part of the applicant registration program 100, the loading of the secret key 201 into the portable memory device 102. This is done by key loader 109 that is any interface, connector, smart card reader apparatus, operating system software driver needed to write data to the actual memory device in use. The key loader 109 may encompass intrinsic security functions such as requesting a PIN to unlock a smart card, or the key-splitting of secret key 201 into two or more parts.
In the preferred embodiment, the key loader 109 splits the secret key 201 into three parts as follows: the key loader 109 accepts a local applicant's PIN
Note 4: Compute xo = e2 mod N, x;+, = xi2 mod N, where i runs from 0 to t-1, and B; = x; mod 2'', where i runs from 0 to t-1.
Note 5: Lein Ham proposes four possible equation pairs for signature generation/verification, as indicated below in Table 5:
Signature Generation Si nature Verification (1) rXx=k+s mod (p-1) y'=rXas mod p (2) sXx=k+r mod (p-1) y5=rxa' mod p (3) x=rXk+s mod (p-1) y=r'xas mod p (4) x=sxk+r mod (p-1) y=rxa' mod p Table 5 Possible Equation Pairs In the preparation for later secret key establishment instances, the issuer gets a private/public key pair for itself, according to the PKC in use. See the PKC specification table under the row headings "Public key" and "Private key".
This is a controlled computer operation. The issuer makes the issuer private key 205 available in the issuer data processing center 300 with the usual security precautions to prevent disclosure or unauthorized use.
Still in the preparation for later secret key establishment instances, the issuer prepares a set of parameters to be used in controlled computer operations by the applicant. In all cases, the issuer public key is part of this set of parameters. This set of parameters also includes the elements listed under the row heading "Other parameters" in the PKC specification table. This set of parameters may also include identification data for the issuer, like the electronic mail address where the secret key registration should be sent.
In the preferred embodiment, this set of parameters includes additional data for the PEKE cryptosystem intended to reduce the computation load for the controlled computer operations by the applicant. This includes the numbers S
and C, but the numbers S and C could be part of the first message 103 instead.
Still in the preparation for later secret key establishment instances, the issuer preferably transforms this set of parameters, where this transformation includes controlled computer operations that protect the integrity of part or all of this set of parameters, and at least the issuer public key. In the preferred embodiment, the mentioned transformation is encryption and sealing with a Frogbit semi-proprietaly algorithm using a secret key of the issuer. The Frogbit semi-proprietary algorithm is specified in Canadian Patent Application Serial No. 2,177,622 published on November 30, 1997. The transformation may use other proprietary schemes.
Alternatively, the transformation may include affixing a digital signature generated with a private key for digital signature. This private key for digital signature is either the issuer's, or a certification authority's, and correspondingly the digital signature generation is a controlled computer operation respectively by the issuer, or by this certification authority. As is known from the prior art, a chain of security certificates may be used, in which case security certificates may be an integral part of the result of the transformation. Note that with digital signatures, the Frogbit or a proprietary algorithm may still be used to protect the integrity of a certification authority public key. Whenever the mentioned transformation is used, its result is shown as "sealed public key" 203 in the figures.
Still in the preparation for later secret key establishment instances, the issuer prepares an executable computer program comprising at least the applicant registration program 100. If the mentioned transformation was not used, the applicant registration program 100 is compatible with the set of parameters.
If the mentioned transformation was used, the applicant registration program 100 is compatible with the sealed public key 203 and it includes the integrity mechanism 107 that is the programmed reversal of the transformation. If the transformation uses Frogbit semi-proprietary algorithm or other proprietary algorithm, the preparation of this executable program is a controlled computer operation by the issuer because a secret algorithm and a secret key of the issuer must be embedded in the executable program. In the preferred embodiment, the executable program comprises substantially more application code than just the applicant registration program 100, so its look and feel would be difficult to reproduce by a defrauder. The executable program may be embedded in an electronic apparatus like a POS terminal instead of being run by a general-purpose computer. In the preferred embodiment, the executable program is run by a general-purpose computer and the sealed public key 203 is stored in a computer file separate from the executable file.
In preparation for later secret key establishment instances, the applicant has or obtains a copy of an executable program comprising the applicant registration program 100, a copy of the sealed public key 203, and a portable memory device 102. These items may take several forms, and may be combined depending on the variations of the invention. The "portable" memory device 102 is any memory suitable for a given application, including a plurality of inemories if key-splitting is used. In the preferred embodiment, the portable memory device is any very simple small memory device which can be temporarily connected to a personal computer using an inexpensive connector, for example the Dallas Semiconductor DS1992 1K-Bit Touch Memory "button", featuring 1024 bits of non-volatile read/write memory plus a 48 bit unique read-only serial number, in a coin-size metal casing that can be attached to a key ring. The reader/connector is part number DS9092GT which connects the Touch Memory to a serial port of the personal computer.
Some variants of the secret key establishment process use a first message 103. This is mainly dependent on the PKC in use. See the PKC specification table under the row heading "First message". When a first message 103 is used, its generation is the first step of an instance of secret key establishment.
With the DH-Harn cryptosystem, a first message 103 is used and its generation is a controlled computer operation by the issuer because the knowledge of the issuer private key is required. With the PEKE cryptosystem, there is a first message 103 that may be generated by the issuer or by another party. With the preferred embodiment, the first message 103 is generated by the issuer or by another party, but not by the applicant. With the PK-Encr cryptosystem, there is no first message 103. With PEKE, the first message 103 may include the numbers S and C if they were not included in the set of parameters as in the case of the preferred embodiment. When PEKE is used in the present invention, the generation of first message 103 may be assigned to the applicant registration program 100, in which case there is obviously no transmission of the first message 103 to the applicant registration program 100.
If PEKE is used in the present invention and if the generation of the first message 103 is not done by the issuer, the issuer must somehow receive its contents. One possible arrangement is to let the applicant registration program 100 include the contents of the first message 103 in the second message 104.
This is done in the preferred embodiment, in which case the generating party affixes reference numbers to first messages 103 and keeps a log of the first messages 103. This allows the issuer to audit the generation of first messages 103.
The rationale behind the use of a first message 103 is related to subtle weaknesses in cryptographic protocols and their implementations. For instance, if the issuer does not trust the applicant's processor random source 105, PK-Encr should be avoided. With DH-Harn, a passive eavesdropper to the secret key exchange could notice a failure of the applicant's processor random source where the random output would turn out to be constant among a number of instances of secret key exchange. With PEKE, this is not an issue. The issuer may use discipline in the way first messages 103 are generated to ensure absolute uniqueness or freshness of the secret key generated by instances of the secret key exchange. For uniqueness, the issuer should tag each first message 103 with a serial number and make sure any serial number is used only once. For freshness, the issuer should keep a record of creation times for first messages 103 and reject older ones. In the preferred embodiment, the applicant registration program is trusted to timely request a first message 103 on each instance of secret key exchange, and to discard it once used. Also in the preferred embodiment, a system with a trusted random source may generate first messages 103; and no specific tracking of first messages 103 is needed. With PEKE, the presence of the number xA-,B protects the issuer against "chosen cyphertext attacks" known in the prior art, even if the generation of first message 103 is not done by the issuer.
The present invention may be practiced with the first message 103 being prepared upon request by an applicant, and including data specific to this applicant. Although this may enhance the security of the applicant registration process, it may also increase the administrative workload for the issuer.
An instance of secret key exchange starts with the receipt of the first message 103, if any, and may proceed with the other steps of the applicant registration program 100 whenever triggered by the applicant. The execution of the other steps of the applicant registration program 100 is a controlled computer operation by the applicant. It is the applicant's digital processor that executes the applicant registration program 100.
An instance of secret key exchange includes, as part of the applicant registration program 100, the application of integrity mechanism 107 to recover public key 204 from sealed public key 203. This is the reversal of the transformation that resulted in the "sealed public key" 203. As a consequence of this application of integrity mechanism 107, the applicant registration program 100 may abort the instance of secret key exchange. In cases where the integrity mechanism 107 is not used, the public key 204 is directly available to the applicant registration program 100 as part of the set of parameters.
In the case of DH-Harn, an instance of secret key exchange includes, as part of the applicant registration program 100, the verification of the Lein Ham intriguing digital signature, that is the verification that the numbers s and r from the first message 103 satisfy the appropriate verification equation. See the PKC
specification table under the row heading "Verification of first message".
An instance of secret key exchange also includes, as part of the applicant registration program 100, the receipt of two inputs, respectively pass query and pass reply 209, through keyboard input device 101. The applicant should choose unique and unrelated secret phrases for these two inputs. The pass query 206 and pass reply 209 can be displayed by the applicant registration program 100 instead of being input from the input device 101. Then, randomness and secrecy should surround the generation of the pass query 206 and pass reply 209, to ensure a logical bind or link between this instance of secret key exchange and the displayed values for pass query 206 and pass reply 209.
An instance of secret key exchange also includes, as part of the hybrid public/secret key cryptographic processing 106, the local generation of an internal secret key according to the PKC in use. The random source 105 is used to generate at least one secret or private random number. See the PKC
specification table under the row headings "Internal secret key" and "Length of internal key". With PK-Encr, the random source 105 directly produces the internal secret key. With DH-Harn, the random source 105 produces a private random number e and the internal secret key is computed as re mod p. With PEKE, the random source 105 produces the secret random number XB, and the internal secret key is computed from XB, xA-,B, S, C, N, t, and k. In the preferred embodiment, the size of the public key number N is 768 bits and the number k is about 1/3 of that size, hence k=256.
The preferred embodiment for the random source 105 includes some pseudo-random number generator (PRNG) with state information. The said PRNG state information is stored on a computer hard disk, protected with the Frogbit data integrity algorithm, and varied (using available truly random data) both before and after the random source 105 usage in an instance of secret key exchange.
Still according to the PKC in use and as part of the hybrid public/secret key cryptographic processing 106, the applicant's digital processor prepares some components of the second message 104. See the PKC specification table under the row heading "Second message". With PK-Encr, this second message is the public key encryption of the internal secret key, using public key 204, the cyphertext being included in the second message 104. With DH-Harn, this is the computation of a number f=a e mod p where a and p were part of the set of parameters, according to the known art of the Diffie-Hellman cryptosystem, the number f being included in the second message 104. There is no signature generation from the applicant's digital processor; in other words the Lein Ham's improvement to the Diffie-Hellman cryptosystem is applied only for the issuer.
As is well known in the prior art, the components of the second message 104 prepared in this way allow the issuer data processing center 300 to recover the internal secret key while protecting it from adversaries even if they can eavesdrop on the set of parameters, first message 103, and second message 104.
Other PKCs may be used for the local generation of the internal secret key. A likely candidate is any PKC that is a secret key establishment cryptosystem using a public key 204. For instance, the original Diffie-Hellman cryptosystem can be used directly with the same public key as for the DH-Harn improvement, in which case the internal secret key is computed as y e mod p, where e is generated by the random source 105, and y and p were part of the set of parameters.
Another possible arrangement to obtain the internal secret key would rely on a public/private key pair of the applicant that would not require certification as in the prior art public key cryptography. The presence of this public/private key pair of the applicant would make the random source 105 unnecessary. In this alternate scheme, the issuer public key 204 would be like in the PK-Encr case.
The public component of the public/private key pair of the applicant would be encrypted using the issuer public key 204, and then transmitted to the issuer data processing center 300 where it would be decrypted using the issuer private key 205. Still in the issuer data processing center 300, the function of the random source 105 would be performed, thus generating the internal secret key as if done by the applicant registration program 100 in the PK-Encr case. The internal secret key would then be encrypted using the public component of the public/private key pair of the applicant. The encrypted internal secret key would be sent back to the applicant registration program 100 where the knowledge of the private component of the public/private key pair of applicant would allow the decryption of the internal secret key. It should be clear to one skilled in the art that the confidentiality of the internal secret key is preserved if this instance of secret key establishment is thereafter successfully completed, as long as the private component of the public/private key pair of the applicant remains undisclosed, despite the fact that the issuer has no a-priori knowledge of the public component of the public/private key pair of the applicant.
Still according to the PKC in use and as part of the hybrid public/secret key cryptographic processing 106, the applicant's digital processor derives the secret key 201 from part or all of the internal secret key. This derivation may use any unambiguous specification, as long as it uses no input that is not shared with the issuer data processing center 300. For instance, a pseudo-random generator can be used as an "expander of randomness" if the secret key 201 is very large.
In the preferred embodiment, the secret key 201 is simply a part of the internal secret key distinct from the two parts used respectively for the MAC and the DES encryption.
An instance of secret key exchange includes, as part of the hybrid public/secret key cryptographic processing 106, the cryptographic protection of pass query 206, pass reply 209, and possibly other data 108. This other data may include a serial number of the portable memory device 102, the applicant's name, a conventional PIN (that is a secret PIN known by the applicant and stored in the issuer database) chosen by the applicant at the time of secret key establishment, and the like. This cryptographic protection is done with secret key cryptographic algorithms, possibly with the help of key-less hash functions.
This cryptographic protection uses part or the entire internal secret key. For the pass query 206 and the pass reply 209, this cryptographic protection is confidentiality and data integrity protection. For the other data 108, this cryptographic protection may be what is deserved by a particular application. The result of this cryptographic protection is some cyphertext, and possibly some cleartext along with message authentication code, that goes into second message 104.
In the preferred embodiment, the cryptographic protection starts with the computation of a Message Authentication Code (MAC) of the pass query 206, the pass reply 209, and the other data 108 if any, using CBC-MAC with the DES
algorithm, and using a first part of the internal secret key. Then, DES
encryption with the CBC mode of operation is applied to the pass query 206, the pass reply 209, and any portion of the other data 108 that deserves confidentiality protection, using another part of the internal secret key. Thus, the data elements that go into second message 104 as a result of the cryptographic protection are 1) the cyphertext representation of the encrypted data, 2) the non-encrypted portion, if any, of the other data 108, and 3) the calculated MAC.
An instance of secret key exchange also includes, as part of the applicant registration program 100, the loading of the secret key 201 into the portable memory device 102. This is done by key loader 109 that is any interface, connector, smart card reader apparatus, operating system software driver needed to write data to the actual memory device in use. The key loader 109 may encompass intrinsic security functions such as requesting a PIN to unlock a smart card, or the key-splitting of secret key 201 into two or more parts.
In the preferred embodiment, the key loader 109 splits the secret key 201 into three parts as follows: the key loader 109 accepts a local applicant's PIN
(that is not stored in the issuer database) through the keyboard input device 101, the first component is calculated as kl=hash(PIN) where "hash" is a key-less hash function; the key loader gets a component k2 from the random source 105;
the third component is computed as k3=secret_key XOR kl XOR k2 where secret_key is the secret key 201 and XOR is the exclusive-or operation. The key loader 109 loads the key component k2 into a Dallas Semiconductor DS 1992 memory, and loads the key component k3 into a computer file on the local hard disk. This gives three-factor security: access to the secret key 201 requires 1) knowledge of the local applicant's PIN, 2) access to the Dallas Semiconductor DS 1992 memory, and 3) access to the computer file.
An instance of secret key exchange also includes, as part of the applicant registration program 100, the sending of second message 104 to the issuer data processing center 300, through any ordinary data communications network. Once the second message 104 is received in the issuer data processing center 300, the reversed cryptographic processing 306 may be executed for the instance of secret key exchange characterized by the particular second message 104. The reversed cryptographic processing 306 is essentially the reversal of the hybrid public/secret key cryptographic processing 106. Even if it is a controlled computer operation by the issuer, it can be executed with minimal operator supervision, e.g. as an automated processing upon receipt of an e-mail message containing second message 104.
An instance of secret key exchange includes, as part of the reversed cryptographic processing 306, the reversal of the PKC in use, starting with the private key 205 and recovering the value of the said internal secret key. In the case of PEKE, it is possible for this instance of the secret key exchange to be aborted as a consequence of a suspected security breach detected during the reversal of the PKC in use. See the PKC specification table under the row heading "Verification of second message". With PK-Encr, the reversal of the PKC in use is the public key decryption of the cyphertext found in second message 104. Otherwise, see the PKC specification table under the row heading "Recovery of internal secret key".
From the internal secret key, the reversed cryptographic processing 306 derives the secret key 202, using the same procedures as the hybrid public/secret key cryptographic processing 106. The recovered secret key 202 is stored in the issuer database 303. The secret key status 305 is set to indicate that the verification of applicant's identity is yet to be done.
From the internal secret key, the reversed cryptographic processing 306 moreover reverses the cryptographic protections initially applied to pass query 206, pass reply 209, and possibly other data 108. It is possible for this instance of the secret key exchange to be aborted as a consequence of a suspected security breach detected in this reversal operation. The recovered and verified pass query 207 and pass reply 210 are stored in the issuer database 303.
Once the reversed cryptographic processing 306 is complete, the task of verifying the applicant's identity may be undertaken by an issuer agent. To this end, a display means 301 provides the issuer agent with the human readable form of the query 208, the human readable form of the reply 211, and some relevant applicant identification data. The display means 301 can be a computer screen or a printer. The issuer agent is also provided with an input means 302, possibly with visual feedback 304, with which the issuer agent may input a signal to update the secret key status 305. The update of the key status 305 may indicate successful verification of applicant's identity, and correspondingly the completion of this instance of secret key exchange according to the present invention. The update of the key status 305 may indicate the failure of this instance of secret key exchange. Since the verification of identity is critical for the bind between the secret key 202 and the applicant, the known art of data processing security should be applied to the provision of the human readable form of the query 208, the provision of the human readable form of the reply 211, and the acceptance of the update of the key status 305 through input means 302.
For some uses of the present invention, the computation load of public key cryptography may be a critical design issue, especially if the applicant's digital processor is a low power electronic device. When the PKC is PEKE, the prior art of Montgomery reduction may be applied advantageously in this respect. In this contemplated variant of the present invention, the applicant's processor would do the "modular reduction" operations "mod N" (and respectively "mod S") with the Montgomery algorithm described hereafter. This requires pre-computation of some values, to be stored by the issuer in the set of parameters. Let b be the natural computer word size of the applicant's processor, and n be such that b">N (and respectively s such that bs>S). The values to be pre-computed are Bz" mod N (and respectively B2s mod S) and also No' (and respectively So') to be specified hereafter. Another advantageous change is to replace the PEKE equation B;=x; mod 2k by B;=((x;x(b")) mod N) mod 2'', the latter being more quickly computed by the Montgomery algorithm.
Montgomery multiplication, in the multiple precision case as in the present invention, allows fast modular arithmetic for a modulus N relatively prime to b", where b">N, and arithmetic modulo b is easy (e.g. 276'<N<2768, N
is odd, b=28, n=96, so b"=2'68). Let B=b" (not to be confused with B;, a notation proper to the PEKE specification). Given T satisfying 0<=T<=BxN, the Montgomery reduction algorithm efficiently computes Tx(B-') mod N. Our focus is the modular multiplication, so let T=x'xy' where x'=xxB mod N and y'=yXB mod N; then the Montgomery reduction algorithm efficiently computes x'xy'x(B-') mod N = xxyxB mod N.
Let us use the notation MN,B(X, Y) for the result of XxYx(B-') mod N, using the Montgomery reduction algorithm. Then xxyxB mod N
MN,B(xxB mod N, yxB mod N). To convert an integer x, 0<=x<N, into xxB mod N, compute MN,B(x, Bz mod N). The value BZ mod N should be pre-computed once and for all; this must be done with a general-purpose division operation. To recover x from xxB mod N, compute MN,B(xxB mod N, 1). There are two routes to complete a single modular multiplication: MN,B(MN,B(x,y), BZ mod N) = xxy mod N, or by pre-computing x' = MN,B(x, B2 mod N) and y' =
MN,B(y, Bz mod N), and then MN,B(MN,B(x', y'), 1) = xxy mod N. Whenever a series of multiplication operations is performed on a same set of inputs or intermediate results, the latter route is more efficient. This is the case of the PEKE cryptosystem whenever the PEKE parameter t is greater than 1.
Moreover, if the PEKE equation is changed as suggested above, the PEKE
cryptosystem can be restated as x' = MN,B(x, B2 mod N), xo'=MN,B(x',x'), xi+1'=MN,s(xi',xj'), and B;=x;' mod 2'' .
Now, the internals of the multiprecision Montgomery multiplication algorithm may be stated. There is a need for the value of integer N' such that Bx(B-')-NxN'=1, where Bx(B-') mod N=1. Actually, only the least significant part of N' is needed, hence the definition No'=N' mod b. We reproduce below, in Table 5, the simple algorithm from the above-mentioned article by Dusse and Kaliski to efficiently find No' from No and b, when b is an exact power of two.
Thus, No' can be computed once and for all.
modular_inverse(N,b) Let k be such that b=2k.
t:=1;
fori+-2tokdo if (Noxt mod 2') _ 2'-' t := t+2'-';
return b-t;
Table 5. Algorithm from Dusse and Kaliski In the multiprecision Montgomery multiplication algorithm that follows in Table 6, capital letters are multi-precision variables. The indices are as expected for natural integers, e.g. No is the least significant part of N. The algorithm is an application of the convolution-sum method for the multiplication. The variable c is an accumulator with sufficient capacity for a sum of products and multiple carry bits from the additions (up to 2n of them).
MN,b,n(X,Y) No':= b-(No' mod b);
c.=0;
for kE--0 to n-1 do c := c+Eo<i<k(XiYk-i+QiNk-i);
c := c + XkxYo;
Qk := cxNo' mod b;
c := c +QkxNo;
c .= c/b;
for k<-0 to n-1 do c := c+E k<i<n(Xiyn+k-i+QiNn+k-i);
Rk:=cmodb;
c := Lc/bl Rn = C;
if R_N then R:=R-N;
return R;
Table 6. Multiprecision Montgomery Multiplication Algorithm The variable Rõ is actually a local storage area of this algorithm (like Q
and lower case variables). Consequently, the storage requirement for R is the same as for X and Y. Moreover, if X and Y are the same variable, as in the modular squaring operation of the PEKE cryptosystem, the storage for X, Y, and R can be the same.
the third component is computed as k3=secret_key XOR kl XOR k2 where secret_key is the secret key 201 and XOR is the exclusive-or operation. The key loader 109 loads the key component k2 into a Dallas Semiconductor DS 1992 memory, and loads the key component k3 into a computer file on the local hard disk. This gives three-factor security: access to the secret key 201 requires 1) knowledge of the local applicant's PIN, 2) access to the Dallas Semiconductor DS 1992 memory, and 3) access to the computer file.
An instance of secret key exchange also includes, as part of the applicant registration program 100, the sending of second message 104 to the issuer data processing center 300, through any ordinary data communications network. Once the second message 104 is received in the issuer data processing center 300, the reversed cryptographic processing 306 may be executed for the instance of secret key exchange characterized by the particular second message 104. The reversed cryptographic processing 306 is essentially the reversal of the hybrid public/secret key cryptographic processing 106. Even if it is a controlled computer operation by the issuer, it can be executed with minimal operator supervision, e.g. as an automated processing upon receipt of an e-mail message containing second message 104.
An instance of secret key exchange includes, as part of the reversed cryptographic processing 306, the reversal of the PKC in use, starting with the private key 205 and recovering the value of the said internal secret key. In the case of PEKE, it is possible for this instance of the secret key exchange to be aborted as a consequence of a suspected security breach detected during the reversal of the PKC in use. See the PKC specification table under the row heading "Verification of second message". With PK-Encr, the reversal of the PKC in use is the public key decryption of the cyphertext found in second message 104. Otherwise, see the PKC specification table under the row heading "Recovery of internal secret key".
From the internal secret key, the reversed cryptographic processing 306 derives the secret key 202, using the same procedures as the hybrid public/secret key cryptographic processing 106. The recovered secret key 202 is stored in the issuer database 303. The secret key status 305 is set to indicate that the verification of applicant's identity is yet to be done.
From the internal secret key, the reversed cryptographic processing 306 moreover reverses the cryptographic protections initially applied to pass query 206, pass reply 209, and possibly other data 108. It is possible for this instance of the secret key exchange to be aborted as a consequence of a suspected security breach detected in this reversal operation. The recovered and verified pass query 207 and pass reply 210 are stored in the issuer database 303.
Once the reversed cryptographic processing 306 is complete, the task of verifying the applicant's identity may be undertaken by an issuer agent. To this end, a display means 301 provides the issuer agent with the human readable form of the query 208, the human readable form of the reply 211, and some relevant applicant identification data. The display means 301 can be a computer screen or a printer. The issuer agent is also provided with an input means 302, possibly with visual feedback 304, with which the issuer agent may input a signal to update the secret key status 305. The update of the key status 305 may indicate successful verification of applicant's identity, and correspondingly the completion of this instance of secret key exchange according to the present invention. The update of the key status 305 may indicate the failure of this instance of secret key exchange. Since the verification of identity is critical for the bind between the secret key 202 and the applicant, the known art of data processing security should be applied to the provision of the human readable form of the query 208, the provision of the human readable form of the reply 211, and the acceptance of the update of the key status 305 through input means 302.
For some uses of the present invention, the computation load of public key cryptography may be a critical design issue, especially if the applicant's digital processor is a low power electronic device. When the PKC is PEKE, the prior art of Montgomery reduction may be applied advantageously in this respect. In this contemplated variant of the present invention, the applicant's processor would do the "modular reduction" operations "mod N" (and respectively "mod S") with the Montgomery algorithm described hereafter. This requires pre-computation of some values, to be stored by the issuer in the set of parameters. Let b be the natural computer word size of the applicant's processor, and n be such that b">N (and respectively s such that bs>S). The values to be pre-computed are Bz" mod N (and respectively B2s mod S) and also No' (and respectively So') to be specified hereafter. Another advantageous change is to replace the PEKE equation B;=x; mod 2k by B;=((x;x(b")) mod N) mod 2'', the latter being more quickly computed by the Montgomery algorithm.
Montgomery multiplication, in the multiple precision case as in the present invention, allows fast modular arithmetic for a modulus N relatively prime to b", where b">N, and arithmetic modulo b is easy (e.g. 276'<N<2768, N
is odd, b=28, n=96, so b"=2'68). Let B=b" (not to be confused with B;, a notation proper to the PEKE specification). Given T satisfying 0<=T<=BxN, the Montgomery reduction algorithm efficiently computes Tx(B-') mod N. Our focus is the modular multiplication, so let T=x'xy' where x'=xxB mod N and y'=yXB mod N; then the Montgomery reduction algorithm efficiently computes x'xy'x(B-') mod N = xxyxB mod N.
Let us use the notation MN,B(X, Y) for the result of XxYx(B-') mod N, using the Montgomery reduction algorithm. Then xxyxB mod N
MN,B(xxB mod N, yxB mod N). To convert an integer x, 0<=x<N, into xxB mod N, compute MN,B(x, Bz mod N). The value BZ mod N should be pre-computed once and for all; this must be done with a general-purpose division operation. To recover x from xxB mod N, compute MN,B(xxB mod N, 1). There are two routes to complete a single modular multiplication: MN,B(MN,B(x,y), BZ mod N) = xxy mod N, or by pre-computing x' = MN,B(x, B2 mod N) and y' =
MN,B(y, Bz mod N), and then MN,B(MN,B(x', y'), 1) = xxy mod N. Whenever a series of multiplication operations is performed on a same set of inputs or intermediate results, the latter route is more efficient. This is the case of the PEKE cryptosystem whenever the PEKE parameter t is greater than 1.
Moreover, if the PEKE equation is changed as suggested above, the PEKE
cryptosystem can be restated as x' = MN,B(x, B2 mod N), xo'=MN,B(x',x'), xi+1'=MN,s(xi',xj'), and B;=x;' mod 2'' .
Now, the internals of the multiprecision Montgomery multiplication algorithm may be stated. There is a need for the value of integer N' such that Bx(B-')-NxN'=1, where Bx(B-') mod N=1. Actually, only the least significant part of N' is needed, hence the definition No'=N' mod b. We reproduce below, in Table 5, the simple algorithm from the above-mentioned article by Dusse and Kaliski to efficiently find No' from No and b, when b is an exact power of two.
Thus, No' can be computed once and for all.
modular_inverse(N,b) Let k be such that b=2k.
t:=1;
fori+-2tokdo if (Noxt mod 2') _ 2'-' t := t+2'-';
return b-t;
Table 5. Algorithm from Dusse and Kaliski In the multiprecision Montgomery multiplication algorithm that follows in Table 6, capital letters are multi-precision variables. The indices are as expected for natural integers, e.g. No is the least significant part of N. The algorithm is an application of the convolution-sum method for the multiplication. The variable c is an accumulator with sufficient capacity for a sum of products and multiple carry bits from the additions (up to 2n of them).
MN,b,n(X,Y) No':= b-(No' mod b);
c.=0;
for kE--0 to n-1 do c := c+Eo<i<k(XiYk-i+QiNk-i);
c := c + XkxYo;
Qk := cxNo' mod b;
c := c +QkxNo;
c .= c/b;
for k<-0 to n-1 do c := c+E k<i<n(Xiyn+k-i+QiNn+k-i);
Rk:=cmodb;
c := Lc/bl Rn = C;
if R_N then R:=R-N;
return R;
Table 6. Multiprecision Montgomery Multiplication Algorithm The variable Rõ is actually a local storage area of this algorithm (like Q
and lower case variables). Consequently, the storage requirement for R is the same as for X and Y. Moreover, if X and Y are the same variable, as in the modular squaring operation of the PEKE cryptosystem, the storage for X, Y, and R can be the same.
Claims (16)
1. A method of establishing a secret cryptographic key shared between an applicant and an issuer comprising the steps of:
providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability:
generating said secret key using at least some random information at an applicant end;
generating a pass reply message using at least some arbitrary information at said applicant end;
encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means;
decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
receiving a communication from said applicant at said issuer end separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability:
generating said secret key using at least some random information at an applicant end;
generating a pass reply message using at least some arbitrary information at said applicant end;
encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means;
decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
receiving a communication from said applicant at said issuer end separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
2. The method according to claim 1, wherein said step of confirming comprises displaying said pass reply decrypted to an agent at said issuer end.
3. The method according to claim 1 or 2, wherein said step of receiving a communication from said applicant comprises establishing telephonic communication with an agent at said issuer end and said applicant.
4. The method according to claim 3, further comprising a step of generating a pass query, wherein said step of encrypting comprises encrypting said pass query, said step of decrypting comprises decrypting said pass query, and further comprising a step of communicating said pass query to said applicant from said issuer end prior to receiving said pass reply in said communication, whereby said applicant is reassured that said issuer is genuine as a result of hearing said pass query, and feels safe to proceed with giving said pass reply.
5. The method according to claim 4, wherein said step of communicating comprises displaying said pass query decrypted to said agent.
6. The method according to claim 3, 4 or 5, wherein said agent is provided with some personal identification information about said applicant, said step of confirming further comprising said agent asking a personal identification question to said applicant and listening for a correct response.
7. The method according to one of claims 1 to 6, wherein said pass reply is input by said applicant.
8. The method according to one of claims 1 to 6, wherein said pass reply is displayed to said applicant.
9. The method according to one of claims 1 to 8, further comprising a step of selecting a personal identification number (PIN) for said applicant, wherein said step encrypting further comprises encrypting said PIN, said step of decrypting further comprises decrypting said PIN, said PIN being stored at said issuer end for use in verification of future transactions.
10. The method according to one of claims 1 to 9, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device.
11. A method of applying for approval of a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of:
providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability;
generating, at said applicant end, said secret key using at least some random information;
generating, at said applicant end, a pass reply message using at least some arbitrary information;
encrypting, at said applicant end, said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means;
communicating said pass reply to said issuer end separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply.
providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability;
generating, at said applicant end, said secret key using at least some random information;
generating, at said applicant end, a pass reply message using at least some arbitrary information;
encrypting, at said applicant end, said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means;
communicating said pass reply to said issuer end separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply.
12. The method according to claim 11, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device.
13. A method of approving a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of:
receiving at least one encryption message from said applicant by telecommunications means, said message including an encryption of a secret key and a pass reply using public key encryption with a public key of said issuer, said message including information allowing said issuer to identify said applicant;
decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer;
receiving a communication from said applicant separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
receiving at least one encryption message from said applicant by telecommunications means, said message including an encryption of a secret key and a pass reply using public key encryption with a public key of said issuer, said message including information allowing said issuer to identify said applicant;
decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer;
receiving a communication from said applicant separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
14. A system for establishing a secret cryptographic key shared between an applicant and an issuer comprising:
applicant registration means having a public key of said issuer and public key encryption capability for generating said secret key using at least some random information at an applicant end, for generating a pass reply message using at least some arbitrary information at said applicant end, and for encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
means for sending said encryption message to said issuer by telecommunications means;
means for decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
means for receiving a communication from said applicant at said issuer end separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
means for confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
applicant registration means having a public key of said issuer and public key encryption capability for generating said secret key using at least some random information at an applicant end, for generating a pass reply message using at least some arbitrary information at said applicant end, and for encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
means for sending said encryption message to said issuer by telecommunications means;
means for decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
means for receiving a communication from said applicant at said issuer end separate from said encryption message over a channel which said issuer believes to be genuinely from said applicant, said communication containing said pass reply;
means for confirming a validity of said secret key at least with said issuer if said pass reply received during said communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
15. A system for approving a secret cryptographic key to be shared between an applicant and an issuer comprising:
receiver means for receiving at least one encryption message from said applicant by telecommunication, said message including an encryption of a secret key and a pass reply using a public key of said issuer, said message including information allowing said issuer to identify said applicant;
means for decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer;
confirmation input means for approval of said secret key;
whereby said approval is determined by a comparison by said issuer of said pass reply as decrypted and said pass reply communicated to said issuer separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant.
receiver means for receiving at least one encryption message from said applicant by telecommunication, said message including an encryption of a secret key and a pass reply using a public key of said issuer, said message including information allowing said issuer to identify said applicant;
means for decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer;
confirmation input means for approval of said secret key;
whereby said approval is determined by a comparison by said issuer of said pass reply as decrypted and said pass reply communicated to said issuer separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant.
16. An applicant registration product for use in applying for approval of a secret cryptographic key to be shared between an applicant and an issuer, the product comprising data specifying a computer program which, when interpreted by a digital processing system compatible with the programming conventions of said computer program, makes the digital processing system perform the following steps:
generating said secret key using at least some random information;
generating a pass reply message using at least some arbitrary information including a pass reply;
encrypting said secret key and said pass reply using a public key of said issuer to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means, whereby approval of said secret key is determined by a comparison by said issuer of said pass reply as decrypted at an issuer end and said pass reply communicated to said issuer separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant.
generating said secret key using at least some random information;
generating a pass reply message using at least some arbitrary information including a pass reply;
encrypting said secret key and said pass reply using a public key of said issuer to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
sending said encryption message to said issuer by telecommunications means, whereby approval of said secret key is determined by a comparison by said issuer of said pass reply as decrypted at an issuer end and said pass reply communicated to said issuer separately from said encryption message over a channel which said issuer believes to be genuinely from said applicant.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US4604797P | 1997-05-09 | 1997-05-09 | |
| US60/046,047 | 1997-05-09 | ||
| PCT/CA1998/000431 WO1998052316A1 (en) | 1997-05-09 | 1998-05-07 | Initial secret key establishment including facilities for verification of identity |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2289452A1 CA2289452A1 (en) | 1998-11-19 |
| CA2289452C true CA2289452C (en) | 2008-07-29 |
Family
ID=21941295
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002289452A Expired - Fee Related CA2289452C (en) | 1997-05-09 | 1998-05-07 | Initial secret key establishment including facilities for verification of identity |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US6061791A (en) |
| EP (1) | EP1000481A1 (en) |
| AU (1) | AU733803B2 (en) |
| BR (1) | BR9809272A (en) |
| CA (1) | CA2289452C (en) |
| WO (1) | WO1998052316A1 (en) |
Families Citing this family (68)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10361802B1 (en) | 1999-02-01 | 2019-07-23 | Blanding Hovenweep, Llc | Adaptive pattern recognition based control system and method |
| ES2248893T3 (en) * | 1997-03-04 | 2006-03-16 | Atx Europe Gmbh | PROCEDURE TO ENTER A SERVICE CODE IN A TERMINAL AND DEVICES TO CARRY OUT THE PROCEDURE. |
| US7403922B1 (en) * | 1997-07-28 | 2008-07-22 | Cybersource Corporation | Method and apparatus for evaluating fraud risk in an electronic commerce transaction |
| EP1027784B2 (en) * | 1997-10-28 | 2010-05-26 | First Data Mobile Holdings Limited | Method for digital signing of a message |
| US6374355B1 (en) * | 1998-07-31 | 2002-04-16 | Lucent Technologies Inc. | Method for securing over-the-air communication in a wireless system |
| US7386727B1 (en) | 1998-10-24 | 2008-06-10 | Encorus Holdings Limited | Method for digital signing of a message |
| US6938154B1 (en) | 2000-06-19 | 2005-08-30 | Xerox Corporation | System, method and article of manufacture for a cryptographic key infrastructure for networked devices |
| KR100505103B1 (en) * | 1999-10-11 | 2005-07-29 | 삼성전자주식회사 | Memory stick for universal serial bus |
| US6895391B1 (en) * | 1999-11-09 | 2005-05-17 | Arcot Systems, Inc. | Method and system for secure authenticated payment on a computer network |
| US7024557B1 (en) * | 1999-12-30 | 2006-04-04 | Samsung Electronics Co., Ltd. | System and method for secure provisioning of a mobile station from a provisioning server using encryption |
| GB0004178D0 (en) * | 2000-02-22 | 2000-04-12 | Nokia Networks Oy | Integrity check in a communication system |
| FI111207B (en) * | 2000-03-24 | 2003-06-13 | Smarttrust Systems Oy | Handling a message |
| FR2810139B1 (en) * | 2000-06-08 | 2002-08-23 | Bull Cp8 | METHOD FOR SECURING THE PRE-INITIALIZATION PHASE OF AN ON-BOARD ELECTRONIC CHIP SYSTEM, ESPECIALLY A CHIP CARD, AND ON-BOARD SYSTEM IMPLEMENTING THE METHOD |
| US7421583B1 (en) | 2000-06-19 | 2008-09-02 | Xerox Corp | System, method and article of manufacture for determining a price of cryptograph IC services based on a computational burden thereof |
| US6754821B1 (en) | 2000-06-19 | 2004-06-22 | Xerox Corporation | System, method and article of manufacture for transition state-based cryptography |
| US7051199B1 (en) | 2000-06-19 | 2006-05-23 | Xerox Corporation | System, method and article of manufacture for providing cryptographic services utilizing a network |
| US6990468B1 (en) * | 2000-06-19 | 2006-01-24 | Xerox Corporation | System, method and article of manufacture for cryptoserver-based auction |
| KR20010016233A (en) * | 2000-11-24 | 2001-03-05 | 김동균 | Coding chatting system |
| US20020106085A1 (en) * | 2001-01-05 | 2002-08-08 | Sandeep Jain | Security breach management |
| US6934389B2 (en) * | 2001-03-02 | 2005-08-23 | Ati International Srl | Method and apparatus for providing bus-encrypted copy protection key to an unsecured bus |
| US7181017B1 (en) | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
| US7676430B2 (en) * | 2001-05-09 | 2010-03-09 | Lenovo (Singapore) Ptd. Ltd. | System and method for installing a remote credit card authorization on a system with a TCPA complaint chipset |
| US7995603B2 (en) * | 2001-05-22 | 2011-08-09 | Nds Limited | Secure digital content delivery system and method over a broadcast network |
| FI114062B (en) * | 2001-06-08 | 2004-07-30 | Nokia Corp | Method for ensuring the security of the communication, the communication system and the communication device |
| JP2003101523A (en) * | 2001-09-21 | 2003-04-04 | Fujitsu Ltd | Communication network system and communication method having concealment function |
| CA2463504C (en) * | 2001-10-12 | 2013-02-19 | Geo Trust, Inc. | Methods and systems for automated authentication, processing and issuance of digital certificates |
| NO20015812A (en) * | 2001-11-28 | 2003-03-10 | Telenor Asa | Registration and activation of electronic certificates |
| US7937089B2 (en) * | 2002-02-06 | 2011-05-03 | Palo Alto Research Center Incorporated | Method, apparatus, and program product for provisioning secure wireless sensors |
| FR2837336B1 (en) * | 2002-03-15 | 2006-03-03 | Oberthur Card Syst Sa | METHOD OF EXCHANGING AUTHENTICATION INFORMATION BETWEEN A COMMUNICATION ENTITY AND A SERVER-OPERATOR |
| JP4474845B2 (en) * | 2002-06-12 | 2010-06-09 | 株式会社日立製作所 | Authentication infrastructure system with CRL issue notification function |
| US6837425B2 (en) | 2002-09-13 | 2005-01-04 | Visa U.S.A. Inc. | Compact protocol and solution for substantially offline messaging between portable consumer device and based device |
| US9818136B1 (en) | 2003-02-05 | 2017-11-14 | Steven M. Hoffberg | System and method for determining contingent relevance |
| US20040225709A1 (en) * | 2003-05-06 | 2004-11-11 | Joseph Kubler | Automatically configuring security system |
| US20050039057A1 (en) * | 2003-07-24 | 2005-02-17 | Amit Bagga | Method and apparatus for authenticating a user using query directed passwords |
| US7353468B2 (en) * | 2003-09-26 | 2008-04-01 | Ferguson John G | Secure exchange of information in electronic design automation |
| US7222312B2 (en) * | 2003-09-26 | 2007-05-22 | Ferguson John G | Secure exchange of information in electronic design automation |
| US20060259978A1 (en) * | 2003-09-26 | 2006-11-16 | Pikus Fedor G | Secure exchange of information in electronic design automation with license-related key generation |
| WO2005050489A1 (en) * | 2003-11-13 | 2005-06-02 | Commvault Systems, Inc. | System and method for stored data archive verification |
| JP3761557B2 (en) * | 2004-04-08 | 2006-03-29 | 株式会社日立製作所 | Key distribution method and system for encrypted communication |
| US7464267B2 (en) * | 2004-11-01 | 2008-12-09 | Innomedia Pte Ltd. | System and method for secure transmission of RTP packets |
| CA2586816C (en) * | 2004-11-11 | 2013-03-26 | Certicom Corp. | Secure interface for versatile key derivation function support |
| ATE478489T1 (en) * | 2005-02-14 | 2010-09-15 | Irdeto Access Bv | METHOD FOR CONTROLLING COMMUNICATION BETWEEN A HEADEND SYSTEM AND SEVERAL CUSTOMER SYSTEMS |
| US8291224B2 (en) | 2005-03-30 | 2012-10-16 | Wells Fargo Bank, N.A. | Distributed cryptographic management for computer systems |
| US7779456B2 (en) * | 2005-04-27 | 2010-08-17 | Gary M Dennis | System and method for enhanced protection and control over the use of identity |
| CA2511366A1 (en) * | 2005-06-30 | 2005-10-16 | Thierry Moreau | Trust anchor key cryptogram and cryptoperiod management method |
| FR2890267B1 (en) * | 2005-08-26 | 2007-10-05 | Viaccess Sa | METHOD FOR ESTABLISHING A SESSION KEY AND UNITS FOR IMPLEMENTING THE METHOD |
| DE102005046353A1 (en) * | 2005-09-28 | 2007-03-29 | Giesecke & Devrient Gmbh | Cryptographic production key transmission method, involves encoding production key from transmission using key, and decoding production key after transmission using another key, where two keys are different |
| US8874477B2 (en) | 2005-10-04 | 2014-10-28 | Steven Mark Hoffberg | Multifactorial optimization system and method |
| GB2431250A (en) * | 2005-10-11 | 2007-04-18 | Hewlett Packard Development Co | Data transfer system |
| US20090222927A1 (en) * | 2006-04-30 | 2009-09-03 | Pikus Fedor G | Concealment of Information in Electronic Design Automation |
| US9002018B2 (en) * | 2006-05-09 | 2015-04-07 | Sync Up Technologies Corporation | Encryption key exchange system and method |
| JP4994741B2 (en) * | 2006-08-08 | 2012-08-08 | キヤノン株式会社 | Communication encryption processing device |
| US7822207B2 (en) * | 2006-12-22 | 2010-10-26 | Atmel Rousset S.A.S. | Key protection mechanism |
| US20090060183A1 (en) * | 2007-08-29 | 2009-03-05 | Dynasig Corporation | Private lock infrastructure |
| CA2621147C (en) * | 2008-02-15 | 2013-10-08 | Connotech Experts-Conseils Inc. | Method of bootstrapping an authenticated data session configuration |
| US7522723B1 (en) * | 2008-05-29 | 2009-04-21 | Cheman Shaik | Password self encryption method and system and encryption by keys generated from personal secret information |
| US9191200B1 (en) | 2010-10-07 | 2015-11-17 | L-3 Communications Corp. | System and method for changing the security level of a communications terminal during operation |
| US20130055369A1 (en) * | 2011-08-24 | 2013-02-28 | Mcafee, Inc. | System and method for day-zero authentication of activex controls |
| US9172529B2 (en) * | 2011-09-16 | 2015-10-27 | Certicom Corp. | Hybrid encryption schemes |
| US20130226812A1 (en) * | 2012-02-24 | 2013-08-29 | Mads Landrok | Cloud proxy secured mobile payments |
| US9811827B2 (en) | 2012-02-28 | 2017-11-07 | Google Inc. | System and method for providing transaction verification |
| US8819427B2 (en) * | 2012-06-15 | 2014-08-26 | Iolo Technologies, Llc | Device specific secure licensing |
| RU2562913C2 (en) * | 2013-03-29 | 2015-09-10 | Виталий Олегович Клебан | System for monitoring mobile personnel |
| CN104348610A (en) * | 2013-07-31 | 2015-02-11 | 中国银联股份有限公司 | Method and system for securely transmitting transaction sensitive data based on cloud POS |
| US9954848B1 (en) | 2014-04-04 | 2018-04-24 | Wells Fargo Bank, N.A. | Central cryptographic management for computer systems |
| US9288043B1 (en) * | 2014-10-17 | 2016-03-15 | Motorola Solutions, Inc. | Methods and systems for providing high-security cryptographic keys to mobile radios |
| US10382413B1 (en) | 2016-12-23 | 2019-08-13 | Cisco Technology, Inc. | Secure bootstrapping of client device with trusted server provided by untrusted cloud service |
| US11093627B2 (en) | 2018-10-31 | 2021-08-17 | L3 Technologies, Inc. | Key provisioning |
Family Cites Families (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4200770A (en) * | 1977-09-06 | 1980-04-29 | Stanford University | Cryptographic apparatus and method |
| US4405829A (en) * | 1977-12-14 | 1983-09-20 | Massachusetts Institute Of Technology | Cryptographic communications system and method |
| US5020105A (en) * | 1986-06-16 | 1991-05-28 | Applied Information Technologies Corporation | Field initialized authentication system for protective security of electronic information networks |
| US4771461A (en) * | 1986-06-27 | 1988-09-13 | International Business Machines Corporation | Initialization of cryptographic variables in an EFT/POS network with a large number of terminals |
| DE3919734C1 (en) * | 1989-06-16 | 1990-12-06 | Siemens Ag, 1000 Berlin Und 8000 Muenchen, De | |
| JPH04143881A (en) * | 1990-10-05 | 1992-05-18 | Toshiba Corp | Mutual authenticating system |
| US5142578A (en) * | 1991-08-22 | 1992-08-25 | International Business Machines Corporation | Hybrid public key algorithm/data encryption algorithm key distribution method based on control vectors |
| SE468068C (en) * | 1991-09-30 | 1994-01-13 | Comvik Gsm Ab | Procedure for personalization of an active card, for use in a mobile telephone system |
| US5179591A (en) * | 1991-10-16 | 1993-01-12 | Motorola, Inc. | Method for algorithm independent cryptographic key management |
| DE69331006D1 (en) * | 1992-03-30 | 2001-11-29 | Telstra Corp Ltd | SECRET TRANSFER METHOD AND SYSTEM |
| JPH0697931A (en) * | 1992-09-14 | 1994-04-08 | Fujitsu Ltd | Personal communication terminal registration control system |
| US5375159A (en) * | 1992-09-29 | 1994-12-20 | C & P Of Virginia | System and method for remote testing and protocol analysis of communication lines |
| EP0658021B1 (en) * | 1993-12-08 | 2001-03-28 | International Business Machines Corporation | A method and system for key distribution and authentication in a data communication network |
| US5535276A (en) * | 1994-11-09 | 1996-07-09 | Bell Atlantic Network Services, Inc. | Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography |
| GB9422389D0 (en) * | 1994-11-05 | 1995-01-04 | Int Computers Ltd | Authenticating access control for sensitive functions |
| US5583939A (en) * | 1995-06-01 | 1996-12-10 | Chung N. Chang | Secure, swift cryptographic key exchange |
| CA2156780A1 (en) * | 1995-08-23 | 1995-09-23 | Thierry Moreau | Apparatus and method for cryptographic system users to obtain a jointly determined, secret, shared and unique bit string |
| US5680458A (en) * | 1995-11-14 | 1997-10-21 | Microsoft Corporation | Root key compromise recovery |
| US5768373A (en) * | 1996-05-06 | 1998-06-16 | Symantec Corporation | Method for providing a secure non-reusable one-time password |
| CA2177622A1 (en) * | 1996-05-29 | 1997-11-30 | Thierry Moreau | Cryptographic data integrity apparatus and method based on pseudo-random bit generators |
| US5784463A (en) * | 1996-12-04 | 1998-07-21 | V-One Corporation | Token distribution, registration, and dynamic configuration of user entitlement for an application level security system and method |
| US5875394A (en) * | 1996-12-27 | 1999-02-23 | At & T Wireless Services Inc. | Method of mutual authentication for secure wireless service provision |
-
1998
- 1998-05-07 WO PCT/CA1998/000431 patent/WO1998052316A1/en not_active Application Discontinuation
- 1998-05-07 AU AU72026/98A patent/AU733803B2/en not_active Ceased
- 1998-05-07 BR BR9809272-3A patent/BR9809272A/en not_active IP Right Cessation
- 1998-05-07 EP EP98919012A patent/EP1000481A1/en not_active Withdrawn
- 1998-05-07 CA CA002289452A patent/CA2289452C/en not_active Expired - Fee Related
-
1999
- 1999-04-22 US US09/296,378 patent/US6061791A/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| CA2289452A1 (en) | 1998-11-19 |
| AU7202698A (en) | 1998-12-08 |
| AU733803B2 (en) | 2001-05-24 |
| WO1998052316A1 (en) | 1998-11-19 |
| EP1000481A1 (en) | 2000-05-17 |
| US6061791A (en) | 2000-05-09 |
| BR9809272A (en) | 2000-06-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2289452C (en) | Initial secret key establishment including facilities for verification of identity | |
| US11394697B2 (en) | Efficient methods for authenticated communication | |
| US6240187B1 (en) | Key replacement in a public key cryptosystem | |
| EP1873960B1 (en) | Method for session key derivation in a IC card | |
| US6119227A (en) | Methods and apparatus for authenticating an originator of a message | |
| US4736423A (en) | Technique for reducing RSA Crypto variable storage | |
| US6738912B2 (en) | Method for securing data relating to users of a public-key infrastructure | |
| US6269445B1 (en) | Electronic shopping method, electronic shopping system and document authenticating method relating thereto | |
| CA2182173C (en) | Efficient electronic money | |
| US8190893B2 (en) | Portable security transaction protocol | |
| US7490069B2 (en) | Anonymous payment with a verification possibility by a defined party | |
| US20070050300A1 (en) | Electronic cash system | |
| US10089627B2 (en) | Cryptographic authentication and identification method using real-time encryption | |
| US20040165728A1 (en) | Limiting service provision to group members | |
| JPS61188666A (en) | Personal identification number validation | |
| NO332206B1 (en) | Document authentication method and device | |
| JPH113033A (en) | Method for identifying client for client-server electronic transaction, smart card and server relating to the same, and method and system for deciding approval for co-operation by user and verifier | |
| JP3812123B2 (en) | Authentication method and apparatus | |
| JPH09233068A (en) | Electronic verification system | |
| US7640432B2 (en) | Electronic cash controlled by non-homomorphic signatures | |
| CN114565382A (en) | Transaction account anonymous payment method and system | |
| JP3497936B2 (en) | Personal authentication method | |
| EP1267516A2 (en) | Method for securing data relating to users of a public-key infrastructure | |
| CN113793149A (en) | Off-line transaction authentication system and method, central server and client | |
| JP2000067134A (en) | Fond moving destination information acquiring method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20140507 |