1. Field of the Invention
The present invention relates to a technique for permitting X.509 certificates to utilize more than a single encryption algorithm. More particularly, the present invention relates to a technique by which a certificate may be extended to support a second encryption algorithm while not requiring a new certificate hierarchy and while maintaining backward compatibility.
2. Description of the Related Art
Security for transactions and documents transmitted over networks such as the Internet have been a stumbling block to having true end-to-end e-commerce. Security flaws in existing systems are well documented, and security which is transparent to the public has been difficult to implement. Thus, many people feel less than secure about sending credit card numbers and the like to merchants via the Internet.
More recently, to address this problem, the companies which produce the VISA and MasterCard credit cards jointly came up with an end-to-end specification for securely transmitting credit card numbers and information as part of electronic transactions over the Internet. This specification, known as SET (Secure Electronic Transactions), was first introduced in 1997 (SET is a trademark of SET Secure Electronic Transaction LLC).
The SET specification relies on the concept of certificates, which are issued to merchants, credit card holders, credit card issuers, etc. Certificates are subject to verification based on their ‘signature’, and are encrypted. The standard certificate type which is used in known as the X.509 certificate.
One drawback to X.509 certificates is that they support only a single encryption algorithm at a time. Also, some encryption algorithms perform better in some environments. Recent highly publicized events have shown that some encryption algorithms can be broken if enough resources are thrown at them. This is not well received by the public. However, it has been demonstrated that most unscrupulous parties have only limited resources. And if the effort to decrypt a certificate outweighs the potential reward, no attempt will be made to break the encryption. In this regard, SET certificates are somewhat vulnerable. The certificates support only a single encryption algorithm, and most certificates use only a single, known standard algorithm. So, while it is not easy, a party bent on decrypting a certificate can intercept a certificate on the Internet and have a pretty good idea of which algorithm is employed. By employing the extensive resources required to decrypt the certificate, the party can then succeed in decrypting the certificate.
Accordingly, a need exists for making X.509 certificates support additional cryptographic algorithms.