As remote access to computer systems and applications grows in popularity, the number and variety of transactions which are accessed remotely over public networks such as the Internet have increased dramatically. This popularity has underlined a need for security; in particular: how to ensure that people who are remotely accessing an application are who they claim they are, how to ensure that transactions being conducted remotely are initiated by legitimate individuals, how to ensure that transaction data has not been altered before being received at an application server, and how to guarantee that an individual, once having engaged in a transaction, is not in a position to repudiate it.
In the past, application providers have relied on static passwords to provide the security for remote applications. In recent years it has become evident that static passwords are not sufficient and that more advanced security technology is required.
One solution is to digitally sign data such as electronic files (e.g., an electronic document) using an asymmetric digital signing algorithm that is parameterized with the private key of a public-private key pair. This may for example happen using a Public Key Infrastructure (PKI). In a Public Key Infrastructure one associates a public-private key pair with each user. The key pair is associated with a certificate (issued by a trusted Certificate Authority) that binds that public-private key pair to a specific user. By using asymmetric cryptography this public-private key pair can be used to: authenticate the user; sign transactions, documents, e-mails (so as to prevent repudiation); set up encrypted communication channels; and decrypt messages or documents that have been encrypted by a sender using the public key of the recipient.
In many cases a user interacts with an application using a general purpose computing device (such as for example a personal computer). At some point in the interaction with the application, the user may be requested to electronically sign an electronic file with a private key associated with the user.
For security purposes the private key of the user is often stored on a separate key storage device that is adapted to securely store a private key of a user. In most cases the key storage device is also adapted to carry out cryptographic calculations according to an asymmetric cryptographic algorithm using the stored private key. Examples of such key storage devices include PKI smart cards and PKI USB (Universal Serial Bus) tokens. Usually the general purpose computer of the user interacts with a smart card using a smart card reader. In most cases these smart card readers have to be connected to the general purpose computer with a USB interface. PKI USB tokens often combine the functionality of a USB smart card reader and a PKI smart card in a single dongle-like device.
In most cases the application interfaces through a standard cryptographic API (Application Programming Interface), such as for example MS-CAPI (Microsoft Cryptography API) or PKCS#11 (Public Key Cryptographic Standard 11), with a cryptographic library that offers high level cryptographic services to the application (such as signing or decrypting an electronic file). The cryptographic library translates the high level application requests into a series of commands and responses that it exchanges with the smart card of the user that holds the private key associated with the user.
There are however a number of problems with this solution. For the solution to work, the PC (Personal Computer) that the user uses must have such a cryptographic library, but many PCs don't have such a cryptographic library by default, which means that the user must install a cryptographic library. Additionally, in practice the interface between a smart card and the cryptographic library is not standardized, which means that the user must install the specific cryptographic library that is compatible with the specific smart card of the user. Moreover, while most PCs do support USB, they often don't have support by default for USB smart card readers, so that the user must also install a USB driver for smart card readers that is compatible with the smart card reader that happens to be available to the user. In practice this combination of installation requirements often turns out either to be too complicated for many users in the first place or to result in failed installations, leading to unreliable or even non-working systems.
What is needed is a solution for signing electronic files with the private key of a user that doesn't require the user to install specific hardware and software on the general purpose computing device of the user.