In the modern telecommunications space, there are numerous scenarios in which it is desirable to be able to securely store and exchange message content between parties. Scenarios in which this type of functionality is desired include, but are not limited to: electronic commerce, in which the message content may include an asset value or monetary amount; electronic voting, in which the message content may include a voter's election; and remote telemetry, in which the message content may include sensor data and/or control commands.
In all such scenarios, message content is stored in a storage media that is “owned” by a party, and it is desired to transfer or send some or all of that message content to a storage media “owned” by another party. The storage media in each case may take any desired form including, for example, a non-volatile memory. The parties involved may be actual people or organizations, or, particularly in the case of remote telemetry systems and the like, an identified station or piece of equipment.
In the context of the present specification, the secure storage and exchange of message contents means that the mechanism for storing and exchanging message content reflects or embodies at least some of the following values:
Message Integrity: When message content is to be transferred from one party to another, a message may be generated which contains the desired message content. It should be computationally infeasible to modify that message in a manner that cannot be detected by a party who subsequently receives that message.
Security: it should be computationally infeasible for a party to obtain unauthorized access to message content within a storage media. Similarly, in a case where a party improperly receives message content addressed to another party, it should be computationally infeasible for the receiving party to improperly store that message content to their own storage media.
Irrevocability: When message content is to be transferred from one party to another, a message may be generated which contains the desired message content. The message generation mechanism should preferably operate in such a manner that the message cannot subsequently be revoked by the sending party.
Non-repudiation: A message containing content to be transferred from a sending party to a receiving party should be tagged in such a manner that the sending party cannot plausibly assert that the message was generated and sent by some other party;
Anonymity: The storage and transfer mechanism should operate in such a manner that parties can exchange message content without the intervention of a third party that has knowledge of the identities of the parties to the actual exchange;
Duplicate detection: The message content transfer mechanism should preferably operate in which a way that duplicate messages are detected and handled properly.
It may be noted that it is not essential for all of the above-described values to be present. For example, in some remote telemetry scenarios, the value of “anonymity” may be irrelevant or even undesirable, because the identity of the station or equipment that has sent a message may be useful to the recipient. On the other hand, in some cases this anonymity may be useful in that an unauthorized party that improperly receives a content transfer message cannot determine the identity of the sending party by analysing the message. In a remote telemetry scenario, for example, this may prevent a hacker from correlating intercepted telemetry data to the particular station or equipment that sent it. Similarly, in an on-line voting system, anonymity enables the implementation of “secret voting”, while the other virtues of irrevocability, non-repudiation, and duplicate detection allows detection and prevention of election fraud.
Techniques are known by which some, but not all, of the above-noted virtues can be achieved. For example, known encryption techniques such as Public Key Infrastructure (PKI) encryption can be used to encrypt the content of a message and/or apply a digital signature to a message. Use of digital signatures provide message integrity, and also affords a degree of non-repudiation.
The application of a unique number to messages is a well known technique of duplicate detection.
Various methods such as passwords, Person Identification Numbers (PINs), Subscriber Identity Module (SIM) cards can be used, either alone or in combination, to secure access to some types of storage media, such as personal computers (PCs), cell-phones, Personal Digital Assistants (PDAs) and on-line user accounts. However, these techniques are designed to prevent a party from gaining unauthorized access to a device or storage media belonging to another party. It does not prevent a party who has improperly received a message from improperly storing that message on their own storage media.
Known systems for securing communications typically rely on the fact that both of the parties to any message exchange are known to a third party, who is directly involved in the message exchange. A common example of this arrangement is the use of bank debit and credit cards, and the like, where a message content exchange between a card-holder and a merchant, for example, necessarily involves the intervention of the card-issuer (e.g. a bank) who has knowledge of the identity of both the card-holder and the merchant. In some cases, this provides a mechanism for generating audit trails, and, particularly in financial systems, may be required by various regulatory agencies. However, in an on-line voting system, the guaranteed anonymity of at least the sending party is essential to maintain the integrity of secret balloting schemes. Known systems for securing communications cannot accommodate such anonymity without compromising other desirable values such as message integrity and non-repudiation,
An electronic message content storage and transfer system that overcomes at least some of the limitations of the prior art remains highly desirable.