Today, there is a great demand to support online financial transactions in a client/server computing environment. The key to the success of such systems is a set of security features that ensure that an authorized party securely transmits a communication to an authorized recipient. At a minimum, five security features are needed: privacy, data integrity, access control, user nonrepudiation, and a server-side audit trail.
Current security technology for clients calling financial servers includes (A) systems using passwords and the like to indicate a client's identity, (B) systems using session keys to encrypt the communications between a client and server so that outsiders cannot eavesdrop, and (C) systems using a digital signature and certification process.
Session key encryption provides privacy protection, and password mechanisms provide basic access control capabilities. The prior art does not provide absolute assurance that the party claiming to be a client is in fact the identified client (or even that the party is using the client's workstation), and also does not protect the financial institution from claims by clients that they did not send a particular message or request. The audit trail of the prior art systems will only show that the party that sent the message or request used the client's password to log in, which is often not conclusive proof. Thus, the financial institution is at risk of repudiation of transactions by clients.
Furthermore, the systems (e.g., Quicken, Netscape and Schwab's Smart Money using RSA encryption software) for encrypting the communications do so at the TCP/IP protocol layer of each system's software. This type of security technology limits the types of security features that can be provided. For instance, a security feature at the TCP/IP protocol level, such as SSL, typically provides only privacy by encrypting all data transmitted, but it cannot authenticate the client.
Systems utilizing client digital signatures are typically used with digital certificates. Digital certificates require a public key to be signed by a trusted third party. They are typically used to authenticate that a particular public key is really that of a particular user. However, financial institutions are reluctant to utilize digital certificates since they are wary of the potential liability associated with their fraudulent misuse.