Secure transmissions in wireless networks, including ad hoc wireless communication networks, are often based on the use of certificates. A certification authority (CA) is a trusted network entity that issues digital certificates for use by other network entities. CAs are a characteristic of many public key infrastructure (PKI) schemes. A public key certificate is a certificate that uses a digital signature to bind together a public key with personal and/or physical attributes of an entity, which may be one or more people or one or more devices. Attributes of a person can include, for example, a person's name, address, or date of birth; and attributes of a device can include, for example, an internet protocol (IP) address, a medium access control (MAC) address, or a serial number.
A CA can issue a public key certificate that confirms that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other network entity identified in the certificate. The CA thus verifies an applicant's credentials, so that other network users, known as relying parties, can trust the information in the CA's certificates. Commonly, if a user trusts the CA and can verify the CA's signature, then the user can also verify that a certain public key does indeed belong to an entity identified in a certificate issued by the CA.
Prior to issuing a public key certificate to an entity, a CA performs a due diligence step to authenticate the entity's claims to particular personal and/or physical attributes. The CA also authenticates the entity's possession of a claimed private/public key pair.
In a typical public key certificate validation, a relying node validates a remote node's public key certificate. Also, through an authentication procedure, the relying node ensures that the remote node possesses the private key associated with a validated certificate. However, it can be quite difficult for the relying node to determine whether the remote node is the legitimate owner of the private/public key pair. For example, the legitimate owner of a private/public key pair may be careless in safeguarding the private key, which may result in theft of the private/public key pair.
There are many scenarios where a private key can be compromised. For example, some scenarios involve theft of a physical private key/certificate storage device, such as theft of a smart card that stores a private key/certificate. Sometimes such scenarios may be easily and quickly detected by users. However, other scenarios may involve more surreptitious techniques, such as the use of malware or a successful algorithm attack on a network, which may not be easily detected by network users. A stolen private key then may be used for nefarious purposes until its associated certificate expires.
PKI schemes thus often include a chain of trust having many links, and where the chain is only as strong as its weakest link. The security of PKI private keys, particularly in environments where secure key storage is not available, is commonly a weak link in PKI schemes. Accordingly, there is a need for an improved method and device for confirming the authenticity of a PKI transaction event between a relying node and a subject node in a communication network, including determining that a private key of the subject node has not been compromised.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.
The apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.