This invention relates generally to cryptographic public-private key pair security techniques, and more particularly, to methods and systems for increasing the security of private keys used in such techniques.
Computer applications have been known to use public-private key pairs to secure e-mail messages, sign and verify documents, and encrypt and decrypt data. Each public-private key pair is associated with a particular user. The private key is typically secret and is available only to the particular user while the corresponding public key is typically not secret and is available to any member, or entity, of the public that desires to communicate with the user. Software-based processes are generally used to confidentially store each private key in a file in a personal device trusted by the user, for example, a personal computer of the user. Non-software-based processes may also be used for confidentially storing private keys, for example, by storing the private keys in hardware security modules, or smart cards. Public keys are typically stored in many devices.
Public-private key pairs are generally used to ensure that only the user associated with a private key corresponding to a public key, where the public key was used to encrypt a message or document, can decrypt the message or document, and to ensure secure network-based communications between known senders and recipients. Consequently, messages and documents secured with cryptographic key techniques are generally believed to be private and secure.
Unfortunately, imposters have also been known to surreptitiously obtain private keys by phishing over networks and by otherwise conducting malware attacks against computer systems. For example, imposters have been known to surreptitiously arrange for malware that can obtain private keys, to reside on personal devices of users. Imposters fraudulently use the obtained private keys and thus render ineffective the protection provided by cryptographic public-private key security techniques. Attempts have been made to counter such attacks by using password-protection schemes. In such schemes, after the password is confirmed the private key is available for use. However, imposters have also been known to overcome such password protection schemes by conducting equally sophisticated attacks to surreptitiously obtain the passwords.