Typically, when a client application, for example one running on the processor of a mobile device, sends a communication to the processor of a backend server, the client application signs the communication with its Public Key Infrastructure (PKI) private encryption key. The communication then travels from the client application to the processor of the backend server encrypted with the client application's private key. The private key, which is presumed to be known only to the client application, enables the backend server to confirm that the communication actually came from the client application and not from an unauthorized party. Currently, however, the client application's private key is vulnerable to compromise, both where it is stored on the client device and during transmission to the backend server.
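The sign-then-verify exchange described above, as an added illustration that is not part of the original text: the client signs its payload with a private key, and the backend verifies the signature against the public key it has on record for that client. The example uses Go's standard-library Ed25519 implementation; the message format, the function names and the sample payload are constructed for this illustration. It also shows the two checks the server relies on: a modified payload fails verification, and a signature made under a different key fails verification. Note what the check does not prove: it only establishes that whoever signed held the private key, which is exactly why the key's exposure on the device or in transit matters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is a constructed wire format for this example:
// the payload plus the client's signature over that payload.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// NewClientKeyPair generates a fresh Ed25519 key pair for a client.
// In a real deployment the public half is registered with the backend
// and the private half is what must be protected on the device.
func NewClientKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ClientSign is the client-side step: sign the payload with the
// client's private key and attach the signature.
func ClientSign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
	}
}

// ServerVerify is the backend-side step: check the signature against
// the public key registered for this client. It returns true only if
// the payload is unmodified and was signed by the matching private key.
func ServerVerify(registered ed25519.PublicKey, msg SignedMessage) bool {
	if len(msg.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(registered, msg.Payload, msg.Signature)
}

func main() {
	pub, priv, err := NewClientKeyPair()
	if err != nil {
		panic(err)
	}

	// Constructed sample payload carrying an authentication credential.
	msg := ClientSign(priv, []byte(`{"user":"alice","device":"fp-0001"}`))
	fmt.Println("genuine message verifies:", ServerVerify(pub, msg))

	// Integrity check: a payload altered in transit fails verification.
	tampered := SignedMessage{
		Payload:   []byte(`{"user":"mallory","device":"fp-0001"}`),
		Signature: msg.Signature,
	}
	fmt.Println("tampered message verifies:", ServerVerify(pub, tampered))

	// Origin check: a signature made under some other key fails too.
	otherPub, _, _ := NewClientKeyPair()
	fmt.Println("message under unknown key verifies:", ServerVerify(otherPub, msg))
}
```

Running the program prints `true`, `false`, `false`: the backend accepts only a payload that is intact and signed by the key it has registered for the client.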
The commonly used Secure Sockets Layer (SSL) security protocol is not sufficiently secure for protecting authentication credentials, such as a user's password and/or a device fingerprint, between a mobile client application and a backend server, because of the possibility of compromise. There is presently no known solution that provides payload encryption, non-repudiation and an integrity check for messages exchanged between mobile applications and backend systems without storing private keys in the mobile application on a device, such as a mobile phone, which leaves the private key vulnerable to compromise.
There is therefore a current need for methods and systems of secure electronic communication that protect all sensitive information, including authentication credentials such as user passwords and device fingerprints, by ensuring that all communications between a mobile device application and a processor of a backend server are payload encrypted.