The present invention relates to a system, a device and a method of providing secure communication between two parties, and in particular for providing such secure communication over a communication network.
Secure communication between two parties has always been an important but difficult task. The moment information is shared between two parties, a third, unauthorized party may be able to access this information as well. The problem is magnified when the two authorized parties are separated by a distance, so that information must be passed in the form of messages rather than by direct communication. Historically, the content of messages has sometimes been protected by cryptography, in which the content is altered by transformation into another form which is understandable only by the intended recipient or recipients of the message.
As the technology for transferring information has become increasingly complex and sophisticated, so has the technology of cryptography. Currently, cryptography may be performed by encoding the original message into an incomprehensible protected message according to mathematical algorithms using a particular key. Only the correct recipient should have both the same algorithm and the particular key needed to decode the protected message into the original message. Thus, the incomprehensible encoded message can be freely transmitted over a relatively insecure communication channel such as a telephone network, while remaining secure to all but the correct recipient.
Of course, the security of the encoded message depends both upon the possession of the key and the ability of the algorithm to resist being broken by an unauthorized third party. A third party could try to guess the identity of the key, in effect copying it, and then use the actual key to decode the message. Also, just as a door may be broken without having the key to the lock, so can a cryptography algorithm be broken in the absence of the correct mathematical key. In both cases, the longer the key, the more difficult either guessing attacks or brute force attacks become.
However, as computer technology has become ever faster, many heretofore "impregnable" algorithms have yielded to brute force attacks. For example, the DES (Data Encryption Standard) algorithm with a 56-bit key was thought to be impregnable at the time of its inception in 1976. By 1993, DES with the 56-bit key could theoretically have been broken in 7 hours by brute force with a highly sophisticated computer. To solve the problem, the key was lengthened to 128 bits. Other algorithms have proven to be susceptible to brute force attacks, and are now used with longer keys to reduce their vulnerability to attacks.
Since computer technology is still becoming increasingly powerful and faster, there is no reason to expect that the "impregnable" algorithms of today will not fall to a brute force attack tomorrow. Furthermore, certain algorithms have become easier to crack by the discovery of new mathematical functions, such as new factoring algorithms, which cannot be easily anticipated. Such functions can render "secure" cryptography algorithms vulnerable to attack. Thus, expecting mathematical algorithms alone to provide all of the security for information transfer is clearly not sufficient.
An additional layer of security is provided by using public key-private key pairs. In this system, used for example in the PGP (Pretty Good Privacy) cryptography software, the sender encrypts the message using the public key, and the recipient decrypts it with the private key.
As noted previously, such security measures through cryptography are important for sending secure messages over insecure communication channels. For example, voice and facsimile transmissions are typically sent over telephone networks, which can be tapped. The problem is magnified for such highly insecure communication channels as cellular phones, which are easy to access with hardware, such as a scanner, which can be purchased "off the shelf" at an electronics store. Thus, devices and methods for securing communication on insecure channels are important.
One example of such a method is disclosed in U.S. Pat. No. 5,473,689 to Eberhard. In this method, two electronic devices generate and exchange two random numbers, so that each device knows both numbers. Both numbers are then encrypted and compared, by exchanging a portion of each encrypted number. Communication only occurs if both encrypted numbers match. One problem with this method is that both sides must have the same key for the encryption and decryption of the random numbers. Thus, this key is vulnerable to theft by an unauthorized party, particularly if the key is exchanged.
U.S. Pat. No. 5,564,106 to Puhl et al. describes a method of providing blind access to an encryption key, such that the key of a first group member is provided to a second group without the first group knowing the identity of the first group member. Such a method is useful for enabling a government organization which is investigating an employee of a business to access the key of that employee, without enabling the business to know the identity of the employee under investigation. However, this method is not helpful for secure communication over an insecure channel, since it presupposes the security of the original encryption method.
One drawback of some currently available encryption methods for communication over an insecure channel is that they require the user to perform a number of steps before communication occurs. If such encryption were to be performed automatically, for example by a semiconductor chip contained with a communication device, the user would not need to actively perform the encryption before communication would occur. One example of such a device is disclosed in U.S. Pat. No. 5,539,828 to Davis. This device has both a pair of keys, public and private, and a digital certificate which includes the public key encrypted with the private key. Essentially, this device has automated public key encryption, so that again communication through the device is only as secure as the encryption method.
Other commercially available hardware devices, or hardware/software systems, suffer from the same potential drawback: the devices and systems are only as secure as the encryption method which is employed. Examples of such devices and systems include the information security products of Litronic (Costa Mesa, Calif., USA), which include both smartcard readers and cryptographic device drivers, and software for encrypting textual and database information; the network security products of Cylink Corp. (San Francisco, Calif., USA), which help ensure security on LAN (Local Area Networks) and WAN (Wide Area Networks), through the use of the DES encryption algorithm; and the products of Cylink (Sunnyvale, Calif., USA), which provide rapid encryption for digital networks, again using either DES or a proprietary encryption algorithm. These are only a sampling of the many such products available on the market today, indicating the wide-spread popularity of, and commercial need for, products for secure communication and encryption.
Unfortunately, as noted previously, all of these products are only as secure as the encryption method employed. Furthermore, all of the encryption methods employed are based upon mathematical algorithms and keys, which means that they can potentially be cracked by a brute force attack. As computer technology becomes more sophisticated and as new mathematical functions related to these algorithms become available, such brute force attacks become easier to manage, thereby rendering the encrypted data vulnerable to unauthorized interception.
There is one type of encryption, however, which is theoretically unbreakable by a brute force attack on the encrypted message itself. This type of encryption involves random numbers which are as long as the message itself. There is no potentially breakable algorithm. Rather, the message is encoded according to a random number of the same length as the message. The encoded message can then only be decoded by using exactly the same random number as was used for the encoding. Each such random number is used only once for encoding a message. Since random numbers are used for the encoding, the random number used for the encoding cannot be guessed or derived according to a mathematical algorithm, or according to statistical analysis. In order to obtain the random number by guessing, the entire random number used for encoding a particular message must be guessed, which is effectively guessing the message itself. Furthermore, obtaining one such random number by reverse-engineering will not enable other messages to be decoded, since subsequent messages will be encoded with different random numbers.
Currently, this encryption method requires both parties to have the same random number, typically by using a one-time pad of such numbers. This pad can be literally a physical pad of paper, on which a series of random numbers is written. The pad could also be in the form of an electronic storage hardware device such as a diskette. As a message is sent or received, each party uses one number on the pad, and then discards the random number. Since both parties have the same pad and are using the same random numbers, messages can be securely encoded and decoded, without fear of a brute force attack. Of course, the pad of paper or the diskette itself could be physically stolen or copied, but such an occurrence is relatively easier to guard against and to detect than electronic theft of the messages.
One severe drawback of the "one-time pad" in currently available implementations is that both parties must have the same physical pad of paper or diskette before communication can occur, thereby restricting communication to parties which have made the necessary arrangements in advance. Also, the protection of the messages is only as good as the physical protection of the one-time pad itself on both sides. Furthermore, both parties must take certain steps in order for the encoding and decoding steps to occur. In addition, the physical pad of paper or computer diskette cannot hold an infinite quantity of these random numbers, so that the physical pad of paper or the computer diskette must be periodically replaced. Thus, as currently available, the method is both cumbersome and not practicable for wide-spread communication between many different parties.
There is therefore a need for, and it would be useful to have, a method and a system for producing and using an electronic "one-time pad", for example for secure communication on an insecure channel or for secure identification, which is automated and practicable for wide-spread communication and other uses, yet which is not liable to a brute force attack on the "one-time pad" itself.