Despite the increasingly pervasive use of complex passwords and cryptographic authentication and encryption measures, both enterprises and individuals continue to be at significant risk of information theft and computer fraud. A contributing factor to this fraud is that in many transactions the parties are typically not personally known to one another, and one or both parties rely on the presentation of a federated credential to infer identity (e.g., a recipient presumes that a party presenting a credential such as a credit card number, driver's license number, social security number, account name or number, company name, etc., is in fact authorized to use that credential).
For example, in a typical purchase scenario, a first party presents a credit card to a second party, and the second party then decides whether it can trust that the first party really owns that credit card. The second party in this example sometimes requires added security measures in the form of one or more authentication checks (e.g., by requesting that the party presenting the credit card also furnish the card owner's statement address zip code, card verification value or "CVV," or other information); it then electronically verifies the provided values and presumes that the first party is authorized to use the credential if each requested secondary authentication value is correctly presented.
Despite these measures, the risk of fraud remains, and a number of attacks can be mounted against such a system, including attempts to compromise the electronic systems of the various parties, attempts to eavesdrop on and/or replay the submitted information, and others. Once the credential and any associated authentication secret are discovered, a thief can potentially commit fraud for a period of time until the fraud is detected and the credential revoked, often through painstaking procedures.
What is needed are techniques for independently authenticating a party presenting a credential or secret information where that information will be received, stored or used in an electronic setting. The present invention addresses these needs and provides further, related advantages.
The subject matter defined by the enumerated claims may be better understood by referring to the following detailed description, which should be read in conjunction with the accompanying drawings. This description of one or more particular embodiments, set out below to enable one to build and use various implementations of the technology set forth by the claims, is not intended to limit the enumerated claims, but to exemplify their application. Without limiting the foregoing, this disclosure provides several different examples of techniques used to communicate keys, credentials and various other types of information. The various techniques can be embodied as software, in the form of a computer, device, service, cloud service, system or other device or apparatus, in the form of data encrypted as a result of these techniques, or in another manner. While specific examples are presented, the principles described herein may also be applied to other methods, devices and systems as well.