The invention relates to a method for the generation of forgery-proof documents or data records, whereby key information is generated and encrypted checking information is formed from the key information and from a transaction indicator.
The invention also relates to a value transfer center and to a cryptographic module.
Numerous methods are known for generating forgery-proof documents and for checking them. Familiar methods are based on the generation of digital signatures or encrypted checking information, which are produced within the scope of the generation of the document.
A distinction has to be made between documents for which the writer has an interest in their genuineness and those for which third parties have an interest in their genuineness.
If a third party has an interest in documents being forgery-proof, then it is a known procedure to use a so-called “cryptographic module” for generating the document. Such known cryptographic modules are characterized in that they contain electronic data within them or that they process data that cannot be accessed or manipulated from the outside.
A cryptographic module can be regarded as a secure, sealed unit in which security-relevant processes are carried out that cannot be manipulated from the outside. A worldwide recognized standard for such cryptographic modules is the standard for cryptographic modules published under the designation FIPS Pub 140 by the United States National Institute of Standards and Technology—NIST.
If a cryptographic module is used to generate forgery-proof documents for which third parties have an interest in their genuineness, then a customary implementation is that the cryptographic module is used to securely deposit cryptographic keys that serve within the module, and only there, to encrypt check values. For example, so-called signature cards of the type issued by certification agencies or trust centers for generating digital signatures are a familiar approach. These signature cards, in the form of microprocessor chip cards, also contain a cryptographic module precisely in this microprocessor chip.
As a rule, one or more asymmetrical key pairs are deposited in such modules which are characterized in that encryptions that have been generated with the so-called private key can only be reversed with the associated public key, and in that encryptions that have been generated with the public key can only be reversed with the associated private key. As their name indicates, public keys are intended for public disclosure and widespread dissemination, whereas private keys may not be handed out and, when used together with cryptographic modules, they must not leave these modules at any point in time. Also deposited in such modules are algorithms, for example, for forming checksums or, in the example of the digital signature, for generating a so-called digital fingerprint or “hash value” which is characterized in that it maps any desired data contents onto generally quantitatively considerably abbreviated information in such a way that the result is irreversible and unambiguous and in that, for different data contents with which the algorithm is supplied, different results are obtained in each case.
The generation of a forgery-proof document in whose genuineness third parties have an interest, which is done by means of a cryptographic module containing asymmetrical keys and an algorithm to form check values, is generally carried out in the following manner: first of all, using the algorithm to form check values, a check value is formed that relates to the document that is to be secured. Then a private key in the cryptographic module is used to encrypt the check value. The combination of these two processes is referred to as the generation of a “digital signature.”
The checking of such a digital signature is normally carried out as follows: the recipient receives the document and the encrypted check value. The recipient also needs—and this is the objective of the invention described below—the public key of the document producer and the recipient uses this public key to decrypt the check value that the document producer has encrypted within the cryptographic module with his private key. Therefore, after the decryption, the recipient has the unencrypted check value. Moreover, in the next step, the recipient applies the same algorithm in order to form a check value for the received document. Finally, in the third step, the recipient compares the check value he himself has generated to the decrypted check value of the document producer. If both check values match, then the document was not forged and the genuineness of the document is substantiated beyond a doubt. Normally, in the case of known digital signatures, the authenticity of the document producer is checked. This is done in that the public key of the document producer is likewise digitally signed by a so-called certification agency or “CA” and it is allocated to a certain cryptographic module, or to a certain owner of the cryptographic module. In this case, the recipient of the document does not simply accept the public key of the document producer as a given but rather he likewise ascertains whether it belongs to the document producer by checking the digital signature of the public key in the manner described above.
With this known method, the problem exists that, in order to check the genuineness of a document, it is necessary to have information that is directly related to the document producer's use of keys by means of the cryptographic module. In the typical example described above for generating digital signatures, this is the public key of the document producer or of his cryptographic module, which has to be used for the checking procedure. In the case of the signature of the public key by a certification agency, the entire set comprising the public key, the identification of the user of this key and the digital signature of the certification agency is designated as the “key certificate.”
To sum it up, this problem can be illustrated with reference to an example as follows: in order to check the genuineness of a normally digitally signed document, the public key or the key certificate of the document producer or of his cryptographic module has to be available during the checking procedure. If, as is customary, documents of different document producers are to be checked in a checking station, then it is necessary for all of the public keys or all of the key certificates of all document producers to be available there.
There are various ways to meet the requirement that the public key of the document producer has to be available during the checking procedure. Thus, it is possible to attach the public key or the key certificate of the document producer to the document that is to be secured. Another possibility is to deposit the public key at the checking station and to access it as the need arises.
The known methods, however, are associated with drawbacks.
Attaching the key or the key certificate is disadvantageous if the size of the document has to be kept as small as possible and if an attached key would excessively enlarge the data record that is to be printed, transmitted or processed.
Depositing a public key at the checking station is especially disadvantageous if access to keys deposited at the checking station is not possible for practical or time reasons, for example, in case of a very large number of stored keys which would have to be accessed within a very short period of time.
In order to overcome these known disadvantages, with a method of this generic type, it is disclosed in German patent specification DE 100 20 563 C2 to generate a secret in a security module, to transfer the secret together with information that reveals the identity of the security module in encrypted form to a certification agency, to decrypt the secret in the certification agency, thus recognizing the identity of the security module, to subsequently encrypt the secret together with information on the identity of the document producer in such a way that only a checking station can carry out a decryption, in order to then transmit the secret to a document producer. With this method, the document producer enters his own data into the security module, whereby the data entered by the document producer himself is irreversibly linked to the secret by means of the security module and whereby the secret cannot be reconstructed.
This known method is characterized in that the document that is transmitted to a checking station is formed from the result of the irreversible linking of the secret to the data entered by the document producer, from the data entered by the document producer himself and from the encrypted information of the certification agency.
This known method is especially suitable for generating and checking forgery-proof postage stamps of a postal service provider. Such postage stamps are generated by customers of a postal service provider using a personal cryptographic module and they are applied onto the mail piece as a machine-readable barcode. The machine-readable barcode has only a very limited data scope and consequently, it does not allow the entry of the public key of the customer. Moreover, during the so-called letter production, the digital postage stamps have to be read and checked within a very short period of time, as a result of which the possibility of accessing a database containing perhaps many millions of public keys is likewise not an option.
A method for providing mail pieces with postage indicia is known from German Preliminary Published Application DE 100 20 402 A1. With this method, information that serves to generate a postage indicia is transmitted in encrypted form from a loading station to a crypto-module of a customer system and then serves to generate digital postage indicia. The postage indicia contains a hash value that is formed from the mailing data and from the information that was transmitted and stored temporarily in the crypto-module and also contains a “Crypto-String” encrypted in this information that can only be decrypted in a mail center during the checking of the postage indicia, after which it is provided with a digital signature.
German Preliminary Published Application DE 100 20 566 A1 describes a method of the same type in which customers can load value amounts from a value transfer center and said value amounts can be consumed in order to print out digital postage indicia. Here, in particular, a customer system transmits a random number to the value transfer center and the latter encrypts the random number with a symmetrical key and sends it back to the customer system.
The postage indicia are generated in the same manner as described in German Preliminary Published Application DE 100 20 402, whereby in particular, the encrypted random number can only be decrypted in a mail center.
The invention is based on the objective of allowing the generation of forgery-proof documents in such a way that it can be carried out, independent of direct communication between the cryptographically reliable contact station and the document producer.