1. Field of the Invention
The present invention relates to the field of cryptography, and more particularly, the secure distribution of a Public Key Infrastructure (PKI) certificate or other security token through a mobile telephony provider's infrastructure.
2. Description of the Related Art
User names and passwords are commonly used to authenticate a user for purposes of accessing secure content. By their nature, user name and password combinations can be very insecure. Conveyances of user name and password combinations are susceptible to interception through software. User names and passwords can also be intercepted in many other ways, including by someone watching the keys pressed while a password is typed. Passwords can also be weak in nature. Sometimes people have the habit of using repeating numbers, their birthday, or the name of someone or something they like. Such passwords are very easy to guess.
There are other, more secure methods of authentication. For example, Public Key Infrastructure (PKI) certificates are cryptographically generated tokens that can be used for authentication. These certificates are used to establish the identity of a party involved in a transmission of data. The use of PKI certificates for authentication involves the use of public and private key technology. The public key that is transmitted over the network is signed by a trusted third party, known as a certificate authority. The receiver of the certificate validates it against a set of trusted signing certificates stored in its local trust store. PKI certificates are constructed so they are very difficult to guess or to break using algorithmic methods.
Although PKI certificates generally provide a high level of protection, securely distributing these keys is difficult, in particular when attempting to provide them to a large population of otherwise unknown users. It is difficult to authoritatively establish the identity of a person over the Internet in order to grant them a credential, and it is also problematic to attempt to convey that credential to a user over an insecure medium (e.g., the Internet). When conveyed, the PKI certificate can be intercepted. Once intercepted, the certificate can be used to fake the identity of the intended user.
What is needed is a secure means to distribute PKI certificates or other security tokens. Ideally, this distribution mechanism will not involve digitally conveying the certificate over a network, since any counter-interception/encryption technique used during such a conveyance can be defeated. Optimally, PKI certificates, especially those protecting particularly valuable or sensitive resources, would be physically delivered to a verified user. The user would be required to provide verifiable physical proof of their identity, such as a driver's license or similar artifacts. Such physical distribution of PKI certificates, however, would require an extensive infrastructure including a vast number of strategically positioned pick-up locations convenient for users. When PKI certificates are to be used for secure access to a large number of unrelated Web sites accessible over the public Internet, the PKI pick-up locations should span a wide geographic region, such as the continental United States.