The present invention is intended to be used in contexts which will become apparent from the preambles of the main claims which are attached.
As a result of developments in telecommunications and data communications, an increasing number of sensitive operations are being performed without the participating parties being "present" for a possible check on their identity. A consequence of this is that it must be possible for individuals and parties participating in an operation to be identified "electronically". The methods for doing this up until now have, if they have existed at all, been based on the password technique taken from the espionage trade. During the last few years, the weaknesses of a password technique as the only method of identification have been amply demonstrated by the numerous instances of so-called "hacking".
A method which establishes more secure identification is that of digital signatures, which method can be applied in all the areas where an identification of the source of an operation or a document needs to be verified. This method simulates the normal manner of identification which is used for transactions outside the electronics field. The method using digital signatures is based on the party who is to be identified signing for the transaction (compare ordinary signature on, for example, a contract) and the identity being checked against a comparison original which has the same role as an ID card has for ordinary signatures. For this method to be able to function in an electronics context, an infrastructure needs to be available in order to be able to create electronic identity documents.
The information which we use to verify an ordinary ID card has (as FIG. 1 shows) its equivalent in the electronic identity document. Another definition for electronic identity document is certificate.
An electronic ID document contains additional information which is of no importance for this comparison. It is also possible to add other information, in the same way as a given ID card can contain information specific to a company.
In order to identify an individual with the aid of an ID document, we require that the individual concerned will resemble the person in the photograph and will be able to reproduce the signature. In the case of certificates, this is replaced by a technical procedure based on cryptography which uniquely identifies the user.
The confidence we have in an ID document is really a result of the confidence we have in the organization which issues it, for example a company or an authority, combined with the fact that the document is sufficiently secure in technical terms. As an example of the latter, we can compare the old driving licences, with a photo stuck on and a stamp, with today's licences which are sealed in plastic.
Just as is the case for issuing an ordinary ID document, the issuing of electronic ID documents requires a technical and administrative infrastructure.
Crucial to the quality of any ID document is the identification of the individual which takes place in conjunction with the issuing; this is the absolutely crucial aspect, the quality of which totally determines the quality of the whole document, regardless of whether it is an ordinary ID card or a certificate.
This identification is normally done by the person in question being known, or by some person or persons, already trusted, vouching for the identity. It is obviously preferable if this identification can take place at as "low" a level as possible, for example departmental level in a company, where, by and large, all individuals are known to each other and it is easy to determine who belongs to the organization, with what powers, and in what capacity.
As far as this part of the administration is concerned, there is no great difference between a traditional ID document and a certificate, and in the same way there must be the possibility of verifying that the document is still valid etc.
In the case of certificates, the authority which issues and which may revoke these is usually called a Certification Authority or CA. A difference between certificates and ordinary ID documents is that the holder always carries the latter on his or her person, which need not be the case with certificates; the issuer (CA) also has the role of publishing the electronic ID documents (the certificates) in such a way that these are accessible to anyone requiring access to them. If appropriate, information on revoked certificates may be stored together with the certificates.
As regards the CA (Certification Authority), reference is made to ISO 9594-8 (The Directory Authentication Framework). In the text which follows, we introduce, in the same way as in, for example, Privacy Enhanced Mail (RFC 1114), the restriction that the CA is a clearly definable part of an organization.
On the basis of the above, the functions of the CA are defined as follows:
The CA represents an organization or a clearly definable part of such an organization in the issuing of certificates. The CA verifies the identity of the person for whom a certificate is to be created. The CA personalizes a "token" linked to the identified person. By means of this, the CA lets the organization or organization unit guarantee an organizational identity for the person to which a certificate is issued.
The CA represents an organization or a clearly definable part of such an organization in the publication of certificates. The CA makes the certificate known and accessible to anyone, for example through one or more catalogue services.
The CA represents an organization or a clearly definable part of such an organization in the revocation of certificates. The CA discloses, in a reliable manner, that the organization or the organization unit no longer vouches for the previously conferred organization identity.
The CA represents an organization or a clearly definable part of such an organization in the renewal of certificates. The CA extends the validity of the conferred organization identity by issuing a new certificate for this.
Since the CA always represents an organization or organization unit, the CA, independently of its internal structure, will be regarded by those around it as a unit related to the represented organization or organization unit.
Since the familiarity with the persons involved in an organization is often best at the level where the business is conducted, it is also there that a person can best be identified, both in terms of the physical identity of the person and his or her role in the organization. In larger organizations or organization units, no single authority can be expected to be familiar with the various individuals and their roles in the way which is necessary to be able to guarantee the organization identity of the person.
In consideration of the above, the internal organization of the CA will allow certificates to be issued at the organizational level where the abovementioned familiarity is found.
In the following text it is assumed that the identification procedure is based on the technique using public keys, and that the "token" which is used is an IC card with built-in computing capacity.
In order to issue a certificate, access is needed to the following:
1. A pair of cipher keys unique to the CA, one public and one private, the private one being used for the digital signature which guarantees the identity of the issuer and that the contents of the certificate are not manipulated. The private key must be stored in such a way that unauthorized access is not possible in practice.
2. A terminal where the person carrying out the issuing procedure keys in personal data, a certificate is created and signed (this signature protects against manipulation of the contents in the certificate). For each certificate there is a unique key pair which is linked via the certificate to the individual.
3. A medium where the certificate holder can safely store his private key and carry out the computations necessary during the identification procedure. For this, an IC card is used which offers both secure storage of data and reliable use of the private key for computations.
4. Procedures which make it possible for someone requiring access to certificates to access the latter. This function can be separate from the CA both in technical and administrative terms.
The following security risks can be identified:
False certificates. If there are false certificates in circulation, no one can rely on any certificate issued by this CA.
Manipulation of revocation information. Certificates which are no longer to be valid are not included in revocation lists. Completely legitimate operations will be prevented since the user's certificate will not be accepted by the other party.
Duplication of information. If several individuals have the same organizational identity, no operation or transaction can safely be committed to one particular individual.
The sources of the above risks can be divided into the following separate cases:
An authorized CA operator abuses this trust.
An unauthorized person procures the possibility to operate the CA.
A person succeeds in presenting a false identity at the time when the certificate is issued.
Functional requirements of the CA:
The certificates are issued in accordance with existing security policy.
Each certificate issued is unique.
Supplied certificates. As regards the storage and supply of certificates, it is necessary that the CA be able to place certificates in the keeping of the authority which is supplying these, for example in a catalogue.
The CA will publish revocation lists.
It will be possible for the certification process to be implemented in a decentralized manner in the organization. This is a precondition for satisfying the requirement for rapid processing combined with maximum personal recognition.
Relation between CAs. Each CA is certified by a higher CA, and each CA can in turn certify other CAs.
The CA will be able to function in a "multialgorithm environment" where different certificate structures are used. For example, certificates with structures for DSS and RSA will be able to co-exist.
The CA functionality will as far as possible be built on generally wide-spread and accepted techniques and standards.
Damage limitation. The CA will be designed and administered in such a way that as few valid certificates as possible need to be renewed in order to eliminate false certificates.
Full authentication of operator. Each operator will be identified by a method which at least satisfies the requirements for full authentication as defined in ISO 9594-8.
Complete traceability. When a certificate is issued, it will be possible for all the individuals involved, including the operator, to be identified and traced. All transactions in a CA will be logged securely.
Complete integrity. All information produced by an operator will be protected in such a way that both intentional and unintentional changes to said information will be detected. Program codes and logs will also have protected integrity.
Saved status information. The system will have a sufficiently large amount of information saved so that issuing of certificates with duplicated information cannot arise.
Physically protected environment. It will not be possible to technically manipulate the units involved in such a way that the CA can continue to operate with its functionality apparently intact.
Confidentiality. Sensitive information will be inaccessible to both the operator and to outsiders, for example some terminals may need to be protected against clearing signals.
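The requirements above for unique certificates, saved status information, complete traceability and integrity-protected logs can be illustrated with a small sketch. This is an added example, not part of the patent text: the hash-chained log is one possible mechanism chosen here as an assumption, and the class, operator names, subjects and serial numbers are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the hash chain

class IssuanceLog:
    """Hypothetical CA-side store: duplicate check plus hash-chained log."""
    def __init__(self):
        self.entries = []      # append-only log of every issuing attempt
        self.subjects = set()  # saved status: organizational identities issued
        self.serials = set()   # saved status: certificate serial numbers issued

    @staticmethod
    def _digest(body, prev):
        data = json.dumps(body, sort_keys=True) + prev
        return hashlib.sha256(data.encode()).hexdigest()

    def _append(self, **body):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(
            {"body": body, "prev": prev, "hash": self._digest(body, prev)})

    def issue(self, operator, subject, serial):
        # Every attempt is logged with its operator; duplicates are refused.
        duplicate = subject in self.subjects or serial in self.serials
        self._append(event="rejected" if duplicate else "issued",
                     operator=operator, subject=subject, serial=serial)
        if not duplicate:
            self.subjects.add(subject)
            self.serials.add(serial)
        return not duplicate

    def first_bad_entry(self):
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._digest(entry["body"], prev)
            if entry["prev"] != prev or entry["hash"] != expected:
                return i  # index of the first altered entry
            prev = entry["hash"]
        return -1  # chain intact

def demo():
    log = IssuanceLog()
    results = [log.issue("op-anna", "cn=A Berg,ou=Sales", 1001),
               log.issue("op-anna", "cn=C Dahl,ou=Sales", 1002),
               log.issue("op-erik", "cn=A Berg,ou=Sales", 1003)]  # duplicate
    intact = log.first_bad_entry()
    log.entries[1]["body"]["operator"] = "op-erik"  # simulated later edit
    return results, intact, log.first_bad_entry()
```

A chain of this kind only detects changes if its latest hash is kept where an operator cannot rewrite it, for example signed with the CA's private key.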
The invention solves the above set of problems.
The features which may principally be regarded as characterizing a method and arrangement which solve the problems mentioned above will become apparent from the patent claims attached.