Digital signatures for verifying or authorizing of transactions, documents, contracts, prescriptions or others over the internet have become more widely used with the implementation of legislation on a global level accepting its use. Parts of the legislation includes guidelines on the security and authentication aspects of ensuring the legality of the digital signature.
Invariably, the use of PKI (Public Key Infrastructure) has been recognized in this legislation. When considering PKI for digital signatures, all entities involved in the transaction rely on a trusted third party to perform the necessary authentication of identity and trustworthiness of the entities. This trusted third-party is known as the CA (Certificate Authority).
The CA issues to each of the entities a digital certificate containing information such as the entity's name, country of origin, the policies governing the use of the digital certificate, and most importantly the Public Key of the entity.
The digital certificate from the CA asserts that the entity described in the digital certificate is the rightful and sole owner of a Private Key corresponding to the Public Key.
When a transaction needs to be signed by a digital signature, the signing entity uses its private key to digitally sign the transaction. An entity receiving the signed transaction will also receive the digital certificate of the signing entity. By using the public key in the digital certificate, the receiving entity can then verify that the transaction has been digitally signed by the correct party, i.e. the signing entity. The operations of PKI and its applications and limitations are well known and will not be further discussed.
One of the limitations imposed by legislation in ensuring the safe use of PKI, is the legal requirement that requires that the Private Keys of the signing entity is always and only in the possession of the signing entity. This attempts to ensure that other parties may not obtain use the private key of the signing entity to misrepresent his digital signature.
At present, there are several methods of ensuring the possession of the private keys as well as to prevent the theft or loss of the private key.
In one prior art method, smart cards are used. The private key is stored electronically on memory means on the smart card. A smart card reader would then be required to read the data from the smart card. To further ensure privacy, a password would have to be entered into a computer linked to the smart card allowing the private key from the smart card to be used for carrying out cryptographic operations. This method is however expensive and cumbersome to implement as a physical smart card as well as a card reader is required. In the event that the smart card is lost, a new smart card must be issued to the user while the private key of the old smart card must also be invalidated.
Microsoft's CSP (Cryptographic Service Provider) provides an alternative to the smart card. The Microsoft CSP is implemented as a software token that operates like a smart card, and would perform the functions of digitally signing transactions. Access to the Microsoft CSP is also via a password. However, a main concern is that the private key would be stored on a hard disk of a computer having the installed Microsoft CSP. This private key is disadvantageously open to attacks by computer viruses as well as hackers attempting to duplicate it.
Another prior art implementation is the KEON Web passport solution by RSASecurity, Inc. This is a “virtual” smart card solution which relies on a back end server to securely store the private key. When a user requires the use of the private key, the private key is then downloaded from the back end server to the user for his use. While this is considered slightly more secure than the CSP implementation, there is dispute as to whether the private key is “always” in the possession of the user.
Therefore, a need exists for an improved system and method for implementing digital signatures over a network which overcomes or at least alleviates the drawbacks of the prior art systems.