The invention relates generally to electronic transactions over computer networks, and more particularly to techniques for ensuring security of electronic transactions without the need for key exchange or other complex arrangements for each transaction.
Transaction security has become an increasingly important aspect of communication over the Internet and other types of wide area computer networks. A number of security techniques developed recently operate at the transport/session layer of a computer network operating in accordance with the Transmission Control Protocol/Internet Protocol (TCP/IP) standard. These techniques include the Secure HyperText Transport protocol (S-HTTP), described in E. Rescorla and A. Schiffman, "The Secure HyperText Transport Protocol," Internet Draft, draft-ietf-wts-shttp-00.txt, July 1995, the Secure Shell (SSH) protocol, described in T. Ylonen, "SSH - Secure Login Connections Over the Internet," USENIX Workshop on Security, 1996, and the Secure Socket Layer (SSL) protocol, described in P. Karlton, A. Freier and P. Kocher, "The SSL Protocol," 3.0, Internet Draft, March 1996. These and other security mechanisms implemented at the transport/session layer generally have the advantage of providing universal security "primitives" which have a wide applicability. For example, the SSL and SSH protocols can be used in conjunction with any TCP connection in the network. However, this universality comes at the expense of a lack of flexibility in the complexity and cost of transactions, and a lack of user mobility. More particularly, transactions which are within the same client-server relationship but execute at different times will generally appear to the network transport layer as unrelated transactions, or may require the storage of data in secure long-term memory at the client side.
Emerging applications in electronic commerce often involve very low-cost transactions, which execute in the context of an ongoing, extended client-server relationship. The increase in low-cost electronic transactions and the need for "low-cost crypto" is described in, for example, R. Rivest, "Perspectives on Financial Cryptography," Invited Lecture, Proc. of Financial Cryptography '97, Springer-Verlag. For these low-cost transactions, the above-noted general-purpose security mechanisms tend to be prohibitively expensive. In particular, both the S-HTTP and SSL security mechanisms involve a handshake-based key distribution which utilizes complex public key cryptography techniques. A user desiring to conduct a series of low-cost secure transactions with a vendor over the Internet is therefore required to utilize complex and costly arrangements, even though the transactions are carried out within an ongoing client-server relationship.
A need therefore exists for improved security techniques for electronic transactions, which take advantage of an ongoing client-server relationship to provide transaction security without the complexity and cost associated with conventional public key techniques.
The invention provides security protocols that are particularly well-suited for providing security in a series of low-cost transactions carried out between a client and a server within an on-going client-server relationship. In one embodiment of the invention, a novel simplified key establishment protocol (SKEP) is used to establish a shared key which may be used for the series of transactions. The client generates the shared key by computing, for example, the Janus function of (i) a client identifier, (ii) a server identifier and (iii) secret client information, encrypts the shared key using a public key of the server, and sends the encrypted shared key to the server. The server responds by incorporating server information into a response which is encrypted using the shared key and sent to the client. The client decrypts the response, verifies that the server has accepted the shared key, and then encrypts and sends additional client information such as a credit card number to the server using encryption based on the shared key. The server may in turn respond with an encrypted signature which may be used to provide a non-repudiation feature, such that the server cannot later deny having entered into the series of transactions with the client.
The client can use the shared key generated in accordance with the SKEP protocol in all of its subsequent transactions with the server, by simply recomputing the shared key via the Janus function. This eliminates the need for a separate key exchange for each transaction, and also eliminates the need to store shared keys between different transactions. The invention thereby considerably reduces the complexity and cost associated with providing secure client-server communications over the Internet and in numerous other applications. Moreover, because the client need not rely on data stored in secure memory, the security techniques of the invention are well-suited for use in mobile computing applications.
The subsequent client-server transactions may be conducted in accordance with a simplified or extended data delivery protocol (SDDP or EDDP) based on the above-described shared key. In the SDDP protocol, the client requests information, and the server supplies the information encrypted using the shared key. The client sends certain additional information, such as a random nonce, with its data delivery request, such that the client can readily verify that the response is associated with that request. The EDDP protocol operates in a similar manner, but requires that the client demonstrate possession of the shared key to the server before the server responds to a data delivery request, and also prevents third parties from determining the type of information requested by the client.
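The following sketch is an added illustration, not code from the patent. It shows the two properties described above: the client recomputes the shared key from its identifier, the server identifier and its secret instead of storing it, and an SDDP-style response is bound to the nonce sent with the request. Assumptions: HMAC-SHA256 stands in for the Janus function (which this text does not define), an HMAC counter-mode keystream stands in for a real cipher, the nonce is a fixed 16 bytes, all function names are hypothetical, and the SKEP step that sends the key under the server's public key is omitted.

```python
import hashlib
import hmac
import secrets

def derive_shared_key(client_id: str, server_id: str, client_secret: bytes) -> bytes:
    """Stand-in for the Janus function (assumption): HMAC-SHA256 keyed with the secret.
    Length prefixes keep ("ab", "c") distinct from ("a", "bc")."""
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (client_id.encode(), server_id.encode()))
    return hmac.new(client_secret, msg, hashlib.sha256).digest()

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def server_respond(shared_key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Server side: encrypt the payload and bind it to the 16-byte request nonce."""
    enc_key, mac_key = _subkey(shared_key, b"enc"), _subkey(shared_key, b"mac")
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, iv, len(payload))))
    tag = hmac.new(mac_key, nonce + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def client_open(shared_key: bytes, nonce: bytes, response: bytes) -> bytes:
    """Client side: accept only a response produced for this request's nonce."""
    if len(response) < 48:  # 16-byte IV plus 32-byte tag at minimum
        raise ValueError("response too short")
    enc_key, mac_key = _subkey(shared_key, b"enc"), _subkey(shared_key, b"mac")
    iv, ct, tag = response[:16], response[16:-32], response[-32:]
    expected = hmac.new(mac_key, nonce + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("response is not bound to this request")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
```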
The generation and use of a shared key in accordance with the invention may be made substantially transparent to the client through the use of a client-side web proxy. The web proxy may, for example, query the client for its identifier and secret information at the beginning of a browsing session and then use the identifier and secret information to generate session keys for each server the client interacts with during the browsing session. After a given shared key is established, the web proxy automatically regenerates the shared key each time the client initiates a transaction with the corresponding server. In this manner, the use of the shared key can be made substantially transparent to the client, and the storage and computation overheads associated with the use of the shared key are minimized.