Creating and issuing access credentials for a typical security system sometimes requires that the credentials be sent to a device or entity. Therefore, sensitive data (e.g. a digital key) is transmitted from an originating sending entity (e.g. a hotel reservation system) to a final receiving entity (e.g. a door lock) via at least one intermediate bearer entity (e.g. a mobile telephone). Generally, a receiving entity will need to verify that the sensitive data has come from an authorized sending entity and has not been altered in transit. However, this approach is limiting. The checks performed by the receiving entity do not place security requirements on any bearer entity.
The current systems include data security means and methods that enable a receiving entity to establish the integrity of a message and to establish that the message was created by a recognized sending entity. For example, the message may include a message authentication code (MAC) computed with a cryptographic key shared by the sending entity and the receiving device. The MAC is verified to determine that the message has not been tampered with. Generally, a receiving entity can establish the authenticity of a fixed population of penultimate intermediate entities. For example, the receiving entity may be enabled to conduct a fixed authentication.
Much of the existing secure message communication systems or methods assume a “dumb pipe” between the sending entity and the receiving entity. This “dumb pipe” architecture does not ignore the possibility that hostile entities may have captured one or more links in the communication path from the sending entity to the receiving entity. Rather, current systems and methods concentrate on differentiating between dumb and hostile. If hostility is detected, then the message is regarded as compromised. If hostility is not detected, then dumbness of the communication path is confirmed, and the receiving entity may proceed to verify that the message is from an acceptable sending entity.
There are at least two disadvantages of the current systems. A first disadvantage is that message verification by the receiving entity is static. For example, in the case where a door lock is unlocked by an integrated circuit card of a mobile device, the door lock may be able to validate that an offered door-opening card is a member of a single, fixed population of cards or, equivalently, an element of a specific access control system. However, should it be desirable to allow cards from a different system to operate with the door lock permanently or temporarily (or should it be desirable to alter the security of the existing system), each lock would have to be physically visited and changed to include a new list of cards.
A second disadvantage is that the current systems do not address the entire communication path between the sending entity and the receiving entity when performing message verification. In the case of the door lock used with a mobile phone, the door lock may be able to verify that the mobile phone is owned by a particular individual but the door lock is not able to establish that a particular short message system center was a component of the communication pathway from the hotel reservation system to the mobile phone.