It is becoming relatively common to exchange electronically stored documents between parties to a transaction, for instance via a widely distributed information network such as the Internet of the World Wide Web (WWW). A common problem with the Internet is a lack of secure communication channels. Thus, in order for hospitals, governments, banks, stockbrokers, and credit card companies to make use of the Internet, privacy and security must be ensured. One approach to solving the aforementioned problem uses data encryption prior to transmission. In a prior art system, a host computer is provided with an encryption unit comprising an encryption processor that is in electrical communication with a memory circuit for storing at least a private encryption key. When information is to be transmitted between the host computer system and a client station via the Internet and is of a confidential nature, the information is passed first to the encryption unit for encryption by the encryption processor using the stored at least a private key. Typically, a same private key is used every time a data encryption operation is performed. Optionally, an encryption key is selected from a finite set of private encryption keys that is stored in the memory circuit of the encryption unit.
Several standards exist today for privacy and strong authentication on the Internet through encryption/decryption. Typically, encryption/decryption is performed based on algorithms which are intended to allow data transfer over an open channel between parties while maintaining the privacy of the message contents. Encryption algorithms are typically classified into secret-key and public-key algorithms. In secret-key algorithms both of the keys are secret. Block ciphers are representative of the secret-key cryptosystems in use today. Usually, for block ciphers, symmetric key cryptography is used. In symmetric key cryptography, the encryption and decryption keys are the same. A block cipher takes a block of data, typically 32-128 bits, as input data and produces the same number of bits as output data. The encryption and decryption operations are performed using the secret-key, having a length typically in the range of 56-128 bits. The encryption algorithm is designed such that it is very difficult to decrypt a message without knowing the secret-key. It will be obvious to one of skill in the art that symmetric key cryptography is other than suitable for use in computer systems that allow public access by a plurality of different client stations via the Internet.
In addition to block ciphers, Internet security protocols also rely on private/public-key based algorithms in which one of the keys is made freely available to the general public. A private/public key cryptosystem such as the Rivest, Shamir, Adelman (RSA) cryptosystem described in U.S. Pat. No. 5,144,667 issued to Pogue and Rivest uses two keys, one of which is private and the other of which is made publicly available. Once someone publishes a public-key, anyone may send that person a secret message encrypted using that public key; however, decryption of the message can only be accomplished by use of the private key. The advantage of such private/public-key encryption is private keys are not distributed to all parties of a conversation beforehand. In contrast, when symmetric encryption is used, multiple secret keys are generated, one for each party intended to receive a message, and each secret key is privately communicated. Attempting to distribute secret keys in a secure fashion results in a similar problem as that faced in sending the message using only secret-key encryption; this is typically referred to as the key distribution problem.
Often, large financial institutions, for instance the chartered banks, rely on private/public key based encryption systems to provide secure transactions for their clients via the Internet. The private portion of the encryption key is stored in a secure area of a computer system maintained by the bank, for instance within an encryption unit in communication with a network server. Often, the computer system is kept in a locked room to which access is limited and controlled.
Despite the security precautions that are taken by the user, as detailed above, from time to time key compromise will occur. The compromise of a private key by an unauthorized third party allows immediately any data that is passed through the encryption unit to be converted back into a plain text form and to be read by the third party. When such data includes financial information or information of a personal and confidential nature, then the potential also exists for the unauthorized third party to cause serious inconvenience and/or financial loss to a legitimate user of the encryption unit. Of course, the unauthorized third party includes outside parties, for instance a hacker, and inside parties, for instance a dishonest computer administrator or a disgruntled employee. A particular threat is an inside party who is conducting industrial espionage to the benefit of a competitor.
In the event of key compromise of a multiple private/public-key system, the user immediately stops using the compromised key and switches to a private/public-key that is secure. Often this involves retrieving a storage medium having a secure private/public-key stored therein and transferring the private/public-key to the memory of the encryption unit. It is a disadvantage of the prior art system that the process of replacing a compromised private/public-key is time consuming. Further, when key compromise occurs outside of regular office hours there is an additional period of system down-time associated with the time for an authorized individual to attend the encryption unit site to replace the private/public-key.
Of course, in the event that every encryption key of an encryption system is compromised during a same overlapping period of time, the user immediately discontinues communication via the Internet and is required to purchase replacement keys from a key provider. At this stage the key provider faces a problem similar to the user's original problem of securely transferring confidential data between the user and the intended recipient, for instance the key provider must deliver the private key to the user via a communications network that is other than secure. Of course, one solution is for the key provider to physically attend at the user's computer system to deliver and install the new the private key. While this raises the security to a very high level there is an extended period of system down-time, which is extremely costly to the user. In major financial institutions such as banks, investment houses, large wholesale businesses and other organizations, to have a communication system out of use for a period of several hours is not acceptable.
A system which provides improved security for the delivery of a private key to a user via a communications network that is other than secure is known in the prior art. In the prior art system the key provider provides initially a root key to the user. The root key is for use by the user in obtaining private key replacements as soon as compromise of an existing private key occurs. For instance, the user is provided with a first private/public key pair and a second private/public key pair. The first private/public key pair is used routinely to encrypt confidential data prior to transfer via the Internet, such that communications between the user and user's clients are substantially secure. The second private/public key pair, referred to as the root key pair herein, is used exclusively for decrypting private keys that are occasionally provided in an encrypted form by the key provider. For instance, the key provider encrypts a new private/public key pair for transmission to the user via the Internet using the public root key associated with the user's private root key. Upon receipt, the user decrypts the encrypted private/public key pair using the private root key and is able to resume business operations with minimal loss of time. The root key is used relatively less often than the first private key and as such the root key is less susceptible to key compromise compared to the first private key other than by an “insider.” Optionally the root key is longer than the first private key, such that encrypting and decrypting data using the root key requires relatively more processing resources than using the first private key, reducing further the incidences of root key compromise.
It is a limitation of the prior art system that once the user is in receipt of a private key the continued secure status of that private key is dependent upon the security precautions that are enacted by the user. If the precautions are other than adequate then more frequent incidences of key compromise are expected. Further, if the user stores the private root key along with the private key then more frequent incidences of root key compromise are expected. Of course, when the root key is itself compromised the user must request the key provider to physically attend the computer site and install replacement private and root keys. Should the user continue to use the root key after it is compromised, then any private keys encrypted for transfer using that root key are susceptible to key compromise during transmission via the information network. It is a further limitation of the prior art system that if the root key is itself compromised then the system for private key replacement is vulnerable.
It would be advantageous to provide a method and a system for the secure transfer of private encryption keys via a widely distributed information network, such as for instance the Internet. The system would allow a key provider to establish a communication path between the customer, for instance the user of a computer system, and the key provider, which path is substantially secure to a level of trust that is determined in dependence upon the key provider system. Advantageously, the security of the “secure” communication path is other than limited by the security level of the customer. Further advantageously, the level of security of the communication path is approximately a same level for every transaction involving the key provider, such that a client of the customer is assured a minimum predetermined level of trust that is related to the key provider.