When communicating over an unsecured public network, such as the Internet, it may be desirable to allow users to securely and privately exchange data. Such security may be particularly desirable when a user is requesting one or more services from a service provider, such as an online store. One method used to enhance security is to encrypt communications between parties. While encryption may prevent a user without a decryption key from reading or eavesdropping on the communications, encryption alone does not verify that the user requesting the service is not an impostor.
One method to verify the identity of a user requesting services, is to require the user to register with the service provider before engaging in a transaction. By providing the right username and password, the user's identity may be verified. Notwithstanding the additional security provided by this identity verification technique, an impostor may still steal the user's password and username. Additionally, this approach may require a user to remember multiple username and password combinations for different service providers.
Another method for identity verification is public key cryptography. Public key cryptography involves the use of asymmetric public-private key pairs. A user may maintain the private key which may be used to decrypt messages that are encrypted using a well-known public key. The private key may also be used to sign messages sent from the user to a service provider. The service provider may verify the authenticity of the signature using the public key. Although a user may not have to remember a user name and password, public key cryptography may not be suitable for identity verification when an impostor steals a given user's communication device. Additionally, if the impostor has gained control or corrupted the user's communication device, then the impostor may have direct access to the private key.
To enhance the security of public key cryptography identity verification, a public key infrastructure (PKI) may be established. In a PKI, a certificate authority may issue digital certificates in response to verifying a request for a digital certificate from a user. So long as the service provider trusts the certificate authority, and the user certificate can be verified, the user's identity may be verified. However, because the user certificate is stored in a key store at the certificate authority or in the user's communication device, an impostor may steal the identity of the user by gaining access to, or control of, the certificate authority and/or the user's communication device.