These inventions relate to systems and methods for providing a verifiable chain of evidence and security for the transfer and retrieval of documents and other information objects in digital formats.
The continuing evolution of the methods of commerce is evident in the increasing replacement of paper-based communications with electronic communications. When communication is by electronically reproduced messages such as e-mail, facsimile machine, imaging, electronic data interchange or electronic fund transfer, however, there no longer exists a signature or seal to authenticate the identity of a party to a deal or transaction. The traditional legally accepted methods of verifying the identity of a document's originator, such as physical presence or appearance, a blue-ink signature, personal witness or Notary Public acknowledgment, are not possible.
To address these problems, a document authentication system (DAS) has been described that provides the needed security and protection of electronic information objects, or electronic documents and other information objects, and that advantageously utilizes an asymmetric cryptographic system to help ensure that a party originating an information object is electronically identifiable as such. This system is one aspect of the methods and apparatus for secure transmission, storage, and retrieval of information objects that are described in U.S. Pat. Nos. 5,615,268 and 5,748,738, both to Bisbee et al., and in U.S. patent application Ser. No. 09/072,079 filed on May 4, 1998, and Ser. No. 09/452,928 filed on Dec. 2, 1999, both by Bisbee at al. These patents and applications are expressly incorporated by reference in this application.
As an initial matter, it will be helpful to understand the following terminology that is common in the field of secure electronic commerce and communications.
“Public key cryptography (PKC)” uses pairs of cryptographic “keys”, each pair having a private (secret) key and a public key, that are associated with respective registered users. The public keys are published for anyone to use for encrypting information intended for the respective users. Only the holder of the paired private key can read information, i.e., an electronic document or more generally an information object, that was encrypted using the respective public key. Conversely, an electronic document that is “digitally signed” using a user's private key can be verified as that user's by anyone who knows the user's public key. The encrypt and decrypt functions of both keys are truly “one-way”, meaning that no one can determine a private key from the corresponding public key, and vice versa, which in popular PKC systems is due to the fact that, at least currently, finding large prime numbers is computationally easy but factoring the products of two large prime numbers is computationally difficult. Example PKC algorithms, which comply with applicable government or commercial standards, are the digital signature algorithm (DSA/RSA) and secure hash algorithm (SHA-1/MD5).
Various aspects of public-key cryptographic (PKC) systems are described in the literature, including R. L. Rivest et al., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM vol. 21, pp. 120–126 (February 1978); M. E. Hellman, “The Mathematics of Public-Key Cryptography”, Scientific American, vol. 234, no. 8, pp. 146–152, 154–157 (August 1979); and W. Diffie, “The First Ten Years of Public-Key Cryptography”, Proceedings of the IEEE, vol. 76, pp. 560–577 (May 1988). It can also be noted that for a PKC system, as for other cryptographic systems, the system's strength, i.e., the computational effort needed to break an encrypted message, depends to a great extent on the length of the key, as described in C. E. Shannon, “Communication Theory of Secrecy Systems”, Bell Sys. Tech. J. vol. 28, pp. 656–715 (October 1949).
A “holographic signature” means a handwritten signature. A “digitized holographic signature” means a handwritten signature that has been captured electronically, e.g., by using a stylus pad or scanner to create a bit image of the holographic signature.
A “digital signature” is an unforgeable data element, which asserts that the user(s) corresponding to the digital signature wrote or otherwise agreed to the contents of an electronic document or other information object to which the digital signature is appended. A digital signature is typically created by “hashing” the electronic document, encrypting the resulting hash (integrity block) using the user's private (secret) key, and appending the encrypted hash to the electronic document.
An “authentication certificate” is an unforgeable digitally signed data element that binds a user's public key to the user's identity information and that advantageously, but not necessarily, conforms to the international standard X.509 version 3, “The Directory-Authentication Framework 1988”, promulgated by the International Telecommunications Union (ITU). Each authentication certificate includes the following critical information needed in the signing and verification processes: a version number, a serial number, an identification of the Certification Authority (CA) that issued the certificate, identifications of the issuer's hash and digital signature algorithms, a validity period, a unique identification of the user who owns the certificate, and the user's public cryptographic signature verification key. Authentication certificates are issued and digitally signed by a CA that is responsible for insuring the unique identification of all users.
An authentication certificate is a digital “ID”, much like a driver's license or other documentation that is used to verify a person's identity. The e-original public key infrastructure can use the X.509v3 certificate that is based on an ISO/ITU standard, as interpreted by the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) recommendations. These certificates are digitally signed by the issuing Certification Authority, which ensures both content and source integrity. The act of digitally signing makes the certificates substantially tamper-proof, and therefore further protection is not needed. The intent of the certificate is to reliably associate (bind) a user's name to the user's public cryptographic key. The strength of protection equates directly to the strength of the algorithm and key size used in creating the issuer's digital signature (hash and digital signature algorithms). A certificate therefore securely identifies the owner of the public key pair, which is used to provide authentication, authorization, encryption, and non-repudiation services. A typical certificate has the following form:    [Version, Serial No., Issuer Algorithm (Hash & Digital Signature), Issuer Distinguished Name (DN), Validity Period, Subject DN, Subject Public Key Info, Issuer Unique Identifier (optional), Subject Unique Identifier (optional), Issuer Public Key, Extensions (e.g., Subject Alt Name)]Issuer Digital Signature    A unique DN is formed by concatenating naming specific information (e.g., country, locality, organization, organization unit, e-mail address, common name).
Certificate extensions can also be used as a way of associating additional attributes with users or public keys, and for managing the public key infrastructure certificate hierarchy. Guidance for using extensions is available in the recommendations of ITU X.509v3 (1993)|ISO/IEC 9594–8:1995, “The Directory: Authentication Framework” or in IETF Internet X.509 Public Key Infrastructure Certificate and CRL Profile<draft-ietf-pkix-ipki-part1-11>.
A user's authentication certificate is advantageously and preferably appended to an electronic document with the user's digital signature so that it is possible to verify the digital signature. Alternatively, the certificate may be retrieved from the issuing CA or directory archive.
“Public Key Infrastructure (PKI)” is the hierarchy of CAs responsible for issuing authentication certificates and certified cryptographic keys used for digitally signing and encrypting information objects. Certificates and certification frameworks are described in C. R. Merrill, “Cryptography for Commerce—Beyond Clipper”, The Data Law Report, vol. 2, no. 2, pp. 1, 4–11 (September 1994) and in the X.509 specification, which are expressly incorporated by reference in this application.
As described in the cited patents and application, an electronic original object having the same legal weight as a blue-ink-signed paper document (e.g., a negotiable instrument) is made possible by contract and by the PKI and associated technology. An electronic document, or more generally an information object, is created, and the information object is executed by appending one or more digital signatures and authentication certificates. Control of the resulting digitally signed information object is then transferred to a Trusted Custodial Utility (TCU) that is a trusted third-party repository of information objects and that is specifically designed and empowered by contract to store reliably any such object for its full effective life. The contractual aspect is an agreement between the TCU and the party submitting or relying on a digitally signed object to be bound by their digital signatures and to accept reliance on the TCU as custodian of the information objects.
The TCU implements defined business rules for the transactions handled by the TCU (i.e., a complete set of authorized actions). The TCU also implements a defined security policy (i.e., a set of protective measures that is necessary to prevent unauthorized actions). The TCU uses its business rules and security policy to govern transaction requests and access to the repository over the respective life cycles of all documents and objects within its control, verifying the identities and authorities of parties (local and remote) requesting repository services. The TCU securely stores and securely retrieves digitally signed, authenticated, and encrypted electronic documents or information objects. Upon request, the TCU prints and issues certified documents. The TCU advantageously supports a multi-port token server for proving document authenticity, for verifying the identities of signing parties, and for authenticating document submissions. The TCU provides for backup and disaster recovery, and ensures that stored information is not lost within a specified retention period, whether that period is specified by a user, law, or regulation.
A “wrapper” is used to securely hold and associate digitized handwritten and cryptographic digital signatures with part or all of one or more electronic information objects contained therein. Wrappers may take the form of any open standard enveloping or information object (document) formatting schemas. Two examples are the RSA Public Key Cryptographic Standard (PKCS) #7 and the World Wide Web Consortium (W3C) Extensible Markup Language (XML) Signature Syntax and Processing Draft Recommendation. The RSA PKCS #7 standard supports zero, one, and multiple parallel and serial digital signatures (cosign and countersign). PCKS #7 supports authenticated and unauthenticated attributes that are associated with the “signature block”. The signer's digital signature is usually computed over the hash of the information object and authenticated data. An unauthenticated attribute is not protected. Some other formats that provide support for signature syntax, processing and positioning (tags) are S/MIME, HTML, XHTML, and XFDL. Any of these wrapper formats can be applied recursively and markup languages extended to provide signature and protection layering.
A “signature block” includes at least two components: signer information and certificate information. Signer information contains the hash of the information object(s) (content) with an authenticate attribute, digital signature, and unauthenticated attribute appended. A hash is computed over both information object(s) hash and authenticated attribute fields and encrypted using the signer's private key thereby creating a digital signature. The authenticated attribute field contains pertinent additional information relating to the act of signing and is protected by the signer's digital signature. The unauthenticated attribute can be used to convey additional information to the TCU and/or by the TCU to document when the signature arrived at the TCU. Certificate information contains the signer's X.509 certificate. It may also contain some form of attribute certificate signed by a TCU recognized issuing authority. This attribute certificate is used to convey additional qualifying information about the signer that may aid the TCU in making access control decisions.
With all of the advantages of electronic original information objects that are provided by the U.S. patents and application incorporated by reference above, it is important to realize that a digital signature is not valid indefinitely but only during the validity period of its authentication certificate. The validity period of an authentication certificate is also not indefinite but typically is set so as to limit the chances for compromise of the digital signature, e.g., as a result of theft of the secret signature key or decreased cryptographic viability. Validity periods can be in the range of one year to three years, although other periods are also possible. A TCU's authentication certificate's validity period is normally longer than the validity period of a user's certificate, and the cryptographic strength of a TCU's certificate is normally stronger than that of a user's certificate. For these reasons and because of the TCU's verification of content integrity and of digital signature(s) and certificate(s) validity on receipt of an information object, the validity period of the TCU's digital signature as conveyed in the TCU's certificate may supersede, or extend, the validity period(s) of the received information object's digital signature(s), provided the TCU physically protects the received object's contents from external tampering.
Such extension is not unlimited, however, because the validity period of a TCU's signature is itself limited. This poses a problem for information objects that are intended to have legal weight for periods longer than the remaining validity period of a TCU's signature.
In addition, the process of generating e-original objects can provide the evidence necessary to establish the transfer of interests in a “transferable record” since it reliably establishes a document's issuer/owner as the person to which the transferable record was issued or transferred. A “transferable record” means an information object, an interest in which the owner/issuer has expressly agreed is transferable. In particular, a single authoritative copy of the transferable record exists which is unique, identifiable, and unalterable, except that copies or revisions that add or change an identified assignee of the authoritative copy can be made only with the consent of the person asserting control and that each copy of the authoritative copy and any copy of a copy is readily identifiable as a copy that is not the authoritative copy. Also, the authoritative copy identifies the person asserting control as the person to which the transferable record was issued, or if the authoritative copy indicates that the transferable record has been transferred, the person to which the transferable record was most recently transferred. Also, the authoritative copy is communicated to and maintained by the person asserting control or its designated custodian, and any revision of the authoritative copy is readily identifiable as authorized or unauthorized.
In general, however, an e-original may be, but is not required to be, a transferable record. In other words, not all e-originals are transferable records, but transferable records are e-originals. This can be important to information objects such as agreements that may be executed in any number of “counterparts”, each of which should be an e-original with the same effect as if the signatures on the various counterparts were upon one document. A “counterpart” of an agreement or information object is one of possibly many e-originals that are replicas of an agreement or object that may be executed separately, with each counterpart being an original with the same effect as if the signatures on the counterparts were upon the same original.
Agreements may also be executed collaboratively by incorporating multiple signatures within the same document. Collaborative execution may take place non-sequentially at one or more locations. The process of applying multiparty or multiple signatures refers to execution of an agreement where multiple digital signatures are applied either at one time, sequentially, or in parallel.
With all of the advantages of e-original information objects that are provided by the U.S. patents and applications incorporated by reference above, it is important to realize that where transferable records are concerned, copies of an information object that exist outside of the control of a TCU must not be able to be mistaken for an e-original, i.e., the transferable record itself. An e-original may be effective as a blue-ink-signed paper document since one or more digital signatures are applied during execution of an electronic document and control of the resulting digitally signed electronic document is transferred to a TCU, which is a trusted repository of e-original objects that reliably and securely stores e-originals for their full effective lives. On receipt of a digitally signed electronic document, a TCU verifies the authenticity of the electronic document, i.e., verify the integrity of the document's contents, the validity of all digital signatures and associated authentication certificates (e.g., ITU X.509v3 certificates), and the authority of the document's submitter. A successful authenticity verification attests to the legitimacy of the submitted electronic document. The TCU then creates the e-original by appending a date-time stamp and its digital signature and certificate (signature block). This TCU action demonstrates the TCU's assumption of control of the e-original.