Secure yet facile delivery of information is an important goal in the field of electronic communications. Confidentiality and integrity are especially important for communicating certain types of information. For the individual, this may include financial information and medical information. Various schemes employing encryption have been developed to address the security issues related to electronic messages and, in particular, electronic mail messages.
U.S. Pat. No. 5,751,814 discloses a method for transmitting and receiving encrypted messages which includes the steps of encrypting the text of the message to be sent and concatenating the encrypted text together with a password to the end of a decryption application to produce a combined file. The combined file is then converted to an electronic mail format and sent to a designated recipient. To decrypt the sent message, the recipient must de-concatenate the file into its constituents and run the decryption application, using password input from the individual seeking to decrypt the message. If the password inputted by the individual matches the password concatenated with the encrypted message and decryption application, the decryption application is activated and decrypts the encrypted message.
This system is insecure and therefore disadvantageous for the following reasons. First, the combined file contains the password and hence an assault on the combined file by an unauthorized party could yield the password. Second, the decryption application of the combined file is capable of decrypting the encrypted message and only requires password-activation to do so. Since the function of the password is only to activate the decryption application, an unauthorized person could de-concatenate the combined file and seek to activate the decryption application or a derivation thereof without using the password. In view of these two disadvantages, it is clear that a more secure system for sending and receiving messages would be one which does not include the password in the sent message or in any file connected thereto and which employs the password not to simply activate decryption by the decryption program but as an essential component of the decryption process itself. Still another disadvantage of the system of U.S. Pat. No. 5,751,814 is that, since it does not employ a script or applet type decryption program which can be executed from within an Internet communications application from anywhere, the scope of the devices with which the system can be used to receive and decrypt electronic mail messages is limited by the potential requirement for having additional software applications installed on the device.
In view of the above, the invention provides computer-enabled methods and systems for the secure transmission and platform-independent receipt and decryption of encrypted messages, using secret-key cryptography. Further, no passwords, unencrypted or encrypted, are included in encrypted messages sent according to the invention, or in files combined with or associated with the messages. Still further, a decryption of encrypted messages cannot be obtained by operating the decryption program of the present invention without providing the correct password.
According to the invention, prepared messages are encrypted by a symmetric encryption algorithm using a secret key. In one embodiment of the invention, the secret key is a password known to both the sender and the intended recipient. In an alternative embodiment of the invention, the secret key is a hash value of a password, which password is known to the intended recipient and which hash value is generated by and known to the sender. The recipient is also sent a decryption computer program which, upon input of the correct password, either uses the password as the secret key or uses the password to generate the secret key, depending on the embodiment of the invention. The decryption program then uses the secret key with the symmetric algorithm to decrypt the encrypted message.
Since the encrypted messages and the corresponding decryption programs of the invention can be sent together to the recipient and can be accessed by the recipient using the same device, the invention provides that messages can be securely sent to and decrypted by the intended recipient, who provides the correct password, from any suitable platform capable of running the decryption program so that the decryption program receives password input and can apply the secret key based thereon with the symmetric algorithm to decrypt the encrypted message. In this manner, the confidentiality of sent and received messages is maintained.
The invention further provides for ensuring the integrity of sent and received messages through the comparison of a hash value generated for a given message (before encryption) by the sending system with that generated by the recipient for a putative decryption of the encrypted message.
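The following is an added worked example, not code from the patent, showing the second embodiment described above (secret key = hash value of the password, generated by the sender and regenerated by the recipient from the password) together with the integrity check (hash of the message taken before encryption, compared against the hash of the putative decryption). The patent does not name a symmetric algorithm; the example uses an HMAC-SHA-256 keystream in counter mode as a stand-in for one, and the 16-byte nonce prefix, the envelope field names and the sample bank-statement text are assumptions of the example. Note for practitioners: a single SHA-256 of the password is a fast key derivation, so a deployed system would use a slow password-based KDF instead, and a plaintext hash carried alongside the ciphertext detects accidental corruption and wrong-password decryptions but is not a message authentication code.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: per-message random nonce prefixed to the ciphertext


def derive_secret_key(password: str) -> bytes:
    """Second embodiment on the page: the secret key is a hash value of the password.

    The sender computes this from the password it knows; the recipient's decryption
    program recomputes it from the password entered. The password itself is never
    stored in or sent with the message.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream for a symmetric stream construction (PRF in counter mode).

    Stand-in for the unnamed symmetric algorithm of the patent.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_message(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt with the secret key; output is nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    keystream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return nonce + ciphertext


def decrypt_message(blob: bytes, key: bytes) -> bytes:
    """Recover the plaintext from nonce || ciphertext using the same secret key."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    keystream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def prepare_envelope(plaintext: bytes, password: str) -> dict:
    """Sender side: hash the prepared message before encryption, then encrypt it.

    The envelope carries only the ciphertext and the integrity digest; no password,
    encrypted or not, is included.
    """
    key = derive_secret_key(password)
    return {
        "ciphertext": encrypt_message(plaintext, key),
        "digest": hashlib.sha256(plaintext).hexdigest(),
    }


def open_envelope(envelope: dict, password: str):
    """Recipient's decryption program: derive the key from the entered password,
    decrypt, and compare the hash of the putative decryption with the sender's digest.

    Returns the plaintext on success, or None when the digests differ (wrong
    password or a modified ciphertext).
    """
    key = derive_secret_key(password)
    putative = decrypt_message(envelope["ciphertext"], key)
    recomputed = hashlib.sha256(putative).hexdigest()
    if not hmac.compare_digest(recomputed, envelope["digest"]):
        return None
    return putative


# Constructed sample statement, standing in for a prepared bank message.
SAMPLE_STATEMENT = b"Account 000123: balance 1,250.00; last activity: deposit 200.00"


def demo() -> bool:
    envelope = prepare_envelope(SAMPLE_STATEMENT, "correct-password")
    good = open_envelope(envelope, "correct-password") == SAMPLE_STATEMENT
    wrong = open_envelope(envelope, "wrong-password") is None
    return good and wrong


if __name__ == "__main__":
    print("round trip and wrong-password rejection:", demo())
```

Because the key is regenerated from the password on the recipient's side and the ciphertext is useless without it, running the decryption program with no password or a wrong one yields only bytes whose hash fails the integrity comparison.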
The communications medium over which messages are sent according to the invention may be, but is not limited to, a communications network such as the Internet. In embodiments of the invention where the messages are electronic mail messages, the messages may be formatted in hypertext markup language (HTML) so that they can be accessed from anywhere via the world wide web using a web browser program or similar Internet application supported by a suitable device. In this case, the decryption program may be sent with the electronic mail in the form of an applet or script that can be executed by the web browser.
The invention also provides for the suitably secure delivery of periodic and non-periodic statement and transaction information from commercial entities to consumers and/or clients of any sort. In this case, the commercial entity may be a consumer financial service provider such as, but not limited to, a banking institution or a brokerage firm and the consumers may be individual customers thereof. For example, in one such embodiment, the method of the invention involves periodically preparing messages with a specific bank customer's current account information including the account identification number, the account balance and account activity. The prepared bank statement is then encrypted and sent to the customer to be received and decrypted by the customer.