The present invention relates to data communications systems and, more particularly, to the secure processing of messages therein using public key cryptography. The invention finds particular, though not exclusive, application to the generation of digital signatures.
Public key cryptographic algorithms are widely used to authenticate the origin of or ensure the security or integrity of messages in data communications systems. Various types of such algorithms exist, of which one well known variant is the RSA algorithm. A general introduction to public key cryptography and the RSA algorithm can be found in: Meyer and Matyas, 'Cryptography: A New Dimension in Computer Data Security', pages 32-48, Wiley 1982. These algorithms have some distinct advantages over the more traditional symmetric key algorithms. In particular, they provide the ability for a key to be published or certified so that any independent third party can receive and verify a message without reference to a central authority.
One example of the use of public key cryptography in data communications is in the generation of digital signatures. The principle behind these techniques is the creation of a public digital value, the signature, which depends on a message to be transmitted and the signing user, so the receiving user can be sure that the sending user, and no other user, could create the signature value, and that the user created the signature value for this message and no other.
In such systems, the party signing a message has a private key for which there exists a corresponding public key. The public key is available so that anyone can use it to decrypt data which the signer encrypts using the private key, but no-one can create such encrypted data without access to the private key.
Typically, the signer produces a hash value from the message using a strong hash algorithm, such that the chance of another message resulting in the same value is extremely low. The means of calculating this value is public knowledge but there is no feasible way to determine a different message which results in the same value. The signer encrypts the value using the private key, and sends the message and the encrypted value to the recipient. The encrypted value is generally known in the art as a "digital signature".
The recipient can use the public key to decrypt the value, and can test whether the calculation on the message produces the same value. If it does, this satisfies the recipient that the message was the one signed because there is no feasible way to calculate another message which produces the same value. The recipient can also be sure that the signer did indeed sign the message because no-one can create the encrypted value without access to the private key.
However, such public key encryption schemes are computationally intensive and demand substantially higher computing resources, such as processing power and memory requirements, for encryption and decryption than symmetric key schemes.
In many applications of public key cryptography to data communications, the message must be processed under the control of a security device and presented by the user. The security device may be a home computer terminal or a portable device such as a smart card, PCMCIA card or laptop computer. Whilst methods have been proposed to enable messages to be signed with much less computational effort than they can be verified, such as in the U.S. Department of Commerce/National Institute of Standards and Technology (NIST) Digital Signature Standard published in Federal Information Processing Standard (FIPS) 186, May 19, 1994, the situation remains that, using current technology, in many cases it is not practical or cost-effective to provide such security devices with the necessary processing power or memory to perform sufficiently strong public key processing in an acceptable time.
Various methods have been proposed in the prior art to enable such a security device to perform the public key processing with the aid of a powerful server computer, without requiring the security device to reveal the secret key to the server. Examples of these techniques can be found, for example, in: Laih et al, 'Two efficient server-aided secret computation protocols based on the addition sequence', Advances in Cryptology, Asiacrypt 91 Proceedings, 1993, pp. 450-459.
Whilst these methods go some way to alleviating the problem, they suffer from several disadvantages inherent in storing the secret key on a device in the possession of the user.
First, it is possible the device may be probed to obtain the secret key.
Secondly, if the signer's private key is compromised, a different user might use it to process messages. In this circumstance, a means is required to revoke the secret key so the unauthorised user can no longer use it. Since the security devices are not connected to the system at all times and could be reconnected to the system at any point, withdrawing or preventing use of the secret keys is, in practice, very difficult. Typically this has been achieved using various types of user blacklists. However, there are many practical difficulties associated with controlling, updating and verifying the authenticity of such lists, particularly over widespread networks.
Furthermore, since some smart card implementations which make use of public key algorithms for signing purposes cannot generate the user's public and private key pair within the smart card, there are potential security exposures when the key is initially loaded into the security device. This is because the key generation algorithm is quite complex, more so than the encryption and decryption functions. Therefore if it is required to store the secret key on the card then it may also be required to generate the secret key off the card and to enter it onto the card during an initialisation process. This initialisation process inevitably exposes the key to some degree.
European Patent Application EP 0 725 512 A2 describes a communications system in which messages are processed using public key cryptography with a private key unique to one or more users under the control of a portable security device held by the, or each, user, the system comprising: a server for performing public key processing using the private key, the server being adapted for data communication with the portable security device; characterised in that the server comprises, or has access to, data storage means in which is stored in a secure manner the private key for the, or each, user in encrypted form only, the private key being encrypted with a key encrypting key, the server comprising secure processing means to receive a message to be processed from the user, retrieve the encrypted private key for the user, decrypt the private key using the key encrypting key, perform the public key processing for the message using the decrypted private key, and delete the key encrypting key and decrypted private key after use, and in that each security device comprises means for storing or generating the key encrypting key and providing the key encrypting key to the server and means for specifying a message to be processed, the system being arranged so that communication of at least the key encrypting key to the server is secure and so that the server can only use the key encrypting key to process the message specified by the user.
In the communication system described in EP 0 725 512, the public key algorithm is performed by a secure server. However, the server has access only to an encrypted form of the private key. A portable security device controls the public key processing by providing the server with a key to enable the server to decrypt the private key, use it, and delete the private key after use.
The present invention is directed to the problem of providing a secure method of enabling messages to be processed using public key processing on behalf of an authorised user in such a manner that it can be shown that only the authorised user could have authorised the processing of a particular message, without requiring any cryptographic algorithms or keys to be retained by the authorised user.
To solve this problem, in accordance with the present invention there is now provided a communications system for processing messages using public key cryptography with a private key unique to one or more users, the system comprising: server means adapted for data communication with a client via a network, the server means comprising first data storage means for storing in a secure manner a private key for the or each user, the private key being encrypted with a key encrypting key; characterised in that the server means further comprises second data storage means in which is stored applet code executable on the client, the server providing the applet code to the client via the network in response to connection of the client to the server via the network; the applet code comprising secure processing means operable, when executed in the client, to receive a message to be processed from the user, to retrieve the encrypted private key for the user from the server means via the network, to receive the key encrypting key from the or each user, to decrypt the private key using the key encrypting key, and to perform the cryptographic key processing for the message using the decrypted private key; the applet code and the associated keys being removed from the client on termination of the applet code.
Preferably, the secure processing means is operable, when executed in the client during initial registration of a registering user, to generate the private key and an associated public key, to receive a key encrypting key from the registering user, to encrypt the private key using the key encrypting key received from the registering user, and to send the encrypted private key and public key from the client to the server means for storage in the first data storage means.
In preferred embodiments of the present invention, the server means comprises a key server for storing the encrypted private key, a web server connected to the network, and a fire-wall connecting the web server to the key server, the key server supplying the private key to the client via the web server.
Viewing the present invention from another aspect, there is now provided a method for processing messages using public key cryptography with a private key unique to one or more users, the method comprising: storing in a secure manner, in a server means adapted for data communication with a client via a network, a private key for the or each user, the private key being encrypted with a key encrypting key; storing in the server means applet code executable on the client; transmitting the applet code from the server to the client via the network in response to connection of the client to the server via the network; supplying secure processing means to the client via the applet code; receiving by the client via the secure processing means, a message to be processed from the user; retrieving by the client via the secure processing means, the encrypted private key for the user from the server means via the network; receiving by the client via the secure processing means, the key encrypting key from the user; decrypting in the client via the secure processing means, the private key using the key encrypting key; performing in the client via the secure processing means the cryptographic key processing for the message using the decrypted private key; and, removing from the client the applet code and the associated keys and algorithms on termination of the applet code.
The method preferably comprises: generating, in the client via the secure processing means during initial registration of a registering user, the private key and an associated public key; receiving a key encrypting key from the registering user; encrypting, in the client via the secure processing means during initial registration of a registering user, the private key using the key encrypting key received from the registering user; and sending the encrypted private key and public key from the client to the server means for storage in the first data storage means.
Viewing the present invention from yet another aspect, there is now provided a server computer system for a communications system in which messages are processed using public key cryptography with a private key unique to one or more users, the system comprising: communication means for communicating data with a client via a network; first data storage means for storing in a secure manner a private key for the or each user, the private key being encrypted with a key encrypting key; characterised in that the server system further comprises second data storage means in which is stored applet code executable on the client, the server providing the applet code to the client via the network in response to connection of the server to the client via the network; the applet code comprising secure processing means operable, when executed in the client, to receive a message to be processed from the user, to retrieve the encrypted private key for the user from the server means via the network, to receive the key encrypting key from the user, to decrypt the private key using the key encrypting key, and to perform the cryptographic key processing for the message using the decrypted private key; the applet code and the associated keys and algorithms being removed from the client on termination of the applet code.
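The registration and signing flows claimed above, written out as an added Go example (not code from the patent): Register stands in for the applet during initial registration and Sign for the applet at message-processing time, with the user's passphrase playing the role of the key encrypting key. AES-GCM as the wrapping cipher, RSA PKCS#1 v1.5 as the public key algorithm and the salted-hash key derivation are assumptions, not specified by the patent.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// kek turns the user's passphrase into an AES-256-GCM key encrypting key (salted SHA-256 is a constructed stand-in for a real password KDF).
func kek(pass string, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(pass), salt...))
	b, _ := aes.NewCipher(k[:]) // 32-byte key: NewCipher cannot fail
	g, _ := cipher.NewGCM(b)
	return g
}

// Register models the applet at initial registration: the key pair is generated in the client and only the wrapped private key (nonce || AES-GCM ciphertext of the PKCS#1 encoding) and the public key go to the server.
func Register(pass string, salt []byte) (wrapped []byte, pub *rsa.PublicKey, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	g := kek(pass, salt)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	der := x509.MarshalPKCS1PrivateKey(priv)
	defer clear(der) // plaintext key material does not outlive the call
	return g.Seal(nonce, nonce, der, nil), &priv.PublicKey, nil
}

// Sign models the applet at signing time: unwrap the record fetched from the server with the user's KEK, sign the message hash, then scrub the plaintext key.
func Sign(wrapped []byte, pass string, salt, msg []byte) ([]byte, error) {
	g := kek(pass, salt)
	n := g.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("malformed key record")
	}
	der, err := g.Open(nil, wrapped[:n], wrapped[n:], nil)
	if err != nil {
		return nil, errors.New("wrong key encrypting key") // GCM tag check failed
	}
	defer clear(der)
	priv, _ := x509.ParsePKCS1PrivateKey(der) // der came from Register and was GCM-authenticated
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
```

The server only ever sees the wrapped record and the public key; a wrong passphrase fails the GCM tag check, so no signature is produced and nothing about the private key is revealed.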