As used herein, an electronic communication. (“EC”) is considered to be any communication in electronic form. ECs have become an integral part of transacting business today, especially with the growth of the Internet and e-commerce. An EC can represent, for example, a request for access to information or a physical area, a financial transaction, such as an instruction to a bank to transfer funds, or a legal action, such as the delivery of an executed contract.
Over recent years, digital signatures also have become an important part of e-commerce. The origination of a digital signature generally comprises: (1) the calculation of a message digest—such as a hash value; and (2) the subsequent encryption of the message digest. The message digest is encrypted by an electronic device generally using a private key of a key pair used in public-private key cryptography (also known as asymmetric cryptography). The resulting ciphertext itself usually constitutes the digital signature, which typically is appended to the message to form the EC. The second part of originating the digital signature—using encryption with a private key—is referred to herein as “generating” the digital signature, and the combined two steps is referred to herein as “originating” the digital signature. Furthermore, while the generation of the digital signature is conventionally understood as the encryption of the message digest, it is contemplated herein that generating the digital signature also may include simply encrypting the message rather than the message digest. Digital signatures are important because any change whatsoever to the message in an EC is detectable from an analysis of the message and the digital signature. In this regard, the digital signature is used to “authenticate” a message contained within the EC (hereinafter referred to as “Message Authentication”).
For example, a message digest may be calculated by applying a hashing algorithm—such as the SHA-1 algorithm—to the message. The hashing algorithm may be applied either within the device or external to the device with the resulting hash value then being transmitted to the device for generation of the digital signature. In order to perform Message Authentication in this example, the recipient of the EC must know or be able to obtain both the identity of the hashing algorithm applied to the message as well as the public key (“PuK”) corresponding to the private key used to encrypt the message digest. With this knowledge, the recipient applies the appropriate hashing algorithm to the message to calculate a hash value, and the recipient decrypts the digital signature using the public key. If the hash value calculated by the recipient equals the hash value of the decrypted digital signature, then the recipient determines that the content of the message contained in the EC was not altered in transmission, which necessarily would have changed the hash value.
In performing Message Authentication, the recipient also authenticates the sender of the EC, in so much as the recipient thereby confirms that the sender of the EC possessed the private key corresponding to the public key used successfully to authenticate the message. This is one type of entity authentication and is based on what the sender “has” (hereinafter referred to as “Factor A Entity Authentication”). Factor A Entity Authentication is useful when the recipient of the EC has trusted information regarding the identity of the owner of the private key. Such trusted information may arise from a digital certificate issued by a trusted third party that accompanies the EC and binds the identity of the private key owner with the public key. This trusted knowledge also may comprise actual knowledge of the identity of the private key owner, such as in the case where the recipient itself has issued the private key or device containing the private key to the owner.
As will be appreciated, trust in the digital signature system depends upon the legitimate possession and use of the private key, i.e., upon the sender of the EC actually being the private key owner. A fraudulent use of a private key to generate a digital signature of an EC currently cannot be detected through the above-described Message Authentication and Factor A Entity Authentication procedures. The digital signature system therefore is susceptible to fraud if a private key of a device is stolen, either by discovery of the private key therein and subsequent copying and use in another device capable of generating digital signatures, or by physical theft of the device containing the private key.
To guard against discovery of a private key and subsequent copying and use in another device, devices are manufactured with electronic shielding, zeroization, auditing, tamper evidence and tamper response, and other security features that safeguard the private key (and other protected data) contained therein. Such security features include hardware, software, and firmware and are well known in the art of manufacturing secure computer chips and other devices having cryptographic modules.
The requirements of such security features are specified, for example, in Federal Information Processing Standards Publication 140-1, Security Requirements for Cryptographic Modules, US DOC/NBS, Jan. 11, 1994 (herein “FIPS PUB 140-1”), which is incorporated herein by reference and which is available for download at http://csrc.nist.gov/publications/fips; and Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, US DOC/NBS, May 25, 2001 (herein “FIPS PUB 140-2”), which is incorporated herein by reference and which is available for download at http://csrc.nist.gov/publications/fips. FIPS PUB 140-1 and 140-2 also define security levels that may be met by a device based on the device's security features, with each of these defined security levels generally representing a various level of difficulty—in terms of time and money—that would be encountered in attempting to discern a private key of a device. Currently, four security levels are defined with security level 4 being the highest level of security available.
Specifications for such security features also are set forth in Trusted Computing Platform Alliance Trusted Platform Module Protection Profile Version 0.45, TRUSTED COMPUTING PLATFORM ALLIANCE, September 2000; Trusted Platform Module (TPM) Security Policy Version 0.45, TRUSTED COMPUTING PLATFORM ALLIANCE, October 2000; and TCPA PC Implementations Specification Version 0.95, TRUSTED COMPUTING PLATFORM ALLIANCE, Jul. 4, 2001, which are incorporated herein by reference (collectively “TCPA Documents”), and which are available for download at http://www.trustedpc.com; and Common Criteria for Information Technology Security Evaluation, Smart Card Protection Profile, Draft Version 2.1d, SMART CARD SECURITY USER GROUP, Mar. 21, 2001, which is incorporated herein by reference (hereinafter “Smart Card Protection Profile”), and which is available for download at http://csrc.nist.gov.
To guard against fraudulent use of a device through theft of the device itself, a personal identification number (PIN), password, or passphrase (collectively referred to herein as “Secret”) is typically prestored within the device and must be input into the device before it will operate to generate digital signatures. Alternatively, the Secret is shared with the recipient beforehand and, when the EC later is sent to the recipient, the Secret also is sent to the recipient in association with the message. In the first case, verification of the Secret authenticates the user of the device (hereinafter “User Authentication”), and in the second case, verification of the Secret authenticates the sender of the EC (hereinafter “Sender Authentication”). In either case, confirmation of the Secret represents entity authentication based on what the user or sender “knows” (hereinafter “Factor B Entity Authentication”).
Another countermeasure against fraudulent use of the device through physical theft includes the verification of a biometric characteristic—like a fingerprint—of the user of the device or sender of the EC. This type of authentication is based on what the user or sender “is” (hereinafter “Factor C Entity Authentication”). As with the Secret, a biometric value is either maintained within the device for User Authentication, or is shared with the recipient beforehand for Sender Authentication by the recipient.
While Factor B Entity Authentication and Factor C Entity Authentication both reduce the risk of a fraudulent use of a device to generate a digital signature for a message, both also include significant drawbacks. For instance, if the Secret or biometric value is communicated to the recipient in association with a message for sender authentication by the recipient, then the Secret or biometric value first must have been shared with the recipient beforehand and safeguarded by the recipient as part of an established relationship. This conventional paradigm therefore precludes both Factor B Entity Authentication and Factor C Entity Authentication between entities having no such preexisting relationship.
This paradigm also exposes the Secret or biometric value itself to a greater risk of theft. First, the transmission of the Secret or biometric value for verification carries with it the risk of interception and discovery during transit. Second, the Secret or biometric value must be safeguarded by the recipient, thereby exposing the Secret to theft from the recipient. This is especially significant in the corporate context where a rogue employee may steal the safeguarded Secret or biometric value (insider fraud historically has been the greatest risk).
The potential damages also are extensive when the Secret or biometric value is stolen under this paradigm. Since it is difficult for an individual to remember multiple Secrets for multiple recipients, it is common for the same Secret to be used by an individual with different recipients. For example, with regard to credit cards, the same Secret usually is shared with all credit card companies as a matter of convenience, and usually comprises the mother's maiden name of the account holder. The theft of the Secret from one credit card company puts all of the other credit card accounts at jeopardy, at least until the Secret is changed. In the case of the theft of a biometric value, the damages are even more severe, as a person's biometric characteristic cannot be changed and, once lost, potentially compromises any future entity authentication therewith.
Alternatively, when the Secret or biometric value is prestored and maintained within the device for User Authentication, the risks associated with safeguarding of the Secret or biometric value by the recipient and associated with transmission of the Secret or biometric value to the recipient are avoided. In this conventional paradigm, the recipient does not actually perform the verification—it is done at the device level.
A drawback to this alternative paradigm, however, is that because the device remains inoperable until the correct Secret or biometric value of the user is entered, the recipient is unable to monitor repeated attempts to guess the Secret or biometric value. Furthermore, when the device is enabled by the entry of the correct Secret or a biometric value resulting in a match, the device typically remains enabled for a predefined period of time thereafter, such as until it is powered off or resets. Under this alternative paradigm, a recipient is unable to determine whether a particular EC sent during such a time period includes a fraudulently generated digital signature, as the device may have been stolen after being enabled but before its deactivation. Accordingly, while there is User Authentication under this alternative paradigm, there is no provision per se for Sender Authentication.
Yet another drawback is that this alternative paradigm does not particularly accommodate the use of the device to send ECs to different recipients when a biometric value is prestored and maintained within—and Factor C Entity Authentication is performed by—the device. In this regard, different recipients may have different requirements as to what constitutes a biometric “match” so as to be a successful verification; a biometric match is a determination of whether a biometric value input is sufficiently close to a stored biometric value so as to meet at least a minimum security threshold. A security threshold is subjectively set by each recipient and includes factors such as the nature of the communication and the extent of liability to the recipient for actions and responses based on a fraudulently sent EC. Different recipients cannot make their own match/no-match determinations based on their own requirements, standards, and criteria if each recipient does not receive beforehand the biometric value of the sender, make its own comparison thereof with each additional biometric value that is received in association with a message, and apply its own business judgment as to whether the comparison is sufficiently close so as to be a match.
Accordingly, a need exists for a new paradigm in which Factor B Entity Authentication and/or Factor C Entity Authentication is used, but in which the aforementioned drawbacks of the conventional paradigms that use such authentication procedures are overcome. In particular, a need exists for such a paradigm that provides for both User Authentication as well as for Sender Authentication using either or both of Factor B Entity Authentication and Factor C Entity Authentication, and all without requiring a recipient to safeguard either a Secret or a biometric value. In this regard, a need exists for such a paradigm in which Factor B Entity Authentication and Factor C Entity Authentication can be reliably inferred by the recipient without the recipient being privy to the authenticating information, thereby addressing privacy concerns. Furthermore, a need exists in such a paradigm for the recipient to be able to determine, in its own subjective business judgment, what constitutes a successful biometric match when Factor C Entity Authentication is used. A need also exists for such a paradigm in which the recipient is able to monitor repeated attacks on a device to guess a Secret or a biometric value, and for such a paradigm that further accommodates the use of a single device for the sending of ECs to various, unrelated recipients.