Network security measures are becoming increasingly important as the contexts in which communication and information sharing take place expand in scope and location. Public network applications such as instant messaging systems on the open Internet provide only minimal security based on simple login procedures. In addition, the increased popularity of portable computing devices (i.e., PDA's, cell phones, etc.) has resulted in a greater need for the ability to share information between devices in environments where fixed network infrastructure varies or does not exist. Peer-to-peer networks can be established between the devices so that information can be shared. Each party in a peer-to-peer network has the same capabilities and either party can initiate a communication session.
The security of such networks generally comprises two aspects: encryption and authentication. A common security method is to use public-key infrastructure (PKI) for encryption. PKI works by providing each user with two “keys”—one that is public and one that is private. The private key is available only to the user. The public key is available to anyone via the user's digital certificate. The public key is used for encryption, while the private key is used for decryption. When an individual wants to transmit information securely, the individual encrypts the information with the public key of the recipient. That way, only the recipient has the correct private key to decrypt it.
In server-supported PKI networks, a central digital certificate authority can guarantee (by digitally signing) the identity of a digital certificate holder. But in networks where a central digital certificate authority is not present, the users generate or obtain their own digital certificates. Such a network is termed an “insecure network”. As there is no central authority to guarantee identities, authentication must be carried out between peers. Authentication provides an assurance of the identity of a peer user in the network. Authentication is meant to counter impostor and man-in-the-middle attacks, where an intruder impersonates a trusted identity to establish a connection to a valid user and to intercept information.
Peer-to-peer authentication methods often include an interactive process by which compressed versions of the peer's digital certificate (called a digital fingerprint) are compared. The comparison may take place in real time at the moment when both peers are available online. One peer receives a copy of another peer's digital certificate via a network connection and generates a digital fingerprint from it. The peer then compares the digital fingerprint with a digital fingerprint generated by the other peer using the same transformation. This comparison is done using a communication outside the network. Examples of such “out-of-band” communications include a communication via phone, voice, face-to-face visual or facsimile.
The numeric representation used for the digital fingerprint is meant to be so large as to make it computationally infeasible for an impostor to easily generate the digital fingerprint. Digital fingerprints produced by these methods typically use 128 or 160 bits, resulting in hexadecimal representations of 32 or 40 digits, respectively. Unfortunately, the size of the digital fingerprints makes it difficult for two users to efficiently communicate and compare such large values. As a result, many users find the overhead of employing such security methods intrusive enough that they do use them.
Accordingly, a need exists in the art for a relatively efficient solution for peer-to-peer authentication while still providing an acceptable level of security. A further need exists for such a solution that makes it relatively easy for individuals to perform peer-to-peer authentication.