The present invention relates to a method for securing data relating to users of a public key infrastructure according to claim 1.
The present invention relates in particular to a method for securing data which are based on relations between certificate holders and institutions or closed user groups.
More particularly the present invention relates to a method for securing relational data, based on which, for example, business transactions are performed or access to a system may be granted by using an open, public certificate while privacy of the relations between certificate holders and institutions can be maintained.
The emergence of the World wide Web access to the Internet has been accompanied by recent focus on financial transaction vulnerabilities, crypto system weaknesses and privacy issues. Fortunately, technological developments also made a variety of controls available for computer security including tokens, biometric verifiers, encryption, authentication and digital signature techniques using preferably asymmetrical public-key approaches (see [1], Richard C. Dorf, THE ELECTRICAL ENGINEERING HANDBOOK, 2nd Edition, CRC-Press, Boca Raton 1997, chapter 97, pages 2221-2234 and [7], A. Menezes, P. van Oorschot, S. Vanstone, HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC-Press, Boca Raton 1997, chapter 1).
The basic objectives of encryption are secrecy, authentication (assurance of sender identity to recipient), and digital signatures (authentication plus assurance to sender and third parties that the signature had not been created by the recipient). This is normally referred to as non-repudiation, with further variants such as non-repudiation of origin, non-repudiation of sending and so on. Of further importance is integrity which means preventing interference in the information conveying process.
Almost all cryptosystems involve publicly known transformations of information, based on one or more keys, at least one of which is kept secret. The public-key cryptosystem disclosed 1976 by Diffie and Hellman is based on two keys, a private-key and a public-key, owned by users of this system.
As described in [2], U.S. Pat. No. 4,405,829 for the RSA cryptosystem explained below, the public-key cryptosystem provides enciphered communication between arbitrary pairs of people, without the necessity of their agreeing on an enciphering key beforehand. The Diffie and Hellman system also provides a way of creating for a digitised document a recognizable, unforgeable, document-dependent, digitised signature whose authenticity the signer cannot later deny.
The RSA cryptosystem (named after R. L. Rivest, A. Shamir and L. M. Adleman which in [2] are mentioned as inventors) is the most widely used public-key cryptosystem. RSA is a commutative transformation, which allows the private-key and the corresponding public-key to be used interchangeably as encryption and decryption keys, thus providing secrecy and authenticity on a secure channel between two parties A and B with no need for additional keys (see [1], pages 2225-2226).
Since, given only one key of an asymmetric key pair, it is practically infeasible to determine the other key, an owner A of a key pair may publish his public-key so that anyone can use this public-key to encrypt a message that only A can decipher with his private-key.
As described in [3], Marc Branchaud, A SURVEY OF PUBLIC-KEY INFRASTRUCTURES, Department of Computer Science, Mc Gill University, Montreal 1997, page 5, computing with public-key ciphers takes much longer than encoding the same message with a secret-key system. This has led to the practice of encrypting messages with a secret-key system such as DES and then encoding the secret-key with a public-key system such as RSA. In this case the public-key system securely transports the secret-key. In case that a message is sent secretly from A to B then, besides a secret-key, which is used optionally, only the key pair of B is used.
The described public-key system also allows owner A to sign a message to be sent to B with a digital signature. In this case the key pair of A is used. A encrypts the message or a corresponding hash of the message with his private-key which, on the other side of the transmission channel can be decrypted by B using A""s public key. One key pair can therefore be used to receive an encrypted message or to send a digitally signed message.
B (and any third parties), who can decrypt with A""s public-key a message signed by A, can therefore trust that A has signed the message as far as D can trust that the selected public-key truly belongs to A.
In order to ensure that public-keys can systematically be published and truly relate to the persons A, B, . . . indicated by attached public-key values, registration- and certification authorities (RA, CA) have been introduced to certify the relationship between a given key and a claimed identity.
According to [3], page 10 a public-key infrastructure, in its most simple form, is a system for publishing public-key values used in public-key cryptography. There are basic operations, namely registration, certification and validation, which are common to all public-key infrastructures.
Certification is the means by which registered public-key values, and information pertaining to those values, are published. A basic certificate therefore contains at least the public-key of the concerned subject, subject identification information, and identification information of the certifying authority.
The certificate is signed by the certifying authority with the certifying authority""s private-key and can be validated with the publicly known public-key of the certifying authority. In other words a certificate is therefore an encyrypted message issued by the certifying authority declaring that the therein contained public-key relates to the enclosed subject identification information.
As described in [3], pages 19-21, authentication is a process provided by a public-key infrastructure. When a certifying authority certifies an entity and a user then validates that certification, the entity is said to have been authenticated.
The degree to which a user can trust the certificate""s information and it""s validity is a measure of the strength of the authentication.
[4], U.S. Pat. No. 6,202,151 B1 describes a biometric certification system and method which implement an end-to-end security mechanism binding the biometric identification of consumers with digital certificates.
Users can also be authenticated through something possessed such as a token or a smart card. Tokens are, as described in [1], pages 2228-2229, hand-carried devices that are normally intended to increase password security by assuring that passwords are used only once, thereby reducing the vulnerability to password compromise. Tokens may contain internally an algorithm, which either works in synchronisation with an identical algorithm in a host computer or which transform an input derived from a computer prompt into a password that matches the computer-transformed result. In a public-key infrastructure a token containing a private-key may used to sign a message as described above.
The degree of authentication of a user by means of a token is however in many cases not strong enough. A man, to which the token had been assigned, may, rightfully or not, deny at a later stage that the token actually belongs to him.
In order to significantly increase the degree of authentication, in the not yet published European Patent Application No. 01810513.0 it is proposed to register users by means of a token or an other secure device at an authority, preferably the registration authority of a public-key infrastructure based on credentials, including signed biometric data presented to said authority.
The biometric data are signed by means of a private key issued individually by the registration authority automatically for each token. In addition to signing the biometric data with the private key of the registration authority the data can further be signed with the user""s private key contained in the token.
After registration the token is a secure element of the public-key infrastructure allowing to encrypt messages and securely sign messages, with digital signatures, on which a third party can rely on.
It therefore seems that the basic objectives of encryption mentioned before, secrecy, authentication, digital signatures and integrity are achieved by applying the technology described above.
However the use of public key infrastructures still involves risks which are described in [6], Carl Ellison and Bruce Schneier, Ten Risks of PKI: What You""re not Being Told about Public Key Infrastructure, Computer Security Journal, Volume XVI, Number 1, 2000.
For an institution such as bank institute a first risk i.e. question mentioned in [6] is, whom the institution can trust. Further risks or questions are derivatives of this question asking, whether the institute can trust the certification authority or rely on certification processes.
Important is the question, whether the authenticated person, for example OLIVIER HOLDER, is actually the person who is presenting the certificate. With the incorporation of the user""s biometric data into the certification process it can be trusted that OLIVIER HOLDER is correctly authenticated. However the question remains whether OLIVIER HOLDER, with whom the institution is connected over a communication channel, is actually the man with whom the institution formerly communicated or whether it is a different person with the same name. In this respect in [6] also the security of the verifying computer is discussed. For example an attacker could add his own public key to the list of public keys maintained in institution, so that he could issue his own certificates, for example issued on the name of OLIVIER HOLDER, which would be treated exactly like legitimate certificates.
In view of relating a calling client, such as OLIVIER HOLDER, to the correct one among one or more clients with the same name, an institution normally uses a mapping list (see FIG. 1, 32), which maps data retrieved from a certificate to records of a customer database such as the directory 33 shown in FIG. 1. Besides the question whether the certificate from which data is used for mapping purposes, a new question arises, which has not been addressed in [6]. The question is, can the institution trust itself? For the bookkeeper of a bank institute it makes little difference whether a person internal or external to the institution is responsible for an illegal transfer of a million dollars. Therefore in case that the institution is perfectly shielded against external attackers it is still possible that the mapping list or the customer database has been manipulated by an internal attacker.
It would therefore be desirable to reduce the described risks thus improving public-key infrastructures.
It would be desirable in particular to improve overall system reliability, in particular authentication and data integrity.
More particularly it would be desirable to provide a method for securing relational data based on which business transactions are performed by an institution which acts according to instructions received by said certificate holder. In fact it would be desirable that the institution be removed from as many issues as possible concerning liability within an open, public key infrastructure, so that the institution is only responsible for the internal processing and security of any data belonging or related to its customer and does not need to rely on a trusted third party.
It would further be desirable to achieve the described objects with practically no significant investments and efforts by the institution and the certificate holders.
The above and other objects of the present invention are achieved by a method according to claim 1.
The inventive method allows the securing of data related to users of a public key infrastructure, who may present certificates at an institution in order to initiate transactions. For this purposes the institution preferably uses and securely stores a secret key or a key pair which is designed for encrypting and decrypting data.
Based on a request of a client, who is the holder of a certificate, an institution may allow the certificate holder to base future transactions or system access on his certificate. According to security regulations implemented, the institution will preferably verify that the person who is presenting the certificate is the actual owner for whom the certificate had been issued. The institution will further verify whether the certificate holder relates to a registered user or contract holder with the institution, and will demand corresponding proof of this relationship.
Based on an agreement or a contract closed between a certificate holder and the institution, corresponding relational data are generated. Then said relational data are encrypted preferably with the institution""s first key of an asymmetric key pair such as a private/public key pair.
Subsequently the encrypted relational data are integrated into the certificate, which preferably adheres to ITU recommendation X.509 version 3. The relational data could be included in the certificate as a non-standard certificate extension.
At a later stage, whenever the certificate holder contacts the institution in order to initiate a transaction based on said agreement between the certificate holder and the institution, encrypted relational data contained in the certificate is decrypted by means of the secret key or the second key of said key pair of the institution.
Since the certificates, into which relational data are integrated, are elements of the public key infrastructure, other processes provided in this infrastructure are also performed whenever a certificate is presented. In case that an authentication of a certificate holder fails, for example due to expiration of the certificate, then the inventive method would not be applied.
The inventive method therefore allows institutions to integrate relational data into the certificate of a certificate holder, in the form of specific attributes defined and recognized by that institution. These institutional attributes are encrypted by the institution and can only be decrypted by the institution again.
The encryption and decryption of relational data can be performed by means of a single secret key (see [3], page 4) since the encrypted relational data corresponds to a message which is written and read by the same party i.e. the institution only. A transfer of the secret key across the network from a sender to receiver is therefore not required.
However in order to increase security internally in the institution a key pair could be used with one key held in a registration department, where relational data are encrypted, and the other key held securely stored in another department, for example where transactions are handled. Said keys correspond to a private key and a public key of the public key infrastructure although preferably both of these keys are not published.
A holder of a certificate opens for example an account at an institution, for example a bank, which, based on an agreement of terms regarding said account generates relational data which then is integrated in encrypted form into the certificate.
This enables the institution to identify and authenticate a certificate holder in a much stronger fashion than would be possible without the additional institutional attributes. In case that the certificate passes standard authentication, it is established that the certificate belongs for example to an OLIVIER HOLDER. Decrypting the encrypted relational data contained in the certificate confirms the identity of OLIVIER HOLDER, and indicates what relations exist between OLIVIER HOLDER and the institution. In case that several persons with the name HOLDER are registered at the institution, it is simultaneously established which one of these persons is concerned.
In order to prevent transfer of encrypted relational data i.e. of an institutional attribute from an original certificate to a certificate used by an attacker, said encrypted relational data are strongly linked to the original certificate by means of integrating certificate specific data into the institutional attribute, so that manipulated certificates, which contain transferred institutional attributes, can be identified.
The risks described in [6] are therefore significantly reduced by applying the inventive method.
In view of [6], Risk#1 (xe2x80x9cWho do we trust, and for what?xe2x80x9d), trust received by the elements of the public key infrastructure are combined by using the inventive method with the trust the institution has in itself. It is important to note that the additional link in the security chain is not linked serially but in parallel to existing links of the chain. In case that an element of the public key infrastructure fails then the security chain still holds by means of the inventive measures.
In case that the institution uses a pair of keys, which are securely stored in separate departments then the trust in the institution itself can further be increased.
In view of [6], Risk#4 (xe2x80x9cWhich JOHN ROBINSON is he?xe2x80x9d), it has been explained that among several persons bearing the same name (e.g. OLIVIER HOLDER i.e. JOHN ROBINSON) the correct person can easily be identified by means of the decrypted relational data, which comprise for example the client number and further details of the agreement between the institution and the certificate holder or a further institution the certificate holder is working for. By means of the inventive method the institution can therefore reliably answer the extended question xe2x80x9cWhich OLIVIER HOLDER is he and what is our relation to this OLIVIER HOLDER?xe2x80x9d.
Since the relational data are encrypted in the certificate a third party or the certificate holder will not have access to this relational data. The third party will not even have access to one of the keys of the institute""s key pair. A certificate holder can therefore have institutional attributes of different institutions integrated in his certificate and still maintain secrecy, since an institution can decrypt relational data only with the corresponding key.
The certificate remains therefore open to the public except for encrypted relational data integrated therein.
In a preferred embodiment of the invention decrypted relational data is used to verify data of a calling client which data is stored in a directory of the institution. A mapping list is no longer required since data required e.g. for mapping the name of a client to a client number is already contained in the relational data i.e. the institutional attribute. The system on the institute""s side is therefore simplified. A manipulation of the directory can easily be detected during the described verification process, so that integrity of data at least in the used parts of the directory is always established.
The inventive method therefore allows to significantly improve overall system reliability, in particular authentication and data integrity, by selectively simplifying the open cryptographic communications system through selective integration of closed modules.
In a different embodiment of the invention an institution, such as a governmental authority, may also integrate relational data into a certificate, which is based on approved information. The institution confirms correctness of this information by signing the unencrypted relational data with the private key of the institution.
Any third party, particularly the attribute integrating certification authority, can verify said signature contained in the certificate by means of the published public key of the institution whenever the confirmed information needs to be proven.
In a preferred embodiment the information may concern the fact that the certificate holder possesses additional certificates. The institutionor an attribute integrating certification authority may verify and confirm correctness of the additional certificates by generating and signing corresponding unencrypted relational data with the private key of the institution.
In order to integrate the encrypted or signed relational data in the certificate said relational data is sent to the concerned authority of the public key infrastructure which adds the received encrypted or signed relational data and reissues the certificate.
The process of generating, encrypting, transmitting and integrating new relational data into a certificate as well as reissuing and sending the enhanced certificate to the institution and to the certificate holder can take place during the same session established between the certificate holder and the institution. The update of the certificate can therefore automatically be executed in a short time period without any noticeable effort by the concerned parties. The insignificant efforts required for updating certificates stand however in relation to large efforts required instead for maintaining integrity of data of the institution""s databases.
The certificate is preferably stored in a token which is carried by the certificate holder. In case that the token comprises a biometric input device it could be assured that only the certificate holder could use the token.