1. Field of the Invention
The present invention relates to methods and systems utilizing private keys in a networked environment, and more particularly to administration of private keys of users in a manner that private keys are not retained permanently at user equipment.
2. Description of the Related Art
Public key cryptosystems in which a pair of a corresponding public key and a private (or secret) key is assigned for each user can be used in a variety of applications in a networked environment. In such applications, a private key can be used for encryption or for decryption solely by or on behalf of the assigned user. One use of a private key for encryption is to produce a digital signature of a digital document (for all purposes in this application the term “document” is intended to include any message, file, program or other data) on behalf of a user to manifest the user's modification, or review, and approval of the modified and/or reviewed document or otherwise indicate that the user is the source of the document (hereafter “approved document”).
In accordance with such digital signature methods and systems, after the document is modified or reviewed, at the user's end a secure hash function (such as SHA-1 or RIPEMD) is applied to the document to extract a relatively short string, termed a “hash” or “hash result”, which may be thought of as a “fingerprint” of the approved document, which hash, after encryption with an asymmetric algorithm (such as RSA or El Gamal) using the private key of the user, is sent to the recipient or server over the network along with or forming part of the document. At the receiving end the hash is calculated in two ways: (1) the encrypted hash of the document is decrypted with the asymmetric algorithm using the user's public key corresponding to the user's private key and (2) the same secure hash function is applied to the document; the signature is considered verified if the hashes calculated in these two ways match.
In such methods and systems, the user's private key may be maintained at the user's end stored in the user's personal workstation or mobile computer, e.g. notebook or handheld, or may be entered in some fashion by the user into shared equipment. In either case, the personal or shared equipment used is vulnerable to access or theft by a person of malevolent intent. Consequently, there is a significant risk that the user's private key could be extracted by such a person from the user equipment. On the other hand, using a token such as a smartcard to secure the private key at the user's end would necessitate the expense of equipping each user equipment with a reader for such a token.
One solution to this security problem is described in U.S. Pat. No. 5,208,858 wherein the private key is never extant at the user equipment. Therein, a hash of the approved document is sent from the user equipment to a central server which stores and administers users' private keys. At the server, the received hash is encrypted with the user's private key available at the server to form a digital signature which is combined with the user's public key and further data to form a so-called certificate which is transmitted to the user equipment for checking after the signature is decrypted at the user equipment using the user's public key. If the result of the user's checking is positive, the document and the signature-containing certificate may be sent directly from the user equipment to the desired recipients.
The method of U.S. Pat. No. 5,208,858 has the drawback of the need to send the digital signature back to the originator for checking and also that the server must be located in a highly secure place because the private keys are stored therein in the clear (or at least in a form from which they can be derived by the server). It should be noted that the consequences of a person of malevolent intent compromising the server and obtaining the stored private keys would be catastrophic, rendering unreliable all digital signatures made with the system at any time. Further, in this known method it appears that the server could be tricked by a block-replay attack or a man-in-the-middle attack into signing a document which did not originate from the user on behalf of whom the signature is made, or signing duplicates of documents that did originate from the user.
Other systems where the users do not permanently retain keys are known in which temporary keys, e.g. for symmetric encryption/decryption, are distributed to or agreed upon between users specifically for use only in a current session.