The rapid growth and development of Internet technology has resulted in the emergence of new ways to perform transactions, exchange information, and perform “e-commerce” or “e-government” activities. Generally, e-commerce is used to describe a wide range of commercial transactions conducted on or through the Internet, including retail and direct marketing and the purchasing of goods and services. The term e-government is used to describe the use of technologies to facilitate the operation of government and the dispersal of government information and services, including the exchange of trustworthy documents.
The move towards digitalisation has created a new security paradigm where key concepts such as authenticity and non-repudiation are of primary importance for all stakeholders involved in e-commerce or e-government transactions. Digital signatures are one way of addressing this. However, it remains challenging to ensure that transaction data was unaltered when presented to the stakeholder authorising the transaction, and wilfully accepted by the stakeholder. Fraudsters exploit protocol, browser or other software vulnerabilities to launch “man-in-the-middle” or “man-in-the-browser” attacks which take control over the communication layer between parties attempting to perform a transaction, and proceed to alter the transaction data without being detected. For example, it has been demonstrated that sophisticated attacks such as “advanced cross site scripting” enable fraudsters to hijack a victim's web browsing session and alter the content displayed to the victim on his web browser.
Public-key infrastructure (PKI) smart cards may also be prone to such attacks. For example, it has been shown that using a Common Access Card (CAC) issued by the US Department of Defence on an untrusted workstation can allow a variety of attacks to be performed by malicious software. These attacks range from simple PIN phishing to more serious attacks such as applying signatures on unauthorised transactions and performing authentication of users without consent.
Generally speaking, there are a number of schemes which can be used to authenticate transactions:
Authentication schemes enable party A (e.g. a user) to prove to party B (e.g. a provider of an online banking service) that he is A, but someone else cannot prove to B he is A. An example authentication scheme is one which uses symmetric encryption techniques together with a shared key.
Identification schemes enable A to prove to B that he is A, but B cannot prove to someone else that he is A. In software based protocols, strong identification schemes use public key techniques. These techniques prove that A's private key was involved in the transaction, but they do not require A's key to be applied to a message having particular content. So-called zero-knowledge identification schemes fall in this category.
Signature schemes allow A to prove to B that he is A, but B cannot even prove to himself that he is A. In the secure signature scheme, the underlying protocol cannot be simulated by B, as opposed to in an identification scheme where this may be possible.
In one particular implementation of a signature scheme, users are required to carry around their private keys stored on a local signature creation device, such as a smartcard or a signing stick featuring a microchip. This approach has some drawbacks since it requires the availability of a USB port and/or a smart card reader in order for the private key to be used. The unitary combined cost of the smart card reader and the smart card also impedes large deployments in retail. Furthermore, such peripheral devices may not be suitable for web-based transactions, and there may be compatibility issues between old and modern devices, or different brands of devices. It is also essential that the user keeps the signature creation device in a secure location, which impedes mobility and ease of use. Due to these drawbacks, this approach has not been implemented on a large scale, and is generally restricted to controlled environments with few users.
An alternative approach for a signature scheme is described in EP1364508B1. This scheme uses a central (secure) signature creation device which centrally stores private keys for the creation of a signature for a user, while ensuring that their owner retains sole control over them. This approach is now widely used in, for example, Denmark, Norway and Luxembourg, by almost all citizens, business and public services organisations.
During the past 30 years, a number of other commercial solutions have also evolved, which have become more and more advanced, as the attacks have become more and more elaborate. The less secure solutions provide some degree of session security, which attempt to identify the user only but do not secure a transaction message itself. For example, one early solution relied on a static password being forwarded with the message. More recent solutions have relied on One Time Passwords (OTPs) to be forwarded with the message, where the OTPs are generated independently of the content of the message.
With the advent of smart phones, a range of new opportunities have appeared. These have been exploited, for example in EP1969880 and EP1959374, in which dedicated hardware is used to meet the two requirements above in relation to authentication and identification, but at the price of requiring quite expensive hardware.
One way to ensure that a user authorises or signs the transaction that they intended to perform is by offering effective What You See Is What You Sign functionality to authenticate electronic transactions. This concept was first introduced by Peter Landrock and Torben Pedersen in “WYSIWYS? What you see is what you sign?”, Information Technology Technical Report, Elsevier Vol 3, No 2, 1998. However, none of the above-mentioned approaches guarantees the WYSIWYS functionality without requiring further measures to be implemented, such as voice confirmation or the use of separate out-of-band channels. One strong realisation of WYSIWYS, albeit perhaps not the most user-friendly, is the Chip Authentication Program (CAP) developed by MasterCard and later adopted by Visa as Dynamic Passcode Authentication (DPA). CAP and DPA require a standalone card reader and a debit or credit EMV chipcard. Once a user has provided the details of a payment on e.g. a workstation, he is asked to engage his debit or credit chipcard in the card reader by keying in his PIN and choosing the function “sign”. He is then required to key in the amount to be paid and the account of the payee, and a message authorisation code (MAC) is generated by his debit or credit chipcard and displayed on the reader. He subsequently keys the MAC and his transaction into his workstation. The cryptography behind this is a symmetric encryption system with a key shared between the payment card and the bank backend. This appears to be an authentication scheme which falls within the definition given above. However, as the key on the payment chipcard and the bank backend is protected by tamper resistant hardware, this is arguably in fact a signature scheme. Nevertheless, the CAP system is widely used to securely perform electronic banking transactions.
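The contrast between a content-independent OTP (described earlier) and a CAP-style code computed over the amount and payee can be shown in a few lines. This is an added example, not code from the cited schemes: it uses HMAC-SHA256 with a decimal truncation as a stand-in for the card's MAC, not the EMV CAP algorithm, and the key, counter, function names and transaction fields are all constructed for illustration.

```python
import hashlib
import hmac
import struct

CARD_KEY = b"constructed-demo-key-not-a-real-card-key"  # constructed demo key


def _truncate(digest: bytes, digits: int = 8) -> str:
    """Reduce a MAC to a short decimal code a user can key in (RFC 4226 style)."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def session_otp(key: bytes, counter: int) -> str:
    """One-time password that depends only on a counter, not on the message."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac)


def transaction_code(key: bytes, counter: int, amount: str, payee: str) -> str:
    """Code computed over the amount and payee account the user keyed in."""
    # Length-prefix each field so ("12", "345") and ("123", "45") differ.
    fields = b"".join(struct.pack(">H", len(f)) + f
                      for f in (amount.encode(), payee.encode()))
    mac = hmac.new(key, struct.pack(">Q", counter) + fields, hashlib.sha256).digest()
    return _truncate(mac)


def bank_accepts_otp(counter: int, received: dict, otp: str) -> bool:
    # The received transaction is never an input to this check.
    return hmac.compare_digest(session_otp(CARD_KEY, counter), otp)


def bank_accepts_code(counter: int, received: dict, code: str) -> bool:
    expected = transaction_code(CARD_KEY, counter, received["amount"], received["payee"])
    return hmac.compare_digest(expected, code)


# Constructed sample data: what the user intended vs. what reached the bank.
INTENDED = {"amount": "100.00", "payee": "ACCOUNT-A"}
ALTERED = {"amount": "100.00", "payee": "ACCOUNT-B"}

if __name__ == "__main__":
    otp = session_otp(CARD_KEY, 1)
    code = transaction_code(CARD_KEY, 1, **INTENDED)
    print("OTP, altered transaction accepted: ", bank_accepts_otp(1, ALTERED, otp))
    print("MAC, altered transaction accepted: ", bank_accepts_code(1, ALTERED, code))
    print("MAC, intended transaction accepted:", bank_accepts_code(1, INTENDED, code))
```

The OTP check passes for the altered payee because the transaction never enters the computation, while the code keyed over amount and payee only verifies for the data the user actually entered on the reader.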
Thus, WYSIWYS can be achieved using a combination of symmetric cryptographic techniques and tamper resistant hardware. However, signature schemes based on public key techniques are particularly useful if not indispensable in electronic commerce, where many independent parties communicate with other independent parties (e.g. multiple customers buying goods from multiple different vendors), as opposed to electronic banking, where the communication is many-to-one (i.e. multiple bank customers for a particular bank). Moreover, none of the techniques and methods described above have addressed the need to provide strong WYSIWYS functionality bound to a legally binding electronic signature carried out by a local or central signature creation device (SCD), as defined in the European Parliament Regulation on Electronic Identification and Trust Services (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG) as well as the Directive on Electronic Signatures [Directive 1999/93/EC].
In international patent application WO2014/199128, which is incorporated herein by reference in its entirety, the applicant described a method and apparatus for requesting and providing a digital signature based on the WYSIWYS concept. In WO2014/199128, the applicant described a method of generating a signature on behalf of a user having a first and second user device, where the method comprises receiving a request from the first user device to create a signature for a first message M; generating a validation challenge using a second message M′ which is based on the first message M and a first secret shared with the user; sending the validation challenge to the user to enable the second user device to regenerate the second message M′; receiving a validation code from the second user device, the validation code confirming the request to create a signature; and generating the signature for the user for the first message M. Central to this concept is the interaction between the first and second user devices, where the two devices are preferably separate from one another. The request for a signature is received from the first user device and is confirmed from the second user device before the signature is created. Moreover, the validation challenge is generated so that the message can be recreated on the second user device in order that a user can see the message before confirming the signature request. Accordingly, the “What You See Is What You Sign” (WYSIWYS) functionality is provided in that the digital signature is generated on a hash value of the message.
However, one drawback of this method is that the user has to trust that he is signing a hash on the message he has seen. The user does not know whether he is signing a hash on the original seen message, or some other fraudulent message.
Therefore, the present applicant has recognised the need for improved methods and systems to perform secure transactions, preferably using the WYSIWYS concept.
While these improved methods and systems can be used to guarantee sole control of the user over the signature process, people skilled in the art will appreciate that they can equally well be used for user authentication in situations not requiring authentication of transactions.