The present invention is directed, in general, to cryptography and, more specifically, to a distributed protocol that allows transactions to be communicated securely by a small number of messages and a decentralized network in which the protocol may be employed for commerce thereover.
The availability of more efficient, reliable and cost effective computers has allowed great numbers of small to medium sized companies, as well as individuals, to acquire tools necessary to compete in today's electronic marketplace. The immeasurable gains in technology experienced by the computer industry have allowed both companies and individuals to rely on commercially available computers, such as personal computers ("PCs"), to meet their information processing and communication needs. To that end, most PCs are equipped with an interface that may facilitate communication over private or public networks, such as the INTERNET.
Given the inherent insecurity of electronic commerce, particularly over public networks, it was long felt that a system that could ensure secure electronic transactions would be highly advantageous. In general, such a system would authenticate the parties to the transaction and provide transactions that are resistant to tampering—a secure system should be resistant to fraud.
One moderately successful effort introduced the concept of "closed" communities—local and long distance telephone companies, cable companies, cellular telephone companies, E-mail services and electronic service providers. These communities are "closed" because their customers have to enter into a contractual relationship with a provider before entering into the program, thus the customer must be a member in order to use the offered products and services.
One adaption of this method is described in U.S. Pat. No. 5,453,601 (the "'601 Patent"), entitled ELECTRONIC-MONETARY SYSTEM, issued Sep. 26, 1995, which is incorporated herein by reference. The '601 Patent introduces an anonymous electronic monetary system as an alternative medium of exchange to credit cards, cash, checks, etc. More particularly, the system uses money modules encapsulated in tamper-proof envelopes to store and transfer electronic notes.
This system of remote, anonymous purchases, however, fails to ensure both payment and delivery. If a customer purchases a software package anonymously over the INTERNET, for example, there is no mechanism to ensure that the customer will receive the software if the customer has already paid for the software. Conversely, how can the merchant be sure it will be paid if it delivers its goods before payment? Thus, to ensure payment and delivery, the customer and merchant are required to give up their anonymity, one of the primary objects of the system.
An alternate system uses a distributed, low-overhead, digital cash protocol. See, THE MILLICENT PROTOCOL FOR ELECTRONIC COMMERCE, by Mark S. Manasse, published at the FIRST USENIX WORKSHOP ON ELECTRONIC COMMERCE, New York, N.Y. (Nov. 12, 1995) (the "Millicent System"). The Millicent System introduces a digital scrip, which is digital "money," that is honored by a single merchant. The obvious drawback is the requirement of preparation before a purchase from a new merchant, namely, purchasing scrip from a third-party broker—a separate transaction having its own overhead. An added complication involves a system for returning change, as the value of the scrip is often higher than the price of the goods. Thus the merchant returns change to the user in the form of "other" scrip—which is honored only by the issuing merchant—forcing the customer to use the same with the merchant at a later time or to redeem it with the third-party broker, possibly for some processing fee.
These conventional systems and protocols, like others common to the industry, are expensive, whether overtly or surreptitiously. The widespread use of electronic commerce on the INTERNET and, more particularly, the WORLD WIDE WEB, requires mechanisms for dealing with high volumes of low-priced transactions—transactions of such low monetary value that merchants cannot afford to communicate with the bank for every transaction. There is a need therefore for a class of electronic commerce protocols that structures and secures electronic commercial transactions that can be optimized most preferably to be comparable to substantially free INTERNET and WORLD WIDE WEB browsing in terms of messaging overhead.
The present invention introduces the broad concept of securely communicating a financial transaction without requiring communication between a central authority and either a merchant or a customer during the transaction. This significantly reduces the bandwidth required to complete the transaction, as only three messages (the quotation, order and a reply thereto) are required to complete the transaction. The quotation may be sent in response to an optional quotation request sent from the customer to the merchant.
Thus, to address the above-discussed deficiencies of the prior art, the present invention provides a protocol and system for securely communicating a financial transaction between a customer and a merchant and a distributed computer network employing the protocol or system. An exemplary central authority may be associated with a central authority private key Ksca and a central authority public key Kpca, and is responsible for assigning a customer account ("CACCT") to the customer and a merchant account ("MACCT") to the merchant. The customer is associated with a customer private key Ksc and a customer public key Kpc; the merchant is associated with a merchant private key Ksm and a merchant public key Kpm. Of course, the central authority may be separate entities, one associated with the customer and the other with the merchant.
The protocol includes the steps of: (1) sending a quotation from the merchant to the customer, the quotation including at least the Kpm, a Ksca-signed signature that is a function of the MACCT, an unsigned copy of a price and a Ksm-signed signature that is a function of the MACCT and the price, (2) replying to the quotation by sending an order from the customer to the merchant, the order including at least the Kpc, a Ksca-signed signature that is a function of the CACCT, an unsigned copy of the price and a Ksc-signed signature that is a function of the CACCT, the MACCT and the price and (3) replying to the order by the merchant filling the order. The invention employs signatures based on public key cryptography (e.g., RSA, etc.).
For security purposes, each of the central authority, the customer and the merchant may be responsible for selecting their respective public and private keys. The central authority may also be responsible for generating a merchant identification, "Mid," for the merchant which may contain the merchant's account, MACCT, and the merchant's public key, Kpm. The central authority may generate a signed merchant identification, "SMid," that contains Mid and a Ksca-signed signature that is a function of Mid. The central authority may generate a customer identification, "Cid," for the customer, that contains the customer account, CACCT, and the customer's public key Kpc. The central authority may generate a signed customer identification, "SCid," that contains Cid and a Ksca-signed signature that is a function of Cid.
Most preferably, once the customer sends the order and the merchant accepts it (either with or without verification thereof), neither the customer nor the merchant is authorized to repudiate the transaction. It is preferred that only the central authority or an arbiter (to be defined below) be given that authority. Further, public-key encryption allows each party to authenticate the other and any information obtained from the other (such as price) without compromising encryption keys.
It should be noted that, since the private key is known only to the signing party, and the private key is extremely hard to compute given the public key, any message signed by a private key of a given party can be used as a proof that the same was knowingly originated by that party. The terms "central authority" and "bank" are used interchangeably herein to designate a trusted third party charged with creating and governing the use of CACCTS and MACCTS, and, hence, Cids, SCids, Mids and SMids. "Bank" therefore does not necessarily mean "bank" in the traditional sense. Those skilled in the art will realize that the broad system contemplated by the present invention may include any number of customers, merchants, central authorities, banks, arbiters, etc.
In one embodiment of the present invention, the quotation further includes an unsigned sequence number unique to the merchant, the Ksm-signed signature further being a function of the sequence number. In a related embodiment of the present invention, the order further includes an unsigned sequence number unique to the merchant, the Ksc-signed signature further being a function of the sequence number. The sequence number should be unique to the transaction and unique to the merchant. The sequence number does not, however, have to be unique among all merchants transacting over a single computer network. The sequence number uniquely identifies the transaction, ensuring that duplicate orders (whether inadvertent or intentional) are ignored.
In an advantageous embodiment, the order includes SCid. In an alternate advantageous embodiment, the quotation includes SMid. In related embodiments, the merchant and the customer may use respectively SCid and SMid to verify the other. The use of public key cryptography to provide information between the customer and the merchant enables the parties to verify one another, as well as providing a means for securing the same from third party interference. An eavesdropper may therefore not use the customer's order to purchase items fraudulently from the same or other merchants, since the order contains a Ksc-signed signature that may be a function of CACCT, MACCT and the price. Thus the order is valid only in connection with the original quotation.
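The quotation/order exchange and the SMid/SCid checks described above, as an added sketch that is not part of the original specification. The toy textbook-RSA keys built from Mersenne primes, the SHA-256 digest, the "|" field serialization, the account numbers and all function names are assumptions made for illustration; the key sizes are far too small for real use.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(a, b):
    """Toy RSA pair from Mersenne primes 2**a-1 and 2**b-1 (illustration only, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, pow(E, -1, (p - 1) * (q - 1))), (p * q, E)  # (private, public)

def _digest(fields, n):
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, *fields):
    n, d = priv
    return pow(_digest(fields, n), d, n)

def verify(pub, sig, *fields):
    n, e = pub
    return pow(sig, e, n) == _digest(fields, n)

Ksca, Kpca = keygen(107, 127)   # central authority
Ksm, Kpm = keygen(61, 89)       # merchant
Ksc, Kpc = keygen(89, 107)      # customer

def issue_id(acct, pub):
    """CA issues SMid/SCid: the id (account, public key) plus a Ksca signature over it."""
    return {"acct": acct, "pub": pub, "ca_sig": sign(Ksca, acct, *pub)}

def id_ok(sid):
    return verify(Kpca, sid["ca_sig"], sid["acct"], *sid["pub"])

SMid = issue_id("MACCT-0001", Kpm)   # constructed account numbers
SCid = issue_id("CACCT-0042", Kpc)

def make_quotation(price, seq):
    """Message 1, merchant -> customer."""
    return {"SMid": SMid, "price": price, "seq": seq,
            "sig": sign(Ksm, SMid["acct"], price, seq)}

def make_order(q):
    """Message 2, customer -> merchant, sent only if the quotation verifies."""
    m = q["SMid"]
    if not (id_ok(m) and verify(m["pub"], q["sig"], m["acct"], q["price"], q["seq"])):
        raise ValueError("quotation failed verification")
    return {"SCid": SCid, "macct": m["acct"], "price": q["price"], "seq": q["seq"],
            "sig": sign(Ksc, SCid["acct"], m["acct"], q["price"], q["seq"])}

def merchant_accepts(order, quoted):
    """Merchant's check before message 3 (filling the order)."""
    c = order["SCid"]
    return (order["macct"] == SMid["acct"] and order["price"] == quoted["price"]
            and order["seq"] == quoted["seq"] and id_ok(c)
            and verify(c["pub"], order["sig"], c["acct"], order["macct"], order["price"], order["seq"]))
```

Because the Ksc signature covers CACCT, MACCT, price and sequence number together, changing any one of them in a captured order makes `verify` fail, which is the property the paragraph above relies on.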
In one embodiment of the present invention, the MACCT has an expiration date associated therewith, the quotation further including the expiration date, the Ksm-signed signature further being a function of the expiration date. In a related embodiment of the present invention, the CACCT has an expiration date associated therewith, the order further including the expiration date, the Ksc-signed signature further being a function of the expiration date. The expiration date ensures that CACCT and MACCT are changed frequently. This prevents long term fraud should a particular CACCT, MACCT, or key become compromised. It should be noted that the expiration dates of these embodiments may be associated with the Mid or Cid of MACCT or CACCT, respectively. Changing keys frequently reduces the possibility of counterfeiting digital signatures by computing private keys from public keys, which is very time consuming. Furthermore, the expiration date forces customers to meet their obligations to the bank, such as paying their bills in a timely manner. Otherwise, the bank may not issue a new SCid to the customer when the current SCid expires.
In one embodiment of the present invention, the central authority has a central authority identification number ("CAid"), the quotation further including the CAid, the Ksm-signed signature further being a function of the CAid. In one embodiment of the present invention, the central authority has a central authority identification number (CAid), the order further including the CAid, the Ksc-signed signature further being a function of the CAid. The CAid allows both customer and merchant to reference themselves to a commonly-trusted entity.
In one embodiment of the present invention, the protocol further comprises the step of verifying, by the customer, the MACCT and the price. In one embodiment of the present invention, the protocol further comprises the step of verifying, by the merchant, the CACCT, the MACCT and the price. In the embodiment to be illustrated and described, the customer and the merchant each take advantage of the verification features of the present invention's protocol to verify the identity of (authenticate) each other and the contents of each other's messages (quotations and orders).
In one embodiment of the present invention, the order is an order for data to be delivered via a computer network. Those skilled in the art are aware that information itself is often a valuable commodity. The present invention contemplates the sale of information over a computer network, as well as the sale of more traditional services or hard goods.
In one embodiment of the present invention, a database associated with the merchant contains a list of CACCTS revoked by the central authority, the protocol further comprising the step of comparing the CACCT against the list of CACCTS revoked by the central authority. Thus, the central authority can exercise governance over its CACCTS. 
In one embodiment of the present invention, the protocol further comprises the steps of: (1) maintaining, by the merchant, a record of purchases by the customer and (2) sending a message from the merchant to the central authority regarding the customer when the purchases exceed a predetermined maximum allowable amount. In this way, CACCTS can be made subject to credit limits.
In one embodiment of the present invention, the protocol further comprises the steps of: (1) maintaining, by the merchant, a record of purchases and times of the purchases by the customer and (2) sending a message from the merchant to the central authority regarding the customer when the purchases exceed a predetermined maximum allowable rate. This allows the protocol to track suspiciously high account activity (perhaps indicating fraud). In an embodiment to be described, purchase amounts and times are only two of many variables that can be employed to establish security against significant fraud.
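The merchant-side record keeping described in the three embodiments above (revocation list, maximum amount, maximum rate), together with the duplicate sequence number check from the earlier embodiment, as an added sketch that is not part of the original specification. The class name, the thresholds, the choice of "orders per time window" as the rate measure, and the sample accounts are assumptions.

```python
from collections import defaultdict, deque

class MerchantLedger:
    """Merchant's local records; no central-authority round trip per order."""

    def __init__(self, revoked, max_total, max_orders, window_s):
        self.revoked = set(revoked)      # CACCTs revoked by the central authority
        self.max_total = max_total       # maximum allowable amount per CACCT
        self.max_orders = max_orders     # maximum allowable orders ...
        self.window_s = window_s         # ... within this many seconds
        self.seen_seq = set()            # sequence numbers already filled
        self.total = defaultdict(int)    # running purchase total per CACCT
        self.times = defaultdict(deque)  # recent purchase times per CACCT
        self.outbox = []                 # messages queued for the central authority

    def process(self, cacct, seq, price, now):
        if cacct in self.revoked:
            return "rejected: revoked CACCT"
        if seq in self.seen_seq:
            return "ignored: duplicate sequence number"
        self.seen_seq.add(seq)

        # Record the purchase amount and time.
        self.total[cacct] += price
        recent = self.times[cacct]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()             # drop purchases outside the window

        # The order is still filled; the central authority is only notified.
        if self.total[cacct] > self.max_total:
            self.outbox.append((cacct, "amount", self.total[cacct]))
        if len(recent) > self.max_orders:
            self.outbox.append((cacct, "rate", len(recent)))
        return "accepted"
```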
In one embodiment of the present invention, the protocol further comprises an arbitration procedure, comprising the steps of: (1) including a field in the quotation that is a function of information that is a subject of the quotation, (2) sending an arbitration request from the customer to an arbiter, the arbitration request containing the quotation and the order, (3) sending an information request from the arbiter to the merchant, the information request requesting a copy of the information that is the subject of the quotation, (4) forwarding the information that is the subject of the quotation to the customer if the information correlates to the field, (5) repudiating the financial transaction if the merchant fails to respond to the information request and (6) repudiating the financial transaction if the information fails to correlate to the field. The arbitration procedure allows the arbiter (who may also be the central authority acting in the capacity of an arbiter) to resolve conflicts between the customer and the merchant. If the customer is at fault, the arbiter can vouch for the merchant's compliance with the contract. If the merchant is at fault (either by deviating from the originally bargained-for information or by failing to respond to the request for the information), the arbiter has the power to repudiate (rescind) the financial transaction.
The foregoing has outlined rather broadly the features and technical advantages of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art should appreciate that they may readily use the conception and the specific embodiment disclosed as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.