For mostly practical reasons associated with poor engineering choices and design, encryption techniques have failed to deliver on the promise of secure communication. This is especially true with respect to modern communication networks such as cellular telephone, landline telephone, internet or other public and/private communication networks. In their definitive work on the subject of “Practical Cryptography,” Wiley 2003, authors Niels Ferguson and Bruce Schneier state that “in the past decade, cryptography has done more to damage the security of digital systems than it has enhanced it,” page xvii where they further state: “For the most part, cryptography has done little more than give Internet users a false sense of security by promising security but not delivering it. The reasons for this have less to do with cryptography as a mathematical science, and much more to do with cryptography as an engineering discipline. The fundamentals of cryptography are important, but far more important is how those fundamentals are implemented and used.”
An understanding of why the practical use of encryption has failed to deliver on the promise of secure communication requires, first, an understanding of the fundamental elements cryptographic science. Ferguson et al explain that secure communication between two parties typically requires the generation of a “key” known by the parties who wish to communicate securely over a communication channel. For this reason, key management and key storage is crucial to any cryptographic system.
In its simplest form, secure communication between two parties typically requires implementation of a key negotiation protocol to set up a secret session key K. Thereafter, the two parties can use K along with an agreed upon encryption and decryption function (which may or may not be secret) to exchange data over a secure channel.
Symbolically this classical use of cryptography to permit secure communication between two parties can be represented as follows:m,c:=E(Ke,m)→c,m:=D(Ke,c) where    m is the original message, called a message text, that is desired to be sent securely from one party to another party    c is the encrypted message, called a ciphertext, created by the first party    E is the encryption function used by the first party to create an encrypted version of the message using an agreed upon “key”    Ke is the secret “key” previously agreed to by the two parties    D is the decryption function used by the second party to convert the ciphertext, c, back into the original message text, m
While secure communication of messages could proceed provided either Ke or D is kept secret, the use of a “secret” encryption/decryption function or algorithm is not only difficult but is actually dangerous because it often creates a false impression of security as explained more fully by Ferguson et al, supra, page 23. Secure communication, as practiced over modern communication systems, have often come to rely upon the use of known or “public” encryption functions or algorithms in combination with “secret” keys where some portion of the key required for a secure communication desired between two “parties” is known only to the sending party and to the receiving party. In this context, “parties” may refer to two terminal devices at each end of a communication channel. Because the parties may never have communicated before, implementation of a practical algorithm for establishing the “secret” key(s) to be used by the parties becomes a critical step for which only imperfect solutions have heretofore been proposed.
One technique that has been widely adopted is referred to as “public-key” encryption which is a technique whereby each member of a large pool of “parties,” who may wish to communicate, publishes in advance a “public” key that can then be used by any other member of the pool of potential users to send a message securely using a publicly known encryption function. This approach can be represented as follows:m,c:=E(Preceiving party,m)→c,m:=D(Sreceiving party,c) where    Preceiving party is the public portion of a pair of keys using a special algorithm that the receiving party publishes to all parties of a group who may wish to send a message securely    Sreceiving party is the secret portion of the pair of keys generated by the special algorithm
When one party in the group (the sending party) wants to send a message to another party (the receiving party), the sending party merely looks up the public key, Preceiving party, of the receiving party and uses Preceiving party to encrypt the message, m, to form the cyphertext, c, to be sent over the communication channel. When the cyphertext is received, the receiving party uses her secret or private key, Sreceiving party, to retrieve the message m. This process, referred to as “asymmetric-key” encryption or public-key encryption, works so long as the key-pair generation algorithm, encryption algorithm, and decryption algorithm produce the original message accurately. Practical systems implementing this concept have been developed and used successfully and extensively.
Implementation of public-key techniques provides a major advantage in that it becomes unnecessary to negotiate a secret or private key with a party to whom an encrypted message is to be sent in advance of initial communication with that party. However, there is a trade off. To be secure public-key encrypted communications requires large integer arithmetic which is not easy to implement in the absence of sophisticated software/hardware specifically adapted to handle the necessary calculations. The relative inefficiency of public-key encryption (as compared with secret key encryption) means that both are used. For example, public key encryption can be used to negotiate a secret or private key that is then used to enable secure communication far more efficiently. Doing large integer arithmetic in a higher-level language is typically several times slower than an optimized implementation for the platform. Therefore there is a significant gain to be had by using platform-specific code for the large integer routines, (Ferguson et al. supra, page 279)
Secure communication demands yet another step, namely, “authentication,” to insure that messages received are actually sent by someone who is authorized to send the message. This problem is solved by providing or generating a message authentication code or MAC which may be used to send each message m. Like encryption, authentication uses a secret or private key, Ka, that the sending and receiving parties both know. The MAC for each message, a, can now be generated using a MAC function, h. The process can be represented as follows:
  m  ,      a    :=                  h        ⁡                  (                                    K              a                        ,            m                    )                    →      m        ,      a    ⁢          =      ?        ⁢          h      ⁡              (                              K            a                    ,          m                )            
When a supposedly “authenticated” message is received by a party who knows the correct authentication key, Ka, the function, h, can be used to determine if a correct value, a, can be derived. If yes, then the message is authenticated.
Message authentication can be used in a public-key environment to create a “digital signature” for verifying the authenticity of a message. This may be represented as follows:m,s:=σ(Ssending party,m)→c,ν(Psending party,m,s)? where    σ is a signature creating algorithm    ν is a verification algorithm
The important consequence is that a digital signature for a message is created by a secret or private key S generated by the sending party yet the digital message signature can be verified by anyone simply by knowing the public key of the sender, Psending party. It is important to recognize that a digital signature is typically generated by a data processing device. Thus, the digital signature is no proof that a given user has authorized a message or even seen the message. As stated by Ferguson et al, infra at p. 29, “Given the ease with which viruses take over computers, the digital signature actually proves very little. Nonetheless, when used appropriately, signatures are extremely useful.”
Use of public-key/secret-key pairings can greatly simplify secure communication but each party who wishes to send a secure message must obtain the public key of the person to whom the message is to be sent. This problem can be solved by a public key infrastructure, PKI, which can be established to operate as a central certification authority, called a certificate authority, CA. When a user, Jane Doe, presents the required personal identification and her self generated public key, the certificate authority, CA, issues a digital signature that essentially states “I, the CA, have verified that public key Psender belongs to Jane Doe.”
The creation of a CA gives rise to the following interesting simplification in secure communication. Assume that a sending party already has the CA's public key and has verified that it is correct. The sending party can then retrieve a public key (or be sent a public key) along with a certificate of the public key for another party to whom a message is to be sent. Using the retrieved key and the public key of the CA, the sending party can verify the certificate on the key using the CA's public key. This certificate ensures that the sending party has the correct key with which to communicate with the party to whom the message is to be sent. In a PKI, each participant only has to have the CA certify his public key, and know the CA's public key so that he can verify the certificates of other participants. For the PKI to function, every participant must be able to trust the CA which, for many practical reasons, is not always possible. To quote Ferguson et al at p. 316, “The ultimate dream is a universal PKI. A large organization, like the post office, certifies everybody's public key. The beauty of this is that every person only needs to get a single key certified, as the same key can be used for every application. Because everybody trusts the post office, or whatever other organization becomes the universal CA, everybody can communicate securely with everybody else, and they all live happily ever after. If our description sounds a bit like a fairy tale, that is because it is. There is no universal PKI, and there never will be.”
A number of practical problems are associated with implementation of a universal PKI. For example the simple requirement of associating a user's name and his public key turns out to be a non-trivial problem. A single individual may take on several different “on-line” names or conversely, several people may use the same on-line name. For these and other practical problems discussed more fully by Ferguson et al. infra, pages 323, the use of smaller application-specific PKI's have worked much better than a single large one.
Organizing and supervising a CA for a large group of users is difficult when the users' objectives differ dramatically. Thus a CA for the customers of a bank will have entirely different criteria for granting certificates from a CA for a group of users who are authorized to enter a secure government facility or who are employees of a defense contractor. A single CA for all of these divergent user groups would have to accommodate a diverse number of objectives making the operation of a single CA extremely difficult. A better, more practical solution is to establish separate CA's for each group of users that have a sufficiently common interest to warrant the expense and complications of setting up and operating a CA.
Unless a governmental entity were to establish a CA, the motivation for establishing a CA will typically be profit driven. Thus, private CA's will normally be sponsored by banks, credit card companies, corporations wishing to operate private Wide Area Networks (WANs), telecommunications companies, or other type similar organizations that have need for secure communications. Any one of these organizations may establish a website and wish to interact with its users in a secure fashion. As one might expect, there has arisen a business of providing CA type services, exemplified by Verisign® (http://www.verisign.com/ssl/index.html), to organizations having need for such CA type services such as those described. Such services may take the form of verifying the authenticity of websites to the user of a web browser so that the user can be sure that she is communicating with the lawful operator of the website with whom the user desires to interact. For example, a person who visits any website certified by Verisign using a browser having the appropriate verification algorithm will have a greatly increased confidence that she has not inadvertently accessed a site that is impersonating the desired website.
Difficulty arises however, where service providers, such as website operators, wish to receive and act on communications from customers, such as website visitors who wish to request shipment of goods or services and/or convey instructions for financial transactions such as the transfer of funds in payment for goods or services. Individuals may also be asked for sensitive information, such as when websites are operated to collect information pursuant to governmental functions such as receipt of payment for parking fines or collecting taxes. These functions typically require individuals to provide and/or receive sensitive information. For example, website operators may require highly sensitive information relating to the user's identity, credit card numbers, social security information etc. The requested information is typically needed to verify the identity of the individual who is requesting the services, shipment of goods, transfer of funds or other type information. Most user's are normally reluctant to provide such information for the understandable reason that the user does not wish to communicate such information to third parties where it may fall into the hands of individuals who may misuse the requested information.
In theory, encryption technology holds out the promise of solving many of the problems described above with respect to providing secure communication. Regrettably, the practical problems noted above often become insurmountable because the actions required on the part of the user or on the part of the data processing and communication systems are simply too complicated, expensive and inconvenient for widespread adoption.
What is needed is a system whereby an individual can uniquely and reliably identify himself as desired in a manner that allows the party receiving the identification to be highly confident in the identification via a simple, efficient system that does not require the individual to publish sensitive personal information that could, in the future, allow unscrupulous third parties to impersonate that individual. U.S. Pat. No. 6,189,098 to Kaliski, Jr. discloses a protocol for establishing authenticity of a client to a server by encrypting a certificate with a key known only to the client and the server. While useful for the purposes shown, the invention of the '098 patent does not involve a technique that is ideally suited to users of wireless devices.
Ferguson et al. recognizes the criticality and difficulty of storing long-term secrets, such as passwords and secret or private keys, infra, p. 347, and suggests the use of a PDA, cell phone or wristwatch “but to use them requires updates to the infrastructure.” No suggestion is made for how to employ such devices into a PKI and how to use such devices in a manner that is convenient and efficient and is, at the same time, relatively immune from attack.
Wireless communication, particularly cellular communication, has revolutionized the way that humans communicate. The ubiquity of wireless communication and cellular communication has only exacerbated the problem of achieving acceptable security. Certain industry experts, e.g. Pyramid Research, have predicted total revenues world wide for wireless mobile communications will surpass total fixed communications service revenues in 2006 for the first time, with mobile operators generating US$653 billion to fixed operators' $608 billion, Rarely in the history of mankind has a technology so complex as wireless communication been adopted so quickly by so many human beings. From its origins in Scandinavia and the US and its early development and first commercial adoption in the United States in 1983, cellular communication will have advanced to include approximately 2.6 billion individual subscribers by 2006 and is predicted to reach as many as 3.5 billion subscribers by 2010 according to Pyramid Research http://www.pyr.com/mbl_may17_mobsub.htm. Cellular communication is truly transforming the way that human beings communicate with each other and with remote sources of information, entertainment and services.
Even the relatively inexpensive cellular handsets in use today include fairly robust data processing capability of a type that was unavailable on the most advanced desk top computers or even main frame computers of a few years ago. Another startling fact is that the average cellular handset is being replaced approximately every two years which means that not only new cellular subscribers but existing subscribers are constantly adopting newer, more feature rich devices. These phenomena create a product based “vector” that has the ability to spread, very quickly, new standards for secure communication and creates an environment that is friendly to the implementation of very sophisticated technology, such as encryption techniques, that has previously failed to realize its promised potential.
Heretofore, attempts have been made to marry wireless communication technology with unique identification and encryption technologies to achieve convenient, secure communication in a manner to facilitate accurate identification, controlled access to secure facilities and secure financial transactions as well as other functions requiring unique identification of individuals. For example, enhanced identification appliances have been proposed as in US Patent Application 20030173408 to Mosher et al, in which a “wearable” appliance such as a wristband, bracelet, patch, headband, neckband, ankleband, legband, card, or sticker is disclosed which may be provided with biometric sensors for obtaining information about the wearer such as fingerprint, retina, iris, blood, DNA, genetic data, voice pattern or other characteristics to aid in identifying the individual. Various types of scanning components may be associated with the appliance to aid in transferring the information stored in the appliance. Such components include bar code devices, radio frequency devices (RFID) and more sophisticated communication circuitry employing, for example, Bluetooth® technology. The application specifically teaches the advantages of an appliance that is attached to the user's body for identification purposes in contrast to the use of a “credit card, ticket or the like” and also notes the advantage of using transponder circuitry including an antenna for converting electromagnetic energy into electrical signals for energizing the body worn appliance. While useful for the purposes disclosed, appliances of this type do not suggest how to avoid unauthorized access to the stored data in such a way as to facilitate secure communication using the stored user identification information nor is there any suggestion of how to afford to the user a wide range of secure communication and entertainment Services via a handheld device with a full display and touch sensitive user interface.
U.S. Pat. No. 5,450,491 to McNair discloses an authenticator card such a credit card “smart card” that uses encryption technology to create a changeable bar code display (adapted to be read by conventional bar code readers) for displaying an encrypted message including the identification of the card holder, his account and additional information such as the date and time that insures that the message will be different each time the card is used. In this fashion, interception of the encrypted message will not empower the interceptor to use the information to improperly access the rightful owner's account without knowing a great deal of information that is unavailable from the message itself. Other patent documents (U.S. Pat. No. 5,153,842) have disclosed devices capable of displaying a changeable bar code. Again, while useful for the purposes disclosed, this device can not prevent unauthorized use of the disclosed “smart card” by someone who has found or stolen the card.
In US Patent Application 20010034717 discloses a far more versatile invention for assisting in access control, identification and financial transactions including a portable device such as a cellphone or PDA that includes circuitry for implementing sophisticated encryption algorithms that result in messages that can be decrypted by a certification authority that can verify and certify secure information, such as the user's identity, or authorize secure financial instructions or other secure communication. In one embodiment, the disclosed invention is disclosed for implementation in a cellular telephone that has the capability of displaying an encrypted bar code (including both one dimensional and two dimensional bar codes) containing encrypted messages identifying the user and/or his bank account or other secure information. Again this invention is useful for its disclosed purposes but does not become automatically inoperable when someone other than the authorized user attempts to use the device after either finding or stealing it.
In U.S. Pat. No. 6,853,988 to Dickinson et al., a cryptographic system is disclosed that provides a remote trust engine server for storing cryptographic keys and authentication data which allows users of portable wireless devices (e.g. cell phones) to access various services via a wireless network. This patent discloses varying degrees of authentication, col. 7, lines 35-38, and provides operability over multiple algorithms, keys, standards, certificate types and issuers, protocols etc., col. 2, lines 25-30. In addition, this system allows for added security features involving pin number or “token based” user input as well as bio-metric signals of the type resulting, for example, from finger print scans. The disclosed system does not, however, disclose time varying keys that correspond to variable key information held by the trust engine.
US Published Patent App. 20060094461 addresses the problem of a peripheral device (such as a keyboard) negotiating a key pairing for secure communication but it solves the problem by requiring an initial “wired” connection that is impractical in many situations.
US Published Patent App. 20060005035 discloses a secure automated login for a computing system wherein an interrogation signal is sent to an electronic tag worn by a user upon detection of the proximity of the user. If a correct return signal is received then the user is logged in automatically. This system does not appear to prevent duplication of a tag and improper use of the duplicated tag to secure unauthorized logon. Another type of wireless tag or security badge is disclosed in U.S. Pat. No. 5,960,085. Similarly, US Published Patent App. 20060089126 discloses the concept of causing a cellular telephone to operate only when it has received an appropriate signal from an identification tag (par, 35) but does not suggest how the information on the tag could be made time variable and useable only when the retrieved signal is authenticated by a remote certification authority.
US Published Patent App. 20040247130 discloses a key information issuing device for issuing key information to a key information retaining device which includes an authentication module authenticating an issuer of the key information. Also disclosed is an output module outputting the key information to the key information retaining unit, and a recording module recording a mapping of the issued key information to the key information retaining unit. The key information is issued in response to an indication of the authenticated issuer. The '130 application invention does not appear to appreciate the advantages and the manner by which its broad concepts could be employed in the environment involving a wireless handset.
Published Patent App. 20060085844 discloses a wireless token for use in a credential issuing system for providing access to a network and suggests that the token can take the form of smart cards, credit cards, dongles, badges, biometric devices such as fingerprint readers, mobile devices such as cellular telephones, PDAs, etc. In some embodiments, the token includes circuitry used in a typical smart card. For example, the token may store an encrypted password that may be sent to an authentication system. However, this application does not suggest how the disclosed concepts could be used to enhance security in the use of a handheld wireless device.
Cellular network(s) to some degree are already presented with the need to uniquely identify individual cellular handsets to insure accurate billing and monitoring of a subscriber's use of her handset. However, the portability and ubiquitous use of cellular handsets means that they are frequently misplaced, lost or stolen, and yet, the cellular telephone remains completely operable by anyone who may come into possession with the cellular handset unless the handset has a “password protected” mode of operation (as most cellular handsets have) and the user has placed the cellular handset in its “password protected” mode whereby it requires the input of a password before the phone can be activated by another (which most cellular handsets are not).
In short, a significant unmet need exists for methods and apparatus whereby encryption technology can be used for wireless data communication in a manner that exploits the full promise of encryption technology to produce secure communication and unique user identification while affording reasonable convenience to the end users.