Client/server protocol for proving authenticity

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique

Reexamination Certificate

Details

active

06189098

ABSTRACT:

The invention relates to a protocol for one party to an electronic transaction, as for example a client in a client-server transaction, to prove its authenticity to the other party of the transaction.

BACKGROUND OF THE INVENTION

Client-server systems provide electronic access by the client to data, information, accounts and other material stored at the server. In financial transactions, the system provides a client electronic access to accounts and financial resources.
In a client-server transaction, the client is required to prove to the server that it is an authentic client, and not some impersonator or other unauthorized party. Protocols are known by which a client proves to a server its authenticity, while at the same time it does not reveal information that could be misused by a third party.
A standard well known protocol for proving authenticity involves public-key cryptography. The client establishes a public key/private key pair and provides the public key to the server. In a transaction, to prove its authenticity to the server, the client forms a digital signature with its private key on a time-varying message, and the server verifies the digital signature with the client's public key. The time-varying message, which may be a timestamp or a challenge supplied by the server, is different in each instance. This message, when checked by the server, provides safeguards against a third party impersonating the client by simply replaying copies of previous signatures of the client that the third party has intercepted or otherwise acquired.
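The challenge variant of this standard protocol, with the server's replay check, as an added example that is not part of the patent text. The key is a toy RSA pair built from two Mersenne primes with no padding, and the names `Server`, `client_sign` and `demo` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy RSA key from two Mersenne primes: illustration only, NOT secure.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                  # client's public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))    # client's private exponent

def digest(message: bytes) -> int:
    """Hash the time-varying message into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def client_sign(challenge: bytes) -> int:
    """Client side: the private-key exponentiation described as costly."""
    return pow(digest(challenge), D, N)

class Server:
    def __init__(self, client_public_key):
        self.n, self.e = client_public_key
        self.outstanding = set()     # challenges issued and not yet used

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: int) -> bool:
        # Each challenge is accepted once; a replayed pair finds it consumed.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        return pow(signature, self.e, self.n) == digest(challenge)

def demo():
    server = Server((N, E))
    c1 = server.new_challenge()
    s1 = client_sign(c1)
    first = server.verify(c1, s1)            # genuine run
    replay_pair = server.verify(c1, s1)      # intercepted pair sent again
    c2 = server.new_challenge()
    replay_sig = server.verify(c2, s1)       # old signature, fresh challenge
    return first, replay_pair, replay_sig

if __name__ == "__main__":
    print(demo())
```
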
In the standard protocol described above, the server trusts that the public key belongs to the client, i.e., that the client is in fact actively involved in the transaction because it is presumed that only the client knows the private key and can form valid digital signatures. A convenient way to establish trust in a public key is to use a certificate. This is accomplished by a certification authority issuing public-key certificates signed with the certification authority's private key, which thereby asserts to the server that the client's public key is a valid public key issued by or registered with the certification authority. Assuming the server trusts the certification authority's public key, then it trusts the client's certificate, the client's public key and ultimately the client's authenticity.
With typical public-key cryptosystems, it is computationally expensive to form digital signatures because of the need to perform an exponentiation operation. In some electronic transactions, for example, those involving a smart card client where the computational capacity is limited, the standard protocol using a digital signature is computationally expensive and is therefore a significant burden.
Beller and Yacobi, in an article entitled “Fully-Fledged Two-Way Public Key Authentication and Key Agreement for Low-Cost Terminals,” Electronics Letters, May 27, 1993, Vol. 29, No. 11, at pages 999-1000, describe a protocol that provides for less on-line computation on one side of the protocol. In this protocol authentication of the server by the client is carried out by the server sending a random challenge with an expected “colour”, structure or format, to the client for verification by the client. Authentication of the client by the server is achieved by the client sending to the server its identity, public key, certificate and a signature on the random challenge for verification of the certificate and the signature by the server. The protocol is described as being useful where one side of the interaction is a low-cost customer device such as portable telephones, home banking terminals, smart cards and notebook computers.
Other protocols are known for establishing the authenticity of a client to a server. Client authentication protocols such as those based on secret-key cryptography exist, but often have the limitation that the server must be on-line, or the server must store a key which can be used to impersonate arbitrary clients. In Cellular Digital Packet Data systems, a client authenticates itself to a server by sending a one time password encrypted with a Diffie-Hellman shared key, and the server returns a new password for the next session. Again, the server must be on-line or the client must share a different password with each server, which can be inconvenient.

BRIEF DESCRIPTION OF THE INVENTION

A protocol that is less computationally expensive for a client but achieves similar goals as the standard protocol is used to develop a server's trust in the client. In this protocol, a certificate provided by a trusted certification authority to the client is encrypted with a key known only to the client and the server or the public key of the server. The client forms no digital signature. Since only the client and the server it trusts have access to the certificate, the certificate itself is proof of the authenticity of the client. This protocol is particularly useful in client devices having small computational capacity, e.g., a smart card.
Additional interactive protocols are disclosed whereby messages are exchanged between client and server to establish authenticity of both the client and the server as well as protocols wherein only a portion of the client's certificate is encrypted. Moreover, the certificate can include a one way function, such as a cryptographic hash function of a secret value or a root of a hash tree of secret values for protection against the certification authority or unauthorized servers, respectively.
A further, more general protocol involves a user, which may be an individual, a computer or some other entity, connected to a verifier by way of an encrypted communications channel such that the user can confidentially deliver to the verifier information essential to verify the message.


REFERENCES:
patent: 4309569 (1982-01-01), Merkle
patent: 4755940 (1988-07-01), Bracht et al.
patent: 4885778 (1989-12-01), Weiss
patent: 5005200 (1991-04-01), Fischer
patent: 5222140 (1993-06-01), Beller et al.
patent: 5224163 (1993-06-01), Gaser et al.
patent: 5261002 (1993-11-01), Perlman et al.
patent: 5367573 (1994-11-01), Quimby
patent: 5428684 (1995-06-01), Akiyama et al.
patent: 5444780 (1995-08-01), Hartman, Jr.
patent: 5625693 (1997-04-01), Rohatgi et al.
patent: 6085320 (2000-07-01), Kaliski, Jr.
patent: 0 148 960 A1 (1985-07-01), None
patent: 0 678 836 A1 (1995-10-01), None
patent: WO 93/10509 (1993-05-01), None
Bellare, et al. “Optimal Asymmetric Encryption—How to Encrypt with RSA,” Nov. 19, 1995, available from http://www-cse.ucsd.edu/users/mihir/papers/pke.html, based on an earlier paper published in Advances in Cryptology—Eurocrypt 94 Proceedings, Lecture Notes in Computer Science vol. 950, A. De Santis ed., Springer-Verlag, 1994.
Beller, M.J., et al., “Fully-Fledged Two-Way Public Key Authentication and Key Agreement for Low-Cost Terminals,” Electronics Letters, vol. 29, No. 11, May 27, 1993, pp. 999-1000.
Guillou, Louis, et al. “A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory,” Advances in Cryptology—Eurocrypt '88, Springer-Verlag, 1988, pp. 123-128.
European Patent Office, European Search Report, International Application No. EP 97 30 3229, date of completion of search May 14, 1999, 2 pages.
“Information Technology—Security Techniques—Digital Signature Scheme Giving Message Recovery,” International Standard ISO/IEC 9796 : 1991, pp. i—12.
“Secure Electronic Transaction (SET) specification”, Book 2: Programmers Guide, pp. 56-58, Jun. 21, 1996.
SET Secure Electronic Transaction Specification, Book 2: Programmer's Guide, Version 1.0, May 31, 1997, pp. 207-213.
PKCS #1: RSA Encryption Standard, An RSA Laboratories Technical Note, Version 1.5, Revised Nov. 1, 1993, pp. 1-17.
RSA Laboratories, PKCS #1 v2.0: RSA Cryptography Standard, Oct. 1, 1998, pp. 1-36.
