Mechanism for secure tendering in an open electronic network

Data processing: financial – business practice – management – or co – Business processing using cryptography – Secure transaction

Reexamination Certificate


Details

C705S078000, C705S037000, C705S026640


active

06363365

ABSTRACT:

FIELD OF THE INVENTION
The present invention is directed, in general, to the field of computer networking, and, specifically, to a mechanism that provides secure open tendering in an electronic business environment.
BACKGROUND OF THE INVENTION
Broadly speaking, electronic business can be thought of as any type of commercial transaction, or part of a transaction, carried on through a computer network, a configuration of data processing. Computer networks can be classified according to the extent of their security. Open networks, such as the Internet, do not have in place any intentional impediments to the free flow of information. (Network traffic and the limitations of hardware may slow or even stop a transmission, but this is random and unintentional.)
On the other extreme, completely closed networks provide communication for a defined group of users over dedicated hardware with no external linkage. Most networks used today by commercial enterprises such as businesses and governments have external communication links to the Internet, but protect internal files and databases from external users with special filtering software usually referred to as a “firewall”. Provided the firewall software is robust enough to withstand “hacking” from external users, users on the internal network can safely access the Internet.
Businesses or governments may extend their closed network connections to their trading partners (e.g., suppliers) to allow the partners limited access to internal network resources such as an inventory database, so that adequate inventory levels can be maintained.
Improvements in computer hardware and software have made the Internet and other “open” networks an increasingly attractive arena for conducting electronic commercial transactions. Unlike closed systems, dedicated communication links are not required, and a potentially greater “audience” (customers, suppliers, etc.) can be reached.
One area of significant development over the past few years has been securing transmissions against interception or corruption (tampering) by so-called “hackers” or other third parties not intended as recipients. This is an absolute prerequisite to any communication of a commercial nature, since such communications can involve the transmission of sensitive financial information, from consumer credit card numbers to preferential customer pricing, or of information that requires accuracy, such as product orders and bid tenders.
To conduct secure communications, authentication and encryption technologies are required. Authentication provides proof to a network that a network entity (e.g., a network user or a network client) is indeed the one it claims to be. Encryption prevents a network entity from accessing confidential information that it is not authorized to access.
Third party authentication is one way to secure communications between a client and server over an open network. One well known trusted third party authentication protocol is the “Kerberos” model developed by MIT. (See for example J. G. Steiner, B. C. Neuman, and J. I. Schiller, “Kerberos: Authentication service for open network systems,” USENIX Conference Proceedings, February 1988, pp. 191-202; and J. T. Kohl, “The evolution of the Kerberos authentication service,” EurOpen Conference Proceedings, May 1991, pp. 295-313.) In the Kerberos model, in order to secure communications to a server, the client first contacts a Key Distribution Centre (KDC), identifying itself and presenting a nonce (a non-repeating identifier), to request credentials for use with the particular server. The KDC assembles a response that includes a session key, the nonce and a ticket. The ticket identifies the client, specifies the session key and lists start and expiration times for use of the ticket, and is encrypted by the KDC using a key shared with the server. The KDC returns the response to the requesting client, which decrypts it, checks the nonce and caches the ticket for future use. When the client wants to communicate with the server, it presents the ticket and a freshly generated authenticator to the server. On receipt, the server decrypts the ticket using the key it shares with the KDC, and uses the session key from the ticket to verify the client's identity and that the time stamp is current.
Kerberos is based on Needham and Schroeder's much earlier work on trusted third party protocols: R. M. Needham and M. D. Schroeder, “Using encryption for authentication in large networks of computers,” Communications of the ACM, Vol. 21, No. 21, December 1978, pp. 993-999; and R. M. Needham and M. D. Schroeder, “Authentication Revised,” Operating Systems Review, Vol. 21, No. 1, January 1987, p. 7.
Communications can be encrypted using any standard or non-standard encryption algorithm, such as those defined in the Data Encryption Standard (DES), triple DES, the International Data Encryption Algorithm (IDEA), and RC2 and RC4 developed by RSA Data Security Inc. These are known as symmetric key encryption algorithms, since the sending and receiving parties share the same encryption key. The key must be communicated secretly between the sending and receiving parties and must be kept secret. Associated with symmetric key encryption is key management, which handles how keys are created, distributed, stored, and destroyed. Key management can be a problem, particularly when one client or server has millions of correspondents; the distribution and management of the symmetric encryption keys can be a nightmare. The invention of public key crypto-systems has resolved this problem. Public key crypto-systems are also known as asymmetric key systems, since the encryption key differs from the decryption key. In a public key crypto-system there is a key pair: one key is known as the public key and the other as the private key. The public key, as its name suggests, is made public so that anyone who wishes to access it can do so. The private key is kept secret. If A wants to encrypt data and send it to B, A first finds B's public key, encrypts the data with that public key, and then sends the encrypted data to B. B decrypts it using its private key. Since only B knows its private key, no one else can decrypt the encrypted data, so the confidentiality of the data is preserved. Because current public key encryption and decryption is inefficient compared with symmetric key encryption, a common approach is to create a symmetric key, known as a session key, to encrypt the data, and to use the public key of the receiving party to encrypt the session key.
After receiving the encrypted session key and the encrypted data, the receiving party first decrypts the session key using its private key, then decrypts the data using the session key. To deploy public key systems, a public key infrastructure (PKI) is required, which enables communicating parties to register themselves and to obtain their own and others' certificates; a certificate contains a public key and is verified by the public key issuer, known as the certificate authority (CA).
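The Kerberos ticket exchange described above and the session-key scheme of the two preceding paragraphs, as one added example that is not part of the patent text. It is written in Go against the standard library only; every name in it (`kdcIssue`, `makeAuthenticator`, `serverVerify`, `hybridEncrypt`, `hybridDecrypt`, the `Ticket` and `Authenticator` types, `newKey` for a random 256-bit key and `newRSAKey` for B's key pair) is this example's own. AES-256-GCM stands in for the shared-key ciphers the text names, RSA-OAEP stands in for the public key system, the client-to-KDC leg (and its nonce) is assumed to be protected separately and is not modelled, and the bid text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

func newKey() []byte             { k := make([]byte, 32); rand.Read(k); return k }
func newRSAKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// seal/open: AES-256-GCM with a random nonce prepended, standing in for the shared-key
// ciphers named in the text; GCM authenticates, so a wrong key or tampering makes open fail.
func seal(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Ticket is sealed by the KDC under the KDC/server key (the client carries it but cannot
// read or alter it); Authenticator is made fresh per request and sealed under the session key.
type Ticket struct {
	Client        string
	SessionKey    []byte
	Start, Expiry time.Time
}
type Authenticator struct {
	Client string
	Time   time.Time
}

// kdcIssue: the KDC's response reduced to (session key, sealed ticket). The client-to-KDC
// leg carrying the nonce is assumed protected by the client's own key and is not modelled.
func kdcIssue(serverKey []byte, client string, now time.Time, life time.Duration) (sessionKey, ticket []byte) {
	sk := newKey()
	t, _ := json.Marshal(Ticket{client, sk, now, now.Add(life)})
	return sk, seal(serverKey, t)
}
func makeAuthenticator(sessionKey []byte, client string, now time.Time) []byte {
	a, _ := json.Marshal(Authenticator{client, now})
	return seal(sessionKey, a)
}

// serverVerify: open the ticket with the KDC-shared key, open the authenticator with the
// session key found inside, then check names and freshness (skew bounds replay of a capture).
func serverVerify(serverKey, ticket, auth []byte, now time.Time, skew time.Duration) (string, error) {
	raw, err := open(serverKey, ticket)
	if err != nil {
		return "", fmt.Errorf("ticket was not issued by the KDC")
	}
	var t Ticket
	json.Unmarshal(raw, &t)
	if now.Before(t.Start) || now.After(t.Expiry) {
		return "", fmt.Errorf("ticket outside its validity window")
	}
	if raw, err = open(t.SessionKey, auth); err != nil {
		return "", fmt.Errorf("authenticator not sealed under the ticket's session key")
	}
	var a Authenticator
	json.Unmarshal(raw, &a)
	if a.Client != t.Client || a.Time.Before(now.Add(-skew)) || a.Time.After(now.Add(skew)) {
		return "", fmt.Errorf("authenticator name mismatch or timestamp not current")
	}
	return t.Client, nil
}

// hybridEncrypt: A seals the data under a fresh session key and wraps that key with B's
// public key (RSA-OAEP); hybridDecrypt: B unwraps with its private key, then opens the data.
func hybridEncrypt(pub *rsa.PublicKey, data []byte) (wrappedKey, ct []byte, err error) {
	sk := newKey()
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
	return wrappedKey, seal(sk, data), err
}
func hybridDecrypt(priv *rsa.PrivateKey, wrappedKey, ct []byte) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return open(sk, ct)
}

func main() {
	now, serverKey, b := time.Now(), newKey(), newRSAKey()
	sk, ticket := kdcIssue(serverKey, "alice", now, time.Hour)
	fmt.Println(serverVerify(serverKey, ticket, makeAuthenticator(sk, "alice", now), now, 5*time.Minute))
	wk, ct, _ := hybridEncrypt(&b.PublicKey, []byte("constructed sample bid")) // constructed input
	fmt.Println(hybridDecrypt(b, wk, ct))
}
```

The checks worth running against this are the failure cases the text's design is meant to rule out: a ticket presented to a server holding a different shared key, an authenticator sealed under a key other than the one inside the ticket, an authenticator replayed outside the skew window, an expired ticket, and a wrapped session key handed to the wrong private key; each of these is rejected, while the honest exchange in `main` succeeds.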
To conduct electronic transactions over an open network, secure payment is required. Secure payment deals with potentially millions of customers who buy things over the Internet. Different secure payment protocols have been developed in the past few years. For example, IBM has developed a secure payment protocol called iKP (Internet Keyed Payment Protocol), which deals with a set of payment mechanisms such as credit and debit card transactions as well as electronic check clearing. Based on iKP, with assistance from IBM, GTE, Microsoft, Netscape, SAIC, Terisa, and Verisign, Visa and MasterCard have developed a secure payment protocol known as Secure Electronic Transaction (SET), as a method to secure payment card transactions over the Internet. Microsoft and Visa International have also developed a protocol called Secure Transaction Technolo
