Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-03-05
2002-06-04
Barron, Jr., Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S183000
Reexamination Certificate
active
06401206
ABSTRACT:
The present invention relates generally to methods for creating the digital identity of an individual, binding an impression of it to electronic documents, and more particularly to producing reliable and consistently verifiable electronic impressions for automatic identity verification.
BACKGROUND OF THE INVENTION
This present invention is designed to enhance the exchange of personal, confidential, legal and proprietary information reliably through electronic means. An embodiment of this invention provides an electronic equivalent of the conventional “paper” paradigm, in which documents are authenticated and validated by signatures and seals. In the paper paradigm, signatures and seals, as imprinted on a document, represent the identity of the signer. That is, handwritten signatures, seals (and sometimes fingerprints) are the true representative of the signer.
The desired requirements of an electronic equivalent of the “paper” paradigm, are listed below. The requirements are:
1. The document and the signatures imprinted on the document can not be forged or broken easily (not usually satisfied by passwords).
2. The receiver or anybody else cannot alter the signed document—the document with which the identity's impression is bound—or the identity's impression itself as it is bound to the document, without being detected.
3. The signer cannot deny the act of signing the document (non-repudiation of the origination source of the document).
4. The document can not be duplicated and still be claimed original for re-submission.
5. Full reconstruction of identity, in case of loss of identity.
6. Consistency of comparison results.
7. The verifier should not be assumed trusted. In other words, the verifier should not be able to use information he has about the signer to forge the signer's identity.
8. The process of signing the document and its verification should be simple and user friendly.
9. The process of signing the document should not rely on sophisticated technology that is not readily available to ordinary computer users other than software implementing the present invention.
10. The signatures, seals and the thumb prints are imprinted on the document and can be inspected by the experts using visual and other verification methods.
We will see that the conventional electronic systems address only a subset of these requirements. A typical electronic replacement of “paper” paradigm uses only cryptographic digital signatures, in which encryption keys generated by the system are used. These keys are provided by the system to the user to be used as their electronic identities. Like seals, these keys have no real binding to the signer because they are not derived from aspects of physical behavior or what the signer knows.
Other typical electronic replacements of the “paper” paradigm use only electronic representations of handwritten signatures. Simpler versions simply use digitized version of handwritten signatures and bind it to the electronic document using cryptography. More sophisticated versions derive probabilistic parameters of the signature and use these parameters as the basis of the identity of the user. Some implementations do bind digitized handwritten signatures cryptographically with the document but provide little protection of the signer's identity from forgeries created by the verifier. Furthermore, the identity of the individual is solely dependent on digitized handwritten signatures.
Simpler versions mentioned above rely completely on encryption and cryptographic checksums (also called hash values) for the sake of binding the digitized handwritten signature with the electronic document. The checksum is digitally signed using cryptography.
One disadvantage of using a digitized handwritten signature is that the digitized version of a handwritten signature can easily be copied once it is decrypted. Another disadvantage is that the digital checksum of two digitized-handwritten-signature samples is almost never the same, even if they belong to the same person. Therefore effectively the identity of the user is derived from the cryptographic key used for digitally signing the checksum rather than the handwritten signature. Hence from a security point of view, systems using digitized handwritten signatures are only as effective as systems that use only cryptographic digital signatures.
More sophisticated versions of the digitized handwritten signature based security systems derive the identity of the user from probabilistic parameters derived from the signature while it is being executed. The input devices used for capturing the signature in such systems are relatively expensive and not widely available. Since no two signatures of the same person are alike, the parameters derived from them are never exactly the same. Therefore, such systems rely on probabilistic comparisons of the stored reference parameters at the location of verification with those provided with the document. The verification process utilizing probabilistic parameters can never be fully trusted as it depends upon several factors not within the control of the system, such as the quality of parameter extraction at the time of reference parameter extraction, the quality of signature capture at the time of authentication of the document, the mood and physical state of the signer and the age of the reference parameters (signatures characteristics for a person change with time). Since, verification can never be fully trusted, it becomes a poor choice for automatic verification systems. Furthermore, the need for availability of these parameters at the destination is a security risk, since anybody in possession of these parameters can create a forgery with some programming effort.
Electronic document signing systems using biometric information are high cost systems. They use biometric information such as voice, fingerprint, and retina scans. These systems authenticate documents based oh probabilistic comparison of one or more stored samples with the freshly retrieved sample. The problems associated with these forms of identity representations are the same as those associated with handwritten signatures. Often, the system operation is based on extraction of statistical and mathematical parameters. Based on these parameters, and the knowledge of algorithms used for calculating the correlation, some identities can be reverse engineered for beating the automatic verification systems.
Yet another conventional replacement of “paper” paradigm is based on the use of passwords for identifying the signer. This is a paradigm based on what the person knows, and relies on the signer to choose a “good” security password. The level of protection against attacks is only as good as the passwords picked. Unfortunately, the best passwords are most unfriendly and difficult to remember. It is well known that users often pick poor passwords that can easily be guessed, or reuse passwords excessively.
The document authentication schemes discussed above only partially satisfy the conventional requirements of binding a document sender's identity to the document.
In systems using public key cryptography, for example U.S. Pat. No. 5,369,702 to Shanton, the signer can deny the act of signing (non-repudiation of the origination source of the document) by claiming that the private key was compromised. Similarly, the verifier can create a forgery of the private key or the cipher text without being detected if the security assumption of the public key cryptography is broken.
There is a need for the following additional requirements for digital identities as well as the impressions made by these identities on electronic documents:
1. Full reconstruction of identity, in case of loss of identity.
2. Consistency of comparison results.
3. The verifier should not be assumed to be trusted. In other words, the verifier should not be able to use the information he has about the signer to forge the signer's identity.
4. The process of signing the document should not rely on sophisticated technology that is not readily availa
Hussain Basit
Khan Shabbir A.
Rajput Saeed A.
Barron Jr. Gilberto
Flehr Hohbach Test Albritton & Herbert LLP
Meislahn Douglas
Skylight Software, Inc.
LandOfFree
Method and apparatus for binding electronic impressions made... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and apparatus for binding electronic impressions made..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for binding electronic impressions made... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2963982