Third-party e-mail authentication service provider using...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication

Reexamination Certificate


Details

C709S228000, C705S014270, C705S026640


active

06640301

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to computer mail systems, and more particularly to authentication of e-mail messages.
BACKGROUND OF THE INVENTION
Electronic mail (email) is likely the most frequently used application of the global network known as the Internet. Short text messages, audio or video clips, and attached files of many different formats can be sent to remote users using email.
Emails are often used as evidence in a court of law, such as during the Microsoft Antitrust trial. Companies are now storing email messages so they can be retrieved as evidence. However, since the contents are in digital form, they can be tampered with or forged. Inventors also may wish to document inventions using email.
Unfortunately, the Internet has not escaped the notice of the more sinister elements of society. Since many email messages are digital-based, it is relatively easy to alter the contents of an email message. Even the email header such as the sender's address or Internet Protocol (IP) routing information can be altered. Such ‘forged’ email is often sent to large numbers of recipients with a false sender's address. Such email, known as ‘Spam’, is often an advertisement for pornographic or ‘get-rich-quick’ web sites. Since the sender's email address is forged, there is no easy way to track down the true sender. The innocent person with the sender's address that was forged often has to suffer abusive comments or ‘flames’ from recipients of the Spam email.
The growth of electronic commerce (eCommerce) over the Internet has been impeded by the ease of intercepting and forging email. For example, a vendor cannot be sure that the sender actually sent an email requesting purchase of an item. The sender's email address in the header could have been forged. Most eCommerce today is conducted using secure web sites and browsers, such as the secure-sockets-layer (SSL) protocol that operates on top of TCP/IP. While confirmations may be sent by email, actual transactions avoid email due to the lack of security.
The security of email is increased when encryption is used. Encryption software such as Pretty-Good-Privacy (PGP), originally written by Phil Zimmermann, can be installed on local personal computers (PCs) to encrypt and decrypt email. Some client email programs such as Microsoft's Outlook allow for the exchange of digital certificates or keys for encryption. However, both the sender's and the recipient's computers must have the encryption software installed, and the encryption keys must be exchanged before the email is sent.
Encryption software such as PGP can also authenticate email messages. The message itself does not have to be encrypted. This allows the message to be viewed as clear text by someone without the PGP software. A digital signature is added to the bottom of the email message by the sender's encryption program. The digital signature can be verified by the recipient using the PGP encryption software and an encryption key. Verifying the digital signature also verifies that the message itself was not changed, since the message is mathematically merged into the digital signature. If either the digital signature or the message body is altered, authentication produces a warning message.
CLIENT-SIDE ENCRYPTION/AUTHENTICATION—FIG. 1
FIG. 1 shows email sent over the Internet where email clients authenticate email using encryption software. Email client 14 sends an email message to remote email client 15 over Internet 10. The user of email client 14 first writes the message, then inputs the message to encryption software 16, which attaches a digital signature to the message. The message with the digital signature is then sent from email client 14 to email server 12, which routes the message over Internet 10 to email server 13. Finally the message is delivered to the inbox of remote email client 15. Email servers 12, 13 are typically on server machines of an Internet Service Provider (ISP) or corporate workgroup. Other routers, bridges, and gateways (not shown) are present on Internet 10.
The user of remote email client 15 then copies or inputs the message, with the digital signature, to encryption software 17. Encryption software 17 then uses an encryption key to verify the digital signature and the contents of the message. If the message was altered, encryption software 17 alerts the user with a warning message.
Various email authentication and Internet change-detection schemes are known. See U.S. Pat. No. 5,651,069 by Ragaway, U.S. Pat. No. 5,771,292 by Zouguan, and U.S. Pat. No. 5,898,836 by Freivald et al.
While email can be authenticated, each email client 14, 15 must have his own encryption software loaded on his local PC. Usually the same brand of encryption software (PGP, etc.) must be loaded on each PC. Since relatively few people have PGP software loaded on their PC, most users cannot authenticate PGP digital signatures. The cost of purchasing and installing PGP or other encryption software on each client PC is prohibitive.
Encryption keys must be exchanged separately from the email message, preferably before the digitally-signed email is sent. PGP uses a complementary pair of keys—a public and a private (secret) key. Management of the key-pairs adds unwanted complexity.
EMAIL WEB SITE—FIG. 2
FIG. 2 shows client-side email authentication using a browser to access an email web site. Web sites or services that allow people to set up an email account that can be accessed from any machine on the Internet have become quite popular. Such email web sites are provided by HotMail, Yahoo, Excite, Juno, and others.
Rather than use a local mail server, the user of browser 24 uses email web site 20. The user types text into an input box displayed on browser 24, which is directly input to web site 20 using hyper-text-transfer protocol (HTTP) packets rather than email. Messages are stored at web site 20 in an inbox or sent folders on storage 22. These messages are sent from email web site 20 over Internet 10 to mail server 13 to reach remote email client 15. Of course, email can be sent or received from other email web sites rather than from clients of local mail servers such as remote email server 13.
Although the user of browser 24 does not need email software, encryption software 16 is still needed since email web site 20 does not provide encryption services. Since the user of browser 24 may operate on many different PC's, it is likely that the correct encryption software 16 is not present on all PC's used. Further, the user of browser 24 may not want to leave his encryption keys on some PC's.
Email web site 20 could provide encryption services, but most do not. Since there is often little or no verification needed to open an email account at email web site 20, verification of encryption keys and their ownership is problematic. Thus authentication using digital signatures and encryption is usually not supported by email web site 20. Encryption software 16, 17 on the client PC's is again necessary to attach digital signatures and authenticate email.
DIGITAL SIGNATURES—FIGS. 3A-D
FIG. 3A shows an email message with a digital signature. An email message is composed and input to the PGP encryption software. The recipient's public key is used to generate a digital signature for the message. This digital signature is mathematically generated from both the public key and the message body itself. The digital signature is appended to the message between the lines “-----BEGIN PGP SIGNATURE-----” and “-----END PGP SIGNATURE-----”. The digital signature ensures that all the message text from the “-----BEGIN PGP SIGNED MESSAGE-----” until the digital signature has not been altered.
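The following is an added example, not part of the patent text: a small parser for the cleartext-signed layout described above, using the framing rules of the OpenPGP cleartext signature framework (RFC 4880, section 7), that separates the text the signature covers from anything typed outside it. The function names and the sample message are constructed for illustration, the signature block is a placeholder, and the SHA-256 digest is taken over the canonical signed text only, so it shows change detection rather than full signature verification with a key.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (hash_names, canonical_signed_bytes, armored_signature, unsigned_lines)."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
        blank = lines.index("", start, sig_start)  # empty line that ends the headers
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None
    hashes = []
    for header in lines[start + 1:blank]:
        name, _, value = header.partition(":")
        if name.strip() != "Hash":  # this example accepts only Hash headers
            raise ValueError("unexpected header: " + header)
        hashes += [h.strip() for h in value.split(",")]
    body = []
    for line in lines[blank + 1:sig_start]:
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line inside signed text")
        body.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    # Canonical form: CRLF between lines, no line ending before the signature.
    signed = "\r\n".join(body).encode("utf-8")
    signature = "\n".join(lines[sig_start:sig_end + 1])
    unsigned = lines[:start] + lines[sig_end + 1:]  # NOT covered by the signature
    return hashes, signed, signature, unsigned

def body_digest(text):
    """SHA-256 of the canonical signed text (the part a verifier hashes first)."""
    return hashlib.sha256(split_clearsigned(text)[1]).hexdigest()

# Constructed sample message; the signature block is a placeholder, not real.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    "I agree to pay $100 for the item.   ",  # trailing spaces are stripped
    "- -- Alice",                            # dash-escaped line
    BEGIN_SIG, "", "(placeholder, not a real signature)", END_SIG,
    "Reply text typed below the signature",
])
```

Changing the amount inside the signed region changes the digest, while editing the reply line below the signature block does not, which is why a verifier should display only the covered text as authenticated.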
The recipient uses his complementary private key to unlock the digital signature and check the message contents for alterations. The recipient can reply to the message, as shown in FIG. 3B. However, the recipient could alter the message text, such as to increase the agreed-up
