Patent Grant
9640012
The present invention relates to methods and apparatus for verifying the authenticity of partners in an electronic transaction.
It has become widely accepted to conduct transactions such that as financial transactions or exchange of documents electronically. In order to verify the transaction, it is also well-known to “sign” the transaction digitally so that the authenticity of the transaction can be verified. The signature is performed according to a protocol that utilizes the message, i.e., the transaction, and a secret key associated with the party. Any attempt to tamper with the message or to use a key other than that of the signing party will result in an incompatibility between the message and the signature or will fail to identify the party correctly and thereby lead to rejection of the transaction.
The signature must be performed such that the parties' secret key cannot be determined. To avoid the complexity of distributing secret keys, it is convenient to utilize a public key encryption scheme in the generation of the signature. Such capabilities are available where the transaction is conducted between parties having access to relatively large computing resources but it is equally important to facilitate such transactions at an individual level where more limited computing resources are available.
Automated teller machines (ATMs) and credit cards are widely used for personal transactions and as their use expands, so the need to verify such transactions increases. Transaction cards are now available with limited computing capacity, so-called “Smart Cards,” but these are not sufficient to implement existing digital signature protocols in a commercially viable manner. As noted above, in order to generate a digital signature, it is necessary to utilize a public key encryption scheme. Most public key schemes are based on the Diffie Helman Public key protocol and a particularly popular implementation is that known as DSS. The DSS scheme utilizes the set of integers Zp where p is a large prime. For adequate security, p must be in the order of 512 bits although the resultant signature may be reduced mod q, where q divides p−1, and may be in the order of 160 bits.
The DSS protocol provides a signature composed of two components r, s. The protocol requires the selection of a secret random integer k from the set of integers (0, 1, 2, . . . q−1), i.e.
kε{0, 1, 2, . . . q−1).
The component r is then computed such that
r={βkmod p}mod q
where β is a generator of q.
The component s is computed as
s=[k−1(h(m))+ar]mod q
where m is the message to be transmitted,
The signature associated with the message is then sr which may be used to verify the origin of the message from the public key of the user.
The value of βk is computationally difficult for the DSS implementation as the exponentiation requires multiple multiplications mod p. This is beyond the capabilities of a “Smart Card” in a commercially acceptable time. Although the computation could be completed on the associated ATM, this would require the disclosure of the session key k and therefore render the private key, a, vulnerable.
An alternative encryption scheme that provides enhanced security at relatively small modulus is that utilizing elliptic curves in the finite field 2m. A value of m in the order of 155 provides security comparable to a 512 bit modulus for RSA and therefore offers significant benefits in implementation. Diffie Hellman Public Key encryption utilizes the properties of discrete logs so that even if a generator β and the exponentiation βk are known, the value of k cannot be determined.
A similar property exists with elliptic curves where the addition of two points on a curve produces a third point on the curve. Similarly, multiplying a point by an integer k produces a point on the curve.
However, knowing the point and the origin does not reveal the value of the integer ‘n’ which may then be used as a session key for encryption. The value kP, where P is an initial known point, is therefore equivalent to the exponentiation βk.
Elliptic Curve Cryptosystems (ECC) offer advantages over other public key cryptosystems when bandwidth efficiency, reduced computation, and minimized code space are application goals.
The preferred embodiment of the present invention discloses a protocol optimized for an ECC implementation for use with a “smartcard” having limited computing capacity. The protocol has been found to provide superior performance relative to other smartcard protocols and is achievable with an ECC implementation.
The protocol disclosed is appropriate for smartcard purchase applications such as those that might be completed between a terminal or ATM and a user's personal card. The protocol provides a signature scheme which allows the card to authenticate the terminal without unnecessary signature verification which is a computationally intense operation for the smart card. The only signature verification required is that of the terminal identification (as signed by the certifying authority, or CA, which is essential to any such protocol. In the preferred embodiment, the protocol protects the card and terminal from fraudulent attacks from impostor devices, either a card or terminal.
A method of performing a transaction between a first and a second participant wherein the second participant permits a service to be provided to the first participant in exchange for a payment. The method comprising the steps of the first participant verifying the legitimacy of the second participant to obtain assurance that the service will be provided upon payment, the second participant verifying the legitimacy of the first participant to obtain assurance that payment will be secured upon provision of the service, and the second participant obtaining a digital signature for the first participant on the transaction whereby the second participant may obtain payment from a third participant.
An embodiment of the invention will now be described by way of example only with reference to the accompanying drawings, in which:
Referring therefore to
To avoid fraudulent transactions being recorded at either the card or terminal the protocol shown in
Upon the scanner sensing the card through coupling 12, a unique purchase I.D. (PID) is generated by the terminal 10. The terminal 10 has a private key, t, stored in a secure location and a corresponding public key Yt equal to α1. The terminal 10 generates a message, M1, consisting of the purchase I.D. PID and the transaction amount, TA. It also appends to the message M1 a certificate signed by the certifying authority CA that includes terminal identification information TIU ID and the public key Yt. The message M1 is received by the card 14.
Card 14 has a private key a stored securely in memory 16 and a public key Yc equal to αa (α is the generator point for the curve). The card verifies the terminals certificate as signed by the certifying authority CA according to a normal elliptic curve scheme. Having verified the certificate, the card generates a pair of random numbers R2 and R3 and signs the unique purchase I.D. PID using the terminals public key according to an established protocol.
To effect signing, the card generates a random integer k and computes a session parameter αk. It also computes Ytk and generates signature components r1 and s1.
The component r1 is provided by M2Ylk, mod L where:
The component s1 is provided by h=a+k mod q where:
The card now sends signature components r1, s1 the hash h and a certificate issued by the certifying authority CA containing its ID and public key to the terminal 10.
The terminal verifies the cards credentials as signed by the CA. Given the hash h and s1 it can calculate the value αkt and thereby recover the message M2 from r1 using the cards public key. As the message M2 includes the PID, the terminal is able to verify the authenticity of the card 10.
The recovered message includes R2 which is then returned to the card 10 to prove that the terminal is extracting R2 in real time, i.e., during the transit of the card through the coupling 12, using its private key. This also prevents a reply attack by the terminal 10.
The receipt of R2 also serves to acknowledge provision of the service. Upon receipt, the card checks R2 to ensure the message was recovered using the terminals private key. This confirms that the card was talking to the terminal rather than a fraudulent device which would not have the private key, t, available.
If the card confirms the receipt of R2, it transmits the random R3 to the terminal 10 to complete the transaction. R3 is required for card signature verification by the bank and so R3 is retained by the terminal 10 for central processing purposes. R3 is not released by the card until it has received R2 which confirms that the terminal 10 is performing computations in real time.
The terminal 10 is required to submit to the financial institution the stored values of R2, R3, TA, PID, TIU ID, s1 and αk in addition to the credentials of both card and terminal 10. With this information the bank card is able to reproduce hash h, i.e. h(M2//αk//R3) by using the cards public key Yc to prove that the transaction was authentic.
It will be noted that the last two passes are essentially trivial and do not require computation. Accordingly the computation required by the card is minimal, being restricted to one verification and one signature that involves two exponentiations, with the balance avoiding computationally intense operations.
As indicated in
The particular benefits and attributes may be summarized as:
| Number | Date | Country | Kind |
|---|---|---|---|
| 9601924.5 | Jan 1996 | GB | national |
The present application is a continuation of U.S. patent application Ser. No. 09,360,575 flied on Jul. 26, 1999 now U.S. Pat. No. 7,328,338 which is a continuation of U.S. patent application Ser. No. 08/790,545 filed on Jan. 30, 1997 and issued as U.S. Pat. No. 5,955,717, and claims priority from United Kingdom Patent Application No. 9601924.5 filed on Jan. 31, 1996, the contents of which are hereby incorporated by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4326098 | Bouricius et al. | Apr 1982 | A |
| 4405829 | Rivest et al. | Sep 1983 | A |
| 4720859 | Aaro et al. | Jan 1988 | A |
| 5224164 | Elsner | Jun 1993 | A |
| 5276736 | Chaum | Jan 1994 | A |
| 5295188 | Wilson et al. | Mar 1994 | A |
| 5396558 | Ishiguro et al. | Mar 1995 | A |
| 5420926 | Low et al. | May 1995 | A |
| 5455407 | Rosen | Oct 1995 | A |
| 5461217 | Claus | Oct 1995 | A |
| 5475756 | Merritt | Dec 1995 | A |
| 5485519 | Weiss | Jan 1996 | A |
| 5502765 | Ishiguro et al. | Mar 1996 | A |
| 5544086 | Davis et al. | Aug 1996 | A |
| 5590196 | Moreau | Dec 1996 | A |
| 5608801 | Aiello et al. | Mar 1997 | A |
| 5637846 | Boers et al. | Jun 1997 | A |
| 5657389 | Houvener | Aug 1997 | A |
| 5671279 | Elgamal | Sep 1997 | A |
| 5678010 | Pittenger et al. | Oct 1997 | A |
| 5699528 | Hogan | Dec 1997 | A |
| 5715314 | Payne et al. | Feb 1998 | A |
| 5721781 | Deo et al. | Feb 1998 | A |
| 5757917 | Rose et al. | May 1998 | A |
| 5955717 | Vanstone | Sep 1999 | A |
| 6049785 | Gifford | Apr 2000 | A |
| 6069952 | Saito et al. | May 2000 | A |
| Number | Date | Country |
|---|---|---|
| 0588339 | Mar 1994 | EP |
| 2283349 | May 1995 | GB |
| Entry |
|---|
| Dictionary of Computers, Information Processing, and Telecommunications; 2nd Ed. ; Jerry M. Rosenberg, Ph.D, 1987; John Wiley & Sons. |
| NSA provides value-added crypto security by Communications News (May 1995); 2 pages. |
| Definition of Smart Card, http://en.wikipedia.org/wiki/Smart-card accessed on Aug. 31, 2006. |
| Number | Date | Country | |
|---|---|---|---|
| 20080183607 A1 | Jul 2008 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 09360575 | Jul 1999 | US |
| Child | 11959098 | US | |
| Parent | 08790545 | Jan 1997 | US |
| Child | 09360575 | US |
