WO2000035141A1 - A certification method - Google Patents

Publication number
WO2000035141A1
Authority
WO
WIPO (PCT)
Prior art keywords
person
code
certification
public key
communicable
Prior art date
Application number
PCT/AU1999/001096
Other languages
French (fr)
Inventor
James Howard Manger
Edward Andrew Zuk
Original Assignee
Telstra R & D Management Pty. Ltd.
Priority date
Filing date
Publication date
Application filed by Telstra R & D Management Pty. Ltd.
Priority to AU30266/00A
Publication of WO2000035141A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A certification method, system and program which involve processing a public key of a public/private key pair generated by a system of a person, to generate a communicable code representative of the public key. The person is identified by having the person convey the communicable code, and a digital certificate is generated including the public key and identifying information of the person. The certificate binds the public key and the identifying information. The communicable code is a limited character string, which may be generated using a secure one-way hash function.

Description

A CERTIFICATION METHOD
The present invention relates to a certification method and system. The present invention particularly, but not exclusively, relates to public key cryptography and a process for the issuing of digital certificates to bind a person's identity to a particular public key.
The basis of public key cryptography is the generation of a public and private key pair for use in the encryption and decryption, and signing and verifying, of information transmitted over public access communication lines. Key pairs are mathematically related, but it is not practically feasible to derive a private key from its corresponding public key. A person may openly distribute the public key but the person must keep secret the private key. Anyone wishing to send information to a person encrypts the information using that person's public key. The recipient, being the sole possessor of the corresponding private key, is the only person who can decrypt that information.
For a number of electronic commerce applications, a trusted third party, known as a Certification Authority (CA), is needed to bind a person's identity or information, such as privileges, memberships, account numbers, etc., to their public key. The CA issues a digital certificate, which is essentially a form of electronic identification that binds two or more pieces of information, such as the identity of the person and a particular public key. Throughout the specification a reference to person is intended to include a reference to an organisation or individual.
The process of binding a public key to a person must be secure so that the CA can issue a digital certificate and be accordingly held responsible for it. At present, there is a weakness in certification processes used by CAs. Once the CA receives the public key generated by a person's equipment, together with other data concerning the person, a registrar of the CA contacts the person, or vice versa, to correctly identify them with reference to the person's identifying or personal data that has been provided. This is normally done by having the contacted person repeat to the registrar personal details, such as mothers' maiden names and drivers' licence numbers. This identifying information however is only related to the identifying or personal data submitted by the person and does not relate whatsoever to the public key which is used for all future communications. The public key can therefore become separated from the person's data held by the CA or substituted and there is currently no method of relating the public key to the person other than by storing it with the person's data. It is desired to overcome this problem or at least provide a useful alternative.
The present invention provides a certification method, including: receiving a public key of a public/private key pair generated by a system of a person; processing said public key to generate a communicable code representative of said public key; identifying said person, said identifying including having said person convey said communicable code; and generating a digital certificate, said certificate including said public key.
The present invention also provides a certification system, including: means for receiving a public key of a public/private key pair generated by a system of a person; means for processing said public key to generate a communicable code representative of said public key; and means for generating a digital certificate after identifying said person, said identifying including having said person convey said communicable code, and said certificate including said public key.
The present invention also provides a certification program stored on computer readable storage media, including: code for receiving a public key of a public/private key pair generated by a system of a person; code for processing said public key to generate a communicable code representative of said public key; and code for generating a digital certificate after identifying said person, said identifying including having said person convey said communicable code, and said certificate including said public key.
The present invention also provides an identification process, including: receiving a public key of a public/private key pair and identifying information of a person; deriving a communicable code from said public key; and having said person convey said communicable code.
The present invention also provides an identification process, including: generating a communicable code from a public key of a public/private key pair; and binding said public key to identifying information of a person when said person conveys said communicable code.
A preferred embodiment of the present invention is hereinafter described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram of a preferred embodiment of a certification system; and Figure 2 is a flowchart of steps executed by the system.
Referring to Figure 1, there is shown a person 20 who can interact with a telephone 42 or the person's computer system 32. The computer system 32 can communicate with a certification computer system 30 of a Certification Authority (CA), or a registrar acting for or on behalf of the CA, via a communications channel 60. A registrar 10 of the CA interacts with the certification system 30 and a telephone 40 to communicate with and confirm the identity of the person 20. The registrar 10 and the person communicate verbally over a communications channel 62 connecting the telephones 40, 42. The computer systems 30, 32 may communicate with each other independently or on instructions from the registrar 10 or person 20, respectively. The communications channels 60, 62 may be constituted by any voice or data transmission media. For example, the communications channel 60 may be a TCP/IP link.
Referring to Figure 2, a person wishing to obtain a certificate from the CA would visit the CA web site 100 using the person's computer system 32. This is the first step in the process of obtaining a certificate and is one way by which the person may perform the second step of filling out the registration form 110 and sending it to the CA over the communications channel 60. The registration form captures personal or identifying information about the person which could be used to confirm the identity of that person over the telephone. Once the person fills out and sends the registration form 110, the person is not aware of the subsequent steps in the process until he or she receives a registration ID, at step 210, in the form of a communicable code. The intervening parts 120 to 200 of the process are conducted by the computer systems 30, 32 automatically.
The computer system 30 of the CA receives and processes the submitted registration form at step 120 and sends an instruction to generate the public/private key pair 130 to the computer system 32 of the person. The received registration information may be stored in a database at this point or may be stored once the person's public key is received and the corresponding alphanumeric code is generated together with that information. Once the computer system 32 has received the instruction to generate a public/private key pair, it generates, according to algorithms commonly used by browser applications, such as Netscape Navigator or Microsoft Internet Explorer, a public/private key pair at step 140. The private key is kept securely by the person in the memory of the computer system 32 or another data storage medium, while the public key may be used by anyone wishing to send information to the person. The person's computer system 32 sends the public key 150 to the computer system 30 of the CA. Once the computer system 30 receives the public key it generates the communicable code, at step 180. The public key is represented as a value of the Abstract Syntax Notation No. 1 (described in ASN.1 by ITU) data type SubjectPublicKeyInfo (defined in standard X.509 by ITU), encoded according to the distinguished encoding rules (DER by ITU) and passed through a secure one-way hash algorithm such as SHA-1 (defined in the U.S. Government Federal Information Processing Standard (FIPS) 180-1). The output of the hash algorithm is truncated to 40 bits and converted to 8 base-32 characters. The numerals and upper case letters (excluding '0', '1', 'O' and 'I' to avoid confusion) are used as the base-32 character set. For example, the code may be 8JQ3 UEB5. The code is communicable, to the extent that it is sensibly communicable by the person to the registrar on the communications channel 62, which may include a telephone call or facsimile message.
The public key is not sensibly communicable on an identification channel 62 as it is a large mathematical quantity typically consisting of hundreds of decimal digits. The information on the person generated and received is then stored in a database, at step 190, by the CA.
The communicable alphanumeric code is sent to the person as a registration ID, at step 200. The person will probably not know that the registration ID is, in fact, derived from the public key generated by the person's computer system 32. At some time after the person receives the registration ID 210, he or she establishes telephone communication with the registrar of the CA and provides the registrar with relevant person identification information, at step 220. The registrar confirms the relevant information 230 and requests the person to say the registration ID 240. Once the person provides the registration ID 250 to the registrar, the CA has a public key from computer system 30 and a confirmed identity and communicable code from the registrar. The CA compares, at step 260, the code to a value recalculated from the public key using the secure hash algorithm and, if they match, issues a digital certificate that lists the public key and confirmed identity 270. The digital certificate thereby incorporates the public key and the confirmed identity data and is signed by the CA's private key. The certificate may be sent, at step 280, to the person and stored, at step 290, on their hard drive, floppy disk, smart card, etc. and/or the certificate may be published in another system, such as electronic white pages.
As the alphanumeric code used in the identification process is derived directly from the public key, the CA can ensure the identification information confirmed by the registrar and the public key are bound as a pair, which ensures the digital certificate contains the correct information.
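The derivation at step 180 and the comparison at step 260 can be sketched as follows. This is an added example, not code from the patent or its applicant. The patent fixes the hash (SHA-1), the 40-bit truncation and the 32-symbol set, but not the symbol order, which 40 bits are kept, or the bit grouping; those choices, the function names and the sample keys below are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: digits and upper-case letters minus '0', '1', 'O', 'I', taken in
# ascending order. The description names the set but not its ordering.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
CODE_BITS = 40
CODE_LEN = CODE_BITS // 5  # 8 characters, 5 bits each


def encode_40_bits(prefix: bytes) -> str:
    """Map exactly 5 bytes to 8 symbols, most significant 5-bit group first."""
    if len(prefix) != CODE_BITS // 8:
        raise ValueError("expected exactly 5 bytes (40 bits)")
    value = int.from_bytes(prefix, "big")
    return "".join(
        ALPHABET[(value >> shift) & 0x1F]
        for shift in range(CODE_BITS - 5, -1, -5)
    )


def communicable_code(spki_der: bytes) -> str:
    """Step 180: SHA-1 over the DER SubjectPublicKeyInfo, truncated to 40 bits.

    Assumption: the leading 5 bytes of the digest are the ones kept.
    """
    return encode_40_bits(hashlib.sha1(spki_der).digest()[:5])


def format_for_reading(code: str) -> str:
    """Group as 4+4, matching the '8JQ3 UEB5' shape given in the description."""
    return f"{code[:4]} {code[4:]}"


def normalise_spoken_code(spoken: str) -> Optional[str]:
    """Clean up what the registrar typed; None if it cannot be a valid code."""
    cleaned = "".join(spoken.split()).replace("-", "").upper()
    if len(cleaned) != CODE_LEN or any(c not in ALPHABET for c in cleaned):
        return None
    return cleaned


def registrar_check(stored_spki_der: bytes, spoken: str) -> bool:
    """Step 260: recompute the code from the key the CA holds and compare.

    A certificate is issued only if this returns True, so a key swapped in
    the CA's records after submission is caught here.
    """
    cleaned = normalise_spoken_code(spoken)
    if cleaned is None:
        return False
    expected = communicable_code(stored_spki_der)
    return hmac.compare_digest(expected.encode(), cleaned.encode())


# Constructed sample inputs, not real keys: a well-formed DER
# SubjectPublicKeyInfo header for a 32-byte key followed by filler bytes.
_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI_DER = _SPKI_HEADER + bytes(range(32))
SUBSTITUTED_SPKI_DER = _SPKI_HEADER + bytes(range(1, 33))

if __name__ == "__main__":
    code = communicable_code(SAMPLE_SPKI_DER)
    print("registration ID:", format_for_reading(code))
    print("same key on file:", registrar_check(SAMPLE_SPKI_DER, code))
    print("substituted key :", registrar_check(SUBSTITUTED_SPKI_DER, code))
```

The binding is only as strong as the 40-bit code: it detects accidental separation or casual substitution of the stored key, but a 40-bit truncation gives far less second-preimage resistance than the full hash.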
The steps of the certification process described above which are executed on the computer systems 30 and 32 are preferably executed by, or under the control of, computer programs resident on the respective systems 30 and 32. The steps may also be wholly or partly executed by dedicated hardware included in the systems, such as application specific integrated circuits (ASICs). The systems 30 and 32 may comprise single systems in one location or may comprise distributed systems with their software and hardware components in different locations.
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described. For example, the person 20 being identified may be aware that the registration ID is a summary of the public key. Their system 32 could be used to generate the alphanumeric code, which acts as a key summary, and the person can then convey the code with the identifying information which is to be bound to the public key. Also when the registrar identifies the person and has the person convey the communicable code, a number of techniques could be employed to initiate or achieve this. For example, the registrar may phone the person, the person may phone the registrar, as discussed above, or the person can physically visit, fax or send mail to the registrar, and/or vice versa.

Claims

CLAIMS:
1. A certification method, including: receiving a public key of a public/private key pair generated by a system of a person; processing said public key to generate a communicable code representative of said public key; identifying said person, said identifying including having said person convey said communicable code; and generating a digital certificate, said certificate including said public key.
2. A certification method as claimed in claim 1, wherein said identifying includes verifying identification information of said person, and said certificate binds said identifying information and said public key.
3. A certification method as claimed in claim 2, wherein said communicable code is a limited character string.
4. A certification method as claimed in claim 3, wherein said communicable code is generated using a secure one-way hash function.
5. A certification method as claimed in claim 1, including requesting generation of the public/private key pair by the system of the person, in response to receiving a registration request from the person.
6. A certification method as claimed in claim 5, wherein said registration request includes said identifying information for said person.
7. A certification method as claimed in claim 1, wherein said identifying includes matching a communicable code generated from said public key with the communicable code conveyed by said person.
8. A certification method as claimed in claim 1, including sending said digital certificate to said system of said person.
9. A certification method as claimed in claim 1, including sending said code to said system for said person.
10. A certification method as claimed in claim 9, wherein said sending includes transmitting display data to said system for display of said communicable code by said system.
11. A certification method as claimed in claim 1, wherein said processing of said public key is executed by said system of said person.
12. A certification method as claimed in claim 1, wherein said conveying involves oral communication of said communicable code.
13. A certification method as claimed in claim 12, wherein the oral communication occurs during a telecommunications call.
14. A certification system, including: means for receiving a public key of a public/private key pair generated by a system of a person; means for processing said public key to generate a communicable code representative of said public key; and means for generating a digital certificate after identifying said person, said identifying including having said person convey said communicable code, and said certificate including said public key.
15. A certification system as claimed in claim 14, wherein said identifying includes verifying identification information of said person, and said certificate binds said identifying information and said public key.
16. A certification system as claimed in claim 15, wherein said communicable code is a limited character string.
17. A certification system as claimed in claim 16, wherein said communicable code is generated using a secure one-way hash function.
18. A certification system as claimed in claim 14, including means for sending said code to said system for said person.
19. A certification system as claimed in claim 14, including means for requesting generation of the public/private key pair by the system of the person, in response to receiving a registration request from the person.
20. A certification system as claimed in claim 19, wherein said registration request includes said identifying information for said person.
21. A certification system as claimed in claim 14, wherein said identifying includes matching a communicable code generated from said public key with the communicable code conveyed by said person.
22. A certification system as claimed in claim 14, including means for sending said digital certificate to said system of said person.
23. A certification system as claimed in claim 18, wherein said means for sending transmits display data to said system for display of said communicable code by said system.
24. A certification system as claimed in claim 14, wherein said conveying involves oral communication of said communicable code.
25. A certification system as claimed in claim 24, wherein the oral communication occurs during a telecommunications call.
26. A certification system as claimed in claim 14, including means for executing said identifying.
27. A certification program stored on computer readable storage media, including: code for receiving a public key of a public/private key pair generated by a system of a person; code for processing said public key to generate a communicable code representative of said public key; and code for generating a digital certificate after identifying said person, said identifying including having said person convey said communicable code, and said certificate including said public key.
28. A certification program as claimed in claim 27, wherein said identifying includes verifying identification information of said person, and said certificate binds said identifying information and said public key.
29. A certification program as claimed in claim 28, wherein said communicable code is a limited character string.
30. A certification program as claimed in claim 29, wherein said communicable code is generated using a secure one-way hash function.
31. A certification program as claimed in claim 27, including code for sending said code to said system for said person.
32. A certification program as claimed in claim 27, including code for requesting generation of the public/private key pair by the system of the person, in response to receiving a registration request from the person.
33. A certification program as claimed in claim 32, wherein said registration request includes said identifying information for said person.
34. A certification program as claimed in claim 27, wherein said identifying includes matching a communicable code generated from said public key with the communicable code conveyed by said person.
35. A certification program as claimed in claim 27, including code for sending said digital certificate to said system of said person.
36. A certification program as claimed in claim 31, wherein said code for sending transmits display data to said system for display of said communicable code by said system.
37. A certification program as claimed in claim 27, wherein said conveying involves oral communication of said communicable code.
38. A certification program as claimed in claim 37, wherein the oral communication occurs during a telecommunications call.
39. A certification program as claimed in claim 27, including code for executing said identifying.
40. An identification process, including: receiving a public key of a public/private key pair and identifying information of a person; deriving a communicable code from said public key; and having said person convey said communicable code.
41. An identification process as claimed in claim 40, including comparing a communicable code derived from the public key with the conveyed communicable code, and issuing a digital certificate binding the public key and identifying information when the codes match.
42. An identification process as claimed in claim 41, wherein said communicable code is a limited character string.
43. An identification process as claimed in claim 42, wherein said communicable code is generated using a secure one-way hash function.
44. An identification process, including: generating a communicable code from a public key of a public/private key pair; and binding said public key to identifying information of a person when said person conveys said communicable code.
PCT/AU1999/001096 1998-12-08 1999-12-08 A certification method WO2000035141A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU30266/00A AU3026600A (en) 1998-12-08 1999-12-08 A certification method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPP7570 1998-12-08
AUPP7570A AUPP757098A0 (en) 1998-12-08 1998-12-08 A public key process and a certification method

Publications (1)

Publication Number Publication Date
WO2000035141A1 true WO2000035141A1 (en) 2000-06-15

Family

ID=3811775

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU1999/001096 WO2000035141A1 (en) 1998-12-08 1999-12-08 A certification method

Country Status (2)

Country Link
AU (1) AUPP757098A0 (en)
WO (1) WO2000035141A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5664017A (en) * 1995-04-13 1997-09-02 Fortress U & T Ltd. Internationally regulated system for one to one cryptographic communications with national sovereignty without key escrow
WO1998025375A1 (en) * 1996-12-04 1998-06-11 V-One Corporation Token distribution and registration system and method
US5796833A (en) * 1996-09-23 1998-08-18 Cylink Corporation Public key sterilization

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2381700A (en) * 2001-11-01 2003-05-07 Vodafone Plc Verifying the authenticity and integrity of information transmitted over the air to a receiving station at the receiver using hash functions
GB2381700B (en) * 2001-11-01 2005-08-24 Vodafone Plc Telecommunication security arrangements and methods

Also Published As

Publication number Publication date
AUPP757098A0 (en) 1999-01-07

Similar Documents

Publication Publication Date Title
US9813249B2 (en) URL-based certificate in a PKI
US7020778B1 (en) Method for issuing an electronic identity
CN1565117B (en) Data certification method and apparatus
US6792531B2 (en) Method and system for revocation of certificates used to certify public key users
US8583928B2 (en) Portable security transaction protocol
JP3982848B2 (en) Security level control device and network communication system
US6868160B1 (en) System and method for providing secure sharing of electronic data
CN1701561B (en) Authentication system based on address, device thereof, and program
US20030163687A1 (en) Method and system for key certification
JP2002099211A (en) System and method for processing public key certificate issuing request
CN112565294B (en) Identity authentication method based on block chain electronic signature
JPH05347617A (en) Communication method for radio communication system
US20060136714A1 (en) Method and apparatus for encryption and decryption, and computer product
WO2003049358A1 (en) A method and system for authenticating digital certificates
JPH06334798A (en) Communication network and signal generator
US7565528B1 (en) Method for generating asymmetrical cryptographic keys by the user
WO2000035141A1 (en) A certification method
US20050066057A1 (en) Method and arrangement in a communications network
AU3026600A (en) A certification method
JP3796528B2 (en) Communication system for performing content certification and content certification site device
JP2005217808A (en) Information processing unit, and method for sealing electronic document
Perschau et al. Security and facsimile
JP2003143137A (en) Apparatus and method for lapse confirmation
JP2006081225A (en) Communications system and contents-certified site apparatus to conduct contents certification
WO2001071971A1 (en) Digital contract

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 30266/00

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 09857725

Country of ref document: US

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase