WO2002005481A1 - Three-way encryption and decryption system - Google Patents
Three-way encryption and decryption system
- Publication number
- WO2002005481A1 PCT/US2001/002916
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- key
- public key
- bits
- computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- the present invention relates generally to computer networks, and more specifically, to an encryption and decryption process for the transmission of digital data.
- the Internet is basically a public network, but the messages sent over it often need to be kept private. Because of this, data encryption has become a fundamentally important aspect of data communication over the Internet and other public and private computer networks. Indeed, the success of the burgeoning electronic commerce industry relies on effective encryption means to protect sensitive data.
- Traditional encryption methods rely on the concept of a key based cipher system to encode and decode transmitted data.
- a key is a piece of data, basically a long random number that can be used to encrypt or decrypt a given message.
- a symmetric-key cryptography system is an encryption system in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message.
- the key must be known at both ends of a connection, which poses a challenge with regard to communicating and protecting the integrity of the key.
- the problem with secret key cryptography, from the standpoint of transactions over the Internet, is that anyone who can get both the key and the encrypted information can decrypt the information.
- Although symmetric-key systems are relatively simple and fast, their main drawback is that the two parties must somehow exchange the key in a secure way.
- the most popular symmetric-key system is the Data Encryption Standard (DES).
- An asymmetric or public key encryption system is a cryptographic system that uses two keys: a public key known to everyone and a private key known only to the recipient of the message.
- the sender uses the recipient's public key to encrypt the message.
- the recipient then uses his private key to decrypt it. Together the public and private keys make an 'asymmetric key pair'.
- a message encrypted with a public key can only be decrypted with the matching private key, and vice versa. If a public key is used at encryption time, the message can only be unscrambled using the matching private key. This technique can safely be used to transmit a secret key, because only the intended recipient can decipher it.
- Public-key encryption represents an improvement over symmetric-key systems because the public key can be distributed in a non-secure way, and the private key is never transmitted.
- a public-key scheme can also be used to show that a particular message is genuine. If a private key is used at encryption time, then the message can be read only with the corresponding public key. Without the private key, it is virtually impossible to forge an intelligible message that will unscramble with the public key, or to tamper successfully with a message that has already been encrypted.
- An important characteristic of public key systems is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them.
- One difficulty with public-key systems is that the sender needs to know the recipient's public key to encrypt a message for the recipient. Because of this, public-key cryptography systems are not foolproof.
- One risk is that a sender must be certain of who owns a public key. It is usually necessary to have public keys verified by a trustworthy third party. Companies, such as VeriSign™, offer a commercial service for verifying and signing the public keys of other organizations.
- Certificate authorities are trusted third-party organizations or companies that issue digital certificates used to create digital signatures and public-private key pairs.
- the role of the Certificate Authority in this process is to guarantee that the individual granted the unique certificate is the proper individual.
- the Certificate Authority usually has an arrangement with a financial institution, such as a credit card company, to obtain information to confirm an individual's claimed identity.
- Certificate authorities are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
- the most widely used standard for digital certificates is the X.509 standard.
- One significant disadvantage of present key distribution and certificate processes is that keys are recycled. This creates a situation in which breaking one key results in the compromise of many other keys.
- a three-way encryption/decryption process for use in digital data transmission is described.
- a message is encrypted using public key/private key encryption methods.
- the encrypted message text is bit manipulated to further code the secret message text.
- the bit manipulation process includes a process of rearranging bits in a byte, thus preventing an attacker from deciphering any readable text even though an attacker might successfully decipher the encrypted message or acquire either the password and/or private key to decipher the encrypted message.
- a bit recovery process is used by the receiver after a public key decryption step to recover the bit manipulated encoded text.
- Figure 1 illustrates a block diagram of a computer network system that implements embodiments of the present invention
- Figure 2 is a flowchart that illustrates the steps of performing digital data transmission using a three-way encryption/decryption process, according to one embodiment of the present invention
- Figure 3 is a flowchart that illustrates the steps of distributing a key using a three way encryption/decryption process according to one embodiment of the present invention
- Figure 4 is a flow chart that illustrates the step of encrypting a message using a three way encryption/decryption process according to one embodiment of the present invention
- Figure 5 is a flow chart that illustrates the step of decrypting a message using a three way encryption/decryption process according to one embodiment of the present invention
- Figure 6 is a flow diagram that illustrates a three-way encryption/decryption method for a key distribution process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention
- Figure 7 is a flow diagram that illustrates a three-way encryption/decryption method for an encryption process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention
- Figure 8 is a flowchart that illustrates a three-way encryption/decryption method for a decryption process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention.
- server and client computer systems transmit and receive data over a computer network or standard telephone line.
- the steps of accessing, downloading, and manipulating the data, as well as other aspects of the present invention are implemented by central processing units (CPU) in the server and client computers executing sequences of instructions stored in a memory.
- the memory may be a random access memory (RAM), read-only memory (ROM), a persistent store, such as a mass storage device, or any combination of these devices. Execution of the sequences of instructions causes the CPU to perform steps according to embodiments of the present invention.
- the instructions may be loaded into the memory of the server or client computers from a storage device or from one or more other computer systems over a network connection.
- a client computer may transmit a sequence of instructions to the server computer in response to a message transmitted to the client over a network by the server.
- When the server receives the instructions over the network connection, it stores the instructions in memory.
- the server may store the instructions for later execution, or it may execute the instructions as they arrive over the network connection.
- the downloaded instructions may be directly supported by the CPU.
- the instructions may not be directly executable by the CPU, and may instead be executed by an interpreter that interprets the instructions.
- hardwired circuitry may be used in place of, or in combination with, software instructions to implement the present invention.
- the present invention is not limited to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by the server or client computers.
- Figure 1 illustrates a computer network system 100 that implements one or more embodiments of the present invention.
- a network server computer 104 is coupled, directly or indirectly, over line 125 to one or more network client computers 102 and 103 through a network 110.
- the network interface between server computer 104 and client computer 102 may also include one or more routers that serve to buffer and route the data transmitted between the server and client computers over lines 121 and/or 123.
- Network 110 may be the Internet, a Wide Area Network (WAN), a Local Area Network (LAN), or any combination thereof.
- the server computer 104 is a
- WWW World-Wide Web
- server 104 in network system 100 is a server that executes an encryption/decryption software program 112.
- Client versions of the encryption/decryption software program 105 may also be executed on the client computers, such as client computer 102.
- the encryption/decryption program 112 may represent one or more executable program modules that are stored within network server 104 and executed locally within the server.
- encryption/decryption program 112 may be implemented in a plurality of different program modules, each of which may be executed by two or more distributed server computers coupled to each other, or to network 110 separately.
- network 110 is the
- network server 104 and content provider 103 execute a web server process (not shown to avoid obscuring the illustration) to provide HTML documents to client computers coupled to network 110.
- client computer 102 runs a web client process (typically a web browser, such as Netscape Navigator™ or Microsoft Explorer™) that accesses and provides links to web pages available on server 104 and other Internet server sites.
- a network system 100 that implements embodiments of the present invention may include a larger number of interconnected client and server computers than shown in Figure 1.
- the client computer 102 may access the Internet network 110 through an Internet Service Provider (ISP) 107.
- the representative networked computers of Figure 1 can be implemented as any standard computer that includes a CPU coupled through a bus to various other devices. These devices could include random access memory (RAM), a read only memory (ROM), and mass storage devices (e.g., a magnetic disk, optical compact disk, or tape drive for storing data and instructions).
- the computer also typically includes input/output devices, such as a display device, keyboard, and network interface device, along with other similar devices or interfaces. Any of the computers in Figure 1 could be implemented in the form of personal computers, laptop computers, mainframe computers, or other type of workstation computers.
Encryption/Decryption Process
- the client and server encryption/decryption software processes 112 and 105 serve to encrypt data transmitted between the network client 102 and the network server 104 and other networked computers, such as content providers on network 110. It is assumed that network client 102 implements known versions of a public key encryption system, such as the RSA Encryption system. In one embodiment, the encryption/decryption software processes 112 and 105 add a further level of encryption to the RSA system.
- the encryption/decryption process described herein may be implemented to be run from the client computer 102 as a client side application 105 or applet. Preferably, however, the encryption/decryption process is executed from the server computer 104 as a server side program 112 or servlet. Alternatively, the encryption/decryption process can consist of modules that reside on both the server and client computers.
- a secret key is first generated using a one-way method, such as a DES method.
- the secret key is then used to encrypt the message, and the PKC key is used to encrypt the secret key.
- the PKC-encrypted secret key is then attached to the secret key-encrypted message.
- the standard RSA system thus includes two levels of encryption comprising encryption/decryption of the secret key (password) and the PKCS message encryption/decryption.
- Embodiments of the present invention add a third level of encryption comprising a bit manipulation step prior to the PKCS encryption step, and a bit recovery step after the private key retrieval process.
- the encryption/decryption process uses a simple methodology of rearranging bits in a byte, thus preventing an attacker from deciphering any readable text even though an attacker might successfully decipher the encrypted message, or acquire either the password and/or private key to decipher the encrypted message.
- embodiments of the present invention enhance the security of private and confidential financial information transmitted over the Internet and increase throughput of the Certificate Authority engine where the validation of key information occurs.
- the three-way encoding process of the present invention has several different applications.
- bit manipulation step can be used when encoding a digital envelope with a user provided password or private key and revoking the
- a digital envelope is a type of security that uses two layers of encryption to protect a message.
- the message itself is encoded using symmetric encryption, and then the key to decode the message is encrypted using public-key encryption.
- the Certificate Authority can revoke the authentication certificate after a light decryption process such as DES or password based encryption prior to actual PKCS private key decryption.
- the Certificate Authority can validate the SHA value and revoke the certificate prior to the actual PKCS private key decryption.
- the SHA result refers to a 'hash' process that is used to generate a smaller digest of a message that depends on the contents of the large message, since, in practice, it is not necessary to scramble all of a large message when signing it. If the original is changed even slightly, the hash will generate a different result.
- the digest alone is encrypted using the private key, and sent out alongside the main message as a certificate.
- the recipient can apply the same hash algorithm to the incoming main message to create a new digest, decrypt the sender's certificate, and compare the two results. If the digests are identical then the code cannot have been altered and must have been sent by the owner of the appropriate public key.
- FIG. 2 is a high-level flowchart that illustrates the steps of a three-way encoding/decoding process, according to one embodiment of the present invention. In general, the message recipient provides his or her public key to the message sender. The message sender then uses the public key to encrypt the message and sends the encrypted message to the recipient. The recipient then uses his or her private key to decrypt the sent message.
- the public key can be distributed to the message sender using known PKCS techniques, such as looking up the key on an Internet site or key registry or asking the recipient to provide his or her public key. For the embodiment illustrated in Figure 2, the public key is distributed to the user using a bit manipulation encryption process.
- In step 202, the public (PKCS) key for the recipient is distributed to the message sender.
- this step entails retrieving a public key, performing a bit manipulation process on the key, encrypting the key, and then distributing the key to the sender.
- In step 204, the sender encrypts the message to be sent to the recipient.
- Step 204 generally entails decrypting the key and any password that may be used, rebuilding the public key, performing PKCS encryption, and certifying the key with a Certificate Authority.
- In step 206, the transmitted message is decrypted at the recipient's computer.
- This step generally entails the recipient retrieving his or her private key, performing PKCS decryption, checking the consistency of the secure hashing algorithm, and rebuilding the secret message.
- bit manipulation and bit recovery processes are executed to further encode the message being sent.
- the bit manipulation and bit recovery processes can also be used to encrypt the public key when it is distributed from the message recipient to the message sender.
- FIG. 3 is a flowchart that illustrates the steps of distributing a public key from a message recipient to a message sender, using a three way encryption/decryption process according to one embodiment of the present invention.
- the message recipient retrieves his or her public key.
- a password that is used to code the public key for distribution to the message sender is then determined.
- a salt value is determined using standard RSA salt routines. Salt is an additional string, usually 40 to 88 bits long, that can be added to a message as an additional measure to thwart attackers who try to precompute a large look-up table of possible encryption. The salt is appended to the encryption key, and the lengthened key is then used to encrypt the message.
- the key text is built by combining the recipient's public key, the sender's password, and the salt.
- a bit manipulation process is performed on the key text.
- the bit manipulation process comprises a nibble exchange among pairs of nibbles that make up the message.
- the bit manipulation process can comprise a bit exchange process.
- the bit manipulation process is described in greater detail in the description that follows below.
- the bit manipulation process of step 310 serves to further scramble the key text so that an attacker cannot rebuild the key by breaking the password and salt values.
- the key text is encrypted with the password, step 312.
- the encrypted key is then distributed to the message sender, step 314.
- the distribution step is accomplished by transmitting the encrypted key message to the recipient over the Internet using a secure electronic mail (e-mail) communication, or similar communication method.
- FIG. 4 is a flow chart that illustrates the steps of encrypting a message using a three way encryption/decryption process according to one embodiment of the present invention.
- In step 402, the character string of the recipient's public key is decrypted using the password and the salt value.
- the key text is then recovered using a bit recovery process, step 404.
- the bit recovery process is the opposite of the bit manipulation process performed in step 310. Thus, if the bit manipulation swapped the position of every two nibbles (four bits) comprising the original message, the bit recovery process would swap the nibbles back to their original position.
- the recovered password is checked. If the password is approved, the expiration date of the recovered password is checked, step 408.
- In step 410, the recipient's public key is rebuilt.
- the secret message is encrypted by the message sender.
- the sender builds the message text by encrypting the text and the SHA of the public key.
- a bit manipulation process is performed on the message text.
- the bit manipulation process performed in step 414 can be either a nibble exchange or a bit exchange of the ASCII characters that comprise the message. Such a process is described in the description that follows below. In step 416, standard PKCS encryption is performed on the bit manipulated message text. This step is performed as many times as required for full encryption of the message. Multiple encryption steps might be required for messages that are longer than the maximum allowable length specified by present PKCS systems.
- the public key is passed to a Certificate Authority to verify that the message recipient is a valid entity authorized to receive the message.
- FIG. 5 is a flow chart that illustrates the step of decrypting a message using a three way encryption/decryption process according to one embodiment of the present invention.
- the message recipient retrieves his or her matching private key.
- a PKCS decryption process is then performed on the encrypted message, step 504.
- the decrypted message is now a bit manipulated version of the message, since a bit manipulation process was performed by the sender, step 506, as described in step 414 of Figure 4.
- the recipient performs a bit recovery process on the decrypted text. After the text is recovered, the consistency of the SHA value is checked, step 508.
- the three-way encryption/decryption method includes a bit manipulation/bit recovery scheme to further encrypt transmitted data.
- data could include keys, passwords, and the message data itself.
- 'bit manipulation' refers to reordering the sequence of bits during encryption of a data string
- 'bit recovery' refers to recovering the original order of the sequence of bits during decryption of the data string by performing the opposite sequence of the bit manipulation sequence.
- the bit manipulation and recovery steps are performed as part of the three-way encryption/decryption method as illustrated as part of the processes shown in Figures 3, 4, and 5.
- nibble exchange examples will be illustrated, however, it should be noted that any form of bit alteration can be implemented for the process of three-way encryption/decryption described herein.
- the following plain text sentence "This is the cat who ate the mouse!" is bit manipulated.
- the hexadecimal values of the ASCII format characters before nibble exchange are as follows:
- the values of the sentence are basically the inverted hexadecimal values as follows:
- bit manipulation process is used as part of a key distribution process, as illustrated in the flowchart of Figure 3.
- Figure 6 is a flow diagram that illustrates a three-way encryption/decryption method for a key distribution process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention.
- a client computer 602 executing a web browser program, such as Netscape Navigator™ or Microsoft Explorer™, establishes communication with an e-commerce site web server 608 through a local ISP 604 and e-commerce ISP 606.
- the client computer 602 typically transmits sensitive information such as order and payment information.
- the encryption/decryption process to provide the public key to the client 602 is provided by an encryption server 612, which is coupled to the e-commerce site server 608 through a private encryption server ISP 610.
- An example of a bit manipulation process used to encrypt a public key in the transaction system 600 illustrated in Figure 6 is as follows. First, a proper public key or X.509 certificate based on floor level authorization is selected by the user of the client computer 602. For example, by choosing a 768 RSA public key, the public key will be expressed in the following hexadecimal format: E5 26 A1 E3 EF 61 71 2D EB 0C EB 4E 91 27 0F 8A 95 D7 FF 46 E8 7F 2D 2A FB E1 7F D8 0E E5 82 3B 22 3D E1 C3 1F 3C 85 CB BC 35 DE 11 61 28 C7 38 81 52 EF FE F7 0B 4C 22 5F BB 7D B6 0C 1F 3C 3C 40 C2 73 44 99 C4 81 72 C2 B9 3A EA 65 99 BC 6A 71 41 36 70 28 C4 C2 43 3B 88 21 E5 1D C8 83 67
- the password for the key is transmitted from the client computer 602 to the e-commerce web server 608 through the appropriate networking apparatus.
- the e-commerce web server 608 determines if a public key exists for the client computer user, step 621. If a public key does exist, that public key is used, and the process ends, since there is no need for further key distribution processing. If a public key for the user does not exist the password and transaction data is passed from the e-commerce web server 608 to the encryption server 612.
- the encryption server 612 then builds an input to the password based encryption process, step 622.
- the input to the password based encryption process in plain text is then constructed using the following formula to produce the secret message:
- ? is the number of x'BB's (padding characters) to make the length of the plain text to be a multiple of 8 bytes and if the resulting byte is 0x00, it will be changed to x'BB'.
- In step 624, a nibble exchange process is performed on the key string.
- an eight-byte randomly generated hexadecimal number is generated as a salt value to be used as part of the password encryption process.
- the salt value could be the string: A1 3E D0 69 67
- In step 626, standard RSA encryption is performed on the key information using the salt.
- the resulting password-based encrypted value resulting from the combination of the constructed secret message shown above, plus the salt value exemplified immediately above, in hexadecimal format is shown as follows:
- the above encrypted value and salt value can then be distributed to either a client computer desktop using Secure Sockets Layer, a Smart Card or an e-commerce database repository 614.
- the Secure Sockets Layer (SSL) is a security-enhanced abstraction of sockets that provides transaction security at the link or transport level. With SSL, security properties are attached to the link or channel of communication between two parties, not the documents themselves.
- In step 628, it is determined whether a smart card service is to be used to distribute the encrypted key to the client computer user. If the smart card service is to be used, the smart card is personalized to the user using the encrypted key and the salt value, step 630. The smart card is then mailed or otherwise delivered to the client computer user, step 632.
- the encrypted key is distributed to the user through the e-commerce site ISP 606 and e-commerce web server 608.
- the encrypted key is then ultimately delivered to the user through the user's local ISP 604 using SSL transmission processes.
Message Encryption For Transaction Processing
- the three-way encryption/decryption process is used in an e-commerce application in which sensitive information, such as address and credit card information, is transmitted from a buyer (message sender) to an e-commerce merchant web site (message recipient) over a network.
- Figure 7 is a flow diagram that illustrates a three-way encryption/decryption method for an encryption process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention.
- the client computer user (buyer) 602 may pass information that comprises the secret message, password, salt, and the encrypted public key to an e-commerce site web server through one or more ISPs 604 and 606.
- the message could be as follows: 4211232155678123 HITAE LEE 4319 N. LARWIN
- the secret message is encrypted using an encryption server, such as encryption server 612 of Figure 6.
- the encryption server performs a series of operations illustrated as process steps within block 702.
- the e-commerce site 608 decrypts the encrypted public key using the provided password and salt. Successful decryption requires the proper password and salt value. If the recipient, or a would-be attacker, supplies an incorrect password, for example 'joel', the decryption process will generate the following value:
- the next step is to compute the offset of the password using the key length.
- the hexadecimal value of the offset is: 8B 3A 1B 96 2F 5F 4D 75.
- the hexadecimal value of the offset is: B8 3A B1 69 F2 F5 D4 57, which is not 'joel', so the password is in fact incorrect.
- the next step is to compute the offset of the password using the key length and retrieve the password from the decrypted public key and perform the nibble exchange, step 706.
- the retrieved password before the nibble exchange could be: 27 56 46 36 F6 27 16 C6. If a would-be attacker tries to decipher this value by displaying the contents of this returned value it would display as: ' 66'_/£
- the retrieved password after nibble exchange is as follows: 72 65 64 63 6F 72 61 6C. This produces the following string 'redcoral', which is the proper password.
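The nibble exchange and bit recovery described above, as an added Python example (not code from the patent): it replays the page's password bytes and sample sentence, and shows that the step is a fixed, keyless byte permutation that is its own inverse, so it preserves byte frequencies and leaves bytes with equal nibbles unchanged. All function and constant names are chosen for this example.

```python
"""Added example: nibble exchange / bit recovery on values quoted on this page."""
from collections import Counter

# Values taken from the page.
PAGE_PASSWORD_BEFORE = bytes.fromhex("27 56 46 36 F6 27 16 C6")
PAGE_PASSWORD_AFTER = bytes.fromhex("72 65 64 63 6F 72 61 6C")
PAGE_SENTENCE = b"This is the cat who ate the mouse!"


def nibble_exchange(data: bytes) -> bytes:
    """Swap the high and low 4-bit halves of every byte (no key involved)."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def bit_recovery(data: bytes) -> bytes:
    """'Bit recovery' is the same swap applied again: the transform is an involution."""
    return nibble_exchange(data)


def recovered_password() -> str:
    """Undo the exchange on the page's 'before' bytes and decode as ASCII."""
    return bit_recovery(PAGE_PASSWORD_BEFORE).decode("ascii")


def is_involution() -> bool:
    """Check exchange(exchange(b)) == b for every possible byte value."""
    every_byte = bytes(range(256))
    return nibble_exchange(nibble_exchange(every_byte)) == every_byte


def fixed_point_count() -> int:
    """Bytes whose two nibbles are equal (0x00, 0x11, ... 0xFF) are not changed at all."""
    return sum(1 for b in range(256) if nibble_exchange(bytes([b]))[0] == b)


def unchanged_positions(data: bytes) -> list:
    """Indexes in `data` that survive the exchange unmodified."""
    swapped = nibble_exchange(data)
    return [i for i, (a, b) in enumerate(zip(data, swapped)) if a == b]


def frequency_profile(data: bytes) -> list:
    """Sorted byte counts, ignoring which byte value each count belongs to."""
    return sorted(Counter(data).values(), reverse=True)


def same_frequency_profile(data: bytes) -> bool:
    """A byte-wise permutation keeps the frequency shape of the input intact."""
    return frequency_profile(data) == frequency_profile(nibble_exchange(data))


if __name__ == "__main__":
    print("password after bit recovery :", recovered_password())
    print("sentence after exchange     :", nibble_exchange(PAGE_SENTENCE).hex(" "))
    print("self-inverse for all bytes  :", is_involution())
    print("byte values left unchanged  :", fixed_point_count())
    print("unchanged sentence positions:", unchanged_positions(PAGE_SENTENCE))
    print("frequency profile preserved :", same_frequency_profile(PAGE_SENTENCE))
```

Because the exchange takes no key, its contribution to confidentiality rests entirely on the transform being unknown to whoever holds the decrypted bytes.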
- In step 708, it is determined whether the password matches. If the retrieved password does not match, the transaction is declined; this produces an 'authorization failed' situation. If the password validation process fails more than a pre-determined maximum number of failures, as determined in step 710, the certificate is revoked and the registered owner is informed, such as through e-mail using the owner's registered e-mail address or through other validated means, step 712.
- the server next checks whether the key is expired, step 714. If a key has expired or is revoked, the transaction is declined and the e-commerce site is informed and instructed to expel or terminate the shopping process, step 712.
- If, in step 714, it is determined that the password has not expired, it is assumed that the password is valid, and the process continues from step 716.
- In step 716, a nibble exchange process is performed on the retrieved public key.
- An exemplary public key, after a nibble exchange process can be expressed as: E5 26 A1 E3 EF 61 71 2D EB 0C EB 4E 91 27 0F 8A 95 D7 FF 46 E8 7F 2D
- a hashing operation is then performed on the nibble-exchanged public key, step 718.
- SHA1 hashing is performed on the recovered public key to produce a 20-byte SHA1 hexadecimal value as follows: 4A F8 29 C9 55 43 C2 D0 83
- In step 720, the secret message to be sent from client computer user to the e-commerce site is built for PKCS encryption. This step entails bit manipulating
- nibble exchanging the hexadecimal characters comprising the ASCII text of the message.
- a nibble exchange for an exemplary secret message can be as shown:
- RSA PKCS processes generally cannot encrypt a string longer than the length of the public key, that is 11 bytes.
- the secret message is broken into two groups, one group of 64 bytes and the second group of 72 bytes.
- Standard PKCS encryption techniques are then performed on the nibble exchanged secret message.
- PKCS encryption will be performed on each group.
- multiple PKCS processes are performed on the nibble exchanged secret message.
- the first encryption produces the plain text string (in hexadecimal): 43 23 13 13 23 33 23 13 53 53 63 73 83 13 23 33 02 84 94 45 15 54 C4 54 54
- the encrypted text for this string is: 0F 1A 25 A3 FA 07 7D D8 C7 05 EA BA 28 D5 5E CB 98 D8 0B 5D 98 FC
- the second encryption operation (for the second group) produces the plain text (in hexadecimal): 02 03 03 03 13 23 03 03 E2 33 43 43 02 75 F4 35 C4 44 02 D4 55 35 94 34 02 14 E4 44 02 65 94 44 54 F4 02 54 15 55 94 05 D4 54 E4 45 02 13 23 23 33 D2 33 43 53 13 D2 13 02 24 14 E4 B4 02 F4 64 02 14 D4 54 24 94 34 14 BB
- the encrypted text for this string, in hexadecimal is:
- the encrypted secret message is built using the SHA1 of the public key and the encrypted message text.
- the encrypted message is built using the following equation: First block of Encrypted plain text + SHA1 of public key + Second block of
- the encrypted message is then passed to a Certificate Authority for validation, step 726.
- FIG. 8 is a flowchart that illustrates a three-way encryption/decryption method for a decryption process implemented in an Internet-based e-commerce transaction system, according to one embodiment of the present invention.
- the Certificate Authority retrieves the key length and key sequence from the encrypted message.
- the Certificate Authority retrieves the matching public key from the Certificate Authority repository using the key length and key sequence.
- the Certificate Authority performs hashing (SHA1) on the retrieved public key. In the above example message, an SHA1 value is placed after first block of the encrypted text which starts at 97 to 106.
- SHA1 hashing
- An example of an SHA1 string for a particular secret message is: 4A F8 29 C9 55 43 C2 D0 83 43 DF 0D 32 D8 95 5D 85 73 DC 14 BB BB BB BB
- the Certificate Authority next retrieves the SHA1 from the secret message and validates the public key/private key pair, step 806. If, in step 808, it is determined that the recovered SHA1 and resulting SHA1 of the retrieved public key do not match, the transaction/certificate is revoked, and a rejection is sent to the e-commerce site, step 828. If the SHA1 values do match, the encrypted secret message information
- signed application data blocks are retrieved by joining the blocks of the message together, step 810.
- the first and second part of the encrypted message from bytes 1 to 96 and bytes 121 to 216 are joined to retrieve the message.
- the proper RSA PKCS private key is retrieved using key length and key sequence information.
- the RSA PKCS private key has the following components: Public Key Modulus, Public Exponent, Private Exponent, Primary Modulus 1, Primary Modulus 2, Primary Exponent 1, Primary Exponent 2, and Coefficient.
- PKCS decryption is performed on the private key. Again, if the string is too long, repeated decryption on the encrypted message may be performed.
- In step 816, a nibble exchange process is executed on the combined message blocks to rebuild the original secret message. In step 820, the original secret message is rebuilt and then sent to the e-commerce site.
- the further processing of the secret message conforms to the requirements of the system in which the e-commerce transaction is being performed. For example, if the transaction is being performed using a credit system, certain validation steps may need to be implemented using a credit bureau and/or other financial institutions.
- the secret message is transmitted to the e-commerce site for fulfillment of the transaction.
- the transmission client/server software is implemented in a network that utilizes point to point telephony infrastructure. It is to be noted, however, that alternative embodiments can be implemented for use with point to point video conferencing or point to multi-point homing, or similar network systems. In addition, embodiments of the present invention can be implemented over networks that partially or wholly implement wireless data communication technology.
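The password check in steps 706-708 and the envelope handling in steps 806-810, as an added Python example that is not code from the patent. The 216-byte layout (a 20-byte SHA1 followed by four BB filler bytes between two 96-byte blocks) is inferred from the byte ranges quoted above; the function names and the constructed key and block bytes are assumptions of this example.

```python
import hashlib
import hmac

def nibble_exchange(data: bytes) -> bytes:
    """Swap the high and low 4-bit halves of every byte.

    The transform has no key and is its own inverse, so it hides the text
    from a casual hex dump but not from anyone who knows the scheme.
    """
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)

def password_matches(retrieved: bytes, expected: str) -> bool:
    """Steps 706-708: undo the nibble exchange, compare in constant time."""
    return hmac.compare_digest(nibble_exchange(retrieved), expected.encode("ascii"))

# Envelope layout inferred from the byte ranges in the description (an
# assumption of this example): bytes 1-96 first encrypted block, 97-116
# SHA-1 of the public key, 117-120 filler bytes BB, 121-216 second block.
BLOCK_LEN, DIGEST_LEN, FILLER = 96, 20, b"\xbb" * 4
ENVELOPE_LEN = 2 * BLOCK_LEN + DIGEST_LEN + len(FILLER)

def build_envelope(block1: bytes, block2: bytes, public_key: bytes) -> bytes:
    """Sender side: first block + SHA-1 of the key + filler + second block."""
    if len(block1) != BLOCK_LEN or len(block2) != BLOCK_LEN:
        raise ValueError("each encrypted block must be 96 bytes")
    return block1 + hashlib.sha1(public_key).digest() + FILLER + block2

def open_envelope(message: bytes, public_key: bytes) -> bytes:
    """Steps 806-810: check the embedded digest, then join the two blocks."""
    if len(message) != ENVELOPE_LEN:
        raise ValueError("unexpected envelope length")
    embedded = message[BLOCK_LEN:BLOCK_LEN + DIGEST_LEN]
    if not hmac.compare_digest(embedded, hashlib.sha1(public_key).digest()):
        raise ValueError("SHA-1 of public key does not match: reject")
    return message[:BLOCK_LEN] + message[BLOCK_LEN + DIGEST_LEN + len(FILLER):]

# Password bytes quoted in the description, before the nibble exchange.
RETRIEVED_PASSWORD = bytes.fromhex("27 56 46 36 F6 27 16 C6")

if __name__ == "__main__":
    print(nibble_exchange(RETRIEVED_PASSWORD))
    key = bytes(range(64))                                 # constructed key bytes
    env = build_envelope(b"\x01" * 96, b"\x02" * 96, key)  # constructed blocks
    print(len(env), open_envelope(env, key)[:2])
```

Because the nibble exchange is keyless and self-inverse, confidentiality in this flow rests entirely on the RSA PKCS step and on protection of the private key.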
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a three-way encryption and decryption method for use in digital data transmission (402, 416 and 418). First, a secret message is encoded using public/private key encryption methods. After the public key encryption, the text of the encoded message is manipulated at the bit level so as to encode the text of the secret message again. In one embodiment, the bit manipulation method comprises rearranging bits within a byte, thereby preventing an attacker from deciphering any readable text even if the attacker can successfully decrypt the encoded message or acquire the password and/or the private key in order to decrypt the encoded message. The receiver implements a bit recovery method following the public key decryption step, so as to recover the encoded and bit-manipulated text.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2001236580A AU2001236580A1 (en) | 2000-07-06 | 2001-01-30 | Three-way encryption/decryption system |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US61072300A | 2000-07-06 | 2000-07-06 | |
| US09/610,723 | 2000-07-06 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2002005481A1 (fr) | 2002-01-17 |
Family
ID=24446155
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2001/002916 Ceased WO2002005481A1 (fr) | 2000-07-06 | 2001-01-30 | Three-way encryption/decryption system |
Country Status (2)
| Country | Link |
|---|---|
| AU (1) | AU2001236580A1 (fr) |
| WO (1) | WO2002005481A1 (fr) |
-
2001
- 2001-01-30 WO PCT/US2001/002916 patent/WO2002005481A1/fr not_active Ceased
- 2001-01-30 AU AU2001236580A patent/AU2001236580A1/en not_active Abandoned
Also Published As
| Publication number | Publication date |
|---|---|
| AU2001236580A1 (en) | 2002-01-21 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1; Designated state(s): AU CA CN JP KR MX |
| | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | 122 | Ep: pct application non-entry in european phase | |
| | NENP | Non-entry into the national phase | Ref country code: JP |