High security system for electronic signature verification
Abstract
The system provides both electronic signature and message verification with a minimum of excess coding information on an instantaneous basis and is easily restartable in a store and forward environment. The system is based on the concept of a vault or central authority. The vault is in essence a physically secured Authenticator designed as a hardware automation which is not under control of any operating system. The system is a terminal based network wherein all terminals or users may communicate directly or through a central CPU. All secure electronic signature verification transactions must be transacted through the central facility which includes said vault. The vault and all terminals include an identical key-controlled block-cipher cryptographic facility wherein each user at a terminal has access only to his own key and wherein the vault has access to all user keys. At the end of a transaction, a user A (originator) and a user B (receiver) each have uniquely encrypted messages which can be utilized in later arbitration proceedings wherein user A cannot later deny having sent a message or its contents and similarly user B cannot deny having received the message or its specific content. The vault provides facilities for effective legal arbitration and is also simple to operate in such an n-to-n network without using more than one key per person.
159 Citations
14 Claims
1. A method for effecting a high security electronic signature verification operation in a computer based communication system comprising a central data communication network controller which includes a high security verify unit (Vault) therein said system further including at least two remotely located terminals selectively connectable to said Vault over said data communication network and wherein said Vault and each of said terminals includes substantially identical key-controlled block-cipher cryptographic devices included therein and wherein said Vault has available therein means for obtaining the individual keys KX of each terminal (or user X) connected to said system, said method comprising:
- User A (sender) at a first terminal sending the Vault a first message (A⊕C1) including a first segment which comprises an identification code of the user A in clear format and a second segment C1 including at least an identification of the sender, user A, the receiver user B (A/B) and the message to be communicated to user B (Data) at a second terminal, said second portion being encrypted under user A's key KA,
- the Vault upon receipt of said message A⊕C1 obtaining the key KA based on the first portion of said message A, and decrypting said message portion C1 using key KA, verifying the identity of user A and upon a successful verification of the user A said Vault forming a second message to be sent to user B (receiver) at said second terminal, said second message including the message segment C1 from the first message and a new message segment comprising the identity A/B of the sender and receiver and Data which message is encrypted as a function of user B's key KB,
- user B upon receipt of said second message from the Vault decoding same and saving the message C1 in a `Legal Store`, and forming a third message B⊕C2 to be returned to the Vault said third message including the identity of user B in clear format as a first segment and a second segment C2 comprising at least the previous message segment C1 and the identity A/B of the sender and receiver, enciphering this second message segment under key KB, and sending the message B⊕C2 to the Vault,
- the Vault upon receipt of the message from the user B decrypting the message C2 to obtain segment C1 therefrom, said Vault then forming a fourth message C1⊕C2 and encrypting said message as a function of user A's key KA and sending said message to user A,
- user A upon receipt of said fourth message from the Vault decrypting the message to obtain C1 and C2, and storing C2 in a `Legal Store`.
6. A high security electronic signature verification system for use in a computer based communication facility comprising a central data communication network controller which includes a high security verify unit (Vault) therein said system further including at least two remotely located terminals selectively connectable to said Vault over said data communication network and wherein said Vault and each of said terminals includes substantially identical key-controlled block-cipher cryptographic devices included therein and wherein said Vault has available therein means for obtaining the individual keys KX of each terminal (or user X) connected to said system,
- means at a first terminal to enable a user A (sender) to send the Vault a first message (A⊕C1) comprising a first segment which comprises an identification code for the user A in clear format and a second segment C1 including at least an identification of the sender, user A, the receiver user B (A/B) and the message to be communicated to user B (Data), means for encrypting said second portion under user A's key KA,
- means in the Vault operable upon receipt of said message A⊕C1 for obtaining the key KA based on the first segment, A, of said message and means for decrypting said message portion C1, under key KA verifying the identity of user A and upon a successful verification of the user A means operable to form a second message to be sent to user B (receiver) at a second terminal including the message segment C1 from the message and a new message segment including at least A/B and Data which message is encrypted as a function of user B's key KB,
- means at said second terminal operable upon receipt of said second message from the Vault for decoding same and saving the message C1 in a `Legal Store`, and forming a third message to be returned to the Vault said third message including the identity of user B in clear format as a first segment and a second segment C2 comprising at least the previous message segment C1 and the identity A/B of the sender and receiver, enciphering this second message segment under key KB, and sending the message B⊕C2 to the Vault,
- means at the Vault operable upon receipt of the message from the second terminal (user B) for decrypting the message C2 to obtain segment C1 therefrom, further means operable for forming a fourth message C1⊕C2 and for encrypting said message as a function of user A's key KA and for sending said message to said first terminal,
- said first terminal including means operable upon receipt of said fourth message from the Vault for decrypting the message to obtain C1 and C2, and storing C2 in a `Legal Store`.
11. A method for effecting a high security electronic signature verification operation in a computer based communication system comprising a central data communication network controller which includes a high security verify unit (Vault) therein said system further including at least two remotely located terminals selectively connectable to said Vault over said data communication network and wherein said Vault and each of said terminals connected to said system includes substantially identical key-controlled block-cipher cryptographic devices included therein and wherein said Vault has available therein means for obtaining the individual Keys KX of each terminal (or user X) connected to said system, and wherein said Vault and all terminals connected to the system each contain synchronized binary counters said method comprising:
- User A (sender) at a first terminal sending the Vault a first message (A ⊕ C1) including a first segment which comprises an identification code of the user A in clear format and a second segment C1 including at least an identification of the sender, user A, the receiver user B (A/B) the current value BC1 of the counter resident in user A's terminal and the message to be communicated to user B (Data) at a second terminal, said second portion being encrypted under user A's key KA,
- the Vault upon receipt of said message A ⊕ C1 obtaining the key KA based on the first portion of said message A, and decrypting said message portion C1 using key KA, verifying the identity of user A and verifying the decoded counter value BC1 by comparing with its own counter value and upon a successful verification of the user A and the counter value said Vault forming a second message to be sent to user B (receiver) at said second terminal, said second message including the message segment C1 from the first message and a new message segment comprising the identity A/B of the sender and receiver the Vault's current counter value and Data which message is encrypted as a function of user B's key KB,
- user B upon receipt of said second message from the Vault decoding same and saving the message C1 in a `Legal Store`, verifying the decoded counter value BC2 by comparing with his terminal's counter value and forming a third message B ⊕ C2 to be returned to the Vault said third message including the identity of user B in clear format as a first segment and a second segment C2 comprising at least the previous message segment C1, the terminal's current counter value BC3 and the identity A/B of the sender and receiver, enciphering this second message segment under key KB, and sending the message B ⊕ C2 to the Vault,
- the Vault upon receipt of the message from the user B decrypting the message C2 to obtain segment C1 therefrom and verifying the decoded counter value BC3 with its own counter value, said Vault then forming a fourth message C1 ⊕ C2 ⊕ BC4 where BC4 is the Vault's current counter value and encrypting said message as a function of user A's key KA and sending said message to user A,
- user A upon receipt of said fourth message from the Vault decrypting the message to obtain C1 and C2 verifying the decoded counter value with its own counter value, and storing C2 in a `Legal Store`.
13. A high security electronic signature verification system for use in a computer based communication facility comprising a central data communication network controller which includes a high security verify unit (Vault) therein said system further including at least two remotely located terminals selectively connectable to said Vault over said data communication network and wherein said Vault and each of said terminals connected to said system includes substantially identical key-controlled block-cipher cryptographic devices included therein and wherein said Vault has available therein means for obtaining the individual keys KX of each terminal (or user X) connected to said system, and wherein said Vault and all terminals connected to the system each contain synchronized binary counters said system comprising:
- means at a first terminal (sender) for enabling User A to send the Vault a first message (A ⊕ C1) including a first segment which comprises an identification code of the user A in clear format and a second segment C1 including at least an identification of the sender, user A, the receiver user B (A/B) the current value (BC1) of the counter resident in user A's terminal and the message to be communicated to user B (Data) at a second terminal, said second portion being encrypted under user A's key KA,
- means in the Vault operative on receipt of said message A ⊕ C1 for obtaining the key KA based on the first portion of said message A, and means for decrypting said message portion C1 using said key KA, means for verifying the identity of user A and for verifying the decoded counter value BC1 by comparing it with its own counter value and means operable upon a successful verification of the user A and the counter value for forming a second message to be sent to user B (receiver) at said second terminal, said second message including the message segment C1 from the first message and a new message segment comprising the identity A/B of the sender and receiver the Vault's current counter value and Data and means for encrypting said second message as a function of user B's key KB,
- means in user B's terminal operable upon receipt of said second message from the Vault for decoding same and saving the message C1 in a `Legal Store`, means for verifying the decoded counter value BC2 by comparing it with the terminal's current counter value and means for forming a third message B ⊕ C2 to be returned to the Vault said third message including the identity of user B in clear format as a first segment and a second segment C2 comprising at least the previous message segment C1, the terminal's current counter value BC3 and the identity A/B of the sender and receiver, and means for enciphering the second message segment under key KB, and sending the message B ⊕ C2 to the Vault,
- means in the Vault operable on receipt of the third message from the user B for decrypting the message C2 to obtain segment C1 therefrom and means for verifying the decoded counter value BC3 against its own counter value, means for forming a fourth message C1 ⊕ C2 ⊕ BC4 where BC4 is the Vault's current counter value and for encrypting said fourth message as a function of user A's key KA and sending said message to user A,
- means in user A's terminal operable on receipt of said fourth message from the Vault for decrypting the message to obtain C1 and C2, verifying the decoded counter value with its own counter value, and for storing C2 in a `Legal Store`.
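The four-message exchange of claims 11 and 13 (the exchange of claims 1 and 6 with the counter checks added), sketched as an added example that is not part of the patent text. The toy Feistel cipher standing in for the block-cipher devices (not secure), the JSON field layout, the sample keys and the names `seal`, `unseal`, `Vault` and `run_transaction` are all assumptions made for illustration.

```python
import hashlib, json
KEYS = {"A": b"constructed-key-A", "B": b"constructed-key-B"}  # constructed KA, KB

def _feistel(key, data, rounds):
    # Toy 4-round Feistel over the whole segment: stand-in cipher, not secure.
    half = len(data) // 2
    parts = [data[:half], data[half:]]
    for i in rounds:
        target, source = parts[i % 2], parts[1 - i % 2]
        pad = hashlib.shake_256(key + bytes([i]) + source).digest(len(target))
        parts[i % 2] = bytes(a ^ b for a, b in zip(target, pad))
    return parts[0] + parts[1]

def seal(key, fields):                      # encrypt a segment under key KX
    return _feistel(key, json.dumps(fields).encode(), range(4))

def unseal(key, blob):                      # decrypt; garbage means wrong key
    try:
        return json.loads(_feistel(key, blob, (3, 2, 1, 0)))
    except ValueError:
        raise PermissionError("segment does not decrypt under the claimed key")

class Vault:
    def __init__(self, keys, counter):
        self.keys, self.counter = keys, counter
    def _open(self, clear_id, role, blob):  # key is picked by the clear-text ID
        f = unseal(self.keys[clear_id], blob)
        if f["ab"][role] != clear_id or f["bc"] != self.counter:
            raise PermissionError("identity or counter check failed")
        return f
    def second_message(self, a_id, c1):     # in: A + C1, out: message 2 under KB
        f = self._open(a_id, 0, c1)
        return seal(self.keys[f["ab"][1]], {"c1": c1.hex(), "ab": f["ab"],
                                            "bc": self.counter, "data": f["data"]})
    def fourth_message(self, b_id, c2):     # in: B + C2, out: message 4 under KA
        f = self._open(b_id, 1, c2)
        return seal(self.keys[f["ab"][0]], {"c1": f["c1"], "c2": c2.hex(), "bc": self.counter})

def run_transaction(vault, data, counter):
    """Play terminals A and B; return (C1, Data as read by B, Legal Stores)."""
    c1 = seal(KEYS["A"], {"ab": ["A", "B"], "bc": counter, "data": data})
    m2 = unseal(KEYS["B"], vault.second_message("A", c1))
    if m2["bc"] != counter:
        raise PermissionError("B: counter in message 2 is stale")
    c2 = seal(KEYS["B"], {"c1": m2["c1"], "ab": m2["ab"], "bc": counter})
    m4 = unseal(KEYS["A"], vault.fourth_message("B", c2))
    if m4["bc"] != counter or m4["c1"] != c1.hex():
        raise PermissionError("A: receipt does not match what was sent")
    return c1, m2["data"], {"B": bytes.fromhex(m2["c1"]), "A": bytes.fromhex(m4["c2"])}
```

After a run, B's Legal Store holds C1 (decryptable only under KA) and A's holds C2 (decryptable only under KB, with C1 embedded), which is the pair the abstract says an arbiter relies on.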
Specification