Initial secret key establishment including facilities for verification of identity

US 6,061,791 A
Filed: 04/22/1999
Issued: 05/09/2000
Est. Priority Date: 05/09/1997
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a secret cryptographic key shared between an applicant and an issuer comprising the steps of:

providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability;

generating said secret key using at least some random information at an applicant end;

generating a pass reply message using at least some arbitrary information at said applicant end;

encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;

sending said encryption message to said issuer by telecommunications means;

decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;

receiving a second communication from said applicant at said issuer end separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply;

confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An issuer offers any type of service secured with a secret cryptographic key assigned to an applicant according to the present invention, which includes a secret key registration process. Usually, the secret key will be loaded on a portable memory device or other secret key store of the applicant. As preliminary steps, the issuer sets up its public key for the Probabilistic Encryption Key Exchange (PEKE) cryptosystem, and the applicant obtains a copy of a secret key registration software, a copy of the issuer'"'"'s public key, and an uninitialized portable memory device. Once initiated by the applicant, the registration software generates an internal PEKE secret key. The applicant chooses a registration pass query and pass reply that the registration software MACs and encrypts with a key derived from the PEKE secret key. The registration software derives the key assigned to the applicant from the PEKE secret key, and loads it into the secret key store. A message is sent to the issuer data processing center where the cryptographic processing (PEKE, MAC, encryption) is reversed. Using an alternate channel (e.g. telephone conversation) an issuer agent verifies the identity of the applicano: the agent asks the pass query, the applicant replies with the pass reply, and the issuer verifies the applicant'"'"'s knowledge of some relevant personal data. The issuer agent can approve the applicant'"'"'s registration in the issuer database. There is no need for the issuer to personalize either the software or the secret key store before delivery to the applicant, and there is a single personal contact between the applicant and the issuer agent.

Citations

15 Claims

1. A method of establishing a secret cryptographic key shared between an applicant and an issuer comprising the steps of:
- providing said applicant with a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability;
  
  generating said secret key using at least some random information at an applicant end;
  
  generating a pass reply message using at least some arbitrary information at said applicant end;
  
  encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
  
  sending said encryption message to said issuer by telecommunications means;
  
  decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
  
  receiving a second communication from said applicant at said issuer end separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply;
  
  confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein said step of confirming comprises displaying said pass reply decrypted to an agent at said issuer end.
  - 3. The method according to claim 1, wherein said step of receiving a communication from said applicant comprises establishing telephonic communication with an agent at said issuer end and said applicant.
  - 4. The method according to claim 3, further comprising a step of generating a pass query, wherein said step of encrypting comprises encrypting said pass query, said step of decrypting comprises decrypting said pass query, and further comprising a step of communicating said pass query to said applicant from said issuer end prior to receiving said pass reply in said communication, whereby said applicant is reassured that said issuer is genuine as a result of hearing said pass query, and feels safe to proceed with giving said pass reply.
  - 5. The method according to claim 4, wherein said step of communicating comprises displaying said pass query decrypted to said agent.
  - 6. The method according to claim 3, wherein said agent is provided with some personal indentification information about said applicant, said step of confirming further comprising said agent asking a personal identification question to said applicant and listening for a correct response.
  - 7. The method according to claim 5, wherein said agent is provided with some personal indentification information about said applicant, said step of confirming further comprising said agent asking a personal identification question to said applicant and listening for a correct response.
  - 8. The method according to claim 1, wherein said pass reply is input by said applicant.
  - 9. The method according to claim 1, wherein said pass reply is displayed to said applicant.
  - 10. The method according to claim 1, further comprising a step of selecting a personal identification number (PIN) for said applicant, wherein said step of encrypting further comprises encrypting said PIN, said step of decrypting further comprises decrypting said PIN, said PIN being stored at said issuer end for use in verification of future transactions.
  - 11. The method according to claim 1, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device.

12. A method of applying for approval of a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of:
- obtaining a registration computer program means, said registration computer program means having a public key of said issuer and public key encryption capability;
  
  generating said secret key using at least some random information;
  
  generating a pass reply message using at least some arbitrary information;
  
  encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
  
  sending said encryption message to said issuer by telecommunications means;
  
  communicating said pass reply to said issuer end separately from said encryption message over a channel that enables said issuer to ascertain said pass reply to be genuinely from said applicant, said communication containing said pass reply.
- View Dependent Claims (13)
- - 13. The method according to claim 12, wherein said applicant possesses a smart card device and uses a smart card device interface connected to said program means, said secret key being loaded into said smart card device.

14. A method of approving a secret cryptographic key to be shared between an applicant and an issuer comprising the steps of:
- receiving at least one encryption message from said applicant by telecommunications means, said message including an encryption of a secret key and a pass reply using public key encryption with a public key of said issuer, said message including information allowing said issuer to identify said applicant;
  
  ;
  
  decrypting said encryption message to retrieve said secret key and said pass reply using a private key of said issuer;
  
  receiving a second communication from said applicant separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply;
  
  confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.

15. A system for establishing a secret cryptographic key shared between an applicant and an issuer comprising:
- applicant registration means having a public key of said issuer and public key encryption capability for generating said secret key using at least some random information at an applicant end, for generating a pass reply message using at least some arbitrary information at said applicant end, and for encrypting said secret key and said pass reply using said public key to form at least one encryption message, said message including information allowing said issuer to identify said applicant;
  
  means for sending said encryption message to said issuer by telecommunications means;
  
  means for decrypting said encryption message at an issuer end to retrieve said secret key and said pass reply using a private key of said issuer;
  
  means for receiving a second communication from said applicant at said issuer end separate from said encryption message over a channel that enables said issuer to ascertain said second communication to be genuinely from said applicant, said second communication containing said pass reply;
  
  means for confirming a validity of said secret key at least with said issuer if said pass reply received during said second communication matches said pass reply decrypted, whereby said secret key may be confirmed for use in future transactions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Connotech Experts-Conseils Incorporated
Original Assignee
Connotech Experts-Conseils Incorporated
Inventors
Moreau, Thierry
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
DI LORENZO, ANTHONY

Application Number

US09/296,378
Time in Patent Office

383 Days
Field of Search

380/283, 380/285, 713/168, 713/169, 713/171
US Class Current

713/171
CPC Class Codes

H04L 2209/56 Financial cryptography, e.g...

H04L 9/0841 involving Diffie-Hellman or...

Initial secret key establishment including facilities for verification of identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Initial secret key establishment including facilities for verification of identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links