Claims
I claim:
1. In a communication system having a plurality of terminal devices coupled
to a channel over which users of said terminal devices may exchange
messages, at least some users having a public key and an associated key,
an improved method for managing authority by digitally signing and
certifying a message to be transmitted to an independent recipient
comprising the steps of:
formulating at least a portion of a digital message;
digitally signing at least said portion of said message; and
including within said message an authorizing digital certificate having a
plurality of digital fields created by a certifier, said authorizing
certificate being created by the steps of:
specifying by the certifier in at least one of said digital fields, the
authority which is vested in the certifier and which has been delegated to
the signer of said message, by including sufficient digital information to
enable said independent recipient of said message to verify, by
electronically analyzing said message in accordance with a predetermined
validation algorithm, that the authority exercised by the signer in
signing the content of said message created by the signer was properly
exercised by the signer in accordance with the authority delegated by the
certifier; and
identifying the certifier who has created the signer's certificate in other
of said digital fields by including sufficient digital information for
said recipient of the message to determine by electronically analyzing
said message that the certifier has been granted the authority to grant
said delegated authority.
2. A method according to claim 1, further including the step of providing
at least one digital field in said message identifying the nature of the
digital data being transmitted.
3. A method according to claim 2, wherein the nature of the digital data is
identified as being a digital signature.
4. A method according to claim 2, wherein the nature of the digital data is
identified as being a certificate.
5. A method according to claim 2, wherein the nature of the digital data is
identified as being a business document.
6. A method according to claim 1, wherein the formulating step includes the
step of providing a digital field allowing the user to insert a
predetermined comment regarding the data being transmitted.
7. A method according to claim 1, further including the step of applying a
hashing function to at least a portion of the message to be transmitted to
form a presignature hash; and wherein said digitally signing step includes
the step of processing said presignature hash with the signer's private
key to form said digital signature.
8. A method according to claim 7, further including the step of forming a
digital signature packet comprising the digital signature and a
representation of said at least a portion of the message to be
transmitted.
9. A method according to claim 1, wherein said authorizing certificate
includes digital fields defining the cosignature requirements which must
accompany the signer's signature in order for the signer's signature to be
treated as properly authorized.
10. A method according to claim 9, wherein said digital fields defining
co-signature requirements set forth a required digital signature by a
specified third party indicating approval of the signer's signature to
thereby define a counter signature requirement.
11. A method according to claim 10, wherein the third party countersigns by
digitally signing the signer's digital signature.
12. A method according to claim 9, wherein the cosignature requirements
include a digital field specifying at least one other digital signature
which is required to appear in the digital message thereby defining a
joint signature requirement.
13. A method according to claim 1, wherein said authorizing certificate
includes at least one digital field defining limitations as to the
authority granted by the certificate.
14. A method according to claim 1, wherein said authorizing certificate
defines the plurality of the signer.
15. A method according to claim 13, further including the step of
specifying a monetary limit for the signer in a digital field in said
certificate.
16. A method according to claim 1, wherein said authorizing certificate
includes at least one digital field defining a trust level indicative of
the degree of responsibility delegated to the signer by the certifier.
17. A method according to claim 1, wherein said identifying step includes
the step of specifying in digital fields in said authorizing certificate a
hierarchy of certificates, whereby a recipient of the message can
electronically verify in accordance with a predetermined validation
algorithm the authority of the signer based upon an analysis of the signed
message.
18. A method according to claim 1, wherein said step of creating an
authorizing certificate includes the steps of creating a certificate by a
certifier, whereby the certifier signs the certificate by using the
private key associated with one of the certifier's own certificates.
19. A method according to claim 1, including the step of transmitting a
plurality of certificates, and wherein at least one of the transmitted
certificates is a meta-certificate, where a meta-certificate is a digital
authorizing certificate from which authority flows which originates from a
trusted source commonly known to both the signer and prospective
recipients.
20. In a communications system having a plurality of terminal devices
coupled to a communications channel over which users of said terminal
devices may exchange messages, at least some of said users having a public
key and an associated private key, an improved method of digitally signing
and certifying a message to be transmitted for managing authority
comprising the steps of:
formulating at least a portion of a digital message;
digitally signing at least said portion of said message;
including within said message an authorizing digital certificate having a
plurality of digital fields created for the signer by a certifier, said
authorizing certificate being created by the steps of:
specifying by the certifier in at least one of said digital fields at least
one party whose digital signature, in addition to the signer's signature,
is required to be transmitted with said message in order for said signer's
signature to be treated as properly authorized; and
identifying the certifier who has created the signer's certificate in other
of said digital fields by including sufficient digital information to
enable the recipient of said message to determine by electronically
analyzing said message that the certifier has been granted the authority
to certify the signer's certificate.
21. A method according to claim 20, wherein said certificate includes
digital fields representative of a list of each of the public keys of the
parties at least one of which is required to cosign any message signed
with the authority of the certificate.
22. A method according to claim 20, wherein said certificate includes
digital fields representative of a list of public keys of the parties at
least one of which may be required to sign any message created under the
authority of said certificate and a field defining the minimum number of
such signatures which must appear in said message in order for the
signer's signature to be treated as properly authorized.
23. A method according to claim 20, wherein said certificate includes
digital fields representative of a list of each of the certificates of the
parties at least one of which is required to sign any message created
under the authority of said certificate.
24. A method according to claim 20, including the step of including digital
fields in said message associating with each digital signature in said
message an authorizing certificate generated by a certifying party which
specifies the authority which has been granted to the message sender.
25. A method according to claim 21, further including the steps of
transmitting said message including said certificates and verifying at the
recipient's terminal device each signature through the use of at least one
public key.
26. A method according to claim 20, wherein said step of including an
authorizing certificate includes the step of defining a hierarchical ladder
of certificates within digital fields in the transmitted message, whereby
a recipient of the message can electronically verify in accordance with a
predetermined validation algorithm the authority of the sender based upon
an analysis of the signed message.
27. A method according to claim 20, further including the step of creating
an authorizing certificate by a certifier, wherein the certifier creates a
certificate by signing the certificate by using the private key associated
with one of the certifier's own certificates.
28. A method according to claim 20, further including the step of providing
at least one field in said message identifying the nature of the digital
data being transmitted.
29. A method according to claim 28, wherein the nature of the digital data
is identified as being a digital signature.
30. A method according to claim 28, wherein the nature of the digital data
is identified as being a digital certificate.
31. A method according to claim 20, further including the step of applying
a hashing function to at least a portion of the message to be transmitted
to form a presignature hash; and wherein said digitally signing step
includes the step of processing said presignature hash with the signer's
private key to form said digital signature.
32. A method according to claim 20, wherein said authorizing certificate
includes at least one digital field defining the requirement of at least
one digital signature by at least one third party indicating approval of
the sender's signature, thereby defining a countersignature requirement,
wherein the third party countersigns by digitally signing the sender's
digital signature.
33. A method according to claim 20, wherein said authorizing certificate
includes at least one digital field specifying at least one additional
party required to sign said portion of the digital message to thereby
define a joint signature requirement.
34. A method according to claim 20, wherein said authorizing certificate
includes at least one digital field defining limitations as to the
authority granted by the certificate.
35. A method according to claim 34, wherein said limitations include a
monetary limit for the signer.
36. A method according to claim 20, wherein said authorizing certificate
includes at least one digital field indicative of the degree of
responsibility delegated to the signer by the certifier.
37. A method according to claim 36, wherein said at least one field defines
a trust level indicating the degree of responsibility the certifier is
willing to assume for subcertification done by the signer.
38. A method according to claim 20, wherein said authorizing certificate
includes at least one field identifying the signer.
39. A method according to claim 20 further including the step of
transmitting a plurality of certificates, and wherein at least one of the
transmitted certificates is a meta-certificate where a meta-certificate is
a digital authorizing certificate from which all authority flows, said
meta-certificate originating from a trusted source commonly known to both
the signer and the recipient.
40. A method of digitally signing and certifying a sender's message to
enable a recipient to determine that the sender is properly authorized
comprising the steps of:
specifying in at least one digital field in an authorizing digital
certificate created by a certifier the delegated authority which has been
granted to the sender, said authorizing certificate including a plurality
of digital fields;
identifying in other of said digital fields in said certificate the
identity of the certifier by including sufficient digital information for
said recipient to determine that the certifier has been granted the
authority to grant the delegated authority;
transmitting a message to said recipient having at least one digital
signature, said message including said digital certificate which specifies
the authority which has been granted to the sender;
receiving said message by said recipient and validating the identity of the
sender by electronically analyzing the at least one digital signature; and
determining the authority which has been granted to the sender by analyzing
the delegated authority information specified in said authorizing
certificate and determining by electronically analyzing said digital
fields that said certifier has been granted the authority to grant said
delegated authority.
41. A method according to claim 40, wherein said at least one digital
signature is created by computing a presignature hash and said step of
validating the identity of the sender including the step of recomputing
said presignature hash with the received message,
encrypting the signature to be verified, comparing the recomputed
presignature hash and said encrypted signature to be verified; and
rejecting said signature if there is not a match.
42. A method according to claim 41, wherein said encrypting operation is
performed with the sender's public encrypting key.
43. A method according to claim 40, further including the step of
electronically verifying by a predetermined verification algorithm that
the received message is identical to the message as it was initially
signed.
44. A method according to claim 40, further including the steps of:
specifying in digital fields in said message at least one digital signature
in addition to the signer's signature required to be transmitted;
transmitting said at least one digital signature required to be transmitted
and at least one associated certificate;
electronically examining, upon receipt of said message, all received
digital certificates and signatures; and
determining in accordance with a predetermined validation algorithm that
all necessary signatures are present and that the sender is properly
authorized based on data contained in said certificates.
45. A method according to claim 40, wherein said authorizing certificate
includes at least one field defining the identity of the signer.
46. A method according to claim 40, further including transmitting a
plurality of certificates and wherein at least one of the transmitted
certificates is a meta-certificate, where a meta-certificate is a digital
authorizing certificate from which authority flows which originates from a
trusted source commonly known to both the signer and the recipient.
Description
FIELD OF THE INVENTION
This invention relates to a cryptographic communications system and method.
More particularly, the invention relates to a public key or signature
cryptosystem having improved digital signature certification for
indicating the identity, authority and responsibility levels associated
with at least the sender of a digital message.
BACKGROUND AND SUMMARY OF THE INVENTION
The rapid growth of electronic mail systems, electronic funds transfer
systems and the like has increased concerns over the security of the data
transferred over unsecured communication channels. Cryptographic systems
are widely used to insure the privacy and authenticity of messages
communicated over such insecure channels.
In a conventional cryptographic system, a method of encryption is utilized
to transform a plain text message into a message which is unintelligible.
Thereafter, a method of decryption is utilized for decoding the encrypted
message to restore the message to its original form.
Conventional cryptographic signature and authentication systems typically
utilize a "one way" hashing function to transform the plain text message
into a form which is unintelligible. A "hashing" function as used herein
is a function which can be applied to an aggregation of data to create a
smaller, more easily processed aggregation of data.
An important characteristic of the hashing function is that it be a
"one-way" function. A hash is a "one-way" function, if it is far more
difficult to compute the inverse of the hashing function than it is to
compute the function. For all practical purposes, the value obtained from
applying the hashing function to the original aggregation of data is an
unforgeable unique fingerprint of the original data. If the original data
is changed in any manner, the hash of such modified data will likewise be
different.
In conventional cryptographic systems, binary coded information is
encrypted into an unintelligible form called cipher and decrypted back
into its original form utilizing an algorithm which sequences through
encipher and decipher operations utilizing a binary code called a key. For
example, the National Bureau of Standards in 1977 approved a block cipher
algorithm referred to as the Data Encryption Standard (DES). Data Encryption
Standard, FIPS PUB 46, National Bureau of Standards, Jan. 5, 1977.
In DES, binary coded data is cryptographically protected using the DES
algorithm in conjunction with a key. Each member of a group of authorized
users of encrypted computer data must have the key that was used to
encipher the data in order to use it. This key held by each member in
common is used to decipher the data received in cipher form from other
members of the group.
The key chosen for use in a particular application makes the results of
encrypting data using the DES algorithm unique. Selection of a different
key causes the cipher that is produced for a given set of inputs to be
different. Unauthorized recipients of the cipher text who know the DES
algorithm, but who do not have the secret key, cannot derive the original
data algorithmically.
Thus, the cryptographic security of the data depends on the security
provided for the key used to encipher and decipher the data. As in most
conventional cryptographic systems the ultimate security of the DES system
critically depends on maintaining the secrecy of the cryptographic key.
Keys defined by the DES system include sixty-four binary digits of which
fifty-six are used directly by the DES algorithm as the significant digits
of the key and eight bits are used for error detection.
In such conventional cryptographic systems, some secure method must be
utilized to distribute a secret key to the message sender and receiver.
Thus, one of the major difficulties with existing cryptographic systems is
the need for the sender and receiver to exchange a single key in such a
manner that an unauthorized party does not have access to the key.
The exchange of such a key is frequently done by sending the key, prior to
a message exchange, via, for example, a private courier or registered
mail. While providing the necessary security such key distribution
techniques are usually slow and expensive. If the need for the sender and
receiver is only to have one private message exchange, such an exchange
could be accomplished by private courier or registered mail, thereby
rendering the cryptographic communication unnecessary. Moreover, if the
need to communicate privately is urgent the time required to distribute
the private key causes an unacceptable delay.
Public key cryptographic systems solve many of the key distribution
problems associated with conventional cryptographic systems. In public key
cryptographic systems the encrypting and decrypting processes are
decoupled in such a manner that the encrypting process key is separate and
distinct from the decrypting process key. Thus, for each encryption key
there is a corresponding decryption key which is not the same as the
encryption key. Even with knowledge of the encryption key, it is not
feasible to compute the decryption key.
With a public key system, it is possible to communicate privately without
transmitting any secret keys. The public key system does require that an
encryption/decryption key pair be generated. The encryption keys for all
users may be distributed or published and anyone desiring to communicate
simply encrypts his or her message under the destination user's public
key.
Only the destination user, who retains the secret decrypting key, is able
to decipher the transmitted message. Revealing the encryption key
discloses nothing useful about the decrypting key, i.e., only persons
having knowledge of the decrypting key can decrypt the message. The RSA
cryptographic system which is disclosed in U.S. Pat. No. 4,405,829 issued
to Rivest et al. discloses an exemplary methodology for a practical
implementation of a public key cryptographic system.
A major problem in public key and other cryptographic systems is the need
to confirm that the sender of a received message is actually the person
named in the message. An authenticating technique utilizing "digital
signatures" allows a user to employ his secret key to "sign a message"
which the receiving party or a third party can validate using the
originator's public key. See for example U.S. Pat. No. 4,405,829.
A user who has filed a public key in a publicly accessible file can
digitally sign a message by decrypting the message or a hash of it with
the user's private key before transmitting the message. Recipients of the
message can verify the message or signature by encrypting it with the
sender's public encryption key. Thus, the digital signature process is
essentially the reverse of the typical cryptographic process in that the
message is first decrypted and then encrypted. Anyone who has the user's
public encryption key can read the message or signature, but only the
sender having the secret decryption key could have created the message or
signature.
Serious problems still persist in public key cryptosystems of assuring that
a specified public key is that actually created by the specified
individual. One known technique for addressing this problem is to rely on
some trusted authority, e.g., a governmental agency, to insure that each
public key is associated with the person who is claiming to be the true
author.
The trusted authority creates a digital message which contains the
claimant's public key and the name of the claimant (which is accurate to
the authority's satisfaction) and a representative of the authority signs
the digital message with the authority's own digital signature. This
digital message, often known as a certificate, is sent along with the use
of the claimant's own digital signature. Any recipient of the claimant's
message can trust the signature, provided that the recipient recognizes
the authority's public key (which enables verification of the authority's
signature) and to the extent that the recipient trusts the authority.
Prior to the present invention, the transmitted certificate failed to
provide any indication of the degree of trust or the level of
responsibility with which the sender of the message should be empowered.
Instead, the certification merely indicates that the identified trusted
authority recognized the sender's public key as belonging to that person.
The public key system is designed to operate such that the public keys of
various users are published to make private communications easier to
accomplish. However, as the number of parties who desire to use the public
key system expands, the number of published keys will soon grow to a size
where the issuing authority of the public keys can not reasonably insure
that the parties whose public keys are published are, in fact, the people
who they are claiming to be. Thus, a party may provide a public key to be
maintained in the public directory under the name of the chairman of a
major corporation, e.g., General Motors Corporation. Such an
individual may then be in a position to receive private messages directed
to the chairman of General Motors or to create signatures which ostensibly
belong to the impersonated chairman.
There are also technologies for producing digital signatures which may not
require full public key capability, including, for example, the
Fiat-Shamir algorithm. Any digital signature methodology may be employed
to implement the digital signatures referenced herein. Any reference to
public key cryptosystems should also be construed to reflect signature
systems. Any reference to public key decryption should be taken as a
generalized reference to signature creation and any reference to
encryption should be taken as a reference to signature verification.
The present invention addresses such problems with the public key or
signature cryptographic system relating to authenticating the identity of
the public key holder by expanding the capability of digital signature
certification. In this regard, a certification methodology is utilized
which employs multiple level certification while at the same time
indicating the authority and responsibility levels of the individual whose
signature is being certified as is explained in detail below.
The present invention enhances the capabilities of public key cryptography
so that it may be employed in a wider variety of business transactions,
even those where two parties may be virtually unknown to each other.
The digital signature certification method and apparatus of the present
invention provides for a hierarchy of certifications and signatures. It
also allows for co-signature requirements. In this regard,
counter-signature and joint-signature requirements are referenced in each
digital certification to permit business transactions to take place
electronically, which heretofore often only would take place after at
least one party physically winds his way through a corporate bureaucracy.
In the present invention, a digital signature is certified in a way which
indicates the authority that has been granted to the party being certified
(the certifiee). The certifier in constructing a certificate generates a
special message that includes fields identifying the public key which is
being certified, and the name of the certifiee. In addition, the
certificate constructed by the certifier includes the authority which is
being granted and limitations and safeguards which are imposed including
information which reflects issues of concern to the certifier such as, for
example, the monetary limit for the certifiee and the level of trust which
is granted to the certifiee. The certificate may also specify
co-signature requirements as being imposed upon the certifiee.
The present invention further provides for certifying digital signatures
such that the requirement for further joint certifying signatures is made
apparent to any receiver of a digital message. The requirement for joint
signatures is especially useful in transactions where money is to be
transferred or authorized to be released. To accomplish this end, the
certificate of the present invention is constructed to reflect (in
addition to the public key and the name of the certifiee and other fields)
the number of joint signatures required and an indication as to the
identity of qualifying joint signers. Thus, an explicit list of each of
the other public key holders that are required to sign jointly may be
included in the certificate. In this fashion, the recipient is informed
that any material which is signed by the authority of the sender's
certificate, must also be signed by a number of other specified signators.
The recipient is therefore able to verify other joint and counter
signatures by simply comparing the public keys present in each signature
in the certificate. The present invention also includes other ways of
indicating co-signature requirements such as by indicating other
certificates. Such indications of other public key holders may be explicit
(with a list as described here), or implicitly, by specifying some other
attribute or affiliation. This attribute or affiliation may also be
indicated in each co-signer's certificate.
Additionally, the present invention provides for the certification of
digital signatures such that a trust level is granted to the recipient for
doing subcertifications. In this manner, a trust level of responsibility
flows from a central trusted source.
In an exemplary embodiment of the present invention, a certifier is
permitted to assign with one predetermined digital code a trust level
which indicates that the certifier warrants that the user named in the
certificate is known to the certifier and is certified to use the
associated public key. However, by virtue of this digital code, the user
is not authorized to make any further identifications or certifications on
the certifier's behalf. Alternatively, the certifier may issue a
certificate having other digital codes including a code which indicates
that the user of the public key is trusted to accurately identify other
persons on the certifier's behalf and is further trusted to delegate this
authority as the user sees fit.
The present invention further provides for a user's public key to be
certified in multiple ways (e.g., certificates by different certifiers).
The present invention contemplates including the appropriate certificates
as part of a user's signed message. Such certificates include a
certificate for the signer's certifier and for the certifiers' certifier,
etc., up to a predetermined certificate which is trusted by all parties
involved. When this is done, each signed message unequivocally contains
the ladder or hierarchy of certificates and the signatures indicating the
sender's authority. A recipient of such a signed message can verify that
authority such that business transactions can be immediately made based
upon an analysis of the signed message together with the full hierarchy of
certificates.
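The recipient-side validation summarized above (signature checked against a recomputed presignature hash, monetary limit, joint-signature requirement, and the ladder of certificates traced to a commonly trusted meta-certifier), as an added example that is not part of the patent text. The field names, the trust codes 0 and 1, the rule that a certifier cannot delegate a larger limit than it holds, and the toy textbook-RSA keys built from fixed Mersenne primes are assumptions made for illustration; the keys are not secure.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys (assumption)

def keypair(p, q):
    """Textbook RSA from two fixed primes. Illustration only, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def presig_hash(obj, n):
    """Presignature hash: SHA-256 of a canonical encoding, reduced mod n."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(obj, key):
    # Signing = processing the presignature hash with the private key.
    return pow(presig_hash(obj, key["n"]), key["d"], key["n"])

def verify(obj, sig, pub_n):
    # Verifying = applying the public key to the signature and comparing
    # the result with a freshly recomputed presignature hash.
    return pow(sig, E, pub_n) == presig_hash(obj, pub_n)

def make_cert(name, pub_n, issuer, limit, trust, joint=(), need=0):
    """Authorizing certificate; field names are hypothetical.
    trust: 0 = identified only, 1 = may certify others (assumed codes)."""
    body = {"name": name, "pub": pub_n, "issuer": issuer["n"], "limit": limit,
            "trust": trust, "joint": list(joint), "need": need}
    return {"body": body, "sig": sign(body, issuer)}

def validate(msg, meta_pub, max_depth=8):
    """Recipient-side check of one message; returns (ok, reason)."""
    doc, sigs = msg["doc"], msg["sigs"]
    certs = {c["body"]["pub"]: c for c in msg["certs"]}
    valid = {s["pub"] for s in sigs if verify(doc, s["sig"], s["pub"])}
    signer = sigs[0]["pub"]
    if signer not in valid:
        return False, "signer signature does not match document"
    cert = certs.get(signer)
    if cert is None:
        return False, "no certificate for signer"
    body = cert["body"]
    if doc["amount"] > body["limit"]:
        return False, "amount exceeds signer's monetary limit"
    if len(valid & set(body["joint"])) < body["need"]:
        return False, "required joint signature missing"
    for _ in range(max_depth):  # climb the ladder of certificates
        if not verify(body, cert["sig"], body["issuer"]):
            return False, "certificate signature invalid"
        if body["issuer"] == meta_pub:
            return True, "authority traced to meta-certifier"
        parent = certs.get(body["issuer"])
        if parent is None:
            return False, "ladder broken: issuer certificate missing"
        if parent["body"]["trust"] < 1:
            return False, "issuer not trusted to certify others"
        if body["limit"] > parent["body"]["limit"]:
            return False, "issuer delegated more than it holds"
        cert, body = parent, parent["body"]
    return False, "ladder too long"

# --- Constructed sample data (all parties and values are invented) ---
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
meta = keypair(M107, M127)      # trusted source known to all parties
manager = keypair(M89, M127)
clerk = keypair(M61, M89)
auditor = keypair(M61, M107)
mallory = keypair(M89, M107)

manager_cert = make_cert("manager", manager["n"], meta, 100000, trust=1)
clerk_cert = make_cert("clerk", clerk["n"], manager, 5000, trust=0,
                       joint=[auditor["n"]], need=1)
# The clerk holds trust 0, so this sub-certification must be rejected.
mallory_cert = make_cert("mallory", mallory["n"], clerk, 5000, trust=0)

def build(doc, signers, certs):
    """Assemble a message: document, signatures, and accompanying ladder."""
    sigs = [{"pub": k["n"], "sig": sign(doc, k)} for k in signers]
    return {"doc": doc, "sigs": sigs, "certs": certs}

def run_cases():
    ladder = [clerk_cert, manager_cert]
    pay = {"payee": "ACME", "amount": 3000}
    big = dict(pay, amount=9000)
    tampered = build(pay, [clerk, auditor], ladder)
    tampered["doc"] = dict(pay, amount=4000)  # altered after signing
    root = meta["n"]
    return {
        "ok": validate(build(pay, [clerk, auditor], ladder), root),
        "no_cosigner": validate(build(pay, [clerk], ladder), root),
        "over_limit": validate(build(big, [clerk, auditor], ladder), root),
        "untrusted_certifier": validate(
            build(pay, [mallory], [mallory_cert] + ladder), root),
        "tampered": validate(tampered, root),
    }

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:20s} {result}")
```

Each rejection reason corresponds to one certificate field, so a recipient can tell a missing co-signature apart from an exceeded limit or an unauthorized sub-certification.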
BRIEF DESCRIPTION OF THE DRAWINGS
These as well as other features of this invention will be better
appreciated by reading the following description of the preferred
embodiment of the present invention taken in conjunction with the
accompanying drawings of which:
FIG. 1 is an exemplary block diagram of a cryptographic communications
system in accordance with an exemplary embodiment of the present
invention;
FIG. 2 is a flow diagram that indicates how a digital signature is created
in accordance with an exemplary embodiment of the present invention;
FIG. 3 is a flow diagram that indicates how a digital signature created in
accordance with FIG. 2 is verified;
FIG. 4 is a flow diagram that indicates how a countersignature is created
for a digital signature;
FIG. 5 is a flow diagram that indicates how a digital certificate is
created in accordance with an exemplary embodiment of the present
invention;
FIG. 6 is a flow diagram that indicates how a joint signature is added to a
certificate; and
FIG. 7 is a flow diagram that indicates how the signatures and certificates
are verified by a recipient of the transmitted message.
DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENT
FIG. 1 shows in block diagram form an exemplary communications system which
may be used in conjunction with the present invention. This system
includes an unsecured communication channel 12 over which communications
between terminals A,B . . . N may take place. Communication channel 12
may, for example, be a telephone line. Terminals A,B through N may, by way
of example only, be IBM PC's having a processor (with main memory) 2 which
is coupled to a conventional keyboard/CRT 4. Each terminal A,B through N
also includes a conventional IBM PC communications board (not shown) which
when coupled to a conventional modem 6, 8, 10, respectively, permits the
terminals to transmit and receive messages.
Each terminal is capable of generating a plain text or unenciphered
message, transforming the message to an encoded, i.e., enciphered form,
and transmitting the message to any of the other terminals connected to
communications channel 12 (or to a communications network (not shown)
which may be connected to communications channel 12). Additionally, each
of the terminals A,B through N is capable of decrypting a received
enciphered message to thereby generate a message in plain text form.
Each of the terminal users (as discussed above with respect to public key
systems) has a public encrypting key and an associated private secret
decrypting key. In the public key cryptosystem shown in FIG. 1, each
terminal user is aware of the general method by which the other terminal
users encrypt a message. Additionally, each terminal user is aware of the
encryption key utilized by the terminal's encryption procedure to generate
the enciphered message.
Each terminal user, however, by revealing his encryption procedure and
encryption key does not reveal his private decryption key which is
necessary to decrypt the ciphered message and to create signatures. In
this regard, it is simply not feasible to compute the decryption key from
knowledge of the encryption key. Each terminal user, with knowledge of
another terminal's encryption key, can encrypt a private message for that
terminal user. Only the terminal end user with his secret decrypting key
can decrypt the transmitted message.
Besides the capability of transmitting a private message, each terminal
user likewise has the capability of digitally signing a transmitted
message. A message may be digitally signed by a terminal user decrypting a
message with his private decrypting key before transmitting the message.
Upon receiving the message, the recipient can read the message by using
the sender's public encryption key. In this fashion, the recipient can
verify that only the holder of the secret decryption key could have
created the message. Thus, the recipient of the signed message has proof
that the message originated from the sender. Further details of a digital
signature methodology which may be used in conjunction with the present
invention are disclosed in U.S. Pat. No. 4,405,829.
Before describing the details of the enhanced digital certification in
accordance with the present invention, the general operation of FIG. 1 in
an electronic mail, public key cryptographic context will initially be
described. Initially, presume that the user of terminal A is a relatively
low level supervisor of a General Motors computer automated design team
who wishes to purchase a software package from a computer software
distributor located in a different state. The computer software
distributor has terminal N and an associated modem 10 located at his
store.
The General Motors supervisor at terminal A constructs an electronic
purchase order which identifies the item(s) being ordered and the address
to which the items must be sent as well as other items which are necessary
in a standard purchase order. It should be recognized that, although this
example relates to an electronic purchase order, any aggregation of data
which can be represented in a manner suitable for processing with whatever
public-key method is being used for signatures may likewise be
transmitted. In the more detailed description which follows such an
aggregation of data, e.g., a computer data file, will generically be
referred to as an "object".
The terminal A user, the General Motors supervisor, digitally signs the
purchase order under the authority of a certificate which is appended to
the transmitted message which will be discussed further below. Turning
first to the supervisor's digital signature, a message can be "signed" by
applying to at least a portion of the object being signed, the privately
held signature key. By signing an image of the object (or a more compact
version thereof known as a digest or hash of the object to be explained in
more detail below) with the secret key, it is possible for anyone with
access to the public key to encrypt this result and compare it with the
object (or a recomputed hash or digest version thereof). Because only the
owner of the public key could have used the secret key to perform this
operation, the owner of the public key is thereby confirmed to have signed
the message.
In accordance with the present invention, a digital signature is
additionally accompanied by at least one valid certificate which specifies
the identity of the signer and the authorization which the signer has been
granted. The certificate may be viewed as a special object or message
which specifies the identity of the user of a particular public key and
the authority which has been granted to that user by a party having a
higher level of authority than the user.
To be valid a certificate must be signed by the private key(s) associated
with one or more other valid certificates which are hereafter referred to
as antecedents to that certificate. Each of these antecedent certificates
must grant the signer the authority to create such a signature and/or to
issue the purchase order in our example. Each of the antecedent
certificates may in turn have its own antecedent(s).
An exemplary embodiment of the present invention contemplates utilizing an
ultimate antecedent certificate of all certificates, which is a
universally known and trusted authority, e.g., hypothetically the National
Bureau of Standards, and which is referred to as a meta-certificate. The
meta-certificate is the only item that needs to be universally trusted and
known. There may be several meta-certifiers, and it is possible that
meta-certificates may even reference each other for required
co-signatures.
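The signing and antecedent-chain checks described above can be sketched as follows. This is an added example, not code from the patent: it assumes toy textbook RSA over a SHA-256 digest, one antecedent per certificate, and authority modelled as a dollar limit, and every name in it is hypothetical.

```python
import hashlib
import json

def make_key(p, q, e=65537):
    # Toy textbook-RSA key (n, e, d): no padding, constructed primes, not for real use
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def digest(obj, n):
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def sign(obj, key):
    n, _, d = key
    return pow(digest(obj, n), d, n)         # private key applied to the hash

def verify(obj, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(obj, n)  # public key applied, then compared

def issue(subject, subject_key, limit, issuer, issuer_key):
    body = {"subject": subject, "pub": list(subject_key[:2]), "limit": limit, "issuer": issuer}
    return {"body": body, "sig": sign(body, issuer_key)}

def validate(order, order_sig, signer, certs, meta_name, meta_pub):
    """Check the message signature, then every antecedent up to the meta-certifier."""
    cert = certs.get(signer)
    if cert is None or not verify(order, order_sig, cert["body"]["pub"]):
        return "bad message signature"
    if order["amount"] > cert["body"]["limit"]:
        return "order exceeds signer's authority"
    for _ in range(len(certs)):              # bounded walk, so a cycle cannot loop forever
        body = cert["body"]
        if body["issuer"] == meta_name:
            return "valid" if verify(body, cert["sig"], meta_pub) else "bad certificate signature"
        parent = certs.get(body["issuer"])
        if parent is None or not verify(body, cert["sig"], parent["body"]["pub"]):
            return "broken antecedent chain"
        if body["limit"] > parent["body"]["limit"]:
            return "certificate exceeds antecedent's authority"
        cert = parent
    return "no path to meta-certifier"

# Constructed sample: meta-certifier -> manager -> supervisor (limits in dollars)
META, MANAGER, SUPERVISOR = (make_key(2**521 - 1, 2**607 - 1),
    make_key(2**107 - 1, 2**127 - 1), make_key(2**61 - 1, 2**89 - 1))
CERTS = {"manager": issue("manager", MANAGER, 50000, "meta", META),
         "supervisor": issue("supervisor", SUPERVISOR, 5000, "manager", MANAGER)}
ORDER = {"item": "software package", "amount": 1200}
ORDER_SIG = sign(ORDER, SUPERVISOR)
```

The recipient needs only the meta-certifier's public key in advance; every other key is taken from a certificate whose own signature has been checked.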
Turning back to our example, when the message is ultimately transmitted
from terminal A to the computer software distributor at terminal N, the
recipient, in a manner which will be described in detail below, verifies
the signature of the General Motors supervisor. Additionally, he verifies
that all the other signatures on the message certificate and the
antecedent certificates are present, which provides further assurance to
the terminal N software distributor that the transaction is valid and
completely authorized. As should be recognized, such assurances are
critically important prior to shipping purchased items and are perhaps
even more important in an electronic funds transfer context.
Any party who receives a message transmitted by the user of terminal A
(whether such a party is the ultimate recipient of the message at terminal
N or other parties within for example a corporate hierarchy such as
General Motors) can verify and validate A's signature and the authorit