[go: up one dir, main page]

WO2003081840A1 - Method and system relating to a non-repudiation message exchange - Google Patents

Method and system relating to a non-repudiation message exchange Download PDF

Info

Publication number
WO2003081840A1
WO2003081840A1 PCT/GB2003/000965 GB0300965W WO03081840A1 WO 2003081840 A1 WO2003081840 A1 WO 2003081840A1 GB 0300965 W GB0300965 W GB 0300965W WO 03081840 A1 WO03081840 A1 WO 03081840A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication method
message identifier
communicates
communication
encrypted
Prior art date
Application number
PCT/GB2003/000965
Other languages
French (fr)
Inventor
Melih Abdulhayoglu
Original Assignee
Melih Abdulhayoglu
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Melih Abdulhayoglu filed Critical Melih Abdulhayoglu
Priority to AU2003214390A priority Critical patent/AU2003214390A1/en
Publication of WO2003081840A1 publication Critical patent/WO2003081840A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to methods of communication and to communication systems.
  • M represents an original message
  • H represents a one way digest function such as a hash. Where different hash functions are used, these are distinguished as HI, H2 etc. For convenience the one-way digest functions are agreed between the parties.
  • Kr represents a release key used to decrypt an encrypted message M. Often this will also be the encryption key.
  • K represents a symmetric key.
  • Kl is a first symmetric key, K2 a second symmetric key etc.
  • Xpk represents a public key using user X's key.
  • Xsk represents a private key using user X's key.
  • Xsig (M) is X's digital signature of message M ie Xsk(H(M) ) .
  • A is a message originator/sender.
  • B is a message recipient.
  • T is a third party trusted transaction authority.
  • R is a transaction record.
  • K(M) is a message encrypted using a key K.
  • Bpk (Asi (K( ) ) ) is a message encrypted using a key K, taking a hash of K(M) , which is further encrypted using a secret key of A and finally encrypted using a public key of B.
  • any such method and system should have the following properties:
  • a sender (A) must have some way of proving that a recipient (B) received the message, should B later try to deny it .
  • B must have some way of proving that B could not read the message, should A later try to claim that B could do so. In some methods and systems it is enough for just one of the criteria to be satisfied.
  • a certified e-mail delivery communication method and system is suggested in "A Certified E-mail Protocol" by Bruce Schneier and James Riordan available at www. counterpane . com/certified-email .pdf .
  • A chooses a random key Kr and sends to B the encrypted message Kr (M) .
  • B sends to A a digitally signed message requesting A to publish the key for the received encrypted message, the hash of which is H(Kr(M)) by date D at location , which is a public record.
  • A publishes the pair H(Kr(M)) and Kr in L on or before date D.
  • B retrieves the key, Kr from L and decrypts the message.
  • location L will be a newspaper, . a world-wide web kiosk service or a Usenet newsgroup.
  • This method has the disadvantages that it involves an unnecessary number of process steps, B has to break the method to refuse delivery and the use of a public location for key release storage is potentially unreliable.
  • a communication method comprising a sender (A) sending to a recipient (B) a digital communication (M) encrypted with an encryption for which there is a release key (Kr) and a message identifier, the recipient communicating the message identifier to a third party (T) , the third party verifying the message identifier and communicating the release key (Kr) to the recipient for the recipient to decrypt the encrypted digital communication (Kr(M)).
  • the release key is generated as a session key.
  • the message identifier comprises a one-way function of predetermined data, which suitably is at least part of the encrypted message.
  • the message identifier is encrypted.
  • the message identifier sent from A to B is encrypted by a session key (K2) and the session key is communicated to B encrypted by B's public key (Bpk(K2)) .
  • the communication from A to B includes a digital signature from A.
  • the digital signature comprises Ask(H(K2)).
  • A communicates the message identifier to T in encrypted form.
  • A communicates to T Ask(H (Kr (M) ) ) .
  • A' s communication to T comprises a digital signature.
  • the digital signature comprises Ask(H(Kl)).
  • A communicates Tpk(Kl) to T.
  • the message identifier sent from B to T is generated by an operation carried out on the communication received by B from A.
  • the message identifier sent from A to B comprises Hl(Kr(M)) .
  • the message identifier sent from B to T comprises H2(Kr( ) wherein H1 ⁇ H2.
  • A communicates the release key (Kr) to T.
  • the communication of Kr is encrypted.
  • A communicates to T Bpk(Kr) .
  • A communicates to T Kl(Bpk(Kr) ) .
  • B communicates a message identifier to T with a digital signature.
  • the digital signature comprises Bsk(H (Kr (M) ) ) .
  • T communicates to B Bpk(Kr) .
  • T communicates to B Bpk(Kr) .
  • A communicates a message identifier to a transaction record.
  • B communicates a message identifier to a transaction record.
  • T communicates the encryption key (Kr) to a transaction record.
  • Kr the encryption key
  • T communicates an encrypted version of the encryption key to the transaction record.
  • the message identifier used between A and B differs from that used between A and T and B and T.
  • the message identifier used between A and T corresponds to that used between B and T.
  • H(Kr(M)) is the message identifier, which is generated by B .
  • the transaction record is time stamped to produce a time stamp record.
  • the time stamp record is published.
  • a communication system comprising a senders computer node, a recipients computer node and a third party computer node, which computer nodes are in communication via a distributed electronic network and configured to operate according to the method of the first aspect of the invention.
  • the message (M) may be data in any form eg financial or database data, as well as letters.
  • PKI public key infrastructure
  • RSA public key infrastructure
  • recognised digest function such as a hash.
  • the hash is a one-way function.
  • Figure 1 shows a schematic functional illustration of a protocol, method and system according to an embodiment of the present invention.
  • Figure 2 shows a schematic functional illustration of a protocol, method and system according to a second embodiment of the present invention.
  • Figure 3 shows a schematic functional illustration of a protocol, method and system according to another embodiment of the present invention.
  • Trent (T) is used as a trusted third party.
  • the operations of A, B and T are carried out on respective computer nodes 2, 4, 6 connected by a distributed electronic network such as the internet.
  • T maintains a TCP/IP server at computer node 6, typically using an ORACLE (trade mark) database.
  • the database provides user, account, financial, configuration and transaction details to the transaction server 6.
  • the operations on computer nodes 2, 4, 6 are carried out automatically by software thereon.
  • a given user may set options within the software enabling them to have the opportunity to refuse to accept communications and/or to authorise the onward transmission of data.
  • the digital message will be an e-mail message.
  • step 1 A transmits to T a message packet comprising:
  • A sends to T a session key (Kl) encrypted sub-packet message including the release key (Kr) for the message (M) , encrypted by B's public key and Kl, and a digital signature (AskHl (Kr (M) ) ) of the encrypted message (Kr(M)) .
  • A also sends T a digital signature of Kr for verification purposes.
  • A sends to T Tpk(Kl) to enable T to decrypt Kl therefrom using Tsk, thereby enabling T to decrypt message sub-packet la.
  • T can verify A as the source of the communication by verifying the digital signature of this step lc.
  • A sends to B a message packet comprising the following elements :
  • A sends to B K2(Kr(M), H2(Kr(M)), H2 (Kr) ) .
  • B has the encrypted message (Kr(M)), but needs the encryption key K2 to obtain Kr (M) and release key Kr to obtain the message M.
  • A sends to B Bpk(K2) thus enabling B with its secret key Bsk to obtain K2 , thereby enabling it access to Kr(M), to H2(Kr(M)) and to H2 (Kr) .
  • B can use H2(Kr(M)) -from step 2a- to verify the integrity of the received Kr(M) .
  • A sends to B Ask(H2(K2)) as a digital signature hash of K2 enabling B to verify that the message originates from A.
  • A sends to a transaction record (R) the following message:
  • the transaction record can, therefore, using A' s public key Apk obtain Hl(Kr(M)) and HI (Kr) as message identifiers and also by deriving this from use of A' s public key Apk, R (or anyone checking R) can verify that this originates from A.
  • B generates Hl(Kr(M) from the decrypted Kr (M) . If necessary information about which hash to use can be communicated to B via an open channel . B sends to T a message packet consisting of Bsk (HI (Kr (M) ) ) . Thus using B's public key (Bpk) T can obtain the message identifier Hl(Kr(M)).
  • B also transmits to T Bsk(Hl (Kr) ) to T as a Kr verification.
  • T first verifies that the Hl(Kr(M)) received from A matches the Hl(Kr(M)) received from B. Only if the two match does T proceed as follows:
  • T sends to B a message packet comprising the following elements :
  • T sends to B Bpk(Kr).
  • T sends to BTskHl (Bpk (Kr) ) .
  • B can use its own secret key (Bsk) to obtain the release key (Kr) , which release key can be used to decrypt the encrypted message (Kr(M)) to obtain the original message (M) .
  • B can verify the release key is correct by generating H2 (Kr) and comparing that with the H2 (Kr) received originally from A.
  • Tsk HI (Bpk (Kr) )
  • B sends Bsk (HI (Kr (M) ) ) to the transaction record R.
  • B sends Bsk HI (Kr) ) to the transaction record R.
  • the transaction record can verify that it has received from both A and B message identifiers in digested hash form.
  • B can only have obtained the hash digests from A which confirms both B's receipt of the message and A's transmission thereof.
  • T sends to the transaction record Bpk(Kr) .
  • A can refer to the transaction record showing B has sent Hl(Kr(M)) to R, B can only have generated Hl(Kr(M)) if he has received Kr(M) .
  • A can also show B was able to read Kr (M) because B has sent HI (Kr) to R, and B can only have generated Hl(Kr) if he has received Kr.
  • the fact that Hl(Kr(M)) and HI (Kr) are both encrypted by Bsk shows they can only have been sent by B.
  • the message M can be validated to A by virtue of A's transmission to R of Ask (Hl(Kr(M)), Hl(Kr)). Without this data in the transaction record, B can deny readability of message M.
  • T can obtain Kl, giving it access to Kr, Ask (HI (Kr (M) ) ) and Ask (HI (Kr) ) .
  • A sends to B the encrypted message Kr (M) .
  • A sends to B Asig(Kr(M. Using Apk, B can generate H (Kr) .
  • A sends to B Asig (Transaction) as a message verifier.
  • A sends to the transaction record R a message consisting of: Asig(Kr( ), Asig(Kr)).
  • B transmits to T: Bsig (Kr (M) ) .
  • B transmits to T Bsig(Kr) as a verifier.
  • T first confirms that the H (Kr(M)) received from B, having been decrypted using Bpk, matches the H (Kr(M)) received from A in step 1 above. If so:
  • T transmits to B Bpk(Kr) .
  • B can use Bsk to obtain Kr which in turn it can use to decrypt Kr(M) .
  • T transmits Tsi (Bpk (Kr) ) as a verifier.
  • B transmits to R Bsig(Kr(M), Bsig(Kr)) to enable message verification.
  • T transmits to R Kr.
  • Kr may be encrypted using A or B's public key, or another agreed encryption.
  • Verification is carried out as for the Figure 1 embodiment .
  • the method of Figure 3 can also be used in the situation in which B originally does not have a certificate but upon receipt of the original message from A can obtain a certificate for use in the subsequent steps of the method.
  • a time stamp of the transaction record can be generated to enable verification of the transaction record.
  • A, B, T and R will be computer nodes and that some or all of the steps 1-7 may be automated thereby.
  • the transaction record will be at and controlled by T, a trusted third party or certification authority. It can, however, be maintained by another party (not A, B or T) .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

There is disclosed a communication method comprising a sender (A) sending to a recipient (B) a digital communication (M) encrypted with an encryption for which there is a release key (Kr) and a message identifier, the recipient communicating the message identifier to a third party (T), the third party verifying the message identifier and communicating the release key (Kr) to the recipient for the recipient to decrypt the encrypted digital communication (Kr(M)).

Description

METHOD AND SYSTEM RELATING TO A NON-REPUDIATION MESSAGE EXCHANGE
Field of the Invention
The present invention relates to methods of communication and to communication systems.
Background to the Invention
In this specification the following terminology is used:
M represents an original message.
H represents a one way digest function such as a hash. Where different hash functions are used, these are distinguished as HI, H2 etc. For convenience the one-way digest functions are agreed between the parties.
Kr represents a release key used to decrypt an encrypted message M. Often this will also be the encryption key.
K represents a symmetric key. Kl is a first symmetric key, K2 a second symmetric key etc.
Xpk represents a public key using user X's key.
Xsk represents a private key using user X's key.
Xsig (M) is X's digital signature of message M ie Xsk(H(M) ) .
A is a message originator/sender. B is a message recipient.
T is a third party trusted transaction authority.
R is a transaction record.
Thus:
K(M) is a message encrypted using a key K.
Bpk (Asi (K( ) ) ) is a message encrypted using a key K, taking a hash of K(M) , which is further encrypted using a secret key of A and finally encrypted using a public key of B.
For transactions, especially business-to-business transactions, to become common over the internet, in particular financial transactions, a certified message delivery system is essential.
To fulfil all the needs of a certified delivery, any such method and system should have the following properties:
1. A sender (A) must have some way of proving that a recipient (B) received the message, should B later try to deny it .
2. B must have some way of proving that B could not read the message, should A later try to claim that B could do so. In some methods and systems it is enough for just one of the criteria to be satisfied.
A certified e-mail delivery communication method and system is suggested in "A Certified E-mail Protocol" by Bruce Schneier and James Riordan available at www. counterpane . com/certified-email .pdf .
According to this protocol A chooses a random key Kr and sends to B the encrypted message Kr (M) . B sends to A a digitally signed message requesting A to publish the key for the received encrypted message, the hash of which is H(Kr(M)) by date D at location , which is a public record. A publishes the pair H(Kr(M)) and Kr in L on or before date D. B retrieves the key, Kr from L and decrypts the message.
Typically, location L will be a newspaper, .a world-wide web kiosk service or a Usenet newsgroup.
This method has the disadvantages that it involves an unnecessary number of process steps, B has to break the method to refuse delivery and the use of a public location for key release storage is potentially unreliable.
It is an aim of preferred embodiments of the preferred embodiments of the present invention to obviate or overcome a problem of the prior art, whether refused to herein or otherwise. Summary of the Invention
According to the present invention in a first aspect, there is provided a communication method comprising a sender (A) sending to a recipient (B) a digital communication (M) encrypted with an encryption for which there is a release key (Kr) and a message identifier, the recipient communicating the message identifier to a third party (T) , the third party verifying the message identifier and communicating the release key (Kr) to the recipient for the recipient to decrypt the encrypted digital communication (Kr(M)).
Suitably, the release key is generated as a session key.
Suitably, the message identifier comprises a one-way function of predetermined data, which suitably is at least part of the encrypted message.
Suitably, the message identifier is encrypted.
Suitably, the message identifier sent from A to B is encrypted by a session key (K2) and the session key is communicated to B encrypted by B's public key (Bpk(K2)) .
Suitably, the communication from A to B includes a digital signature from A. Suitably the digital signature comprises Ask(H(K2)).
Suitably, A communicates the message identifier to T in encrypted form. Suitably, A communicates to T Ask(H (Kr (M) ) ) . Suitably, A' s communication to T comprises a digital signature. Suitably, the digital signature comprises Ask(H(Kl)). Suitably, A communicates Tpk(Kl) to T.
Suitably, the message identifier sent from B to T is generated by an operation carried out on the communication received by B from A. Suitably, the message identifier sent from A to B comprises Hl(Kr(M)) . Suitably, the message identifier sent from B to T comprises H2(Kr( ) wherein H1≠H2.
Suitably, A communicates the release key (Kr) to T. Suitably, the communication of Kr is encrypted. Suitably, A communicates to T Bpk(Kr) . Suitably, A communicates to T Kl(Bpk(Kr) ) .
Suitably, B communicates a message identifier to T with a digital signature. Suitably, the digital signature comprises Bsk(H (Kr (M) ) ) .
Suitably, T communicates to B Bpk(Kr) . Suitably T communicates to B Bpk(Kr) .
Suitably, A communicates a message identifier to a transaction record. Suitably, B communicates a message identifier to a transaction record. Suitably, T communicates the encryption key (Kr) to a transaction record. Suitably, T communicates an encrypted version of the encryption key to the transaction record. Suitably, the message identifier used between A and B differs from that used between A and T and B and T. Suitably, the message identifier used between A and T corresponds to that used between B and T. Suitably, H(Kr(M)) is the message identifier, which is generated by B .
It is noted that B cannot pass on the message identifier to T without some intervention on B's behalf.
If A does not know B's public key (Bpk), A transmits simply the encrypted message (Kr(M)) and the message identifier. This is not as secure as the embodiments in which A knows Bpk, since a third party obtaining Kr could decrypt the message, but is a satisfactory compromise for many applications.
Suitably, the transaction record is time stamped to produce a time stamp record. Suitably, the time stamp record is published.
According to the present invention in a second aspect, there is provided a communication system comprising a senders computer node, a recipients computer node and a third party computer node, which computer nodes are in communication via a distributed electronic network and configured to operate according to the method of the first aspect of the invention.
The message (M) may be data in any form eg financial or database data, as well as letters.
It will be appreciated by those skilled in the art that the steps need not all be carried out in the order set out above . Preferred embodiments of the present invention rely on a public key infrastructure (PKI) , such as RSA, and a recognised digest function such as a hash. The hash is a one-way function.
Brief Description of the Drawings
The present invention will now be described, by way of example only, with reference to the drawings that follow, in which:
Figure 1 shows a schematic functional illustration of a protocol, method and system according to an embodiment of the present invention; and
Figure 2 shows a schematic functional illustration of a protocol, method and system according to a second embodiment of the present invention.
Figure 3 shows a schematic functional illustration of a protocol, method and system according to another embodiment of the present invention.
Description of Preferred Embodiments
A sender referred to as Alice (A) wishes to send to Bob, a recipient (B) a digital message (M) . Trent (T) is used as a trusted third party. The operations of A, B and T are carried out on respective computer nodes 2, 4, 6 connected by a distributed electronic network such as the internet. T maintains a TCP/IP server at computer node 6, typically using an ORACLE (trade mark) database. The database provides user, account, financial, configuration and transaction details to the transaction server 6.
The operations on computer nodes 2, 4, 6 are carried out automatically by software thereon. A given user may set options within the software enabling them to have the opportunity to refuse to accept communications and/or to authorise the onward transmission of data.
In this first embodiment of the present invention, illustrated in Figure 1 of the drawings that follow it is assumed that A knows B's public key.
Typically, the digital message will be an e-mail message.
Step 1
In step 1, A transmits to T a message packet comprising:
la. Kl(Bpk(Kr), Ask (HI (Kr (M) ) , skHl (Kr) ) ) . Thus, A sends to T a session key (Kl) encrypted sub-packet message including the release key (Kr) for the message (M) , encrypted by B's public key and Kl, and a digital signature (AskHl (Kr (M) ) ) of the encrypted message (Kr(M)) . A also sends T a digital signature of Kr for verification purposes.
lb. A sends to T Tpk(Kl) to enable T to decrypt Kl therefrom using Tsk, thereby enabling T to decrypt message sub-packet la.
lc. A transmits to T Ask(Hl(Kl)), ie a digital signature of Kl . Thus, when T has decrypted Kl from step IB above, T can verify A as the source of the communication by verifying the digital signature of this step lc.
Step 2
A sends to B a message packet comprising the following elements :
2a. A sends to B K2(Kr(M), H2(Kr(M)), H2 (Kr) ) . Thus, B has the encrypted message (Kr(M)), but needs the encryption key K2 to obtain Kr (M) and release key Kr to obtain the message M.
2b. A sends to B Bpk(K2) thus enabling B with its secret key Bsk to obtain K2 , thereby enabling it access to Kr(M), to H2(Kr(M)) and to H2 (Kr) . B can use H2(Kr(M)) -from step 2a- to verify the integrity of the received Kr(M) .
2c. A sends to B Ask(H2(K2)) as a digital signature hash of K2 enabling B to verify that the message originates from A.
Step 3
A sends to a transaction record (R) the following message:
3a. A sends to R Ask (HI (Kr (M) ) ) , As (Hl (Kr) ) . The transaction record can, therefore, using A' s public key Apk obtain Hl(Kr(M)) and HI (Kr) as message identifiers and also by deriving this from use of A' s public key Apk, R (or anyone checking R) can verify that this originates from A.
Step 4
4a. B generates Hl(Kr(M) from the decrypted Kr (M) . If necessary information about which hash to use can be communicated to B via an open channel . B sends to T a message packet consisting of Bsk (HI (Kr (M) ) ) . Thus using B's public key (Bpk) T can obtain the message identifier Hl(Kr(M)).
4b. B also transmits to T Bsk(Hl (Kr) ) to T as a Kr verification.
Step 5
T first verifies that the Hl(Kr(M)) received from A matches the Hl(Kr(M)) received from B. Only if the two match does T proceed as follows:
T sends to B a message packet comprising the following elements :
5a. T sends to B Bpk(Kr).
5b. T sends to BTskHl (Bpk (Kr) ) .
Thus, B can use its own secret key (Bsk) to obtain the release key (Kr) , which release key can be used to decrypt the encrypted message (Kr(M)) to obtain the original message (M) . B can verify the release key is correct by generating H2 (Kr) and comparing that with the H2 (Kr) received originally from A.
B can use Tsk (HI (Bpk (Kr) ) as a verifier.
If A and B's supposed Hl(Kr(M)) messages do not match, B is informed that it cannot be sent the decryption key.
Step 6
6a. B sends Bsk (HI (Kr (M) ) ) to the transaction record R.
6b. B sends Bsk HI (Kr) ) to the transaction record R.
Thus the transaction record can verify that it has received from both A and B message identifiers in digested hash form. B can only have obtained the hash digests from A which confirms both B's receipt of the message and A's transmission thereof.
Step 7
7a. T sends to the transaction record Bpk(Kr) .
If A wishes to prove that B received the message M, A can refer to the transaction record showing B has sent Hl(Kr(M)) to R, B can only have generated Hl(Kr(M)) if he has received Kr(M) . A can also show B was able to read Kr (M) because B has sent HI (Kr) to R, and B can only have generated Hl(Kr) if he has received Kr. The fact that Hl(Kr(M)) and HI (Kr) are both encrypted by Bsk shows they can only have been sent by B. The message M can be validated to A by virtue of A's transmission to R of Ask (Hl(Kr(M)), Hl(Kr)). Without this data in the transaction record, B can deny readability of message M.
Referring to Figure 2 of the drawings that follow, there is shown a further embodiment of the present invention in which it is assumed that A knows B's public key.
The embodiment illustrated in Figure 2 is similar to that shown in Figure 1 (and so a further detailed description is not included) apart from the fundamental difference that B is not sent any hash of Kr(M) at all. In this way the hashes used throughout the protocol can remain unchanged. Thus, in this embodiment H1=H2. As a message verifier Asig (Transaction) is sent from A to B, where Transaction is the remainder of the step 2 communication.
It is noted that B must generate Kr (M) itself.
Referring to Figure 3 of the drawings that follow, the method and system of communication is shown for the case in which the sender A does not know the recipient (B) certificate .
Step 1
la. A sends to T Kl (Kr, Asig(Kr(M)), Asig (HI (Kr) ) .
lb. A sends to T Tpk(Kl) . Thus T can obtain Kl, giving it access to Kr, Ask (HI (Kr (M) ) ) and Ask (HI (Kr) ) .
lc. A sends to T Asig(Kl) . Thus T can both verify the integrity of the transmitted Kl and confirm that the message originates with A. Step 2
2a. A sends to B the encrypted message Kr (M) .
2b. A sends to B Asig(Kr(M. Using Apk, B can generate H (Kr) .
2c. A sends to B Asig (Transaction) as a message verifier.
Step 3
3a. A sends to the transaction record R a message consisting of: Asig(Kr( ), Asig(Kr)).
Step 4
From Kr(M), B generates Hl(Kr(M)) .
4a. B transmits to T: Bsig (Kr (M) ) .
4b. B transmits to T Bsig(Kr) as a verifier.
Step 5
T first confirms that the H (Kr(M)) received from B, having been decrypted using Bpk, matches the H (Kr(M)) received from A in step 1 above. If so:
5a. T transmits to B Bpk(Kr) . B can use Bsk to obtain Kr which in turn it can use to decrypt Kr(M) .
5b. T transmits Tsi (Bpk (Kr) ) as a verifier. Step 6
6a. B transmits to R Bsig(Kr(M), Bsig(Kr)) to enable message verification.
Step 7
T transmits to R Kr. Optionally Kr may be encrypted using A or B's public key, or another agreed encryption.
Verification is carried out as for the Figure 1 embodiment .
The method of Figure 3 can also be used in the situation in which B originally does not have a certificate but upon receipt of the original message from A can obtain a certificate for use in the subsequent steps of the method.
In both cases, there is an additional verification step in that if B seeks to interfere with step 6, A can use T to show that B transmitted to T in step 4 Hl(Kr(M)) which it could only have obtained from Kr (M) received from A and T can show that it transmitted a receivable version of Kr to B.
As a final step in either method a time stamp of the transaction record can be generated to enable verification of the transaction record.
It is noted that in a typical embodiment A, B, T and R will be computer nodes and that some or all of the steps 1-7 may be automated thereby. Normally, the transaction record will be at and controlled by T, a trusted third party or certification authority. It can, however, be maintained by another party (not A, B or T) .
The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings) , and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) , may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of the foregoing embodiment (s) . The invention extend to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings) , or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Claims

Claims
1. A communication method comprising a sender (A) sending to a recipient (B) a digital communication (M) encrypted with an encryption for which there is a release key (Kr) and a message identifier, the recipient communicating the message identifier to a third party (T) , the third party verifying the message identifier and communicating the release key (Kr) to the recipient for the recipient to decrypt the encrypted digital communication (Kr(M)).
2. A communication method as claimed in claim 1, wherein the release key is generated as a session key.
A communication method as claimed in claim 1 or claim 2, wherein the message identifier comprises a one-way function of predetermined data, which suitably is at least part of the encrypted message.
A communication method as claimed in any preceding claim, wherein the message identifier is encrypted.
5. A communication method as claimed in claim 4, wherein the message identifier sent from A to B is encrypted by a session key (K2) and the session key is communicated to B encrypted by B's public key (Bpk(K2)) .
6. A communication method as claimed in any preceding claim, wherein the communication from A to B includes a digital signature from A.
7. A communication method as claimed in claim 6, wherein the digital signature comprises Ask(H(K2)).
8. A communication method as claimed in any preceding claim, wherein A communicates the message identifier to T in encrypted form.
9. A communication method as claimed in claim 8, wherein A communicates to T Ask (H (Kr (M) ) ) .
10. A communication method as claimed in any preceding claim, wherein A's communication to T comprises a digital signature.
11. A communication method as claimed in claim 10, wherein the digital signature comprises Ask(H(Kl)).
12. A communication method as claimed in any preceding claim, wherein A communicates Tpk(Kl) to T.
13. A communication method as claimed in any preceding claim, wherein the message identifier sent from B to T is generated by an operation carried out on the communication received by B from A.
14. A communication method as claimed in claim 13, wherein the message identifier sent from A to B comprises Hl(Kr(M) ) .
15. A communication method as claimed in claim 14, wherein the message identifier sent from B to T comprises H2(Kr(M) wherein H1≠H2.
16. A communication method as claimed in any preceding claim, wherein A communicates the release key (Kr) to T.
17. A communication method as claimed in claim 16, wherein the communication of Kr is encrypted.
18. A communication method as claimed in claim 17, wherein A communicates to T Bpk(Kr) .
19. A communication method as claimed in claim 17, wherein A communicates to T Kl(Bpk(Kr)) .
20. A communication method as claimed in any preceding claim, wherein B communicates a message identifier to T with a digital signature.
21. A communication method as claimed in claim 20, wherein the digital signature comprises Bsk (H (Kr (M) ) ) .
22. A communication method as claimed in any preceding claim, wherein T communicates to B Bpk(Kr) .
23. A communication method as claimed in claim 22, wherein T communicates to B Bpk(Kr) .
24. A communication method as claimed in any preceding claim, wherein A communicates a message identifier to a transaction record.
25. A communication method as claimed in any preceding claim, wherein B communicates a message identifier to a transaction record.
26. A communication method as claimed in any preceding claim, wherein T communicates the encryption key (Kr) to a transaction record.
27. A communication method as claimed in claim 26, wherein T communicates an encrypted version of the encryption key to the transaction record.
28. A communication method as claimed in any preceding claim, wherein the message identifier used between A and B differs from that used between A and T and B and T.
29. A communication method as claimed in any one of preceding claims 1 to 27, wherein the message identifier used between A and T corresponds to that used between B and T.
30. A communication method as claimed in any preceding claim, wherein H(Kr(M)) is the message identifier, which is generated by B.
31. A communication method as claimed in any preceding claim, wherein the transaction record is time stamped to produce a time stamp record.
32. A communication method as claimed in claim 31, wherein the time stamp record is published.
3. A communication system comprising a senders computer node, a recipients computer node and a third party computer node, which computer nodes are in communication via a distributed electronic network and configured to operate according to any one of claims 1 to 32.
PCT/GB2003/000965 2002-03-19 2003-03-07 Method and system relating to a non-repudiation message exchange WO2003081840A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003214390A AU2003214390A1 (en) 2002-03-19 2003-03-07 Method and system relating to a non-repudiation message exchange

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0206429.3 2002-03-19
GB0206429A GB0206429D0 (en) 2002-03-19 2002-03-19 Improvements in and relating to communication methods and systems

Publications (1)

Publication Number Publication Date
WO2003081840A1 true WO2003081840A1 (en) 2003-10-02

Family

ID=9933257

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2003/000965 WO2003081840A1 (en) 2002-03-19 2003-03-07 Method and system relating to a non-repudiation message exchange

Country Status (3)

Country Link
AU (1) AU2003214390A1 (en)
GB (1) GB0206429D0 (en)
WO (1) WO2003081840A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100191964A1 (en) * 2009-01-26 2010-07-29 Qualcomm Incorporated Communications methods and apparatus for use in communicating with communications peers
US20160134593A1 (en) * 2014-11-12 2016-05-12 Yaron Gvili Manicoding for communication verification
US9886573B2 (en) 2015-08-06 2018-02-06 Red Hat, Inc. Non-repudiation of broadcast messaging

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6134326A (en) * 1996-11-18 2000-10-17 Bankers Trust Corporation Simultaneous electronic transactions
EP1300980A1 (en) * 2001-10-02 2003-04-09 Institut Eurecom G.I.E. Process for providing non repudiation of receipt (NRR) in an electronic transaction environment

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6134326A (en) * 1996-11-18 2000-10-17 Bankers Trust Corporation Simultaneous electronic transactions
EP1300980A1 (en) * 2001-10-02 2003-04-09 Institut Eurecom G.I.E. Process for providing non repudiation of receipt (NRR) in an electronic transaction environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HERDA S: "Non-repudiation: Constituting evidence and proof in digital cooperation", COMPUTER STANDARDS AND INTERFACES, ELSEVIER SEQUOIA. LAUSANNE, CH, vol. 17, no. 1, 1995, pages 69 - 79, XP004046750, ISSN: 0920-5489 *
LIEW C-C ET AL: "Non-Repudiation in an agent-based electronic commerce system", PROCEEDINGS. INTERNATIONAL WORKSHOP ON DATABASE AND EXPERT SYSTEMS APPLICATIONS, XX, XX, 1 September 1999 (1999-09-01), pages 864 - 868, XP002164806 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100191964A1 (en) * 2009-01-26 2010-07-29 Qualcomm Incorporated Communications methods and apparatus for use in communicating with communications peers
US9118699B2 (en) * 2009-01-26 2015-08-25 Qualcomm Incorporated Communications methods and apparatus for use in communicating with communications peers
US20170359316A1 (en) * 2014-11-12 2017-12-14 Yaron Gvili Manicoding for communication verification
CN107113179A (en) * 2014-11-12 2017-08-29 亚伦.吉利 Multiple encodings for communication verification
US9749297B2 (en) * 2014-11-12 2017-08-29 Yaron Gvili Manicoding for communication verification
EP3219050A4 (en) * 2014-11-12 2017-11-29 Yaron Gvili Manicoding for communication verification
US20160134593A1 (en) * 2014-11-12 2016-05-12 Yaron Gvili Manicoding for communication verification
US9961050B2 (en) 2014-11-12 2018-05-01 Yaron Gvili Manicoding for communication verification
US20180255031A1 (en) * 2014-11-12 2018-09-06 Yaron Gvili Manicoding for communication verification
EP3627797A1 (en) * 2014-11-12 2020-03-25 Yaron Gvili Manicoding for access verification
US11388152B2 (en) 2014-11-12 2022-07-12 Yaron Gvili Manicoding for communication verification
US11848920B2 (en) 2014-11-12 2023-12-19 Yaron Gvili Manicoding for communication verification
US9886573B2 (en) 2015-08-06 2018-02-06 Red Hat, Inc. Non-repudiation of broadcast messaging
US10181025B2 (en) 2015-08-06 2019-01-15 Red Hat, Inc. Non-repudiation of broadcast messaging
US10783236B2 (en) 2015-08-06 2020-09-22 Red Hat, Inc. Non-repudiation of broadcast messaging

Also Published As

Publication number Publication date
AU2003214390A1 (en) 2003-10-08
GB0206429D0 (en) 2002-05-01

Similar Documents

Publication Publication Date Title
Adams et al. Internet X. 509 public key infrastructure certificate management protocol (CMP)
US6161181A (en) Secure electronic transactions using a trusted intermediary
US8560655B2 (en) Methods and apparatus for controlling the transmission and receipt of email messages
Schaad et al. Secure/multipurpose internet mail extensions (s/mime) version 4.0 message specification
US6199052B1 (en) Secure electronic transactions using a trusted intermediary with archive and verification request services
US6145079A (en) Secure electronic transactions using a trusted intermediary to perform electronic services
US7146009B2 (en) Secure electronic messaging system requiring key retrieval for deriving decryption keys
US20010037453A1 (en) Secure electronic transactions using a trusted intermediary with non-repudiation of receipt and contents of message
US20030115456A1 (en) Customizable public key infrastructure and development tool for same
US20050044369A1 (en) Electronic document management system
US20030196080A1 (en) Secure communication via the internet
Adams et al. Internet X. 509 Public Key Infrastructure data validation and certification server protocols
EP2372947A1 (en) Secure and traceable digital transmission method and envelope
WO2002017553A2 (en) Apparatus and methods for the secure transfer of electronic data
Adams et al. Rfc2510: internet x. 509 public key infrastructure certificate management protocols
JP2000196583A (en) Broadcast communication system
US20110154037A1 (en) Secure digital communications
Moberg et al. MIME-based secure peer-to-peer business data interchange using HTTP, Applicability Statement 2 (AS2)
WO2001030016A2 (en) A method for non-repudiation using a trusted third party
WO1998013970A1 (en) A system and method for securely transferring plaindata from a first location to a second location
JP2000031957A (en) Communications system
WO2003081840A1 (en) Method and system relating to a non-repudiation message exchange
WO2001025883A2 (en) A method for preventing repudiation of an executed transaction without a trusted third party
EP1357697B1 (en) Secure communication via the internet
Brockhaus et al. RFC 9810: Internet X. 509 Public Key Infrastructure--Certificate Management Protocol (CMP)

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP