AU2003222410A1 - Secure electronic polling method and cryptographic processes therefor - Google Patents

Publication number: AU2003222410A1
Authority: AU (Australia)
Legal status: Granted
Application number: AU2003222410A
Other versions: AU2003222410B2 (en)
Inventors: Jordi Castella Roca, Andreu Riera Jorba
Current Assignee: Scytl Election Technologies SL
Original Assignee: Scytl Online World Security SA
Application filed by: Scytl Online World Security SA
Assigned to SCYTL SECURE ELECTRONIC VOTING, S.A. (assignor: SCYTL ONLINE WORLD SECURITY, SA)
Assigned to Scytl Election Technologies S.L. (assignor: SCYTL SECURE ELECTRONIC VOTING, S.A.)
Classification: G07C13/00 Voting apparatus
Description

VERIFICATION OF TRANSLATION

File No. PCT/IB2003/001884

I, the undersigned, Xavier Metzger Torelló, in the name of the Metzger Technical Translations Bureau, located in Barcelona (Spain), do solemnly and sincerely declare as follows: That a well-acquainted native English translator from our staff has carried out to the best of his knowledge and belief a true correct translation from Spanish into English of the above mentioned File.

DATED this on the 7th day of December 2005

SIGNED: Xavier Metzger Torelló

Method for secure electronic surveys and the employed cryptographic processes

Scope of the invention

This invention describes a method for carrying out secure surveys over a communications network, such as the Internet, with the aid of computational methods and/or associated software.

The description of this invention contains material that is subject to copyright protection. The holders of said copyright do not have any objection with respect to the reproduction of the description in this patent application document, just as it appears in its published or final version in the Patent Office, by third parties, but they reserve all rights with respect to the copyright in any other aspects deriving from the said document.

Background to the invention

Computer networks and, above all, the global system of interconnected networks known as the Internet, have enabled certain common activities, for example, purchasing, searching for information or gaming, to be carried out remotely.

This invention refers to the electronic surveys carried out over communications networks, such as the Internet, and especially to the security requirements with which they must comply.
As is already well known, the traditional systems for collecting information by postal mail, telephone or in person require an amount of human resources proportional to the number of desired responses. Moreover, the time necessary to obtain the response may also be a factor to be taken into account, with the postal mail system being the slowest.

The publication of the surveys on a communications network allows said surveys to potentially reach all users that have access to this network, which will notably increase the number of possible participants. In this case, an increase in the number of responses due to the increase in the number of participants is not strongly linked to the amount of human resources required to carry out the survey, so the necessary human resources are reduced, together with process costs.

Another significant factor to be stressed with respect to surveys over a communications network is the reduced human resources necessary for the handling and processing of the data obtained from the surveys, because the responses are already in digital format.

In addition to this, those surveyed obtain benefits such as independence of place and time for participating in the survey and can complete it at whatever time they prefer.

These benefits make it possible to obtain information from the population, the public, students or employees in an increasingly easy manner and, consequently, this information is taken more into consideration. One example of this could be the surveys for television competitions, in which the public decides who the winner is.

However, not all surveys are similar or have the same requirements. Employees at a given company may not be fully sincere if they believe their superiors can correlate the survey to its author. The employees may fear reprisals depending on their responses, in which case, if the employees do not freely express their opinions, the survey lacks any sense.
It is therefore necessary to guarantee privacy or anonymity of response to those being surveyed.

In addition, those surveyed may also feel defrauded if they know that the results can be easily manipulated and that their opinions might not be taken into consideration. Security against possible modification of the results is therefore essential: it must not be possible to add, delete or modify surveys without such manipulation being detected.

As is evident, the survey may be carried out on a specific group, in which case certain mechanisms must be enabled to guarantee that each response actually comes from a member of the said group. This requirement refers to response authenticity.

On the other hand, those surveyed may be influenced if they know any intermediate survey results. For this reason, in certain cases, it may be necessary to keep all intermediate results secret.
Inventions are known that present systems and/or methods for carrying out electronic surveys over a communications network.

Patents WO 88/05239 and US 6,418,308 describe survey systems by means of telephone lines. In the first document, those surveyed use a land telephone to carry out the survey, whereas the second document describes a system in which those surveyed employ a mobile telephone.

Patent US 5,226,177 refers to a system and apparatus for obtaining information in real time from users that make use of remote wireless response units. In this case, the communications network is a radio link.

Patents US 6,477,504, US 5,893,098, US 6,189,029, and WO 00/46699, together with patent applications EP 1 115 073, US 2002/0007303, US 2002/0002482 and US 2001/0052009, carry out the survey over the Internet communications network. The said patents describe quite similar operations, in which the surveyor generates the survey and makes it accessible to those surveyed. Each surveyed person has a device that allows access to the survey and the possibility of responding to it. At the end of the survey period, the system processes the responses and provides the surveyor with the results.

However, none of the described patents covers the previously mentioned requirements for privacy protection and survey authenticity, results modification guarantees and the maintenance of intermediate results secrecy.

The objective of this invention is, therefore, to achieve the requirements relating to electronic survey security cited in the previous paragraph.

Description of the invention

This invention describes a method for automated information acquisition, such as opinions, convictions or judgments, from certain subjects, together with the employed cryptographic processes.

The invention also refers to the software required to put the cited cryptographic processes into practice by means of some computation means and/or communications systems and associated software.
One objective of this invention is to guarantee the privacy of those surveyed and the accuracy of the survey responses. It is also an objective of this invention to keep the intermediate survey results secret.

Thus, the method for automated information acquisition is characterized in that it comprises the following steps:

a) to provide an authority with at least one pair of asymmetric keys and to make the public component of the said at least one pair of asymmetric keys of the said authority accessible to certain subjects;

b) to protect the information acquired from each of the said subjects by means of the associated software, consisting of: the generation of a random factor, and the encryption of the said acquired information by means of said public component of the said at least one pair of asymmetric keys of the said authority and said random factor, obtaining a cryptogram that can be decrypted only by the said authority;

c) to make the said cryptogram of step b) accessible to the said authority; and

d) to employ, in a secure, manipulation-free environment, the private component of the said at least one pair of asymmetric keys of the said authority to decrypt the said cryptogram of step b), accessing the information acquired from each subject, and to permute the order of the said acquired information so that the order of the said cryptograms is uncorrelated from the order of the said acquired information.

Hereinafter, the term "acquired information" will be understood as being a response to opinions, views or judgments and, more specifically, as a response to a survey, whereas "the subjects" are understood as being the persons that contribute their opinions, views or judgments and, more specifically, as those surveyed.

A first step in the invention is the generation of a pair of asymmetric keys by the authority responsible for the survey; the public component of this pair of keys is made available to those surveyed.
The response of those surveyed is protected by a random factor and the authority's public key component. The construction of a digital envelope in accordance with [PKCS#7, Cryptographic Message Syntax Standard, An RSA Laboratories Technical Note, Version 1.5, 1st of November 1993] is the preferred method for protecting the response by means of a random factor and a public key component. Another way of achieving the said protection is based on probabilistic encryption in accordance with the Blum and Goldwasser proposal [Blum, M. and Goldwasser, S. An Efficient Probabilistic Public Key Encryption Scheme which Hides All Partial Information, Advances in Cryptology - CRYPTO '84 Proceedings, pages 289-299, Springer Verlag, 1985]. Hereinafter, the protected response from the surveyed person will receive the name of cryptogram.

The cryptogram is made available to the authority, or to an intermediate service, where the intermediate service temporarily stores the cryptogram until the end of the surveying period and then makes it available to the authority.

Once the surveying period is completed, the authority starts the process of tabulation of the responses, first decrypting the cryptogram using the private component of its pair of asymmetric keys. In a preferred embodiment example, the response order is permuted before, after or simultaneously with its decryption.

Another objective of this invention is the authentication of those surveyed and guaranteeing that the responses to the surveys carried out only belong to authorised surveyed persons, in order to ensure the authenticity of the survey responses. This invention achieves these two objectives in two ways, depending on whether those surveyed have a pair of asymmetric keys or not. In a first alternative, those surveyed have a pair of asymmetric keys prior to starting the survey. In a second alternative, the key pair is supplied to the surveyed persons at the moment they start the survey.
In this second alternative, the key pair remains on a computer platform remote from the person surveyed until the time she starts to respond to the survey. At this precise moment, the keys are sent to the surveyed person over a communications system.

In both cases, access to the private component must be protected so that only the surveyed person can access it.

In the first alternative, in which the surveyed person is in possession of an asymmetric key pair, the private component is preferably protected by means of a secure device, such as a card with an incorporated microprocessor. The private component can also be protected by encrypting it with a symmetric encryption system using a secure key or password. Some representative examples of symmetric encryption that can be employed are described in [Applied Cryptography, Protocols, Algorithms, and Source Code in C (second edition), Bruce Schneier, editor John Wiley & Sons, Inc., 1996] and [The Design of Rijndael: AES - The Advanced Encryption Standard (Information Security and Cryptography), Joan Daemen and Vincent Rijmen, Springer Verlag, 2002]. The key or password is supplied in secret to the surveyed person or is directly chosen by the latter.

In the second alternative, in which the surveyed person receives the key pair during the survey, the protection of the private component is achieved by encryption, just as previously described.

The authentication of those surveyed in the first alternative consists of implementing a strong authentication cryptographic protocol based on public key cryptography. Authenticity of the survey response is guaranteed by the digital signature of the cryptogram by means of the private key from the surveyed person's asymmetric key pair.

In the cited second alternative, the authenticity of the surveyed person is implemented through the possession of a certain piece of information, such as a password, a PIN, or the result of a challenge protocol.
In this case, the authentication of the surveyed person consists of providing the mentioned piece of information. Authenticity of the survey response is achieved in a similar way, attaching the piece of information to the response and protecting the whole as previously described.

Another objective of this invention is to guarantee the integrity of the set of cryptograms that is in the possession of the authority, by means of a digital signature of them using the private component of the asymmetric key pair belonging to the authority or the said intermediate service.

Another objective of this invention is to guarantee the integrity of the survey questions by means of a digital signature of them using the private key from one of the asymmetric key pairs belonging to the authority.
The mentioned survey authority can consist of a group of independent members. In this case, the invention uses a cryptographic secret-sharing scheme to allow access to the private component of the authority's asymmetric key pair. The cryptographic secret-sharing scheme employed here consists of splitting the private key into fragments or shares and establishing a minimum threshold of members necessary to recover the private key. The presence of a lower number of the said shares will not permit recovery of the private key, nor will it provide any advantage in facilitating access to it. It is only possible to access the private key if a part, established by a minimum threshold, or the totality of said independent assembly members collaborate in the protocol.

The shares are distributed among the said independent members. Optionally, the fragments or shares can be encrypted by an encryption system, such as a symmetric encryption system, using either secure keys or passwords. These passwords can be chosen by the members or automatically generated, in which case the secure passwords are distributed among the members in a secret way.

Fragment integrity can be guaranteed by means of a digital signature using the private key of the authority or the mentioned intermediate service.

Brief description of the figures

For better understanding with respect to the above description, figures are attached which, schematically and by way of non-limiting example, represent a practical embodiment example.
In the drawings:

Figure 1 is a flow diagram showing the initialization steps for an asymmetric key pair and the steps carried out by the surveyor with the aid of some means of computation and/or communications system for the method for carrying out secure electronic surveys, which is the object of this invention;

Figure 2 is a flow diagram showing the steps of the method used by the surveyor with the aid of some means of computation and/or communications system;

Figure 3 is a flow diagram showing a first embodiment example of the invention; and

Figure 4 is a flow diagram showing a second embodiment example of the invention.

Detailed description of the invention

This invention describes a method for carrying out secure electronic surveys over a communications network, such as the Internet. The invention also refers to computer software for putting the said method into practice.

The objective of this invention is to satisfy the full list of mentioned security requirements: the privacy of surveyed people, the authentication of the authorized surveyed persons, the accuracy of the survey results and the secrecy of any intermediate results up to the end of the survey, should this be necessary.

This objective is achieved by means of a cryptographic surveying protocol implemented by the parties taking part in the survey, in other words, those surveyed, a survey authority and, optionally, an intermediate service. The said method involves carrying out complex calculations that the surveyed person could not perform without the aid of some means of computation and/or software. Normally, the surveyed person has some device available with access to a communications network and processing capacity in order to carry out the necessary method steps. This device may belong to the surveyed person or be supplied to him or her in order to take part in the survey.
This will normally be a personal computer; however, it could also be a Personal Digital Assistant (PDA) or a mobile telephone with the capability, for example, of running applications.

Preferably, the cryptographic part of the protocol that has to be run on the surveyed person's device is implemented as an application that can run within an Internet Browser, although the invention can also be implemented as a conventional application, or a plug-in for an Internet Browser. The term "Internet Browser" is the name given to the application used to access Web pages that are in HTML format.
That part of the protocol corresponding to the authority managing the survey is executed on a server platform. The platform has access to the communications network and receives requests from those surveyed. Hereinafter, the "authority" refers to that formed by the said platform and the implementation needed to carry out the cryptographic process.

The notation given below is employed in the following detailed description of the invention:

• E: Surveyed person identifier.
• Eid: The data string that uniquely identifies the survey. For example, this could be a sequential identifier, or the date and a descriptive survey text.
• CS: The password supplied to the surveyed person in order to carry out the survey.
• Enc: Survey.
• Renc: Survey response.
• M1 | M2: The concatenation of two messages, M1 and M2.
• H{M}: A summary of the message M obtained by means of a cryptographic hash function.
• K: The key for a specific symmetric encryption system.
• EK[M]: The symmetric encryption of message M using key K.
• Pentity and Sentity: Asymmetric key pair (public and private keys respectively) that belongs to the entity.
• Pentity[M]: The asymmetric encryption of message M using public key Pentity.
• EK[M] | Pentity[K]: Digital envelope of message M addressed to entity. This digital envelope consists of the encryption of M using the symmetric session key K, concatenated with the encryption of the session key K under the public key Pentity of the addressee. The digital envelope mechanism is described in [PKCS#7, Cryptographic Message Syntax Standard, An RSA Laboratories Technical Note, Version 1.5, 1st of November 1993].
• Sentity<M>: Digital signature of message M generated with the private key of entity. The signature involves a cryptographic transformation using the entity private key on the summary of the message M, which is obtained by a cryptographic hash function. [Rivest, R.L., Shamir, A., and Adleman, L.M. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Comm. of the ACM, V. 21, n. 2, pages 120-126, 1978] may be taken as reference for the said cryptographic transformation. The resulting format of a digital signature is described in [PKCS#7, Cryptographic Message Syntax Standard, An RSA Laboratories Technical Note, Version 1.5, 1st of November 1993].

Any random value needed during the survey process is obtained from pseudo-random number generation (PRNG) routines. The said routines employ an initial value called a "seed" to generate a sequence of unpredictable values. In general, all random number generation in this invention makes use of natural noise sources to produce the seeds. Examples of such sources could be sequences of mouse movements or keyboard events produced by the surveyed person. Some examples of pseudo-random generators are given in [FIPS PUB 140-2: Security Requirements for Cryptographic Modules, http://csrc.nist.gov/cryptval/140-2.htm, April 2003], [Appendix 3 of FIPS PUB 186: Digital Signature Standard, http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf, April 2003] and [RFC 1750: Randomness Recommendations for Security, http://www.ietf.org/rfc/rfc1750.txt, April 2003].

Figure 1 shows the initialisation steps for an asymmetric key pair and the steps carried out by the surveyed person with the aid of some means of computation and/or communications system of the method, which are the object of this invention. In a first step 102, an asymmetric key pair PA and SA is generated, which belongs to the surveying authority.
The public component of the said pair is subsequently employed to protect the survey response. In a case in which the authority consists of a group of members, the private component SA is divided in step 104 in accordance with a secret-sharing cryptographic protocol, the properties of which are described below. The protocol specifies the number of shares into which the private key is divided and the minimum threshold necessary to recompose the said key. The assembly of a number of shares lower than the threshold does not allow the reconstruction of the said private key, nor does it provide any information that facilitates its recovery in any way. An attacker with one share has the same advantage as an attacker with a number of shares equal to the threshold minus one. Splitting the private key avoids placing too much trust in a single share. This cryptographic protocol prevents a single authority member, or a certain minority of them, from obtaining the private key SA. In general, it is assumed that majority coalitions among the authority members are not formed for dishonest purposes, since each of the members may have conflicting interests. In this invention, it is possible to use several cryptographic secret-sharing protocols for the division of the authority's private key SA among its members. [Applied Cryptography, Protocols, Algorithms, and Source Code in C (second edition), Bruce Schneier, editor John Wiley & Sons, Inc., 1996] contains a description of the same.

Once the private key SA has been divided into individual shares in step 104, each of them is stored in a secure way. In one case, the received share is stored in a secure personal memory device belonging to the corresponding authority member. These devices only allow access to the information they contain by means of a PIN. In the invention, the said PIN is only in the possession of the authority member.
In another case, if a secure memory device is not employed, the private key shares are encrypted by means of a suitable encryption system, typically symmetric, together with a secure random key that is different for each share. Each authority member receives one of the shares and the random key used to encrypt the said share, generated with or without his/her intervention. Optionally, in order to guarantee share integrity, the said shares can be digitally signed with a secret key, and the said signature is attached to the encrypted share. In accordance with another case, the combination of encryption protection and secure memory can be employed. The shares are encrypted in the same way as previously described; the information is then delivered to each authority member and protected by means of a secure memory device. The original private key, together with the unencrypted shares, is finally destroyed, eliminating all traces of them in the devices and processing systems.

In order to guarantee authentication 110 of those surveyed and the accuracy of the results, the invention provides an authentication validation that checks whether the response comes from one of the authorised surveyed persons.

In a first option, public key encryption is preferentially employed by those surveyed. According to this, in a first alternative 106A, each surveyed person has his or her own asymmetric key pair and uses it to authenticate 110 and to guarantee that the results are correct. A second alternative 106B, for the case in which those surveyed do not have an asymmetric key pair, contemplates the possibility of generating an asymmetric key pair for each surveyed person. The public component of the asymmetric key pair is certified by a trusted body. The private component of the said key pair can be kept in the custody of the surveyed person or the authority.
In this second alternative, the private component must be protected by a symmetric encryption system using a password that meets certain security parameters, in particular in relation to its entropy. The surveyed person is the only one who knows and protects the password. The protection of the private keys prevents them from being used without knowledge of the correct password, and they can therefore be transmitted in a secure way over a communications network.

In a second option, the authentication of those surveyed and of the result accuracy is implemented through the use of credentials of the identity of the surveyed person, such as passwords or PINs. It is evident that the second option provides a security level that is clearly lower than the previous option. For security reasons, this credential must only be employed in a single survey. The invention contemplates the alternative 106C of generating this credential of the surveyed person's identity for each of those surveyed and making it accessible 108B to the said surveyed persons. A random data string is obtained using a pseudo-random generator. The length of this string depends on the required security level, with a length of not less than 64 bits being recommended. The obtained password is Base64 formatted so that its owner can enter it using the keyboard. This credential is securely stored so that nobody can access it. In accordance with a first example, the password is encrypted with a key belonging to the authority. In a second example, the password is printed in hard copy format by some physical means, such as a printer, in a manner that can only be read by tearing the paper.

The following step 110 is optional and consists of surveyed person authentication. This authentication guarantees that only the group to be surveyed is able to access it.
If several surveys are being carried out on different groups at the same time, authentication allows the identification of the group to which the surveyed person belongs and provides that person with the correct survey. The invention contemplates two types of authentication, according to whether those surveyed have a duly certified asymmetric key pair, or information, such as a password, that accredits the identity of the surveyed person. In the case of having an asymmetric key pair, authentication is preferably carried out by a strong authentication protocol, for example, as described in X.509 [ITU-T standard, Recommendation X.509 (08/97) Information Technology - Open Systems Interconnection -- the Directory: Authentication Framework, 1997], or the industry standards WTLS [WAP Forum, Wireless Transport Layer Security specification, Version 06-Apr-2001, April 2001], TLS [Dierks, T. and Allen, C. The TLS protocol, version 1.0. Request for Comments 2246, January 1999], or its SSL predecessor [Freier, A.O., Karlton, P. and Kocher, P.C. The SSL protocol, version 3.0. Internet-Draft, November 1996], with bilateral authentication. The use of biometric identification can be combined with the strong authentication mechanism in order to add further security to remote authentication of those surveyed. In the second option, in which the surveyed person has a password, authentication is performed in a traditional way by means of the said password.

Once the surveyed person accesses the survey, he or she can respond to it. Optionally, the survey can include proofs of its authenticity and integrity. The said proofs can guarantee that the survey has been issued by the authority and has not been modified. This proof is a digital signature for the survey Enc 112, SA<Enc>, carried out by the authority, which must be verified prior to the surveyed person responding to the survey.
Once the survey has been completed by the surveyed person, the privacy of the response Renc is protected 116, through the prior generation of a random factor 114 with one of the previously described methods. The random factor is used to encrypt the response and guarantees that the cryptograms obtained by those surveyed are different even though the response is the same for all of them and is protected by the same public key. If the surveyed person has a duly certified key pair, the message M = Renc | Eid is formed by concatenation and protected using the random factor and the authority's public key, generating a cryptogram 116. In the case in which the surveyed person does not have the said key pair, his or her password is concatenated with the previous data, M = Renc | Eid | CS, and protected using the random factor and the authority's public key, generating a cryptogram 115 (Figure 4). In a first alternative, this protection is implemented using a digital envelope built with the authority's public key, EK[M] | PA[K]. The digital envelope protects the privacy of the response. In a second alternative, the survey response is protected by means of probabilistic encryption.

As previously mentioned, if the authority's private key is divided into shares, the response cannot be accessed until a number of authority members equal to or greater than the threshold are available to reconstruct it. The intermediate results are secret because, up to this moment, the digital envelopes cannot be opened, since the private component of the authority's asymmetric key pair is not available.

If the surveyed person has an asymmetric key pair, the constructed envelope is digitally signed 118, giving SE<EK[M] | PA[K]>. The digital signature guarantees the response authenticity and integrity. An attacker cannot add valid responses because he/she cannot access the private component of the key pair of those surveyed, and so cannot digitally sign the encrypted responses.
In the case of the surveyed person not having an asymmetric key pair, the password will prevent an attacker adding valid responses because he/she does not know the valid passwords. This method is not as secure as the digital signature, but it also proves that the response comes from an authorised surveyed person.
In step 120, the surveyed person makes the cryptogram available to the authority or intermediate service, which subsequently forwards the response to the authority. If the surveyed person has an asymmetric key pair, the digital signature for the cryptogram SE<EK[M] | PA[K]> is also made available.
The cryptograms are securely stored until the time allowed for survey response is closed. In a first possible alternative, the cryptograms are stored on physical media that only allow a single write session, such as a CD or DVD without any rewriting possibilities; in other words, it is only possible to write to the physical media once, and any further write attempt at the same media position is blocked. In this way, it becomes impossible to modify or delete the said cryptogram from the said media. In the case of an outside attacker accessing the system holding the cryptograms, they cannot be deleted because the physical media does not support this operation. In a second possible alternative, the cryptograms are stored in two different databases, so that the attacker has to delete the cryptograms from the two databases in order to alter the survey results. The second alternative is not as secure as the first, but it still makes it difficult for any attacker.
Once the time allowed for the surveying is over, the responses held in the cryptograms are accessed. In the case of a digitally signed cryptogram, the signature is verified 122 (Figure 2). If the signature is correct, it is separated from the digital envelope; otherwise the digital envelope is discarded.
The order in which those surveyed responded to the survey and the order in which the responses are shown will make it possible to correlate those surveyed with their responses. The invention contemplates the alternative of performing a permutation 126 on the order of the responses protected by means of the cryptogram, before or after the signature verification.
When the authority's private key SA has been split, it is necessary to implement an additional prior step 124 in order to reconstruct it. Depending on the method employed to protect the shares of the private key, each member carries out different actions. When using a secure memory device to protect the shares, each authority member provides the device and introduces the secret PIN. When the shares are protected by encryption, each authority member provides his or her share and the associated password for the share decryption. In the second option, in which the share is protected by encryption and stored in a secure memory device, the authority member provides the device and enters the PIN and password. Once all the shares are available, the authority's private key SA is reconstructed. If the protected shares have been digitally protected before using them, reconstruction of the private key requires their digital signature validation. The validation uses the public key corresponding to the private key employed to generate the digital signature.
The next step is to remove the protection 128 from the responses. To do this, the cryptograms containing the responses are decrypted using the private component of the authority's asymmetric key pair. In the preferred alternative for response protection (digital envelope), the private key gives access to the random factor, which is then used to decrypt the cryptogram, obtaining the response.
In the option in which those surveyed do not have an asymmetric key pair, the validity of each response is verified by checking 130 the password attached to the response. The accuracy of all the attached data is also verified in this step.
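The threshold behaviour of the split 104 and the reconstruction 124 can be seen in a short added example, which is not code from the patent. It assumes Shamir's secret sharing over a prime field as the secret-sharing protocol; the function names, the 3-of-5 threshold and the 32-byte key value are constructed for illustration.

```python
import secrets
from itertools import combinations

# Field modulus: 2**521 - 1 is a Mersenne prime, so every nonzero element is invertible.
P = 2**521 - 1


def split_key(secret, threshold, members):
    """Step 104: split `secret` (an int < P) into one share per authority member."""
    if not 1 < threshold <= members:
        raise ValueError("need 1 < threshold <= members")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, members + 1):  # x = 0 would reveal the secret itself
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct_key(shares):
    """Step 124: Lagrange interpolation at x = 0 over the shares provided."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")
    secret = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


def all_quorums_recover(secret, shares, threshold):
    """True if every subset of exactly `threshold` members rebuilds the key."""
    return all(reconstruct_key(list(q)) == secret
               for q in combinations(shares, threshold))


if __name__ == "__main__":
    # Constructed 32-byte value standing in for the authority's private key SA.
    sa = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_key(sa, threshold=3, members=5)
    print("any 3 of 5 recover SA:", all_quorums_recover(sa, shares, 3))
    print("2 shares recover SA:  ", reconstruct_key(shares[:2]) == sa)
```

Interpolating fewer shares than the threshold still returns a field element, only not the key, so the reconstruction gives no error signal of its own; the signature validation of shares described above is what detects a wrong or altered share.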
In a preferred embodiment, before or after the opening of the responses, a random permutation of the order of the responses 132 is made in order to prevent correlation between the identities of those surveyed (authenticity tests accompanying the responses) and their respective responses (data inside the digital envelopes). The software implementing the permutation process and opening of the protected responses must be duly audited and certified in order to guarantee that no operation outside the processes of this invention has taken place.
Finally, the survey responses are tabulated 134 to facilitate their processing.
Some of the operations performed by the authority with the aid of computation methods and associated software are highly sensitive, for example, the reconstruction of the authority's private key 124, the recovering of the response 128, the password verification 130 and the permutation of the response order 132. Consequently, in a preferred embodiment example, these operations are performed by a device that is secure against manipulation, such as an nShield device manufactured by nCipher. The use of this device prevents an attacker from accessing the data and/or software it contains. In another embodiment example, the mentioned operations are carried out on a conventional computation device, such as a personal computer, but disconnected from any communications network. This method prevents any type of unauthorised remote access and so guarantees a high level of security for the mentioned operations.
Figure 3 shows a first embodiment example, which describes the secure electronic survey method of the invention in the case in which the surveyed person does not have a previous asymmetric key pair.
First, an asymmetric key pair belonging to the authority is generated 102, where the public component of the said asymmetric key pair is subsequently used to protect the survey response.
In the case where the authority consists of a group of members, the split 104 of the private component of the authority's asymmetric key pair is implemented by means of a determined secret-sharing cryptographic protocol as previously described. Once the split of the private key into individual shares has been accomplished, each of the said resulting shares is securely stored.
Preferably, since the surveyed person does not have an asymmetric key pair and this embodiment example uses public key encryption by the surveyed person, the said asymmetric key pair is generated 106B, making the protected private key accessible 108A to the surveyed person. The protection for the said key has already been described.
Subsequently, authentication 110 of those surveyed can be carried out using a strong authentication protocol. Once authenticated 110, the surveyed person can now access the survey in order to respond to it. The said survey can include an authenticity and integrity proof, which guarantees that the survey has been issued by the authority and has not been modified. This test is a survey digital signature 112, which must be verified prior to the surveyed person responding to the survey.
Once the surveyed person has responded to the survey, a random factor is generated 114 to protect the response privacy. With said random factor and the authority's public key, the response is protected 116, producing a cryptogram. The said cryptogram is digitally signed 118 in order to guarantee the integrity and authenticity of the response. Once the protection is implemented, the surveyed person makes the cryptogram available 120 to the authority, maintaining the cryptograms securely stored until the surveying time is over. From this moment, the cryptograms are processed, verifying 122 the cryptogram digital signature. Since the authority's private key has been split, step 124 is required to reconstruct the said authority's private key.
Then a permutation 126 of the cryptograms is performed and the responses are obtained 128 after having been decrypted with the survey authority's private component of the asymmetric key pair. In this case, the authority's private key allows the retrieving of the random factor, which is then used to decrypt the response.
Once the responses have been decrypted, they are permuted 132 to prevent any possible association between the identities of those surveyed and the respective responses. The following step is to tabulate 134 the responses to facilitate their processing.
Figure 4 shows a second embodiment example, which describes the method for secure electronic surveys of the invention, in which a piece of information accrediting the surveyed person is generated, such as a password, for the authentication of the surveyed person and to guarantee the accuracy of the survey responses.
In a first step, an asymmetric key pair belonging to the authority is generated 102, where the public component of the said asymmetric key pair is subsequently used to protect the survey response.
In the case where the authority consists of a group of members, the split 104 of the private component of the authority's asymmetric key pair is performed by a determined secret-sharing cryptographic protocol. Once the division of the private key into individual shares has been accomplished, each of the said resulting shares is securely stored.
Then, a piece of information accrediting the surveyed person, such as a password, is generated 106C to authenticate that person. As has already been commented, the said second embodiment example provides less security than that of the first embodiment example shown in Figure 3. Once the said password is generated 106C, it is distributed 108B to the surveyed person.
Subsequently, authentication 110 of those surveyed can be carried out using the traditional password method. Once authenticated 110, the surveyed person can now access the survey in order to respond to it. The said survey can include an authenticity and integrity proof, which guarantees that the survey has been issued by the authority and has not been tampered with. This test is a digital signature of the survey 112, which must be verified prior to the surveyed person responding to the survey.
Once the surveyed person has responded to the survey, a random factor is generated 114 to protect the response privacy. Using said random factor and the authority's public key, the response and password are protected 115, generating a cryptogram. Once the protection is implemented, the surveyed person makes the cryptogram available to the authority, maintaining the cryptograms securely stored until the surveying time is over. From this moment, the cryptograms are processed. Since the authority's private key has been split, step 124 is required to reconstruct the said authority's private key.
Then a permutation 126 of the cryptogram order is performed and the responses are obtained 128 after having been decrypted with the survey authority's private component of the key pair. In the following step, the validity of each response is verified by verification 130 of the password attached to the response, also checking the accuracy of all data included in the response.
Once the responses are decrypted and if the permutation of the cryptogram order 126 has not been performed, the responses are permuted 132 to prevent any possible correlation between the identities of those surveyed and the respective responses, and the said responses are tabulated 134 to enable their processing.
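The authority-side steps 130, 132 and 134 of this second embodiment, applied to plaintexts already recovered in step 128, are sketched in the following added example (not code from the patent). The "|" separator, the reading of Eid as a survey identifier, the stored password digests, the one-response-per-password rule and all sample values are assumptions constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter

SEP = "|"  # assumed separator for the concatenation M = Renc | Eid | CS


def digest(password):
    """Digest of an issued password (assumption: the authority keeps these from
    step 106C, and generated passwords are random, high-entropy strings)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def process_opened(plaintexts, survey_id, issued_digests):
    """Run steps 130, 132 and 134 on plaintexts recovered in step 128.

    Returns (tally, responses, rejected): `responses` is the permuted list that
    may leave the secure environment; it carries no password or identifier.
    """
    accepted, used, rejected = [], set(), 0
    for m in plaintexts:
        # Split from the right so a separator inside the response is preserved.
        parts = m.rsplit(SEP, 2)
        if len(parts) != 3:
            rejected += 1
            continue
        response, eid, password = parts
        d = digest(password)
        # Step 130: the attached password must be one that was issued, and the
        # attached data must match this survey. Rejecting a reused password is
        # an assumption of this example (one response per password).
        if eid != survey_id or d not in issued_digests or d in used:
            rejected += 1
            continue
        used.add(d)
        accepted.append(response)  # the credential is dropped at this point
    # Step 132: permute with the OS CSPRNG; a seeded or predictable generator
    # would let the arrival order be recomputed from the output.
    secrets.SystemRandom().shuffle(accepted)
    # Step 134: tabulate.
    return Counter(accepted), accepted, rejected


if __name__ == "__main__":
    # Constructed sample data, in arrival order.
    issued = {digest(p) for p in ("pw-a1", "pw-b2", "pw-c3")}
    opened = ["yes|S1|pw-a1", "no|S1|pw-b2", "yes|S1|pw-c3",
              "yes|S1|pw-zz", "no|S1|pw-b2", "yes|S2|pw-a1"]
    tally, responses, rejected = process_opened(opened, "S1", issued)
    print(dict(tally), responses, "rejected:", rejected)
```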

Claims (32)

1. An automated acquisition method for information, such as opinions, convictions or judgements, from subjects, by means of computation methods and/or communications systems, together with associated software, guaranteeing the privacy of the said subjects, characterised in that it consists of the following steps:
a) to provide (102) an authority with at least one pair of asymmetric keys and to make the public component of the said at least one pair of asymmetric keys of the said authority accessible to the said subjects;
b) to protect the said information acquired from each of the said subjects by means of the said associated software, consisting of: the generation (114) of a random factor, the encryption (116) of the said acquired information employing the said public component of the said at least one pair of asymmetric keys of the said authority and said random factor, obtaining a cryptogram that can only be decrypted exclusively by the said authority.
c) make the said cryptogram of step b) available (120) to the said authority, and
d) employ, in a secure, manipulation-free environment, the said private component of the said at least one pair of asymmetric keys of the said authority to decrypt (128) the said cryptogram of step b), obtaining the information acquired from each subject, and permuting (132) the order of the said acquired information so that the order of the said cryptograms is unlinked from the order of the said information.
2. A method, in accordance with claim 1, characterised in that the said secure environment is a conventional computing device, such as a personal computer, that allows local access exclusively.
3. A method, in accordance with claim 1, characterised in that the said secure environment is a device that cannot be manipulated, such as a smart card or cryptographic accelerator, with the possibility for internal code execution.
4. A method, in accordance with claim 1, characterised in that the said cryptogram of step b) is made available to an intermediate service, which stores and, once the time allowed for automated data acquisition is over, makes the said cryptogram available to the said authority.
5. A method, in accordance with claim 1, characterised in that an authentication proof of the said cryptogram is attached by the said subjects, with the aid of the said computing means.
6. A method, in accordance with claim 5, characterised in that the said subjects are also provided (108B) with a piece of information that accredits their identities, such as a password or a PIN in order to generate the said authentication proof.
7. A method, in accordance with claim 6, characterised in that it verifies (130) the said authentication proof attached with the said acquired information piece using the said piece of information that accredits the subject identity.
8. A method, in accordance with claim 6 or 7, characterised in that the said authentication proof is the result of a cryptographic question-response protocol.
9. A method, in accordance with any of the claims 6 to 8, characterised in that the said authentication proof is encrypted (115) in step b), together with the said acquired information.
10. A method, in accordance with claim 1, characterised in that it provides (108A) an asymmetric key pair to each of the said subjects, certifying the public component of each asymmetric key pair and maintaining the private key under secure conditions.
11. A method, in accordance with claim 10, characterised in that the said private component of the said pair of asymmetric key pair of the said subjects is held in a suitable computing device, advantageously in a secure device, such as a card with a microprocessor incorporated.
12. A method, in accordance with claim 10, characterised in that the said private component of the said pair of asymmetric key pair of the said subjects is held on a remote computing platform and the said private key is protected by means of a method, such as symmetric encryption, using a secure key or password, facilitating the said key or password in secret to the said subjects or being directly chosen by the said subjects, and in that the said private component is made available at the beginning of the said automated information acquisition.
13. A method, in accordance with claim 10, characterised in that it issues (118) a digital signature for the said cryptogram of step b), with the private component of the said asymmetric key pair belonging to the said subjects and attaching the said digital signature with the said cryptogram of step b) as an authentication proof of the said cryptogram.
14. A method, in accordance with claim 1, characterised in that it digitally signs the said cryptogram of step b) with the private component of the said at least one asymmetric key pair belonging to the said authority or to an intermediate service which stores the cryptogram and, once the time allowed for automated information acquisition is over, makes the said cryptogram accessible to the authority.
15. A method, in accordance with claim 1, characterised in that it digitally signs (112) certain data, for example, matters, questions or options that are used as the base to generate the said acquired information, with the private component of the at least one asymmetric key pair from the said authority.
16. A method, in accordance with claim 1, characterised in that in step b) it encrypts the said acquired information with a symmetric encryption system using the said random factor as the key and encrypts the said random factor with the public component of the said at least one asymmetric key pair from the said authority.
17. A method, in accordance with claim 1, characterised in that it encrypts the said information with a probabilistic encryption system, using as the base of said encryption the said random factor and the public component of the said at least one asymmetric key pair from the said authority.
18. A method, in accordance with claim 1, characterised in that it stores the said cryptogram of step b) on physical media, such as a CD or DVD that cannot be rewritten.
19. A method, in accordance with claim 1, characterised in that it stores the said cryptogram of step b) in two different databases.
20. A method, in accordance with claim 1, characterised in that it implements a codification of said cryptogram of step b), such as base64 or bar code formatting, and makes a hard copy of the codification on, for example, paper.
21. A method, in accordance with claim 1, characterised in that it permutes (126) the order of the said cryptograms of step b), before, after or simultaneously with their decryption.
22. A method, in accordance with claim 13, characterised in that it carries out verification (122) of the said digital signature of the said cryptogram of step b) using the public component of the said asymmetric key pair of the said subjects.
23. A method, in accordance with claim 1, characterised in that the said authority consists of a group of independent members.
24. A method, in accordance with claim 23, characterised in that it controls the access to the private component of the said at least one asymmetric key pair from the said authority, which is necessary to decrypt the said cryptogram of step b), to only a part fixed by a minimum threshold or all of the said group of the said independent members, preferably in accordance with a cryptographic secret-sharing protocol.
25. A method, in accordance with claim 24, characterised in that the said cryptographic secret-sharing protocol consists of (104) splitting the said private component of the said at least one asymmetric key pair from the said authority into fragments or shares and distributing the said fragments among the said independent members, with the characteristic of that the assembly of a number less than the threshold for the said shares provides no information whatsoever.
26. A method, in accordance with claim 25, characterised in that the said fragments or shares are encrypted by means of an encryption system, such as a symmetric encryption system using secure keys or passwords, obtaining encrypted shares that are stored and the said secure keys or passwords are distributed among the said independent members.
27. A method, in accordance with claim 26, characterised in that at least one of the said encrypted shares is digitally signed using the private component of the said asymmetric key pairs from the said authority or of an asymmetric key pair of the said intermediate service.
28. A method, in accordance with claim 1, characterised in that it consists of an additional authentication step (110) of the said subjects.
29. A method, in accordance with claim 28, characterised in that the said additional authentication step consists of the said subjects providing a piece of information, such as a password or PIN.
30. A method, in accordance with claim 10, characterised in that it consists of the authentication of the said subjects by means of executing a strong authentication protocol based on public key cryptography.
31. A method, in accordance with claim 1, characterised in that it uniquely identifies the said acquired information by means of an identifier, such as a number or data string.
32. A method, in accordance with claim 31, characterised in that the said identifier is digitally signed with the private component of a pair of the said asymmetric key pairs from the said authority or the said intermediate service.
AU2003222410A 2003-05-09 2003-05-09 Secure electronic polling method and cryptographic processes therefor Expired AU2003222410B2 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2003/001884 WO2004100031A1 (en) 2003-05-09 2003-05-09 Secure electronic polling method and cryptographic processes therefor

Publications (2)

Publication Number Publication Date
AU2003222410A1 (en) 2004-11-26
AU2003222410B2 AU2003222410B2 (en) 2009-11-05

Family

ID=33428259

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2003222410A Expired AU2003222410B2 (en) 2003-05-09 2003-05-09 Secure electronic polling method and cryptographic processes therefor

Country Status (3)

Country Link
AU (1) AU2003222410B2 (en)
MX (1) MXPA05011853A (en)
WO (1) WO2004100031A1 (en)

Also Published As

Publication number Publication date
AU2003222410B2 (en) 2009-11-05
MXPA05011853A (en) 2006-05-25
WO2004100031A1 (en) 2004-11-18

Legal Events

Date Code Title Description
TC Change of applicant's name (sec. 104)

Owner name: SCYTL SECURE ELECTRONIC VOTING, S.A.

Free format text: FORMER NAME: SCYTL ONLINE WORLD SECURITY, SA

FGA Letters patent sealed or granted (standard patent)
PC Assignment registered

Owner name: SCYTL ELECTION TECHNOLOGIES S.L.

Free format text: FORMER OWNER(S): SCYTL SECURE ELECTRONIC VOTING, S.A.

MK14 Patent ceased section 143(a) (annual fees not paid) or expired