CA2605569C - Electronic negotiable documents - Google Patents
Electronic negotiable documents Download PDFInfo
- Publication number
- CA2605569C CA2605569C CA2605569A CA2605569A CA2605569C CA 2605569 C CA2605569 C CA 2605569C CA 2605569 A CA2605569 A CA 2605569A CA 2605569 A CA2605569 A CA 2605569A CA 2605569 C CA2605569 C CA 2605569C
- Authority
- CA
- Canada
- Prior art keywords
- tamper
- document
- seller
- document carrier
- resistant
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Abstract
A method of issuing an electronic negotiable document (END) comprising: creating as data an END and storing this in a tamper-resistant document carrier, the document carrier containing a unique public-secret key pair for signing and verifying and a unique document carrier identifier; signing the unique document-carrier identifier, the END and an END identifier using the secret key of the public-secret key pair and storing the result in the document carrier.
Description
ELECTRONIC NEGOTIABLE DOCUMENTS
This is a divisional application of Canadian Patent Application Serial No. 2,212,457 filed on February 8, 1996.
Background of the Invention This invention relates to methods and devices for the issue and negotiation of electronic negotiable or quasi negotiable documents (END), and is particularly relevant to systems which are sufficiently secure in open environments.
It should be understood that the expression "the invention"
and the like encompasses the subject matter of both the parent and the divisional application.
The goal to achieve is that an electronic document - or rather, an electronic realisation of a document - at any particular time can be proved to be the (temporary) property of a particular user. This is clearly required for what is known as negotiable or quasi-negotiable documents. The most interesting examples in trading are Bills of Lading, apart from cash and cheques. The main requirement is thus that these documents be unforgeable.
With ordinary paper documents, the problem is solved by giving the original of a document certain physical attributes that are difficult to reproduce. With this precaution, it makes sense to speak of the original of a document and define the owner simply as the person holding the original. An electronic (quasi)-negotiable document will in the following be denoted by END.
la The important property required is apparently that of uniqueness. The problem is to find a suitable attribute on an electronic document which somehow would give it the property of uniqueness, explicitly or implicitly.
Obviously the concept of an original does not make sense for electronic documents, and other (e.g. cryptographic) methods must ensure that the owner of a '0 96/24997 PCT/IB96/00163 particular electronic document can be identified. One question is to what extent this will involve a trusted third party (TTP).
Any document of some value must initially be generated by someone, who will guarantee this value. This requires the proof of, or non-repudiation of, origin service, which is a well known art and realized using digital signatures.
The question now is how to develop a protocol to cover the situation, where an END, once issued, is to change hands. The main problem is to ensure, that the new owner is uniquely identified, or, in other words, that the seller cannot circumvent the measures and sell the same END to two different entities.
It is now generally recognized that this could only be achieved using cryptographic techniques, in the sense that violation will be detected. Further, it is necessary to use tamper resistant document carriers, such as smart cards (plastics cards containing an integrated circuit) or workstations. "Tamper-proof" or "tamper-resistant" means that the functionality of the device cannot be changed, and that any attempt to do so can be readily detected; in many cases, the device would simply be destroyed by tampering.
One obvious solution would be to introduce a trusted third party (TTP) to register at all times the possession of a particular document, but this would leave the TTP with heavily liability burdens, and is not a popular solution.
Another solution would be to represent each END with a unique chip card, but transfer of the END would necessitate physical transfer of the chip card, which in many cases would be impractical.
The only other way to provide uniqueness is physically to prohibit free copying. This would involve tamper resistance to realize a protected communication with restricted functionality, if possible.
It is known to provide an encryption technique which ensures uniqueness. in the transfer of data between two devices. Such a technique is described for example in "New Directions in Cryptography", W. Diffie and M.
Hellman, IEEE IT 22 (1976), 644-654. Briefly, each device stores a unique pair of codes known as the public key and the secret key. These constitute a set of matching keys with an underlying algorithm. Such algorithms include RSA and DSA, which are described respectively in U. S. patents 4 405 829 (R. Rivest, A.
Shamir and L. Adleman) and 5 231 668 ("Digital Signature Algorithm", by D. Kravitz). The secret key S can be used to provide in effect a digital signature S(D) on input data D. The corresponding public key P can then be used to verify that the input for S(D) must have been S and D. Data from a seller's document carrier, for example, can be encrypted using the public key P of the buyer's document carrier, transmitted to the buyer, and then decrypted using the buyer's secret key, if the public key scheme is of encryption type.
The basic principle for achieving uniqueness here is simple but fundamental: A message encrypted under a key known to only one entity is unique, as long as it is encrypted, and establishes undisputable ownership by the mere fact that it will only be useful to the owner of the key. Only the person in possession of the right key can make any use of the document, which in effect is the property of uniqueness.
On the other hand, the only way the rightful owner can verify that the right END has been encrypted by his key is by decrypting it. But this will give him access to the message and he may subsequently be able to "sell" it to two different persons by encrypting it with their respective keys. A purpose of the invention is to provide a way of avoiding this. This requires tamper resistant hardware, perhaps a chipcard, or a hardware protected PC. In the following, this hardware and equivalent hardware will be called the DOC-carrier, or D-C when abbreviated. Its properties will be described in detail below.
Summary of the Invention The purpose is to replace paper documents such as cash, bank cheques and bills of lading with freely-transmissible electronic data.
The invention provides a system with the following properties:
An END (or at least the digital signature component of the END) is generated electronically, for instance by using non-repudiation of origin, in a tamper resistant unit and then loaded onto a DOC-carrier (if not the same). As mentioned, this requires some care. It is essential that the signature thus appended to provide the non-repudiation is never disclosed. (it would of course suffice to represent the END by a hash value and the generating digital signature inside the DOC-carrier if storage is a problem). The message itself does not need to be protected.
1 i 1 4a More specifically, an END (or at least the signature component) is transferred from one DOC-carrier to another, through a public unprotected network, in such a way that 1. It can only be transferred as a meaningful document to one particular DOC-carrier, which nevertheless can be chosen from any number of registered DOC-carriers 2_ Recovery is possible, if the transfer is unsuccessful 3. The protocol cannot be completed by any other device than an authorized DOC.
The system should be completely open to communication, between any two DOC-carriers, - without bilateral agreements.
Accordingly, in one aspect, the invention provides a method of issuing an electronic negotiable document (END), the method comprising creating as data an END and storing this in a tamper-resistant document carrier, the document carrier containing a unique public-secret key pair for signing and verifying and a unique document carrier identifier, and signing the unique document-carrier identifier, the END and an END identifier using the secret key of.the public-secret key pair and storing the result in the document carrier.
In another aspect, the invention provides a method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier having its own public-secret key pair, in which the END is stored in the seller's document carrier in the form of END data, and PAGE 11124"RCVD AT 101212009 4:54:13 PM (Eastern Daylight Time] I
SVR:F000031201 DNIS:3907"CSID:6132308821 t DURATION (mm.ss):0240 5a a signature generated by the secret signing-key of a document carrier of an issuer of the END, together with a negotiability status flag indicative of whether the END is currently negotiable from the document carrier on which it is stored, comprising establishing mutual recognition between the seller and buyer using a predetermined protocol between the respective document carriers, verifying in the seller's document carrier that the negotiability status flag is "negotiable" and aborting the negotiation if not, sending the public encryption key of the buyer's document carrier to the seller's document carrier, and using it to encrypt a message comprising the END together with the negotiability status flag, sending that encrypted message to the buyer, decrypting that message using the buyer's secret decryption key, and setting the negotiability status flag for that END of the buyer's and seller's document carriers respectively to "negotiable" and "non-negotiable".
In another aspect, the invention provides a method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier having its own public-secret key pair, in which the END is stored in the seller's document carrier in the form of END data, and a signature generated by the secret signing key of a document carrier of an issuer of the END, together with a serial number counter indicative of the number of times that the END has been negotiated since issue, comprising establishing mutual recognition between seller and buyer using a predetermined protocol between their respective document carriers, verifying in the seller's document carrier that the END, if it has been stored previously in that document carrier, has a different counter value this time and is therefore negotiable, but aborting the Sb negotiation if it is not negotiable, sending the public encryption key of the buyer's document carrier to the seller's document carrier, and using it to encrypt a message comprising the END together with the counter, sending that encrypted message to the buyer, decrypting that message using the buyer's secret decryption key, and incrementing the counter by one.
In another aspect, the invention provides a tamper-resistant document carrier adapted to store an END, the document carrier comprising a unique public-secret key pair for signing and verifying and a unique document carrier identifier, means for encrypting the unique document carrier identifier, the END and an END identifier using the secret key of the public-secret key pair and means for storing the result in a memory of the document carrier.
In another aspect, the invention provides a method of electronically negotiating an electronic negotiable document, transferred along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein the seller is not a bank, the method comprising:
issuing from a trusted supplier said seller with seller tamper-resistant document carrier hardware, said seller tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said seller, said seller tamper-resistant document carrier bearing said electronic negotiable document and a signature calculated using said Secret key;
issuing from a trusted supplier said buyer with buyer tamper-resistant document carrier hardware, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said buyer;
PAGE 13124: RCVD AT 1012f 2009 4:54:13 PM tEastern Daylight Time] I
SVR:F00003120 E DNIS:39071 C$ID:6132308821 E DURATION (mm.ss):02.40 5c transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware;
splitting the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
inputting to said buyer tamper-resistant document carrier hardware, now acting as seller tamper-resistant document carrier hardware, values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and which each new said split version has a value such that the sum of the values of said two or more split versions adds up to a value of said original electronic negotiable document;
digitally signing said split versions using said secret key of said buyer tamper-resistant document carrier hardware acting as seller tamper-resistant document carrier hardware to generate a splitting signature; and transferring said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
According to an aspect of the present invention, there is provided a method of electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the method comprising:
5d using seller tamper-resistant document carrier hardware issued from a trusted supplier to issue an electronic negotiable document, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, using said seller tamper-resistant document carrier hardware to calculate a signature using said secret key;
transferring via a network, said electronic negotiable document from said seller tamper-resistant document carrier hardware to buyer tamper-resistant document carrier hardware which has been issued by a trusted supplier and which has its own public-secret key pair, wherein said secret key is not accessible to said seller;
using said buyer tamper-resistant document carrier hardware to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
define values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature; and transfer via said network, said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
5e wherein said buyer tamper resistant document carrier hardware is now acting as seller tamper resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
According to another aspect of the present invention, there is provided a system for electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the system comprising:
seller tamper-resistant document carrier hardware issued from a trusted supplier, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, and said tamper-resistant document carrier hardware issues said electronic negotiable document and calculates a signature using said secret key;
buyer tamper-resistant document carrier hardware issued from a trusted supplier, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said buyer; and a network for transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware; wherein said buyer tamper-resistant document carrier hardware is configured to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating 5f two or more split versions of said electronic negotiable document each with a new sequence number;
generate values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature; and said network transfers said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper-resistant document carrier hardware is acting as a seller tamper-resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
Brief Description of the Drawings In order that the invention may be better understood, an embodiment of the invention will now be described, with reference to the accompanying drawings, in which:
5g Figure 1 is a diagram illustrating, by way of an overview, the negotiation of an END between two document carriers, showing the main components of the document carriers;
Figure 2 is a schematic flow diagram of the generation of an END; and Figure 3 is a schematic flow diagram of the negotiation of an END.
Description of the Preferred Embodiment Each DOC-carrier "possesses" a public key pair. The secret key of this pair must not even be known to the owner of the DOC-carrier. It would be required to realise this in such a way that not even the system provider knows the DOC-secret keys. Thus the secret key must be generated on the DOC-carrier and never leave it unprotected. The DOC-carrier itself should be freely available, but stationary, and certified by some Certification Authority along the lines of the X.509 security architecture.
The END consists of the information as represented in an electronic message, and the corresponding digital signature, calculated by means of the secret key of the issuer and -typically - a hash value of the electronic message. The format could for instance be a special-EDIFACT message for the electronic message, whereas the signature will be calculated and stored securely on the DOC-carrier.
Now, the problem is that this shall only be released through a selling process to another DOC-carrier. So the question is, how can one DOC-carrier identify another?
The most attractive solution seems to be the following approach: A trusted party called the Certification Authority CA, authorizes all DOC-carriers in the following manner: The public key of the CA is installed on the DOC-carrier, as well as the secret DOC-carrier key, in a ROM, and in such a way that the secret key cannot be disclosed. Moreover, when a document, or rather the accompany key protected signature is entered on the DOC-carrier, the DOC-carrier software must ensure that it can only be realised again encrypted under a public key certified by the CA secret key (and verified by means of the corresponding public key on the DOC-carrier). The point behind this is that it will prevent the use of a non-authorized DOC-carrier to get access to the vital signature on an END, which defines that particular negotiable electronic document. In particular this encrypted message is useless excepted when imported into the DOC-carrier holding the corresponding secret key. It is thus important to realize that the value of the negotiable document is represented by the digital signature of the issuer.
Furthermore, and this is an essential property, such an encryption of a particular END on an individual DOC-carrier can take place only once, or rather, once a public key has been selected, it is impossible at any later stage to go through the same procedure with another public key.
Such a system would solve the problem of uniqueness in general - provided it works in practice. The difficult part, which also requires a careful analysis, is to recover from failure. In,other words, the problem has been reduced to that of availability.
First of all the DOC-carrier may go down. The only way to. recover from that is to have the same information on a backup DOC-carrier. This requires" that a protocol is developed, which ensures that the back-up card cannot be used to sell the END to a different entity. Another possibility is to demand that whenever aback-up copy is required, the CA must be contacted.
Secondly, something may go wrong with the encryption in a selling process. This will be easy to recover from, by encrypting once again under the same public key. The use of certificates will ensure with extremely high probability that the public key used for encryption is correct:
Thirdly, something may go wrong in the data transmission from one DOC-carrier to another. But this is handled by re-transmission. The encrypted version of an END needs not be protected. In particular, a totally insecure network may be used to exchange the encrypted END.
Finally, something may go wrong in the receiving DOC-carrier. This may best be handled by a back-up card, with special procedures for recovery.
The functionality of the DOC-carrier is explained in Figure 1. With the notation of the discussion above, this gives an overview of the design of a DOC-carrier.
The general principle of the protocol between two DOC-carriers A and B is represented in the following sequence, the numerical stages 1 to 6 of which are shown in Figure 1:
1. The certificate of B is forwarded to A
2. A verifies the certificate of B
If this is successful, 3. A encrypts the relevant electronic END (or rather, the defining signature) with the public key of B
and 4. forwards this to B
This is a divisional application of Canadian Patent Application Serial No. 2,212,457 filed on February 8, 1996.
Background of the Invention This invention relates to methods and devices for the issue and negotiation of electronic negotiable or quasi negotiable documents (END), and is particularly relevant to systems which are sufficiently secure in open environments.
It should be understood that the expression "the invention"
and the like encompasses the subject matter of both the parent and the divisional application.
The goal to achieve is that an electronic document - or rather, an electronic realisation of a document - at any particular time can be proved to be the (temporary) property of a particular user. This is clearly required for what is known as negotiable or quasi-negotiable documents. The most interesting examples in trading are Bills of Lading, apart from cash and cheques. The main requirement is thus that these documents be unforgeable.
With ordinary paper documents, the problem is solved by giving the original of a document certain physical attributes that are difficult to reproduce. With this precaution, it makes sense to speak of the original of a document and define the owner simply as the person holding the original. An electronic (quasi)-negotiable document will in the following be denoted by END.
la The important property required is apparently that of uniqueness. The problem is to find a suitable attribute on an electronic document which somehow would give it the property of uniqueness, explicitly or implicitly.
Obviously the concept of an original does not make sense for electronic documents, and other (e.g. cryptographic) methods must ensure that the owner of a '0 96/24997 PCT/IB96/00163 particular electronic document can be identified. One question is to what extent this will involve a trusted third party (TTP).
Any document of some value must initially be generated by someone, who will guarantee this value. This requires the proof of, or non-repudiation of, origin service, which is a well known art and realized using digital signatures.
The question now is how to develop a protocol to cover the situation, where an END, once issued, is to change hands. The main problem is to ensure, that the new owner is uniquely identified, or, in other words, that the seller cannot circumvent the measures and sell the same END to two different entities.
It is now generally recognized that this could only be achieved using cryptographic techniques, in the sense that violation will be detected. Further, it is necessary to use tamper resistant document carriers, such as smart cards (plastics cards containing an integrated circuit) or workstations. "Tamper-proof" or "tamper-resistant" means that the functionality of the device cannot be changed, and that any attempt to do so can be readily detected; in many cases, the device would simply be destroyed by tampering.
One obvious solution would be to introduce a trusted third party (TTP) to register at all times the possession of a particular document, but this would leave the TTP with heavily liability burdens, and is not a popular solution.
Another solution would be to represent each END with a unique chip card, but transfer of the END would necessitate physical transfer of the chip card, which in many cases would be impractical.
The only other way to provide uniqueness is physically to prohibit free copying. This would involve tamper resistance to realize a protected communication with restricted functionality, if possible.
It is known to provide an encryption technique which ensures uniqueness. in the transfer of data between two devices. Such a technique is described for example in "New Directions in Cryptography", W. Diffie and M.
Hellman, IEEE IT 22 (1976), 644-654. Briefly, each device stores a unique pair of codes known as the public key and the secret key. These constitute a set of matching keys with an underlying algorithm. Such algorithms include RSA and DSA, which are described respectively in U. S. patents 4 405 829 (R. Rivest, A.
Shamir and L. Adleman) and 5 231 668 ("Digital Signature Algorithm", by D. Kravitz). The secret key S can be used to provide in effect a digital signature S(D) on input data D. The corresponding public key P can then be used to verify that the input for S(D) must have been S and D. Data from a seller's document carrier, for example, can be encrypted using the public key P of the buyer's document carrier, transmitted to the buyer, and then decrypted using the buyer's secret key, if the public key scheme is of encryption type.
The basic principle for achieving uniqueness here is simple but fundamental: A message encrypted under a key known to only one entity is unique, as long as it is encrypted, and establishes undisputable ownership by the mere fact that it will only be useful to the owner of the key. Only the person in possession of the right key can make any use of the document, which in effect is the property of uniqueness.
On the other hand, the only way the rightful owner can verify that the right END has been encrypted by his key is by decrypting it. But this will give him access to the message and he may subsequently be able to "sell" it to two different persons by encrypting it with their respective keys. A purpose of the invention is to provide a way of avoiding this. This requires tamper resistant hardware, perhaps a chipcard, or a hardware protected PC. In the following, this hardware and equivalent hardware will be called the DOC-carrier, or D-C when abbreviated. Its properties will be described in detail below.
Summary of the Invention The purpose is to replace paper documents such as cash, bank cheques and bills of lading with freely-transmissible electronic data.
The invention provides a system with the following properties:
An END (or at least the digital signature component of the END) is generated electronically, for instance by using non-repudiation of origin, in a tamper resistant unit and then loaded onto a DOC-carrier (if not the same). As mentioned, this requires some care. It is essential that the signature thus appended to provide the non-repudiation is never disclosed. (it would of course suffice to represent the END by a hash value and the generating digital signature inside the DOC-carrier if storage is a problem). The message itself does not need to be protected.
1 i 1 4a More specifically, an END (or at least the signature component) is transferred from one DOC-carrier to another, through a public unprotected network, in such a way that 1. It can only be transferred as a meaningful document to one particular DOC-carrier, which nevertheless can be chosen from any number of registered DOC-carriers 2_ Recovery is possible, if the transfer is unsuccessful 3. The protocol cannot be completed by any other device than an authorized DOC.
The system should be completely open to communication, between any two DOC-carriers, - without bilateral agreements.
Accordingly, in one aspect, the invention provides a method of issuing an electronic negotiable document (END), the method comprising creating as data an END and storing this in a tamper-resistant document carrier, the document carrier containing a unique public-secret key pair for signing and verifying and a unique document carrier identifier, and signing the unique document-carrier identifier, the END and an END identifier using the secret key of.the public-secret key pair and storing the result in the document carrier.
In another aspect, the invention provides a method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier having its own public-secret key pair, in which the END is stored in the seller's document carrier in the form of END data, and PAGE 11124"RCVD AT 101212009 4:54:13 PM (Eastern Daylight Time] I
SVR:F000031201 DNIS:3907"CSID:6132308821 t DURATION (mm.ss):0240 5a a signature generated by the secret signing-key of a document carrier of an issuer of the END, together with a negotiability status flag indicative of whether the END is currently negotiable from the document carrier on which it is stored, comprising establishing mutual recognition between the seller and buyer using a predetermined protocol between the respective document carriers, verifying in the seller's document carrier that the negotiability status flag is "negotiable" and aborting the negotiation if not, sending the public encryption key of the buyer's document carrier to the seller's document carrier, and using it to encrypt a message comprising the END together with the negotiability status flag, sending that encrypted message to the buyer, decrypting that message using the buyer's secret decryption key, and setting the negotiability status flag for that END of the buyer's and seller's document carriers respectively to "negotiable" and "non-negotiable".
In another aspect, the invention provides a method of negotiating an END between a seller and a buyer each possessing a tamper-resistant document carrier having its own public-secret key pair, in which the END is stored in the seller's document carrier in the form of END data, and a signature generated by the secret signing key of a document carrier of an issuer of the END, together with a serial number counter indicative of the number of times that the END has been negotiated since issue, comprising establishing mutual recognition between seller and buyer using a predetermined protocol between their respective document carriers, verifying in the seller's document carrier that the END, if it has been stored previously in that document carrier, has a different counter value this time and is therefore negotiable, but aborting the Sb negotiation if it is not negotiable, sending the public encryption key of the buyer's document carrier to the seller's document carrier, and using it to encrypt a message comprising the END together with the counter, sending that encrypted message to the buyer, decrypting that message using the buyer's secret decryption key, and incrementing the counter by one.
In another aspect, the invention provides a tamper-resistant document carrier adapted to store an END, the document carrier comprising a unique public-secret key pair for signing and verifying and a unique document carrier identifier, means for encrypting the unique document carrier identifier, the END and an END identifier using the secret key of the public-secret key pair and means for storing the result in a memory of the document carrier.
In another aspect, the invention provides a method of electronically negotiating an electronic negotiable document, transferred along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein the seller is not a bank, the method comprising:
issuing from a trusted supplier said seller with seller tamper-resistant document carrier hardware, said seller tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said seller, said seller tamper-resistant document carrier bearing said electronic negotiable document and a signature calculated using said Secret key;
issuing from a trusted supplier said buyer with buyer tamper-resistant document carrier hardware, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said buyer;
PAGE 13124: RCVD AT 1012f 2009 4:54:13 PM tEastern Daylight Time] I
SVR:F00003120 E DNIS:39071 C$ID:6132308821 E DURATION (mm.ss):02.40 5c transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware;
splitting the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
inputting to said buyer tamper-resistant document carrier hardware, now acting as seller tamper-resistant document carrier hardware, values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and which each new said split version has a value such that the sum of the values of said two or more split versions adds up to a value of said original electronic negotiable document;
digitally signing said split versions using said secret key of said buyer tamper-resistant document carrier hardware acting as seller tamper-resistant document carrier hardware to generate a splitting signature; and transferring said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
According to an aspect of the present invention, there is provided a method of electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the method comprising:
5d using seller tamper-resistant document carrier hardware issued from a trusted supplier to issue an electronic negotiable document, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, using said seller tamper-resistant document carrier hardware to calculate a signature using said secret key;
transferring via a network, said electronic negotiable document from said seller tamper-resistant document carrier hardware to buyer tamper-resistant document carrier hardware which has been issued by a trusted supplier and which has its own public-secret key pair, wherein said secret key is not accessible to said seller;
using said buyer tamper-resistant document carrier hardware to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
define values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature; and transfer via said network, said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
5e wherein said buyer tamper resistant document carrier hardware is now acting as seller tamper resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
According to another aspect of the present invention, there is provided a system for electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the system comprising:
seller tamper-resistant document carrier hardware issued from a trusted supplier, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, and said tamper-resistant document carrier hardware issues said electronic negotiable document and calculates a signature using said secret key;
buyer tamper-resistant document carrier hardware issued from a trusted supplier, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said buyer; and a network for transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware; wherein said buyer tamper-resistant document carrier hardware is configured to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating 5f two or more split versions of said electronic negotiable document each with a new sequence number;
generate values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature; and said network transfers said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper-resistant document carrier hardware is acting as a seller tamper-resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
Brief Description of the Drawings In order that the invention may be better understood, an embodiment of the invention will now be described, with reference to the accompanying drawings, in which:
5g Figure 1 is a diagram illustrating, by way of an overview, the negotiation of an END between two document carriers, showing the main components of the document carriers;
Figure 2 is a schematic flow diagram of the generation of an END; and Figure 3 is a schematic flow diagram of the negotiation of an END.
Description of the Preferred Embodiment Each DOC-carrier "possesses" a public key pair. The secret key of this pair must not even be known to the owner of the DOC-carrier. It would be required to realise this in such a way that not even the system provider knows the DOC-secret keys. Thus the secret key must be generated on the DOC-carrier and never leave it unprotected. The DOC-carrier itself should be freely available, but stationary, and certified by some Certification Authority along the lines of the X.509 security architecture.
The END consists of the information as represented in an electronic message, and the corresponding digital signature, calculated by means of the secret key of the issuer and -typically - a hash value of the electronic message. The format could for instance be a special-EDIFACT message for the electronic message, whereas the signature will be calculated and stored securely on the DOC-carrier.
Now, the problem is that this shall only be released through a selling process to another DOC-carrier. So the question is, how can one DOC-carrier identify another?
The most attractive solution seems to be the following approach: A trusted party called the Certification Authority CA, authorizes all DOC-carriers in the following manner: The public key of the CA is installed on the DOC-carrier, as well as the secret DOC-carrier key, in a ROM, and in such a way that the secret key cannot be disclosed. Moreover, when a document, or rather the accompany key protected signature is entered on the DOC-carrier, the DOC-carrier software must ensure that it can only be realised again encrypted under a public key certified by the CA secret key (and verified by means of the corresponding public key on the DOC-carrier). The point behind this is that it will prevent the use of a non-authorized DOC-carrier to get access to the vital signature on an END, which defines that particular negotiable electronic document. In particular this encrypted message is useless excepted when imported into the DOC-carrier holding the corresponding secret key. It is thus important to realize that the value of the negotiable document is represented by the digital signature of the issuer.
Furthermore, and this is an essential property, such an encryption of a particular END on an individual DOC-carrier can take place only once, or rather, once a public key has been selected, it is impossible at any later stage to go through the same procedure with another public key.
Such a system would solve the problem of uniqueness in general - provided it works in practice. The difficult part, which also requires a careful analysis, is to recover from failure. In,other words, the problem has been reduced to that of availability.
First of all the DOC-carrier may go down. The only way to. recover from that is to have the same information on a backup DOC-carrier. This requires" that a protocol is developed, which ensures that the back-up card cannot be used to sell the END to a different entity. Another possibility is to demand that whenever aback-up copy is required, the CA must be contacted.
Secondly, something may go wrong with the encryption in a selling process. This will be easy to recover from, by encrypting once again under the same public key. The use of certificates will ensure with extremely high probability that the public key used for encryption is correct:
Thirdly, something may go wrong in the data transmission from one DOC-carrier to another. But this is handled by re-transmission. The encrypted version of an END needs not be protected. In particular, a totally insecure network may be used to exchange the encrypted END.
Finally, something may go wrong in the receiving DOC-carrier. This may best be handled by a back-up card, with special procedures for recovery.
The functionality of the DOC-carrier is explained in Figure 1. With the notation of the discussion above, this gives an overview of the design of a DOC-carrier.
The general principle of the protocol between two DOC-carriers A and B is represented in the following sequence, the numerical stages 1 to 6 of which are shown in Figure 1:
1. The certificate of B is forwarded to A
2. A verifies the certificate of B
If this is successful, 3. A encrypts the relevant electronic END (or rather, the defining signature) with the public key of B
and 4. forwards this to B
5. B decrypts with its secret key BB and is now the owner of the END
6. B stores the END (or rather, the defining signature) as DOC 1.
The main content of DOC 1 may be transmitted separately from one workstation to another; it does not matter that there may be insufficient memory in the DOC-carrier for the whole of DOC 1, because it is only necessary to store and encrypt the signature portion.
The following is a more detailed description of the generation and negotiation of-an END.
The following describes the basic protocol for issuing an END
and for negotiating that END from its original document carrier to subsequent document carriers. One example is of a document carrier in the form of a chip card containing memory and a program, in a tamper-resistant format. There is also a Trusted Third Party in the certification_of the document carriers including their original programming with public-secret key pairs, and the tracing of negotiations between document carriers. One important benefit of the present invention is that the role of the Trusted Third Party is minimized, in that it is not necessarily involved directly in the performance of a negotiation .of 'an END
between buyer and seller. In other words, no third party'need be involved in the actual negotiation protocol. it is also an important benefit of the invention that each END can be negotiated only from one document carrier to one other document carrier, and only once (the system is arranged that the seller can, in future, receive the END back again, but only as a result of a genuine transaction: the system achieves this by, counting the number of transactions for each END, and this is described in more detail below).
In this description, the party, such as a bank, which issues the END, is known as the issuer. The issuer has a public-secret key pair, of which the secret key is used to sign the END. The END consists of a bit string which can be read by conventional coding rules, such as ASCII characters written in English. The END is not complete until it is signed by the issuer. As indicated above, a public-secret key pair consists of a set of matching keys P and S with an underlying algorithm. A
Trusted Third Party initializes the document carriers of the system, and each document carrier is initialized with a public-secret key pair for signature generation and verification, and a public-secret key pair for encryption and decryption, unique to the device.
However, the two public-secret key pairs can be identical, i.e: can be used for both purposes. This depends partly on whether the document-carrier is used for issuing as well as for negotiation: the public key pair for issuing can be different from that for negotiation. Each document carrier is identified by a unique device number or identifier, referred to as the No (D-C).
Each document carrier is given to one legal person, called the owner. The buyer of an END is the document carrier in current possession of the END. The seller is the document carrier which is to take position of the END from a buyer through the protocol. The validity period of each END is the interval between the time of issue and the time that the issuer requires it to expire. The time of issue is recorded as a time stamp with the END.
As indicated above, each document carrier must be tamper resistant, with a limited functionality. It could take the form of a specially designed chip card, or an enhanced work station. The digital signature could typically be stored in an EEPROM, or some sufficiently protected memory.
The Trusted Third Party (TTP) has its own public-secret key pair, of which the public key P is installed on each document carrier. Further, a certificate, consisting of a digital signature of the device number No (D-C) and of the public key of the document carrier, is installed on the document carrier, for each of its public key pairs.
In the case of bank cheques for example, an electronic "water mark" is added to each END upon creation.
Normally, the document carrier upon which the END is issued has the electronic watermark stored on it, for addition to the END upon i-ssue.
In the detailed description which follows of the issue and negotiation of an END, reference is made to the hash value of data. This refers to a technique described for example in ISO/IEC IS 10118, "Information Technology-Security Techniques-Hash Functions". The hash function is a representative abbreviation of the original data, and it is used where the hardware dictates economy in the use of storage space. For example, chip cards at present are unable-to store much data, and the hash value is used to reduce the amount of encrypted data to be stored.
Examples of END include electronic cash, in which the issuer is called a "Bank", with special equipment for issuing ENDs; here, the document carriers are used for negotiation, not issue. A further example is electronic bank cheques, in which each document carrier comes with a watermark of the Trusted Third Party (again called the "Bank") and each document carrier may be an issuer. A
further example is the bill of lading, which is similar to the example of bank cheques, but need not necessarily have watermarks. The same applies to bills of exchange.
Various back-up procedures are possible in any instance, and the TTP involved will then have a copy of the keys of the document carriers. As the buyer always receives the END encrypted under the public key of the device, it will keep copies of the received encrypted information for later recovery by means of the TTP. Thus the negotiation can be recovered later once decryption becomes possible. Alternatively, each document carrier is formed with a duplicate, complete with the unique public-secret key pair (S), certificate and device number; the device number identifies the device which is being backed up by the duplicate. One possibility for this is to have one chip card with two chips, but a more secure solution is to have two independent chip cards or other work stations. Whenever a negotiation takes place, the protocol is duplicated with the backup document carrier. If the primary document carrier should break down, the back up is authorized to sell to the issuer after the expiration time of the END's which could not be negotiated. In this case, the TTP needs only to keep a copy of the back up device secret key.
A preferred feature for electronic bank cheques is the so-called "splitting" of a purchased cheque. A
purchased cheque may be split into two by means of two digital signatures by the buyer. The document carrier verifies that the total amount of the two split parts adds up to the amount of the original. A digital signature is generated by the document carrier and the two separate parts can then be negotiated individually.
Subsequently, buyers will have to authenticate not only the issuing signature but also the splitting signature.
The split is performed in the following manner: the original END, as represented in the document carrier of the current owner, may be split into two or several numbered versions, the sum.of their values adding up to the value of the original. A split version consists of the original, together with some information such as its value and sequence number, and this is signed with the secret key of the document carrier. If the document carrier has the status of an issuer, the original issuing signature may be deleted to save space.
Any END could be split, even for example a bill of lading, in which case the information could include attributes such as quantities of goods as well as, or instead of, monetary value. An oil cargo for example could be divided, and the electronic bill of lading split accordingly.
With reference now to Figure 1, an END is issued on a document carrier D-Cj. The content of an END is generated freely in an unprotected environment by any issuer, and the certificate of the issuer is contained in the END together with a time stamp indicating the time of issue. A hash value hi of fixed bit length is created from the certificated END plus the time stamp, and this is provided as an input to the document carrier.
In the example of bank cheques, the document carrier is initialised by one or more banks. The banks personalise the D-C for the user by recording the user's account number etc. and enabling the user to issue a specific number of electronic cheques drawn on that account -these are. ENI's (electronic negotiable instruments).
The same D-C can be initialised by several banks for respective accounts, and it is an "electronic cheque book".
To create an ENI, the user puts his D-C into a smart-card reader connected to his PC, and he fills in details such as value, payee, period of validity, which appear as blank spaces on his PC screen, adjacent the bank details which appear automatically. The user transfers the message or a hash value of it onto his D-C
where it is signed.
At the initiation of the user, therefore, the document carrier performs certain functions. which are beyond the control of the user. Specifically, the document carrier adds its device number D(j), which is in one-to-one correspondence with the public key of the device used for verification of digital signatures generated by the device. This device number could form part of the certificate, or it could be for example the upper bits of the public key after the most significant 1. The document carrier then appends the sequential serial number S(i) for the END. In the case of the END being bank cheques, or if otherwise required, the document carrier also appends the watermark WM, which is a bit sequence identifying a certain party such as a bank.
The concatenation of this data is then, if necessary, WO 96/24997 PCTlIB96/00163 hashed to produce a hash value h2. The data or the hash value of the data are then signed by the secret key of the document carrier, to produce Sj(h2). This signed value is stored adjacent to the other concatenated data. Next, the document carrier appends to this data the value of a serial counter, set to zero; and the value of a one bit flag, set to one, indicative of whether the END is currently negotiable (value 1) or non negotiable (value 0) from the particular document carrier.
The END has thereby been issued, and made ready for negotiation with another document carrier certified as being part of the system.
The negotiation of this END originating from document carrier D-Cj, between a seller document carrier D-CA
and a buyer document carrier D-CB will now be described with reference to Figure 2.
The negotiation involves the seller and the buyer, and may involve a TTP as well, but for tracing only. The seller, which may possess many different ENDS, decides to sell this particular END to the buyer Br. The seller first authenticates the buyer, in Stage 1, by receiving from it the certificate CB, corresponding to the unique public key PB of the document D-CB. It is transmitted over a public channel in an open environment.
The program on the seller's document carrier D-CA
checks, in Stage 2, whether the certificate CB is authenticated, and aborts the negotiation if not. it then extracts the public key PB for future encryption. The seller identifies the negotiability status flag of the particular END it wishes to sell, accessing it, in Stage 3, with the device number D(j) and the END serial number S(i). It then checks in Stage 4 that the flag is 1, and if not it aborts the negotiation. If the END is shown to be negotiable, then further action is not denied, and the full END record or message M is encrypted by means of the public key PB, and sent over the public channel to the buyer.
To ensure that the seller cannot repeat the negotiation of the same END, the negotiability status flag is set to zero, in Stage 6.
On receipt of the encrypted message or ciphertext C
corresponding to message M, the buyer decrypts the information using its own secret key SB: this provides the original message M=SB(C). The buyer also requests and receives, in Stage 6, the certificate of the issuer Cer(D -Cj ), and the hash value of the original content of the END, and in Stages 7 and 8 it decrypts the message M
from the ciphertext C, and it verifies the signature Sj(h2) and the device number D(j) of the issuer. If verification should fail, the buyer informs the issuer and ceases negotiation.
The buyer then checks the timestamp T of the END, and informs the issuer and aborts the negotiation if the timestamp indicates expiration of validity of the END.
The buyer then returns to the seller, through the same open channel, an acknowledgement in the form of a digital signature on the concatenation of-the serial number of the END, the generating signature and the counter. It is accompanied by its own certificate CB. A copy may also be returned to the issuer for tracing purposes.
The seller D-CB verifies the acknowledgment and then outputs the result for information to the seller. The same thing happens at the issuer, if applicable.
In Stage 10, the received information, i.e. the hash value of the content of the END, the device number of the generating END, the serial number of the END, the generating signature and the counter, which is incremented by 1 in Stage 11, is then stored in a new record. It is important to increment the counter, so that each document carrier can recognize that the END
has undergone a further negotiation, allowing it to return to a previous document carrier.
The negotiability status flag is then set to 1, to indicate that this END, with this particular counter, has become negotiable.
After a number of negotiations, the END will be presented to the issuer for settlement, whether it is a cheque or cash or whatever. The settlement involves electronic tracing effectively in the reverse direction back to the original issue.
Whilst a specific example has been given to illustrate the different inventions claimed in the following claims, it will be appreciated that the objects of the invention can be realized in different forms, using different software or different hardware. The various different features which have been described in this specification are not all essential, but we claim separate inventions in all possible combinations of such features, within the scope of the claims. For example, although the method of issuing an END and then negotiating that END from the issuing document carrier to a buying document carrier is not claimed separately, this is intended to be a separate invention. Further, features such as the ability to recover from failure, although not claimed specifically, are intended to constitute an invention when combined with other features which are claimed specifically.
The main content of DOC 1 may be transmitted separately from one workstation to another; it does not matter that there may be insufficient memory in the DOC-carrier for the whole of DOC 1, because it is only necessary to store and encrypt the signature portion.
The following is a more detailed description of the generation and negotiation of-an END.
The following describes the basic protocol for issuing an END
and for negotiating that END from its original document carrier to subsequent document carriers. One example is of a document carrier in the form of a chip card containing memory and a program, in a tamper-resistant format. There is also a Trusted Third Party in the certification_of the document carriers including their original programming with public-secret key pairs, and the tracing of negotiations between document carriers. One important benefit of the present invention is that the role of the Trusted Third Party is minimized, in that it is not necessarily involved directly in the performance of a negotiation .of 'an END
between buyer and seller. In other words, no third party'need be involved in the actual negotiation protocol. it is also an important benefit of the invention that each END can be negotiated only from one document carrier to one other document carrier, and only once (the system is arranged that the seller can, in future, receive the END back again, but only as a result of a genuine transaction: the system achieves this by, counting the number of transactions for each END, and this is described in more detail below).
In this description, the party, such as a bank, which issues the END, is known as the issuer. The issuer has a public-secret key pair, of which the secret key is used to sign the END. The END consists of a bit string which can be read by conventional coding rules, such as ASCII characters written in English. The END is not complete until it is signed by the issuer. As indicated above, a public-secret key pair consists of a set of matching keys P and S with an underlying algorithm. A
Trusted Third Party initializes the document carriers of the system, and each document carrier is initialized with a public-secret key pair for signature generation and verification, and a public-secret key pair for encryption and decryption, unique to the device.
However, the two public-secret key pairs can be identical, i.e: can be used for both purposes. This depends partly on whether the document-carrier is used for issuing as well as for negotiation: the public key pair for issuing can be different from that for negotiation. Each document carrier is identified by a unique device number or identifier, referred to as the No (D-C).
Each document carrier is given to one legal person, called the owner. The buyer of an END is the document carrier in current possession of the END. The seller is the document carrier which is to take position of the END from a buyer through the protocol. The validity period of each END is the interval between the time of issue and the time that the issuer requires it to expire. The time of issue is recorded as a time stamp with the END.
As indicated above, each document carrier must be tamper resistant, with a limited functionality. It could take the form of a specially designed chip card, or an enhanced work station. The digital signature could typically be stored in an EEPROM, or some sufficiently protected memory.
The Trusted Third Party (TTP) has its own public-secret key pair, of which the public key P is installed on each document carrier. Further, a certificate, consisting of a digital signature of the device number No (D-C) and of the public key of the document carrier, is installed on the document carrier, for each of its public key pairs.
In the case of bank cheques for example, an electronic "water mark" is added to each END upon creation.
Normally, the document carrier upon which the END is issued has the electronic watermark stored on it, for addition to the END upon i-ssue.
In the detailed description which follows of the issue and negotiation of an END, reference is made to the hash value of data. This refers to a technique described for example in ISO/IEC IS 10118, "Information Technology-Security Techniques-Hash Functions". The hash function is a representative abbreviation of the original data, and it is used where the hardware dictates economy in the use of storage space. For example, chip cards at present are unable-to store much data, and the hash value is used to reduce the amount of encrypted data to be stored.
Examples of END include electronic cash, in which the issuer is called a "Bank", with special equipment for issuing ENDs; here, the document carriers are used for negotiation, not issue. A further example is electronic bank cheques, in which each document carrier comes with a watermark of the Trusted Third Party (again called the "Bank") and each document carrier may be an issuer. A
further example is the bill of lading, which is similar to the example of bank cheques, but need not necessarily have watermarks. The same applies to bills of exchange.
Various back-up procedures are possible in any instance, and the TTP involved will then have a copy of the keys of the document carriers. As the buyer always receives the END encrypted under the public key of the device, it will keep copies of the received encrypted information for later recovery by means of the TTP. Thus the negotiation can be recovered later once decryption becomes possible. Alternatively, each document carrier is formed with a duplicate, complete with the unique public-secret key pair (S), certificate and device number; the device number identifies the device which is being backed up by the duplicate. One possibility for this is to have one chip card with two chips, but a more secure solution is to have two independent chip cards or other work stations. Whenever a negotiation takes place, the protocol is duplicated with the backup document carrier. If the primary document carrier should break down, the back up is authorized to sell to the issuer after the expiration time of the END's which could not be negotiated. In this case, the TTP needs only to keep a copy of the back up device secret key.
A preferred feature for electronic bank cheques is the so-called "splitting" of a purchased cheque. A
purchased cheque may be split into two by means of two digital signatures by the buyer. The document carrier verifies that the total amount of the two split parts adds up to the amount of the original. A digital signature is generated by the document carrier and the two separate parts can then be negotiated individually.
Subsequently, buyers will have to authenticate not only the issuing signature but also the splitting signature.
The split is performed in the following manner: the original END, as represented in the document carrier of the current owner, may be split into two or several numbered versions, the sum.of their values adding up to the value of the original. A split version consists of the original, together with some information such as its value and sequence number, and this is signed with the secret key of the document carrier. If the document carrier has the status of an issuer, the original issuing signature may be deleted to save space.
Any END could be split, even for example a bill of lading, in which case the information could include attributes such as quantities of goods as well as, or instead of, monetary value. An oil cargo for example could be divided, and the electronic bill of lading split accordingly.
With reference now to Figure 1, an END is issued on a document carrier D-Cj. The content of an END is generated freely in an unprotected environment by any issuer, and the certificate of the issuer is contained in the END together with a time stamp indicating the time of issue. A hash value hi of fixed bit length is created from the certificated END plus the time stamp, and this is provided as an input to the document carrier.
In the example of bank cheques, the document carrier is initialised by one or more banks. The banks personalise the D-C for the user by recording the user's account number etc. and enabling the user to issue a specific number of electronic cheques drawn on that account -these are. ENI's (electronic negotiable instruments).
The same D-C can be initialised by several banks for respective accounts, and it is an "electronic cheque book".
To create an ENI, the user puts his D-C into a smart-card reader connected to his PC, and he fills in details such as value, payee, period of validity, which appear as blank spaces on his PC screen, adjacent the bank details which appear automatically. The user transfers the message or a hash value of it onto his D-C
where it is signed.
At the initiation of the user, therefore, the document carrier performs certain functions. which are beyond the control of the user. Specifically, the document carrier adds its device number D(j), which is in one-to-one correspondence with the public key of the device used for verification of digital signatures generated by the device. This device number could form part of the certificate, or it could be for example the upper bits of the public key after the most significant 1. The document carrier then appends the sequential serial number S(i) for the END. In the case of the END being bank cheques, or if otherwise required, the document carrier also appends the watermark WM, which is a bit sequence identifying a certain party such as a bank.
The concatenation of this data is then, if necessary, WO 96/24997 PCTlIB96/00163 hashed to produce a hash value h2. The data or the hash value of the data are then signed by the secret key of the document carrier, to produce Sj(h2). This signed value is stored adjacent to the other concatenated data. Next, the document carrier appends to this data the value of a serial counter, set to zero; and the value of a one bit flag, set to one, indicative of whether the END is currently negotiable (value 1) or non negotiable (value 0) from the particular document carrier.
The END has thereby been issued, and made ready for negotiation with another document carrier certified as being part of the system.
The negotiation of this END originating from document carrier D-Cj, between a seller document carrier D-CA
and a buyer document carrier D-CB will now be described with reference to Figure 2.
The negotiation involves the seller and the buyer, and may involve a TTP as well, but for tracing only. The seller, which may possess many different ENDS, decides to sell this particular END to the buyer Br. The seller first authenticates the buyer, in Stage 1, by receiving from it the certificate CB, corresponding to the unique public key PB of the document D-CB. It is transmitted over a public channel in an open environment.
The program on the seller's document carrier D-CA
checks, in Stage 2, whether the certificate CB is authenticated, and aborts the negotiation if not. it then extracts the public key PB for future encryption. The seller identifies the negotiability status flag of the particular END it wishes to sell, accessing it, in Stage 3, with the device number D(j) and the END serial number S(i). It then checks in Stage 4 that the flag is 1, and if not it aborts the negotiation. If the END is shown to be negotiable, then further action is not denied, and the full END record or message M is encrypted by means of the public key PB, and sent over the public channel to the buyer.
To ensure that the seller cannot repeat the negotiation of the same END, the negotiability status flag is set to zero, in Stage 6.
On receipt of the encrypted message or ciphertext C
corresponding to message M, the buyer decrypts the information using its own secret key SB: this provides the original message M=SB(C). The buyer also requests and receives, in Stage 6, the certificate of the issuer Cer(D -Cj ), and the hash value of the original content of the END, and in Stages 7 and 8 it decrypts the message M
from the ciphertext C, and it verifies the signature Sj(h2) and the device number D(j) of the issuer. If verification should fail, the buyer informs the issuer and ceases negotiation.
The buyer then checks the timestamp T of the END, and informs the issuer and aborts the negotiation if the timestamp indicates expiration of validity of the END.
The buyer then returns to the seller, through the same open channel, an acknowledgement in the form of a digital signature on the concatenation of-the serial number of the END, the generating signature and the counter. It is accompanied by its own certificate CB. A copy may also be returned to the issuer for tracing purposes.
The seller D-CB verifies the acknowledgment and then outputs the result for information to the seller. The same thing happens at the issuer, if applicable.
In Stage 10, the received information, i.e. the hash value of the content of the END, the device number of the generating END, the serial number of the END, the generating signature and the counter, which is incremented by 1 in Stage 11, is then stored in a new record. It is important to increment the counter, so that each document carrier can recognize that the END
has undergone a further negotiation, allowing it to return to a previous document carrier.
The negotiability status flag is then set to 1, to indicate that this END, with this particular counter, has become negotiable.
After a number of negotiations, the END will be presented to the issuer for settlement, whether it is a cheque or cash or whatever. The settlement involves electronic tracing effectively in the reverse direction back to the original issue.
Whilst a specific example has been given to illustrate the different inventions claimed in the following claims, it will be appreciated that the objects of the invention can be realized in different forms, using different software or different hardware. The various different features which have been described in this specification are not all essential, but we claim separate inventions in all possible combinations of such features, within the scope of the claims. For example, although the method of issuing an END and then negotiating that END from the issuing document carrier to a buying document carrier is not claimed separately, this is intended to be a separate invention. Further, features such as the ability to recover from failure, although not claimed specifically, are intended to constitute an invention when combined with other features which are claimed specifically.
Claims (12)
1. A method of electronically negotiating an electronic negotiable document, transferred along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein the seller is not a bank, the method comprising:
issuing from a trusted supplier said seller with seller tamper-resistant document carrier hardware, said seller tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said seller, said seller tamper-resistant document carrier bearing said electronic negotiable document and a signature calculated using said secret key;
issuing from a trusted supplier said buyer with buyer tamper-resistant document carrier hardware, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said buyer;
transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware;
splitting the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
inputting to said buyer tamper-resistant document carrier hardware, now acting as seller tamper-resistant document carrier hardware, values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and which each new said split version has a value such that the sum of the values of said two or more split versions adds up to a value of said original electronic negotiable document;
digitally signing said split versions using said secret key of said buyer tamper-resistant document carrier hardware acting as seller tamper-resistant document carrier hardware to generate a splitting signature; and transferring said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
issuing from a trusted supplier said seller with seller tamper-resistant document carrier hardware, said seller tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said seller, said seller tamper-resistant document carrier bearing said electronic negotiable document and a signature calculated using said secret key;
issuing from a trusted supplier said buyer with buyer tamper-resistant document carrier hardware, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, and wherein said secret key is not accessible to said buyer;
transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware;
splitting the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
inputting to said buyer tamper-resistant document carrier hardware, now acting as seller tamper-resistant document carrier hardware, values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and which each new said split version has a value such that the sum of the values of said two or more split versions adds up to a value of said original electronic negotiable document;
digitally signing said split versions using said secret key of said buyer tamper-resistant document carrier hardware acting as seller tamper-resistant document carrier hardware to generate a splitting signature; and transferring said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
2. A method as claimed in claim 1, wherein said seller and said buyer tamper-resistant document carrier hardware each have a document carrier identifier, and wherein each said document carrier identifier is signed by said secret key.
3. A method as claimed in claim 1, wherein said seller tamper-resistant document carrier hardware bears an issuing signature, and wherein said transferring includes transferring said issuing signature from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware.
4. A method as claimed in claim 3 further comprising deleting said issuing signature after said transferring.
5. A method of electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the method comprising:
using seller tamper-resistant document carrier hardware issued from a trusted supplier to issue an electronic negotiable document, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, using said seller tamper-resistant document carrier hardware to calculate a signature using said secret key;
transferring via a network, said electronic negotiable document from said seller tamper-resistant document carrier hardware to buyer tamper-resistant document carrier hardware which has been issued by a trusted supplier and which has its own public-secret key pair, wherein said secret key is not accessible to said seller;
using said buyer tamper-resistant document carrier hardware to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
define values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature;
and transfer via said network, said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper resistant document carrier hardware is now acting as seller tamper resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
using seller tamper-resistant document carrier hardware issued from a trusted supplier to issue an electronic negotiable document, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, using said seller tamper-resistant document carrier hardware to calculate a signature using said secret key;
transferring via a network, said electronic negotiable document from said seller tamper-resistant document carrier hardware to buyer tamper-resistant document carrier hardware which has been issued by a trusted supplier and which has its own public-secret key pair, wherein said secret key is not accessible to said seller;
using said buyer tamper-resistant document carrier hardware to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
define values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature;
and transfer via said network, said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper resistant document carrier hardware is now acting as seller tamper resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
6. The method as claimed in claim 5 wherein said seller and said buyer tamper-resistant document carrier hardware each have a document carrier identifier, and wherein each said document carrier identifier is signed by a said secret key.
7. The method as claimed in claim 5 wherein said seller tamper-resistant document carrier hardware bears an issuing signature, and wherein said transferring includes transferring said issuing signature from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware.
8. The method as claimed in claim 7 further comprising deleting said issuing signature after said transferring.
9. A system for electronically transferring an electronic negotiable document along a chain of sellers and buyers, wherein said electronic negotiable document has a value which is an amount of money or quantity of goods, and wherein said seller is not a bank, the system comprising:
seller tamper-resistant document carrier hardware issued from a trusted supplier, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, and said tamper-resistant document carrier hardware issues said electronic negotiable document and calculates a signature using said secret key;
buyer tamper-resistant document carrier hardware issued from a trusted supplier, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said buyer; and a network for transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware; wherein said buyer tamper-resistant document carrier hardware is configured to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
generate values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature;
and said network transfers said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper-resistant document carrier hardware is acting as a seller tamper-resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
seller tamper-resistant document carrier hardware issued from a trusted supplier, said seller tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said seller, and said tamper-resistant document carrier hardware issues said electronic negotiable document and calculates a signature using said secret key;
buyer tamper-resistant document carrier hardware issued from a trusted supplier, said buyer tamper-resistant document carrier hardware having its own public-secret key pair, wherein said secret key is not accessible to said buyer; and a network for transferring said electronic negotiable document from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware; wherein said buyer tamper-resistant document carrier hardware is configured to:
split the original value of said electronic negotiable document electronically in said buyer tamper-resistant document carrier hardware by creating two or more split versions of said electronic negotiable document each with a new sequence number;
generate values defining values of each new said split version, wherein each new said split version comprises the signature of the original electronic negotiable document, and wherein each new said split version has a value such that the sum of the values of said two or more split versions adds up to said value of said original electronic negotiable document; and digitally sign said split versions using said secret key of said buyer tamper-resistant document carrier hardware to generate a splitting signature;
and said network transfers said two or more split versions separately to one or more further buyers without the involvement of a trusted third party;
wherein said buyer tamper-resistant document carrier hardware is acting as a seller tamper-resistant document carrier hardware; and wherein each of said further buyers is able to transfer a said split version to one or more buyers in the chain.
10. The system as claimed in claim 9 wherein said seller and said buyer tamper-resistant document carrier hardware each have a document carrier identifier, and wherein each said document carrier identifier is signed by a said secret key.
11. The system as claimed in claim 9 wherein said seller tamper-resistant document carrier hardware bears an issuing signature, and wherein said transferring includes transferring said issuing signature from said seller tamper-resistant document carrier hardware to said buyer tamper-resistant document carrier hardware.
12. The system as claimed in claim 11 wherein said seller tamper-resistant document carrier hardware is configured to further delete said issuing signature after said transferring.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB9502414A GB9502414D0 (en) | 1995-02-08 | 1995-02-08 | Electronic negotiable documents |
| GB9502414.7 | 1995-02-08 | ||
| GB9510215A GB2297856B (en) | 1995-02-08 | 1995-05-19 | Electronic negotiable documents |
| GB9510215.8 | 1995-05-19 | ||
| CA002212457A CA2212457C (en) | 1995-02-08 | 1996-02-08 | Electronic negotiable documents |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002212457A Division CA2212457C (en) | 1995-02-08 | 1996-02-08 | Electronic negotiable documents |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2605569A1 CA2605569A1 (en) | 1996-08-15 |
| CA2605569C true CA2605569C (en) | 2012-07-10 |
Family
ID=38830312
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA2605569A Expired - Lifetime CA2605569C (en) | 1995-02-08 | 1996-02-08 | Electronic negotiable documents |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2605569C (en) |
-
1996
- 1996-02-08 CA CA2605569A patent/CA2605569C/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| CA2605569A1 (en) | 1996-08-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20070168291A1 (en) | Electronic negotiable documents | |
| KR100455327B1 (en) | Document authentication system and method | |
| EP1302018B1 (en) | Secure transactions with passive storage media | |
| JP5190036B2 (en) | System and method for electronic transmission, storage and retrieval of authenticated documents | |
| ES2352743T3 (en) | ELECTRONIC METHOD FOR STORAGE AND RECOVERING ORIGINAL AUTHENTICATED DOCUMENTS. | |
| US5615268A (en) | System and method for electronic transmission storage and retrieval of authenticated documents | |
| US7818812B2 (en) | Article and system for decentralized creation, distribution, verification and transfer of valuable documents | |
| GB2297856A (en) | Electronic negotiable documents | |
| CZ11597A3 (en) | Method of safe use of digital designation in a commercial coding system | |
| JP2005328574A (en) | Cryptographic system and method with key escrow feature | |
| CA2212457C (en) | Electronic negotiable documents | |
| WO2001022373A1 (en) | Method and system for performing a transaction between a client and a server over a network | |
| CA2605569C (en) | Electronic negotiable documents | |
| AU3010700A (en) | Electronic negotiable documents | |
| Effross | Notes on PKI and Digital Negotiability: Would the Cybercourier Carry Luggage | |
| AU758834B2 (en) | Document authentication system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20160208 |