EP1221145A1 - Method and system for performing a transaction between a client and a server over a network - Google Patents

Method and system for performing a transaction between a client and a server over a network

Info

Publication number
EP1221145A1
EP1221145A1 EP00917485A EP00917485A EP1221145A1 EP 1221145 A1 EP1221145 A1 EP 1221145A1 EP 00917485 A EP00917485 A EP 00917485A EP 00917485 A EP00917485 A EP 00917485A EP 1221145 A1 EP1221145 A1 EP 1221145A1
Authority
EP
European Patent Office
Prior art keywords
client
server
record
message
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00917485A
Other languages
German (de)
French (fr)
Inventor
Michiel Mosterd
Hildebrand Ruben Krop
Paul Richard Heiden
Paul Anthony Van Wachem
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ba Cards And Security Bv (bacs)
Original Assignee
Ba Cards And Security Bv (bacs)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ba Cards And Security Bv (bacs) filed Critical Ba Cards And Security Bv (bacs)
Publication of EP1221145A1 publication Critical patent/EP1221145A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4093Monitoring of device authentication
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution

Definitions

  • the present invention relates to a method for performing a transaction between a first client and a server over a network, including the steps of providing a server authentication to the first client, providing a first client authentication to the server, sending a record from the server to the first client via the network, the record comprising information to be accepted by the first client, providing a first signed record by digitally signing the record by the first client, sending a first message from the first client to the server via the network, the first message at least comprising the first signed record, and storing the record, first message and the first client authentication by the server upon positive verification of the first signed record with the first client authentication.
  • the network may be an untrusted network.
  • Such a method is known from US-A-5, 850,442, which describes a method for performing secure electronic transactions between two parties, e.g. clients and servers, via a network.
  • the electronic transactions can be securely performed using a public key infrastructure and smart token technology, such as smart cards.
  • Information originating from one of the two parties is authenticated as to origin, using encryption keys from a smart token.
  • One of the applications disclosed is the placing of an order.
  • a client connects to a server via the network and obtains an order form for placing an order with the server.
  • the client digitally signs the order and sends it to the server, which may validate the origin of the digitally signed order by checking the signature by means of the encryption keys from the smart token.
  • Another application described is a method for performing an electronic money withdrawal.
  • An electronic withdrawal slip is electronically signed by a customer and transferred to a bank, which stores the signed slip.
  • the bank prepares an electronic cash certificate, digitally signs it and sends it to the customer, which may store the cash certificate.
  • This method is in fact a series combination of two subsequent methods as described above and involves two different groups of information.
  • a disadvantage in this and other present day methods and systems for performing secure electronic transactions via a network is that no proof of the transaction can be made by at least one of the parties involved. Usually only one party keeps a verifiable record of the transaction. Furthermore, the records stored by one of the parties may be tampered with.
  • the object of the present invention is to provide a method for performing secure electronic transactions via a network, in which both parties obtain solid proof of the transaction.
  • the method further comprises the steps of providing a second signed record by digitally signing the record by the server, sending a second message to the first client, the second message at least comprising the second signed record, and storing the record, the second message and the server authentication by the first client upon verification of the second signed record with the server authentication.
  • the method according to the present invention has the advantage that both the first client and the server have stored the record and the respective signed records and authentication. At all times after the transaction, both the server and the first client are able to verify and provide proof of the transaction made. Tampering with information in the record describing the transaction can be detected by both the first client and the server by checking the digitally signed records.
  • the first client authentication further comprises an application serial number
  • the method further comprises the steps of computing a unique application key from the application serial number and a master key by the server, using the unique application key to encrypt the second message by the server before sending the second message to the first client, and decrypting the second message by the first client.
  • the application serial number may, e.g., be a smart card serial number. This enables the storing of the record and other data by the first client to be write-protected. Only a server that has a correct master key and the proper application serial number, as received from the first client in the first message, is able to generate the appropriate unique application key.
  • the first client also has the unique application key, and is able to decrypt the second message properly and store the decrypted data.
  • the first message further comprises a random number
  • the method further comprises the step of performing an exclusive- or-operation by the server on the second message using the random number before sending the second message to the first client.
  • an exclusive-or-operation with the same random number resulting in an unscrambled second message can only be performed by the first client who sent that second message and knows the random number. This embodiment ascertains that a certain second message can only be stored once by the first client.
  • the step of providing a second signed record comprises the steps of computing a hash of the record and digitally signing the hash of the record by the server.
  • This embodiment enables to send a second message with only a limited size, rendering advantages with respect to transfer times and required memory size.
  • the step of digitally signing the record by the server may be performed using an additional secret server key, the server authentication further comprising an additional public server key.
  • the first and second message further comprises a file address for storing the second message by the first client.
  • Storage by the first client may be done on, e.g. a smart card with only a limited memory size. This embodiment enables to attach a file address on the smart card to a certain transaction. When the memory of the smart card is full, a previously stored record may be replaced by the new record, replacing e.g. the oldest record or the record with the lowest priority.
  • the second message further comprises a unique record number
  • the method further comprises the step of sending a third message to the server by the first client upon positively verification of the content of the second message, the third message comprising the unique record number
  • An embodiment of the method uses a record, in which the record comprises unformatted text, such as a plain text document, or a plain text description of the document format.
  • the record comprises unformatted text, such as a plain text document, or a plain text description of the document format.
  • Graphical user interfaces may show information in a manner invisible or unclear to one of the parties (client or server), enabling the possibility that one of the parties digitally signs an order comprising information the party concerned does not want to sign when presented to one of the parties for visual verification before digitally signing the record.
  • This embodiment greatly reduces the chance of tampering with the information in the record when using graphical user interfaces to show the record to the first client.
  • the textual content of the record comprises, next to possible video and/or audio fragments, unformatted text only.
  • the step of providing server authentication and first client authentication is obtained by means of RSA-keys and X.509 certificates.
  • Methods using RSA-keys and X.509 certificates have proven to be safe in use and are wide spread.
  • Another possible method is the DSS algorithm. Preferably, these are based on large prime numbers.
  • the second signed record is provided by the server by digitally signing the record using a signing key from a second client, the signing key allowing transactions between the second client and at least the first client.
  • the signing key is formed by a certificate signed by the second client, the certificate being received from the second client and stored by the server.
  • a sales manager may, e.g., authorise the company server to sign purchase orders from one or more customers. This is preferably done by means of a certificate, allowing deals to be made automatically between the company server and one or more customers, while the manager remains responsible for these deals, and not the IT department.
  • a further embodiment of the method according to present invention comprises the further steps of sending a non-verifiable escrow of the second signature by the server to the first client before sending the second message, and sending a verifiable escrow of the first signature by the first client to the server before sending the first message.
  • the first client can simply abort the transaction in a first instance, by not reacting further when the record, comprising information to be accepted by the first client is received.
  • the transaction can be aborted by the server when the verifiable escrow of the first signature is incorrect.
  • a signature turns out to be incorrect, both parties can obtain the opposite party's signature by means of resolving the transaction, e.g. by means of a trusted third party which provides the second signature associated with the non-verifiable escrow to the first client or the first signature associated with the verifiable escrow to the server.
  • the present invention relates to a system for performing a secure transaction over a network, comprising at least one server computer, at least one client computer and a network, the network providing a connection between the at least one server computer and the at least one client computer, the server computer and client computer being arranged to execute the respective server and first client steps of the method according to one of the method claims of the present invention.
  • the client computer further comprises memory interface means for communicating with smart memory means, the smart memory means being arranged to execute at least one of the steps of the method according to one of the method claims according to the present invention which are performed by the first client.
  • the present invention relates to a computer program comprising computer program code, which in operation provides a computer system with the functionality of the method according to the present invention.
  • the present invention also relates to a computer program product comprising such a computer program.
  • Fig. 1 shows a schematic view of a system for performing a secure transaction between a server computer and a client computer over a network
  • Fig. 2 shows a schematic view of an alternative system according to the present invention.
  • Fig. 3 shows a flow diagram of an embodiment of the method according to the present invention.
  • the present invention provides a method for conducting transactions over a network, more specifically over the Internet and a system for performing the present method.
  • Fig. 1 shows a schematic view of a network 2, such as the Internet, in which two parties are shown being connected to each other via the network 2.
  • a first party offers a product or service via the network 2, the first party being connected to the network 2 by a server computer 6.
  • the other party may be willing to buy a product or service from the first party and is connected to the network 2 by a client computer 4.
  • the network 2 may be any open network, such as the Internet, which provides an unsecured connection for exchange of data or information between the client 4 and the server 6.
  • the client computer 4 is connected to the network 2 by a client network interface 11, which may be arranged to establish a Secure Socket Layer connection with the network 2. Furthermore, the client computer 4 is equipped with a web browser application 10 to retrieve information from the network 2 and a transaction client service, further called QTM client service 12 implementing the client part of the method according to the present invention. Furthermore, the client computer 4 comprises a smart card reader 13 to exchange data with a smart card 14.
  • the server computer 6 is equipped with a web server 15, providing information about the product and services for sale onto the network 2.
  • the web server 15 is connected to the network 2 via a server network connection 16, which may also be equipped to provide a Secure Socket layer connection.
  • the server computer 6 may be arranged to host further services communicating with the network 2 via the web server 15, including an order application 17 and a transaction service, further called QTM service 18.
  • the order application 17 processes orders received from the client computer 4 via the network 2.
  • the QTM service 18 is arranged to provide mutual proof of a transaction via the network 2.
  • the QTM service 18 may be exchanging information with a Q tm order database 19 and with a QTM Security Access Module (SAM) 20.
  • SAM QTM Security Access Module
  • QTM service 18, QTM order database 19 and QTM SAM 20 may be located on a separate QTM server computer 25 (as e.g. shown in Fig. 2) which is connected to the server computer 6, which in that case hosts the web server 15 and order application 17.
  • the method according to the present invention assures that, after the transaction is confirmed, both the server and the client have evidence of this event.
  • the client has a receipt stored on the smart card 14 and the server stores the proof of transaction in his database 19. Neither the server nor the client will be able to modify this information.
  • the client who wishes to process an order contacts the web server 15 on the server computer 6 with an Internet browser 10 and establishes a secure connection, e.g. a Secure Socket Layer (SSL) connection.
  • SSL Secure Socket Layer
  • the secure connection may be established using mutual authentication, e.g. using RSA key-pairs and X.509 certificates.
  • the server computer 6 After the server computer 6 has been authenticated as a part of the SSL protocol, the client computer 4 needs to identify itself.
  • the RSA key pair of the client resides on the smart card 14 owned by the user.
  • the cryptographic functions needed to establish the connection are preferably executed inside the smart card 14.
  • the client can compose its order. This will be an interactive process between the client and the server. At the end of this process, there will be a concept of the order, ready for the client to accept.
  • the server computer 6 sends a page to the client computer 4, the page comprising the order content and a confirmation request.
  • the client has the choice between accepting the order or revoking it.
  • the client needs to provide proof of his acceptance and acknowledge the server. This proof is given by processing a digital signature over the page with the order content.
  • the digital signature is computed using the RSA encryption algorithm with the private (secret) key on the smart card 14.
  • graphical user-interfaces which are commonly used in Internet browsers, it is rather easy to tamper with the content of a message, such as the page with the order content. In order to prevent this, the order content is displayed in a tamperproof 'flat text' display.
  • the client is assured of the correct content of the concept order and no signature will be given for erroneous or fraudulent order content.
  • the text may be made visible to the first client by a text-only dialog on the first client computer, but alternatively, the smart card reader 13 may be provided with an integrated text-only display.
  • the client also needs to prepare the smart card 14 to accept a receipt, or QTM record.
  • the smart card 14 will process a random challenge number that will be used later for the secure write operation to that smart card 14.
  • the confirmation, the digital signature and the random number will be sent to the server computer 6.
  • An address of the first free position in a QTM file on the smart card 14 will be sent as well. If there is no free position available, an existing QTM record needs to be replaced.
  • the issue date, the expiration date or the priority can be part of the record and will determine which record will be replaced first.
  • the record that is to be replaced can be stored on e.g. a hard disk (not shown) on the client computer 4.
  • the server computer 6 receives the information as described above. This information, along with the client certificate and the order content, is made available to the QTM service 18 that is running at the server computer 6. First, the QTM service 18 checks the digital signature by means of the client authentication received earlier, a.o. comprising the client public key, and the order content already available in the server computer 6. If the digital signature is right, the service notifies the order application 17 of the fact that the order is confirmed.
  • the order content, the client information (including public key) and the digital signature will be stored in the QTM service database 19.
  • This QTM service database 19 will act as an order administration for the server that stores copies of each order.
  • Each modification of information in this database be it either to the order content or the digital signature, will be noticed when the digital signatures are checked by means of the public key of the client information.
  • the smart card 14 is equipped with a QTM file that is write-protected to prevent unauthorised server computers 6 from writing to the smart card 14. Every smart card 14 has a unique application key that can be computed using a master key in combination with the serial number of the card. The owner of the master key will be able to generate a secure message that can be stored in the QTM file on the smart card 14.
  • the Q tm record that will be stored in the QTM file on the smart card 14 client may e.g. contain 40 bytes: -5 bytes unique QTM number
  • a special signature key of the server computer 6 signs the 16 bytes hash of the order content.
  • This key is the secret part of a RSA key pair.
  • This key pair can be the same as the authorisation key pair from the server, but it is also possible to use an extra key pair and certificate for this purpose.
  • the public part of the RSA key pair should be made available to the client computer 4, when different from the public authorisation key.
  • the message will be encrypted using the diversified application key, calculated from the master key and serial number of the smart card 14, and XORed with the random number.
  • the master key resides on the tampe ⁇ roof SAM (Security
  • server computer 6 which also may be provided as a smart card and a smart card reader.
  • the server computer 6 sends a response to the client's browser 10 saying that the order is accepted.
  • This response contains the secure, encrypted message.
  • the encrypted message is sent to the smart card 14 where it will be decrypted and stored.
  • the client can now read this message (there will be no read protection on this file).
  • the client computer 4 checks whether the signature and the hash on the card correspond with the server's public key as known to the client computer 4 and the hash of the processed order. If this is not the case, the QTM client service 12 will inform the client that something went wrong and the added QTM will be deleted.
  • the client computer 4 sends the unique 5-byte QTM number back to the server. This proofs that the QTM record is saved on the right smart card 14 of the right client.
  • the QTM service 18 on the server receives this response and stores in the database 19 that the QTM record is received on the smart card 14. If this QTM number does not return, the QTM service 18 will be able to repeat these steps later.
  • the estimated time for the complete transaction depends mostly of the response time of the network 2 being used. Using state-of-the-art hardware, the operations performed on the client computer 4 and the server computer 6 together will not take more than one second.
  • the server 6 is able to sign by proxy for one or both parties involved in the transaction.
  • Fig. 2 an embodiment is shown of a further network situation.
  • a first client computer 4 is connected to a web server computer 6 via a network 2 (such as the Internet).
  • the web server computer 6 is connected to a QTM server computer 25 by means of a direct connection.
  • the web server computer 6 may also be connected to a second client computer 26, e.g. operated by a sales manager.
  • a trusted third party computer 24 may be connected to the network 2.
  • a user such as a manager responsible for (part of) the sales via the web server 6, can authorise the QTM service 18 to sign specific transactions on his behalf, for one or more possible clients.
  • the authorisation may be accomplished directly on the web server computer 6, the QTM server computer 25 or by means of the second client computer 26.
  • sales manager X can authorise the QTM service 18 to sign purchase orders from customer Y. Manager X does this by signing a certificate that the QTM service 18 can then use for signing for transactions between the web server 6 and customer Y, via the customer's client computer 4.
  • Manager X effectively becomes a Certifying Authority for the QTM service 18. This makes Manager X responsible for what the QTM service 18 can sign, not the company IT department. The QTM service 18 simply cannot sign a transaction with customer Z, if there is no certificate from manager X allowing transactions with customer Z.
  • the customer Y sends a certificate to the QTM service 18, allowing the QTM service 18 to sign by proxy on behalf of the customer Y, via the client computer 4. This may e.g. be utilised in reverse auction transaction schemes.
  • the QTM server 25 can have a certificate that warrants it to sign content for either or both parties. If the QTM server 25 has to sign for both parties, the originator of the transaction must be verified. The QTM server 25 must have a warrant that states that the originator (e.g., X or Y) may instruct the server 25 to sign. A policy should be that the originator authorises by way of a QTM validated order to the server 25.
  • the proxy certificates the QTM server 25 has in store must be added by authorised managers, using standard public-key-infrastructure systems, such as X.509 certificates to validate the both identity of the manager and the correctness of the generated warrant.
  • the actual proxy signatures that the QTM server 25 generates must be traceable back to the party that it is signing for. This can either be a simple warrant or a signing- key that is mathematically derived from the original.
  • a further embodiment of the present invention uses a fair exchange of signatures. This way both participants can be sure that they will receive the signature of the other party, once they commit their signature. This is accomplished by way of a trusted third party on a trusted third party computer 24. This arbitrator only needs to be consulted when the exchange fails. Resolving the transaction means that the arbitrator returns a valid QTM to the QTM server 25 and/or first client computer 4.
  • a customer logs onto a supplier web server 6, and builds an order and requests the order to be shipped.
  • the web server 6 now has a content that needs to be signed by two parties and knows the identity of the customer (Y) and the sales person (X) for the company.
  • the web server 6 now contacts the local QTM server 25 to start the QTM process.
  • trusted arbitrator for fair signature exchange located in the trusted third party computer 24, which can be contacted by both the first client computer 4 and by the QTM server 25 (via the web server 6).
  • the QTM server 25 receives a content to be signed, the identity of the third party Y and the identity of the local signing party X.
  • the QTM server 25 verifies the identities of X and Y. If either identity cannot be traced back to a trusted Certificate Authority, the QTM server 25 returns an error.
  • the QTM server 25 locates the signing key (S) that X has authorised for signing with Y, this way the QTM server will be signing by proxy for X.
  • S may be a key that has a warrant for only a X(Y) transaction, but the warrant may also state that S may be used for signing with other parties X(Y, Yl, Y2, ... Yn).
  • the QTM server now 25 adds to the information a QTM version number, a timestamp, a transaction ID, and the Transaction Server ID.
  • the QTM server 25 now generates or requests a signature for X and creates an ordinary Escrow (non- verifiable) of that signature and attaches to this escrow a description of the signature that Y is supposed to create.
  • a pre-QTM package is then created from all information except the actual signature for X. This pre-QTM package is then sent to Y.
  • the first client computer 4 receives the pre-QTM package and verifies the content. If the customer Y accepts the pre-QTM package, the first client computer 4 generates its signature for Y and creates a verifiable escrow of this signature in block 305, that is then sent to the QTM server 25.
  • the QTM server 25 verifies the escrow that Y sent in decision block 306 and if it is correct, the QTM server 25 sends its signature (i.e. the signature of X) to the first client computer 4 in block 308. Otherwise it sends a request to the trusted third party computer 24 to abort the transaction in block 307.
  • the first client computer 4 receives the signature of X and verifies it in decision block 309. If it is correct, the first client computer 4 in block 311 prepares the secure write to it's token (smart card), as described above with reference to the first embodiment. The first client computer 4 then sends its signature Y and the secure write information to the QTM server 25. If the signature of X was incorrect, the first client computer 4 contacts the trusted third party computer 24 and asks it to resolve the transaction in block 310.
  • both the first client computer 4 and the QTM server 25 have essentially signed the content. Only the QTM server 25 needs to sign one last thing, the receipt it self. In block 312, the QTM server 25 can now verify all signatures and, if it is satisfied, sign the receipt itself with its own private key. It will then prepare the secure write to the smart card 14 on the first client computer 4 with its own application key, and send the result to the first client computer 4. (Block 315, see also the first embodiment described above).
  • the QTM server 25 asks the trusted third party computer 24 to resolve the transaction in block 314.
  • the first client computer 4 confirms the secure write by returning the received signature of the QTM server 25.
  • the customer Y by means of first client computer 4, can abort the use of the further method using escrows of the signatures by simply sending its signature Y upon acceptance of pre-QTM package, and not the escrow.
  • the QTM server 25 cancels the procedure by either immediately sending its signature to the first client computer 4 or by not sending the escrow.
  • Abort (by originator): The QTM server 25, which first created a non-verifiable escrow, instructs the trusted third party computer 24 to not resolve this transaction in the future. Neither the customer Y nor the QTM server 25 can obtain signatures. Only the QTM server 25 can initiate this request. If the first client computer 4 has already requested a resolve, the QTM server gets the signature from the customer Y. Only the originator (in the above described example, the QTM server 25, see block 307) can initiate this sub-protocol.
  • Resolve (by first client computer 4, see block 310): This resolves the QTM transaction when the first client computer 4 has sent the verifiable escrow to the QTM server 25, but has not received a good signature of X back. In exchange for this, the first client computer 4 must deposit the customer's signature Y at the trusted third party computer 24. Because the escrow of signature X is non-verifiable, there is no guarantee that the content of the escrow is correct. If it is not, the resolve will simply fail, any future resolve by the QTM server 25 will also fail.
  • Resolve (by QTM server, see block 314): This resolves the QTM transaction when the first client computer 4 has not sent a good signature of customer Y to the QTM server 25 after the QTM server 25 has sent the signature of manager X. Before doing this, the trusted third party computer 24 verifies that the escrow the first client computer 4 sent to the QTM server 25 was correct; it does this by checking the condition attached to the verifiable escrow. Only the QTM server 25 is able to initiate this resolve.
  • two main options exist as to what parts of the QTM information need to be signed by whom. First, all parties sign the QTM package. In this situation, all parties agree on the content, date/time and identities. Signing of the (order/contract) content is indirect. The other possibility is that the two contract signers only sign the contract, and the QTM server 25 signs the identities, signatures, content hash and timestamp.
  • the following information is signed in the QTM process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the QTM server 25 (sign by proxy): 1.
  • a QTM version number is signed in the QTM process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the QTM server 25 (sign by proxy): 1.
  • a QTM version number is signed in the QTM process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the QTM server 25 (sign by proxy): 1.
  • a QTM version number is signed in the QTM process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the QTM server 25 (sign by proxy): 1.
  • a QTM version number is signed in the QTM process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the QTM server 25 (sign by proxy)
  • the QTM server 25 signs item 1 through 5. It does not need to sign the identities of either party, as the receipt only has to state that it administered a transaction over the content. It does not have to vouch for the identities of the signers. An added benefit is that the receipt remains relatively small.
  • the full QTM package structure contains the actual QTM package content with all information:
  • a transaction (QTM) server ID (SHA finge ⁇ rint of the QTM server RSA1024 bit public key)
  • the transaction date/time a Unix 4 byte time structure (seconds since 00:00:00 1970 UTC)
  • a SHA hash of the transaction content (content ID). 6.
  • the SHA finge ⁇ rint of the public key of signing party A (as in item 2)
  • Signature of B over 1 through 7 10. Signature of QTM server over 1 through 5 A version 1 full QTM package with 1024 bits signing keys thus amounts to 1 +20+4+4+20+20+20+3 *( 1024/8)- 473 bytes.
  • the QTM secure write file is preferably just be a statement from the QTM server 25.
  • a signature is optional, as the QTM server is the only one that can write to the file (which implies a signature).
  • the secure write file comprises:

Abstract

Method and system for performing a transaction between a first client (4) and a server (6) over a network (2), including the steps of providing a first signed record by digitally signing a record by the first client (4), the record comprising information to be accepted by the first client (4). Furthermore, a second signed record is provided by digitally signing the record by the server (6), which is sent to the first client (4). The information is stored both by the server (6) and the first client (4), thereby providing proof of the transaction. Furthermore, the server (6) may sign for one or more parties (4, 26) by proxy, based on a certificate. Also, the method and system may be used to provide fair exchange of signatures of the parties (4, 26) involved, by using escrows of the signatures required.

Description

Method and system for performing a transaction between a client and a server over a network
The present invention relates to a method for performing a transaction between a first client and a server over a network, including the steps of providing a server authentication to the first client, providing a first client authentication to the server, sending a record from the server to the first client via the network, the record comprising information to be accepted by the first client, providing a first signed record by digitally signing the record by the first client, sending a first message from the first client to the server via the network, the first message at least comprising the first signed record, and storing the record, first message and the first client authentication by the server upon positive verification of the first signed record with the first client authentication. The network may be an untrusted network.
Such a method is known from US-A-5, 850,442, which describes a method for performing secure electronic transactions between two parties, e.g. clients and servers, via a network. The electronic transactions can be securely performed using a public key infrastructure and smart token technology, such as smart cards.
Information originating from one of the two parties is authenticated as to origin, using encryption keys from a smart token. One of the applications disclosed is the placing of an order. A client connects to a server via the network and obtains an order form for placing an order with the server. The client digitally signs the order and sends it to the server, which may validate the origin of the digitally signed order by checking the signature by means of the encryption keys from the smart token. Another application described is a method for performing an electronic money withdrawal. An electronic withdrawal slip is electronically signed by a customer and transferred to a bank, which stores the signed slip. In return, the bank prepares an electronic cash certificate, digitally signs it and sends it to the customer, which may store the cash certificate. This method is in fact a series combination of two subsequent methods as described above and involves two different groups of information. A disadvantage in this and other present day methods and systems for performing secure electronic transactions via a network is that no proof of the transaction can be made by at least one of the parties involved. Usually only one party keeps a verifiable record of the transaction. Furthermore, the records stored by one of the parties may be tampered with.
The object of the present invention is to provide a method for performing secure electronic transactions via a network, in which both parties obtain solid proof of the transaction.
This object is achieved by a method as defined in the preamble, in which the method further comprises the steps of providing a second signed record by digitally signing the record by the server, sending a second message to the first client, the second message at least comprising the second signed record, and storing the record, the second message and the server authentication by the first client upon verification of the second signed record with the server authentication.
The method according to the present invention has the advantage that both the first client and the server have stored the record and the respective signed records and authentication. At all times after the transaction, both the server and the first client are able to verify and provide proof of the transaction made. Tampering with information in the record describing the transaction can be detected by both the first client and the server by checking the digitally signed records.
In a further embodiment, the first client authentication further comprises an application serial number, and the method further comprises the steps of computing a unique application key from the application serial number and a master key by the server, using the unique application key to encrypt the second message by the server before sending the second message to the first client, and decrypting the second message by the first client. The application serial number may, e.g., be a smart card serial number. This enables the storing of the record and other data by the first client to be write-protected. Only a server that has a correct master key and the proper application serial number, as received from the first client in the first message, is able to generate the appropriate unique application key. The first client also has the unique application key, and is able to decrypt the second message properly and store the decrypted data. Preferably, in a further embodiment, the first message further comprises a random number, and the method further comprises the step of performing an exclusive- or-operation by the server on the second message using the random number before sending the second message to the first client. In this case, an exclusive-or-operation with the same random number resulting in an unscrambled second message can only be performed by the first client who sent that second message and knows the random number. This embodiment ascertains that a certain second message can only be stored once by the first client. In a still further embodiment, the step of providing a second signed record comprises the steps of computing a hash of the record and digitally signing the hash of the record by the server. This embodiment enables to send a second message with only a limited size, rendering advantages with respect to transfer times and required memory size. The step of digitally signing the record by the server may be performed using an additional secret server key, the server authentication further comprising an additional public server key.
In a further embodiment, the first and second message further comprises a file address for storing the second message by the first client. Storage by the first client may be done on, e.g. a smart card with only a limited memory size. This embodiment enables to attach a file address on the smart card to a certain transaction. When the memory of the smart card is full, a previously stored record may be replaced by the new record, replacing e.g. the oldest record or the record with the lowest priority.
In a further embodiment, the second message further comprises a unique record number, and the method further comprises the step of sending a third message to the server by the first client upon positively verification of the content of the second message, the third message comprising the unique record number.
This enables the server to verify that the second message was received correctly by the first client and that the first client has obtained proof of the transaction. When no third message is received, the server can try to contact the first client again at a later time.
An embodiment of the method uses a record, in which the record comprises unformatted text, such as a plain text document, or a plain text description of the document format. Graphical user interfaces may show information in a manner invisible or unclear to one of the parties (client or server), enabling the possibility that one of the parties digitally signs an order comprising information the party concerned does not want to sign when presented to one of the parties for visual verification before digitally signing the record. This embodiment greatly reduces the chance of tampering with the information in the record when using graphical user interfaces to show the record to the first client. Preferably, the textual content of the record comprises, next to possible video and/or audio fragments, unformatted text only.
Preferably, the step of providing server authentication and first client authentication is obtained by means of RSA-keys and X.509 certificates. Methods using RSA-keys and X.509 certificates have proven to be safe in use and are wide spread. Another possible method is the DSS algorithm. Preferably, these are based on large prime numbers.
In a further embodiment of the present invention the second signed record is provided by the server by digitally signing the record using a signing key from a second client, the signing key allowing transactions between the second client and at least the first client. Preferably, the signing key is formed by a certificate signed by the second client, the certificate being received from the second client and stored by the server.
In this embodiment, it is possible that the server signs by proxy for one or both parties to the transaction. A sales manager may, e.g., authorise the company server to sign purchase orders from one or more customers. This is preferably done by means of a certificate, allowing deals to be made automatically between the company server and one or more customers, while the manager remains responsible for these deals, and not the IT department. A further embodiment of the method according to present invention comprises the further steps of sending a non-verifiable escrow of the second signature by the server to the first client before sending the second message, and sending a verifiable escrow of the first signature by the first client to the server before sending the first message. This makes it possible that either both parties end up with each other's signatures, or that no party to the transaction has the opposite party's signature. This can be especially important in contract negotiations where both parties want the other party to sign first. This embodiment does however require more data traffic and data processing. The first client can simply abort the transaction in a first instance, by not reacting further when the record, comprising information to be accepted by the first client is received. When the first client has sent the verifiable escrow, the transaction can be aborted by the server when the verifiable escrow of the first signature is incorrect. When further on in the transaction process, a signature turns out to be incorrect, both parties can obtain the opposite party's signature by means of resolving the transaction, e.g. by means of a trusted third party which provides the second signature associated with the non-verifiable escrow to the first client or the first signature associated with the verifiable escrow to the server.
In a second aspect, the present invention relates to a system for performing a secure transaction over a network, comprising at least one server computer, at least one client computer and a network, the network providing a connection between the at least one server computer and the at least one client computer, the server computer and client computer being arranged to execute the respective server and first client steps of the method according to one of the method claims of the present invention. Preferably, the client computer further comprises memory interface means for communicating with smart memory means, the smart memory means being arranged to execute at least one of the steps of the method according to one of the method claims according to the present invention which are performed by the first client.
Furthermore, the present invention relates to a computer program comprising computer program code, which in operation provides a computer system with the functionality of the method according to the present invention. The present invention also relates to a computer program product comprising such a computer program. The present invention will now be described in more detail with reference to the accompanying drawings, in which
Fig. 1 shows a schematic view of a system for performing a secure transaction between a server computer and a client computer over a network;
Fig. 2 shows a schematic view of an alternative system according to the present invention; and
Fig. 3 shows a flow diagram of an embodiment of the method according to the present invention.
The present invention provides a method for conducting transactions over a network, more specifically over the Internet and a system for performing the present method.
Fig. 1 shows a schematic view of a network 2, such as the Internet, in which two parties are shown being connected to each other via the network 2. A first party offers a product or service via the network 2, the first party being connected to the network 2 by a server computer 6. The other party may be willing to buy a product or service from the first party and is connected to the network 2 by a client computer 4.
The network 2 may be any open network, such as the Internet, which provides an unsecured connection for exchange of data or information between the client 4 and the server 6.
The client computer 4 is connected to the network 2 by a client network interface 11, which may be arranged to establish a Secure Socket Layer connection with the network 2. Furthermore, the client computer 4 is equipped with a web browser application 10 to retrieve information from the network 2 and a transaction client service, further called Q™ client service 12 implementing the client part of the method according to the present invention. Furthermore, the client computer 4 comprises a smart card reader 13 to exchange data with a smart card 14.
The server computer 6 is equipped with a web server 15, providing information about the product and services for sale onto the network 2. The web server 15 is connected to the network 2 via a server network connection 16, which may also be equipped to provide a Secure Socket layer connection. Furthermore, the server computer 6 may be arranged to host further services communicating with the network 2 via the web server 15, including an order application 17 and a transaction service, further called Q™ service 18. The order application 17 processes orders received from the client computer 4 via the network 2. The Q™ service 18 is arranged to provide mutual proof of a transaction via the network 2. The Q™ service 18 may be exchanging information with a Qtm order database 19 and with a Q™ Security Access Module (SAM) 20. It will be clear that the Q™ service 18, Q™ order database 19 and Q™ SAM 20 may be located on a separate Q™ server computer 25 (as e.g. shown in Fig. 2) which is connected to the server computer 6, which in that case hosts the web server 15 and order application 17.
The method according to the present invention assures that, after the transaction is confirmed, both the server and the client have evidence of this event. The client has a receipt stored on the smart card 14 and the server stores the proof of transaction in his database 19. Neither the server nor the client will be able to modify this information.
The method for providing proof of a transaction via a network 2 will now be described with reference to a preferred embodiment of the method according to the present invention. The client who wishes to process an order contacts the web server 15 on the server computer 6 with an Internet browser 10 and establishes a secure connection, e.g. a Secure Socket Layer (SSL) connection. The secure connection may be established using mutual authentication, e.g. using RSA key-pairs and X.509 certificates. After the server computer 6 has been authenticated as a part of the SSL protocol, the client computer 4 needs to identify itself. The RSA key pair of the client resides on the smart card 14 owned by the user. The cryptographic functions needed to establish the connection are preferably executed inside the smart card 14. It is impossible (and not necessary) that the private key leaves the smart card 14. When the client sends his PIN to the smart card 14, this smart card 14 will be enabled to respond to the server challenge to authenticate itself, via the card reader 13, web browser 10 and client network interface 11. A serial number of the smart card 14 will also be part of the client certificate. It is the responsibility of the card-owner to keep the PIN secret.
When a secure connection is established between the client computer 4 and the server computer 6, the client can compose its order. This will be an interactive process between the client and the server. At the end of this process, there will be a concept of the order, ready for the client to accept.
When the concept order is composed, the server computer 6 sends a page to the client computer 4, the page comprising the order content and a confirmation request. Now, the client has the choice between accepting the order or revoking it. When the order is accepted, the client needs to provide proof of his acceptance and acknowledge the server. This proof is given by processing a digital signature over the page with the order content. The digital signature is computed using the RSA encryption algorithm with the private (secret) key on the smart card 14. In graphical user-interfaces, which are commonly used in Internet browsers, it is rather easy to tamper with the content of a message, such as the page with the order content. In order to prevent this, the order content is displayed in a tamperproof 'flat text' display. Thus, the client is assured of the correct content of the concept order and no signature will be given for erroneous or fraudulent order content. The text may be made visible to the first client by a text-only dialog on the first client computer, but alternatively, the smart card reader 13 may be provided with an integrated text-only display. In a next step the client also needs to prepare the smart card 14 to accept a receipt, or Q™ record. For this purpose, the smart card 14 will process a random challenge number that will be used later for the secure write operation to that smart card 14. The confirmation, the digital signature and the random number will be sent to the server computer 6. An address of the first free position in a Q™ file on the smart card 14 will be sent as well. If there is no free position available, an existing Q™ record needs to be replaced. This can be the oldest Q™ or the Q™ with the lowest priority. The issue date, the expiration date or the priority can be part of the record and will determine which record will be replaced first. The record that is to be replaced can be stored on e.g. a hard disk (not shown) on the client computer 4.
The server computer 6 receives the information as described above. This information, along with the client certificate and the order content, is made available to the Q™ service 18 that is running at the server computer 6. First, the Q™ service 18 checks the digital signature by means of the client authentication received earlier, a.o. comprising the client public key, and the order content already available in the server computer 6. If the digital signature is right, the service notifies the order application 17 of the fact that the order is confirmed.
The order content, the client information (including public key) and the digital signature will be stored in the Q™ service database 19. This Q™ service database 19 will act as an order administration for the server that stores copies of each order. Each modification of information in this database, be it either to the order content or the digital signature, will be noticed when the digital signatures are checked by means of the public key of the client information. The smart card 14 is equipped with a Q™ file that is write-protected to prevent unauthorised server computers 6 from writing to the smart card 14. Every smart card 14 has a unique application key that can be computed using a master key in combination with the serial number of the card. The owner of the master key will be able to generate a secure message that can be stored in the Q™ file on the smart card 14. These messages need to be modified with a random number generated by the smart card 14, as described above. This guarantees that a message can only be written once. If a server computer 6 has the master key, the serial number of the smart card 14 and the random number previously generated by the smart card, this server computer 6 can generate a message that may be saved to the Q™ file on the smart card 14.
The Qtm record that will be stored in the Q™ file on the smart card 14 client may e.g. contain 40 bytes: -5 bytes unique Q™ number
-16 bytes signed hash of the order content
-19 bytes identification of the server
A special signature key of the server computer 6 signs the 16 bytes hash of the order content. This key is the secret part of a RSA key pair. This key pair can be the same as the authorisation key pair from the server, but it is also possible to use an extra key pair and certificate for this purpose. Of course, the public part of the RSA key pair should be made available to the client computer 4, when different from the public authorisation key. The message will be encrypted using the diversified application key, calculated from the master key and serial number of the smart card 14, and XORed with the random number. The master key resides on the tampeφroof SAM (Security
Access Module) on the server computer 6, which also may be provided as a smart card and a smart card reader.
The server computer 6 sends a response to the client's browser 10 saying that the order is accepted. This response contains the secure, encrypted message. The encrypted message is sent to the smart card 14 where it will be decrypted and stored.
The client can now read this message (there will be no read protection on this file).
The client computer 4 checks whether the signature and the hash on the card correspond with the server's public key as known to the client computer 4 and the hash of the processed order. If this is not the case, the Q™ client service 12 will inform the client that something went wrong and the added Q™ will be deleted.
Normally however, this will not happen. In this case the client computer 4 sends the unique 5-byte Q™ number back to the server. This proofs that the Q™ record is saved on the right smart card 14 of the right client. The Q™ service 18 on the server receives this response and stores in the database 19 that the Q™ record is received on the smart card 14. If this Q™ number does not return, the Q™ service 18 will be able to repeat these steps later.
The estimated time for the complete transaction depends mostly of the response time of the network 2 being used. Using state-of-the-art hardware, the operations performed on the client computer 4 and the server computer 6 together will not take more than one second. In a further embodiment of the present invention, the server 6 is able to sign by proxy for one or both parties involved in the transaction. In Fig. 2, an embodiment is shown of a further network situation. As discussed with reference to Fig. 1, a first client computer 4 is connected to a web server computer 6 via a network 2 (such as the Internet). The web server computer 6 is connected to a Q™ server computer 25 by means of a direct connection. The web server computer 6 may also be connected to a second client computer 26, e.g. operated by a sales manager. Finally, a trusted third party computer 24 may be connected to the network 2. With the Q™ system, a user, such as a manager responsible for (part of) the sales via the web server 6, can authorise the Q™ service 18 to sign specific transactions on his behalf, for one or more possible clients. The authorisation may be accomplished directly on the web server computer 6, the Q™ server computer 25 or by means of the second client computer 26. For example, sales manager X can authorise the Q™ service 18 to sign purchase orders from customer Y. Manager X does this by signing a certificate that the Q™ service 18 can then use for signing for transactions between the web server 6 and customer Y, via the customer's client computer 4. Manager X effectively becomes a Certifying Authority for the Q™ service 18. This makes Manager X responsible for what the Q™ service 18 can sign, not the company IT department. The Q™ service 18 simply cannot sign a transaction with customer Z, if there is no certificate from manager X allowing transactions with customer Z.
Of course, it would also be possible that the customer Y sends a certificate to the Q™ service 18, allowing the Q™ service 18 to sign by proxy on behalf of the customer Y, via the client computer 4. This may e.g. be utilised in reverse auction transaction schemes.
The Q™ server 25 can have a certificate that warrants it to sign content for either or both parties. If the Q™ server 25 has to sign for both parties, the originator of the transaction must be verified. The Q™ server 25 must have a warrant that states that the originator (e.g., X or Y) may instruct the server 25 to sign. A policy should be that the originator authorises by way of a Q™ validated order to the server 25.
The proxy certificates the Q™ server 25 has in store must be added by authorised managers, using standard public-key-infrastructure systems, such as X.509 certificates to validate the both identity of the manager and the correctness of the generated warrant.
The actual proxy signatures that the Q™ server 25 generates must be traceable back to the party that it is signing for. This can either be a simple warrant or a signing- key that is mathematically derived from the original.
A further embodiment of the present invention uses a fair exchange of signatures. This way both participants can be sure that they will receive the signature of the other party, once they commit their signature. This is accomplished by way of a trusted third party on a trusted third party computer 24. This arbitrator only needs to be consulted when the exchange fails. Resolving the transaction means that the arbitrator returns a valid Q™ to the Q™ server 25 and/or first client computer 4.
This further method is optional, as not all transaction types require it. Furthermore it requires additional communication and computations that may take too much time or are not possible at all with simple token device. The transaction process (or Quitum process) will now be explained in more detail with reference to an exemplary embodiment according to the flow diagram shown in Fig. 3.
At the beginning of the Q™ process, in block 301, it is assumed that there is content that needs to be signed. This can be something like a simple order confirmation, a digitally recorded conversation or any other contract.
A customer logs onto a supplier web server 6, and builds an order and requests the order to be shipped. The web server 6 now has a content that needs to be signed by two parties and knows the identity of the customer (Y) and the sales person (X) for the company. The web server 6 now contacts the local Q™ server 25 to start the Q™ process.
There is also a trusted arbitrator for fair signature exchange located in the trusted third party computer 24, which can be contacted by both the first client computer 4 and by the Q™ server 25 (via the web server 6).
In block 302, the Q™ server 25 receives a content to be signed, the identity of the third party Y and the identity of the local signing party X.
In block 303, the Q™ server 25 verifies the identities of X and Y. If either identity cannot be traced back to a trusted Certificate Authority, the Q™ server 25 returns an error. In its local database, the Q™ server 25 locates the signing key (S) that X has authorised for signing with Y, this way the Q™ server will be signing by proxy for X. S may be a key that has a warrant for only a X(Y) transaction, but the warrant may also state that S may be used for signing with other parties X(Y, Yl, Y2, ... Yn). The Q™ server now 25 adds to the information a Q™ version number, a timestamp, a transaction ID, and the Transaction Server ID.
Furthermore, the Q™ server 25 now generates or requests a signature for X and creates an ordinary Escrow (non- verifiable) of that signature and attaches to this escrow a description of the signature that Y is supposed to create. A pre-Q™ package is then created from all information except the actual signature for X. This pre-Q™ package is then sent to Y.
In block 304, the first client computer 4 receives the pre-Q™ package and verifies the content. If the customer Y accepts the pre-Q™ package, the first client computer 4 generates its signature for Y and creates a verifiable escrow of this signature in block 305, that is then sent to the Q™ server 25.
The Q™ server 25 verifies the escrow that Y sent in decision block 306 and if it is correct, the Q™ server 25 sends its signature (i.e. the signature of X) to the first client computer 4 in block 308. Otherwise it sends a request to the trusted third party computer 24 to abort the transaction in block 307. The first client computer 4 receives the signature of X and verifies it in decision block 309. If it is correct, the first client computer 4 in block 311 prepares the secure write to it's token (smart card), as described above with reference to the first embodiment. The first client computer 4 then sends its signature Y and the secure write information to the Q™ server 25. If the signature of X was incorrect, the first client computer 4 contacts the trusted third party computer 24 and asks it to resolve the transaction in block 310.
At this point, both the first client computer 4 and the Q™ server 25 have essentially signed the content. Only the Q™ server 25 needs to sign one last thing, the receipt it self. In block 312, the Q™ server 25 can now verify all signatures and, if it is satisfied, sign the receipt itself with its own private key. It will then prepare the secure write to the smart card 14 on the first client computer 4 with its own application key, and send the result to the first client computer 4. (Block 315, see also the first embodiment described above).
If the signature from the customer Y does not verify, the Q™ server 25 asks the trusted third party computer 24 to resolve the transaction in block 314. In block 316, the first client computer 4 confirms the secure write by returning the received signature of the Q™ server 25.
At this point the Q™ transaction is complete (block 317).
The customer Y, by means of first client computer 4, can abort the use of the further method using escrows of the signatures by simply sending its signature Y upon acceptance of pre-Q™ package, and not the escrow. The Q™ server 25 cancels the procedure by either immediately sending its signature to the first client computer 4 or by not sending the escrow.
The method using fair exchange makes use of the following additional protocols:
Abort (by originator): The Q™ server 25, which first created a non-verifiable escrow, instructs the trusted third party computer 24 to not resolve this transaction in the future. Neither the customer Y nor the Q™ server 25 can obtain signatures. Only the Q™ server 25 can initiate this request. If the first client computer 4 has already requested a resolve, the Q™ server gets the signature from the customer Y. Only the originator (in the above described example, the Q™ server 25, see block 307) can initiate this sub-protocol.
Resolve (by first client computer 4, see block 310): This resolves the Q™ transaction when the first client computer 4 has sent the verifiable escrow to the Q™ server 25, but has not received a good signature of X back. In exchange for this, the first client computer 4 must deposit the customer's signature Y at the trusted third party computer 24. Because the escrow of signature X is non-verifiable, there is no guarantee that the content of the escrow is correct. If it is not, the resolve will simply fail, any future resolve by the Q™ server 25 will also fail.
Resolve (by Q™ server, see block 314): This resolves the Q™ transaction when the first client computer 4 has not sent a good signature of customer Y to the Q™ server 25 after the Q™ server 25 has sent the signature of manager X. Before doing this, the trusted third party computer 24 verifies that the escrow the first client computer 4 sent to the Q™ server 25 was correct; it does this by checking the condition attached to the verifiable escrow. Only the Q™ server 25 is able to initiate this resolve. In all the above described embodiments, two main options exist as to what parts of the Q™ information need to be signed by whom. First, all parties sign the Q™ package. In this situation, all parties agree on the content, date/time and identities. Signing of the (order/contract) content is indirect. The other possibility is that the two contract signers only sign the contract, and the Q™ server 25 signs the identities, signatures, content hash and timestamp.
In a first example, the following information is signed in the Q™ process (sample 1) by the customer Y by means of the first client computer 4 and the manager X by means of the Q™ server 25 (sign by proxy): 1. A Q™ version number.
2. A transaction server ID.
3. A transaction ID linked to the server ID from 2.
4. A time stamp.
5. A cryptographically secure hash of the content that has to be signed. 6. The identity of party A.
7. The identity of party B. The Q™ server 25 signs item 1 through 5. It does not need to sign the identities of either party, as the receipt only has to state that it administered a transaction over the content. It does not have to vouch for the identities of the signers. An added benefit is that the receipt remains relatively small.
As an example, the full Q™ package structure contains the actual Q™ package content with all information:
1. A single byte indicating Q™ version number (currently 1).
2. A transaction (Q™) server ID (SHA fingeφrint of the Q™ server RSA1024 bit public key)
3. (4 byte) Transaction ID (server related).
4. The transaction date/time: a Unix 4 byte time structure (seconds since 00:00:00 1970 UTC)
5. A SHA hash of the transaction content (content ID). 6. The SHA fingeφrint of the public key of signing party A (as in item 2)
7. The SHA fingeφrint of the public key of signing party B (as in item 2)
8. Signature of A over 1 through 7
9. Signature of B over 1 through 7 10. Signature of Q™ server over 1 through 5 A version 1 full Q™ package with 1024 bits signing keys thus amounts to 1 +20+4+4+20+20+20+3 *( 1024/8)- 473 bytes.
The Q™ secure write file is preferably just be a statement from the Q™ server 25. A signature is optional, as the Q™ server is the only one that can write to the file (which implies a signature). The secure write file comprises:
1. Version number
2. Transaction ID
3. Date/time 4. HASH of order content
The result would then be, 1+4+4+20=29 bytes. Note that this file is only valid if it remains on the card.
It will be understood that the above description relates to embodiments and examples related to the present invention. These examples are however not intended to limit the scope of the present invention, which is defined by the claims as attached.

Claims

1. Method for performing a transaction between a first client (4) and a server (6) over a network (2), including the steps of: providing a server authentication to the first client (4); providing a first client authentication to the server (6); sending a record from the server (6) to the first client (4) via the network (2), the record comprising information to be accepted by the first client (4); providing a first signed record by digitally signing the record by the first client (4); sending a first message from the first client (4) to the server (6) via the network (2), the first message at least comprising the first signed record; and storing the record, first message and the first client authentication by the server (6) upon positive verification of the first signed record with the first client authentication, characterised in that the method further comprises the steps of providing a second signed record by digitally signing the record by the server (6); sending a second message to the first client (4), the second message at least comprising the second signed record; and storing the record, the second message and the server authentication by the first client
(4) upon verification of the second signed record with the server authentication.
2. Method according to claim 1, characterised in that the first client authentication further comprises a smart card serial number, and in that the method further comprises the steps of computing a unique application key from the smart card serial number and a master key by the server (6); using the unique application key to encrypt the second message by the server (6) before sending the second message to the first client (4); decrypting the second message by the first client (4).
3. Method according to claim 1 or 2, characterised in that the first message further comprises a random number, and in that the method further comprises the step of performing an exclusive-or-operation by the server (6) on the second message using the random number before sending the second message to the first client (4).
4. Method according to one of the claims 1 through 3, characterised in that the step of providing a second signed record comprises the steps of computing a hash of the record and digitally signing the hash of the record by the server (6).
5. Method according to one of the claims 1 through 4, characterised in that the step of digitally signing the record by the server (6) is performed using an additional secret server key, the server authentication further comprising an additional public server key.
6. Method according to one of the claims 1 through 5, characterised in that the first and second message further comprise a file address for storing the second message by the first client (4).
7. Method according to one of the claims 1 through 6, characterised in that the second message further comprises a unique record number, and in that the method further comprises the step of sending a third message to the server by the first client (4) upon positively verification of the content of the second message, the third message comprising the unique record number.
8. Method according to one of the claims 1 through 7, characterised in that the record comprises unformatted text.
9. Method according to one of the claims 1 through 8, characterised in that the steps of providing server authentication and first client authentication is obtained by means of RSA-keys and X.509 certificates.
10. Method according to one of the claims 1 through 9, characterised in that the second signed record is provided by the server (6) by digitally signing the record using a signing key from a second client (26), the signing key allowing transactions between the second client (26) and at least the first client (4).
11. Method according to claim 10, characterised in that the signing key is formed by a certificate signed by the second client (26), the certificate being received from the second client (26) and stored by the server (6).
12 Method according to one of the claims 1 through 11, characterised in that the method comprises the further steps of: sending a non-verifiable escrow of the second signature by the server (6) to the first client (4) before sending the second message; and sending a verifiable escrow of the first signature by the first client (4) to the server (6) before sending the first message.
13. Method according to claim 12, characterised in that the transaction is aborted by the server (6) when the verifiable escrow of the first signature is incorrect.
14. Method according to claim 11 or 12, characterised in that the transaction is resolved by a trusted third party (24) when either the second signature or first signature is not correct, by providing the second signature associated with the non-verifiable escrow to the first client (4) or the first signature associated with the verifiable escrow to the server (6).
15. System for performing a secure transaction over a network (2), comprising at least one server computer (6), at least one client computer (4) and a network (2), the network providing a connection between the at least one server computer (6) and the at least one client computer (4), the server computer and client computer being arranged to execute the respective server and first client steps of the method according to one of the claims 1 through 14.
16. System according to claim 15, in which the at least one client computer (4) further comprises memory interface means (13) for communicating with smart memory means (14), the smart memory means (14) being arranged to execute at least one of the first client steps of the method according to one of the claims 1 through 14.
17. System according to claim 15 or 16, in which the system further comprises a trusted third party computer (24) able to communicate with the server computer (6) and the at least one client computer (4).
18. Computer program comprising computer program code, which in operation provides a computer system with the functionality of the method according to one of the claims 1 through 14.
19. Computer program product comprising the computer program of claim 18. *******
EP00917485A 1999-09-22 2000-04-03 Method and system for performing a transaction between a client and a server over a network Withdrawn EP1221145A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
NL9900590 1999-09-22
WOPCT/NL99/00590 1999-09-22
PCT/NL2000/000217 WO2001022373A1 (en) 1999-09-22 2000-04-03 Method and system for performing a transaction between a client and a server over a network

Publications (1)

Publication Number Publication Date
EP1221145A1 true EP1221145A1 (en) 2002-07-10

Family

ID=19866614

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00917485A Withdrawn EP1221145A1 (en) 1999-09-22 2000-04-03 Method and system for performing a transaction between a client and a server over a network

Country Status (3)

Country Link
EP (1) EP1221145A1 (en)
AU (1) AU3844900A (en)
WO (1) WO2001022373A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10120290A1 (en) * 2001-04-25 2002-11-07 Siemens Ag Method for securing a data transmission between several data transmission units and associated components
ATE291319T1 (en) 2001-04-30 2005-04-15 Activcard Ireland Ltd METHOD AND SYSTEM FOR AUTHENTICATING A PERSONAL SECURITY DEVICE AGAINST AT LEAST ONE REMOTE COMPUTER SYSTEM
US20020162021A1 (en) 2001-04-30 2002-10-31 Audebert Yves Louis Gabriel Method and system for establishing a remote connection to a personal security device
ATE366968T1 (en) 2001-04-30 2007-08-15 Activcard Ireland Ltd METHOD AND SYSTEM FOR REMOTE ACTIVATION AND MANAGEMENT OF PERSONAL SECURITY DEVICES
US7225465B2 (en) 2001-04-30 2007-05-29 Matsushita Electric Industrial Co., Ltd. Method and system for remote management of personal security devices
US7363486B2 (en) 2001-04-30 2008-04-22 Activcard Method and system for authentication through a communications pipe
ITTO20010771A1 (en) * 2001-08-03 2003-02-03 T I S S Srl AUTHENTICATION METHOD BY STORAGE DEVICE.
US7162631B2 (en) 2001-11-02 2007-01-09 Activcard Method and system for scripting commands and data for use by a personal security device
GB0219909D0 (en) * 2002-08-28 2002-10-02 Koninkl Philips Electronics Nv Secure logging of transactions
DE10242673B4 (en) * 2002-09-13 2020-10-15 Bundesdruckerei Gmbh Procedure for identifying a user
DE102005062307A1 (en) * 2005-12-24 2007-06-28 T-Mobile International Ag & Co. Kg Chip card e.g. subscriber identity module card, pre-arranging method for electronic signature services, involves generating asymmetrical code pair and signature-personal identification number on card, and conveying number to user by card

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL75702A0 (en) * 1984-07-27 1985-11-29 Technion Res & Dev Foundation Apparatus for effecting and recording monetary transactions
US5018196A (en) * 1985-09-04 1991-05-21 Hitachi, Ltd. Method for electronic transaction with digital signature
GB9121995D0 (en) * 1991-10-16 1991-11-27 Jonhig Ltd Value transfer system
US5577121A (en) * 1994-06-09 1996-11-19 Electronic Payment Services, Inc. Transaction system for integrated circuit cards
DE4427039C2 (en) * 1994-07-29 2003-06-12 Giesecke & Devrient Gmbh Method for determining the current amount of money in a data carrier and system for carrying out the method
US5677955A (en) * 1995-04-07 1997-10-14 Financial Services Technology Consortium Electronic funds transfer instruments
US5809144A (en) * 1995-08-24 1998-09-15 Carnegie Mellon University Method and apparatus for purchasing and delivering digital goods over a network
US5850442A (en) 1996-03-26 1998-12-15 Entegrity Solutions Corporation Secure world wide electronic commerce over an open network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0122373A1 *

Also Published As

Publication number Publication date
WO2001022373A1 (en) 2001-03-29
AU3844900A (en) 2001-04-24

Similar Documents

Publication Publication Date Title
US5915022A (en) Method and apparatus for creating and using an encrypted digital receipt for electronic transactions
US6105012A (en) Security system and method for financial institution server and client web browser
US6367013B1 (en) System and method for electronic transmission, storage, and retrieval of authenticated electronic original documents
US8620814B2 (en) Three party account authority digital signature (AADS) system
US7003480B2 (en) GUMP: grand unified meta-protocol for simple standards-based electronic commerce transactions
AU2001277943B2 (en) Digital receipt for a transaction
CA2306865C (en) Digitally certifying a user identity and a computer system in combination
US6363365B1 (en) Mechanism for secure tendering in an open electronic network
US20070168291A1 (en) Electronic negotiable documents
AU2001277943A1 (en) Digital receipt for a transaction
WO2001022373A1 (en) Method and system for performing a transaction between a client and a server over a network
CA2212457C (en) Electronic negotiable documents
KR20020037188A (en) Apparatus and method for receipting and endorsing of electronic receipt
CA2605569C (en) Electronic negotiable documents
AU3010700A (en) Electronic negotiable documents

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020422

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20041103