Note: Descriptions are shown in the official language in which they were submitted.
CA 02350321 2005-06-13
SYSTEM, METHOD AND COMPUTER PRODUCT FOR DEPLOYING PKI
(PUBLIC KEY INFRASTRUCTURE) IN WIRELESS DEVICES CONNECTED TO
THEINTERNET
Field of the Invention
Tliis invention relates in general to public key infrastructure, the Internet
and wireless
netwoi-king. This invention more pai-ticulai-ly relates to designing and
implenienting PKI
applications using a wireless device whereby integration of such wireless
devices into
Internet based applications is achieved.
Background of the Invention
The explosive gi-owth of Internet usage has resulted in an expansion in the
development of Internet based applications. At the same time, there has been
rapid
development and expansion of wireless communication networks. A significant
proportion
of this development and expansion llas been in the area of WAP (wireless area
protocol)
environments. These WAP environments, however, are for the most part separate
from the
Internet.
Tliis division between Intei-net and WAP environments results in increased
developnient costs in that separate applications are generally required for
both the Internet
and WAP environnients. In addition, due to the separate nature of the Internet
and WAP
environments, applications designed for the one of such environments are
generally not
operable within the other environnient.
Prioi- art solutions are known for providing interoperability between the
Internet and
WAP networks. For example, there ai-e nunierous solutions that provide a
gateway device
that acts as a bridge between the WAP network and the Internet. Such solutions
generally
eniploy a scaled down version of a browser (mini browser) in a wireless device
(cellular
phone, personal digital assistant or the like) capable of accessing and
retrieving "web pages"
developed for the web. These mini browsers operate in tandem with a pi-oxy
server which
translates WAP requests to Internet protocol formats and thereby returning
answers to sucll
i-equests back to the wireless device, in a nianner that is well known.
Generally, in known
applications of such proxy servers, images and other lai-ge data sets are
stripped from web
pages accessible via the Internet, such that the request will be transmitted
relatively quickly
CA 02350321 2005-06-13
-2-
to the wireless device and the data can be viewed in the display space of the
wireless device
that is generally i-estricted as compared to the colour monitor of a laptop,
for example.
Security of data is an important concei-n in development and implementation of
e-
conimerce applications. Data security related attention has been focused
predoniinantly on
securing the netwoi-k used for transmission of data so that data passed
through the network
used for transmission of data so that data passed tlirough the netwoi-k is
protected. The
predominant technology acconiplishing this security in wired networks is know
as SSL or the
secure socket layer, where the server that hosts the Internet application
establishes a secure
connection with thee browser connected to it. Othei- technologies which pi-
otect data ti-affic
include VPN (virtual private network technologies) and IPSEC (Internet
protocol security)
technologies. These technologies are based on derivatives of various
cryptographic
techniques. The strength of these technologies is their simplicity in use and
development.
The use of such SSL, VPN, or IPSEC technologies, however, has certain
disadvantages. First, as referenced above, in the case of SSL, this particular
security
technology operates generally in a wii-ed network environment only. Therefore,
in ordei- to
pi-ovide seciu=ity on the wireless network side, security standards ai-e
generally required
tliroughout the wireless network. While VPN provides data security in a
wireless network as
well as a wii-ed network, systems, computer products and methods for data
security in a
wii-eless envii-onment are generally such that data ai-rives at a wireless
device on an
unenci-ypted basis. This has the disadvantage of requiring the user of a
wireless device to
rely on the security and data integi-ity of the system from which the data is
forwarded whether
this is based on proprietary wii-eless security standards or VPN oi- IPSEC. In
addition, this
means that (without the use of a further security means that encrypts data on
a coniputer or
netwoi-k of computers at which the data has been received), data stored on,
foi- exaniple, a
coniputer network can notwithstanding the security technology employed during
ti-ansmission, be stolen by liacking oi- othei- means.
Thei-e exists the furtlier disadvantage of such prior art systems, computer
products and
method for pi-oviding communication of a data foi- a wireless device described
above in that
same do not generally provide nieans for authenticating the sender of such
data, for example,
by means of digital signatures, not the data itself.
In conti-ast such prior art data security systems, computer products and
methods
described above, a further systeni, computer product or method based on the
well known PKI
CA 02350321 2005-06-13
-3-
(publick key infi-astructure) provides means for delivering data on an
encrypted basis, as well
as authentication of the sender of such data. In order to preserve the
confidentially of a
message transmitted between two parties using the PKI method, both the sender
of the data
and the recipient thereof have a pair of keys, one of which is private that
the party keeps
secret and the other of wliich is a public key and wliich each party niakes
available to others.
The encryption method is asymmetric in that if a user's public key was used to
encrypt the
message the user's private key must then be used to decrypt the message.
PKI is particularly useful in applications where the authentication of a
docunient is
required to conform to standards for legal acceptance for electronic
docLuiients, for example,
in accordance with legal standards set out in the federal "E-Sign Legislation"
in the United
States. Siniilar legislation has been proposed or enacted in numerous other
jurisdictions.
However, PKI has generally been difficult to implement in wireless
applications,
particularly as development of PKI in the wireless environment has generally
required costrly
custom development of wireless PKI applications. There is a need therefore foi-
a system,
computer product and method that permits deployment of PKI in a wireless
environment that
is relatively easy and inexpensive to deployment across a wide array of
applications liaving
functionally of a varied nature.
There is still furtlier need for deploying PKI in a wireless environment
wherein such
deployment is supported from a pi-ogramming perspective by development tool
that permit
inexpensive and rapid deployment of PKI in the wireless environment with
minimal custom
development.
Brief Description of the Drawings
A detailed description of the preferred embodiment(s) is (are) provided herein
below
by way of example only and with reference to the following drawings, in which:
Figure 1 is a scliematic view illustrating a typical gateway implementation of
PKI in a
wireless environment;
Figure 2 is a program resource flowchart illustrating the systeni components
of a
preferred embodiment of the present invention; and
CA 02350321 2007-02-28
-4-
Figure 3 is a schematic view iilustrating tha enaryption and decryption of
data at a wireless device
in accordance with a prcferred embodiment of the present invention.
In the drawings, prefenred embodin-4nts of the invention are illustrated by
way of example. It is
to be expressly understood that the description and drawings are only for the
purpose of illustration and as
an aid to understanding, and are not Intended as a definition of the lin-iits
of the invention.
Detailed Description of the Preferred Embodiment
Referring to Figure 1, the,re is illustra.ted a wired and a wireless network
integrated in accordance
with PKI. The representative PKI environment described includes clients
(whether a wircless device or a
personal computer (collectively referred to as "network-connected device"), an
Internet based camputer, a
wireless device (10), a Gateway Proxy Server (107), a Web server (106) which
is typically linked to a
Certificate Authority (103) and corresponding Registration Authority LDAP
Directory (not shown).
These components are provided in a rnEmner that is well known.
On the client side, associated with the wiretess device (10) corresponding to
one of such clients, a
plug-in (22) is provided in accordance with the computer product of the
present invention. The plug-ia
(22) is linked to a k.nown browser (20). It should be further understood
however, that the present
invention also contemplates provision of the fimctionality of such plug-in by
rtxeans of niodifflcation of
existing browser technology to provida the computer product described herein
in and/for modification to
permit a browser to process the steps of the method described in titis
disclosure. The plug-in illustrated in
this disclosure is hereafter refeoted to as the "Application".
The system of the present invention is best understood as a system
incorporating a wireless
component, as illustrated in Fig. 1, and further incorporating the Application
(22) provided at least at one
wireless device (10).
The present invention provided a simple, cost effectivc mcans for developing
user level, dual key
PKI transactions from a browser (20). Such browsers (20) can be standard
Internet based browsers such
as Netscape's Navigatorl" or Microsoft's Internet Rxplorer"''. It may also be
used with niini browsers for
wireless products such as cell phones or PDAs (personal digital assistants) as
is the subject of this patent
application.
CA 02350321 2005-06-13
-5-
The Application (22) is opei-ably associated with such prior art bi-owsers
(20) in a
manner that is well known, for example, using customized HTML tags. The
Application (22)
associated with browser (20) (i.e. a mini browser on wireless device (10) is
best understood
as a PKI enabled browser, by the Application (22) providing the PKI
fi,inctionality desci-ibed
lierein.
The Application (22) is provided and implemented on a wireless device (10) so
as to
function with any tliird pai-ty PKI system, including for example, ENTRUST"m
MICROSOFTTM, BALTIMORE"M, RSATM and so forth.
Through the use of the custoniized HTML tags, the Application (22) described
herein
pei-mits signatLire and encryption of data on the client's wii-eless device
(10), and then
transmission of sucli data to another web application (16) (for example linked
to the web
server (106)) requesting sanie, as particularized herein. The Application (22)
of the present
invention is also capable of exchanging data with an Internet based browser.
The use of the
mini browser interface allows this implementation to fall into a number of
diffei-ent
categoi-ies including: Secure WAP, Secure E-Forms, Secure E-Comnierce, SecLn-e
E-Mail etc.
The Application is designed to nui on a wireless client device in a wireless
network
environment that is integrated into the Intei-net via a Gateway proxy Server
using Web
sei-vei-s and a PKI Certificate Authority pi-oduct to maintain security, in a
mannei- that is well
known. Each wireless client device genei-ally requires a separate installation
of the
Application. The Application facilitates the communication between the
wireless mini
browser, the Web Sei-ver 106) and PKI System described througll a Gateway
Proxy or WAP
to Web gateway (107).
The flow of data for the encryption process is illustrated in Figure 3. The
transaction
begins with the web sei-ver custom HTML tags in a web form to trigger the
Application (22).
The Application (22) first uses the User Authentication Module (23) to verify
the identity of
the current usei- based on a locally stored user profile conforming with PKI
standards,
pi-ovided in a nianner that is well laiown. The Application (22) then i-
equests the usei- to
specify a recipient. The recipient profile is retrieved from the PKI system
and validated
against CRL (certificate revocation list) of the PKI system. By operation of
the Application
(22), the web fornl can be undei-stood as a "PKI enabled form".
CA 02350321 2007-02-28
-b-
The application is further provided with a Crypto Library (24), in a manner
that is well known as
shown in Fig. 2. In the particular embodiment of the present invention, the
Crypto Library (24) is
provided with a set of ECC algorithms. New user profiles are provided to the
Application via the
Internet, for example, using a synchronization cradle and related routines, in
a manner that is also well
known. The Crypto Library (24) is used to enarypt apd sign the data. The data
is then sem to the web
server (106) through the Gateway Proxy (107).
A similar procedure is used for the decryption process, as illustxated in Fig.
3_ The web page
provides custom HT1vIL. tags (in a web form) to trigger the Application (22)
and request the authcntication
of the said local user profile by way of the "iJser Authentication Module"
(23) provided in a manner that
is well known. Once the user is authenticated, the Application (22) requests
the web server (106) to send
tthe encrypted data through the Gateway Proxy (107) to the mini browser (20),
which is in turn passed to
the Crypto Library (24) for decryption and signature verification. A local
pagc is created and displayed
for the user with the decryption contents. Tn other words, the Crypto Library
(24) is a cryptogxaphic
facility that enables eneryption/decryption/authentication signature of data.
Further details of the method executed by the Application for
encayptiugldeorypting and
signing/verifying signature of data in aceoidance with this invention are
described below in the discussion
of the method of the present invention.
It is inzportant to note that in use the invention results in provision of the
data at the wireless
device on an enarypted basis. This provides the fuather benefit of permitting
the encrypted data to bc
saved to a suitable storage medium e.g. by posting encrypted data in a manner
that is known. This
encryption of data for storage put'poses as well as during tnattsmission
provides a significant security
benefit. Fuxther, in aceordance with database programming mcthods that are
well known, including for
exanYple, P'f;P, ASP~"'', Coldfusion, pBRL, Python, Javascript'm, etc. the
AppliceQion (22) provides means
for storing selected data on an encrypted basis. For example, selected fields
in a web form are
programirwble in a nt:anner that is well known to engage the Application (22)
to store data residing in
such particular fields on an encrypted basis. This in contrast to prior art
solutions that genarally permit
encryption and signature of daca only as an unstructured batch of data. This
results in the benefit of
support of customized fields whera encryption only of specified fields is
desired, andlor a saving in
processing resotutcas that would have otherwise been devoted to encrypting
data that is not of a sensitive
nature.
CA 02350321 2007-02-28
-7-
The Application and the method disclosed have several relatod applications.
For example, the
invention should be understood as:
1. A method for integrating PKI encryption with standard Internet programming
languages such as
PHP. ASP"'', Cold Pusion, ISP, Java, VBScript, Perl, Python etc.
2. Amthod for eliminating the "mart in the middle" security note of proxy
based gateways between
the Internet and wireless networks.
3. A method for integrating wireless applications with Jnternet based PKi
Systems.
4. A method for supporting X509 V3 PKI ceitificate standards in wireless
applications.
S. A method for deploying etliptic curve eryptographic functions for
encrypting and decrypting and
generatfng digital signatures in a wireless device. In particular, this is
achieved by conzputing a
hash value on a message intended to be sent from a wireless devicc, in a mamer
that is known.
The Application (22) thereafter engages the signature of the message with a
private key provided
by the Crypto Library (24) described above. The privatc key is then encrypted
with the hash
value by the Application (22) to create a digital signature, thereby
permitting the message to be
signed. This permits authentication of the source of the message at a remate
device such as
wireless device (10). The Application (22) then generates a session key which
locks the digital
signature and the signed message for transnussion of the entire m,essage. The
public key of a
recipient associated whh a particular PKI is requested, and the session key is
encrypted using this
public key. Thereafter, the encrypted message is recelved by a remote client.
The recipient, at a
computer connected to the Internet, or a wireless devices (10) on which the
Application (22) has
been installed decrypts the session key with their private key, in accordance
with known P1CI
solutions. The session key is used to decrypt the rrmessage. The public key of
the sender is
generally obtained from a Certificate Authority (103). The hasb value is
separated from the
message by the Application (22), in a manner that Is well known. The recipient
calculates the
hash value of the message received and compares this hash value against the
driven hash value,
thereby permitting the ntessage to be
CA 02350321 2005-06-13
-8-
authenticated as being a"ti-ue copy" in accordance with, for example,
electronic
signature legislation.
6. A method for storing user profiles, X509 certificates and private keys in a
wireless
device (10).
7. A metllod of user authentication in a wireless device (10).
8. A metliod for developing web based applications that require PKI
funetionality.
9. A method for perniitting applications to inter-operate between wireless and
Internet
based on other networks.
10. A method to integrate encryption and decryption methods into mini browsers
(20).
1 0 1 1. A nietliod that allows a user to review and sign messages and
transactions in a mini
browser such that message or transactions will be legally binding.
12. A method that allows the design of application for databases where the
encryption of
such data can be selected specifically as to which field(s) of the database is
to be
encrypted.
13. A niethod that allows data to be encrypted for a multiple of recipients
with particular
application to the method for encrypting to the field level of a database.
Other variations and modifications of the invention ai-e possible. In the
preferred
embodiment of the invention the particular system, computer product and method
for
providing data security in a network incorporating a wireless component is
provide in the
context of a PKI system. However, provided the essential components of data
security and
authentication are present, a lesser security system could be used, including
for exaniple the
combination of secret passwords exchanged on a secure basis in combination
witli
encryption. Or as a further example, use of encryption/encryption keys that
are provided on a
secure basis to a plurality of users only whereby such keys identify such
plurality of users to
each other. Further, while the disclosure focuses on transmission of data
provided in HTML,
the pi-esent invention provides means for secure data delivery to a wireless
device that is in
XML oi- other foi-mats, niarkup languages or other computer languages. All
such
modifications oi- variations are believed to be within the sphere and scope of
the invention as
defined by the claims appended hereto.