Search

US-12627643-B2 - System and method to improve user authentication for enhanced security of cryptographically protected communication sessions

US12627643B2US 12627643 B2US12627643 B2US 12627643B2US-12627643-B2

Abstract

A computerized method supporting SSL-based or TLS-based communications with multiple cryptographically protected transmissions is described. Responsive to a first transmission including a first content encrypted with a public key of an intended recipient and a first digital signature for use in detect tampering to the first content, a second transmission is received. The second transmission includes a combined result including the first content and a second content, which is encrypted with a public key of the sender. Recovery of the first content verifies to the sender that the second transmission originated from the intended recipient. Thereafter, a third transmission is sent. The third transmission has data including at least the second content, being the remaining data after extraction of the first content from the combined result, which is encrypted with the public key of the intended recipient and a third digital signature for use in verifying non-tampering of the data.

Inventors

  • Michael R. Feinberg
  • Richard J. Blech

Assignees

  • CHOL, INC.

Dates

Publication Date
20260512
Application Date
20240126

Claims (20)

  1. 1 . A computer-implemented method comprising, as performed by a first computing device associated with an intended recipient of transmissions: receiving a first transmission from a second computing device associated with a sender of transmissions, the first transmission comprising first encrypted data corresponding to first data; generating a second transmission comprising (1) a first digital signature signed by a private key assigned to the intended recipient and (2) second encrypted data encrypted using a public key assigned to the sender of transmissions, wherein the second encrypted data comprises an encrypted version of the first data and second data, and wherein the first digital signature comprises a representation of the first data and the second data; sending the second transmission to the second computing device; receiving a third transmission from the second computing device, the third transmission comprising (3) a second digital signature signed by a private key assigned to the sender and (4) third encrypted data encrypted with a public key assigned to the intended recipient; and verifying that the third transmission originated from the sender based at least partly on the second digital signature, and on determining that the third encrypted data comprises at least a portion of the second data, wherein the second digital signature is used to verify non-tampering of the second data during transit from the second computing device to the first computing device.
  2. 2 . The computer-implemented method of claim 1 , further comprising verifying a third digital signature signed by the private key assigned to the sender, wherein the third digital signature comprises a representation of first data encrypted by the second computing device to produce the first encrypted data.
  3. 3 . The computer-implemented method of claim 2 , further comprising generating a hash of the first data, wherein the representation of the first data comprises the hash of the first data.
  4. 4 . The computer-implemented method of claim 1 , further comprising: generating a first hash of the second data; recovering a representation of at least a portion of the second data from the second digital signature using the public key assigned to the sender, wherein the representation of the portion of the second data comprises a second hash of the second data; and comparing the first hash to the second hash, wherein verifying that the second transmission originated from the sender is based on results of comparing the first hash to the second hash.
  5. 5 . The computer-implemented method of claim 1 , further comprising generating an encrypted version of the first data concatenated to the second data using the public key assigned to the sender.
  6. 6 . The computer-implemented method of claim 1 , further comprising generating an encrypted version of a logical bitwise aggregation of the first data the second data.
  7. 7 . The computer-implemented method of claim 1 , further comprising decrypting the third encrypted data to recover a symmetric key combined with the portion of the second data.
  8. 8 . The computer-implemented method of claim 7 , wherein the second digital signature includes an encrypted combined result signed using the private key assigned to the sender.
  9. 9 . The computer-implemented method of claim 1 , further comprising decrypting a symmetric key using the private key assigned to the intended recipient to generate a decrypted symmetric key, wherein the third transmission includes an encrypted version of the symmetric key.
  10. 10 . The computer-implemented method of claim 9 , wherein the second digital signature comprises the encrypted version of the symmetric key digitally signed using the private key assigned to the sender.
  11. 11 . A system comprising: computer-readable memory storing a private key assigned to an intended recipient of transmission; and one or more processors in communication with the computer-readable memory and programmed by executable instructions to at least: receive a first transmission from a computing device associated with a sender of transmissions, the first transmission comprising first encrypted data corresponding to first data; generate a second transmission comprising (1) a first digital signature signed by the private key and (2) second encrypted data encrypted using a public key assigned to the sender of transmissions, wherein the second encrypted data comprises an encrypted version of the first data and second data, and wherein the first digital signature comprises a representation of the first data and the second data; send the second transmission to the computing device; receive a third transmission from the computing device, the third transmission comprising (3) a second digital signature signed by a private key assigned to the sender and (4) third encrypted data encrypted with a public key assigned to the intended recipient; and verify that the third transmission originated from the sender based at least partly on the second digital signature, and on determining that the third encrypted data comprises at least a portion of the second data, wherein the second digital signature is used to verify non-tampering of the second data during transit from the second computing device to the first computing device.
  12. 12 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to verify a third digital signature signed by the private key assigned to the sender, wherein the third digital signature comprises a representation of first data encrypted by the computing device to produce the first encrypted data.
  13. 13 . The system of claim 12 , wherein the one or more processors are programmed by further executable instructions to generate a hash of the first data, wherein the representation of the first data comprises the hash of the first data.
  14. 14 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to: generate a first hash of the second data; recover a representation of at least a portion of the second data from the second digital signature using the public key assigned to the sender, wherein the representation of the portion of the second data comprises a second hash of the second data; and compare the first hash to the second hash, wherein verifying that the second transmission originated from the sender is based on results of comparing the first hash to the second hash.
  15. 15 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to generate an encrypted version of the first data concatenated to the second data using the public key assigned to the sender.
  16. 16 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to generating an encrypted version of a logical bitwise aggregation of the first data the second data.
  17. 17 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to decrypt the third encrypted data to recover a symmetric key combined with the portion of the second data.
  18. 18 . The system of claim 17 wherein the second digital signature includes an encrypted combined result signed using the private key assigned to the sender.
  19. 19 . The system of claim 11 , wherein the one or more processors are programmed by further executable instructions to decrypt a symmetric key using the private key assigned to the intended recipient to generate a decrypted symmetric key, wherein the third transmission includes an encrypted version of the symmetric key.
  20. 20 . The system of claim 19 , wherein the second digital signature comprises the encrypted version of the symmetric key digitally signed using the private key assigned to the sender.

Description

CROSS REFERENCE TO RELATED APPLICATIONS This application is a continuation of U.S. patent application Ser. No. 17/448,180, filed Sep. 20, 2021, which is a continuation of U.S. patent application Ser. No. 16/219,746, filed Dec. 13, 2018, the contents of which are incorporated by reference herein and made part of this specification. EXPORT CONTROL Information in this patent application is controlled by the U.S. Government and authorized for access only by U.S. persons and licensed non-U.S. persons. Please contact the assignee for further guidance if you wish to give access to the subject application to a non-U.S. person. This statement attaches to any use or incorporation of said patent application into other applications or any other use. 1. Field Embodiments of the disclosure relate to the field of cryptography. More specifically, an embodiment of the disclosure is directed to a cryptographic communication scheme configured to provide more reliable user authentication and/or key exchange. 2. General Background The use of electronic data and other information has become an integral part of our daily lives. Each day, more and more emails, texts, electronic documents, and other forms of electronic data are stored and transmitted throughout the world by businesses and individuals alike. Accordingly, there exists an increasing need to protect the confidentiality of information contained within the electronic data from unauthorized disclosure and avoid man-in-the-middle attacks that are becoming more prevalent every year. In some cases, the electronic data may include sensitive data, such as wiring instructions, bank account statements, credit card numbers, trade or government secrets, intellectual property or personally identifiable information, which has intrinsic value to both legitimate and non-legitimate actors. Encryption is one technique for protecting the confidentiality of this sensitive data from eavesdroppers or other unauthorized parties. The goal of encryption is not to hide the existence of such information, but rather, to hide its meaning and to ensure that legitimate (authenticated) person have access to the information as plaintext (e.g., non-encrypted data). Hence, encrypted data includes data that has been obfuscated according to a selected cryptographic key and cryptographic cipher. By obfuscating the data, the confidentiality is assured and the data is rendered computationally secure. That is, although an attacker may “theoretically” break a cryptographic scheme by enumerating all possible keys, the confidentiality of the data is protected when it is considered infeasible for the attacker to uncover data as plaintext from stored or transmitted ciphertext (e.g., encrypted data) in any reasonable amount of time given available computing power. In the past, prior cryptography techniques have been configured to prevent unauthorized access to the data by third parties. One popular type of cryptographic technique involves asymmetric key cryptography such as RSA (Rivest Shamir Adleman) based cryptography. RSA-based cryptography has been widely used to support standardized security communication protocols such as Secure Socket Layer (SSL) and Transport Layer Security (TLS). SSL and TLS based communications rely on a single peer-to-peer transmission for user authentication, which involves obtaining a SSL certificate for a targeted destination to confirm that the SSL certificate is active (i.e., unexpired and unrevoked). This authentication scheme fails to conduct an analysis of results of secured communications to more precisely confirm that communications are, in fact, occurring with the targeted destination. Furthermore, with the recent advancement of quantum computing, RSA-based cryptography up to 15-bit key lengths have been compromised. Given the wide adoption of RSA, increased exposure to any attack on RSA-based cryptography, especially as quantum computing advancements grow exponentially, is highly problematic as millions of secure communications on a daily basis could be compromised, and thus, any data transmitted over RSA-based cryptography would be suspect. While certain key lengths of RSA-based cryptosystems are still difficult to attack and bypass (e.g., 256-bit key lengths), with the advent of quantum computing and other technological advancements that increase the likelihood of successful man-in-the-middle attacks, a more reliable and secure user authentication scheme would greatly improve the longevity and continued utility of asymmetric key cryptographic schemes such as RSA. BRIEF DESCRIPTION OF THE DRAWINGS Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which: FIG. 1 is an exemplary embodiment of a communication system utilizing an improved asymmetric cryptographic communication protocol referred to as Secure Authentication and Identity Lo