System and method for electronic transactions

A technology of electronic transactions and system and method, applied in the field of electronic transactions, can solve the problems of not being practical, and the vendor cannot reveal very much from the redemption left, and achieve the effect of simplifying the blinding scheme.

Inactive Publication Date: 2006-02-16
GOLDSCHLAG DAVID M +2

AI Technical Summary

Benefits of technology

[0013] The present invention advantageously uses the exchange of blinded certificates to provide a reliable, private system for electronic transactions that deters the illicit sharing of certificates for such transactions. Rather than operating like e-cash, in which a payment vehicle is redeemed for a product (as used herein, the term “product” means goods and/or services) in a way that changes the funds available to the customer, the present invention acts more like a membership pass. That is, the customer starts with a certificate, gains access to a product in exchange for the certificate, and ends with both the product and a certificate. Unlike e-cash, the value of the customer's use of certificates in accordance with the present invention is related to the amount of time (or number of certificates) remaining in the customer's contract (e.g., membership or subscription term). Theoretically, this could allow the customer to be profiled by tracking the number of certificates used (or available for use) by the customer. However, this would not be a practical problem for applications where, for example, thousands of people subscribe to something that can only be used 5 times. Indeed, knowing that a customer has, say, three certificate redemptions left cannot reveal very much to a vendor. Audit and trusted recovery methods are provided to enhance the security and robustness of the present invention.
[0014] The present invention is private and reliable both for a single electronic transaction, and a series of related transactions. In accordance with an embodiment of the present invention, a first party (e.g., a customer) registers with a registrar to obtain an initial validated certificate. In one embodiment, the registrar is a second party. In subsequent transactions, a first party (e.g., a customer) submits a validated certificate along with an unvalidated certificate to a third party (e.g., a vendor) for each transaction. The third party tests the validity of the certificate purported by the first party to be validated. If it proves to be valid, the third party performs a response action (e.g., provides a service) and ordinarily validates the unvalidated certificate and returns it to the first party to be used as the validated certificate for the next transaction. Alternatively, the registrar (if different from the third party, then in cooperation with the third party) can declare an audit, and determine if the first party has presented its certificate fraudulently. These exchanges are atomic in nature, meaning that they can be reliably correlated with each other (e.g., a practically unforgeable secret session key is sent along with each related message in the exchange, guaranteeing that the messages are part of the same transaction).
[0016] Hashing of random numbers (i.e., nonces) and the technique of blinding are used in the present invention to provide unlinkable certificates. As known in the art, the technique of blinding is used differently, e.g., to provide pseudonyms in an alternative to a universal identification system. See D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, CACM (28,10), October 1985, pp. 1030-1044. Each such pseudonym is supposed to identify its owner to some institution and not be linkable across different institutions. The present invention is designed to provide certificates that are unlinkable both across institutions and across transactions within a single institution. In particular, the present invention prevents a vendor from linking transactions to a single customer, even if that customer had to identify itself initially (e.g., during the registration process). At the same time, the present invention advantageously allows the vendor to protect itself against customers that abuse the vendor's service.
[0017] Another difference between the present invention and the prior art is the manner in which blinding is performed. In known systems, some mechanism is typically needed to assure either the issuing bank or receiving vendor that the certificate blindly signed by the issuer has the right form, i.e., that the customer has not tricked the signer into signing something inappropriate. The present invention advantageously eliminates this requirement by providing assurances in other parts of the system, simplifying the blinding scheme.



Embodiment Construction

[0023] An embodiment of the registration method in accordance with the present invention is shown in FIG. 1. A registrar receives an initialization request message that atomically binds authorization data with a blinded unvalidated certificate to be validated, step 101. In one embodiment of the present invention, the registrar is a vendor. In another embodiment, the registrar is a third party.

[0024] An example of authorization data is a payment. Another example of authorization data is access permission (e.g., an access code, one-time password, etc.). An example of a blinded unvalidated certificate is a hashed nonce combined with a blinding factor.

[0025] The registrar determines if the authorization data is valid, step 102. If it is determined to be valid, then the blinded unvalidated certificate is validated to obtain a blinded validated certificate, step 103. For example, the registrar signs the blinded unvalidated certificate to validate it. The registrar party then sends an ini...


Abstract

A system and method for performing an electronic transaction, including registration, audit and trusted recovery features. A transaction request message is received from a registered user that includes an unblinded validated certificate, and a blinded unvalidated certificate. If the unblinded validated certificate is determined to be legitimate, then a transaction can be performed, and the blinded unvalidated certificate is validated to obtain a blinded, validated certificate that is sent to the user. An audit protocol can be used to further verify the legitimacy of the transaction request message, and a user can recover from a broken connection by replaying a protocol run.
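
The registration step and the transaction exchange described above can be sketched with textbook RSA blinding over a hashed nonce. This is an added example, not code from the patent: the toy key, the function names, and the vendor's set of redeemed nonces are assumptions, and audit and trusted recovery are not modelled.

```python
# Added illustration: textbook RSA blinding with a toy key. Not production crypto.
import hashlib
import math
import secrets

P, Q = 2**61 - 1, 2**89 - 1            # Mersenne primes; toy key size (assumption)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent

def h(nonce: bytes) -> int:
    """Hashed nonce: the unblinded certificate body."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def blind(nonce: bytes):
    """Customer: combine the hashed nonce with a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(nonce) * pow(r, E, N)) % N, r

def sign(blinded: int) -> int:
    """Registrar or vendor: validate the certificate without seeing h(nonce)."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Customer: remove r, leaving a plain signature on h(nonce)."""
    return (blinded_sig * pow(r, -1, N)) % N

def is_valid(nonce: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(nonce)

class Vendor:
    def __init__(self):
        self.redeemed = set()          # assumption: redeemed nonces are remembered

    def transact(self, nonce: bytes, sig: int, next_blinded: int):
        """Test the presented certificate; if valid, validate the blinded next one."""
        if nonce in self.redeemed or not is_valid(nonce, sig):
            return None                # no service, no new certificate
        self.redeemed.add(nonce)
        return sign(next_blinded)

def demo():
    """Registration, then one transaction; returns the rolled-over certificate."""
    n0 = secrets.token_bytes(16)
    b0, r0 = blind(n0)
    s0 = unblind(sign(b0), r0)         # registration: initial validated certificate
    n1 = secrets.token_bytes(16)
    b1, r1 = blind(n1)
    s1 = unblind(Vendor().transact(n0, s0, b1), r1)
    return n1, s1
```

The signer only ever sees `h(nonce) * r^E mod N`, so the certificate it later receives unblinded cannot be matched to the signing request that produced it.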

Description

FIELD OF THE INVENTION

[0001] The field of this invention is electronic transactions, and in particular to providing electronic transactions that cannot be linked to a party to the transaction, even when more than one related transaction occurs.

BACKGROUND OF THE INVENTION

[0002] Electronic transactions should be convenient, reliable, accurate and resistant to fraud. Certain electronic transactions should also protect the privacy of at least one party to the transaction. For example, a customer purchasing a service from a vendor over a network should be able to pay for the service in an electronic transaction without revealing their identity.

[0003] The need for one party to a transaction to remain private (e.g., anonymous) can conflict with the interests of another party to the transaction. For example, a vendor needs assurance that an electronic transaction is reliable, e.g., that the customer in the transaction will pay for the services rendered by the vendor. Typically, a ven...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G07C13/00, G06Q20/04, G06Q20/10, G06Q20/12, G06Q20/36, G06Q20/38, G06Q20/40, G07F7/10, H04L29/06
CPC: G06Q20/04, G06Q20/10, G06Q20/12, G06Q20/3678, G06Q20/38215, G06Q20/3825, H04L2209/56, G07F7/1016, H04L63/0414, H04L63/0823, H04L63/126, H04L9/3268, H04L2209/42, G06Q20/401
Inventor: GOLDSCHLAG, DAVID M.; STUBBLEBINE, STUART GERALD; SYVERSON, PAUL F.
Owner: GOLDSCHLAG DAVID M