Tel-ID

This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. It does not describe an actual complete program. I have no source, object, specifications, file layouts or anything else useful to implementing this project. Everything I have to say to help you with this project is written below. I am not prepared to help you implement it; I have too many other projects of my own.

I do contract work for a living, which could include writing a program such as this. However, I don’t do people’s homework for them. That just robs them of an education.

You have my full permission to implement this project any way you please.

The Problem

Lets say an unfamiliar voice phones you and claims to be:

A representative of your bank.
The police (perhaps combined with some loud angry-sounding people pounding on your door clamining to be the police.)
The gas company.
a Greenpeace fundraising representative.
Joshua Smashem of Smashem & Dye, lawyers appointed to collect a debt.
The CBC wanting to feature you in a television biography series.
etc.

How do you know they are telling the truth? How do you know they are whom they claim to be? Telephone scams and pranks are ever more common.

The Solution

You might think my BusTel project would be just the ticket. The problem with BusTel is there is nothing to prevent people from creating totally fake electronic business cards. However, its delivery technology for a secure business card, likely will form part of the solution.

It might work like this. Joshua Smashem of Smashem & Dye telephones you and claims to be an agent for Mastercard. You say “Do you have Tel-ID (pronounced Tell-Eye-Dee) to verify that?” You then each hit a button on your computer. Your phone line goes dead for a few seconds while modems exchange information. And your screen says:
“name: Joshua Smashem
Role: barrister and solicitor and squeezer of blood from stones
Company: Smashem & Dye
agent for: MasterCard, Visa, American Express.
phoning from: (555) 555-1212.
mailing address: 123 Rue St. Denis, Montréal QC, Canada H8G 3P5
ID: 987-364-123-238
issuer: Thawte” Depending on which key you hit, Mr. Smashem might also get a similar message identifying you.

Also consider phoning your bank. They have no way of knowing you are truly you, so won’t even tell you your balances. Even if you are lucky enough to have a bank where they know you, employees are prevented by general policy from trusting that you are who you say you are. They need a legal way to be extremely sure you are whom you claim to be.

Implementation

First you need a company like Thawte to issue a new kind of digital certificate. It is much like a Java coding certificate, but it contains the additional identification information. Like a code-signing certificate, it has a private key known only by the owner, and a public key visible to everyone. The certificate is digitally signed by Thawte. Unfortunately, this certificate will be quite expensive since Thawte would need to verify all that information. The cost of the certificate is essentially the cost of verifying the attested information.

When you hit the button, Mr. Smashem sends you a copy of his public certificate using a BusTel-like protocol. Your computer can verify it is valid by checking the Thawte digital signature. This just proves it is a valid certificate, not necessarily one belonging to the person on the end of the line. Your computer then sends Mr. Smashem’s computer a random challenge phrase to be encrypted with his private key. His computer then sends the encrypted version back. You decrypt it with his public key. If you get back where you started, you know that whomever you are talking to has access to Mr. Smashem’s computer (or Java-equipped cellphone) containing his private key.

Note that only the person attempting to prove his identity needs a certificate. The other end just needs some free verification software.

You could also implement this without using the BusTel technique (which requires a modem to break into the phone conversation). You exchange the messages over the Internet with UDP, TCP/IP or via a webserver or even an email.

The phone company provides caller-id. If you monitor that, you can further check that Mr. Smashem is calling from one of his registered phone numbers. This protects you against a hacker who electronically breaks into Mr. Smashem’s computer and steals his private keys. Most modems have the ability to monitor the 1200 BPS caller id bursts that come before you pick up the phone.

Encryption

To implement identification verification, you have all the mechanisms for high quality encrypting. So you could also use the system to send short messages that only the true recipient could read, e.g. credit card numbers. It might be useful for ordering things by phone, where you need to transmit part numbers, or other things difficult to get right by voice.

Prototyping

You can cook up your own interim certificate and certificate-creating software using the light-weight public key cryptography in the Transporter. You can implement this even in the tiny Javas available for cell phones. Alternatively, you can use JCE, but that is only available on desktops. You might even go into the lucrative business of issuing the certificates. To get the idea seeded, you will likely need to give a ton of it away, and swallow the costs of verification.

BusTel
JavaPhone
Thawte
vCard

	Please email your feedback for publication, errors, omissions, broken/redirected link reports and suggestions to improve this page to Roedy Green :
	Canadian Mind Products
	mindprod.com IP:[65.110.21.43]
	Your face IP:[38.103.63.59]	The information on this page is for non-military use only.
	You are visitor number 11.	Military use includes use by defence contractors.
	You can get a fresh copy of this page from:	or possibly from your local J: drive (Java virtual drive/mindprod.com website mirror)
	http://mindprod.com/project/telid.html	J:\mindprod\project\telid.html