Mom forwarded an email that was attempting to scam her in response to a Craigslist ad she placed for some furniture.
While I was thinking about this I realized we have the ability to essentially stop check forgery, specifically cashier's checks and money orders, but the principle would also apply to personal checks if we could develop a trusted lookup source for public keys.
Public-key cryptography allows you to publish a public key that can be used to either verify that you digitally signed something with your private key or to encrypt something which can only be decrypted with your private key.
The application would be as follows.
First, the banks put together a trusted database of public keys. This part is essential, as it must be possible to lookup a public key for any bank and you need to have a trusted source where at you do the lookup. A central database is mainly a convenience factor, you could simply have each bank publish their public key on their own site, but a more integrated solution is more likely to be used. This is not an insurmountable hurdle.
Second, when a bank creates a cashier's check it uses the data on the check (name, amount, date, etc.) and their private key to produce a digitally signed digital copy (or digitally signed hash) of the data which could be printed directly on the check as a QR code (or set of QR codes depending on size) [QR codes are those square barcodes].
Third, when someone attempts to cash the check the cashing bank scans the QR code(s) and verifies that the data matches what's printed on the check and also looks up the public key of the issuing bank and verifies that the signature is legitimate. In fact the actual printed data would be unnecessary at this point if it was encoded in the QR code, but I imagine we'd want to leave it on for the sake of the humans handling the check.
That's it. If implemented correctly and securely it would guarantee the authenticity of cashier's checks. The same system could be used for money orders as well. The other great thing about it is that individuals could verify a check the same way. They could scan the QR codes themselves with their fancy phones and then lookup the bank's public key (either from a trusted central repository or from the individual bank) and verify the authenticity of the check without any risk.
The biggest hurdles would really be getting a trusted repository set up and having banks securely store their private keys. There are easy extensions making this process even more feasible. You can use a master key to create sub-keys which could be used by individual branches. That would limit the risk if any individual branch's private key were compromised. With a central repository a compromised bank would revoke the published public key and flag it as compromised. Any outstanding checks would need to be brought back to the issuing bank to be reissued using a new key. A hassle, but it should be a world-shattering occurrence for a private key to be compromised.
This system is totally possible with today's technology. It would just be a matter of setting it up and getting banks to participate. Maybe I should go talk to some venture capitalists...
2 thoughts on “Check forgery protection using public-key cryptography”
And really, is this the most exciting thing you have to blog about?