EA021508B1 - Method of protected data exchange in e-auction and system for implementation thereof - Google Patents

Abstract

The invention relates to e-auctions. The technical result provides guaranteed information safety of data flow, arising as the result of interaction between interested sides of an e-auction. A method of data protected exchange in an e-auction and a computer system for implementation thereof are proposed. According to the present proposal specialized protocols of sides interaction attracting a wide spectrum of cryptographic decisions are used. The e-auction consists of four phases: a preparation phase, a phase of submitting bids by a tender, comprising steps of notification of submitting bids, forming and submitting the bid by participants and registration of bids by an intermediary; a phase of processing bids, comprising the steps of notification of receiving participants decipher keys, publishing the decipher keys and their registration; and a phase of publication of the results by the tender, comprising the steps of determination of the e-auction winner, publication of the results and the conciliation approval.

Description

The invention, in General, relates to a network exchange of information and, in particular, to an electronic auction with guaranteed information security of data flows resulting from the interaction of interested parties.

Description of the Related Art

An electronic auction is a targeted sequence of actions for the exchange of information to identify the winner in accordance with a predefined criterion. The rules for interaction between the parties are known in advance and are reflected in a specialized protocol. It is assumed that the parties are loyal and follow the rules of interaction.

The auction involves three parties: an intermediary, a customer and a bidder. The intermediary provides a platform (i.e., technical and organizational resources and funds) for the auction. The customer has access to reseller resources. The customer and the intermediary are bound by a contractual relationship. Combination of the customer and the intermediary in one person is allowed.

Interaction of participants with the customer is always carried out through an intermediary. The customer, using the services of an intermediary, publishes an application. The participant, with the help of an intermediary, places his proposal. For simplicity, the interaction of two parties is always considered - the participant and the intermediary, or the participant and the customer. There are no restrictions on the number of participants, and in the case of an arbitrary number of participants, such two-way interaction is carried out with each of them.

An offer is a reaction to an application. At the time of placing the proposal, the participant does not know the content of the proposals of other participants. The customer at a predetermined point in time gets access to the content of all posted offers at once.

The purpose of the auction is to determine the winner among those participants who have posted their bids. The criteria and rules for determining the winner are made public before the auction. Traditionally, the decision on the winner is made based on the results of consideration of proposals by the competitive commission, however, in some cases, an automatic decision is possible.

The main task of the subjects of interaction is, generally speaking, to optimize some objective function, and the objective functions of the customer and participant may vary. The customer buys a product / service and minimizes costs, while the efforts of the participant are aimed at maximizing profits. Optimization may also take into account some additional factors. To achieve the goal, the customer and participants can resort to various strategies. All parties involved are interested in the outcome of the auction.

In patent application KI 2005132988 A, an online auction method is described in which the server computer for the auction is connected to several client computers via a communication network through a client-server relationship.

The patent application KI 2005135202 A describes a method for conducting an auction with the participation of the seller, which includes generating information on the conditions for the acquisition of an object put up for auction at the request of the seller and bringing this information to the public.

KI patent 2229743 C1 describes a method of conducting auctions in a multivariate scheme using the Auction software and hardware complex, which consists of at least a host’s workstation, participants' workstations and an auction server with an information base connected by a communication network to the workstation lead and workstations of participants.

KI Patent Application 2006135691 A describes a method for conducting a lease auction using a network by which a lessor receives payment from a tenant and an auction is leased.

The main disadvantage of these solutions is that during the interaction of the parties, information security of data streams, in fact, is not guaranteed.

SUMMARY OF THE INVENTION

The present invention eliminates the disadvantages associated with the prior art, guaranteeing the security of information processes during an electronic auction, which is achieved through the use of specialized protocols for the interaction of the parties involving a wide range of cryptographic solutions.

A method for secure data exchange in an electronic auction is provided, implemented in a computer system comprising a customer-configured messaging device, an intermediary subsystem, participant devices and a time stamp server, as well as the computer system, which in a preferred embodiment is a computer system based on the Internet, where the interaction with the intermediary subsystem is preferably carried out through the \ Usb-site or \ Usb-portal but. provided by the intermediary subsystem.

The proposed method contains step A), in which the customer’s application is placed in the intermediary subsystem as part of an electronic auction and each participant is uniquely registered anonymously.

- 1 021508

Next, at step B) of the method, the participants' requests for the application are placed in the intermediary subsystem.

At the same time, at sub-stage B-1), participants are notified about the placement of proposals by means of the fact that through the intermediary subsystem they generate a notification about the time for receiving proposals; contact the time stamp server to obtain a time stamp for notification of the time for receipt of proposals; certify by means of a digital signature of the intermediary a joint notice of the end time of the acceptance of proposals and the received time stamp and send to the devices of the participants a notification of the end time of the acceptance of proposals and a time stamp for notification of the end time of the acceptance of proposals, jointly certified by the digital signature of the intermediary.

In sub-step B-2), by means of each of the devices of the participants, a proposal is generated and submitted by generating a secret encryption key and attesting it by means of a digital signature of the participant; form a proposal for the application and certify it through a digital signature of the participant; generate a secret start value and calculate the final value of the hash chain formed by η-fold (n> 3) iterative application of the hash function, starting from the secret start value; encrypt the generated offer, certified by the digital signature of the participant, using the generated encryption key and symmetric cryptographic conversion; form the participant’s certificate by encrypting the encryption key, authenticated by the participant’s digital signature, using the secret start value and send a sealed envelope formed by the participant’s digital signature to the intermediary subsystem in the form of a message, calculated by the final value of the hash chain and the participant’s certificate.

At sub-step B-3), each of the submitted proposals of the participants is recorded by means of the fact that by means of the intermediary subsystem, a sealed envelope corresponding to the proposal is stored; calculating and storing the value of the hash function from the sealed envelope in such a way that a one-to-one correspondence between the sealed envelope and the calculated value of the hash function from the sealed envelope is guaranteed; access the time stamp server to obtain a time stamp for the sealed envelope; certify by means of a digital signature of the intermediary the value of the hash function from the sealed envelope and the received time stamp; and transmit the hash value of the sealed envelope and the time stamp for the sealed envelope, jointly certified by the digital signature of the intermediary, to the participant’s respective device.

Finally, in sub-step B-4), through the intermediary subsystem, the certificate of the intermediary is calculated by the fact that at the first predetermined point in time in the intermediary subsystem, proposals are stopped and the certificate of the intermediary is calculated based on all sealed envelopes accepted at that time; calculate the value of the hash function from the certificate of the intermediary; accessing the time stamp server to obtain a time stamp for the calculated value of the hash function from the intermediary certificate; certify through a digital signature of the intermediary jointly the value of the hash function from the certificate of the intermediary and the received time stamp; send to the devices of participants the value of the hash function from the certificate of the intermediary and the time stamp for the value of the hash function from the certificate of the intermediary, jointly certified by the digital signature of the intermediary; and place freely sealed envelopes that were used to calculate the certificate of the intermediary.

In a preferred embodiment, the intermediary certificate is calculated based on the concatenation of the hash values calculated for the binary representations of the sealed envelopes.

Then, at step C) of the method, the proposals of the participants are considered.

At the same time, at sub-step C-1) in the intermediary subsystem, a notification is generated for each participant about the completion of receiving encryption keys by generating the first one-time random number; generate a notification about the end time for receiving encryption keys; form the first request by combining notifications about the end time for receiving encryption keys and the first one-time random number; accessing the time stamp server to obtain a time stamp for the first request; certify together with the digital signature of the intermediary the first request and the received time stamp; transmit to the participant the first request and the time stamp for the first request, jointly certified by the digital signature of the intermediary.

In sub-step C-2), an encryption key is published by each or at least some of the devices of the participants, as a result of which the corresponding participant is no longer anonymous, by calculating the previous value of the hash chain preceding the final value of the hash chain using secret start value, and save the current length η-1 of the hash chain; encrypt the encryption key using asymmetric cryptographic conversion using the first public key of the customer; form the first receipt by combining the first one-time number, the hash value of the sealed envelope, the previous value of the hash chain, encrypted using an asymmetric conversion on the first public key of the customer's encryption key and time stamp for the first request; accessing the time stamp server to obtain a time stamp for the first receipt; certify by means of digital signature of the participant the first receipt together with the received time stamp and pass the first receipt and time stamp for the first receipt to the intermediary subsystem, jointly certified by the digital signature of the participant.

At sub-step C-3), the encryption keys are registered in the intermediary subsystem by the fact that for each participant who has published the encryption key, using the hash function from the sealed envelope from the composition of the first receipt, the corresponding sealed envelope is saved that was saved earlier; apply the hash function to the previous value of the hash chain from the composition of the accepted first receipt and make sure that the result of this application matches the final value of the hash chain from the detected sealed envelope, and save this previous hash value instead of the final hash value -chains; form the second request by combining the first one-time number, the hash value of the sealed envelope, the previous value of the hash chain, the encryption key encrypted using an asymmetric transformation on the first public key of the customer, a time stamp for the first receipt and a time stamp for the first request; accessing the time stamp server to obtain a time stamp for the second request; certify by means of a digital signature of the intermediary the value of the hash function from the second request and the received time stamp; transmit to the participant the value of the hash function from the second request and the time stamp for the second request, jointly certified by the digital signature of the intermediary.

At sub-step C-4), the customer’s certificate is calculated by the fact that at the second predefined point in time in the intermediary subsystem the reception of encryption keys is stopped and a sealed envelope and the first receipt of each participant whose encryption key is registered in the intermediary subsystem are transmitted to the customer’s device; in the customer’s device, for each received sealed envelope and the first receipt, an asymmetric cryptographic conversion is used to decrypt the encryption key with the secret key paired with the customer’s first public key, and decrypt the proposal with the encryption key; by means of the customer’s device, they form the customer’s certificate on the basis of decrypted offers and encryption keys; by means of the customer’s device for the mentioned each participant, a second one-time random number is generated and a third request is generated by combining the second one-time number and the hash function values from the generated customer certificate, they contact the time stamp server to obtain a time stamp for the third request, and the third is jointly certified by the customer’s digital signature the request and the received time stamp and transmit to this participant the third request and the time stamp for the third request, jointly certified by Frova signed by the customer; through the customer’s device, encryption keys and offers that were used to generate the customer’s certificate are freely available.

According to a preferred embodiment, the customer certificate is calculated based on the concatenation of the hash values calculated for the binary representations of the encryption keys and corresponding sentences.

Finally, in sub-step C-5), the customer’s accepted certificate is recorded on each of the participant devices by calculating the previous previous hash chain value preceding the previous hash chain value using the secret start value, and storing the current length n-2 hash Chains form a second receipt by combining the second one-time number, the hash value from the sealed envelope, the previous value of the hash chain mentioned above, the hash value from the customer’s certificate and a time stamp for the third request; accessing the time stamp server to obtain a time stamp for the second receipt; certify by means of a digital signature of the participant the jointly mentioned previous previous value of the hash chain, the value of the hash function from the second receipt and the received time stamp; transmit the aforementioned previous value of the hash chain, the value of the hash function from the second receipt and the time stamp for the second receipt, jointly authenticated by the participant’s digital signature, to the customer’s device.

At step Ό) of the method, the results of the electronic auction are obtained.

At the same time, in sub-step Ό-1), the winner of the electronic auction is determined on the customer’s device.

At sub-step Ό-2), by means of the customer’s device, participants are notified of the result of determining the winner of the electronic auction by generating a third one-time random number; form a notice in which it is indicated that a certain participant is recognized as the winner of the electronic auction; form the fourth request by combining the third one-time number, the generated notification of the winner, the hash function values from its sealed envelope and the hash function values from its encryption key and offers; accessing the time stamp server to obtain a time stamp for the fourth request; certify together with the digital signature of the customer the fourth request and the received time stamp; the fourth request is sent to the winner’s participant’s device and placed freely available for the fourth request and a time stamp for the fourth request, jointly certified by the customer’s digital signature.

In sub-step Ό-3), through the device of the participant of the winner, a conciliation confirmation is generated by calculating the pre-previous value of the hash chain preceding

- 3 021508 to the aforementioned previous value of the hash chain, using a secret start value, and save the current length of the n-3 hash chain; form the third receipt by combining the third one-time number, the hash function of the sealed envelope, the aforementioned pre-previous value of the hash chain, the value of the hash function of the encryption key and the sentence, time stamp for the fourth request; contact the time stamp server to obtain a time stamp for the third receipt; certify by means of a digital signature of the participant the jointly mentioned pre-previous value of the hash chain, the value of the hash function from the third receipt and the received time stamp; transmit to the customer’s device the aforementioned pre-previous value of the hash chain, the value of the hash function of the third receipt and the time stamp for the third receipt, jointly certified by the digital signature of the participant.

An order placed at step A) may contain at least one lot, and steps Β) -Ό) of the method are performed for each lot of the application, and each of the messages by default includes the identifier of the lot to which it relates.

The application preferably contains the information necessary for conducting an electronic auction, and this information contains the aforementioned time for the end of the acceptance of offers, the end time for the receipt of encryption keys and the first and second predefined time points.

The computer system preferably has access to the Public Key Infrastructure (ΡΚΙ), wherein the first public key of the customer is available through the first public key certificate of the customer issued by the certification authority ΡΚΙ for the customer.

In anonymous registration of participants, each of them is preferably assigned a unique pseudonym. When assigning a unique alias to the participant, the secret start value is generated through the intermediary subsystem, the initial value of the hash chain is calculated as the value of the hash function of the secret start value and the binary sequence representing the registration data of the participant, and the final value of the hash chain formed by ν times iterative application of the hash function starting from the initial value of the hash chain, where the length ν of the hash chain is equal to a value one more lots Twa on the number of proposals; save the record formed by the initial value of the hash chain, the final value of the hash chain and the length ν of the hash chain; transmit to the participant a source alias representing a hash chain value preceding the final hash chain value.

To issue a new alias for the participant, the alias issued to the participant last time is transferred to the intermediary subsystem to the intermediary subsystem, and the intermediary subsystem checks to see if the value obtained by applying the hash function to the accepted alias is the final value of the hash chain from the composition records stored in the intermediary subsystem. If the verification result is positive, the hash chain value preceding the hash chain value corresponding to the accepted alias is calculated using the intermediary subsystem using the initial hash chain value from the mentioned record and the calculated hash chain value is transmitted to the participant’s device as a new alias; correct the record by replacing the final hash chain value with a hash chain value corresponding to the accepted alias, and reducing the current length of the hash chain by one.

In a preferred embodiment, for each of the messages verified by the intermediary’s digital signature, the intermediary’s digital signature is verified by the device of the recipient of the message by receiving the certificate of the intermediary’s public key issued by the certification authority through which the intermediary’s public key is accessible, and intermediary key is obtained as a result of certification of the intermediary's public key and its credentials with a digital signature certifying ΡΚΙ center; check the serial number of the intermediary’s public key certificate against the list of revoked certificates; if the certificate of the intermediary’s public key has not been revoked, verify the digital signature of the certification center ΡΚΙ using the public key of the certification center при and if the verification is successful, verify the digital signature of the intermediary using the intermediary’s public key.

In a preferred embodiment, for each of the messages authenticated by the participant’s digital signature, the intermediary receiving the message verifies the participant’s digital signature by receiving a participant’s public key certificate through which the participant’s public key is available, and the certificate of public the participant’s key was obtained by verifying the participant’s public key and his credentials with a digital signature of the certification center a ΡΚΙ; check the serial number of the participant’s public key certificate against the list of revoked certificates; if the participant’s public key certificate has not been revoked, verify the digital signature of the certification center ΡΚΙ using the public key of the certification center ΡΚΙ and if the verification is positive, verify the digital signature of the participant using the participant’s public key.

In a preferred embodiment, for each of the messages authenticated by the customer’s digital signature, the customer’s device that receives the message verifies the customer’s digital signature by receiving the second customer’s public key certificate issued by the certification center through which the second public key is accessible the customer’s key, and the second customer’s public key certificate was obtained as a result of certification of the second public key of the customer and his credentials digital by the signature of the certification authority ΡΚΙ; check the serial number of the second customer’s public key certificate against the list of revoked certificates; if the second customer’s public key certificate has not been revoked, verify the digital signature of the certification authority ΡΚΙ using the public key of the certification authority ΡΚΙ and if the verification is positive, verify the customer’s digital signature using the customer’s second public key.

In a preferred embodiment, for each of the messages authenticated by the participant’s digital signature, the participant’s device that has received the message verifies the participant’s digital signature by receiving a participant’s public key certificate through which the participant’s public key is available, and the certificate is public the participant’s key was obtained by verifying the participant’s public key and his credentials with a digital signature of the certification center a ΡΚΙ; check the serial number of the participant’s public key certificate against the list of revoked certificates; if the participant’s public key certificate has not been revoked, verify the digital signature of the certification center ΡΚΙ using the public key of the certification center ΡΚΙ and if the verification is positive, verify the digital signature of the participant using the participant’s public key.

In a preferred embodiment, each of the time stamps received from the time stamp server is digitally signed by the time stamp server, and for this time stamp, the digital signature of the time stamp server is verified by receiving a stamp server public key certificate issued by the certification center ΡΚΙ the time after which the public key of the time stamp server is available, and the public key certificate of the time stamp server is obtained as a result of certification openly the key of the time stamp server and its credentials with a digital signature of the certification authority ΡΚΙ; check the serial number of the certificate of the public key of the time stamp server using the list of revoked certificates; if the certificate of the public key of the time stamp server has not been revoked, the digital signature of the certification center ΡΚΙ is checked using the public key of the certification center ΡΚΙ and if this test is positive, the digital signature of the time stamp server is checked using the public key of the time stamp server.

List of drawings

FIG. 1 is a block diagram of a system according to the present invention; FIG. 2 is a flowchart of a method according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

1. Introductory provisions.

1.1. General requirements.

The requirements for information security for auctions arise from the provisions of Federal Law No. 94 of July 21, 2005. On the placement of orders for the supply of goods, performance of work, and the provision of services for state and municipal needs as amended on November 8, 2007 (hereinafter the Law ) So, for example, the law requires documents to be stored in sealed envelopes until they are made public. Obviously, in the transition to electronic technology, the confidentiality of information must be guaranteed. Information security is especially important when it comes to holding a tender for the supply of goods and services for state needs. More information security requirements of electronic auctions are formulated below.

Timeliness. The customer, as well as other interested parties, get access to the content of the proposals at a certain predetermined point in time.

Confidentiality. Until a certain point in time, the content of the proposals is not known to the customer or the intermediary. Each participant knows the content of his own proposal and does not know the content of the proposals of other participants.

Authenticity / Integrity. The authenticity and integrity of the bids placed by the participants must be guaranteed so that the attacker could not forge the bids and thereby affect the outcome of the electronic auction.

Anonymity. It is necessary to ensure the anonymity of proposals at the placement stage. An anonymous offer is an offer for which it is not possible to identify the participant who is the author of this offer. Note that anonymity does not follow from confidentiality and vice versa.

Indisputability. The participant is not entitled to refuse the placed proposal after its publication. A verification mechanism is needed.

Verifiability. Free access should be placed information to verify the correctness of the interaction of interested parties. In addition, public certificates are generated that provide unambiguous evidence of the timely placement and consideration of proposals, and the publication of the results. A mechanism for confirming the winner of the auction is also needed.

In addition to information security, it is necessary to ensure robustness and computational efficiency of electronic auctions.

Robustness. Stakeholders do not always strictly follow the rules of engagement. The purpose of the electronic auction must be guaranteed, regardless of the malicious or random actions of the parties.

Efficiency. It is necessary to ensure the computational effectiveness of the electronic auction, especially in cases where a significant number of participants are involved. The number of messages exchanged between the parties during the interaction, as well as the amount of information transmitted, should be minimized as much as possible.

The following principles are fundamental to any auction.

Equal opportunity. Each participant must be sure that his proposal is considered on a par with the proposals of other participants.

Competitiveness. Each participant and customer must be sure that the proposals of the participants reflect their true capabilities, and each acts independently of the others.

1.2. Attack Models.

The information security provisions listed above, namely timeliness, confidentiality, non-repudiation, authenticity / integrity, anonymity and verified ^, logically follow from the risk assessment associated with the possibility of carrying out malicious actions not provided for by the rules of the auction. Such actions are possible both on the part of entities participating in the electronic auction, and on the part of third parties. In cryptographic literature, actions of this kind are commonly called attacks. In this case, it is necessary to distinguish between attacks of a general type and specific attacks specific to electronic auctions.

The following actions can be attributed to general type attacks:

1) control of the environment of distribution, storage and processing of information in order to read data;

2) control of the distribution, storage and processing of information in order to falsify and impose false data (for example, partial or complete replacement, replication and removal of messages during transmission through unprotected communication channels);

3) impersonification, i.e. an attempt to impersonate a legal subject of interaction.

Specific attacks include the following:

1) non-observance of time limits (for example, premature disclosure of the contents of a proposal, sending / receiving messages later / earlier than a predetermined point in time);

2) the authentication of the subject, in particular his name, by the assigned pseudonym;

3) change of results by using messages from previous auctions, as well as messages from auctions held simultaneously;

4) a waiver of obligations (for example, a waiver of previously placed offers after they are made public);

5) disavow the results (for example, by denying the fact of timely posting and consideration of proposals, as well as the publication of the results).

It should be noted that to enhance the resulting effect, the listed attacks of both types can be used both independently and in combination.

1.3. Definitions and notation.

When describing the protocols of an electronic auction, the following notation and definitions are used.

An arbitrary participant is indicated by the symbol B.

The set of participants is denoted by {B ₁ }, ΐ> 1.

An arbitrary anonymous member is identified by an X. Anonymous members are uniquely identified by their assigned aliases.

Many anonymous participants are indicated by {XD, ΐ> 1.

The intermediary is indicated by the symbol A.

Customer is indicated by V.

An arbitrary binary sequence of length μ is denoted by {0,1} ^μ .

The symbol двум denotes the binary operation of concatenation of binary sequences. For example, if x = 10110, y = 0111011, then x || y = 101100111011.

The concatenation of several variables x ₁ (binary sequences) is denoted by

The direct symmetric (single-key) cryptographic transformation E _к (·) is a mapping of the form Е _к : {0,1} ^μ ^ {0,1} ^μ

- 6 021508

Then c = E _K (p) is the ciphertext obtained by encrypting the plaintext p with the private key K. If encryption is performed on the key of participant X, then

E ^x (·) ^{to the} designation

The inverse symmetric (single-key) cryptographic transformation _К ((·) is a map of the form Ό _κ : {0,1} ^μ ^ {0,1} ^μ .

Then p = In _K (s) = e _K (E _K (p)) - plaintext resulting from decryption of the ciphertext using a secret key K. When using the key K for encryption will call it the key encryption. The same key used for decryption will be called the decryption key. Also used is its generic designation of the encryption key.

for customer V

Direct asymmetric (two-key) cryptographic conversion; {0.1G -> {0.1} ’'.

there is a display of the form

Then - the ciphertext obtained as a result of encryption of the plaintext p using the public key of the customer V. The public key for asymmetric encryption is extracted from the certificate (upon confirmation of authenticity), which is issued by public key infrastructure certification centers (PK1) for customer V. The certificates are located in public directories. Inverse asymmetric (two-key) cryptographic transformation for customer V is a mapping of the form

Then - plaintext obtained as a result of decrypting the ciphertext with the customer’s secret key V, paired (functionally connected) to the public key on which encryption was performed (note that letters with different writing styles are used to distinguish a single-key cryptographic conversion from a two-key one).

H (t) is a cryptographic hash function that maps the binary representation x of the message t to the binary hash value of a fixed length. If the argument of the hash function is the set of messages M = {tD, then λ (Μ) = Λ ({^ ₂ , 4) = Χ4 where Χί is the binary representation of the message t ^

For simplicity, instead of y ({m!, M ₂ , ...}) we will use a notation of the form y (m!, M ₂ , ...) with curly braces omitted.

^ = ((Λ (... Λ (yk ₀ ))

A transformation of the form ^η * ° is called iterative hashing, where η is the number of iterations. The final value ψ _{η is} obtained from the starting g ₀ .

The set of values ψ _η , ψ _η-1 ,., Ψ _1? r ₀ will be called a hash chain. Usually, when using hash chains, r _{0 is} secret, but ψ _{η is} not. Further in the text we will use the abbreviation for iterative hashing

If the final value is formed by the participant X, and the starting value by the participant B, then the notation ^{Ψη and r} ° 'are used, respectively.

Further explanation of hash chains is given below.

8 _c (·) - the function of calculating the electronic digital signature (EDS) of participant B (clarification is given below). To calculate 8 _in (·), a secret key is used, known only to participant B. Intermediary A and customer V calculate the digital signature using the similar functions 8 _A (·) and 8Ц ·).

P _in (·) is the function of checking the digital signature of participant B (clarification is given below). Calculation of P _in (·) is performed using the public key of the participant B of the pair (functionally related) secret key, by which the digital signature was calculated. EDS verification of the intermediary A and customer V is carried out using the similar functions P _A (·) and RC ·).

K is a one-time random number (explanation is given below).

Specific implementations of the above cryptographic primitives are fixed in a number of national and international standards.

The design of a block cipher providing direct / inverse symmetric cryptographic conversion is described in the national standard GOST 28147-89 [2]. A number of block encryption algorithms, both symmetric and asymmetric, are also proposed in the international standards 18O / 1ES 18033-3 [5] and 18O / 1ES 18033-2 [6]. Hash and digital signature algorithms are introduced by national standards GOST R 34.10-2001 [3] and GOST R 34.11-94 [4]. Similar international standards 18O / 1ES 10118-2, 18O / 1ES 10118-3 [7, 8] and 18O / 1ES 14888-3 [9] are also available.

We give additional explanations regarding the functions 8c (·) and Pv (·).

Let subject B sign the message M using a secret key. For this, he calculates

- 7 021508 th (M) and then applies the algorithm for calculating the digital signature. The value of the EDS (binary sequence), which is obtained as a result of applying the algorithm for calculating the EDS, is denoted by 8ί§ _Β (·).

8ί§ _Β (Η (Μ)) - EDS value for message M. Then

In other words, 8 _Β (Μ) is a two-element set, which consists of the message M itself and the value 8ί§ _Β (Η (Μ)).

In the event that M is a set of messages, that is, M = {m ₁ , m ₂ ,. } then

For simplicity, instead of 8 _Β (Χ ₁ ^ _2, ...}) we write with lowered braces 8Tst form _{s 2} t, ...).

To check the digital signature, you must use the function

The argument Ρ _Β (·) is a two-element set satisfying the definition (1.3.1). The value Ρ _Β (·) is a Boolean variable. If the variable takes the true value (Tgie), then this indicates the authenticity and integrity of the message M. False value (Ea1ze) indicates the fact that the authenticity and / or integrity of the message M is compromised. The public keys for signature verification are extracted from the certificates (upon confirmation of authenticity) participant B, intermediary A and customer V. Certificates are issued by certification authorities ΡΚΙ. Certificates are posted in publicly accessible directories.

The following are explanations regarding time stamps.

So, any party participating in an electronic auction can receive a time stamp (time stamp) for an arbitrary message or document. To do this, you must use the services of the T8A time stamp server (the authority responsible for the formation of time stamps).

The basic procedure (in accordance with KES3161 [1]) for forming a time stamp for message M is as follows. The initiator calculates the hash function d (M) and passes it to the T8A server. The T8A server reads the current clock ΐ _Μ , forms the set T = {th (M), 1 _M }, assures it with its digital signature and then returns ⁸ T8A ^{(T) to the} initiator.

The time stamp for the message M will be denoted as

Time stamps allow you to resolve contentious issues regarding the time of creation of various information objects (documents, messages, etc.). For example, the presence of a time stamp allows you to prove that the corresponding message was created before the time specified in this stamp. The T8A server must be trusted in the sense that the certification authority ΡΚΙ is trusted. Typically, such a server uses a high-precision reference time source and is a component of даже or even part of the certification center.

Further, it is understood that the delay between accessing the T8A server and the point in time indicated in the stamp is negligible. In practical terms, this means that the server has sufficient bandwidth.

The following are explanations regarding hash chains.

Submission of a proposal is an act of two-way interaction during which various messages are transmitted and received. All these messages are interconnected in the sense that the transmission of a message by the interaction subject at a certain step is a reactive consequence of the processing of some other message that the subject received at the previous step. Obviously, this relationship is due to the protocol logic. In addition to the logical analysis of protocol messages, a mechanism for formal verification of their relationship is needed. For this purpose, it is proposed to use hash chains.

Hash chains allow you to uniquely associate a message from an anonymous participant and subsequent messages of the same participant, the authenticity of which is verified using the EDS mechanism. After the first message has been delivered to the intermediary, the attacker will not be able to generate any subsequent messages for the participant, since he does not know the starting value of the hash chain.

Hash chains allow you to avoid attacks using messages from other auctions. Such attacks can be especially effective when lots of the same content are announced at auctions held at different times.

Hash chains are used in the protocol as follows. Before submitting a proposal, each participant generates a starting value of r ₀ for the chain. Then, starting with the starting value of r ₀ , sequentially applies the hash function and gets the final value

The number of iterations η is chosen sufficient so that the chain is not exhausted during any development of events within the protocol. The final value is included in the first message.

- 8 021508

Further, each subsequent message contains ψ; ^χ with index ί is 1 less than in the previous step.

If more than one lot is declared in one or several auctions at the same time, then each lot is associated with a separate hash chain. Moreover, the starting value for each such chain is generated randomly and independently. The participant stores the starting value of the hash chain in secret.

The following are explanations regarding one-time random numbers.

Since all posted offers are anonymous, the intermediary is forced to accept any offers, real or false, both from registered participants and from any others. Note that in the general case, anonymity and authenticity are mutually exclusive requirements. Therefore, any abuse is possible: spoofing individual messages, sending false messages, impersonation, ϋοδ-attacks (denial of service), etc. Objects of malicious influence can be both the participant and the intermediary with the customer. The participant is less, the intermediary and the customer are more. This is due to the fact that the resource controlled by the intermediary is usually fixed in the geographical and address space, while the participant can use any suitable terminal to interact with the intermediary.

As a preventive measure, it is proposed to use one-time random numbers. The intermediary transmits a one-time random number K as part of the message. In the response message, the participant returns the same random number to the intermediary, which allows the intermediary to make sure that the message they received is a response to his own message from the correct participant and this is the answer to the message that was sent to the participant in this round.

For each participant and for each message, the intermediary (or customer) generates a separate random number.

The following is an explanation of the supporting agreements, the so-called default figures, which simplify the notation for the submission of electronic auction protocols.

In protocol messages, the sender and receiver identifiers are not explicitly indicated, but are present by default. Also, by default, lot identifier b is present. If several lots are declared, then the identifier b allows you to distinguish between messages related to different lots.

Let us illustrate this with an example. It is assumed that the sender identifier appears in the message first in order to emphasize its active role as the initiator, and the recipient identifier second. The third position is the identifier of the lot.

Consider a one-round protocol in which A transmits message X to B, then B transmits message A, A, both of which are related to lot L.

(1) A -> B: {A, B, b, X} (2) A <- B: {B, A, b, Y}

The identifiers of the sender, recipient and lot are indicated explicitly. The transmitted messages are interpreted as finite sets of arbitrary power. In accordance with the agreement, messages (1) and (2) will be recorded as follows.

(1) A -> B: {X} (2) A <- B: {¥}

If the message consists of a single element, then, for simplicity, curly brackets may be omitted. Then the protocol will be presented in the following notation.

(1) A -> B: X (2) A <- B: Υ

1.4. Message delivery issues.

The interaction of subjects is carried out according to the protocol, which consists of a sequence of steps. Messaging is an essential attribute of this interaction. For electronic auctions, it is important that messages are delivered to the recipient in a timely manner, namely within a predefined time interval. Moreover, the fact of transmission / reception of the message must be established reliably. We denote the following problem.

The sender may, without actually sending the message or being late with its sending, claim that the message was allegedly sent in a timely manner.

The recipient may claim that he allegedly did not receive the message or received later than the agreed deadline, although in reality the message arrived on time.

Such tactics may be associated, for example, with the acquisition of benefits not foreseen by the auction. We emphasize once again that this is not about the content of messages, but about the fact of transmission / reception. This problem is fundamental and exists not only in virtual cyberspace, but also in the material world, when the subjects of interaction are not abstract informational entities, but real physical objects.

- 9 021508

Let there be a pair of subjects, one of which does not follow the established rules of interaction. Then, based on the assumption of the presumption of innocence, it is impossible to reliably establish whose statement regarding the delivery time of the message is true and whose is false.

To solve the problem, you can seek the assistance of a trusted party. The other side, usually called the notary public, must be trusted by both entities. The function of a notary public is to verify that a message has been transmitted. The notary acts as a transfer link between the sender and the recipient: any sent message goes first to the notary, and only then the notary passes it to the recipient. At the same time, the notary saves a copy of the message or some evidence unconditionally confirming the fact of transmission of the message. Since the sender trusts the notary, he is sure that the notary will always confirm the fact of the transmission of the message. The recipient is obligated to receive any notifications from the notary and never refuse them, to acknowledge the fact of receipt of the message if the notary makes a corresponding statement.

However, interaction schemes involving a trusted party are highly resource intensive and difficult to implement. Note that according to the level of trust, the notary corresponds to the certification center ΡΚΙ. The number of messages to be recorded can be significant. A notary must have a resource that guarantees high bandwidth, as well as providing long-term storage of significant amounts of information. As a rule, a notary does not perform labor-intensive processing of messages, but carries out their registration, archiving and logging.

If the interaction scheme involving a trusted party for any reason is not applicable, then it is not possible to establish the fact of timely delivery of a message. In practice, it is reasonable to use the simplifying assumption that the subjects strictly follow the prescribed rules of interaction, and to confirm the fact of receiving the message, the recipient transmits a receipt with a time stamp to the sender.

2. Description of a preferred embodiment of the invention.

The approach proposed in this application is implemented in the computer system shown schematically in FIG. one.

The proposed computer system comprises at least one participant device 1, a reseller subsystem 4, a customer device 5, and a time stamp server 3. Devices 1 of the participants are connected via communication channels to the server 3 time stamps, subsystem 4 intermediaries and infrastructure 2 public keys (ΡΚΙ), which includes a certification center. The participant interacts with the customer using the intermediary resource provided by subsystem 4 of the intermediary, the possible implementation of which is a specialized \ Us site or \ Us portal. Customer device 5 is connected via communication channels to the server 3 time stamps, subsystem 4 intermediaries and infrastructure 2 public keys (ΡΚΙ).

Each of the participant’s devices, the intermediary subsystem, and the customer’s device can be a computer device adapted to work on the network configured to perform the functions assigned to it within the framework of the present invention by means of properly designed and developed software installed on it. Such computer devices can be personal computers, server computers (including distributed systems), laptops, portable (handheld) computers and communicators, etc., composed of hardware components widely known in the art (for example, processors, system, network and graphics cards, various storage modules, input / output modules, interface units, etc.). Any suitable of widely known and used technologies and programming environments can be used to develop the mentioned software. Communication between the above devices can be carried out over the Internet using a suitable wired and / or wireless access technology that is widely known and used.

A description of the possible implementations and operation of ΡΚΙ and time stamp servers ΤδΆ, which are widely known in the art, is not given in this application so as not to obscure the invention disclosed therein, since such implementations and work are not directly related to the subject of the present invention.

Next, with reference to FIG. 2 provides a detailed description of the implementation of secure data exchange in an electronic auction in the system of FIG. 1. Mentioning the action performed by the participant, intermediary or customer, unambiguously implies that this action is performed by, respectively, the participant’s device, the intermediary subsystem and the customer’s device described above.

The electronic auction (200) consists of four phases. Each phase consists of several stages. Each step involves several consecutive steps. We list these phases and the corresponding stages.

1. Preparatory (202).

2. Placement of proposals (204).

1. Notification of the placement of proposals.

- 10 021508

2. Formation of the proposal by the participant.

3. Submission of proposals by the participant.

4. Registration of the proposal by the intermediary.

5. Calculation of the certificate by the intermediary.

3. Consideration of proposals (206).

1. Notification of acceptance of decryption keys.

2. Disclosure of the decryption key.

3. Registration of the decryption key.

4. Calculation of the certificate by the customer.

5. Registration of the certificate by the participant.

4. Disclosure of results (208).

1. Determination of the winner.

2. Notification of the results.

3. Conciliation confirmation.

Consider the phases of an electronic auction and give a detailed description of the steps of each stage.

During the preparatory phase (202), the customer agrees with the intermediary on the conditions for providing the site for the auction. All interested parties are informed about the rules of interaction with the resource provided by the intermediary. The customer uses this resource to place an application containing a list of lots and other information necessary for the auction.

For each declared lot, the customer selects a unique identifier b, which is included in the messages associated with this lot (see above). For simplicity, it is assumed that only one lot is declared.

The customer sets four points in time 1a, 1 _s , C and 1 ₈ .

The intermediary stops accepting offers at time 1 _s . After a moment of ₁ nobody can submit a new proposal to amend or withdraw the proposal already submitted.

In accordance with the requirements of the Law, before gaining access to the content of proposals, the customer is obliged to notify participants of the possibility of submitting, amending or withdrawing proposals (see article 26, paragraph 2 of the Law). After granting access, no manipulation of offers is permissible, and therefore, in accordance with the Law, before introducing restrictions, participants must be notified in advance that such restrictions will be introduced. Therefore, a time point 1a is set such that (, <1 _s . When all participants are sent a notification that at time time 1 _{s the} intermediary stops accepting offers. At the same time, such a notification is placed in the public domain for other potential participants.

When placing an encrypted offer, it is assumed that at the right time the decryption key will be made public. Moreover, if the key is not made public in a timely manner, then the proposal will not be decrypted and, as a result, will not be considered. The intermediary proceeds to receive decryption keys at time point C.

At the same time, at the time point Ts, he sends out notifications (in accordance with Article 26, paragraph 2 of the Law) that the keys will be received in the time interval [1C ₆ ].

At time 1 _{8, the} customer finishes accepting the decryption keys and proceeds to determine the winner. Obvious inequalities hold.

The values of all points in time must be published in advance. The actual values of the intervals | 1,, D _with | (for submitting, amending or withdrawing offers) and | 1 <|, 1 „| (for the publication of decryption keys) are determined by the technical capabilities of the intermediary and potential participants, the number of participants, the Public Key Infrastructure (ΡΚΙ) and also depend on the conditions of the auction.

The considered time points are planned and fixed in the conditions of the auction. However, actual values confirmed by time stamps will differ from them. Such times are indicated by superscript * (asterisk).

All the aforementioned and associated information is certified by means of the EDS of the customer and placed in the public domain with the involvement of an intermediary resource.

In the preparatory phase, registration of participants is also carried out. The need for registration of participants is determined by the type and conditions of the auction. In particular, registration is necessary during closed auctions or, as follows from a number of provisions of the Law, when the requirement for financial support for participation in the auction is established.

To comply with the anonymity of the proposals, each participant B is assigned a unique pseudonym, after which participant B is considered as an anonymous participant X, up to a voluntary rejection of anonymity at the appropriate stage.

One of the possible approaches to the formation of aliases is based on the iterative method

- 11,021,508 hashes. The idea is to use hash chain elements as aliases. For each participant, the broker generates its own hash chain. Since the hash chain is finite, of course there are many aliases. Each previously released alias can be used to make an unambiguous decision on the relative release of a new one. The properties of the cryptographic hash function are such that the attacker is not able to independently issue a new alias.

Only messages from participants whose aliases are the essence of the intermediary hash chain element will be accepted for processing. In long-term memory, it is enough to store the initial value ψ ₀ ^χ , the last issued alias ψ ^χ and the current length of the hash chain ΐ + 1. Suppose that for representing in memory ψ ₀ ^χ , ψΓ and ΐ + 1, binary digits are required. Then, to store all the aliases, no more than 3k binary digits are required, where N is the number of participants.

The method guarantees optimal use of the memory resource, since the amount of memory for storing pseudonyms is now determined by the parameter N and does not depend on L, where L is the number of declared lots, M is the number of offers for each lot.

Let the registration data be represented by a binary sequence K ^x .

The first alias is issued by the intermediary upon the registration of participant X. The intermediary performs the following actions.

1. Using a pseudo-random number generator, it produces a secret starting value r ₀ ^x .

ι / ζ (and /%)

2. Iterative hashing method calculates the final value ^ψν ' ^{, ψ0} ' _where ν = ΙΜ + 1 and (r0 ^x , K ^x ).

3. Saves the record 'Ψ ^ν ''and / ^x in long-term memory

4. Transmits to participant X the first pseudonym 'which was obtained as an intermediate result during the calculation of ψ _ν ^χ . In the future: the release of aliases is as follows.

1. The participant, using the appropriate intermediary service (for example, through the ^ e3-site provided by him), enters the pseudonym issued in the previous step. For example, ψ ^x .

2. The record {ψο *, ψί + ι, Д + 1} is stored in the long-term memory of the intermediary.

Intermediary checks

3. If the verification condition is met, the intermediary decides on the release of a new alias and calculates

4. The mediator corrects the previously saved record * ψ _{ί +} ^χ , 1 + 1} by replacing Ψί ⁺¹ with ^ψ1 and

1 + 1 on ί.

5. The intermediary transfers ^ - ^{1 to} participant X as his pseudonym.

It should be noted that the Law guarantees the possibility of withdrawing offers. Usually a participant simply picks up an envelope with a proposal. In an electronic auction, the situation is different: until the decryption key is published, access to the contents of the proposal is not possible. We assume that the bid is withdrawn in an electronic auction implicitly: by not providing the decryption key. Unencrypted sentences, obviously, cannot be considered and, therefore, are ignored.

Suppose a participant wants to change their proposal. According to the rules, he must first withdraw the offer, and then submit another one instead. In an electronic auction, it is enough for the participant to submit an offer, but encrypted on another secret key. In this case, the participant can use both a new and an existing alias. As a result, the intermediary will keep two offers. During the specified time interval, the participant will publish the decryption key, on which the current offer is encrypted. All other offers will be ignored by the customer.

Thus, the participant has the opportunity to submit several offers both simultaneously and with some time delay, and then choose which one (necessarily one) to disclose to the customer, having published the corresponding decryption key. If the participant publishes decryption keys for two or more offers, then in accordance with the Law all his offers will be withdrawn from the auction. If the decryption key is not made public for any of the submitted proposals, this means refusing to participate in the auction.

As mentioned earlier, in the described embodiment, it is assumed that the application contains one lot. If the application contains more than one lot, the phases described below and the related actions are performed for each of the declared lots.

The following is a description of the protocol in the proposal posting phase (204).

- 12 021508

(1.1) X 4- - BUT : M, = Щ, ТМ) (1.2) X - -> A : M _r = {E% (8 _Β (Κ _Β )), ψ *, 1 ¥ _x } (1.3) X <- - BUT : M ₂ = 8MM ^ s (1.4) X <- - BUT : M ₃ = 8 _A (^ m ^ X))

Protocol 1. Placement of proposals.

1. Notification of the placement of proposals. At the point in time to _a mediator on behalf of the customer sends the participants notice of the time of acceptance of proposals and places it in the public domain. To do this, the intermediary performs the following actions.

1. Generates a notification b ₁ , which indicates the time of the end of the acceptance of proposals to _s .

2. Interacting with the server T8L, generates time stamp T (b _1, to _a *), where _a - the arrival time L (L ₁₎ to T8L server to _a <k _a *.

3. Together with its digital signature, it certifies the notification b ₁ and the time stamp T (b ₁ , k _a *).

4. Sends a message M _{0 to the} participants in step (1.1) of Protocol 1.

2. Formation of the proposal by the participant. Participant B performs the following actions.

1. Generates a private encryption key K.

2. Generates a secret starting value of r ₀ ⁱⁿ .

3. Assures, using its digital signature, the secret encryption key K.

4. Forms proposal K _{in the} application published by the customer.

5. By means of its digital signature, certifies the offer of K_ _in .

3. Submission of proposals by the participant. Member B, under the alias X, performs the following sequence of actions.

1. Iterative hashing method calculates the final value ( ^r ° 1 hash chain for a predefined parameter n> 3.

2. Encrypts the offer K _in , certified by the digital signature at the previous stage, using the key K and a symmetric cryptographic conversion.

3. Encrypts the key K, certified by the digital signature at the previous stage, using the secret start value of the hash chain and generates a certificate

This certificate is intended for subsequent use in order to confirm the fact of participation in the auction.

4. Transmit to intermediary A the message Μι in step (1.2) of Protocol 1, which is a sealed envelope.

4. Registration of the proposal by the intermediary. The intermediary A processes the message M ₃ from the participant X and generates a receipt M ₂ . To this end, the intermediary performs the following sequence of actions.

1. Saves the encrypted sentence ^Е к ^ в (^ вУ) -> the final value ψ _η ^χ (that is, a sealed envelope in the aggregate) in long-term memory.

2. Calculates the hash value and evidence

saves the result of calculations in long-term memory so that a one-to-one correspondence is guaranteed

3. Interacting with the T8L server, it forms a time stamp T (MxDb), where kb is the time of arrival of b (MD to the T8A server.

4. Assures by means of its EDS jointly Η (Μχ) and the time stamp T (Mts1b).

5. Transmits to participant X the message M ₂ in step (1.3) of Protocol 1.

5. Calculation of the certificate by the intermediary. At the point in time to _a mediator A stops receiving proposals and proceeds to the formation of evidence Wx, which is calculated on the basis of all encrypted proposals submitted to the time to _c.

This certificate is intended to confirm that only timely submitted proposals are accepted for consideration. To do this, the intermediary performs the following actions.

1. Assume that anonymous participants submitted 1 encrypted offers by the time point to _sec . Then 1 record of the form is stored in long-term memory

Let

- 13 021508

In other words, evidence is computed based on the concatenation of the hash function values calculated for the binary representations of the sealed envelopes.

2. Interacting with the server ΤδΑ, forms a time stamp where is the time of arrival of Η (Ψ _Χ ) to the server ΤδΆ, ΐ ₀ <ΐ ₀ *.

3. Assures by means of its digital signature together Η (^ ι) and the time stamp Τ (^ ι, ΐ ₀ *).

4. Transmits to participant X a message M ₃ in step (1.4) of Protocol 1.

5. Places in open access those encrypted sentences that were used to calculate ^ ₁ .

Let us describe the protocol at the stage of consideration of proposals (206).

Protocol 2. Consideration of proposals.

1. Notification of acceptance of decryption keys. After the lapse of time Ts, but before the time ΐ _§ , participant X must transmit to the intermediary A the decryption key Κ. At time Ts, the intermediary notifies participants of the end time for receiving decryption keys. The notice is also publicly available. To do this, the intermediary performs the following actions.

1. Generates a one-time random number K ₁ .

2. Generates a notification L ₂ , which indicates the end time of reception of decryption keys ΐ _§ .

3. Interacting with the server ΤδΑ, forms a time stamp for the request ⁼ ^ 'Ar! ”Where And * is the arrival time to the server ΤδΑ,

4. Together with its digital signature, certifies the request and time stamp

5. Distributes the message M _{4 to the} participants in step (2.1) of Protocol 2.

2. Disclosure of the decryption key. At the time of the release of the decryption key Κ participant X voluntarily refuses anonymity and interacts with intermediary A as participant B. To release the key, participant B performs the following actions.

1. Iterative hashing method calculates the preceding ψ _η ^χ value of the hash chain

ΨΪ-r = b ”- \ r _o ^c ).

Saves its current length p-1 instead of p.

2. Applies asymmetric cryptographic conversion to encrypt the key Κ using the customer’s public key V. This public key is available through the corresponding public key certificate issued by the certification authority ΡΚΙ for the customer.

3. Interacting with the server ΤδΑ, forms a time stamp ^t

Here ΐ _ε is the arrival time to the server ΤδΑ, ~ ^< for receipt

4. Together with its digital signature, certifies the receipt ^T ' ^{and the} time stamp

5. Transmits to the intermediary A message M ₅ in step (2.2) of Protocol 2.

3. Registration of the decryption key. The intermediary A processes the message M ₅ from the participant B and generates a receipt M ₆ . To this end, broker A performs the following sequence of actions.

fx_)

1. Using the value of And (M |), finds the record of participant B. Computes

Verifies that

- 14 021508

D · and saves instead

2. Interacting with the T8L server, forms a time stamp ' ² ' for the request t ₂ = {K „A (L / ,,, where ίί is the arrival time Η (τ ₂ ) to the T8L server, '

3. Assures by means of its digital signature together Η (τ ₂ ) and the time stamp T (t ₂ , Ф).

4. Transmits to participant B message M ₆ in step (2.3) of Protocol 2.

4. Calculation of the certificate by the customer. At time point ί _§, intermediary A stops receiving decryption keys and transmits all the information received from each participant, namely messages Μι and М ₅ , to the customer. Note that information is transmitted only about those participants from whom decryption keys were received.

After that, the customer V proceeds with the formation of the certificate, which is intended for the subsequent confirmation of the fact that the proposals for which decryption keys were received later than the deadline were not taken into account when determining the winner. To do this, the customer performs the following actions.

1. Applies asymmetric cryptographic transformation to decrypt key K, namely

K = Fy (b (KU).

Decryption is carried out by the customer using a secret key paired with his public key V (see also subsection 1.3 above).

2. Decrypts each sentence, using the decryption key K available for this sentence, and in a known manner performs all the necessary checks (in particular, digital signature, time stamps, hash chain connectivity, random numbers).

3. Assume that 1 * sentences, 1 * <1, have been successfully decoded. Then the customer has 1 * records of the form {K, K _B ) _G 1 </ <g.

He calculates the evidence

Ψ ₂ =

Central Committee ,, *,) ·

In other words, evidence ^ _{2 is} computed based on the concatenation of the hash function values computed for binary representations of the encryption keys and corresponding sentences.

4. Generates a one-time random number K ₂ .

5. Interacting with the T8A server, forms a time stamp for the request

1 (= (1 ^ (^)), where Ts * is the time of arrival of Η (τ ₃ ) to the T8A server, ί ,, 'ί ,, *.

6. Together with its digital signature, it certifies the request τ ₃ and the time stamp Τ (τ ₃ , ί _§ *).

7. Transmits to participant B a message M ₇ in step (2.4) of Protocol 2.

8. Places freely decrypted keys and decrypted sentences that were used to calculate ^ ₂ .

5. Registration of the certificate by the participant. The participant B processes the message M ₇ and generates a receipt M ₈ . To do this, participant B performs the following actions.

1. Iterative hashing method calculates the previous value of the hash chain

Saves its current length p-2 instead of p-1.

2. Interacting with the T8A server, forms a time stamp T (t ₄ D) for the receipt

T ₄ = (^, ^,), ^, ^), 7 (^, / *)}, where is the time of arrival of And (T ₄ ) to the T8A server, ⁱⁿ

3. Assures by means of its digital signature together ^ ^l_2 'and the time stamp

4. Transmits to the customer V message M ₈ in step (2.5) of Protocol 2.

Let us describe the protocol at the stage of the publication of the results (208).

- 15 021508 (3.1) in <- V: М ₉ = 8 _у ^, Т ^ _к У) (3.2) В -> V where <Г ₅ = {К ₃ , 1з, Л (МДЛ (£ Л)}

T _b = ^, ^), ^, ^, ^), 7 (^, 4)}

Protocol 3. Disclosure of results.

1. Determination of the winner. Customer V, in a known manner, analyzes the submitted proposals to determine the winner of the auction in accordance with the criteria and rules fixed in the conditions of the auction.

2. Notification of the results. Suppose that participant B is selected as the winner. Customer V is obliged to notify the participants of the results and personally B about the fact of his election as the winner. To do this, customer V performs the following actions.

1. Generates a one-time random number K ₃ .

2. Generates a notification L ₃ , which indicates that bidder B is recognized as the winner of the auction.

3. Interacting with the T8L server, forms a time stamp T (t ₅ , 1 _k ) for the request

r, = _{k; 4.l (H) -№-k _g )),

C <n.

where 1 _k is the arrival time Η (τ ₅ ) to the T8L server,

4. Assures by means of its digital signature together the request and time stamp T) (t ₅ , 1 _k ).

5. Transmits to participant B message M ₉ in step (3.1) of Protocol 3.

6. Places the message M ₉ in the public domain.

3. Conciliation confirmation. Participant B processes the message M ₉ and forms a receipt M ₁₀ and, thereby, agrees with the election of the winner of the auction. To do this, participant B performs the following actions.

1. Iterative hashing method calculates the previous value of the hash chain

Saves p-3 instead of p-2.

2. Interacting with the T8L server, forms a time stamp T (t ₆ , 1 _p ) for the receipt = {^, ^ (^), ^ 3 ^ (^, ^), ^, 4)), where 1 _p is the arrival time Η (τ ₆ ) to the T8A server, 1 _k <1 _p .

3. Certifies by its electronic signature and time stamp together ^g №'4) ·

4. Transmits to the customer V the message M ₁₀ in step (3.2) of Protocol 3.

In the above statement, when indicating that a certain message is being transmitted to the participant, it was implied that it is also freely available. This rule applies to any messages addressed to participants from both the intermediary and the customer.

Above, when describing an electronic auction, it was repeatedly mentioned that the participant, intermediary, or customer used their digital signature to certify a certain message. Naturally, these EDS are then checked for their validity upon receipt of this message by the relevant party.

So, the digital signature of the intermediary is checked by the participants at steps (1.1), (1.3), (1.4) of the proposal placement phase (204) and steps (2.1), (2.3) of the proposal consideration phase (206). For this verification, the participant receives an intermediary public key certificate issued by a certification authority, through which the intermediary's public key is available. The intermediary public key certificate in itself is obtained by certifying the intermediary's public key and its credentials with a digital signature of the certification authority ΡΚΙ. Then, the participant checks the serial number of the intermediary’s public key certificate against the list of revoked certificates. If the intermediary’s public key certificate is not revoked, the participant verifies the digital signature of the certification authority ΡΚΙ using the public key of the certification authority ΡΚΙ. If the verification result is positive, the participant verifies the digital signature of the intermediary using the intermediary's public key.

Then, the electronic signature of the participant is verified by the intermediary at step (2.2) of the proposal consideration phase (206). To do this, the intermediary receives a certificate of the public key of the participant issued by the certification center ΡΚΙ through which the public key of the participant is available. The certificate of the participant’s public key is obtained by certifying the participant’s public key and his credentials with a digital signature of the certification authority ΡΚΙ. The intermediary checks the serial number of the member’s public key certificate against the list of revoked certificates. If the participant’s public key certificate is not revoked, the intermediary checks the digital signature of the certification authority ΡΚΙ using the public key of the certification authority ΡΚΙ. If the result of this check is positive

- 16,021,508, the intermediary verifies the digital signature of the participant using the member’s public key.

Further, the customer’s digital signature is checked by the participants at step (2.4) of the proposal consideration phase (206) and step (3.1) of the results publication phase (208). For this verification, the participant receives a certificate of the customer’s public key issued by the certification center, through which the customer’s public key is available. By itself, a customer’s public key certificate is obtained by certifying the customer’s public key and its credentials with a digital signature of the certification authority ΡΚΙ. The participant checks the serial number of the second customer’s public key certificate against the list of revoked certificates. If the customer’s public key certificate is not revoked, the participant verifies the digital signature of the certification authority ΡΚΙ using the public key of the certification authority ΡΚΙ. If the verification result is positive, the participant verifies the customer’s digital signature using the customer’s public key.

It should be noted that the customer’s public key and the certificate associated with it may differ from the customer’s public key and the certificate associated with it, which are used for encryption during the proposal review phase (206) described above. In other words, two public keys may be required for a customer.

Then the EDS of the participant is checked by the customer at step (2.4) of the proposal consideration phase (206) and step (3.2) of the results publication phase (208). For this check, the customer receives a certificate of the public key of the participant issued by the certification center ΡΚΙ through which the public key of the participant is available. The certificate of the participant’s public key is obtained by certifying the participant’s public key and his credentials with a digital signature of the certification authority ΡΚΙ. The customer checks the serial number of the member’s public key certificate against the list of revoked certificates. If the participant’s public key certificate is not revoked, the customer verifies the digital signature of the certification authority ΡΚΙ using the public key of the certification authority ΡΚΙ. If the result of this check is positive, the customer verifies the participant’s digital signature using the participant’s public key.

Finally, each of the aforementioned time stamps received from the T8L server is certified by the digital signature of the T8L server, for which a check is also properly performed. To do this, it is necessary to obtain the T8L server public key certificate issued by the certification center ΡΚΙ, through which the T8L server public key is available. By itself, this certificate is again obtained by certifying the public key of the T8L server and its credentials with a digital signature of the certification authority удостовер. Then, the serial number of the public key certificate of the T8L server is checked against the list of revoked certificates. If the T8L server’s public key certificate is not revoked, the digital signature of the certification authority ΡΚΙ is verified using the public key of the certification authority ΡΚΙ. If the result of this check is positive, the digital signature of the T8L server is verified using the public key of the T8L server.

It should be noted that the implementation of the digital signature verification described above is widely known. Its description is given for illustrative purposes only and does not apply directly to the present invention.

The following are various illustrative (but not the only possible) scenarios that are implemented in the event of an unsuccessful result of the digital signature verification (the so-called signature discrepancies).

Consider the step (1.1) of the proposal placement phase (204). Here, messaging is initiated by a broker. If a problem is found, then anonymous participant X may try to receive a similar message by contacting a public resource. If there is a problem for this message or if there is no message at all, then the auction can be considered invalid. It turns out that the intermediary, on behalf of the customer, did not notify the participants about the deadline for accepting proposals, and this is a direct violation of the Law.

Then, we consider step (1.3) of the proposal placement phase (204). If a problem is found, then anonymous participant X initiates the exchange of messages with intermediary A in order to obtain a genuine and complete message M ₂ . The parameter m is introduced, which determines the number of rounds in such a subprotocol. It is reasonable to ask t for reasons

where I, - is the delay associated with one round, and 1 _C is the time for the end of the acceptance of proposals, as was said earlier. In other words, no more than t rounds. If a complete and genuine message is not received from intermediary A in the nth round, then the auction is considered failed, as the intermediary will not be able to subsequently prove that the offer of participant X was registered in a timely manner.

At step (1.4), the proposal placement phase (204) should be done similarly to step (1.3) (see above). That is, if a complete and genuine message was not received from the intermediary in the nth round, then the auction is considered failed, because participant X will not be able to subsequently make sure that his proposal was posted in a timely manner.

At the step (2.1) of the consideration phase of the proposals (206), again, one should proceed similarly to the step (1.3). For the number of rounds, the parameter m ₁ is introduced, and (£ gXL11) <£ d,

- 17 021508 where ΐ ₈ is the end time for receiving decryption keys, as mentioned earlier.

At step (2.2), the consideration phase of proposals (206) should be done similarly to its step (2.1). Moreover, for the number of rounds, the parameter t ₂ is introduced with a similar restriction in по ₈ for t ₂ <t !.

At step (2.3), the consideration phase of proposals (206) should be done similarly to step (2.1). In this case, for the number of rounds, the parameter t ₃ is introduced with a similar restriction in ί ₈ for t ₃ <t ₂ <t !.

At step (2.4), the consideration phase of proposals (206) should be done similarly to step (2.1). In this case, for the number of rounds, the parameter m ₄ is introduced with a similar restriction in ΐ ₈ for m ₄ <m ₃ <m ₂ <m ₁ .

At step (2.5), the consideration phase of proposals (206) should be done similarly to step (2.1). Moreover, for the number of rounds, the parameter m ₅ is introduced with a similar restriction in по ₈ for m ₅ <m ₄ <m ₃ <m ₂ <m !.

At step (3.1), the disclosure phase of results (208) should again be done similarly to step (1.3), but the parameter m is chosen from other reasonable considerations without taking into account specific time constraints. At step (3.2), the results disclosure phase (208) should be done similarly to its step (3.1).

Thus, the present invention ensures the security of information processes during an electronic auction in accordance with the requirements specified by the Law. Thus, the anonymity of the participants, confidentiality, integrity and authenticity of the proposals, as well as the timely provision of access to their contents are guaranteed. The EDS mechanism provides non-repudiation. In addition, publicly available evidence makes it possible to unequivocally establish the fact of timely posting and consideration of proposals, as well as the publication of the results.

The invention has been disclosed above with reference to a specific embodiment. Other specialists may be obvious to other embodiments of the invention, without changing its essence, as it is disclosed in the present description.

Accordingly, the invention should be considered limited in scope only by the following claims.

List of cited literature [1] KES3161. 1p1sgps1 Kh.509 RiNS Keu 1pGga51gis1igs Tnpe-81atr PrgoYuso1 (T8R). Lidi81 2001.

[2] GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic conversion algorithm. Standards Publishing House, 1996.

[3] GOST R 34.10-2001. Information technology. Cryptographic information security. The processes of formation and verification of electronic signatures. Standards Publishing House, 2001.

[4] GOST R 34.11-94. Information technology. Cryptographic information security. Hash function. Standards Publishing, 1994.

[5] 18O / 1ES 18033-3. 1Gogtayoi 1bio1o§u - 8esigyu Yuskpishchek - Epsguryop a1dogkktk - Paradise 3: B1osk S1rkeg8. 2005.

[6] 180 / 1EC 18033-2. 1Gogtayoi 1esbio1o§u - 8sigku Yuskspschiek - Epsguryop a1dogkktk - Paradise 2: Akutteyu arkegk. 2005.

[7] 18O / 1ES 10118-2. 1Gogtayoi 1bio1o§u - Zesshyu (eskpitsgek - Nakk-Hzpsyopk - Paradise 2: NakkGiisyoiz I81pd ap p-bk bosk arkeg. 2000.

[8] 18O / 1ES 10118-3. 1pGogtaiop 1skop1o§u - 8sigku (eskpshchiek - Nakk-Gipsyopk - Paradise 3: Geytsey kakk-Gipsyopk. 2003.

[9] 18O / 1ES 14888-3. 1GGTOPAK 1 EXCLUSIVE - ZESSHYU (EXCLUSIVE - I1dka1 KShPaTsiek take arrePh Paradise 3: I18sge1e 1odagkt Bakey teskatktk. 2005.

Claims (24)

CLAIM 1. A method of secure data exchange in an electronic auction, implemented in a computer system comprising a customer-configured device, an intermediary subsystem, participant devices and a time stamp server, configured to exchange messages, comprising the steps of: A) in the intermediary subsystem place the customer’s application within the framework of the electronic auction and register each participant anonymously, B) in the intermediary subsystem place the offers of participants on the application, while B-1) notify participants of the placement of proposals by means of the fact that by means of the intermediary subsystem they generate a notification about the time for accepting offers, contact the time stamp server to receive a time stamp for notifying about the end times for accepting offers, and certify together the digital notification of the time the deadline for receiving proposals and the received time stamp and send to the devices of participants a notification about the time for the end of the reception of proposals and a time stamp for withdrawal ablution about the time for the end of the acceptance of proposals, jointly certified by digital signature 18 021508 by the intermediary, B-2) using each of the participants' devices, they form and submit a proposal by generating a secret encryption key and attesting it with a digital signature of the participant, generating a proposal on the application and attesting it with a digital signature of the participant, generating a secret starting value and calculating the final hash value -chains formed by the n-fold (n> 3) iterative application of the hash function, starting from the secret starting value, encrypt the generated sentence, certified by a digital signature Using a generated encryption key and symmetric cryptographic conversion, an astronomer generates a participant’s certificate by encrypting the encryption key verified by the participant’s digital signature using a secret start value and sends a sealed envelope formed by the participant’s digital signature to the intermediary subsystem, encrypted by the encrypted offer calculated The final value of the hash chain and the generated certificate of the participant, B-3) register each of the submitted proposals by the participants by means of the intermediary subsystem saving the sealed envelope corresponding to the offer, calculating and storing the hash function value from the sealed envelope in such a way that the sealed envelope and the calculated hash function are uniquely matched from the sealed envelope envelope, contact the time stamp server to obtain a time stamp for the sealed envelope, authenticate by digital signature of the intermediary the hash function value from the sealed envelope and the received time stamp are transmitted to the participant’s respective device the hash function value of the sealed envelope and the time stamp for the sealed envelope, jointly certified by the digital signature of the intermediary, B-4) through the intermediary subsystem, the intermediary certificate is determined by the fact that at the first predetermined time in the intermediary subsystem, the offers are stopped and the intermediary’s certificate is determined based on all sealed envelopes received at that time, the hash function value from the intermediary certificate is calculated, to the time stamp server to obtain a time stamp for the calculated value of the hash function from the certificate of the intermediary, authenticate by digital signature together with the hash function value from the intermediary certificate and the received time stamp, send the hash function from the intermediary certificate and the time stamp for the hash function from the intermediary certificate, jointly authenticated by the intermediary's digital signature, to the devices of the participants and place sealed envelopes in free access that were used to determine the mediator's evidence; C) consider the proposals of the participants, while C-1) in the intermediary subsystem, for each participant, a notification is received on the completion of reception of encryption keys by generating the first one-time random number, a notification on the end time of receiving encryption keys is generated, a first request is generated by combining the notification on the end time for receiving encryption keys and the first one-time random number, they contact the time stamp server to obtain a time stamp for the first request, they are certified by digitally signing the intermediary first request and the obtained time stamp is transmitted first party and request the time stamp for the first request, together Operation certified digital signature, C-2) through each of at least some of the devices of the participants, the encryption key is freely available, as a result of which the corresponding participant ceases to be anonymous by calculating the previous value of the hash chain preceding the final value of the hash chain using the secret start value, and save the current length of the p-1 hash chain, encrypt the encryption key using asymmetric cryptographic conversion using the first public key of the customer, form the first receipt by combining the first one-time number, the value of the hash function - 19 021508 from the sealed envelope, the previous value of the hash chain, encrypted using an asymmetric conversion on the first public key of the customer's encryption key and time stamp for the first request, contact the time stamp server to obtain a time stamp for the first receipt, verified by digital signature of the participant jointly the first receipt and the time stamp received, and transmit to the intermediary subsystem the first receipt and time stamp for the first receipt, jointly certified by a digital odpisyu party C-3) encryption keys are registered in the intermediary subsystem by the fact that for each participant who has published the encryption key, using the hash function value from the sealed envelope from the composition of the accepted first receipt, the corresponding sealed envelope saved earlier is detected, the hash function is applied to the previous value of the hash chain from the composition of the accepted first receipt and make sure that the result of this application coincides with the final value of the hash chain from the detected sealed of the second envelope, and save this previous value of the hash chain instead of the final value of the hash chain, form the second request by combining the first one-time number, the value of the hash function of the sealed envelope, the previous value of the hash chain, the encryption key encrypted using an asymmetric conversion to the first public key of the customer, the time stamp for the first receipt and the time stamp for the first request, turn to the time stamp server to receive the time stamp for the second request, I assure t through the digital signature of the intermediary, together the hash value from the second request and the received time stamp, transmit to the participant the value of the hash function from the second request and the time stamp for the second request, jointly certified by the digital signature of the intermediary, C-4) determine the customer’s certificate by the fact that at the second predefined point in time in the intermediary subsystem the reception of encryption keys is stopped and a sealed envelope and the first receipt of each participant, the encryption key of which is registered in the intermediary subsystem, are transferred to the customer’s device, in relation to of each received sealed envelope and the first receipt, an asymmetric cryptographic transformation is used to decrypt the encryption key using a secret key paired with the first public key of the customer, and decrypt the offer using the encryption key, using the customer’s device generate a customer’s certificate based on the decrypted offers and encryption keys, generate a second one-time random number for the mentioned each participant and form the third request by combining the second one-time number and the hash function values from the generated customer certificate, contact the time stamp server to obtain the stamp in the belts for the third request, jointly certify the third request and the received time stamp by digitally signing the customer and transmit the third request and the time stamp for the third request, jointly authenticated by the digital signature of the customer, to this participant, using the customer’s device, encryption keys and offers that were used are freely available for the formation of a customer certificate, C-5) register the customer’s accepted certificate on each of the participants ’devices by calculating the previous previous hash chain value previous to the previous hash chain value using the secret start value, and keeping the current length η-2 hash chains, form the second receipt by combining the second one-time number, the hash value from the sealed envelope, the mentioned previous hash value, the hash value from the customer’s certificate and the time stamp for the third wasp, contact the time stamp server to obtain a time stamp for the second receipt, verify the jointly mentioned previous previous hash value, the hash value from the second receipt and the received time stamp by digitally signing the participant, transfer the said previous hash value to the customer’s device , the value of the hash function from the second receipt and the time stamp for the second receipt, jointly certified by the digital signature of the participant; Ό) receive the results of an electronic auction, while Ό-1) on the customer’s device determine the winner of the electronic auction, Ό-2) by means of the customer’s device, participants are notified about the result of determining the winner of the electronic auction by - 20 021508 generate the third one-time random number, generate a notification indicating that a certain participant is recognized as the winner of the electronic auction, form the fourth request by combining the third one-time number, the generated notification of the winner, the hash function value from its sealed envelope and the hash function value from it encryption key and offers, contact the time stamp server to obtain a time stamp for the fourth request, authenticate by digital signature of the customer together the fourth request and the received time stamp are transmitted to the winner’s participant’s device and the fourth request and the time stamp for the fourth request, jointly certified by the customer’s digital signature, are freely available, Ό-3) by means of the winner’s participant’s device, a conciliation confirmation is generated by calculating the pre-previous value of the hash chain preceding the said previous value of the hash chain using the secret start value and storing the current length of the n-3 hash chain, forming the third receipt by combining the third one-time number, the hash function of the sealed envelope, the aforementioned pre-previous value of the hash chain, the value of the hash function of the encryption key and offer, time stamp d For the fourth request, they contact the time stamp server to obtain a time stamp for the third receipt, verify the jointly mentioned pre-previous value of the hash chain, the value of the hash function from the third receipt and the received time stamp using the digital signature of the participant, transfer the said previous previous hash value to the customer’s device -chains, the value of the hash function from the third receipt and the time stamp for the third receipt, jointly certified by the digital signature of the participant. 2. The method according to claim 1, in which the application contains at least one lot, wherein steps B), Ό) are performed for each lot of the application, and each of the messages by default includes the identifier of the lot to which it relates. 3. The method according to claim 2, in which the application additionally contains information necessary for conducting an electronic auction, and this information contains the aforementioned time for the end of the acceptance of offers, the end time for the receipt of encryption keys and the first and second predefined time points. 4. The method according to claim 1, in which the computer system has access to the public key infrastructure (ΡΚΙ), while the first public key of the customer is available through the first public key certificate of the customer, issued by the certification center of the public key infrastructure for the customer. 5. The method according to claim 2, in which upon anonymous registration of participants, each of them is assigned a pseudonym. 6. The method according to claim 5, in which when assigning an alias to the participant through the intermediary subsystem generate a secret start value, calculate the initial value of the hash chain as the value of the hash function of the secret start value and a binary sequence representing the registration data of the participant, and calculate the final the value of the hash chain formed by the ν-fold iterative application of the hash function, starting from the initial value of the hash chain, where the length ν of the hash chain is one more eniya number of lots in the number of sentences stored record formed heshtsepochki initial value, and final value heshtsepochki heshtsepochki length ν, transmitting party source alias representing value heshtsepochki preceding heshtsepochki final value. 7. The method according to claim 6, in which to release a new alias for the participant through the device of the participant of this participant, the nickname issued to the participant last time is transmitted to the intermediary subsystem, through the intermediary subsystem, a check is performed to determine whether the value obtained by applying the hash is equal -functions to the accepted alias, the final value of the hash chain from the structure of the record stored in the intermediary subsystem, if the verification result is positive, the hash value is calculated by the intermediary subsystem points preceding the hash chain value corresponding to the accepted alias using the initial hash chain value from the composition of the record and transmit the calculated hash chain value to the participant’s device as a new alias, correct the record by replacing the final hash chain value in it by the value of the hash chain corresponding to the accepted alias, and reduce the current length of the hash chain by one. - 21 021508 8. The method according to claim 1, in which the certificate of the intermediary is determined based on the concatenation of the hash function values calculated for the binary representations of the sealed envelopes. 9. The method according to claim 1, wherein the customer’s certificate is determined based on the concatenation of the hash function values calculated for binary representations of the encryption keys and corresponding sentences. 10. The method according to claim 1, in which the computer system is based on the Internet, and interaction with the intermediary subsystem is carried out through the \ UH site provided by the intermediary subsystem. 11. The method according to claim 1, in which for each of the messages authenticated by the digital signature of the intermediary, the digital signature of the intermediary is verified by the device of the participant who received the message by receiving an intermediary public key certificate issued by the public key infrastructure center through which the intermediary’s public key is available, and the intermediary’s public key certificate is obtained as a result of certification of the intermediary’s public key and its credentials with a digital signature the trust center of the public key infrastructure, check the serial number of the broker's public key certificate from the list of revoked certificates, if the broker’s public key certificate is not revoked, verify the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and verify Digital signature of the broker using the broker's public key. 12. The method according to claim 1, in which, for each of the messages authenticated by the participant’s digital signature, the intermediary subsystem that has received the message is verified by verifying the participant’s digital signature by receiving a participant’s public key certificate issued by the public key infrastructure center through which the public key of the participant is available, and the certificate of the public key of the participant is obtained as a result of certification of the public key of the participant and his credentials with a digital signature I certify its public key infrastructure center, check the serial number of the participant’s public key certificate according to the list of revoked certificates, if the participant’s public key certificate has not been revoked, check the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and verify digital signature of the participant using the public key of the participant. 13. The method according to claim 1, in which, for each of the messages authenticated by the customer’s digital signature, the customer receiving the message verifies the customer’s digital signature by receiving the second customer’s public key certificate issued by the public key infrastructure center through which is available to the second public key of the customer, and the second certificate of the public key of the customer is obtained as a result of certification of the second public key of the customer and his credentials by the front-end signature of the public key infrastructure certification center, verify the serial number of the second customer’s public key certificate according to the list of revoked certificates, if the second customer’s public key certificate is not revoked, check the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and if positive the result of this check verifies the digital signature of the customer using the second public key the customer. 14. The method according to claim 1, in which, for each of the messages authenticated by the participant’s digital signature, the user receiving the message verifies the participant’s digital signature by receiving a participant’s public key certificate issued by the public key infrastructure center through which the public key of the participant is available, and the certificate of the public key of the participant is obtained as a result of certification of the public key of the participant and his credentials with a digital signature I certify its public key infrastructure center, check the serial number of the participant’s public key certificate according to the list of revoked certificates, if the participant’s public key certificate has not been revoked, check the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and verify digital signature of the participant using the public key of the participant. 15. The method according to claim 1, in which each of the time stamps received from the time stamp server is not authenticated by a digital signature of the time stamp server, and against this time stamp, the digital signature of the time stamp server is checked by get the time stamp server public key certificate issued by the public key infrastructure certification center through which the time stamp server public key is available, and the time stamp server public key certificate is obtained as a result of verifying the public key of the time stamp server and its credentials by digitally signing the public key infrastructure certification center, check the serial number of the public time stamp server public key certificate against the list of revoked certificates, if the public key certificate of the time stamp server is not revoked, check the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and with a positive result of this Erki verify a digital signature timestamp server by using the public key of the server time stamps. 16. A computer system for implementing secure data exchange in an electronic auction, comprising a customer’s device, an intermediary subsystem, participant devices and a time stamp server connected to the network and capable of exchanging messages, while the intermediary subsystem is configured to place a customer’s bid in an electronic auction and register each participant in an anonymous manner, to place the participants' offers on the application in the intermediary subsystem, to notify the participants about When placing proposals, the intermediary subsystem is configured to generate a notification about the time for accepting offers, to contact the time stamp server to receive a time stamp for notifications about the end time for accepting offers, to certify together with a digital signature of the intermediary a notification about the end time for accepting offers and the received time stamp and send on the devices of participants, a notification about the end time for receiving proposals and a time stamp for notifying about the end time the acceptance of proposals, jointly certified by the digital signature of the intermediary, for the formation and submission of the proposal, each of the participants' devices is able to generate a secret encryption key and authenticate it using the digital signature of the participant, generate a proposal on the application and certify it using the digital signature of the participant, generate a secret starting value and calculate the final value of the hash chain formed by an η-fold (n> 3) iterative application of the hash function, starting from the secret start value I, to encrypt the generated offer, certified by the participant’s digital signature, using the generated encryption key and symmetric cryptographic conversion, generate the participant’s certificate by encrypting the encryption key verified by the participant’s digital signature using the secret start value and send a sealed envelope to the intermediary subsystem as a message, formed by a certified digital signature of the participant in an encrypted offer calculated by the final value We have a hash chain and formed a participant’s certificate, to register each of the submitted offers of the participants, the intermediary subsystem is able to save a sealed envelope corresponding to the offer, calculate and save the value of the hash function from the sealed envelope in such a way that an unambiguous correspondence between the sealed envelope and the calculated hash value is guaranteed -functions from a sealed envelope, contact the time stamp server to obtain a time stamp for a sealed envelope, verify the value of the hash function from the sealed envelope together with the digital signature of the intermediary and the received time stamp and transfer the hash value of the sealed envelope and the time stamp for the sealed envelope, jointly verified by the digital signature of the intermediary, to determine the certificate of the intermediary, to the intermediary subsystem with the ability at the first predefined time point in the intermediary subsystem to stop accepting offers and determine It’s up to the intermediary, on the basis of all the sealed envelopes accepted at that time, to calculate the hash value from the intermediary’s certificate, contact the time stamp server to obtain a time stamp for the calculated hash function from the intermediary’s certificate, and verify the hash value together with the digital signature of the intermediary functions of the certificate of the intermediary and the received time stamp, - 23 021508 send to the participants' devices the value of the hash function from the intermediary’s certificate and the time stamp for the value of the hash function from the intermediary’s certificate, jointly certified by the intermediary’s digital signature, and place freely sealed envelopes that were used to determine the intermediary’s certificate; to consider the proposals of the participants for the formation in the intermediary subsystem for each participant of the notification of the completion of reception of encryption keys, the intermediary subsystem is configured to generate a first one-time random number, generate a notification about the end time for receiving encryption keys, generate a first request by combining the notification about the end time for receiving encryption keys and the first one-time random number, contact the time stamp server to obtain a time stamp for of the first request, to certify together the first request and the time stamp received by digitally signing the intermediary, to transmit the first request and the time stamp for the first request, jointly verified by the digital signature of the intermediary, to place the encryption key in the public domain, each of the devices of the participants is able to calculate the previous value hash chains preceding the final value of the hash chain, using a secret start value, and keep the current length of the p-1 hash chain, encrypt encryption key using asymmetric cryptographic conversion using the first public key of the customer, generate the first receipt by combining the first one-time number, the hash value of the sealed envelope, the previous value of the hash chain, encrypted using the asymmetric conversion on the first public key of the customer, the encryption key and time stamp for the first request, contact the time stamp server to obtain a time stamp for the first receipt, assure by means of a digital signature of the participant jointly the first receipt and the time stamp received, and transmit to the intermediary subsystem the first receipt and time stamp for the first receipt, jointly authenticated by the digital signature of the participant, for registration in the intermediary subsystem of the encryption keys, the intermediary subsystem is configured for each participant who has published the key encryption, using the value of the hash function from the sealed envelope from the composition of the accepted first receipt, identify the corresponding sealed save the previous envelope, apply the hash function to the previous value of the hash chain from the received first receipt and make sure that the result of this application matches the final hash value from the detected sealed envelope, and save this previous hash value instead of the final value of the hash chain, generate a second request by combining the first one-time number, the hash value of the sealed envelope, the previous value of the hash chain, the key encryption, encrypted using an asymmetric transformation on the first public key of the customer, a time stamp for the first receipt and a time stamp for the first request, contact the time stamp server to obtain a time stamp for the second request, verify the value of the hash function from the second using the digital signature of the intermediary request and the received time stamp, transmit to the participant the value of the hash function from the second request and the time stamp for the second request, jointly certified by a digital signature intermediary, to determine the customer’s certificate, the intermediary subsystem is configured to stop receiving encryption keys at the second predetermined point in time and transmit to the customer’s device a sealed envelope and the first receipt of each participant whose encryption key is registered in the intermediary subsystem, the customer’s device is configured with respect to each received sealed envelope and first receipt apply asymmetric cryptographic conversion to decrypt encryption key using the secret key, the public key of the pair to the first customer, and decrypt a bid using an encryption key, the client device is arranged to generate a certificate based on the decrypted client proposals and encryption keys, - 24 021508 the customer’s device is configured to generate a second one-time random number for each participant and generate a third request by combining the second one-time number and the hash function value from the generated customer certificate, contact the time stamp server to obtain a time stamp for the third request, certify by the customer’s digital signature together the third request and the received time stamp and transmit to this participant the third request and the time stamp for the third request and, jointly certified by the customer’s digital signature, the customer’s device is able to freely place the encryption keys and offers that were used to generate the customer’s certificate, to register the customer’s received certificate, each of the participant’s devices is able to calculate the previous previous hash chain value prior to the mentioned to the previous value of the hash chain, using the secret starting value, and save the current length η-2 of the hash chain, form the second receipt by combining the second one-time number, the hash value of the sealed envelope, the previous value of the hash chain mentioned, the hash value of the customer’s certificate and the time stamp for the third request, contact the time stamp server to obtain the time stamp for the second receipt, authenticated by digital participant’s signatures the jointly mentioned previous value of the hash chain, the value of the hash function from the second receipt and the received time stamp, transmit to the device Single said predpredyduschee the hash chain, the hash value of the second receipt time stamp for the second receipt, jointly certified digital signature of party; to obtain the results of an electronic auction, the customer’s device is configured to determine the winner of the electronic auction, to notify the participants of the result of determining the winner of the electronic auction, the customer’s device is configured to generate a third one-time random number, generate a notification indicating that a certain participant is recognized as the winner of the electronic auction, generate the fourth request by combining the third one-time number, the generated notification of thinner, the hash function values from its sealed envelope and the hash function values from its encryption key and offers, contact the time stamp server to obtain a time stamp for the fourth request, verify the fourth request together with the received time stamp by digitally signing the customer, transmit to the winner’s participant’s device and place the fourth request and the time stamp for the fourth request, jointly certified by the customer’s digital signature, in free access to form a conciliation confirmations by the winner, each of the participant’s devices is able to calculate the pre-previous value of the hash chain using the secret start value and store the current length η-3 of the hash chain, generate the third receipt by combining the third one-time number, hash functions from a sealed envelope, the mentioned pre-previous value of the hash chain, values of the hash function from the encryption key and sentences, time stamp for the fourth of the first request, contact the time stamp server to obtain a time stamp for the third receipt, verify the jointly mentioned pre-previous value of the hash chain, the value of the hash function from the third receipt and the received time stamp using the digital signature of the participant, transfer the said previous previous hash value to the customer’s device chains, the value of the hash function from the third receipt and the time stamp for the third receipt, jointly certified by the digital signature of the participant. 17. The computer system according to clause 16, in which to assign an alias to each participant during anonymous registration of participants, the intermediary subsystem is configured to generate a secret start value, calculate the initial value of the hash chain as the value of the hash function of the secret start value and binary sequence, representing the registration data of the participant, and calculate the final value of the hash chain formed by the ν-fold iterative application of the hash function, starting from the initial hash value -chain, where the length of the hash chain ν is equal to the value one greater than the product of the number of lots by the number of offers, save the record formed by the initial value of the hash chain, the final value of the hash chain 25 021508 and the length of the hash chain ν, transmit the initial alias to the participant representing the value of the hash chain preceding the final value of the hash chain. 18. The method according to clause 16, in which to release a new nickname for the participant, the device of the participant is configured to transmit to the intermediary subsystem the nickname issued to the participant last time, the intermediary subsystem is configured to check whether the value obtained is equal by applying the hash function to the accepted alias, the final value of the hash chain from the record stored in the intermediary subsystem, the intermediary subsystem is configured to, if the verification result is positive, use the hash chain value preceding the hash chain value corresponding to the accepted alias using the initial hash chain value from the mentioned record, and transfer the calculated hash chain value to the participant’s device as a new alias, correct the said record by replacing the final one hash chain values by the hash chain value corresponding to the accepted alias, and reduce the current hash chain length by one. 19. The computer system according to clause 16, in which the network is an Internet network, while the intermediary subsystem is configured to provide \ Ve site to ensure interaction with the intermediary subsystem. 20. The computer system according to clause 16, in which, for each of the received messages verified by a digital signature of an intermediary, to verify the digital signature of an intermediary, each device of the participant is configured to receive an intermediary public key certificate issued by the public key infrastructure center through which the public key is available intermediary, moreover, the certificate of the public key of the intermediary is obtained as a result of certification of the public key of the intermediary and his credentials with a digital signature the certification authority of the public key infrastructure, check the serial number of the reseller’s public key certificate against the list of revoked certificates, if the reseller’s public key certificate has not been revoked, verify the digital signature of the public keys infrastructure certification center using the public key of the public keys infrastructure certification center and verify Digital signature of the broker using the broker's public key. 21. The computer system according to clause 16, in which, for each of the received digitally signed participant’s digital signature verification messages, the intermediary subsystem is configured to receive a public key certificate issued by the public key infrastructure center through which the public key is available moreover, the participant’s public key certificate is obtained by certifying the participant’s public key and his credentials with a digital signature certifying of the public key infrastructure center, check the serial number of the participant’s public key certificate according to the list of revoked certificates, if the participant’s public key certificate has not been revoked, verify the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and verify digital signature of the participant using the public key of the participant. 22. The computer system according to clause 16, in which, for each of the received digitally signed customer’s signature verification messages, each participant’s device is configured to receive a second customer’s public key certificate issued by the public key infrastructure center through which the second customer’s public key, and the second customer’s public key certificate was obtained as a result of certification of the customer’s second public key and its credentials digital signature of the public key infrastructure certification center, check the serial number of the second customer’s public key certificate on the list of revoked certificates, if the second customer’s public key certificate is not revoked, verify the digital signature of the public key infrastructure certification center using the public key of the public key infrastructure certification center and a positive result of this verification, verify the digital signature of the customer using the second open to Lucha customer. 23. The computer system according to clause 16, in which for each of the received verified digital signature of the participant verification of the digital signature of the participant, the customer’s device is configured to - 26 021508 to receive a participant’s public key certificate issued by the public key infrastructure certification center through which the participant’s public key is available, and the participant’s public key certificate is obtained by attesting the participant’s public key and his credentials with a digital signature of the public key infrastructure certification center, check the serial number of the certificate member’s public key according to the list of revoked certificates; if the member’s public key certificate has not been revoked, check the digital odpis Certification Authority public key infrastructure using the public key of the certification center public key infrastructure, and with a positive result of this test to check the digital signature of party using the public key participant. 24. The computer system according to clause 16, in which each of the time stamps received from the time stamp server is authenticated by digitally signing the time stamp server, and to perform a digital signature of the time stamp server on each time stamp for this time stamp, each of the customer’s device, subsystem the intermediary and the participants' devices are configured to receive the time stamp certificate public key certificate issued by the public key infrastructure certification center through which the public key of the server is available time stamps, and the public key certificate of the time stamp server is obtained by verifying the public key of the time stamp server and its credentials with a digital signature of the public key infrastructure certification center, check the serial number of the public key certificate of the time stamp server against the list of revoked certificates, if the public key certificate the time stamp server is not revoked, verify the digital signature of the public key infrastructure certification center using the public key In order to verify the public key infrastructure of the public key infrastructure, and if the result of this check is positive, verify the digital signature of the time stamp server using the public key of the time stamp server.