This invention relates to a protocol for the secure verification of correspondents in a data communication system and in particular to the verification of at least one of the correspondents having limited computing power.
Traditionally, a mechanical turnstile system was used to restrict the entry of persons into or out of a pre-determined area. In order to gain entry, the user is required to pay a fee, the fee being in the form of cash, tokens, fee cards or other payment medium. These mechanical turnstiles however allow entry without being able to identify the persons entering or leaving. In order to monitor users, an operator is required.
In order to alleviate this problem electronic card entry and exit systems were devised. In these types of systems, a user is issued with an identification card beforehand which is then inserted into a card reader and upon positive verification will allow entry via a locked door or similar barrier thus obviating the need for an operator. A disadvantage of this system is that for a large number of users, a database has to be maintained listing each of the users, particularly if each user has a unique identification then the verification system is required to scroll through each of the records to find a matching identity. Secondly, this system is also inconvenient if there are a large number of users entering a particular location at a given time such as a public transit way, the insertion and withdrawal of cards from a card reader is apt to cause bottlenecks at the entrance way.
Transit systems have been devised in which users are provided with a pre-programmed smart card. In this system, the turnstile or a terminal is able to monitor the smart card remotely thus the user simply walks past the turnstile without having to physically insert the card in a slot. The card is generally activated by the presence of a electromagnetic field generated by the terminal, the card then transmits an appropriate identification back to the terminal which verifies the card identification and allows entry of the user. These cards generally have limited computing power and are not able to perform complex computations. It is also desirable to authenticate these cards to prevent duplication or fraudulent entry. Because the cards have limited computing power, it is necessary to implement a authentication protocol that minimizes the computation performed by the card and furthermore is able to provide verification of the card by the terminal in a very short period of time, generally less than one second.
This invention seeks to provide a solution to the problem of card verification between a terminal and a card where the card device has limited computing power.
According to one aspect of this invention there is provided a method of authenticating at least one of a pair of correspondents T and C in an information exchange session, and wherein one of the correspondents T includes a secret key t and the other correspondent C has a public key C and a shared secret value tC derived from said public key C and said secret key t the method comprising the steps of:
the first correspondent C transmitting to the second correspondent T said public key C;
the second correspondent T generating a challenge value "khgr" and transmitting said challenge value "khgr" to said first correspondent C;
said second correspondent T generating a session shared secret value ss by combing said private key t with said public key C of said first correspondent C;
said second correspondent T generating a response test value kt by combining said session shared secret ss with said challenge "khgr", in a mathematical function ƒ1;
said first correspondent C generating a response value kc by combining said shared secret tC with said challenge value "khgr" in said mathematical function ƒ1 and sending said response value kc to said second correspondent T; and
said second correspondent T comparing said response test value kt to said challenge response value kc to verify said first correspondent C.
A further aspect of this invention provides for said public key C being included in a certificate CertC, whereby the second correspondent verifies the certificate on C and the identity of the first correspondent C before generating the challenge "khgr".
In accordance with a further aspect of this invention the mathematical function ƒ1 is a one way function.