Secure authenticated channels, well known in the art of cryptography, are established to allow two mutually authenticated devices (often called peers) to exchange information confidentially. A secure authenticated channel should preferably have the following characteristics:
- mutual authentication of the peers;
- key confirmation, i.e. a common secret is established and at least one peer is able to verify that the secret indeed is common;
- forward secrecy, i.e. old session keys cannot be calculated even when long-term secret keys (such as certificate secret keys) are known.
These characteristics can be formally proven mathematically, and it has been proven that if there exists a way to circumvent one of the above characteristics for a given cryptographic protocol, then the whole protocol may be broken with relative ease.
Over the years, the cryptographic community has proposed many protocols for secure authenticated channels. Only a few of these channels have been proven to fulfill the characteristics above.
The protocols that do provide channels with the required characteristics all use a number of different cryptographic primitives: at least one asymmetric primitive (such as asymmetric encryption or digital signature), hash functions, Message Authentication Codes (MACs), and, in some of them, other primitives such as symmetric encryption. A problem with these protocols is that they are quite resource-consuming and as such are difficult to implement in a device with limited computing capabilities, for example a portable security module such as a smart card. Another problem is that the use of many cryptographic primitives makes it difficult to prove that a protocol is secure.
The present invention provides a secure access channel protocol that has the required characteristics and that is particularly suitable for implementation in a device with limited computing capabilities.
Throughout the description, it will be assumed that, as cryptography is a mature art, the basic concepts are well known. These concepts will for reasons of clarity and succinctness not be described more than necessary for the comprehension of the invention.