Modern computing and telecommunication systems have enabled a rapid and continuing increase in exchange of information between individuals and organizations, e.g. via the system commonly known as the Internet. However, the full potential of such systems is currently restricted by the difficulty of providing secure transfer of valuable information over the system. Many organizations would like to use publicly accessible networks for conducting various transactions, such as the sale of goods and services. In principle, payment for such transactions could be obtained from a customer by transfer over the network of relevant information such as credit card details. However, it is clearly possible for a dishonest third party to intercept such information during transmission, and then misuse it to the third party's financial advantage. Various other fraudulent activities are possible, such as false repudiation of orders. Accordingly, most transactions which may be initiated over a network still have to be completed using conventional methods such as exchange of paper invoices and payments or voice messages, using more trusted systems such as mail or voice telephone networks.
It is essential for an effective electronic transaction mechanism to have several properties:
authentication (i.e. confirmation of origin) of messages involved in a transaction;
protection of the integrity of messages involved in the transaction, and ability to prove if a message has been corrupted;
prevention of false repudiation of an agreement to make a payment;
prevention of frauds involving recording and replaying of messages involved in a transaction;
economy of implementation; and
compatibility with national security interests.

a) receiving a protected version of a password, said protected version being derived from a first of said component one-way functions using said password as said respective value;
b) generating another value;
c) generating a protected version of said other value by applying a second of said component one-way functions;
d) generating a digital signature for the protected version of said other value;
e) applying said second component one-way function using said other value to said protected password to derive a ticket key;
f) generating a session key;
g) protecting said session key with said ticket key;
h) supplying said protected version of said other value, said digital signature and said protected session key to the source of said protected password; and
i) thereafter destroying said other value, said ticket key and said session key.
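Steps a) to i) above, sketched as an added example that is not code from the original document. It assumes modular exponentiation as the commuting component one-way functions, an HMAC as a stand-in for the digital signature, a hash-derived XOR pad for protecting the session key, and a receiving-side recovery function; all names and parameters are hypothetical.

```python
import hashlib, hmac, secrets

# Assumed, not from the page: y -> y^x mod P as the commuting component
# one-way functions. Toy parameters, not a vetted group.
P, G = 2**255 - 19, 5

def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def protect_password(password: str) -> int:
    """First component function, applied by the password holder: G^pw mod P."""
    return pow(G, h_int(password.encode()), P)

def sign(key: bytes, value: int) -> bytes:
    """HMAC-SHA256 stand-in for the digital signature (assumption)."""
    return hmac.new(key, value.to_bytes(32, "big"), hashlib.sha256).digest()

def mask(key: int, block: bytes) -> bytes:
    """XOR a 32-byte block with SHA-256(key); applying it twice unmasks."""
    pad = hashlib.sha256(key.to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def issue_ticket(protected_pw: int, signing_key: bytes, session_key: bytes = None) -> dict:
    """Steps a) to i); session_key may be passed in only to make tests repeatable."""
    n = secrets.randbelow(P - 3) + 2                       # b) another value
    protected_n = pow(G, n, P)                             # c) protected version of it
    signature = sign(signing_key, protected_n)             # d)
    ticket_key = pow(protected_pw, n, P)                   # e) (G^pw)^n
    session_key = session_key or secrets.token_bytes(32)   # f)
    reply = {"protected_n": protected_n, "signature": signature,
             "protected_sk": mask(ticket_key, session_key)}  # g), h)
    del n, ticket_key, session_key   # i) drops references only; Python cannot zeroise
    return reply

def recover_session_key(password: str, reply: dict, signing_key: bytes) -> bytes:
    """Assumed receiving side: (G^n)^pw equals the issuer's (G^pw)^n."""
    if not hmac.compare_digest(sign(signing_key, reply["protected_n"]), reply["signature"]):
        raise ValueError("signature check failed on protected value")
    ticket_key = pow(reply["protected_n"], h_int(password.encode()), P)
    return mask(ticket_key, reply["protected_sk"])
```

The issuer never sees the password itself, only its protected version, and the session key is recoverable only by a party that can apply the first component function with the correct password.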
Various proposals have been made for electronic message authentication. Although they tend to satisfy the primarily technical requirements, they also tend to be costly, contrary to national security interests, or both. Thus many proposals involve reliance on a specialized third-party security service, for example for authentication of messages in each transaction or to supply and certify public encryption keys. In addition, many of these proposals involve the use of reversible encryption algorithms, i.e. algorithms in which information is concealed by encryption by a sender and retrieved again by decryption by the recipient. Such algorithms can also be used for transfer of other information which is contrary to national security interests, so the distribution, and in particular the export from some countries, of products which incorporate reversible encryption algorithms is often controlled or prohibited. Any proposal which involves decryption, and thus requires a reversible encryption algorithm, is unlikely to be suitable to be made available for use on a widespread basis.
It is an object of this invention to provide a method and apparatus for authenticating messages which avoids the problems entailed in prior proposals, and in particular does not require any specialist security service nor involve the use of a reversible encryption technique.