This invention relates to a protocol for verifying parties in a transaction and, in particular, to cryptographic protocols for providing secure personal ATM transactions between an electronic device and a server, in which the protocols are based on a public key algorithm.
With the advent of electronic commerce, the use of cash in financial transactions is becoming less popular, in favour of electronic wallets. Typically, a financial institution will issue its customers with a personal ATM device (P-ATM) and an electronic cash card. The user then uses the electronic cash card, which stores a cash amount thereon, in various financial transactions. The cash card communicates with the financial institution's central server via the personal ATM. Because a financial institution exercises less control over a P-ATM than over a regular ATM installed, for example, at a bank site, it is necessary for the P-ATM to be authenticated both by the issuing financial institution and by the cash card user, in addition to the usual verification of the cash card by the institution and, sometimes, of the institution by the cash card.
In order to simplify the manufacturing process for personal ATMs, the mapping of a P-ATM's cryptographic parameters to a server is unknown until the customer purchases the P-ATM device. To perform P-ATM to server binding, it is necessary to issue the appropriate server public key to the P-ATM and to issue the P-ATM public key and ID to the appropriate server. Both of these actions must be done securely. The difficulty in the authentication presented by this type of application is that the cash card must trust the server and vice versa. Thus, it is necessary that the server then verify the P-ATM and vice versa. Once the server and the P-ATM trust each other, the user can then use the cash card with the ATM with relative confidence. Furthermore, these verifications must be performed relatively quickly. Thus, there is a need for a verification and authentication protocol that meets the needs of this type of transaction.
This invention seeks to provide a verification and authentication protocol that enables at least one party in at least a three party transaction to be authenticated by the remaining parties.
Furthermore this invention seeks to provide an authentication protocol in a cash-card, personal ATM and server transaction.
This invention also seeks to provide a key distribution method for personal ATMs and the like.
In accordance with an aspect of the invention there is provided a method of authenticating a pair of correspondents C,S to permit exchange of information therebetween, each of said correspondents C,S having a respective private key e,d and a public key Qu and Qs derived from a generator P and a respective one of said private keys e,d, a first of said correspondents C having unique identification information IDu stored therein, a second of said correspondents S including a memory for storing public keys of one or more of said first correspondents, said method comprising the steps of:
a) said second of said correspondents generating a random value y upon initiation of a transaction between said correspondents;
b) said second correspondent S forwarding to said first correspondent C said value y;
c) said first correspondent C generating a first random number x and computing a public session key tP from a private key t;
d) said first correspondent C generating a message H by combining said first random number x, said value y, said public session key tP and said unique identification information IDu and computing a signature Se of said message H;
e) said first correspondent C transmitting said signature Se, said public session key tP, said value x and said identification IDu to said second correspondent;
f) said second correspondent, upon receipt of said message from said previous step (e), retrieving said public key Qu of said first correspondent from said memory using said received identification information IDu;
g) said second correspondent verifying said received signature using said retrieved public key Qu, thereby verifying said message H, and computing a shared secret d(tP), whereby both said correspondents may calculate a shared secret key k by combining the computed secret tQs=d(tP) with said first random number x and said random value y, said key k being utilized in subsequent transactions between said correspondents for the duration of said session.
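The following is an added worked example of steps a) to g), written for this edit and not taken from the patent or from any product it describes. It uses a constructed toy group (a safe prime p = 2q+1 with generator g, so the document's scalar multiplication tP becomes pow(g, t, p)), a Schnorr signature standing in for the unspecified signature Se, and SHA-256 as the key derivation; the class names, the registry used as the server's public-key memory, and the IDs are assumptions for illustration. Two checks a practitioner would want are included: the server recomputes H from its own y, so a replayed transcript against a fresh session is rejected, and an IDu with no stored Qu is rejected before any key is derived.

```python
import hashlib
import secrets

# Toy group parameters (constructed for this example; a deployed P-ATM would use
# an elliptic-curve group of roughly 256-bit order).  p = 2q + 1 is a safe prime
# and g = 4 generates the prime-order-q subgroup.
p, q, g = 2039, 1019, 4


def mul(k, point=g):
    """kP in the document's additive notation, written multiplicatively: point**k mod p."""
    return pow(point, k, p)


def rand_scalar():
    return secrets.randbelow(q - 1) + 1                    # uniform in [1, q-1]


def h_int(*parts):
    """Hash byte/int parts to a scalar mod q (toy hash-to-scalar for the signature)."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def sign(e, msg):
    """Schnorr signature with private key e; stands in for the page's signature Se."""
    r = rand_scalar()
    c = h_int(mul(r), msg)
    return c, (r + c * e) % q


def verify(Qu, msg, sig):
    c, s = sig
    R = (mul(s) * pow(Qu, (q - c) % q, p)) % p              # g^s * Qu^-c == g^r
    return h_int(R, msg) == c


def encode_H(x, y, tP, IDu):
    """Message H of step d): x, y, tP and IDu in one fixed, unambiguous encoding."""
    return b"|".join(str(v).encode() for v in (x, y, tP)) + b"|" + IDu


def derive_k(shared, x, y):
    """Session key k from the shared secret d(tP) = tQs and both nonces x and y."""
    return hashlib.sha256(b"|".join(str(v).encode() for v in (shared, x, y))).digest()


class Server:
    """Second correspondent S: holds private key d, public key Qs, and a memory of P-ATM keys."""
    def __init__(self):
        self.d = rand_scalar()
        self.Qs = mul(self.d)
        self.registry = {}              # IDu -> Qu, filled during P-ATM-to-server binding
        self.y = None

    def register(self, IDu, Qu):
        self.registry[IDu] = Qu

    def begin_session(self):
        # Step a): fresh random y per session (distinct from the previous one, which
        # matters only because the toy group is small enough for repeats to be likely).
        y = rand_scalar()
        while y == self.y:
            y = rand_scalar()
        self.y = y
        return y                        # step b): y is sent to C

    def finish_session(self, Se, tP, x, IDu):
        Qu = self.registry.get(IDu)     # step f): look up Qu by the received IDu
        if Qu is None:
            return None                 # unknown P-ATM: nothing to verify against
        H = encode_H(x, self.y, tP, IDu)   # server's own y, never a value sent by C
        if not verify(Qu, H, Se):       # step g): signature check binds x, y, tP, IDu
            return None
        return derive_k(mul(self.d, tP), x, self.y)        # d(tP) -> k


class Client:
    """First correspondent C (the P-ATM): private key e, public key Qu, identity IDu."""
    def __init__(self, IDu):
        self.IDu = IDu
        self.e = rand_scalar()
        self.Qu = mul(self.e)

    def respond(self, y, Qs):
        x, t = rand_scalar(), rand_scalar()   # step c): random x and ephemeral t
        tP = mul(t)
        H = encode_H(x, y, tP, self.IDu)      # step d): message H and signature Se
        Se = sign(self.e, H)
        k = derive_k(mul(t, Qs), x, y)        # tQs equals the server's d(tP)
        return (Se, tP, x, self.IDu), k       # step e): Se, tP, x, IDu go to S


def run_protocol(client, server):
    y = server.begin_session()
    msg, k_client = client.respond(y, server.Qs)   # Qs was issued to C at binding time
    return k_client, server.finish_session(*msg), msg


def demo():
    server = Server()
    client = Client(b"PATM-0001")                  # constructed identifier
    server.register(client.IDu, client.Qu)         # binding: Qu and IDu stored at S
    k_c, k_s, msg = run_protocol(client, server)
    server.begin_session()                         # new session, new y
    replayed = server.finish_session(*msg)         # old transcript must not verify
    _, k_unknown, _ = run_protocol(Client(b"PATM-9999"), server)   # never registered
    return k_c == k_s, replayed is None, k_unknown is None
```

Running demo() returns (True, True, True): both sides derive the same k, the replayed message fails because the signed H contains the server's current y, and an unregistered IDu yields no key. Note that the server's lookup and signature check happen before any secret-key operation, so an attacker without a registered Qu cannot cause the server to compute d(tP) at all.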
Also, this aspect of the invention provides for apparatus for carrying out the method. Such an apparatus can comprise any computational apparatus such as a suitably programmed computer.