METHOD AND DEVICE FOR MUTUAL AUTHENTICATION

US 20100115277A1
Filed: 12/21/2007
Published: 05/06/2010
Est. Priority Date: 12/22/2006
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating communication between a first and second party (or node) over an insecure, high bandwidth communications network, in which the first party (C) authenticates the second party (M) using a communications protocol comprising a first communications phase through a first communications channel over the insecure, high bandwidth communications network to establish a secure mode of communications between the first and second party, followed by a second communications phase of receiving information from the second party over a second communications channel, such as an empirical channel, and enabling a user to make a human comparison of the information received from the second party with information generated by the first party thereby enabling the user to authenticate the second party in the event of the information from both parties agrees.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating communication between a first and second party (or node) over an insecure, high bandwidth communications network, in which the first party (C) authenticates the second party (M) using a communications protocol comprising a first communications phase through a first communications channel over the insecure, high bandwidth communications network to establish a secure mode of communications between the first and second party, followed by a second communications phase of receiving information from the second party over a second communications channel, such as an empirical channel, and enabling a user to make a human comparison of the information received from the second party with information generated by the first party thereby enabling the user to authenticate the second party in the event of the information from both parties agrees.

Citations

30 Claims

1. A method of authenticating communication between a first and second party (or node) over an insecure, high bandwidth communications network, in which the first party (C) authenticates the second party (M) using a communications protocol comprising a first communications phase through a first communications channel over the insecure, high bandwidth communications network to establish a secure mode of communications between the first and second party, followed by a second communications phase of receiving information from the second party over a second communications channel, such as an empirical channel, and enabling a user to make a human comparison of the information received from the second party with information generated by the first party thereby enabling the user to authenticate the second party in the event of the information from both parties agrees.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 18, 19, 20, 21, 22, 23, 29)
- - 5. The method according to claim 1 comprising the step of agreeing a session key for communication between the first and second nodes, and preferably wherein the session key is randomly generated by either first or second node, or created by the Diffie-Hellman process.
  - 6. The method according to claim 1 comprising the following the steps of communicating the following messages:
    - 1;
      
      M->
      
      C;
      
      M, C, pkM, longhash(hkM.M)2;
      
      C->
      
      M;
      
      M, C, longhash(hkC, C), {k}_pkM3;
      
      M->
      
      C;
      
      hkM4;
      
      C->
      
      M;
      
      hkC5a;
      
      C, M display;
      
      digest(hkM XOR hkC, (M, C, PkM, k)); and
      
      5b;
      
      C, M agree on this value through human checking or other empirical channel.
  - 7. The method according to claim 6 wherein the second message stage, {k}_pkM, is replaced by one of longhash(k) and longhash(pkM,k).
  - 8. The method according to claim 1 comprising the following the steps of communicating the following messages:
    - 1;
      
      M->
      
      C;
      
      M, C, ĝ
      
      X, longhash(hkM, M)2;
      
      C->
      
      M;
      
      M, C, ĝ
      
      Y, longhash(hkC, C) k;
      
      =g^A{XY}3;
      
      M->
      
      C;
      
      hkM4;
      
      C->
      
      M;
      
      hkC5a;
      
      C, M display;
      
      digest(hkM XOR hkC,(M, C, k)); and
      
      5b;
      
      C, M agree on this value via human checking or other empirical channel.
  - 9. The method according to claim 8 wherein the value of k in the message 5a, digest(hkM XOR hkC,(M, C, k)), is replaced by the pair (ĝ
    - X, ĝ
      
      Y).
  - 10. The method according to claim 1 comprising the steps of communicating the following messages:
    - 0;
      
      C->
      
      M;
      
      C, INFO_c1;
      
      M->
      
      C;
      
      M, INFO_M2;
      
      C->
      
      M;
      
      longhash(hk)2b;
      
      Ensure C does not send a Message 3 while M is waiting for Message3;
      
      C->
      
      M;
      
      {hk}_pkM4a;
      
      Each A, A displays;
      
      digest(hk, (C, INFO_c, M, INFOM)),4b;
      
      Each A, A->
      
      _EEach B;
      
      Users compare information.
  - 11. The method of performing a financial transaction agreed between a customer and a merchant comprising the method of authenticating the merchant to the customer using the method of claim 1 and enabling appropriate instructions to a third party, such as a bank, via the communications network thereby to enable completion of the transaction.
  - 12. The method of claim 11 wherein instructional data, such as a PIN, required by the third party to enable the transaction, is communicated to the third party in a secure form such that it is not evident to the merchant.
  - 13. The method according to claim 1 wherein the digest is a digest function of (hk,m) chosen so that, for any distinct m1 and m2, as hk varies uniformly over b-bit values the probability that digest(hk,m1)=digest(hk,m2) is never significantly greater than 2⁻
    - b and preferably the length b of the digests is chosen so that a probability of an attack succeeding of 2^−
      
      bis acceptable.
  - 15. The method of according to claim 1 of enabling secure communication by a customer with a bank, wherein the customer has a long term shared secret (SId) with the bank to enable secure communication therewith and the communications protocol enables the customer'"'"'s knowledge of the long term shared secret (SId) to be communicated to the bank but remain secret during such communication.
  - 16. The method according to claim 13 comprising the step of using the long term secret key (SId) to create a one-time entropy that can be used within the SD.
  - 18. The method of according to claim 1 comprising the step of implementing a digest function based on the Toeplitz model, and preferably wherein the digest function makes use of aggregating the effects of using integer multiplication or other suitable operation on groups of bits that is logically similar to a convolution.
  - 19. The method of according to claim 1 comprising the step of using a pseudo-random number generator (PRNG) to enable determination of a digest function, preferably comprising the stepsinitialising a first and second memory store (58, 60) for storing strings of bits by shifting each of the lengths of bits in a predetermined manner and initialising the length of bits in each memory store with values functionally dependent on a key k,storing a first length of pseudo-random bits in the first store (58) and storing a second length of bits of digest information (M) in the second store (60), operating on both the stored strings of bits in each of the first and second memory store to produce a digest.
  - 20. The method according to claim 19 comprising the steps of:
    - using a PRNG (56) as a feedback shift register seeded with a key k in which some of the parameters are randomly driven by part of k independent of the register'"'"'s feed,for each bit-per cycle (bpc) of the PRNG (56), using a separate circuit containing two shift registers (58, 60), one of length b/2+1 containing pseudo-random bits from the PRNG (56) and one of length b/2 through which a fraction of digested information (M) is piped, wherein preferably M is divided for this purpose into bpc fractions,shifting each of the registers (58, 60) by one bit each cycle in opposite directions, the registers being initialised with values (possibly
      
      0) functionally dependent on the key k, to produce b bits by &
      
      -ing each bit of the M-stream with the bit of the PRNG-stream above it and the bit of the PRNG-stream to the right of this place,followed by the step XOR-ing the resulting b bits into an accumulator (62), which is itself preferably initialised with some value functionally dependent on k, andthe b-bit values produced from each of the bpc fractions of M are XOR-ed together to produce the final digest.
  - 21. The method according to claim 1 comprising the step of enabling every bit of a data stream influence every bit of the output, preferably while only shifting the input stream efficiently while dealing with that stream in whole or half-word blocks, to enable determination of a digest function.
  - 22. The method of according to claim 1 or independent thereof, of enabling an electronic card transaction between a customer, merchant and a bank wherein the merchant is assured that the card is genuine and that all correct identification information required for a transaction such as a PIN have been entered for the transaction, the customer is assured that he is paying the amount of money desired to the intended merchant and is assured that the information given cannot be abused by a third party who may be listening or who may be interfering with the interaction, and wherein the customer'"'"'s information cannot be abused, intentionally or otherwise (e.g. in a security leak or via a corrupt employee) by the merchant, and preferably wherein the bank authorises the transaction.
  - 23. A method according to any preceding claim or independent thereof, of enabling a secure electronic transaction between a customer, a merchant and a bank, wherein an authenticated communications channel is established between the customer and the merchant providing the customer with satisfaction of the authenticity of the merchant, and a secure communication channel is provided between the merchant and the bank, the method enabling transfer of requisite data from the customer to the merchant and from the customer to the bank via the merchant to enable the transaction to occur and wherein at least part of the data transferred to the bank is kept secret from the merchant.
  - 29. The security device according to claim 24 adapted to enable one or more of the steps set out in the method according to claim 1.

2. A method of authenticating communication by a first node with a second node over an insecure communications network, comprising:
- an agreement stage comprising agreeing a hash function and communications protocol;
  
  a first message stage comprising sending a first message from the second node to the first node comprising a longhash element,a second communication stage comprising the second node communicating to the first node a first argument operated on by the agreed hash function to provide a longhash element,a third message stage comprising sending a second message from the first node to the second node enabling the second node to determine the data committed by the longhash element it received,a fourth message stage comprising sending a second message from the second node to the first node enabling the first node to determine the data committed by the longhash element it received,a digest stage wherein the first and second node generate a digest using at least the two pieces of committed data thereby to enable the user of the first node to authenticate the second node by human comparison of both the digests.
- View Dependent Claims (3)
- - 3. The method according to claim 2 wherein the digest generated by the second node is communicated to a user of the first node to enable the user personally to compare the digest of the first and second nodes, and preferably wherein the communication to the user is one of verbal, such as over a telephone network, or visual, such as through display over the insecure communications network.

4. (canceled)

14. (canceled)

17. (canceled)

24. The security device for enabling authentication of a merchant to a customer over an insecure communications network, the security device comprising a processor adapted to perform encrypted communication of data via a data transfer interface to the communications network, and a user interface enabling user input of data and output of data to a user, the security device further being adapted to enable communication of secure information, such as financial data, to a third party, such as a bank, via the data transfer interface over the insecure communications network after the user has authenticated the identity of the merchant using the security device.
- View Dependent Claims (25, 26, 27)
- - 25. The security device according to claim 24 wherein the data transfer interface enables wireless communication with the communications network such as using radio frequency and/or infra red communications.
  - 26. The security device according to claim 24 comprising a user interface enabling a user to determine a digest value determined through communication with a merchant, and preferably means such as a button to confirm further communication is to proceed.
  - 27. The security device according to claim 24 comprising a pseudo-random number generator (PRNG) to enable determination of a digest function, preferably further comprisingfirst and second memory store (58, 60) for storing strings of bits by shifting each of the lengths of bits in a predetermined manner and being adapted to enable initialising the length of bits in each memory store with values functionally dependent on a key k, anda controller adapted to enable storage of a first length of pseudo-random bits in the first store (58) and storage of a second length of bits of digest information (M) in the second store (60), followed by operating on both the stored strings of bits in each of the first and second memory store to produce a digest.

28. (canceled)

30. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oxford University Innovation Limited (University of Oxford)
Original Assignee
Isis Innovation Limited
Inventors
Roscoe, Andrew William

Granted Patent

US 9,270,450 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 9/0844   with user authentication or...

H04L 9/3215   using a plurality of channe...

METHOD AND DEVICE FOR MUTUAL AUTHENTICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR MUTUAL AUTHENTICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links