9270450

Method and Device for Mutual Authentication

Published: February 23, 2016
Assignee: not available in USPTO data we have

Patent Claims
22 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of performing a financial transaction agreed between a customer and a merchant comprising authenticating the merchant to the customer by authenticating communication between the customer and the merchant over an insecure, high bandwidth communications network, in which the customer (C) authenticates the merchant (M) using a communications protocol comprising a first communications phase through a first communications channel over the insecure, high bandwidth communications network to establish a secure mode of communications between the customer and merchant, followed by a second communications phase of receiving information from the merchant over a second communications channel, and enabling a user to make a human comparison of the information received from the merchant with information generated by the customer thereby enabling the user to authenticate the merchant in the event that the information from both the customer and the merchant agrees and thereby enabling appropriate instructions to a third party, via the communication network thereby to enable completion of the financial transaction, the method comprising the step of agreeing to a key for communication between the customer and the merchant.

2. The method according to claim 1, wherein the key is a session key.

3. The method according to claim 1 comprising the following the steps of communicating the following messages:

1: M→C: M, C, pkM, longhash(hkM.M)
2: C→M: M, C, longhash(hkC, C), {k}_pkM
3: M→C: hkM
4: C→M: hkC
5a: C, M display: digest(hkM XOR hkC, (M, C, PkM, k)); and
5b: C, M agree on this value through human checking or other empirical channel.

4. The method according to claim 3 wherein the second message stage, {k}_pkM, is replaced by one of longhash(k) and longhash(pkM,k).

5. The method according to claim 1 comprising the following the steps of communicating the following messages:

1: M→C: M, C, g^X, longhash(hkM, M)
2: C→M: M, C, g^Y, longhash(hkC, C)
k:=g^{XY}
3: M→C: hkM
4: C→M: hkC
5a: C, M display: digest(hkM XOR hkC,(M, C, k)); and
5b: C, M agree on this value via human checking or other empirical channel.

6. The method according to claim 5 wherein the value of k in the message 5a, digest(hkM XOR hkC,(M, C, k)), is replaced by the pair (g^X, g^Y).
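
The message flow of claim 5, as an added example that is not part of the patent text: both sides commit to a hash key, exchange Diffie-Hellman values, reveal the keys, and compute the short value that the users compare. SHA-256 for longhash, truncated HMAC-SHA256 for digest, the toy group (P, G), the 16-bit length and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2   # toy prime-field group, chosen for brevity (assumption)
B = 16                  # digest length b in bits, short enough to compare by eye

def longhash(hk: bytes, ident: bytes) -> bytes:
    """Stand-in for longhash(hk, id): a SHA-256 commitment to the hash key."""
    return hashlib.sha256(hk + b"|" + ident).digest()

def digest(hk: bytes, m: bytes) -> int:
    """Stand-in for the b-bit keyed digest: HMAC-SHA256 truncated to B bits."""
    return int.from_bytes(hmac.new(hk, m, hashlib.sha256).digest(), "big") >> (256 - B)

class Party:
    def __init__(self, name: bytes):
        self.name = name
        self.x = secrets.randbelow(P - 3) + 2      # private exponent X or Y
        self.pub = pow(G, self.x, P)               # g^X or g^Y
        self.hk = secrets.token_bytes(32)          # hash key, revealed only in msg 3/4

    def commit(self):
        """Messages 1/2: public value plus commitment to the hash key."""
        return self.pub, longhash(self.hk, self.name)

    def display(self, peer_name, peer_pub, peer_commit, peer_hk):
        """After messages 3/4: verify the revealed key, then compute step 5a."""
        if not hmac.compare_digest(longhash(peer_hk, peer_name), peer_commit):
            raise ValueError("revealed hash key does not match its commitment")
        k = pow(peer_pub, self.x, P)               # k := g^{XY}
        hk = bytes(a ^ b for a, b in zip(self.hk, peer_hk))   # hkM XOR hkC
        return digest(hk, b"M|C|" + k.to_bytes(32, "big"))

def run(altered_in_transit: bool = False):
    """Return the (merchant, customer) display values for one protocol run."""
    m, c = Party(b"M"), Party(b"C")
    (m_pub, m_commit), (c_pub, c_commit) = m.commit(), c.commit()
    if altered_in_transit:                         # C receives a different g^X
        m_pub = pow(G, secrets.randbelow(P - 3) + 2, P)
    return (m.display(b"C", c_pub, c_commit, c.hk),
            c.display(b"M", m_pub, m_commit, m.hk))

if __name__ == "__main__":
    print("honest run: ", run())
    print("altered run:", run(altered_in_transit=True))
```

When the value of g^X seen by the customer differs from the one the merchant sent, the two displayed values agree only with probability about 2^-B, which is what the human comparison in step 5b relies on.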

7. The method according to claim 1 comprising the steps of communicating the following messages:

0: C→M: C, INFO_c
1: M→C: M, INFO_M
2: C→M: longhash(hk)
2b: Ensure C does not send a Message 3 while M is waiting for Message 3: C→M: {hk}_pkM
4a: Each A, A displays: digest(hk, (C, INFO_c, M, INFO_M)),
4b: Each A, A →_E Each B: Users compare information.

8. The method of claim 1 wherein instructional data, required by the third party to enable the transaction, is communicated to the third party in a secure form such that it is not evident to the merchant.

9. The method according to claim 1 wherein the digest is a digest function of (hk,m) chosen so that, for any distinct m1 and m2, as hk varies uniformly over b-bit values the probability that digest(hk,m1)=digest(hk,m2) is never significantly greater than 2^{-b} and preferably the length b of the digests is chosen so that a probability of an attack succeeding of 2^{-b} is acceptable.

10. The method according to claim 9 comprising the step of using the long term secret key (SId) to create a one-time entropy that can be used within the SD.

11. The method of according to claim 1 comprising the step of implementing a digest function based on the Toeplitz model.

12. The method of according to claim 1, comprising the step of using a pseudo-random number generator (PRNG) to enable determination of a digest function.

13. The method according to claim 12 comprising the steps of: using a PRNG (56) as a feedback shift register seeded with a key k in which some of the parameters are randomly driven by part of k independent of the register's feed, for each bit-per cycle (bpc) of the PRNG (56), using a separate circuit containing two shift registers (58, 60), one of length b/2+1 containing pseudo-random bits from the PRNG (56) and one of length b/2 through which a fraction of digested information (M) is piped, wherein preferably M is divided for this purpose into bpc fractions, shifting each of the registers (58, 60) by one bit each cycle in opposite directions, the registers being initialized with values (possibly 0) functionally dependent on the key k, to produce b bits by &-ing each bit of the M-stream with the bit of the PRNG-stream above it and the bit of the PRNG-stream to the right of this place, followed by the step XOR-ing the resulting b bits into an accumulator (62), which is itself preferably initialized with some value functionally dependent on k, and the b-bit values produced from each of the bpc fractions of M are XOR-ed together to produce the final digest.

14. The method according to claim 1 comprising the step of enabling every bit of a data stream to influence every bit of the output.

15. The method of according to claim 1, wherein the merchant is assured that the card is genuine and that all correct identification information required for a transaction such as a PIN have been entered for the transaction, the customer is assured that he is paying the amount of money desired to the intended merchant and is assured that the information given cannot be abused by a third party who may be listening or who may be interfering with the interaction, and wherein the customer's information cannot be abused, intentionally or otherwise by the merchant.

16. The method according to claim 1, wherein an authenticated communications channel is established between the customer and the merchant providing the customer with satisfaction of the authenticity of the merchant, and a secure communication channel is provided between the merchant and the bank, the method enabling transfer of requisite data from the customer to the merchant and from the customer to the bank via the merchant to enable the transaction to occur and wherein at least part of the data transferred to the bank is kept secret from the merchant.

17. The method according to claim 1 wherein the method is performed by a security device for enabling authentication of a merchant to a customer over an insecure communications network, the security device comprising a processor adapted to perform encrypted communication of data via a data transfer interface to the communications network, and a user interface enabling user input of data and output of data to a user, the security device further being adapted to enable communication of secure information to a third party via the data transfer interface over the insecure communications network after the user has authenticated the identity of the merchant using the security device.

18. A method of performing a financial transaction agreed between a customer and a merchant comprising authenticating the merchant to the customer by authenticating communication between the customer and the merchant over an insecure, high bandwidth communications network, in which the customer (C) authenticates the merchant (M) using a communications protocol comprising a first communications phase through a first communications channel over the insecure, high bandwidth communications network to establish a secure mode of communications between the customer and merchant, followed by a second communications phase of receiving information from the merchant over a second communications channel, and enabling a user to make a human comparison of the information received from the merchant with information generated by the customer thereby enabling the user to authenticate the merchant in the event that the information from both the customer and the merchant agrees and thereby enabling appropriate instructions to a third party, via the communication network thereby to enable completion of the financial transaction, wherein the customer has a long term shared secret (SId) with the bank to enable secure communication therewith and the communications protocol enables the customer's knowledge of the long term shared secret (SId) to be communicated to the bank but remain secret during such communication.

19. A security device for enabling authentication of a merchant to a customer over an insecure communications network, the security device comprising a processor adapted to perform encrypted communication of data via a data transfer interface to the communications network, and a user interface enabling user input of data and output of data to a user, the security device further being adapted to enable communication of secure information to a third party via the data transfer interface over the insecure communications network after the user has authenticated the identity of the merchant using the security device, wherein the security device is further adapted to agree to a key for communication between the customer and the merchant.

20. The security device according to claim 19 wherein the data transfer interface enables wireless communication with the communications network.

21. The security device according to claim 19 comprising a user interface enabling a user to determine a digest value determined through communication with a merchant.

22. The security device according to claim 19 comprising a pseudo random number generator (PRNG) to enable determination of a digest function.

Patent Metadata

Filing Date

Unknown

Publication Date

February 23, 2016

Inventors

Andrew William Roscoe


Cite as: Patentable. “METHOD AND DEVICE FOR MUTUAL AUTHENTICATION” (9270450). https://patentable.app/patents/9270450
