Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
SECURE LOGIN WITHOUT PASSWORDS
Document Type and Number:
WIPO Patent Application WO/2015/108410
Kind Code:
A1
Abstract:
A process is disclosed for authorizing a user's access to a limited access network. The process comprises sending an encrypted server random number to a previously registered user. If the user can demonstrate an ability to successfully decrypt the server random number, the user is authenticated and access is authorized. The process may further comprise an encrypted user random number. The web server's ability to return to the user a decryption of the encrypted user random number serves as confirmation that the web site is legitimate. In a preferred embodiment all communications of login values between the user and the web server are encrypted. In an embodiment a user is provided with a key for encrypting user random numbers and for decrypting server random numbers. The key may be automatically updated on a predetermined schedule.

Inventors:
RUITER TIMOTHEUS MARTINUS CORNELIS (NL)
Application Number:
NL2014/050017
Publication Date:
July 23, 2015
Filing Date:
January 15, 2014
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
XORKEY B V (NL)
International Classes:
H04L9/32
Other References:
SATYANARAYANAN M: "Integrating security in a large distributed system", ACM TRANSACTIONS ON COMPUTER SYSTEMS (TOCS), vol. 7, no. 3, 1 August 1989 (1989-08-01), pages 247 - 280, XP058039479, ISSN: 0734-2071, DOI: 10.1145/65000.65002
MENEZES A J ET AL: "Handbook of Applied Cryptography , Chapter 10: Identification and Entity Authentication", 1 January 1997, HANDBOOK OF APPLIED CRYPTOGRAPHY; [CRC PRESS SERIES ON DISCRETE MATHEMATICES AND ITS APPLICATIONS], CRC PRESS, BOCA RATON, FL, US, PAGE(S) 385 - 386,397, ISBN: 978-0-8493-8523-0, XP002386305
MIHIR BELLARE ET AL: "Entity Authentication and Key Distribution", 22 August 1993, ADVANCES IN CRYPTOLOGY (CRYPTO). SANTA BARBARA, AUG. 22 - 26, 1993; [PROCEEDINGS OF THE ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE (CRYPTO)], BERLIN, SPRINGER, DE, PAGE(S) 232 - 249, ISBN: 978-3-540-57766-9, XP019194060
Attorney, Agent or Firm:
NEDERLANDSCH OCTROOIBUREAU (JS The Hague, NL)
Download PDF:
Claims:
WHAT IS CLAIMED IS:

1. A process for authenticating a user of an Internet domain, said process comprising: a. receiving at a web server a user's login request comprising a value representing a UserlD;

b. locating, at the web server or a server associated with the web server, a key associated with the UserlD;

c. at the web server or a server associated with the web server, generating a server random number and encrypting the server random number with the user key;

d. sending the encrypted server random number to the user.

e. receiving a value from the user confirming the user's ability to decrypt the encrypted server random number.

2. The process of claim 1 wherein the user's login request further comprises an encrypted user random number, and the web server provides authentication to the user by successfully decrypting the encrypted user random number and by sending to the user a value confirming the server's ability to decrypt the encrypted user random number.

3. The process of claim 1 or 2 wherein the user and the web server, or a server associated with the web server, share a user key.

4. The process of claim 1 or 2 wherein, at the web server, or a server associated with the web server, the user key is generated by encrypting a stored site key, associated with the user, using a secret key.

5. The process of claim 4 wherein the user key is deleted from the web server or a server associated with the web server after a login decision is made.

6. The process of any one of claims 2 through 5 wherein the user random number is encrypted with the user key by the user, and decrypted with the user key by the web server or a server associated with the web server.

7. The process of any one of claims 1 through 6 wherein the server random number is encrypted with the user key by the web server or by a server associated with the web server, and decrypted with the user key by the user.

8. The process of any one of the preceding claims which is preceded by an account creation process comprising creating a site key associated with the user.

9. The process of claim 8 wherein, during the account creation process, a user key is created.

10. The process of claim 9 wherein, during the account creation process, the user key is calculated by encrypting the site key with a current secret key.

11. The process of any one of claims 3 through 10 wherein the user key is refreshed on a regular basis by creating a new key and labeling the previous user key as old key.

12. The process of claim 11 wherein the new key and a predetermined number of old keys are stored as active keys.

13. The process of claim 12 wherein the user is authorized access to the Internet domain upon receipt by the web server of a valid UserlD and confirmation of the user's ability to decrypt the encrypted server random number with an active key associated with the UserlD.

14. The process of claim 13 comprising sequential login attempts wherein active keys are used in inverse chronological order of creation.

15. The process of claim 13 or 14 wherein the user is denied access to the Internet domain if the user key used for decrypting the user random number is not an active key.

16. The process of claim 13 or 14 wherein the new key is communicated to the user if the user was authorized access to the Internet domain upon use of an active key that is not the new key.

17. The process of claim 13 or 14 wherein the new key is not communicated to the user if an account associated with the user is considered delinquent.

18. The process of claim 13 or 14 wherein the user is notified of an account delinquency, and the new key is communicated to the user upon the user having remedied the delinquency.

19. The process of claim 15, wherein the user is denied access to the Internet domain until a predetermined condition is met, by temporarily limiting the number of active keys that will be tried in the process, and not communicating to the user a new key until the condition is met.

20. The process of any one of the preceding claims wherein all values related to user

authentication are communicated between the user and the web server in encrypted form.

21. The process of any one of the preceding claims wherein the web server is associated with a login server.

22. The process of claim 21 wherein the login server handles calculation of values.

23. The process of any one of the preceding claims wherein the web server is associated with an account server comprising a table of values representing UserlDs and associated site keys.

Description:
SECURE LOGIN WITHOUT PASSWORDS

BACKGROUND OF THE INVENTION

1. Field of the Invention [0001] The invention relates generally to a secure protocol for authorizing a user's access to an Limited access network or a local network.

2. Description of the Related Art

[0002] Prior art processes authorize access of a user to a restricted access network, such as an Limited access network or a local network, using a combination of two strings of characters. The first such string generally serves to identify the user, and may be referred to as a "user id", a "user name" or a similar term. The second string is generally referred to as a "password", a "pass code", a "personal identification number" or PIN, or some such term.

[0003] An account server associated with the restricted access network keeps a lookup table of registered combinations of first strings and second strings. A user presenting a registered combination of a first string (hereinafter referred to as UserlD) and a second string

(hereinafter referred to as password") is provided access to the restricted access network. The UserlD is generally left unchanged during the lifetime of an account. The password is supposed to be changed frequently, but this practice is experienced as cumbersome and often neglected. [0004] The existing systems are attractive for unauthorized entry attempts, such as hacking. For example, a user may use identical UserlD and password combinations for a number of different limited access networks. If only one becomes compromised, a whole number of that user's limited access accounts may be open to unauthorized access. Many users choose UserlDs and passwords that are easy to guess. Even if users choose more or less random strings to make guessing difficult, they are tempted to use short strings that are increasingly vulnerable to cracking by brute force computing. And, as mentioned earlier, most users do not follow the advice of frequently changing their passwords.

[0005] Hackers may also gain access to a user's computer, where a file with UserlDs and passwords may be stored in memory, for example on a hard drive. Hackers may also gain access to UserlD and password combinations by a method called "phishing", in which a hacker poses as a legitimate website, thereby enticing users to enter their UserlD and password combinations.

[0006] Another source of vulnerability is the communication of UserlDs and passwords via unsecure connections. In most cases a user communicates with a limited access network via the Internet, and the user's UserlD and password are communicated to, for example, a web server via unsecure communication channels, where they are vulnerable to interception.

[0007] Yet another area of vulnerability is the lookup table stored in the account server. There have been frequent reports of unauthorized access to, and theft of, the login accounts of thousands, sometimes millions of users of a particular service. Given the common practice of re-using UserlDs and passwords for a number of different accounts, these break-ins have a serious multiplier effect. In addition, there have no doubt been break-ins that have not been reported, making the problem even bigger than the general public may realize.

[0008] In summary, existing systems are vulnerable to attack for any one or a combination of the following reasons:

UserlDs and passwords are easy to guess;

UserlDs and passwords are too short, and open to brute force attacks; UserlDs and passwords are re-used for various login accounts; Passwords are changed insufficiently frequently, if at all; UserlDs and passwords are transmitted over unsecure communication lines; UserlDs and passwords are stored in unsecure places;

Once stolen, UserlDs and passwords can be used by a hacker without risk of detection of the unauthorized use;

Attempts at improving the security of existing systems fail due to the need of many users to have UserlDs and passwords that are easy to remember.

[0009] Thus, there is a need for a secure login protocol that avoids or mitigates some or all of the above problems. BRIEF SUMMARY OF THE INVENTION

[0010] The present invention addresses these problems by providing a process for authorizing a user's access to a limited access network, said process comprising: a. receiving at a server a user's login request comprising a UserlD; b. locating a user key associated with the UserlD; c. generating a server random number and encrypting the server random number with the user key; d. sending the encrypted server random number to the user; e. receiving a value from the user confirming the user's ability to decrypt the encrypted server random number.

DETAILED DESCRIPTION OF THE INVENTION

[0011] The following is a detailed description of the invention.

Definitions [0012] The term "limited access network" as used herein means any form of stored data that is accessible via the Internet or some other type of computer connection. The term

encompasses websites; local networks; distributed networks; data collections; and the like. The present invention is inter alia concerned with a process for authorizing a user's access to any form of data that is accessible via the Internet. The form of data being accessed is in not in any way critical to the process of the invention, and is generically described as "limited access network."

[0013] In its broadest aspect the present invention relates to a process for authorizing a user's access to a limited access network, said process comprising: a. receiving at a server a user's login request comprising a UserlD; b. locating a user key associated with the UserlD; c. generating a server random number and encrypting the server random number with the user key; d. sending the encrypted server random number to the user; e. receiving a value from the user confirming the user's ability to decrypt the encrypted server random number.

[0014] The term "server" refers to any type of device that provides an interface between the user and the limited access network. In many cases the server is a web server. The term "web server" is hereinbelow used broadly to mean any server that provides an interface between a user and a network, and has a much broader meaning than its customary usage. As described in more detail below, specific tasks involved in the process of the invention may be delegated to specific servers, such as an account server and/or a login server. The account server and/or the login server may be dedicated portions of the web server, or may be standalone servers that are in communication with the web server.

[0015] The UserlD may be a string of characters, such as a name or an alphanumeric string, memorized by the user. In this embodiment the login protocol relies on a combination of something that the user knows (the UserlD) and something that the user has in possession (a key for decrypting the encrypted server random number). In an alternate embodiment the UserlD may be a piece of biometric data, for example obtained from the user's retina or fingerprint. In this embodiment the login protocol relies on a combination of something that the user has exclusive control over (the UserlD) and something that the user has in possession (a key for decrypting the encrypted server random number). [0016] Of the two, only the UserlD is communicated. Gaining access to a UserlD, for example by interception of its transmission, does not provide a hacker with access to the limited access network, because such access also requires the ability to decrypt the server random number.

[0017] As will be discussed in more detail below, in preferred embodiments the UserlD is communicated in a computationally constructed form, making its interception even less useful to hackers.

[0018] It is also impossible to gain access to the Limited access network by replaying a previous successful login attempt, because the process involves the decryption of a server random number that is used only once. The value returned to the login server by the user in step e. will be an incorrect value in a subsequent login attempt, and therefore useless to a hacker.

[0019] The above-described process essentially serves to confirm to the web server that the user making the login attempt is who he pretends to be, that is, someone who knows (or has control over) the UserlD, and has control over the key needed for decrypting the server random number.

[0020] The security of the process can be improved further by providing confirmation to the user of the authenticity of the limited access network. For this purpose the user's login request further comprises an encrypted user random number. The server provides authentication to the user by successfully decrypting the encrypted user random number and by sending to the user a value confirming the server's ability to decrypt the encrypted user random number. This feature provides protection against phishing attempts, because illegitimate "look-alike" websites will be unable to provide the user with the required authentication.

[0021] For step b. it is possible to have a lookup table located in the web server, or in an account server associated with the web server. The step of locating the user key associated with the UserlD, or a value representing the UserlD can be a matter of looking up the user key in the lookup table. Such a lookup table may be vulnerable to hacking attempts, however.

In a preferred embodiment the step of locating the user key associated with the UserlD comprises generating the user key upon receipt of a login request. The user key may be generated by encrypting a stored site key using a secret key. The stored site key is associated with the user. The user key may be discarded immediately after use, so it is never stored. It is regenerated when a new login request is made.

[0022] The process of encrypting the site key with the secret key must be protected from outside attacks, and is preferably carried out in a Hardware Security Module (HSM). In preferred embodiments the process of the invention comprises additional server-side encryption and decryption operations. Preferably all such operations take place in the HSM. The HSM may be located inside the web server, or in a separate login server. In the latter case the communication channel between the web server and the login server preferably is a secure communications line. [0023] The above-described process presupposes that the user has an account with the limited access network. The account can be set up in an account creation process. The main purpose of the account creation process is for the server to open an account for the user, and to create a site key associated with the user. [0024] In an embodiment the login server also creates a user key during the account creation process. In an embodiment the user key is calculated by encrypting the site key with a current secret key. The user key may itself be encrypted, for example using a dummy key received from the user.

[0025] Still during the account creation process, the site key and the encrypted user key may be encrypted with a common key, for example a website key that is pre-shared by the login server and a web server, or with a public/private key pair. The login server may be used for carrying out calculations for the authentication protocols of several limited access networks. Preferably the login server uses a unique website key with each of the web servers that it operates with. [0026] The encrypted values calculated with the website key are shared with an account server. The account server decrypts the received values with the pre-shared website key or with the private key of a public/private key pair, and stores the decrypted values. In an embodiment the account server stores the decrypted values alongside the UserlD or, preferably, a value representing the UserlD, such as a hash value. [0027] In both the account creation process and in the login process the secret key plays an important role. The secret key may be static, but preferably the secret key is dynamic, that is, the secret may be changed from time to time.

[0028] In an embodiment the secret key is selected from a plurality of secret keys. The plurality of secret keys may be placed in an array, preferably indexed in chronological order of creation. The user key is updated with the new current secret key. This may be done automatically, in a process that is invisible to the user.

[0029] The user may be allowed access to the limited access network based on the user's use of an old user key. Restrictions may be put on the authorized access based on an old user key. For example, such access could be restricted to a specific time period since the last successful login. If a user has failed to meet a condition for network access, for example by failing to pay a required subscription fee, the user may be allowed one login for correcting the deficiency. Certain users may be denied access altogether, for example by limiting the number of secret keys available to that user to zero.

DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS/EXAMPLES

[0030] The following is a description of certain embodiments of the invention, given by way of example only.

[0031] The invention will be illustrated with reference to an Internet website having controlled access. It will be appreciated, however, that the invention is equally applicable to other situations where a user seeks access to a controlled access network, such as a local network belonging to the user's employer, etc. For this reason terms like "website" and "web server" should be given an expansive interpretation.

1. Setting up an Account [0032] In this example a person wishing to gain access to a controlled access network, such as a website, is referred to as a "User." The User wishes to connect to a server running the website. This server is referred to as the "web server." For gaining access to the website the User needs to have an account with the website. The account of the User, together with the accounts of other users, is administered by an account server. The account server may be a dedicated portion of the web server, or it may be a separate server. In the latter case the account server and the web server may be located in physical proximity to each other, for example in the same room, or they may be in physically remote locations. It is desirable that communications between the web server and the account server take place via secure communication channels. [0033] For a proper understanding of the present invention it is not always necessary to distinguish between the web server and the account server. In the following discussion, reference may from time to time be made to the web server when, strictly speaking, the term account server could have been used. Nevertheless, the skilled person will have no problem understanding the operation of the invention. [0034] The web server is connected to a login server. The login server may be a dedicated portion of the web server, or it may be a separate server. In the latter case the login server and the web server may be located in physical proximity to each other, for example in the same room, or they may be in physically remote locations. It is desirable that communications between the web server and the login server take place via secure communication channels. It is conceivable to have the login server operated by a separate entity that provides secure login services to one or a number of websites.

[0035] For setting up an account with the web server, the User must be in possession of a key. In this embodiment the User has possession of a collection of keys, for example 99 keys, which can be stored in a mathematical matrix in a memory that is accessible to the User. The matrix can be seen as a mathematical equivalent of a physical key ring, and will be referred to herein as the key ring. Each of the 99 keys on the key ring is identified by a whole number 1 through 99, which corresponds to its position in the matrix. The key ring may further comprise a key ring Identifier, which is a key with reference number 0 (zero) on the key ring, referred to as Z[0]. Each key on the key ring can be a string of random bits, for example 128 bits. The User does not need to remember, or even know, these strings. The User only needs to remember, or write down, the number of the key used for a particular website.

[0036] As in existing login schemes, the User needs a user identification, or UserlD. This should be a string of characters that is easy for the User to remember, or something based on data over which the User has exclusive control, such as biometric data. The User does not send his UserlD to the Web Server, but an encrypted form of the UserlD, such as a hash value. The hash value may be constructed using a combination of the UserlD and the Key Ring Identifier Z[0].

[0037] First, hashes are computed for the key ring Identifier and the UserlD:

[0038] Then U h is calculated in an XOR operation on the two hash values: [0039] The hash value U h is constructed from something the User controls (the key ring identifier) and something the User knows. The User may choose a simple UserlD, because the UserlD itself is not communicated to the web server. Moreover, there is little harm in the User' s use of the identical UserlD for a number of different websites. [0040] When the User for the first time uses the key ring in applying for a website account, none of the keys on the key ring is in active use. Put differently, all keys on the key ring are dummy keys at that point. When the User applies for a new account, the website notifies the User of the number of bits n that are used for keys. The website also makes the public key part Ki e of a public/private key combination available to the User. The private key K LE is kept by the login server.

[0041] The User selects dummy key with index number (d) from the Key Ring.

[0042] The User' s computer then encrypts the selected dummy key with the public key.

[0043] The User then sends U h and K h to the web server, together with any other information that is considered relevant for opening an account. The web server creates a new account identified by U h , and sends K h and n to the login server.

[0044] All mathematical operations of the login server are carried out inside a High Security Module (HSM). The login server creates a new site key K s , which it encrypts using the private key K LE : = Random(«)

wherein K ae is a public key of which the accounts server holds the private key K AE - [0045] K s is encrypted using a current Secret Key SfOJ:

and the (2048 bit) value K h is decrypted with the private key K LE to yield K d : which is then used to encrypt K u .

[0046] Values K y and K x are sent to the web server. The web server relays K y and U h to the accounts server, which uses its private key to decrypt K y to get the site key K s . The site key is immediately encrypted again.

[0047] The encrypted value K a is stored in the accounts server alongside U h . In future login attempts value K a is sent to the login server without further processing.

[0048] The encrypted user key K x is sent to the user, who can decrypt it using the dummy key that was used in the account creation:

[0049] Finally, the user key is placed in the key ring at location d with something like:

[0050] The account creation protocol is summarized in Table 1.

[0051] As a result of the account creation protocol, the User is now in possession of a unique user key K u , which is based on a Secret Key that is never communicated outside the HSM of the login server. User key K u can be as long as the operator of the website desires it to be, to (in this embodiment) a maximum of 128 bits. The User only needs to remember its index number k in the key ring. Instead of using a number, the User key may be remembered by some other means. For example, all keys on the key ring may be associated with icons or photos. The User then only needs to remember the photo or icon associated with the key for a particular website.

[0052] Moreover, K u can be modified on a frequent basis without any inconvenience to the User, as will be explained in more detail below.

[0053] As the User creates accounts with other websites, an increasing number of keys on the key ring will become active, and a decreasing number will be dummy keys. If a hacker were to obtain the key ring, it will be impossible to determine which of the keys are active and which are dummies, or for what website a key may be usable. Unauthorized access to the website is virtually excluded, because the hacker would not be able to use the key ring without knowing the UserlD. Security can be enhanced further by storing the Key Ring in a secure area. [0054] Algorithm 1 shows the account creation steps on the side of the User:

Algorithm 2 shows the account operation steps on the side of the Login Server:

2. Login in a Static Secret Key Environment [0055] The simplest login protocol applies to embodiments in which the Secret Key is static, that is, it is not changed. The login protocol proceeds as follows. [0056] When the User connects to the Web Server the latter communicates the value of n, that is, the number of bits in a key, to the User. The User' s computer generates a pseudorandom number R u , and encrypts this number with the user key K u , which was put on the User' s key ring at index k during the account setup procedure:

[0057] The User' s computer also re-calculates the value U h . The values A u and U h are communicated to the web server. In addition the User's computer calculates a hash value B u of the pseudo-random number R u .

Value B u is temporarily stored in the User's computer.

[0058] The Web Server looks up encrypted site key K a based on the received value U h , and sends values A u , K a and n to the Login Server. In case n is static, the login server may have the value n stored in memory, so that this value does not need to be communicated.

[0059] The login server carries out a number of calculations within the HSM. It decrypts K a and regenerates the User key K u , using the same calculations that were used during the account setup procedure:

[0060] It then uses K u to decrypt A u .

[0061] In addition the login server calculates a hash value B s of R„ [0062] The value B S may be returned to the User, allowing the User to verify the authenticity of the website. Alternatively, in case the login server has possession of the private portion K LS of a signing key pair, the value B S may be replaced with a signature thereof with the signing key K LS :

In this case the signature is sent to the User, not the value B S itself. The User combines B S and B U and conducts a verify on this combination.

[0063] In addition the login server may generate a pseudo-random number R s , which is encrypted and can be used to verify the bona fides of the User:

R Rando R s

0 R u

[0064] The login server sends Q S , B S and P S to the web server, which forwards B S and P S to the User. The value Q s is temporarily stored by the web server. The User's computer compares B S and B U . If the two values are identical the User knows that the website is legitimate, and identical to the website with which the account has previously been set up. If the two values are not identical the User should abort the login attempt.

[0065] If B S matches B U , the User' s computer proceeds to decrypt P S to obtain R s , and calculates a hash of R s :

The value Q u is returned to the Web Server. If Q u matches Q s the Web Server has confirmation that the User has possession of K U , and the User is logged in. Both values Q S and Q U are erased.

[0066] The login procedure is very similar in case a dynamic secret key is used, but the key held by the User is up to date. This procedure is summarized in Table 2.

In the embodiment of Table 2 ^ is used by the login server, instead of K u .

[0067] The login procedure does not involve communication of a UserlD or a password. Instead, meaningless strings of numbers are communicated. Successful interception of communications between the User and the Web Server does not provide a hacker with any tools that could be used for an illegitimate login attempt.

3. Login in a dynamic Secret Key environment

[0068] For added security a new Secret Key may be created and added to array S from time to time. The Secret Key is never communicated outside the HSM, and is not particularly vulnerable to a security attack. The corresponding User key K u , however, is stored on a User's computer and therefore far more vulnerable to a security attack than the Secret Key itself. The User key can be updated after the Secret Key has been changed in a manner that does not require any intervention on the part of the User, as illustrated by the following example.

[0069] A new Secret Key S[0J is created on a schedule determined by the login server. The Secret Key in position S[m-1] s removed from the array. All other Secret Keys are moved up one position in the array, so that position S[0J becomes free for the new Secret Key. The oldest Secret Key in array S is only deleted if necessary to avoid that the number of Secret Key s in array S exceeds a predetermined number m. If the Secret Key is unchanged since the last successful login attempt by the User, the User Key K u held by the User is up to date, and the login attempt will be successful.

[0070] If, however, the Secret Key has been modified since the User's last successful login attempt, the User Key K u held by the User is not up to date, and the value B s does not match B u . In a dynamic Secret Key environment this does not lead to a failed login attempt. Instead, the web server instructs the login server to increment the value i by one. In other words, the login server is instructed to repeat the login protocol with the most recent old key S[i+lJ. If the User's last successful login attempt was made when S[i+1] was the current Secret Key, the User Key held by the User corresponds to this Secret Key, and the login will be successful at this second try. If not, the value of i may again be incremented by one, and the login protocol may be repeated with the next youngest old Secret Key. The web server may put a limit on the number of iterations, so that a User holding a very old User Key may need to request an account reset, or repeat the account setup procedure. [0071] When a successful login attempt has been made with an old User Key, the session is used to update the User Key. The new User Key is calculated in a manner similar to the account setup protocol. The new User Key R s is encrypted with the old User Key K u , so that the User will be able to decrypt it:

[0072] The User' s computer decrypts P s and stores it in the Key Ring, overwriting the old key the User has just used:

whereby all bits of ZfkJ are replaced. [0073] The User does not need to be aware that any of this takes place. The User simply remembers the index number k for the key that is used for logging in to this particular website. The User may not know whether, or how often, the key is changed.

[0074] Table 3 summarizes the login procedure for a dynamic Secret Key environment:

[0075] The procedure is similar to that of Table 2, but because in the first attempt an invalid key was used, the web server concludes that Q u (being zero) is not equal to Q s . This leads the web server to increment index / by 1, that is, to instruct the login server to repeat the calculations with i=\ . This loop is repeated until a working key is found, or the limit m of value i is reached.

[0076] By way of example, a web site may replace its Secret Key once a month, and may permit access to "active" users who have accessed the web site less than a year prior. The active key set of this web site holds twelve keys, the current key and the eleven most recent old keys. The value of m in this example is 12. If a user makes a login attempt with a key that is more than 12 months old, this user will be denied access. This is summarized in Table 4.

[0077] Note that also in Table 4 K s is used instead of K a .

[0078] The roles of the User, the Web Server and the Login Server are outlined in

Algorithms 3, 4 and 5, respectively:

[0079] Thus, the invention has been described by reference to certain embodiments discussed above. It will be recognized that these embodiments are susceptible to various modifications and alternative forms well known to those of skill in the art. For example, the login protocol may be modified by having the web server decide the value of i based on the most recent successful login attempt of the User, so that the correct Secret key is used in the first.

[0080] Many modifications in addition to those described above may be made to the structures and techniques described herein without departing from the spirit and scope of the invention. Accordingly, although specific embodiments have been described, these are examples only and are not limiting upon the scope of the invention.