Public/private key cryptography is in widespread use throughout the Internet and the World Wide Web and is relied on to prevent hackers, thieves, or other malicious individuals, parties, or governments from intercepting and decrypting personal, private, or otherwise sensitive information. Increasingly, however, these malicious parties are able to overcome and/or circumvent standard public/private key cryptography. At its core, this kind of cryptography relies on its complexity for its security; the system relies on the fact that malicious third parties will not have access to computers powerful enough to, for example, find the prime factors of large numbers in real time (or in near-real time) and thereby crack the encryption with a brute-force attack. As computers become more powerful, however, and new types of computers (especially quantum computers) become more readily realizable, this assumption becomes less and less valid.
In addition to brute-force attacks, hackers have become adept at undermining, circumventing, or weakening standard public/private key cryptography such that a brute-force attack is not required. For example, malware surreptitiously installed on a client computer may log a user's keystrokes, and a script injection attack can acquire credentials as a user is typing them in, or modify the script so that HTTPS or any other secure protocol is completely disabled and credentials are thereafter transmitted in plaintext without the user's knowledge. Typically, once credentials are acquired by a third party intending to sign in, no brute-force attack on the user's encryption method is required. Similarly, a phishing attempt (via a web page, email, or malware application) may acquire the user's log-in name and password directly. Existing public/private key cryptography utilizes a trusted signing authority; a malicious third party may corrupt and/or stand in the place of this trusted signer and thereby weaken or eliminate the user's encryption (even if the user is presented with a warning that the signing authority is not recognized, the user may click through anyway). Finally, the public/private key encryption algorithms themselves may be attacked and weakened by a third party, the government, or even the designer, for example by coercing a business or service to use weaker encryption algorithms and/or to generate weak random numbers (i.e., numbers that purport to be random but exhibit some pattern or history known to the malicious third party). Moreover, the best-performing, most popular encryption algorithms today, Blowfish and AES, have a built-in key-size limitation, which degrades their ability to stand the test of time and will eventually render them useless as computing power continues to improve.
For any or all of these reasons, a need therefore exists for a system and method for securely a) creating a key that is unbreakable by a brute-force attack of one or more computers and that is able to stand the test of time as computer CPU capacity improves, b) definitively establishing a connection between entities on a computer network, c) detecting the presence of malware or an unauthorized participant to the transmissions, d) transmitting sensitive information in an un-hackable format therebetween, e) monitoring the session and client state by the server, so that when an attack is detected an unaware, inattentive, or negligent user cannot simply bypass warning messages and log into a corrupt session, and f) allowing key size and encryption strength to grow automatically to compensate for faster computers capable of attacking ciphers with brute force.