1. Technical Field
This invention relates generally to password authentication of a user, and specifically to a system and method for verification of a password by a signing authority while protecting the password from malicious users.
2. Description of the Related Art
When a user seeks to be authenticated and registered by a signing or certification authority, typically the user must provide initial authentication data to the authority. Such authentication data often comprises at least a password or a personal identification number (PIN), and preferably both. As is known in the art, when a user seeks authentication, the user enters the password or PIN at a client machine, which transmits the authentication data to the authenticating server for verification. If the authentication data is verified, then the user is authenticated by the server and can then be registered by the signing authority.
Because the user must submit a password or PIN in order to be authenticated, there is the potential that the authentication data may be intercepted by a malicious user if the communications between the user and the authenticating server are intercepted. Even if the authentication data is hashed, there is a risk that a malicious user, in possession of the hashed information, may launch a brute force attack in order to guess the password or PIN.
While it is known to configure a server to disable login or authentication attempts after a predetermined number of failed attempts, it is desirable to provide a system and method that further discourages brute force attacks on an authentication server. It is further desirable to provide a system and method for authenticating a user that does not require the transmission of authentication data either in the clear or in a hashed form.