The present invention relates to methods of, and computer programs and systems for, controlling access to a resource via a computing device.
Data stored in storage media in computer systems is commonly protected by a password or security code to prevent unauthorized access of the data. For applications where high levels of security are required, data may be stored in an encrypted form so that it cannot be read by an unauthorized user who gains access to it.
Cryptographic algorithms are used to encrypt data using an encryption key and fall into two main categories. Asymmetric key algorithms use a pair of cryptographic keys, one of which (commonly referred to as a public key) is used to encrypt data and another of which (commonly referred to as a private key) is used to decrypt data. Symmetric key algorithms encrypt and decrypt data using a single cryptographic key. Once encrypted, the data is unreadable to anyone except those who possess, or are able to generate, the cryptographic key to transform encrypted data into a readable form that can be displayed to the user. The cryptographic key is a security code comprising a string of bits that is input to the encryption algorithm with data to transform the data to/from encrypted form. It is desirable that the string of bits be long enough to provide a sufficient level of unpredictability, or entropy, such that an unauthorized user cannot guess or otherwise break the key by, for example, trying different possible combinations of bits, and decrypt the data.
Typically, users are not required to input the cryptographic key directly, since in secure systems the string of data is too long to be easily remembered or input. More commonly, the user enters a password that is known, or available, only to authorized users, and which is converted using a mathematical transformation such as a hash function into a security code. The security code may then be used as the cryptographic key, or may be used as a seed for the cryptographic key, to encrypt or decrypt data. Commonly, passwords used for these purposes are alphanumeric. Passwords chosen by users tend to have poor entropy and are therefore vulnerable to so-called “shoulder-surfing” attacks in which an unauthorized user observes an authorized user entering their password. To reduce the risk of such attacks and improve security of stored data, these alphanumeric passwords may be generated as one-time passcodes (OTPs). OTPs may be generated, for example, by providing the user with a “tag”, “token” or other device containing logic for generating a time and/or event dependent code. Systems that employ OTP verification typically use a hash function to combine a time value or event/sequence number with a secret seed value to produce a set of digits that the user must input to a computing device that is being used to access stored data.
In OTP authentication systems that enable offline authentication, such as the Disconnected Authentication scheme developed by RSA Security Inc., a set of short-term verification codes (for example, possible OTP values) is downloaded from an authentication server to a local system to be subsequently used to verify OTP values presented by a user if the server is unavailable (for example, if the local system does not have a direct connection to a server). However, such systems require that the local device or system connects to the authentication server periodically to download an updated set of verification codes.
It is an object of the present invention to at least mitigate some of the problems of the prior art.