The increase in electronic commerce in recent years has also led to a rapid growth in computer crime. In particular, financial transactions over computer networks proved to be a major target of attacks, where the attackers are using a variety of techniques such as phishing. As an example, at the time of this writing, almost all major banks worldwide are under attack by various forms of identity theft, and while the financial losses are significant, the more important danger is that of bank users losing confidence in online banking.
It has become clear that the old recipes for protecting client-server connections over insecure networks (as e.g. user passwords or their combination with one-time passwords) no longer provide the necessary level of security. Attackers use a combination of more and more advanced techniques, such as man-in-the-middle attacks, phishing, DNS spoofing, and malware (e.g. viruses and Trojan horses). In this context, new protection techniques are required to secure financial online transactions.
The present invention can prevent most man-in-the-middle, phishing, and malware attacks on for example net bank applications, online investment applications, and online entertainment applications.
Nomenclature
Some of the terms used in this document are described in the following:
Argument: An input, e.g. to a function, a server, or a HTTP request
    Asymmetric key: A cryptographic key to be used in an asymmetric algorithm.    Asymmetric algorithm: An algorithm using one key for encryption and another key for decryption or an algorithm using one key for signing and another key for verifying the signature, Can for example be RSA or ECC.    Authentication tag: See tag.    Block cipher: An encryption/decryption algorithm operating on plaintext/ciphertext blocks of fixed length. Can for example be AES or 3DES. Also see [Sc96] pp. 4 and 189-211.    Cipher: See encryption/decryption algorithm.    Ciphertext: An encrypted string.    Client application: A computer program that can connect to a server application. An application being a client towards a server might also be a server towards another client.    Composition: In this text, the composition of a function or algorithm that is different for each copy denotes the functionality of the specific function or algorithm in a specific copy. For example, one composition can be f(x)=3x+4 and another composition can be f(x)=7x−2.    Computer-executable program file: For example an .exe, .dll, .ocx, class, or jar file.    Copy: Two different copies of a computer program have the same overall features but may have different internal functions, e.g. key generators.    Cryptographic algorithm/function: In this text, this denotes a mathematical function (or its implementation) that is used for communication or storage in the presence of an adversary. Examples include encryption/decryption algorithms, message authentication codes (MAC), or hash functions.    Digital document: Includes HTML, XHTML, XML, PDF, word process files, and spread sheet files.    Encryption/decryption algorithm: An encryption algorithm encodes data under a key such that it cannot be distinguished from random data. A decryption algorithm reverses the encryption algorithm and restores the original data, using a key. Can e.g. be a block cipher, a stream cipher or an asymmetric cipher. Also see [Sc96] pp. 1-5.    Hash function: A function that takes a string of any length as input and returns a string of fixed length as output. The function achieves a strong mixing of the string, and its output can be used as a short identifier for the input. Examples are collision resistant hash functions, one-way functions, or any family of pseudo-random functions). Also see [Sc96] pp. 30-31.    IV: Initialization vector. A publicly known string that is used to avoid that a cryptographic algorithm always produces the same output.    Key: A string usually known only by some parties. Keys are used as input to cryptographic algorithms. Also see [Sc96] p. 3.    MAC function: A message authentication code (or MAC) takes a key and a data string as input and produces an authentication tag as output. If the key is a secret shared by sender and receiver and if the tag is appended to the message, the receiver can re-run the MAC to verify that the data has not modified since it was written. Also see [Sc96] p. 31.    One-time password (OTP) or one-time key (OTK): A key or password used only once, e.g. for authenticating a user.    Plaintext: An un-encrypted string.    PRNG: A pseudo-random number generator (or PRNG) takes a seed as input and generates an output string of arbitrary length. If the key is not known, the output string cannot be distinguished from random. Also see “pseudorandom sequence generator” in [Sc96] pp. 44-45.    Request: A digital document is requested from one party from another party. Includes HTTP requests, e.g. using the GET or POST methods.    Seed: Input to a PRNG.    Server application: A computer program that can receive connections from a client application and/or provide services to a client application.    Server: Software (i.e. server application), hardware, or combination thereof that can receive connections from a client application and/or provide services to a client application.    Source code: For example the content of a .java, .c, .cpp, .h, or .pas file.    Stream cipher: An encryption/decryption algorithm operating on streams of plaintext or ciphertext. Also see [Sc96] pp. 4, 189, and 197-199.    String: A block of data. Can be a text string (a set of characters) or a binary string (a set of bits).    Symmetric key: A cryptographic key to be used in a symmetric algorithm.    Symmetric algorithm: An algorithm using the same key for both encryption and decryption or for both creating an authentication tag and verifying an authentication tag. Can for example be a block cipher, a stream cipher, or a MAC function,    Tag: Output of a MAC function.    Time stamp: A string containing information about date and/or time of day.    Version: Two different versions of a computer program have different features. Usually, a new version has more or better features than the previous version.    XOR: Binary operation often denoted by ⊕. 0 ⊕0=0, 0 ⊕1=1, 1 ⊕0=1, and 1 ⊕1=0.    [Sc96]: Bruce Schneier, Applied Cryptography, John Wiley & Sons, 1996.