1. Field of the Invention
The present invention relates generally to the field of secure communications between remote devices. More particularly, the invention relates to ensuring the authenticity of communications using passwords and encryption keys.
2. Description of the Related Art
Terminals on a computer network normally communicate over an electronic communication path that is open to everyone with access to the network. In each communicated packet, each terminal normally will identify itself with a header in each packet. In a closed network, these identification packets can be trusted as well as each terminal user on the network can be trusted. In an open network, for example the internet, and in networks that are insecure, such as wireless local area networks and wide area networks, it may be possible for outsiders to assume the identity of a user or terminal and gain access to the network without authorization. This can threaten the security and viability of the network. In e-commerce applications, it can result in purchases being made using someone else's identity.
Currently digital signatures are used in internet transactions in order to authenticate a user, i.e. determine that the user is who it purports to be. However, even in such systems the encrypted password is sent over the accessible network. In such networks, due to the normally insecure nature of the communication path, an encrypted password can be seen by anyone with access to the network including service providers and web administrators. In order to break the system security, it may not be necessary to decrypt the password. Sending the encrypted password may allow access to network transactions. Encrypting the password as is done with digital signature algorithms does not guarantee security because the protocol typically used in a net transaction will log the encrypted password with the user identification in files that may be accessible to outsiders. To eliminate this possibility, the password must be changed after every transaction. This requires, however, that the initiating request be unencrypted until the passwords are reset.
Some network systems, e.g. TCP/IP (Transfer Control Protocol/Internet Protocol) use sockets for identification. This provides another accessible location where passwords and user identities may be stored. The Secure Sockets Layer (SSL) and Transport Layer Security(TLS) protocols are widely used for e-commerce security on the World Wide Web, verifying the authenticity of Web sites, encrypting the transfer of sensitive data, and ensuring the integrity of information exchanged. SSL encrypts all messages beginning with identification but it requires RSA encryption (a patented public key encryption algorithm named for its developers Rivest, Shamir and Adleman). Another approach is Open SSH, a secure shell suite providing encryption for network services like remote login or remote file transfer. Open SSH encrypts all traffic (including passwords) to reduce eavesdropping, connection hijacking, and other network-level attacks. Additionally, Open SSH provides some secure tunnelling capabilities. These programs and many others use the complexity of the encryption algorithms to create the security. In both RSA and DES encryption significant computer resources are consumed in performing the encryption and encryption.
Accordingly, existing authentication systems do not provide enough security. Passwords can be captured either from a register in the server or the client or from the communications path. Even if the passwords are encrypted, they may still be used. In addition, the additional burden of encryption can tax the computational resources of the network. The present invention provides a flexible, scalable authentication approach. Users can be safely, accurately and securely identified. Passwords are very well protected and are not openly communicated. Instead a unique temporary identification code is sent. The identification code is changed frequently and is determined in a way that cannot be perceived by examining the transmitted messages. In addition, the present invention includes a counting mechanism using ordered random strings. This allows the system to easily track usage and cause passwords to expire after a certain amount of time or a certain amount of use. The passwords are also very well protected on the communicating terminals. While encryption is used, the values that are encrypted are small so that even very complex encryption can be performed without unduly burdening the resources available.