U.S. patent application Ser. No. 08/552,029, filed Nov. 2, 1995, now U.S. Pat. No. 5,960,086 issued on Sep. 28, 1999, herein incorporated by reference in its entirety, discloses unified end-to-end security methods and systems for operating on insecure networks. In the '029 application, systems and methods are provided which allow a working key (i.e. the key used to encrypt a message) to be used only once and then changed in a manner which is essentially random, fast and unique to each user. In accordance with the invention disclosed in the '029 application, a user accessing a network computer is issued a randomly selected bit stream of a given length, typically 10,000 bytes for an individual user and of the order of megabytes for a computer node. This bit stream, called the "master signature", is divided into bytes, and each byte is assigned a byte address. Thus, each byte can be uniquely identified by its address, and when a byte is addressed, the bits making up that byte can be read out.

In one embodiment of the '029 application, a split signature, asymmetric mode technique is used to secure communications between a computer and its users. From the computer's "master signature", a portion is randomly selected. This portion, called the "access signature", is placed at the user. The computer, which could be at a bank or any service provider, retains the corresponding addresses filed under the user's I.D. The access signature retains both the bit information in the bytes selected from the master signature and the addresses of those bytes in the master signature. To establish a secure communication session between a bank and a user, each side selects a random set of addresses from the user's access signature. These independently chosen sets of addresses are exchanged between the sides. Each side, the bank and the user, now having both sets of addresses, reads out the corresponding byte contents, which determine a unique session signature.
Of importance, the particular bytes making up the session signature are never transmitted between the bank computer and the user. All that is transmitted are the addresses of the bytes making up the session signature. Both the user's terminal and the bank's computer have the identical session signature (also called the "session key").
With this process, the session keys at both the user's terminal and the bank's computer have been synchronized without ever transmitting the session key over any type of network. Of importance, the session signature is never transmitted in any form, encrypted or otherwise, over any network.
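The following Python simulation of the split-signature exchange just described is an added illustration, not code from the '029 application or from any product built on it. The class and function names (`ServiceProvider`, `enroll`, `establish_session`, `demo`), the 64 KiB master signature and the 16-address picks per side are assumptions chosen for the example; the provider keeps only the addresses filed under the user's ID and rejects any address it never issued to that user.

```python
import random

class ServiceProvider:
    """Holds the master signature and files each user's byte addresses under their ID."""
    def __init__(self, master: bytes):
        self.master = master
        self.user_addresses: dict[str, set[int]] = {}

    def enroll(self, user_id: str, n_bytes: int, rng: random.Random) -> dict[int, int]:
        # Randomly select n_bytes of the master signature. The user receives the byte
        # values together with their master addresses (the "access signature");
        # the provider keeps only the addresses, since it can re-read the master.
        addrs = rng.sample(range(len(self.master)), n_bytes)
        self.user_addresses[user_id] = set(addrs)
        return {a: self.master[a] for a in addrs}

    def byte_at(self, user_id: str, addr: int) -> int:
        # Refuse addresses that were never issued to this user.
        if addr not in self.user_addresses[user_id]:
            raise ValueError(f"address {addr} is not in {user_id}'s access signature")
        return self.master[addr]

def pick_addresses(addresses, k: int, rng: random.Random) -> list[int]:
    """Each side independently draws k random addresses from the access signature."""
    return rng.sample(sorted(addresses), k)

def session_signature(user_picks, provider_picks, byte_at) -> bytes:
    # Both sides read the bytes at the exchanged addresses in the same agreed order
    # (user's picks, then provider's). Only the addresses ever crossed the wire.
    return bytes(byte_at(a) for a in list(user_picks) + list(provider_picks))

def establish_session(provider, user_id, access, k, user_rng, provider_rng):
    """Return (user_key, provider_key, addresses_transmitted)."""
    user_picks = pick_addresses(access, k, user_rng)
    provider_picks = pick_addresses(provider.user_addresses[user_id], k, provider_rng)
    user_key = session_signature(user_picks, provider_picks, access.__getitem__)
    provider_key = session_signature(user_picks, provider_picks,
                                     lambda a: provider.byte_at(user_id, a))
    return user_key, provider_key, user_picks + provider_picks

def demo(seed: int):
    """Deterministic run on a constructed 64 KiB master; real use would draw from secrets."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(1 << 16))  # constructed sample master
    provider = ServiceProvider(master)
    access = provider.enroll("alice", 10_000, rng)  # 10,000-byte access signature, as in the text
    return establish_session(provider, "alice", access, 16, rng, rng)
```

Running `demo(1)` returns identical 32-byte keys on both sides while the only values in `addresses_transmitted` are integer byte addresses; a seeded `random.Random` is used purely so the run is reproducible.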
The invention in the '029 application provides a unique key which is capable of being changed before each transaction between a user and a central computer and which allows great flexibility, ease and reliability of key management, and high speed performance.