1. Field of the Invention
The invention relates to improvements to data processing systems in which access of a user to one or more programs, for example applications, is controlled by one or more credentials.
2. Description of the Prior Art
The security of a data processing system, and in particular the security of access to programs such as operating systems or applications (home banking, e-commerce, etc.), is based on authentication of the user by means of static credentials which usually consist of a name assigned to the user (their “login name”) and a static password.
In the remainder of this document the expression “data processing system” means any system comprising a personal computer, a telephone, a mobile telephone, or a personal digital assistant, etc. enabling a user to execute either a local application or the client part of an application, for example in the context of a client-server architecture.
Authentication protocols based on a user knowing a static password are known in the art:
- basic authentication: the password is transmitted in clear to a server-end authentication module;
- encrypted password: a session key is transmitted using a public key algorithm (for example a DIFFIE-HELLMAN algorithm), which enables a secure channel to be set up between two entities via which the password is transmitted, without it being necessary for those entities to share a secret password between them beforehand;
- digest authentication: the client part of the application encrypts the password (or a digest of the password) using a challenge sent by the server-end authentication module;
- Kerberos: the credentials are transmitted to the user by the server-end authentication module, encrypted using the user's password, so that only the user can use the credentials.
However, static passwords are vulnerable in a number of ways, because they can be divulged (if knowledge of the password is gained legitimately or fraudulently by a third person), broken if they are weak (passwords used repetitively without modification, short passwords, dictionary attack), discovered by tapping a communication line or emulating an authentication server, or replayed by reproducing an authentication sequence.
To remedy the above drawbacks it is known in the art to use other mechanisms which are more secure than static passwords.
A first solution known in the art consists of using dynamic passwords, i.e. passwords which are modified each time they are used. Dynamic passwords can be synchronous (modified synchronously at the user end and at the server end, for example as a function of the time and/or the number of uses) or asynchronous (on each access request the server-end authentication module generates a different random challenge which is transmitted to the user end to generate the dynamic password by means of an appropriate algorithm). In either case (synchronous or asynchronous passwords), secret keys are shared at the server end and the user end. At the user end, the dynamic passwords can be generated by a personal security device (PSD) such as a smart card, a secure portable electronic device (“token”), etc.
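As an added illustration of the asynchronous dynamic-password exchange described above (example code, not part of the patent text): the server-end authentication module issues a random challenge, the user-end PSD derives the one-time response from the challenge and the shared secret, and the server accepts each challenge only once, so a response captured on the line cannot be replayed. The use of HMAC-SHA256 as the "appropriate algorithm", the constructed shared secret and all names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret, provisioned to both the server and the user's PSD.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


class AuthServer:
    """Server-end authentication module for asynchronous dynamic passwords."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # login name -> outstanding challenge (one per request)

    def issue_challenge(self, login: str) -> bytes:
        """Generate a fresh random challenge for this access request."""
        challenge = secrets.token_bytes(16)
        self._pending[login] = challenge
        return challenge

    def verify(self, login: str, response: bytes) -> bool:
        """Check the response; the challenge is consumed whether or not it matches."""
        challenge = self._pending.pop(login, None)
        if challenge is None:
            return False  # no outstanding challenge: nothing to authenticate against
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def psd_response(secret: bytes, challenge: bytes) -> bytes:
    """User-end PSD: derive the dynamic password from the server's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_exchange() -> tuple:
    """Legitimate login followed by a replay of the captured response."""
    server = AuthServer(SHARED_SECRET)
    challenge = server.issue_challenge("alice")
    response = psd_response(SHARED_SECRET, challenge)  # observed on the line
    first = server.verify("alice", response)
    # A third party replays the captured response against the next challenge.
    server.issue_challenge("alice")
    replayed = server.verify("alice", response)
    return first, replayed  # (True, False)
```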
Another solution uses public key cryptographic systems, the user holding a private key and the public key being certified by a certification authority. An authentication sequence using a system of this kind can proceed as follows:
- the user transmits a certificate (containing their login name, public key, address, etc.) to the server;
- on receiving the certificate, the authentication module of the server generates a challenge and sends it to the user;
- the user signs the challenge using their private key; and
- the authentication module verifies the signed challenge using the public key and authenticates the user if there is a match.
Solutions based on a dynamic password or public key replace authentication mechanisms based on a static password or call on an external authentication server.
It is also known in the art to use a single sign on (SSO) server (password server) by means of which, through a single authentication and authorization process, a user can access all computers and systems they are authorized to access without having to enter many different passwords. Once they have been authenticated, by an authentication process employing a strong password (a password including a large number of characters), the user can request the password server to execute an application. The password server then loads into the user's terminal a set of data including the user's credentials for the requested application, enabling the terminal to start running the application. However, this solution requires a specific authentication (SSO) server and is still based on a first authentication of the user vis-à-vis that server on the basis of a static password.