AMENDED CLAIMS received by the International Bureau on 19 March 2007 (19.03.2007)
+ STATEMENT
1) I claim a symmetric encryption key system, a system for authenticating and securing Internet Contract/Network transactions by providing one symmetric encryption key for each object, two symmetric encryption keys for each transaction and a plurality of symmetric encryption keys for a session, wherein authenticating user using a single variable password at the beginning of a session, using a single encryption key for securing a session having a plurality of transactions, characterized in that: (a) authenticating USER/Previously Unknown USER, using one variable Password for each transaction and a plurality of variable Passwords for a session having a plurality of transactions, using the said plurality of variable Passwords and Calls for said plurality of variable Passwords as encryption keys, thus obtaining two encryption keys per transaction and a plurality of encryption keys per session; (b) securing every single object employing one encryption key for each object, the said single object includes all communications arising from one lap of a transaction between USER/Previously Unknown USER and SERVICE PROVIDER, the said communications include files, message packets, Call, Password/encryption keys bundled into a single folder; (c) securing of every single transaction between USER/Previously Unknown USER and SERVICE PROVIDER employing two encryption keys per transaction of two consecutive laps, one lap from USER to SERVICE PROVIDER, the other lap from SERVICE PROVIDER to USER; (d) the first of the said two encryption keys per transaction, furnished by USER/Previously Unknown USER as Password/encryption key, the second of the said two encryption keys per transaction generated by concatenating the 'Call', excluding the first Call of session, available from the system; (e) employing a plurality of encryption keys per session, half the number of the said plurality of encryption keys provided by at least one method of (f) generating a plurality of encryption keys from a single initial Password/Encryption Key furnished by USER/Previously Unknown USER in step (d), using a software termed as USER AGENT SOFTWARE, and (g) direct keying in by USER/Previously Unknown USER for every transaction; (h) the second half of the number of the said plurality of encryption keys generated by concatenating the 'Call' available from the system; (i) initiating secure session of plurality of transactions making a Call termed as the first Call of session, in open network, the said first Call identifying the first encryption key to be used for securing the first object of the first transaction between USER and SERVICE PROVIDER, the said Call decipherable only between USER/Previously Unknown USER and SERVICE PROVIDER, whereby secure communication link is established only with the authorized, preventing unauthorised substitutions and clandestine diversions of the said secure communication; (j) continuously changing encryption keys at the rate of one encryption key for each lap of transaction, the said changing of encryption keys integrated in the system, dispensing with the effort for prior communication of encryption keys; (k) the said continuously changing encryption keys decipherable only at the Internet Protocol address wherefrom the USER/Previously Unknown USER/SERVICE PROVIDER commenced transaction and upon furnishing valid Password for each object; (l) steps (i) to (k) ensuring continuous link between USER/Previously Unknown USER and SERVICE PROVIDER from the first to the last transaction, preventing attacks such as intrusions, spoofing, sniffing, substitutions, diversions and remote operations by unauthorised; (m) incorporating functions upgrading capability of encryption keys; (n) comprising: (n1) a second system of authentication devices, (n2) font/distinguishing property modification of the said second system of authentication devices, (n3) transformation of the said second system of authentication devices, (n4) a key generation process generating two Encryption Keys per transaction, (n5) generating a plurality of Encryption Keys from a single Password/Encryption Key using (n6) a software, (n7) padding of encryption keys, (n8) preventing breach attempts on encryption key during/after the session and (n9) methods of using the said encryption key system for authenticating and securing of every individual Internet Contract/Network transaction of USERs/previously unknown USERs; (o) the said system implemented by a data processor loaded with software implementing the system for USER and SERVICE PROVIDER, connected by communication network.
2) The system claimed in any preceding claim, (a) USER is a person or a process or software or specified sector(s) of data storage media or a system or server or a Network or any thing that uses a Password/Encryption key for authentication and securing transactions; (b) a previously unknown USER is a USER having a USER account with an Internet SERVICE PROVIDER or Network server but is yet to establish a USER account with a SERVICE PROVIDER with whom such USER wants to transact, and includes first time/temporary USERs/short duration USERs excused from having a USER account, such as participants in auctions; (c) SERVICE PROVIDER is a person or a process or software or specified sector(s) of data storage media or a system or server or a Network or any thing who/which provides access to the USER upon furnishing of valid Password/Encryption key for authentication/securing transactions.
3) The system claimed in any preceding claim, (a) Internet Contract transaction is an Internet transaction between USER and SERVICE PROVIDER which has a monetary or other value; (b) authentication/securing of every individual transaction is to authenticate/secure every transaction using different Password/Encryption keys from USER, either individually furnished by USER or generated from a single Password/Encryption key initially furnished by USER, the said encryption keys linked to the identity of USER.
4) The system claimed in any preceding claim, encryption keys generated using the said system include either one of (a) Bilaterally Generated Encryption Keys or Non Repeating Bilaterally Generated Encryption Keys and (b) Calls, excluding the first Call of session, concatenated, (c) the said encryption keys optionally padded to increase the strength of the said encryption keys.
5) The system claimed in any preceding claim, ensuring continuous link is to ensure both USER/USER Agent Software and SERVICE PROVIDER and the IP address from which USER/USER Agent Software and SERVICE PROVIDER are transacting remain one and the same from beginning to end of a session.
6) The system claimed in any preceding claim, incorporating functions upgrading capability of encryption keys is (a) preventing breach attempts on the encryption key during/after the session; (b) each one of the said plurality of encryption keys linked with USER'S identity, thus providing computationally non-intensive proof for each object of the transactions of USERs/previously unknown USERs and SERVICE PROVIDERS; the system dispensing with (c) pre-communication of public/symmetric keys, (d) mandatory memorisation, (e) need for third party certification/need to trust third parties; (f) the USER AGENT SOFTWARE relieving USER/Previously Unknown USER from further input of second and subsequent Passwords/encryption keys.
7) The system claimed in any preceding claim, providing proof for a transaction is to preserve the Call and Password/Encryption key of each transaction along with Internet Protocol address wherefrom USER transacted, date, time and USER details, including Internet Protocol address of Internet Service Provider/Network Server who forwarded the request of previously unknown USERs, as means of tracing source of objects in a direct and computationally non intensive manner as the proof of that transaction.
8) The system claimed in any preceding claim, preventing breach attempts on the encryption key is (a) when the USER and SERVICE PROVIDER are in session, (a1) USER failing to furnish the correct Encryption key within given chances resulting in aborted transaction; (a2) subsequent attempt taking place only after specified time and (a3) the USER furnishing two Encryption keys successively/furnishing twice the strength of single Encryption key, the said furnishing of Encryption key mandated in single chance; (a4) USER failing to furnish Encryption key in a two Encryption key Call or twice the strength of single Encryption key Call at first chance, is denied access until USER establishes his authenticity to the satisfaction of the SERVICE PROVIDER through other means; (b) when the USER and SERVICE PROVIDER are not in session and a USER attempts to open an encrypted message such as a saved message, (b1) the system after allowing specified number of chances, rejecting, noting the date and time of rejection and disallowing further attempts; (b2) the system creating a file having failed attempt data in the USER'S system, such file is created only if there is a failure, such file's access is restricted to the particular encrypted message by a Password, such Password is known only to SERVICE PROVIDER; (b3) USER mandated to contact the SERVICE PROVIDER to recover the message; (b4) recovery of such message shall be effected by SERVICE PROVIDER sending the Password to delete the file having failed attempt data; (b5) after deleting the file, USER is allowed to furnish the encryption key again, referring to authentication device, whereby breach attempts by unauthorised persons are prevented totally.
9) The system claimed in any preceding claim, methods of using the said encryption keys comprising authenticating and securing of every individual Internet Contract/Network transaction of (a) USER, with one Password/encryption key furnished by a USER for each transaction; (b) USER, with a plurality of different encryption keys, generating said plurality of different encryption keys from a single Password/Encryption key furnished by USER at the beginning of a session; (c) previously unknown USER with a plurality of different Password/Encryption keys, generating said plurality of different Password/Encryption keys from one Password/Encryption key furnished from a temporary authentication device by a previously unknown USER at the beginning of a session.
10) The system claimed in any preceding claim, temporary authentication device is an authentication device generated from said second system of authentication devices by SERVICE PROVIDER; the method of use comprising: (a) sending temporary authentication device to a second SERVICE PROVIDER known to a Previously Unknown USER, securely exchanging identification data of said Previously Unknown USER; (b) passing a second temporary authentication device, through the said second SERVICE PROVIDER, to the said Previously Unknown USER; (c) performing continuous mutual authentication and securing transactions of Previously Unknown USERs and SERVICE PROVIDER, using Password/encryption keys from the second temporary authentication device.
11) The system claimed in any preceding claim, the second system of authentication devices is the means of generating Passwords/Encryption Keys for authenticating/securing transactions of USERs and SERVICE PROVIDERS in Bilaterally Generated Encryption Keys System, the said second system of authentication devices printed/stored on a physical medium such as paper, digital form on a memory device and/or similar means for USER, stored in database with database connectivity for the SERVICE PROVIDER, comprising: (a) Variable Character Sets {VCS 1 to VCS 6}, (b) Master Variable Character Sets {MVCS 1}, (c) Sub Variable Character Sets and (d) Sub Variable Character Sets of Level 2 or below; wherein the functional combinations comprising: (e) both SERVICE PROVIDER and USER using Variable Character Set; (f) SERVICE PROVIDER using Master Variable Character Set with a Sub Variable Character Set expressed in brief form and USER using Sub Variable Character Set; (g) SERVICE PROVIDER using Master Variable Character Set with a Sub Variable Character Set of Level 2 or below expressed in brief form and USER using a Sub Variable Character Set of Level 2 or below, wherein at least one of the said combinations given herein as (e), (f) and (g) are used as the authentication device, wherein an authentication device of the said system further comprising: (h) an arrangement of a plurality of Character Units in which the Character Units are identified using unique Serial Number of Character Units; (i) the Character Unit consist of either one or a permutation of more than one Basic Character wherein the said random permutation includes repeating a Basic Character within same Character Unit; (j) the Basic Characters are selected from a plurality of characters including alphanumeric characters chosen from a plurality of languages/scripts/numbers/symbol systems including non familiar languages/scripts/numbers/symbol and graphical characters chosen from a plurality of representation of objects including diagrams, drawings, images, photos, pictures and sketches; (k) the characters are further differentiated by font/distinguishing properties; (l) memorization is dispensed with; (m) the Character Units of the said arrangement comprise of completely random characters; (n) the total number of Character Units in the authentication device is unrestricted by human memorisable level, removing the corresponding limit on Serial Number of Character Units imposable by memorization; (o) the Serial Number of Character Units identify corresponding Character Unit; no further relationship exists between Character Units and Serial Number of Character Units and no relationship exists among the Character Units in the said arrangement; (p) the said arrangement is free from algorithms/pattern forming methods requiring recalling and implementation of the said algorithms/pattern forming methods to produce Password; (q) the authentication devices produce Passwords of chosen level of safety; (r) the functional combinations given herein as (f) and (g), facilitating single authentication device providing required number of related sub authentication devices for assigning to a plurality of USERs/USER groups/uses, reducing data storage requirement of SERVICE PROVIDER, providing ease of identifying Character Units in programs in terms of Serial Number of Character Units of Master Variable Character Set; (s) facilitating classification of USERs and generation of several Passwords from single Password initially furnished by a USER linking with identity of USER.
12) The system claimed in any preceding claim, in the second system of authentication devices, method of generating and using a Variable Character Set comprising the steps of (a) selecting the required number of Character Units; (b) arranging the Character Units in any one form of lists, tables, arrays and matrices, in which each of the Character Unit is distinctly identifiable and easily readable; (c) assigning unique Serial Number of Character Unit to identify each Character Unit in Variable Character Set; (d) specifying the method of identifying/calculating the Serial Number of Character Unit, facilitating USER to read the Character Units corresponding to the Serial Number of Character Units; (e) ensuring that the Character Units and the Serial Number of Character Units are unrelated and the Character Units of a Variable Character Set are unrelated to each other; (f) printing the said arrangement in a physical medium such as paper, digital form optionally in encrypted file form and/or similar means; (g) SERVICE PROVIDER and USER storing the arrangement securely in a memory device; (h) optionally, SERVICE PROVIDER validating USER generated Variable Character Set for compliance of the above steps (a) to (g); wherein (i) USER upon being a Previously Unknown USER to a SERVICE PROVIDER but known to a second SERVICE PROVIDER, passing the said Variable Character Set to the said Previously Unknown USER through the said second SERVICE PROVIDER, the said passing of Variable Character Set is in encrypted form and decrypting key and method sent directly by SERVICE PROVIDER.
13) The system claimed in any preceding claim, in the second system of authentication devices, method of generating and using a Master Variable Character Set comprising the steps of (a) generating a Variable Character Set and designating it as the Master Variable Character Set; (b) upon generation of Sub Variable Character Sets by USERs, generating the Master Variable Character Set by combining the said USER generated Sub Variable Character Sets of all USERs of a SERVICE PROVIDER, as continuous and non-overlapping lists or tables or arrays or matrices; (c) storing and using the arrangement securely by SERVICE PROVIDER.
14) The system claimed in any preceding claim, in the second system of authentication devices, method of generating and using Sub Variable Character Set comprising the steps of (a) selecting the total number of Character Units of the Sub Variable Character Set; (b) identifying Serial Number of Character Units of the Master Variable Character Set, the method of identifying the said Serial Number of Character Units adopting at least one of the following ways: (b1) specifying rules of selection such as criteria for filtering data, (b2) specifying discrete numbers, (b3) specifying continuous numbers and (b4) specifying random sequences; the Character Units corresponding to the identified Serial Number of Character Units constituting the Sub Variable Character Set; (c) selecting Character Units including a limited number of Character Units of other Sub Variable Character Sets, duly ensuring that no specific relationship exists between Character Units of Sub Variable Character Sets of same origin; (d) arranging Character Units selected as per steps (a) to (c) herein into any one of the form of lists, tables, arrays and matrices, in which each of the Character Unit is distinctly identifiable and easily readable; (e) assigning unique Serial Number of Character Units, independent of Serial Number of Character Units of Master Variable Character Set, to identify each Character Unit in the Sub Variable Character Set; (f) specifying the method of identifying/calculating the Serial Number of Character Unit, facilitating USER to read the Character Units corresponding to the Serial Number of Character Units; (g) ensuring Character Units and Serial Number of Character Units are unrelated and the Character Units of a Sub Variable Character Set are unrelated to each other; (h) assigning a Serial Number/identification number to each Sub Variable Character Set; (i) optionally USER generating Variable Character Set and using it as Sub Variable Character Set; (j) SERVICE PROVIDER storing Sub Variable Character Sets in brief form as in step (b); (k) USERs storing Sub Variable Character Sets in complete form; (l) wherein when using Sub Variable Character Sets, (m) the Password/Encryption Key Calls are in Serial Number of Character Units of Sub Variable Character Sets and SERVICE PROVIDER compares with Character Units of Master Variable Character Set corresponding to the called Serial Number of Character Units of Sub Variable Character Sets; (n) prefixing or suffixing identification number of Sub Variable Character Sets with Password/Encryption Key is used to identify any Password/Encryption Key specific to a particular Sub Variable Character Set, which in turn is used for identification of groups and classification of USERs; (o) replacing with another Sub Variable Character Set generated from the same Master Variable Character Set upon suspected compromise of a Sub Variable Character Set.
15) The system claimed in any preceding claim, in the second system of authentication devices, where method of generating and using Sub Variable Character Sets of level 2 or below comprising steps of (a) selecting the total number of Character Units of the Sub Variable Character Set of level 2 or below; (b) identifying Serial Number of Character Units of the one level up Sub Variable Character Set, the method of identifying the said Serial Number of Character Units adopting at least one of the following ways: (b1) specifying rules of selection such as criteria for filtering data, (b2) specifying discrete numbers, (b3) specifying continuous numbers and (b4) specifying random sequences; the Character Units corresponding to the identified Serial Number of Character Units constituting the Sub Variable Character Set of level 2 or below; (c) selecting Character Units including a limited number of Character Units of one level up Sub Variable Character Sets/Master Variable Character Set, duly ensuring that no specific relationship exists between Character Units of Sub Variable Character Sets of any level of same origin; (d) arranging Character Units selected as per steps (a) to (c) of this claim into any one of the form of lists, tables, arrays and matrices, in which each of the Character Unit is distinctly identifiable and easily readable; (e) assigning unique Serial Number of Character Unit, independent of Serial Number of Character Units of one level up Sub Variable Character Set/Master Variable Character Set, to identify each Character Unit in the Sub Variable Character Set of Level 2 or below; (f) specifying the method of identifying/calculating the Serial Number of Character Unit, facilitating USER to read the Character Units corresponding to the Serial Number of Character Units; (g) ensuring the Character Units and the Serial Number of Character Units are unrelated and the Character Units of a Sub Variable Character Set of Level 2 or below are unrelated to each other; (h) assigning a Serial Number/identification number to each Sub Variable Character Set of Level 2 or below; (i) optionally, USER generating Sub Variable Character Set of level 2 or below duly selecting randomly the Character Units provided by SERVICE PROVIDERS from one level up Sub Variable Character Sets; (j) SERVICE PROVIDERS storing Sub Variable Character Sets of level 2 or below in brief form, duly identifying Serial Number of Character Units of Sub Variable Character Sets of level 2 or below in terms of Serial Number of Character Units of the Master Variable Character Set, the method of identifying the said Serial Number of Character Units adopting at least one of the following ways: (j1) specifying rules of selection such as criteria for filtering data, (j2) specifying discrete numbers, (j3) specifying continuous numbers and (j4) specifying random sequences; (k) USERs storing Sub Variable Character Sets of Level 2 or below in complete form; wherein when using Sub Variable Character Sets of level 2 or below, (l) the Password/Encryption Key Calls are in Serial Number of Character Units of Sub Variable Character Sets of level 2 or below and SERVICE PROVIDER compares with Character Units of Master Variable Character Set corresponding to the called Serial Number of Character Units of Sub Variable Character Sets of level 2 or below; (m) prefixing or suffixing identification number of Sub Variable Character Sets of level 2 or below with Password/Encryption Key is used to identify any Password/Encryption Key specific to a particular Sub Variable Character Set of level 2 or below, which in turn is used for identification of groups and classification of USERs; (n) replacing with another Sub Variable Character Set of level 2 or below, generated from the same one level up Sub Variable Character Set, upon suspected compromise of a Sub Variable Character Set of level 2 or below.
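As an added illustration of how the brief and complete forms of claims 13 to 15 fit together (example code written for this page, not the applicant's own implementation), the Python below builds a constructed twenty-unit Master Variable Character Set, derives a level-1 Sub Variable Character Set and a level-2 set from it, and shows a Call given in Sub-set Serial Numbers being answered from the USER's complete form and checked by the SERVICE PROVIDER against the Master set through the brief form alone. The Master set contents, the Sub set sizes and the separator used when tagging a key with the Sub set's identification number are assumptions made for the example.

```python
import secrets

# Constructed Master Variable Character Set (claim 13): Master Serial Number -> Character Unit.
# A real Master set is far larger and fully random; twenty units is an assumption for illustration.
MASTER = {n: u for n, u in enumerate(
    ["q7", "Zx", "m2", "#9", "Lp", "vv", "4k", "Qn", "t!", "Jy",
     "8r", "Wc", "e3", "Hs", "0o", "xY", "p5", "Kd", "6j", "Rb"], start=1)}


def select_brief(parent_size, size, rng=secrets.SystemRandom()):
    """Claims 14(b4)/15(b4): choose `size` Serial Numbers of the one-level-up set by a
    random sequence with no repeats. The list returned is the brief form: position i
    (the Sub set's own Serial Number i+1, claims 14(e)/15(e)) holds a parent Serial Number.
    For a level-1 Sub set the parent is the Master set, so the entries are Master serials."""
    if size > parent_size:
        raise ValueError("a Sub set cannot have more units than its parent")
    return rng.sample(range(1, parent_size + 1), size)


def to_master_brief(parent_master_brief, level2_brief):
    """Claim 15(j): re-express a level-2 brief form (given in level-1 Sub Serial Numbers)
    directly in Master Serial Numbers, which is how the SERVICE PROVIDER stores it."""
    return [parent_master_brief[s - 1] for s in level2_brief]


def expand(master, master_brief):
    """Complete form held by the USER (claims 14(k)/15(k)): Sub Serial Number -> Character Unit."""
    return {i: master[m] for i, m in enumerate(master_brief, start=1)}


def user_response(complete, call):
    """USER answers a Call of Sub Serial Numbers from the complete form, as one string."""
    return "".join(complete[s] for s in call)


def provider_expected(master, master_brief, call):
    """Claims 14(m)/15(l): the SERVICE PROVIDER never stores the Sub set's units; it maps each
    called Sub Serial Number through the brief form to a Master Serial Number and compares
    the Master set's Character Units."""
    return "".join(master[master_brief[s - 1]] for s in call)


def tag_key(sub_id, key, prefix=True):
    """Claims 14(n)/15(m): prefix or suffix the Sub set's identification number so the key
    can be traced to its Sub set and hence to a USER group. The '-' separator is assumed."""
    return f"{sub_id}-{key}" if prefix else f"{key}-{sub_id}"


def replace_sub_set(parent_size, old_brief, rng=secrets.SystemRandom()):
    """Claims 14(o)/15(n): on suspected compromise, issue a fresh Sub set of the same size
    from the same parent, drawn independently of the old one."""
    return select_brief(parent_size, len(old_brief), rng)
```

The storage saving of claim 11(r) is visible in the data: the SERVICE PROVIDER keeps one list of small integers per Sub set plus the single Master set, while the USER keeps the readable units; a USER who is issued a replacement keeps the same Master set on the provider side untouched.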
16) The system claimed in any preceding claim, the method of repeated variation of font/distinguishing properties of the second system of authentication devices claimed in any preceding claim, as means of differentiation between same characters of Password/Encryption Key, in printed second system of Authentication Devices, including implementing the method by means of a transparent sheet and a memory device with data processor loaded with software, (a) generating new Character Units and new authentication devices while retaining original characters, enhancing security against breach of Password/Encryption Keys, enhancing life of authentication Devices and ability of use with any number of SERVICE PROVIDERS, comprising steps of: (b) USER proposing variation to font/distinguishing properties of characters of Password/Encryption Key/Character Units of Variable Character Sets/Sub Variable Character Sets of any level; (c) optionally SERVICE PROVIDER proposing said variation of font/distinguishing properties at regular intervals and USER agreeing to such variations; (d) SERVICE PROVIDER registering the changes; (e) USER using a separate transparent sheet of the size of printed Variable Character Sets/Sub Variable Character Sets of any level, indicating font/distinguishing property variation; (f) willing USER memorising the changes; (g) furnishing font/distinguishing property varied characters for Password/Encryption Key.
17) The system claimed in any preceding claim, the method of transformation of the second system of authentication devices claimed in any preceding claim to derive new Character Units, including implementing the method by means of a memory device with data processor loaded with software, comprising steps of: (a) USER proposing at least one rule of transformation of characters of Password/Encryption Key/Character Units of authentication device, such as shifting Serial number of Character Units of authentication device by a specified number/shifting characters from natural order by a specified number; (b) USER keeping the said rule of transformation separate from authentication device; (c) willing USER memorising the said rule of transformation on the Character Units or Basic Characters of the authentication device; (d) SERVICE PROVIDER registering the rules; (e) USER furnishing the transformed characters/Character Units for Password/Encryption Key.
18) I claim a key generating process of the Encryption key System implemented by a memory device, a data processor loaded with software for USER and SERVICE PROVIDER, connected by communication network, comprising the steps of: (a) USER and SERVICE PROVIDER using a pre agreed authentication device of the second system of authentication devices; (b) the Password/encryption key comprising of a permutation of selected number of Character Units of the authentication device, wherein optionally same Character Units are repeated in Password/encryption key on repetition of same random number within a Call; (c) USER approaching the SERVICE PROVIDER with opening the website or dialogue window or switching on the SERVICE PROVIDER system; (d) SERVICE PROVIDER requesting the USER to furnish USER name or identification number; (e) USER furnishing USER name or identification number; (f) SERVICE PROVIDER (f1) verifying USER name, and refusing the unregistered USER; (f2) identifying and referring to the authentication device of particular USER; (f3) generating a specified number of random numbers wherein the said specified number is at least two; (f4) ensuring each of the generated random numbers is less than or equal to the total number of Character Units in the authentication device, further validating the said random numbers for compliance of rules preagreed between SERVICE PROVIDER and USER; (f5) sending the random numbers to the USER, termed as Call; (g) USER responding with a continuous string of Character Units of the authentication device, wherein the serial numbers of Character Units are the random numbers of Call, in the order of Call, termed as Response, wherein the said continuous string is making Basic Characters indistinguishable as belonging to particular Character Unit; (h) SERVICE PROVIDER when required, requesting the identification number of Sub Variable Character Set of any level as part of Password/encryption key, along with Call, and the USER complying with such request; (i) SERVICE PROVIDER (i1) verifying the Response to the Call with the respective authentication device and authenticating the USER when the Response furnished is correct; (i2) allowing the USER up to preagreed number of chances to furnish the correct Password/encryption key when the Response furnished in step (i1) is incorrect; (i3) denying access and advising the USER to make subsequent attempt only after preagreed time when USER fails to furnish the correct Password/encryption key within preagreed number of chances; (i4) making a Call to furnish a strong Password/encryption key comprising two Passwords/encryption keys called simultaneously/successively, in one chance, to the USER reaching step (i3); (i5) denying access to the USER who failed to provide correct Password/encryption key in step (i4), advising such USER to establish authenticity to the satisfaction of the SERVICE PROVIDER through other means, characterized in that (j) dispensing with memorization of PIN/equivalent, facilitating generation of Passwords/Encryption keys without human intervention; (k) enhancing the limit on maximum value of random numbers in Call, imposable by memorization, from up to human memorisable level to the total number of Character Units in the authentication device; (l) free from algorithms/pattern forming methods involving multi step procedures to produce Password/encryption key; (m) Call to furnish two Password/encryption keys simultaneously/successively prevents breaking and automatically notifies the authentic USER on failed attempts; (n) generating two Encryption keys for each transaction, the process is suited to generate plurality of Passwords/Encryption keys from one Password/Encryption key to secure each one of the transactions by different Encryption keys; (o) generating and validating Encryption keys by referring and comparing in a computationally non intensive manner; (p) generating Passwords/Encryption keys of specified strength, the said specified strength directly proportional to the number of character units in the Password/Encryption Key, the said number (of character units in the Password/Encryption Key) having a lower limit of two and unrestricted upper limit; (q) optionally USER and SERVICE PROVIDER, by prior arrangement, adopt padding of keys to enhance the strength of USER furnished Password/encryption key to preagreed length encryption key; (r) USER furnishing Password/encryption key as obtainable from authentication device, system designed to pad the keys to get keys of required length; (s) enabling USER verifying authenticity of SERVICE PROVIDER for every transaction.
19) In the key generating process of the Encryption key System as claimed in claim 18, further comprising the steps of: (a) after the initial identification/authentication, the USER desiring to ascertain the authenticity of SERVICE PROVIDER, by pre arrangement, (b) issuing a Call; (c) SERVICE PROVIDER responding; (d) USER verifying the Response with the authentication device and authenticating the SERVICE PROVIDER, whereby USER and SERVICE PROVIDER mutually authenticate and secure connection.
20) In the key generating process of the Encryption key System as claimed in claim 18, the valid Response to the Call in step (g) of claim 18 is Bilaterally Generated Encryption key, wherein chance of repeating is more than zero for the Bilaterally Generated Encryption key.
21) In the key generating process of the Encryption key System as claimed in claim 18, the method of generating Non Repeating Bilaterally Generated Encryption key comprising of the steps of (a) SERVICE PROVIDER in step (f4) of Claim 18, verifying for compliance of the rule according to which at least one Character Unit constituting a Password/Encryption key occurs for the first time in the said Password/Encryption key, wherein compliance of the said rule makes the chance of repeating zero for Non Repeating Bilaterally Generated Encryption key; (b) wherein the said rule is observed till all Character Units of pre agreed authentication device are exhausted; (c) wherein all the said Character Units of pre agreed authentication device are revived by transformation/font/distinguishing property change to the authentication device.
22) In the key generating process of the Encryption key System as claimed in claim 18, further comprising the steps of: using the random numbers of Call, concatenated, as Password/Encryption key, in addition to USER furnished Password/Encryption key, thereby generating two Passwords/Encryption keys for a transaction.
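Claims 21 to 23 describe the Call/Response mechanics in words only. The Python below is an added illustration, not code from the application: it models a pre-agreed authentication device as a list of Character Units addressed by Serial Numbers, issues Calls that obey the non-repeating rule of claim 21 (at least one Character Unit in every Response is used for the first time in the session), revives the device once every unit has been exposed, and derives the two keys of claim 22 from one lap (the Response, and the concatenated Call). The revival transformation, the zero-padding of serials in the Call key, the eight-unit sample device and the use of `hmac.compare_digest` are assumptions of this example; the claims leave them open.

```python
import hmac
import random
from dataclasses import dataclass, field


@dataclass
class AuthDevice:
    """Pre-agreed authentication device: a Sub Variable Character Set whose
    Character Units are addressed by 1-based Serial Numbers.  One object
    stands in for both parties' copies here; in a deployment each side keeps
    its own copy and updates `used` from the Calls it sends or receives."""
    units: list
    used: set = field(default_factory=set)   # serials exposed so far this session
    generation: int = 0                      # number of revivals (claim 21(c))

    def unit(self, serial):
        return self.units[serial - 1]

    def revive(self):
        # All units exhausted: change a distinguishing property of every unit
        # so the same serials now denote fresh units.  Assumed realisation:
        # rotate the serial assignment by one and swap letter case.
        self.units = [u.swapcase() for u in self.units[1:] + self.units[:1]]
        self.used.clear()
        self.generation += 1


def make_call(device, n_units, rng=None):
    """SERVICE PROVIDER side.  Pick n_units distinct serials, at least one of
    which has not been exposed before (the rule of claim 21).  Pass twice the
    usual n_units for the 'strong' Call of claim 23."""
    rng = random.SystemRandom() if rng is None else rng
    serials = list(range(1, len(device.units) + 1))
    fresh = [s for s in serials if s not in device.used]
    if not fresh:                               # claim 21(b)/(c): exhausted
        device.revive()
        fresh = serials[:]
    first = rng.choice(fresh)
    call = [first] + rng.sample([s for s in serials if s != first], n_units - 1)
    rng.shuffle(call)
    return call


def response(device, call):
    """USER side.  Response = the Character Units the Call points at,
    concatenated: the first key of the transaction (claim 22)."""
    return "".join(device.unit(s) for s in call)


def call_key(device, call):
    """Second key of claim 22: the Call's numbers concatenated.  Serials are
    zero-padded to a fixed width (an addition of this example) so that two
    different Calls can never concatenate to the same string."""
    width = len(str(len(device.units)))
    return "".join(f"{s:0{width}d}" for s in call)


def verify_response(device, call, answer):
    """SERVICE PROVIDER side: distinct serials, the non-repeating rule, then a
    constant-time comparison; serials are recorded as exposed only on success.
    A Call whose serials were all exposed before (a replay) is rejected."""
    if len(set(call)) != len(call):
        return False
    if not any(s not in device.used for s in call):
        return False
    if not hmac.compare_digest(answer.encode(), response(device, call).encode()):
        return False
    device.used.update(call)
    return True


def run_session(n_transactions, n_units=4, seed=None):
    """Walk through a session on a constructed eight-unit device.  Returns the
    (key1, key2) pair of every transaction and how many revivals were needed."""
    rng = random.Random(seed)
    device = AuthDevice(["qa", "wt", "er", "ty", "ui", "op", "as", "df"])
    keys = []
    for _ in range(n_transactions):
        call = make_call(device, n_units, rng)
        answer = response(device, call)                  # USER
        if not verify_response(device, call, answer):    # SERVICE PROVIDER
            raise RuntimeError("honest Response rejected")
        keys.append((answer, call_key(device, call)))
    return keys, device.generation


if __name__ == "__main__":
    for key1, key2 in run_session(6, seed=7)[0]:
        print(key1, key2)
```

Passing `n_units=8` to `make_call` gives the doubled Call of claim 23. Note what the rule buys and what it does not: a Call that points only at already-exposed units is rejected, so a recorded Response cannot be reused under a fresh Call, but after a revival the same serials are answered with transformed units, so both sides must track exposure identically or the session desynchronises.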
23) In the key generating process of the Encryption key System as claimed in claim 18, strong Password/Encryption key is a Password/ Encryption key, which has twice the normal number of Character Units in a Call, designed to test physical availability of authentication device with USER after a failed attempt.
24) The method of padding of keys, a process of addition of characters to the USER furnished encryption key to make keys with preagreed number of characters to reduce the USER'S efforts when furnishing Password/encryption key, done by software of SERVICE PROVIDER/USER system, suited to the system, wherein one method is stated herein: (a) the required number of padding characters are calculated; (b) the Basic Characters of Password/Encryption key are converted to the assigned serial number in the same order as it was assigned when forming the Variable Character Set or Sub Variable Character Set of any level and obtain a few random numbers; (c) the geometric mean of the random numbers obtained in previous step is calculated; when the geometric mean is a round number, the said geometric mean is multiplied by 'π' and the resultant number is used; (d) from the geometric mean or the resultant number in step (c) the decimal characters are extracted and used as initial seed 'S_0'; (e) any mathematical/statistical function such as Fisher's Number, Standard normal cumulative distribution, logarithm, that takes a single input value and gives an output value is operated on 'S_0'; (f) the decimal characters of output value of step (e) is the seed S_1; (g) the random numbers obtained in step (b) are split to single digits d_i; (h) one or more characters to be padded is/are selected from each one of the output values S_i, starting from character at d_i + 1; (h) steps (e) to (g) are correspondingly repeated to get as many characters as required; (i) when the first few digits of S_i is/are '0' then the first nonzero number is moved to first decimal position with corresponding move of all other numbers; (j) when d_i is even number, the numbers obtained in step (h) is placed first followed by one Character Unit of Password/Encryption Key; when d_i is odd number, one Character Unit of Password/Encryption Key is placed first followed by the numbers obtained in step (h); (k) the step (j) is repeated till all Character Units of Password/Encryption Key is exhausted; (l) followed by adding characters of step (h) remaining unutilised till step (k); (m) when padding encryption keys made of Calls, using the Password/Encryption Key corresponding to the Call for generating padding numbers; (n) achieving variability between padding keys of Password/Encryption Key and that of Call by adopting harmonic mean of random numbers obtained in step (b), adding all but the last Character Unit of the Password/Encryption Key as in step (j); (o) the algorithm for padding is pre agreed between USER/SERVICE PROVIDER; (p) the padding process is done by the software and USER is relieved from doing any calculation, characterized in that (q) the padding algorithm herein uses data from the Encryption key itself derived from the authentication devices of Bilaterally Generated Encryption keys; (r) the position occurrence of numeric character is varied on par with characters of Password/encryption key making the encryption key as strong as the one which is directly made from authentication device; (s) any length of key is obtainable.
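Claim 24 lays the padding procedure out as prose steps. The Python below is an added worked reading of steps (a) to (l), plus the harmonic-mean variant of step (n), and is not the applicant's software: serial numbers come from an assumed pre-agreed Variable Character Set (letters, then digits), the mean is computed with the `decimal` module at fixed precision so that USER and SERVICE PROVIDER obtain identical digits, the single-input function of step (e) is the natural logarithm applied to `1.S_i`, and when a seed runs short the selection wraps around. Those choices, the tolerance used to decide that a mean is "round", and the guard for an all-zero fraction are assumptions of this example.

```python
import string
from decimal import Decimal, getcontext

getcontext().prec = 34   # fixed precision: both sides must obtain identical digits
PI = Decimal("3.141592653589793238462643383279503")
# Assumed pre-agreed Variable Character Set: Basic Character -> Serial Number (1-based).
SERIAL = {c: i + 1 for i, c in enumerate(string.ascii_letters + string.digits)}


def _frac_digits(x):
    """Decimal characters of x after the point, leading zeros dropped (step (i))."""
    text = format(x, "f")
    frac = text.split(".")[1] if "." in text else ""
    return frac.lstrip("0") or "1"      # guard for an all-zero fraction (assumption)


def _seed0(serials, harmonic):
    """Steps (b)-(d): mean of the serial numbers (geometric, or harmonic for the
    variant of step (n)); a round mean is multiplied by pi; fractional digits = S_0."""
    n = len(serials)
    vals = [Decimal(s) for s in serials]
    if harmonic:
        mean = Decimal(n) / sum(1 / v for v in vals)
    else:
        mean = (sum(v.ln() for v in vals) / n).exp()
    if abs(mean - mean.to_integral_value()) < Decimal("1e-20"):
        mean *= PI
    return _frac_digits(mean)


def pad_key(password, target_len, harmonic=False):
    """One reading of steps (a)-(l) of claim 24.  Returns the padded key."""
    needed = target_len - len(password)                  # step (a)
    if needed <= 0:
        return password
    serials = [SERIAL[c] for c in password]              # step (b)
    digits = [int(d) for s in serials for d in str(s)]   # step (g): d_i
    per_unit = max(1, needed // len(password))

    # Steps (e)-(h): S_i = fractional digits of ln(1.S_(i-1)); take per_unit
    # characters from S_i starting at position d_i + 1 (wrapping round).
    pad, seed, i = [], _seed0(serials, harmonic), 0
    while len(pad) < needed:
        seed = _frac_digits(Decimal("1." + seed).ln())
        start = digits[i % len(digits)] % len(seed)
        pad.extend((seed[start:] + seed[:start])[:per_unit])
        i += 1
    pad = pad[:needed]

    # Steps (j)-(l): one Character Unit with its padding digits, order fixed by
    # the parity of d_j, then whatever padding is left over.
    out, pos = [], 0
    for j, ch in enumerate(password):
        chunk = "".join(pad[pos:pos + per_unit])
        pos += per_unit
        out.append(chunk + ch if digits[j % len(digits)] % 2 == 0 else ch + chunk)
    out.append("".join(pad[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(pad_key("Zz9", 16))
    print(pad_key("Zz9", 16, harmonic=True))
```

Because every padding digit is a function of the password's own serial numbers, the padded key is reproducible on both sides without any exchange, which is what steps (o) and (p) rely on. By the same token the padding adds length but no secret material beyond the Password: the pre-agreed length fixes the key's format, while its guessing resistance still comes from the Character Units drawn from the authentication device, as step (r) itself states.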
25) I claim a method of authenticating and securing of Internet Contract/Network transactions using one Password/Encryption Key for each transaction furnished by a USER, including a memory device, a data processor loaded with software implementing the system for USER and SERVICE PROVIDER, connected by communication network, {Fig. 5}, using Bilaterally Generated Encryption Key System, the method comprising steps of (a) SERVICE PROVIDER and USER (a1) recording their mutual Internet Protocol/Network addresses at the beginning of a session; (a2) placing all unexposed Calls, Password/Encryption Keys, file and message packets in to folders, exchanging the folders after encrypting and access restricting, utilizing any one of unexposed Calls/Passwords as Passwords and encryption keys, using a pre agreed cryptographic algorithm to encrypt; wherein all the unexposed Calls/Password/Encryption Keys generated up to a transaction in a session are available for encrypting and access restricting a specific folder by prior agreement; (a3) access restriction and maintaining continuity of link by ensuring IP address from which USER or SERVICE PROVIDER are transacting remains the one and the same from beginning to end of session and by obtaining a variable Password/Encryption Key known only to USER and SERVICE PROVIDER for each object exchanged; (a4) confirming correctness of Calls, Password/Encryption Keys and allowing pre agreed number of chances to rectify; exiting upon occurrence of at least one of the following events: failure to furnish valid information, lapse of time, inability to open and inability to decrypt folders; (a5) checking objects exchanged before accepting, the said checks are for compliance of regulations, contract conditions and freedom from undesirable programs like virus; (b) USER furnishing USER Name and issuing a Call termed as 'initial Call of the session' to SERVICE PROVIDER; (c) SERVICE PROVIDER creating a folder containing Password/Encryption Key for initial Call of the session, a Call, termed as 'SERVICE PROVIDER'S first Call' and optional message, encrypting and access restricting the folder as detailed in step (a); sending the folder to USER; (d) USER opening and decrypting the folder, checking Password/Encryption Key; creating a folder containing Password/Encryption Key for SERVICE PROVIDER'S first Call, any message, encrypting and access restricting the folder as detailed in step (a); sending the folder to SERVICE PROVIDER; (e) SERVICE PROVIDER opening and decrypting the folder, verifying Password/Encryption Key from USER; creating a folder containing next Call, authentication message, encrypting and access restricting the folder as detailed in step (a); sending the folder to USER; (f) USER opening and decrypting the folder, getting the next Call; (g) after an Internet Contract/Network Transaction is created, USER creating a folder containing Password/Encryption Key for the Call received in previous step, and the file or message packet containing the USER'S Internet Contract/Network Transaction; encrypting and access restricting the folder as detailed in step (a); sending the folder to SERVICE PROVIDER; (h) SERVICE PROVIDER opening and decrypting the folder, verifying Password/Encryption Key furnished by USER, checking and processing the contents of file or message packet; responding by creating a folder containing Call for the next transaction and the file or message packet containing the SERVICE PROVIDER'S Internet Contract/Network Transaction; encrypting and access restricting the folder as detailed in step (a); sending the folder to USER; (i) USER opening and decrypting the folder from SERVICE PROVIDER, checking and processing the contents of file or message packet; (j) repeating steps (g) to (i), till the transactions are completed and (k) exiting after advising SERVICE PROVIDER; (l) wherein SERVICE PROVIDER keeping proof for every transaction of USERs including the USER name, the IP address of USER system, the date and time, the details of Internet Contract/Network Transaction, the Call and the Password/Encryption Key for each transaction providing direct and computationally non intensive means of tracing all actions/objects of a USER from access to exit.
26) I claim a method of generating multiple Password/Encryption Keys from single Password/Encryption Key using USER Agent Software wherein all Character Units of the USER'S authentication device have equal number of characters; SERVICE PROVIDER'S Call for at least 4 Character Units from USER, which provides at least 60 unique permutations from the said 4 Character Units, comprising steps of (a) USER Agent Software (b) collecting the Call and Password/Encryption Key for initial access of USER; (c) determining the total number of Character Units and Character Units from said Call and Password/Encryption Key collected in step (b); (d) forming a Sub Variable Character Set of any level termed as 'authentication device of the session' using all Character Units determined in step (c); (e) assigning Serial Number of Character Units to the said Character Units; (f) communicating the assigned Serial Number of Character Units to SERVICE PROVIDER in encrypted folder using the Password/Encryption Key for initial access of USER as encryption key; (g) SERVICE PROVIDER making Call from Serial Number of Character Units communicated in step (f); (h) USER Agent Software furnishing Response; (i) repeating the steps (g) to (h) till end of session; (j) whereby a plurality of Password/Encryption Keys are generated; (k) wherein the first unexposed Call from SERVICE PROVIDER is optionally used as Serial Number of Character Units, dispensing with the need of communicating Serial Number of Character Units in step (f).
27) I claim a software termed as USER Agent Software, integrated with USER system connected through communication network to SERVICE PROVIDER system, the said software combined with Internet Contract/Network Transaction software, optionally an independent software, comprising modules to perform steps/functions of (a) USER Agent Software adopting to USER name as Internet Protocol/Network address of the computer, wherefrom, USER accesses SERVICE PROVIDER; (b) functioning from the USER Terminal representing USER, transacting with SERVICE PROVIDER; (c) recording Internet Protocol/Network address of SERVICE PROVIDER; (d) forming the authentication device of the session; (e) generating multiple Password/Encryption Keys from a single Password/Encryption Key furnished by USER; (f) authenticating USER for individual transactions comprising: (f1) seeking Call, (f2) furnishing Response, (f3) confirming correctness of Calls, Password/Encryption Keys and allowing specified number of chances to rectify; (g) exchanging objects after securing and access restricting the said objects to Internet Protocol/Network address of SERVICE PROVIDER; (h) checking for origination of USER'S message from USER'S system by (h1) ensuring continuity of connection with SERVICE PROVIDER; (h2) ensuring the integrity of command to do the Internet Contract/Network Transaction, through checking the keyboard and other input entries; (i) passing on the objects received from SERVICE PROVIDER to USER after checks such as presence of virus; (j) upon authentication failure, informing the USER to decide corrective action; (k) allowing USER doing authentications directly; (l) denying access to unauthorised USER created Internet Contract/Network Transactions; (m) blocking the unauthorised user from substituting the USER/USER Agent Software/SERVICE PROVIDER, through any other computer; (n) rejecting the attempts to originate Internet Contract/Network Transaction from the USER'S Computer, through remote commands; (o) advising SERVICE PROVIDER upon end of transactions and exiting.
28) I claim a method of authenticating and securing of every individual Internet Contract/Network transaction with different Password/Encryption Keys, generating said different Password/Encryption Keys from single Password/Encryption Key furnished at the beginning of a session by a known USER using USER Agent Software {Fig. 6}, using Bilaterally Generated Encryption Key System, a memory device, a data processor loaded with software implementing the method for USER and SERVICE PROVIDER, connected by communication network, comprising steps of: (a) SERVICE PROVIDER and USER/USER Agent Software (a1) recording their mutual Internet Protocol/Network addresses at the beginning of a session; (a2) placing all unexposed Calls, Password/Encryption Keys, file and message packets in to folders, exchanging the folders after encrypting and access restricting using any one of unexposed Calls/Passwords as Passwords and encryption keys, using a pre agreed cryptographic algorithm to encrypt; wherein all the unexposed Calls/Password/Encryption Keys generated up to a transaction in a session are available for encrypting and access restricting a specific folder by prior agreement; (a3) access restriction and maintaining continuity of link by ensuring IP address from which USER or SERVICE PROVIDER are transacting remains the one and the same from beginning to end of session and by obtaining a variable Password/Encryption Key known only to USER and SERVICE PROVIDER, from the respective systems, for each object exchanged; (a4) confirming correctness of Calls, Password/Encryption Keys and allowing pre agreed number of chances to rectify; exiting upon occurrence of at least one of the following events: failure to furnish valid information, lapse of time, inability to open and inability to decrypt folders; (a5) checking objects exchanged before accepting, the checks are for compliance of regulations, contract conditions, and freedom from undesirable programs like virus; (b) USER furnishing USER Name and issuing a Call termed as 'initial Call of the session' to SERVICE PROVIDER; (c) SERVICE PROVIDER creating a folder containing Password/Encryption Key for initial Call of the session, a Call, termed as 'SERVICE PROVIDER'S first Call' and optional message, encrypting and access restricting the folder as detailed in step (a); sending the folder to USER; (d) USER opening and decrypting the folder, checking Password/Encryption Key; creating a folder containing Password/Encryption Key for SERVICE PROVIDER'S first Call, any message, encrypting and access restricting the folder as detailed in step (a); sending the folder to SERVICE PROVIDER; (e) SERVICE PROVIDER opening and decrypting the folder, verifying Password/Encryption Key from USER; creating a folder containing authentication message, encrypting and access restricting the folder as detailed in step (a); sending the folder to USER; (f) USER opening and decrypting the folder, upon being authenticated, authorizing USER Agent Software for doing transactions, passing on Password/Encryption Key furnished in step (f) and Call received in step (e); (l) USER Agent Software forming a Sub Variable Character Set of any Level, using all Character Units of the Password/Encryption Key furnished in step (f), assigning Serial Number of Character Units as Call received in step (e) or in a different manner and using it as the authentication device of that session.
29) In the method claimed in Claim 28, (a) USER Agent Software creating a folder containing assigned Serial Number of Character Units and request for a Call; encrypting and access restricting the folder as in step (a) of claim 28; sending it to SERVICE PROVIDER; (b) SERVICE PROVIDER upon confirming the Internet Protocol/Network address of the USER Agent Software and USER are same, opening and decrypting the folder, registering Serial Number of Character Units, creating a folder containing Call within the authentication device of the session, encrypting and access restricting the folder as in step (a) of claim 28, sending it to USER Agent Software; USER Agent Software opening and obtaining the Call for next transaction; (c) USER creating Internet Contract/Network Transaction and passing on to USER Agent Software; USER Agent Software checking for the origination of Internet Contract/Network Transaction from within USER system such as: (c1) ensuring continuity of connection with SERVICE PROVIDER; (c2) ensuring the integrity of command to do the Internet Contract/Network Transaction, through checking the keyboard and other input entries; (c3) upon confirming the origination, the USER Agent Software, (c4) creating a folder containing Password/Encryption Key for the Call obtained in step (b) and the file or message packet containing the USER'S Internet Contract/Network Transaction; (c5) encrypting and access restricting the folder as in step (a) of claim 28; (c6) sending the folder to SERVICE PROVIDER; (d) SERVICE PROVIDER opening and decrypting the folder, (d1) verifying Password/Encryption Key furnished by USER Agent Software; (d2) checking and processing the contents of file or message packet; (d3) responding by creating a folder containing Call for the next transaction and the file or message packet containing the SERVICE PROVIDER'S Internet Contract/Network Transaction; (d4) encrypting and access restricting the folder as in step (a) of claim 28; (d5) sending the folder to USER Agent Software; (e) USER Agent Software opening and decrypting the folder from SERVICE PROVIDER, checking and passing on the file or message packet to USER; retaining the Call; (f) repeating steps (c) to (e) till the transactions are completed and exiting after advising SERVICE PROVIDER; (g) USER Agent Software performing further steps as claimed in claim 27; (h) SERVICE PROVIDER keeping proof for every transaction of USERs including the USER name, the IP address of USER system, the date and time, the details of Internet Contract/Network Transaction, the Call and the Password/Encryption Key for each transaction; (i) providing direct and computationally non intensive means of tracing all actions/objects of a USER/SERVICE PROVIDER from access to exit.
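Claims 25, 28 and 29 specify the folder exchange as a sequence of prose steps. The Python below is an added simulation of both sides of that exchange and is not the applicant's software. It uses one constructed shared authentication device, seals every folder with a key derived from the unexposed Password that answers the outstanding Call and from the two addresses recorded at the start of the session (steps (a1) to (a3)), verifies the Password on each lap, rejects a folder arriving from another address, keeps the SERVICE PROVIDER'S proof record of step (l), and collapses the handshake of steps (c) to (f) into the session-opening folder. The cipher is a stand-in built from HMAC-SHA256 (a keystream plus an encrypt-then-MAC tag) in place of the unspecified pre-agreed algorithm; the device contents, names, addresses and transaction contents are made up for the run.

```python
import hashlib, hmac, json, os, random, time

# Constructed shared authentication device: Character Units addressed by 1-based serials.
DEVICE = ["mk", "3p", "qz", "x7", "wa", "vb", "n2", "lo"]

def resp(call):
    """Password/Encryption Key answering a Call: the Character Units concatenated."""
    return "".join(DEVICE[s - 1] for s in call)

def new_call(rng):
    """A Call for four distinct Character Units."""
    return rng.sample(range(1, len(DEVICE) + 1), 4)

def folder_key(password, ip_from, ip_to):
    """Key for one object (steps (a2)/(a3)): an unexposed Password bound to the
    sender and receiver addresses recorded at the start of the session."""
    return hashlib.sha256(f"{password}|{ip_from}|{ip_to}".encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, folder):
    """Stand-in for the pre-agreed cipher: HMAC-SHA256 keystream (XOR) with an
    encrypt-then-MAC tag.  A deployment would use AES-GCM or ChaCha20-Poly1305."""
    nonce = os.urandom(16)
    pt = json.dumps(folder, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_folder(key, blob):
    """The folder, or None when the tag fails (the claim's 'inability to decrypt')."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class ServiceProvider:
    def __init__(self, ip, rng):
        self.ip, self.rng, self.sessions, self.proof = ip, rng, {}, []

    def start(self, user, user_ip, call0):
        """Steps (b)/(c): record the USER's address, answer the initial Call and send
        the SERVICE PROVIDER's first Call inside a sealed folder."""
        call1 = new_call(self.rng)
        self.sessions[user] = {"ip": user_ip, "call": call1, "seq": 0}
        return seal(folder_key(resp(call0), self.ip, user_ip),
                    {"password": resp(call0), "call": call1, "msg": "session open"})

    def receive(self, user, src_ip, blob):
        """Steps (e)/(h): enforce IP continuity, verify the Password for the outstanding
        Call, keep proof, and reply with the Call for the next transaction."""
        s = self.sessions.get(user)
        if s is None or src_ip != s["ip"]:                  # (a3) continuity of link
            return None
        expected = resp(s["call"])
        folder = open_folder(folder_key(expected, src_ip, self.ip), blob)
        if folder is None or not hmac.compare_digest(folder.get("password", ""), expected):
            return None                                    # (a4) invalid information
        s["seq"] += 1
        self.proof.append({"user": user, "ip": src_ip, "time": time.time(),
                           "txn": folder.get("txn"), "call": s["call"],
                           "password": expected})          # step (l)
        s["call"] = new_call(self.rng)
        return seal(folder_key(expected, self.ip, src_ip),
                    {"call": s["call"], "result": {"accepted": True, "seq": s["seq"]}})

class User:
    def __init__(self, name, ip, rng):
        self.name, self.ip, self.rng, self.call = name, ip, rng, None

    def open_session(self, sp):
        """Step (b), then the check of step (d): the SERVICE PROVIDER must answer the
        initial Call correctly (claim 19) before any transaction is sent."""
        call0 = new_call(self.rng)
        folder = open_folder(folder_key(resp(call0), sp.ip, self.ip),
                             sp.start(self.name, self.ip, call0))
        if folder is None or not hmac.compare_digest(folder["password"], resp(call0)):
            return False
        self.call = folder["call"]
        return True

    def transact(self, sp, txn):
        """Steps (g) and (i): one lap each way; returns the provider's result or None."""
        pw = resp(self.call)
        blob = seal(folder_key(pw, self.ip, sp.ip), {"password": pw, "txn": txn})
        reply = sp.receive(self.name, self.ip, blob)
        folder = open_folder(folder_key(pw, sp.ip, self.ip), reply) if reply else None
        if folder is None:
            return None
        self.call = folder["call"]
        return folder["result"]

def run(seed=3):
    """Two transactions in one session, then a folder injected from another address."""
    rng = random.Random(seed)
    sp = ServiceProvider("203.0.113.5", rng)
    alice = User("alice", "198.51.100.7", rng)
    if not alice.open_session(sp):
        return None
    r1 = alice.transact(sp, {"op": "transfer", "amount": 10})
    r2 = alice.transact(sp, {"op": "transfer", "amount": 20})
    spoof = sp.receive("alice", "192.0.2.9", b"not a folder")
    return r1, r2, spoof, sp.proof
```

The access restriction of step (a3) is modelled by mixing the two recorded addresses into the folder key, so a folder built for one address pair does not open for another, and the provider additionally refuses any folder whose source address differs from the one recorded at session start. Every proof entry pairs the Call with the Password that answered it, which is what gives the claim's "direct and computationally non intensive" trace from access to exit.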
30) I claim a method of authenticating and securing of every individual Internet/Network transaction of a Previously Unknown USER with different Password/Encryption Keys, generating said different Password/Encryption Keys from single Password/Encryption Key furnished at the beginning of a session by the Previously Unknown USER from a temporary authentication device, using Bilaterally Generated Encryption Key System, including implementing the method by means of a memory device, a data processor loaded with software implementing the method for Previously Unknown USER and SERVICE PROVIDER, connected by communication network {Fig. 7}, comprising steps of (a) Previously Unknown USER'S System using USER Agent Software, provided on request by SERVICE PROVIDER; (b) SERVICE PROVIDER and Previously Unknown USER/USER Agent Software (b1) recording their mutual Internet Protocol/Network addresses at the beginning of a session; (b2) placing all unexposed Calls, Password/Encryption Keys and file or message packets in to folders, exchanging the folders after encrypting and access restricting using the Call for a transaction for object exchange from Previously Unknown USER/USER Agent Software to SERVICE PROVIDER and the Password for a transaction for object exchange from SERVICE PROVIDER to Previously Unknown USER/USER Agent Software; (b3) access restriction and ensuring continuity of the link is by ensuring IP address from which the Previously Unknown USER/USER Agent Software or SERVICE PROVIDER are transacting remains the one and the same from beginning to end of session and by obtaining a variable Password/Encryption Key known only to Previously Unknown USER/USER Agent Software and SERVICE PROVIDER for each object exchanged from respective systems; (b4) confirming correctness of Calls, Password/Encryption Keys and allowing pre agreed number of chances to rectify; exiting upon failure to rectify or lapse of time or inability to open or decrypt folders; (b5) optionally checking objects exchanged before accepting, the checks are for compliance of regulations, contract conditions as agreed at the commencement of session, and freedom from undesirable programs like virus; (c) Previously Unknown USER requesting a known Internet SERVICE PROVIDER/Network server to facilitate transactions with an Unknown SERVICE PROVIDER, furnishing the domain name of the website or IP address of the SERVICE PROVIDER; (d) Internet SERVICE PROVIDER/Network server authenticating said USER with a Password from that USER'S account, conveying the request of the said USER, passing on the USER name, the IP address of the USER and USER data as required to that SERVICE PROVIDER; (e) SERVICE PROVIDER, (e1) considering the request; (e2) when unwilling to transact with that USER, conveying unwillingness through the Internet SERVICE PROVIDER/Network server to that USER; (e3) when willing to transact with that Previously Unknown USER, storing a newly assigned USER name, linked with validated USER data furnished by Internet SERVICE PROVIDER/Network server, IP address of the USER and IP address of Internet SERVICE PROVIDER/Network server for record; (e4) creating a folder containing temporary Sub Variable Character Set of at least eight Character Units and a Call for the Internet SERVICE PROVIDER or Network server, a sub folder for Previously Unknown USER containing temporary USER Name, temporary Sub Variable Character Set of at least eight Character Units having equal number of Basic Characters in all Character Units and a Call for at least four Character Units; (e5) encrypting and access restricting the subfolder to IP address of Previously Unknown USER as USER Name with a Password; (e6) sending the folder to Internet SERVICE PROVIDER or Network server; (f) Internet SERVICE PROVIDER/Network server conveying SERVICE PROVIDER'S unwillingness to USER or opening the folder, furnishing Password to SERVICE PROVIDER, passing on the subfolder to USER and exiting; (g) SERVICE PROVIDER checking Password from Internet SERVICE PROVIDER/Network server and upon finding it correct, sending the Password to open the subfolder directly to Previously Unknown USER; (h) Previously Unknown USER exiting on unwillingness of SERVICE PROVIDER to transact or opening the subfolder using Password received from SERVICE PROVIDER and obtaining temporary Sub Variable Character Set; (i) Previously Unknown USER accessing SERVICE PROVIDER'S website, recording IP address of SERVICE PROVIDER, furnishing USER Name, creating folder containing Password to the Call received in the subfolder, encrypting and access restricting as in step (b); sending the folder to SERVICE PROVIDER; (j) SERVICE PROVIDER verifying USER Name, recording IP address of USER, locating authentication device; upon finding the Password as correct, advising about successful authentication for that session, from when on that Previously Unknown USER becomes an authenticated but temporary USER to that SERVICE PROVIDER; (k) Previously Unknown USER authorising USER Agent Software to act further, passing on the Password and Call used for initial access; (l) USER Agent Software forming a Sub Variable Character Set of any Level, using all Character Units of the Password for initial access, assigning Serial Number of Character Units as Call for initial access or in a different manner and using it as the authentication device of that session;
31) The method of authenticating and securing of every individual Internet/Network transaction of a Previously Unknown USER as claimed in claim 30, further comprising the steps of (a) USER Agent Software seeking a Call; (b) SERVICE PROVIDER upon confirming the Internet Protocol/Network address of the USER Agent Software and temporary USER are same, creating a folder containing Call within the authentication device of the session, encrypting and access restricting the folder as in step (b) of claim 30, sending it to USER Agent Software; USER Agent Software opening and obtaining the Call for next transaction; (c) temporary USER creating Internet Contract/Network Transaction and passing on to the USER Agent Software; USER Agent Software checking for the origination of Internet Contract/Network Transaction from within temporary USER'S system such as: (c1) ensuring continuity of connection with SERVICE PROVIDER; (c2) ensuring the integrity of command to do the Internet Contract/Network Transaction, through checking the keyboard and other input entries; (c3) upon confirming the origination, the USER Agent Software, (c4) creating a folder containing Password/Encryption Key for the Call obtained in step (b) and the file or message packet containing the temporary USER'S Internet Contract/Network Transaction; (c5) encrypting and access restricting the folder as in step (b) of claim 30; (c6) sending the folder to SERVICE PROVIDER; (d) SERVICE PROVIDER opening and decrypting the folder, (d1) verifying Password/Encryption Key furnished by USER Agent Software; (d2) checking and processing the contents of file or message packet; (d3) responding by creating a folder containing Call for the next transaction and the file or message packet containing the SERVICE PROVIDER'S Internet Contract/Network Transaction; (d4) encrypting and access restricting the folder as in step (b) of claim 30; (d5) sending the folder to USER Agent Software; (e) USER Agent Software opening and decrypting the folder from SERVICE PROVIDER, checking and passing on the file or message packet to temporary USER; retaining the Call; (f) repeating steps (c) to (e) till the transactions are completed and exiting after advising SERVICE PROVIDER; (g) USER Agent Software performing further required steps as claimed in claim 27; (h) SERVICE PROVIDER keeping proof for every transaction of Previously Unknown USER including the USER name, the IP address of Previously Unknown USER, IP address of the Internet SERVICE PROVIDER/Network server authenticating said Previously Unknown USER, the date and time, the details of Internet Contract/Network Transaction, the Call and the Password/Encryption Key for each transaction; (i) providing direct and computationally non intensive means of tracing all actions/objects of a Previously Unknown USER/SERVICE PROVIDER from access to exit.
32) I claim the use of the symmetric encryption key system claimed in claims 1 to 31