1. User enters password → unlock secure key. 2. Server sends random nonce. 3. Client signs nonce with DK (Ed25519). 4. Server verifies signature with public key registered during enrollment. | Threat | Mitigation | |--------|-------------| | Keylogger captures password | Secure key seed required; password alone insufficient | | Phishing site | Token bound to origin (WebAuthn-like binding) | | Server database leak | Only public key or seed verifier stored, not seed | | Replay attack | Time window or nonce freshness | | Lost secure key | Recovery mnemonic (offline, high entropy) | 5. User Interface Design (Example) Setup screen:
Secure key storage: (✓) Use hardware security (TPM / Secure Enclave) ( ) Software encrypted vault
✅ Secure key created.
Name: Digital Secure Key Password (DSKP) Purpose: Generate, store, and authenticate using a time-based or event-based secure key that is mathematically bound to a user’s password, without transmitting the actual password.
POST /v1/dskp/recover
"client_nonce": "base64...", "signature": "base64..."
Recovery phrase (store offline): ┌─────────────────────────────────────┐ │ candle pilot storm bridge fish │ │ lunar kite brave frost draft │ └─────────────────────────────────────┘ digital secure key password
# For signature mode private_key = Ed25519PrivateKey.from_private_bytes(secure_key_seed) public_key = private_key.public_key()