Showing papers on "Password published in 2001"


Proceedings Article
13 Aug 2001
TL;DR: A statistical study of users' typing patterns is performed and it is shown that these patterns reveal information about the keys typed, and that timing leaks open a new set of security risks, and hence caution must be taken when designing this type of protocol.
Abstract: SSH is designed to provide a secure channel between two hosts. Despite the encryption and authentication mechanisms it uses, SSH has two weaknesses: First, the transmitted packets are padded only to an eight-byte boundary (if a block cipher is in use), which reveals the approximate size of the original data. Second, in interactive mode, every individual keystroke that a user types is sent to the remote machine in a separate IP packet immediately after the key is pressed, which leaks the interkeystroke timing information of users' typing. In this paper, we show how these seemingly minor weaknesses result in serious security risks. First we show that even very simple statistical techniques suffice to reveal sensitive information such as the length of users' passwords or even root passwords. More importantly, we further show that by using more advanced statistical techniques on timing information collected from the network, the eavesdropper can learn significant information about what users type in SSH sessions. In particular, we perform a statistical study of users' typing patterns and show that these patterns reveal information about the keys typed. By developing a Hidden Markov Model and our key sequence prediction algorithm, we can predict key sequences from the interkeystroke timings. We further develop an attacker system, Herbivore, which tries to learn users' passwords by monitoring SSH sessions. By collecting timing information on the network, Herbivore can speed up exhaustive search for passwords by a factor of 50. We also propose some countermeasures. In general our results apply not only to SSH, but also to a general class of protocols for encrypting interactive traffic. We show that timing leaks open a new set of security risks, and hence caution must be taken when designing this type of protocol.

573 citations


Book ChapterDOI
19 Aug 2001
TL;DR: It is shown that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method.
Abstract: We study the question of how to generically compose symmetric encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.

456 citations


Book ChapterDOI
TL;DR: The potential security holes in a biometrics-based authentication scheme are outlined, the numerical strength of one method of fingerprint matching is quantified, and how to combat some of the remaining weaknesses is discussed.
Abstract: In recent years there has been exponential growth in the use of biometrics for user authentication applications because biometrics-based authentication offers several advantages over knowledge and possession-based methods such as password/PIN-based systems. However, it is important that biometrics-based authentication systems be designed to withstand different sources of attacks on the system when employed in security-critical applications. This is even more important for unattended remote applications such as e-commerce. In this paper we outline the potential security holes in a biometrics-based authentication scheme, quantify the numerical strength of one method of fingerprint matching, then discuss how to combat some of the remaining weaknesses.

422 citations


Book ChapterDOI
06 May 2001
TL;DR: In this paper, a 3-round, password-authenticated key exchange protocol with human-memorable passwords was proposed, which is provably secure under the decisional Diffie-Hellman assumption.
Abstract: There has been much interest in password-authenticated key-exchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3,10,22]. Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] only proves that solutions are possible "in principle". The main question left open by their work was finding an efficient solution to this fundamental problem. We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than "standard" Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a "random oracle" assumption.

380 citations


Proceedings ArticleDOI
14 May 2001
TL;DR: The technique is sufficiently robust to enable the user to reliably regenerate the key by uttering her password again, and an empirical evaluation of this technique is described using 250 utterances recorded from 50 users.
Abstract: We propose a technique to reliably generate a cryptographic key from a user's voice while speaking a password. The key resists cryptanalysis even against an attacker who captures all system information related to generating or verifying the cryptographic key. Moreover, the technique is sufficiently robust to enable the user to reliably regenerate the key by uttering her password again. We describe an empirical evaluation of this technique using 250 utterances recorded from 50 users.

374 citations


Patent
24 Apr 2001
TL;DR: In this paper, the authentication service of the present invention allows a card issuer to verify a cardholder's identity using a variety of authentication methods, such as the use of passwords, and the only system participant requiring a certificate is the issuing financial institution.
Abstract: A payment authentication service authenticates the identity of a payer during online transactions. The authentication service of the present invention allows a card issuer to verify a cardholder's identity using a variety of authentication methods, such as the use of passwords. Also, the only system participant requiring a certificate is the issuing financial institution. One embodiment of the invention for authenticating the identity of a cardholder during an online transaction involves querying an access control server to determine if a cardholder is enrolled in the payment authentication service, requests a password from the cardholder, verifies the password, and notifies a merchant whether the cardholder's authenticity has been verified. In another aspect of the invention, a chip card and the authentication service independently generate cryptograms that must match in order for the service to verify that the correct chip card is being used by the cardholder.

361 citations


Patent
26 Feb 2001
TL;DR: In this article, a system and method for providing networked communication using a public safety answering point is described, where a participant can request bidirectional communications with an operator or with a predetermined user.
Abstract: A system and method for providing networked communication using a public safety answering point. In one embodiment, networked communications include providing access to an encrypted website, or page, that is customized for a particular emergency or security event. The website is accessible using an Internet address. In one embodiment, access to the website is subject to access control, such as a password. The website, and password, is available to dispatch operators and emergency response personnel in the field. In one embodiment, a participant can request bidirectional communications with an operator or with a predetermined user.

341 citations


Journal ArticleDOI
TL;DR: This work presents a remote password authentication scheme for multiserver environments that is a pattern classification system based on an artificial neural network that can withstand the replay attack.
Abstract: Conventional remote password authentication schemes allow a serviceable server to authenticate the legitimacy of a remote login user. However, these schemes are not used for multiserver architecture environments. We present a remote password authentication scheme for multiserver environments. The password authentication system is a pattern classification system based on an artificial neural network. In this scheme, the users only remember user identity and password numbers to log in to various servers. Users can freely choose their password. Furthermore, the system is not required to maintain a verification table and can withstand the replay attack.

324 citations


Patent
19 Apr 2001
TL;DR: In this paper, the authors describe a system for providing user logon and stateless authentication in a distributed processing environment, where a logon component verifies the provided information, and upon successful identification, a security context is constructed from information relevant to the user.
Abstract: Systems and methods for providing user logon and state-less authentication are described in a distributed processing environment. Upon an attempted access by a user to an online resource, transaction, or record, a logon component asks the user to supply a logon ID and a password. The logon component verifies the provided information, and upon successful identification, a security context is constructed from information relevant to the user. The security context is sent to the user and is presented to the system each time the user attempts to invoke a new resource, such as a program object, transaction, record, or certified printer avoiding the need for repeated logon processing.

296 citations


Patent
16 Jan 2001
TL;DR: In this article, a method and system for registering, storing and managing personal data for use over a network, and for allowing users to register for, link to and log onto third party Web sites is presented.
Abstract: A method and system for registering, storing and managing personal data for use over a network, and for allowing users to register for, link to and log onto third party Web sites. The invention queries a user for registration, authentication credentials information, such as user names, passwords, etc., for any type of application, and securely stores this data in a centralized user database. The invention prompts when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user. The invention further monitors a user's network browsing, detects when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user. The invention then securely transmits authentication credentials data for automatic login at third party Web sites.

223 citations


Patent
20 Jun 2001
TL;DR: In this article, a method and system for automatically configuring a hand-held electronic device for accessing a site on a public network is disclosed, which includes establishing a connection to a website server which is responsible for establishing and maintaining website accounts, and sending information uniquely identifying the electronic device to the website server.
Abstract: A method and system for automatically configuring a hand-held electronic device for accessing a site on a public network is disclosed. The method and system include establishing a connection to a website server, which is responsible for establishing and maintaining website accounts, and sending information uniquely identifying the electronic device to the website server. The server then sends user account information to the device, including an account ID and password, created based on the electronic device information. The user account information is then stored on the electronic device for use the next time the electronic device accesses the website, whereby the user does not have to enter account information in order to establish the ISP connection or the website account before accessing the public network.

Book ChapterDOI
19 Aug 2001
TL;DR: This work presents session-key generation protocols in a model where the legitimate parties share only a human-memorizable password and states that the security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel, and may omit, insert and modify messages at their choice.
Abstract: We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form "is w the password of Party A". We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.

Patent
31 May 2001
TL;DR: In this paper, the authors proposed a zero-knowledge password (ZKP) protocol to provide strong authentication using low-grade passwords that people can easily memorize, where a user chooses a password and constructs a master key composed of multiple shares.
Abstract: Systems, methods and software employ zero-knowledge password, ZKP, protocols to provide strong authentication using low-grade passwords that people can easily memorize. To enroll, a user chooses a password (201) and constructs a master key K composed of multiple shares. A set of random values, {y_1, y_2, ..., y_n}, is selected (202), and each share is computed as K_i = P^{y_i} in a suitable finite group. Each y_i value is distributed to the i-th one of N servers (203). To authenticate, the client chooses a random secret with each server. The client reconstructs K (203, 204), performs a validation test on K (206), and uses K to decrypt a private digital signature key U (208). When the validation test succeeds, the client signs a message with U that contains P and any other values sent by the client based on incorrect passwords entered by the same user (207). Each server verifies the signed message to authenticate the user, and to forgive the user for some reasonable number of mistakes. With knowledge of valid messages, mistakes and all, the server fine-tunes the accounting of bad access attempts. Password security is maintained in a very simple model, requiring no previously secured or server authenticated channel between the client and any servers.

Proceedings ArticleDOI
10 Sep 2001
TL;DR: It is argued that password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on users' willingness to make the extra effort that security-conscious behavior requires, and methods that can be used to persuade users to employ proper password practice.
Abstract: In the past, research on password mechanisms has focussed almost entirely on technical issues. Only in recent years has the security research community acknowledged that user behavior plays a part in many security failures, and that policies alone may not be sufficient to ensure correct behavior. We argue that password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on users' willingness to make the extra effort that security-conscious behavior requires. In most organizations, users cannot be forced to comply; rather, they have to be persuaded to do so. Ultimately, the mechanisms themselves, policies, tutorials, training and the general discourse have to be designed with their persuasive power in mind. We present the results of a first study that can guide such persuasive efforts, and describe methods that can be used to persuade users to employ proper password practice.

Patent
Burton S. Kaliski
12 Mar 2001
TL;DR: In this paper, the authors propose an approach for regenerating a strong secret for a user based on input of a weak secret, such as a password, assisted by communications exchanges with a set of independent servers, each server holds a distinct secret value (i.e., server secret data).
Abstract: Methods for regenerating a strong secret for a user, based on input of a weak secret, such as a password, are assisted by communications exchanges with a set of independent servers. Each server holds a distinct secret value (i.e., server secret data). The strong secret is a function of the user's weak secret and of the server secret data, and a would-be attacker cannot feasibly compute the strong secret without access to both the user's weak secret and the server secret data. Any attacker has only a limited opportunity to guess the weak secret, even if he has access to all messages transmitted in the generation and regeneration processes plus a subset (but not all) of the server secret data.

Patent
29 Nov 2001
TL;DR: In this article, the authentication method adopted by the present invention comprises: a step that forwards to a communication device of a user a registration identifier that identifies the user and/or the communication device by including the identifier in an address of registration screen peculiar to the user, and when the address is accessed, and a first password is entered and replied to the registration screen, authenticates the user based on the registration identifier and the first password.
Abstract: [PROBLEM] Person authentication and authentication device of the present invention aims at providing a user with services of easy, inexpensive, highly secure, and reliable person authentication. [MEANS TO SOLVE THE PROBLEMS] Authentication method adopted by the present invention comprises: a step that forwards to a communication device of a user a registration identifier that identifies the user and/or the communication device by including the identifier in an address of registration screen peculiar to the user and/or the communication device; and a step that, when the address is accessed, and a first password is entered and replied to the registration screen, authenticates the user based on the registration identifier and the first password; and a step that sends a login screen display to the user when the authentication step is successful, which the step is comprised of a step where the login screen display comprises a field for entering a second password, and a login identifier to identify the user and/or the communication device; and a step that authenticates the user based on the login identifier contained in the login screen display replied by the user, and the second password.

Proceedings ArticleDOI
14 May 2001
TL;DR: A simple technique by which a device that performs private key operations in networked applications and whose local private key is activated with a password or PIN can be immunized to offline dictionary attacks in case the device is captured is presented.
Abstract: We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device, but rather exploit the networked nature of the device, in that the device's private key operations are performed using a simple interaction with a remote server. This server, however, is untrusted (its compromise does not reduce the security of the device's private key unless the device is also captured) and need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightful owner of a stolen device can disable the device's private key even if the attacker already knows the user's password.

Patent
12 Mar 2001
TL;DR: In this paper, a system for the secure transfer of data and data management on the Internet has a data encryption and transfer module operable in a user computing system and a data management module operable in a server computing system.
Abstract: A system for the secure transfer of data and data management on the Internet has a data encryption and transfer module operable in a user computing system, a data management module operable in a server computing system, the transfer of data between the user and the server computing systems being effected on the user computing system through use of the data encryption and transfer module, by moving the data to or from a first desktop window, associated with the user computing system, from or to a second desktop window, associated with the server computing system, each window being associated with a password, such that the step of moving the data from one window to the other causes the data to be encrypted/re-encrypted from one associated password to the other.

Journal ArticleDOI
TL;DR: This work proposes a secure three-party EKE protocol without server public-keys, suitable for applications requiring secure communications between many light-weight clients (end users), including environments where the use of server public-keys is impractical.
Abstract: Three-party key-exchange protocols with password authentication (clients share an easy-to-remember password with a trusted server only) are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. Steiner, Tsudik and Waidner (1995) proposed a realization of such a three-party protocol based on the encrypted key exchange (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. Lin, Sun and Hwang (see ACM Operating Syst. Rev., vol. 34, no. 4, p. 12-20, 2000) proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. We propose a secure three-party EKE protocol without server public-keys.

Patent
19 Oct 2001
TL;DR: A password interface application as discussed by the authors presents successive arrays of images or other sensory cues for display or playback on a client device, where a user selects, or simply recognizes, one object from each of the successively presented arrays, wherein after recognizing the object subsequent arrays are presented for defining a complete password.
Abstract: A password interface application (1) presents successive arrays of images or other sensory cues (4) for display or playback on a client device. A user selects, or simply recognizes, one object from each of the successively presented arrays, wherein after recognizing the object subsequent arrays are presented for defining a complete password. Unlike image based authentication systems in which a graphic method merely replaces original username/password pair authentication, a client system is used which helps a user to recall a forgotten password without requiring modification to server software, such as a secure web server (3). Thus existing ATMs (2), online or telephone banking services, and the like, can function as is. The system provides enhanced security because, although people can possibly eavesdrop on the images or sensory cues selected, they cannot see into the user's mind to comprehend the password that the user recognizes.

Patent
28 Jun 2001
TL;DR: In this paper, a method for communicating passwords includes receiving at a server a challenge from an authentication server via a first secure communication channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, and the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form.
Abstract: A method for communicating passwords includes receiving at a server a challenge from an authentication server via a first secure communications channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to the random password and the private key, and communicating the challenge response from the server to the authentication server via the first secure communications channel, wherein the random password is activated when the authentication server verifies the challenge response.

Patent
09 May 2001
TL;DR: In this article, a file encryption unit generates a file key arbitrarily, encrypts the file key using the key information and encrypts a plaintext using the encrypted file key to generate a ciphertext.
Abstract: A password registration unit encrypts key information using an input password, and stores the generated encrypted key as a file into a computer. A file encryption unit generates a file key arbitrarily, encrypts the file key using the key information, encrypts a plaintext using the file key to generate a ciphertext, and stores an encrypted file including the encrypted file key in its header part and the ciphertext in its data part. A file decryption unit decrypts the encrypted file key using the key information to obtain a file key, or receives an input of a password, decrypts the encrypted key using the password to obtain key information, and decrypts the encrypted file key using the key information to obtain a file key. The file decryption unit then decrypts the ciphertext using the obtained file key.

Patent
19 Mar 2001
TL;DR: A card settlement method using a mobile information terminal provided with an IC card read/write function and a wireless communication function for the settlement of a transaction in a business establishment is described in this paper.
Abstract: A card settlement method using a mobile information terminal provided with an IC card read/write function and a wireless communication function for the settlement of a transaction in a business establishment, comprising a step of having a customer using a business establishment wirelessly connect to an authorization server through a network by the mobile information terminal, a step of having the customer load his or her IC card in the mobile information terminal, read the information stored in this IC card, and send it to the authorization server, a step of having the authorization server decide on the authorization of the current transaction from authentication information stored in the IC card and proving the legitimacy of the card, settlement information containing at least a card number, and personal identification information input from the customer and proving the legitimacy of the customer, a step of sending a temporary password issued from a settlement server to the mobile information terminal for display after the authorization of the current transaction, a step of inputting the temporary password and the current transaction information from a business establishment side settlement terminal and sending it to the settlement server, and a step of having the settlement server settle the transaction with the password and the transaction information satisfying the settlement conditions.

Patent
23 Oct 2001
TL;DR: In this article, a trusted computer network is protected behind a gateway that includes a bastion host and screening router which blocks all URLs associated with the trusted network, and authentication is performed using one-time passwords that are stored on a portable storage device.
Abstract: The trusted computer network is protected behind a gateway that includes a bastion host and screening router which blocks all URLs associated with the trusted network. The bastion host includes a remote client authentication mechanism and web proxy component that verifies and translates incoming URL requests from authenticated remote clients. Authentication is performed using one-time passwords that are stored on a portable storage device. The user configures the portable storage device by operating configuration software from the protected side of the gateway. The portable storage device also stores plug-in software to enable the client computer to properly retrieve the one-time password and exchange authentication messages with the bastion host. Further security is obtained by basing the one-time password on an encrypted version of the user's PIN. A symmetric key used to encrypt the PIN is stored in a protected area within the portable storage device.

Book ChapterDOI
08 Apr 2001
TL;DR: This work presents a multi-server roaming protocol in a simpler model without this need for a prior secure channel, which requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.
Abstract: Safe long-term storage of user private keys is a problem in client/server systems. The problem can be addressed with a roaming system that retrieves keys on demand from remote credential servers, using password authentication protocols that prevent password guessing attacks from the network. Ford and Kaliski's methods [11] use multiple servers to further prevent guessing attacks by an enemy that compromises all but one server. Their methods use a previously authenticated channel which requires client-stored keys and certificates, and may be vulnerable to offline guessing in server spoofing attacks when people must positively identify servers, but don't. We present a multi-server roaming protocol in a simpler model without this need for a prior secure channel. This system requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.


Patent
04 Sep 2001
TL;DR: In this article, a computer system network over the internet to allow users to purchase and print instrument of entitlements for goods and services in one website such as a ticket is presented, where users are provided with the opportunity to protect their tickets using personal identification such as passwords to activate the tickets on presentation.
Abstract: A computer system network over the internet to allow users to purchase and print instrument of entitlements for goods and services in one website such as a ticket. Users can pay using credit cards or internet bank transfer which is automated by the host computer and causes the account to be debited and prints the said instrument. Users are provided with the opportunity to protect their tickets using personal identification such as passwords to activate the tickets on presentation. The host computer informs the merchants of the issued ticket which will be presented at their premises. Merchants can authenticate the ticket holder by reading the bar codes printed using a bar code reader and by inputting the identification number of the ticket which is linked to a personal identification password over the computer network. The ticket expires in full once activated by this password at the point of exchange for goods or services.

Patent
17 Dec 2001
TL;DR: In this article, a method, system, and program providing identification usage fraud protection are provided, where a context for a use of an identification via a communication line is detected at a fraud protection service.
Abstract: A method, system, and program providing identification usage fraud protection are provided. A context for a use of an identification via a communication line is detected at a fraud protection service. The context for use of the identification is analyzed in view of multiple previous uses of the identification. A level of suspicion of fraudulent use of the identification is specified according to the analysis of the context. Depending on the level of suspicion, further use of the identification may require additional authentication or may be barred. The identification may include a user name, an account number, a password, or other identifier that may be utilized to represent an individual in accessing products and services.

Patent
Jose F. Bravo, Thomas A. Covalla
24 May 2001
TL;DR: In this paper, a method and apparatus for preventing unauthorized access to a restricted item using a cellular telephone that has been previously associated with a user, for example, during a registration process are disclosed.
Abstract: A method and apparatus are disclosed for preventing unauthorized access to a restricted item using a cellular telephone that has been previously associated with a user, for example, during a registration process. The user is initially identified, for example, by entering a password, and a one-time pseudo-random token is provided to the user using a first communication channel. The user is requested to dial a telephone number associated with an access control service using a cellular telephone that has been previously associated with the user and enter the assigned token. The user obtains access to the restricted item if the assigned token is entered from a cellular telephone having a serial number that has been previously associated with the particular user.

Patent
05 Feb 2001
TL;DR: A loan application and payment system for lenders and builders uses the steps of: establishing an electronic database on a host server by a lender; obtaining credit approval by a builder from the lender; sending an account number and a password by the lender to the builder when the builder has been approved for credit; accessing a construction project account in the electronic database by entering the account number as discussed by the authors.
Abstract: A loan application and payment system for lenders and builders uses the steps of: establishing an electronic database on a host server by a lender; obtaining credit approval by a builder from the lender; sending an account number and a password by the lender to the builder when the builder has been approved for credit; accessing a construction project account in the electronic database by entering the account number and the password; entering and submitting electronically information related to the construction project; determination of approval of construction loan by the lender based on the information related to the construction project; applying for an application for payment if the construction loan is approved; and transferring monetary funds to the builder after application for payment is submitted and approved.