WO2013183010A1 - Auxiliary input device for encrypted data entry - Google Patents
- Publication number: WO2013183010A1 (application PCT/IB2013/054626)
- Authority: WO, WIPO (PCT)
- Prior art keywords: input device, auxiliary input, user, user input, auxiliary
Classifications
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
        - G06F3/01—Input arrangements or combined input and output arrangements for interaction between user and computer
          - G06F3/02—Input arrangements using manually operated switches, e.g. using keyboards or dials
            - G06F3/0202—Constructional details or processes of manufacture of the input device
              - G06F3/0219—Special purpose keyboards
            - G06F3/023—Arrangements for converting discrete items of information into a coded form, e.g. arrangements for interpreting keyboard generated codes as alphanumeric codes, operand codes or instruction codes
              - G06F3/0231—Cordless keyboards
          - G06F3/048—Interaction techniques based on graphical user interfaces [GUI]
            - G06F3/0487—Interaction techniques based on graphical user interfaces [GUI] using specific features provided by the input device, e.g. functions controlled by the rotation of a mouse with dual sensing arrangements, or of the nature of the input device, e.g. tap gestures based on pressure sensed by a digitiser
              - G06F3/0488—Interaction techniques based on graphical user interfaces [GUI] using specific features provided by the input device, e.g. functions controlled by the rotation of a mouse with dual sensing arrangements, or of the nature of the input device, e.g. tap gestures based on pressure sensed by a digitiser using a touch-screen or digitiser, e.g. input of commands through traced gestures
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
            - G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
              - G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
        - G06F21/60—Protecting data
          - G06F21/606—Protecting data by securing the transmission between two devices or processes
        - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
          - G06F21/82—Protecting input, output or interconnection devices
            - G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
      - G06F2203/00—Indexing scheme relating to G06F3/00 - G06F3/048
        - G06F2203/048—Indexing scheme relating to G06F3/048
          - G06F2203/04809—Textured surface identifying touch areas, e.g. overlay structure for a virtual keyboard
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
          - G06F2221/031—Protect user input by software means
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/12—Details relating to cryptographic hardware or logic circuitry
          - H04L2209/127—Trusted platform modules [TPM]
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    - Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
      - Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
        - Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Definitions
- Advances in mobile devices such as mobile phones have enabled users to conduct internet banking and payment transactions from their web-enabled mobile devices.
- A user can access an online banking website through the web-enabled mobile device and log onto the user's account to check the account balance, transfer money or make payments.
- A user can also access a merchant's website through the web-enabled mobile device and purchase goods or services, such as mobile phone applications or other commodities, directly from the merchant.
- In order to access a user's bank account or conduct a financial transaction with a merchant, the user will have to enter his or her bank credentials on the keypad of the mobile device, which may be in the form of a conventional keypad, such as that of a feature phone, or alternatively a touch-sensitive keypad on a display of a smart phone.
- The operating system (OS) of the mobile device and software running on the OS often lack sufficient security measures to ensure adequate protection of sensitive data, such as a user's bank credentials.
- Mobile device anti-virus software, firewalls and the like may insufficiently protect mobile device users from malicious attacks by third parties.
- These third parties may be able to compromise the OS of a mobile device and may gain access, without the user's knowledge, to confidential information such as a password or PIN entered by a user when the user conducts financial transactions or accesses his or her bank account.
- Such attacks may be so-called "man-in-the-middle attacks" because the third party is able to access the information between the point at which it is input and the point at which it is transmitted through a secure channel. The third party may then be able to access the user's bank account or use the confidential information either without the user's knowledge or with the user becoming aware of the unauthorized use only at a time when the transaction has already been concluded. There is therefore an inherent risk that a user's bank credentials will be compromised when an unsecured device such as a mobile device is used to conduct financial transactions or access a bank account.
- Other input devices, such as the remote controls of web-enabled televisions or the keyboards of desktop computers, may also be vulnerable to man-in-the-middle attacks.
- The invention provides an auxiliary input device for securely inputting data into an electronic device which has its own existing primary input device, comprising: a user interface configured to accept user input; a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
- Further features of the invention provide for the communication interface to be configured to transmit the encrypted user input to a secure processor of the electronic device which is capable of decrypting the encrypted user input; for the HSM to be configured to be paired with an HSM of the secure processor during transmission of the encrypted user input by the communication interface to the secure processor; for the encrypted user input to optionally be communicated onwards by the electronic device to a remote device or system capable of decrypting the encrypted user input; and for the electronic device to be configured to zone translate the encrypted user input before on-forwarding it to a secure gateway or bank server for decryption and authentication.
- Still further features provide for the auxiliary input device to be a thin multi-layer film configured to be adhered to a surface by means of an adhesive backing layer, and to include a touch-sensitive layer which forms the user interface; for the multi-layer film to be transparent and configured to overlay a display screen of the electronic device; for the touch-sensitive layer to be a quantum tunneling composite layer; and for the multi-layer film to include a display layer which is configured to visually display keys, optionally in randomized fashion.
- Yet further features provide for the auxiliary input device to include a power harvesting component; for the power harvesting component to be configured to utilize radio frequency signals from the electronic device to power the user interface, HSM and communication interface; and for the power harvesting component to include one or more photovoltaic cells.
- Further features provide for the device to be configured to record behavioural characteristics with which the user input is entered; for the behavioural characteristics to include at least a pattern with which the user input has been entered; for the pattern to be used to authenticate the user input; for at least the user interface to be configured to enter a first, operative state upon receiving a first control signal, and a second, inoperative state upon receiving a second control signal; and for the user interface entering the operative state to correspond to the primary input device entering an inoperative state, and the user interface entering an inoperative state to correspond to the primary input device entering an operative state, so that only one of the user interface and the primary input device is in an operative state at any given time.
- One embodiment of the invention provides for the electronic device to be a mobile communication device, in which case the existing primary input device is a keypad or touch interface of the mobile communication device.
- An alternative embodiment of the invention provides for the electronic device to be a personal computer, in which case the existing primary input device is a keyboard of the personal computer.
- This embodiment further provides for the communication interface to be configured to communicate with a secure communication module of the personal computer over a wireless communication link; for the secure communication module to be a Bluetooth dongle operating with the personal computer; for the wireless communication link to be a Bluetooth link; and for the Bluetooth dongle to include an integrated HSM configured to at least partially decrypt the encrypted user input.
- Still further embodiments of the invention provide for the auxiliary input device to be associated with a secondary electronic device which is in data communication with the electronic device; for the secondary electronic device to be an electronic wristwatch; or for the auxiliary input device to be incorporated in a protective housing of a mobile communication device.
- The invention also provides a system for securely inputting and communicating user input, comprising: an electronic device which has its own existing primary input device; and an auxiliary input device including: a user interface configured to accept user input; a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
- A further feature of the invention provides for the system to include a remote device or system configured to decrypt the encrypted user input.
- The invention still further provides a method for securely receiving and communicating user input comprising the steps of: receiving the user input at a user interface of an auxiliary input device; encrypting the received user input at a hardware security module (HSM) of the auxiliary input device before the user input is transmitted from the auxiliary input device; and transmitting the encrypted user input to an electronic device with a communication interface of the auxiliary input device, such that the encrypted user input bypasses an existing primary input device of the electronic device.
- A further feature of the invention provides for the method to include the step of on-forwarding the encrypted user input from the electronic device to a remote device or system configured to decrypt the encrypted user input.
- Further features provide for the electronic device to be a mobile device, a web-enabled television or a computer; for the user input to include sensitive data such as bank credentials; and for the communication interface to be a wireless communication interface selected from: Wi-Fi, Bluetooth, RFID, ANT+, global system for mobile telecommunications (GSM), universal mobile telecommunication system (UMTS) or any other such wireless communication signals.
- Figure 1A illustrates a diagram of an exemplary auxiliary input device according to an embodiment of the invention, shown in communication with an electronic device;
- Figure 1B illustrates a diagram of an exemplary auxiliary input device according to an embodiment of the invention in communication with an alternative electronic device;
- Figure 2 illustrates a flow diagram of a method of using the auxiliary input device of the invention for secure data entry;
- Figure 3A illustrates an auxiliary input device formed as a multi-layer film according to one embodiment of the invention;
- Figure 3B illustrates the auxiliary input device of Figure 3A overlaying a display screen of a mobile device;
- Figure 3C illustrates an exploded plan view of the auxiliary input device of
- Figure 3D illustrates the auxiliary input device of Figure 3B with the mobile device displaying keys on its display screen while an auxiliary input device is positioned over it;
- Figure 4A illustrates an exploded plan view of an auxiliary input device formed as a multi-layer film according to another embodiment of the invention;
- Figure 4B illustrates the auxiliary input device of Figure 4A overlaying a display screen of a mobile device;
- Figure 5 illustrates a flow diagram of a method of using the auxiliary input device according to embodiments of the invention for secure transacting;
- Figure 6 illustrates a block diagram showing components of an exemplary mobile device with which various embodiments of the invention can be implemented;
- Figure 7 illustrates a diagram of an auxiliary input device according to the invention secured to an inside of a protective cover for a mobile device according to a further embodiment of the invention;
- Figure 8 illustrates a diagram showing an auxiliary input device secured over the screen of a wristwatch in accordance with an embodiment of the invention;
- Figure 9 illustrates a flow diagram showing communication between the auxiliary input device of Figure 8 and an electronic device; and
- Figure 10 illustrates a diagram showing an auxiliary input device in use with a personal computer as the electronic device in accordance with a further embodiment of the invention.
- Embodiments of the invention provide an auxiliary input device for encrypted data entry.
- The auxiliary input device includes a user interface to accept user input, a hardware security module (HSM) directly coupled to the user interface to encrypt the user input before it is transmitted from the device, and a communication module to send the encrypted user input to a device or system able to decrypt the encrypted user input.
- When a user inputs data into the user interface, such as account credentials, the data is encrypted by the HSM of the auxiliary input device before being processed by any other downstream software or hardware, thereby preventing the user input from being exposed or otherwise in the clear until it reaches the target device or system for decryption.
- Figure 1A illustrates a block diagram of an exemplary auxiliary input device (100) according to one embodiment of the invention.
- The auxiliary input device (100) includes a user interface (102) in the form of a number of key-defining areas (104), an HSM (106), and a communication interface (108). While the user interface (102) of Figure 1A is a numeric keypad, the user interface (102) can take any form including, for example, a full size QWERTY keyboard.
- The HSM (106) is directly coupled between the user interface (102) and the communication interface (108) and is configured to encrypt user input received at the user interface (102) and output encrypted data.
- The user input may include sensitive data such as bank account credentials, personal identification numbers (PINs), passwords or any message which the user wishes to keep confidential.
- The HSM (106) may encrypt the user input using the Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard/Algorithm (TDES/TDEA), Secure Sockets Layer (SSL), Blowfish, Serpent, Twofish, International Data Encryption Algorithm (IDEA), Rivest, Shamir & Adleman (RSA), Digital Signature Algorithm (DSA), Tiny Encryption Algorithm (TEA), extended TEA (XTEA), and/or other encryption algorithms or protocols.
- The HSM (106) provided in the auxiliary input device (100) is different from devices that may solely use software to encrypt input data.
- A device that solely uses software to encrypt communications may comply with only security level 1 of the Federal Information Processing Standard 140-2 (FIPS 140-2), which provides only a minimum level of security to protect sensitive information.
- The HSM within an auxiliary input device according to embodiments of the invention is compliant with at least security level 2 of the FIPS 140-2 standard.
- In embodiments of the invention, the HSM within the auxiliary input device is compliant with security level 3 or level 4 of FIPS 140-2.
- The HSM (106) uses hardware to encrypt data instead of solely performing the encryption in software and, as mentioned, is directly coupled to the user interface (102) such that information entered into the user interface (102) may be encrypted immediately upon, or directly after, entry, before being transmitted from the device or otherwise passed to any downstream software or hardware.
- The HSM (106) provides secure key management: it generates cryptographic keys, sets the capabilities and security limits of keys, implements key backup and recovery, prepares keys for storage and performs key revocation and destruction.
- The HSM (106) is implemented as a dual processor device that includes a secure processor with secure storage and a public processor with storage.
- The secure processor may be a cryptoprocessor and may have a cryptographic arithmetic logic unit (ALU) which is optimized for performing certain cryptographic functions.
- The HSM (106) may also include a physical or logical separation between interfaces that are used to communicate critical security parameters and other interfaces that are used to communicate other data.
- The HSM (106) can also provide a tamper-proof mechanism that creates a high risk of destroying the HSM (106) and the cryptographic keys stored therein if any attempt is made to remove or externally access the HSM (106).
- The communication interface (108) is configured to send the encrypted data to an authorized device.
- This communication interface may provide a wireless communication channel via, for example, Wi-Fi, Bluetooth, RFID, ANT+, global system for mobile telecommunications (GSM), universal mobile telecommunication system (UMTS) or any other such wireless communication protocol.
- Alternatively, the communication channel may be a wired communication channel.
- The communication interface (108) is paired to a hardware security module (HSM) of an electronic device via a wireless communication channel (116).
- The auxiliary input device (100) could, for example, be a full size QWERTY keyboard connected to an electronic device, such as a desktop PC, by a cable.
- The HSM (106) and communication interface (108) could be a single unit, for example a wireless chip on board an HSM chip.
- The electronic device illustrated in Figure 1A is a mobile device (112), which may be any suitable mobile device, such as a mobile phone, smart phone, feature phone, tablet computer, personal digital assistant or the like. In other embodiments, the electronic device may be any other electronic device capable of wired or wireless communication, such as a web-enabled television, a laptop, desktop or other computer or device.
- The electronic device may also be a smart wrist-watch, in this embodiment referred to as a secondary electronic device, which is configured to communicate wirelessly with the electronic device serving as a primary device, such as a mobile phone, smart phone, feature phone, tablet computer, personal digital assistant or the like.
- Embodiments of the invention provide for a software application to be resident on the electronic device which allows users to interface with the auxiliary input device (100) coupled thereto.
- The software application may provide: a user interface to pair the auxiliary input device (100) to the electronic device (112); an option to enable and disable the auxiliary input device (100); an option to initiate financial transactions; or the like.
- The user interface may include a menu from which at least some of these communications can be initiated.
- Embodiments of the invention further provide for such an interface to be provided by a SIM Application Toolkit protocol (commonly referred to as the STK protocol) implementation or the like.
- The mobile electronic device (112) illustrated in Figure 1A does not have an integrated HSM. Instead, the HSM is implemented as a cryptographic expansion device which may be implemented as an adhesive label with embedded processors. Such a cryptographic expansion device (110) provides an HSM (111) to electronic devices, such as the mobile device (112) illustrated in Figure 1A, which do not have an integrated HSM.
- The cryptographic expansion device is applied directly to a SIM card (114) that can be inserted into the mobile device (112). Once fitted onto a SIM card, the combination of the cryptographic expansion device (110) adhering to the SIM card (114) can be inserted into a SIM card slot of the mobile device (112).
- The cryptographic expansion device HSM (111) enables the phone (112) to send and receive encrypted messages by using the capabilities of the SIM card to transmit encrypted data.
- The cryptographic expansion device HSM (111) includes a public section and a security section, each of which corresponds to a processor on the adhesive label.
- The operations of the security section are handled by a security processor and the operations of the public section are handled by a public processor.
- The security processor is only exposed to the public processor and acts in strict accordance with HSM standards, i.e. the secure processor only responds to encryption and decryption attempts; no further information is offered to the public processor.
- The cryptographic expansion device HSM (111) includes its own communication interface and is adapted to receive communication from the communication interface (108) of the auxiliary input device (100) by means of a communication channel (116) which is completely independent of any communication channel provided by the mobile device.
- The communication channel (116) could be a wired channel.
- Alternatively, the communication channel is a wireless communication channel which may be a Wi-Fi, Bluetooth, RFID, ANT+, GSM, UMTS or any other such wireless communication channel.
- The communication interface (108) may be capable of bi-directional communication with the paired HSM (111) of the cryptographic expansion device (110).
- The HSM (111) of the cryptographic expansion device is operable to perform zone translation of the encrypted user input (if required) and to forward the encrypted user input to a secure gateway or bank's server (120) where it is decrypted and the user input authenticated.
- Communication between the HSM (111) of the cryptographic expansion device and the bank server (120) preferably takes place through a mobile telecommunication network (122).
- An encrypted communication channel is therefore established from the point at which the user input is keyed into the user interface (102) of the auxiliary input device (100) until it reaches the secure gateway or bank's server (120).
- Figure 1B illustrates the same auxiliary input device (100) as in Figure 1A.
- The mobile device (113) in Figure 1B differs from that of Figure 1A in that it has an integrated HSM (115).
- The auxiliary input device (100) is the same as that which has been previously described, and contains its own HSM (106) and communication component (108).
- The HSM (106) of the auxiliary input device (100) is in communication with the HSM (115) of the mobile device (113) via a communication channel (117) between the communication component (108) of the auxiliary input device (100) and a communication component (not shown) of the mobile device (113).
- The communication link (117) may, for example, be via Wi-Fi, NFC, Bluetooth, RFID, ANT+, infrared, universal serial bus (USB), Ethernet, GSM, UMTS or any other such communication link.
- The user input which is encrypted by the HSM (106) of the auxiliary input device (100) is thus communicated to the HSM (115) of the mobile device (113), from where it is communicated to a server of a bank (120), preferably over a mobile telecommunication network (122).
- The mobile device (113) of Figure 1B could be any suitable electronic device.
- In other embodiments, an electronic device with which the auxiliary input device (100) is in communication does not have its own HSM, but simply forwards the entered data encrypted by the auxiliary input device to, for example, a bank or financial institution server (120).
- The auxiliary input device (100) can take various forms.
- In one form, the auxiliary input device is a handheld device which forms a secure personal PIN entry device (PPED).
- A user is able to securely enter sensitive information by first pairing the auxiliary input device (100) with an electronic device such as a cryptographic expansion device-enabled mobile device (112) or an HSM-enabled mobile device (113), and then entering the sensitive information on the auxiliary input device (100), rather than entering the information on an existing keypad of the mobile device (for example, the keypad provided on a touch-sensitive screen (118) of the mobile device) which may be vulnerable to man-in-the-middle attacks.
- The handheld auxiliary input device then communicates the encrypted sensitive information directly to the paired HSM (111, 115) of the mobile device (112, 113), bypassing the primary input device (118, 119) and associated internal software of the mobile device (112, 113) and thereby circumventing a man-in-the-middle attack.
- FIG. 2 illustrates a block diagram showing a method of using the auxiliary input device of the invention for secure data entry in a scenario in which a user (250), having an auxiliary input device (200) (in this embodiment a keypad) according to the foregoing description wishes to, for example, transact with a bank using his or her mobile phone (212).
- a user 250
- having an auxiliary input device (200) in this embodiment a keypad
- the user selects an option to scan for and pair to any proximate auxiliary input devices.
- the user (250) then enters a PIN on his or her mobile phone (212) at step (254).
- step (256) the user (250) enters the same pairing PIN on the auxiliary input device (200) to pair it to the mobile phone (212).
- the user then navigates to, for example, a mobile banking website of a bank through which the user (250) wishes to transact at step (258).
- the banking website prompts the user for personal credentials, such as a user name, profile number, account number, PIN, password or the like at step (258).
- the user (250) enters this information at step (260) using the auxiliary input device (200) which encrypts the information immediately after entry and then communicates the encrypted credentials to the mobile phone over the paired communication channel at step (262).
- the mobile phone (212) in turn receives and communicates the encrypted credentials via, for example, a mobile telecommunications network, to a bank server (220) at step (264), which in turn receives and decrypts the encrypted credentials at step (266) and uses them to validate the user's session on the mobile phone (212) at step (268).
- Figures 3A to 3D illustrate another embodiment of an auxiliary input device according to the invention in which the auxiliary input device is implemented as a multi-layer film (302).
- the multi-layer film (302) includes an integrated circuit (304) and a power harvesting component (306).
- the multi-layer film (302) can be attached to a surface of an electronic device.
- the multi-layer film (302) is transparent and can be adhesively attached to a display screen (318) of a mobile device (312) so as to overlay the screen, in a manner similar to a transparent screen protector.
- Figure 3A shows the multi-layer film (302) being brought into proximity with the display screen (318), while Figure 3B shows the multi-layer film (302) adhesively attached to and overlaying the display screen (318).
- the integrated circuit (304) is embedded in the multi-layer film (302) and includes an HSM and a communication interface, as previously described with reference to Figure 1A.
- the power harvesting component (306) is also embedded in the multi-layer film (302).
- the power harvesting component (306) is able to utilize signals emanating from the mobile device to provide power to the integrated circuit (304), and may operate by harvesting energy from wireless communication signals of the mobile device (318).
- wireless communication signals may include Wi-Fi, Bluetooth, RFID, ANT+, GSM, UMTS or any other such wireless communication signals.
- the power harvesting component (306) may harvest power from NFC communication signals provided by the mobile device (312).
- the power harvesting component (306) could be a photovoltaic cell which is able to transform solar energy into stored electrical energy.
- the power harvesting component (306) may be a kinetic power harvesting component, configured to harvest power from kinetic energy, or a piezoelectric power harvesting component.
- the multi-layer film (302) may include a piezoelectric layer such that the power harvesting component (306) is able to harvest power from a user's key pressing action.
- Figure 3C illustrates a block diagram of a deconstructed multi-layer film (302) illustrated in Figures 3A and 3B.
- the multi-layer film (302) includes three layers: a first, adhesive layer (308), a second, touch-sensitive layer (310) and a third, protective layer (312).
- the touch-sensitive layer (310) has the integrated circuit (304) and power harvesting component (306) embedded therein, and has a number of touch-sensitive zones (314) provided thereon.
- the integrated circuit (304) is connected to each of the zones (314) by conductive paths formed in the multi-layer film.
- the touch-sensitive layer (310) may be any appropriate touch-sensitive layer such as a capacitive or resistive touch-sensitive layer.
- a resistive touch-sensitive layer, for example, has two further layers, each of which is transparent and electrically resistive, separated by a space.
- One such electrically resistive layer has conductive connections along, for example, its vertical sides, while the other has conductive connections along, for example, its horizontal sides.
- a voltage is applied in quick succession to the conductive connections of a first electrically resistive layer and then to those of a second electrically resistive layer. At the same time, a voltage is sensed on the second electrically resistive layer and then on the first electrically resistive layer.
- the touch-sensitive layer (310) may be a quantum tunneling composite (QTC) overlay.
- QTC overlay is able to recognize user gestures or motions in three dimensions. For example, in addition to detecting a horizontal axis position and a vertical axis position, the QTC overlay can also detect a force with which the user presses the QTC overlay corresponding to a depth.
- a QTC overlay consists of a plurality of transparent layers including two conductive layers, a quantum layer and glass layers. The quantum layer is typically sandwiched between the conductive layers and contains nanoparticles which, because of quantum tunneling effects, allow charge to pass through the quantum layer from one conductive layer to the other in response to a compressive force.
- the amount of charge which is able to pass through the quantum layer is related to the compressive force applied to the quantum layer.
- QTC overlays can sense deflections through glass of just a few thousandths of a millimeter. Another advantage of a QTC overlay is that in an inactive state, no electrical power is consumed. Electrical power is only consumed by the QTC overlay when a compressive force is applied, for example when a user touches the QTC overlay.
- the multi-layer film (302) is transparent and, when overlaying the display screen (318) of the mobile device (312), the images displayed on the screen (318) of the mobile device (312) are arranged to appear directly below the zones (314) of the touch-sensitive layer.
- the images displayed on the screen may be images of keys (316) of a keypad, as shown in Figure 3D.
- the images of keys (316) are displayed on the display (318) such that they correspond to the values allocated to zones (314) of the overlaid multi-layer film (302).
- the user may be visually guided in pressing a zone (314) of the multi-layered film (302) which corresponds to a desired input value.
- the touch-sensitive layer (310) of the multi-layer film (302) will detect a user's touch in a zone (314) and communicate a signal corresponding to the zone (314) to the integrated circuit (304).
- the integrated circuit may interpret a signal received from the touch-sensitive layer (310) as corresponding to a user's touch in a predefined zone.
- the integrated circuit will then encrypt the signals using the HSM and transmit the encrypted signal to a paired HSM using the communication interface as previously described.
- the touch-sensitive layer (310) illustrated in Figure 3C has only a few, large touch-sensitive zones (314). In some embodiments of the invention the touch-sensitive layer (310) may have many very small zones which may be difficult to discern.
- the zones may rather be defined by software running on the integrated circuit (304).
- the zones (314) of Figure 3C are nevertheless provided for illustrative purposes.
- the multi-layer film (302) can be sized differently for different mobile devices.
- the integrated circuit (304), which houses the HSM and communication interface, as well as the power harvesting component (306) are shown in the corner of the film (302); in some embodiments the film can be slightly larger than the display screen of the mobile device so that the integrated circuit (304) and power harvesting component (306) (which may not be transparent) do not obstruct the display screen (318) but are located along its edge.
- the integrated circuit (304) and power harvesting component (306) are not shown to scale in the drawings and can be made very small so that even in the event that they are positioned above the screen, any obstruction of the screen caused by them will be minimal.
- the multi-layer film auxiliary input device may be configured so as not to interfere with the normal touch-sensitive operation of the display screen and to enable finger pressure and the necessary conductivity to be transmitted through it. It is envisaged that in such cases the multi-layer film may be switched to an operative mode or "state" only upon receiving a first, "wake" control signal from the paired HSM of the mobile device or from any other control unit on the auxiliary device or secondary device.
- the wake instruction to the multi-layer film may be sent in conjunction with a second, "sleep" control signal to the primary touch-sensitive display of the mobile device so as to temporarily disable the primary touch-sensitive input device of the mobile device from receiving touch input.
- the mobile device may not receive input signals from its primary, touch-sensitive display screen while the multi-layer film, which acts as the auxiliary input device, is in its operative state. Instead, the user's interaction is intercepted by the auxiliary input device adhered to the touch-sensitive display interface of the mobile device so that only the HSM of the auxiliary input device receives the user input.
- the user input is then encrypted by the HSM of the auxiliary input device and communicated to the HSM of the mobile device.
- the communication channel between the multi-layer film and the mobile device HSM (numeral 116 in Figure 1A), will be a bidirectional communication channel so that the mobile device is able to instruct the user interface of the auxiliary input device to wake up and to go back to sleep as and when the input of sensitive information is required. It should be appreciated that in this way the auxiliary input device and primary input device of the electronic device may be operated so as not to be operative simultaneously.
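The wake/sleep arrangement above is easiest to reason about as a small state machine. The following is an added example, not code from the patent or its applicant: it models the mobile device's input controller, enforces the stated invariant that the primary touch screen and the overlaid film are never operative at the same time, and routes each touch either to the mobile OS or to the film's HSM accordingly. The class, method and signal names ("sleep->primary", "wake->film") are assumptions made for the illustration.

```python
"""Input-routing controller for a mobile device carrying an overlay auxiliary
input device (the multi-layer film). Added example; names are assumptions."""

from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    OPERATIVE = "operative"
    INOPERATIVE = "inoperative"


@dataclass
class InputController:
    # Initial condition as in the text: primary screen live, film asleep.
    primary: State = State.OPERATIVE
    film: State = State.INOPERATIVE
    os_events: list = field(default_factory=list)   # touches seen by the mobile OS
    hsm_events: list = field(default_factory=list)  # touches seen only by the film's HSM
    log: list = field(default_factory=list)         # control signals sent, in order

    def _check_invariant(self) -> None:
        # At most one of the two input surfaces may be operative at any time.
        if self.primary is State.OPERATIVE and self.film is State.OPERATIVE:
            raise RuntimeError("primary input and auxiliary input both operative")

    def begin_sensitive_entry(self) -> None:
        """Credential prompt: disable the primary screen, then wake the film.
        Disabling first means there is no instant at which both could accept a touch."""
        self.log.append("sleep->primary")
        self.primary = State.INOPERATIVE
        self.log.append("wake->film")
        self.film = State.OPERATIVE
        self._check_invariant()

    def end_sensitive_entry(self) -> None:
        """Authorization response received: put the film to sleep, then wake the primary screen."""
        self.log.append("sleep->film")
        self.film = State.INOPERATIVE
        self.log.append("wake->primary")
        self.primary = State.OPERATIVE
        self._check_invariant()

    def touch(self, zone: str) -> str:
        """Deliver a touch in a keypad zone to whichever surface is operative.
        Returns the name of the recipient ('hsm', 'os' or 'dropped')."""
        self._check_invariant()
        if self.film is State.OPERATIVE:
            self.hsm_events.append(zone)   # keystroke reaches only the film's HSM
            return "hsm"
        if self.primary is State.OPERATIVE:
            self.os_events.append(zone)    # ordinary UI input handled by the mobile OS
            return "os"
        return "dropped"                   # both asleep: nothing accepts input


def demo() -> tuple:
    """Walk the flow of Figure 5: ordinary UI use, credential entry, back to ordinary use."""
    c = InputController()
    c.touch("menu")                  # navigation, handled by the OS
    c.begin_sensitive_entry()
    for z in ("1", "2", "3", "4"):   # PIN digits go only to the film's HSM
        c.touch(z)
    c.end_sensitive_entry()
    c.touch("confirm")               # back to the OS
    return c.os_events, c.hsm_events
```

The patent's sequence at steps (562) to (564) is wake-then-sleep; this example sends sleep to the primary screen before waking the film so that the invariant holds at every instruction boundary, not only after both signals have been processed. Which order is safe in practice depends on whether the two signals are delivered atomically by the HSM's control channel.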
- FIG. 4A shows a different embodiment of an auxiliary input device in accordance with the invention, also in the form of a multi-layered film (400), which includes four layers: a first, adhesive layer (402), a second, display layer (404), a third, touch-sensitive layer (406) and a fourth, protective layer (408).
- the multi-layered film (400) is itself able to display images on the display layer (404).
- the image to be displayed may simply be images of keys as shown in Figure 4B, or may be more detailed graphics including images.
- the keys may be displayed in a regular configuration, but in one embodiment the keys may be displayed in a randomized manner for increased security in the event that a user is being watched as he or she is entering sensitive information.
- when the display layer is not displaying images, it is preferably set to a transparent mode so that the entire multi-layered film is transparent and the screen of the mobile device is visible through it.
- FIG. 5 illustrates a flow diagram of a method of securing and pairing the auxiliary input device with a mobile phone and using the auxiliary input device for a secure transaction.
- the auxiliary input device is provided in the form of a multi-layer film (502) and is put in use by a user (550).
- the user (550) fits the auxiliary input device in the form of a transparent multi-layer film (502) to the touch-sensitive display screen of the user's mobile phone (512) at step (552).
- the multi-layer film (502) is fitted so that it overlays the touch-sensitive display screen of the mobile phone (512).
- the user then launches a relevant software application on the mobile phone (512) and selects a 'pair device' option at step (554).
- the mobile phone (512) prompts the user for a pair PIN which the user enters.
- the touch-sensitive, primary input of the mobile phone is then set to an inoperative state and the touch-sensitive layer of the multi-layer film (502) is enabled.
- the mobile phone (512) displays on the display screen a series of characters in the areas which correspond to touch-sensitive zones of the multi-layer film (502) having those characters assigned to them. In this manner, the user (550) is visually guided as to where on the multi-layer film (502) he should press in order to enter a specific character.
- the user then enters the same pair PIN on the multi-layer film (502) at step (556). This time, however, the PIN is captured by the multi-layer film (502) instead of by the touch-sensitive primary input of the mobile phone. The two PINs are then compared and, if they match, the multi-layer film (502) and the mobile phone (512) are paired at step (556).
- at step (558), when the user wishes to transact, he or she launches the application resident on his or her mobile phone (512) at step (560) to initiate the transacting process.
- the user may, for example, navigate to a 'transactions' menu, upon which the user is prompted for personal credentials at step (562) in order to authenticate the session.
- the mobile phone (512) sends a "wake" instruction to the multi-layer film (502).
- the multi-layer film (502) is then switched to an operative mode wherein it is operable to detect a user's gestures.
- the multi-layer film (502) sends a "sleep" instruction to the touch-sensitive primary input screen of the mobile phone (512) at step (564), so that the touch-sensitive primary input screen becomes inoperable and hence insensitive to touch.
- the user may then proceed to enter his or her personal credentials at step (566). These credentials are captured and encrypted by the HSM of the multi-layer film (502) at step (568), before being transmitted to the mobile phone (502) by the device's communication interface.
- the mobile phone (512) then transmits the encrypted credentials to the bank server (520) at step (570), via, for example, a mobile telecommunications network.
- upon receipt of the encrypted credentials, the bank server (520) decrypts the credentials at step (572), and uses them to authenticate the user's session. If the credentials are correct and the session is authenticated, the bank server (520) transmits an authorization response message back to the mobile phone (512).
- upon receipt of the authorization response message at step (574), the mobile phone sends a sleep instruction to the multi-layer film (502) at step (576), which in turn sends a wake instruction to the touch-sensitive display screen of the mobile phone (512) at step (578).
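The flows of Figure 2 and Figure 5 share one security property worth seeing in code: the phone is only a relay, and the credentials are never in the clear between the auxiliary device's HSM and the bank server. The example below is added here and is not the patent's or the applicant's code. It assumes a symmetric key `K_DEV` provisioned in both the device HSM and the bank server (the patent does not say how the server obtains its key), models the pairing PIN check of steps (254)/(256) as an HMAC proof over fresh nonces so the PIN itself is never sent over the link, and uses an encrypt-then-MAC construction built from HMAC-SHA256 as a stand-in for whatever cipher the HSM would use (the patent names none). The `tamper` flag plays the role of compromised phone software modifying what it relays, which the server detects.

```python
"""Pairing and encrypted relay of Figures 2 and 5. Added example; the key,
the pairing proof and the cipher construction are assumptions."""

import hashlib
import hmac
import secrets

# Constructed sample key shared by the auxiliary device HSM and the bank server.
K_DEV = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# ---- pairing: each side proves it knows the PIN without transmitting it -------
def pairing_proof(pin: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC keyed by the PIN over both nonces; fresh nonces stop replay of an old proof."""
    return _prf(pin.encode(), b"pair", nonce_a, nonce_b)


def pair(pin_on_phone: str, pin_on_device: str) -> bool:
    """Steps (254)/(256): the PIN typed on the phone must match the one typed on the
    device. Each side contributes a nonce; the device sends its proof, the phone
    recomputes it from the PIN it was given and compares in constant time."""
    n_phone, n_dev = secrets.token_bytes(16), secrets.token_bytes(16)
    proof_from_device = pairing_proof(pin_on_device, n_dev, n_phone)
    expected_on_phone = pairing_proof(pin_on_phone, n_dev, n_phone)
    return hmac.compare_digest(proof_from_device, expected_on_phone)


# ---- credential encryption inside the device HSM (encrypt-then-MAC) -----------
def _subkeys(master: bytes):
    return _prf(master, b"enc"), _prf(master, b"mac")


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += _prf(k_enc, nonce, i.to_bytes(4, "big"))
    return out[:n]


def hsm_encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Step (262)/(568): returns nonce || ciphertext || tag, with a fresh random nonce."""
    k_enc, k_mac = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + _prf(k_mac, nonce, ct)


def server_decrypt(master: bytes, blob: bytes):
    """Step (266)/(572): verify the tag before decrypting; None on any tampering."""
    k_enc, k_mac = _subkeys(master)
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(k_mac, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


# ---- the phone as an untrusted relay -------------------------------------------
def phone_relay(blob: bytes, tamper: bool = False) -> bytes:
    """Step (264)/(570): the phone only forwards bytes. With tamper=True it behaves
    like compromised phone software and flips one ciphertext byte in transit."""
    if tamper:
        b = bytearray(blob)
        b[20] ^= 0x01          # inside the ciphertext for any credential of 5+ bytes
        return bytes(b)
    return blob


def transaction(credentials: bytes, tamper: bool = False) -> tuple:
    """Whole flow: device encrypts, phone relays, server decrypts.
    Returns (did the phone see the plaintext?, what the server recovered)."""
    blob = hsm_encrypt(K_DEV, credentials)
    seen_by_phone = credentials in blob      # the phone holds only ciphertext
    return seen_by_phone, server_decrypt(K_DEV, phone_relay(blob, tamper))
```

Two points a practitioner should take from running it: without the tag, flipping a ciphertext byte of a stream cipher would silently change one digit of the PIN the server sees, which is why the tag is checked before anything is decrypted; and the pairing proof is only as strong as the PIN, so a short PIN captured with its nonces can be guessed offline, which is why production pairing protocols combine the PIN with a key agreement rather than using it alone.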
- the distinction between using the multi-layer film (502) and the touch-sensitive display screen of the mobile phone (512) may be subtle.
- the above description is exemplary and it should be appreciated that there may be many other ways in which the auxiliary input device may be paired to and used with an electronic device for the purpose of accepting, encrypting and transmitting user data.
- FIG. 6 shows a block diagram illustrating components of an exemplary mobile device (600) which acts as the electronic device with which various embodiments of the invention may be implemented.
- the mobile device (600) includes a display (612), a primary input device (614), a speaker (618), microphone (622), computer readable medium (624) such as volatile and non-volatile memory, a processor (610) and at least one antenna (620).
- the mobile device may include a dual interface including both contact (not shown) and contactless interface (616) for transferring information through direct contact or through an integrated chip, which may be coupled to a second antenna.
- the mobile device (600) may be capable of communicating through a cellular network, such as GSM or UMTS through the antenna (620).
- the mobile device (600) may be capable of transmitting and receiving information wirelessly through both short range NFC, radio frequency (RF) and cellular connections.
- the multi-layer film may be configured for attachment to surfaces other than the display screen of an electronic device, such as the back of a mobile device, or the casing of a computer such as a laptop, or even to a desk or other flat surface such as a wall.
- the film need not be transparent, but could have touch-sensitive zones that are marked with the particular keys they represent.
- in Figure 7 the auxiliary input device (702) is secured to, or integrated in, the inside cover (704) of a protective cover (706) of a mobile phone (708). While shown on the inside cover (704), it should be appreciated that it may equally be applied to an outer surface of the cover.
- the auxiliary input device (702) may, as described above with reference to alternative embodiments of the invention, be configured to communicate with the mobile phone (708) over a wireless communication link, or, alternatively, the cover (706) and mobile phone (708) may be provided with complementary contact circuitry (not shown) through which communication as well as power transfer from the phone (708) to the cover (706) may be conducted. It should be appreciated that such contact circuitry may be embedded in the cover (704) at the time of manufacturing. As before, the user interface provided by the auxiliary input device (702) on the cover (706) will be touch sensitive and include its own HSM for encrypting the user input. In some embodiments the auxiliary input device may include an active display.
- the user may be prompted to enter the data into the auxiliary input device provided on the cover (706).
- the HSM of the device (702) will then encrypt the data as soon as it is entered by the user and before it is forwarded to the mobile phone (708).
- an auxiliary input device according to the invention may be secured to a screen, or be provided by a secondary electronic device which is configured to wirelessly communicate with the electronic device, for the sake of clarity in this example referred to as the primary communication device.
- An example of this embodiment of the invention is shown in Figure 8.
- an auxiliary input device (800) is provided on the display (802) of an electronic wristwatch (804), which acts as the secondary electronic device.
- the auxiliary input device (800) again has its own HSM (806) and a communications module (808) by means of which it may communicate with the wristwatch (804).
- the auxiliary input device (800) may either be provided as an integrated feature of the wristwatch (804), in which case the communication module (808) may be provided and powered by the wristwatch, or it may be provided as a multi-layered film as described above with reference to Figures 3 and 4, in which case the auxiliary input device (800) may be provided with a power harvesting component capable of harvesting power from the wristwatch (804) by means of a wireless or contact interface, or a kinetic power harvesting component.
- the film may be configured to be adhesively secured to the screen of the wristwatch and the communication module (808) may be configured to relay encrypted personal data to a communication module of the wristwatch (804) for onward transmission to the primary communications device (810), in this example a mobile phone, or alternatively, directly to the primary communications device (810).
- the communication between the wristwatch (804) and mobile phone (810) or between the auxiliary input device (800) and the mobile phone (810), as the case may be, may be conducted with any suitable close proximity wireless communication protocol such as, for example, Bluetooth.
- an authorization request requiring a user to enter his or her personal information may be transmitted from an enquiring entity (814) at step (816) to the mobile phone (810) and received at the user's mobile phone (810) from where it is relayed to the wristwatch (804) at step (818).
- the wristwatch (804) in turn passes the request on to the communication module (808) of the auxiliary input device (800) at step (820).
- the auxiliary input device (800) then energizes a display of the device, allowing the user to enter the personal information on the auxiliary input device (800) at step (822), from where it is immediately encrypted by the HSM (706) of the device at step (824).
- the primary electronic device is a personal computer (908).
- the auxiliary input device (900) is provided as a thin multi-layer film as described above with reference to Figures 3 and 4, which is adhesively adhered to the touch-sensitive display of a mobile phone (904), which in this embodiment acts as the secondary electronic device.
- the personal computer (908) is provided with a secure communication module in the form of a Bluetooth dongle (906) which has its own integrated HSM (not shown).
- the communication module of the auxiliary input device (900) may be configured to communicate directly with the Bluetooth dongle (906) over a wireless Bluetooth link, or may utilize Bluetooth capabilities of the mobile phone (904) for this purpose. It should be appreciated that if the HSM of the Bluetooth dongle is paired with the HSM of the auxiliary input device, that secure data entry on the auxiliary device (900) and transmission to the personal computer (908) may be achieved. In this way a user may be able to authenticate transactions on the personal computer while again circumventing potential man-in-the-middle attacks.
- the Bluetooth dongle (906) may provide a secure environment within which the personal computer may be booted and in which sensitive transactions may be conducted. In such an environment personal information entered by a user on the auxiliary input device and transmitted to the Bluetooth dongle will not be exposed in an unencrypted format and will provide secure data entry and transaction validation to users.
- Embodiments of the invention provide for the auxiliary input device to be configured to monitor the behavioural characteristics, including a pattern with which data is input into the auxiliary input device and to compare the monitored pattern with an expected pattern for the specific data that is being entered. For example, a user may enter a specific PIN in a recognizable manner each time it is entered. For a given PIN the user may, for example, press the first digit with greater force, the second digit with lesser force, delay slightly before entering the third digit and then quickly enter the last digit. This pattern may be repeated each time the user enters that particular PIN and this information may be used by the auxiliary input device to further determine the validity of the PIN entered. Alternatively, this information may be encrypted by the HSM of the auxiliary input device and communicated to, for example a bank server, for further analysis or pattern recognition.
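The behavioural check described above, as an added example (not the patent's code): each PIN entry is represented as one (force, delay-before-key) pair per digit, the kind of values a pressure-sensing layer such as the QTC overlay of Figure 3 could report. Enrolment stores, per digit position, the mean and spread of each feature; verification accepts an entry only if the PIN value is correct and every feature lies within a tolerance band around the user's habit. The enrolment samples and the 3-sigma threshold are constructed for the illustration.

```python
"""Behavioural PIN-entry pattern check. Added example; the feature layout,
the enrolment data and the threshold are assumptions."""

import statistics

# An entry is [(force, delay_s), ...] with one tuple per digit. Force is a
# relative pressure reading, delay the pause before that digit was pressed.


def enrol(entries):
    """Template: per digit position and feature, (mean, spread). The spread is
    floored so a perfectly consistent user does not get a zero-width band."""
    template = []
    for pos in range(len(entries[0])):
        feats = []
        for f in range(2):                        # 0 = force, 1 = delay
            vals = [e[pos][f] for e in entries]
            mean = statistics.fmean(vals)
            sd = max(statistics.pstdev(vals), 0.05 * abs(mean) + 0.01)
            feats.append((mean, sd))
        template.append(feats)
    return template


def pattern_score(template, entry):
    """Largest z-distance over all positions and features; 0 means identical to
    the enrolled mean, larger means less like the user's habit."""
    worst = 0.0
    for pos, feats in enumerate(template):
        for f, (mean, sd) in enumerate(feats):
            worst = max(worst, abs(entry[pos][f] - mean) / sd)
    return worst


def verify_pin_entry(expected_pin, template, pin, entry, z_max=3.0):
    """The PIN value is checked first; the pattern is a second signal, not a
    replacement. Returns (pin_ok, pattern_ok, score)."""
    pin_ok = pin == expected_pin
    if len(entry) != len(template):
        return pin_ok, False, float("inf")
    score = pattern_score(template, entry)
    return pin_ok, score <= z_max, score


# Constructed enrolment samples following the pattern the text describes: hard
# first press, light second press, a pause before the third digit, quick fourth.
ENROL = [
    [(0.90, 0.00), (0.40, 0.25), (0.55, 0.90), (0.60, 0.15)],
    [(0.85, 0.00), (0.45, 0.30), (0.50, 0.95), (0.62, 0.12)],
    [(0.95, 0.00), (0.38, 0.22), (0.58, 0.85), (0.58, 0.18)],
    [(0.88, 0.00), (0.42, 0.28), (0.52, 1.00), (0.61, 0.14)],
]
TEMPLATE = enrol(ENROL)


def demo():
    """Same PIN entered by the enrolled user and by someone else who knows it."""
    habitual = [(0.91, 0.00), (0.41, 0.27), (0.54, 0.92), (0.60, 0.16)]
    even_rhythm = [(0.60, 0.00), (0.60, 0.30), (0.60, 0.30), (0.60, 0.30)]
    return (verify_pin_entry("1234", TEMPLATE, "1234", habitual),
            verify_pin_entry("1234", TEMPLATE, "1234", even_rhythm))
```

As the text notes, the device may either apply this check itself or encrypt the raw feature vector with its HSM and send it onward; in the second case the template lives on the server and the device never needs to store anything about the user's habits.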
- secure financial transactions such as an online banking session or a payment transaction can be conducted through an electronic device which may otherwise be vulnerable to man-in-the-middle attacks, because sensitive data such as a user's account credentials are encrypted and sent directly to a paired HSM while bypassing the electronic device's own primary input device and its related software.
- This may generally be achieved by providing the electronic device with an auxiliary input device, or keypad, which has its own HSM which is configured to encrypt the sensitive data immediately upon entry and before it is passed on to the electronic device's own processors for onward transmission.
- any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques.
- the software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM.
- Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
- a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.
Abstract
An auxiliary input device (100) for encrypted data entry is described. The auxiliary input device (100) includes a user interface (102) to accept user input, an HSM (106) directly coupled to the user interface (102) to encrypt the user input before it is transmitted from the device (100), and a communication interface (108) to send the encrypted user input to an electronic device (112) for possible on-forwarding to a device or system able to decrypt the encrypted user input (120). In use, when a user inputs data into the user interface (102), such as account credentials, the data is encrypted by the HSM (106) of the auxiliary input device (100) before it is processed by any other downstream software or hardware not forming part of the device, thereby preventing the user input from being in the clear until it reaches the target device or system for decryption.
Description
AUXILIARY INPUT DEVICE FOR ENCRYPTED DATA ENTRY
CROSS-REFERENCES TO RELATED APPLICATIONS
[0001] This application claims priority to South African provisional patent application number 2012/04088 filed on 5 June 2012.
BACKGROUND TO THE INVENTION
[0002] Advances in mobile devices such as mobile phones have enabled internet banking and payment transactions to be carried out from users' web-enabled mobile devices. For example, a user can access an online banking website through the web-enabled mobile device and log onto the user's account to check the account balance, transfer money or make payments. A user can also access a merchant's website through the web-enabled mobile device and purchase goods or services, such as mobile phone applications or other commodities, directly from the merchant. In order to access a user's bank account or conduct a financial transaction with a merchant, the user will have to enter his or her bank credentials on the keypad of the mobile device, which may be in the form of a conventional keypad, such as that of a feature phone, or alternatively a touch-sensitive keypad on a display of a smart phone.
[0003] Although conducting financial transactions or accessing a bank account from a mobile device without the use of a computer is convenient for a user, the operating system (OS) of the mobile device and software running on the OS often lack sufficient security measures to ensure adequate protection of sensitive data, such as a user's bank credentials. For example, mobile device anti-virus software, firewalls and the like may insufficiently protect mobile device users from malicious attacks by third parties. As a result, these third parties may be able to compromise the OS of a mobile device and may gain access, without the user's knowledge, to confidential information such as a password or PIN entered by a user when the user conducts financial transactions or accesses his or her bank account. Such attacks may be so-called "man-in-the-middle attacks" because the third party is able to access the information between the point at which it is input and the point at which it is transmitted through a secure channel. The third party may then be able to access the user's bank account or use the confidential information either without the user's knowledge or with the user becoming aware of the unauthorized use at a time where the transaction has already been concluded. There is therefore an inherent risk that a user's bank credentials will be compromised when using an unsecured device such as a mobile device to conduct financial transactions or access a bank account. Other input devices, such as the remote controls of web-enabled televisions, or the keyboards of desktop computers, may also be vulnerable to man-in-the-middle attacks.
BRIEF SUMMARY OF THE INVENTION
[0004] In accordance with the invention there is provided an auxiliary input device for securely inputting data into an electronic device which has its own existing primary input device, comprising: a user interface configured to accept user input; a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
[0005] Further features of the invention provide for the communication interface to be configured to transmit the encrypted user input to a secure processor of the electronic device which is capable of decrypting the encrypted user input; for the HSM to be configured to be paired with an HSM of the secure processor during transmission of the encrypted user input by the communication interface to the secure processor; for the encrypted user input to optionally be communicated onwards by the electronic device to a remote device or system capable of decrypting the encrypted user input; and for the electronic device to be configured to zone translate the encrypted user input before on-forwarding it to a secure gateway or bank server for decryption and authentication.
[0006] Still further features of the invention provide for the auxiliary input device to be a thin multi-layer film configured to be adhered to a surface by means of an adhesive backing layer, and to include a touch-sensitive layer which forms the user interface; for the multi-layer film to be transparent and configured to overlay a display screen of the electronic device; for the touch-sensitive layer to be a quantum tunneling composite layer; for the multi-layer film to include a display layer which is configured to visually display keys, optionally in randomized fashion.
[0007] Yet further features of the invention provide for the auxiliary input device to include a power harvesting component; for the power harvesting component to be configured to utilize radio frequency signals from the electronic device to power the user interface, HSM and communication interface; and for the power harvesting component to include one or more photovoltaic cells.
[0008] Still further features of the invention provide for the device to be configured to record behavioural characteristics with which the user input is entered; for the behavioural characteristics to include at least a pattern with which the user input has been entered; for the pattern to be used to authenticate the user input; for at least the user interface to be configured to enter a first, operative state upon receiving a first control signal, and a second, inoperative state upon receiving a second control signal; and for the user interface entering the operative state to correspond to the primary input device entering an inoperative state, and the user interface entering an inoperative state to correspond to the primary input device entering an operative state, so that only one of the user interface and primary user input is in an operative state at any given time.
[0009] One embodiment of the invention provides for the electronic device to be a mobile communication device, in which case the existing primary input device is a keypad or touch interface of the mobile communication device.
[0010] An alternative embodiment of the invention provides for the electronic device to be a personal computer, in which case the existing primary input device is a keyboard of the personal computer. This embodiment further provides for the communication interface to be configured to communicate with a secure communication module of the personal computer over a wireless communication link; for the secure communication module to be a Bluetooth dongle operating with the personal computer; for the wireless communication link to be a Bluetooth link; and for the Bluetooth dongle to include an integrated HSM configured to at least partially decrypt the encrypted user input.
[0011] Still further embodiments of the invention provide for the auxiliary input device to be associated with a secondary electronic device which is in data communication with the electronic device; for the secondary electronic device to be an electronic wristwatch; or for the auxiliary input device to be incorporated in a protective housing of a mobile communication device.
[0012] The invention also provides a system for securely inputting and communicating user input, comprising: an electronic device which has its own existing primary input device; and an auxiliary input device including: a user interface configured to accept user input; a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
[0013] A further feature of the invention provides for the system to include a remote device or system configured to decrypt the encrypted user input.
[0014] The invention still further provides a method for securely receiving and communicating user input comprising the steps of: receiving the user input at a user interface of an auxiliary input device; encrypting the received user input at a hardware security module (HSM) of the auxiliary input device before the user input is transmitted from the auxiliary input device; and transmitting the encrypted user input to an electronic device with a communication interface of the auxiliary input device, such that the encrypted user input bypasses an existing primary input device of the electronic device.
[0015] A further feature of the invention provides for the method to include the step of on-forwarding the encrypted user input from the electronic device to a remote device or system configured to decrypt the encrypted user input.
[0016] Further features of the invention provide for the electronic device to be a mobile device, a web-enabled television or a computer; for the user input to include sensitive data such as bank credentials; and for the communication interface to be a wireless communication interface selected from: Wi-Fi, Bluetooth, RFID, ANT+, global system for mobile telecommunications (GSM), universal mobile telecommunication system (UMTS) or any other such wireless communication signals.
BRIEF DESCRIPTION WITH REFERENCE TO THE DRAWINGS
[0017] Figure 1A illustrates a diagram of an exemplary auxiliary input device according to an embodiment of the invention, shown in communication with an electronic device;
[0018] Figure 1B illustrates a diagram of an exemplary auxiliary input device according to an embodiment of the invention in communication with an alternative electronic device;
[0019] Figure 2 illustrates a flow diagram of a method of using the auxiliary input device of the invention for secure data entry;
[0020] Figure 3A illustrates an auxiliary input device formed as a multi-layer film according to one embodiment of the invention;
[0021] Figure 3B illustrates the auxiliary input device of Figure 3A overlaying a display screen of a mobile device;
[0022] Figure 3C illustrates an exploded plan view of the auxiliary input device of Figures 3A and 3B;
[0023] Figure 3D illustrates the auxiliary input device of Figure 3B with the mobile device displaying keys on its display screen while an auxiliary input device is positioned over it;
[0024] Figure 4A illustrates an exploded plan view of an auxiliary input device formed as a multi-layer film according to another embodiment of the invention;
[0025] Figure 4B illustrates the auxiliary input device of Figure 4A overlaying a display screen of a mobile device;
[0026] Figure 5 illustrates a flow diagram of a method of using the auxiliary input device according to embodiments of the invention for secure transacting;
[0027] Figure 6 illustrates a block diagram showing components of an exemplary mobile device with which various embodiments of the invention can be implemented;
[0028] Figure 7 illustrates a diagram of an auxiliary input device according to the invention secured to an inside of a protective cover for a mobile device according to a further embodiment of the invention;
[0029] Figure 8 illustrates a diagram showing an auxiliary input device secured over the screen of a wristwatch in accordance with an embodiment of the invention;
[0030] Figure 9 illustrates a flow diagram showing communication between the auxiliary input device of Figure 8 and an electronic device; and
[0031] Figure 10 illustrates a diagram showing an auxiliary input device in use with a personal computer as the electronic device in accordance with a further embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
[0032] Embodiments of the invention provide an auxiliary input device for encrypted data entry. The auxiliary input device includes a user interface to accept user input, a hardware security module (HSM) directly coupled to the user interface to encrypt the user input before it is transmitted from the device, and a communication module to send the encrypted user input to a device or system able to decrypt the encrypted user input. When a user inputs data into the user interface, such as account credentials, the data is encrypted by the HSM of the auxiliary input device before being processed by any other downstream software or hardware, thereby preventing the user input from being exposed or otherwise in the clear until it reaches the target device or system for decryption.
[0033] Figure 1A illustrates a block diagram of an exemplary auxiliary input device (100) according to one embodiment of the invention. The auxiliary input device (100) includes a user interface (102) in the form of a number of key-defining areas (104), an HSM (106), and a communication interface (108). While the user interface (102) of Figure 1A is a numeric keypad, the user interface (102) can take any form including, for example, a full size QWERTY keyboard.
[0034] The HSM (106) is directly coupled between the user interface (102) and the communication interface (108) and is configured to encrypt user input received at the user interface (102) and output encrypted data. The user input may include sensitive data such as bank account credentials, personal identification numbers (PINs), passwords or any message which the user wishes to keep confidential. The HSM (106) may encrypt the user input using the Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple Data Encryption Standard/Algorithm (TDES/TDEA), Secure Sockets Layer (SSL), Blowfish, Serpent, Twofish, International Data Encryption Algorithm (IDEA), Rivest, Shamir and Adleman (RSA), Digital Signature Algorithm (DSA), Tiny Encryption Algorithm (TEA), extended TEA (XTEA), and/or other encryption algorithms or protocols.
[0035] The HSM (106) provided in the auxiliary input device (100) is different from devices that may solely use software to encrypt input data. A device that solely uses software to encrypt communications may comply with only a security level 1 of the Federal Information Processing Standard 140-2 (FIPS 140-2), which provides only a minimum level of security to protect sensitive information. In contrast, the HSM within an auxiliary input device according to embodiments of the invention is compliant with at least a security level 2 of the FIPS 140-2 standard. Preferably, the HSM within an auxiliary input device in embodiments of the invention is compliant with security level 3 or level 4 of FIPS 140-2.
[0036] The HSM (106) uses hardware to encrypt data instead of solely performing the encryption in software and, as mentioned, is directly coupled to the user interface (102) such that information entered into the user interface (102) may be encrypted immediately upon, or directly after, entry, before being transmitted from the device or otherwise passed to any downstream software or hardware. The HSM (106) provides secure key management to generate cryptographic keys, sets the capabilities and security limits of keys, implements key backup and recovery, prepares keys for storage and performs key revocation and destruction. In some embodiments, the HSM (106) is implemented as a dual processor device that includes a secure processor with secure storage and a public processor with storage. The secure processor may be a cryptoprocessor and may have a cryptographic arithmetic logic unit (ALU) which is optimized for performing certain cryptographic functions. The HSM (106) may also include a physical or logical separation between interfaces that are used to communicate critical security parameters and other interfaces that are used to communicate other data. The HSM (106) can also provide a tamper-proof mechanism which carries a high risk of destroying the HSM (106) and the cryptographic keys stored therein if any attempt is made to remove or externally access the HSM (106).
[0037] The communication interface (108) is configured to send the encrypted data to an authorized device. This communication interface may provide a wireless communication channel via, for example, Wi-Fi, Bluetooth, RFID, ANT+, global system for mobile telecommunications (GSM), universal mobile telecommunication system (UMTS) or any other such wireless communication protocol. Alternatively, the communication channel may be a wired communication channel. In the illustrated embodiment, the communication interface (108) is paired to a hardware security module (HSM) of an electronic device via a wireless communication channel (116). In another embodiment the auxiliary input device (100) could, for example, be a full size QWERTY keyboard connected to an electronic device, such as a desktop PC, by a cable. In some embodiments, the HSM (106) and communication interface (108) could be a single unit, for example a wireless chip on board an HSM chip.
[0038] The electronic device illustrated in Figure 1A is a mobile device (112), which may be any suitable mobile device, such as a mobile phone, smart phone, feature phone, tablet computer, personal digital assistant or the like. In other embodiments, the electronic device may be any other electronic device capable of wired or wireless communication, such as a web-enabled television, a laptop, desktop or other computer or device. In a specific alternative embodiment, the electronic device may be a smart wrist-watch, in this embodiment referred to as a secondary electronic device, which is configured to communicate wirelessly with the electronic device (serving as a primary device) such as a mobile phone, smart phone, feature phone, tablet computer, personal digital assistant or the like.
[0039] Embodiments of the invention provide for a software application to be resident on the electronic device which allows users to interface with the auxiliary input device (100) coupled thereto. The software application may provide: a user interface to pair the auxiliary input device (100) to the electronic device (112); an option to enable and disable the auxiliary input device (100); an option to initiate financial transactions; or the like. The user interface may include a menu from which at least some of these functions can be initiated. Embodiments of the invention further provide for such an interface to be provided by a SIM Application Toolkit protocol (commonly referred to as the STK protocol) implementation or the like.
[0040] The mobile electronic device (112) illustrated in Figure 1A does not have an integrated HSM. Instead, the HSM is implemented as a cryptographic expansion device which may be implemented as an adhesive label with embedded processors. Such a cryptographic expansion device (110) provides an HSM (111) to electronic devices, such as the mobile device (112) illustrated in Figure 1A, which do not have an integrated HSM. The cryptographic expansion device is applied directly to a SIM card (114) that can be inserted into the mobile device (112). Once fitted onto a SIM card, the combination of the cryptographic expansion device (110) adhering to the SIM card (114) can be inserted into a SIM card slot of the mobile device (112). The cryptographic expansion device HSM (111) enables the phone (112) to send and receive encrypted messages by using the capabilities of the SIM card to transmit encrypted data.
[0041] In one embodiment, the cryptographic expansion device HSM (111) includes a public section and a security section, each of which corresponds to a processor on the adhesive label. The operations of the security section are handled by a security processor and the operations of the public section are handled by a public processor. In one embodiment, the security processor will only be exposed to the public processor, which will act in strict accordance with HSM standards, i.e. the secure processor will only respond to encryption and decryption attempts; no further information will be offered to the public processor.
[0042] The cryptographic expansion device HSM (111) includes its own communication interface and is adapted to receive communication from the communication interface (108) of the auxiliary input device (100) by means of a communication channel (116) which is completely independent of any communication channel provided by the mobile device. Although in some embodiments the communication channel (116) could be a wired channel, in the illustrated embodiment the communication channel is a wireless communication channel which may be a Wi-Fi, Bluetooth, RFID, ANT+, GSM, UMTS or any other such wireless communication channel. In some embodiments, the communication interface (108) may be capable of bi-directional communication with the paired cryptographic expansion device HSM (111) of the cryptographic expansion device (110). Communication between the cryptographic expansion device HSM (111) and the HSM (106) of the auxiliary input device (100) only occurs once the HSM (106) of the auxiliary input device (100) and the HSM (111) of the cryptographic expansion device have been paired. Pairing is facilitated by either the auxiliary input device (100) or the mobile device (112) discovering available wireless devices and then prompting a user for a PIN which must be selected on one of the devices and then correctly entered on the other device. Once paired, all communication between the auxiliary input device (100) and the mobile device (112) is fully encrypted using the two HSMs (106, 111).
[0043] The HSM (111) of the cryptographic expansion device is operable to perform zone translation of the encrypted user input (if required) and to forward the encrypted user input to a secure gateway or bank's server (120) where it is decrypted and the user input authenticated. Communication between the HSM (111) of the cryptographic expansion device and the bank server (120) preferably takes place through a mobile telecommunication network (122). By using this system, an encrypted communication channel is therefore established from the point at which the user input is keyed into the user interface (102) of the auxiliary input device (100) until it reaches the secure gateway or bank's server (120). At no point is the user input exposed or otherwise in the clear, since the HSM (106) of the auxiliary input device (100) encrypts the user input before such input is processed by any other hardware or software.
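The encrypted path of paragraphs [0042] and [0043], worked through as an added example that is not part of the patent: an AES-256-GCM model in which the auxiliary device's HSM (106) encrypts under the pairing key, the phone-side HSM (111) zone-translates to the bank's key without the phone's own software ever holding plaintext, and the bank server (120) decrypts. The key values, the "zone:" labels and all function names are this example's constructions; the patent specifies no particular cipher or message format for these steps.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed 256-bit keys standing in for keys held inside the two HSMs:
// pairKey is shared by the auxiliary device's HSM (106) and the phone-side
// HSM (111) once paired; bankKey by the phone-side HSM and the bank server (120).
// Real keys come from HSM key management, never from source code.
var (
	pairKey = sha256.Sum256([]byte("constructed-pairing-zone-key"))
	bankKey = sha256.Sum256([]byte("constructed-bank-zone-key"))
)

// sealBlob encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; it labels the key zone so that a
// blob cannot be presented to a zone other than the one it was produced for.
func sealBlob(key [32]byte, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openBlob reverses sealBlob; any change to blob or aad fails authentication.
func openBlob(key [32]byte, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// AuxiliaryEncrypt runs inside the auxiliary input device's HSM: the keyed
// characters are encrypted under the pairing key before any other component
// sees them.
func AuxiliaryEncrypt(userInput string) ([]byte, error) {
	return sealBlob(pairKey, []byte(userInput), []byte("zone:pairing"))
}

// ZoneTranslate runs inside the phone-side HSM: decrypt under the pairing
// zone key and immediately re-encrypt under the bank zone key. The plaintext
// exists only inside this function, never in the phone's application software.
func ZoneTranslate(fromAux []byte) ([]byte, error) {
	plain, err := openBlob(pairKey, fromAux, []byte("zone:pairing"))
	if err != nil {
		return nil, fmt.Errorf("pairing zone: %w", err)
	}
	return sealBlob(bankKey, plain, []byte("zone:bank"))
}

// BankDecrypt runs at the secure gateway or bank server, the only party
// besides the phone-side HSM that holds bankKey.
func BankDecrypt(fromPhone []byte) (string, error) {
	plain, err := openBlob(bankKey, fromPhone, []byte("zone:bank"))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// RelaySeesPlaintext models what the phone's application software, or anything
// watching its primary input path, could learn from a blob it merely forwards:
// whether the entered characters appear verbatim in the bytes it handles.
func RelaySeesPlaintext(blob []byte, userInput string) bool {
	return bytes.Contains(blob, []byte(userInput))
}
```

Handing the pairing-zone blob straight to BankDecrypt fails authentication because of the zone label in the additional data, which is what keeps the two key zones separate.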
[0044] Figure 1B illustrates the same auxiliary input device (100) as in Figure 1A. The mobile device (113) in Figure 1B, however, differs from that of Figure 1A in that it has an integrated HSM (115). The auxiliary input device (100) is the same as that which has been previously described, and contains its own HSM (106) and communication component (108). In the illustrated embodiment, the HSM (106) of the auxiliary input device (100) is in communication with the HSM (115) of the mobile device (113) via a communication channel (117) between the communication component (108) of the auxiliary input device (100) and a communication component (not shown) of the mobile device (113). The communication link (117) may, for example, be via Wi-Fi, NFC, Bluetooth, RFID, ANT+, Infrared, universal serial bus (USB), Ethernet, GSM, UMTS or any other such communication link. The user input which is encrypted by the HSM (106) of the auxiliary input device (100) is thus communicated to the HSM (115) of the mobile device (113) from where it is communicated to a server of a bank (120), preferably over a mobile telecommunication network (122). It should be appreciated that the mobile device (113) of Figure 1B could be any suitable electronic device. Furthermore, it is anticipated that there may be embodiments of the invention wherein an electronic device with which the auxiliary input device (100) is in communication does not have its own HSM, but simply forwards the entered data encrypted by the auxiliary input device to, for example, a bank or financial institution server (120).
[0045] The auxiliary input device (100) according to the embodiments described above can take various forms. In one embodiment, the auxiliary input device is a handheld device which forms a secure personal PIN entry device (PPED). In this embodiment, a user is able to securely enter sensitive information by first pairing the auxiliary input device (100) with an electronic device such as a cryptographic expansion device-enabled mobile device (112) or an HSM-enabled mobile device (113), and then entering the sensitive information on the auxiliary input device (100), rather than entering the information on an existing keypad of the mobile device (for example, the keypad provided on a touch-sensitive screen (118) of the mobile device) which may be vulnerable to man-in-the-middle attacks. The handheld auxiliary input device then communicates the encrypted sensitive information directly to the paired HSM (111, 115) of the mobile device (112, 113), bypassing the primary input device (118, 119) and associated internal software of the mobile device (112, 113) and thereby circumventing a man-in-the-middle attack.
[0046] Figure 2 illustrates a block diagram showing a method of using the auxiliary input device of the invention for secure data entry in a scenario in which a user (250), having an auxiliary input device (200) (in this embodiment a keypad) according to the foregoing description wishes to, for example, transact with a bank using his or her mobile phone (212). At a step (252), the user selects an option to scan for and pair to any proximate auxiliary input devices. The user (250) then enters a PIN on his or her mobile phone (212) at step (254). At step (256), the user (250) enters the same pairing PIN on the auxiliary input device (200) to pair it to the mobile phone (212). The user then navigates to, for example, a mobile banking website of a bank through which the user (250) wishes to transact at step (258). The banking website prompts the user for personal credentials, such as a user name, profile number, account number, PIN, password or the like at step (258). The user (250) enters this information at step (260) using the auxiliary input device (200) which encrypts the information immediately after entry and then communicates the encrypted credentials to the mobile phone over the paired communication channel at step (262). The mobile phone (212) in turn receives and communicates the encrypted credentials via, for example, a mobile telecommunications network, to a bank server (220) at step (264), which in turn receives and decrypts the encrypted credentials at step (266) and uses them to validate the user's session on the mobile phone (212) at step (268). The above description is exemplary and it should be appreciated that there may be many other ways in which the auxiliary input device of the invention is paired to and used with an electronic device for the purpose of accepting, encrypting and transmitting user data.
[0047] Figures 3A to 3D illustrate another embodiment of an auxiliary input device according to the invention in which the auxiliary input device is implemented as a multi-layer film (302). The multi-layer film (302) includes an integrated circuit (304) and a power harvesting component (306). The multi-layer film (302) can be attached to a surface of an electronic device. In the illustrated embodiment, the multi-layer film (302) is transparent and can be adhesively attached to a display screen (318) of a mobile device (312) so as to overlay the screen, in a manner similar to a transparent screen protector. Figure 3A shows the multi-layer film (302) being brought into proximity with the display screen (318), while Figure 3B shows the multi-layer film (302) adhesively attached to and overlaying the display screen (318).
[0048] The integrated circuit (304) is embedded in the multi-layer film (302) and includes an HSM and a communication interface, as previously described with reference to Figure 1A. The power harvesting component (306) is also embedded in the multi-layer film (302). The power harvesting component (306) is able to utilize signals emanating from the mobile device to provide power to the integrated circuit (304), and may operate by harvesting energy from wireless communication signals of the mobile device (312). Such wireless communication signals may include Wi-Fi, Bluetooth, RFID, ANT+, GSM, UMTS or any other such wireless communication signals. Similarly, the power harvesting component (306) may harvest power from NFC communication signals provided by the mobile device (312). Alternatively, the power harvesting component (306) could be a photovoltaic cell which is able to transform solar energy into stored electrical energy. Furthermore, the power harvesting component (306) may be a kinetic power harvesting component, configured to harvest power from kinetic energy, or a piezoelectric power harvesting component. In some embodiments, the multi-layer film (302) may include a piezoelectric layer such that the power harvesting component (306) is able to harvest power from a user's key pressing action.
[0049] Figure 3C illustrates a block diagram of a deconstructed multi-layer film (302) illustrated in Figures 3A and 3B. The multi-layer film (302) according to this embodiment includes three layers: a first, adhesive layer (308), a second, touch-sensitive layer (310) and a third, protective layer (312). The touch-sensitive layer (310) has the integrated circuit (304) and power harvesting component (306) embedded therein, and has a number of touch-sensitive zones (314) provided thereon. The integrated circuit (304) is connected to each of the zones (314) by conductive paths formed in the multi-layer film.
[0050] The touch-sensitive layer (310) may be any appropriate touch-sensitive layer such as a capacitive or resistive touch-sensitive layer. A resistive touch-sensitive layer, for example, has two further layers, each of which is transparent and electrically resistive, separated by a space. One such electrically resistive layer has conductive connections along, for example, its vertical sides, while the other has conductive connections along, for example, its horizontal sides. A voltage is applied in quick succession to the conductive connections of a first electrically resistive layer and then to those of a second electrically resistive layer. At the same time, a voltage is sensed on the second electrically resistive layer and then on the first electrically resistive layer. In this manner, when a user applies a force compressing the two electrically resistive layers together, two voltage dividers are formed one after the other in quick succession, the value of each sensed voltage corresponding to the touch position along the axis of the layer on which that voltage was sensed.
[0051] In other embodiments, the touch-sensitive layer (310) may be a quantum tunneling composite (QTC) overlay. A QTC overlay is able to recognize user gestures or motions in three dimensions. For example, in addition to detecting a horizontal axis position and a vertical axis position, the QTC overlay can also detect the force with which the user presses the QTC overlay, corresponding to a depth. A QTC overlay consists of a plurality of transparent layers including two conductive layers, a quantum layer and glass layers. The quantum layer is typically sandwiched between the conductive layers and contains nanoparticles which, because of quantum tunneling effects, allow charge to pass through the quantum layer from one conductive layer to the other in response to a compressive force. The amount of charge which is able to pass through the quantum layer is related to the compressive force applied to the quantum layer. Unlike resistive touch-sensitive layers, which are often made of a soft polymer in order to provide sufficient deflection, QTC overlays can sense deflections through glass of just a few thousandths of a millimeter. Another advantage of a QTC overlay is that in an inactive state, no electrical power is consumed. Electrical power is only consumed by the QTC overlay when a compressive force is applied, for example when a user touches the QTC overlay.
[0052] The multi-layer film (302) is transparent and, when overlaying the display screen (318) of the mobile device (312), the images displayed on the screen (318) of the mobile device (312) are arranged to appear directly below the zones (314) of the touch-sensitive layer. The images displayed on the screen may be images of keys (316) of a keypad, as shown in Figure 3D. The images of keys (316) are displayed on the display (318) such that they correspond to the values allocated to zones (314) of the overlaid multi-layer film (302). Thus the user may be visually guided in pressing a zone (314) of the multi-layered film (302) which corresponds to a desired input value. The touch-sensitive layer (310) of the multi-layer film (302) will detect a user's touch in a zone (314) and communicate a signal corresponding to the zone (314) to the integrated circuit (304). Alternatively, the integrated circuit may interpret a signal received from the touch-sensitive layer (310) as corresponding to a user's touch in a predefined zone. The integrated circuit will then encrypt the signals using the HSM and transmit the encrypted signal to a paired HSM using the communication interface as previously described. The touch-sensitive layer (310) illustrated in Figure 3C has only a few, large touch-sensitive zones (314). In some embodiments of the invention the touch-sensitive layer (310) may have many very small zones which may be difficult to discern. The zones may rather be defined by software running on the integrated circuit (304). The zones (314) of Figure 3C are nevertheless provided for illustrative purposes.
[0053] The multi-layer film (302) can be sized differently for different mobile devices. In the illustrated embodiments, the integrated circuit (304), which houses the HSM and communication interface, as well as the power harvesting component (306) are shown in the corner of the film (302); in some embodiments the film can be slightly larger than the display screen of the mobile device so that the integrated circuit (304) and power harvesting component (306) (which may not be transparent) do not obstruct the display screen (318) but are located along its edge. The integrated circuit (304) and power harvesting component (306) are not shown to scale in the drawings and can be made very small so that even in the event that they are positioned above the screen, any obstruction of the screen caused by them will be minimal.
[0054] It will be appreciated that some mobile devices may already be fitted with touch-sensitive display screens which serve as their primary input devices. In the case of these mobile devices, the multi-layer film auxiliary input device may be configured so as not to interfere with the normal touch-sensitive operation of the display screen and to enable finger pressure and the necessary conductivity to be transmitted through it. It is envisaged that in such cases the multi-layer film may be switched to an operative mode or "state" only upon receiving a first, "wake" control signal from the paired HSM of the mobile device or from any other control unit on the auxiliary device or secondary device. The wake instruction to the multi-layer film may be sent in conjunction with a second, "sleep" control signal to the primary touch-sensitive display of the mobile device so as to temporarily disable the primary touch-sensitive input device of the mobile device from receiving touch input. Thus, the mobile device may not receive input signals from its primary, touch-sensitive display screen while the multi-layer film, which acts as the auxiliary input device, is in its operative state. Instead, the user's interaction is intercepted by the auxiliary input device adhered to the touch-sensitive display interface of the mobile device so that only the HSM of the auxiliary input device receives the user input. The user input is then encrypted by the HSM of the auxiliary input device and communicated to the HSM of the mobile device. In this case, the communication channel between the multi-layer film and the mobile device HSM (numeral 116 in Figure 1A), will be a bidirectional communication channel so that the mobile device is able to instruct the user interface of the auxiliary input device to wake up and to go back to sleep as and when the input of sensitive information is required. It should be appreciated that in this way the auxiliary input device and primary input device of the electronic device may be operated so as not to be operative simultaneously.
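The pairing check of paragraph [0042] and the "wake"/"sleep" control signals of paragraph [0054], modelled as an added example rather than code from the patent: a small state machine in which the film overlay and the phone's own touch screen are never operative at the same time, and each touch is routed to whichever of the two is active. The type names, the zone-to-digit map and the sink labels "hsm" and "primary" are constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// InputState mirrors the operative/inoperative states assigned to each input.
type InputState int

const (
	Inoperative InputState = iota
	Operative
)

// Overlay models the phone's primary touch screen together with the film
// adhered over it (the auxiliary input). Type and field names are this example's own.
type Overlay struct {
	paired    bool
	primary   InputState
	auxiliary InputState
	zoneChars map[int]byte // value allocated to each touch-sensitive zone
	toHSM     []byte       // characters captured by the film, destined for its HSM
	toPrimary []byte       // characters the phone's own touch screen received
}

// NewOverlay starts in normal operation: primary screen active, film asleep.
// The zone map is constructed for the example (zones 0-9 carry the digits 0-9).
func NewOverlay() *Overlay {
	zones := make(map[int]byte)
	for i := 0; i <= 9; i++ {
		zones[i] = byte('0' + i)
	}
	return &Overlay{primary: Operative, auxiliary: Inoperative, zoneChars: zones}
}

// Pair compares the PIN chosen on the phone with the PIN entered on the film,
// in constant time so timing does not reveal how many leading digits matched.
func (o *Overlay) Pair(pinOnPhone, pinOnFilm string) error {
	if pinOnPhone == "" || pinOnFilm == "" {
		return errors.New("pairing PIN must be entered on both devices")
	}
	if subtle.ConstantTimeCompare([]byte(pinOnPhone), []byte(pinOnFilm)) != 1 {
		return errors.New("pairing PINs do not match")
	}
	o.paired = true
	return nil
}

// Wake is the first control signal: the film becomes operative and, in the
// same step, the primary screen is put to sleep, so there is no interval in
// which both can accept a touch.
func (o *Overlay) Wake() error {
	if !o.paired {
		return errors.New("wake refused: film is not paired with this phone")
	}
	o.primary, o.auxiliary = Inoperative, Operative
	return o.checkInvariant()
}

// Sleep is the second control signal, restoring normal touch operation.
func (o *Overlay) Sleep() error {
	o.auxiliary, o.primary = Inoperative, Operative
	return o.checkInvariant()
}

// checkInvariant enforces that exactly one of the two inputs is operative.
func (o *Overlay) checkInvariant() error {
	if (o.primary == Operative) == (o.auxiliary == Operative) {
		return fmt.Errorf("invariant violated: primary=%d auxiliary=%d", o.primary, o.auxiliary)
	}
	return nil
}

// Touch delivers a press in a zone to whichever input is operative and reports
// the sink ("hsm" or "primary"). Zones with no allocated value are ignored.
func (o *Overlay) Touch(zone int) string {
	ch, ok := o.zoneChars[zone]
	if !ok {
		return "ignored"
	}
	if o.auxiliary == Operative {
		o.toHSM = append(o.toHSM, ch)
		return "hsm"
	}
	o.toPrimary = append(o.toPrimary, ch)
	return "primary"
}

// Captured returns what each side has seen, so a caller can confirm the phone's
// own input path stayed empty while sensitive entry was active.
func (o *Overlay) Captured() (hsm, primary string) {
	return string(o.toHSM), string(o.toPrimary)
}
```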
[0055] Figure 4A shows a different embodiment of an auxiliary input device in accordance with the invention, also in the form of a multi-layered film (400), which includes four layers: a first, adhesive layer (402), a second, display layer (404), a third, touch-sensitive layer (406) and a fourth, protective layer (408). In this embodiment, the multi-layered film (400) is itself able to display images on the display layer (404). The image to be displayed may simply be images of keys as shown in Figure 4B, or may be more detailed graphics including images. The keys may be displayed in a regular configuration, but in one embodiment the keys may be displayed in a randomized manner for increased security in the event that a user is being watched as he or she is entering sensitive information. When the display layer is not displaying images, it is preferably set to a transparent mode so that the entire multi-layered film is transparent and the screen of the mobile device is visible therethrough.
[0056] Figure 5 illustrates a flow diagram of a method of securing and pairing the auxiliary input device with a mobile phone and using the auxiliary input device for a secure transaction. As described above with reference to Figures 3 and 4, the auxiliary input device is provided in the form of a multi-layer film (502) and is put in use by a user (550). As initial steps in this exemplary scenario, the user (550) fits the auxiliary input device in the form of a transparent multi-layer film (502) to the touch-sensitive display screen of the user's mobile phone (512) at step (552). The multi-layer film (502) is fitted so that it overlays the touch-sensitive display screen of the mobile phone (512). The user then launches a relevant software application on the mobile phone (512) and selects a 'pair device' option at step (554). The mobile phone (512) prompts the user for a pair PIN which the user enters. The touch-sensitive, primary input of the mobile phone is then set to an inoperative state and the touch-sensitive layer of the multi-layer film (502) is enabled. The mobile phone (512) then displays on the display screen a series of characters in the areas which correspond to touch-sensitive zones of the multi-layer film (502) having those characters assigned to them. In this manner, the user (550) is visually guided as to where on the multi-layer film (502) he should press in order to enter a specific character. The user then enters the same pair PIN on the multi-layer film (502) at step (556). This time, however, the PIN is captured by the multi-layer film (502) instead of by the touch-sensitive primary input of the mobile phone. The two PINs are then compared and, if they match, the multi-layer film (502) and the mobile phone (512) are paired at step (556).
[0057] At step (558), when the user wishes to transact, he or she launches the application resident on his or her mobile phone (512) at step (560) to initiate the transacting process. The user may, for example, navigate to a 'transactions' menu, upon which the user is prompted for personal credentials at step (562) in order to authenticate the session. Before the user can begin entering his or her personal credentials, the mobile phone (512) sends a "wake" instruction to the multi-layer film (502). The multi-layer film (502) is then switched to an operative mode wherein it is operable to detect a user's gestures. Furthermore, the multi-layer film (502) sends a "sleep" instruction to the touch-sensitive primary input screen of the mobile phone (512) at step (564), so that the touch-sensitive primary input screen becomes inoperable and hence insensitive to touch. The user may then proceed to enter his or her personal credentials at step (566). These credentials are captured and encrypted by the HSM of the multi-layer film (502) at step (568), before being transmitted to the mobile phone (512) by the device's communication interface. The mobile phone (512) then transmits the encrypted credentials to the bank server (520) at step (570), via, for example, a mobile telecommunications network. Upon receipt of the encrypted credentials, the bank server (520) decrypts the credentials at step (572), and uses them to authenticate the user's session. If the credentials are correct and the session is authenticated, the bank server (520) transmits an authorization response message back to the mobile phone (512). Upon receipt of the authorization response message at step (574), the mobile phone sends a sleep instruction to the multi-layer film (502) at step (576), which in turn sends a wake instruction to the touch-sensitive display screen of the mobile phone (512) at step (578). To a user, the distinction between using the multi-layer film (502) and the touch-sensitive display screen of the mobile phone (512) may be subtle. The above description is exemplary and it should be appreciated that there may be many other ways in which the auxiliary input device may be paired to and used with an electronic device for the purpose of accepting, encrypting and transmitting user data.
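The pairing and transaction flow of Figure 5, and the wake/sleep hand-over between the film and the phone's primary input, as an added Python example that is not part of the patent: the film with its HSM, the relaying mobile phone and the bank server exchange messages, the phone only ever handles ciphertext, and exactly one of the primary input and the film is operative at any time. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library, the paired key is assumed to be pre-shared between the film HSM and the bank, and every identifier, key and credential is constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in counter-mode keystream from HMAC-SHA256 (assumption, chosen so the
    # example runs on the standard library; a real HSM would use an AEAD cipher).
    enc_key = _prf(key, b"enc")
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), aad + nonce + ct)

def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Checks the tag in constant time before decrypting; raises on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), aad + nonce + ct)):
        raise ValueError("tag mismatch: ciphertext altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FilmHSM:
    """Auxiliary input device: touch layer plus HSM. It only ever emits ciphertext
    and ignores touches while asleep (the inoperative state of claims 18 and 19)."""

    def __init__(self, device_id: bytes, paired_key: bytes):
        self.device_id, self._key, self.awake = device_id, paired_key, False

    def capture_and_encrypt(self, typed: str) -> bytes:        # steps 566-568
        if not self.awake:
            raise RuntimeError("film asleep: touch layer is inoperative")
        return seal(self._key, typed.encode(), aad=self.device_id)


class MobilePhone:
    """Untrusted host: relays opaque blobs and keeps exactly one of its primary
    touch input and the film operative at any time."""

    def __init__(self, film: FilmHSM):
        self.film, self.primary_active = film, True

    def wake_film(self):                                        # step 564
        self.film.awake, self.primary_active = True, False

    def sleep_film(self):                                       # steps 576-578
        self.film.awake, self.primary_active = False, True


class BankServer:
    """Holds the key paired with each film HSM. Assumption: pairing is reduced to
    provisioning this key; the pair-PIN comparison of [0056] is not modelled."""

    def __init__(self):
        self._keys, self._credentials = {}, {}

    def enrol(self, device_id: bytes, key: bytes, credentials: str):
        self._keys[device_id], self._credentials[device_id] = key, credentials

    def authenticate(self, device_id: bytes, blob: bytes) -> bool:   # step 572
        try:
            entered = open_sealed(self._keys[device_id], blob, aad=device_id)
        except (KeyError, ValueError):
            return False
        return hmac.compare_digest(entered, self._credentials[device_id].encode())


def transact(phone: MobilePhone, bank: BankServer, typed: str) -> dict:
    """Steps 564-578; also records what the phone could observe along the way."""
    phone.wake_film()
    exclusive = phone.primary_active != phone.film.awake        # claim 19 invariant
    blob = phone.film.capture_and_encrypt(typed)
    authorized = bank.authenticate(phone.film.device_id, blob)  # step 570: relay only
    phone.sleep_film()
    return {"authorized": authorized,
            "exclusive_while_entering": exclusive,
            "plaintext_seen_by_phone": typed.encode() in blob,
            "primary_restored": phone.primary_active and not phone.film.awake}

def demo() -> dict:
    key = secrets.token_bytes(32)                  # constructed pairing key
    film = FilmHSM(b"film-0001", key)              # constructed device id
    bank, phone = BankServer(), MobilePhone(film)
    bank.enrol(film.device_id, key, "PIN-1234")    # constructed credential
    return {"good": transact(phone, bank, "PIN-1234"),
            "bad": transact(phone, bank, "PIN-9999")}
```

Calling `demo()` runs one correct and one incorrect entry; in both the phone sees only the sealed blob and its primary input is back in the operative state afterwards.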
[0058] Figure 6 shows a block diagram illustrating components of an exemplary mobile device (600) which acts as the electronic device with which various embodiments of the invention may be implemented. The mobile device (600) includes a display (612), a primary input device (614), a speaker (618), microphone (622), computer readable medium (624) such as volatile and non-volatile memory, a processor (610) and at least one antenna (620). In addition, the mobile device may include a dual interface including both contact (not shown) and contactless interface (616) for transferring information through direct contact or through an integrated chip, which may be coupled to a second antenna. In addition, the mobile device (600) may be capable of communicating through a cellular network, such as GSM or UMTS through the antenna (620). Thus, the mobile device (600) may be capable of transmitting and receiving information wirelessly through both short range NFC, radio frequency (RF) and cellular connections.
[0059] In alternative embodiments (not shown), the multi-layer film may be configured for attachment to surfaces other than the display screen of an electronic device, such as the back of a mobile device, or the casing of a computer such as a laptop, or even to a desk or other flat surface such as a wall. In these embodiments, the film need not be transparent, but could have touch-sensitive zones that are marked with the particular keys they represent. One such alternative embodiment is shown in Figure 7. In this embodiment the auxiliary input device (702) is secured to, or integrated in, the inside cover (704) of a protective cover (706) of a mobile phone (708). While shown on the inside cover (704), it should be appreciated that it may equally be applied to an outer surface of the cover. The auxiliary input device (702) may, as described above with reference to alternative embodiments of the invention, be configured to communicate with the mobile phone (708) over a wireless communication link, or, alternatively, the cover (706) and mobile phone (708) may be provided with complementary contact circuitry (not shown) through which communication as well as power transfer from the phone (708) to the cover (706) may be conducted. It should be appreciated that such contact circuitry may be embedded in the cover (704) at the time of manufacturing. As before, the user interface provided by the auxiliary input device (702) on the cover (706) will be touch sensitive and include its own HSM for encrypting the user input. In some embodiments the auxiliary input device may include an active display. Once an HSM inside the phone (or other secure element of the phone) requires secure data entry, the user may be prompted to enter the data into the auxiliary input device provided on the cover (706). The HSM of the device (702) will then encrypt the data as soon as it is entered by the user and before it is forwarded to the mobile phone (708).
[0060] It is also foreseen that an auxiliary input device according to the invention may be secured to a screen, or be provided by a secondary electronic device which is configured to wirelessly communicate with the electronic device, for the sake of clarity in this example referred to as the primary communication device. An example of this embodiment of the invention is shown in Figure 8. In the figure, an auxiliary input device (800) is provided on the display (802) of an electronic wristwatch (804), which acts as the secondary electronic device. The auxiliary input device (800) again has its own HSM (806) and a communications module (808) by means of which it may communicate with the wristwatch (804). It should be appreciated that the auxiliary input device (800) may either be provided as an integrated feature of the wristwatch (804), in which case the communication module (808) may be provided and powered by the wristwatch, or it may be provided as a multi-layered film as described above with reference to Figures 3 and 4, in which case the auxiliary input device (800) may be provided with a power harvesting component capable of harvesting power from the wristwatch (804) by means of a wireless or contact interface, or a kinetic power harvesting component.
[0061] In the case of it being implemented by way of a multi-layer film, the film may be configured to be adhesively secured to the screen of the wristwatch and the communication module (808) may be configured to relay encrypted personal data to a communication module of the wristwatch (804) for onward transmission to the primary communications device (810), in this example a mobile phone, or alternatively, directly to the primary communications device (810). The communication between the wristwatch (804) and mobile phone (810) or between the auxiliary input device (800) and the mobile phone (810), as the case may be, may be conducted with any suitable close proximity wireless communication protocol such as, for example, Bluetooth.
[0062] In use, and as shown in more detail in Figure 9, an authorization request requiring a user to enter his or her personal information may be transmitted from an enquiring entity (814) at step (816) to the mobile phone (810) and received at the user's mobile phone (810) from where it is relayed to the wristwatch (804) at step (818). The wristwatch (804) in turn passes the request on to the communication module (808) of the auxiliary input device (800) at step (820). The auxiliary input device (800) then energizes a display of the device, allowing the user to enter the personal information on the auxiliary input device (800) at step (822), from where it is immediately encrypted by the HSM (806) of the device at step (824). The encrypted personal information is then transmitted by the device (800) back to the wristwatch (804) at step (826), which in turn sends it to the mobile phone (810) over Bluetooth at step (828). The mobile phone (810) in turn sends the encrypted personal information back to the enquiring entity (814) at step (830), which decrypts and validates the information at step (832).
[0063] In another embodiment of the invention, shown in Figure 10, the primary electronic device is a personal computer (908). The auxiliary input device (900) is provided as a thin multi-layer film as described above with reference to Figures 3 and 4, which is adhesively secured to the touch-sensitive display of a mobile phone (904), which in this embodiment acts as the secondary electronic device. The personal computer (908) is provided with a secure communication module in the form of a Bluetooth dongle (906) which has its own integrated HSM (not shown). The communication module of the auxiliary input device (900) may be configured to communicate directly with the Bluetooth dongle (906) over a wireless Bluetooth link, or may utilize Bluetooth capabilities of the mobile phone (904) for this purpose. It should be appreciated that if the HSM of the Bluetooth dongle is paired with the HSM of the auxiliary input device, secure data entry on the auxiliary device (900) and transmission to the personal computer (908) may be achieved. In this way a user may be able to authenticate transactions on the personal computer while again circumventing potential man-in-the-middle attacks. The Bluetooth dongle (906) may provide a secure environment within which the personal computer may be booted and in which sensitive transactions may be conducted. In such an environment personal information entered by a user on the auxiliary input device and transmitted to the Bluetooth dongle will not be exposed in an unencrypted format and will provide secure data entry and transaction validation to users.
[0064] Embodiments of the invention provide for the auxiliary input device to be configured to monitor the behavioural characteristics, including a pattern with which data is input into the auxiliary input device and to compare the monitored pattern with an expected pattern for the specific data that is being entered. For example, a user may enter a specific PIN in a recognizable manner each time it is entered. For a given PIN the user may, for example, press the first digit with greater force, the second digit with lesser force, delay slightly before entering the third digit and then quickly enter the last digit. This pattern may be repeated each time the user enters that particular PIN and this information may be used by the auxiliary input device to further determine the validity of the PIN entered. Alternatively, this information may be encrypted by the HSM of the auxiliary input device and communicated to, for example a bank server, for further analysis or pattern recognition.
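The behavioural check of paragraph [0064], as an added Python example that is not the patent's own method: per-key press force and inter-key delay are enrolled into a template holding each feature's mean and spread, and a fresh entry is scored by how many standard deviations it sits from that template. The feature values, spread floors and threshold are constructed assumptions, and the decision step shows the pattern narrowing acceptance of a correct PIN rather than ever widening it.

```python
from statistics import mean, pstdev

# Floors on the per-feature spread so that a very consistent enrolment does not
# produce an impossibly tight template (constructed values: sensor units and ms).
MIN_SPREAD_FORCE, MIN_SPREAD_DELAY = 2.0, 20.0


class PatternTemplate:
    """Per-key mean and spread of (press force, delay before the key) over
    several enrolment entries of the same PIN."""

    def __init__(self, samples):
        n = len(samples[0])
        if any(len(s) != n for s in samples):
            raise ValueError("all enrolment entries must have the same key count")
        self.means, self.spreads = [], []
        for i in range(n):
            forces = [s[i][0] for s in samples]
            delays = [s[i][1] for s in samples]
            self.means.append((mean(forces), mean(delays)))
            self.spreads.append((max(pstdev(forces), MIN_SPREAD_FORCE),
                                 max(pstdev(delays), MIN_SPREAD_DELAY)))

    def score(self, entry) -> float:
        """Mean absolute z-score over every feature; 0.0 is a perfect match."""
        if len(entry) != len(self.means):
            raise ValueError("key count differs from the template")
        zs = []
        for (f, d), (mf, md), (sf, sd) in zip(entry, self.means, self.spreads):
            zs += [abs(f - mf) / sf, abs(d - md) / sd]
        return sum(zs) / len(zs)

    def matches(self, entry, threshold: float = 2.0) -> bool:
        return self.score(entry) <= threshold


def decide(template: PatternTemplate, pin_correct: bool, entry, threshold=2.0) -> str:
    """The behavioural match only ever narrows acceptance: a wrong PIN is rejected
    regardless, and a correct PIN entered with an unfamiliar rhythm gets a step-up
    check instead of a silent accept."""
    if not pin_correct:
        return "reject"
    return "accept" if template.matches(entry, threshold) else "step-up"


# Constructed enrolment: the same four-digit PIN entered five times by one user who
# presses the first digit hard, the second lightly, pauses before the third and
# enters the last one quickly (the pattern described in [0064]).
ENROLMENT = [
    [(82, 0), (41, 210), (60, 610), (58, 140)],
    [(78, 0), (44, 190), (63, 590), (55, 150)],
    [(85, 0), (39, 230), (59, 640), (60, 130)],
    [(80, 0), (42, 200), (61, 600), (57, 145)],
    [(79, 0), (40, 215), (62, 620), (56, 155)],
]
SAME_USER = [(81, 0), (43, 205), (60, 615), (57, 148)]    # constructed: familiar rhythm
FLAT_RHYTHM = [(60, 0), (60, 400), (60, 400), (60, 400)]  # constructed: right digits, no rhythm
```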
[0065] Thus, according to embodiments of the invention, secure financial transactions such as an online banking session or a payment transaction can be conducted through an electronic device which may otherwise be vulnerable to man-in-the-middle attacks, because sensitive data such as a user's account credentials are encrypted and sent directly to a paired HSM while bypassing the electronic device's own primary input device and its related software. This may generally be achieved by providing the electronic device with an auxiliary input device, or keypad, which has its own HSM which is configured to encrypt the sensitive data immediately upon entry and before it is passed on to the electronic device's own processors for onward transmission.
[0066] The foregoing description of the embodiments of the invention has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.
[0067] Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
[0068] Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.
[0069] Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
Claims
WHAT IS CLAIMED IS:
1. An auxiliary input device for securely inputting data into an electronic device which has its own existing primary input device, comprising:
a user interface configured to accept user input;
a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and
a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
2. The auxiliary input device of claim 1, wherein the communication interface is configured to transmit the encrypted user input to a secure processor of the electronic device which is capable of decrypting the encrypted user input.
3. The auxiliary input device of claim 2, wherein the HSM of the auxiliary input device is configured to be paired with an HSM of the secure processor during transmission of the encrypted user input by the communication interface to the secure processor.
4. The auxiliary input device of claim 1, wherein the encrypted user input is communicated onwards by the electronic device to a remote device or system capable of decrypting the encrypted user input.
5. The auxiliary input device of claim 4, wherein the HSM of the auxiliary input device is configured to be paired with an HSM of the electronic device during transmission of the encrypted user input and the HSM of the electronic device is configured to zone translate the encrypted user input before on-forwarding it to a secure gateway or bank server for decryption and authentication.
6. The auxiliary input device of any one of the preceding claims, which is a thin multi-layer film configured to be adhered to a surface by means of an adhesive backing layer, and includes a touch-sensitive layer which forms the user interface.
7. The auxiliary input device of claim 6, wherein the multi-layer film is transparent and is configured to overlay a display screen of the electronic device.
8. The auxiliary input device of claim 6 or claim 7, wherein the touch-sensitive layer is a quantum tunneling composite layer.
9. The auxiliary input device of claim 6 or claim 8, wherein the multi-layer film includes a display layer which is configured to visually display keys.
10. The auxiliary input device of claim 9, wherein the display layer is configured to visually display keys in a randomized fashion.
11. The auxiliary input device of any one of the preceding claims, which includes a power harvesting component.
12. The auxiliary input device of claim 11, wherein the power harvesting component is configured to utilize radio frequency signals from the electronic device to power the user interface, HSM and communication interface.
13. The auxiliary input device of claim 12, wherein the power harvesting component includes one or more photovoltaic cells.
14. The auxiliary input device of any one of the preceding claims, wherein the communication interface is a wireless communication interface.
15. The auxiliary input device of any one of the preceding claims, which is configured to record behavioural characteristics with which the user input is entered.
16. The auxiliary input device of claim 15, wherein the behavioural characteristics includes at least a pattern with which the user input has been entered.
17. The auxiliary input device as claimed in claim 16, wherein the pattern is used to authenticate the user input.
18. The auxiliary input device as claimed in any one of the preceding claims, wherein at least the user interface is configured to enter a first, operative state upon receiving a first control signal, and a second, inoperative state upon receiving a second control signal.
19. The auxiliary input device of claim 18, wherein the user interface entering the operative state corresponds to the primary input device entering an inoperative state, and the user interface entering an inoperative state corresponds to the primary input device entering an operative state so that only one of the user interface and primary user input is in an operative state at any given time.
20. The auxiliary input device of any one of the preceding claims, wherein the electronic device is a mobile communication device and the existing primary input device is a keypad or touch interface of the mobile communication device.
21. The auxiliary input device of any one of claims 1 to 19, wherein the electronic device is a personal computer and the existing primary input device is a keyboard of the personal computer.
22. The auxiliary input device of claim 21, wherein the communication interface is configured to communicate with a secure communication module of the personal computer over a wireless communication link.
23. The auxiliary input device of claim 22, wherein the secure communication module is a Bluetooth dongle operating with the personal computer and the wireless communication link is a Bluetooth link.
24. The auxiliary input device as claimed in claim 23, wherein the Bluetooth dongle includes an integrated HSM configured to at least partially decrypt the encrypted user input.
25. The auxiliary input device of any one of the preceding claims, which is associated with a secondary electronic device which is in data communication with the electronic device.
26. The auxiliary input device of claim 25, wherein the secondary electronic device is an electronic wristwatch.
27. The auxiliary input device of any one of claims 1 to 20, which is incorporated in a protective housing of a mobile communication device.
28. A system for securely inputting and communicating user input, comprising:
an electronic device which has its own existing primary input device; and
an auxiliary input device including:
a user interface configured to accept user input;
a hardware security module (HSM) in communication with the user interface and configured to encrypt the user input before it is transmitted from the auxiliary input device; and
a communication interface configured to transmit the encrypted user input to the electronic device, such that the encrypted user input bypasses the existing primary input device.
29. The system of claim 28, which includes a remote device or system configured to decrypt the encrypted user input.
30. A method for securely receiving and communicating user input comprising the steps of:
receiving the user input at a user interface of an auxiliary input device;
encrypting the received user input at a hardware security module (HSM) of the auxiliary input device before the user input is transmitted from the auxiliary input device; and
transmitting the encrypted user input to an electronic device with a communication interface of the auxiliary input device, such that the encrypted user input bypasses an existing primary input device of the electronic device.
31. The method of claim 30, which includes the step of on-forwarding the encrypted user input from the electronic device to a remote device or system configured to decrypt the encrypted user input.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| ZA2014/07013A ZA201407013B (en) | 2012-06-05 | 2014-09-26 | Auxiliary input device for encrypted data entry |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| ZA2012/04088 | 2012-06-05 | | |
| ZA201204088 | 2012-06-05 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2013183010A1 true WO2013183010A1 (en) | 2013-12-12 |
Family
ID=49711489
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/IB2013/054626 WO2013183010A1 (en) | 2012-06-05 | 2013-06-05 | Auxiliary input device for encrypted data entry |
Country Status (2)
| Country | Link |
|---|---|
| WO (1) | WO2013183010A1 (en) |
| ZA (1) | ZA201407013B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109074156A (en) * | 2016-09-21 | 2018-12-21 | 苹果公司 | Haptic structures for providing localized tactile output |
| WO2021174299A1 (en) * | 2020-03-04 | 2021-09-10 | Simsec Hong Kong Limited | Data encryption module, system and method |
| US12309128B2 (en) | 2022-03-28 | 2025-05-20 | George MARAVEYAS | Auxiliary device for an electronic communication device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5768386A (en) * | 1996-05-31 | 1998-06-16 | Transaction Technology, Inc. | Method and system for encrypting input from a touch screen |
| WO2002042891A2 (en) * | 2000-11-21 | 2002-05-30 | @Pos.Com, Inc. | A touch pad that confirms its security |
| US6549194B1 (en) * | 1999-10-01 | 2003-04-15 | Hewlett-Packard Development Company, L.P. | Method for secure pin entry on touch screen display |
| US7305565B1 (en) * | 2000-05-31 | 2007-12-04 | Symbol Technologies, Inc. | Secure, encrypting pin pad |
Application Events
- 2013-06-05 WO PCT/IB2013/054626 patent/WO2013183010A1/en active Application Filing
- 2014-09-26 ZA ZA2014/07013A patent/ZA201407013B/en unknown
Also Published As
| Publication number | Publication date |
|---|---|
| ZA201407013B (en) | 2015-12-23 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13800431; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 13800431; Country of ref document: EP; Kind code of ref document: A1 |