SECURITY DEVICE
This invention relates to security apparatus and associated methods for use in internet transactions, and more specifically to apparatus and methods for encrypting keypress information.
The number of financial transactions undertaken using the Internet has increased dramatically and the value of those transactions is very considerable. Such transactions include on-line stores and banking.
The internet is also used to access and manage information of a personal nature that, should it be stolen, is of considerable value for criminal activities.
The value of these transactions and of the data transferred over the internet has attracted the attention of fraudsters such that there have been a great many software programs (threats such as spyware etc) that seek to intercept data and copy it to unauthorised recipients (data theft) for the purpose of fraudulent activities.
Security of web transactions relies on SSL encryption techniques employing public and private keys with verification which renders data secure as it is passed to and fro across the internet (where unencrypted data would be vulnerable). This protects users from data theft from servers, routers etc. However the SSL system does not protect the data within the user's computer as the data is not encrypted and is vulnerable. This weakness is targeted by many fraudsters. Hence security of data is reliant on the ability of the Operating System, with or without additional security software, to block threats.
Operating system vendors and third party security software providers expend considerable effort attempting to eliminate the risk of data theft but in general can only eliminate a problem after the security weakness has been identified. Frequently identification of weakness is only as a result of an actual threat having been released and subsequently analysed.
According to a first aspect of the invention, there is provided apparatus for use with a computer, the apparatus comprising: an input for receiving signals from a computer input device; an output for sending signals to the computer; and a processor for encrypting signals received from the input to produce encrypted signals, wherein the encrypted signals are sent to the output.
Such an apparatus allows the signals sent by a computer input device to be encrypted, so as to increase the security of information input to a computer. When the signals are encrypted, any interception of them by malicious software or hardware such as key loggers will not reveal the information that is contained within them in the absence of knowing the encryption key.
Preferably, the apparatus further comprises memory for storing the encrypted signals that are to be sent to the output. This allows the apparatus to retrieve previously input information.
Preferably, the apparatus further comprises a display means for displaying the stored signals. This enables a user to see the information they have input to the apparatus.
Preferably, the apparatus further comprises input means adapted to enable a user to select a signal stored in the memory, wherein the apparatus is adapted in use to enable the user to select a signal stored in the memory using the input means and display means, for sending to the computer.
Preferably, the apparatus is selectively switchable between a first mode and a second mode, such that in the first mode, signals received from the input are relayed to the output and in the second mode, signals received from the input are encrypted by the processor before the encrypted signals are sent to the output. This enables the computer input device to be used normally when security is not required, without having to re-wire the device.
Preferably, the computer input device is a computer keyboard. This allows the user to input any alphanumeric information.
According to a second aspect of the invention, there is provided a computer keyboard including the apparatus of the first aspect. This allows a user to make use of the security advantages of the first aspect of the invention without requiring an additional computer peripheral.
Alternatively, the computer input device is a mobile phone. This allows the user to input secure information to their computer using a device they carry around with them normally.
According to a third aspect of the invention, there is provided a mobile phone including the apparatus of the first aspect. This means that a user can use the enhanced security offered by the invention without having to carry around a new piece of equipment that they would not usually carry.
According to a fourth aspect of the invention, there is provided a method for increasing the security of information input to a computer, comprising receiving signals from a computer input device; encrypting the signals; and sending the encrypted signals to the computer.
This results in a method useful for hiding information input to a computer from spyware and the like on the computer.
Preferably, the method further comprises storing the encrypted signals, receiving input identifying a stored signal and sending the identified stored signal to the computer. This allows a user to retrieve previously input information.
Preferably, the method further comprises selectively receiving signals from the computer input device and sending the signals to the computer without encrypting the signals. This means that whatever device implements the method, the device does not need to be removed from a computer to carry out normal computing tasks.
Embodiments of the invention will now be described, by way of example, with reference to the drawings in which: Figure 1 is a schematic representation of a computer combined with the hardware according to an embodiment of the invention.
The present embodiments depict apparatus for use with a personal computer. However, the principles described may readily be adapted for use with other electronic devices that receive an input.
Referring now to Figure 1, computer 2, which has a screen and a processing unit, is connected to keyboard 4 via security module 6. Security module 6 comprises an input 8 for receiving signals from the keyboard 4, an output 10 for communicating with computer 2 and display 12. The security module also comprises a processor.
The security module 6 is selectively switchable between a normal operating mode and a secured operating mode. This switching may be by virtue of a switch or trigger on the security module itself, or may be triggered by signals from the computer or keyboard. When the security module is in a normal operating mode, it relays signals from the keyboard to the computer, and may relay signals from the computer to the keyboard. Accordingly, the security module does not make any functional difference to the interface between the keyboard and computer in the normal operating mode.
In contrast, when in secured operating mode, the signals received from the keyboard may be intercepted by the security module before they are relayed to the computer. These signals, either with or without interpretation are then encrypted or encoded in some way before they are sent to the computer using the output. This encryption step is carried out by the processor, and means that when the security module is in secured mode, any signals sent by the keyboard to the computer are obfuscated in some way such that the original signal generated by the keyboard cannot be determined by the computer without decoding the signal it receives from the security module. Accordingly, the keyboard is no longer operating as a conventional input device.
The signals sent by the keyboard will typically represent keypresses made by the user.
Advanced keyboards may support additional features beyond the basic keyboard, such as offering display screens to show information and providing buttons to control computer functions such as changing the volume, zooming a document or starting an instance of a web browser. In an optional modification, the security module may be adapted to only affect those signals sent by the keyboard which represent alphabetical, numeric, aphanumeric or symbolic characters, or the like in any combination, so as not to affect the other functions of the keyboard when in secured mode.
Display 12 on security module 6 is used to display to the user operating the keyboard what they have typed when using the security module in secured mode. This means that although the computer 2 itself is not able to display the original sequence of keypresses typed by the user, the user is still able to view what they have typed in the secured mode.
The security module 6 may optionally allow scrolling of the text displayed on the display by using e.g. the arrow keys on the connected keyboard, or alternatively using separate controls on the security unit.
In one implementation, the security module 6 may encode or encrypt each individual keypress and then send an appropriate signal to the computer. In an alternative implementation, the security module may store a sequence of keypresses before sending them as an encrypted group. In the latter implementation, the security module may be configured to recognise directional inputs from the arrow keys in order to move a cursor through the stored sequence of keypresses, and allow the deletion and insertion of characters before they are relayed.
By using the secure operating mode, the user of the computer 2 is able to protect the information they are entering from being available to the operating system, and so from malicious programs such as key loggers or other spyware. This secure operating mode may be desirable for use when e.g. carrying out online shopping transactions, in order to prevent malicious software from obtaining the user's credit card details or the like.
In one implementation, the computer 2 may be configured to simply receive the encrypted information from the security module and forward it to its destination, such as the website that is handling the transaction to be carried out. This has the advantage of the computer never decoding the actual keypresses made by the user, thus ensuring that any malicious software running on the computer is not able to access the protected information. In other implementations, the computer 2 may be programmed to decrypt the signals sent by the security module before re-encrypting them to be sent over the internet. Such an implementation has the advantage that normal internet protocols can be used without the requirement for additional software on the receiving server.
One implementation of the security module may be used as follows. A user is using the computer 2 to view a website, and security module 6 is operating in the normal operating mode and relaying their keypresses. The user may decide that they wish to purchase an item, and then be directed by the website from which they are purchasing the item to an on-line form to fill in information such as the delivery address and their credit card details. The user is then able to select one of the input fields of the form and mark it as "secure". This may be by virtue of selecting the field within their browser and marking it in some way, such as right clicking it and selecting an item from a menu. Alternatively, the user may navigate to the field and then indicate that it is to be a secure field by a certain combination of keypresses or pressing a button on security module 6. The skilled man will realise that there are a number of other ways that would serve to mark a field (or entire form) as secure.
Once a field is marked as secure it no longer functions in its normal manner. Instead, when the field is active and has the input focus, data relevant to that field is displayed on the visual display of the security module and is not displayed on the computer screen. For example, information input to that field may be displayed on the security module. This information may be retained by the security module so that receipt of a signal from the computer that the secure field is selected (e.g. has the input focus) may trigger the retrieval of the information at any time, allowing the user to check what they have input before finishing the transaction.
Alternatively, the computer may store the information in an encrypted format and relay it back to the security module when the field is selected.
Accordingly, Information input to the secure field is not shown on the computer display but is instead shown on the security module's display. This means spyware is unable to intercept meaningful text input to the secure field as these pass across a non-standard, protected and encrypted interface. In addition it is impossible for spy software to gather data from the screen (or its associated software or hardware) as the data is not printed to the computer screen.
As described above, the computer may be programmed in order to handle the encrypted information sent by the security module. This programming may be the result of stand-alone software on the computer, or alternatively software such as a plug-in that is designed to operate with a web browser. As mentioned above, it is possible that the computer may simply relay the encrypted signals sent by the security module to the server. In such an implementation, there is essentially a secure channel of communication between the security module and server which means that the computer cannot intercept the data. This may take the form of an SSL session between the server and security module, or any other appropriate encryption system. As the security module is a closed system that does not carry out the general functions of the computer, it is possible to make it much more secure against attacks from malware and accordingly the security of the system is improved.
Alternatively, the software may decrypt the information received from the security module before re-encrypting it for sending to the server of the website. This decryption is preferably transient to reduce chances of interception, and may involve using a secured area of memory to prevent detection of the information. It is preferable that the encrypted data is decrypted only by the security software designed for use with the security module so that the information encoded is not available to other software on the computer.
The encryption techniques that may be employed by the system include SSL and any other suitable technology. It is possible that the software on the computer 2 may further encrypt the encrypted data it receives from the hardware module before sending it over the internet for additional security. If the software on computer 2 is to decrypt the signals sent by the security module 6, then it will need to know the key or keys with which the information was encrypted. These are preferably unique to the individual security module, and may be pre-programmed at manufacture.
As mentioned above, the security module comprises a processor for encrypting the signals to be sent to the computer. The module may further comprise memory for storing encryption keys, the software (or firmware) that operates the security module and information that is to be encrypted. As a further adaptation, a portion of the memory may be accessible to the computer it is connected to, and this portion may be used to store the installation files or other data necessary to set up the software required on the computer. Accordingly, the module may be used to install the software it requires to operate, meaning that it is highly portable from computer to computer. The memory may optionally be read only, so that it is not possible to replace the encryption keys or to corrupt the software or firmware recorded in it.
The interface used on the security module in order to receive input from the keyboard and send output to the computer may be Universal Serial Bus (USB) interfaces, or alternatively any other suitable interface. Although wireless interfaces may be used, this may enable eavesdropping of the signals sent so this is not preferred. Preferably, the security device does not emit any significant radio signals.
The skilled man will realise that the features of security module 6 could conceivably be integrated into a keyboard, negating the need for an additional piece of hardware. In such an embodiment, the keyboard would then contain the processor for encrypting the information to be sent in secured mode and comprise an equivalent to display 12 for displaying the information in the secured mode. The security module 6 could be further integrated into a laptop keyboard, for providing the same functionality.
Furthermore, the skilled man will realise that the features of security module 6 could be integrated to any other piece of hardware that is capable of functioning in a way similar to a keyboard. For example, mobile phones and personal digital assistants (PDA5) may have keyboards or touch screens that allow a user to type information. These devices could therefore be used as keyboards, or combined security modules/keyboards as described above. In such implementations, it may be preferable to only use the input associated with the hardware for the secured fields, e.g. a normal keyboard may be used for non-secured fields. Accordingly, the security module may be used in conjunction with any computer input device that can produce alphabetic, numeric, alphanumeric or symbolic input, or anything of the sort.
As shown in figure 1, the security module 6 may have a further interface for receiving information module 14. In this implementation, the security module 6 has an additional mode of operation that may be used with financial institutions (or other organisations). In this mode the information module is pre-loaded with an agreed set of encryption keys (or other encryption definitions) that are distinctive to it and/or to the co-operating organisation and known only to the co-operating organisation. A mechanism is provided whereby the user and device can be identified and one of these encryption methods invoked, thus adding a layer of encryption that cannot be discovered and decoded even should the standard encryption between the security module and computer be compromised. When the security module is to be used with the website of a co-operating organisation, such as an online banking website, it is possible that some fields that are to be filled in could be pre-marked as secure, requiring that the security module work in the secure operating mode to fill them in. This would avoid potential user error of neglecting to mark important fields as secure.
This implementation provides a further degree of security as the codes present on the information module are unique to the module, and so can be used to confirm its identity.
Furthermore, the information module is portable so that the user may take it with them and use it on any appropriately configured security module or other hardware incorporating its functionality.
In one possible implementation, the information module may contain all or some of the software or firmware that runs the security module, including appropriate encryption keys, as well as the additional identifying codes and encryption keys described above. The skilled man will realise that the information module may be entirely integrated into the security module where the portability described above is not required.
As an optional addition, the security module may be able to communicate with the computer to check for the veracity of the software that is receiving the encrypted signals. This allows it to check that the software on the computer has not been corrupted or replaced by malware, and may take the form of exchanging codes or checking characteristics of the software such as checksums. It is preferable that any software or firmware stored on the security or information module is write protected to ensure it is not compromised.
The security module may also include audio for the assistance of visually impaired users, as in the absence of the information being displayed in a protected field as described above, assistance software running on the computer may be unable to indicate what information is located in the field. To ensure full data security is maintained the audio output may be routed to a headphone port on the hardware module and not to the host computer's audio system.
In a further optional addition, the security module may offer the facility to store and recall key data for rapid insertion of that information into relevant fields. All such data retention may be protected from unauthorised access through being saved in an encrypted form with access controlled by password protection. Alternatively, the data may be stored in an unencrypted form. As an option this data may be saved to the information module.
This leads to a possible further modification. It may be possible to use the keyboard to input user information, such as card details, address details and the like, into the security module.
If the security module is equipped with its own interface, such as buttons, this enables a user, at a later time, to selectively access their input details and relay them to the computer without having to type their details again. Optionally, the user may be able to use their normal keyboard to select a piece of information, for example by using the arrow keys. This may be a useful labour saving feature. Furthermore, this enables the security device to be used with laptops not having a built in security module without requiring an external keyboard. For example, a user could use an external keyboard once to program the security module with the required information, and then simply use the security module in combination with the laptop to select and enter the pre-loaded information.
Alternatively, rather than equipping the security module with its own buttons, and even display, it may be possible to use the computer's display and interface (e.g. buttons, mouse) to select the relevant recorded signal. In such an embodiment, it would be preferable that the user is only able to see displayed on the screen of the computer a representative label for the number (for example, "credit card number") without the data recorded being displayed.
The skilled man will realise that the above described optional modifications and implementations may be used in different combinations as required by a specific application.
Furthermore, the skilled man will realise that the signals recorded by the security module and sent to the computer could take a number of different forms. For example, the security module may simply record the actual signals received from the keyboard and then encrypt (or not encrypt) these signals for sending. Alternatively, the security module may interpret these signals to result in the characters represented by them, which may be preferable to simplify the stored information. In such an embodiment, the module may then convert this interpreted information back into standard signals as would be sent by a keyboard for sending to the computer, or optionally simply send the signals in interpreted form e.g. as text files or individual pieces of data.