1. Field of the Invention
This invention relates to a keypad and in particular to a keypad for input of data such as financial data to enable financial transactions such as eftpos transactions to take place. However, it should be understood that the keypad is not limited to such applications and could be used in other environments where secure input of data into a system is required.
2. Related Art
Keypads are used on almost all electronic devices which require some form of input. Often these keypads take the form of an electronic matrix of wires, the keys themselves bridging the horizontal and vertical lines of this matrix, and thus forming an electrical connection between a specific horizontal and a specific vertical wire when pressed. The device controlling the keypad (usually some form of computer, or CPU) can then ascertain the exact key pressed by determining which of the wires of the matrix are connected. A suitable analogy might be to imagine the use of a grid on a map to determine the exact location of a street.
The determination of keypresses via such a matrix of wires requires the active, and constant, “scanning” of the lines in the keypad. This is achieved by presenting a voltage signal on only one of the matrix lines, and testing the corresponding matrix lines to see if that voltage signal has appeared there as well. For example, if we assume a keypad that has a 4×4 matrix, to determine if any key has been pressed, a voltage signal (called a “logic high”) is presented on the first of the vertical lines of the matrix. All of the other vertical lines are left inactive (no voltage signal present, or a “logic low”). The voltage inputs at the horizontal lines of the matrix are now tested (“read”). If any of the keys that exist on the read line are currently pressed, the logic high presented on this line will be passed to the corresponding horizontal line, via the switch. Thus the state of all of the switches on the first vertical line has been determined by the “scanning” of this line with a logic high signal, and a corresponding read of the voltage levels of all of the horizontal lines. Any matching voltages indicate a key press (i.e. a short circuit between the horizontal and vertical lines that has been created via a keypress). This process is then continued with all of the subsequent vertical “scan” lines and reading back the state of the horizontal “read” lines after the setting of each single logic high. Once all of the scan lines have been checked, the whole process is repeated.
Thus it can be seen that the scanning of the keypad is both an active and continuous endeavour. An occasional alternative to this is that during periods of inactivity, all of the scan lines are set to a logic high, and a transition of any of the read lines to a high state is set to “wake-up” the computer/CPU to start scanning the keypad to determine the exact key pressed. This allows for a cessation of the scanning during periods of extended inactivity, and thus allows the device to reduce any processing overhead/power consumption caused by the continual scanning. Also it would be obvious to anyone skilled in the art that the state of the voltage signals may be swapped (scan with only one line low, instead of high), or altered in some other trivial way to better suit an individual situation.
This method of key press determination is preferably acceptable for most applications. However, for applications that have a requirement of security, it is often desirable to attempt different key scan regimes to prevent the determination of keypresses by an external party. The method by which an external party may ascertain the state of the keypad is simple: Given unrestricted access to the keypads, an external party may attach “probes” across each of the key-mats (matrix junctions, the points at which the keys form short circuits), and thus determine any key press by acting as a passive observer to the scanning of the computer/CPU to which the keypad is attached. If an observer knows that a logic high on both a scan and a read line indicate that key is pressed at the junction of these lines, it is a simple matter to observe the state of all of the scan and all of the read lines, and thereby determine the state of all of the keys of the keypad.
Many attempts have been made to prevent an external party from successfully performing such an observation of the keypad scanning signals. These attempts may be grouped under the heading of “scan obfuscation”, i.e. the technology used to confuse the scan line signals. The most common keypad obfuscation technique is to present “dummy” keypresses on the key matrix. “Dummy” keypresses are, in fact, false keypresses that are created by the controlling CPU to confuse any attempt to determine a real key depression. This may be achieved by a number of methods, such as using electronically controlled switches such as field effect transistors, or relays, to present a short circuit across the switch; or simply presenting the same voltage at both the read and the scan line. The general idea remains the same; before each keypad scan, a number of keys are selected to be “dummy” pressed for that scan, and the relevant circuitry activated to achieve this. Then, during the instant of the scan, these lines appear as valid keypresses (i.e., the voltage on the read line is the same as the scan line, simulating a short circuit caused by the pressing of the switch), and cannot be externally differentiated from any real keypresses that are detected during that scan period. Only the CPU “knows” which keypresses were dummies, and therefore which (if any) were the real keypresses. There is a major problem with this regime, however; as the voltage levels on either side of a dummy key press are the same, a real key press cannot be detected on any key that is dummy pressed. This is not so much of a problem provided that the dummy keypresses are moved around the keypad with no dummy press having duration on any key that is of comparable duration to a real keypress. If the dummy presses are moved around in such a manor, even if a dummy press exists on a key that has a real key press active on it, the dummy press will be moved from that key before the key is un-pressed, and thus the real key press will be detected. However, this presents an outside observer with a means to differentiate the dummy presses from the real presses; any key press that lasts for more than a certain duration must be real otherwise it would not be possible to scan that key. To put it another way, although a dummy press may be convincing during the instant of the scan, its ability to confuse real key presses is reduced when a large number of scans is observed. If a dummy key press lasts for only 10 ms, it will not hamper the detection of a real key press that lasts for >100 ms.
As it is not possible to “un-short circuit” a short circuit by a real key press (disregarding any mechanical means that may be used to physically un-press the switch), the use of dummy keypresses has been seriously hampered by this intrinsic problem of duration. This problem could be mitigated if it was possible to stop scanning once a real key press was detected, and only resume scanning once the key was un-pressed. The observer would then have to choose between the last dummy pressed keys, and the real key, and could not use the duration of the real key press to assist the choice, as no more key presses (real or dummy) would be visible until the real key was released, and scanning resumed. However, it is clear that the release of the key cannot be detected unless the scanning continues.