This invention relates generally to security of data terminals which utilize touch screens for data entry. This invention also relates to secure terminal systems which utilize a security processor to control access to data entry on a touch screen.
Touch screens for data entry on a computer terminal are well known in the art. A touch screen allows the user of a terminal to enter a menu selection or data by placing a finger or other object at a location on the display screen that corresponds to the menu item, function or data numeral to be entered. A touch sensitive element detects the coordinates of the touch event and the meaning of the touch event is determined by the coordinate location and the corresponding menu or data button displayed on the screen.
When a touch screen is utilized to enter data such as a secret PIN, it is vital that the PIN be protected by encryption before it is communicated to any external resource. Entry of other data or menu selections on the same touch screen does not require encryption. Accordingly, utilizing a single touch screen for entry of both secret data and nonconfidential data presents a difficult technical challenge.
It is a principal object of this invention to provide an improved method and apparatus for operating a touch screen device.
It is another object of this invention to provide a method and apparatus for operating a touch screen device in a manner which provides security for confidential data entry and high flexibility for entry of general and nonconfidential data.
It is another object of this invention to provide a method and apparatus having improved logical security for sensitive data items entered on a touch screen.
In its broadest aspect, this invention features a method for operating a touch screen device (e.g. a combination touch pad and display screen) which involves displaying on the display screen a set of functional components. An additional step involves defining a plurality of touch pad hot spots corresponding in area and location to the functional components. The method further involves sensing a touch event on the touch pad corresponding to one of the touch pad hot spots and creating a touch event message identifying the touch pad hot spot corresponding to the touch event.
The touch event message is not the coordinates of the touch event, but rather an identification of which of the defined hot spots corresponds to the touch event.
In this aspect of the method of this invention the touch pad is controlled by a touch pad controller and the display screen is controlled by an application processor in communication with the touch pad controller and the display screen. These can be separate hardware modules or separate software modules in the same processor with a built-in firewall between them.
The application processor carries out the step of displaying on the display screen the set of functional components, and the step of defining hot spots is carried out by the application processor sending to the touch pad controller a hot spot command defining a plurality of touch pad hot spots corresponding in area and location to the set of functional components. The sensing step is carried out by the touch pad controller sensing a touch event on the touch pad corresponding to one of the touch pad hot spots and sending to the application processor a touch event message identifying the touch pad hot spot corresponding to the touch event. The touch event message is not the touch coordinates but rather an identification of the hot spot associated with the touch coordinates.
A variation of the invention features described in the preceding paragraph involves a method for operating a combination touch pad and display screen device as a secured data entry device in a point-of-sale transaction environment in which secret PIN entries are required. In this variation, the touch pad controller has an associated security processor and is located within a security module for protection against physical intrusion. The application processor displays on the display screen device a PIN data entry screen comprising at least a set of data entry buttons corresponding to PIN numerals and an “ENTER” command button. In addition, the application processor sends to the touch pad controller a PIN data entry command requesting execution of a PIN entry touch event routine.
The touch pad controller responds to the PIN data entry command by defining a prearranged set of hot spots corresponding to active data entry and command buttons in the PIN data entry screen, then responding to a sequence of touch events corresponding to active data entry buttons by storing each of the associated PIN numerals, and finally by responding to a touch event corresponding to the “ENTER” command button by encrypting the stored PIN numerals using the security processor and sending the encrypted PIN data to the application processor.
In this secured data entry application of this invention, the touch pad hot spots associated with entry of general, nonconfidential data items are defined by the application processor, whereas the touch pad hot spots associated with entry of confidential data items are predefined in the touch pad controller itself to correlate with the data entry screen display set up by the application processor. In the former case, each touch event is returned to the application processor as an indication of which one of the defined hot spots corresponds to the location of the touch event. In the latter case, each touch event is echoed in some fashion to the application processor, but the actual secret numerical data elements are stored in the touch pad controller and then encrypted in the security chip before being sent to the application processor.
In this secured data entry application, the invention preferably includes additional features which preclude hot spot definition commands from setting up a number and arrangement of hot spots that would permit entry of confidential data items without encryption. To achieve this, the method of this invention further involves the touch pad controller determining whether the number of hot spots defined in the data entry command is less than or equal to a predetermined hot spot limit, the limit itself being less than the number of hot spots required for PIN entry. If so, the touch pad controller directly executes the data entry command by responding to hot spot touch events and sending corresponding touch event messages to the application processor. If too many hot spots are defined, the touch pad controller declares a hot spot command error and processes a hot spot error routine.
Alternatively, the touch pad controller limits the number of touch events and touch event messages returned to a number less than that required for confidential data entry.
Instead of declaring a hot spot command error, this invention may include the feature of allowing the touch pad controller to execute a data entry command with more hot spots than the limit number if the data entry command includes one or more authentication parameters that permit the touch pad controller to authenticate the command before executing it. Such command authentication parameters would be added to data entry commands by a trusted agent after audit of the program routines to ensure that they didn't violate data entry security protocols.
The use of command authentication parameters in accordance with this invention provides complete flexibility in the use of hot spots for data entry routines without compromising security during entry of confidential data items.
Another variation of the method of this invention involves permitting the application processor to define a number of hot spots sufficient for entry of a PIN number, but to provide that the touch pad controller will limit the number of touch events returned during the processing of a single hot spot command to a number fewer than a minimum number of digits in a PIN code. This feature provides additional flexibility in use of hot spots for data entry or entry of menu items.
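The exchange described in the preceding paragraphs (hot spot commands answered by hot spot identifiers rather than coordinates, the PIN entry routine with controller-held hot spots, the hot spot limit, the command authentication parameter, and the per-command touch-event cap) modelled as an added Python example. This is not code from the patent or from any terminal vendor. Everything concrete in it is an assumption made for illustration: the HMAC-SHA256 authentication parameter, a SHA-256 keystream standing in for the security processor's cipher, a 60 px PIN pad grid of ten digits plus ENTER, a limit of 9 unauthenticated hot spots, a cap of 3 events, and a 4-digit minimum PIN.

```python
"""Policy model of a secure touch pad controller (constructed example, not vendor firmware)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class HotSpot:
    hid: str  # identifier reported to the application processor instead of coordinates
    x0: int
    y0: int
    x1: int
    y1: int

    def contains(self, x, y):
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1


def canonical(spots):
    return ";".join(f"{s.hid}:{s.x0},{s.y0},{s.x1},{s.y1}" for s in spots).encode()


def sign_hot_spot_command(cmd_key, spots):
    """Authentication parameter a trusted agent attaches after auditing a routine (assumed HMAC-SHA256)."""
    return hmac.new(cmd_key, canonical(spots), hashlib.sha256).digest()


def pin_pad_layout():
    """Prearranged PIN hot spots held inside the controller: digits 1-9, 0 and ENTER on a 60 px grid."""
    keys = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0", "ENTER"]
    return [HotSpot(k, (i % 3) * 60, (i // 3) * 60, (i % 3) * 60 + 60, (i // 3) * 60 + 60)
            for i, k in enumerate(keys)]


PIN_MIN_DIGITS = 4  # assumed minimum PIN length


class HotSpotCommandError(Exception):
    pass


class TouchPadController:
    """hotspot_limit: reject unauthenticated commands defining more hot spots than this
    (must be below the 11 a PIN pad needs).  event_cap: return at most this many touch
    events per unauthenticated command (fewer than PIN_MIN_DIGITS).  Either may be None."""

    def __init__(self, cmd_key, pin_key, hotspot_limit=None, event_cap=None):
        self._cmd_key = cmd_key  # shared with the trusted agent that audits applications
        self._pin_key = pin_key  # held by the security processor only
        self._limit, self._cap = hotspot_limit, event_cap
        self._spots, self._events_left = [], 0
        self._pin_mode, self._digits = False, ""

    def hot_spot_command(self, spots, auth_tag=None):
        """General data entry: application processor defines the hot spots."""
        authenticated = auth_tag is not None and hmac.compare_digest(
            auth_tag, sign_hot_spot_command(self._cmd_key, spots))
        if not authenticated and self._limit is not None and len(spots) > self._limit:
            raise HotSpotCommandError(f"{len(spots)} hot spots exceeds limit {self._limit}")
        self._spots, self._pin_mode = list(spots), False
        self._events_left = None if (authenticated or self._cap is None) else self._cap

    def pin_entry_command(self):
        """Confidential entry: the controller installs its own prearranged hot spots."""
        self._spots, self._pin_mode, self._digits = pin_pad_layout(), True, ""

    def touch(self, x, y):
        """One touch event -> message for the application processor (never raw coordinates)."""
        spot = next((s for s in self._spots if s.contains(x, y)), None)
        if spot is None:
            return None
        if self._pin_mode:
            if spot.hid == "ENTER":
                if len(self._digits) < PIN_MIN_DIGITS:
                    return ("PIN_ERROR", "too short")
                blob = self._encrypt_pin(self._digits)
                self._digits, self._pin_mode, self._spots = "", False, []
                return ("PIN_BLOCK", blob)
            self._digits += spot.hid
            return ("PIN_KEY", len(self._digits))  # echo that a key was pressed, not which one
        if self._events_left is not None:
            if self._events_left == 0:
                return None  # cap reached: no more events for this command
            self._events_left -= 1
        return ("HOTSPOT", spot.hid)

    def _encrypt_pin(self, digits):
        """Stand-in for the security processor's cipher: keystream = SHA-256(key || nonce).
        A real terminal uses an approved PIN-block cipher; the point is the key stays here."""
        nonce = os.urandom(16)
        ks = hashlib.sha256(self._pin_key + nonce).digest()
        pt = digits.encode().ljust(16, b"\xff")
        return nonce + bytes(a ^ b for a, b in zip(pt, ks))


def decrypt_pin_block(pin_key, blob):
    """Host-side inverse of the stand-in cipher, used only to verify the example."""
    nonce, ct = blob[:16], blob[16:]
    ks = hashlib.sha256(pin_key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, ks)).rstrip(b"\xff").decode()
```

Two controllers illustrate the two alternatives the text offers: one built with hotspot_limit=9 refuses an unauthenticated 11-spot command outright (but accepts it with a valid tag), while one built with event_cap=3 accepts the 11 spots and simply stops reporting after the third touch, so fewer than a minimum-length PIN can ever be collected through the general path. In PIN mode the application processor sees only a key-count echo and the final encrypted block.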
The use of hot spots under the control of the touch pad controller with its associated security chip as an aspect of data entry separate from the data screen content defined by the application processor provides the advantage of secure but flexible data entry via a single data entry resource.
Another variation of the broadest aspect of this invention described above is one in which the touch pad and the display screen are both controlled by an application processor comprising a touch pad controller module for controlling the touch pad and an application program processing module for executing application program commands including commands for displaying functional components on the display screen. The displaying step is carried out by the application program processing module displaying on the display screen a set of functional components.
The hot spot defining step is carried out by the application program processing module sending to the touch pad controller module a hot spot command defining a plurality of touch pad hot spots corresponding in area and location to the set of functional components. The touch event processing step is carried out by the touch pad controller module sensing a touch event on the touch pad corresponding to one of the touch pad hot spots and sending to the application program processing module a touch event message identifying the touch pad hot spot corresponding to the touch event.
By separating the touch pad controller module from the application program processing module, the logical security provided by hot spots for PIN entry and entry of other confidential data is preserved. The subsidiary method features discussed above are retained and that discussion need not be repeated here. Details will be clear from the description of invention embodiments provided below.
This invention also features data entry apparatus which comprises the combination of a display screen device, a touch pad mounted over the display screen device, a touch pad controller coupled to the touch pad; and an application processor coupled to the touch pad controller and to the display screen device. The application processor comprises means for displaying on the display screen a predefined data entry screen having a prearranged set of functional components and means for sending to the touch pad controller a hot spot command defining a plurality of touch pad hot spots corresponding in area and location to the set of functional components. The touch pad controller comprises means for sensing a touch event on the touch pad corresponding to one of the touch pad hot spots, and means for sending to the application processor a touch event message identifying the touch pad hot spot corresponding to the touch event.
The apparatus may further feature a security processor associated with the touch pad controller to enable secure PIN entry by carrying out the PIN entry command feature as discussed above relating to method features. Similarly, additional apparatus features can be employed to carry out other method features previously discussed.
A variation of such a data entry apparatus of this invention comprises the combination of a display screen device; a touch pad mounted over the display screen device; and an application processor coupled to the touch pad and to the display screen device. The application processor comprises separate application program processing module and touch pad controller module. The application program processing module includes means for displaying on the display screen a predefined data entry screen having a prearranged set of functional components; and means for sending to the touch pad controller module a hot spot command defining a plurality of touch pad hot spots corresponding in area and location to the set of functional components. The touch pad controller module includes means for sensing a touch event on the touch pad corresponding to one of the touch pad hot spots; and means for sending to the application processor a touch event message identifying the touch pad hot spot corresponding to the touch event.
In this variation, the functions of touch pad control and related security are carried out in the separate touch pad controller module of the application processor to achieve somewhat the same degree of logical security via the use of hot spots. Similar methodology of PIN entry and the limiting of defined hot spots by other application program commands may be carried out in this apparatus environment.
The use of defined hot spots according to this invention and the limitation on defined hot spots (except for authenticated commands, as will be discussed below) provides for effective filtering of touch pad accesses in high, medium and light security environments. Use of this invention in programmable terminals provides assurance that security will not be compromised by allowing applications with unknown features to be loaded into the terminal.