This application claims priority under 35 U.S.C. xc2xa7xc2xa7119 and/or 365 to 9903036-3 filed in Sweden on Aug. 27, 1999; the entire content of which is hereby incorporated by reference.
The invention is directed to devices capable of communicating over a communication network and that can also effect remote secure transactions, such as electronic payment and the like. Such devices include mobile phones PCs, terminals laptop computers, personal data assistants and electronic organisers.
The use of open platforms such as PCs and terminals both fixed and mobile for communicating over public networks or the Internet and for executing secure transactions is becoming increasingly widespread with the expansion of internet commerce and the possibilities provided by electronic cash transactions and smart cards. For example, WO 96/25828 suggests a method for using a mobile phone for effecting financial transactions such as payments by providing financial applications on a smart card that can be inserted into the mobile phone. The application has two modes of operation; a first mode in which it is passive, and therefore receives instructions from the master controller of the mobile phone or other controlling applications, and a second mode in which it controls the operation of the mobile phone. This includes controlling the operation of a keypad and a display or status indicator of the phone.
While in the past mobile phones have been relatively safe from infiltration by malicious programs such as viruses, with the evolution of protocols such as wireless application protocol (WAP) and GPRS that enable a mobile phone user easy access to computer networks such as the internet, the security of data held and processed within a mobile phone can no longer be assured. In particular, there is a danger that data may be corrupted within the mobile phone or other device. This means that the user cannot be sure that the data he commits to when he confirms information on a screen, is indeed the data that is transmitted to the remote party. There is also a danger that confidential information such as financial data, keys, passwords or PIN-codes entered on the keypad or keyboard could be collected over the network. The same is true for any open platform such as a PC, terminal, laptop or electronic personal assistant that is connected to a network and open to malicious programs such as viruses and the like.
In view of this prior art, it is an object of the present invention to provide an arrangement that ensures an increased level of security for devices that interfaced with a communication network to enable the safe execution of sensitive transactions.
The invention resides in an arrangement for effecting secure transactions incorporated in a device having an interface to at least one communications network. The device has at least two modes of operation, and includes a controller that controls the device in a first mode of operation and a display which is coupled to the control means in the first mode of operation. The device further includes a secure part for controlling the device in a second, or secure mode of operation. This secure part has a secure memory, or memory area, for storing secure data. This memory is directly coupled to the display in the second or secure mode of operation. Preferably, the device also includes a keypad, keyboard or other input device, which is similarly coupled to the secure memory by a direct connection in the second mode of operation. The arrangement further includes a module for generating and storing secure data, such as keys, certificates and digital signatures, as well as encrypting and decrypting data and verifying signatures. This module is coupled to the secure memory. At least part of the secure part may be mounted on a carrier, such as a smart card.
In accordance with a further aspect, the invention resides in such a self-contained secure part arrangement that may be integrated on a carrier.
By providing a hardwired connection between the display and the secure memory and possibly also between the keyboard and secure memory, with both connections being utilised in the secure mode only, the user can be certain that data displayed on the screen of the device and input into the keypad is the data that will be processed and transmitted to a remote party. In particular, the user can be certain that data relating to a financial or other sensitive transaction shown on the display is indeed the data that he is committing himself to when he signs this off. Data is exchanged using the direct pathway between the display and the secure memory. Malicious programs, such as viruses, which may reach and corrupt the memory of the mobile phone when in its normal operating mode, for example using WAP or GPRS, will not be able to gain access to the secure memory. Thus information displayed on the display prior to its signing off by the cryptographic module cannot be tampered with.
Furthermore, by separating the two modes of operation, it is ensured that data contained in the secure memory cannot be accessed when the device is in the normal mode of operation. This ensures that data remaining in memory after termination of, for example, a financial transaction is safe.