The usage of mobile devices, including both mobile phones and tablet computers, for network communications as well as for the storage and processing of personal information is rapidly growing. Cryptography forms the basis for securing users' sensitive information as it is transmitted between or stored on such devices.
Currently, there are two broad approaches to securing user information on such devices. Conventionally, Hardware Security Modules (HSMs) that provide for secure, tamper-proof containers for cryptographic processing perform these operations in hardware, isolated from software applications. The first documented HSM was described in U.S. Pat. No. 4,168,396, Sep. 18, 1979, and was designed for copy protection of personal computer software. This concept was later extended to a hardware module providing data security (U.S. Pat. No. 4,352,952, Mar. 3, 1980). Examples of present HSMs include “smart cards” built into both contact cards (ISO/IEC 7810 and 7816 standards) as well as contactless cards (ISO/IEC 14443 standard).
In mobile phones and other computing devices, such HSMs are typically not present or not accessible to software applications, and cryptography is performed within the host operating system, isolated using operating system mechanisms. However, an attacker or hacker who has gained access to the operating system has many techniques available to overcome these mechanisms, and therefore gain access to the user's information.
Virtual machines have been used as a means to separate execution between a host computing device and a guest operating system within the virtual machine. This has been used for security in order to enforce security policies (US Patent 2005/0257243, Dec. 29, 2005), to prevent a compromised guest operating system from being able to affect the host (U.S. Pat. No. 7,409,719, Dec. 21, 2004), and to allow only trusted media player applications to access encrypted media on DVDs (U.S. Pat. No. 7,516,331, Nov. 26, 2003). However, none of these approaches attempts to protect the information within the virtual machine when it is executed on an open software platform such as a mobile phone or desktop operating system.
Based on the above and foregoing, it can be appreciated that there is a need for a cryptosystem having methodology for securing software cryptography from an unauthorised observer or attacker who has gained access to the operating system of a computing device, particularly when the computing device does not have the means to secure cryptographic information in a separate Hardware Security Module. The present invention fulfils this and other needs in the art.