(19)
(11)EP 2 363 824 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
11.12.2019 Bulletin 2019/50

(21)Application number: 11305148.6

(22)Date of filing:  11.02.2011
(51)International Patent Classification (IPC): 
G06F 21/60(2013.01)
G06F 21/84(2013.01)
G06Q 30/06(2012.01)
G06F 21/83(2013.01)
G07F 17/42(2006.01)
G06Q 20/18(2012.01)

(54)

TRUSTED DISPLAY BASED ON DISPLAY DEVICE EMULATION.

VERTRAULICHE ANZEIGE BASIEREND AUF DER EMULATION DER ANZEIGEVORRICHTUNG

AFFICHAGE SÉCURISÉ BASÉ SUR UNE ÉMULATION DE DISPOSITIF D'AFFICHAGE


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 12.02.2010 US 337937 P
29.04.2010 US 799749

(43)Date of publication of application:
07.09.2011 Bulletin 2011/36

(73)Proprietor: Maxim Integrated Products, Inc.
San Jose, CA 95134 (US)

(72)Inventors:
  • Nativel J. Dany
    83270 Saint-Cyr sur Mer (FR)
  • Tremlet, J. Christophe
    13400 Aubagne (FR)

(74)Representative: Bergmeier, Werner et al
Canzler & Bergmeier Patentanwälte Partnerschaft mbB Friedrich-Ebert-Straße 84
85055 Ingolstadt
85055 Ingolstadt (DE)


(56)References cited: : 
EP-A1- 1 460 593
WO-A1-2006/034713
US-A1- 2010 020 971
EP-A2- 1 788 507
US-A1- 2009 254 986
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description


    [0001] The present disclosure relates to controlling access to a display.

    [0002] Several different types of electronic devices are usable to receive financial information and to engage in a financial transaction. Examples include Automatic Teller Machines (ATM), a Point-of-Sale (POS) terminals, unattended vending machines and ticket machines. A POS terminal, for example, is an electronic device used for processing sales transactions at a location of sale. A POS terminal typically has a mechanism for electronically reading in financial payment information (for example, a magnetic stripe reader or a smart card reader), a display, a keypad or touchscreen or other mechanism for receiving manually entered information from the user, and a communication mechanism for communicating electronically in a secure fashion with a remote financial institution. In one situation, a customer who wants to make a purchase swipes a credit card or debit card through the magnetic stripe reader on a POS terminal or inserts a smart card into a smart card reader slot on a POS terminal. The POS terminal is located at the point of sale such as in a retail establishment. The POS terminal combines the entered credit card or debit card information or smart card information with information on the amount of the transaction, and this information is sent in encrypted form from the POS terminal to a financial institution. The customer may authorize the transaction by signing a signature capture device or by providing a fingerprint or personal identification number. How the transaction takes place differs depending on the type of transaction, but in all cases sensitive financial information is entered into the POS terminal. This sensitive information in the POS terminal, if it were to fall into the wrong hands, could be used in unauthorized ways such as to steal money and/or merchandise. Great care is therefore expended in designing a POS terminal to ensure that the POS terminal cannot be used for illicit purposes and that the sensitive financial information and encryption keys stored in the POS terminal cannot be extracted by thieves.

    [0003] One way that a POS terminal can be used to steal financial information is to load rogue software into the POS terminal. This software may be present without the merchant or customer knowing of its existence. In one attack, the rogue software causes an instruction to be displayed on the screen of the POS terminal prompting a customer to enter the customer's personal identification number (PIN). If the customer complies, then the rogue software receives the PIN from the keypad interface. The customer may not realize that the PIN has been stolen, and in some attacks the customer is able to conclude the intended transaction. Information presented to the user on the screen during the time the POS terminal is processing a transaction must therefore be trusted or must come from a trusted source. WO2006/034713 A1 and EP 1 460 593 A1 disclose prior art methods for protecting POS terminals against faulty or fraudulent software. In particular EP 1460593 discloses that to secure the POS terminal, input by a keyboard may be blocked while messages are displayed on the display and that, conversely, output to the display may be blocked when input by the keyboard is allowed.

    [0004] Complicating this issue is the fact that displays on POS terminals are an increasingly valuable resource. Larger and larger displays are being used. Color Liquid Crystal Displays (LCDs) capable of displaying video are sometimes used. Accordingly, it may be desired to use this large color display for uses other than just the secure POS terminal financial transaction application. In one example, a display is usable in combination with a POS terminal to carry out financial sales transactions as described above. At other times, however, the same display is usable as part of a cash register. When being used as part of the cash register, the display is used to display a price or other transaction information to a customer. Alternatively, or in addition, advertising information may be displayed on the display. It is therefore desired that a third party (for example, an advertiser or the merchant) be allowed to display information on the display of the terminal without the display of that information causing a security risk.

    [0005] Two architectures may be employed to realize a POS terminal that can display third party images and messages on a display: 1) a one-chip architecture, and 2) a two-chip architecture.

    [0006] Figure 1 (Prior Art) is a diagram that illustrates the one-chip architecture. A single microcontroller 1 handles both security functions (such as encryption key storage, PIN management, display control, keypad management) and also handles network communication and non-critical functions, such as printer management. The integrated circuit receives information via communication interface 2 from another source such as from an advertiser or a cash register functionality. The integrated circuit checks every image or frame of the incoming information to confirm authenticity, and only if an image or frame is authenticated does the integrated circuit output it via display control functionality 3 to the display 4. The semiconductor fabrication processes required to realize such a secure microcontroller are generally compatible with making security circuitry and FLASH memory, but these semiconductor processes are generally not compatible with making state-of-the-art high performance Central Processing Units (CPU), high-performance video decoders, or high-performance authentication circuitry. Accordingly, if the one-chip architecture is used in a low-cost application, then the microcontroller (that needs to handle security functions) does not generally have enough performance to decode and decompress, authenticate, and display high resolution video at a high frame rate.

    [0007] Figure 2 (Prior Art) is a diagram that illustrates the two-chip architecture. This approach splits the terminal into two portions: a non-secure portion and a secure portion. The non-secure portion is realized using an often expensive, complex, mass-produced, high-performance, general purpose microcontroller 4. Microcontroller 4 can be realized using semiconductor fabrication processes that lend themselves to making high performance Central Processing Units (CPU), high-performance video decoders, and high-performance authentication circuitry. The video could be authenticated statically, but this is too demanding even for the most powerful processors. This microcontroller is used to handle all non-security related functions such as network management, battery charging and monitoring, dialup modem control, printer management. The two-chip architecture allows the POS terminal manufacturer to select from among many general purpose microcontrollers available on the market. The choice of the non-secure microcontroller can be tailored depending on the targeted market and overall networking capabilities. The processing capability of the secure microcontroller does not need to scale with the complexity of the POS/ATM whereas the processing capability of the general purpose microcontroller does.

    [0008] The secure portion of the two-chip architecture is realized using a relatively low-cost, smaller, and lower-volume microcontroller integrated circuit 5. Security functions include secure key storage, keypad management, LCD control, smart card control, and magnetic stripe reader circuitry. This low-cost microcontroller is realized using a semiconductor fabrication process more suitable for realizing security circuitry and FLASH memory.

    [0009] Unfortunately, a decoded video stream that is decoded on the non-secure general purpose microcontroller 4 still passes through the secure microcontroller 5 on its way to the display. The secure microcontroller 5 should verify each image or frame before it is forwarded on to the display 6 via a display controller 7. This authentication also can take considerable processing power, especially in the situation of high resolution video. For performance reasons, the checking of each image or frame of decoded video on a low-cost implementation of the two-chip architecture is generally not possible.

    [0010] In a first aspect, the invention provides a method according to Claim 1 and an apparatus, e.g., an integrated circuit, according to claim 9.

    [0011] A secure integrated circuit has a keypress entry interface and a pass-through data path.

    [0012] In a first mode, the keypress entry interface is disabled and the pass-through data path is enabled such that untrusted information (for example, video) from an external untrusted source can be driven into the secure integrated circuit, through the pass-through data path, and out of the secure integrated circuit and to a display. The untrusted source can essentially drive the display through the secure integrated circuit. The input of the pass-through data path appears from the outside of the secure integrated circuit as the display. In this sense, the input of the pass-though data path of the secure integrated circuit emulates the input of the display. In this first mode, the keypress entry interface of the integrated circuit is disabled and cannot be used to receive keypress information. The keypress entry interface cannot, for example, be used to receive a PIN number entered by a user of a POS terminal that includes the integrated circuit and the display.

    [0013] In a second mode, the keypress entry interface is enabled and is usable to receive keypress information onto the secure integrated circuit from a keypad. The pass-though data path is, however, disabled in that information cannot pass from the unauthorized source, through the pass-though data path, and to the display. In one example, previously loaded images for use in a financial transaction are stored in the secure integrated circuit along with corresponding digital cryptographic signatures. Encryption keys are stored in a secure fashion in non-volatile memory within the secure integrated circuit. In the second mode, the encryption keys are used to verify the digital signature of each image. A display controller within the integrated circuit then drives the display such that the verified and authenticated images are displayed on the display. These verified images may, for example, prompt a user through various steps of carrying out a financial transaction. The same output interface of the secure integrated circuit is used to drive the display regardless of whether the information is untrusted information being displayed in the first mode or whether the information is verified and authenticated images being displayed in the second mode. In addition to such images being authenticated and output in the second mode, the second integrated circuit may also generate additional images locally and output those images without the locally-generated images being authenticated using any digital signature.

    [0014] Means, e.g., a control circuit, are provided to disable the keypad entry interface and enable the data path in the first mode, and enable the keypad entry interface and disable the data path in the second mode.

    [0015] In a POS terminal application, the secure integrated circuit can be used in the second mode to receive a PIN number from a user via the keypad interface. During this time, unauthorized prompts from an unauthorized source cannot be driven through the pass-through data path of the integrated circuit and to the display because the pass-through data path is disabled. On the other hand, when the POS terminal is not being used to carry out a financial transaction, then the secure integrated circuit operates in the first mode such that the display is freely usable to display untrusted information. In situations where the display is a high resolution color display with a touchscreen capability located in a well-trafficked area, the display may be a valuable resource for advertising or other uses. Better use of the provided resource of the display is afforded. In a two-chip POS terminal architecture, a general purpose microcontroller having a relatively powerful video decoding capability can decode video and then drive the video through the pass-through data path of the secure integrated circuit to the display. Video can be displayed on the display without the secure integrated circuit having to include video decoding capabilities. The architecture of the secure integrated circuit is flexible in that the same secure integrated circuit design is usable in both low-cost POS terminal applications where video is not to be displayed on the display as well as in higher-cost POS terminal applications where video is to be displayed of the display.

    [0016] The mechanism and method involving the first mode (the pass-through mode) and the second mode (the trusted mode) are not limited to use in POS terminals but rather have general applicability and can be used to control the data path to any display. The trusted mode need not involve a financial transaction.

    [0017] Further details and embodiments and techniques are described in the detailed description below. This summary does not purport to define the invention. The invention is defined by the claims.

    [0018] The accompanying drawings, where like numerals indicate like components, illustrate exemplary embodiments of the invention.

    Figure 1 (Prior Art) is a block diagram of a one-chip POS terminal architecture.

    Figure 2 (Prior Art) is a block diagram of a two-chip POS terminal architecture.

    Figure 3 is a view of the front of a POS terminal in accordance with one novel aspect.

    Figure 4 is a block diagram of the POS terminal of Figure 3.

    Figure 5 is a simplified diagram that illustrates how images and corresponding digital signatures are loaded into the POS terminal of Figure 4.

    Figure 6 is a simplified diagram that illustrates the operation of the POS terminal in the pass-through mode.

    Figure 7 is a diagram of the configurable a display input interface of a pass-through data path of the second integrated circuit of the POS terminal.

    Figure 8 is a simplified diagram that illustrates operation of the POS terminal in the trusted mode.

    Figure 9 is a flowchart that illustrates a method of operating the POS terminal.



    [0019] Reference will now be made in detail to background examples and some embodiments of the invention, examples of which are illustrated in the accompanying drawings.

    [0020] Figure 3 is a diagram of a POS terminal 50. In the case of Figure 3, POS terminal 50 is, or is part of, an unattended train station kiosk that a person can use to plan a train trip and to purchase train tickets. POS terminal 50 includes a touchscreen color TFT (Thin Film Transistor) display 51, a magnetic stripe reader and smart card reader 52, a mechanical numerical keypad 53, and a printer 55. In one use scenario, the person views video and/or still images on the display 51 and thereby obtains schedules and prices, and learns about offerings available on the train and elsewhere, and plans a train route. The user interacts with the POS terminal using the touchscreen of display 51 so that information of interest is presented to the user. The user generally concludes this interactive viewing session by selecting a ticket to be purchased. The user then pays for the ticket using the POS terminal. In one example, the user swipes a credit card or debit card through reader 52, or enters a smart card into reader 52. Reader 52 contains electronics for reading both magnetic strip cards as well as smart cards. The user is prompted through the financial transaction process by prompts displayed on display 51. In particular, a prompt is displayed that instructs the user to enter a PIN or to otherwise to verify the upcoming transaction. In response, the user enters a Personal Identification Number (PIN) via secure keypad 53. Although there is a touchscreen, the only way to enter the PIN is through the secure keypad 53.

    [0021] There are several different ways the financial transaction can be conducted, but in each case sensitive financial information is entered into the POS terminal. The POS terminal then typically communicates by a secure network communication with a financial institution to complete the transaction. Encryption keys stored on the POS terminal are used to encrypt and decrypt these network transactions so that the network communications are secure. The network communications typically occur via a hardwired network connection indicated in Figure 4 by reference numeral 56. As explained in the background section above, the sensitive financial information entered into the POS terminal and the encryption keys stored on the POS terminal cannot be allowed to fall into the hands of thieves. Once the financial transaction is concluded, POS terminal 50 typically prints a ticket for the person using printer 55. POS terminal 50 may also print a receipt or provide other printed materials to the person.

    [0022] Figure 4 is a more detailed diagram of POS terminal 50. In addition to keypad 53, display 51, magnetic stripe/smart card reader 52, and printer 55 described above, the POS terminal 50 includes a first integrated circuit 57 and a second integrated circuit 58 and anti-tamper switches and anti-tamper meshes 74. First integrated circuit 57 includes a network communication interface 59, a memory controller 60, a Central Processing Unit (CPU) 61, a display controller 62, a video decoder 63, a Universal Serial Bus (USB) bus interface 64, a Serial Peripheral Interface (SPI) bus interface 65, and a printer interface 66. Network communications are communicated into and out of integrated circuit 57 via a physical layer circuitry 67, and communication interface 59. Memory controller 60 reads from, and writes to, external memory integrated circuit 68. First integrated circuit in this particular example is a general purpose, relatively-complex, mass-produced, microcontroller that has substantial processing power.

    [0023] Second integrated circuit 58, in comparison, is a relatively small, special-purpose, microcontroller that has substantial anti-tamper capabilities and features. Second integrated circuit 58 has processing capabilities, but these are not as substantial as the processing capabilities of the first integrated circuit 57.

    [0024] Second integrated circuit 58 includes, among other parts not illustrated, a CPU subsystem 69, a USB bus interface 70, an SPI bus interface 71, a keypress information entry mechanism, e.g. a keypress entry interface 72, a pass-through data path 73, a secure Static Random Access Memory (SRAM) 75, a secure Non-Volatile SRAM (NVSRAM) 76, external anti-tamper sensor control circuitry 77, environmental sensors 78, a cryptographic circuit block 79, a secure Real Time Clock (RTC) 80, a hardware True Random Number Generator (TRNG) 81, a smart card controller 82, and a magnetic stripe reader control circuit 83. Secure SRAM is used to store credit card numbers, bank account information, and PIN numbers and other sensitive financial information entered in the POS terminal during a financial transaction. Secure NVSRAM is used to store encryption keys usable to engage in secure network communications (for example, with a bank or other financial institution). The first and second integrated circuits 57 and 58 intercommunicate with one another via USB bus 84 and USB interfaces 64 and 70. Second integrated circuit 58 receives information to be displayed on display 51 from the first integrated circuit 57 via LCD bus 93.

    [0025] Keypress interface 72 is the mechanism by which user keypress information can be entered into second integrated circuit 58 in a financial transaction. Keypress interface 72 includes a keyboard interface 85, a keypad interface 86, and a touchscreen interface 87. In the illustrated example, display 51 is a touchscreen display. The touchscreen interface 87 is therefore coupled to touchscreen terminals on the display 51 via connections 88 so that touchscreen interface 87 can drive signals out to the touchscreen portion of the display and can read information back from the touchscreen portion of the display. The keypad interface 86 is connected to keypad 53 by connections 89. Keypad interface may, for example, perform a special form of secure randomized keyscanning whereby keypad interface 86 detects when a key on keypad 53 is pressed and detects which particular key it was that was pressed. In the event information is to be entered via a remote keyboard, then keyboard interface 85 is connected to that remote keyboard. The keyboard interface 85 may, for example, communicate with such an external keyboard by a standard serial bus protocol used to connect keyboards to personal computers. Each of the interfaces 85, 86 and 87 is configurable under software control so that it can be made to interface to a selected one several external devices and protocols.

    [0026] POS terminal 50 is operable in one of two modes. In the first mode, the keypress entry interface 72 is disabled such that key press information from keypad 53 cannot be read back into second integrated circuit 58. The pass-though data path 73 causes a data path to extend from input terminals 90 of pass-through data path 73, through the pass-through data path 73, and to output terminals 91 of the pass-through data path 73. In this mode, display controller 62 of first integrated circuit 57 drives terminals 90 in the same way as if it were driving terminals 92 of display 51. The interface that display controller 62 sees looking into second integrated circuit 58 looks the same as the interface looking into display 51. The input interface involving terminals 90 of the pass-through data path 73 is said to emulate the input interface of display 51. Signals that display controller 62 drives via LCD bus 93 onto the input terminals 90 of pass-through data path 73 pass through the pass-through data path 73 substantially unchanged (they are buffered) and exit out the output of pass-through data path 73 via output terminals 91, and are conducted via LCD bus 94 to the input interface of display 51. In this first mode, a device (for example, display controller 62) can control display 51 through second integrated circuit 58, but during this time the keypress entry interface 72 (including the keypad interface 86) is disabled such that keypress information cannot be entered into the second integrated circuit 58. If rogue software were somehow to cause a prompt to be displayed to the user to enter a PIN, for example, it would be impossible for use to enter the PIN because the keypress entry interface 72 would be disabled. The circuitry is hardwired such that if pass-though data path 73 is enabled, then the keypress entry interface 72 is disabled.

    [0027] In the second mode, keypress entry interface 72 is enabled but the pass-through data path 73 is disabled in the sense that information received onto input terminals 90 cannot pass through the data path 73 to the output terminals 91 and to display 51. In this mode, keypress information from keypad 53 can be entered into second integrated circuit 58 via keypad interface 86, but in this mode the information driven onto output terminals 91 for presentation to display 51 is controlled by, and is verified and authenticated by, second integrated circuit 58 as will be explained in further detail below. At a time when a user may successfully enter a PIN due to keypad interface 86 being enabled it is impossible for a source of unauthorized video or graphics to drive display 51 and to cause a false prompt to be displayed to the user.

    [0028] Figure 5 is a simplified diagram of an initialization step in operation of POS terminal 50 of Figure 4. Many of the components and connections of Figure 4 are not shown in Figure 5 in order to facilitate showing more detail regarding the pass-through data path in Figure 5. Information to be displayed on display 51 in the second mode is loaded into secure SRAM 75. This information can be video, still images, bitmaps, icons, and/or other graphic or textual information, in either compressed or uncompressed form. In the illustrated example, the information involves a set of bitmap images, and for each image a digital signature is also loaded. Arrow 96 illustrates this loading. The images and corresponding digital signatures are loaded from first integrated circuit 57, via USB bus 84, via USB bus interface 70, via a security supervisor portion 95 of CPU subsystem 69, and to secure SRAM 75. During this time, security supervisor 95 disables the keypress entry interface 72 (including the keypad interface 86) by a DISABLE signal on conductor 97. The disabling of the keypad interface 86 is indicated by the cross symbol 107 in Figure 5. The DISABLE signal on conductor 97 also disables a display controller 98 of the pass-through data path 73. The DISABLE signal on conductor 97 also selects multiplexer 99 such that information from LCD bus 93 can pass through display information input interface 100, across conductors 101, through multiplexer 99, through display information output interface 102, and across LCD bus 94, to display 51.

    [0029] Figure 6 is a diagram of operation in the first mode (the pass-through mode). Security supervisor 95 asserts the DISABLE signal on conductor 97 such that keypad interface 86 is disabled, such that display controller 98 is disabled, and such that the pass-though data path 73 is enabled. The display information input interface 100, the internal LCD bus 101, the multiplexer 99, the display controller 98, as well as other circuitry not illustrated, are parts of the pass-through data path 73. In this first mode, the display controller 62 in first integrated circuit 57 can drive untrusted information to display 51 through the enabled pass-through data path 73 of second integrated circuit 58. The untrusted information passes across LCD bus 93, through input terminals 90, through display information input interface 100, across conductors 101, through multiplexer 99, through display information output interface 102, through output terminals 91, and across LCD bus 94, to display 51. Untrusted video or images or other information can be displayed on display 51 by first integrated circuit 57, but during this time a user cannot enter a PIN number into the POS terminal because keypad interface 86 of the second integrated circuit 58 is disabled.

    [0030] Figure 7 is a more detailed diagram that shows the input terminals 90 of the display information input interface 100 of the pass-through data path 73. In this example, the display 51 has an input interface involving eight terminals for receiving an 8-bit red pixel value, eight terminals for receiving an 8-bit green pixel value, eight terminals for receiving an 8-bit blue pixel value, and terminals for receiving clock and control signals. Accordingly, the display information input interface 100 is configured by configuration information 103 so that display information input interface mimics the input interface of the display. There is a one-to-one correspondence in structure and function between the various terminals 90 of the display input interface 100 and various terminals of the input interface of display 51. Display information input interface 100 is configurable, under control of software executing on CPU subsystem 69, so that display information input interface 100 can be made to emulate a selected one of a plurality of different display input interfaces.

    [0031] Figure 8 is a diagram of operation in the second mode (the trusted mode). Security supervisor 95 disables the pass-through data path 73 such that information cannot pass from the input terminals 90 of display information input interface 100, through second integrated circuit 58, out of display information output interface 102, and to display 51. Security supervisor 95 uses an encryption key stored in secure NVSRAM 76 to check an image with its corresponding digital signature. If the digital signature is correct, then display controller 98 reads the image, and drives the LCD 51 via multiplexer 99, display information interface 102, and LCD bus 94. In this way, display controller 98 can cause verified images to be displayed on display 51, but untrusted information from display information input interface 100 is prevented from passing through the pass-through data path 73. In the second mode, security supervisor 95 via conductor 97 also enables keypress entry interface 72 (including keypad interface 86) such that user keypress information from keypad 53 can be entered into second integrated circuit 58. Whereas the first mode is used when untrusted information such as video and images on train routes and schedules and advertisements are driven through the second integrated circuit and to display 51 in the first mode, the second mode is used when a financial transaction is to be performed. In the second mode (trusted mode), additional locally-generated images and information that might be generated on the second integrated circuit 58 can also be output onto output terminals 91 without these additional locally-generated images and information being authenticated (for example, be using a digital signature) prior to their being output.

    [0032] Figure 9 is a flowchart of a method 200 of operating POS terminal 50. Initially, the keypad interface is disabled and the second integrated circuit is made to operate (step 201) in the first mode (the pass-through mode). In one example, streaming video may be received via network interface 59 and may be stored in a video file portion 104. The video then read out is decompressed and decoded by MPEG4 video decoder 63, and the resulting frames are stored in frame buffer 105. The frames are then read out of frame buffer 105 one by one and are supplied to display controller 62. Display controller 62 causes the images to be displayed by driving signals onto the input terminals 90 of the second integrated circuit 58 as if display controller 62 were driving display 51 directly. Due to the pass-through mode operation, the information passes through the second integrated circuit 58, and is supplied onto the input interface of display 51. In this way, video or other information from a network can be streamed into, or be otherwise be loaded into, the POS terminal 50 and can be displayed on display 51. A video decoder of a relatively powerful, general purpose microcontroller is used to drive the display. The images displayed are said to be untrusted because they are not verified by the second integrated circuit 58. The keypad is disabled during the time display 51 is open to display untrusted content.

    [0033] Second integrated circuit 58 remains in this mode until the second integrated circuit receives a request to start a secure transaction. The request is received from first integrated circuit 57 via USB bus 84. The request is interpreted by a command interpreter portion of the CPU subsystem 89. When the second integrated circuit 58 determines that such a command has been received, then the second integrated circuit starts operating in the second mode (the trusted mode) in step 203. An image and its corresponding digital signature is retrieved (step 204) from memory 75. Encryption keys stored in secure NVSRAM are used to check the digital signature. If the signature is not verified, then a security policy is applied (for example, an alarm is sounded) and a negative acknowledge (NAK) is returned (step 206) to the first integrated circuit 57 via USB bus 84. If the digital signature is verified (step 205), then display controller 98 drives the input interface of display 51 via multiplexer 99, display information output interface 102, and LCD bus 94 so that the signed image is displayed (step 207). The keypad interface 86 is enabled (step 207). In this mode, various verified images may be displayed, and the financial transaction is carried out. When the financial transaction is concluded, then secure supervisor 95 sends an acknowledgment (ACK) back to the first integrated circuit 57 via USB bus 84 (step 208). The keypad interface 86 is disabled (step 209). If a second request for a secure transaction is received via USB bus 84 (step 210), then processing returns to step 204. The second integrated circuit 58 continues to operate in the trusted mode. If, however, there is no new request for a secure transaction (step 210), then processing returns to step 201. The keypad interface is disabled and the second integrated circuit is made to operate in the pass-through mode so display 51 can again be used to display untrusted content.

    [0034] Although certain specific embodiments are described above for instructional purposes, the teachings of this patent document have general applicability and are not limited to the specific embodiments described above. A POS terminal application is described above, but the mechanism and method involving a pass-through mode and a trusted mode are not limited to use in POS terminals but rather have general applicability and can be used in the data path to any display. The trusted mode need not involve a financial transaction. The mechanism and trusted mode can restrict access to a display for other purposes in other non-financial transaction applications in a wide variety of electronic consumer devices. Accordingly, various modifications, adaptations, and combinations of various features of the described embodiments can be practiced without departing from the scope of the invention as set forth in the claims.


    Claims

    1. A method comprising:

    (a) in a first mode disabling (201) a keypress entry interface (72) of an integrated circuit (58) and enabling a data path (73), wherein the data path (73) extends from a display information input interface (100) of the integrated circuit (58) and passes through the integrated circuit (58) and to a display information output interface (102) of the integrated circuit (58), such that the keypress entry interface (72) of the integrated circuit (58) cannot be used to receive keypress information when untrusted information from an external source is driven into the secure integrated circuit (58), through the data path, and out of the secure integrated circuit (58) and to a display (51); and

    (b) in a second mode disabling the data path and enabling (207) the keypress entry interface (72), which is then usable to receive keypress information onto the secure integrated circuit (58) from a keypad (53), wherein the data path (73) is disabled in that information received onto the display information input interface (100) cannot pass from an unauthorized source, through the data path, to the display information output interface (102),

    characterized in that in the second mode, additional locally-generated images and information generated on the integrated circuit (58) are enabled to be output to the display information output interface (102), and wherein the first and second modes are two modes of operation of the integrated circuit (58).
     
    2. The method of claim 1, wherein the data path is adapted to communicate information from the display information input interface (100) to the display information output interface (102), and wherein the information is taken from the group consisting of: a bitmap image, video information, textual information, compressed image information, and compressed video information.
     
    3. The method of any one of claims 1 to 2, wherein the locally-generated images and information is output onto the display information output interface (102) in the second mode without using any digital signature to authenticate the image.
     
    4. The method of any one of claims 1 to 3, further comprising:
    (c) receiving an image and an associated digital signature (204) onto the integrated circuit (58), and wherein in the second mode in (b) the image is authenticated (205) by the integrated circuit (58) using the digital signature and the authenticated image is output (207) onto the display information output interface (102).
     
    5. The method of claim 4, wherein the integrated circuit (58) generates a second image locally and outputs the second image onto the display information output interface (102) in the second mode without using any digital signature to authenticate the second image.
     
    6. The method of any one of claims 1 to 5, further comprising:
    (c) receiving a command onto the integrated circuit (58), wherein the command causes the integrated circuit (58) to switch from operating in the first mode to operating in the second mode.
     
    7. The method of any one of claims 1 to 6, further comprising:
    (c) in the second mode using the display information output interface (102) to communicate information to a display (51) such that the information is displayed on the display (51), wherein the information displayed prompts a user to enter key press information into a keypress capture device, and receiving the key press information from the keypress capture device onto the keypress entry interface (72).
     
    8. The method of any one of claims 1 to 7, further comprising: (c) receiving financial information onto the integrated circuit (58), wherein the financial information is taken from the group consisting of: a credit card number, a bank account number, a personal identification number, a transaction amount, an encryption key, fingerprint information.
     
    9. An integrated circuit (58) comprising:

    a keypress information entry interface (72);

    a display information input interface (100);

    a display information output interface (102); and

    means (95) for, in a first mode, disabling the keypress information entry interface (72) and for causing a data path (73) to extend from the display information input interface (100), through the apparatus, and to the display information output interface (102), such that the keypress entry interface of the integrated circuit (58) cannot be used to receive keypress information when untrusted information from an external source is driven into the secure integrated circuit (58), through the data path (73), and out of the secure integrated circuit (58) and to a display (51), and for, in a second mode, disabling the data path (73) and for enabling the keypress information entry interface (72), which is then usable to receive keypress information onto the secure integrated circuit (58) from a keypad (53), wherein the data path (73) is disabled in that information received onto the display information input interface (100) cannot pass from an unauthorized source, through the data path to the display information output interface (102) characterized in that in the second mode, additional locally-generated images and information generated on the integrated circuit (58) are enabled to be output to the display information output interface (102).


     
    10. The integrated circuit of claim 9, further comprising:

    a memory (75) that stores an image, wherein the means is also for, in the second mode, reading the image out of the memory (75) and

    authenticating the image and outputting the image from the display information output interface (102).


     
    11. The integrated circuit of any one of claims 9 to 10, wherein the display information input interface (100) is configurable to emulate a selectable one of a plurality of display input interfaces.
     
    12. The integrated circuit of any one of claims 9 to 11, wherein the display information input interface (100) includes a first group of terminals for receiving red pixel information, a second group of terminals for receiving green pixel information, and a third group of terminals for receiving blue pixel information.
     
    13. The integrated circuit of any one of claims 9 to 12, wherein the keypress information entry interface (72) is taken from the group consisting of: a keypad interface (86), a keyboard interface (85), and a touchscreen interface (87).
     
    14. The integrated circuit of any one of claims 9 to 13, wherein the display information output interface (102) is coupled to an input interface of a display (51), wherein the display information input interface (100) is substantially functionally identical to the input interface of the display.
     
    15. The integrated circuit of any one of claims 9 to 14, wherein the keypress information entry interface (72) can be disabled during a portion of time that the apparatus is operating in the second mode, but wherein the keypress information entry interface (72) cannot be enabled during any portion of time that the apparatus is operating in the first mode.
     


    Ansprüche

    1. Verfahren, umfassend:

    (a) in einem ersten Modus ein Deaktivieren (201) einer Tastendruck-Eingabeschnittstelle (72) einer integrierten Schaltung (58) und ein Aktivieren eines Datenpfades (73), wobei der Datenpfad (73) von einer Anzeigeinformations-Eingabeschnittstelle (100) der integrierten Schaltung (58) ausgeht und durch die integrierte Schaltung (58) und zu einer Anzeigeinformations-Ausgabeschnittstelle (102) der integrierten Schaltung (58) verläuft, sodass die Tastendruck-Eingabeschnittstelle (72) der integrierten Schaltung (58) nicht benutzt werden kann, um Tastendruckinformationen zu empfangen, wenn nichtvertrauenswürdige Informationen von einer externen Quelle über den Datenpfad in die sichere integrierte Schaltung (58) und aus der sicheren integrierten Schaltung (58) und zu einer Anzeigevorrichtung (51) geleitet werden; und

    (b) in einem zweiten Modus ein Deaktivieren des Datenpfades und ein Aktivieren (207) der Tastendruck-Eingabeschnittstelle (72), die dann nutzbar ist, um Tastendruckinformationen auf der sicheren integrierten Schaltung (58) von einem Tastenfeld (53) zu empfangen, wobei der Datenpfad (73) insofern deaktiviert ist, als auf der Anzeigeinformations-Eingabeschnittstelle (100) empfangene Informationen nicht von einer nicht berechtigten Quelle über den Datenpfad zur Anzeigeinformations-Ausgabeschnittstelle (102) gelangen können,

    dadurch gekennzeichnet, dass im zweiten Modus zusätzliche, örtlich erzeugte Bilder und in der integrierten Schaltung (58) erzeugte Informationen zur Anzeigeinformations-Ausgabeschnittstelle (102) ausgegeben werden können, und wobei der erste und der zweite Modus zwei Betriebsmodi der integrierten Schaltung (58) sind.
     
    2. Verfahren nach Anspruch 1, wobei der Datenpfad in der Lage ist, Informationen von der Anzeigeinformations-Eingabeschnittstelle (100) zur Anzeigeinformations-Ausgabeschnittstelle (102) zu kommunizieren, und wobei die Informationen entnommen sind aus der Gruppe, bestehend aus: einem Bitmap-Bild, Videoinformationen, Textinformationen, komprimierten Bildinformationen und komprimierten Videoinformationen.
     
    3. Verfahren nach einem beliebigen der Ansprüche 1 bis 2, wobei die örtlich erzeugten Bilder und Informationen im zweiten Modus auf die Anzeigeinformations-Ausgabeschnittstelle (102) ohne die Verwendung irgendeiner digitalen Signatur zum Beglaubigen des Bildes ausgegeben werden.
     
    4. Verfahren nach einem beliebigen der Ansprüche 1 bis 3, weiter umfassend:
    (c) ein Empfangen eines Bildes und einer zugehörigen digitalen Signatur (204) auf der integrierten Schaltung (58), und wobei im zweiten Modus in (b) das Bild durch die integrierte Schaltung (58) unter Verwendung der digitalen Signatur beglaubigt (205) wird und das beglaubigte Bild auf die Anzeigeinformations-Ausgabeschnittstelle (102) ausgegeben (207) wird.
     
    5. Verfahren nach Anspruch 4, wobei die integrierte Schaltung (58) ein zweites Bild örtlich erzeugt und das zweite Bild im zweiten Modus auf die Anzeigeinformations-Ausgabeschnittstelle (102) ohne die Verwendung irgendeiner digitalen Signatur zum Beglaubigen des zweiten Bildes ausgibt.
     
    6. Verfahren nach einem beliebigen der Ansprüche 1 bis 5, weiter umfassend:
    (c) ein Empfangen eines Befehls auf der integrierten Schaltung (58), wobei der Befehl die integrierte Schaltung (58) veranlasst, vom Betrieb im ersten Modus zum Betrieb im zweiten Modus umzuschalten.
     
    7. Verfahren nach einem beliebigen der Ansprüche 1 bis 6, weiter umfassend:
    (c) im zweiten Modus ein Verwenden der Anzeigeinformations-Ausgabeschnittstelle (102), um Informationen zu einer Anzeigevorrichtung (51) zu kommunizieren, sodass die Informationen auf der Anzeigevorrichtung (51) angezeigt werden, wobei die angezeigten Informationen einen Benutzer auffordern, Tastendruckinformationen in eine Tastendruckaufnahmevorrichtung einzugeben, und ein Empfangen der Tastendruckinformationen von der Tastendruckaufnahmevorrichtung auf der Tastendruck-Eingabeschnittstelle (72).
     
    8. Verfahren nach einem beliebigen der Ansprüche 1 bis 7, weiter umfassend:
    (c) ein Empfangen von finanziellen Informationen auf der integrierten Schaltung (58), wobei die finanziellen Informationen entnommen sind aus der Gruppe, bestehend aus: einer Kreditkartennummer, einer Bankkontonummer, einer persönlichen Identifikationsnummer, einem Transaktionsbetrag, einem Chiffrierschlüssel, Fingerabdruckinformationen.
     
    9. Integrierte Schaltung (58), umfassend:

    eine Tastendruckinformations-Eingabeschnittstelle (72);

    eine Anzeigeinformations-Eingabeschnittstelle (100);

    eine Anzeigeinformations-Ausgabeschnittstelle (102); und

    Mittel (95), um in einem ersten Modus die Tastendruckinformations-Eingabeschnittstelle (72) zu deaktivieren und zu bewirken, dass sich ein Datenpfad (73) von der Anzeigeinformations-Eingabeschnittstelle (100), durch die Vorrichtung und zur Anzeigeinformations-Ausgabeschnittstelle (102) erstreckt, sodass die Tastendruck-Eingabeschnittstelle der integrierten Schaltung (58) nicht benutzt werden kann, um Tastendruckinformationen zu empfangen, wenn nichtvertrauenswürdige Informationen aus einer externen Quelle in die sichere integrierte Schaltung (58), über den Datenpfad (73) und aus der sicheren integrierten Schaltung (58) und zu einer Anzeigevorrichtung (51) geleitet werden, und um in einem zweiten Modus den Datenpfad (73) zu deaktivieren und die Tastendruckinformations-Eingabeschnittstelle (72) zu aktivieren, die dann nutzbar ist, um Tastendruckinformationen auf der sicheren integrierten Schaltung (58) von einem Tastenfeld (53) zu empfangen, wobei der Datenpfad (73) insofern deaktiviert ist, als auf der Anzeigeinformations-Eingabeschnittstelle (100) empfangene Informationen nicht von einer nicht berechtigten Quelle über den Datenpfad zur Anzeigeinformations-Ausgabeschnittstelle (102) gelangen können,

    dadurch gekennzeichnet, dass im zweiten Modus zusätzliche, örtlich erzeugte Bilder und in der integrierten Schaltung (58) erzeugte Informationen zur Anzeigeinformations-Ausgabeschnittstelle (102) ausgegeben werden können.
     
    10. Integrierte Schaltung nach Anspruch 9, weiter umfassend:
    einen Speicher (75), der ein Bild speichert, wobei die Einrichtung auch dazu dient, im zweiten Modus das Bild aus dem Speicher (75) zu lesen und das Bild zu beglaubigen und das Bild aus der Anzeigeinformations-Ausgabeschnittstelle (102) auszugeben.
     
    11. Integrierte Schaltung nach einem beliebigen der Ansprüche 9 bis 10, wobei die Anzeigeinformations-Eingabeschnittstelle (100) konfigurierbar ist, eine aus einer Vielzahl von Anzeigeeingabeschnittstellen auswählbare zu emulieren.
     
    12. Integrierte Schaltung nach einem beliebigen der Ansprüche 9 bis 11, wobei die Anzeigeinformations-Eingabeschnittstelle (100) eine erste Gruppe von Anschlüssen zum Empfangen von roten Pixelinformationen, eine zweite Gruppe von Anschlüssen zum Empfangen von grünen Pixelinformationen und eine dritte Gruppe von Anschlüssen zum Empfangen von blauen Pixelinformationen enthält.
     
    13. Integrierte Schaltung nach einem beliebigen der Ansprüche 9 bis 12, wobei die Tastendruckinformations-Eingabeschnittstelle (72) entnommen ist aus der Gruppe, bestehend aus: einer Tastenfeldschnittstelle (86), einer Tastaturschnittstelle (85) und einer Berührungsbildschirmschnittstelle (87).
     
    14. Integrierte Schaltung nach einem beliebigen der Ansprüche 9 bis 13, wobei die Anzeigeinformations-Ausgabeschnittstelle (102) mit einer Eingabeschnittstelle einer Anzeigevorrichtung (51) gekoppelt ist, wobei die Anzeigeinformations-Eingabeschnittstelle (100) im Wesentlichen funktionsmäßig identisch ist mit der Eingabeschnittstelle der Anzeigevorrichtung.
     
    15. Integrierte Schaltung nach einem beliebigen der Ansprüche 9 bis 14, wobei die Tastendruckinformations-Eingabeschnittstelle (72) während eines Zeitabschnitts deaktiviert sein kann, in dem die Vorrichtung im zweiten Modus arbeitet, aber wobei die Tastendruckinformations-Eingabeschnittstelle (72) während eines beliebigen Zeitabschnitts nicht aktiviert sein kann, in dem die Vorrichtung im ersten Modus arbeitet.
     


    Revendications

    1. Méthode comprenant les étapes suivantes :

    (a) dans un premier mode, désactiver (201) une interface d'entrée (72) par pression de touche d'un circuit intégré (58) et activer un chemin de données (73), dans laquelle le chemin de données (73) s'étend depuis une interface d'entrée (100) d'informations d'affichage du circuit intégré (58) et passe à travers le circuit intégré (58) et vers une interface de sortie (102) des informations d'affichage du circuit intégré (58), de telle sorte que l'interface d'entrée (72) par pression de touche du circuit intégré (58) ne puisse pas être utilisée pour recevoir des informations de pression de touche lorsque des informations non sécurisées provenant d'une source externe sont envoyées dans le circuit intégré sécurisé (58), par le chemin de données, et hors du circuit intégré sécurisé (58) et vers un affichage (51) ; et

    (b) dans un second mode, désactiver le chemin de données et activer (207) l'interface d'entrée (72) par pression de touche, qui peut ensuite être utilisée pour recevoir des informations de pression de touche sur le circuit intégré sécurisé (58) depuis un pavé numérique (53), dans laquelle le chemin de données (73) est désactivé en ce sens que des informations reçues sur l'interface d'entrée (100) d'informations d'affichage ne peuvent pas passer depuis une source non autorisée, via le chemin de données, vers l'interface de sortie (102) des informations d'affichage,

    caractérisée en ce que dans le second mode, des images supplémentaires générées localement et des informations générées sur le circuit intégré (58) peuvent être sorties vers l'interface de sortie (102) d'informations d'affichage, et dans laquelle les premier et second modes sont deux modes de fonctionnement du circuit intégré (58).
     
    2. Méthode selon la revendication 1, dans laquelle le chemin de données est adapté pour communiquer des informations depuis l'interface d'entrée (100) d'informations d'affichage à l'interface de sortie (102) d'informations d'affichage, et dans laquelle les informations sont prises du groupe constitué par : une image par points, des informations vidéo, des informations textuelles, des informations d'image compressées et des informations vidéo compressées.
     
    3. Méthode selon l'une quelconque des revendications 1 à 2, dans laquelle les images et les informations générées localement sont sorties sur l'interface de sortie (102) des informations d'affichage dans le second mode sans utiliser une quelconque signature numérique pour authentifier l'image.
     
    4. Méthode selon l'une quelconque des revendications 1 à 3, comprenant en outre les étapes suivantes :
    (c) recevoir une image et une signature numérique associée (204) sur le circuit intégré (58), et dans laquelle, dans le second mode, à l'étape (b), l'image est authentifiée (205) par le circuit intégré (58) en utilisant la signature numérique et l'image authentifiée est sortie (207) sur l'interface de sortie (102) des informations d'affichage.
     
    5. Méthode selon la revendication 4, dans laquelle le circuit intégré (58) génère localement une seconde image et délivre la seconde image sur l'interface de sortie (102) des informations d'affichage dans le second mode sans utiliser une quelconque signature numérique pour authentifier la seconde image.
     
    6. Méthode selon l'une quelconque des revendications 1 à 5, comprenant en outre les étapes suivantes :
    (c) recevoir une commande sur le circuit intégré (58), dans laquelle la commande fait à ce que le circuit intégré (58) commute du fonctionnement dans le premier mode au fonctionnement dans le second mode.
     
    7. Méthode selon l'une quelconque des revendications 1 à 6, comprenant en outre les étapes suivantes :
    (c) dans le second mode, utiliser l'interface de sortie (102) des informations d'affichage pour communiquer des informations à un affichage (51) de sorte que les informations soient affichées sur l'affichage (51), dans laquelle les informations affichées invitent un utilisateur à saisir des informations par pression de touche dans un dispositif de capture de pressions de touche et à recevoir les informations de pression de touche depuis le dispositif de capture de pressions de touche sur l'interface d'entrée (72) par pression de touche.
     
    8. Méthode selon l'une quelconque des revendications 1 à 7, comprenant en outre les étapes suivantes :
    (c) recevoir des informations financières sur le circuit intégré (58), dans laquelle les informations financières proviennent du groupe constitué par : un numéro de carte de crédit, un numéro de compte bancaire, un numéro d'identification personnel, un montant de transaction, une clé de cryptage, des informations d'empreintes digitales.
     
    9. Circuit intégré (58) comprenant :

    une interface d'entrée (72) d'informations par pression de touche ;

    une interface d'entrée (100) d'informations d'affichage ;

    une interface de sortie (102) d'informations d'affichage ; et

    moyens (95) pour, dans un premier mode, désactiver l'interface d'entrée (72) d'informations par pression de touche et pour faire à ce qu'un chemin de données (73) s'étende depuis l'interface d'entrée (100) d'informations d'affichage, à travers l'appareil, et à l'interface de sortie (102) d'informations d'affichage, de sorte que l'interface d'entrée par pression de touche du circuit intégré (58) ne puisse pas être utilisée pour recevoir des informations de pression de touche lorsque des informations non sécurisées provenant d'une source externe sont envoyées dans le circuit intégré sécurisé (58), à travers le chemin de données (73) et hors du circuit intégré sécurisé (58) et vers un affichage (51), et pour, dans un second mode, désactiver le chemin de données (73) et pour activer l'interface d'entrée (72) d'informations par pression de touche,

    qui peut ensuite être utilisé pour recevoir des informations de pression de touche sur le circuit intégré sécurisé (58) depuis un pavé numérique (53), dans lequel le chemin de données (73) est désactivé en ce sens que des informations reçues sur l'interface d'entrée (100) d'informations d'affichage ne peuvent pas passer depuis une source non autorisée, via le chemin de données, vers l'interface de sortie (102) des informations d'affichage,

    caractérisé en ce que dans le second mode, des images supplémentaires générées localement et des informations générées sur le circuit intégré (58) peuvent être sorties vers l'interface de sortie (102) d'informations d'affichage.


     
    10. Circuit intégré selon la revendication 9, comprenant en outre :
    une mémoire (75) qui stocke une image, dans lequel le moyen est également destiné à, dans le second mode, lire l'image depuis la mémoire (75) et authentifier l'image et sortir l'image depuis l'interface de sortie (102) des informations d'affichage.
     
    11. Circuit intégré selon l'une quelconque des revendications 9 à 10, dans lequel l'interface d'entrée (100) d'informations d'affichage peut être configurée pour émuler une interface sélectionnable parmi une multitude d'interfaces d'entrée d'affichage.
     
    12. Circuit intégré selon l'une quelconque des revendications 9 à 11, dans lequel l'interface d'entrée (100) d'informations d'affichage comprend un premier groupe de terminaux pour recevoir des informations de pixels rouges, un second groupe de terminaux pour recevoir des informations de pixels verts et un troisième groupe de terminaux pour recevoir des informations de pixels bleus.
     
    13. Circuit intégré selon l'une quelconque des revendications 9 à 12, dans lequel l'interface d'entrée (72) d'informations par pression de touche est prise dans le groupe constitué par : une interface de pavé numérique (86), une interface de clavier (85) et une interface d'écran tactile (87).
     
    14. Circuit intégré selon l'une quelconque des revendications 9 à 13, dans lequel l'interface de sortie (102) d'informations d'affichage est couplée à une interface d'entrée d'un affichage (51), dans lequel l'interface d'entrée (100) d'informations d'affichage est sensiblement identique sur le plan fonctionnel à l'interface d'entrée de l'affichage.
     
    15. Circuit intégré selon l'une quelconque des revendications 9 à 14, dans lequel l'interface d'entrée (72) d'informations par pression de touche peut être désactivée durant une partie de temps pendant laquelle l'appareil fonctionne dans le second mode, mais dans lequel l'interface d'entrée (72) d'informations par pression de touche ne peut pas être activée pendant une quelconque partie de temps pendant laquelle l'appareil fonctionne dans le premier mode.
     




    Drawing
































    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description