WO2016091645A1 - Method, apparatus and system for processing a user input - Google Patents

Publication number
WO2016091645A1
Authority
WO
WIPO (PCT)
Prior art keywords
initial state
randomised
user input
user
environment
Prior art date
Application number
PCT/EP2015/078134
Other languages
French (fr)
Inventor
Hendrik Jan Jozef Hubertus Schepers
Paulus Mathias Hubertus Mechtildis Antonius Gorissen
Original Assignee
Koninklijke Philips N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips N.V.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/031 Protect user input by software means
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133 Verifying human interaction, e.g., Captcha

Definitions

  • the invention relates to a method, apparatus and system for receiving and processing a user input.
  • the user input is vulnerable to attackers.
  • An attacker that intercepts the user input at the user interface before it has reached the encrypted domain is able to obtain the user input.
  • output from the encrypted domain that is sent to the user interface can also be obtained by attacker interception.
  • If the attacker is able to intercept the user input and/or output, it is possible that the attacker will obtain enough information to allow a determination to be made of the encryption that is used. For example, the attacker may intercept and modify the user input. This leaves the private data vulnerable to attack as well.
  • SVM Secure Virtual Machine
  • computation is performed using encrypted values instead of operators that would reveal their functionality.
  • the operators are hidden through use of tables comprising anonymous operators and are applied to encrypted data to provide an encrypted result.
  • the approach still requires data input by the user to be processed and, ultimately, some result is output to the user.
  • the input and the output are plain (i.e. the input and the output are not encrypted) and can thus be intercepted by an attacker.
  • This same problem arises in many other approaches outside the SVM context that require user input.
  • the problem described is particularly apparent on devices that do not have an exclusive purpose. For example, a smart phone may host many applications from arbitrary origins that may be allowed to subscribe to keyboard or touch screen events. This provides an attacker with an easy way to intercept user input obtained from such events. The same problem is also apparent on many other devices.
  • An existing method that aims to overcome these disadvantages involves the user entering a certain input on a separate device which then performs encryption and presents the user with a secure result that can then be input by the user into the user interface itself.
  • This method is currently popular in banking applications.
  • the method requires the user to carry a separate device with them since the user is unable to access their private information without this separate device.
  • EP 2597590 A2 discloses a method for processing a user input, that comprises rendering a randomised initial state on a user interface, and authenticating the user when the user has rearranged it to match a previously set authentication arrangement.
  • The aim of this method is to protect against "shoulder surfing"; EP 2597590 A2 is not concerned with protecting against attackers that run their own applications on the device to try to intercept the user input.
  • the invention provides this by obtaining a user input from a user interface in an indirect way that is not easily intercepted or interpreted by an attacker (whether that be a person or a machine).
  • a method for processing a user input comprising the steps of: a) rendering a randomised initial state on a user interface;
  • Statement 2 A method as defined in statement 1, wherein steps (a), (b) and (c) are performed in a first environment and wherein step (d) is performed in a second environment different to the first environment.
  • Statement 3 A method as defined in statement 2, the method further comprising the step of: providing a randomised initial state prior to the step of rendering said randomised initial state on the user interface;
  • step of providing the randomised initial state is performed in the second environment.
  • Statement 4 A method as defined in statement 2 or 3, wherein the second environment is more secure than the first environment.
  • Statement 5 A method as defined in statement 2, 3 or 4, wherein the first environment and the second environment are located in a single device.
  • Statement 6 A method as defined in statement 2, 3 or 4, wherein the first environment is located in a first device and the second environment is located in a second device different to the first device.
  • Statement 7 A method as defined in statement 5 or 6, wherein the single device, the first device or the second device is a mobile terminal, a personal computer, an automated teller machine, a payment terminal or a server.
  • Statement 8 A method as defined in any of statements 2 to 7, the method further comprising the step of:
  • Statement 11 A method as defined in statement 10, wherein the predetermined user input comprises a password or a personal identification number (PIN).
  • Statement 12 A method as defined in statement 10 or 11, the method further comprising the step of:
  • Statement 13 A method as defined in any preceding statement, wherein the randomised initial state and the new state each comprise a random arrangement of input options for the user.
  • Statement 14 A method as defined in statement 13, wherein the input options comprise one or more characters, numerical digits, symbols, pictures, film and/or blanks.
  • Statement 15 A method as defined in any preceding statement, wherein the randomised initial state is unconventional, disordered and/or incomplete.
  • Statement 16 A method as defined in any preceding statement, wherein the user interface comprises at least one physical component and/or at least one software component for receiving the user input.
  • Statement 17 A method as defined in statement 16, wherein the at least one physical component comprises at least one of a keyboard, mouse, camera, microphone, handle, slider and button and wherein the at least one software component comprises at least one of a touchpad, keypad, keyboard, a scroll bar, a scroll wheel, a rotating dial, a reel, or
  • Statement 18 A method as defined in any preceding statement, wherein the user input comprises one or more instructions and wherein the difference between the initial state and the new state comprises at least one of a particular instruction, a total number of instructions and/or a particular order of instructions.
  • Statement 19 A method as defined in statement 18, wherein the one or more instructions comprise at least one of a gesture on a touch screen, a gesture in front of a camera and a voice control into a microphone.
  • Statement 20 A method as defined in statement 19, wherein the gesture on the touch screen comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, and a tracking operation.
  • Statement 21 A method as defined in statement 19, wherein the gesture in front of the camera comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right.
  • Statement 22 A method as defined in any preceding statement, wherein the step of receiving a user input to change the randomised initial state to a new state comprises receiving a plurality of user inputs to change the randomised initial state to a new state.
  • Statement 23 A method as defined in statement 22, wherein steps (b) to (d) are repeated for each of the plurality of user inputs.
  • Statement 24 A method as defined in any preceding statement, wherein the step of rendering a randomised initial state on a user interface comprises rendering a randomised initial state on a plurality of user interfaces.
  • Statement 26 A method as defined in statement 25, the method further comprising the step of: for each of said at least one user inputs received, rendering a different randomised initial state until receipt of a user input indicating acceptance of the randomised initial state.
  • Statement 27 A method as defined in statement 26, wherein the user input indicating acceptance of the randomised initial state is a user input to change the randomised initial state to a new state.
  • An apparatus for processing a user input comprising a user interface and one or more processors configured to:
  • Statement 29 An apparatus as defined in statement 28, the apparatus comprising a first processor configured according to (a), (b) and (c) and a second processor configured according to step (d).
  • Statement 30 An apparatus as defined in statement 29, wherein the second processor is further configured to provide the randomised initial state for rendering by the first processor on the user interface.
  • Statement 31 An apparatus as defined in statement 29 or 30, wherein the second processor is more secure than the first processor.
  • Statement 32 An apparatus as defined in statement 29, 30 or 31, wherein the first processor and the second processor are located in a single device.
  • Statement 33 An apparatus as defined in statement 29, 30 or 31, wherein the first processor is located in a first device and the second processor is located in a second device different to the first device.
  • Statement 34 An apparatus as defined in statement 32 or 33, wherein the single device, the first device or the second device is a mobile terminal, a personal computer, an automated teller machine, a payment terminal or a server.
  • Statement 35 An apparatus as defined in any of statements 29 to 34, the apparatus further comprising:
  • a communication unit configured to transmit the determined difference between the initial state and the new state from the first environment to the second environment.
  • Statement 36 An apparatus as defined in any of statements 28 to 35, the apparatus further comprising:
  • a storage unit configured to store the determined difference between the initial state and the new state.
  • Statement 37 An apparatus as defined in any of statements 28 to 35, wherein the processor configured to process the user input based on the determined difference is configured to:
  • Statement 38 An apparatus as defined in statement 37, wherein the predetermined user input comprises a password or a personal identification number (PIN).
  • PIN personal identification number
  • Statement 39 An apparatus as defined in statement 37 or 38, the apparatus further comprising:
  • an authentication unit configured to authenticate the user based on the comparison.
  • Statement 40 An apparatus as defined in any of statements 28 to 39, wherein the randomised initial state and the new state each comprise a random arrangement of input options for the user.
  • Statement 41 An apparatus as defined in statement 40, wherein the input options comprise one or more characters, numerical digits, symbols, pictures, film and/or blanks.
  • Statement 42 An apparatus as defined in any of statements 28 to 41, wherein the randomised initial state is unconventional, disordered and/or incomplete.
  • Statement 43 An apparatus as defined in any of statements 28 to 42, wherein the user interface comprises at least one physical component and/or at least one software component for receiving the user input.
  • Statement 44 An apparatus as defined in statement 43, wherein the at least one physical component comprises at least one of a keyboard, mouse, camera, microphone, handle, slider and button and wherein the at least one software component comprises at least one of a touchpad, keypad, keyboard, a scroll bar, a scroll wheel, a rotating dial, a reel, or
  • Statement 45 An apparatus as defined in any of statements 28 to 44, wherein the user input comprises one or more instructions and wherein the difference between the initial state and the new state comprises at least one of a particular instruction, a total number of instructions and/or a particular order of instructions.
  • Statement 46 An apparatus as defined in statement 45, wherein the one or more instructions comprise at least one of a gesture on a touch screen, a gesture in front of a camera and a voice control into a microphone.
  • Statement 47 An apparatus as defined in statement 46, wherein the gesture on the touch screen comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, and a tracking operation.
  • Statement 48 An apparatus as defined in statement 46, wherein the gesture in front of the camera comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right.
  • Statement 49 An apparatus as defined in any of statements 28 to 48, wherein the processor configured to receive a user input to change the randomised initial state to a new state is configured to receive a plurality of user inputs to change the randomised initial state to a new state.
  • Statement 50 An apparatus as defined in statement 49, wherein the one or more processors are configured to repeat steps (b) to (d) for each of the plurality of user inputs.
  • Statement 51 An apparatus as defined in any of statements 28 to 50, wherein the processor configured to render a randomised initial state on the user interface is configured to render the randomised initial state on a plurality of user interfaces.
  • Statement 52 An apparatus as defined in any of statements 28 to 51, wherein the processor configured to receive a user input to change the randomised initial state to a new state is configured to receive at least one user input to render a different randomised initial state on the user interface.
  • Statement 53 An apparatus as defined in statement 52, wherein for each of said at least one user inputs received, the processor is configured to render a different randomised initial state on the user interface until receipt of a user input indicating acceptance of the randomised initial state.
  • Statement 54 A method as defined in statement 53, wherein the user input indicating acceptance of the randomised initial state is a user input to change the randomised initial state to a new state.
  • a computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer, processor or control unit, the computer, processor or control unit is caused to perform the method of any of statements 1 to 27.
  • Figure 1 is a schematic block diagram of a system 300 in accordance with an aspect of the invention.
  • Figure 2 is a schematic block diagram of a system 400 in accordance with an embodiment of the invention.
  • Figure 3 is a schematic block diagram of a system 500 in accordance with another embodiment of the invention.
  • Figure 4 is a schematic block diagram of a first environment 100
  • Figure 5 is a schematic block diagram of a second environment 200
  • Figure 6 is a schematic flow chart of a method 800 in accordance with an embodiment of the invention.
  • FIGS. 7 to 9 are schematic block diagrams of a user interface 600 in accordance with various embodiments of the invention.
  • FIG. 1 is a schematic block diagram of a system 300 in accordance with an aspect of the invention.
  • the system 300 comprises a first environment 100 and a second environment 200.
  • the first environment 100 and the second environment 200 are able to communicate with one another via a communication link 302.
  • the communication link 302 may be a wireless communication link such as a Wi-Fi, Near Field Communication (NFC) or Bluetooth connection.
  • the communication link 302 may be a wired
  • the second environment 200 may be more secure than the first environment 100.
  • the first environment 100 may be an environment in which data is plain (i.e. unencrypted) and thus potentially susceptible to interception and
  • the second environment 200 may be an environment in which data is encrypted and thus more difficult or impossible for an attacker to intercept or interpret.
  • FIG. 2 is a schematic block diagram of a system 400 in accordance with an embodiment of the invention in which the first environment 100 and the second environment 200 are located in a single device 402.
  • the device 402 may be, for example, a mobile terminal, a personal computer, an automated teller machine, a payment terminal, a server, etc.
  • the first environment 100 of the device 400 is the potentially unsecure environment in that data is plain (i.e. unencrypted) and the second environment 200 of the device 400 is the secure environment in that data is encrypted.
  • the device 400 may be a mobile terminal where the first environment 100 represents the application level and the second environment 200 represents the secure element (SE) level.
  • SE secure element
  • Figure 3 is a schematic block diagram of a system 500 in accordance with an alternative embodiment of the invention in which the first environment 100 is located in a first device 502 and the second environment 200 is located in a second device 504, which is different from the first device 502.
  • the first device 502 and the second device 504 may be, for example, a mobile terminal, a personal computer, an automated teller machine, a payment terminal, a server, etc.
  • the first device 502 is a mobile terminal and the second device 504 is a server.
  • the first device 502 and the second device 504 are different mobile terminals.
  • any combination of the first device 502 and the second device 504 are different mobile terminals.
  • FIG. 4 is a schematic block diagram of the first environment 100 in accordance with an embodiment of the invention.
  • the first environment 100 comprises a user interface 600 for receiving a user input and a first processor 602 for processing the user input.
  • the first environment 100 also optionally comprises a storage unit 604 and a communication unit 606 for communicating with the second environment 200 via the communication link 302.
  • FIG. 5 is a schematic block diagram of the second environment 200 in accordance with an embodiment of the invention.
  • the second environment 200 comprises a second processor 702 for processing a user input.
  • the second environment 200 also optionally comprises a storage unit 704, an authentication unit 706 for authenticating a user and a communication unit 708 for communicating with the first environment 100 via the communication link 302.
  • FIG. 6 is a schematic flow chart of a method 800 in accordance with an embodiment of the invention.
  • the method 800 will be described with reference to the first environment 100 illustrated in Figure 5 and the second environment 200 illustrated in Figure 6. It will be understood that the method 800 is applicable to any of the systems 300, 400 and 500 shown in Figures 1, 2 and 3. However, for the purposes of this description, the method will be described generally. Any references to the first environment 100 will be understood to apply to the first environment 100 in the single device 402 of Figure 2 or the first device 502 of Figure 3. Similarly, any references to the second environment 200 will be understood to apply to the second environment 200 in the single device 402 of Figure 2 or the second device 504 of Figure 3.
  • the second processor 702 in the second environment 200 provides a randomised initial state to be rendered on the user interface 600 in the first environment 100 (step 802).
  • the randomised initial state may comprise a random arrangement of options or functions.
  • the random arrangement may comprise one or more characters, numerical digits, symbols, pictures, films and/or a blank (i.e. where there is no option or function rendered).
  • the randomised initial state may be unconventional, disordered and/or incomplete.
  • the randomised initial state may be unconventional in the fact that it does not directly correlate with a standard arrangement of options or functions (such as the arrangement presented on a standardised keyboard).
  • the randomised initial state may be disordered in the fact that one option may not logically follow on from the next.
  • the randomised initial state may provide the characters in a non-sequential order (such as A... F... B... T... etc, as opposed to A... B... C... D... etc).
  • the randomised initial state may be incomplete in the fact that there may be certain options or functions missing (i.e. options or functions that do not appear). Furthermore, it is
  • the randomized initial state is described in a format that is not easily interpretable, such that any difference to this state is not easily interpretable.
  • the character "A" may be presented as a bitmap instead of an ASCII character, or it may be described by a CAPTCHA - an image or animation that is designed to be human readable, but hard to analyse using computer programs.
  • the storage unit 704 in the second environment 200 may optionally store the provided randomised initial state (step 804).
  • the storage unit 704 may store the randomised initial state securely through encryption by any suitable cryptographic protocol.
  • the storage unit 704 may only store the randomised initial state for a predetermined amount of time for added security.
  • the storage unit 704 may be a temporal storage, say a volatile memory, such as RAM.
  • the user interface 600 in the first environment 100 renders the randomised initial state for the user (step 806).
  • the user provides an input to change the randomised initial state rendered on the user interface 600 to a new state.
  • the user input may be provided in a number of ways, some of which will be described here. However, it will be understood that any suitable user input device could be used to provide the user input.
  • the user interface may comprise one or more components that the user is able to operate to provide a user input.
  • the one or more components will have a different semantic meaning depending on a particular option or function to which they relate.
  • the particular option or function to which the one or more components relate is determined by the randomised initial state.
  • Each component is temporarily mapped to a particular option or function that is determined by the randomised initial state.
  • a user input is received to change the randomised initial state rendered on the user interface 600 to a new state
  • one or more of the components will be provided with a different semantic meaning and thus relate to a different option or function than they did in the randomised initial state. This different option or function is determined by the new state.
  • the user interface 600 may include software components that the user accesses to provide the user input.
  • the user interface 600 may be a touch screen and the user input could be provided directly to the touch screen by way of virtually displayed operation tools such as one or more touchpads, keypads, keyboards, scroll bars, scroll wheels, rotating dials, reels, buttons, sliders, and/or predetermined locations on the screen, etc.
  • the user interface 600 may include physical components that the user operates to provide the user input.
  • the user input could be provided to one or more of a physical keyboard, mouse, camera, microphone, handle, slider, and/or button, etc.
  • more than one user interface 600 may be provided to render the randomised initial state.
  • the user interface 600 may comprise a combination of one or more software and/or physical components.
  • the user is able to provide one or more instructions to the user interface 600 to change the randomised initial state to a new state.
  • the user may provide one or more instructions by providing a gesture on a touch screen, a gesture in front of a camera, a voice control into a microphone, or a change in the orientation of the user interface.
  • the gesture on the touch screen may be an acceleration detected in any direction.
  • the gesture may comprise an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, a tracking operation, etc, or any combination of gestures.
  • the gesture in front of the camera may be an acceleration detected in any direction.
  • the gesture may comprise an upward movement, a downward movement, a movement to the left, a movement to the right, etc, or any combination of gestures.
  • the voice control into the microphone may, for example, be the user speaking instructions to implement the change from the randomised initial state to the new state that they require.
  • the change in orientation of the user interface may involve one or more actions such as tilting, shaking, flipping, etc.
  • this may be achieved by performing the action on the device 402 or 502 comprising the interface 600.
  • Although certain examples for the type of user input are provided, it will be understood that the input is not limited to these examples and that any other suitable input may be used.
  • the change from the randomised initial state to the new state could involve any number of changes.
  • some possible examples are a change in the order of the options or functions rendered, an addition of an option or function to those rendered, the removal of an option or function from those rendered, entering a blank (i.e. where there is no option or function rendered), or similar.
  • the user input may simply be an input to render a different randomised initial state.
  • the user may request a different randomised initial state where the option or function that the user requires is not present in the current randomised initial state.
  • the user input to render a different randomised initial state may be received by any suitable form of input device. For example, there may be a designated button that the user can operate to instruct that the initial state is randomised again.
  • a different randomised initial state may be provided to and rendered on the user interface 600 until receipt of a user input indicating acceptance of the randomised initial state.
  • the user input indicating acceptance of the randomised initial state may, for example, be a user input to change the randomised initial state rendered on the user interface 600 to a new state (which will be explained in more detail below).
  • the user input indicating acceptance of the randomised initial state may simply be the user selecting an input that indicates that the state is to be used.
  • the user input indicating acceptance of the randomised initial state may involve a separate command.
  • the first processor 602 in the first environment 100 receives the user input to change the randomised initial state rendered on the user interface 600 to a new state (step 808). Example embodiments of the change in the randomised initial state to the new state will also be provided later.
  • the first processor 602 in the first environment 100 determines the difference between the initial state and the new state following receipt of the user input to change the initial state to the new state (step 810).
  • the difference may comprise a particular instruction (such as dragging operation), a total number of instructions (such as three upwards movements) and/or a particular order of instructions (such as an upward movement followed by a dragging operation).
  • the difference may include a sequence of indicated changes.
  • the storage unit 604 in the first environment 100 may optionally store the determined difference between the initial state and the new state (step 812).
  • the stored determined difference between the initial state and the new state may be encrypted by any suitable cryptographic protocol to increase security.
  • the storage unit 704 may only store the determined difference between the initial state and the new state for a predetermined amount of time for added security.
  • the storage unit 704 may be a temporal storage, say a volatile memory, such as RAM.
  • the communication unit 606 in the first environment 100 may transmit the determined difference between the initial state and the new state to the second environment 200 via the communication link 302 (step 814).
  • the communication unit 708 in the second environment 200 then receives the determined difference between the initial state and the new state from the first environment 100 (step 816).
  • the storage unit 704 in the second environment 200 may optionally store the determined difference between the initial state and the new state (step 818).
  • the stored determined difference between the initial state and the new state may be encrypted by any suitable cryptographic protocol to increase security.
  • the storage unit 704 may only store the determined difference between the initial state and the new state for a predetermined amount of time for added security.
  • the second processor 702 in the second environment 200 processes the user input based on the determined difference to determine intended user information (step 820). For example, the second processor 702 in the second environment 200 may process the user input by comparing the determined difference between the initial state and the new state to a difference between the randomised initial state and a predetermined user input.
  • the predetermined user input may, for example, be a password, a personal identification number (PIN) or the like.
  • the second processor 702 in the second environment 200 may use the determined difference between the initial state and the new state to determine an amount that the user wishes to pay in a transaction or a telephone number that the user wishes to communicate.
  • intended user information that the user wishes to securely pass to a selected system or application (here, in the second environment 200) is obtained from the user interface and provided to the system or application in an indirect way that is not easily intercepted or interpreted by an attacker (whether that be a person or a machine). It is the determined difference that is processed at the selected system or application to determine the intended user information and thus it is not necessary to construct the intended user information prior to this, meaning that the intended user information is kept private and provided securely to the selected system or application.
  • an initial state consisting of a number of preferably hard to interpret bitmaps is rendered to a user in a first environment.
  • the user rearranges the bitmaps, and the rearranging steps (the difference) are provided to a second environment.
  • As the bitmaps are not interpreted, and differences to the randomized initial states carry no information without this interpretation, an attacker that observes the first environment does not learn the intended user information that is provided to the second environment without obtaining and interpreting the bitmaps.
  • the authentication unit 706 in the second environment 200 authenticates the user based on the comparison of the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input (step 822).
  • the authentication unit 706 in the second environment 200 may transmit a notification to the first environment 100 to be provided to the user indicating whether the authentication has been successful or has failed (step 824). For example, if the authentication unit 706 in the second environment 200 determines from the comparison that the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input are consistent, the authentication unit 706 will indicate that authentication has been successful.
  • If the authentication unit 706 in the second environment 200 determines from the comparison that the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input are inconsistent, the authentication unit 706 will indicate that authentication has failed.
  • the authentication procedure may be repeated for each user input that is received and thus each corresponding difference between the initial state and the new state that is determined.
  • the communication unit 606 in the first environment 100 may receive the notification from the second environment 200 via the communication link 302 (step 826).
  • the notification may be, for example, a message for display on a screen, an audio sound for rendering by a speaker, or similar.
  • the use of the invention in authentication is merely one example of its application and is not restrictive in any way. It will be understood that the invention also has application in other areas. Other examples may include a payment system in which the determined difference between the initial state and the new state is used to determine an amount that the user wishes to pay, or a messaging system in which the determined difference between the initial state and the new state is used to determine a telephone number that the user wishes to communicate.
  • the first processor 602 in the first environment 100 may receive multiple user inputs to change the randomised initial state rendered on the user interface 600 to a new state and that one or more of the steps 802 to 826 of the method 800 would then be repeated for each of the multiple user inputs that are received.
  • FIG. 7a illustrates an example user interface 600 in a randomised initial state comprising a keyboard type of arrangement.
  • the user interface 600 comprises a display 900 that displays intended user input, a plurality of operator buttons 902, 906 associated with different options for selection by the user and a randomisation button 910 to randomise the interface 600.
  • Some of the operator buttons are blank 902, some of the operator buttons comprise a number 906 and some operator buttons include the same option as another operator button.
  • a user may select an option by dragging the associated operator button 902, 906 into the required position 904, 908. For example, by dragging the blank operator button 902 into the first position 904, the number two on the display 900 may be replaced with a zero.
  • the number two on the display 900 may be completely removed and the number 3 shifted into that position.
  • By dragging the operator button 906 into the second position 908, the number three associated with that option 906 will be inserted between the number two and the zero on the display 900.
  • Figure 7b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state.
  • This user input may be the user input received to select one of the operator buttons 902, 906 as described above.
  • the user input was to drag the operator button 906 into the first position 902 such that the two on the display 900 was replaced with the three associated with the operator button 906 and the randomised initial state was changed to the new state.
  • the user input may be selection of the randomisation button 910 to randomise the interface 600, i.e. to provide a different randomised initial state.
  • the display 900 would remain unchanged.
  • the operator buttons 902 and 906 are associated with different options in the new state.
  • Figure 8a illustrates an example user interface 600 in a randomised initial state comprising a scroll bar type of arrangement.
  • the user interface 600 comprises a plurality of predetermined locations 913 associated with different options for selection by the user and operator buttons 912, 914 for use by the user to change the randomised initial state to a new state.
  • a user may select an option by tapping the predetermined location 913 associated with the intended option. For example, by tapping the predetermined location 913, the letter A would be selected.
  • Figure 8b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state.
  • the randomised initial state was changed to the new state as a result of the user selecting the left operator button 912 once.
  • Figure 8c illustrates the example user interface 600 in a further new state following receipt of another user input to change the current randomised initial state of Figure 8b to a new state.
  • the current randomised initial state is changed to the new state as a result of the user selecting the left operator button 912 three times.
  • the predetermined locations 913 are associated with different options in each new state. The user may continually use the operator buttons 912, 914 until an intended user input becomes available for selection.
  • Figure 9a illustrates an example user interface 600 in a randomised initial state comprising a reel type of arrangement.
  • the user interface 600 comprises a plurality of reels 926 associated with different options for selection by the user, a plurality of operator buttons 924 that each operate a particular reel 926 and a randomisation button 922 to randomise the interface 600.
  • a user may select an option by tapping the associated reel 926. For example, by tapping the reel 926, the number 4 would be selected.
  • Figure 9b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state.
  • the randomised initial state is changed to the new state as a result of the user selecting the operator button 924 that corresponds to the reel 926.
  • the reel 926 is associated with a different option (i.e. the number 7) in the new state.
  • Figure 9c illustrates the example user interface 600 in a further new state following receipt of another user input to change the current randomised initial state of Figure 9b to a new state.
  • the current randomised initial state is changed to the new state as a result of the user selecting the randomisation button 922 to randomise the interface 600, i.e. to provide a different randomised initial state.
  • each of the reels 926 is associated with a different option in this new state. The user may continually use the operator buttons 924 and/or the randomisation button 922 until an intended user input becomes available for selection.
  • a method according to the invention may be executed using software, which comprises instructions for causing a processor system to perform the method.
  • Software may only include those steps taken by a particular sub-entity of the system.
  • the software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory etc.
  • the software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet.
  • the software may be made available for download and/or for remote usage on a server.
  • a computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems. Any reference signs in the claims should not be construed as limiting the scope.
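
The flow of steps 802 to 822, applied to the reel arrangement of Figures 9a and 9b, as an added Python sketch that is not code from the patent. The class and function names, the session identifier, the single-use session handling and the constant-time comparison are assumptions made for illustration.

```python
import hmac
import secrets

DIGITS = "0123456789"


def expected_difference(reels, pin):
    """Difference between the randomised initial state and the predetermined
    user input: operator-button presses needed on each reel to show its digit."""
    return [(order.index(digit) - start) % len(order)
            for (order, start), digit in zip(reels, pin)]


class SecondEnvironment:
    """Secure side: holds the PIN, issues randomised states, checks differences."""

    def __init__(self, pin):
        self._pin = pin
        self._rng = secrets.SystemRandom()
        self._sessions = {}  # session id -> [(reel order, start index), ...]

    def provide_initial_state(self):
        """Step 802: one randomly ordered, randomly positioned reel per digit."""
        reels = []
        for _ in self._pin:
            order = list(DIGITS)
            self._rng.shuffle(order)
            reels.append((order, self._rng.randrange(len(order))))
        session_id = secrets.token_hex(8)  # assumed session handle
        self._sessions[session_id] = reels
        return session_id, len(reels)

    def glyph_shown(self, session_id, reel, presses):
        """Stand-in for the bitmap the user sees on a reel after `presses`
        presses. The first environment renders it but never interprets it."""
        order, start = self._sessions[session_id][reel]
        return order[(start + presses) % len(order)]

    def authenticate(self, session_id, difference):
        """Steps 820-822: compare the received difference with the expected one."""
        reels = self._sessions.pop(session_id, None)  # assumed: state is single use
        if reels is None:
            return False
        expected = bytes(expected_difference(reels, self._pin))
        received = bytes(d % len(DIGITS) for d in difference)
        return hmac.compare_digest(expected, received)


class FirstEnvironment:
    """Untrusted side: counts operator-button presses per reel (steps 806-814)."""

    def __init__(self, reel_count):
        self.presses = [0] * reel_count

    def press_operator_button(self, reel):
        self.presses[reel] += 1

    def determined_difference(self):
        """Step 810: the only value that leaves the first environment."""
        return list(self.presses)


def user_enters(secure, session_id, reel_count, intended):
    """Simulate the human: advance each reel until the intended digit is shown."""
    ui = FirstEnvironment(reel_count)
    for reel, digit in enumerate(intended):
        for _ in range(len(DIGITS)):
            if secure.glyph_shown(session_id, reel, ui.presses[reel]) == digit:
                break
            ui.press_operator_button(reel)
    return ui.determined_difference()


if __name__ == "__main__":
    env = SecondEnvironment("4071")  # constructed sample PIN
    for attempt in range(2):
        sid, count = env.provide_initial_state()
        diff = user_enters(env, sid, count, "4071")
        print("difference sent:", diff, "authenticated:", env.authenticate(sid, diff))
```

Running it twice with the same PIN normally prints two different press counts, which is the property the description relies on: the transmitted difference only has meaning relative to the randomised initial state held in the second environment.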

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

There is provided a method, apparatus and system for processing a user input. A randomised initial state is rendered (806) on a user interface (600). A user input is received (808) to change the randomised initial state to a new state. The difference between the initial state and the new state is determined (810) and the user input is processed (820) based on the determined difference.

Description

Method, apparatus and system for processing a user input
TECHNICAL FIELD OF THE INVENTION
The invention relates to a method, apparatus and system for receiving and processing a user input.
BACKGROUND OF THE INVENTION
In view of the advances in electronic communications, there are currently many situations that require user input to be retrieved securely from a user interface. The processing of a user input is generally carried out in an encrypted domain to prevent attackers accessing private data. However, even in the case where a user input is processed in an encrypted domain or where encrypted values are used, it is difficult to obtain the user input securely at the user interface.
In particular, before the user input reaches the encrypted domain where it is processed, the user input is vulnerable to attackers. An attacker that intercepts the user input at the user interface before it has reached the encrypted domain is able to obtain the user input. Similarly, output from the encrypted domain that is sent to the user interface can also be obtained by attacker interception. As the attacker is able to intercept the user input and/or output, it is possible that the attacker will obtain enough information to allow a determination to be made of the encryption that is used. For example, the attacker may intercept and modify the user input. This leaves the private data vulnerable to attack as well.
One example of this type of security breach can be observed in an approach such as the Secure Virtual Machine (SVM). In this approach, computation is performed using encrypted values instead of operators that would reveal their functionality. The operators are hidden through use of tables comprising anonymous operators and are applied to encrypted data to provide an encrypted result. However, the approach still requires data input by the user to be processed and, ultimately, some result is output to the user. For practical purposes, the input and the output are plain (i.e. the input and the output are not encrypted) and can thus be intercepted by an attacker. This same problem arises in many other approaches outside the SVM context that require user input. The problem described is particularly apparent on devices that do not have an exclusive purpose. For example, a smart phone may host many applications from arbitrary origins that may be allowed to subscribe to keyboard or touch screen events. This provides an attacker with an easy way to intercept user input obtained from such events. The same problem is also apparent on many other devices.
An existing method that aims to overcome these disadvantages involves the user entering a certain input on a separate device which then performs encryption and presents the user with a secure result that can then be input by the user into the user interface itself. This method is currently popular in banking applications. However, the method requires the user to carry a separate device with them since the user is unable to access their private information without this separate device.
Therefore, it would be advantageous to provide an improved method, apparatus and system for receiving and processing a user input that maintains a high level of security.
EP 2597590 A2 discloses a method for processing a user input that comprises rendering a randomised initial state on a user interface, and authenticating the user when the user has rearranged it to match a previously set authentication arrangement. The aim of this method is to protect against "shoulder surfing". EP 2597590 A2 is not concerned with protecting against attackers that run their own applications on the device to try to intercept the user input.
SUMMARY OF THE INVENTION
It would be advantageous to provide a secure method, apparatus and system for receiving and processing a user input received from a user interface that overcomes the disadvantages mentioned above. The invention provides this by obtaining a user input from a user interface in an indirect way that is not easily intercepted or interpreted by an attacker (whether that be a person or a machine).
Various aspects and embodiments of the invention are set out in the following statements.
Statement 1. A method for processing a user input, the method comprising the steps of:
a) rendering a randomised initial state on a user interface;
b) receiving a user input to change the randomised initial state to a new state;
c) determining the difference between the initial state and the new state; and
d) processing the user input based on the determined difference.
Statement 2. A method as defined in statement 1, wherein steps (a), (b) and (c) are performed in a first environment and wherein step (d) is performed in a second environment different to the first environment.
Statement 3. A method as defined in statement 2, the method further comprising the step of: providing a randomised initial state prior to the step of rendering said randomised initial state on the user interface; and
wherein the step of providing the randomised initial state is performed in the second environment.
Statement 4. A method as defined in statement 2 or 3, wherein the second environment is more secure than the first environment.
Statement 5. A method as defined in statement 2, 3 or 4, wherein the first environment and the second environment are located in a single device.
Statement 6. A method as defined in statement 2, 3 or 4, wherein the first environment is located in a first device and the second environment is located in a second device different to the first device.
Statement 7. A method as defined in statement 5 or 6, wherein the single device, the first device or the second device is a mobile terminal, a personal computer, an automated teller machine, a payment terminal or a server.
Statement 8. A method as defined in any of statements 2 to 7, the method further comprising the step of:
transmitting the determined difference between the initial state and the new state from the first environment to the second environment.
Statement 9. A method as defined in any preceding statement, the method further comprising the step of:
storing the determined difference between the initial state and the new state.
Statement 10. A method as defined in any preceding statement, wherein the step of processing the user input based on the determined difference comprises:
comparing the determined difference to a difference between the randomised initial state and a predetermined user input.
Statement 11. A method as defined in statement 10, wherein the predetermined user input comprises a password or a personal identification number (PIN).
Statement 12. A method as defined in statement 10 or 11, the method further comprising the step of:
authenticating the user based on the comparison.
Statement 13. A method as defined in any preceding statement, wherein the randomised initial state and the new state each comprise a random arrangement of input options for the user.
Statement 14. A method as defined in statement 13, wherein the input options comprise one or more characters, numerical digits, symbols, pictures, film and/or blanks.
Statement 15. A method as defined in any preceding statement, wherein the randomised initial state is unconventional, disordered and/or incomplete.
Statement 16. A method as defined in any preceding statement, wherein the user interface comprises at least one physical component and/or at least one software component for receiving the user input.
Statement 17. A method as defined in statement 16, wherein the at least one physical component comprises at least one of a keyboard, mouse, camera, microphone, handle, slider and button and wherein the at least one software component comprises at least one of a touchpad, keypad, keyboard, a scroll bar, a scroll wheel, a rotating dial, a reel, or predetermined locations displayed on a touch screen.
Statement 18. A method as defined in any preceding statement, wherein the user input comprises one or more instructions and wherein the difference between the initial state and the new state comprises at least one of a particular instruction, a total number of instructions and/or a particular order of instructions.
Statement 19. A method as defined in statement 18, wherein the one or more instructions comprise at least one of a gesture on a touch screen, a gesture in front of a camera and a voice control into a microphone.
Statement 20. A method as defined in statement 19, wherein the gesture on the touch screen comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, and a tracking operation.
Statement 21. A method as defined in statement 19, wherein the gesture in front of the camera comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right.
Statement 22. A method as defined in any preceding statement, wherein the step of receiving a user input to change the randomised initial state to a new state comprises receiving a plurality of user inputs to change the randomised initial state to a new state.
Statement 23. A method as defined in statement 22, wherein steps (b) to (d) are repeated for each of the plurality of user inputs.
Statement 24. A method as defined in any preceding statement, wherein the step of rendering a randomised initial state on a user interface comprises rendering a randomised initial state on a plurality of user interfaces.
Statement 25. A method as defined in any preceding statement, wherein the step of receiving a user input to change the randomised initial state to a new state comprises:
receiving at least one user input to render a different randomised initial state.
Statement 26. A method as defined in statement 25, the method further comprising the step of: for each of said at least one user inputs received, rendering a different randomised initial state until receipt of a user input indicating acceptance of the randomised initial state.
Statement 27. A method as defined in statement 26, wherein the user input indicating acceptance of the randomised initial state is a user input to change the randomised initial state to a new state.
Statement 28. An apparatus for processing a user input, the apparatus comprising a user interface and one or more processors configured to:
a) render a randomised initial state on a user interface;
b) receive a user input to change the randomised initial state to a new state;
c) determine the difference between the initial state and the new state; and
d) process the user input based on the determined difference.
Statement 29. An apparatus as defined in statement 28, the apparatus comprising a first processor configured according to (a), (b) and (c) and a second processor configured according to step (d).
Statement 30. An apparatus as defined in statement 29, wherein the second processor is further configured to provide the randomised initial state for rendering by the first processor on the user interface.
Statement 31. An apparatus as defined in statement 29 or 30, wherein the second processor is more secure than the first processor.
Statement 32. An apparatus as defined in statement 29, 30 or 31, wherein the first processor and the second processor are located in a single device.
Statement 33. An apparatus as defined in statement 29, 30 or 31, wherein the first processor is located in a first device and the second processor is located in a second device different to the first device.
Statement 34. An apparatus as defined in statement 32 or 33, wherein the single device, the first device or the second device is a mobile terminal, a personal computer, an automated teller machine, a payment terminal or a server.
Statement 35. An apparatus as defined in any of statements 29 to 34, the apparatus further comprising:
a communication unit configured to transmit the determined difference between the initial state and the new state from the first environment to the second environment.
Statement 36. An apparatus as defined in any of statements 28 to 35, the apparatus further comprising:
a storage unit configured to store the determined difference between the initial state and the new state.
Statement 37. An apparatus as defined in any of statements 28 to 35, wherein the processor configured to process the user input based on the determined difference is configured to:
compare the determined difference to a difference between the randomised initial state and a predetermined user input.
Statement 38. An apparatus as defined in statement 37, wherein the predetermined user input comprises a password or a personal identification number (PIN).
Statement 39. An apparatus as defined in statement 37 or 38, the apparatus further comprising:
an authentication unit configured to authenticate the user based on the comparison.
Statement 40. An apparatus as defined in any of statements 28 to 39, wherein the randomised initial state and the new state each comprise a random arrangement of input options for the user.
Statement 41. An apparatus as defined in statement 40, wherein the input options comprise one or more characters, numerical digits, symbols, pictures, film and/or blanks.
Statement 42. An apparatus as defined in any of statements 28 to 41, wherein the randomised initial state is unconventional, disordered and/or incomplete.
Statement 43. An apparatus as defined in any of statements 28 to 42, wherein the user interface comprises at least one physical component and/or at least one software component for receiving the user input.
Statement 44. An apparatus as defined in statement 43, wherein the at least one physical component comprises at least one of a keyboard, mouse, camera, microphone, handle, slider and button and wherein the at least one software component comprises at least one of a touchpad, keypad, keyboard, a scroll bar, a scroll wheel, a rotating dial, a reel, or predetermined locations displayed on a touch screen.
Statement 45. An apparatus as defined in any of statements 28 to 44, wherein the user input comprises one or more instructions and wherein the difference between the initial state and the new state comprises at least one of a particular instruction, a total number of instructions and/or a particular order of instructions.
Statement 46. An apparatus as defined in statement 45, wherein the one or more instructions comprise at least one of a gesture on a touch screen, a gesture in front of a camera and a voice control into a microphone.
Statement 47. An apparatus as defined in statement 46, wherein the gesture on the touch screen comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, and a tracking operation.
Statement 48. An apparatus as defined in statement 46, wherein the gesture in front of the camera comprises at least one of an upward movement, a downward movement, a movement to the left, a movement to the right.
Statement 49. An apparatus as defined in any of statements 28 to 48, wherein the processor configured to receive a user input to change the randomised initial state to a new state is configured to receive a plurality of user inputs to change the randomised initial state to a new state.
Statement 50. An apparatus as defined in statement 49, wherein the one or more processors are configured to repeat steps (b) to (d) for each of the plurality of user inputs.
Statement 51. An apparatus as defined in any of statements 28 to 50, wherein the processor configured to render a randomised initial state on the user interface is configured to render the randomised initial state on a plurality of user interfaces.
Statement 52. An apparatus as defined in any of statements 28 to 51, wherein the processor configured to receive a user input to change the randomised initial state to a new state is configured to receive at least one user input to render a different randomised initial state on the user interface.
Statement 53. An apparatus as defined in statement 52, wherein for each of said at least one user inputs received, the processor is configured to render a different randomised initial state on the user interface until receipt of a user input indicating acceptance of the randomised initial state.
Statement 54. A method as defined in statement 53, wherein the user input indicating acceptance of the randomised initial state is a user input to change the randomised initial state to a new state.
Statement 55. A computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer, processor or control unit, the computer, processor or control unit is caused to perform the method of any of statements 1 to 27.
BRIEF DESCRIPTION OF THE DRAWINGS
Exemplary embodiments of the invention will now be described, by way of example only, with reference to the following drawings, in which:
Figure 1 is a schematic block diagram of a system 300 in accordance with an aspect of the invention;
Figure 2 is a schematic block diagram of a system 400 in accordance with an embodiment of the invention;
Figure 3 is a schematic block diagram of a system 500 in accordance with another embodiment of the invention;
Figure 4 is a schematic block diagram of a first environment 100;
Figure 5 is a schematic block diagram of a second environment 200;
Figure 6 is a schematic flow chart of a method 800 in accordance with an embodiment of the invention; and
Figures 7 to 9 are schematic block diagrams of a user interface 600 in accordance with various embodiments of the invention.
It should be noted that items which have the same reference numbers in different Figures, have the same structural features and the same functions, or are the same signals. Where the function and/or structure of such an item has been explained, there is no necessity for repeated explanation thereof in the detailed description.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figure 1 is a schematic block diagram of a system 300 in accordance with an aspect of the invention. The system 300 comprises a first environment 100 and a second environment 200. The first environment 100 and the second environment 200 are able to communicate with one another via a communication link 302. The communication link 302 may be a wireless communication link such as a Wi-Fi, Near Field Communication (NFC) or Bluetooth connection. Alternatively, the communication link 302 may be a wired communication link. The second environment 200 may be more secure than the first environment 100. For example, the first environment 100 may be an environment in which data is plain (i.e. unencrypted) and thus potentially susceptible to interception and interpretation by an attacker, whereas the second environment 200 may be an environment in which data is encrypted and thus more difficult or impossible for an attacker to intercept or interpret.
Figure 2 is a schematic block diagram of a system 400 in accordance with an embodiment of the invention in which the first environment 100 and the second environment 200 are located in a single device 402. The device 402 may be, for example, a mobile terminal, a personal computer, an automated teller machine, a payment terminal, a server, etc. With reference to Figure 2, the first environment 100 of the device 400 is the potentially unsecure environment in that data is plain (i.e. unencrypted) and the second environment 200 of the device 400 is the secure environment in that data is encrypted. For example, the device 400 may be a mobile terminal where the first environment 100 represents the application level and the second environment 200 represents the secure element (SE) level.
Figure 3 is a schematic block diagram of a system 500 in accordance with an alternative embodiment of the invention in which the first environment 100 is located in a first device 502 and the second environment 200 is located in a second device 504, which is different from the first device 502. The first device 502 and the second device 504 may be, for example, a mobile terminal, a personal computer, an automated teller machine, a payment terminal, a server, etc. In one embodiment, the first device 502 is a mobile terminal and the second device 504 is a server. In another embodiment, the first device 502 and the second device 504 are different mobile terminals. However, it will be understood that any combination of first and second devices is possible.
It will be understood that the invention can be implemented in either of the embodiments shown in Figures 2 and 3 and they will not be described separately.
Figure 4 is a schematic block diagram of the first environment 100 in accordance with an embodiment of the invention. The first environment 100 comprises a user interface 600 for receiving a user input and a first processor 602 for processing the user input. The first environment 100 also optionally comprises a storage unit 604 and a communication unit 606 for communicating with the second environment 200 via the communication link 302.
Figure 5 is a schematic block diagram of the second environment 200 in accordance with an embodiment of the invention. The second environment 200 comprises a second processor 702 for processing a user input. The second environment 200 also optionally comprises a storage unit 704, an authentication unit 706 for authenticating a user and a communication unit 708 for communicating with the first environment 100 via the communication link 302.
Figure 6 is a schematic flow chart of a method 800 in accordance with an embodiment of the invention. The method 800 will be described with reference to the first environment 100 illustrated in Figure 5 and the second environment 200 illustrated in Figure 6. It will be understood that the method 800 is applicable to any of the systems 300, 400 and 500 shown in Figures 1, 2 and 3. However, for the purposes of this description, the method will be described generally. Any references to the first environment 100 will be understood to apply to the first environment 100 in the single device 402 of Figure 2 or the first device 502 of Figure 3. Similarly, any references to the second environment 200 will be understood to apply to the second environment 200 in the single device 402 of Figure 2 or the second device 504 of Figure 3.
With reference to Figures 4, 5, and 6, the second processor 702 in the second environment 200 provides a randomised initial state to be rendered on the user interface 600 in the first environment 100 (step 802). However, it will be understood that the randomised initial state to be rendered on the user interface 600 may alternatively be provided by any other environment. The randomised initial state may comprise a random arrangement of options or functions. For example, the random arrangement may comprise one or more characters, numerical digits, symbols, pictures, films and/or a blank (i.e. where there is no option or function rendered).
The randomised initial state may be unconventional, disordered and/or incomplete. For example, the randomised initial state may be unconventional in the fact that it does not directly correlate with a standard arrangement of options or functions (such as the arrangement presented on a standardised keyboard). The randomised initial state may be disordered in the fact that one option may not logically follow on from the next. For example, if the options include characters, the randomised initial state may provide the characters in a non-sequential order (such as A... F... B... T... etc, as opposed to A... B... C... D... etc). The randomised initial state may be incomplete in the fact that there may be certain options or functions missing (i.e. options or functions that do not appear). Furthermore, it is advantageous if the randomised initial state is described in a format that is not easily interpretable, such that any difference to this state is not easily interpretable. For example, the character "A" may be presented as a bitmap instead of an ASCII character, or it may be described by a CAPTCHA, an image or animation that is designed to be human readable, but hard to analyse using computer programs.
The storage unit 704 in the second environment 200 may optionally store the provided randomised initial state (step 804). The storage unit 704 may store the randomised initial state securely through encryption by any suitable cryptographic protocol. The storage unit 704 may only store the randomised initial state for a predetermined amount of time for added security. For example, the storage unit 704 may be a temporal storage, say a volatile memory, such as RAM.
Example embodiments of the types of randomised initial states will be provided later.
The user interface 600 in the first environment 100 renders the randomised initial state for the user (step 806). The user provides an input to change the randomised initial state rendered on the user interface 600 to a new state. The user input may be provided in a number of ways, some of which will be described here. However, it will be understood that any suitable user input device could be used to provide the user input.
For example, the user interface may comprise one or more components that the user is able to operate to provide a user input. The one or more components will have a different semantic meaning depending on a particular option or function to which they relate.
The particular option or function to which the one or more components relate is determined by the randomised initial state. Each component is temporarily mapped to a particular option or function that is determined by the randomised initial state. Where a user input is received to change the randomised initial state rendered on the user interface 600 to a new state, one or more of the components will be provided with a different semantic meaning and thus relate to a different option or function than they did in the randomised initial state. This different option or function is determined by the new state.
In one embodiment, the user interface 600 may include software components that the user accesses to provide the user input. For example, the user interface 600 may be a touch screen and the user input could be provided directly to the touch screen by way of virtually displayed operation tools such as one or more touchpads, keypads, keyboards, scroll bars, scroll wheels, rotating dials, reels, buttons, sliders, and/or predetermined locations on the screen, etc. Alternatively, the user interface 600 may include physical components that the user operates to provide the user input. For example, the user input could be provided to one or more of a physical keyboard, mouse, camera, microphone, handle, slider, and/or button, etc.
In some embodiments, more than one user interface 600 may be provided to render the randomised initial state. For example, the user interface 600 may comprise a combination of one or more software and/or physical components.
The user is able to provide one or more instructions to the user interface 600 to change the randomised initial state to a new state. For example, the user may provide one or more instructions by providing a gesture on a touch screen, a gesture in front of a camera, a voice control into a microphone, or a change in the orientation of the user interface.
The gesture on the touch screen may be an acceleration detected in any direction. For example, the gesture may comprise an upward movement, a downward movement, a movement to the left, a movement to the right, a dragging operation, a swiping operation, a tapping operation, a tracking operation, etc, or any combination of gestures. Similarly, the gesture in front of the camera may be an acceleration detected in any direction. For example, the gesture may comprise an upward movement, a downward movement, a movement to the left, a movement to the right, etc, or any combination of gestures. The voice control into the microphone may, for example, be the user speaking instructions to implement the change from the randomised initial state to the new state that they require. The change in orientation of the user interface may involve one or more actions such as tilting, shaking, flipping, etc. For example, in the embodiments shown in Figures 2 and 3, this may be achieved by performing the action on the device 402 or 502 comprising the interface 600. Although certain examples for the type of user input are provided, it will be understood that the input is not limited to these examples and that any other suitable input may be used.
It will be understood that the change from the randomised initial state to the new state could involve any number of changes. However, some possible examples are a change in the order of the options or functions rendered, an addition of an option or function to those rendered, the removal of an option or function from those rendered, entering a blank (i.e. where there is no option or function rendered), or similar.
In the case of an incomplete randomised initial state (for example, where certain options or functions do not appear), the user input may simply be an input to render a different randomised initial state. For example, the user may request a different randomised initial state where the option or function that the user requires is not present in the current randomised initial state. The user input to render a different randomised initial state may be received by any suitable form of input device. For example, there may be a designated button that the user can operate to instruct that the initial state is randomised again.
The user may continue this process until the required options or functions are present in the randomised initial state. Thus, for each user input that is received to render a different randomised initial state, a different randomised initial state may be provided to and rendered on the user interface 600 until receipt of a user input indicating acceptance of the randomised initial state. The user input indicating acceptance of the randomised initial state may, for example, be a user input to change the randomised initial state rendered on the user interface 600 to a new state (which will be explained in more detail below). In other words, the user input indicating acceptance of the randomised initial state may simply be the user selecting an input that indicates that the state is to be used. Alternatively, the user input indicating acceptance of the randomised initial state may involve a separate command. For example, there may be a designated virtual or physical button that the user can operate to indicate acceptance of the randomised initial state. Each randomised initial state generated may be at least partially different from the previous state.
The first processor 602 in the first environment 100 receives the user input to change the randomised initial state rendered on the user interface 600 to a new state (step 808). Example embodiments of the change in the randomised initial state to the new state will also be provided later.
The first processor 602 in the first environment 100 determines the difference between the initial state and the new state following receipt of the user input to change the initial state to the new state (step 810). For example, the difference may comprise a particular instruction (such as dragging operation), a total number of instructions (such as three upwards movements) and/or a particular order of instructions (such as an upward movement followed by a dragging operation). Thus, it is possible that the difference may include a sequence of indicated changes. Although examples have been provided for the difference between the initial state and the new state that may be determined, it will be understood that any other differences may be realised.
The storage unit 604 in the first environment 100 may optionally store the determined difference between the initial state and the new state (step 812). The stored determined difference between the initial state and the new state may be encrypted by any suitable cryptographic protocol to increase security. Alternatively or in addition, the storage unit 704 may only store the determined difference between the initial state and the new state for a predetermined amount of time for added security. For example, the storage unit 704 may be a temporal storage, say a volatile memory, such as RAM.
The communication unit 606 in the first environment 100 may transmit the determined difference between the initial state and the new state to the second environment 200 via the communication link 302 (step 814). The communication unit 708 in the second environment 200 then receives the determined difference between the initial state and the new state from the first environment 100 (step 816).
The storage unit 704 in the second environment 200 may optionally store the determined difference between the initial state and the new state (step 818). The stored determined difference between the initial state and the new state may be encrypted by any suitable cryptographic protocol to increase security. Alternatively or in addition, the storage unit 704 may only store the determined difference between the initial state and the new state for a predetermined amount of time for added security.
The second processor 702 in the second environment 200 processes the user input based on the determined difference to determine intended user information (step 820). For example, the second processor 702 in the second environment 200 may process the user input by comparing the determined difference between the initial state and the new state to a difference between the randomised initial state and a predetermined user input. The predetermined user input may, for example, be a password, a personal identification number (PIN) or the like. Alternatively, the second processor 702 in the second environment 200 may use the determined difference between the initial state and the new state to determine an amount that the user wishes to pay in a transaction or a telephone number that the user wishes to communicate.
In this way, intended user information that the user wishes to securely pass to a selected system or application (here, in the second environment 200) is obtained from the user interface and provided to the system or application in an indirect way that is not easily intercepted or interpreted by an attacker (whether that be a person or a machine). It is the determined difference that is processed at the selected system or application to determine the intended user information and thus it is not necessary to construct the intended user information prior to this, meaning that the intended user information is kept private and provided securely to the selected system or application.
For example, an initial state consisting of a number of preferably hard to interpret bitmaps is rendered to a user in a first environment. The user rearranges the bitmaps, and the rearranging steps (the difference) are provided to a second environment. As in the first environment the bitmaps are not interpreted, and differences to the randomized initial states carry no information without this interpretation, an attacker that observes the first environment does not learn the intended user information that is provided to the second environment without obtaining and interpreting the bitmaps.
A particular example will now be described where the invention is applied in an authentication application. However, it will be understood that this example is not restrictive and the invention has application in other areas, as mentioned earlier.
In this example, the authentication unit 706 in the second environment 200 authenticates the user based on the comparison of the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input (step 822). The authentication unit 706 in the second environment 200 may transmit a notification to the first environment 100 to be provided to the user indicating whether the authentication has been successful or has failed (step 824). For example, if the authentication unit 706 in the second environment 200 determines from the comparison that the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input are consistent, the authentication unit 706 will indicate that authentication has been successful. On the other hand, if the authentication unit 706 in the second environment 200 determines from the comparison that the determined difference between the initial state and the new state and the difference between the randomised initial state and a predetermined user input are inconsistent, the authentication unit 706 will indicate that authentication has failed.
As discussed previously, there may be a plurality of user inputs received to change the randomised initial state. In this case, the authentication procedure may be repeated for each user input that is received and thus each corresponding difference between the initial state and the new state that is determined.
The communication unit 606 in the first environment 100 may receive the notification from the second environment 200 via the communication link 302 (step 826). The notification may be, for example, a message for display on a screen, an audio sound for rendering by a speaker, or similar.
As mentioned previously, the use of the invention in authentication is merely one example of its application and is not restrictive in any way. It will be understood that the invention also has application in other areas. Other examples may include a payment system in which the determined difference between the initial state and the new state is used to determine an amount that the user wishes to pay, or a messaging system in which the determined difference between the initial state and the new state is used to determine a telephone number that the user wishes to communicate.
It will be understood that the first processor 602 in the first environment 100 may receive multiple user inputs to change the randomised initial state rendered on the user interface 600 to a new state and that one or more of the steps 802 to 826 of the method 800 would then be repeated for each of the multiple user inputs that are received.
Some example embodiments of the types of randomised initial states and the change in the randomised initial state to the new state will now be provided with reference to Figures 7 to 9. However, it will be understood that many other embodiments are possible.
Figure 7a illustrates an example user interface 600 in a randomised initial state comprising a keyboard type of arrangement. The user interface 600 comprises a display 900 that displays intended user input, a plurality of operator buttons 902, 906 associated with different options for selection by the user and a randomisation button 910 to randomise the interface 600. Some of the operator buttons are blank 902, some of the operator buttons comprise a number 906 and some operator buttons include the same option as another operator button. In this example embodiment, a user may select an option by dragging the associated operator button 902, 906 into the required position 904, 908. For example, by dragging the blank operator button 902 into the first position 904, the number two on the display 900 may be replaced with a zero. Alternatively, the number two on the display 900 may be completely removed and the number 3 shifted into that position. By dragging the operator button 906 into the second position 908, the number three associated with that option 906 will be inserted between the number two and the zero on the display 900.
Figure 7b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state. This user input may be the user input received to select one of the operator buttons 902, 906 as described above. In the illustrated case, the user input was to drag the operator button 906 into the first position 902 such that the two on the display 900 was replaced with the three associated with the operator button 906 and the randomised initial state was changed to the new state.
Alternatively, the user input may be selection of the randomisation button 910 to randomise the interface 600, i.e. to provide a different randomised initial state. In this case, the display 900 would remain unchanged. As shown in Figure 7b, the operator buttons 902 and 906 are associated with different options in the new state.
Figure 8a illustrates an example user interface 600 in a randomised initial state comprising a scroll bar type of arrangement. The user interface 600 comprises a plurality of predetermined locations 913 associated with different options for selection by the user and operator buttons 912, 914 for use by the user to change the randomised initial state to a new state. In this example embodiment, a user may select an option by tapping the predetermined location 913 associated with the intended option. For example, by tapping the predetermined location 913, the letter A would be selected.
Figure 8b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state. In Figure 8b, the randomised initial state was changed to the new state as a result of the user selecting the left operator button 912 once.
Figure 8c illustrates the example user interface 600 in a further new state following receipt of another user input to change the current randomised initial state of Figure 8b to a new state. In Figure 8c, the current randomised initial state is changed to the new state as a result of the user selecting the left operator button 912 three times. As shown in Figure 8c, the predetermined locations 913 are associated with different options in each new state. The user may continually use the operator buttons 912, 914 until an intended user input becomes available for selection.
Figure 9a illustrates an example user interface 600 in a randomised initial state comprising a reel type of arrangement. The user interface 600 comprises a plurality of reels 926 associated with different options for selection by the user, a plurality of operator buttons 924 that each operate a particular reel 926 and a randomisation button 922 to randomise the interface 600. In this example embodiment, a user may select an option by tapping the associated reel 926. For example, by tapping the reel 926, the number 4 would be selected.
Figure 9b illustrates the example user interface 600 in a new state following receipt of a user input to change the randomised initial state to the new state. In Figure 9b, the randomised initial state is changed to the new state as a result of the user selecting the operator button 924 that corresponds to the reel 926. As shown in Figure 9b, the reel 926 is associated with a different option (i.e. the number 7) in the new state.
Figure 9c illustrates the example user interface 600 in a further new state following receipt of another user input to change the current randomised initial state of Figure 9b to a new state. In Figure 9c, the current randomised initial state is changed to the new state as a result of the user selecting the randomisation button 922 to randomise the interface 600, i.e. to provide a different randomised initial state. As shown in Figure 9c, the reels 926 are each associated with different options in this new state. The user may continually use the operator buttons 924 and/or the randomisation button 922 until an intended user input becomes available for selection.
The embodiments described with reference to Figures 7, 8 and 9 are provided for illustrative purpose only and it will be understood that other features described above may be applied to those embodiments alone or in combination.
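The authentication flow of steps 802 to 822, applied to the reel arrangement of Figure 9, is sketched below as an added example that is not part of the patent text. It assumes that each reel cycles through the digits 0 to 9, that one operator-button press advances a reel by one, and that the initial state is discarded after one attempt; all class and function names are hypothetical, and plain integers stand in for the hard-to-interpret bitmaps the description recommends.

```python
import hmac
import secrets

REEL_SIZE = 10  # assumption of this sketch: each reel cycles through 0-9


class SecondEnvironment:
    """Secure side (200): provides the initial state and interprets the difference."""

    def __init__(self, reference_pin):
        self._pin = [int(c) for c in reference_pin]  # predetermined user input
        self._initial = None  # held only until one attempt has been processed

    def provide_initial_state(self, state=None):
        # Steps 802/804: a fresh random start digit per reel. `state` lets a
        # caller fix the digits so that a demonstration is reproducible.
        if state is None:
            state = [secrets.randbelow(REEL_SIZE) for _ in self._pin]
        self._initial = list(state)
        return list(state)

    def authenticate(self, difference):
        # Steps 820/822: compare the received difference with the difference
        # between the initial state and the predetermined input.
        initial, self._initial = self._initial, None  # single use (assumption)
        if initial is None or len(difference) != len(initial):
            return False
        if not all(isinstance(d, int) and d >= 0 for d in difference):
            return False
        expected = bytes((p - s) % REEL_SIZE for p, s in zip(self._pin, initial))
        received = bytes(d % REEL_SIZE for d in difference)
        return hmac.compare_digest(expected, received)


class FirstEnvironment:
    """Untrusted side (100): renders the reels and records button presses."""

    def __init__(self, initial_state):
        self._shown = list(initial_state)  # stands in for the rendered bitmaps
        self._presses = [0] * len(initial_state)

    def shown(self):
        return list(self._shown)

    def press(self, reel):
        # Step 808: one press of operator button `reel` advances that reel.
        self._shown[reel] = (self._shown[reel] + 1) % REEL_SIZE
        self._presses[reel] += 1

    def difference(self):
        # Step 810: the difference is the press count per reel, not the digits.
        return list(self._presses)


def simulate_user(ui, pin):
    # The user reads each reel and presses until it shows the wanted digit.
    for reel, char in zip(range(len(ui.shown())), pin):
        while ui.shown()[reel] != int(char):
            ui.press(reel)
    return ui.difference()


def run_attempt(secure, typed_pin, state=None):
    ui = FirstEnvironment(secure.provide_initial_state(state))  # steps 802-806
    difference = simulate_user(ui, typed_pin)                   # steps 808-812
    return difference, secure.authenticate(difference)          # steps 814-822


if __name__ == "__main__":
    secure = SecondEnvironment("7302")  # constructed sample PIN
    for _ in range(3):
        # Same PIN, different difference on the wire for each random state.
        print(run_attempt(secure, "7302"))
```

Because the expected difference depends on the initial state, a difference recorded in one session does not authenticate against a later, different initial state.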
Many different ways of executing the method are possible, as will be apparent to a person skilled in the art. For example, the order of the steps can be varied or some steps may be executed in parallel. Moreover, in between steps other method steps may be inserted. The inserted steps may represent refinements of the method such as described herein, or may be unrelated to the method. Moreover, a given step may not have finished completely before a next step is started.
A method according to the invention may be executed using software, which comprises instructions for causing a processor system to perform the method. Software may only include those steps taken by a particular sub-entity of the system. The software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory etc. The software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet. The software may be made available for download and/or for remote usage on a server.
While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive; the invention is not limited to the disclosed embodiments. Variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims.
In the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
A computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems. Any reference signs in the claims should not be construed as limiting the scope.

Claims

CLAIMS:
1. A method for processing a user input, the method comprising the steps of:
a) rendering (806) a randomised initial state on a user interface (600);
b) receiving (808) a user input to change the randomised initial state to a new state;
c) determining (810) the difference between the initial state and the new state; and
d) processing (820) the user input based on the determined difference.
2. A method as claimed in claim 1, wherein steps (a), (b) and (c) are performed in a first environment (100) and wherein step (d) is performed in a second environment (200) different to the first environment (100).
3. A method as claimed in claim 2, the method further comprising the step of:
providing (802) a randomised initial state prior to the step of rendering said randomised initial state on the user interface (600); and
wherein the step of providing (802) the randomised initial state is performed in the second environment (200).
4. A method as claimed in claim 2 or 3, wherein the first environment (100) and the second environment (200) are located in a single device (402) or wherein the first environment (100) is located in a first device (502) and the second environment (200) is located in a second device (504) different to the first device.
5. A method as claimed in any preceding claim, wherein the step of processing the user input based on the determined difference comprises:
comparing the determined difference to a difference between the randomised initial state and a predetermined user input, and
authenticating (822) the user based on the comparison.
6. A method as claimed in any preceding claim, wherein the randomised initial state and the new state each comprise a random arrangement of input options for the user.
7. A method as claimed in any preceding claim, wherein the step of receiving a user input to change the randomised initial state to a new state comprises receiving a plurality of user inputs to change the randomised initial state to a new state and wherein steps (b) to (d) are repeated for each of the plurality of user inputs.
8. A method as claimed in any preceding claim, wherein the step of receiving a user input to change the randomised initial state to a new state comprises:
receiving at least one user input to render a different randomised initial state.
9. A method as claimed in claim 8, the method further comprising the step of:
for each of said at least one user inputs received, rendering a different randomised initial state until receipt of a user input indicating acceptance of the randomised initial state.
10. An apparatus for processing a user input, the apparatus comprising a user interface (600) and one or more processors (602, 702) configured to:
a) render a randomised initial state on a user interface (600);
b) receive a user input to change the randomised initial state to a new state;
c) determine the difference between the initial state and the new state; and
d) process the user input based on the determined difference.
11. An apparatus as claimed in claim 10, the apparatus comprising a first processor (602) configured according to (a), (b) and (c) and a second processor (702) configured according to step (d).
12. An apparatus as claimed in claim 11, wherein the second processor (702) is further configured to provide (802) the randomised initial state for rendering by the first processor on the user interface (600).
13. An apparatus as claimed in claim 11 or 12, wherein the first processor (602) and the second processor (702) are located in a single device (402) or wherein the first processor (602) is located in a first device (502) and the second processor (702) is located in a second device (504) different to the first device.
14. A computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer, processor or control unit, the computer, processor or control unit is caused to perform the method of any of claims 1 to 9.
PCT/EP2015/078134 2014-12-08 2015-12-01 Method, apparatus and system for processing a user input WO2016091645A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP14196758 2014-12-08
EP14196758.8 2014-12-08

Publications (1)

Publication Number Publication Date
WO2016091645A1 (en) 2016-06-16

Family

ID=52101064

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/078134 WO2016091645A1 (en) 2014-12-08 2015-12-01 Method, apparatus and system for processing a user input

Country Status (1)

Country Link
WO (1) WO2016091645A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120272311A1 (en) * 2009-11-06 2012-10-25 Christoph Althammer Method for authenticating a user on a computing unit
WO2012152995A1 (en) * 2011-05-06 2012-11-15 Nokia Corporation Method and apparatus for navigation-based authentication
EP2597590A2 (en) 2011-11-28 2013-05-29 Samsung Electronics Co., Ltd Method of authenticating password and portable device thereof

Similar Documents

Publication Publication Date Title
US9760707B2 (en) Unlocking electronic devices using touchscreen input gestures
EP3443724B1 (en) Web service picture passwords
KR101175042B1 (en) Method and apparatus for authenticating password of user device
US7149899B2 (en) Establishing a secure channel with a human user
EP3252637B1 (en) Mobile terminal privacy protection method, protection apparatus, and mobile terminal
CN106888202B (en) Authorized login method and device
US9430144B1 (en) Unlocking electronic devices with touchscreen input gestures
EP2443579A1 (en) Computing device with graphical authentication interface
CN108229956A (en) Network bank business method, apparatus, system and mobile terminal
EP3132621B1 (en) Mobile terminal control method, apparatus and system
US10846412B2 (en) Electronic device including display and method of encrypting and decrypting information
US10075430B2 (en) Method and system for efficient password input
GB2599057A (en) Terminal for conducting electronic transactions
CN107194268A (en) A kind of information processing method, device, computer installation and readable storage medium storing program for executing
CN108027853B (en) Multi-user strong authentication token
EP2466513B1 (en) Visual or touchscreen password entry
US20190377863A1 (en) Password input method, computer device and storage medium
US9667784B2 (en) Methods and devices for providing information in voice service
CN111679781A (en) Verification processing method, device, equipment and medium
CN104346161A (en) Information processing method and electronic equipment
US10803155B2 (en) Method and system for preventing unauthorized computer processing
CN103810415B (en) A kind of graphical passwords guard method
WO2016091645A1 (en) Method, apparatus and system for processing a user input
CN111279339B (en) Application locking method, terminal equipment and computer readable medium
KR101648779B1 (en) Method for secure text input in information terminal

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 15802106

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 15802106

Country of ref document: EP

Kind code of ref document: A1