WO2017059396A1 - Computer and method for transmitting confidential information in a network - Google Patents

Computer and method for transmitting confidential information in a network Download PDF

Info

Publication number
WO2017059396A1
WO2017059396A1 PCT/US2016/055066 US2016055066W WO2017059396A1 WO 2017059396 A1 WO2017059396 A1 WO 2017059396A1 US 2016055066 W US2016055066 W US 2016055066W WO 2017059396 A1 WO2017059396 A1 WO 2017059396A1
Authority
WO
WIPO (PCT)
Prior art keywords
ftof
data
input data
ipom
client computer
Prior art date
Application number
PCT/US2016/055066
Other languages
French (fr)
Inventor
Jonathan A. Clark
Ruth XOVOX
Original Assignee
Clark Jonathan A
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Clark Jonathan A filed Critical Clark Jonathan A
Publication of WO2017059396A1 publication Critical patent/WO2017059396A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • This disclosure relates generally to the technical field of data security, and in one example embodiment, this disclosure relates to a method, apparatus and system for use of token to process confidential information in a system.
  • PAN primary account number
  • SSN social security numbers
  • PCI Payment Card Industry
  • a security application (“SA") in the CC receives confidential data in a first type of field (“FTOF") designated as unsavable, which data is only temporary stored in an isolated portion of the memory (“IPOM”) while in secure transit to the server, and which data is purged from IPOM after SA session termination, to comply with a security standard ("SS").
  • the FTOF is disabled from receiving input data from the input/output devices "(IODs) coupled to the CC, except from an analog device.
  • the SA quashes any unauthorized attempt to access the IPOM and the SA will terminate if the quash fails.
  • IPOM Upon terminating any SA session, IPOM is purged.
  • Insecure applications can operate simultaneously with the SA, with no access to IPOM.
  • the CC optionally includes a randomizer module for a virtual keyboard GUI. Optional tokens are available from the token server.
  • Figures 1A-1B are functional block diagrams, according to one or more embodiments.
  • Figure 2A and 2B are block diagrams of a network with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
  • Figure 3A-3B are block diagrams of a computer and mobile device, respectively, for implementing the security application, according to one or more embodiments.
  • Figure 4 is an illustration of the display device of the client computer accepting savable and unsavable data via a keyboard and an analog I/O device and virtual keyboard GUI, respectively, for secure communication to a server using the security application, according to one or more embodiments.
  • Figures 5A-5B are an illustration of the virtual keyboard GUI in a client computer, and the memory space in the server computer, respectively, for the entry of unsavable data via the analog I/O device, according to one or more embodiments.
  • FIG. 6 is a flowchart of the security application for receiving savable and unsavable data via a keyboard and an analog I/O device of a client computer, for transmitting these data to a server, and for purging memory after terminating the security application session, according to one or more embodiments.
  • FIG. 1A-1B functional block diagrams are shown, according to one or more embodiments. Subsequent figures embody these functions, as subsequently described.
  • function block 110 selectively detunes a (client) computer to be a virtual dumb terminal, for at least a security application operation of secure and sensitive data entry of a particularly protected nature, whilst not actually rendering it 'dumb' but isolating activities protected by certain regulations and laws so that sophisticated and graphical implementations can be used by users, transparently with no additional hardware or other encumbrances whilst still achieving a 'dumb terminal' separation from other non protected network activities.
  • other solutions statically lock out the use of a computer for any other function or application other than secure data input, thus rendering a sophisticated and powerful computer unusable for many other tasks.
  • a secure application 102 software affectuates the selective detune function 110.
  • Trigger info 104 is provided by an administrator, a corporate end user, or a security standard.
  • Client computer ID 106 is input to provide security identification.
  • a standard compliant output 108 preventing the impermissible save of designated data is accomplished.
  • FIG. 2A a block diagram is shown of a network 200-A with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
  • Network 200 includes a client computer (“CC") 300 coupled to a local database 256, to a proxy server 202, and an optional subsequent processor 230, with an optional token server/ service 220 coupled to either the processor 230 or proxy server 202, and coupled via network 220 connections.
  • CC 300 can be a typical personal computer ("PC"), a workstation ("WS”), a mobile device, or a terminal coupled to a mainframe (not shown) at the customer site (e.g., a mail order telephone order ("MOTO”) call center).
  • Proxy server 202 can be either a dedicated server from a third -party remotely connected to a given client, or can be a software as a service (“SaaS”) server operated by a third-party with multiple unrelated clients being serviced thereon.
  • SaaS software as a service
  • CC 300 includes insecure applications (APPS) 260 and a security application (“SA”) 354 that operates on the processor, memory, and other components of the computer 300, as detailed in subsequent Figures 3A-3B.
  • Insecure apps 260 can be a browser 264, email (separate application or on browser 264), office productivity applications, other proprietary software applications, etc.
  • the SA 354 allows for the input of data that is permissible to be saved at the CC or at a downstream device (“Savable”), such as the proxy server 202.
  • Savable downstream device
  • the SA 354 also allows for the input of data that is impermissible to be saved at the CC or at a downstream device (“Unsavable”), such as the proxy server 202.
  • the exception to the unsavable data being recorded downstream is when an optional token server/ service 220 saves the unsavable data for an extended period of time, e.g., even after the SA is terminated, and renders a token back into system 200 for CC 300, database 256, proxy server 202, optional subsequent processor 230, etc. to use.
  • Randomized keypad entry (“RKE”) 310 is an analog input device (“AID”) that does not produce discrete ASCII digits that can be hacked, intercepted, reverse engineered, etc.
  • An example of the RKE 310 is provided in subsequent Figures 3-5, and in US patent application Ser. No. 15/272,427, filed September 21, 2016, entitled “Secure Electronic Keypad Entry,” by a same inventor in the current application, which said application is incorporated herein by reference in its entirety.
  • Proxy server 202 includes web pages and graphical user interfaces ("GUIs") for products and services 206, and also includes confidential information (INFO) requests 208 that would provide data entry pages, and defined fields in the data entry page.
  • GUIs graphical user interfaces
  • INFO confidential information
  • the fields can be defined as either a savable field (for data that can be saved locally), or an unsavable field (data that cannot be saved locally, e.g., after SA termination).
  • Communication channel 211 is for unsavable data to be communicated only from SA 354 in client 300 to proxy server 202. It is a one-way communication; and no unsavable data shall be returned to the client 300.
  • a communication channel 209 for a token and savable data can be passed between proxy server 202 and database 256 of CC 300, since neither the token nor the savable data contain the actual unsavable data itself.
  • Another channel for savable data is shown as 207, but it can be combined in one embodiment with the unsavable data 211. For example, a webpage form is populated in CC 300 via SA 354.
  • a communication link 205 for pass/ fail messaging is provided from optional subsequent processor 230 and CC 300. Communication links are shown travelling through the Internet 221, which also may be a local area network (“LAN”), Metro area network (“MAN”), etc.
  • LAN local area network
  • MAN Metro area network
  • FIG. 2B a block diagram is shown of a network 200-B with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
  • a consumer computer 300A with a browser 300 and an ASCII PAN 310 block therein communicates confidential information via CI channel to exchange 220 and to a proxy service 260 with an IP address PS of 260, which then exchanges a PAN CI with token service 262 for a token in return. Token service then passes PAN to merchant 264. Token is also communicated to website 201 with products and services page 262 and confidential information request 262 with an IP address of Ws of 260.
  • FIG. 3A-3B block diagrams are shown of a computer 300-A and a mobile device 300-B, respectively, for implementing the security application, according to one or more embodiments.
  • Computing device 300 includes components such as a processor 302 coupled to a memory 400, 305, and/or 312.
  • processor 302 can be a single or multiprocessor core, for processing data and instructions.
  • Memory 400, 305, and/or 312 are used for storing and providing information, data, and instructions, including in particular computer usable volatile memory 400, e.g. random access memory (RAM), and/or computer usable non-volatile memory 305 , e.g. read only memory (ROM), and/or a data storage 312, e.g., flash memory, or magnetic or optical disk or drive.
  • a security application (“SA") 354-A module, and an optional randomizer module 352 boht utilize instructions from memory 400 that are operated on processor 302.
  • Memory 400 includes an isolated portion of memory (“IPOM”) 452 that is designated for use by the FTOF in the SA for temporary storage of the input data received in a FTOF, and for any other unsavable information, whether it be parameter settings, buffers, data from other peripherals, such as touch screen 311, etc.
  • IPOM isolated portion of memory
  • the IPOM By having the IPOM as the one location (though it may be distributed physically around the PC, and in different types of memory in one embodiment, such as ROM 305 and data storage unit 312? , it is still a memory location and range of addresses that is designated and honored for being used for unsavable data associated with the FTOF. In this manner, it becomes easier to police the known IPOM memory locations from unauthorized access and to purge them when appropriate, e.g., upon SA termination.
  • Computing device 300- A also includes optional inputs, such as: alphanumeric input device 308, such as: a keyboard or touch screen with alphanumeric, function keys, object driven menus; a keypad button, a microphone with voice recognition software running on a processor, or any device allowing a player to respond to an input; or an optional cursor control device 310, aka analog input device ("AID”), such as a roller ball, trackball, mouse, etc., (a positional input/ output device (“PIOD”) for communicating user input information and command selections to processor 302; or an optional display device 350 coupled to bus 316 for displaying information, including a touch screen portion 311 for I/O; and an optional transmit (“Tx”) / receive (“Rx”) unit, aka transceiver, 314 for coupling system with external entities, such as a modem for enabling wired or wireless communications between system and an external network such as the Internet, a local area network (LAN), wide area network (WAN), virtual private network (VPN), etc.
  • AID analog
  • Coupling medium 316 of components can be any medium that communicates information, e.g., wired or wireless connections, electrical or optical, parallel or serial bus, etc.
  • Cursor control devices 310 and input devices 308 and like devices, while not an exhaustive list, are together referred to as I O devices ("IOD").
  • electronic device 300- A is used as a standalone device, e.g., for randomizing the security data interface ("SDI") and for accepting user ID and PW to access the electronic device 300-A itself, then randomizer 352, parameter registers 450, and display drivers 309, along with the aforementioned components of the device 300-A, are used to implement the display of the SDI via Tx/Rx device 314 (e.g., a display device output to display the SDI), and a similar or different Tx/Rx device 314 (via a touch screen input or a mouse input for a non-touch screen) to enter confidential information via the SDL displayed on the display.
  • Tx/Rx device 314 e.g., a display device output to display the SDI
  • Tx/Rx device 314 via a touch screen input or a mouse input for a non-touch screen
  • the computing device is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology.
  • electronic device 300-A can be a thin client, e.g., a dumb device, which only has a capability or is only used to a capability of displaying results and accepting inputs, e.g., not requiring comparator 342, randomizer 35, and parameter registers 450.
  • device 300-A would receive randomized SDI that was generated by enterprise server 201 of Figure 2, and display same on Tx/Rx device 314 (display device) as previously described.
  • Tx/Rx device 314 display device
  • the present technology may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
  • program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types.
  • the present technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer-storage media including memory-storage devices.
  • Electronic device 300 can be any device with an interface for displaying an SDI and receiving an input, including a wireless portable device, a mobile communication device, a mobile phone, or computer screen, a dumb terminal, a thin client, a watch, a server, etc.
  • Device 300-B is shown for implementing a randomizer module for the secure entry of data, according to one or more embodiments.
  • Device 300-B is a personal communication device in one embodiment that includes operational hardware such as a rake receiver 303 to receive signals from antennae 338 and communicate both the voice and DTMF 331 to baseband processor 306 with digital signal processing (DSP) 307, which provide the CODEC/MODEM functions for signal processing.
  • DSP digital signal processing
  • one or more signals may be provided by wired connection 336, such as Ethernet, coaxial, or optical cable, etc.
  • Baseband processor 306 is configured to provide only recognizable voice output 332 to audio amplifier 315, coupled thereto, in order to be compliant with not providing any incoming caller DTMF confidential information to the listener/ agent of communication device 300. This can be implemented in one of multiple methods. First, if the DTMF confidential information is provided via a separate channel from voice data to device 300, then the baseband processor can be configured either permanently or selectively to not combine the demodulated and/or decoded signals from the DTMF confidential information signal with the voice signal. If selectively done, then an application processor or other means could be programmed to allow only a company or person with administrative authorization to change.
  • the application processor can contain authorization and password protected software that configures the baseband processor to perform alternative techniques to render the DTMF tones unusable as previously described, such as tone flattening, superposition of random or superset of tones, etc.
  • SIMcard/ caller identification block 320 provides the identification features used by entity 160 of Figure IB-IE, via transmitter 304 and antennae 338 or cable 336, to verify the identity of the agent providing the service for the caller.
  • Keypad / display 500 coupled to baseband processor and application processor allows the agent / user of device 300 to input data and instructions to configure the system, open secure channel for completing the transaction.
  • randomizer 352 parameter registers 450, and display drivers 309, along with the aforementioned components of the device 300-B, are used to implement the display of the SDI via keypad display 500 (e.g., a display device output to display the SDI), and a similar or different I/O device 500 (via a touch screen input or a mouse or arrow buttons for a non-touch screen) to enter confidential information via the SDL displayed on the display.
  • keypad display 500 e.g., a display device output to display the SDI
  • I/O device 500 via a touch screen input or a mouse or arrow buttons for a non-touch screen
  • the computing device 300-B is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology.
  • electronic device 300-B can be a thin client, e.g., a dumb device, which only has a capability or is only used to a capability of displaying results and accepting inputs, e.g., not requiring comparator 342, randomizer 35, and parameter registers 450.
  • device 300-B would receive randomized SDI that was generated by enterprise server 201 of Figure 2, and display it on keypad / display 500 (display device) as previously described.
  • mobile device 300-B can use a standalone device that implements a randomized SDI to login to the device 300-B for accessing a WiFi Internet browser. Thereafter, device 300-B is used as a thin client to receive a randomized SDI from an external source, such as enterprise server 201 of Figure 2, to validate the user to access a financial account, or to purchase products at a website.
  • the randomized SDI can be very different for the standalone device versus the external server 201, based on the programmable variable randomization settings selected by the user or the host. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system.
  • FIG 4 an illustration is shown of the display device of the client computer accepting savable and unsavable data via a keyboard and an analog I/O device and virtual keyboard GUI, respectively, for secure communication to a server using the security application, according to one or more embodiments.
  • the GUI 400 is operated on SA 354 of Figure 2 to include FTOF 406 for unsavable data, e.g., social security number, primary account number ("PAN”) like a credit card number, medical information, etc.
  • FTOF 406 typically will use an analog input device, such as those specified in Figures 3 A and 3B. Shown here is a keypad for secure entry, which is a GUI itself.
  • the secure keypad 501 can move about the display window 310- A, move digits randomly that do not changed the rotation or shape of the keypad and therefore not be trackable, which is a condensed browser window in one embodiment.
  • Input to the secure keypad can be by a user's digit 413 on a touch screen, e.g., 311 of Figures 3A or 3B, or via an analog input such as a mouse 310-A. Because the input to the FTOF is by analog means and by a secure keypad, it is as good as impossible mathematically (according to standards that apply to something such as a token) for an unauthorized party to hack, reverse engineer, keystroke record, sniff, etc. any information from the data input operation by the user into form 400.
  • Input to the GUI 400 also includes second type of fields ("STOF") 404 for savable data, such as name, address, order, etc. Data entry into these fields can be form traditional I/O devices such as the keyboard 308-A and be transmitted to the SA by the RA.
  • STOF second type of fields
  • FIGS 5A-5B are an illustration of the virtual keyboard GUI in a client computer, and the memory space in the server computer, respectively, for the entry of unsaveable data via the analog I/O device, according to one or more embodiments.
  • Figure 5A shows a circular layout keypad 501-Cl operating per the secure keypad application 310 that couples to the SA 354, as shown in Figure 2A.
  • the digits are shown with anchor position 502-Cl for digit ⁇ ', with subsequent digits arranged in a clockwise ("CW") fashion.
  • the keypad 501-Cl embodiment of randomized SDIs remains static until a given quantity of digits, e.g., a first four digit sequence of a credit card (“CC”) PAN, which is entered via a mouse or touch screen.
  • CC credit card
  • the keypad moves to a new location, shown as dashed buttons, with anchor position 502-C2 disposed lower and further to the right on the screen 310-B. While the sequence direction remains the same (CW), and the starting point is the same, these variable can be programmed by the user to be different, as described in the "Secure Electronic Keypad Entry” case.
  • the enter (ENT) key is selected when complete.
  • Figure 5B shows a memory with randomized display data entries for SDI data components, according to one or more embodiment.
  • Memory 400-A1 disposed in another device such as the proxy server 202 of Figure 2, indicates the location in column (404) for a data component in column 406.
  • a value of "(X0, Y0) al” is shown for creating a button with the value of "0" on a display device, e.g., 350 of Figure 3A, to create a SDI image on a window, such as shown in Figures 5A.
  • the 'al' value denotes a given time or position, i.e., an initial anchor position of the '0' data component of the SDI (wherein '0' happens to be the anchor digit for the SDI), and other parameters for the data component, such as a key size created for the display of value ⁇ ' .
  • the same description applies to the balance of the data component population (1-9) for this particular choice of numbers as the data component for the SDI, to create a SDI image on a display device, as mentioned above.
  • the dashed table 410 behind table columns 404 and 406, illustrates the updated X, Y locations of the SDI and digits for the secure keypad.
  • both the CC 300 and the proxy server 202 of Figure 2 are synchronized, with the keypad only moving at designated times, between key entries.
  • Another embodiment will allow key entries on the secure keypad while in motion, however this would utilize a time-stamp or similar method to ensure the X, Y coordinates in the CC when a digit is entered, can be accurately mapped to the proxy server, which is also tracking the movement of the secure keypad location.
  • one of the secure keypads is slaved to the other, so that both know the location of the digits, especially when the movement of the keypads is truly random, and cannot be predicted.
  • the proxy server 202 could be driving the image of the secure keypad and transmit it to the CC 300, which then returns coordinates X, Y, as selected by a cursor controlled device, such as a mouse.
  • FIG. 6 is a flowchart 600 of the security application for receiving savable and unsavable data via a keyboard and an analog I/O device of a client computer, for transmitting these data to a server, and for purging memory after terminating the security application session, according to one or more embodiments.
  • Operation 602 instantiates a security application (“SA") 354 on the CC 300 of Figure 2.
  • SA includes a remote application (“RA") for the secure keypad entry to be used for a FTOF data entry in one embodiment.
  • the RA is configured to operate in conjunction with an opened browser 602-A shown as browser 264 in Figure 2, which then acts as the gateway to communication links 207 and 211 to reach proxy server 202.
  • the RA can be a plug-in, an add-on, or a browser help object (“BHO”) that is an extension for any of a wide variety of browser applications.
  • Operation 602 also implies that a SA 207' is opened in proxy server 202, in order to communicate with the SA 354 in CC 300, as exemplified by the secure keypad entry 310-B in Figure 5A in CC 300, corresponding to the memory locations 400- A 1 of the keypad digits for proxy server, as shown in Figure 5B.
  • nonsecure applications can be initiated, or continue to run, despite the SA being operational on CC 300, as shown in operations 602 through pointer B pointing to operation 628.
  • productivity of CC 300 is much higher than an application that effectively disables operation of many peripherals and other software for fear of compromising confidential data.
  • the operations herein of creating the IPOM, policing it, and purging it, for FTOF data entries, are referred to a zero day defense ("ZDD").
  • ZDD zero day defense
  • the ZDD allows the present disclosure to run both the secure and nonsecure applications with confidence. However, it remains that the IPOM is never accessible in the present embodiment to nonsecure applications 604-A.
  • an optional pull of data from the customer database (“DB"), e.g., 256 in Figure 2 with a token can be performed.
  • the token is originally generated and populated from a prior session and data gathering operation for a given customer or entity, as shown in step 624 and 624-A, described hereinafter.
  • the token refers to the unsavable and typically confidential information of a customer, such as a PAN or a SSN.
  • Other savable data such as customer address, or product preferences, may be saved with and associated with the token, in the DB 256 for faster processing by a client computer.
  • a field is identified for which a user is accessing.
  • a user, administrator, or standard champion has indicated what fields for a given data input form/ window will be unsavable or savable.
  • PCI Payment Card Industry
  • SSC Payment Card Industry Security Standards Council
  • Another example of field definition would be various medical conditions and patient identification per the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996.
  • HIPAA Health Insurance Portability and Accountability Act
  • operation 610 in inquiry determines whether an attempt to enter data in a FTOF, which is impermissible to save, has occurred. IF an attempt was not made to enter data in an FTOF, then operation 611 allows the input of data in a STOF (savable), which allows full access to non-FTOF memory.
  • the identification of the fields for unsaved data is defined in the SA software, and manifest their category when a user attempts to enter data, either by effectively accepting the input for a savable data field via keyboard 308-A, or by being ineffective by trying to use keyboard 308-A for entry in an unsavable field 406, such as credit card number (NO.), which would then prompt the appearance of a window 301-A with the secure keypad entry .
  • an unsavable field 406 such as credit card number (NO.)
  • the operation 614 creates an IPOM for the FTOF to reside temporarily, until it can be transmitted out of CC and to its destination, e.g., proxy server 202.
  • the IPOM can also be created in one embodiment upon instantiation of the SA in operation 602.
  • the IPOM can be a segregated physical memory in CC 300 architecture.
  • Operation 616 disables the FTOF in the SA from receiving data from an I O device except an analog input (IP) device, such as the secure keypad entry 301-A with mouse 310-A or touch screen entry, as shown in Figure 4.
  • IP analog input
  • other types of I/O device such as alphanumeric input 3087 of Figure 3A are not enabled to enter data into the FTOF. This is to prevent digital forms of data from being reverse engineered, sniffed, detected, etc., and then comprising confidential information deemed unsavable data.
  • data is received in the FTOF from the AID, as shown in Figure 4 and Figures 5A and 5B.
  • the information received can be either be confidential information 618-A or non-confidential information 618-B.
  • the SA or other application will police the CC for unauthorized attempts to access the IPOM, either to retrieve data, or to overwrite data.
  • the unauthorized accesses could be via the memory access controller, or by sniffing requests received at the CC 300.
  • the source of an unauthorized attempt to access FTOF unsavable data which is temporarily stored in memory, is an external threat, from an IP address outside of the known network with authorized communications, such as that shown in network 200 of Figure 2.
  • an unauthorized access can also be internal, e.g., malware or physical tracker devices coupled to the CC 300.
  • Operation 620 is constantly being monitored and executed during operation of the SA and entry of data into the FTOF.
  • operation 622 inquires whether more entries are desired. If more entries exist, either an incomplete form shown in Figure 4, or a new customer or transaction, then pointer A proceeds to operation 608 of identifying the field the user is accessing.
  • operation 624 transmits the data from CC 300 to proxy server 202 in Figure 2.
  • Operation 624-A provides an optional push of savable data to the customer DB 256 with a token, via channel 209, after being processed by optional token server/ service 220 coupled to either optional subsequent processor 230 or to proxy server 202.
  • the SA session with a given agent ID who is operating CC 300 is closed out or terminated, and the IPOM for the FTOF is purged. While the SA session is open, multiple customer entries can be performed. However, each customer or transaction entry proceeds until completion with the entry of an order or information into the proxy, and a pass/ fail message is communicated to the CC 300, per channel 205, shown in Figure 2. Only after a pass/fail message is received at the CC 300 can a subsequent customer or order be processed by the SA 354. During the time while the SA session is open, it can remain passively in the background, while nonsecure applications 604 are operated in the foreground. Thus, the present disclosure provides more efficient use of CC resources, while maintaining the security requirements of PCI or other standards' regarding confidential and unsavable data on the CC.
  • operation 628 allows no further access to the IPOM, regardless of the source, and despite the fact that IPOM has been purged. This is an additional and duplicative layer of security protection to ensure standards' compliance.
  • the prohibiting of access can arise from masking the IPOM addresses so they don't even appear visible to the memory access controller ("MAC") unless those addresses, which are disposed in the SA in one embodiment, are shared with the MAC when the SA is operational.
  • Functions or operations may include receiving, intercepting, processing, encoding, decoding, transmitting, converting, communicating, transforming, synchronizing, calculating, terminating, compiling, associating, and the like.
  • machine-readable medium includes any medium that is capable of storing, encoding, and/or carrying a set of instructions for execution by the computer or machine and that causes the computer or machine to perform any one or more of the methodologies of the various embodiments.
  • the “machine-readable medium” shall accordingly be taken to include, but not limited to, solid-state memories, optical and magnetic media, compact disc and any other storage device that can retain or store the instructions and information, e.g., only non-transitory tangible medium.
  • the present disclosure is capable of implementing methods and processes described herein using transitory signals as well, e.g., electrical, optical, and other signals in any format and protocol that convey the instructions, algorithms, etc. to implement the present processes and methods.
  • Exemplary computing systems such as a personal computer, minicomputer, mainframe, server, etc. that are capable of executing instructions to accomplish any of the functions described herein include components such as a processor, e.g., single or multiprocessor core, for processing data and instructions, coupled to memory for storing information, data, and instructions, where the memory can be computer usable volatile memory, e.g. random access memory (RAM), and/or computer usable non-volatile memory , e.g. read only memory (ROM), and/or data storage, e.g., a magnetic or optical disk and disk drive).
  • RAM random access memory
  • ROM read only memory
  • data storage e.g., a magnetic or optical disk and disk drive
  • Computing system also includes optional inputs, such as alphanumeric input device including alphanumeric and function keys, or cursor control device for communicating user input information and command selections to processor, an optional display device coupled to bus for displaying information, an optional input/output (I/O) device for coupling system with external entities, such as a modem for enabling wired or wireless communications between system and an external network such as, but not limited to, the Internet. Coupling of components can be accomplished by any method that communicates information, e.g., wired or wireless connections, electrical or optical, address/data bus or lines, etc.
  • I/O input/output
  • the computing system is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system.
  • the present technology may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
  • program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types.
  • the present technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer- storage media including memory- storage devices.
  • the present disclosure is applicable to any type of network including the Internet, an intranet, and other networks such as local are network (LAN); home area network (HAN), virtual private network (VPN), campus area network (CAN), metropolitan area network (MAN), wide area network (WAN), backbone network (BN), global area network (GAN), or an interplanetary Internet.
  • Communication media in the system can include wired, optical, wireless and other communication systems, e.g., voice over internet protocol (VOIP) that conveys data.
  • VOIP voice over internet protocol
  • the various devices, modules, encoders, decoders, receivers, transmitters, servers, wireless devices, internal commutation systems, computers, etc. described herein may be enabled and operated using hardware circuitry (e.g., CMOS based logic circuitry), firmware, software and/or any combination of hardware, firmware, and/or software (e.g., embodied in a machine readable medium).
  • the modules disclosed herein may be enabled using software programming techniques.
  • the various electrical structure and methods may be embodied using transistors, logic gates, and electrical circuits (e.g., application specific integrated ASIC circuitry and/or in Digital Signal; Processor DSP circuitry).

Abstract

A client computer ("CC") for securely routing confidential information ("CI") to a server. A security application ("SA") in CC receives confidential data in a first type of field ("FTOF") designated as unsavable, which data is only temporary stored in an isolated portion of the memory ("IPOM") while in secure transit to the server, and which data is purged from IPOM after SA session termination, to comply with a security standard ("SS"). The FTOF is disabled from receiving input data from the input/output devices "(IODs") coupled to the CC, except from an analog device. The SA quashes any unauthorized attempt to access the IPOM and the SA will terminate if the quash fails. Upon terminating any SA session, IPOM is purged. Insecure applications can operate simultaneously with the SA, with no access to IPOM. The CC optionally includes a randomizer module for a virtual keyboard GUI. Optional tokens available at server.

Description

Computer and Method for Transmitting Confidential Information In A Network
Jonathan A Clark and Ruth Xovox
FIELD OF TECHNOLOGY
[0001] This disclosure relates generally to the technical field of data security, and in one example embodiment, this disclosure relates to a method, apparatus and system for use of token to process confidential information in a system.
BACKGROUND
[0002] It is necessary to communicate confidential or private information electronically for an increasing number of personal and financial matters. For example, the Internet is used for purchasing products, executing investment decisions, checking status of financial accounts, accessing and entering data for health care and medical needs, etc. To access these accounts or to make purchases, secure data is entered in the form of primary account number ("PAN"), credit card information, social security numbers ("SSN") and other personal information. With the increase of privacy theft, and with the ability of hackers to compromise accounts seemingly quicker and easier, there is an increase in the need for reliable systems and methods for entering secure information.
[0003] One of the ways a local system can be compromised is with a keystroke recorder and other device that records the data being entered by the user at their home or office. Thus, even before the data enters the Internet via a Wi-Fi hotspot, or an edge server, the data may be already compromised. In fact, the Payment Card Industry (PCI) has banned use of keyboards and keypads for entry of sensitive and confidential information.
[0004] xxx
SUMMARY [0005] An electronic device, method, and system for securely routing confidential information ("CI") from a client computer ("CC") to a server. A security application ("SA") in the CC receives confidential data in a first type of field ("FTOF") designated as unsavable, which data is only temporary stored in an isolated portion of the memory ("IPOM") while in secure transit to the server, and which data is purged from IPOM after SA session termination, to comply with a security standard ("SS"). The FTOF is disabled from receiving input data from the input/output devices "(IODs") coupled to the CC, except from an analog device. The SA quashes any unauthorized attempt to access the IPOM and the SA will terminate if the quash fails. Upon terminating any SA session, IPOM is purged. Insecure applications can operate simultaneously with the SA, with no access to IPOM. The CC optionally includes a randomizer module for a virtual keyboard GUI. Optional tokens are available from the token server.
BRIEF DESCRIPTION OF THE VIEW OF DRAWINGS
[0006] Example embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
[0007] Figures 1A-1B are functional block diagrams, according to one or more embodiments.
[0008] Figure 2A and 2B are block diagrams of a network with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
[0009] Figure 3A-3B are block diagrams of a computer and mobile device, respectively, for implementing the security application, according to one or more embodiments.
[0010] Figure 4 is an illustration of the display device of the client computer accepting savable and unsavable data via a keyboard and an analog I/O device and virtual keyboard GUI, respectively, for secure communication to a server using the security application, according to one or more embodiments. [0011] Figures 5A-5B are an illustration of the virtual keyboard GUI in a client computer, and the memory space in the server computer, respectively, for the entry of unsavable data via the analog I/O device, according to one or more embodiments.
[0012] Figure 6 is a flowchart of the security application for receiving savable and unsavable data via a keyboard and an analog I/O device of a client computer, for transmitting these data to a server, and for purging memory after terminating the security application session, according to one or more embodiments.
[0001] Other features of the present embodiments will be apparent from the accompanying drawings and from the detailed description that follows.
DETAILED DESCRIPTION
[0013] A method, apparatus and system for the secure entry of confidential information on an electronic keypad is disclosed. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the various embodiments. It will be evident, however to one skilled in the art that various embodiments may be practiced without these specific details.
[0014] Referring now to Figures 1A-1B, functional block diagrams are shown, according to one or more embodiments. Subsequent figures embody these functions, as subsequently described.
[0015] In Figure 1A, function block 110 selectively detunes a (client) computer to be a virtual dumb terminal, for at least a security application operation of secure and sensitive data entry of a particularly protected nature, whilst not actually rendering it 'dumb' but isolating activities protected by certain regulations and laws so that sophisticated and graphical implementations can be used by users, transparently with no additional hardware or other encumbrances whilst still achieving a 'dumb terminal' separation from other non protected network activities. In comparison, other solutions statically lock out the use of a computer for any other function or application other than secure data input, thus rendering a sophisticated and powerful computer unusable for many other tasks. In comparison, the present disclosure only selectively detunes portions of the computer over a given period of time, thus rendering the computer much more useful to a user and the company and ensuring individuals with specifically high risk functions maintain both a better response time, user experience and the company is only required to maintain and purchase a single device. Specifically, a secure application 102 software affectuates the selective detune function 110. Trigger info 104 is provided by an administrator, a corporate end user, or a security standard. Client computer ID 106 is input to provide security identification. As a result of using the present function, a standard compliant output 108 preventing the impermissible save of designated data is accomplished.
[0016] Referring now to Figure 2A, a block diagram is shown of a network 200-A with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
[0017] Network 200 includes a client computer ("CC") 300 coupled to a local database 256, to a proxy server 202, and an optional subsequent processor 230, with an optional token server/ service 220 coupled to either the processor 230 or proxy server 202, and coupled via network 220 connections. CC 300 can be a typical personal computer ("PC"), a workstation ("WS"), a mobile device, or a terminal coupled to a mainframe (not shown) at the customer site (e.g., a mail order telephone order ("MOTO") call center). Proxy server 202 can be either a dedicated server from a third -party remotely connected to a given client, or can be a software as a service ("SaaS") server operated by a third-party with multiple unrelated clients being serviced thereon.
[0018] CC 300 includes insecure applications (APPS) 260 and a security application ("SA") 354 that operates on the processor, memory, and other components of the computer 300, as detailed in subsequent Figures 3A-3B. Insecure apps 260 can be a browser 264, email (separate application or on browser 264), office productivity applications, other proprietary software applications, etc. The SA 354 allows for the input of data that is permissible to be saved at the CC or at a downstream device ("Savable"), such as the proxy server 202. The SA 354 also allows for the input of data that is impermissible to be saved at the CC or at a downstream device ("Unsavable"), such as the proxy server 202. The exception to the unsavable data being recorded downstream is when an optional token server/ service 220 saves the unsavable data for an extended period of time, e.g., even after the SA is terminated, and renders a token back into system 200 for CC 300, database 256, proxy server 202, optional subsequent processor 230, etc. to use.
[0019] Randomized keypad entry ("RKE") 310 is an analog input device ("AID") that does not produce discrete ASCII digits that can be hacked, intercepted, reverse engineered, etc. An example of the RKE 310 is provided in subsequent Figures 3-5, and in US patent application Ser. No. 15/272,427, filed September 21, 2016, entitled "Secure Electronic Keypad Entry," by a same inventor in the current application, which said application is incorporated herein by reference in its entirety.
[0020] Proxy server 202 includes web pages and graphical user interfaces ("GUIs") for products and services 206, and also includes confidential information (INFO) requests 208 that would provide data entry pages, and defined fields in the data entry page. The fields can be defined as either a savable field (for data that can be saved locally), or an unsavable field (data that cannot be saved locally, e.g., after SA termination).
[0021] Communication channel 211 is for unsavable data to be communicated only from SA 354 in client 300 to proxy server 202. It is a one-way communication; and no unsavable data shall be returned to the client 300. A communication channel 209 for a token and savable data can be passed between proxy server 202 and database 256 of CC 300, since neither the token nor the savable data contain the actual unsavable data itself. Another channel for savable data is shown as 207, but it can be combined in one embodiment with the unsavable data 211. For example, a webpage form is populated in CC 300 via SA 354. After the form with both savable and unsavable data fields is populated, then the sum of the results is communicated to proxy server 202. A communication link 205 for pass/ fail messaging is provided from optional subsequent processor 230 and CC 300. Communication links are shown travelling through the Internet 221, which also may be a local area network ("LAN"), Metro area network ("MAN"), etc.
[0022] Referring now to Figure 2B, a block diagram is shown of a network 200-B with a client computer, a proxy computer, and optional processor computer, according to one or more embodiments.
[0023] A consumer computer 300A with a browser 300 and an ASCII PAN 310 block therein communicates confidential information via CI channel to exchange 220 and to a proxy service 260 with an IP address PS of 260, which then exchanges a PAN CI with token service 262 for a token in return. Token service then passes PAN to merchant 264. Token is also communicated to website 201 with products and services page 262 and confidential information request 262 with an IP address of Ws of 260.
[0024] Referring now to Figure 3A-3B, block diagrams are shown of a computer 300-A and a mobile device 300-B, respectively, for implementing the security application, according to one or more embodiments.
[0025] Computing device 300 includes components such as a processor 302 coupled to a memory 400, 305, and/or 312. In particular, processor 302 can be a single or multiprocessor core, for processing data and instructions. Memory 400, 305, and/or 312 are used for storing and providing information, data, and instructions, including in particular computer usable volatile memory 400, e.g. random access memory (RAM), and/or computer usable non-volatile memory 305 , e.g. read only memory (ROM), and/or a data storage 312, e.g., flash memory, or magnetic or optical disk or drive. A security application ("SA") 354-A module, and an optional randomizer module 352 boht utilize instructions from memory 400 that are operated on processor 302. Memory 400 includes an isolated portion of memory ("IPOM") 452 that is designated for use by the FTOF in the SA for temporary storage of the input data received in a FTOF, and for any other unsavable information, whether it be parameter settings, buffers, data from other peripherals, such as touch screen 311, etc. By having the IPOM as the one location (though it may be distributed physically around the PC, and in different types of memory in one embodiment, such as ROM 305 and data storage unit 312? , it is still a memory location and range of addresses that is designated and honored for being used for unsavable data associated with the FTOF. In this manner, it becomes easier to police the known IPOM memory locations from unauthorized access and to purge them when appropriate, e.g., upon SA termination. [0026] Computing device 300- A also includes optional inputs, such as: alphanumeric input device 308, such as: a keyboard or touch screen with alphanumeric, function keys, object driven menus; a keypad button, a microphone with voice recognition software running on a processor, or any device allowing a player to respond to an input; or an optional cursor control device 310, aka analog input device ("AID"), such as a roller ball, trackball, mouse, etc., (a positional input/ output device ("PIOD") for communicating user input information and command selections to processor 302; or an optional display device 350 coupled to bus 316 for displaying information, including a touch screen portion 311 for I/O; and an optional transmit ("Tx") / receive ("Rx") unit, aka transceiver, 314 for coupling system with external entities, such as a modem for enabling wired or wireless communications between system and an external network such as the Internet, a local area network (LAN), wide area network (WAN), virtual private network (VPN), etc. via standards such as SONET and Ethernet. Coupling medium 316 of components can be any medium that communicates information, e.g., wired or wireless connections, electrical or optical, parallel or serial bus, etc. Cursor control devices 310 and input devices 308 and like devices, while not an exhaustive list, are together referred to as I O devices ("IOD").
[0027] If electronic device 300- A is used as a standalone device, e.g., for randomizing the security data interface ("SDI") and for accepting user ID and PW to access the electronic device 300-A itself, then randomizer 352, parameter registers 450, and display drivers 309, along with the aforementioned components of the device 300-A, are used to implement the display of the SDI via Tx/Rx device 314 (e.g., a display device output to display the SDI), and a similar or different Tx/Rx device 314 (via a touch screen input or a mouse input for a non-touch screen) to enter confidential information via the SDL displayed on the display. The implementation of these components with the same name as described for Figure 2.
[0028] The computing device is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology. Alternatively, electronic device 300-A can be a thin client, e.g., a dumb device, which only has a capability or is only used to a capability of displaying results and accepting inputs, e.g., not requiring comparator 342, randomizer 35, and parameter registers 450. As a thin client, device 300-A would receive randomized SDI that was generated by enterprise server 201 of Figure 2, and display same on Tx/Rx device 314 (display device) as previously described. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system. The present technology may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. The present technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer-storage media including memory-storage devices.
[0029] Electronic device 300 can be any device with an interface for displaying an SDI and receiving an input, including a wireless portable device, a mobile communication device, a mobile phone, or computer screen, a dumb terminal, a thin client, a watch, a server, etc.
[0030] Referring now to Figure 3B, a mobile electronic device 300-B is shown for implementing a randomizer module for the secure entry of data, according to one or more embodiments. Device 300-B is a personal communication device in one embodiment that includes operational hardware such as a rake receiver 303 to receive signals from antennae 338 and communicate both the voice and DTMF 331 to baseband processor 306 with digital signal processing (DSP) 307, which provide the CODEC/MODEM functions for signal processing. Alternatively one or more signals may be provided by wired connection 336, such as Ethernet, coaxial, or optical cable, etc. Baseband processor 306 is configured to provide only recognizable voice output 332 to audio amplifier 315, coupled thereto, in order to be compliant with not providing any incoming caller DTMF confidential information to the listener/ agent of communication device 300. This can be implemented in one of multiple methods. First, if the DTMF confidential information is provided via a separate channel from voice data to device 300, then the baseband processor can be configured either permanently or selectively to not combine the demodulated and/or decoded signals from the DTMF confidential information signal with the voice signal. If selectively done, then an application processor or other means could be programmed to allow only a company or person with administrative authorization to change. Alternatively, the application processor can contain authorization and password protected software that configures the baseband processor to perform alternative techniques to render the DTMF tones unusable as previously described, such as tone flattening, superposition of random or superset of tones, etc. SIMcard/ caller identification block 320 provides the identification features used by entity 160 of Figure IB-IE, via transmitter 304 and antennae 338 or cable 336, to verify the identity of the agent providing the service for the caller. Keypad / display 500 coupled to baseband processor and application processor allows the agent / user of device 300 to input data and instructions to configure the system, open secure channel for completing the transaction.
[0031] If electronic device 300-B is used as a standalone device, e.g., for randomizing the SDI and for accepting user ID and PW to access the electronic device 300-A itself, i.e., to turn on and operate the cell phone, then randomizer 352, parameter registers 450, and display drivers 309, along with the aforementioned components of the device 300-B, are used to implement the display of the SDI via keypad display 500 (e.g., a display device output to display the SDI), and a similar or different I/O device 500 (via a touch screen input or a mouse or arrow buttons for a non-touch screen) to enter confidential information via the SDL displayed on the display. The implementation of these components is similar to those components with the same name as described for Figure 2.
[0032] The computing device 300-B is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology. Alternatively, and in addition to a standalone embodiment, electronic device 300-B can be a thin client, e.g., a dumb device, which only has a capability or is only used to a capability of displaying results and accepting inputs, e.g., not requiring comparator 342, randomizer 35, and parameter registers 450. As a thin client, device 300-B would receive randomized SDI that was generated by enterprise server 201 of Figure 2, and display it on keypad / display 500 (display device) as previously described. Thus, mobile device 300-B can use a standalone device that implements a randomized SDI to login to the device 300-B for accessing a WiFi Internet browser. Thereafter, device 300-B is used as a thin client to receive a randomized SDI from an external source, such as enterprise server 201 of Figure 2, to validate the user to access a financial account, or to purchase products at a website. The randomized SDI can be very different for the standalone device versus the external server 201, based on the programmable variable randomization settings selected by the user or the host. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system.
[0033] Referring now to Figure 4, an illustration is shown of the display device of the client computer accepting savable and unsavable data via a keyboard and an analog I/O device and virtual keyboard GUI, respectively, for secure communication to a server using the security application, according to one or more embodiments. The GUI 400 is operated on SA 354 of Figure 2 to include FTOF 406 for unsavable data, e.g., social security number, primary account number ("PAN") like a credit card number, medical information, etc. FTOF 406, typically will use an analog input device, such as those specified in Figures 3 A and 3B. Shown here is a keypad for secure entry, which is a GUI itself. As described above, the secure keypad 501 can move about the display window 310- A, move digits randomly that do not changed the rotation or shape of the keypad and therefore not be trackable, which is a condensed browser window in one embodiment. Input to the secure keypad can be by a user's digit 413 on a touch screen, e.g., 311 of Figures 3A or 3B, or via an analog input such as a mouse 310-A. Because the input to the FTOF is by analog means and by a secure keypad, it is as good as impossible mathematically (according to standards that apply to something such as a token) for an unauthorized party to hack, reverse engineer, keystroke record, sniff, etc. any information from the data input operation by the user into form 400. If a user attempts to input data into a FTOF 406 via a non-approved I/O device, such as a physical keyboard or keypad, no data will appear because the SA has already disabled the FTOF from receiving input from those types of devices. Input to the GUI 400 also includes second type of fields ("STOF") 404 for savable data, such as name, address, order, etc. Data entry into these fields can be form traditional I/O devices such as the keyboard 308-A and be transmitted to the SA by the RA.
[0034] Referring now to Figures 5A-5B are an illustration of the virtual keyboard GUI in a client computer, and the memory space in the server computer, respectively, for the entry of unsaveable data via the analog I/O device, according to one or more embodiments.
[0035] Figure 5A shows a circular layout keypad 501-Cl operating per the secure keypad application 310 that couples to the SA 354, as shown in Figure 2A. The digits are shown with anchor position 502-Cl for digit Ό', with subsequent digits arranged in a clockwise ("CW") fashion. In the present embodiment, the keypad 501-Cl embodiment of randomized SDIs, remains static until a given quantity of digits, e.g., a first four digit sequence of a credit card ("CC") PAN, which is entered via a mouse or touch screen. After a period of time, or quantity of digit entry, the keypad moves to a new location, shown as dashed buttons, with anchor position 502-C2 disposed lower and further to the right on the screen 310-B. While the sequence direction remains the same (CW), and the starting point is the same, these variable can be programmed by the user to be different, as described in the "Secure Electronic Keypad Entry" case. The enter (ENT) key is selected when complete.
[0036] Figure 5B shows a memory with randomized display data entries for SDI data components, according to one or more embodiment. Memory 400-A1, disposed in another device such as the proxy server 202 of Figure 2, indicates the location in column (404) for a data component in column 406. Thus, for data component "0" of the SDI, a value of "(X0, Y0) al" is shown for creating a button with the value of "0" on a display device, e.g., 350 of Figure 3A, to create a SDI image on a window, such as shown in Figures 5A. The 'al' value denotes a given time or position, i.e., an initial anchor position of the '0' data component of the SDI (wherein '0' happens to be the anchor digit for the SDI), and other parameters for the data component, such as a key size created for the display of value Ό' . The same description applies to the balance of the data component population (1-9) for this particular choice of numbers as the data component for the SDI, to create a SDI image on a display device, as mentioned above. The dashed table 410, behind table columns 404 and 406, illustrates the updated X, Y locations of the SDI and digits for the secure keypad. In this manner, both the CC 300 and the proxy server 202 of Figure 2, are synchronized, with the keypad only moving at designated times, between key entries. Another embodiment will allow key entries on the secure keypad while in motion, however this would utilize a time-stamp or similar method to ensure the X, Y coordinates in the CC when a digit is entered, can be accurately mapped to the proxy server, which is also tracking the movement of the secure keypad location. In one embodiment, one of the secure keypads is slaved to the other, so that both know the location of the digits, especially when the movement of the keypads is truly random, and cannot be predicted. Thus, for example, the proxy server 202 could be driving the image of the secure keypad and transmit it to the CC 300, which then returns coordinates X, Y, as selected by a cursor controlled device, such as a mouse.
[0037] Referring now to Figure 6 is a flowchart 600 of the security application for receiving savable and unsavable data via a keyboard and an analog I/O device of a client computer, for transmitting these data to a server, and for purging memory after terminating the security application session, according to one or more embodiments.
[0038] Operation 602 instantiates a security application ("SA") 354 on the CC 300 of Figure 2. SA The SA includes a remote application ("RA") for the secure keypad entry to be used for a FTOF data entry in one embodiment. The RA is configured to operate in conjunction with an opened browser 602-A shown as browser 264 in Figure 2, which then acts as the gateway to communication links 207 and 211 to reach proxy server 202. The RA can be a plug-in, an add-on, or a browser help object ("BHO") that is an extension for any of a wide variety of browser applications. Operation 602 also implies that a SA 207' is opened in proxy server 202, in order to communicate with the SA 354 in CC 300, as exemplified by the secure keypad entry 310-B in Figure 5A in CC 300, corresponding to the memory locations 400- A 1 of the keypad digits for proxy server, as shown in Figure 5B.
[0039] In operation 604, nonsecure applications can be initiated, or continue to run, despite the SA being operational on CC 300, as shown in operations 602 through pointer B pointing to operation 628. In this manner, the productivity of CC 300 is much higher than an application that effectively disables operation of many peripherals and other software for fear of compromising confidential data. The operations herein of creating the IPOM, policing it, and purging it, for FTOF data entries, are referred to a zero day defense ("ZDD"). The ZDD allows the present disclosure to run both the secure and nonsecure applications with confidence. However, it remains that the IPOM is never accessible in the present embodiment to nonsecure applications 604-A.
[0040] .In operation 606, an optional pull of data from the customer database ("DB"), e.g., 256 in Figure 2, with a token can be performed. The token is originally generated and populated from a prior session and data gathering operation for a given customer or entity, as shown in step 624 and 624-A, described hereinafter. The token refers to the unsavable and typically confidential information of a customer, such as a PAN or a SSN. Other savable data, such as customer address, or product preferences, may be saved with and associated with the token, in the DB 256 for faster processing by a client computer.
[0041] In operation 608, a field is identified for which a user is accessing. Prior to that, a user, administrator, or standard champion, has indicated what fields for a given data input form/ window will be unsavable or savable. For example, the Payment Card Industry ("PCI") Data Security Standard, version 3.2, is released by the Payment Card Industry Security Standards Council ("SSC") for implementation by the various credit card providers. Another example of field definition would be various medical conditions and patient identification per the Health Insurance Portability and Accountability Act ("HIPAA") of 1996. Many other financial transactions and exchanges on the Internet would lend themselves the benefit of the present disclosure.
[0042] In operation 610, in inquiry determines whether an attempt to enter data in a FTOF, which is impermissible to save, has occurred. IF an attempt was not made to enter data in an FTOF, then operation 611 allows the input of data in a STOF (savable), which allows full access to non-FTOF memory. Figure 4, the identification of the fields for unsaved data (shown with thicker borders) is defined in the SA software, and manifest their category when a user attempts to enter data, either by effectively accepting the input for a savable data field via keyboard 308-A, or by being ineffective by trying to use keyboard 308-A for entry in an unsavable field 406, such as credit card number (NO.), which would then prompt the appearance of a window 301-A with the secure keypad entry .
[0043] If an attempt was made to access FTOF, then the operation 614 creates an IPOM for the FTOF to reside temporarily, until it can be transmitted out of CC and to its destination, e.g., proxy server 202. The IPOM can also be created in one embodiment upon instantiation of the SA in operation 602. Alternatively, in another embodiment, the IPOM can be a segregated physical memory in CC 300 architecture.
[0044] Operation 616 disables the FTOF in the SA from receiving data from an I O device except an analog input (IP) device, such as the secure keypad entry 301-A with mouse 310-A or touch screen entry, as shown in Figure 4. Thus, other types of I/O device such as alphanumeric input 3087 of Figure 3A are not enabled to enter data into the FTOF. This is to prevent digital forms of data from being reverse engineered, sniffed, detected, etc., and then comprising confidential information deemed unsavable data.
[0045] In operation 618, data is received in the FTOF from the AID, as shown in Figure 4 and Figures 5A and 5B. The information received can be either be confidential information 618-A or non-confidential information 618-B.
[0046] In operation 620, the SA or other application will police the CC for unauthorized attempts to access the IPOM, either to retrieve data, or to overwrite data. The unauthorized accesses could be via the memory access controller, or by sniffing requests received at the CC 300. Typically, the source of an unauthorized attempt to access FTOF unsavable data, which is temporarily stored in memory, is an external threat, from an IP address outside of the known network with authorized communications, such as that shown in network 200 of Figure 2. However, an unauthorized access can also be internal, e.g., malware or physical tracker devices coupled to the CC 300. If an unauthorized operation 620 is detected, then the SA in operation 620-A will quash the unauthorized attempt, e.g., invalidate, cancel, ignore, and /or report it. If that fails, then the SA will terminate the SA session, thereby interrupting a data entry of a user, but also foiling any attempted retrieval of unsavable data before it can be completed. Operation 620 is constantly being monitored and executed during operation of the SA and entry of data into the FTOF.
[0047] If no attempts of unauthorized access occur, then operation 622 inquires whether more entries are desired. If more entries exist, either an incomplete form shown in Figure 4, or a new customer or transaction, then pointer A proceeds to operation 608 of identifying the field the user is accessing.
[0048] If no additional entries are required, then operation 624 transmits the data from CC 300 to proxy server 202 in Figure 2. Operation 624-A provides an optional push of savable data to the customer DB 256 with a token, via channel 209, after being processed by optional token server/ service 220 coupled to either optional subsequent processor 230 or to proxy server 202.
[0049] In operation 626, the SA session with a given agent ID who is operating CC 300 is closed out or terminated, and the IPOM for the FTOF is purged. While the SA session is open, multiple customer entries can be performed. However, each customer or transaction entry proceeds until completion with the entry of an order or information into the proxy, and a pass/ fail message is communicated to the CC 300, per channel 205, shown in Figure 2. Only after a pass/fail message is received at the CC 300 can a subsequent customer or order be processed by the SA 354. During the time while the SA session is open, it can remain passively in the background, while nonsecure applications 604 are operated in the foreground. Thus, the present disclosure provides more efficient use of CC resources, while maintaining the security requirements of PCI or other standards' regarding confidential and unsavable data on the CC.
[0050] After closing of the session, operation 628 allows no further access to the IPOM, regardless of the source, and despite the fact that IPOM has been purged. This is an additional and duplicative layer of security protection to ensure standards' compliance. The prohibiting of access can arise from masking the IPOM addresses so they don't even appear visible to the memory access controller ("MAC") unless those addresses, which are disposed in the SA in one embodiment, are shared with the MAC when the SA is operational.
APPLICATIONS [0051] References to methods, operations, processes, systems, and apparatuses disclosed herein that are implementable in any means for achieving various aspects, and may be executed in a form of a machine-readable medium, e.g., computer readable medium, embodying a set of instructions that, when executed by a machine such as a processor in a computer, server, etc. cause the machine to perform any of the operations or functions disclosed herein. Functions or operations may include receiving, intercepting, processing, encoding, decoding, transmitting, converting, communicating, transforming, synchronizing, calculating, terminating, compiling, associating, and the like.
[0052] The term "machine-readable" medium includes any medium that is capable of storing, encoding, and/or carrying a set of instructions for execution by the computer or machine and that causes the computer or machine to perform any one or more of the methodologies of the various embodiments. The "machine-readable medium" shall accordingly be taken to include, but not limited to, solid-state memories, optical and magnetic media, compact disc and any other storage device that can retain or store the instructions and information, e.g., only non-transitory tangible medium. The present disclosure is capable of implementing methods and processes described herein using transitory signals as well, e.g., electrical, optical, and other signals in any format and protocol that convey the instructions, algorithms, etc. to implement the present processes and methods.
[0053] Exemplary computing systems, such as a personal computer, minicomputer, mainframe, server, etc. that are capable of executing instructions to accomplish any of the functions described herein include components such as a processor, e.g., single or multiprocessor core, for processing data and instructions, coupled to memory for storing information, data, and instructions, where the memory can be computer usable volatile memory, e.g. random access memory (RAM), and/or computer usable non-volatile memory , e.g. read only memory (ROM), and/or data storage, e.g., a magnetic or optical disk and disk drive). Computing system also includes optional inputs, such as alphanumeric input device including alphanumeric and function keys, or cursor control device for communicating user input information and command selections to processor, an optional display device coupled to bus for displaying information, an optional input/output (I/O) device for coupling system with external entities, such as a modem for enabling wired or wireless communications between system and an external network such as, but not limited to, the Internet. Coupling of components can be accomplished by any method that communicates information, e.g., wired or wireless connections, electrical or optical, address/data bus or lines, etc.
[0054] The computing system is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the present technology. Neither should the computing environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing system. The present technology may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types. The present technology may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer- storage media including memory- storage devices.
[0055] The present disclosure is applicable to any type of network including the Internet, an intranet, and other networks such as local are network (LAN); home area network (HAN), virtual private network (VPN), campus area network (CAN), metropolitan area network (MAN), wide area network (WAN), backbone network (BN), global area network (GAN), or an interplanetary Internet. Communication media in the system can include wired, optical, wireless and other communication systems, e.g., voice over internet protocol (VOIP) that conveys data.
[0056] Methods and operations described herein can be in different sequences than the exemplary ones described herein, e.g., in a different order. Thus, one or more additional new operations may be inserted within the existing operations or one or more operations may be abbreviated or eliminated, according to a given application, so long as substantially the same function, way and result is obtained. [0057] Although the present embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments.
[0058] For example, the various devices, modules, encoders, decoders, receivers, transmitters, servers, wireless devices, internal commutation systems, computers, etc. described herein may be enabled and operated using hardware circuitry (e.g., CMOS based logic circuitry), firmware, software and/or any combination of hardware, firmware, and/or software (e.g., embodied in a machine readable medium). Similarly, the modules disclosed herein may be enabled using software programming techniques. For example, the various electrical structure and methods may be embodied using transistors, logic gates, and electrical circuits (e.g., application specific integrated ASIC circuitry and/or in Digital Signal; Processor DSP circuitry).
[0059] The foregoing descriptions of specific embodiments of the present disclosure have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in light of the above teaching without departing from the broader spirit and scope of the various embodiments. The embodiments were chosen and described in order to explain best the principles of the invention and its practical application, and to enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.

Claims

I claim:
1. A client computer ("CC") for securely routing confidential information ("CI") on a communication channel to a server computer ("SC"), wherein the CC comprises:
a processor;
a memory coupled to the processor; and wherein:
the CC is configured to accept data at the CC but not to save the data on the CC, by programming the CC to:
instantiate a security application ("SA");
receive input data from a user in a first type of field ("FTOF") in the SA, wherein the input data entered into the FTOF is impermissible to be saved at the CC after session termination per an administrator; create an isolated portion of the memory ("IPOM") designated for use by the
FTOF in the SA for temporary storage of the input data received in the FTOF; and
securely communicate the input data received in the FTOF from the CC to the
SC via the communication channel.
The client computer of claim 1 wherein the CC further comprises:
one or more input/output devices ("IODs"), including an analog input device
("AID"); and wherein:
the CC is further programmed to:
disable the FTOF of the SA from receiving input data from the IODs coupled to the CC, except from the AID; and
receive the input data in the FTOF of the SA from the user via the AID.
The client computer of claim 2 wherein:
the CC is further configured to receive data that is permissible to be saved on the
CC, by programming the CC to:
enable the memory used by the SA to store inputs received on the SA in a second type of field ("STOF") that is permissible to save to at least one of the CC and the SC per the administrator;
enable the STOF of the SA to receive input from any of the IODs, including those other than an AID.
4. The client computer of claim 1 wherein the CC is further configured to: instantiate a secure connection between the CC and the SC; and
securely communicate the data in the FTOF to the SC via the communication channel.
5. The client computer of claim 1 wherein the CC is further programmed to:
transmit the FTOF only in a single direction out of the CC; and
not receive the FTOF at the CC after it is transmitted.
6. The client computer of claim 1 wherein:
the SA is instantiated upon login by the user; and
the FTOF is initiated by a trigger mechanism of a user selecting the FTOF via an IOD.
7. The client computer of claim 1, wherein:
the CC is further programmed to:
purge the IPOM used by the FTOF in the SA upon at least one of the following events including a logoff of the user of the SA at the CC and a termination of the communication channel to the SC.
8. The client computer of claim 1, wherein:
the CC is further programmed to:
quash any external attempt to access IPOM used by the FTOF in the SA; and terminate the SA if the operation to quash the external attempt to access the
IPOM used by the FTOF fails.
9. The client computer of claim 1, further comprising:
a receiver; and wherein:
the receiver is configured to evaluate incoming data on the communication
channel; and
the receiver will invalidate any incoming data other than a regular expression, in order to prevent data that is impermissible to be saved on the CC from entering the CC.
10. The client computer of claim 1, further comprising:
one or more insecure applications ("IAs") operating in the CC; and wherein: the IAs are operable on the CC at the same time the SA is operating on the
CC.
11. The client computer of claim 1, wherein the CC further comprises:
a randomizer module communicatively coupled to the SA; and wherein:
the randomizer module randomizes a virtual keyboard entry interface in the SA to allow data entry using an AID.
12. A method for securely routing confidential information ("CI") on a communication channel from a client computer ("CC") to a server computer ("SC"), wherein the method comprises:
the CC is configured to accept data at the CC but not to save the data on the CC, by programming the CC to:
instantiate a security application ("SA");
receive input data from a user in a first type of field ("FTOF") in the SA, wherein the input data entered into the FTOF is impermissible to be saved at the CC after session termination per an administrator; create an isolated portion of the memory ("IPOM") designated for use by the
FTOF in the SA for temporary storage of the input data received in the FTOF; and
securely communicate the input data received in the FTOF from the CC to the
SC via the communication channel.
12. The method of claim 12, wherein the CC is further configured to:
disable the FTOF of the SA from receiving input data from the IODs coupled to the CC, except from the AID; and
receive the input data in the FTOF of the SA from the user via the AID.
13. The method of claim 12, further comprising:
configuring the CC to receive data that is permissible to be saved on the CC, by programming the CC to:
enable the memory used by the SA to store inputs received on the SA in a second type of field ("STOF") that is permissible to save to at least one of the CC and the SC per the administrator;
enable the STOF of the SA to receive input from any of the IODs, including those other than an AID.
14. The method of claim 12, further comprising:
instantiate a secure connection between the CC and the SC; and
securely communicate the data in the FTOF to the SC via the communication channel.
15. A system for communicating confidential information ("CI") between via a
communication channel, wherein the system comprises:
a client computer ("CC"); and
a server computer ("SC"); and wherein:
the CC comprises:
a processor;
a memory coupled to the processor; and
the CC is configured to accept data that is impermissible to save, by programming the CC to:
instantiate a security application ("SA");
receive input data from a user in a first type of field ("FTOF") in the SA, wherein the input data entered into the FTOF is impermissible to be saved at the CC per an administrator;
create an isolated portion of the memory ("IPOM") used by the FTOF in the
SA from storing the input data it receives in the FTOF; and securely communicate the input data received in the FTOF from the CC to the
SC via the communication channel,
the SC comprises:
a processor;
a memory coupled to the processor; and wherein:
the SC is configured to accept the FTOF from the CC, by programming the SC to:
instantiate a security application ("SA"):
receive input data from the CC that was entered into a FTOF at the
CC; and
send a confirmation message from the SC to the CC acknowledging a successful receipt of data from the CC.
16. The system of claim 15, wherein:
the CC and the SC are further configured to
isolate all memory space disposed in the CC and in the CS, and in between the CC and the CS so that data received from the FTOF of the CC is not saved to the CC or the CS and so that the data received from the FTOF of the CC is not ex tractable from the CC or the CS by any means.
The system of claim 15 wherein the SC is further configured to accept data not permitted to be save by programming the SC to:
delete the IPOM in the SC used by the SA for storing inputs received from the CC protected memory space upon logoff of SA.
18. The system of claim 15 wherein:
the CC and the SC are further configured to
synchronize a position of the AID in the CC with a position of a virtual AID in the CS to enable the CS to recover the input data provided in the CC.
19. The system of claim 18 wherein:
the SC is further configured to
transmit the recovered input data received from the CC to a another machine for processing,
re-transmit the data received from the CC to a sub
transmit to a 3 party (acquirer) ...
20. The system of claim 18 further comprising:
a proxy server coupled to the CC and the CS; and wherein:
the proxy server receiving all of the FTOF from the CC and routing the FTOF to the CS.
21. One or more non-transitory computer readable media storing executable instructions that, when executed by an EPD implemented by one or more processors, cause the EPD to perform acts comprising:
instantiate a security application ("SA");
receive input data from a user in a first type of field ("FTOF") in the SA, wherein the input data entered into the FTOF is impermissible to be saved at the CC after session termination per an administrator;
create an isolated portion of the memory ("IPOM") designated for use by the FTOF in the SA for temporary storage of the input data received in the FTOF; and
securely communicate the input data received in the FTOF from the CC to the SC via the communication channel.
PCT/US2016/055066 2015-09-30 2016-09-30 Computer and method for transmitting confidential information in a network WO2017059396A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562234838P 2015-09-30 2015-09-30
US62/234,838 2015-09-30

Publications (1)

Publication Number Publication Date
WO2017059396A1 true WO2017059396A1 (en) 2017-04-06

Family

ID=58427998

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/055066 WO2017059396A1 (en) 2015-09-30 2016-09-30 Computer and method for transmitting confidential information in a network

Country Status (1)

Country Link
WO (1) WO2017059396A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5825875A (en) * 1994-10-11 1998-10-20 Cp8 Transac Process for loading a protected storage zone of an information processing device, and associated device
US20020172222A1 (en) * 2001-03-29 2002-11-21 International Business Machines Corporation Method and system for network management providing access to application bandwidth usage calculations
US20070058499A1 (en) * 2005-09-09 2007-03-15 Seigo Suguta Audio player
US20090132950A1 (en) * 2007-11-20 2009-05-21 International Business Machines Corporation Solution for providing real-time validation of text input fields using regular expression evaluation during text entry
US20100011219A1 (en) * 2006-07-28 2010-01-14 Hewlett-Packard Development Company, L.P. Secure Use of User Secrets on a Computing Platform
US20100299493A1 (en) * 2009-05-22 2010-11-25 Raytheon Company Multi-Level Security Computing System
US20130031597A1 (en) * 2011-07-25 2013-01-31 Da Silveira Jorni Santana Method and equipment for security isolation of a client computer
US20130275772A1 (en) * 2003-11-26 2013-10-17 Scott H. Robinson Accessing private data about the state of a data processing machine from storage that is publicly accessible

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5825875A (en) * 1994-10-11 1998-10-20 Cp8 Transac Process for loading a protected storage zone of an information processing device, and associated device
US20020172222A1 (en) * 2001-03-29 2002-11-21 International Business Machines Corporation Method and system for network management providing access to application bandwidth usage calculations
US20130275772A1 (en) * 2003-11-26 2013-10-17 Scott H. Robinson Accessing private data about the state of a data processing machine from storage that is publicly accessible
US20070058499A1 (en) * 2005-09-09 2007-03-15 Seigo Suguta Audio player
US20100011219A1 (en) * 2006-07-28 2010-01-14 Hewlett-Packard Development Company, L.P. Secure Use of User Secrets on a Computing Platform
US20090132950A1 (en) * 2007-11-20 2009-05-21 International Business Machines Corporation Solution for providing real-time validation of text input fields using regular expression evaluation during text entry
US20100299493A1 (en) * 2009-05-22 2010-11-25 Raytheon Company Multi-Level Security Computing System
US20130031597A1 (en) * 2011-07-25 2013-01-31 Da Silveira Jorni Santana Method and equipment for security isolation of a client computer

Similar Documents

Publication Publication Date Title
JP2022524709A (en) Second element of customer support calls Systems and methods for authentication
US8938784B2 (en) Authorization of server operations
US20170193236A1 (en) Data security processing method and apparatus based on switch in dual system
CN102469080B (en) Method for pass user to realize safety login application client and system thereof
US10445487B2 (en) Methods and apparatus for authentication of joint account login
EP3230917B1 (en) System and method for enabling secure authentication
CN103930899B (en) Method for the management public data of input and private data at equipment
CN109416722B (en) Secure collection of sensitive data
US9621344B2 (en) Method and system for recovering a security credential
WO2021016275A1 (en) Systems and methods of gesture triggered automatic erasure on a private network
JP2014529964A (en) System and method for secure transaction processing via a mobile device
JP2006294035A (en) Method and system for authentication service using mobile device
US20210234850A1 (en) System and method for accessing encrypted data remotely
US11757867B2 (en) System and method for implementing hacker traffic barriers
JP2022525840A (en) Systems and methods for pre-authentication of customer support calls
US9984217B2 (en) Electronic authentication of an account in an unsecure environment
US9398450B2 (en) Mobile survey tools with added security
US20230362018A1 (en) System and Method for Secure Internet Communications
WO2017059396A1 (en) Computer and method for transmitting confidential information in a network
US8826028B1 (en) Cryptography secure input device
WO2013043943A2 (en) Secure processing of confidential information on a network
CN105430150A (en) Method and device for implementing secure call
US20080263189A1 (en) Secure identification of intranet network
CN107318148A (en) WLAN access information storage method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16852805

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 08/06/2018)

122 Ep: pct application non-entry in european phase

Ref document number: 16852805

Country of ref document: EP

Kind code of ref document: A1