WO2003003170A1 - Personal user device and method for selecting a secured user input/ output mode in a personal user device - Google Patents

Personal user device and method for selecting a secured user input/ output mode in a personal user device Download PDF

Info

Publication number
WO2003003170A1
WO2003003170A1 PCT/EP2001/007331 EP0107331W WO03003170A1 WO 2003003170 A1 WO2003003170 A1 WO 2003003170A1 EP 0107331 W EP0107331 W EP 0107331W WO 03003170 A1 WO03003170 A1 WO 03003170A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
output mode
user device
secured
personal
Prior art date
Application number
PCT/EP2001/007331
Other languages
French (fr)
Inventor
Nadarajah Asokan
Valtteri Niemi
Janne MÄNTYLÄ
Jaakko Lipasti
Original Assignee
Nokia Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Corporation filed Critical Nokia Corporation
Priority to PCT/EP2001/007331 priority Critical patent/WO2003003170A1/en
Publication of WO2003003170A1 publication Critical patent/WO2003003170A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices

Definitions

  • the invention relates to a personal user device with a user interface and with selection means for selecting a secured user input/output mode, which secured user input/output mode enables a transfer of data between said user interface and at least one trusted component of said personal user device or connected to said personal user device, wherein said data is protected from an access by an unauthorised application.
  • the invention equally relates to a method for selecting a secured user input/output mode in a personal user device.
  • the term personal user device denotes any end user terminal like a mobile phone, a personal computer or a hand-held computer.
  • a personal user device can be designed to provide a rich functionality by employing a general-purpose operating system which can run applications from different sources.
  • a personal user device can be operating as a personal trusted device.
  • Such a trusted device can be used for example for mobile commerce and other security-sensitive applications over an open network.
  • a personal user devices is equipped for both aspects.
  • a personal user device In its function as a trusted device, a personal user device has to be able to exchange sensitive data with other units over open networks in a protected way.
  • a protected transfer can be achieved e.g. by encrypting sensitive data with cryptographic algorithms and protocols using secret cryptographic keys before they are transmitted.
  • Different known communication security protocols, security mechanisms and cryptographic algorithms that can be employed for exchanging sensitive data are mentioned for example in "Development of a Secure Electronic Marketplace for Europe"; in the proceedings of ESORICS '96 (4th European Symposium on Research in Computer Security) , Rome, LNCS 1146, Springer- Verlag, Berlin 1996, 1-14, by Michael Waidner.
  • a common protection against such threats is to keep the cryptographic keys and functionality in tamper-evident devices which thus can constitute a trusted component.
  • An example for such a trusted component is a smartcard.
  • a smartcards can store a secret key and can be connected to a personal user device, e.g. a PC or a mobile phone.
  • the personal user device to which a smartcard is connected cannot access the stored secret keys, but it can ask the smartcart to perform a cryptographic function for which the key is needed, like calculating a digital signature or decrypting a message.
  • the access to smartcards is moreover protected by personal identification numbers (PINs) .
  • PINs personal identification numbers
  • smartcards do not alleviate the problem entirely either. For example, a malicious payment application could ask the user to approve a payment of $10 by typing in the PIN, but once the PIN is available, ask the smartcard to sign a payment message for $100.
  • This inadequacy of smartcards has been pointed out in several documents, e.g. in the above cited document "Development of a Secure Electronic Marketplace for Europe", and in “Hand-held computers can be better smart cards", Usenix security symposium, 1999, by Dirk Balfanz and Edward W. Felten.
  • a solution to such problems involving smartcards or other trusted components storing secret data is a personal user device with a trusted input/output path to the user, which trusted input/output path cannot be accessed by any unauthorised application.
  • trusted devices can be implemented on PDAs (personal digital assistant) or Communicator type combined PDA/phones.
  • the trusted device is preferably combined with a general personal user device with a rich functionality as mentioned above, the personal user devices usually runs extensible operating systems like EPOC, Windows CE or Palm OS. Therefore, the trusted user input/output path has to be able to work in conjunction with a general-purpose operating system.
  • the trusted user input/output path cannot be used exclusively, since many applications which are not security sensitive require a direct access to a user input/output interface.
  • SEMPER project described in the cited document "Development of a Secure Electronic Marketplace for Europe” therefore a trusted user interface was suggested.
  • a trusted user interface runs as a high priority component in a general personal user device. Only this high priority component has access to critical resources like cryptographic keys, while ordinary applications wishing to use the critical resources have to make their requests via this component. In a secure mode, the high priority component has moreover control of the user input/output devices, and no other ordinary application can access the same input/output devices. Therefore, when the personal user device is in secure mode, a user of the personal user device can safely enter sensitive information, such as PINs, and/or be guaranteed that the information displayed on the screen or on another output device is trustworthy.
  • sensitive information such as PINs
  • the trusted user interface can be implemented as a separate operating system. In this case, the hardware should ensure the above features. Alternatively, it can be implemented as a separate process in the same operating system. In this case, the operating system should ensure these features.
  • a problem with this architecture is how to ensure that the user clearly knows when the trusted user interface is active.
  • a personal user device with a user interface and with selection means for selecting a secured user input/output mode.
  • the secured user input/output mode enables a transfer of data protected from an access by an unauthorised application between said user interface and at least one trusted component of said personal user device or connected to said personal user device.
  • the personal user device further includes activating means which enable a user of said personal user device to cause said selection means to select said secured user input/output mode.
  • activating means which enable a user of said personal user device to cause said selection means to select said secured user input/output mode.
  • the stated object is reached with a method for selecting a secured user input/output mode in a personal user device, which secured user input/output mode enables a transfer of data protected from an access by an unauthorised application between a user interface of said personal user device and at least one trusted component of said personal user device or connected to said personal user device.
  • the secured user input/output mode is selected according to the invention upon request by a user.
  • the invention proceeds from the idea that the most reliable way to ensure that a user knows whether a secured input/output mode has been selected or not is to let this mode be activated by the user himself.
  • a human user can activate the selection of the secured input/output mode which provides a trusted input/output path between the user and trusted components of the system.
  • a user In order to guarantee a maximum protection, at least for certain actions, like e.g. a digital signing of messages, exclusively a user should be able to activate the selection of the secured user input/output mode. In these cases, activating the secured input/output mode should not be possible for normal and potentially untrusted applications on the device, which makes the device more secure.
  • the personal user device can select the secured user input/output mode by informing the operating system and/or the hardware of the personal user device about the requested change of mode.
  • the activating means preferably include a dedicated security button on the personal user device that has to be pressed by a user in order to cause a selection of the secured input/output mode.
  • a security button should be clearly identifiable by a user.
  • a security button can moreover be provided with a dedicated driver which is completely unaccessible through user-level programs. If the driver is residing in a flash memory, it is preferably signed by a root key. It is further preferred that the security is based on signed ROM (Read Only Memory) images and keys residing on CPU-ASICs (Central Processing Unit - Application Specific Integrated Circuits) .
  • the security button could be for example the power button or a similarly implemented button that does not utilise the keyboard driver. With a security button as activating means, it is thus possible to achieve a particularly high security.
  • the activating means can be based on existing devices. It can be requested, e.g. that a specific sequence of keys is pressed, or an option is popping up on the display of the personal user device forming part of the user input/output interface when a predetermined button like a power on/off button is pressed.
  • the display of such an option may also be caused by an application requesting an action that requires a secured input/output mode.
  • the option can be selected by the user again using either a dedicated security button, one or more of regular keys or any other suitable input means .
  • che secured input/output mode can only be activated by the user for predetermined actions requested by an application.
  • predetermined actions can be for example signing or decrypting a received message.
  • deactivating means enabling a user to deactivate a secured input/output mode in order to prevent that the user thinks he is still in the secured input/output mode, even though all actions for which the secured input/output mode was selected have been completed and the personal user device has already switched back to a normal mode.
  • the personal user device indicates in addition in some way to the user that a secure mode is active.
  • a secure mode may be achieved either by hardware, for example by a special LED of the personal user device, or by software.
  • a background pattern may be displayed, or colours etc . which are recognisable by the user and not available to untrusted applications. Such a background may even be selectable by the user.
  • the secured user input/output mode is realised similar as described in the background of the invention, i.e. a dedicated process is run by the selection means.
  • This dedicated process corresponds to the mentioned high priority component run by the trusted user interface.
  • only the dedicated process is considered to be authorised, while all other applications are considered to be unauthorised.
  • only the dedicated process has access to a user interface while the secured user input/output mode is activated.
  • any application may be considered authorised, as long as it can be identified by some characteristic to be authorised, e.g. by a code signing and/or by the location from which the application is loaded, like an integrated disk of a personal user device, a CD-ROM, or some external server.
  • code signing it can be checked in particular whether there is any signing at all and, in addition, whether the code signature matches to a specific memory- image text segmen .
  • Some check sum can moreover be checked for determining whether the binary image of the executable program of an application was changed compared to the original binary image, e.g. because they contain a virus.
  • Applications with a changed binary image of their executable program should be considered to be unauthorised regardless of other criteria.
  • a secured user input/output mode is then guaranteed by preventing the secured input/output mode to be selected when any unauthorised application is running. All unauthorised applications detected to be active might be terminated in order to be able to select said secured user input/output mode.
  • the executable programs of all applications currently running in the personal user device are first checked for determining whether there is a change in the binary image of the respective executable program, before a secure mode can be selected.
  • the user can then be offered that all applications of which the executable program is considered to have changed are terminated.
  • all or selected ones of these applications are terminated.
  • a change of the binary image can be detected e.g. by comparing a disk image check sum or signature with a memory image check sum or signature.
  • the invention can be used in all end user terminals which support security features for which an interaction by the user is needed, like e.g. for e-payments.
  • Such terminals may be for example mobile phones or PCs.
  • the only figure depicts components of a personal user device that can be used equally for general purposes and for security sensitive transactions. Moreover, the figure shows a user U of this personal user device.
  • the personal user device includes a general purpose operating system 1, a hardware 2 and a trusted user interface 3 comprising a security button.
  • the personal user device includes a regular user interface comprising a display and different keys, which is not depicted in the figure. Some elements of the trusted user device 3 and the regular user device are used in common by both devices, e.g. the display. Further, a first application 4 and other applications 5 are installed on the personal user device.
  • a smart card with critical resources 6 like cryptographic keys has been detachably connected to the personal user device by the user U.
  • Operating system 1 hardware 2 and critical resources 6 are connected to the trusted user interface 3, to the regular user interface and to the applications 4, 5 via a kernel interface 7. Only a high priority component run by the trusted user interface 3, however, has access to connected critical resources 6.
  • the regular and the trusted user interface 3 are further connected with the installed applications 4, 5 via an application program interface 8.
  • the personal user device has access to other devices, servers or any other kind of systems via an open network.
  • the interface of the personal user device to the open network is not depicted in the figure.
  • the operating system 1 of the personal user device is a general-purpose operating system which can run applications from different sources, i.e. either from the personal user device itself or from some remote location connected to the personal user device via the open network.
  • applications 4, 5 are able to exchange data directly with the input/output means of the regular user interface via the application program interface 8.
  • the application program interface 8 comprises several functions that are responsible for initiating a secured user input/output mode for different security sensitive actions that may be requested by one of the applications 4, 5.
  • One of these functions is for example a sign() function, which initiates a secured user input/output mode, in case an application 4, 5 requests a message to be signed by the user U.
  • Another function may be a decrypt () function, which initiates a secured user input/output mode, in case an application 4, 5 provides an encrypted message that has to be decrypted before it can be read by the user U.
  • the first application 4 invokes the sign() function in the application program interface 8 with the message that is to be signed as a parameter.
  • the application program interface 8 knows now that a secured user input/output mode might be about to be selected by the user U. Invoking the sign() function in the application program interface 8 automatically results in two different actions.
  • the implementation of the sign() primitive displays an information to the user U on the display of the regular user interface via a mailbox type messaging mechanism. The information states that a signature request was received from an application 4 and that signing requires the user U to activate a trusted mode.
  • the function call is registered with the trusted user interface 3, which is implemented in this example as a separate operating system.
  • the user U does not want to sign the message, he presses some predetermined key or keys of the regular user interface. As a result, the application program interface 8 is informed that the requested secured user input/output mode was not selected by the user U and that the normal mode operation continues. The function call registered with the trusted user interface 3 is cancelled. If, in contrast, the user U considers signing the message, he now has to press the security button of the trusted user interface 3 on the personal user device. In an alternative implementation, he might have to press a predetermined sequence of the regular keys of the regular user interface.
  • the trusted user interface 3 of the personal user device is informed. To this end, a message including information about the requesting application and about the purpose of the requested secure mode could be written for example to a predetermined location to which the trusted user interface has access. Possibly, the trusted user interface 3 has to be activated first. The trusted user interface 3 now switches to the secured input/output mode. In this mode, only the high priority component of the trusted user interface 3 has control of the user input/output means, as indicated by the dashed line between the user U and the trusted user interface 3. None of the applications 4, 5 can access the user input/output means until the normal input/output mode is re-established.
  • the secured input/output mode is further indicated to the user U by activating the LED included for this purpose in the personal user device.
  • the high priority component of the trusted user interface 3 handles the registered function call by displaying the message that is to be signed to the user U on the display now forming part of the trusted user interface, and by asking the user U whether the message should be signed.
  • the user U checks the message and if he decides to sign it, presses a key in the standard user interface indicated in the display together with the message and enters a specific password chosen by the user U at an earlier point of time.
  • the high priority component of the trusted user interface 3 then invokes a sign() system call on the kernel interface 7, including as parameter the message that is to be signed and the password entered by the user U.
  • the kernel interface 7 comprises several such system functions corresponding to the functions of the application programme interface.
  • the smartcard with the critical resources 6 checks the password and, if the password turns out to be correct, calculates the digital signature of the user U for the received message.
  • the high priority component of the trusted user interface 3 receives this digital signature as return value from the critical resources 6 and passes it on to the first application 4 via the application program interface 8. Dashed lines between the critical resources 6 and the first application 4 in the figure indicate the indirect access of the application 4 to the critical resources 6 that was thus realised via the trusted user interface 3.
  • the high priority component of the trusted user interface 3 moreover indicates to the application program interface 8 that the secure mode operation has been completed.
  • the personal user device turns off the LED indicating the secure mode and re-activates the access of the applications 4, 5 to the regular user interface.
  • the first application 4 and the other applications 5 can now proceed with their normal operation.
  • the activating means are realised in this example by the security button and functions in the trusted user interface that are able to interpret a pressing of this button.
  • the selection means are realised by the trusted user interface, which informs the operating system and the hardware about the trusted mode activated by the user.
  • the secure input/output mode can also be activated by a user, but the selection of the secure user input/output mode is realised in a different way.
  • the personal user device of the second embodiment has a similar design as the personal user device of the first embodiment.
  • a user wants to set the personal user device into the secure input/output mode he presses the security button.
  • the operating system checks whether any unauthorised applications are currently active. This is done by checking, whether the application has a code signing that can be verified by the personal user device.
  • the operating systems presents an option to the user on a display to terminate all unauthorised applications. In case the user selects this option, all unauthorised applications are terminated.
  • the operating system turns on a green LED indicating to the user that the secured input/output mode was selected. While the green LED is on, the operating software prevents that any unauthorised application starts.
  • the green LED is not turned on. Thereby, the user knows that the device is in unsecure mode, and that he should not make any payments with the personal user device or carry out any other security sensitive actions.
  • the user can be given a list of detected unauthorised applications that might contain viruses on the display.
  • An option is presented to the user to erase all or selected ones of these listed applications.
  • the user decides to erase one or several of the listed applications, he chooses the presented option indicating the applications selected for erasure, and as consequence, the applications are erased.
  • the security button Before choosing the option, however, he should again press the security button in order to activate the secure input/output mode, since otherwise, the kill prompt windows might be captured.
  • the first and the second presented embodiments of the invention therefore both enable a selection of a secured input/output mode upon request of a user of a personal user device, only the realisation of the secured input/output mode is different.

Abstract

The invention relates to a personal user device with a user interface and with selection means (3) for selecting a secured user input/output mode. The secured user input/output mode enables a transfer of data between said user interface and at least one trusted component (6) of said personal user device or connected to said personal user device, during which transfer the data is protected from an access by an unauthorized application (4, 5). In order to ensure that a user (U) of a personal user device clearly knows when a secured user input/output mode is selected, it is proposed that activating means (3) included in the personal user device enable a user (U) of said personal user device to cause said selection means (3) to select said secured user input/output mode. The invention equally relates to a corresponding method.

Description

Personal user device and method for selecting a secured user input/output mode in a personal user device
FIELD OF THE INVENTION
The invention relates to a personal user device with a user interface and with selection means for selecting a secured user input/output mode, which secured user input/output mode enables a transfer of data between said user interface and at least one trusted component of said personal user device or connected to said personal user device, wherein said data is protected from an access by an unauthorised application. The invention equally relates to a method for selecting a secured user input/output mode in a personal user device.
BACKGROUND OF THE INVENTION
The term personal user device denotes any end user terminal like a mobile phone, a personal computer or a hand-held computer. A personal user device can be designed to provide a rich functionality by employing a general-purpose operating system which can run applications from different sources. On the other hand, a personal user device can be operating as a personal trusted device. Such a trusted device can be used for example for mobile commerce and other security-sensitive applications over an open network. In order to provide a maximum of comfort to a user, a personal user devices is equipped for both aspects.
In its function as a trusted device, a personal user device has to be able to exchange sensitive data with other units over open networks in a protected way. A protected transfer can be achieved e.g. by encrypting sensitive data with cryptographic algorithms and protocols using secret cryptographic keys before they are transmitted. Different known communication security protocols, security mechanisms and cryptographic algorithms that can be employed for exchanging sensitive data are mentioned for example in "Development of a Secure Electronic Marketplace for Europe"; in the proceedings of ESORICS '96 (4th European Symposium on Research in Computer Security) , Rome, LNCS 1146, Springer- Verlag, Berlin 1996, 1-14, by Michael Waidner. The security of an encrypted transmission does not only rely on the quality of the used cryptographic techniques, but in addition on an adequate protection of the employed cryptographic keys. However, standard operating systems are vulnerable to viruses and Trojan horses. A Trojan horse can steal a user's secret keys or use them in ways the user did not intend.
A common protection against such threats is to keep the cryptographic keys and functionality in tamper-evident devices which thus can constitute a trusted component. An example for such a trusted component is a smartcard. A smartcards can store a secret key and can be connected to a personal user device, e.g. a PC or a mobile phone. The personal user device to which a smartcard is connected cannot access the stored secret keys, but it can ask the smartcart to perform a cryptographic function for which the key is needed, like calculating a digital signature or decrypting a message. The access to smartcards is moreover protected by personal identification numbers (PINs) .
But smartcards do not alleviate the problem entirely either. For example, a malicious payment application could ask the user to approve a payment of $10 by typing in the PIN, but once the PIN is available, ask the smartcard to sign a payment message for $100. This inadequacy of smartcards has been pointed out in several documents, e.g. in the above cited document "Development of a Secure Electronic Marketplace for Europe", and in "Hand-held computers can be better smart cards", Usenix security symposium, 1999, by Dirk Balfanz and Edward W. Felten.
A solution to such problems involving smartcards or other trusted components storing secret data is a personal user device with a trusted input/output path to the user, which trusted input/output path cannot be accessed by any unauthorised application. It has been suggested that trusted devices can be implemented on PDAs (personal digital assistant) or Communicator type combined PDA/phones. However, since the trusted device is preferably combined with a general personal user device with a rich functionality as mentioned above, the personal user devices usually runs extensible operating systems like EPOC, Windows CE or Palm OS. Therefore, the trusted user input/output path has to be able to work in conjunction with a general-purpose operating system. That is, the trusted user input/output path cannot be used exclusively, since many applications which are not security sensitive require a direct access to a user input/output interface. In the SEMPER project described in the cited document "Development of a Secure Electronic Marketplace for Europe" therefore a trusted user interface was suggested.
The basic idea for a trusted user interface is that it runs as a high priority component in a general personal user device. Only this high priority component has access to critical resources like cryptographic keys, while ordinary applications wishing to use the critical resources have to make their requests via this component. In a secure mode, the high priority component has moreover control of the user input/output devices, and no other ordinary application can access the same input/output devices. Therefore, when the personal user device is in secure mode, a user of the personal user device can safely enter sensitive information, such as PINs, and/or be guaranteed that the information displayed on the screen or on another output device is trustworthy.
The trusted user interface can be implemented as a separate operating system. In this case, the hardware should ensure the above features. Alternatively, it can be implemented as a separate process in the same operating system. In this case, the operating system should ensure these features. A problem with this architecture is how to ensure that the user clearly knows when the trusted user interface is active.
The cited document "Development of a Secure Electronic Marketplace for Europe" proposes to employ a trusted interactive graphical user interface (TINGUIN) which is clearly distinguishable from the graphical user-interface of other applications. The disadvantage with such a secure mode indicator is that an application could put the device into the secure mode without the user being aware of it, and if the user then accidentally makes some input, such as pressing a key, before having noticed the secure mode, the device may consider this input as the user's approval for a sensitive task.
SUMMARY OF THE INVENTION
It is an object of the invention to ensure that a user of a personal user device clearly knows when a secured user input/output mode is selected.
This object is reached on the one hand with a personal user device with a user interface and with selection means for selecting a secured user input/output mode. The secured user input/output mode enables a transfer of data protected from an access by an unauthorised application between said user interface and at least one trusted component of said personal user device or connected to said personal user device. According to the invention, the personal user device further includes activating means which enable a user of said personal user device to cause said selection means to select said secured user input/output mode. On the other hand, the object is reached with such activating means.
In addition, the stated object is reached with a method for selecting a secured user input/output mode in a personal user device, which secured user input/output mode enables a transfer of data protected from an access by an unauthorised application between a user interface of said personal user device and at least one trusted component of said personal user device or connected to said personal user device. The secured user input/output mode is selected according to the invention upon request by a user.
The invention proceeds from the idea that the most reliable way to ensure that a user knows whether a secured input/output mode has been selected or not is to let this mode be activated by the user himself. Thus it is proposed with the personal user device and the method of the invention that a human user can activate the selection of the secured input/output mode which provides a trusted input/output path between the user and trusted components of the system. In order to guarantee a maximum protection, at least for certain actions, like e.g. a digital signing of messages, exclusively a user should be able to activate the selection of the secured user input/output mode. In these cases, activating the secured input/output mode should not be possible for normal and potentially untrusted applications on the device, which makes the device more secure.
The personal user device can select the secured user input/output mode by informing the operating system and/or the hardware of the personal user device about the requested change of mode.
Preferred embodiments of the invention become apparent from the subclaims.
The activating means preferably include a dedicated security button on the personal user device that has to be pressed by a user in order to cause a selection of the secured input/output mode. Such a security button should be clearly identifiable by a user. A security button can moreover be provided with a dedicated driver which is completely unaccessible through user-level programs. If the driver is residing in a flash memory, it is preferably signed by a root key. It is further preferred that the security is based on signed ROM (Read Only Memory) images and keys residing on CPU-ASICs (Central Processing Unit - Application Specific Integrated Circuits) . The security button could be for example the power button or a similarly implemented button that does not utilise the keyboard driver. With a security button as activating means, it is thus possible to achieve a particularly high security.
Alternatively, the activating means can be based on existing devices. It can be requested, e.g. that a specific sequence of keys is pressed, or an option is popping up on the display of the personal user device forming part of the user input/output interface when a predetermined button like a power on/off button is pressed. The display of such an option may also be caused by an application requesting an action that requires a secured input/output mode. The option can be selected by the user again using either a dedicated security button, one or more of regular keys or any other suitable input means .
Preferably, che secured input/output mode can only be activated by the user for predetermined actions requested by an application. Such predetermined actions can be for example signing or decrypting a received message.
In addition to including activating means for enabling a user to determine the beginning of a secured input/output mode, there may also be deactivating means enabling a user to deactivate a secured input/output mode in order to prevent that the user thinks he is still in the secured input/output mode, even though all actions for which the secured input/output mode was selected have been completed and the personal user device has already switched back to a normal mode.
Preferably, the personal user device indicates in addition in some way to the user that a secure mode is active. This may be achieved either by hardware, for example by a special LED of the personal user device, or by software. In the latter case, e.g. a background pattern may be displayed, or colours etc . which are recognisable by the user and not available to untrusted applications. Such a background may even be selectable by the user.
There are several possibilities of realising the secured user input/output mode and, depending on this realisation, different kinds of applications have to be considered to be unauthorised.
In one preferred embodiment, the secured user input/output mode is realised similar as described in the background of the invention, i.e. a dedicated process is run by the selection means. This dedicated process corresponds to the mentioned high priority component run by the trusted user interface. In this case, preferably only the dedicated process is considered to be authorised, while all other applications are considered to be unauthorised. As a consequence, only the dedicated process has access to a user interface while the secured user input/output mode is activated.
In another preferred realisation, however, any application may be considered authorised, as long as it can be identified by some characteristic to be authorised, e.g. by a code signing and/or by the location from which the application is loaded, like an integrated disk of a personal user device, a CD-ROM, or some external server. With respect to a required code signing, it can be checked in particular whether there is any signing at all and, in addition, whether the code signature matches to a specific memory- image text segmen . Some check sum can moreover be checked for determining whether the binary image of the executable program of an application was changed compared to the original binary image, e.g. because they contain a virus. Applications with a changed binary image of their executable program should be considered to be unauthorised regardless of other criteria. A secured user input/output mode is then guaranteed by preventing the secured input/output mode to be selected when any unauthorised application is running. All unauthorised applications detected to be active might be terminated in order to be able to select said secured user input/output mode. Advantageously, however, it is left to the user to decide, whether the unauthorised applications are actually terminated or not, and therefore, whether the secured user input/output mode is to be entered.
In addition it should be prevented in this embodiment of the invention that any unauthorised application is activated as long as the secured input/output mode is selected. Thus a secure runtime environment has to be implemented. With the same effort, an always-on security-mode approach could be realised. All authorised applications, on the other hand, can directly access the user input/output means even during the secured user input/output mode.
In a further preferred embodiment of the invention, when a user actuates the activating means, the executable programs of all applications currently running in the personal user device are first checked for determining whether there is a change in the binary image of the respective executable program, before a secure mode can be selected. The user can then be offered that all applications of which the executable program is considered to have changed are terminated. In case the user signals to terminate all or selected applications of which the executable program is considered to have changed, all or selected ones of these applications are terminated. A change of the binary image can be detected e.g. by comparing a disk image check sum or signature with a memory image check sum or signature.
The invention can be used in all end user terminals which support security features for which an interaction by the user is needed, like e.g. for e-payments. Such terminals may be for example mobile phones or PCs.
BRIEF DESCRIPTION OF THE FIGURES
In the following, the invention is explained in more detail with reference to a drawing which shows schematically an architecture of a personal user device to which the invention is applied.
DETAILED DESCRIPTION OF THE INVENTION
The only figure depicts components of a personal user device that can be used equally for general purposes and for security sensitive transactions. Moreover, the figure shows a user U of this personal user device. The personal user device includes a general purpose operating system 1, a hardware 2 and a trusted user interface 3 comprising a security button. Moreover, the personal user device includes a regular user interface comprising a display and different keys, which is not depicted in the figure. Some elements of the trusted user device 3 and the regular user device are used in common by both devices, e.g. the display. Further, a first application 4 and other applications 5 are installed on the personal user device. Finally, a smart card with critical resources 6 like cryptographic keys has been detachably connected to the personal user device by the user U. Operating system 1, hardware 2 and critical resources 6 are connected to the trusted user interface 3, to the regular user interface and to the applications 4, 5 via a kernel interface 7. Only a high priority component run by the trusted user interface 3, however, has access to connected critical resources 6. The regular and the trusted user interface 3 are further connected with the installed applications 4, 5 via an application program interface 8.
The personal user device has access to other devices, servers or any other kind of systems via an open network. The interface of the personal user device to the open network is not depicted in the figure.
The operating system 1 of the personal user device is a general-purpose operating system which can run applications from different sources, i.e. either from the personal user device itself or from some remote location connected to the personal user device via the open network. During normal operation, applications 4, 5 are able to exchange data directly with the input/output means of the regular user interface via the application program interface 8.
The functioning of the personal user device in accordance with the invention will now be explained for an exemplary situation, in which the first application 4 requests that the user U digitally signs a message received from some other device via the open network.
The application program interface 8 comprises several functions that are responsible for initiating a secured user input/output mode for different security sensitive actions that may be requested by one of the applications 4, 5. One of these functions is for example a sign() function, which initiates a secured user input/output mode, in case an application 4, 5 requests a message to be signed by the user U. Another function may be a decrypt () function, which initiates a secured user input/output mode, in case an application 4, 5 provides an encrypted message that has to be decrypted before it can be read by the user U.
In a first step, the first application 4 invokes the sign() function in the application program interface 8 with the message that is to be signed as a parameter. The application program interface 8 knows now that a secured user input/output mode might be about to be selected by the user U. Invoking the sign() function in the application program interface 8 automatically results in two different actions. On the one hand, the implementation of the sign() primitive displays an information to the user U on the display of the regular user interface via a mailbox type messaging mechanism. The information states that a signature request was received from an application 4 and that signing requires the user U to activate a trusted mode. On the other hand, the function call is registered with the trusted user interface 3, which is implemented in this example as a separate operating system.
In case the user U does not want to sign the message, he presses some predetermined key or keys of the regular user interface. As a result, the application program interface 8 is informed that the requested secured user input/output mode was not selected by the user U and that the normal mode operation continues. The function call registered with the trusted user interface 3 is cancelled. If, in contrast, the user U considers signing the message, he now has to press the security button of the trusted user interface 3 on the personal user device. In an alternative implementation, he might have to press a predetermined sequence of the regular keys of the regular user interface.
As soon as the user U presses the security button, the trusted user interface 3 of the personal user device is informed. To this end, a message including information about the requesting application and about the purpose of the requested secure mode could be written for example to a predetermined location to which the trusted user interface has access. Possibly, the trusted user interface 3 has to be activated first. The trusted user interface 3 now switches to the secured input/output mode. In this mode, only the high priority component of the trusted user interface 3 has control of the user input/output means, as indicated by the dashed line between the user U and the trusted user interface 3. None of the applications 4, 5 can access the user input/output means until the normal input/output mode is re-established. Since moreover only the high priority component of the trusted user interface 3 has access to the critical resources 6 of the connected smartcard, a trusted transfer path has thus been established between the user U and the critical resources 6 via the trusted user interface 3. The secured input/output mode is further indicated to the user U by activating the LED included for this purpose in the personal user device.
The high priority component of the trusted user interface 3 handles the registered function call by displaying the message that is to be signed to the user U on the display now forming part of the trusted user interface, and by asking the user U whether the message should be signed. The user U checks the message and if he decides to sign it, presses a key in the standard user interface indicated in the display together with the message and enters a specific password chosen by the user U at an earlier point of time. In order to obtain a digital signature for the requesting user U from the critical resources 6, the high priority component of the trusted user interface 3 then invokes a sign() system call on the kernel interface 7, including as parameter the message that is to be signed and the password entered by the user U. The kernel interface 7 comprises several such system functions corresponding to the functions of the application programme interface. The smartcard with the critical resources 6 checks the password and, if the password turns out to be correct, calculates the digital signature of the user U for the received message. The high priority component of the trusted user interface 3 receives this digital signature as return value from the critical resources 6 and passes it on to the first application 4 via the application program interface 8. Dashed lines between the critical resources 6 and the first application 4 in the figure indicate the indirect access of the application 4 to the critical resources 6 that was thus realised via the trusted user interface 3. The high priority component of the trusted user interface 3 moreover indicates to the application program interface 8 that the secure mode operation has been completed.
The personal user device turns off the LED indicating the secure mode and re-activates the access of the applications 4, 5 to the regular user interface. The first application 4 and the other applications 5 can now proceed with their normal operation. Thus, the activating means are realised in this example by the security button and functions in the trusted user interface that are able to interpret a pressing of this button. The selection means are realised by the trusted user interface, which informs the operating system and the hardware about the trusted mode activated by the user.
In a second embodiment of a personal user device according to the invention, the secure input/output mode can also be activated by a user, but the selection of the secure user input/output mode is realised in a different way. The personal user device of the second embodiment has a similar design as the personal user device of the first embodiment.
In case a user wants to set the personal user device into the secure input/output mode, he presses the security button. The operating system checks whether any unauthorised applications are currently active. This is done by checking, whether the application has a code signing that can be verified by the personal user device.
If any unauthorised application is found to be running, the operating systems presents an option to the user on a display to terminate all unauthorised applications. In case the user selects this option, all unauthorised applications are terminated.
If no unauthorised application is found to be running or if all unauthorised applications were terminated, the operating system turns on a green LED indicating to the user that the secured input/output mode was selected. While the green LED is on, the operating software prevents that any unauthorised application starts.
Therefore, it is guaranteed that during the secure input/output mode, only authorised applications can access the input/output terminal of the personal user device, since only authorised applications are allowed to be or to start running in this mode.
If any unauthorised application was found to be running and the user does not select the displayed option to terminate all found unauthorised applications, the green LED is not turned on. Thereby, the user knows that the device is in unsecure mode, and that he should not make any payments with the personal user device or carry out any other security sensitive actions.
When the user completed all actions for which he activated the secure input/output mode, he has to press the security button again to terminate the secure input/output mode and to enable unauthorised applications to be run again.
In addition, the user can be given a list of detected unauthorised applications that might contain viruses on the display. An option is presented to the user to erase all or selected ones of these listed applications. In case the user decides to erase one or several of the listed applications, he chooses the presented option indicating the applications selected for erasure, and as consequence, the applications are erased. Before choosing the option, however, he should again press the security button in order to activate the secure input/output mode, since otherwise, the kill prompt windows might be captured.
The first and the second presented embodiments of the invention therefore both enable a selection of a secured input/output mode upon request of a user of a personal user device, only the realisation of the secured input/output mode is different.
In the first embodiment, exclusively a high priority component run by the trusted user interface for any application for which a secure input/output mode is required, has control of the user input/output means during a secured input/output mode. Only this high priority component can therefore be or contain an authorised application, while all other applications are considered as unauthorised applications, which may at the most request the selection of the secured input/output mode via the API.
In the second embodiment, in contrast, there is not necessarily a high priority component run by a trusted user interface. Rather, any application that contains a code signing that proves to be acceptable can have access to the user input/output means during a secured input/output mode. It is only ensured that at this time, all other applications not comprising such a code signature are not allowed to be running by the operating system.

Claims

C l a i s
1. Personal user device with a user interface, with selection means (3) for selecting a secured user input/output mode, which secured user input/output mode enables a transfer of data protected from an access by an unauthorised application (4,5) between said user interface and at least one trusted component (6) of said personal user device or connected to said personal user device, and with activating means (3) which enable a user (U) of said personal user device to cause said selection means (3) to select said secured user input/output mode.
2. Personal user device according to claim 1, wherein said activating means (3) include a dedicated security button and wherein said selection means (3) are designed to select said secured user input/output mode upon pressing of said security button (3) by a user (U) of said personal user device.
3. Personal user device according to claim 1, wherein said activating means (3) are designed to cause said selection means (3) to select a secured user input/output mode upon pressing of a predetermined sequence of buttons belonging to said user interface by a user (U) of said personal user device.
4. Personal user device according to one of claims 1 to 3 , wherein said activating means (3) include displaying means for displaying an option to a user (U) of said personal user device to choose a secured user input/output mode, said selection means (3) selecting said secured user input/output mode when a user (U) chooses upon a display of said option said secured user input/output mode.
5. Personal user device according to one of claims 1 to 4, further including deactivating means which enable a user (U) of said personal user device to cause said selection means (3) to terminate said secured user input/output mode.
6. Personal user device according to one of claims 1 to 5, further including indicating means for indicating to a user (U) of said personal user device that a secured user input/output mode is selected.
7. Personal user device according to one of claims 1 to 6, further including a dedicated process for communicating with the user input/output means during a secured user input/output mode, which dedicated process is run by the selecting means, wherein exclusively said dedicated process is considered an authorised application.
8. Personal user device according to one of claims 1 to 6, further including means for checking, when a user activates said activating means, whether any application currently run by said personal user device has to be considered to be an unauthorised application, wherein said selection means are only enabled to select said secured user input/output mode after receiving an indication from said means for checking that no unauthorised application is currently active.
9. Personal user device according to claim 8, wherein the means for checking whether any application currently run by said personal user device has to be considered to be an unauthorised application consider an application to be unauthorised in case it does not contain a required code signature and/or in case its executable program is not located at a requested location and/or it is determined that the binary image of its executable program was changed.
10. Personal user device according to one of claims 8 to 9, further including terminating means for terminating all active unauthorised applications, wherein the means for checking whether any application currently run by said personal user device has to be considered to be an unauthorised application indicates after termination of all active unauthorised applications to the selection means that no unauthorised application is currently active.
11. Personal user device according to claim 10„ wherein the terminating means only terminate active unauthorised applications upon a request by a user of the personal user device.
12. Personal user device according to one of claims 8 to 11, further including controlling means for preventing unauthorised applications to be activated during a secured user input/output mode.
13. Personal user device according to one of claims 1 to 12, further including detection means for detecting whether the binary image of an executable program of applications running on the personal user device has been changed when a user actuates said activating means, and for presenting an option to the user to terminate all applications of which the executable program is considered to contain a changed binary image, and terminating means for terminating all or selected ones of said applications of which the executable program is considered to contain a changed binary image.
14. Activating means for a personal user device according to one of claims 1 to 13.
15. A method for selecting a secured user input/output mode in a personal user device, which secured user input/output mode enables a transfer of data protected from an access by an unauthorised application (4,5) between a user interface of said personal user device and at least one trusted component (6) of said personal user device or connected to said personal user device, wherein said secured user input/output mode is selected upon request by a user (U) .
16. Method according to claim 15, wherein said secured user input/output mode can be requested by a user (U) by pressing a dedicated security button (3) .
17. Method according to claim 16, wherein said secured user input/output mode can be requested by a user (3) by pressing a predetermined sequence of buttons of said user interface.
18. Method according to one of claims 15 to 17, wherein said secured user input/output mode can be requested by a user (3) by selecting a displayed option.
19. Method according to one of claims 15 to 18, wherein said secured user input/output mode is allowed to be requested by a user (U) only when an applications (4) requests an action for which said secured user input/output mode is predetermined to be required.
20. Method according to one of claims 15 to 19, wherein said secured user input/output mode is terminated upon request by a user (U) .
21. Method according to one of claims 15 to 20, wherein while said secured user input/output mode is selected, the selection of said secured user input/output mode is indicated by indicating means.
22. Method according to one of claims 15 to 21, wherein exclusively a dedicated process for communicating with the user input/output means during a secured user input/output mode, which dedicated process is run by the selecting means, is considered as authorised application.
23. Method according to one of claims 15 to 21, further including upon a request by a user to select a secured input/output mode determining whether any unauthorised application is currently active, said secured user input/output mode being selected only in case no unauthorised application is determined to be currently active.
24. Method according to claim 23, wherein each application which does not comprise a required code signature and/or which was not loaded from a predetermined location is considered to be unauthorised.
25. Method according to claim 23 to 24, wherein each active application for which it is determined that the binary image of its executable program has been changed is considered to be unauthorised.
26. Method according to one of claims 23 to 25, wherein all unauthorised applications detected to be active after a request by a user to select a secure input/output mode are terminated in order to be able to select said secured user input/output mode .
27. Method according to claim 26, wherein all unauthorised applications detected to be active after a request by a user to select a secure input/output mode are terminated upon a request by a user to terminate said applications.
28. Method according to one of claims 23 to 27, wherein, while a secured user input/output mode is selected, all applications considered to be unauthorised are prevented from being activated.
29. Method according to one of claims 15 to 28, wherein the binary image of the executable programs of all currently running applications in the personal user device is checked for changes upon a request by a user to select the secured user input/output mode, and wherein the user is being offered that all checked applications of which the binary image of the executable program was determined to be changed terminated, and wherein in case the user requests to terminate all or selected applications of which the binary image of the executable program was determined to be changed, terminating all or selected applications of which the binary image of the executable program was determined to be changed.
PCT/EP2001/007331 2001-06-27 2001-06-27 Personal user device and method for selecting a secured user input/ output mode in a personal user device WO2003003170A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2001/007331 WO2003003170A1 (en) 2001-06-27 2001-06-27 Personal user device and method for selecting a secured user input/ output mode in a personal user device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2001/007331 WO2003003170A1 (en) 2001-06-27 2001-06-27 Personal user device and method for selecting a secured user input/ output mode in a personal user device

Publications (1)

Publication Number Publication Date
WO2003003170A1 true WO2003003170A1 (en) 2003-01-09

Family

ID=8164470

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2001/007331 WO2003003170A1 (en) 2001-06-27 2001-06-27 Personal user device and method for selecting a secured user input/ output mode in a personal user device

Country Status (1)

Country Link
WO (1) WO2003003170A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003100580A1 (en) * 2002-05-28 2003-12-04 Symbian Limited Trusted user interface for a secure mobile wireless device
WO2005106679A1 (en) 2004-04-30 2005-11-10 Research In Motion Limited System and method for content protection on a computing device
WO2008012567A1 (en) 2006-07-28 2008-01-31 Hewlett-Packard Development Company, L.P. Secure use of user secrets on a computing platform
JP2008546288A (en) * 2005-05-25 2008-12-18 クゥアルコム・インコーポレイテッド Apparatus and method for protecting data on a wireless device
GB2453518A (en) * 2007-08-31 2009-04-15 Vodafone Plc Telecommunications device security
JP2010118010A (en) * 2008-11-14 2010-05-27 Nomura Research Institute Ltd Information acquisition mediating program, operating system, and information acquisition mediating method
US7831840B1 (en) * 2005-01-28 2010-11-09 Novell, Inc. System and method for codifying security concerns into a user interface
US8156488B2 (en) 2004-10-20 2012-04-10 Nokia Corporation Terminal, method and computer program product for validating a software application
US9734313B2 (en) 2014-06-16 2017-08-15 Huawei Technologies Co., Ltd. Security mode prompt method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0587375A2 (en) * 1992-09-04 1994-03-16 ALGORITHMIC RESEARCH Ltd. Security unit for data processor systems
US5822435A (en) * 1992-07-10 1998-10-13 Secure Computing Corporation Trusted path subsystem for workstations
WO2001010079A1 (en) * 1999-07-29 2001-02-08 Safe Technology Co., Ltd. Adapter having secure function and computer secure system using it

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5822435A (en) * 1992-07-10 1998-10-13 Secure Computing Corporation Trusted path subsystem for workstations
EP0587375A2 (en) * 1992-09-04 1994-03-16 ALGORITHMIC RESEARCH Ltd. Security unit for data processor systems
WO2001010079A1 (en) * 1999-07-29 2001-02-08 Safe Technology Co., Ltd. Adapter having secure function and computer secure system using it

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003100580A1 (en) * 2002-05-28 2003-12-04 Symbian Limited Trusted user interface for a secure mobile wireless device
US8190913B2 (en) 2004-04-30 2012-05-29 Research In Motion Limited System and method for content protection on a computing device
WO2005106679A1 (en) 2004-04-30 2005-11-10 Research In Motion Limited System and method for content protection on a computing device
EP1743246A1 (en) * 2004-04-30 2007-01-17 Research In Motion Limited System and method for content protection on a computing device
EP1743246A4 (en) * 2004-04-30 2007-11-07 Research In Motion Ltd System and method for content protection on a computing device
US8700920B2 (en) 2004-04-30 2014-04-15 Blackberry Limited System and method for content protection on a computing device
US8584118B2 (en) 2004-10-20 2013-11-12 Nokia Corporation Terminal, method and computer program product for validating a software application
US8156488B2 (en) 2004-10-20 2012-04-10 Nokia Corporation Terminal, method and computer program product for validating a software application
US7831840B1 (en) * 2005-01-28 2010-11-09 Novell, Inc. System and method for codifying security concerns into a user interface
JP2008546288A (en) * 2005-05-25 2008-12-18 クゥアルコム・インコーポレイテッド Apparatus and method for protecting data on a wireless device
WO2008012567A1 (en) 2006-07-28 2008-01-31 Hewlett-Packard Development Company, L.P. Secure use of user secrets on a computing platform
US8332930B2 (en) 2006-07-28 2012-12-11 Hewlett-Packard Development Company, L.P. Secure use of user secrets on a computing platform
CN101523401B (en) * 2006-07-28 2013-03-06 惠普开发有限公司 Secure use of user secrets on a computing platform
GB2453518A (en) * 2007-08-31 2009-04-15 Vodafone Plc Telecommunications device security
US9049597B2 (en) 2007-08-31 2015-06-02 Vodafone Group Plc Telecommunications device security
JP2010118010A (en) * 2008-11-14 2010-05-27 Nomura Research Institute Ltd Information acquisition mediating program, operating system, and information acquisition mediating method
US9734313B2 (en) 2014-06-16 2017-08-15 Huawei Technologies Co., Ltd. Security mode prompt method and apparatus
US9892246B2 (en) 2014-06-16 2018-02-13 Huawei Technologies Co., Ltd. Security mode prompt method and apparatus

Similar Documents

Publication Publication Date Title
US7313705B2 (en) Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory
US10229410B2 (en) Method and device for end-user verification of an electronic transaction
US7366916B2 (en) Method and apparatus for an encrypting keyboard
US6581162B1 (en) Method for securely creating, storing and using encryption keys in a computer system
EP1159662B2 (en) Smartcard user interface for trusted computing platform
US9336393B2 (en) System and method for protecting files stored on an electronic device
EP2648129B1 (en) Method and apparatus for securing touch input
EP1085396A1 (en) Operation of trusted state in computing platform
US20030200445A1 (en) Secure computer system using SIM card and control method thereof
JP2006179011A (en) Data processing device, communication terminal apparatus, and data processing method using data processor
WO2005101977A2 (en) Multi-factor security system with portable devices and security kernels
EP1789873A2 (en) Non-intrusive trusted user interface
US8135383B2 (en) Information security and delivery method and apparatus
CN116097692A (en) Augmented reality information display and interaction via NFC-based authentication
EP1331600A2 (en) Memory card
WO2003003170A1 (en) Personal user device and method for selecting a secured user input/ output mode in a personal user device
Spalka et al. Protecting the creation of digital signatures with trusted computing platform technology against attacks by trojan horse programs
WO2005119397A1 (en) Controlling access to a secure service by means of a removable security device.
US20230020873A1 (en) Device driver for contactless payments
US10845990B2 (en) Method for executing of security keyboard, apparatus and system for executing the method
WO2023040451A1 (en) Resource transfer
CN114219055B (en) Bar code generation method, bar code verification method and payment system
US11507958B1 (en) Trust-based security for transaction payments
Jansen et al. A Unified Framework for Mobile Device Security.
US20080276094A1 (en) Communication terminal device, server apparatus, data management method and recording medium

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP