CA1238716A - Security device for the secure storage of sensitive data - Google Patents
Security device for the secure storage of sensitive dataInfo
- Publication number
- CA1238716A CA1238716A CA000496860A CA496860A CA1238716A CA 1238716 A CA1238716 A CA 1238716A CA 000496860 A CA000496860 A CA 000496860A CA 496860 A CA496860 A CA 496860A CA 1238716 A CA1238716 A CA 1238716A
- Authority
- CA
- Canada
- Prior art keywords
- signal
- responsive
- memory
- housing
- sensitive data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Classifications
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L23/00—Details of semiconductor or other solid state devices
- H01L23/57—Protection from inspection, reverse engineering or tampering
- H01L23/576—Protection from inspection, reverse engineering or tampering using active circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/86—Secure or tamper-resistant housings
- G06F21/87—Secure or tamper-resistant housings by means of encapsulation, e.g. for integrated circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2143—Clearing memory, e.g. to prevent the data from being stolen
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L2924/00—Indexing scheme for arrangements or methods for connecting or disconnecting semiconductor or solid-state bodies as covered by H01L24/00
- H01L2924/0001—Technical content checked by a classifier
- H01L2924/0002—Not covered by any one of groups H01L24/00, H01L24/00 and H01L2224/00
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S257/00—Active solid-state devices, e.g. transistors, solid-state diodes
- Y10S257/922—Active solid-state devices, e.g. transistors, solid-state diodes with means to prevent inspection of or tampering with an integrated circuit, e.g. "smart card", anti-tamper
Abstract
SECURITY DEVICE FOR THE SECURE
STORAGE OF SENSITIVE DATA
Abstract of the Disclosure A device is disclosed for securely housing and protecting microelectronic circuitry in order to prevent external access to sensitive data stored therein. In a preferred embodiment of the invention, the device includes a ceramic housing which encases electronic circuitry. The ceramic housing is com-prised of a plurality of individual parts selectively connected together, with each of the parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon. The electronic circuitry includes a memory for storing sensitive data therein and a tamper detection circuit. The tamper detection circuit includes a conductive path selec-tively provided through the plurality of ceramic layers of each of the plurality of individual parts and is responsive to any attempt to penetrate the ceramic housing which damages the conductive path for clearing the memory of any sensitive data stored therein. The tamper detection circuit further in-cludes a low temperature sensing circuit which is responsive to a decrease in temperature in the ceramic housing below a preselected reference temperature for causing the tamper detection circuit to also clear the memory of any sensitive data stored therein.
STORAGE OF SENSITIVE DATA
Abstract of the Disclosure A device is disclosed for securely housing and protecting microelectronic circuitry in order to prevent external access to sensitive data stored therein. In a preferred embodiment of the invention, the device includes a ceramic housing which encases electronic circuitry. The ceramic housing is com-prised of a plurality of individual parts selectively connected together, with each of the parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon. The electronic circuitry includes a memory for storing sensitive data therein and a tamper detection circuit. The tamper detection circuit includes a conductive path selec-tively provided through the plurality of ceramic layers of each of the plurality of individual parts and is responsive to any attempt to penetrate the ceramic housing which damages the conductive path for clearing the memory of any sensitive data stored therein. The tamper detection circuit further in-cludes a low temperature sensing circuit which is responsive to a decrease in temperature in the ceramic housing below a preselected reference temperature for causing the tamper detection circuit to also clear the memory of any sensitive data stored therein.
Description
~3~37~;
SECURITY DEVICE FOR THE SF.CUP~E
S'rORAGE OF SENSIT_VE DPITP.
BACKGROUND OF THE INVENTION
1. Field of the Invention The present invention relates to various means for housing and protecting microelectronic circuitry in order to prevent external access to sensitive data stored therein.
SECURITY DEVICE FOR THE SF.CUP~E
S'rORAGE OF SENSIT_VE DPITP.
BACKGROUND OF THE INVENTION
1. Field of the Invention The present invention relates to various means for housing and protecting microelectronic circuitry in order to prevent external access to sensitive data stored therein.
2. ~escription o~ the Prior Art Several known prior art techniques have been proposed for providing a housing for microelectronic circuitry.
British Paten~ Specification No. 1, 245,710 discloses a case containing a semiconductor integrated element. The case is comprised of a bottom plate, a middle plate and an upper or sealing plate. The integrated element is disposed in a recess in the bottom plate, which bottom plate is comprised of a plurality of ceramic sheets having preselected conduc-tive leads and conducting layers selectively provided thereon. Connections between the paths on the ceramic sheets are selectively made by way of preselected perforated holes through the sheets to the conducting layers and conductiny leads. The middle plate is ~ixed between the bottom plate and the upper or seal-ing plate to complete the enclosure of the semiconduc-tor integrated elements. The conductive leads are fed out of the case for external connections.
British Patent Specification 2,077,036A
discloses a multi-layer ceramic package comprised of multi-layers o~ ceramic substrate on which conductive patterns are selectively placed. The conducti~e patterns on the various ceramic layers are selectively connected to each other by plated through holes or tunnels. An array of chips, bonded on one o~ the ceramic substrates, is interconnected by way of wire -` " ;
, 12;~7~6 bondings through lands disposed between and separating the chips.
Neither of the two above-identified British Patent Specifications l,245,710 and 2,077,036A provides any protection from the unauthorized access of sensi-tive data that may be stored in the microelectronics circuitry located in its associated housing. To solve this problem, the following known prior art techniques have been proposed.
Ericsson, a company located in Sweden, has proposed a security module to physically protect electronic components, and information stored in such electronic components, from unauthorized analysis and manipulation by physically encapsulating such electronic components. These encapsulated blocks are called Ericsson SEC modules. Ericsson states that such SEC modules effectively protect algorithm sequences, semi-processed data and algorithm keys used in PIN
(personal identification number) verification by storing certain information in a volatile RAM (random access memory). Ericsson further states that the encapsulation of the SEC module and a key pad is designed in sueh a way that it is impossible, even by a combination of chemical and physical attacks, to gain access to the secret data (i.e., algorithm keys) stored in the volatile RAM because this information would be destroyed if the SEC module were attacked.
Eurther information on the SEC module and how such protection of the secret data is achieved is unavailable to the applicant of the instant invention, since Eriesson has internally classified the design drawings and documentation for the sensitive parts of the SEC module and has only allowed authorized persons to have access to such information.
~, ' ~3~
- 2a -PCT Application No. WO84/04614, published November 22, 1984, discloses a data security device which includes a closed prestressed glass container within which are a data ".~ .
.
. ~
~.
~Z3~7~t;
processor and a volatile memory for storing encryption key data. A power supply for the memory is connected to the memory by way of one or more conductors which wind over the entire inside surface of the closed container. As a result, a breaking into the closed container will break a conductor, removing power from the memory and thereby destroying the data stored in the memory.
German Offenlegungsschrift No. 3~023,427 discloses a secure mobile data storage unit which includes solid state electronic memories contained within a tamperproof housing and pressure difference sensors built into the housing to detect any unauthor-ized entry into the housing and to initiate the era-sure of data stored in thP memories after such detec-tion.
The background art known to applicant at the time of the filing of this application is as follows:
British PatPnt Specification 1,245,710, Case For Containing A Semiconductor Element;
British Patent Specification 2,077,036A, Multi-Layer Ceramic Package For Semiconductor Chip;
A publication on the Ericsson SEC module;
PCT Application No. WO84/04614, Data Security Device; and German Offenlegungsschrift No. 3,023,427, Mobile Data Storage Unit.
Summary of the Invention Briefly, a device is disclosed for providing secure storage of sensitive data and preventing any attempt to read that sensitive data out after it has been stored.
In accordance with one aspect of the invention, there is provided a device ~or the secure s~ora~e of sensitive data, said device comprising, in combination, an enclosed housing, a memory contained .
.
.
within said housing for storing sensitive data there-in; low temperature sensing means contained within said housing and being responsive to a decrease in temperature in said housing below a preselected refer-ence temperature for developing a first signal; and means contained within said housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
In accordance with another aspect of the invention, there is provided a device for the secure storage of sensitive data, said device comprising, in combination, a ceramic housing comprised of a plurali-ty of individual parts selectively connected together, each of said parts being comprised of a ceramic sub-strate and a plurality of ceramic layers disposed thereon; and electronic circuitry contained within said ceramic housing, said electronic circuitry in-cluding a memory for storing sensitive data therein and a tamper detection circuit, said tamper detection circuit including a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es said first conductive path for clearing said memory of any sensitive data stored therein.
In accordance with another aspect of the invention, there is provided a device for the secure storage of sensitive data, said device comprising in combination, a ceramic housing comprised of a plurali-ty of individual parts selectively connected together into a preselected configuration, each of said parts being comprised of a ceramic substrate and a plurality of ceramlc layers disposed thereon; a memory contained within said ceramic housing for storing sensitive da a therein; a first conductive pa~h selectively provided through said plurality of ceramic layers of each of : : ' ~87~
- s said plurality of individual parts; sensing means contained within said ceramic housing and being cou-pled to said first conductive path, said sensing means being responsive to any attemp~ to penetrate said ceramic housing which damages said first conductive path for generating a irst signal; and means con-tained within said ceramic housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
Brief Description of the Drawin~s Various objects, features and advantages of the invention, as well as the invention itself, will become more apparent to those skilled in the art in the light of the following de~ailed description taken in consideration with the accompanying drawings where-in like reference numerals indicate like or corre-sponding part.s throughout the several views and where-in:
FIG. 1 is an illustration of the assembled device or module of the invention;
FIG. 2 is an exploded perspective view of the various parts of the housing of the device of FIG. 1;
FIGS. 3A, :~Al, 3B, 3Bl, 3B2, 3C, 3Cl, 3C2 and 3D are exemplary illustrations of how three conductive layers separated by two insulating layers are selec-tively deposited on a ceramic substrate and connected together to form any one of the parts Pl-P6 of FI~. 2;
FIG. 4 is a partial sectional view of the housing 17 of Fig. l;
FIGS. 5A and 5B together show the islands and conductive paths in conductive layer 3 for each of the parts shown in FIG. 2;
FIGS. 6A and 6B together show the conductive paths in conductive layer 2 for each of the parts shown in FIG. 2;
.' ~3~
FIGS. 7A and 7B together show the conductive paths in conductive layer 1 for each of the parts shown in FIG. 2;
FIG. 8 shows the connections of the conductive paths in FIGS. 7A and 7B by way of pre-selec~ed connections and islands in FIGS. 5A and 5B to form a first conductive path designated as WMI, and further shows the conn~ctions of the conductive paths in FIGS. 6A and 6B by way of preselected connections and islands in FIGS. 5A and 5B to form a second con-ductive path designated as WM2;
FIG. 9 is a schematic block diagram of the electronic circuitry contained within the device of FIGo l;
FIG. 10 is a functional block diagram illus~rating how the key storage key (RSK) is generat-ed and how the KSK is utilized in loading REYS and in encrypting and decrypting data;
FIG~ 11 is a schematic block diagram of the tamper detection circuitry of. FIG. 9.
Description of the Preferred Embodiment Referriny now to the drawings, Fig. 1 illustrates an exemplary form of a security device 11 of the invention. A plurality of conductors 12 con-nected to a plurality of pins 13 are shown on both sides of a bottom part 15 of a housing 17 of the device 11 for connecting the device 11 to external electronic equipment ~not shown). The housing 17 is preferably comprised of ceramic, since a ceramic housing cannot be penetrated by chemicals due to the fact ceramic will not dissolve.
An exploded perspective view of the various parts of the housing 17 o the device 11 is illustrat-ed in Fig. 2. As shown~ the housing 17 is comprised of a top part or cover Pl, side parts P2 through P5 and a bottom part P6r Coupled to the bot~om part P6 .
:
.. .
, -.
.
.
'~ ~ 3 ~
by way of surface mounting pins (not shown) is elec tronic circuitry 19 which is encased within the hous-ing 17 for security and protection.
Each of the parts Pl-56 is comprised of a ceramic substrate having three conductive layers separated by two nonconductive or insulating layers, with all layers being deposited on the ceramic sub-strate by a conventional screening technique using conventional thick film techniques~ Figs. 3A, 3Al, 3B, 3Bl, 3B2, 3C, 3Cl, 3C2 and 3D illustrate how three conductive layers separated by two insulating layers are selectively deposited on a ceramic substrate and connected together to form any one of the parts Pl-P6.
Scre~ns tFIGS. 3Al, 3Bl, 3B2, 3Cl and 3C2) with very small holes (where the diameter of a hole may be equal to approximately 300 micrometers) are used to deposit conductive or insulating paste on a ceramic substrate 20 (Fig. 3D). For every conductive layer and insulating layer a different screen is prepared. After each screening the layered ceramic part 20 is heated up to 800 degrees centigrade to harden ~he just deposited paste.
FIG. 3A illustrates the first conductlve layer Ll to be deposited on the ceramic substrate 20.
As shown in FIG. 3A, Ll is comprised of one track 21.
FIG. 3Al illustrates the screen that is plac~d on the ceramic substrate 20 and used to deposit the layer Ll on the ceramic substrate 20. The screen of FI~. 3Al is the negative of the required layer Ll. The shaded area 22 in FIG. 3Al is blocked off with a polymer (not shown) so ~hat a conductive paste (not shown) can only pass through an open area 211 to form the track 21 of the layer Ll on the ceramic substrate 20. Layer Ll is then hardened at 800 degrees centigrade in an oven.
The thickness of the track 21 of layer Ll is about 10 micrometers.
. , , . ' ~2~37~
Points or areas 1.1, 1.2 and 1~3 on layer Ll of FIG. 3A are then blocked off with a polymer using the screen shown in FIG. 3B, because these areas have to be selectively connected later to subsequently laid conductive layers (L2 and L3)o Insulating paste is now screened over the assembly of FIG. 3A and the assembly of FIG. 3A is heated up again to 800 degrees centigrade to harden it.
FIG. 3B illustrates the second conductive layer (L2) to be deposited on the hardened assembly of FIG. 3A by using the screen shown in FIG. 3B2. As shown in FIG. 3B layer L2 is comprised of two tracks 23 and 24. The screen of FIG. 3B2 is the negative of the pattern of FIG. 3B. The shaded area 25 of FIG. 3B
is blocked off again with a polymer. After screening with conductive paste throu~h open areas 231 and 241 and heating the hardened assembly of FIG. 3B, connec-tions are made between points lol of FIG. 3A and 2~1 of FIG. 3B and between points 1.2 of FIG. 3A and 2.2 of FIG. 3B. Note that the track 23 of FIG. 3B ~rosses over the track 21 of FIG. 3A.
Insula~ing layer two (FIG. 3D) is needed to enable the deposition of the third conductive layer L3. The laying of these two layers is accomplished by using the screens of FIGS. 3Cl and 3C2 in a manner similar to that previously described with respect to FIGS. 3Bl and 3B2. After the insulating layer two and layer L3 are laid or deposited, the pattern of ~3 results, as shown in FIG. 3C. As shown in FIG. 3C, L3 is comprised of two tracks 26 and 27 which are respec-tively connected to square islands 3.6 and 3.7.
Island 3.6 in layer L3 of FIG. 3C is connected to point 1.3 of Ll in FI5. 3A through the hole 31 in insulating layer 2 and the hole 28 in insulating layer one. On the other hand, island 3.7 in layer L3 of FIG. 3C iS connected via point 3.5 in layer L3 of FIG.
3C to point 2.5 in layer L2 of FIG. 3B. In addition, :, .
.
.
- . .
~3~6 g island 3.7 in layer L3 oE FIG. 3C is also connected via point 3.4 in layer L3 to point 2.~ in layer L2 of FIG. 3B.
FIG. 3D illustrates a sectional view of connections between layers or tracks L3 and Ll and between layers or tracks L2 and Ll. The ceramic substrate 20 is approximately 700 micrometers thick and each of the conductive and insulatin~ layers is only about 10 micrometers thick. The width of each of the tracks ~1, L2 and L3 is about 300 micrometers.
Figs. 5A and 5B illustrate the conductive layer 3 patterns of the respective parts Pl-P6r which patterns are deæigned as L3Pl-~3P6. The conductive layers 1, 2 and 3 are selectively connected together at preselected islands or connection points. ~or example, islands 33 and 35 of conductive layer 3 are resp~ctively connected to conductive layers 2 and 1 by conductive epoxy 31. The assembly of Fig. 3E is then put into an oven (not shown) and heated to a~out 800 degrees-C for the proper duration of time in order to harden the conductive layer 3 and the conductive epoxy 31.
Referring now back to Fig. 2, the parts Pl-P6 are assembled together into the housing 17 of Fig~ 1 in the following manner. Initially the top part Pl is sequentially glued to side parts P2-P5. E~irst, ex-posed islands on part P~ are respectively electrically connected to associated exposed islands on part Pl with conductive epoxy. In a similar manner, exposed islands on part P3 are respectively electrically connected to associated exposed islands on part Pl with conductive epoxy; exposed islands on part P4 are xespectively electrically connected to associated exposed islands on part Pl with conductive epoxy; and exposed islands on part P5 are respectively electri-cally connected to associated exposed islands o~ part Pl with conductive epoxy. Conductive epoxy is next - . .
. .
. ~ , , ', ~ ' ' ~23~7~t~
p].aced on the remaining exposed islands on the assem-bly of parts Pl-P5~ Then the assembly of parts Pl-P5 is properly oriented with respect to part P6 and gently placed onto part P6 to electrically connect the remaining lslands on part P6 with the remaining uncon-nected islands on the assembly of parts Pl-P5. After the assembly of parts Pl-P6 is electrically connected together at associated islands to form the housing 17 (FIG~ 1~, as described above, nonconductive epo~y is applied along the lines between adjacent pairs of the parts Pl-P6 to seal any gaps between adjacent pairs of the parts Pl-P6 and to provide additional strength for the housing 17.
Fig~ 4 is a partial sectional view of the completed housing 17 showing the connection of an island 37 on layer 3 of part 2 tL3P2) with an island 39 on layer 3 of part 1 (L3Pl) by means of conductive epoxy 31, and the further gluiny of the parts Pl and P2 together with nonconductive epoxy 41.
An additional layer of ceramic (not shown) is mounted onto the bottom part P6 to hold the electronic circuitry l9o The electronic circuitry 19 is then mounted on~o this additional layer of ceramic by way of surface mounting pins (not shown). Any necessary contacts between the conductive layer 3 and the elec-tronic circuitry 19 are connected together with sur-face mounting pins (not shown)O Then the assembled structure of parts Pl-P5 is glued to bottom part P6, with the associated exposed islands between the assem-bly of parts Pl-P5 and the bottom part P6 being con-nected together with conductive epoxy before the entire assembly of parts Pl-P6 is sealed all over with nonconductive epoxy, as discussed before~ As men-tioned before, the plurality of leads 12 and plurality of contacts 13 (shown in Fig. 1) are all on part P6.
The formation of first and second continuous conductive paths ~M1 (wire mesh 1~ and WM2 (wire mesh ~238~
2) through the parts Pl-P6 of the ceramic housing 17 (Fig. 1) will be explained ~y now referring to Figs.
5A, 5B, 6A, 6B, 7A, 7B and 8.
Figs. 5A and 5B together show the islands and conductive paths in conductive layer 3 ~L3) for each of the parts Pl-P6 shown in Fig. 2. The Figs. 6A and 6B together show the conductive paths in conductive layer 2 (L2) for each of the parts Pl-P6 shown in Fig.
2. Similarly, Figs~ 7 A and 7B together show the conductiYe paths in conductive layer 1 (Ll) for each of the parts Pl-P6 shown in Fig. 2. Finally, Fig. 8 shows the connections of the conductive paths in Figs.
7A and 7s by way of preselected connections and is-lands in Figs. 5A and SB to form the first continuous conductive path WMl and also shows the connections of the conductive paths in Figs. 6A and 6B by way o~
preselected connections and islands in Figs. 5A and 5B
to form the second continuous conductive path WM2.
As shown in Figs. 5B and 8, pins A and C are respectively the input and output pins of WM2. Simi-larly, pins B and D are respectively the input and output pins of WMl. These pins A, B, C and D are internally connected to leads (not shown) which are coupled through surface mounting pins (not shown) to the group of pins 13 (Fig. 1).
The alphanumerically identified squares in Figs. 5 A and 5B (such as BDl in Fig. 5A3 represent islands to be connected~ while the alphanumerically identified circles in Figs. 5A, 5B, 6A, 6B, 7A and 7B
(suh as ACl in Fig. 5A) represent connection points.
By using Fig. 8 as a guide it can be readily seen in Figs. 5A, 5B, 7A and 7B that the line BD (or continuous conductive path WMl) from pin B (Fig. 5A) to pin D (Fig. 5A) sequentially passes through a zig-zag conductive path through the conductive layers LlP2 (Fig. 7B), LlP3 (Fig. 7B), LlPl ~Fi~. 7B), LlP5 (Fig.
7B), LlP4 (Fig. 7B) and LlP6 (Fig. 7A) via the islands , .
'. ~ .
,. . . ~ . .
. , : :' .
and connection points BDl-BD30 and lines 43-47.
5imilarly, by using Fig. B as a guide, it can be readily seen in ~i~s. 5A, 5B, 6~ and 6B that the line AC (or continuous conductive path WM2) from pin A
(Fig. 5A~ to pin C (Fig. 5A~ sequentially passes through a zig-zag conductive path through the ~onduc-tive layers L2P6 ~Fig. 6A~, L2P4 (Fig. 6B), L2P5 (Fig.
6B), L2Pl ~Fig. 6B), L2P3 (Fig. 6B) and L2P2 (Fig. 6B) via the islands and connection points ACl-AC39 and lines 51-64.
Referring to Fig. 9, the electronic circuitry 19 of Fig. 2 will now be discussed in more detail.
The electronic circuitry 19 includes data processing circuitry 67 and tamper detection circuitry 69.
The data processing circuitry 67 can be utilized to perform any desired data processing opera-tion in such applications as, for example, electronic payment systems, electronic fund transfers, data encryption/decryption, PIN (personal identification number) verification, data transmission/reception, access control and home banking. The data proce~sing circuitry 67 includes a processor 71 for selectiv~ly controlling the operation of the electronic circuitry 19 in resporlse to input data and instructions, a timing and control circuik 73 for controlling the operation of the processor 71, a programmable read only memory (PROM) 75 for storing the software progr~
to be executed by the processor 71, a random access memory (RAM) 77 for providing a temporary memory storage, a volatile memory 79 for permanently storin~
the most sensitive or secure data such as a key stor-age key (~SK~ (to be explained)l a random number generator 81 and an input/output (I/O) unit 83.
A data, control and address bus 85, bidirectional I/O bus 87 and I/O lines 89 and 91 are coupled to the processor 71, timing and control cir-cuit 73, PROM 75~ RAM 77 and I/O unit B3 to enable the , ,:
' ' ' ' . ' . ' , ~
.
.~
British Paten~ Specification No. 1, 245,710 discloses a case containing a semiconductor integrated element. The case is comprised of a bottom plate, a middle plate and an upper or sealing plate. The integrated element is disposed in a recess in the bottom plate, which bottom plate is comprised of a plurality of ceramic sheets having preselected conduc-tive leads and conducting layers selectively provided thereon. Connections between the paths on the ceramic sheets are selectively made by way of preselected perforated holes through the sheets to the conducting layers and conductiny leads. The middle plate is ~ixed between the bottom plate and the upper or seal-ing plate to complete the enclosure of the semiconduc-tor integrated elements. The conductive leads are fed out of the case for external connections.
British Patent Specification 2,077,036A
discloses a multi-layer ceramic package comprised of multi-layers o~ ceramic substrate on which conductive patterns are selectively placed. The conducti~e patterns on the various ceramic layers are selectively connected to each other by plated through holes or tunnels. An array of chips, bonded on one o~ the ceramic substrates, is interconnected by way of wire -` " ;
, 12;~7~6 bondings through lands disposed between and separating the chips.
Neither of the two above-identified British Patent Specifications l,245,710 and 2,077,036A provides any protection from the unauthorized access of sensi-tive data that may be stored in the microelectronics circuitry located in its associated housing. To solve this problem, the following known prior art techniques have been proposed.
Ericsson, a company located in Sweden, has proposed a security module to physically protect electronic components, and information stored in such electronic components, from unauthorized analysis and manipulation by physically encapsulating such electronic components. These encapsulated blocks are called Ericsson SEC modules. Ericsson states that such SEC modules effectively protect algorithm sequences, semi-processed data and algorithm keys used in PIN
(personal identification number) verification by storing certain information in a volatile RAM (random access memory). Ericsson further states that the encapsulation of the SEC module and a key pad is designed in sueh a way that it is impossible, even by a combination of chemical and physical attacks, to gain access to the secret data (i.e., algorithm keys) stored in the volatile RAM because this information would be destroyed if the SEC module were attacked.
Eurther information on the SEC module and how such protection of the secret data is achieved is unavailable to the applicant of the instant invention, since Eriesson has internally classified the design drawings and documentation for the sensitive parts of the SEC module and has only allowed authorized persons to have access to such information.
~, ' ~3~
- 2a -PCT Application No. WO84/04614, published November 22, 1984, discloses a data security device which includes a closed prestressed glass container within which are a data ".~ .
.
. ~
~.
~Z3~7~t;
processor and a volatile memory for storing encryption key data. A power supply for the memory is connected to the memory by way of one or more conductors which wind over the entire inside surface of the closed container. As a result, a breaking into the closed container will break a conductor, removing power from the memory and thereby destroying the data stored in the memory.
German Offenlegungsschrift No. 3~023,427 discloses a secure mobile data storage unit which includes solid state electronic memories contained within a tamperproof housing and pressure difference sensors built into the housing to detect any unauthor-ized entry into the housing and to initiate the era-sure of data stored in thP memories after such detec-tion.
The background art known to applicant at the time of the filing of this application is as follows:
British PatPnt Specification 1,245,710, Case For Containing A Semiconductor Element;
British Patent Specification 2,077,036A, Multi-Layer Ceramic Package For Semiconductor Chip;
A publication on the Ericsson SEC module;
PCT Application No. WO84/04614, Data Security Device; and German Offenlegungsschrift No. 3,023,427, Mobile Data Storage Unit.
Summary of the Invention Briefly, a device is disclosed for providing secure storage of sensitive data and preventing any attempt to read that sensitive data out after it has been stored.
In accordance with one aspect of the invention, there is provided a device ~or the secure s~ora~e of sensitive data, said device comprising, in combination, an enclosed housing, a memory contained .
.
.
within said housing for storing sensitive data there-in; low temperature sensing means contained within said housing and being responsive to a decrease in temperature in said housing below a preselected refer-ence temperature for developing a first signal; and means contained within said housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
In accordance with another aspect of the invention, there is provided a device for the secure storage of sensitive data, said device comprising, in combination, a ceramic housing comprised of a plurali-ty of individual parts selectively connected together, each of said parts being comprised of a ceramic sub-strate and a plurality of ceramic layers disposed thereon; and electronic circuitry contained within said ceramic housing, said electronic circuitry in-cluding a memory for storing sensitive data therein and a tamper detection circuit, said tamper detection circuit including a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es said first conductive path for clearing said memory of any sensitive data stored therein.
In accordance with another aspect of the invention, there is provided a device for the secure storage of sensitive data, said device comprising in combination, a ceramic housing comprised of a plurali-ty of individual parts selectively connected together into a preselected configuration, each of said parts being comprised of a ceramic substrate and a plurality of ceramlc layers disposed thereon; a memory contained within said ceramic housing for storing sensitive da a therein; a first conductive pa~h selectively provided through said plurality of ceramic layers of each of : : ' ~87~
- s said plurality of individual parts; sensing means contained within said ceramic housing and being cou-pled to said first conductive path, said sensing means being responsive to any attemp~ to penetrate said ceramic housing which damages said first conductive path for generating a irst signal; and means con-tained within said ceramic housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
Brief Description of the Drawin~s Various objects, features and advantages of the invention, as well as the invention itself, will become more apparent to those skilled in the art in the light of the following de~ailed description taken in consideration with the accompanying drawings where-in like reference numerals indicate like or corre-sponding part.s throughout the several views and where-in:
FIG. 1 is an illustration of the assembled device or module of the invention;
FIG. 2 is an exploded perspective view of the various parts of the housing of the device of FIG. 1;
FIGS. 3A, :~Al, 3B, 3Bl, 3B2, 3C, 3Cl, 3C2 and 3D are exemplary illustrations of how three conductive layers separated by two insulating layers are selec-tively deposited on a ceramic substrate and connected together to form any one of the parts Pl-P6 of FI~. 2;
FIG. 4 is a partial sectional view of the housing 17 of Fig. l;
FIGS. 5A and 5B together show the islands and conductive paths in conductive layer 3 for each of the parts shown in FIG. 2;
FIGS. 6A and 6B together show the conductive paths in conductive layer 2 for each of the parts shown in FIG. 2;
.' ~3~
FIGS. 7A and 7B together show the conductive paths in conductive layer 1 for each of the parts shown in FIG. 2;
FIG. 8 shows the connections of the conductive paths in FIGS. 7A and 7B by way of pre-selec~ed connections and islands in FIGS. 5A and 5B to form a first conductive path designated as WMI, and further shows the conn~ctions of the conductive paths in FIGS. 6A and 6B by way of preselected connections and islands in FIGS. 5A and 5B to form a second con-ductive path designated as WM2;
FIG. 9 is a schematic block diagram of the electronic circuitry contained within the device of FIGo l;
FIG. 10 is a functional block diagram illus~rating how the key storage key (RSK) is generat-ed and how the KSK is utilized in loading REYS and in encrypting and decrypting data;
FIG~ 11 is a schematic block diagram of the tamper detection circuitry of. FIG. 9.
Description of the Preferred Embodiment Referriny now to the drawings, Fig. 1 illustrates an exemplary form of a security device 11 of the invention. A plurality of conductors 12 con-nected to a plurality of pins 13 are shown on both sides of a bottom part 15 of a housing 17 of the device 11 for connecting the device 11 to external electronic equipment ~not shown). The housing 17 is preferably comprised of ceramic, since a ceramic housing cannot be penetrated by chemicals due to the fact ceramic will not dissolve.
An exploded perspective view of the various parts of the housing 17 o the device 11 is illustrat-ed in Fig. 2. As shown~ the housing 17 is comprised of a top part or cover Pl, side parts P2 through P5 and a bottom part P6r Coupled to the bot~om part P6 .
:
.. .
, -.
.
.
'~ ~ 3 ~
by way of surface mounting pins (not shown) is elec tronic circuitry 19 which is encased within the hous-ing 17 for security and protection.
Each of the parts Pl-56 is comprised of a ceramic substrate having three conductive layers separated by two nonconductive or insulating layers, with all layers being deposited on the ceramic sub-strate by a conventional screening technique using conventional thick film techniques~ Figs. 3A, 3Al, 3B, 3Bl, 3B2, 3C, 3Cl, 3C2 and 3D illustrate how three conductive layers separated by two insulating layers are selectively deposited on a ceramic substrate and connected together to form any one of the parts Pl-P6.
Scre~ns tFIGS. 3Al, 3Bl, 3B2, 3Cl and 3C2) with very small holes (where the diameter of a hole may be equal to approximately 300 micrometers) are used to deposit conductive or insulating paste on a ceramic substrate 20 (Fig. 3D). For every conductive layer and insulating layer a different screen is prepared. After each screening the layered ceramic part 20 is heated up to 800 degrees centigrade to harden ~he just deposited paste.
FIG. 3A illustrates the first conductlve layer Ll to be deposited on the ceramic substrate 20.
As shown in FIG. 3A, Ll is comprised of one track 21.
FIG. 3Al illustrates the screen that is plac~d on the ceramic substrate 20 and used to deposit the layer Ll on the ceramic substrate 20. The screen of FI~. 3Al is the negative of the required layer Ll. The shaded area 22 in FIG. 3Al is blocked off with a polymer (not shown) so ~hat a conductive paste (not shown) can only pass through an open area 211 to form the track 21 of the layer Ll on the ceramic substrate 20. Layer Ll is then hardened at 800 degrees centigrade in an oven.
The thickness of the track 21 of layer Ll is about 10 micrometers.
. , , . ' ~2~37~
Points or areas 1.1, 1.2 and 1~3 on layer Ll of FIG. 3A are then blocked off with a polymer using the screen shown in FIG. 3B, because these areas have to be selectively connected later to subsequently laid conductive layers (L2 and L3)o Insulating paste is now screened over the assembly of FIG. 3A and the assembly of FIG. 3A is heated up again to 800 degrees centigrade to harden it.
FIG. 3B illustrates the second conductive layer (L2) to be deposited on the hardened assembly of FIG. 3A by using the screen shown in FIG. 3B2. As shown in FIG. 3B layer L2 is comprised of two tracks 23 and 24. The screen of FIG. 3B2 is the negative of the pattern of FIG. 3B. The shaded area 25 of FIG. 3B
is blocked off again with a polymer. After screening with conductive paste throu~h open areas 231 and 241 and heating the hardened assembly of FIG. 3B, connec-tions are made between points lol of FIG. 3A and 2~1 of FIG. 3B and between points 1.2 of FIG. 3A and 2.2 of FIG. 3B. Note that the track 23 of FIG. 3B ~rosses over the track 21 of FIG. 3A.
Insula~ing layer two (FIG. 3D) is needed to enable the deposition of the third conductive layer L3. The laying of these two layers is accomplished by using the screens of FIGS. 3Cl and 3C2 in a manner similar to that previously described with respect to FIGS. 3Bl and 3B2. After the insulating layer two and layer L3 are laid or deposited, the pattern of ~3 results, as shown in FIG. 3C. As shown in FIG. 3C, L3 is comprised of two tracks 26 and 27 which are respec-tively connected to square islands 3.6 and 3.7.
Island 3.6 in layer L3 of FIG. 3C is connected to point 1.3 of Ll in FI5. 3A through the hole 31 in insulating layer 2 and the hole 28 in insulating layer one. On the other hand, island 3.7 in layer L3 of FIG. 3C iS connected via point 3.5 in layer L3 of FIG.
3C to point 2.5 in layer L2 of FIG. 3B. In addition, :, .
.
.
- . .
~3~6 g island 3.7 in layer L3 oE FIG. 3C is also connected via point 3.4 in layer L3 to point 2.~ in layer L2 of FIG. 3B.
FIG. 3D illustrates a sectional view of connections between layers or tracks L3 and Ll and between layers or tracks L2 and Ll. The ceramic substrate 20 is approximately 700 micrometers thick and each of the conductive and insulatin~ layers is only about 10 micrometers thick. The width of each of the tracks ~1, L2 and L3 is about 300 micrometers.
Figs. 5A and 5B illustrate the conductive layer 3 patterns of the respective parts Pl-P6r which patterns are deæigned as L3Pl-~3P6. The conductive layers 1, 2 and 3 are selectively connected together at preselected islands or connection points. ~or example, islands 33 and 35 of conductive layer 3 are resp~ctively connected to conductive layers 2 and 1 by conductive epoxy 31. The assembly of Fig. 3E is then put into an oven (not shown) and heated to a~out 800 degrees-C for the proper duration of time in order to harden the conductive layer 3 and the conductive epoxy 31.
Referring now back to Fig. 2, the parts Pl-P6 are assembled together into the housing 17 of Fig~ 1 in the following manner. Initially the top part Pl is sequentially glued to side parts P2-P5. E~irst, ex-posed islands on part P~ are respectively electrically connected to associated exposed islands on part Pl with conductive epoxy. In a similar manner, exposed islands on part P3 are respectively electrically connected to associated exposed islands on part Pl with conductive epoxy; exposed islands on part P4 are xespectively electrically connected to associated exposed islands on part Pl with conductive epoxy; and exposed islands on part P5 are respectively electri-cally connected to associated exposed islands o~ part Pl with conductive epoxy. Conductive epoxy is next - . .
. .
. ~ , , ', ~ ' ' ~23~7~t~
p].aced on the remaining exposed islands on the assem-bly of parts Pl-P5~ Then the assembly of parts Pl-P5 is properly oriented with respect to part P6 and gently placed onto part P6 to electrically connect the remaining lslands on part P6 with the remaining uncon-nected islands on the assembly of parts Pl-P5. After the assembly of parts Pl-P6 is electrically connected together at associated islands to form the housing 17 (FIG~ 1~, as described above, nonconductive epo~y is applied along the lines between adjacent pairs of the parts Pl-P6 to seal any gaps between adjacent pairs of the parts Pl-P6 and to provide additional strength for the housing 17.
Fig~ 4 is a partial sectional view of the completed housing 17 showing the connection of an island 37 on layer 3 of part 2 tL3P2) with an island 39 on layer 3 of part 1 (L3Pl) by means of conductive epoxy 31, and the further gluiny of the parts Pl and P2 together with nonconductive epoxy 41.
An additional layer of ceramic (not shown) is mounted onto the bottom part P6 to hold the electronic circuitry l9o The electronic circuitry 19 is then mounted on~o this additional layer of ceramic by way of surface mounting pins (not shown). Any necessary contacts between the conductive layer 3 and the elec-tronic circuitry 19 are connected together with sur-face mounting pins (not shown)O Then the assembled structure of parts Pl-P5 is glued to bottom part P6, with the associated exposed islands between the assem-bly of parts Pl-P5 and the bottom part P6 being con-nected together with conductive epoxy before the entire assembly of parts Pl-P6 is sealed all over with nonconductive epoxy, as discussed before~ As men-tioned before, the plurality of leads 12 and plurality of contacts 13 (shown in Fig. 1) are all on part P6.
The formation of first and second continuous conductive paths ~M1 (wire mesh 1~ and WM2 (wire mesh ~238~
2) through the parts Pl-P6 of the ceramic housing 17 (Fig. 1) will be explained ~y now referring to Figs.
5A, 5B, 6A, 6B, 7A, 7B and 8.
Figs. 5A and 5B together show the islands and conductive paths in conductive layer 3 ~L3) for each of the parts Pl-P6 shown in Fig. 2. The Figs. 6A and 6B together show the conductive paths in conductive layer 2 (L2) for each of the parts Pl-P6 shown in Fig.
2. Similarly, Figs~ 7 A and 7B together show the conductiYe paths in conductive layer 1 (Ll) for each of the parts Pl-P6 shown in Fig. 2. Finally, Fig. 8 shows the connections of the conductive paths in Figs.
7A and 7s by way of preselected connections and is-lands in Figs. 5A and SB to form the first continuous conductive path WMl and also shows the connections of the conductive paths in Figs. 6A and 6B by way o~
preselected connections and islands in Figs. 5A and 5B
to form the second continuous conductive path WM2.
As shown in Figs. 5B and 8, pins A and C are respectively the input and output pins of WM2. Simi-larly, pins B and D are respectively the input and output pins of WMl. These pins A, B, C and D are internally connected to leads (not shown) which are coupled through surface mounting pins (not shown) to the group of pins 13 (Fig. 1).
The alphanumerically identified squares in Figs. 5 A and 5B (such as BDl in Fig. 5A3 represent islands to be connected~ while the alphanumerically identified circles in Figs. 5A, 5B, 6A, 6B, 7A and 7B
(suh as ACl in Fig. 5A) represent connection points.
By using Fig. 8 as a guide it can be readily seen in Figs. 5A, 5B, 7A and 7B that the line BD (or continuous conductive path WMl) from pin B (Fig. 5A) to pin D (Fig. 5A) sequentially passes through a zig-zag conductive path through the conductive layers LlP2 (Fig. 7B), LlP3 (Fig. 7B), LlPl ~Fi~. 7B), LlP5 (Fig.
7B), LlP4 (Fig. 7B) and LlP6 (Fig. 7A) via the islands , .
'. ~ .
,. . . ~ . .
. , : :' .
and connection points BDl-BD30 and lines 43-47.
5imilarly, by using Fig. B as a guide, it can be readily seen in ~i~s. 5A, 5B, 6~ and 6B that the line AC (or continuous conductive path WM2) from pin A
(Fig. 5A~ to pin C (Fig. 5A~ sequentially passes through a zig-zag conductive path through the ~onduc-tive layers L2P6 ~Fig. 6A~, L2P4 (Fig. 6B), L2P5 (Fig.
6B), L2Pl ~Fig. 6B), L2P3 (Fig. 6B) and L2P2 (Fig. 6B) via the islands and connection points ACl-AC39 and lines 51-64.
Referring to Fig. 9, the electronic circuitry 19 of Fig. 2 will now be discussed in more detail.
The electronic circuitry 19 includes data processing circuitry 67 and tamper detection circuitry 69.
The data processing circuitry 67 can be utilized to perform any desired data processing opera-tion in such applications as, for example, electronic payment systems, electronic fund transfers, data encryption/decryption, PIN (personal identification number) verification, data transmission/reception, access control and home banking. The data proce~sing circuitry 67 includes a processor 71 for selectiv~ly controlling the operation of the electronic circuitry 19 in resporlse to input data and instructions, a timing and control circuik 73 for controlling the operation of the processor 71, a programmable read only memory (PROM) 75 for storing the software progr~
to be executed by the processor 71, a random access memory (RAM) 77 for providing a temporary memory storage, a volatile memory 79 for permanently storin~
the most sensitive or secure data such as a key stor-age key (~SK~ (to be explained)l a random number generator 81 and an input/output (I/O) unit 83.
A data, control and address bus 85, bidirectional I/O bus 87 and I/O lines 89 and 91 are coupled to the processor 71, timing and control cir-cuit 73, PROM 75~ RAM 77 and I/O unit B3 to enable the , ,:
' ' ' ' . ' . ' , ~
.
.~
3 ~7 data processing circuitry 67 to perform its data processing operations~ ~ata may be passed over bi-directional I/O bus 87 to or from the processor 71 and over I/O lines ~9 and 91 to or from the I/O unit 83.
The right-hand ends of the I/O bus 87 and I/O lines 8~
and 91 (as shown in Fig. 9) may be selectively coupled to, for example, another data processor (not shown), a main computer (not shown) and a peripheral (such as a keyboard) (not shown) via the pins 13 (Fig~ 1) in order to enable the data processing circuitry 67 to perform its preselected operations.
Power to operate the electronic circuitry 19 is preferably supplied from external power sources (not shown), such as power supplies and batteries, connected to preselected ones of the pins 13 (Fig. 1).
An initialization subroutine, contained in the software program stored in the PROM 75, is execut-ed in a special mode of operation controlled by an authorized person. Preferably, this initialization su~routine can only be executed once after the securi-ty device 11 (Fig. 1) has been completely assambled.
For purposes of additional security it is preferable that the volatile memory 79 be, for exam-ple, a resettable memory such as a 64-bit shift regis-ter memory.
During the execu~ion of an I~ITIALIZ~
subroutine the processor 71 applies an INITIA~IZ~
signal to the random number generator 81 to enable the generator 81 to generate a random number whi~h is stored in the memory 79 as an exemplary sequence of 64 random bits. This sequence of 64 random bits is the KSK (key storage key), which is the most sensitive or secure data contained in the data processing circuitry 67. Referring to the functional block diagram of Fig.
109 it will now be explained how the sensi~ive RSK
data is generated and then utilized by the da~a proc-essing circuitry 67 in the loading or storage of ~ .
. ' ' '. ' ~' . ', ~, ~z~
subsequently entexed KEYS and in all subsequent en-cryption and decryption operations of output and input data, respectively.
IN ITIAL IZ E KSK
In eesponse to the INITIALIZE signal from the processor 71, the random number generator 81 generates the random 64-bit KSK. This KSK is then permanently stored in the resettable shift register 79. The invention prevents this ~SK from being externally accessed.
LOAD KEYS
After KSK has been generated, a person can store 64-bit REYS in the RAM 77 . Each KEY to be entered is an exemplary sequence of 64 bits of clear da~a (hereinafter designated as KEYX CLEAR) that can be entered into the data processing circuitry 67 by way of, for example, a keyboard (not shown) connected to pins 13 (Fig. 1). For added security each KEYX
CLEAR is encrypted with KSK by exclusive-ORing them together in an exclusive-OR (EX-OR) gate 93 to develop a KEYX ENCR signal that is also 64 bits in length.
Thi~ KEYX ENCR signal is then stored in the RAM 77.
_NCRYPT/DEÇRYPT DATA
To encrypt outgoing clear data or decrypt incomin~ encrypted data, a desired KEYX ENCR signal is extracted from the RAM 77 while the RSK is extracted from the resettable shift register 79 by well-known read-out techniques. The KEYX ENCR signal and the KSR
are then exclusive-ORed together in an EX-OR gate 95 to recover the associated KEYX CLEAR signal.
In a data encryption opera~ion, the KEYX
CLEAR signal is routed to a data encryption device 97 where it is used to encrypt clear data entered into the data processing circuitry 67 ~Pig. 9) by way of .
.
- . ~
~;~3~6 one of the I/O buses 87, 89 and 91. Encrypted data from the device 97 is then outputted from the security device 11 (Fig. 1) by way of the pins 13 (Fig. 1).
In a data decryption operation, encrypted data entered into the data processing circuitry 67 (Fig. 9) by way of the pins 13 (Fig. 1) is applied to a data decryption device 99. The KEYX CLEAR signal, which is routed from the EX-OR gate 95 to the data decryption device 99, is used by the data d~cryption device 99 to develop clear data which can then be utilized by the data processing circuit 67.
The EX-OR gates 93 and 95, the data encryption device 97 and the data decryption device 99 can be implemented in hardware or the operations performed by those units can be performed as a unc-tion of software subroutines of the program contained in the PROM 75.
Referrinq back to Fig. 9, it should be noted that the above-described implementation for generating the KSR is for illustrative purposes only and does not form any part of the invention. Any other suitable implementation could there~ore be used to generate the KSK. The important things to consider are that the resettable memory 79 stores the KSK, that the contents of the memory 79 cannot be altered, (if the securlty device 11 was programmed to run the initiali~ation program only once), that the KSK is never outputted to the outside world from the security device 11, and that for purposes of security external access to the KSK contents of the memory 79 by various means must be prevented.
Tamper detection circuitry 69 is included in the electronic circuitry 19 to specifically actively destroy the KSK in the resettable memory 79 if there is any attempt to penetrate the ceramic housing 17 to gain access to the KSK stored in the memory 79. It should be realized that if the RSK is destroyed, any .
.' ' . .
~3~
- 16 ~
data stored in RAM 77 becomes meaningless or useless.
Two principal ways that someone could employ to at~
tempt to gain access to the XSK stored in the reset-table memory 7~, as well as the reaction of the tamper d~tection circuitry 69 to such attempts, are discussed below.
An attempt to penetrate the ceramic housing 17 may be made by drilling into or cracking the hous-ing 17. To protect against this possibility, wire mesh 2 (WM2) of Fig. 8 is connected between a supply voltage Vc and a sense circuit 101, while wire mesh 1 (WMl~ of Fig. 8 is connected between a reference potential such as ground and a sense circuit 103. It will be recalled that WMl and WM2 are different con-ductive paths on different levels or layers of each of the parts Pl-P6 of the housing 17, as shown in Figs.
1-8.
An attempt to drill inko or crack the housing 17 that damages either or both of WMl and WM2 will be readily sensed. I WM2 is broken or shorted to either WMl or ground by such an attempt, sense circuit 101 will generate a low voltage signal at point 105.
Similarly, if WMl is broken or shorted to either WM2 or Vc by such an attempt, the sense circuit will generate a low voltage signal at point 105. In re-sponse to a low voltage signal at point 105, a low voltage detector 107 generates a RESE~ signal which resets the memory 79 to actively clear or destroy the KSK in the resettable memory 79.
ATTEMPT 1'0 FREEZE RSR CONTENT OF MEMORY 79 BEFORE
BREARING INTO ~IOUSING 17 It is known that it is possible to retain data in static CMOS cells of a memory in an unpowered state (no supply voltage or battery voltage present), :~23~
~ 17 -if those cells are initially frozen below -90 degrees centigrade before power is removed from the memory.
A low temperature sensor 109 is therefore needed in the tamper detection circuitry 69 to protect the security device 11 ~Fig. 1) against the above-described tampering at extremely low temperatures.
The sensor lQ9 is also connected to point 105. Sensor 109 is so implemented that when the temperature within the housing 17 ~Fig. 1) falls to, for example, -25 degrees centigrade, the sensor 109 generates and applies a low voltage signal to point 105~ Thi~ low voltage signal applied from sensor 109 to point 105 will also cause the low voltage detector 107 to yener-ate a RESET signal to reset the memory 79 to actively clear or destroy ~he RSK in the memory 79.
Referring now to Fig. 11, the tamper detec~ion circuitry 69 will be described in more detail.
The tamper detection circuitry 69 is essentially comprised of four parts~ A first part includes WM2 and sense circuit 101. A second part includes WMl and sense circuit 103. A third part includes the low temperature sensor 109. All of the first, second and third parts are connected to a common output at point 105 which, in turn, is connect-ed to the fourth part which includes the low voltage detector 107. Consequently, if any o the first, second or third parts detects any attempt to gain access to the KSK in memory 79 (Fig. 9) a low output is developed at point 105. As mentioned before, such a low output at point 10~ will cause the low voltage detector 107 to actively reset the memory 79 to de-stroy the KSR stored therein~
In the first part, pin C of WM2 is coupled to sense cixcuit 101. A high or po~itive supply voltage VC is applied to pin A of WM2 and to each of cascaded inverters 111 and 113 in sense circuit 101. For ..
-~Z3~ L6 purposes of this discussivn assume that Vc = ~4 5 volts. A one megohm ~lM ) resistor 115 is connected between pin C of WM2 and a low reference potential such as ground. Pin C is also connected to the input of inverter 111. The output of inverter 113 is ap-plied through a 120 kilohm resistor 117 to point 105.
When WM2 is undamaged ~not broken or shorted to either ground or ~M1), the input to inverter 111 is high, the output of inverter 111 is low and the output of inverter 113 is high.
In the second part, pin D of WMl is coupled to sense circuit 1~3 and pin B of WMl is connected to the low reference potential or ground. A one megohm resistor 119 is connected between pin D of WMl and Vc.
The supply voltage Vc is also applied to cascaded inverters 121, 123 and 125. Pin D is also connected to the input of inverter 121 which, in turn, has its output connected to the input of inverter 123. The output of inverter 123 is then connected to the input of inverter 125. The output of inverter 125 is ap-plied through a 120 kilohm resistor 127 to point 105.
A 30 kilohm resistor 129 is connected be~ween point 105 and grvund to develop a common output for the sense circuits 101 and 103, as well as to the low temperature sensor 109 (to be explained).
When WMl is undamaged (not broken or shorted to either Vc or WM2), the input to inverter 121 is high, the output of inverter 123 is low and the output of inverter 125 is high.
Part 3 includes the low temperature sensor 109 (Fig. 9). The low temperature sensor 109 compris-es: a negative temperature coefficient (NTC) bridge circuit 131 which includes serially connected resis-tors 133 and 134 respectively coupled betw~en Vc and ground, and serially-connected resistors 135 and 136 respectively coupled between Vc and ground; an opera-tional amplifier 137 having its non-inverting input 3~7~6 (+) connected to the junction of resistors 133 and 134 and its inverting input (-) connected to the junction of resistors 135 and 136; an inverter 139 for invert-ing the output of the operational amplifier 137; and a diode coupled between the output of inverter 139 and point 105.
The resistors 133 and 136 may be 800 kilohm resistorsr while the resistors 134 and 135 may be 68 kilohm resistors having negative temperature coeffi-cients (NTC~. With this implementation the bridge circuit 131 would be unbalanced until the temperature inside the housing 17 reaches approximately -25 de-grees C. It can be readily seen that when the bridge circuit 131 is unbalanced, the operational amplifier 137 develops a low output which is inverted by inver-ter 139 to backbias the diode 141. Thereforel when the temperature inside the housing 17 (Fig. 1) is above -25 degrees centigrade, the low temperature sensor 109 is effectively disconnected by the back-biased diode 141 from the point 105.
Part 4 includes a low voltage detector 107 connected to point 105 for developing a RE5ET signal when the potential across resistor 129 is below a preselected threshold voltage of, for example, +1.15 volts when Vc = +4.5 volts), a capacitor 145 connected between point 105 and ground for retaining the input potential ~voltaye developed across resistor 129) to the deteGtor 107 for a suffizient time to enable the detector 107 to generate a RESET signal when the potential across resistor 129 falls below ~1.15 volts.
The low voltage detector 107 may be a voltage comparator which develops a low output when the voltage across resistor 129 falls below an internal reference potential ~f ~1.15 voltsO
Various conditions will now be discussed.
, .
.
.
-, . . . . .
:1 ~,3~
NO ATTEMPT_MADE TO GAIN ACCESS TO KSE~
When no attempt has been made to freeze and/or penetrate the housing 17 to gain access to the RSK in the resettable memory 79 (Fig. 9) the tempera-ture in the housing 17 (Fig. 1) will be high enough not to trigger the low temperature sensor 109 and both WMl and WM2 will be undamaged. As a result, the outputs of inverters 113 and 125 will both be high.
Therefore, the voltage developed across resistor 129 (approximately ~1.5 vol~s) will be above the 1.15 volt threshold of the low voltage detector 107. Conse-quently, the low voltage detector 107 will not develop the RESET signal.
A~TEMPTED PENETRATION OF HOUSIN~ 17 BREAKS WM2 OR
SE~ORTS WM2 EITHER T5:) GROUND OR WMl When WM2 is broken or shorted either to ground or WMl, pin C goes to a low potential, causing the input to inverter 111 to go low. This low input is inverted to a high signal by inv~rter 111. The high signal (~4.5 volt ) from inverter 111 is inverted by inverter 113 to a low signal (0 volts). Assume that WMl is not broken at this time and therefo~e that inverter 125 develops a high output (~4.5 volts). As a result, a voltage divider comprised of resistors 117, 127 and 129 will cause point 105 to fall to approximately +0.9 volts. Since +0.9 volts is below the +1.15 volt threshold of the low voltage detector 107, the low vo~tage detector 107 will develop the RESET signal to actively reset memory 79 (Fiy. 9).
ATTEMPTED PENETRATION OF HOUSING 17 BREAKS WMl OR
SHORTS WMl EITHER TO Vc OR WM2 _ When WMl is broken or shorted either to Vc or WM2, pin D goes high (~4 .5V). This high signal is ~ '" ' . ' :, . ' .'' :
inverted by inverter 121~ The low signal (0 volts~
from inverter 121 is inverted by inv~rter 123. The high signal from inverter 123 is inverted by inverter 125. Assume that WM2 is not broken at this time and therefore that inverter 113 develops a high output (+4.5 volts). As a result, the voltage divider com-prised of resistors 117~ 127 and 129 will cause point 105 to fall to appro~imately +0.9 volts. This will then cause the lo~ voltage detector 107 to develop the RESET signal to reset memory 79 (Fig. 9).
If both WMl and WM2 are broken, the inverters 113 and 125 will both go low, causing the charge across capacitor 145 to fal~ toward 0 volts. ~owever, as soon as the voltage across capacitor 145 falls below +1.15 volts, the low voltage detector 107 will generate the RESET signal.
VC FALLS BELOW +3.5 VOLTS
If Vc falls below ~3.5 volts, the voltage across capacitor 145 will fall below ~1.15 volts.
This again will cause the low voltage detector 107 to generate the RESET signal.
EMPERATURE IN HOUSING 17 FALhS BE~OW ~25 DEGREES
CENT IGRADE
When the temperature in the housing falls below -25 degrees centigrade, the bridge circuit 131 in the low temperature sensor 109 becomes either balanced or unbalanced in the opposite direction. In either eventt the operational amplifier 137 develops a high output which is inverted by inver~er 139. The low output ~0 volts) from inverter 139 forward biases diode 14~ cau ing point 105 to fall toward 0 volts.
This will cause the charge across capacitor 145 to fall toward 0 volts. However, as soon as the voltage across capacitor 145 alls below ~1.15 volts, the low 3~73~;
voltage detector 107 generates the RESET signal to clear the memory 79.
The invention thus provides a security device 11 for the secure storage of sensitive data. It provides protec~ion or the device ll against chemical attack, physical attack, and tampering at extremely low temperature. The ceramic housing cannot be pene-trated by chemicals, since ceramics will not dissolve.
Physical attack by cutting or drill.ing will result in ~he ceramic housing 17 cracking or breaking, thus breaking or damaging at least one of the two conduc tive paths W~l and WM2. This will cause the tamper detection circuitry 69 to actively reset the reset-table memory 79 to destroy the sensitive data stored therein~ Similarly, any attempt to tamper with the security device 11 at an extremely low temperature will also cause the tamper detection circuitry 69 to actively reset the memory 79.
While the salient features of the invention have been illustrated and described, it should be readily apparent to those skilled in the art that many changes and modifications can be made in the invention presented without departing from the spirit and true scope of the invention. Accordingly, the present invention should be considered as encompassing all such changes and modifications of the invention that fall within the broad scope of the invention as de-fined by the appended claims.
..:
.: , .: , ~,
The right-hand ends of the I/O bus 87 and I/O lines 8~
and 91 (as shown in Fig. 9) may be selectively coupled to, for example, another data processor (not shown), a main computer (not shown) and a peripheral (such as a keyboard) (not shown) via the pins 13 (Fig~ 1) in order to enable the data processing circuitry 67 to perform its preselected operations.
Power to operate the electronic circuitry 19 is preferably supplied from external power sources (not shown), such as power supplies and batteries, connected to preselected ones of the pins 13 (Fig. 1).
An initialization subroutine, contained in the software program stored in the PROM 75, is execut-ed in a special mode of operation controlled by an authorized person. Preferably, this initialization su~routine can only be executed once after the securi-ty device 11 (Fig. 1) has been completely assambled.
For purposes of additional security it is preferable that the volatile memory 79 be, for exam-ple, a resettable memory such as a 64-bit shift regis-ter memory.
During the execu~ion of an I~ITIALIZ~
subroutine the processor 71 applies an INITIA~IZ~
signal to the random number generator 81 to enable the generator 81 to generate a random number whi~h is stored in the memory 79 as an exemplary sequence of 64 random bits. This sequence of 64 random bits is the KSK (key storage key), which is the most sensitive or secure data contained in the data processing circuitry 67. Referring to the functional block diagram of Fig.
109 it will now be explained how the sensi~ive RSK
data is generated and then utilized by the da~a proc-essing circuitry 67 in the loading or storage of ~ .
. ' ' '. ' ~' . ', ~, ~z~
subsequently entexed KEYS and in all subsequent en-cryption and decryption operations of output and input data, respectively.
IN ITIAL IZ E KSK
In eesponse to the INITIALIZE signal from the processor 71, the random number generator 81 generates the random 64-bit KSK. This KSK is then permanently stored in the resettable shift register 79. The invention prevents this ~SK from being externally accessed.
LOAD KEYS
After KSK has been generated, a person can store 64-bit REYS in the RAM 77 . Each KEY to be entered is an exemplary sequence of 64 bits of clear da~a (hereinafter designated as KEYX CLEAR) that can be entered into the data processing circuitry 67 by way of, for example, a keyboard (not shown) connected to pins 13 (Fig. 1). For added security each KEYX
CLEAR is encrypted with KSK by exclusive-ORing them together in an exclusive-OR (EX-OR) gate 93 to develop a KEYX ENCR signal that is also 64 bits in length.
Thi~ KEYX ENCR signal is then stored in the RAM 77.
_NCRYPT/DEÇRYPT DATA
To encrypt outgoing clear data or decrypt incomin~ encrypted data, a desired KEYX ENCR signal is extracted from the RAM 77 while the RSK is extracted from the resettable shift register 79 by well-known read-out techniques. The KEYX ENCR signal and the KSR
are then exclusive-ORed together in an EX-OR gate 95 to recover the associated KEYX CLEAR signal.
In a data encryption opera~ion, the KEYX
CLEAR signal is routed to a data encryption device 97 where it is used to encrypt clear data entered into the data processing circuitry 67 ~Pig. 9) by way of .
.
- . ~
~;~3~6 one of the I/O buses 87, 89 and 91. Encrypted data from the device 97 is then outputted from the security device 11 (Fig. 1) by way of the pins 13 (Fig. 1).
In a data decryption operation, encrypted data entered into the data processing circuitry 67 (Fig. 9) by way of the pins 13 (Fig. 1) is applied to a data decryption device 99. The KEYX CLEAR signal, which is routed from the EX-OR gate 95 to the data decryption device 99, is used by the data d~cryption device 99 to develop clear data which can then be utilized by the data processing circuit 67.
The EX-OR gates 93 and 95, the data encryption device 97 and the data decryption device 99 can be implemented in hardware or the operations performed by those units can be performed as a unc-tion of software subroutines of the program contained in the PROM 75.
Referrinq back to Fig. 9, it should be noted that the above-described implementation for generating the KSR is for illustrative purposes only and does not form any part of the invention. Any other suitable implementation could there~ore be used to generate the KSK. The important things to consider are that the resettable memory 79 stores the KSK, that the contents of the memory 79 cannot be altered, (if the securlty device 11 was programmed to run the initiali~ation program only once), that the KSK is never outputted to the outside world from the security device 11, and that for purposes of security external access to the KSK contents of the memory 79 by various means must be prevented.
Tamper detection circuitry 69 is included in the electronic circuitry 19 to specifically actively destroy the KSK in the resettable memory 79 if there is any attempt to penetrate the ceramic housing 17 to gain access to the KSK stored in the memory 79. It should be realized that if the RSK is destroyed, any .
.' ' . .
~3~
- 16 ~
data stored in RAM 77 becomes meaningless or useless.
Two principal ways that someone could employ to at~
tempt to gain access to the XSK stored in the reset-table memory 7~, as well as the reaction of the tamper d~tection circuitry 69 to such attempts, are discussed below.
An attempt to penetrate the ceramic housing 17 may be made by drilling into or cracking the hous-ing 17. To protect against this possibility, wire mesh 2 (WM2) of Fig. 8 is connected between a supply voltage Vc and a sense circuit 101, while wire mesh 1 (WMl~ of Fig. 8 is connected between a reference potential such as ground and a sense circuit 103. It will be recalled that WMl and WM2 are different con-ductive paths on different levels or layers of each of the parts Pl-P6 of the housing 17, as shown in Figs.
1-8.
An attempt to drill inko or crack the housing 17 that damages either or both of WMl and WM2 will be readily sensed. I WM2 is broken or shorted to either WMl or ground by such an attempt, sense circuit 101 will generate a low voltage signal at point 105.
Similarly, if WMl is broken or shorted to either WM2 or Vc by such an attempt, the sense circuit will generate a low voltage signal at point 105. In re-sponse to a low voltage signal at point 105, a low voltage detector 107 generates a RESE~ signal which resets the memory 79 to actively clear or destroy the KSK in the resettable memory 79.
ATTEMPT 1'0 FREEZE RSR CONTENT OF MEMORY 79 BEFORE
BREARING INTO ~IOUSING 17 It is known that it is possible to retain data in static CMOS cells of a memory in an unpowered state (no supply voltage or battery voltage present), :~23~
~ 17 -if those cells are initially frozen below -90 degrees centigrade before power is removed from the memory.
A low temperature sensor 109 is therefore needed in the tamper detection circuitry 69 to protect the security device 11 ~Fig. 1) against the above-described tampering at extremely low temperatures.
The sensor lQ9 is also connected to point 105. Sensor 109 is so implemented that when the temperature within the housing 17 ~Fig. 1) falls to, for example, -25 degrees centigrade, the sensor 109 generates and applies a low voltage signal to point 105~ Thi~ low voltage signal applied from sensor 109 to point 105 will also cause the low voltage detector 107 to yener-ate a RESET signal to reset the memory 79 to actively clear or destroy ~he RSK in the memory 79.
Referring now to Fig. 11, the tamper detec~ion circuitry 69 will be described in more detail.
The tamper detection circuitry 69 is essentially comprised of four parts~ A first part includes WM2 and sense circuit 101. A second part includes WMl and sense circuit 103. A third part includes the low temperature sensor 109. All of the first, second and third parts are connected to a common output at point 105 which, in turn, is connect-ed to the fourth part which includes the low voltage detector 107. Consequently, if any o the first, second or third parts detects any attempt to gain access to the KSK in memory 79 (Fig. 9) a low output is developed at point 105. As mentioned before, such a low output at point 10~ will cause the low voltage detector 107 to actively reset the memory 79 to de-stroy the KSR stored therein~
In the first part, pin C of WM2 is coupled to sense cixcuit 101. A high or po~itive supply voltage VC is applied to pin A of WM2 and to each of cascaded inverters 111 and 113 in sense circuit 101. For ..
-~Z3~ L6 purposes of this discussivn assume that Vc = ~4 5 volts. A one megohm ~lM ) resistor 115 is connected between pin C of WM2 and a low reference potential such as ground. Pin C is also connected to the input of inverter 111. The output of inverter 113 is ap-plied through a 120 kilohm resistor 117 to point 105.
When WM2 is undamaged ~not broken or shorted to either ground or ~M1), the input to inverter 111 is high, the output of inverter 111 is low and the output of inverter 113 is high.
In the second part, pin D of WMl is coupled to sense circuit 1~3 and pin B of WMl is connected to the low reference potential or ground. A one megohm resistor 119 is connected between pin D of WMl and Vc.
The supply voltage Vc is also applied to cascaded inverters 121, 123 and 125. Pin D is also connected to the input of inverter 121 which, in turn, has its output connected to the input of inverter 123. The output of inverter 123 is then connected to the input of inverter 125. The output of inverter 125 is ap-plied through a 120 kilohm resistor 127 to point 105.
A 30 kilohm resistor 129 is connected be~ween point 105 and grvund to develop a common output for the sense circuits 101 and 103, as well as to the low temperature sensor 109 (to be explained).
When WMl is undamaged (not broken or shorted to either Vc or WM2), the input to inverter 121 is high, the output of inverter 123 is low and the output of inverter 125 is high.
Part 3 includes the low temperature sensor 109 (Fig. 9). The low temperature sensor 109 compris-es: a negative temperature coefficient (NTC) bridge circuit 131 which includes serially connected resis-tors 133 and 134 respectively coupled betw~en Vc and ground, and serially-connected resistors 135 and 136 respectively coupled between Vc and ground; an opera-tional amplifier 137 having its non-inverting input 3~7~6 (+) connected to the junction of resistors 133 and 134 and its inverting input (-) connected to the junction of resistors 135 and 136; an inverter 139 for invert-ing the output of the operational amplifier 137; and a diode coupled between the output of inverter 139 and point 105.
The resistors 133 and 136 may be 800 kilohm resistorsr while the resistors 134 and 135 may be 68 kilohm resistors having negative temperature coeffi-cients (NTC~. With this implementation the bridge circuit 131 would be unbalanced until the temperature inside the housing 17 reaches approximately -25 de-grees C. It can be readily seen that when the bridge circuit 131 is unbalanced, the operational amplifier 137 develops a low output which is inverted by inver-ter 139 to backbias the diode 141. Thereforel when the temperature inside the housing 17 (Fig. 1) is above -25 degrees centigrade, the low temperature sensor 109 is effectively disconnected by the back-biased diode 141 from the point 105.
Part 4 includes a low voltage detector 107 connected to point 105 for developing a RE5ET signal when the potential across resistor 129 is below a preselected threshold voltage of, for example, +1.15 volts when Vc = +4.5 volts), a capacitor 145 connected between point 105 and ground for retaining the input potential ~voltaye developed across resistor 129) to the deteGtor 107 for a suffizient time to enable the detector 107 to generate a RESET signal when the potential across resistor 129 falls below ~1.15 volts.
The low voltage detector 107 may be a voltage comparator which develops a low output when the voltage across resistor 129 falls below an internal reference potential ~f ~1.15 voltsO
Various conditions will now be discussed.
, .
.
.
-, . . . . .
:1 ~,3~
NO ATTEMPT_MADE TO GAIN ACCESS TO KSE~
When no attempt has been made to freeze and/or penetrate the housing 17 to gain access to the RSK in the resettable memory 79 (Fig. 9) the tempera-ture in the housing 17 (Fig. 1) will be high enough not to trigger the low temperature sensor 109 and both WMl and WM2 will be undamaged. As a result, the outputs of inverters 113 and 125 will both be high.
Therefore, the voltage developed across resistor 129 (approximately ~1.5 vol~s) will be above the 1.15 volt threshold of the low voltage detector 107. Conse-quently, the low voltage detector 107 will not develop the RESET signal.
A~TEMPTED PENETRATION OF HOUSIN~ 17 BREAKS WM2 OR
SE~ORTS WM2 EITHER T5:) GROUND OR WMl When WM2 is broken or shorted either to ground or WMl, pin C goes to a low potential, causing the input to inverter 111 to go low. This low input is inverted to a high signal by inv~rter 111. The high signal (~4.5 volt ) from inverter 111 is inverted by inverter 113 to a low signal (0 volts). Assume that WMl is not broken at this time and therefo~e that inverter 125 develops a high output (~4.5 volts). As a result, a voltage divider comprised of resistors 117, 127 and 129 will cause point 105 to fall to approximately +0.9 volts. Since +0.9 volts is below the +1.15 volt threshold of the low voltage detector 107, the low vo~tage detector 107 will develop the RESET signal to actively reset memory 79 (Fiy. 9).
ATTEMPTED PENETRATION OF HOUSING 17 BREAKS WMl OR
SHORTS WMl EITHER TO Vc OR WM2 _ When WMl is broken or shorted either to Vc or WM2, pin D goes high (~4 .5V). This high signal is ~ '" ' . ' :, . ' .'' :
inverted by inverter 121~ The low signal (0 volts~
from inverter 121 is inverted by inv~rter 123. The high signal from inverter 123 is inverted by inverter 125. Assume that WM2 is not broken at this time and therefore that inverter 113 develops a high output (+4.5 volts). As a result, the voltage divider com-prised of resistors 117~ 127 and 129 will cause point 105 to fall to appro~imately +0.9 volts. This will then cause the lo~ voltage detector 107 to develop the RESET signal to reset memory 79 (Fig. 9).
If both WMl and WM2 are broken, the inverters 113 and 125 will both go low, causing the charge across capacitor 145 to fal~ toward 0 volts. ~owever, as soon as the voltage across capacitor 145 falls below +1.15 volts, the low voltage detector 107 will generate the RESET signal.
VC FALLS BELOW +3.5 VOLTS
If Vc falls below ~3.5 volts, the voltage across capacitor 145 will fall below ~1.15 volts.
This again will cause the low voltage detector 107 to generate the RESET signal.
EMPERATURE IN HOUSING 17 FALhS BE~OW ~25 DEGREES
CENT IGRADE
When the temperature in the housing falls below -25 degrees centigrade, the bridge circuit 131 in the low temperature sensor 109 becomes either balanced or unbalanced in the opposite direction. In either eventt the operational amplifier 137 develops a high output which is inverted by inver~er 139. The low output ~0 volts) from inverter 139 forward biases diode 14~ cau ing point 105 to fall toward 0 volts.
This will cause the charge across capacitor 145 to fall toward 0 volts. However, as soon as the voltage across capacitor 145 alls below ~1.15 volts, the low 3~73~;
voltage detector 107 generates the RESET signal to clear the memory 79.
The invention thus provides a security device 11 for the secure storage of sensitive data. It provides protec~ion or the device ll against chemical attack, physical attack, and tampering at extremely low temperature. The ceramic housing cannot be pene-trated by chemicals, since ceramics will not dissolve.
Physical attack by cutting or drill.ing will result in ~he ceramic housing 17 cracking or breaking, thus breaking or damaging at least one of the two conduc tive paths W~l and WM2. This will cause the tamper detection circuitry 69 to actively reset the reset-table memory 79 to destroy the sensitive data stored therein~ Similarly, any attempt to tamper with the security device 11 at an extremely low temperature will also cause the tamper detection circuitry 69 to actively reset the memory 79.
While the salient features of the invention have been illustrated and described, it should be readily apparent to those skilled in the art that many changes and modifications can be made in the invention presented without departing from the spirit and true scope of the invention. Accordingly, the present invention should be considered as encompassing all such changes and modifications of the invention that fall within the broad scope of the invention as de-fined by the appended claims.
..:
.: , .: , ~,
Claims (23)
1. A device for the secure storage of sensitive data, said device comprising:
an enclosed housing;
a memory contained within said housing for storing sensitive data therein;
low temperature sensing means contained within said housing and being responsive to a decrease in temperature in said housing below a preselected reference temperature for developing a first signal;
and means contained within said housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
an enclosed housing;
a memory contained within said housing for storing sensitive data therein;
low temperature sensing means contained within said housing and being responsive to a decrease in temperature in said housing below a preselected reference temperature for developing a first signal;
and means contained within said housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
2. The device of claim 1 wherein said low temperature sensing means includes:
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said housing is at or above a preselected reference temperature and a second opera-tional state when the temperature within said housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said first signal.
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said housing is at or above a preselected reference temperature and a second opera-tional state when the temperature within said housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said first signal.
3. The device of claim 1 wherein said housing is comprised of a plurality of individual parts selectively connected together, each of said individual parts being comprised of a ceramic sub-strate and a plurality of ceramic layers disposed thereon, said device further including:
a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts; and sensing means contained within said housing and being coupled to said first conductive path, said sensing means being responsive to any attempt to penetrate said housing which damages said first conductive path for generating a second signal;
said clearing means being responsive to said first signal or said second signal for clearing said memory of any sensitive data stored therein.
a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts; and sensing means contained within said housing and being coupled to said first conductive path, said sensing means being responsive to any attempt to penetrate said housing which damages said first conductive path for generating a second signal;
said clearing means being responsive to said first signal or said second signal for clearing said memory of any sensitive data stored therein.
4. The device of claim 3 further including:
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said sensing means further coupled to said second conduc-tive path and being responsive to any attempt to penetrate said housing which damages said second conductive path for generating a third signal, said clearing means being responsive to any of said first, second or third signals for applying a fourth signal to said memory to clear said memory of any sensitive data stored therein.
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said sensing means further coupled to said second conduc-tive path and being responsive to any attempt to penetrate said housing which damages said second conductive path for generating a third signal, said clearing means being responsive to any of said first, second or third signals for applying a fourth signal to said memory to clear said memory of any sensitive data stored therein.
5. The device of claim 4 wherein said memory includes:
a resettable shift register which is reset by said fourth signal to clear any sensitive data stored therein.
a resettable shift register which is reset by said fourth signal to clear any sensitive data stored therein.
6. The device of claim 4 wherein said low temperature sensing means includes:
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said housing is at or above a preselected reference temperature and a second opera-tional state when the temperature within said housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said first signal.
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said housing is at or above a preselected reference temperature and a second opera-tional state when the temperature within said housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said first signal.
7. A device for the secure storage of sensitive data, said device comprising:
a ceramic housing comprised of a plurality of individual parts selectively connected together, each of said parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon; and electronic circuitry contained within said ceramic housing, said electronic circuitry in-cluding a memory for storing sensitive data therein and a tamper detection circuit, said tamper detection circuit including a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es said first conductive path for clearing said memory of any sensitive data stored therein.
a ceramic housing comprised of a plurality of individual parts selectively connected together, each of said parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon; and electronic circuitry contained within said ceramic housing, said electronic circuitry in-cluding a memory for storing sensitive data therein and a tamper detection circuit, said tamper detection circuit including a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es said first conductive path for clearing said memory of any sensitive data stored therein.
8. The device of claim 7 wherein said tamper detection circuit further includes:
sensing means coupled to said first conductive path and being responsive to damage to said first conductive path for generating a first signal;
and means responsive to said first signal from said sensing means for clearing said memory of any sensitive data stored therein.
sensing means coupled to said first conductive path and being responsive to damage to said first conductive path for generating a first signal;
and means responsive to said first signal from said sensing means for clearing said memory of any sensitive data stored therein.
9. The device of claim 8 wherein said tamper detection circuit further includes:
low temperature sensing means responsive to a decrease in temperature within said ceramic housing below a preselected reference temperature for developing a second signal, said clearing means being responsive to said first signal or said second signal for applying a third signal to said memory to clear said memory of any sensitive data stored therein.
low temperature sensing means responsive to a decrease in temperature within said ceramic housing below a preselected reference temperature for developing a second signal, said clearing means being responsive to said first signal or said second signal for applying a third signal to said memory to clear said memory of any sensitive data stored therein.
10. The device of claim 9 wherein said memory includes:
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
11. The device of claim 9 wherein said low temperature sensing means includes:
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said ceramic housing is at or above a preselected reference temperature and a second operational state when the temperature within said ceramic housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said second signal,
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said ceramic housing is at or above a preselected reference temperature and a second operational state when the temperature within said ceramic housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said second signal,
12. The device of claim 11 wherein said memory includes:
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
13. The device of claim 7 wherein said tamper detection circuit further includes:
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es either of said first and second conductive paths for clearing and memory of any sensitive data stored therein.
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said tamper detection circuit being responsive to any attempt to penetrate said ceramic housing which damag-es either of said first and second conductive paths for clearing and memory of any sensitive data stored therein.
14. The device of claim 13 wherein said tamper detection circuit further includes:
a first sensing circuit coupled to said first conductive path and being responsive to damage to said first conductive path for generating a first signal;
a second sensing circuit coupled to said second conductive path and being responsive to damage to said second conductive path for generating a second signal and clearing means responsive to said first signal or said second signal for applying a third signal to said memory to clear any sensitive data stored therein.
a first sensing circuit coupled to said first conductive path and being responsive to damage to said first conductive path for generating a first signal;
a second sensing circuit coupled to said second conductive path and being responsive to damage to said second conductive path for generating a second signal and clearing means responsive to said first signal or said second signal for applying a third signal to said memory to clear any sensitive data stored therein.
15. The device of claim 14 wherein said tamper detection circuit further includes:
a third sensing circuit responsive to a decrease in temperature in said ceramic housing below a preselected reference temperature for developing a fourth signal, said clearing means being responsive to any of said first, second and fourth signals for applying said third signal to said memory to clear said memory of any sensitive data stored therein.
a third sensing circuit responsive to a decrease in temperature in said ceramic housing below a preselected reference temperature for developing a fourth signal, said clearing means being responsive to any of said first, second and fourth signals for applying said third signal to said memory to clear said memory of any sensitive data stored therein.
16. The device of claim 15 wherein said memory includes:
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
17. The device of claim 15 wherein said third sensing circuit includes:
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said ceramic housing is at or above a preselected reference temperature and a second operational state when the temperature within said ceramic housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said fourth signal.
a temperature sensitive bridge circuit for producing a first operational state when the temperature within said ceramic housing is at or above a preselected reference temperature and a second operational state when the temperature within said ceramic housing is below said preselected reference temperature; and amplifier means responsive to said second operational state of said temperature sensitive bridge circuit for developing said fourth signal.
18. The device of claim 17 wherein said memory includes:
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
a resettable shift register which is reset by said third signal to clear any sensitive data stored therein.
19. A device for the secure storage of sensitive data, said device comprising:
a ceramic housing comprised of a plurality of individual parts selectively connected together into a preselected configuration, each of said parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon;
a memory contained within said ceramic housing for storing sensitive data therein;
a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts;
(sensing means) contained within said ceramic housing and being coupled to said first con-ductive path, said sensing means being responsive to any attempt to penetrate said ceramic housing which damages said first conductive path for generating a first signal; and means contained within said ceramic housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
a ceramic housing comprised of a plurality of individual parts selectively connected together into a preselected configuration, each of said parts being comprised of a ceramic substrate and a plurality of ceramic layers disposed thereon;
a memory contained within said ceramic housing for storing sensitive data therein;
a first conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts;
(sensing means) contained within said ceramic housing and being coupled to said first con-ductive path, said sensing means being responsive to any attempt to penetrate said ceramic housing which damages said first conductive path for generating a first signal; and means contained within said ceramic housing being responsive to said first signal for clearing said memory of any sensitive data stored therein.
20. The device of claim 19 further including:
low temperature sensing means contained within said ceramic housing and being responsive to a decrease in temperature in said ceramic housing below a preselected reference temperature for developing a second signal, said clearing means being responsive to said first signal or said second signal for applying a third signal to aid memory to clear said memory of any sensitive data stored therein.
low temperature sensing means contained within said ceramic housing and being responsive to a decrease in temperature in said ceramic housing below a preselected reference temperature for developing a second signal, said clearing means being responsive to said first signal or said second signal for applying a third signal to aid memory to clear said memory of any sensitive data stored therein.
21. The device of claim 19 further including:
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said sensing means further coupled to said second conduc-tive path and being responsive to any attempt to penetrate said ceramic housing which damages said second conductive path for generating a second signal, said clearing means being responsive to said first signal or said second signal for clearing said memory of any sensitive data stored therein.
a second conductive path selectively provided through said plurality of ceramic layers of each of said plurality of individual parts, said sensing means further coupled to said second conduc-tive path and being responsive to any attempt to penetrate said ceramic housing which damages said second conductive path for generating a second signal, said clearing means being responsive to said first signal or said second signal for clearing said memory of any sensitive data stored therein.
22. The device of claim 21 wherein said sensing means includes:
a first sensing circuit coupled to said first conductive path and being responsive to damage to said first conductive path for generating said first signal; and a second sensing circuit coupled to said second conductive path and being responsive to damage to said second conductive path for generating said second signal.
a first sensing circuit coupled to said first conductive path and being responsive to damage to said first conductive path for generating said first signal; and a second sensing circuit coupled to said second conductive path and being responsive to damage to said second conductive path for generating said second signal.
23. The device of claim 22 further including:
a third sensing circuit contained within said ceramic housing being responsive to a decrease in temperature in said ceramic housing below a preselec-ted reference temperature for developing a third signal, said clearing means being responsive to any of said first, second and third signals for applying a fourth signal to said memory to clear said memory of any sensitive data stored therein.
a third sensing circuit contained within said ceramic housing being responsive to a decrease in temperature in said ceramic housing below a preselec-ted reference temperature for developing a third signal, said clearing means being responsive to any of said first, second and third signals for applying a fourth signal to said memory to clear said memory of any sensitive data stored therein.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US684,637 | 1984-12-21 | ||
| US06/684,637 US4593384A (en) | 1984-12-21 | 1984-12-21 | Security device for the secure storage of sensitive data |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA1238716A true CA1238716A (en) | 1988-06-28 |
Family
ID=24748906
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000496860A Expired CA1238716A (en) | 1984-12-21 | 1985-12-04 | Security device for the secure storage of sensitive data |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US4593384A (en) |
| EP (1) | EP0207126B1 (en) |
| JP (1) | JPS62501242A (en) |
| CA (1) | CA1238716A (en) |
| DE (1) | DE3576006D1 (en) |
| WO (1) | WO1986003861A1 (en) |
Families Citing this family (172)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3347483A1 (en) * | 1983-12-29 | 1985-07-11 | GAO Gesellschaft für Automation und Organisation mbH, 8000 München | DEVICE FOR SECURING SECRET INFORMATION |
| DK190784D0 (en) * | 1984-04-12 | 1984-04-12 | Pengeinst Koebe Kreditkort | METHOD AND APPARATUS FOR DATA TRANSMISSION |
| EP0207320B1 (en) * | 1985-07-03 | 1990-05-09 | Siemens Aktiengesellschaft | Integrated circuit and method to protect secret data |
| GB2182176B (en) * | 1985-09-25 | 1989-09-20 | Ncr Co | Data security device for protecting stored data |
| US5175840A (en) * | 1985-10-02 | 1992-12-29 | Hitachi, Ltd. | Microcomputer having a PROM including data security and test circuitry |
| GB2182467B (en) * | 1985-10-30 | 1989-10-18 | Ncr Co | Security device for stored sensitive data |
| DE3602960C1 (en) * | 1986-01-31 | 1987-02-19 | Philips Patentverwaltung | Thick film circuit arrangement with a ceramic substrate plate |
| USRE38419E1 (en) | 1986-05-13 | 2004-02-10 | Ncr Corporation | Computer interface device |
| US4882752A (en) * | 1986-06-25 | 1989-11-21 | Lindman Richard S | Computer security system |
| US4875486A (en) * | 1986-09-04 | 1989-10-24 | Advanced Techtronics, Inc. | Instrument and method for non-invasive in vivo testing for body fluid constituents |
| GB2195478B (en) * | 1986-09-24 | 1990-06-13 | Ncr Co | Security device for sensitive data |
| US5117457A (en) * | 1986-11-05 | 1992-05-26 | International Business Machines Corp. | Tamper resistant packaging for information protection in electronic circuitry |
| US4860351A (en) * | 1986-11-05 | 1989-08-22 | Ibm Corporation | Tamper-resistant packaging for protection of information stored in electronic circuitry |
| GB2205667B (en) * | 1987-06-12 | 1991-11-06 | Ncr Co | Method of controlling the operation of security modules |
| FR2617976B1 (en) * | 1987-07-10 | 1989-11-10 | Thomson Semiconducteurs | BINARY LOGIC LEVEL ELECTRIC DETECTOR |
| US5239664A (en) * | 1988-12-20 | 1993-08-24 | Bull S.A. | Arrangement for protecting an electronic card and its use for protecting a terminal for reading magnetic and/or microprocessor cards |
| US4933898A (en) * | 1989-01-12 | 1990-06-12 | General Instrument Corporation | Secure integrated circuit chip with conductive shield |
| DE58907852D1 (en) * | 1989-08-03 | 1994-07-14 | Scheidt & Bachmann Gmbh | Device for entering data. |
| US5027397A (en) * | 1989-09-12 | 1991-06-25 | International Business Machines Corporation | Data protection by detection of intrusion into electronic assemblies |
| CA2067331A1 (en) * | 1989-10-03 | 1991-04-04 | Joseph Unsworth | Electro-active cradle circuits for the detection of access or penetration |
| US5228084A (en) * | 1991-02-28 | 1993-07-13 | Gilbarco, Inc. | Security apparatus and system for retail environments |
| US6782479B1 (en) * | 1991-04-26 | 2004-08-24 | Raytheon Company | Apparatus and method for inhibiting analysis of a secure circuit |
| US5343524A (en) * | 1991-06-21 | 1994-08-30 | Mu Xiao Chun | Intelligent security device |
| KR940005696B1 (en) * | 1991-11-25 | 1994-06-22 | 현대전자산업 주식회사 | Rom device with security |
| JP3305737B2 (en) * | 1991-11-27 | 2002-07-24 | 富士通株式会社 | Confidential information management method for information processing equipment |
| US5389738A (en) * | 1992-05-04 | 1995-02-14 | Motorola, Inc. | Tamperproof arrangement for an integrated circuit device |
| DE4243888A1 (en) * | 1992-12-23 | 1994-06-30 | Gao Ges Automation Org | Data carrier and method for checking the authenticity of a data carrier |
| DE59409949D1 (en) * | 1993-04-28 | 2001-12-20 | Fujitsu Siemens Computers Gmbh | Protection device for circuit parts and / or data of an electrotechnical device |
| US5533123A (en) * | 1994-06-28 | 1996-07-02 | National Semiconductor Corporation | Programmable distributed personal security |
| FR2723806A1 (en) * | 1994-08-17 | 1996-02-23 | Schlumberger Ind Sa | SECURE KEYBOARD DEVICE |
| FR2727227B1 (en) * | 1994-11-17 | 1996-12-20 | Schlumberger Ind Sa | ACTIVE SECURITY DEVICE WITH ELECTRONIC MEMORY |
| JPH08263438A (en) | 1994-11-23 | 1996-10-11 | Xerox Corp | Distribution and use control system of digital work and access control method to digital work |
| US5715403A (en) † | 1994-11-23 | 1998-02-03 | Xerox Corporation | System for controlling the distribution and use of digital works having attached usage rights where the usage rights are defined by a usage rights grammar |
| US6963859B2 (en) * | 1994-11-23 | 2005-11-08 | Contentguard Holdings, Inc. | Content rendering repository |
| US5629980A (en) † | 1994-11-23 | 1997-05-13 | Xerox Corporation | System for controlling the distribution and use of digital works |
| DE19536477C2 (en) * | 1995-09-29 | 1997-10-23 | Siemens Nixdorf Inf Syst | Circuit arrangement for securing electronic components |
| JP3627384B2 (en) * | 1996-01-17 | 2005-03-09 | 富士ゼロックス株式会社 | Information processing apparatus with software protection function and information processing method with software protection function |
| US5956415A (en) * | 1996-01-26 | 1999-09-21 | Harris Corporation | Enhanced security fingerprint sensor package and related methods |
| US5861652A (en) * | 1996-03-28 | 1999-01-19 | Symbios, Inc. | Method and apparatus for protecting functions imbedded within an integrated circuit from reverse engineering |
| JP3440763B2 (en) * | 1996-10-25 | 2003-08-25 | 富士ゼロックス株式会社 | Encryption device, decryption device, confidential data processing device, and information processing device |
| US5880523A (en) * | 1997-02-24 | 1999-03-09 | General Instrument Corporation | Anti-tamper integrated circuit |
| US6356704B1 (en) * | 1997-06-16 | 2002-03-12 | Ati Technologies, Inc. | Method and apparatus for detecting protection of audio and video signals |
| AU690058B3 (en) * | 1997-07-22 | 1998-04-09 | James Edward Green | Security system |
| US20090043907A1 (en) * | 1997-09-11 | 2009-02-12 | Digital Delivery Networks, Inc. | Local portal |
| US6163154A (en) | 1997-12-23 | 2000-12-19 | Magnetic Diagnostics, Inc. | Small scale NMR spectroscopic apparatus and method |
| KR100396064B1 (en) * | 1998-08-18 | 2003-08-27 | 인피니언 테크놀로지스 아게 | Semiconductor chip with surface coating |
| US6556681B2 (en) * | 1998-08-26 | 2003-04-29 | Lear Corporation | Reconfigurable universal trainable transmitter |
| CN1214304C (en) | 1998-11-05 | 2005-08-10 | 因芬尼昂技术股份公司 | Protection circuit for integrated circuit |
| TW460846B (en) * | 1998-12-10 | 2001-10-21 | Toshiba Corp | Data recording media having certification information |
| US6501390B1 (en) * | 1999-01-11 | 2002-12-31 | International Business Machines Corporation | Method and apparatus for securely determining aspects of the history of a good |
| US6690880B1 (en) * | 1999-05-21 | 2004-02-10 | Ati International, Srl | Method and apparatus for copy protection detection in a video signal |
| US7005733B2 (en) * | 1999-12-30 | 2006-02-28 | Koemmerling Oliver | Anti tamper encapsulation for an integrated circuit |
| AU2001253818A1 (en) * | 2000-02-14 | 2001-08-20 | Christina Alvarez | Security module system, apparatus and process |
| US6646565B1 (en) | 2000-06-01 | 2003-11-11 | Hewlett-Packard Development Company, L.P. | Point of sale (POS) terminal security system |
| US6775776B1 (en) * | 2000-06-27 | 2004-08-10 | Intel Corporation | Biometric-based authentication in a nonvolatile memory device |
| US6895509B1 (en) | 2000-09-21 | 2005-05-17 | Pitney Bowes Inc. | Tamper detection system for securing data |
| US6892305B1 (en) * | 2000-10-12 | 2005-05-10 | International Business Machines Corporation | Method and system for booting up a computer system in a secure fashion |
| US7302703B2 (en) * | 2000-12-20 | 2007-11-27 | Aol, Llc A Delaware Limited Liability Company | Hardware token self enrollment process |
| US6686539B2 (en) * | 2001-01-03 | 2004-02-03 | International Business Machines Corporation | Tamper-responding encapsulated enclosure having flexible protective mesh structure |
| US6901343B2 (en) * | 2001-01-10 | 2005-05-31 | Matsushita Electric Industrial Co., Ltd. | Multilayer board in which wiring of signal line that requires tamper-resistance is covered by component or foil, design apparatus, method, and program for the multilayer board, and medium recording the program |
| US7200759B2 (en) * | 2001-06-08 | 2007-04-03 | Safenet B.V. | Method and device for making information contents of a volatile semiconductor memory irretrievable |
| US20060174352A1 (en) * | 2001-07-25 | 2006-08-03 | Seagate Technology Llc | Method and apparatus for providing versatile services on storage devices |
| US7925894B2 (en) * | 2001-07-25 | 2011-04-12 | Seagate Technology Llc | System and method for delivering versatile security, digital rights management, and privacy services |
| JPWO2003015169A1 (en) | 2001-08-07 | 2004-12-02 | 株式会社ルネサステクノロジ | Semiconductor device and IC card |
| US20030131255A1 (en) * | 2002-01-10 | 2003-07-10 | Youngtack Shim | Secure data storage systems |
| JP2003288573A (en) * | 2002-03-27 | 2003-10-10 | Seiko Epson Corp | Ic card and manufacturing method therefor |
| US6782477B2 (en) * | 2002-04-16 | 2004-08-24 | Song Computer Entertainment America Inc. | Method and system for using tamperproof hardware to provide copy protection and online security |
| US7121639B2 (en) * | 2002-12-02 | 2006-10-17 | Silverbrook Research Pty Ltd | Data rate equalisation to account for relatively different printhead widths |
| US6853093B2 (en) * | 2002-12-20 | 2005-02-08 | Lipman Electronic Engineering Ltd. | Anti-tampering enclosure for electronic circuitry |
| US7180008B2 (en) * | 2004-01-23 | 2007-02-20 | Pitney Bowes Inc. | Tamper barrier for electronic device |
| US6996953B2 (en) * | 2004-01-23 | 2006-02-14 | Pitney Bowes Inc. | System and method for installing a tamper barrier wrap in a PCB assembly, including a PCB assembly having improved heat sinking |
| US7274289B2 (en) * | 2004-05-27 | 2007-09-25 | Eastman Kodak Company | System and device for detecting object tampering |
| US7156233B2 (en) * | 2004-06-15 | 2007-01-02 | Pitney Bowes Inc. | Tamper barrier enclosure with corner protection |
| US7343496B1 (en) * | 2004-08-13 | 2008-03-11 | Zilog, Inc. | Secure transaction microcontroller with secure boot loader |
| US7323986B2 (en) * | 2004-09-03 | 2008-01-29 | Gore Enterprise Holdings, Inc. | Reusable tamper respondent enclosure |
| US8099783B2 (en) * | 2005-05-06 | 2012-01-17 | Atmel Corporation | Security method for data protection |
| FR2888975B1 (en) * | 2005-07-21 | 2007-09-07 | Atmel Corp | SECURITY METHOD FOR DATA PROTECTION |
| US8028166B2 (en) * | 2006-04-25 | 2011-09-27 | Seagate Technology Llc | Versatile secure and non-secure messaging |
| US7539890B2 (en) * | 2006-04-25 | 2009-05-26 | Seagate Technology Llc | Hybrid computer security clock |
| US8429724B2 (en) * | 2006-04-25 | 2013-04-23 | Seagate Technology Llc | Versatile access control system |
| GB0618521D0 (en) * | 2006-09-20 | 2006-11-01 | Sb Business Consultancy Ltd | Improvements relating to data security |
| US9015075B2 (en) * | 2006-09-29 | 2015-04-21 | Oracle America, Inc. | Method and apparatus for secure information distribution |
| US7760086B2 (en) * | 2006-11-03 | 2010-07-20 | Gore Enterprise Holdings, Inc | Tamper respondent sensor and enclosure |
| US7352203B1 (en) | 2006-12-26 | 2008-04-01 | Atmel Corporation | Method to reduce power in active shield circuits that use complementary traces |
| US7898413B2 (en) * | 2007-01-25 | 2011-03-01 | Verifone, Inc. | Anti-tamper protected enclosure |
| FR2915054B1 (en) * | 2007-04-12 | 2009-06-26 | Sagem Monetel Soc Par Actions | DEVICE FOR PROTECTING AN ELECTRONIC COMPONENT |
| US7787256B2 (en) * | 2007-08-10 | 2010-08-31 | Gore Enterprise Holdings, Inc. | Tamper respondent system |
| US7843339B2 (en) | 2007-08-27 | 2010-11-30 | Verifone, Inc. | Secure point of sale device employing capacitive sensors |
| US8112807B2 (en) * | 2007-11-07 | 2012-02-07 | Qualcomm Incorporated | Systems, methods, and apparatuses for erasing memory on wireless devices |
| US7812428B2 (en) * | 2007-12-05 | 2010-10-12 | Atmel Rousset S.A.S. | Secure connector grid array package |
| US7772514B2 (en) * | 2007-12-20 | 2010-08-10 | Verifone, Inc. | Capacitive user-interface switches |
| US8595514B2 (en) | 2008-01-22 | 2013-11-26 | Verifone, Inc. | Secure point of sale terminal |
| US9013336B2 (en) | 2008-01-22 | 2015-04-21 | Verifone, Inc. | Secured keypad devices |
| US8201267B2 (en) * | 2008-10-24 | 2012-06-12 | Pitney Bowes Inc. | Cryptographic device having active clearing of memory regardless of state of external power |
| FR2938953B1 (en) * | 2008-11-21 | 2011-03-11 | Innova Card | DEVICE FOR PROTECTING AN ELECTRONIC INTEGRATED CIRCUIT BOX FROM PHYSICAL OR CHEMICAL INTRUSIONS. |
| JP5338306B2 (en) * | 2008-12-26 | 2013-11-13 | 富士通株式会社 | Data storage device and data management method in data storage device |
| US20100171202A1 (en) * | 2009-01-07 | 2010-07-08 | Tian Weicheng | Method of securely data protecting arrangement for electronic device |
| WO2010111655A1 (en) * | 2009-03-26 | 2010-09-30 | Hypercom Corporation | Keypad membrane security |
| JP5378076B2 (en) * | 2009-06-11 | 2013-12-25 | 東プレ株式会社 | Data safety case |
| US8358218B2 (en) | 2010-03-02 | 2013-01-22 | Verifone, Inc. | Point of sale terminal having enhanced security |
| US8330606B2 (en) | 2010-04-12 | 2012-12-11 | Verifone, Inc. | Secure data entry device |
| US8405506B2 (en) | 2010-08-02 | 2013-03-26 | Verifone, Inc. | Secure data entry device |
| JP5761947B2 (en) * | 2010-09-02 | 2015-08-12 | キヤノン株式会社 | Semiconductor integrated circuit device |
| JP2012053788A (en) * | 2010-09-02 | 2012-03-15 | Canon Inc | Semiconductor integrated circuit device |
| US8938624B2 (en) * | 2010-09-15 | 2015-01-20 | Lsi Corporation | Encryption key destruction for secure data erasure |
| US8593824B2 (en) | 2010-10-27 | 2013-11-26 | Verifone, Inc. | Tamper secure circuitry especially for point of sale terminal |
| US8621235B2 (en) | 2011-01-06 | 2013-12-31 | Verifone, Inc. | Secure pin entry device |
| CN102324139A (en) * | 2011-03-30 | 2012-01-18 | 青岛海信智能商用设备有限公司 | Bank card payment terminal equipment with liquid crystal data anti-tampering protection device |
| US8884757B2 (en) | 2011-07-11 | 2014-11-11 | Verifone, Inc. | Anti-tampering protection assembly |
| DE102011117214B4 (en) * | 2011-10-28 | 2016-06-16 | Stepover Gmbh | A method for detecting an unauthorized opening of a signature device, signature device and computer system with the same |
| US8730715B2 (en) * | 2012-03-26 | 2014-05-20 | Honeywell International Inc. | Tamper-resistant MRAM utilizing chemical alteration |
| US9618635B2 (en) | 2012-06-21 | 2017-04-11 | Honeywell International Inc. | Integrated radiation sensitive circuit |
| US8575560B1 (en) | 2012-06-21 | 2013-11-05 | Honeywell International Inc. | Integrated circuit cumulative dose radiation sensor |
| US8933412B2 (en) | 2012-06-21 | 2015-01-13 | Honeywell International Inc. | Integrated comparative radiation sensitive circuit |
| US9691066B2 (en) | 2012-07-03 | 2017-06-27 | Verifone, Inc. | Location-based payment system and method |
| US9122937B2 (en) | 2012-07-23 | 2015-09-01 | Fci Americas Technology Llc | Tamper-resistant housing assembly |
| US9452570B2 (en) * | 2012-11-07 | 2016-09-27 | Dell Products L.P. | Information handling system ceramic chassis |
| JP5622341B2 (en) * | 2013-09-25 | 2014-11-12 | 東プレ株式会社 | Data safety case |
| US9213869B2 (en) | 2013-10-04 | 2015-12-15 | Verifone, Inc. | Magnetic stripe reading device |
| US9246501B2 (en) | 2014-04-29 | 2016-01-26 | Honeywell International Inc. | Converter for analog inputs |
| WO2015196450A1 (en) | 2014-06-27 | 2015-12-30 | Microsoft Technology Licensing, Llc | System for data protection in power off mode |
| EP3161701B1 (en) | 2014-06-27 | 2020-06-17 | Microsoft Technology Licensing, LLC | Data protection system based on user input patterns on device |
| CN105519038B (en) | 2014-06-27 | 2020-03-17 | 微软技术许可有限责任公司 | User input data protection method and system |
| US20160026275A1 (en) | 2014-07-23 | 2016-01-28 | Verifone, Inc. | Data device including ofn functionality |
| US10540907B2 (en) | 2014-07-31 | 2020-01-21 | Intelligent Technologies International, Inc. | Biometric identification headpiece system for test taking |
| US9959777B2 (en) | 2014-08-22 | 2018-05-01 | Intelligent Technologies International, Inc. | Secure testing device, system and method |
| US10410535B2 (en) | 2014-08-22 | 2019-09-10 | Intelligent Technologies International, Inc. | Secure testing device |
| JP5774177B2 (en) * | 2014-09-20 | 2015-09-02 | 東プレ株式会社 | Data safety case |
| EP3210087A4 (en) | 2014-10-20 | 2018-03-07 | Bedrock Automation Platforms Inc. | Tamper resistant module for industrial control system |
| US10438106B2 (en) | 2014-11-04 | 2019-10-08 | Intellignet Technologies International, Inc. | Smartcard |
| US9560737B2 (en) | 2015-03-04 | 2017-01-31 | International Business Machines Corporation | Electronic package with heat transfer element(s) |
| US9595174B2 (en) | 2015-04-21 | 2017-03-14 | Verifone, Inc. | Point of sale terminal having enhanced security |
| US10426037B2 (en) | 2015-07-15 | 2019-09-24 | International Business Machines Corporation | Circuitized structure with 3-dimensional configuration |
| US9959496B2 (en) * | 2015-08-18 | 2018-05-01 | Franklin J. Camper | Microprocessor-controlled tamper detection system |
| US10140570B2 (en) * | 2015-08-18 | 2018-11-27 | William P Gulas | Microprocessor-controlled tamper detection system |
| US9591776B1 (en) | 2015-09-25 | 2017-03-07 | International Business Machines Corporation | Enclosure with inner tamper-respondent sensor(s) |
| US9894749B2 (en) | 2015-09-25 | 2018-02-13 | International Business Machines Corporation | Tamper-respondent assemblies with bond protection |
| US10098235B2 (en) | 2015-09-25 | 2018-10-09 | International Business Machines Corporation | Tamper-respondent assemblies with region(s) of increased susceptibility to damage |
| US9924591B2 (en) | 2015-09-25 | 2018-03-20 | International Business Machines Corporation | Tamper-respondent assemblies |
| US10175064B2 (en) | 2015-09-25 | 2019-01-08 | International Business Machines Corporation | Circuit boards and electronic packages with embedded tamper-respondent sensor |
| US10172239B2 (en) | 2015-09-25 | 2019-01-01 | International Business Machines Corporation | Tamper-respondent sensors with formed flexible layer(s) |
| US9578764B1 (en) | 2015-09-25 | 2017-02-21 | International Business Machines Corporation | Enclosure with inner tamper-respondent sensor(s) and physical security element(s) |
| US9911012B2 (en) | 2015-09-25 | 2018-03-06 | International Business Machines Corporation | Overlapping, discrete tamper-respondent sensors |
| US10143090B2 (en) | 2015-10-19 | 2018-11-27 | International Business Machines Corporation | Circuit layouts of tamper-respondent sensors |
| US9978231B2 (en) | 2015-10-21 | 2018-05-22 | International Business Machines Corporation | Tamper-respondent assembly with protective wrap(s) over tamper-respondent sensor(s) |
| US9913389B2 (en) | 2015-12-01 | 2018-03-06 | International Business Corporation Corporation | Tamper-respondent assembly with vent structure |
| US10327343B2 (en) | 2015-12-09 | 2019-06-18 | International Business Machines Corporation | Applying pressure to adhesive using CTE mismatch between components |
| US9555606B1 (en) | 2015-12-09 | 2017-01-31 | International Business Machines Corporation | Applying pressure to adhesive using CTE mismatch between components |
| US9554477B1 (en) | 2015-12-18 | 2017-01-24 | International Business Machines Corporation | Tamper-respondent assemblies with enclosure-to-board protection |
| US10678958B2 (en) | 2015-12-28 | 2020-06-09 | Intelligent Technologies International, Inc. | Intrusion-protected memory component |
| US9916744B2 (en) | 2016-02-25 | 2018-03-13 | International Business Machines Corporation | Multi-layer stack with embedded tamper-detect protection |
| US9904811B2 (en) | 2016-04-27 | 2018-02-27 | International Business Machines Corporation | Tamper-proof electronic packages with two-phase dielectric fluid |
| US9881880B2 (en) | 2016-05-13 | 2018-01-30 | International Business Machines Corporation | Tamper-proof electronic packages with stressed glass component substrate(s) |
| US9913370B2 (en) | 2016-05-13 | 2018-03-06 | International Business Machines Corporation | Tamper-proof electronic packages formed with stressed glass |
| US9858776B1 (en) | 2016-06-28 | 2018-01-02 | International Business Machines Corporation | Tamper-respondent assembly with nonlinearity monitoring |
| US10321589B2 (en) | 2016-09-19 | 2019-06-11 | International Business Machines Corporation | Tamper-respondent assembly with sensor connection adapter |
| US10299372B2 (en) | 2016-09-26 | 2019-05-21 | International Business Machines Corporation | Vented tamper-respondent assemblies |
| US10271424B2 (en) | 2016-09-26 | 2019-04-23 | International Business Machines Corporation | Tamper-respondent assemblies with in situ vent structure(s) |
| US9999124B2 (en) | 2016-11-02 | 2018-06-12 | International Business Machines Corporation | Tamper-respondent assemblies with trace regions of increased susceptibility to breaking |
| JP6818345B2 (en) * | 2016-11-15 | 2021-01-20 | 株式会社リニア・サーキット | An alarm sensor for detecting fraudulent attacks and a safe that uses it |
| US10327329B2 (en) | 2017-02-13 | 2019-06-18 | International Business Machines Corporation | Tamper-respondent assembly with flexible tamper-detect sensor(s) overlying in-situ-formed tamper-detect sensor |
| DE102017217494A1 (en) * | 2017-09-29 | 2019-04-04 | Micro-Epsilon Messtechnik Gmbh & Co. Kg | Contactless working displacement sensor |
| US10306753B1 (en) | 2018-02-22 | 2019-05-28 | International Business Machines Corporation | Enclosure-to-board interface with tamper-detect circuit(s) |
| US11122682B2 (en) | 2018-04-04 | 2021-09-14 | International Business Machines Corporation | Tamper-respondent sensors with liquid crystal polymer layers |
| US10544923B1 (en) | 2018-11-06 | 2020-01-28 | Verifone, Inc. | Devices and methods for optical-based tamper detection using variable light characteristics |
| US11493565B2 (en) * | 2019-12-03 | 2022-11-08 | International Business Machines Corporation | Leakage characterization and management for electronic circuit enhancement |
| US10810475B1 (en) | 2019-12-20 | 2020-10-20 | Capital One Services, Llc | Systems and methods for overmolding a card to prevent chip fraud |
| US10817768B1 (en) | 2019-12-20 | 2020-10-27 | Capital One Services, Llc | Systems and methods for preventing chip fraud by inserts in chip pocket |
| US10977539B1 (en) | 2019-12-20 | 2021-04-13 | Capital One Services, Llc | Systems and methods for use of capacitive member to prevent chip fraud |
| US11049822B1 (en) | 2019-12-20 | 2021-06-29 | Capital One Services, Llc | Systems and methods for the use of fraud prevention fluid to prevent chip fraud |
| US10888940B1 (en) | 2019-12-20 | 2021-01-12 | Capital One Services, Llc | Systems and methods for saw tooth milling to prevent chip fraud |
| US11715103B2 (en) | 2020-08-12 | 2023-08-01 | Capital One Services, Llc | Systems and methods for chip-based identity verification and transaction authentication |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS5332233B1 (en) * | 1968-12-25 | 1978-09-07 | ||
| US3882323A (en) * | 1973-12-17 | 1975-05-06 | Us Navy | Method and apparatus for protecting sensitive information contained in thin-film microelectonic circuitry |
| CH640971A5 (en) * | 1979-06-28 | 1984-01-31 | Kurt Ehrat | Mobile data container secured against unauthorised access |
| US4320438A (en) * | 1980-05-15 | 1982-03-16 | Cts Corporation | Multi-layer ceramic package |
| SE425705B (en) * | 1980-12-23 | 1982-10-25 | Ericsson Telefon Ab L M | DEVICE FOR AUTOMATICALLY ENHANCING THE INFORMATION CONTENT IN THE COMPUTER AND THE PROGRAMMING IN A DATABASE |
| EP0128672A1 (en) * | 1983-05-13 | 1984-12-19 | Ira Dennis Gale | Data security device |
-
1984
- 1984-12-21 US US06/684,637 patent/US4593384A/en not_active Expired - Lifetime
-
1985
- 1985-12-04 CA CA000496860A patent/CA1238716A/en not_active Expired
- 1985-12-06 EP EP86900446A patent/EP0207126B1/en not_active Expired
- 1985-12-06 DE DE8686900446T patent/DE3576006D1/en not_active Expired - Lifetime
- 1985-12-06 WO PCT/US1985/002412 patent/WO1986003861A1/en not_active Application Discontinuation
- 1985-12-06 JP JP61500480A patent/JPS62501242A/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| DE3576006D1 (en) | 1990-03-15 |
| WO1986003861A1 (en) | 1986-07-03 |
| EP0207126A1 (en) | 1987-01-07 |
| US4593384A (en) | 1986-06-03 |
| EP0207126B1 (en) | 1990-02-07 |
| JPS62501242A (en) | 1987-05-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA1238716A (en) | Security device for the secure storage of sensitive data | |
| CA1265245A (en) | Data security device for protecting stored data | |
| US4691350A (en) | Security device for stored sensitive data | |
| US6414884B1 (en) | Method and apparatus for securing electronic circuits | |
| US4807284A (en) | Security device for sensitive data | |
| TWI388048B (en) | Integrated circuit security device and method | |
| US7898413B2 (en) | Anti-tamper protected enclosure | |
| US5998858A (en) | Microcircuit with memory that is protected by both hardware and software | |
| US7005733B2 (en) | Anti tamper encapsulation for an integrated circuit | |
| US5389738A (en) | Tamperproof arrangement for an integrated circuit device | |
| CN100501992C (en) | Method and structure for implementing secure multichip modules for encryption applications | |
| US6929900B2 (en) | Tamper-responding encapsulated enclosure having flexible protective mesh structure | |
| US5159629A (en) | Data protection by detection of intrusion into electronic assemblies | |
| US5117457A (en) | Tamper resistant packaging for information protection in electronic circuitry | |
| JPH05502956A (en) | Electronically actuated cradle circuit for access or intrusion detection | |
| EP0509567A2 (en) | Device with protection against access to secure information | |
| EP0268882B1 (en) | Tamper resistant package for protecting electronic circuitry | |
| WO2007018761A2 (en) | Security method for data protection | |
| EP0495645B1 (en) | Data security device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MKEX | Expiry |