CA2162287C - A secure memory card - Google Patents
- Publication number
- CA2162287C
- Authority
- CA
- Canada
- Prior art keywords
- memory
- microprocessor
- lock
- card
- volatile
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K19/00—Record carriers for use with machines and with at least a part designed to carry digital markings
- G06K19/06—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
- G06K19/067—Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
- G06K19/07—Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
- G06K19/073—Special arrangements for circuits, e.g. for protecting identification code in memory
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
A secure memory card includes a microprocessor on a single semiconductor chip and one or more non-volatile addressable memory chips. The microprocessor chip and non-volatile memory chips connect in common to an internal card bus for transmitting address, data and control information to such non-volatile memory chips. The microprocessor includes an addressable non-volatile memory for storing information including a number of key values, application specific configuration information and program instruction information. Each chip's memory is organized into a number of blocks or banks and each memory chip is constructed to include security control logic circuits. These circuits include a number of non-volatile and volatile memory devices which are loaded with key and configuration information under the control of the microprocessor only after the microprocessor has determined that the user has successfully performed a predetermined authentication procedure with a host computer. Thereafter, the user is allowed to read out information from blocks only as defined by the configuration information.
Description
WO 95/24698 2162287
A SECURE MEMORY CARD
BACKGROUND OF THE INVENTION
Technical Field
This invention relates to the field of portable personal computers and more particularly to maintaining systems for data security in a portable digital information environment.
Description of the Prior Art
The security of personal information has forever been a concern. It has been ensured by locks, codes and secret pockets. As information has taken new forms, new methods have been required to meet the changed situations.
Historically, security of information has been addressed by use of signatures, credentials and photographs. Electronic devices such as automatic banking machines have added encoded cards and personal identification numbers (PINs) to the repertoire of security tools. Computer systems continue to use passwords. More recently the "Smart Card" has been used as a security tool. The "Smart Card" is a small microcomputer with writable, non-volatile memory and a simple input/output interface, fabricated as a single chip and embedded in a plastic "credit card". It has exterior pads to allow it to be connected to specially designed equipment. The program contained in the card's microcomputer interacts with this equipment and allows its nonvolatile memory data to be read or modified according to the desired algorithm which may optionally include a password exchange. Special techniques have been implemented to protect the memory information and to allow varied permissions according to the situation.
For example, U.S. Patent No. 4,382,279 entitled, "Single Chip Microprocessor with On-Chip Modifiable Memory" discloses an architecture which permits automatic programming of a non-volatile memory which is included on the same chip as a processing and control unit. As in other systems, the microprocessor only protects memory on the same chip.
The "Smart Card" has been used both to facilitate the process of identification and to be the actual site of the valued information. In this situation, as in most past situations, physical possession of a "key" as well as some special knowledge has been used as part of the verification or authentication process. In such above cases, identification has been a dialog between the person desiring access and a fixed agency such as a security guard or an automatic teller machine.
The current state of portability of free-standing computing devices makes it possible for both the physical key and the authentication agent to be small, portable and hence more subject to loss or theft.
Further, computing devices make it possible to perform repeated attempts to guess or deduce the special knowledge associated with the identification process. This is especially true if the authentication agent or device is also in the control of the thief or burglar. To make matters worse, technology now allows and encourages the carrying of large amounts of sensitive information in a pocket or handbag where it is subject to mishap.
Today, notebook and subnotebook sized computers provide a capable free-standing environment which allows for significant computing power and thus creates a need for additional data storage capability. This has initially been met by miniature hard disk devices which hold both programs and data. While password protection is often used in these systems, it does not completely protect sensitive data because, first, the authentication agent is itself vulnerable. However, more significantly, the disk drive containing the data can be physically removed and accessed in a setting more conducive to data analysis. In this case, only some form of encryption is capable of protecting the data.
The nature of disk access makes this possible without undue performance or cost barriers. An example of this type of system is described in U.S. Patent No. 4,985,920 entitled, "Integrated Circuit Card."
The recent development of the flash memory and removable "memory cards" has allowed major reductions in size and power requirements of the portable computer. The flash memory combines the flexibility of random access memory (RAM) with the permanence of disks. Today, the coupling of these technologies allows up to 20 million bytes of data to be contained, without need of power, in a credit card size, removable package. This data can be made to appear to a host system either as if it were contained in a conventional disk drive or as if it were an expansion of the host's memory. These technological developments have made further reduction in system size possible to the extent that it may be carried in a pocket rather than in a handbag or briefcase.
Thus, the data and its host system have become more vulnerable to loss or theft and simultaneously more difficult to protect memory data by encryption as this presents major cost and performance barriers.
Accordingly, it is a primary object of the invention to provide a portable digital system with a secure memory.
It is another object of the invention to provide a memory card which can be protected if removed from a portable digital system.
It is still a further object of the present invention to provide a memory card in which the chips of the card are protected if removed from such card.
SUMMARY OF THE INVENTION
The above objects are achieved in the secure card of a preferred embodiment of the present invention. The secure memory card includes a microprocessor on a single chip and one or more non-volatile addressable memory chips. The microprocessor chip and nonvolatile memory chips connect in common to an internal card bus for transmitting address, data and control information to such non-volatile memory chips.
The microprocessor includes an addressable non-volatile memory for storing information including a number of key values, configuration information and program instruction information for controlling the transfer of address, data and control information on the internal bus. The chip memory is organized into a number of blocks or banks, each block having a plurality of addressable locations.
According to the present invention, each memory chip is constructed to include security control logic circuits. In the preferred embodiment, these circuits include a non-volatile lock memory, a non-volatile lock storage enable element and a volatile access control memory, each being loadable under the control of the microprocessor. More specifically, the microprocessor first loads a lock value into the non-volatile lock memory and resets the lock storage enable element, inhibiting access. Thereafter, the microprocessor loads the access control memory as specified by the configuration information. Such information is loaded only after the microprocessor has determined that the user has successfully performed a predetermined authentication procedure with a host computer. The security logic circuits of each memory enable the reading of information stored in selected addressed blocks of the flash memory as a function of the configuration information loaded into the memory chip's access control memory. Periodically, the user is required to successfully perform an authentication procedure with the host, and the user is allowed to continue reading information as allowed by the access control memory. In the preferred embodiment, the host computer is coupled to the memory card through a standard interface such as the interface which conforms to the Personal Computer Memory Card International Association (PCMCIA) standard.
The present invention melds the "Smart Card" and "memory card" technologies, which is key to allowing the protection of the large amounts of data made possible by the flash memory technology in the "security harsh" environment which electronic miniaturization has created. Further, the present invention is able to take advantage of improvements and advances in both technologies.
Additionally, the security logic circuits of the present invention are incorporated into and operate in conjunction with the flash memory in a way that minimizes the amount of changes required to be made to the basic logic circuits of the flash memory. More specifically, the flash memory can be operated in a secure mode and in a non-secure mode wherein the security logic circuits are bypassed, enabling the flash memory to operate as if such circuits had not been installed. The non-secure mode is normally entered when the contents of the flash memory's non-volatile lock memory are cleared. This is generally indicative of an unprogrammed or fully erased flash memory which naturally erases to a predetermined state (i.e. an all ONES state).
With the addition of a small amount of logic to the flash memory and an "Access Control Processor" (ACP), the contents of the flash memory is made secure without requiring data encryption. Therefore, the invention eliminates the overhead of encrypting and decrypting data which can be quite time consuming for large blocks of data.
In operation, the ACP periodically prompts the user of the system for entry of some form of authentication. This may be a password, a PIN, a specific pen "gesture" performed at a specific point on the writing surface, a spoken command or a "voiceprint" of the user. The method varies with the system. The programmable ACP allows the user to alter the specific content of the authentication and the frequency of prompting. The code for authentication and the data required by the lock and access control memories are stored within the ACP's non-volatile memory which is on the same chip as the ACP and, hence, are protected.
As mentioned, a successful authentication causes the ACP to enable, or continue to enable, all or selected blocks of the flash memory for access. Failure causes access to the flash memory to be disabled. Thus, the operation is similar to a "dead man throttle" in that any failure to successfully complete authentication will cause the flash memory's data to be protected. In addition, a command initiated by the user can also cause access to be disabled. Further, upon first application of power from a powered off condition, access is blocked to protected memory blocks until the first authentication is successfully performed.
Thus, if either the memory card or its host processor is lost, stolen, powered off or left unattended, the memory's data is protected from access, either immediately or as soon as the current periodic authentication expires. In the event of theft, the memory data is protected from access even if the memory card is opened and probed electronically or the memory chips are removed and placed in another device.
The above objects and advantages of the present invention will be better understood from the following description when taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows an overall block diagram of a system which incorporates the memory card constructed according to the present invention.
Figure 2 shows in greater detail the access control processor (ACP) of Figure 1 including a layout of its non-volatile memory.
Figure 3 shows a detailed block diagram of a standard flash memory of Figure 1 modified according to the present invention.
Figures 4 and 5 are flow charts used to explain the operation of the memory card of the present invention in carrying out various authentication procedures.
DESCRIPTION OF THE PREFERRED EMBODIMENT
Figure 1 is a block diagram of a secure portable hand-held computing system 1 usable as a personal computer or as a transaction processor. System 1 includes a memory card 3 constructed according to the present invention which connects to a host processor 5 by a bus 102. The host processor 5 may take the form of a palm top personal computer, such as the HP 95LX manufactured by Hewlett-Packard. The host processor 5 includes a liquid crystal display (LCD) 5-2, a keyboard 5-4, a microprocessor 5-6, a memory 5-8 and a serial interface 5-10 all coupled in common to a bus 106. The memory 5-8 includes a one megabyte read only memory (ROM) and a 512 Kbyte random access memory (RAM).
The connection between the memory card 3 and host processor 5 is established through a standard bus interface. In the preferred embodiment, the bus 102 conforms to the Personal Computer Memory Card International Association (PCMCIA) standard. The interface 102 provides a path for transferring address, control and data information between host processor 5 and the memory card system 3 via a standard interface chip 104 and a memory card bus 105. Each of the buses 102, 105 and 106 includes a data bus, a control bus and an address bus and provides continuous signal paths through all like buses. For example, bus 105 includes address bus 105a, data bus 105b, and control bus 105c.
The PCMCIA bus standard has evolved from a standard which supports disk emulation on memory cards to a substantially different standard which allows random access to memory data. The memory card of the present invention provides a protection technique which supports this new standard by providing rapid access to random memory locations without resort to encryption techniques. By controlling the data paths which carry the data from the memory array to the host, the memory card of the present invention protects the data without imposing any time consuming buffering, decryption or other serial processing in this path.
Typically, a user operates system 1 from the keyboard 5-4 to perform the typical operations such as spreadsheet and database functions which display information on display 5-2 and update information stored in files in memory card 3. The host processor 5 sends address information over bus 102 to retrieve information and, if desired, updates the information and sends it, along with the necessary address and control information, back to memory card 3.
As shown in Figure 1, the memory card 3 of the present invention includes an access control processor (ACP) 10 coupled to bus 105 and a number (n) of CMOS flash memory chips 103a through 103n, each coupled to bus 105. ACP 10 is typically the same type of processing element as used in the "Smart Card". The CMOS flash memories 103a through 103n may take the form of flash memory chips manufactured by Intel Corporation. For example, they may take the form of the Intel flash memory chip designated as Intel 28F001BX 1M, a 128 KBYTE x 8 CMOS flash memory. Thus, a 4-MBYTE flash memory card could include 32 CMOS flash memories, that is 'n' = 32.
ACCESS CONTROL PROCESSOR 10
Figure 2 shows in block diagram form the access control processor (ACP) 10 of the preferred embodiment. As shown, ACP 10 includes a protected non-volatile memory 10-2, a random access memory (RAM) 10-4, a microprocessor 10-6, an interval counter 10-8 and an interface block 10-10 connected to bus 105. Non-volatile memory 10-2 dedicates a number of addressed locations in which to store authentication information and programs. More specifically, memory locations 10-2a store one or more personal identification numbers (PINs), protocol sequences or other identification information for verifying that the user has access to the system, and for identifying the blocks in flash memories 103a through 103n that the user may access, in addition to a time interval value used for re-authentication.
Memory locations 10-2b store the key values used for protecting each of the flash memories 103a through 103n or the codes used to protect the individual blocks of each of the flash memories 103a through 103n.
Memory locations 10-2c store the program instruction sequences for performing the required authentication operations and for clearing the system if the preset conditions for failure are met. Certain program instructions enable the user to control the setting of the interval counter 10-8 which establishes when user re-authentication takes place. The re-authentication interval defines the time between interruptions and for sending an interrupt to the host processor 5 requiring verification of the user's identity by having the user reenter the PIN or other password. The interval counter 10-8 receives clock pulses from the host processor 5 over bus 102 and can be set by the user according to the work environment. For example, at home, the user may turn the timer off (i.e., set it to a maximum value), or set the time interval to one hour. On an airplane the user may set it for ten minutes for increased protection. As described herein, the user is prompted to confirm the setting of this interval at every "power on", thereby forcing periodic re-authentications to enforce security.
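The ACP behaviour described in this section (access blocked from power-on until the first authentication, re-authentication forced when the interval counter expires, access revoked on any failure, and lockout after a threshold of incorrect guesses as mentioned later in the description) can be modelled as a small state machine. The following Python is an added example written for this page, not code from the patent or from Bull; the PIN, the interval values, the 32-bit counter width behind "timer off" and the three-failure threshold are constructed for illustration, since the patent gives no specific threshold.

```python
import hmac


class AccessControlProcessor:
    """Model of ACP 10: PIN check, periodic re-authentication, failure lockout.

    Constructed values: the PIN, the interval and the failure threshold are
    example inputs; the patent names no specific threshold.
    """

    TIMER_OFF = 2 ** 32 - 1   # "turn the timer off (i.e., set it to a maximum value)"; width assumed

    def __init__(self, pin: str, reauth_interval_ms: int, max_failures: int = 3) -> None:
        self._pin = pin.encode()               # would be held in protected NVM locations 10-2a
        self.interval_ms = reauth_interval_ms  # re-authentication interval (also in 10-2a)
        self.max_failures = max_failures       # threshold for "locking access" on bad guesses
        self.disabled = False
        self.power_on()

    def power_on(self) -> None:
        # Access is blocked from power-on until the first successful authentication.
        self.authenticated = False
        self.failures = 0
        self.elapsed_ms = 0
        self.enabled_banks: set = set()

    def set_interval(self, minutes: int) -> None:
        """User-selectable interval; 0 turns the timer off (counter at maximum)."""
        self.interval_ms = self.TIMER_OFF if minutes == 0 else minutes * 60_000

    def authenticate(self, pin_entry: str, banks) -> bool:
        """One authentication dialog: success enables the configured banks,
        failure revokes access and counts toward the lockout threshold."""
        if self.disabled:
            return False
        if hmac.compare_digest(self._pin, pin_entry.encode()):   # constant-time compare
            self.authenticated = True
            self.failures = 0
            self.elapsed_ms = 0
            self.enabled_banks = set(banks)   # in hardware: read-allow commands to each chip
            return True
        self.failures += 1
        self._revoke()                        # "dead man throttle": any failure protects data
        if self.failures >= self.max_failures:
            self.disabled = True
        return False

    def tick(self, ms: int) -> bool:
        """Advance the interval counter 10-8 by host clock time.
        Returns True when the interval has expired and re-authentication is required."""
        self.elapsed_ms += ms
        if self.authenticated and self.elapsed_ms >= self.interval_ms:
            self._revoke()
            return True
        return False

    def can_read(self, bank: int) -> bool:
        """What the host would observe for a read of the given bank."""
        return self.authenticated and bank in self.enabled_banks

    def _revoke(self) -> None:
        self.authenticated = False
        self.enabled_banks = set()
```

The model only tracks the ACP's own decision; in the card the "enabled banks" set corresponds to the read-allow commands the ACP sends to each flash chip, and a revoke corresponds to the access control memories being cleared.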
FLASH MEMORIES 103a through 103n
Figure 3 is a detailed block diagram of flash memories 103a through 103n. Only the detailed logic circuits of memory 103a are shown since memories 103b through 103n are constructed identically to memory 103a.
The flash memory 103a basically includes two sections, a section containing the security access control circuits of the present invention and another section containing the basic or standard logic circuits of the flash memory.
Security Access Control Section
As seen from Figure 3, the security control circuits of the present invention include a 32-bit key register 31, a 32-bit volatile lock register 33, a 12-bit delay counter 32, a comparator circuit 39, an all ONES detected signal circuit 38, a non-volatile lock memory 35, a one-bit non-volatile lock storage enable element 36, a volatile access control memory 43, an access modification allow AND gate 34 and an output OR gate 45 arranged as shown. It will be noted that this section receives command control signals designated by various hexadecimal values (e.g. 31H through 38H) from a command register 50 included in the basic logic section. These signals indicate the different data values of the set of commands received by the command register 50 from the ACP 10 via data bus 105b. These commands are an important extension to the sets of commands normally used by the flash memory. The standard flash memory commands take the form of the commands utilized by the 28F001BX flash memory. Those commands are described in the publication entitled, "Memory Products," published by Intel Corporation, referenced herein. The commands used by the present invention are described in Table 1.
Referring to Table 1, the first command shown is a load lock memory command which is used to initially load a random number generated lock value into non-volatile lock memory (LM) 35 in each memory 103a through 103n. Each memory 103a through 103n may have a different lock value or the same lock value depending on the security needs of the users. The lock value is loaded into LM 35 through key (K) register 31 under control of the one bit, non-volatile storage element 36. The reset lock storage enable command of Table 1 is used to reset storage element 36. This prevents the lock value stored in LM 35 from being changed since storage element 36, once reset by the reset lock storage enable command, cannot be set. The non-volatile contents of LM 35 are transferred to the L register 33 on power-up. It will be noted that the location or site of lock memory 35 is design dependent. For example, memory 35 could be implemented as an extension to memory array 54.
The load key register command of Table 1 is used to load the key register 31 and set the delay counter 32. The decrement delay counter command is used by the ACP 10 to decrement by one the contents of the delay counter 32. The read allow memory bank and read disable memory bank commands are used by the ACP 10 to enable or disable access to the different memory blocks of memory array 54 during loading of the access control memory 43.
Table 1

| Command | First bus cycle: operation | Address | Data | Second bus cycle: operation | Address | Data |
|---|---|---|---|---|---|---|
| Load Lock Memory | Write | - | 31H | Write | - | - |
| Reset Lock Storage Enable | Write | - | 33H | N/A | N/A | N/A |
| Load Key Register | Write | - | 32H | Write | - | Key Data |
| Decrement Delay Counter | Write | - | 35H | N/A | N/A | N/A |
| Read-Allow Memory Bank | Write | MBA | 34H | Write | MBA | 34H |
| Read-Disable Memory Bank | Write | MBA | 38H | Write | MBA | 38H |

(MBA = memory bank address; "-" marks a cell that is not legible in the source.)
Load Lock Memory (31H): This command copies the contents of the key register 31 into the non-volatile lock memory 35 if and only if the lock storage enable 36 output signal is TRUE.
Reset Lock Storage Enable (33H): This command resets the lock storage enable logic element 36, thus inhibiting loading or changing the lock storage memory 35.
Load Key Register (32H): This command shifts the prior contents of the key register 31 one byte (LSB toward MSB) and loads "Key Value" from ACP 10 into the key register LSB. Further, it sets the Delay Counter 32 to its maximum value, e.g., all ONES.
Decrement Delay Counter (35H): This command decrements the delay counter 32 by ONE. The delay counter must equal ZERO to allow subsequent reading of the memory array 54.
Read-Allow Memory Bank (34H): This command sets the bit corresponding to the memory bank address (MBA) in the access control memory 43 if and only if the access modification allowed signal 37 is TRUE. This allows read access to the selected bank.
Read-Disable Memory Bank (38H): This command resets the bit corresponding to the memory bank address in the access control memory 43.
Considering Table 1 in greater detail, it is seen that Table 1 also shows the bus cycle operations for each of the added commands. For each command requiring two bus cycles, during each first bus cycle the command register 50 receives an 8-bit command generated by ACP 10, sent via the data bus 105a of bus 105 and an input buffer 51. Command register 50 conditions the selected logic element to receive from data bus 105b the information required to execute the command during a second bus cycle. As indicated, the second bus cycle is designated not applicable (N/A) since the reset lock storage enable and decrement delay counter commands need only one cycle for execution.
During normal operation, the key register 31 is loaded with the key value received from memory locations 10-2b by a load key register command and delay counter 32 is set to its maximum value. Delay counter 32 is decremented to all ZEROS in response to successive decrement delay counter commands received from the ACP 10 and generates a zero count output signal 41 which is applied as an input to AND 34.
Each delay counter 32 limits the number of tries or attempts which can be made to access the flash memories 103a through 103n in the case where a thief removes the chips and places them upon the "outlaw card" and uses a processor or computer to repeatedly try to guess each memory chip's key. Stated differently, counter 32 ensures that a significant number of tries or attempts must be made in order to gain illegal access to the flash memories. The key and delay counter sizes are selected to require such testing to take an unreasonable amount of time.
More specifically, the Key Register 31 stores approximately 4 billion (2^32) different combinations. In the preferred embodiment, the delay counter 32 is a twelve-bit counter. Assuming the delay counter 32 is decremented once each microsecond, it will require 2^12 microseconds or 4 milliseconds per attempt at guessing the key value. The ACP 10, knowing the correct key value, incurs only a four millisecond delay in the initial setup. Random attempts to guess the key value will require 2^31 tries for a 50% chance of success. This would require 2^31 x 2^12 microseconds or 102 days to guess the key value. This time is sufficient to deter most thieves. Of course, a longer or shorter time could be provided by modifying the sizes of the key and delay counter 32.
In the case where the memory card of the present invention is stolen and is put into an "outlaw host," the ACP 10 limits the number of tries by the thief to guess the PIN by known techniques. Such techniques may include locking access or destroying data if a threshold of incorrect guesses is exceeded.
During an initial authentication operation for flash memory 103a, a key value is loaded into the 32 bit K register 31 in response to four successive load key register commands (i.e., data bus 105b is a byte wide bus). Delay counter 32 is forced to its maximum count (ALL ONES) and decremented by the ACP 10 sending decrement delay counter commands on successive first bus cycles. When the delay counter 32 is decremented to ZERO, it generates the zero count signal 41 which is applied to one input of AND gate 34.
If the key value stored in the K register 31 equals the lock value stored in the corresponding L register 33, indicating that the user provided the proper identification to the host processor 5, then compare logic 39 applies an equals compare signal 42 to another input of AND gate 34. This causes AND gate 34 to generate an access modification allowed signal 37 at its output, which enables writing to access control memory 43 under the control of ACP 10. This, in turn, subsequently allows the reading of memory array 54.
The access control memory 43 contains volatile storage of one bit for each block/bank of the memory array 54. These bits are cleared to ZERO as part of the flash memory's power up sequence. In order for data to be read from the memory 103a, the bit corresponding to the addressed memory block must be at logical ONE. These bits are set by the ACP 10 issuing read-allow memory bank commands if and only if the access modification allowed signal 37 is TRUE.
As shown in Table 1, during the second bus cycle of the read-allow memory bank command, the three (3) high order address bits of the selected memory bank of memory array 54 are sent over address bus 105c as well as a repeat of the hexadecimal command identifier being sent over the data bus 105a to command register 50. This results in a ONE being written into the addressed bit location in access control memory 43. In the preferred embodiment, the read-allow memory bank command sequence is repeated eight times since the memory array 54 is organized into eight banks of 16K bytes each. The ACP 10 may restrict access to selected banks by issuing a sequence of read-disable memory bank commands in a similar manner.
The output of the access control memory 43 of the present invention is applied as an enabling input to output buffer 52 during each flash memory read cycle when the contents of a location of any bank of memory array 54 is being read out. That is, a read cycle may occur; however, the data read out is inhibited from passing through output buffer 52 in the absence of the appropriate bank's access control memory gating signal.
More specifically, in the case of the preferred embodiment, access control memory 43 includes eight individually addressable bit storage elements, an input address 3 to 8-bit decoder connected to the input of each storage element and a 1 to 8 output multiplexer circuit connected to the output of each storage element. The three high order address bits of each address are decoded and used to select the storage element for the block whose contents are to be changed. Similarly, the same three bits are used to select the output of the storage element for the block containing the flash memory location being read.
If the lock memory 35 is fully erased, i.e., at ALL ONES as indicated by the contents of the L register 33 being at all ONES, then the output buffer 52 is always enabled. That is, when lock register 33 contains ALL ONES, this generates a signal from ALL ONES detector element 38 to the OR gate 45 to enable the output buffer 52. This effectively places flash memory 103a in non-secure mode. This allows all of the security logic circuits of the present invention to be bypassed. Hence, the same flash memory chip can be used for both secure and non-secure applications, thus resulting in production economies.
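The security access control section just described (Table 1 commands, the key-loading and delay-counter sequence, the access control memory gating the output buffer, the one-way lock storage enable, and the all-ONES non-secure mode), together with the brute-force cost arithmetic given earlier, can be checked end to end with a software model. The following Python is an added example written for this page, not code from the patent or from Bull; register widths, command codes and the eight 16 KB banks are taken from the description, while the class and function names, the sample array contents and the lock value are this example's own.

```python
from typing import Optional

# Widths and layout from the description: 32-bit key/lock registers, 12-bit delay
# counter, memory array 54 as eight 16 KB banks selected by the three high-order
# address bits (A14-A16).
KEY_BITS, DELAY_BITS, BANKS, BANK_SIZE = 32, 12, 8, 16 * 1024
KEY_MASK = (1 << KEY_BITS) - 1           # also the erased (all ONES) lock value

# Command codes written to command register 50 (Table 1)
LOAD_LOCK_MEMORY, LOAD_KEY_REGISTER, RESET_LOCK_STORAGE_ENABLE = 0x31, 0x32, 0x33
READ_ALLOW_MEMORY_BANK, DECREMENT_DELAY_COUNTER, READ_DISABLE_MEMORY_BANK = 0x34, 0x35, 0x38


class SecureFlashChip:
    """One flash memory 103a with the security control section of Figure 3."""

    def __init__(self, array: bytes) -> None:
        assert len(array) == BANKS * BANK_SIZE
        self.array = bytearray(array)        # memory array 54
        self.lock_memory = KEY_MASK          # non-volatile LM 35, erased to all ONES
        self.lock_storage_enable = True      # non-volatile element 36
        self.power_up()

    def power_up(self) -> None:
        """Power-up: LM 35 is copied into L register 33, volatile state is cleared."""
        self.lock_register = self.lock_memory
        self.key_register = 0                # K register 31
        self.delay_counter = 0               # delay counter 32
        self.access_control = [False] * BANKS   # access control memory 43, one bit per bank

    # Signals of the security section
    def zero_count(self) -> bool:                    # signal 41
        return self.delay_counter == 0

    def equals_compare(self) -> bool:                # signal 42 from comparator 39
        return self.key_register == self.lock_register

    def access_modification_allowed(self) -> bool:   # signal 37, AND gate 34
        return self.zero_count() and self.equals_compare()

    def all_ones_detected(self) -> bool:             # element 38: non-secure mode
        return self.lock_register == KEY_MASK

    def command(self, code: int, data: int = 0, mba: int = 0) -> None:
        """Execute one Table 1 command (second-cycle data/MBA passed as arguments)."""
        if code == LOAD_LOCK_MEMORY:
            if self.lock_storage_enable:             # only while element 36 is set
                self.lock_memory = self.key_register
        elif code == RESET_LOCK_STORAGE_ENABLE:
            self.lock_storage_enable = False         # one-way: cannot be set again
        elif code == LOAD_KEY_REGISTER:
            # Shift prior contents one byte (LSB toward MSB), load the new byte
            # into the LSB, and force the delay counter to its maximum (all ONES).
            self.key_register = ((self.key_register << 8) | (data & 0xFF)) & KEY_MASK
            self.delay_counter = (1 << DELAY_BITS) - 1
        elif code == DECREMENT_DELAY_COUNTER:
            self.delay_counter = max(0, self.delay_counter - 1)
        elif code == READ_ALLOW_MEMORY_BANK:
            if self.access_modification_allowed():
                self.access_control[mba] = True
        elif code == READ_DISABLE_MEMORY_BANK:
            self.access_control[mba] = False
        else:
            raise ValueError(f"unknown command {code:#x}")

    def read(self, address: int) -> Optional[int]:
        """Read cycle: the byte passes output buffer 52 only if the bank's access
        control bit is set or the chip is in non-secure mode (OR gate 45)."""
        bank = address >> 14                         # three high-order address bits
        if self.access_control[bank] or self.all_ones_detected():
            return self.array[address]
        return None


def provision(chip: SecureFlashChip, lock_value: int) -> None:
    """One-time personalization by the ACP: load the lock value through the key
    register, copy it into LM 35, then reset element 36 so LM 35 can never change."""
    for byte in lock_value.to_bytes(KEY_BITS // 8, "big"):
        chip.command(LOAD_KEY_REGISTER, data=byte)
    chip.command(LOAD_LOCK_MEMORY)
    chip.command(RESET_LOCK_STORAGE_ENABLE)
    chip.power_up()                                  # L register 33 now holds the lock value


def acp_unlock(chip: SecureFlashChip, key: int, banks=range(BANKS)) -> bool:
    """ACP 10 unlock sequence: four load-key commands (MSB first), run the delay
    counter down to zero, then read-allow the configured banks."""
    for byte in key.to_bytes(KEY_BITS // 8, "big"):
        chip.command(LOAD_KEY_REGISTER, data=byte)
    while not chip.zero_count():
        chip.command(DECREMENT_DELAY_COUNTER)
    for bank in banks:
        chip.command(READ_ALLOW_MEMORY_BANK, mba=bank)
    return chip.access_modification_allowed()


def guess_time_days(key_bits: int = KEY_BITS, delay_bits: int = DELAY_BITS, tick_us: float = 1.0) -> float:
    """Brute-force cost from the text: 2^(key_bits-1) tries for a 50% chance, each
    paying 2^delay_bits counter ticks (one tick per microsecond by default)."""
    return 2 ** (key_bits - 1) * 2 ** delay_bits * tick_us / (86_400 * 1_000_000)
```

Two behaviours worth observing in the model: a read-allow command issued before the delay counter has run down is silently ignored, which is what makes each key guess cost 2^12 ticks; and once `RESET_LOCK_STORAGE_ENABLE` has been issued, a later `LOAD_LOCK_MEMORY` leaves LM 35 untouched, so an erased (all ONES) chip is the only one that ever runs in non-secure mode.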
Flash Memory Basic Logic Circuits
As shown in Figure 3, such circuits include a memory array 54, a command register 50, input/output logic circuits 60, an address latch 56, a write state machine 61, erase voltage system 62, an output multiplexer 53, a data register 55, input buffer 51, output buffer 52 and a status register 58, as shown.
The basic logic circuits of flash memory 103a as discussed above take the form of the type of circuits included in the flash memory designated as 28F001BX manufactured by Intel Corporation. Since such circuits are conventional, they will only be described to the extent necessary. For further information regarding such circuits, reference may be made to pages 3-109 through 3-134 of the publication entitled, "Memory Products," Order Number 210830, published by Intel Corporation, dated 1992. As shown in Figure 3, the flash memory basic circuits receive a number of input signals (A0-A16), address, data signals (DQ0-DQ7) and control signals (CE, WE, OE, PWD and VPP). These signals are described below in Table 2.
Table 2. Signal Descriptions

Symbol   Name and Function
A0-A16   ADDRESS INPUTS for memory addresses. Addresses are internally latched during a write cycle.
DQ0-DQ7  DATA INPUTS/OUTPUTS: Inputs data and commands during memory write cycles; outputs data during memory and status read cycles. The data pins are active high and float to tri-state off when the chip is deselected or the outputs are disabled. Data is internally latched during a write cycle.
CE       CHIP ENABLE: Activates the device's control logic, input buffers, decoders and sense amplifiers. CE is active low; CE high deselects the memory device and reduces power consumption to standby levels.
PWD      POWERDOWN: Puts the device in deep powerdown mode. PWD is active low; PWD high gates normal operation. PWD=VHH allows programming of the memory blocks. PWD also locks out erase or write operations when active low, providing data protection during power transitions.
OE       OUTPUT ENABLE: Gates the device's outputs through the data buffers during a read cycle. OE is active low.
WE       WRITE ENABLE: Controls writes to the command register and array blocks. WE is active low. Addresses and data are latched on the rising edge of the WE pulse.
VPP      ERASE/PROGRAM POWER SUPPLY for erasing blocks of the array or programming bytes of each block. Note: With VPP at or below VPPL max, memory contents cannot be altered.
As shown in Table 2, the Chip Enable (CE), Write Enable (WE) and Output Enable (OE) signals are applied to command register 50 and I/O logic 60 from host processor 5, via bus 102 and control bus 105b, and are dispersed to control specified logic blocks. A powerdown (PWD) signal is also applied to command register 50 for enabling the flash memory to perform the operations specified in Table 2. This signal can be used to clear the volatile storage elements of the flash memory's security control section as desired, thereby enforcing user authentication when normal operation is again resumed.
Generally, the basic logic circuits of the flash memory operate in the following manner. Information is stored in memory array 54 via data bus 105a, input buffer 51 and data register 55 at an addressed location of one of the memory blocks specified by the address received by address latch 56 from address bus 105c.
Information is read from a selected address location of a bank of memory array 54 and is sent to host processor 5 via an output multiplexer 53, output buffer 52, data bus 105a and bus 102. Status register 58 is used for storing the status of the write state machine, the erase suspend status, the erase status, the program status and the Vpp status.
The write state machine 61 controls the block erase and program algorithms. The program/erase voltage system 62 is used for erasing blocks of the memory array 54 or programming bytes of each block as a function of the level of Vpp (i.e., when Vpp is at a high level programming can take place; if Vpp is at a low level, memory array 54 functions as a read only memory).
DESCRIPTION OF OPERATION
The operation of the secure memory card of the present invention will now be described with particular reference to the flow diagrams of Figures 4 and 5.
Before describing such operations in detail, the steps involved in the fabrication, customization and operation of the memory card will first be described.
As a first step, at card fabrication, the ACP 10 sets the lock value for each of the memory chips on the memory card. It does this by loading the key value into the lock memory of Figure 3. These values are stored in the ACP's protected non-volatile memory 10-2 (i.e., keys 1-n in Figure 2). The lock storage enable elements 36 are then set to ZEROs to inhibit further changing or reading of lock memory contents. As these elements are nonvolatile, they cannot be changed unless the entire flash memory chip is cleared.
As a second step, at application customization, since writing is not affected by the protection functionality, the memory card can then be loaded with its data or software application. The ACP 10 is then loaded with information pertaining to the memory's bank structure and the degrees of protection which are to be applied to each memory bank.
As a third step, at user customization, the user establishes parameters for the frequency and mode of authentication and the specific data required (e.g., personal identification numbers (PINs)). This information is stored in the ACP's memory.
As a fourth step, at power on, the "key register", "access modification allowed" signal and "access control memory" are initialized so as to inhibit access to data or writing to access control memory 43. The first authentication dialog is initiated.
As a fifth step, at the first authentication dialog, the ACP 10, using the services of its host processor 5, prompts the user and receives authentication information. If authentication is unsuccessful, no operation is performed; if successful, the key register of each memory chip is loaded with the value stored in the ACP's memory. During this operation, the delay counter 32 is used to inhibit chip operation for a period of time following loading to make random tries an unproductive process. Loading of the key registers causes the "access modification allowed" signal to be true in each chip. The ACP 10 then establishes access by loading the access control memories according to the stored configuration information.
As a sixth step, at each subsequent authentication dialog, periodically, according to the user's configuration, the ACP 10 prompts an additional user authentication (re-authentication). In the event of failure, the ACP 10 forces all memory chips to their power on states, thus inhibiting any access to the memories' data by clearing the access control memory 43 and clearing the contents of the key register 31. Now, the operation of the system of Figure 1 will be described with reference to Figures 4 and 5.
First Operations of the Day
Figure 4 shows in block diagram form the various modes of operation. Blocks 402 and 401 show the two startup conditions. In block 402, the user inserts the memory card 3 in the previously powered up host processor 5. In block 401, the user powers up host processor 5 with memory card 3 already installed.
In either of the above startup operations, during block 402, the ACP 10 and its interfaces are initialized in a conventional manner, and block 403 clears all of the 'n' K registers 31 and the 'n' access control memories 43 as part of the flash memories 103a through 103n internal initialization sequence. This prevents any data from being read out of memories 103a through 103n since output buffer 52, in each memory, is disabled. The lock value is loaded into the 'n' L registers 33 from the non-volatile lock memories 35 as a result of power on.
Now in block 404, ACP 10 sends an interrupt signal to host processor 5 which responds by requesting the PIN or other identifying information from the user. In block 405, ACP 10, by means of the program stored in memory locations 10-2a, checks that the PIN or other identifying information matches the information stored in memory locations 10-2a. If no match, then decision block 406 counts an error and ACP 10 branches to block 404 to repeat the test. If the test fails a preset number of times, then decision block 406 branches to block 407 to cause ACP 10 to either lock up or destroy the contents of the memories 103a through 103n.
First User Authentication Successful
If in decision block 406 there is a match indicating a successful authentication, then in block 408 the ACP 10, via a load key register command, loads each K register 31 from memory locations 10-2b with the appropriate key value. Also, block 409 repeatedly decrements the contents of delay counter 32 by issuing successive decrement delay counter commands, driving the delay counter toward a binary zero count which causes the generation of the zero count signal 41 in Figure 3.
In block 410, each access control memory 43 location is loaded with information by means of the read-allow memory bank command to allow access to the selected banks of the corresponding flash memory 103a through 103n.
Intermittent Re-authentication
In block 411, the ACP 10 awaits the end of the preset time interval established by information stored in memory locations 10-2a, signalled by interval counter 10-8, before requesting user re-authentication. Then, in block 412, the ACP 10 interrupts the host processor 5 to request the user to re-enter the PIN or other required identification.
Decision block 413 checks the PIN or other information received from the host processor 5 against the information stored in memory locations 10-2a, and the interval timer 10-8 output is restarted. The user has a preset time interval of typically 30 seconds in which to enter the authentication information into host processor 5. While the clock is running, if the decision block 413 test fails, then block 414 records the test as an error. At that time, it checks if a maximum number of errors was received and branches to repeat blocks 412 and 413. If the number of errors equals the maximum number, then in block 415, ACP 10 clears the flash memory K register 31 by means of successive load key register commands and clears the access control memories 43 with successive read-disable memory bank commands. Block 415 then branches to block 404 to allow a new "First Authentication" operation to take place.
If the test in decision block 413 is successful, the K register 31 remains unchanged (i.e., contains the key value previously loaded by the ACP), enabling the user to continue to operate the system 1. In the event that the 30 seconds elapsed without decision block 413 receiving the PIN or other information, the ACP 10 clears the K register 31 and the access control memory 43 as before.
Figure 5 is a flow diagram which illustrates how host processor 5 responds to an interrupt request from ACP 10 for authentication in response to blocks 404 and 412 of Figure 4. As shown, decision block 501 is waiting for an interrupt from the ACP 10 requesting that the user re-enter the PIN or other information.
Decision block 501 branches to block 502 when it receives the interrupt from blocks 404 or 412. Block 502 displays the request for the PIN or other information on host display 5-2. Block 503 accepts the information from the keyboard and block 504 interrupts ACP 10. Block 505 sends the PIN to ACP 10.
It will be appreciated by those skilled in the art that many changes may be made to the preferred embodiment of the present invention without departing from its teachings. For example, the invention may be used with different types of non-volatile memories and different interfaces, etc.
While in accordance with the provisions and statutes there has been illustrated and described the best form of the invention, certain changes may be made without departing from the spirit of the invention as set forth in the appended claims, and in some cases certain features of the invention may be used to advantage without a corresponding use of other features.
What is claimed is:
A SECURE MEMORY CARD
BACKGROUND OF THE INVENTION
Technical Field
This invention relates to the field of portable personal computers and more particularly to maintaining systems for data security in a portable digital information environment.
Description of the Prior Art
The security of personal information has forever been a concern. It has been ensured by locks, codes and secret pockets. As information has taken new forms, new methods have been required to meet the changed situations.
Historically, security of information has been addressed by use of signatures, credentials and photographs. Electronic devices such as automatic banking machines have added encoded cards and personal identification numbers (PINs) to the repertoire of security tools. Computer systems continue to use passwords. More recently the "Smart Card" has been used as a security tool. The "Smart Card" is a small microcomputer with writable, non-volatile memory and a simple input/output interface, fabricated as a single chip and embedded in a plastic "credit card". It has exterior pads to allow it to be connected to specially designed equipment. The program contained in the card's microcomputer interacts with this equipment and allows its nonvolatile memory data to be read or modified according to the desired algorithm, which may optionally include a password exchange. Special techniques have been implemented to protect the memory information and to allow varied permissions according to the situation.
For example, U.S. Patent No. 4,382,279 entitled, "Single Chip Microprocessor with On-Chip Modifiable Memory," discloses an architecture which permits automatic programming of a non-volatile memory which is included on the same chip as a processing and control unit. As in other systems, the microprocessor only protects memory on the same chip.
The "Smart Card" has been used both to facilitate the process of identification and to be the actual site of the valued information. In this situation, as in most past situations, physical presence of a "key" as well as some special knowledge has been used as part of the verification or authentication process. In such cases, identification has been a dialog between the person desiring access and a fixed agency such as a security guard or an automatic teller machine.
The current state of portability of freestanding computing devices makes it possible for both the physical key and the authentication agent to be small, portable and hence more subject to loss or theft.
Further, computing devices make it possible to perform repeated attempts to guess or deduce the special knowledge or passwords associated with the identification process. This is especially true if the authentication agent or device is also in the control of the thief or burglar. To make matters worse, technology now allows and encourages the carrying of large amounts of sensitive information in a pocket or handbag where it is subject to mishap.
Today, notebook and subnotebook sized computers provide a capable freestanding environment which allows for significant computing power and thus creates a need for additional data storage capability. This has initially been met by miniature hard disk devices which hold both programs and data. While password protection is often used in these systems, it does not completely protect sensitive data because, first, the authentication agent is itself vulnerable. More significantly, however, the disk drive containing the data can be physically removed and accessed in a setting more conducive to data analysis. In this case, only some form of encryption is capable of protecting the data.
The nature of disk access makes this possible without undue performance or cost barriers. An example of this type of system is described in U.S. Patent No. 4,985,920 entitled, "Integrated Circuit Card."
The recent emergence of the flash memory and removable "memory cards" has allowed major reductions in the size and power requirements of the portable computer.
The flash memory combines the flexibility of random access memory (RAM) with the permanence of disks.
Today, the coupling of these technologies allows up to 20 million bytes of data to be contained, without need of power, in a credit card size, removable package.
This data can be made to appear to a host system either as if it were contained in a conventional disk drive or as if it were an expansion of the host's memory. These technological developments have made further reduction in system size possible to the extent that it may be carried in a pocket rather than in a handbag or briefcase.
Thus, the data and its host system have become more vulnerable to loss or theft, and at the same time it has become more difficult to protect memory data by encryption, as this presents major cost and performance barriers.
Accordingly, it is a primary object of the invention to provide a portable digital system with a secure memory card.
It is another object of the invention to provide a memory card which can be protected if removed from a portable digital system.
It is still a further object of the present invention to provide a memory card in which the chips of the card are protected if removed from such card.
SUMMARY OF THE INVENTION
The above objects are achieved in the secure card of a preferred embodiment of the present invention. The secure memory card includes a microprocessor on a single chip and one or more non-volatile addressable memory chips. The microprocessor chip and nonvolatile memory chips connect in common to an internal card bus for transmitting address, data and control information to such non-volatile memory chips.
The microprocessor includes an addressable non-volatile memory for storing information including a number of key values, configuration information and program instruction information for controlling the transfer of address, data and control information on the internal bus. The chip memory is organized into a number of blocks or banks, each block having a plurality of addressable locations.
According to the present invention, each memory chip is constructed to include security control logic circuits. In the preferred embodiment, these circuits include a non-volatile lock memory, a non-volatile lock storage enable element and a volatile access control memory, each being loadable under the control of the microprocessor. More specifically, the microprocessor first loads a lock value into the non-volatile lock memory and resets the lock storage enable element, thereby inhibiting access. Thereafter, the microprocessor loads the access control memory as specified by the configuration information. Such information is loaded only after the microprocessor has determined that the user has successfully performed a predetermined authentication procedure with a host computer. The security logic circuits of each memory enable the reading of information stored in selected addressed blocks of the flash memory as a function of the configuration information loaded into the memory chip's access control memory. Periodically, the user is required to successfully perform an authentication procedure with the host computer, and the user is allowed to continue reading information as allowed by the access control memory. In the preferred embodiment, the host computer is coupled to the memory card through a standard interface such as the interface which conforms to the Personal Computer Memory Card International Association (PCMCIA) standard.
The present invention melds the "Smart Card" and "memory card" technologies, which is key to allowing the protection of the large amounts of data made possible by the flash memory technology in the "security harsh" environment which electronic miniaturization has created. Further, the present invention is able to take advantage of improvements and advances in both technologies.
Additionally, the security logic circuits of the present invention are incorporated into and operate in conjunction with the flash memory in a way that minimizes the amount of changes required to be made to the basic logic circuits of the flash memory. More specifically, the flash memory can be operated in a secure mode and in a non-secure mode wherein the security logic circuits are bypassed, enabling the flash memory to operate as if such circuits had not been installed. The non-secure mode is normally entered when the contents of the flash memory's non-volatile lock memory are cleared. This is generally indicative of an unprogrammed or fully erased flash memory which naturally erases to a predetermined state (i.e. an all ONES state).
With the addition of a small amount of logic to the flash memory and an "Access Control Processor" (ACP), the contents of the flash memory are made secure without requiring data encryption. Therefore, the invention eliminates the overhead of encrypting and decrypting data, which can be quite time-consuming for large blocks of data.
In operation, the ACP periodically prompts the user of the system for entry of some form of authentication. This may be a password, a PIN, a specific pen "gesture" performed at a specific point on the writing surface, a spoken command or a "voiceprint" of the user.
The method varies with the system. The programmable ACP allows the user to alter the specific content of the authentication and the frequency of prompting. The code for authentication and the data required by the lock and access control memories are stored within the ACP's non-volatile memory which is on the same chip as the ACP and, hence, are protected.
As mentioned, a successful authentication causes the ACP to enable, or continue to enable, all or selected blocks of the flash memory for access. Failure causes access to the flash memory to be disabled. Thus, the operation is similar to a "dead man throttle" in that any failure to successfully complete authentication will cause the flash memory's data to be protected. In addition, a command initiated by the user can also cause access to be disabled. Further, upon first application of power from a powered off condition, access is blocked to protected memory blocks until the first authentication is successfully performed.
Thus, if either the memory card or its host processor is lost, stolen, powered off or left unattended, the memory's data is protected from access, either immediately or as soon as the current periodic authentication expires. In the event of theft, the memory data is protected from access even if the memory card is opened and probed electronically or the memory chips are removed and placed in another device.
The above objects and advantages of the present invention will be better understood from the following description when taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows an overall block diagram of a system which incorporates the memory card constructed according to the present invention.
Figure 2 shows in greater detail the access control processor (ACP) of Figure 1, including a layout of its non-volatile memory.
Figure 3 shows a detailed block diagram of a standard flash memory of Figure 1 modified according to the present invention.
Figures 4 and 5 are flow charts used to explain the operation of the memory card of the present invention in carrying out various authentication procedures.
DESCRIPTION OF THE PREFERRED EMBODIMENT
Figure 1 is a block diagram of a secure portable hand-held computing system 1 usable as a personal computer or as a transaction processor. System 1 includes a memory card 3 constructed according to the present invention which connects to a host processor 5 by a bus 102. The host processor 5 may take the form of a palm top personal computer, such as the HP 95LX manufactured by Hewlett-Packard. The host processor 5 includes a liquid crystal display (LCD) 5-2, a keyboard 5-4, a microprocessor 5-6, a memory 5-8 and a serial interface 5-10, all coupled in common to a bus 106. The memory 5-8 includes a one megabyte read only memory (ROM) and a 512 Kbyte random access memory (RAM).
The connection between the memory card 3 and host processor 5 is established through a standard bus interface. In the preferred embodiment, the bus 102 conforms to the Personal Computer Memory Card International Association (PCMCIA) standard. The interface 102 provides a path for transferring address, control and data information between host processor 5 and the memory card system 3 via a standard interface chip 104 and a memory card bus 105. Each of the buses 102, 105 and 106 includes a data bus, a control bus and an address bus, and they provide continuous signal paths through all like buses. For example, bus 105 includes address bus 105a, data bus 105b, and control bus 105c.
The PCMCIA bus standard has evolved from a standard which supports disk emulation on memory cards to a substantially different standard which allows random access to memory data. The memory card of the present invention provides a protection technique which supports this new standard by providing rapid access to random memory locations without resort to encryption techniques. By controlling the data paths which carry the data from the memory array to the host, the memory card of the present invention protects the data without imposing any time-consuming buffering, decryption or other serial processing in this path.
Typically, a user operates system 1 from the keyboard 5-4 to perform the typical operations such as spreadsheet and database functions which display information on display 5-2 and update information stored in files in memory card 3. The host processor 5 sends address information over bus 102 to retrieve information and, if desired, updates the information and sends it, along with the necessary address and control information, back to memory card 3.
As shown in Figure 1, the memory card 3 of the present invention includes an access control processor (ACP) 10 coupled to bus 105 and a number (n) of CMOS flash memory chips 103a through 103n, each coupled to bus 105. ACP 10 is typically the same type of processing element as used in the "Smart Card". The CMOS flash memories 103a through 103n may take the form of flash memory chips manufactured by Intel Corporation.
For example, they may take the form of the Intel flash memory chip designated as Intel 28F001BX 1M, which includes eight 128 KBYTE x 8 CMOS flash memories. Thus, a 4-MBYTE flash memory card could include 32 CMOS flash memories, that is 'n' = 32.
ACCESS CONTROL PROCESSOR 10
Figure 2 shows in block diagram form the access control processor (ACP) 10 of the preferred embodiment.
As shown, ACP 10 includes a protected non-volatile memory 10-2, a random access memory (RAM) 10-4, a microprocessor 10-6, an interval counter 10-8 and an interface block 10-10 connected to bus 105. Non-volatile memory 10-2 includes a number of addressable locations in which to store authentication information and programs. More specifically, memory locations 10-2a store one or more personal identification numbers (PINs), protocols, or other identification information for verifying that the user has access to the system, and for identifying the blocks in flash memories 103a through 103n that the user may access, in addition to a time interval value used for re-authentication.
Memory locations 10-2b store the key values used for protecting each of the flash memories 103a through 103n or the codes used to protect the individual blocks of each of the flash memories 103a through 103n.
Memory locations 10-2c store the program instruction sequences for performing the required authentication operations and for clearing the system if the preset conditions for failure are met. Certain program instructions enable the user to control the setting of the interval counter 10-8 which establishes when user re-authentication takes place. The re-authentication interval defines the time between interruptions and for sending an interrupt to the host processor 5 requiring verification of the user's identity by having the user reenter the PIN or other password. The interval counter 10-8 receives clock pulses from the host processor 5 over bus 102 and can be set by the user according to the work environment. For example, at home, the user may turn the timer off (i.e., set it to a maximum value), or set the time interval to one hour. On an airplane the user may set it for ten minutes for increased protection. As described herein, the user is prompted to determine the setting of this interval at every "power on", thereby forcing periodic re-authentications to enforce security.
FLASH MEMORIES 103a through 103n
Figure 3 is a detailed block diagram of flash memories 103a through 103n. Only the detailed logic circuits of memory 103a are shown since memories 103b through 103n are constructed identically to memory 103a.
The flash memory 103a basically includes two sections, a section containing the security access control circuits of the present invention and another section containing the basic or standard logic circuits of the flash memory.
Security Access Control Section
As seen from Figure 3, the security control circuits of the present invention include a 32-bit key register 31, a 32-bit volatile lock register 33, a 12-bit delay counter 32, a comparator circuit 39, an all ONES detected signal circuit 38, a non-volatile lock memory 35, a one-bit non-volatile lock storage enable element 36, a volatile access control memory 43, an access modification allow AND gate 34 and an output OR gate 45, connected as shown. It will be noted that this section receives command control signals designated by various hexadecimal values (e.g. 31H through 38H) from a command register 50 included in the basic logic section. These signals indicate the different data values of the set of commands received by the command register 50 from the ACP 10 via data bus 105b. These commands are an important extension to the set of commands normally used by the flash memory. The standard flash memory commands take the form of the commands utilized by the 28F001BX flash memory. Those commands are described in the publication entitled, "Memory Products," published by Intel Corporation, referenced herein. The commands used by the present invention are described in Table 1.
Referring to Table 1, the first command shown is a load lock memory command which is used to initially load a random number generated lock value into non-volatile lock memory (LM) 35 in each memory 103a through 103n.
Each memory 103a through 103n may have a different lock value or the same lock value depending on the security needs of the users. The lock value is loaded into LM 35 through key (K) register 31 under control of the one bit, non-volatile storage element 36. The reset lock storage enable command of Table 1 is used to reset storage element 36. This prevents the lock value stored in LM 35 from being changed, since storage element 36, once reset by the reset lock storage enable command, cannot be set. The non-volatile contents of LM 35 are transferred to the L register 33 on power-up. It will be noted that the location or site of lock memory 35 is a design choice. For example, memory 35 could be implemented as an extension to memory array 54.
The load key register command of Table 1 is used to load the key register 31 and set the delay counter 32.
The decrement delay counter command is used by the ACP 10 to decrement by one the contents of the delay counter 32. The read allow memory bank and read disable memory bank commands are used by the ACP 10 to enable or disable access to the different memory blocks of memory array 54 during loading of the access control memory 43.
Table 1

Command                     First Bus Cycle              Second Bus Cycle
                            (Operation, Address, Data)   (Operation, Address, Data)
Load Lock Memory            Write, 31H                   Write, N/A
Reset Lock Storage Enable   Write, 33H                   N/A
Load Key Register           Write, 32H                   Write, Key Data
Decrement Delay Counter     Write, 35H                   N/A
Read-Allow Memory Bank      Write, MBA, 34H              Write, MBA
Read-Disable Memory Bank    Write, MBA, 38H              Write, MBA
Load Lock Memory (31H): This command copies the contents of the key register 31 into the non-volatile lock memory 35 if and only if the lock storage enable 36 output signal is TRUE.
Reset Lock Storage Enable (33H): This command resets the lock storage enable logic element 36, thus inhibiting loading or changing the lock storage memory 35.
Load Key Register (32H): This command shifts the prior contents of the key register 31 one byte (LSB toward MSB) and loads "Key Value" from ACP 10 into the key register LSB. Further, it sets the Delay Counter 32 to its maximum value, e.g., all ONES.
Decrement Delay Counter (35H): This command decrements the delay counter 32 by ONE. The delay counter must equal ZERO to allow subsequent reading of the memory array 54.
Read-Allow Memory Bank (34H): This command sets the bit corresponding to the memory bank address (MBA) in the access control memory 43 if and only if the access modification allowed signal 37 is TRUE. This allows read access to the selected bank.
Read-Disable Memory Bank (38H): This command resets the bit corresponding to the memory bank address in the access control memory 43.
Considering Table 1 in greater detail, it is seen that Table 1 also shows the bus cycle operations for each of the added commands. For each command requiring two bus cycles, during each first bus cycle, the command register 50 receives an 8-bit command generated by ACP 10, sent via the data bus 105a of bus 105 and an input buffer 51. Command register 50 conditions the selected logic element to receive from data bus 105b the information required to execute the command during a second bus cycle. As indicated, the second bus cycle is designated not applicable (N/A) since the reset lock storage enable and decrement delay counter commands need only one cycle for execution.
During normal operation, the key register 31 is loaded with the key value received from memory locations 10-2b by a load key register command and delay counter 32 is set to its maximum value. Delay counter 32 is decremented to all ZEROS in response to successive decrement delay counter commands received from the ACP 10 and generates a zero count output signal 41 which is applied as an input to AND 34.
Each delay counter 32 limits the number of tries or attempts which can be made to access the flash memories 103a through 103n in the case where a thief removes the chips, places them upon the "outlaw card" and uses a processor to repeatedly try to guess each memory chip's key. Stated differently, counter 32 ensures that a significant number of tries or attempts must be made in order to gain illegal access to the flash memories. The key and delay counter sizes are selected to require such testing to take an unreasonable amount of time.
More specifically, the Key Register 31 stores approximately 4 billion (2^32) different combinations.
In the preferred embodiment, the delay counter 32 is a twelve-bit counter. Assuming the delay counter 32 is decremented once each microsecond, it will require 2^12 or 4 milliseconds per attempt at guessing the key value.
The ACP 10, knowing the correct key value, incurs only a four millisecond delay in the initial setup. Random attempts to guess the key value will require 2^31 tries for a 50% chance of success. This would require 2^31 x 2^12 microseconds or 102 days to guess the key value.
This time is sufficient to deter most thieves. Of course, a longer or shorter time could be provided by modifying the sizes of the key and delay counter 32.
In the case where the memory card of the present invention is stolen and is put into an "outlaw host," the ACP 10 limits the number of tries by the thief to guess the PIN by known techniques. Such techniques may include locking access or destroying data if a threshold of incorrect guesses is exceeded.
During an initial authentication operation for flash memory 103a, a key value is loaded into the 32 bit K register 31 in response to four successive load key register commands (i.e., data bus 105b is a byte wide bus). Delay counter 32 is forced to its maximum count of (ALL ONE's) and decremented by the ACP 10 sending decrement delay counter commands on successive first bus cycles. When the delay counter 32 is decremented to ZERO, it generates the zero count signal 41 which is applied to one input of AND gate 34.
If the key value stored in the K register 31 equals the lock value stored in the corresponding L register 33, indicating that the user provided the proper identification to the host processor 5, then compare logic 39 applies an equals compare signal 42 to another input of AND gate 34. This causes AND gate 34 to generate an access modification allowed signal 37 at its output, which enables writing to access control memory 43 under the control of ACP 10. This, in turn, subsequently allows the reading of memory array 54.
The access control memory 43 contains volatile storage of one bit for each block/bank of the memory array 54. These bits are cleared to ZERO as part of the flash memory's power up sequence. In order for data to be read from the memory 103a, the bit corresponding to the addressed memory block must be at logical ONE. These bits are set by the ACP 10 issuing read-allow memory bank commands if and only if the access modification allowed signal 37 is TRUE.
As shown in Table 1, during the second bus cycle of the read-allow memory bank command, the three (3) high order address bits of the selected memory bank of memory array 54 are sent over address bus 105c, as well as a repeat of the hexadecimal command identifier being sent over the data bus 105a to command register 50. This results in a ONE being written into the addressed bit location in access control memory 43. In the preferred embodiment, the read-allow memory bank command sequence is repeated eight times since the memory array 54 is organized into eight banks of 16K bytes each. The ACP 10 may restrict access to selected banks by issuing a sequence of read-disable memory bank commands in a similar manner.
The output of the access control memory 43 of the present invention is applied as an enabling input to output buffer 52 during each flash memory read cycle when the contents of a location of any bank of memory array 54 is being read out. That is, a read cycle may occur; however, the data read out is inhibited from passing through output buffer 52 in the absence of the appropriate bank's access control memory gating signal.
More specifically, in the case of the preferred embodiment, access control memory 43 includes eight individually addressable bit storage elements, an input address 3 to 8-bit decoder connected to the input of each storage element and a 1 to 8 output multiplexer circuit connected to the output of each storage element. The three high order address bits of each address are decoded and used to select the storage element for the block whose contents are to be changed. Similarly, the same three bits are used to select the output of the storage element for the block containing the flash memory location being read.
If the lock memory 35 is fully erased, i.e., at ALL ONES as indicated by the contents of the L register 33 being at all ONES, then the output buffer 52 is always enabled. That is, when lock register 33 contains "ALL ONES," this generates a signal from ALL ONES detector element 38 to the OR gate 45 to enable the output buffer 52. This effectively places flash memory 103a in non-secure mode. This allows all of the security logic circuits of the present invention to be bypassed.
Hence, the same flash memory chip can be used for both secure and non-secure applications, thus resulting in production economies.
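The security control section and the Table 1 command sequences described above, as an added C model that is not part of the patent: flash_bus_write plays command register 50 receiving first and second bus cycles, flash_read plays output buffer 52 gated by the access control memory and the ALL ONES detector, and the acp_* functions issue the fabrication and block 408-410 sequences from the ACP side. Register widths, command codes and the eight 16K banks are the page's; the power-on value of the delay counter, the byte order in which the ACP sends the key and the use of A14-A16 as the bank address are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define NBANKS     8
#define BANK_SHIFT 14            /* eight 16K-byte banks: A14-A16 select the bank */
#define DELAY_MAX  0x0FFFu       /* twelve-bit delay counter 32 at all ONES */
#define ALL_ONES   0xFFFFFFFFu   /* erased lock memory: non-secure mode */

enum { CMD_LOAD_LOCK = 0x31, CMD_LOAD_KEY = 0x32, CMD_RESET_LSE = 0x33,
       CMD_READ_ALLOW = 0x34, CMD_DEC_DELAY = 0x35, CMD_READ_DISABLE = 0x38 };

typedef struct {
    uint32_t lock_memory;       /* LM 35, non-volatile */
    bool     lock_store_enable; /* element 36, non-volatile; reset is one-way */
    uint8_t  array[NBANKS << BANK_SHIFT]; /* memory array 54 */
    uint32_t lock_reg;          /* L register 33, loaded from LM at power-on */
    uint32_t key_reg;           /* K register 31 */
    uint16_t delay;             /* delay counter 32 */
    uint8_t  access_ctl;        /* access control memory 43: one bit per bank */
    uint8_t  pending;           /* command register 50: 0 = awaiting first cycle */
} flash_t;

/* Power-on (block 403): K and access control memory cleared, L loaded from LM.
 * Assumption: the delay counter rests at all ONES until a key is loaded. */
void flash_power_on(flash_t *c)
{
    c->lock_reg = c->lock_memory;
    c->key_reg = 0; c->access_ctl = 0; c->pending = 0;
    c->delay = DELAY_MAX;
}

/* A chip fresh from the fab: lock memory erased, element 36 still set. */
void flash_blank(flash_t *c) { c->lock_memory = ALL_ONES; c->lock_store_enable = true; flash_power_on(c); }

/* AND gate 34: zero count signal 41 AND equal compare signal 42 -> signal 37. */
bool access_modification_allowed(const flash_t *c) { return c->delay == 0 && c->key_reg == c->lock_reg; }

/* One write cycle to command register 50. The first cycle carries the command code on
 * the data bus; two-cycle commands take their operand on the second cycle (key byte on
 * the data bus, bank address MBA on A14-A16). */
void flash_bus_write(flash_t *c, uint32_t addr, uint8_t data)
{
    unsigned bank = (addr >> BANK_SHIFT) & (NBANKS - 1);
    if (c->pending == 0) {
        if (data == CMD_RESET_LSE) c->lock_store_enable = false;      /* one cycle */
        else if (data == CMD_DEC_DELAY) { if (c->delay) c->delay--; } /* one cycle */
        else if (data == CMD_LOAD_LOCK || data == CMD_LOAD_KEY ||
                 data == CMD_READ_ALLOW || data == CMD_READ_DISABLE) c->pending = data;
        return;                      /* anything else is an ordinary flash command */
    }
    switch (c->pending) {
    case CMD_LOAD_LOCK:              /* K -> LM only while element 36 is still set */
        if (c->lock_store_enable) c->lock_memory = c->key_reg; break;
    case CMD_LOAD_KEY:               /* shift LSB toward MSB; new byte enters at LSB */
        c->key_reg = (c->key_reg << 8) | data;
        c->delay = DELAY_MAX; break; /* every key byte restarts the delay */
    case CMD_READ_ALLOW:             /* gated by signal 37 */
        if (access_modification_allowed(c)) c->access_ctl |= (uint8_t)(1u << bank); break;
    default:                         /* CMD_READ_DISABLE is never gated */
        c->access_ctl &= (uint8_t)~(1u << bank);
    }
    c->pending = 0;
}

/* Read cycle: the cell is always read, but output buffer 52 passes the data only
 * when OR gate 45 is driven by the bank's access bit or by ALL ONES detector 38. */
bool flash_read(const flash_t *c, uint32_t addr, uint8_t *out)
{
    unsigned bank = (addr >> BANK_SHIFT) & (NBANKS - 1);
    if (c->lock_reg != ALL_ONES && !((c->access_ctl >> bank) & 1u)) return false;
    *out = c->array[addr];
    return true;
}

/* ACP side: four load key register commands, MSB first (assumption), so the
 * first byte sent ends up in the top byte of the 32-bit K register. */
void acp_load_key(flash_t *c, uint32_t key)
{
    for (int i = 3; i >= 0; i--) {
        flash_bus_write(c, 0, CMD_LOAD_KEY);
        flash_bus_write(c, 0, (uint8_t)(key >> (8 * i)));
    }
}

/* Card fabrication (first step): lock value in through K, copied to LM, then frozen. */
void acp_fabricate(flash_t *c, uint32_t lock_value)
{
    acp_load_key(c, lock_value);
    flash_bus_write(c, 0, CMD_LOAD_LOCK); flash_bus_write(c, 0, 0); /* 2nd cycle data unused */
    flash_bus_write(c, 0, CMD_RESET_LSE);
}

/* Blocks 408-410: load the key, run the delay counter down to zero, then one
 * two-cycle read-allow or read-disable command per bank (address bus carries MBA). */
void acp_open_banks(flash_t *c, uint32_t key, uint8_t allow_mask)
{
    acp_load_key(c, key);
    for (unsigned i = 0; i < DELAY_MAX; i++) flash_bus_write(c, 0, CMD_DEC_DELAY);
    for (uint32_t b = 0; b < NBANKS; b++) {
        uint8_t cmd = ((allow_mask >> b) & 1u) ? CMD_READ_ALLOW : CMD_READ_DISABLE;
        flash_bus_write(c, b << BANK_SHIFT, cmd);
        flash_bus_write(c, b << BANK_SHIFT, cmd);   /* command repeated on the second cycle */
    }
}
```

A wrong key or an unexpired delay counter leaves every read-allow command ignored, while the erased (all ONES) lock memory makes the chip readable without any authentication, exactly the non-secure mode described above.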
Flash Memory Basic Logic Circuits
As shown in Figure 3, such circuits include a memory array 54, a command register 50, input/output logic circuits 60, an address latch 56, a write state machine 61, erase voltage system 62, an output multiplexer 53, a data register 55, input buffer 51, output buffer 52 and a status register 58, as shown.
The basic logic circuits of flash memory 103a as discussed above take the form of the type of circuits included in the flash memory designated as 28F001BX manufactured by Intel Corporation. Since such circuits are conventional, they will only be described to the extent necessary. For further information regarding such circuits, reference may be made to pages 3-109 through 3-134 of the publication entitled "Memory Products," Order Number 210830, published by Intel Corporation, dated 1992. As shown in Figure 3, the flash memory basic circuits receive a number of input signals: address signals (A0-A16), data signals (D00-D07) and control signals (CE, WE, OE, PWD and VPP). These signals are described below in Table 2.
Table 2. Signal Descriptions

Symbol  Name and Function

A0-A16  ADDRESS INPUTS for memory addresses. Addresses are internally latched during a write cycle.

D00-D07  DATA INPUTS/OUTPUTS: Inputs data and commands during memory write cycles; outputs data during memory and status read cycles. The data pins are active high and float to tri-state off when the chip is deselected or the outputs are disabled. Data is internally latched during a write cycle.

CE  CHIP ENABLE: Activates the device's control logic, input buffers, decoders and sense amplifiers. CE is active low; CE high deselects the memory device and reduces power consumption to standby levels.

PWD  POWERDOWN: Puts the device in deep powerdown mode. PWD is active low; PWD high gates normal operation. PWD=VHH allows programming of the memory blocks. PWD also locks out erase or write operations when active low, providing data protection during power transitions.

OE  OUTPUT ENABLE: Gates the device's outputs through the data buffers during a read cycle. OE is active low.

WE  WRITE ENABLE: Controls writes to the command register and array blocks. WE is active low. Addresses and data are latched on the rising edge of the WE pulse.

Vpp  ERASE/PROGRAM POWER SUPPLY for erasing blocks of the array or programming bytes of each block. Note: With Vpp ≤ VppL max, memory contents cannot be altered.
As shown in Table 2, the Chip Enable (CE), Write Enable (WE) and Output Enable (OE) signals are applied to command register 50 and I/O logic 60 from host processor 5, via bus 102 and control bus 105b, and are dispersed to control specified logic blocks. A powerdown (PWD) signal is also applied to command register 50 for enabling the flash memory to perform the operations specified in Table 2. This signal can be used to clear the volatile storage elements of the flash memory's security control section as desired, thereby enforcing user authentication when normal operation is again resumed. Generally, the basic logic elements of the flash memory operate in the following manner. Information is stored in memory array 54 via data bus 105a, input buffer 51 and data register 55 at an addressed location of one of the memory blocks specified by the address received by an address logic 56 from address bus 105c.
Information is read from a selected address location of a bank of memory array 54 and is sent to host processor 5 via an output multiplexer 53, output buffer 52, data bus 105a and bus 102. Status register 58 is used for storing the status of the write state machine, the erase suspend status, the erase status, the program status and the Vpp status.
The write state machine 61 controls the block erase and program algorithms. The program/erase voltage system 62 is used for erasing blocks of the memory array 54 or programming bytes of each block as a function of the level of Vpp (i.e., when Vpp is at a high level programming can take place; if Vpp is at a low level, memory array 54 functions as a read only memory).
DESCRIPTION OF OPERATION
The operation of the secure memory card of the present invention will now be described with particular reference to the flow diagrams of Figures 4 and 5.
Before describing such operations in detail, the steps involved in the fabrication, customization and operation of the memory card will first be described.
As a first step, at card fabrication, the ACP 10 sets the lock value for each of the memory chips on the memory card. It does this by loading the key value into the lock memory of Figure 3. These values are stored in the ACP's protected non-volatile memory 10-2 (i.e., keys 1-n in Figure 2). The lock storage enable elements 36 are then set to ZEROs to inhibit further changing or reading of the lock memory elements. As these elements are nonvolatile, they cannot be changed unless the entire flash memory chip is cleared.
As a second step, at application customization, since writing is not affected by the protection functionality, the memory card can then be loaded with its data or software application. The ACP 10 is then loaded with information pertaining to the memory's bank structure and the degrees of protection which are to be applied to each memory bank.
As a third step, at user customization, the user establishes parameters for the frequency and mode of authentication and the specific data required (e.g., personal identification numbers (PINs)). This information is stored in the ACP's memory.
As a fourth step, at power on, the "key register", "access modification allowed" signal and "access control memory" are initialized so as to inhibit access to data or writing to access control memory 43. The first authentication dialog is initiated.
As a fifth step, at first authentication dialog, the ACP 10, using the services of its host processor 5, prompts the user and receives authentication information. If authentication is unsuccessful, no operation is allowed; if successful, the key register of each memory chip is loaded with the value stored in the ACP's memory. During this operation, the delay counter 32 is used to inhibit chip operation for a period of time following loading to make random tries an unproductive process. Loading of the key registers causes the "access modification allowed" signal to be true in each chip. The ACP 10 then establishes access by loading the access control memories according to the stored configuration information.
As a sixth step, at subsequent authentication dialog, periodically, according to the user's configuration, the ACP 10 prompts an additional user authentication (reauthentication). In the event of failure, the ACP 10 forces all memory chips to their power on states, thus inhibiting any access to the memories' data by clearing the access control memory 43 and clearing the contents of the key register 31. Now, the operation of the system of Figure 1 will be described with reference to Figures 4 and 5.
First Operations of the Day
Figure 4 shows in block diagram form the various modes of operation. Blocks 402 and 401 show the two startup conditions. In block 402, the user inserts the memory card 3 in the previously powered up host processor 5. In block 401, the user powers up host processor 5 with memory card 3 already installed.
In either of the above startup operations, during block 402, the ACP 10 and its interfaces are initialized in a conventional manner, and block 403 clears all of the 'n' K registers 31 and the 'n' access control memories 43 as part of the flash memories 103a through 103n internal initialization sequence. This prevents any data from being read out of memories 103a through 103n since output buffer 52, in each memory, is disabled. The lock value is loaded into the 'n' L registers 33 from the respective LMs 35 as a result of power on.
Now in block 404, ACP 10 sends an interrupt signal to host processor 5, which responds by requesting the PIN or other identifying information from the user. In block 405, ACP 10, by means of the program stored in memory locations 10-2a, checks that the PIN or other identifying information matches the information stored in memory locations 10-2a. If no match, then decision block 406 counts an error and ACP 10 branches to block 404 to repeat the test. If the test fails a preset number of times, then decision block 406 branches to block 407 to cause ACP 10 to either lock up or destroy the contents of the memories 103a through 103n.
First User Authentication Successful
If in decision block 406 there is a match indicating a successful authentication, then in block 408 the ACP 10 via a load key register command loads each K register 31 from memory locations 10-2b with the appropriate key value. Also, block 409 repeatedly decrements the contents of delay counter 32 by issuing successive decrement delay counter commands toward a binary zero count, which causes the generation of the zero count signal 41 in Figure 3.
In block 410, each access control memory 43 location is loaded with information by means of the read-allow memory bank command to allow access to the selected banks of the corresponding flash memory 103a through 103n.
Intermittent Re-authentication
In block 411, the ACP 10 awaits the end of the preset time interval established by information stored in memory locations 10-2a and signalled by interval counter 10-8 before requesting user re-authentication. Then, in block 412, the ACP 10 interrupts the host processor 5 to request the user to re-enter the PIN or other required identification.
Decision block 413 checks the PIN or other information received from the host processor 5 against the information stored in memory locations 10-2a, and the interval timer 10-8 output is recorded. The user has a preset time interval of typically 30 seconds in which to enter the authentication information into host processor 5. While the clock is running, if the decision block 413 test fails, then block 414 records the test as an error. At that time, it checks if a maximum number of errors was received and branches to repeat blocks 412 and 413.
If the number of errors equals the maximum number, then in block 415, ACP 10 clears the flash memory K register 31 by means of successive load key register commands and clears the access control memories 43 with successive read-disable memory bank commands. Block 415 then branches to block 404 to allow a new "First Authentication" operation to take place.
If the test in decision block 413 is successful, the K register 31 remains unchanged (i.e., contains the key value previously loaded by the ACP), enabling the user to continue to operate the system 1. In the event that the 30 seconds elapsed without decision block 413 receiving the PIN or other information, the ACP 10 clears the K register 31 and the access control memory 43 as before.
Figure 5 is a flow diagram which illustrates how host processor 5 responds to an interrupt request from ACP 10 for authentication in response to blocks 404 and 412 of Figure 4. As shown, decision block 501 is waiting for an interrupt from the ACP 10 requesting that the user re-enter the PIN or other information.
Decision block 501 branches to block 502 when it receives the interrupt from blocks 404 or 412. Block 502 displays the request for the PIN or other information on host display 5-2. Block 503 accepts the information from the keyboard and block 504 interrupts ACP 10. Block 505 sends the PIN to ACP 10.
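The ACP-side dialog of Figures 4 and 5 (blocks 404 through 415 and 501 through 505), as an added C state machine that is not the patent's own firmware: acp_pin_response plays blocks 405/406 and 413/414, and acp_tick plays interval counter 10-8 and the 30-second answer window of block 413. The 30-second window comes from the page; the retry limits, the re-authentication interval and the sample PIN are constructed values, and the chip-side effects of blocks 408-410 and 415 (loading K registers and access control memories, or clearing them) are reduced to a single chips_open flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed policy values: the page gives the 30-second window; retry limits and the
 * re-authentication interval are user configuration held in memory locations 10-2a. */
#define MAX_FIRST_ERRORS  3       /* blocks 406/407: lock up (or destroy) after this */
#define MAX_REAUTH_ERRORS 3       /* blocks 414/415: clear chips and restart after this */
#define REAUTH_INTERVAL_S 600     /* interval counter 10-8 */
#define ANSWER_WINDOW_S   30      /* decision block 413 timer */

typedef enum { ST_FIRST_AUTH, ST_OPEN, ST_REAUTH, ST_LOCKED } acp_state_t;

typedef struct {
    acp_state_t state;
    char pin[9];                  /* reference PIN from protected memory 10-2a */
    int errors;                   /* consecutive failures in the current dialog */
    uint32_t deadline;            /* seconds: next re-auth prompt, or end of the window */
    bool chips_open;              /* K registers loaded and access control memories set */
    bool host_prompted;           /* interrupt to the host (blocks 404/412) outstanding */
} acp_t;

static void chips_close(acp_t *a) { a->chips_open = false; }  /* blocks 403/415 */
static void chips_open(acp_t *a)  { a->chips_open = true;  }  /* blocks 408-410 */

/* Power-on (blocks 401-404): everything closed, first authentication requested. */
void acp_power_on(acp_t *a, const char *pin)
{
    memset(a, 0, sizeof *a);
    strncpy(a->pin, pin, sizeof a->pin - 1);
    a->state = ST_FIRST_AUTH;
    a->host_prompted = true;
}

/* Clock tick: fires the periodic re-auth prompt (block 411 -> 412) and enforces
 * the 30-second window; a lapsed window clears the chips like a failed dialog. */
void acp_tick(acp_t *a, uint32_t now)
{
    if (a->state == ST_OPEN && now >= a->deadline) {
        a->state = ST_REAUTH; a->errors = 0;
        a->deadline = now + ANSWER_WINDOW_S; a->host_prompted = true;
    } else if (a->state == ST_REAUTH && now >= a->deadline) {
        chips_close(a);
        a->state = ST_FIRST_AUTH; a->host_prompted = true;
    }
}

/* PIN received from the host (Figure 5, block 505). Returns true on success. */
bool acp_pin_response(acp_t *a, const char *pin, uint32_t now)
{
    acp_tick(a, now);                          /* a late answer is a lapsed window */
    if (a->state == ST_LOCKED) return false;
    a->host_prompted = false;
    if (strcmp(pin, a->pin) == 0) {            /* blocks 405/413: the page compares directly */
        if (!a->chips_open) chips_open(a);
        a->state = ST_OPEN; a->errors = 0;
        a->deadline = now + REAUTH_INTERVAL_S;
        return true;
    }
    a->errors++;
    if (a->state == ST_FIRST_AUTH) {
        if (a->errors >= MAX_FIRST_ERRORS) { a->state = ST_LOCKED; chips_close(a); }
        else a->host_prompted = true;                            /* block 406 -> 404 */
    } else {                                                     /* ST_REAUTH */
        if (a->errors >= MAX_REAUTH_ERRORS) {                    /* block 415 -> 404 */
            chips_close(a); a->state = ST_FIRST_AUTH; a->errors = 0;
        }
        a->host_prompted = true;
    }
    return false;
}
```

Note the asymmetry the page describes: exhausting the first-authentication retries is terminal (block 407), while exhausting the re-authentication retries only closes the chips and restarts at block 404.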
It will be appreciated by those skilled in the art that many changes may be made to the preferred embodiment of the present invention without departing from its teachings. For example, the invention may be used with different types of non-volatile memories and different interfaces, etc.
While in accordance with the provisions and statutes there has been illustrated and described the best form of the invention, certain changes may be made without departing from the spirit of the invention as set forth in the appended claims, and in some cases certain features of the invention may be used to advantage without a corresponding use of other features.
What is claimed is:
Claims (26)
1. A secure memory card for use with a host portable computer, said memory card comprising:
a microprocessor connected for transmitting and receiving address, data and control information to and from said host computer and said microprocessor including:
an addressable non-volatile memory for storing information including a number of key values and configuration information;
an internal bus connected to said microprocessor for transmitting address, data and control information defining memory operations to be performed by said card; and, at least one non-volatile addressable memory being connected to said internal bus in common with said microprocessor for receiving said address, data and control information, said memory including a non-volatile memory section and a security control section, said memory section containing a memory array organized into a number of blocks, each block having a plurality of addressable locations and control logic means for performing said memory operations and said security control section being connected to said internal bus, to said control logic means and to said memory array, said security control section including:
a number of non volatile and volatile storage devices for storing at least one of said key values and configuration information associated with said blocks; and, access control logic means connected to said control logic means and to said storage devices, said access control logic means enabling reading of information stored in addressed ones of said blocks of said memory array as specified by said configuration information only after said microprocessor has determined that a predetermined authentication procedure has been performed with said host computer and has enabled said access control logic means for allowing reading of said information from said memory array according to said configuration information.
2. The memory card of claim 1 wherein said microprocessor and said non-volatile memory are included on separate semiconductor chips.
3. The memory card of claim 1 wherein said card further includes interface circuit means coupling said card to said host computer and wherein said interface circuit means and said microprocessor are included on the same semiconductor chip.
4. The memory card of claim 1 wherein said non-volatile memory and said non-volatile storage devices are flash memories.
5. The memory card of claim 1 wherein one of said non-volatile storage devices is a lock memory for storing a lock value corresponding to said one key values and a second one of said non-volatile devices is a lock storage enable element which connects to said lock memory, said lock memory being initially loaded with said lock value and said lock storage enable element being switched to a state which inhibits modification of said lock value under control of said microprocessor.
6. The memory card of claim 2 wherein storage of said lock value and switching of said lock storage enable element takes place during initial fabrication of said memory card.
7. The memory card of claim 5 wherein one of said volatile storage devices is addressable access control memory having a plurality of locations corresponding in number to said number of blocks of said memory array for storing said configuration information, said access control memory being connected to said internal bus and to said access control logic means, said access control memory being loaded under control of said microprocessor only after said microprocessor has determined that said predetermined authentication procedure initially has been successfully performed with said host computer causing enabling of said access control memory by said access control logic means.
8. The memory card of claim 7 wherein said lock value loaded into said lock memory is all ONES and wherein said security control section further includes an all ONES detector circuit connected to said lock memory, said detector circuit in response to said lock value of all ONES generating a signal which effectively bypasses said security control section enabling said non-volatile memory to operate as if said security control section had not been included.
9. The memory card of claim 7 wherein performance of said predetermined authentication procedure initially takes place when said memory card is first connected to communicate with said host computer.
10. The memory card of claim 9 wherein said access control means includes a lock register connected to receive said lock value from said lock memory, a comparator circuit, a key register for storing a key value transferred to said key register by said microprocessor, a delay counter for storing a count defining a predetermined time interval and gating means connected to said access control memory, to said comparator and to said delay counter, said comparator circuit being connected to said lock and key registers and to said gating means and said gating means being connected to said delay counter for generating an access modification allowed signal in response to said comparator circuit signalling an identical comparison between said lock code value loaded into said lock register when said delay counter has signalled an end of said predetermined time interval, said access modification allow signal conditioning said access control memory for loading said configuration information.
11. The memory card of claim 10 wherein said control logic means includes for generating command signals in response to a predetermined set of commands used by said microprocessor controlling the operation of said security control section of each memory chip.
12. The memory card of claim 11 wherein said control logic means in response to a first one of said predetermined set of commands generated by said microprocessor, generates a first signal for loading said lock code value into said lock memory, said first one of said predetermined commands being generated during initial fabrication of said card.
13. The memory card of claim 12 wherein said control logic means in response to a second one of said predetermined set of commands generated by said microprocessor generates a second signal for switching said lock storage enable element to a predetermined state which inhibits said reading or said modification to said lock value stored in said lock memory.
14. The memory card of claim 12 wherein said control logic means in response to a third one of said predetermined set of commands generated by said microprocessor, generates a third signal for loading said key register with a predetermined one of said key values, said third one of said predetermined set of commands being generated by said microprocessor only after said microprocessor has determined that said predetermined authentication procedure has been successfully performed.
15. The memory card of claim 14 wherein said third signal generated by said control logic means simultaneously forces said delay counter to a predetermined count for establishing a start of said predetermined time interval and wherein said control logic means in response to each fourth one of said predetermined set of commands generated by said microprocessor decrements by one, said predetermined count, said delay counter signaling said end of said time interval following execution of a predetermined number of said fourth ones of said set of predetermined commands.
16. The memory card of claim 11 wherein said control logic means in response to a number of fifth and sixth ones of said predetermined set of commands by said microprocessor, generates fifth and sixth signals for setting and resetting locations in said access control memory according to said configuration information for defining which ones of said blocks from which information is allowed to be read out.
17. A secure memory card installable in a host portable computer for establishing communication with said host computer, said memory card comprising:
a microprocessor contained on a single semiconductor chip, said microprocessor being connected for transmitting and receiving address, data and control information to and from said host computer and said microprocessor including:
an addressable non-volatile memory for storing information including a number of key values defining user accessibility to memory areas, and memory configuration information defining memory read out accessibility to said memory areas;
an internal bus for transmitting address, data and control information defining memory operations to be performed by said card; and, at least one non-volatile addressable memory chip being connected to said internal bus in common with said microprocessor for receiving said address, data and control information, said memory chip including a memory section and a security section, said memory section containing a non-volatile memory array having a data output and being organized into a number of blocks, each having a plurality of addressable locations and control logic means for performing said memory operations, said security section being connected to said internal bus, to said control logic means and to said data output and said security section including:
a non-volatile lock memory coupled to said internal bus for initially receiving and permanently storing a predetermined lock value which matches one of said number of key values;
access control logic means connected to said control logic means and to said lock memory for generating an enabling signal upon detecting when said predetermined lock code value identically matches a selected one of said key values applied by said microprocessor to said internal bus; and, an addressable volatile access control memory having a plurality of locations corresponding in number to said number of blocks of said memory array for storing said memory configuration information defining said read out accessibility, said access control memory being connected to said control logic means, to said memory array data output, to said internal bus, and to said access control logic means, said access control logic means enabling reading of information stored in addressed ones of said blocks of said memory array as specified by said memory configuration only after said microprocessor has determined that a predetermined authentication procedure has been successfully performed with said host computer and has transferred said predetermined one of said memory key codes causing said access control logic means to generate said enabling signal for application to said data output for enabling reading out said information to said data output as specified by said access control memory configuration information.
18. A secure memory card including a number of non-volatile memory chips, each memory chip including a memory array organized into blocks of addressable locations, having a capability of operating in a number of modes, said card comprising:
a lock memory for storing a lock value;
control means for generating first and second commands and a predetermined key value;
a key register coupled to said control means and responsive to said first command for storing said predetermined key value;
a comparator coupled to said lock memory and to said key register, said comparator generating a compare signal whenever said lock value and said predetermined key value are equal;
a delay counter coupled to said control means and responsive to said first command for setting said counter to a maximum count value, and responsive to a sequence of successive second commands for generating a zero count signal when said delay counter has been decremented to zero;
logic circuit means coupled to said comparator and to said delay counter, said logic circuit means responsive to said compare signal and said zero count signal for generating an access modification allowed signal;
said control means generating a third command, and first address signals and subsequent address signals identifying a first of said blocks and subsequent blocks respectively; and, access control memory means being coupled to said logic circuit means and to said control means, said access control memory means being responsive to said access modification allowed signal, said address signals and said third command for storing indications signifying when said first of said blocks and said subsequent blocks are enabled for reading.
19. The card of claim 18 wherein said predetermined key value and said maximum count value are selected to be sufficiently large so as to prevent ease of access to said information stored in said non-volatile memory when said memory card is placed in an unauthorized host computer.
20. The card of claim 18 wherein said control means includes a microprocessor which couples to said memory which, upon successfully performing a first user authentication operation, generates said first, second and third commands.
21. The card of claim 20 wherein said first command is a load key command, said second command is a decrementing command and said third command is a read allow block command.
22. The card of claim 18 wherein said memory further includes command control means for decoding a predetermined set of commands for conditioning said card to perform normal memory operations, and said command control means including means for decoding an additional set of commands including said first, second and third commands for providing security for information stored in said memory.
23. A method of constructing a secure memory card installable in a host computer which includes a number of non-volatile memory chips, each memory chip including a memory array organized into blocks of addressable locations and control logic circuits for generating command signals for performing memory operations, said method comprising the steps of:
(a) incorporating a microprocessor into said card which is connected to communicate with said host computer when installed therein, said microprocessor including an addressable non-volatile memory for storing information including a number of key values defining user accessibility to memory areas and memory configuration information defining accessibility to said memory areas;
(b) incorporating security logic circuits into each non-volatile memory chip, said security logic circuits including a non-volatile lock memory for storing a predetermined lock value, access control logic means connected to said lock memory and an addressable volatile access control memory having a plurality of locations corresponding in number to said number of blocks for storing accessibility bit information according to said configuration information;
(c) interconnecting said microprocessor to each memory chip transferring address, data and control information to said each memory chip;
(d) modifying said control logic circuits to be responsive to a plurality of commands for operating said security logic circuits;
(e) performing an initial preestablished user authentication operation by said microprocessor with said host computer; and, (f) enabling said security logic circuits by said microprocessor transferring specific ones of said plurality of commands to said each chip only when said authentication operation in step (e) has been successfully performed for allowing said information stored in different ones of said blocks to be read out according to said accessibility bit information stored in said access control memory.
24. The method of claim 23 wherein said microprocessor non-volatile memory has a number of sections and wherein step (a) further includes the steps of generating random values for said key values and loading said key values into a first one of said number of sections.
25. The method of claim 24 wherein said microprocessor further includes an interval counter coupled to said microprocessor non-volatile memory and wherein step (a) further includes the steps of generating a user selected time interval and loading a value corresponding to said user selected time interval into said interval counter and wherein said method further includes the steps of:
(g) periodically initiating said user authentication operation of step (e) at said user selected time interval; and, (h) continuing to allow said information stored in said blocks to be read out according to said accessibility bit information as long as said authentication operation of step (g) is successfully performed.
26. A method of constructing a secure memory card which includes a number of non-volatile memory chips for storing large quantities of information, each memory chip including memory array organized into blocks of addressable locations and control logic circuits for generating command signals for performing memory operations, said method comprising the steps of:
(a) incorporating a microprocessor into said card, said microprocessor including an addressable non-volatile memory for storing information including a number of key values defining user accessibility to memory areas and memory configuration information defining accessibility to said memory areas;
(b) incorporating security logic circuits into each non-volatile memory chip, said security logic circuits including a non-volatile lock memory for storing a predetermined lock value, access control logic means connected to said lock memory and an addressable volatile access control memory having a plurality of locations corresponding in number to said number of blocks for storing user accessibility bit information in accordance with said configuration information;
(c) interconnecting said microprocessor to each memory chip for transferring address, data and control information to said each memory chip; and, (d) modifying said control logic circuits to incorporate a plurality of commands for operating said security logic circuits as an extension to a set of commands normally provided by said control logic circuits whereby said security logic circuits protect said information contained in said number of chips from being read out in an unauthorized manner even when said chips are removed from said memory card.
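The chip-side mechanism of claims 18 to 22 (lock memory, key register, comparator, delay counter and a volatile per-block access control memory) and the property claim 26 relies on (the read-enable bits vanish when a chip is removed from the card, because they are volatile) are easier to reason about as a small behavioural model. The following Python is an added illustration written for this page; it is not code from the patent or from any product built on it. The command names, the `MAX_DELAY` value, the sample lock value and the sample block contents are assumptions. It also shows the point behind claim 19: in an unauthorized host every key guess costs a full load, count-down and read-allow sequence, and a wrong key is indistinguishable from an unexpired delay.

```python
"""Behavioural model of the per-chip security section claimed in claims 18-22
and of the volatile reset that claim 26 relies on (added example; not the
patent's own code).  Command names, MAX_DELAY and sample data are assumed."""
import hmac
from typing import List, Optional

MAX_DELAY = 8  # assumed "maximum count value"; claim 19 wants this large


class SecureMemoryChip:
    """One non-volatile memory chip carrying the claimed security section."""

    def __init__(self, lock_value: bytes, blocks: List[bytes]) -> None:
        # Non-volatile: survives power loss and removal from the card.
        self._lock_value = bytes(lock_value)       # written once, never read back
        self._array = [bytes(b) for b in blocks]   # memory array, one entry per block
        # Volatile: cleared whenever the chip loses power.
        self._key_register: Optional[bytes] = None
        self._delay_counter = 0
        self._access_control = [False] * len(self._array)  # one read-enable bit per block

    # --- the three security commands of claim 21 -------------------------
    def load_key(self, key: bytes) -> None:
        """First command (load key): latch the key and arm the delay counter."""
        self._key_register = bytes(key)
        self._delay_counter = MAX_DELAY

    def decrement(self) -> None:
        """Second command (decrement): count the delay down by one."""
        if self._delay_counter > 0:
            self._delay_counter -= 1

    def read_allow_block(self, block: int) -> bool:
        """Third command (read allow block): set one block's read-enable bit.

        Succeeds only when the compare signal and the zero-count signal are
        both asserted; a wrong key and an unexpired delay look the same."""
        if not self._access_modification_allowed():
            return False
        self._access_control[block] = True
        return True

    # --- normal memory operation, gated by the access control memory ----
    def read(self, block: int) -> Optional[bytes]:
        """Return the block's data only if its read-enable bit is set."""
        if not self._access_control[block]:
            return None
        return self._array[block]

    def power_cycle(self) -> None:
        """Loss of power (e.g. chip pulled from the card) clears volatile state."""
        self._key_register = None
        self._delay_counter = 0
        self._access_control = [False] * len(self._array)

    # --- internal signals ------------------------------------------------
    def _compare_signal(self) -> bool:
        # Constant-time compare stands in for the hardware comparator.
        return (self._key_register is not None
                and hmac.compare_digest(self._key_register, self._lock_value))

    def _access_modification_allowed(self) -> bool:
        return self._compare_signal() and self._delay_counter == 0


def unlock_blocks(chip: SecureMemoryChip, key: bytes, blocks: List[int],
                  host_authenticated: bool) -> List[int]:
    """Card microprocessor side (claim 20): issue the command sequence only
    after host authentication succeeded.  Returns the blocks now readable."""
    if not host_authenticated:
        return []
    chip.load_key(key)
    for _ in range(MAX_DELAY):
        chip.decrement()
    return [b for b in blocks if chip.read_allow_block(b)]


def brute_force(chip: SecureMemoryChip, candidates: List[bytes], block: int):
    """Attacker model (claim 19): chip in an unauthorized host, guessing keys.
    Returns (key that worked or None, number of bus commands spent)."""
    commands = 0
    for cand in candidates:
        chip.load_key(cand)
        commands += 1
        for _ in range(MAX_DELAY):
            chip.decrement()
            commands += 1
        commands += 1
        if chip.read_allow_block(block):
            return cand, commands
    return None, commands


if __name__ == "__main__":
    # Constructed sample data: a 4-byte lock value and three blocks.
    lock = bytes.fromhex("5a3c9e17")
    chip = SecureMemoryChip(lock, [b"boot", b"keys", b"data"])
    print("before unlock:", chip.read(1))
    print("unlocked:", unlock_blocks(chip, lock, [1, 2], host_authenticated=True))
    print("after unlock:", chip.read(1))
    chip.power_cycle()
    print("after power cycle:", chip.read(1))
```

Running the script shows the sequence the claims describe: nothing is readable until the card microprocessor has loaded the matching key, driven the delay counter to zero and issued a read-allow command per block; a power cycle returns the chip to the fully locked state. `brute_force` makes the cost of claim 19 concrete: each guess spends `MAX_DELAY + 2` commands, and `read_allow_block` gives no early signal of whether the key matched.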
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002162287A CA2162287C (en) | 1994-03-07 | 1994-03-07 | A secure memory card |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002162287A CA2162287C (en) | 1994-03-07 | 1994-03-07 | A secure memory card |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2162287C true CA2162287C (en) | 1997-01-21 |
Family
ID=4156913
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002162287A Expired - Fee Related CA2162287C (en) | 1994-03-07 | 1994-03-07 | A secure memory card |
Country Status (1)
Country | Link |
---|---|
CA (1) | CA2162287C (en) |
1994-03-07 | CA | CA002162287A patent/CA2162287C/en | not active (Expired - Fee Related)
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5293424A (en) | Secure memory card | |
CA2158265C (en) | A secure application card for sharing application data and procedures among a plurality of microprocessors | |
CA2158264C (en) | A secure memory card with programmed controlled security access control | |
US6032858A (en) | Electronic money storing apparatus and IC card control method | |
JPS6049942B2 (en) | data processing equipment | |
JPH0365589B2 (en) | ||
TW502166B (en) | Apparatus and method for accessing secured data stored in a portable data carrier | |
JPH0682405B2 (en) | Test program start method | |
KR20090043823A (en) | Memory system for sensing external attack | |
US5442165A (en) | Secure IC card system with reusable prototype IC card | |
US4819204A (en) | Method for controlling memory access on a chip card and apparatus for carrying out the method | |
CN1326051C (en) | Method and device for controlling EEPROM access, computer software product and readable storage medium | |
CA2162287C (en) | A secure memory card | |
WO1995024698A1 (en) | A secure memory card | |
EP1074951B1 (en) | Settlement system and card | |
US20030140236A1 (en) | Method and arrangement for preventing unauthorized execution of computer programs and a corresponding software product and a corresponding computer-legible storage medium | |
KR100232086B1 (en) | A secure memory card | |
JPH0449147B2 (en) | ||
JP2002024785A (en) | Ic card and reader/writer | |
JP2000259801A (en) | Memory device for ic card with initialization function | |
JPS6376035A (en) | Ic card | |
JPS62212792A (en) | Personal information management system | |
JPS62221753A (en) | Illegal access preventing system | |
JPH0693254B2 (en) | Portable electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| MKLA | Lapsed | |