US20200074120A1 - Anti-tamper circuitry - Google Patents
- Publication number
- US20200074120A1 (US16/293,543)
- Authority
- US
- United States
- Prior art keywords
- circuitry
- component
- external component
- tamper
- external
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
- G06F21/81—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations
- G06F21/86—Secure or tamper-resistant housings
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2143—Clearing memory, e.g. to prevent the data from being stolen
Definitions
- Systems may be formed from a variety of different devices. Manufacturers, system integrators, or the like may design and install a particular system with authorized components. However, a third-party supplier may swap devices on similar systems, install used components, or install third-party components, any of which may lead to performance issues and/or damage to components of the system.
- FIGS. 1A-1C are block diagrams of systems including a device with anti-tamper circuitry according to some embodiments.
- FIG. 2 is a block diagram of a device with anti-tamper circuitry according to some embodiments.
- FIGS. 3A-3C are block diagrams of circuitry of devices with anti-tamper circuitry according to some embodiments.
- FIGS. 4A-4B are cross-sectional diagrams illustrating mounting a device with anti-tamper circuitry on an external component according to some embodiments.
- FIGS. 5A-5D are schematic diagrams of circuitry of anti-tamper circuitry according to some embodiments.
- FIGS. 6A and 6B are flowcharts showing techniques of operating a device with anti-tamper circuitry according to some embodiments.
- FIG. 7 is a block diagram of an x-ray system according to some embodiments.
- FIGS. 8A-8B are block diagrams of systems including an authorization system according to some embodiments.
- FIGS. 9A-10C are flowcharts showing examples of techniques of operating an authorization system according to some embodiments.
- Some embodiments relate generally to mechanisms, methods, and systems to disable a component authentication system when it is removed from a component. Some embodiments relate generally to switches and disabling components and/or circuitry.
- Electronic devices may be used in an attempt to block the use of third-party components in systems such as computed tomography (CT) and x-ray systems.
- Such electronic devices may be removed from systems including old, broken, worn out components, such as x-ray tubes.
- the electronic devices may then be installed on third-party or used tubes to be sold for use in an original equipment manufacturer (OEM) system.
- a third-party may access an old, used, or broken x-ray tube from which the electronic devices can be removed.
- the electronic device can then be installed on a new, used, or third-party tube to enable the tube to simulate a genuine tube in the system.
- anti-tamper circuitry may not prevent the removal of the components or the electronic devices themselves but may disable at least some to all of the functionality of the device such as disabling authentication or other functions, deleting configuration information, or the like. As a result, the electronic device may not be able to perform those functions without having a manufacturer or authorized service representative reprogram the device. Thus, an unauthorized party may no longer be able to reuse the electronic device and access some to all of the functionality. As will be described in further detail below, the effect of the loss of some to all of the functionality may result in a range of effects from a warning message to disabling of the electronic device or a system including the electronic device.
- x-ray tubes designed and built by the manufacturer may include tube-specific information to be used in conjunction with a tube auxiliary unit (TAU) to function with proper imaging and without damage to the tube.
- That tube specific information may reside in non-volatile random-access memory (NVRAM), such as flash memory or solid-state storage, of the TAU. Since some of the information stored in the TAU is tube specific, if its TAU were to be swapped to a different tube, its tube specific information would no longer match the specific x-ray tube. The mismatch could cause image quality issues and/or irreparable x-ray tube damage if used.
- the anti-tamper circuitry may reduce or eliminate the chance that the TAU is swapped between different x-ray tubes and provides incorrect tube specific information to a system.
- FIGS. 1A-1C are block diagrams of systems including a device with anti-tamper circuitry according to some embodiments.
- FIG. 2 is a block diagram of a device with anti-tamper circuitry according to some embodiments.
- the system 100 a includes a device 102 configured to be mounted to an external component 104 .
- the device 102 includes anti-tamper circuitry 110 and circuitry 112 .
- Examples of the device 102 include devices with circuitry 112 that may include customized components, firmware, software, data or the like.
- the firmware or software may include instructions that implement proprietary communication and/or control techniques with other circuitry 122 or circuitry 120 of the external component 104 .
- the data may include authentication information, cryptographic information, performance data, or the like.
- Particular examples of the device 102 include an authentication circuit for a system, a control circuitry for an x-ray tube, or the like.
- the external component 104 may include a purely structural component and/or a circuitry with some functional capabilities.
- the external component 104 is a housing of a system that includes the device 102 .
- the device 102 may be mounted to that housing and hence, mounted to the external component 104 .
- the device 102 includes a housing 116 configured to restrict access to disarm the anti-tamper circuitry 110 when the device 102 is mounted to the external component 104 .
- the housing 116 may include a sealed case surrounding the anti-tamper circuitry 110 and the circuitry 112 .
- the combination of the housing 116 and the external component 104 such as a wall 124 of the external component 104 , may completely enclose the anti-tamper circuitry 110 and the circuitry 112 .
- the combination may enclose the anti-tamper circuitry 110 and the circuitry 112 sufficiently to prevent access to the anti-tamper circuitry 110 or the circuitry 112 without significantly modifying or destroying the housing 116 .
- the combination of the housing 116 and the external component 104 may be configured such that accessing the anti-tamper circuitry 110 or the circuitry 112 is significantly more difficult than removing the device 102 from the external component 104 .
- the device 102 includes anti-tamper circuitry 110 electrically connected to circuitry 112 .
- the anti-tamper circuitry 110 is configured to disable at least one function of the circuitry 112 when the device 102 is removed from the external component 104 .
- the anti-tamper circuitry 110 is coupled to the external component 104 through coupling 114 .
- This coupling 114 may be a mechanical, electrical, optical, magnetic, other similar couplings, or a combination of such couplings.
- a switch may be switched when the device 102 is mounted on the external component 104 . Switched can refer to either toggling from an on state to an off state or toggling from an off state to an on state.
- the switch may have a mechanically or magnetically switchable pole.
- a state of the switch may change depending on whether the device 102 is mounted on the external component 104 or is being removed from the external component. In other embodiments, the switch may change state when a fastener that is used to mount the device 102 on the external component is removed. In other embodiments, an electrical circuit may be created through a portion of the external component 104 , such as through a metallic portion of the wall 124 . Removal of the device 102 from the external component may be detected by a break in that circuit. Although some circuits and structures have been used as examples of configurations by which the anti-tamper circuitry 110 may sense the removal of the device 102 from the external component 104 , the anti-tamper circuitry 110 may sense the removal in other ways.
- Embodiments described herein may be used anywhere where a device 102 should stay physically paired to the system 100 a , the external component circuitry 120 , the other circuitry 122 , or another component or device to which they are mounted and/or associated. Paired in this sense could mean physically in touch, in proximity, in communication with, integrated into the device, or the like.
- the anti-tamper circuitry 110 may be configured to disable at least one function of the circuitry 112 .
- the particular function of the circuitry 112 may include a capability of general processing, the use of particular data, the ability to properly respond to authentication challenges, or the like.
- data stored in the circuitry 112 may be erased.
- the data may include cryptographic information, authentication information, identification information, operational information, firmware, software, or the like.
- non-volatile memory of the circuitry 112 may be erased to disable at least one function.
- fuses that affect operation of the circuitry 112 may be blown to disable at least one function. While some embodiments may disable at least one function, in other embodiments, the anti-tamper circuitry 110 may be configured to disable all functions of the circuitry 112 or the entire device 102 .
- the circuitry 112 is configured to control the external component.
- the circuitry 112 may be coupled to the external component circuitry 120 .
- the circuitry 112 may include control circuitry for an x-ray tube.
- the external component circuitry 120 may include an anode, cathode, filament, emitter, motor, steering electronics, focusing electronics, or other circuitry that may be part of an x-ray tube.
- radio-frequency identification (RFID) sensors, light sensors, proximity sensors, bar code readers, cameras that process the tube serial number or other identifying features, trip wires, tamper resistant mounting, or any combination of such techniques.
- the external component 104 may be another device 106 .
- the device 106 may be an interface circuit board configured to provide an interface between a system control component and other components of the system.
- the device 106 may be an interface board that converts controls and/or communication between the system controller for an x-ray system and particular sub-systems, such as an x-ray generation subsystem, a power sub-system, a detector sub-system, a cooling subsystem, a user interface sub-system, or the like.
- the device 102 may be an authentication daughter board (ADB) configured to store authentication information, perform authentication functions, negotiate authentication between a system controller and the device 106 or other sub-systems of the system 100 b , or the like.
- more than one device 102 may be mounted on the external component 104 .
- N devices 102 are mounted on the external component 104 .
- the devices 102 - 1 to 102 -N may be the same, similar, or different. However, some to all of the devices 102 - 1 to 102 -N may include the anti-tamper circuitry 110 described herein.
- the anti-tamper circuitry 110 prevents the reuse, modification, tampering, replacement, or reinstallation of the device 102 , by a third-party or onto a third-party component.
- the device 102 may be part of an authentication system.
- the authentication system may be configured to determine whether or not a component in the system, which may be the device 102 , the external component 104 , or another component, is a genuine manufacturer or OEM component by issuing an encrypted challenge question to a cryptographic electronic device on the component.
- the device 102 may include the cryptographic electronic device as part of the circuitry 112 .
- the device 102 includes the circuitry that controls the external component 104 . If the cryptographic electronic device can be removed from the genuine component and installed on a counterfeit component, then the authentication system can be defeated. However, the anti-tamper circuitry 110 is triggered upon removal of the device 102 .
- the at least one function of the circuitry 112 that is disabled may include the authentication functions, authentication information, or the like. After the anti-tamper circuitry 110 is triggered, the cryptographic electronic device would no longer respond properly to authentication requests. As a result, the system 100 would have an indication that the device 102 and/or external component 104 can no longer be trusted to be a genuine manufacturer or OEM component.
- service contracts may be a large source of revenue for an OEM.
- Anti-tamper circuitry 110 as described herein may be used by the OEM to reduce or eliminate an ability of third-party manufacturers or resellers to install competing or replacement products, or incompatible components that can result in performance and patient safety issues.
- FIGS. 3A-3C are block diagrams of circuitry of devices with anti-tamper circuitry according to some embodiments.
- the circuitry includes anti-tamper circuitry 110 similar to that described above, a processor 113 , and a memory 118 .
- the processor 113 and memory 118 are examples of circuitry 112 described above.
- the processor 113 may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit, a microcontroller, a programmable logic device, discrete circuits, a combination of such devices, or the like.
- the processor 113 may include internal portions, such as registers, cache memory, volatile memory, non-volatile memory, processing cores, or the like, and may also include external interfaces, such as address and data bus interfaces, interrupt interfaces, or the like. Although only one processor 113 is illustrated, multiple processors 113 may be present. In addition, other interface devices, such as logic chipsets, hubs, memory controllers, communication interfaces, or the like may be included to connect the processor 113 to internal and external components.
- the processor 113 is coupled to the memory 118 .
- the memory 118 includes data such as cryptographic information, authentication information, identification information, operational information, firmware, software, or the like as described above.
- the anti-tamper circuitry 110 is configured to erase at least a portion of the memory 118 used by the processor 113 when the device 102 is removed from the external component 104 .
- the erasure may be of all of such data.
- the erasure may be of a sufficient quantity and quality of the data to render the device 102 inoperable, such as the erasure of secret information such as cryptographic keys.
- the processor 113 includes on-chip or otherwise integrated memory 118 a .
- the memory erased is memory integrated with the processor 113 .
- the anti-tamper circuitry 110 is coupled to the processor 113 .
- the processor 113 is coupled to external memory 118 b .
- the anti-tamper circuitry 110 may be configured to activate the processor 113 and cause the processor 113 to execute commands to erase the at least a portion of the external memory 118 b .
- the anti-tamper circuitry 110 may cause the processor to execute an interrupt service routine that erases the portion of the memory 118 b .
- the anti-tamper circuitry 110 may be configured to boot the processor 113 in a mode specifically designed to erase the portion of the memory 118 b .
- Although the processor 113 is illustrated as being directly coupled to the memory 118 b , in other embodiments, other intervening circuitry may be present, such as a memory controller.
- the anti-tamper circuitry 110 may be configured to access the memory 118 c without accessing the processor 113 . Accordingly, the anti-tamper circuitry 110 may be configured to erase the portion of the memory by controlling the memory 118 c.
- the anti-tamper circuitry 110 may be coupled in any manner such that the anti-tamper circuitry 110 may cause the portion of the memory 118 used by the processor 113 to be erased.
- FIGS. 4A-4B are cross-sectional diagrams illustrating mounting a device with anti-tamper circuitry on an external component according to some embodiments.
- FIG. 4A illustrates a state of a device 102 and an external component 104 before the device 102 is mounted to the external component 104 or after the device 102 is removed from the external component 104 .
- FIG. 4B illustrates a state of the device 102 and the external component 104 when the device 102 is mounted to the external component 104 .
- the device 102 includes a housing 116 .
- the device 102 includes a switch 220 .
- the switch 220 is coupled to the housing 116 .
- Although the housing 116 is illustrated as an example of a mounting structure of the device 102 , in other embodiments, the mounting structure may be a structure other than the housing 116 .
- the mounting structure may be any structure, board, component, or the like that remains with the device 102 when the device is moved relative to the external component 104 .
- the housing includes a flange 212 .
- a fastener 214 may be used to attach the housing 116 to the wall 124 of the external component 104 . While mounting components such as the flange 212 and fastener 214 have been used as examples, in other embodiments, different mounting techniques may be used.
- the switch 220 is configured to switch when the device 102 is removed from the external component 104 .
- the switch 220 has a pole 222 in a first state.
- the switch 220 may be a momentary normally closed switch. Thus, in the state illustrated in FIG. 4A , the switch 220 is closed.
- a structure 204 of the external component 104 causes the pole 222 of the switch 220 to switch.
- the switch 220 is opened.
- the structure 204 is a protrusion, wall, rib, gusset, fastener, or the like.
- the structure 204 is disposed on the external component 104 such that when the device 102 is mounted on the external component 104 , the structure 204 toggles the state of the switch 220 .
- any mechanism and associated structures may be used that causes the switch 220 to be in a first state when mounted and in a second state when removed.
- the mechanism and associated structures may be formed such that the switch 220 changes state before the anti-tamper circuitry 110 may be accessed to disable the anti-tamper circuitry 110 or otherwise prevent it from disabling at least one function of the circuitry 112 as described above.
- the switch 220 need not be mechanically switched.
- the switch 220 may be magnetically switched.
- the structure 204 may include a magnet or a ferromagnetic material according to the structure of the switch 220 such that the switch 220 changes state as the device 102 is mounted to or removed from the external component 104 .
- any one of these switches 220 may be used by the anti-tamper circuitry 110 to disable at least one function of the circuitry 112 .
- FIGS. 5A-5D are schematic diagrams of circuitry of anti-tamper circuitry according to some embodiments.
- the anti-tamper circuitry 110 a includes a power supply 502 and a disable circuit 504 .
- the power supply 502 is configured to generate power that may be used by the disable circuit 504 and potentially a portion of the circuitry 112 .
- the power supply 502 is disposed within the device 102 .
- the power supply 502 is configured to supply power after detecting removal of the device 102 from the external component 104 .
- the power supply 502 may include a battery, a capacitor, a supercapacitor, or any other energy storage device that may be disposed within the device 102 .
- the power supply 502 may be charged by an external power source 506 .
- the power supply 502 may include switches that connect the power supply 502 to other components of the anti-tamper circuitry 110 when the device 102 is removed from the external component 104 .
- the disable circuit 504 is a circuit configured to disable the at least one function of the circuitry 112 .
- the disable circuit 504 includes an ERASE output.
- the ERASE output is a signal coupled to an ERASE input on a processor, memory, or the like of the circuitry 112 that would initiate an erase command to erase memory or otherwise disable the at least one function.
- power PWR may also be provided to some components of the circuitry 112 .
- the device 102 may not be connected to an external power source or the external power source may be disabled when the device 102 is being removed from the external component 104 .
- the power supply 502 may instead supply the power needed to allow the disable circuit 504 to disable the at least one function of the circuitry 112 .
- the anti-tamper circuitry 110 b includes battery B 1 and switch SW 1 .
- a single battery B 1 is illustrated; however, in other embodiments, multiple batteries may be used.
- the switch SW 1 is a double-pole double-throw switch (DPDT).
- the switch SW 1 is coupled such that in the illustrated state, 3.3V is coupled to VDD_CPU and no connection is made to ERASE_CPU. In the other state, both VDD_CPU and ERASE_CPU are coupled to the battery B 1 .
- VDD_CPU is a power supply for a processor that may be part of the circuitry 112 .
- ERASE_CPU is a signal that commands the processor of the circuitry 112 to erase some or all of its memory. As a result, the at least one function of the circuitry 112 may be disabled.
- the switch SW 1 is illustrated in the state when the corresponding device 102 is mounted to the external component 104 . When removed, the switch SW 1 will transition to the other state, which will supply power to the processor through VDD_CPU and supply the erase signal through ERASE_CPU.
- the isolator I is a removable structure configured to disconnect the battery B 1 from the switch. When in place, the battery B 1 will be disconnected and will not supply power to the switch SW 1 . Thus, ERASE_CPU will not be activated.
- the isolator I may be in place during installation to disable the anti-tamper circuitry 110 b.
- R 1 is coupled to VDD_CPU and pulls down the input to AND gate U 1 .
- the other input to AND gate U 1 is an error signal ERROR_N.
- When the device 102 is being installed and the 3.3V power is applied, the switch SW 1 will be in the opposite state. However, as the isolator I is present, the battery will not enable ERASE_CPU. VDD_CPU will not be coupled to 3.3V and will be pulled down by R 1 . Thus, the output of AND gate U 1 will be low, turning on LED D 1 . Once the device 102 is properly installed, the switch SW 1 will change to the illustrated state and VDD_CPU will be set to 3.3V.
- the AND gate U 1 output will switch to high, assuming there is no error indicated by a low on ERROR_N.
- the high output will cause the LED D 1 to turn off.
- an installer will receive a visual indication that the device 102 is installed such that the switch SW 1 is in the illustrated state.
- the isolator I may be removed. ERROR_N will control the output of the AND gate U 1 and whether LED D 1 is on. Thus, the LED D 1 will act as an error indicator. However, if the device 102 is removed, the switch SW 1 will change state, activating VDD_CPU and ERASE_CPU.
- the SW 1 switch is a normally closed (NC) double pole, double throw (DPDT) switch where the closed state couples the battery B 1 to ERASE_CPU.
- the switch can be normally closed (NC) and open when the switch is depressed, such as when the device 102 is installed and a feature of the external component 104 presses on the switch.
- VCC_INSTALL is a power voltage supplied during installation when 3.3V may not be active.
- Resistors R 3 and R 4 are in series with LED D 2 for either VCC_INSTALL or 3.3V.
- Buffer U 2 is an open-drain buffer.
- Inverter U 3 is an open-drain inverter. Thus, if the input to U 2 is low or if the input to U 3 is high, the LED D 2 will be turned on.
- When the switch SW 1 is in the installed state, ERASE_CPU and the nodes coupled to resistors R 5 , R 6 , R 7 , and Q 1 are pulled to ground and transistor Q 1 is off. However, once the device 102 is removed from the external component 104 , switch SW 1 changes state, increasing the voltage of node N 1 , pulsing ERASE_CPU until C 1 charges. R 5 and C 1 are selected to provide a sufficient pulse to erase a portion of the memory to disable the at least one function.
- the operation of U 2 , U 3 , resistors R 8 , R 9 , and R 10 , diodes D 3 and D 4 , and LED D 5 may be similar to that of FIG. 5C .
- diodes D 3 and D 4 may isolate VCC_INSTALL from 3.3V.
- the operation of the anti-tamper circuitry 110 d may be similar to that of anti-tamper circuitry 110 c of FIG. 5C .
- Although 3.3V has been used as an example of a power supply voltage, the power supply voltage may be different.
- FIGS. 6A and 6B are flowcharts showing techniques of operating a device with anti-tamper circuitry according to some embodiments.
- the removal of a device 102 from an external component 104 is detected.
- a variety of techniques may be used to detect the removal of the device 102 .
- the change in the state of a switch, the change in a magnetic field, the breaking of a circuit or the like may provide an indication of whether the device 102 is being removed from the external component 104 .
- At least one function of the device 102 is disabled.
- the at least one function may be disabled by erasing data, disabling components, such as a processor, or the like.
- Various forms of the anti-tamper circuitry 110 may be used to perform the disabling.
- the detecting of the removal of the device 102 may include detecting the physical separation of a structure of the device 102 and a structure of the external component 104.
- the switch 220 may detect when device 102 is moved relative to the external component 104 .
- the device 102 is installed on the external component 104 .
- a device 102 may be prepared and mounted on the external component 104 .
- the anti-tamper circuitry 110 may be disarmed.
- a removable isolator I such as an insulating tape may be disposed between the power supply 502 contacts and the disable circuit 504 .
- the anti-tamper circuitry 110 may be armed. For example, once the device 102 is installed, the insulating tape may be removed, arming the anti-tamper circuitry 110. Before the insulating tape is removed, the device 102 may be mounted and removed repeatedly without engaging the anti-tamper circuitry 110. However, once the tape is removed, the anti-tamper circuitry 110 is armed and any attempt to remove the device 102 from the external component 104 may be detected and used to disable at least one function of the circuitry 112 of the device 102 in operations 604 and 606.
- the device 102 may be reset in 608 .
- Resetting the device 102 includes operations that return the device 102 to a state where it may again be installed or operated in an authorized manner. For example, the device 102 may be returned to an authorized repair facility.
- the erased data may be restored to the device 102 , the disabled components may be reenabled, disabled components may be replaced, the isolator I described above may be reinstalled, or the like such that the device 102 is in a state similar to a device 102 that had not had the at least one function of the circuitry 112 disabled.
- the resetting of the device 102 may be performed by an authorized repair technician with the appropriate data and/or components.
- An unauthorized party may not have the appropriate data and/or components and would not be able to restore the device 102 to an operating condition.
- FIG. 7 is a block diagram of an x-ray system according to some embodiments.
- the x-ray system 700 includes a host controller 702, an interface board (IFB) 704, a tube auxiliary unit (TAU) 732, and an x-ray tube 736. These components may be mounted on a rotatable gantry 710.
- a device 102 is the IFB 704 or is part of the IFB 704 .
- the external component 104 may be the gantry 710 .
- at least one function of the IFB 704 may be disabled if the interface board is removed from the gantry 710 .
- the IFB 704 may include firmware, software, calibration data, secret information such as keys, IDs, or other cryptographic information, or the like that may be erased to disable at least one function.
- a device 102 is an authentication daughter board (ADB) 703 that is mounted on the IFB 704 .
- the external component 104 may be the IFB 704 .
- Information such as that described above may be erased if the ADB 703 is removed from the IFB 704 .
- a device 102 is the TAU 732 .
- the TAU 732 may be mounted on the x-ray tube 736 .
- the external component 104 may be the x-ray tube 736 .
- the TAU 732 may include data or firmware that may be erased similar to the IFB 704 or ADB 703 .
- the host controller 702 is configured to control operations of components such as the gantry 710, the IFB 704, and the x-ray tube 736 through the TAU 732. While these components are used as examples, other components may be present such as an image detector, a high voltage (HV) generator, a heat exchanger, or the like.
- the host controller 702 may also be configured to communicate with the IFB 704 and perform various actions such as identification, authentication, or the like in addition to directing control of the system 700 .
- the IFB 704 includes the ADB 703 .
- This configuration may allow for easier retrofitting of the ADB 703 to existing CT systems.
- the IFB 704 has a communication link to the host controller 702 and another communication link to the TAU 732 .
- the ADB 703 contains cryptographic authentication hardware/firmware that allows for encrypted communication with both the host controller 702 and the TAU 732 .
- the IFB 704 is a device that holds the ADB 703 and supplies power to it and translates the communications to the ADB's 703 native communication protocol.
- the TAU 732 contains cryptographic authentication hardware/firmware that allows for encrypted communication with the IFB 704 /ADB 703 and is attached to the x-ray tube 736 .
- the IFB 704 /ADB 703 may challenge the TAU 732 to see if it is a genuine manufacturer or OEM x-ray tube.
- the authentication unit of the TAU 732 is mounted to the x-ray tube 736 , but the authentication unit could also be an integral part of the x-ray tube 736 .
- the anti-tamper circuitry 110 would be part of that authentication unit.
- other components such as an x-ray detector or imager, accelerator, or other device where it may be beneficial to render the device unusable after its removal from its original installation location may include a device 102. Each of those may have associated anti-tamper circuitry 110.
- the removal of a used x-ray tube, x-ray detector, or imager from an x-ray or mammography system for the purpose of resale into another system may be prevented.
- a switch in the anti-tamper circuitry 110 would trigger and could disable the authentication function, render the firmware unusable, prevent communication, or any other essential function that would allow further usage of the device 102 .
- the anti-tamper circuitry 110 could also be used to reinforce software/firmware (SW/FW) licensing of TAU 732 , x-ray tube 736 , detector, or other device software that was sold to a specific customer under a license agreement that would only allow the original buyer to utilize the firmware/software (FW/SW) or hardware.
- the respective FW/SW would be automatically erased when the device is removed.
- x-ray system 700 may take other forms.
- Some embodiments relate generally to mechanisms, methods, and systems using a system identifier (ID) (or a device ID) in an encrypted form to a component.
- the mechanisms, methods, and systems described herein allow manufacturers or OEMs to detect unauthorized installation of components into their system.
- third-party suppliers can swap components on a system against used OEM components or third-party components which can lead to warranty issues, quality issues, and, in the case of an imaging system, image quality issues, diagnostic issues, and misdiagnosis.
- Embodiments described herein allow for the detection of such unauthorized component changes to ensure the integrity of the system.
- embodiments described herein allow OEM host systems to determine if their components are being swapped without their permission and/or prevent installation of old, outdated or compromised components into a system that may affect operation, such as replacing a component in an imaging system that will affect the diagnosis of patients. Defective or not optimally functional components can lead to misdiagnosis and in extreme cases can cause permanent harm to the patient and even death.
- FIGS. 8A-8B are block diagrams of systems including an authorization system according to some embodiments.
- the system 800 a includes a first device 802 and a second device 804 .
- the devices 802 and 804 are coupled through a communication link 806 .
- the communication link may be any medium that allows the devices 802 and 804 to communicate.
- the communication link 806 may include a serial link, a parallel link, an automation communication link such as Modbus, CANbus, or the like, a computer bus such as peripheral component interconnect express (PCIe), nonvolatile memory express (NVMe), or the like, and/or a network such as an Ethernet network, a Fibre Channel network, or the like.
- the second device 804 includes a non-volatile memory 808 .
- the memory 808 may include any variety of non-volatile memory such as static random access memory (SRAM), flash memory, electrically erasable programmable read only memory (EEPROM), magnetic storage, or the like.
- the memory 808 includes at least a portion that is operable in a one-time-write manner.
- the memory 808 may include other non-volatile memory that is not configured for one-time-writes and/or volatile memory such as a dynamic random access memory (DRAM), a double data rate synchronous dynamic random access memory (DDR SDRAM) according to various standards such as DDR, DDR2, DDR3, DDR4.
- the portion of the memory 808 is writable once in a normal write operation.
- the one-time write memory 808 may not be erased by other means. As a result, to change a value stored in the memory 808 would require replacing the memory 808 .
- the portion of the memory 808 may be erased by erasing the entire memory 808 .
- the memory 808 is configured to store a system identifier (ID) in the one-time-write portion.
- the system ID is an identifier associated with the system 800 a .
- the system ID may be unique to the system 800 a such as by being a universally unique ID (UUID) or globally unique ID (GUID).
- the system ID for all devices 804 and 812 may be the same. However, in other embodiments, the system ID for a particular device 804 or 812 may be unique to both the system 800 a and that device 804 or 812 .
- the system ID may include a portion unique to the system 800 a and a portion unique to the particular device 804 or 812 , the particular type of device 804 or 812 , or the like.
- the value of the system ID may take a variety of forms.
- the system ID may exist in an original form where the stored data is the system ID.
- an encrypted form of the system ID, a hash of the system ID, or other representations of the system ID may be stored as the system ID and treated as such with appropriate decoding or other manipulation.
- a system ID can be stored on devices 804 in a system 800 a .
- the first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800 a .
- a match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800 a . If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected.
- the first device 802 may be coupled to multiple second devices 804-1 to 804-N.
- Each second device 804 may be coupled to zero to multiple third devices 812-1 to 812-M.
- FIGS. 9A-10C are flowcharts showing examples of techniques of operating an authorization system according to some embodiments.
- operations of a first device 802 , a second device 804 , and a third device 812 of FIG. 8A will be used as examples.
- the first device 802 transmits a request for a system ID stored on the second device 804 to the second device.
- the second device 804 receives the request in 903 . This transmission and other similar operations may occur over the communication link 806 .
- the second device 804 determines if the system ID stored on the second device has an empty value.
- the empty value represents a state where the second device 804 has not stored a system ID in the memory 808 .
- An actual value may not be stored in the memory 808 . Instead, a flag, register, state, or the like may indicate that the system ID has not been programmed into the memory 808 . Checking such an indicator may be part of determining if the system ID has the empty value.
- a processor of the second device 804 may be configured to attempt to read the system ID, flag, register, state, or the like to make the determination.
- a response based on the empty value is transmitted to the first device 802 .
- the response may be a system ID that has a specific meaning. For example, all zeros or all ones may be designated as an empty value for the system ID. In other embodiments, a particular value or values of the system ID may be designated as the empty value. That specific value may be specific to the second device 804 or the type of the second device 804 , specific to the system 800 a or the type of the system 800 a , or the like. Regardless, it is a value that the first device 802 will recognize as indicating that the second device 804 does not store a system ID or that the system ID is the empty value.
- the empty value response may be a different type of message from that used to transmit an actual system ID.
- the empty value response may be an error message.
- the error message may have an error number or code that indicates that the system ID is empty.
- the empty value response is received by the first device 802 .
- the first device 802 transmits the system ID to the second device 804 in 910 .
- the second device 804 receives the system ID in 912 and stores it in the one-time write portion of the memory 808 . Once the system ID is stored, the memory 808 cannot be reprogrammed with a different system ID without extraordinary steps as described above. As a result, the second device 804 is paired with the system 800 a . If the second device 804 is removed from the system 800 a and placed in another system, even an identical system, the system ID may not match.
- the second device 804 may read the system ID, encrypt it, and transmit the encrypted system ID to the first device 802 .
- the first device 802 receives the response based on the system ID stored at the second device 804 in 916 and determines if the response indicates that the system ID stored at the second device 804 matches the actual system ID in 918 .
- the first device 802 may extract the system ID by reading it from the response, decoding an encrypted response, or the like and comparing it to the system ID stored on the first device 802 .
- the system ID may be stored or encoded in a variety of formats. The comparison may be performed in a manner appropriate to the different formats.
- counter measures may be performed in 920 .
- the counter measures may take a variety of forms.
- the system 800 a may be shut down, the devices 802, 804, 816, or the like may be disabled temporarily or permanently, particular functions may be disabled, ranges of operation may be reduced or limited, or the like.
- a notification, a warning, or other communication of the mismatched system IDs may be presented to a user of the system 800 a , reported over a network, or the like.
- information related to the mismatching system IDs may be recorded in memory 808 of the first device 802 and/or the second device 804 .
- the related information may include a timestamp, model numbers and/or serial numbers of the first device 802 and/or the second device 804 , number of times the system IDs had not matched, the mismatched system ID, the entire response received in 916 , or the like.
- when the response based on the system ID is transmitted to the first device 802 from the second device 804 in 914, the communication may be encrypted.
- a secure communication link may be established between the first and second devices 802 and 804 , the response or portions of it may be encrypted, the system ID stored on the second device 804 may be encrypted, or the like.
- it may be more difficult for an eavesdropper to obtain the correct system ID response from the second device 804 .
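The request, store-if-empty and verify flow described above, as an added Python example that is not taken from the patent. It assumes an all-zero 16-byte value is the designated empty system ID and leaves out link encryption; the class names, serial number and ID values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

EMPTY = bytes(16)  # assumption: an all-zero ID is the designated empty value


class OneTimeWriteError(Exception):
    """Raised when the one-time-write region is written a second time."""


class OneTimeWriteMemory:
    """Models the one-time-write portion of memory 808."""

    def __init__(self):
        self._value = None

    def read(self):
        return EMPTY if self._value is None else self._value

    def write(self, value):
        if self._value is not None:
            raise OneTimeWriteError("system ID already programmed")
        if len(value) != len(EMPTY) or value == EMPTY:
            raise ValueError("system ID must be 16 bytes and not the empty value")
        self._value = bytes(value)


class Component:
    """Second device 804: answers system-ID requests over the link."""

    def __init__(self, serial):
        self.serial = serial
        self.memory = OneTimeWriteMemory()

    def handle_id_request(self):
        # 903 and 914: report the stored ID, or the empty value.
        return self.memory.read()

    def handle_id_write(self, system_id):
        # 912: store the ID sent by the first device.
        self.memory.write(system_id)


@dataclass
class Host:
    """First device 802: holds the expected system ID."""
    system_id: bytes
    mismatch_log: list = field(default_factory=list)

    def check(self, component):
        response = component.handle_id_request()
        newly_paired = False
        if response == EMPTY:
            # 910-912: an unprogrammed component is paired with this system.
            component.handle_id_write(self.system_id)
            response = component.handle_id_request()
            newly_paired = True
        # 918: constant-time comparison against the expected ID.
        if hmac.compare_digest(response, self.system_id):
            return "paired" if newly_paired else "match"
        # 920: record the mismatch so counter measures can act on it.
        count = 1 + sum(1 for e in self.mismatch_log if e["serial"] == component.serial)
        self.mismatch_log.append(
            {"serial": component.serial, "reported_id": response.hex(), "count": count}
        )
        return "mismatch"


def demo():
    system_a = Host(system_id=bytes.fromhex("a1" * 16))  # constructed IDs
    system_b = Host(system_id=bytes.fromhex("b2" * 16))
    tau = Component(serial="TAU-0001")  # constructed serial number
    results = [
        system_a.check(tau),  # first install: empty, so it is paired
        system_a.check(tau),  # later power-up in the same system
        system_b.check(tau),  # moved to another system
    ]
    return results, system_b.mismatch_log


if __name__ == "__main__":
    print(demo())
```

The second system cannot re-pair the component because the write-once region rejects a new ID, so the only outcome left to it is the mismatch path.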
- the system 800 a may be a hierarchical system that includes a third device or devices 812 that are downstream from an associated second device 804 .
- some or all communication between the first device 802 and the third device 812 may pass through or be manipulated by the associated second device 804 .
- only the communications related to the system ID may pass through or be manipulated by the associated second device 804 .
- the interactions between the second device 804 and the third device 812 may be the same or similar to the operations described with respect to the first device 802 and the second device 804 . That is, once the second device 804 stores the system ID, the requesting, storing if empty, and verifying of the system ID may be performed between the second and third devices 804 and 812 .
- the second device 804 may begin the operations described above with respect to FIG. 9B .
- a request for the system ID stored on the third device 812 may be transmitted in 922 from the second device 804 to the third device 812 .
- the third device 812 may receive the request for the system ID stored on the third device 812 in 924 .
- the third device 812 may determine if the system ID is the empty value or has not been stored and, if so, return the empty value response. Similar to the operations in 908 and 910 of FIG.
- the second device 803 receives the response indicating that the system ID stored on the third device 812 has the empty value and transmits the system ID in response.
- the third device 812 stores the system ID in the memory 808 . Similar to the operations in 914 and 916 , in 936 and 938 , the third device 812 may transmit a response based on the system ID stored on the third device 812 and that response is received by the second device 804 .
- Although the operations of the second device 804 and the third device 812 have been described as being similar to those of the first device 802 and second device 804, in other embodiments, the operations may be different. For example, different encodings of the system ID, encryption used in transmission, format of responses, particular protocol, or the like may be used.
- the second device 804 may prepare a verification response based on the responses from the third device 812 .
- the verification response may include the system ID response from the third device 812 itself.
- the second device 804 may determine if the system ID stored on the third device 812 matches the system ID stored on the second device 804 similar to the interaction of the first device 802 in 918 of FIG. 9A .
- the verification response may include an indication of whether the system ID stored on the third device 812 is the correct system ID.
- the first device 802 may transmit a verification request to the second device 804 in 941 .
- the second device 804 receives the verification request.
- the second device 804 may prepare a verification response in 940 .
- This verification response may be transmitted by the second device 804 to the first device 802 in 944 .
- the first device 802 receives the verification response and determines if the verification was successful in 948 based on the response. If the verification was successful, operations continue in 952 .
- counter measures may be performed in 950 .
- the counter measures may be similar to those described with respect to 920 .
- the counter measures may also apply to the third device 812 .
- the third device 812 may be disabled, a notification may be presented identifying the third device 812 , or the like.
- the second device 804 may transmit the verification response in 944 to the first device 802 without waiting for the request transmitted in 941 .
- the operations of the first device 802 in 946 , 948 , 950 , and 952 may be similar to those described above.
- Although the operations of the first device 802 and second device 804 have been described in the context of communications between the first device 802 and one second device, the same or similar communications may occur between the first device 802 and multiple second devices 804-1 to 804-N. That is, the first device 802 may request the system ID for each of the second devices 804-1 to 804-N and perform operations similar to those described above. The operations for different second devices 804-1 to 804-N may be performed serially or in parallel. Decisions may be based on responses of only one of the second devices 804-1 to 804-N, some of the second devices 804-1 to 804-N, or all of the second devices 804-1 to 804-N.
- the results of matching or mismatching system IDs may be the same, similar, or different for different second devices 803-1 to 804-N.
- the operations described between a second device 804 and a third device 812 may similarly be performed with multiple third devices 812 .
- Although a three-tier hierarchy has been used as an example, any hierarchy of devices may be part of the system 800 a where the first device 802 queries other devices for a system ID.
- an x-ray system 800 b includes a host controller 822 , an ADB 824 , a TAU 832 , and an x-ray tube 836 .
- the host controller 822 may be a system controller for the x-ray system 800 b .
- the host controller 822 may act as the first device 802 of FIG. 8A and perform the associated operations described in FIGS. 9A-D .
- the ADB 824 may be a circuit that manages the system ID and authentication operations of the system 800 b .
- the ADB 824 may include a memory 808 .
- the ADB 824 may act as the second device 804 of FIG. 8A and perform the associated operations described in FIGS. 9A-D .
- the TAU 832 is a circuit configured to control the operation of the x-ray tube 836 .
- the TAU 832 may be configured to control cathode voltages/currents, anode voltages/currents, filament voltages/currents, focusing electronics, steering electronics, motors, or the like depending on the particular x-ray tube 836 .
- the TAU 832 includes a memory 808 and may act as the third device 812 of FIG. 8A and perform the associated operations described in FIGS. 9A-D .
- Although the TAU 832 has been used as an example of a device in an x-ray system 800 b that may operate using a system ID as described herein, other devices in an x-ray system 800 b may operate similarly.
- a heat exchanger 840, detector 842, high voltage (HV) power supply 844, accelerator 846, or the like may operate using a system ID as described herein.
- a system ID may be transmitted from the host controller 822 to the ADB 824 and stored in memory 808 .
- the ADB 824 may similarly propagate the system ID to the other devices 832 , 840 , 842 , 844 , 846 , 848 , or the like for storage in corresponding memory 808 of those devices.
- the devices of the system 800 b may be paired with that system 800 b . In normal operation, the devices will report the correct system ID and the system 800 b may continue operation. However, if a part is replaced in an unauthorized manner with a different, existing system ID, the counter measures described above may be performed.
- the host controller uses the ADB 824 to communicate with the rest of the manufacturer or OEM's components in the system 800 b .
- the only components that are paired with the system 800 b are the ADB 824 and the TAU 832 .
- the use of the system ID as described herein in an x-ray system 800 b may improve safety and/or longevity of the system 800 b .
- the components of the system 800 b may be aligned, calibrated, or otherwise configured for that specific x-ray system 800 b .
- the empty system IDs in the various devices of the x-ray system 800 b may be initialized to a system ID unique to that particular x-ray system 800 b . If a device in the x-ray system 800 b is replaced by a device from another system with a different system ID, the operation of the x-ray system 800 b may not be the same and, with devices such as the x-ray tube 836 , may become dangerous.
- the x-ray system 800 b may take counter measures when such a situation is detected, notifying a user, shutting down the x-ray system 800 b or a component, or the like. As a result, a chance that the x-ray system 800 b will be operated in a manner that may lead to erroneous results and/or dangerous operating conditions may be reduced or eliminated.
- the storage and verification of the system ID as described herein may limit the ability of a manufacturer's or vendor's customers to swap components themselves or through a third party.
- the verification process checks to see if the ADB 824 , TAU 832 , or the like is a genuine manufacturer or OEM product and that it hasn't been swapped to/from other x-ray systems. It prevents third party service organizations buying used x-ray tubes on the open market, refurbishing them and then selling them back to customers such as hospitals.
- a manufacturer, vendor, system integrator, or the like may reduce a chance that their system is modified with devices from other systems, which may lead to undesirable or dangerous results.
- use of the system ID as described herein may reduce a chance that a reworked device is installed in a system for which it was not intended.
- a device that has been paired with a system and has a system ID may be returned for repair, updates, or the like.
- the device may be programmed with the original system ID or the system ID may be left intact.
- the system ID will match the system ID of the original system. If the device is installed in a different system, even if a similar system or the same type of system, the system ID will not match and the counter measures described above may be performed.
- the system ID may be left unprogrammed if a known customer or installer will reinstall the device in the same system.
- authentication operations may be performed after successful verification in 948 described above.
- the first device 802 transmits an authentication request to the second device 804 .
- the authentication request is received by the second device 804 .
- the second device 804 transmits an authentication request to the third device 812 in 1006 .
- the third device 812 receives the authentication request in 1008 .
- the third device generates an authentication response and transmits that authentication response to the second device 804 in 1012 .
- the second device 804 receives the authentication response from the third device 812 in 1014 .
- the second device 804 analyzes the authentication response in 1016, logs failures in 1018, and generates its own authentication response in 1020.
- the authentication response generated in 1020 may aggregate the authentication response or responses received from one or more third devices 812 and the second device's 804 own authentication response.
- the first device 802 may transmit a request for the authentication status that is received by the second device in 1024 as illustrated in FIG. 10B .
- the second device 804 transmits the authentication response to the first device 802 in 1026 .
- the second device 804 may transmit the authentication response to the first device 802 in 1026 after generating it in 1020 as illustrated in FIGS. 10A and 10C .
- the response may be analyzed to determine if the authentication is successful in 1030. If so, the operations may continue in 1034. If not, counter measures may be performed in 1032 similar to the counter measures described above.
- a variety of different techniques may be used to authenticate the devices 804 and 812 .
- the authentication may be performed using a challenge using hidden numbers.
- An encryption algorithm may use an initialization vector (IV) and an encryption key (key).
- the first device 802 and/or the second device 804 may create a challenge (math problem) using its IV and key and send it to the downstream second device 804 or third device 812. If that device has the same key and IV then it may do the same math problem and get the same result.
- the second device 804 or third device 812 that was “challenged” may then send back the “answer” to that math problem in an encrypted form and the original component can make sure that it answered the challenge correctly. If it responded with the correct answer then the first device 802 and/or the second device 804 may treat the corresponding second device 804 or third device 812 as a genuine part.
- the IV and the key are maintained in restricted memory of a cryptographic authentication integrated circuit.
- an ATSHA integrated circuit may include such restricted memory and may be capable of performing calculations related to encrypted communications. The authentication operations may be more secure if the IV and key are stored in such restricted memory.
- the authentication process may be used to ensure that all required components are in the system, are designed for the particular customer, and/or are genuine manufacturer or OEM components. Different customers may have customer specific encryption keys so that a third party cannot take a component designed for one customer and sell it to another. Any missing components will fail the authentication process as they will not authenticate if they are not present.
- the authentication process may prevent a third party from supplying part of the system. If the full computed tomography (CT) system is designed to have 5 manufacturer or OEM components but only 4 of them are genuine and the fifth was sourced from a third party, the authentication process would identify that fifth component as not genuine.
- more than one second device 804 and more than one third device 812 may be present in the system 800 a .
- While the system 800 a of FIG. 8A was used as an example, the authentication operations described above with respect to FIGS. 10A-C may be implemented by other systems, such as the x-ray system 800 b of FIG. 8B.
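The hierarchical challenge-response authentication described above (1006 to 1030), as an added Python example that is not taken from the patent. It substitutes HMAC-SHA256 over a fresh random challenge for the patent's unspecified IV-and-key computation; the class names, slot names and key values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def respond(key, challenge):
    """Answer to a challenge: HMAC-SHA256 under the shared secret key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Part:
    """Third device 812. The key stands in for restricted memory in a crypto IC."""

    def __init__(self, key):
        self._key = key

    def authenticate(self, challenge):  # 1008-1012
        return respond(self._key, challenge)


class SecondDevice:
    """Second device 804: challenges downstream parts and aggregates the result."""

    def __init__(self, key, required_slots):
        self._key = key
        self.required_slots = list(required_slots)
        self.installed = {}    # slot name -> Part
        self.failure_log = []  # 1018

    def check_downstream(self):
        status = {}
        for slot in self.required_slots:
            part = self.installed.get(slot)
            if part is None:
                status[slot] = "missing"  # absent parts cannot authenticate
            else:
                challenge = secrets.token_bytes(32)  # fresh, so recorded answers fail
                answer = part.authenticate(challenge)     # 1006, 1014
                expected = respond(self._key, challenge)  # 1016
                ok = hmac.compare_digest(answer, expected)
                status[slot] = "genuine" if ok else "failed"
            if status[slot] != "genuine":
                self.failure_log.append((slot, status[slot]))
        return status

    def authenticate(self, challenge):  # 1020, 1026
        status = self.check_downstream()
        report = ",".join(f"{s}={status[s]}" for s in sorted(status)).encode()
        # The tag covers the host's challenge and the report, so the report
        # cannot be altered or replayed without the key.
        return report, respond(self._key, challenge + report)


def host_authenticate(key, second_device):
    """First device 802: returns (success, per-slot status), as decided in 1030."""
    challenge = secrets.token_bytes(32)
    report, tag = second_device.authenticate(challenge)
    if not hmac.compare_digest(tag, respond(key, challenge + report)):
        return False, {}  # the second device itself did not authenticate
    status = dict(item.split("=") for item in report.decode().split(",") if item)
    return all(v == "genuine" for v in status.values()), status


def demo():
    key_a = bytes.fromhex("11" * 32)  # constructed customer-specific keys
    key_b = bytes.fromhex("22" * 32)
    adb = SecondDevice(key_a, ["detector", "hv_supply", "tube"])
    # One genuine part, one part keyed for another customer, one slot empty.
    adb.installed = {"tube": Part(key_a), "detector": Part(key_b)}
    mixed = host_authenticate(key_a, adb)
    # Every required slot filled with a part holding this customer's key.
    adb.installed = {slot: Part(key_a) for slot in adb.required_slots}
    genuine = host_authenticate(key_a, adb)
    return mixed, genuine, adb.failure_log


if __name__ == "__main__":
    print(demo())
```

A part keyed for a different customer and an empty slot both fail, which matches the page's point that missing and third-party components cannot pass authentication.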
- Some embodiments include a device 102 , comprising: a mounting structure configured to mount the device 102 to an external component 104 ; first circuitry 112 ; and anti-tamper circuitry electrically connected to the first circuitry 112 and configured to disable at least one function of the first circuitry 112 when the device 102 is removed from the external component 104 .
- the external component 104 may include a wall, housing, or other structure that is not controlled by the first circuitry 112 .
- the first circuitry 112 is configured to control the external component 104 .
- the at least one function of the first circuitry 112 includes functions that are not related to the control of the external component 104.
- the at least one function of the first circuitry 112 comprises functions of the first circuitry 112 that control the external component 104 .
- the device 102 further comprises: a housing 116 coupled to the mounting structure wherein the housing 116 is configured to restrict access to disarm the anti-tamper circuitry when the device 102 is mounted to the external component 104 .
- the anti-tamper circuitry 110 comprises: a switch 220 or SW 1 coupled to the mounting structure 116 and configured to switch when the device 102 is removed from the external component 104 .
- the switch 220 or SW 1 is configured to switch by a structure of the external component 104 when mounted on the external component 104 .
- the anti-tamper circuitry 110 comprises: a power supply 502 disposed within the device 102 and configured to supply power after detecting removal of the device 102 from the external component 104 ; and a disable circuit 504 configured to disable the at least one function of the first circuitry 112 ; wherein the switch 220 or SW 1 is configured to electrically connect the power supply 502 to the disable circuit 504 when the device 102 is removed from the external component 104 .
- the first circuitry 112 includes a processor 113 ; and the anti-tamper circuitry 110 is configured to erase at least a portion of memory 118 or 808 used by the processor 113 when the device 102 is removed from the external component 104 .
- the at least a portion of memory 118 or 808 used by the processor 113 comprises memory 118 or 808 integrated with the processor 113 .
- the at least a portion of memory 118 or 808 used by the processor 113 stores cryptographic information.
- the device 102 is part of electronics associated with an x-ray system; and the external component 104 is an x-ray tube 736 or 836 of the x-ray system 700 or 800 b.
- the device 102 is part of a component authentication system associated with an x-ray system 700 or 800 b.
- Some embodiments include a method, comprising: detecting, by a device 102 , removal of the device 102 from a component 104 external to the device 102 ; and disabling at least one function of circuitry 112 of the device 102 in response to detecting the removal of the device 102 from the component 104 .
- the detecting, by the device 102 , removal of the device 102 from the component 104 comprises detecting physical separation of a structure of the device 102 and a structure of the component 104 external to the device 102 .
- the disabling of at least one function of the circuitry 112 of the device 102 comprises: powering a disable circuit 504 from an internal power supply 502 ; and disabling the at least one function of the circuitry of the device 102 using the disable circuit 504 .
- the detecting, by the device 102 , removal of the device 102 from the component 104 comprises detecting physical separation of a structure of the device 102 and a structure of the component 104 external to the device 102 .
- the method further comprises: installing the device 102 on the component 104; and arming anti-tamper circuitry 110 configured to disable at least one function of the circuitry of the device 102.
- the method further comprises: resetting anti-tamper circuitry 110 configured to disable at least one function of the circuitry 112 of the device 102.
- Some embodiments include a device, comprising: means for detecting, by a device, removal of the device from a component external to the device; and means for disabling at least one function of circuitry of the device in response to the means for detecting the removal of the device from the component.
- the means for detecting include the anti-tamper circuitry 110 , switch 220 or SW 1 , or the like.
- Examples of the means for disabling at least one function of circuitry of the device include the anti-tamper circuitry 110 , the processor 113 , the memory 118 or 808 , or the like.
- the device further comprises: means for detecting physical separation of the device from the component; and means for erasing at least part of memory of the circuitry in response to the means for detecting physical separation of the device 102 from the component.
- the means for detecting physical separation of the device from the component include the anti-tamper circuitry 110 , switch 220 or SW 1 , or the like.
- the means for erasing at least part of memory of the circuitry comprise the anti-tamper circuitry 110 , the processor 113 , the memory 118 or 808 , or the like.
- Some embodiments include a method, comprising: receiving from a first device 802 at a second device 804 , a request for a system identifier (ID) stored on the second device 804 ; determining, by the second device 804 , if the system ID stored on the second device 804 has an empty value; and when the system ID stored on the second device 804 does not have the empty value, transmitting, by the second device 804 to the first device 802 , a response based on the system ID stored on the second device 804 .
- the method further comprises: when the system ID stored on the second device 804 has the empty value, communicating, by the second device 804 to the first device 802 , that the system ID stored on the second device 804 has the empty value.
- the method further comprises: receiving, from the first device 802 by the second device 804 , the system ID; and storing, by the second device 804 , the system ID received from the first device 802 as the system ID stored on the second device 804 .
- storing, by the second device 804 , the system ID received from the first device 802 as the system ID stored on the second device 804 comprises storing, by the second device 804 , the system ID received from the first device 802 in one-time-write memory 808 .
- transmitting, by the second device 804 to the first device 802 , the response based on the system ID stored on the second device 804 comprises encrypting the system ID stored on the second device 804 and transmitting, by the second device 804 to the first device 802 , the encrypted system ID.
- the method further comprises: transmitting, by the second device 804 to a third device 812 , a request for a system ID stored on the third device 812 ; and receiving, by the second device 804 from the third device 812 , a response to the request for the system ID stored on the third device 812 .
- the method further comprises: transmitting, by the second device 804 to the first device 802 , a response based on the response to the request for the system ID stored on the third device 812 .
- the method further comprises: determining, by the third device 812 , if the system ID stored on the third device 812 has the empty value; and when the system ID stored on the third device 812 has the empty value, communicating, by the third device 812 to the second device 804 , that the system ID stored on the third device 812 has the empty value.
- the method further comprises: storing, by the third device 812 , the system ID received from the second device 804 as the system ID stored on the third device 812 .
- the second device 804 is an authentication device for an x-ray system 800 b ; and the third device 812 is a control device for an x-ray tube 836 of the x-ray system 800 b.
- Some embodiments include a method, comprising: transmitting, from a first device 802 to a second device 804 , a request for a system identifier (ID) stored on the second device 804 ; receiving, from the second device 804 by the first device 802 , a response to the request for the system ID stored on the second device 804 ; determining, by the first device 802 , if the system ID stored on the second device 804 is a correct system ID for a system including the second device 804 ; and operating the system including the second device 804 , by the first device 802 , based on whether the system ID stored on the second device 804 is the correct system ID for the system including the second device 804 .
- operating the system including the second device 804 comprises enabling counter measures when the system ID stored on the second device 804 is not the correct system ID for the system including the second device 804 .
- the counter measures comprise at least one of disabling the second device 804, disabling the system including the second device 804, or presenting to a user a warning that the system ID stored on the second device 804 and the correct system ID for the system including the second device 804 do not match.
- operating the system including the second device 804 comprises, when the system ID stored on the second device 804 matches the correct system ID for the system including the second device 804 , transmitting, by the first device 802 to the second device 804 , a request for verification of devices subordinate to the second device 804 .
- the method further comprises: receiving, by the first device 802 from the second device 804 , a response to the request for verification of devices subordinate to the second device 804 ; wherein operating the system including the second device 804 comprises operating the system based on the response to the request for verification of at least one device subordinate to the second device 804 .
- the second device 804 is an authentication device for an x-ray system 800 b ; and the at least one device subordinate to the second device 804 is a control device for an x-ray tube 836 of the x-ray system 800 b.
- the method further comprises: transmitting, from the first device 802 to the second device 804 , a request for authentication of the second device 804 ; and receiving, by the first device 802 from the second device 804 , a response to the request for authentication of the second device 804 ; wherein operating the system including the second device 804 comprises operating the system including the second device 804 based on the response to the request for authentication of the second device 804 .
- Some embodiments include a device, comprising: means for receiving, from a first external device, a request for a system identifier (ID) stored on the device; means for determining if the system ID stored on the device has an empty value; and means for transmitting, to the first device, a response based on the system ID stored on the device when the system ID stored on the device does not have the empty value.
- Examples of the means for receiving, from a first external device, a request for a system identifier and the means for transmitting, to the first device, a response based on the system ID include the second device 804 , the third device 812 or the like.
- the device further comprises: means for transmitting, to a second external device, a request for a system ID stored on the second external device; and means for receiving, from the third device, a response to the request for the system ID stored on the second external device.
- the means for transmitting, to a second external device, a request for a system ID and the means for receiving, from the third device, a response to the request for the system ID include the second device 804 , the third device 812 or the like.
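The system ID exchange in the embodiments above (request, empty-value report, one-time-write store, comparison, and relay to a subordinate device), modelled in C as an added example that is not code from the patent. The `written` flag standing for the empty value, the 8-byte ID, all function names and the sample IDs are assumptions, and the response travels in the clear here where the embodiment above encrypts it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_LEN 8   /* assumed ID size */

/* Ordered by severity so the worse of two verdicts is the larger value. */
enum verdict { ID_MATCH = 0, ID_PROVISIONED = 1, ID_MISMATCH = 2 };

/* A device holding a system ID in one-time-write memory. The "written"
 * flag models the empty value (assumption; real parts may use fuses). */
struct component {
    const char *name;
    uint8_t system_id[ID_LEN];
    bool written;
    struct component *subordinate;  /* e.g. third device 812, or NULL */
};

/* One-time-write store: succeeds only while the stored ID is empty. */
static bool otw_store(struct component *c, const uint8_t id[ID_LEN])
{
    if (c->written)
        return false;               /* already bound to some system */
    memcpy(c->system_id, id, ID_LEN);
    c->written = true;
    return true;
}

/* Device side: answer a request for the stored system ID.
 * Returns false to report the empty value, true with the ID otherwise. */
static bool handle_id_request(const struct component *c, uint8_t out[ID_LEN])
{
    if (!c->written)
        return false;
    memcpy(out, c->system_id, ID_LEN);
    return true;
}

/* Requester side: check device c against the expected ID, binding it on
 * first installation, then let c check its own subordinate and relay
 * the result upward. */
static enum verdict verify(struct component *c, const uint8_t expected[ID_LEN])
{
    uint8_t reported[ID_LEN];
    enum verdict v = ID_MATCH;

    if (!handle_id_request(c, reported)) {
        if (!otw_store(c, expected))
            return ID_MISMATCH;
        v = ID_PROVISIONED;
    } else if (memcmp(reported, expected, ID_LEN) != 0) {
        return ID_MISMATCH;         /* caller enables counter measures */
    }

    if (c->subordinate != NULL) {
        enum verdict sub = verify(c->subordinate, c->system_id);
        if (sub > v)
            v = sub;
    }
    return v;
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case ID_MATCH:       return "match";
    case ID_PROVISIONED: return "provisioned on first installation";
    default:             return "mismatch, counter measures";
    }
}

int main(void)
{
    /* Constructed sample IDs and devices. */
    const uint8_t sys_a[ID_LEN] = {'S','Y','S','-','A','0','0','1'};
    const uint8_t sys_b[ID_LEN] = {'S','Y','S','-','B','0','0','2'};
    struct component tube = {"tube control 812", {0}, false, NULL};
    struct component auth = {"authentication device 804", {0}, false, &tube};
    struct component used = {"tube control from system B", {0}, false, NULL};

    printf("first power-up: %s\n", verdict_name(verify(&auth, sys_a)));
    printf("later power-up: %s\n", verdict_name(verify(&auth, sys_a)));

    otw_store(&used, sys_b);        /* was bound to another system earlier */
    auth.subordinate = &used;       /* swapped into system A */
    printf("after swap:     %s\n", verdict_name(verify(&auth, sys_a)));
    printf("rebind attempt: %s\n", otw_store(&used, sys_a) ? "stored" : "refused");
    return 0;
}
```

The one-time-write store is what keeps a device taken from another system from being rebound: a stored ID that is not empty can only be compared, never replaced.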
- Some embodiments include at least one non-transitory machine-readable storage medium comprising a plurality of instructions adapted to be executed to implement the method described above.
- Circuitry can include hardware, firmware, program code, executable code, computer instructions, and/or software.
- a non-transitory computer readable storage medium can be a computer readable storage medium that does not include a signal.
- the operations described above may be implemented in various circuitry.
- the operations may be implemented as a hardware circuit comprising custom very-large-scale integration (VLSI) circuits or gate arrays, including but not limited to logic chips, transistors, or other components.
- the operations may also be implemented in programmable hardware devices, including but not limited to field programmable gate arrays (FPGA), programmable array logic, programmable logic devices or similar devices.
Description
- Systems may be formed from a variety of different devices. Manufacturers, system integrators, or the like may design and install a particular system with authorized components. However, a third-party supplier may swap devices on similar systems or install used or third-party components, which may lead to performance issues and/or damage to components of the system.
- FIGS. 1A-1C are block diagrams of systems including a device with anti-tamper circuitry according to some embodiments.
- FIG. 2 is a block diagram of a device with anti-tamper circuitry according to some embodiments.
- FIGS. 3A-3C are block diagrams of circuitry of devices with anti-tamper circuitry according to some embodiments.
- FIGS. 4A-4B are cross-sectional diagrams illustrating mounting a device with anti-tamper circuitry on an external component according to some embodiments.
- FIGS. 5A-5D are schematic diagrams of circuitry of anti-tamper circuitry according to some embodiments.
- FIGS. 6A and 6B are flowcharts showing techniques of operating a device with anti-tamper circuitry according to some embodiments.
- FIG. 7 is a block diagram of an x-ray system according to some embodiments.
- FIGS. 8A-8B are block diagrams of systems including an authorization system according to some embodiments.
- FIGS. 9A-10C are flowcharts showing examples of techniques of operating an authorization system according to some embodiments.
- Before any embodiments of the invention are explained in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of components set forth in the following description or illustrated in the following drawings. The invention is capable of other embodiments and of being practiced or of being carried out in various ways. Numbers provided in flow charts and processes are provided for clarity in illustrating steps and operations and do not necessarily indicate a particular order or sequence. Unless otherwise defined, the term “or” can refer to a choice of alternatives (e.g., a disjunction operator, or an exclusive or) or a combination of the alternatives (e.g., a conjunction operator, and/or, a logical or, or a Boolean OR).
- Some embodiments relate generally to mechanisms, methods, and systems to disable a component authentication system when removed from a component. Some embodiments relate generally to switches and disabling components and/or circuitry.
- Electronic devices may be used in an attempt to block the use of third-party components in systems such as computed tomography (CT) and x-ray systems. However, such electronic devices may be removed from systems including old, broken, or worn-out components, such as x-ray tubes. The electronic devices may then be installed on third-party or used tubes to be sold for use in an original equipment manufacturer (OEM) system. For example, a third party may access an old, used, or broken x-ray tube from which the electronic devices can be removed. The electronic device can then be installed on a new, used, or third-party tube to enable the tube to simulate a genuine tube in the system.
- As described herein, anti-tamper circuitry may not prevent the removal of the components or the electronic devices themselves but may disable at least some to all of the functionality of the device such as disabling authentication or other functions, deleting configuration information, or the like. As a result, the electronic device may not be able to perform those functions without having a manufacturer or authorized service representative reprogram the device. Thus, an unauthorized party may no longer be able to reuse the electronic device and access some to all of the functionality. As will be described in further detail below, the effect of the loss of some to all of the functionality may result in a range of effects from a warning message to disabling of the electronic device or a system including the electronic device.
- In some embodiments, in an x-ray system, an x-ray tube designed and built by the manufacturer may include tube specific information to be used in conjunction with a tube auxiliary unit (TAU) to function with proper imaging and without damage to the tube. That tube specific information may reside in non-volatile random-access memory (NVRAM), such as flash memory or solid-state storage, of the TAU. Since some of the information stored in the TAU is tube specific, if its TAU were to be swapped to a different tube, its tube specific information would no longer match the specific x-ray tube. The mismatch could cause image quality issues and/or irreparable x-ray tube damage if used. The anti-tamper circuitry may reduce or eliminate a chance that the TAU is swapped between different x-ray tubes and provides the incorrect tube specific information to a system.
- FIGS. 1A-1C are block diagrams of systems including a device with anti-tamper circuitry according to some embodiments. FIG. 2 is a block diagram of a device with anti-tamper circuitry according to some embodiments.
- Referring to FIGS. 1A and 2, the system 100a includes a device 102 configured to be mounted to an external component 104. The device 102 includes anti-tamper circuitry 110 and circuitry 112.
- Examples of the device 102 include devices with circuitry 112 that may include customized components, firmware, software, data or the like. The firmware or software may include instructions that implement proprietary communication and/or control techniques with other circuitry 122 or circuitry 120 of the external component 104. In other embodiments, the data may include authentication information, cryptographic information, performance data, or the like. Particular examples of the device 102 include an authentication circuit for a system, a control circuitry for an x-ray tube, or the like.
- The external component 104 may include a purely structural component and/or a circuitry with some functional capabilities. For example, in some embodiments, the external component 104 is a housing of a system that includes the device 102. The device 102 may be mounted to that housing and hence, mounted to the external component 104.
- The device 102 includes a housing 116 configured to restrict access to disarm the anti-tamper circuitry 110 when the device 102 is mounted to the external component 104. For example, the housing 116 may include a sealed case surrounding the anti-tamper circuitry 110 and the circuitry 112. When the housing 116 is mounted to the external component 104, the combination of the housing 116 and the external component 104, such as a wall 124 of the external component 104, may completely enclose the anti-tamper circuitry 110 and the circuitry 112. In some embodiments, the combination may enclose the anti-tamper circuitry 110 and the circuitry 112 sufficiently to prevent access to the anti-tamper circuitry 110 or the circuitry 112 without significantly modifying or destroying the housing 116. The combination of the housing 116 and the external component 104 may be configured such that accessing the anti-tamper circuitry 110 or the circuitry 112 is significantly more difficult than removing the device 102 from the external component 104.
- The device 102 includes anti-tamper circuitry 110 electrically connected to circuitry 112. The anti-tamper circuitry 110 is configured to disable at least one function of the circuitry 112 when the device 102 is removed from the external component 104. In particular, the anti-tamper circuitry 110 is coupled to the external component 104 through coupling 114. This coupling 114 may be a mechanical, electrical, optical, magnetic, other similar couplings, or a combination of such couplings. For example, a switch may be switched when the device 102 is mounted on the external component 104. Switched can refer to either toggling from an on state to an off state or toggling from an off state to an on state. The switch may have a mechanically or magnetically switchable pole. A state of the switch may change depending on whether the device 102 is mounted on the external component 104 or if it is being removed from the external component. In other embodiments, the switch may change state when a fastener that is used to mount the device 102 on the external component is removed. In other embodiments, an electrical circuit may be created through a portion of the external component 104, such as through a metallic portion of the wall 124. Removal of the device 102 from the external component may be detected by a break in that circuit. Although some circuits and structures have been used as examples of configurations by which the anti-tamper circuitry 110 may sense the removal of the device 102 from the external component 104, the anti-tamper circuitry 110 may sense the removal in other ways.
- Embodiments described herein may be used anywhere where a device 102 should stay physically paired to the system 100a, the external component circuitry 120, the other circuitry 122, or another component or device to which they are mounted and/or associated. Paired in this sense could mean physically in touch, in proximity, in communication with, integrated into the device, or the like.
- In response to sensing the removal of the anti-tamper circuitry 110 from the external component 104, the anti-tamper circuitry 110 may be configured to disable at least one function of the circuitry 112. The particular function of the circuitry 112 may include a capability of general processing, the use of particular data, the ability to properly respond to authentication challenges, or the like. In some embodiments, data stored in the circuitry 112 may be erased. The data may include cryptographic information, authentication information, identification information, operational information, firmware, software, or the like. In some embodiments, non-volatile memory of the circuitry 112 may be erased to disable at least one function. In other embodiments, fuses that affect operation of the circuitry 112 may be blown to disable at least one function. While some embodiments may disable at least one function, in other embodiments, the anti-tamper circuitry 110 may be configured to disable all functions of the circuitry 112 or the entire device 102.
- In some embodiments, the circuitry 112 is configured to control the external component. The circuitry 112 may be coupled to the external component circuitry 120. In a particular example, the circuitry 112 may include control circuitry for an x-ray tube. The external component circuitry 120 may include an anode, cathode, filament, emitter, motor, steering electronics, focusing electronics, or other circuitry that may be part of an x-ray tube.
- In some embodiments, other techniques for preventing reuse could be triggered by radio-frequency identification sensors (RFID), light sensors, proximity sensors, bar code readers, cameras that process the tube serial number or other identifying features, trip wires, tamper resistant mounting, or any combination of such techniques. These techniques could be paired with the ability of the anti-tamper circuitry 110 to disable at least one function of the circuitry 112 as described herein.
- Referring to FIGS. 1B and 2, in some embodiments, the external component 104 may be another device 106. For example, the device 106 may be an interface circuit board configured to provide an interface between a system control component and other components of the system. In a particular example, the device 106 may be an interface board that converts controls and/or communication between the system controller for an x-ray system and particular sub-systems, such as an x-ray generation subsystem, a power sub-system, a detector sub-system, a cooling subsystem, a user interface sub-system, or the like.
- The device 102 may be an authentication daughter board (ADB) configured to store authentication information, perform authentication functions, negotiate authentication between a system controller and the device 106 or other sub-systems of the system 100b, or the like.
- Referring to FIG. 1C, in some embodiments, more than one device 102 may be mounted on the external component 104. In this example, N devices 102 are mounted on the external component 104. The devices 102-1 to 102-N may be the same, similar, or different. However, some to all of the devices 102-1 to 102-N may include the anti-tamper circuitry 110 described herein.
- In some embodiments, the anti-tamper circuitry 110 prevents the reuse, modification, tampering, replacement, or reinstallation of the device 102, by a third party or onto a third-party component. As described above, the device 102 may be part of an authentication system. The authentication system may be configured to determine whether or not a component in the system, which may be the device 102, the external component 104, or another component, is a genuine manufacturer or OEM component by issuing an encrypted challenge question to a cryptographic electronic device on the component.
- In a particular example, the device 102 may include the cryptographic electronic device as part of the circuitry 112. The device 102 includes the circuitry that controls the external component 104. If the cryptographic electronic device can be removed from the genuine component and installed on a counterfeit component, then the authentication system can be defeated. However, the anti-tamper circuitry 110 is triggered upon removal of the device 102. The at least one function of the circuitry 112 that is disabled may include the authentication functions, authentication information, or the like. After the anti-tamper circuitry 110 is triggered, the cryptographic electronic device would no longer respond properly to authentication requests. As a result, the system 100 would have an indication that the device 102 and/or external component 104 can no longer be trusted to be a genuine manufacturer or OEM component.
- In some embodiments, service contracts may be a large source of revenue for an OEM. Anti-tamper circuitry 110 as described herein may be used by the OEM to reduce or eliminate an ability of third-party manufacturers or resellers to install competing or replacement products, or incompatible components that can result in performance and patient safety issues.
- FIGS. 3A-3C are block diagrams of circuitry of devices with anti-tamper circuitry according to some embodiments. In these embodiments, the circuitry includes anti-tamper circuitry 110 similar to that described above, a processor 113, and a memory 118. The processor 113 and memory 118 are examples of circuitry 112 described above.
- The processor 113 may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit, a microcontroller, a programmable logic device, discrete circuits, a combination of such devices, or the like. The processor 113 may include internal portions, such as registers, cache memory, volatile memory, non-volatile memory, processing cores, or the like, and may also include external interfaces, such as address and data bus interfaces, interrupt interfaces, or the like. Although only one processor 113 is illustrated, multiple processors 113 may be present. In addition, other interface devices, such as logic chipsets, hubs, memory controllers, communication interfaces, or the like may be included to connect the processor 113 to internal and external components.
- The processor 113 is coupled to the memory 118. The memory 118 includes data such as cryptographic information, authentication information, identification information, operational information, firmware, software, or the like as described above. The anti-tamper circuitry 110 is configured to erase at least a portion of the memory 118 used by the processor 113 when the device 102 is removed from the external component 104. In some embodiments, the erasure may be of all of such data. In other embodiments, the erasure may be of a sufficient quantity and quality of the data to render the device 102 inoperable, such as the erasure of secret information such as cryptographic keys.
- Referring to FIG. 3A, in some embodiments, the processor 113 includes on-chip or otherwise integrated memory 118a. As a result, when the anti-tamper circuitry 110 erases at least a portion of the memory 118a, the memory erased is memory integrated with the processor 113.
- Referring to FIG. 3B, in some embodiments, the anti-tamper circuitry 110 is coupled to the processor 113. The processor 113 is coupled to external memory 118b. The anti-tamper circuitry 110 may be configured to activate the processor 113 and cause the processor 113 to execute commands to erase the at least a portion of the external memory 118b. For example, the anti-tamper circuitry 110 may cause the processor to execute an interrupt service routine that erases the portion of the memory 118b. In another example, the anti-tamper circuitry 110 may be configured to boot the processor 113 in a mode specifically designed to erase the portion of the memory 118b. Although the processor 113 is illustrated as being directly coupled to the memory 118b, in other embodiments, other intervening circuitry may be present, such as a memory controller.
- Referring to FIG. 3C, in some embodiments, the anti-tamper circuitry 110 may be configured to access the memory 118c without accessing the processor 113. Accordingly, the anti-tamper circuitry 110 may be configured to erase the portion of the memory by controlling the memory 118c.
- While a variety of configurations of the anti-tamper circuitry 110, processor 113, and memory 118 have been described above, in other embodiments, the anti-tamper circuitry 110, processor 113, and memory 118 may be coupled in any manner such that the anti-tamper circuitry 110 may cause the portion of the memory 118 used by the processor 113 to be erased.
- FIGS. 4A-4B are cross-sectional diagrams illustrating mounting a device with anti-tamper circuitry on an external component according to some embodiments. FIG. 4A illustrates a state of a device 102 and an external component 104 before the device 102 is mounted to the external component 104 or after the device 102 is removed from the external component 104. FIG. 4B illustrates a state of the device 102 and the external component 104 when the device 102 is mounted to the external component 104.
- Referring to FIGS. 4A and 4B, in some embodiments, the device 102 includes a housing 116. The device 102 includes a switch 220. The switch 220 is coupled to the housing 116. Although the housing 116 is illustrated as an example of a mounting structure of the device 102, in other embodiments, the mounting structure may be a structure other than the housing 116. The mounting structure may be any structure, board, component, or the like that remains with the device 102 when the device is moved relative to the external component 104. The housing includes a flange 212. A fastener 214 may be used to attach the housing 116 to the wall 124 of the external component 104. While mounting components such as the flange 212 and fastener 214 have been used as examples, in other embodiments, different mounting techniques may be used.
- The switch 220 is configured to switch when the device 102 is removed from the external component 104. When the device 102 is in the state illustrated in FIG. 4A, the switch 220 has a pole 222 in a first state. In a particular example, the switch 220 may be a momentary normally closed switch. Thus, in the state illustrated in FIG. 4A, the switch 220 is closed.
- As the device 102 is mounted on the external component 104 as illustrated in FIG. 4B, a structure 204 of the external component 104 causes the pole 222 of the switch 220 to switch. Thus, the switch 220 is opened.
- In some embodiments, the structure 204 is a protrusion, wall, rib, gusset, fastener, or the like. The structure 204 is disposed on the external component 104 such that when the device 102 is mounted on the external component 104, the structure 204 toggles the state of the switch 220.
- Although a particular structure of the device 102, external component 104, and switch 220 has been used as an example, any mechanism and associated structures may be used that causes the switch 220 to be in a first state when mounted and in a second state when removed. In particular, the mechanism and associated structures may be formed such that the switch 220 changes state before the anti-tamper circuitry 110 may be accessed to disable the anti-tamper circuitry 110 or otherwise prevent it from disabling at least one function of the circuitry 112 as described above.
- In addition, the switch 220 need not be mechanically switched. For example, the switch 220 may be magnetically switched. The structure 204 may include a magnet or a ferromagnetic material according to the structure of the switch 220 such that the switch 220 changes state as the device 102 is mounted to or removed from the external component 104.
- While a single switch 220 has been used as an example, in other embodiments, multiple switches 220 in different locations and/or different configurations may be used. In some embodiments, any one of these switches 220 may be used by the anti-tamper circuitry 110 to disable at least one function of the circuitry 112.
FIGS. 5A-5D are schematic diagrams of circuitry of anti-tamper circuitry according to some embodiments. Referring to FIG. 5A, the anti-tamper circuitry 110a includes a power supply 502 and a disable circuit 504. The power supply 502 is configured to generate power that may be used by the disable circuit 504 and potentially a portion of the circuitry 112.

The power supply 502 is disposed within the device 102. The power supply 502 is configured to supply power after detecting removal of the device 102 from the external component 104. The power supply 502 may include a battery, a capacitor, a supercapacitor, or any other energy storage device that may be disposed within the device 102. In some embodiments, the power supply 502 may be charged by an external power source 506.

In some embodiments, the power supply 502 may include switches that connect the power supply 502 to other components of the anti-tamper circuitry 110 when the device 102 is removed from the external component 104.

The disable circuit 504 is a circuit configured to disable the at least one function of the circuitry 112. In this example, the disable circuit 504 includes an ERASE output. The ERASE output is a signal coupled to an ERASE input on a processor, memory, or the like of the circuitry 112 that would initiate an erase command to erase memory or otherwise disable the at least one function.

In some embodiments, power PWR may also be provided to some components of the circuitry 112. In particular, the device 102 may not be connected to an external power source or the external power source may be disabled when the device 102 is being removed from the external component 104. The power supply 502 may instead supply the power needed to allow the disable circuit 504 to disable the at least one function of the circuitry 112.

Referring to FIG. 5B, the anti-tamper circuitry 110b includes battery B1 and switch SW1. A single battery B1 is illustrated; however, in other embodiments, multiple batteries may be used. The switch SW1 is a double-pole double-throw switch (DPDT). The switch SW1 is coupled such that in the illustrated state, 3.3V is coupled to VDD_CPU and no connection is made to ERASE_CPU. In the other state, both VDD_CPU and ERASE_CPU are coupled to the battery B1.

VDD_CPU is a power supply for a processor that may be part of the circuitry 112. ERASE_CPU is a signal that commands the processor of the circuitry 112 to erase some or all of its memory. As a result, the at least one function of the circuitry 112 may be disabled. The switch SW1 is illustrated in the state when the corresponding device 102 is mounted to the external component 104. When removed, the switch SW1 will transition to the other state, which will supply power to the processor through VDD_CPU and supply the erase signal through ERASE_CPU.

The isolator I is a removable structure configured to disconnect the battery B1 from the switch. When in place, the battery B1 will be disconnected and will not supply power to the switch SW1. Thus, ERASE_CPU will not be activated. The isolator I may be in place during installation to disable the anti-tamper circuitry 110b.

Other circuitry illustrated may provide a status indicator for a variety of states. R1 is coupled to VDD_CPU and pulls down the input to AND gate U1. The other input to AND gate U1 is an error signal ERROR_N. When the device 102 is being installed and the 3.3V power is applied, the switch SW1 will be in the opposite state. However, as the isolator I is present, the battery will not enable ERASE_CPU. VDD_CPU will not be coupled to 3.3V and will be pulled down by R1. Thus, the output of AND gate U1 will be low, turning on LED D1. Once the device 102 is properly installed, the switch SW1 will change to the illustrated state and VDD_CPU will be set to 3.3V. The AND gate U1 output will switch to high, assuming there is no error indicated by a low on ERROR_N. The high output will cause the LED D1 to turn off. As a result, an installer will receive a visual indication that the device 102 is installed such that the switch SW1 is in the illustrated state.

Once installed, the isolator I may be removed. ERROR_N will control the output of the AND gate U1 and whether LED D1 is on. Thus, the LED D1 will act as an error indicator. However, if the device 102 is removed, the switch SW1 will change state, activating VDD_CPU and ERASE_CPU.

In an example, the SW1 switch is a normally closed (NC) double pole, double throw (DPDT) switch where the closed state couples the battery B1 to ERASE_CPU. The switch can be normally closed (NC) and open when the switch is depressed, such as when the device 102 is installed and a feature of the external component 104 presses on the switch.

Referring to FIG. 5C, the operation may be similar to that of FIG. 5B. However, VCC_INSTALL is a power voltage supplied during installation when 3.3V may not be active. Resistors R3 and R4 are in series with LED D2 for either VCC_INSTALL or 3.3V. Thus, when the cathode of LED D2 is pulled low, LED D2 will turn on. Buffer U2 is an open-drain buffer. Inverter U3 is an open-drain inverter. Thus, if the input to U2 is low or if the input to U3 is high, the LED D2 will be turned on.

When the switch is in the installed state, ERASE_CPU and the nodes coupled to resistors R5, R6, R7, and Q1 are pulled to ground and transistor Q1 is off. However, once the device 102 is removed from the external component 104, switch SW1 changes state, increasing the voltage of node N1, pulsing ERASE_CPU until C1 charges. R5 and C1 are selected to provide a sufficient pulse to erase a portion of the memory to disable the at least one function.

Referring to FIG. 5D, the operation of U2, U3, resistors R8, R9, and R10, diodes D3 and D4, and LED D5 may be similar to that of FIG. 5C. Here diodes D3 and D4 may isolate VCC_INSTALL from 3.3V. The operation of the anti-tamper circuitry 110d may be similar to that of anti-tamper circuitry 110c of FIG. 5C.

Although 3.3V has been used as an example of a power supply voltage, in other embodiments, the power supply voltage may be different.
FIGS. 6A and 6B are flowcharts showing techniques of operating a device with anti-tamper circuitry according to some embodiments. Referring to FIG. 6A, in 604 the removal of a device 102 from an external component 104 is detected. As described above, a variety of techniques may be used to detect the removal of the device 102. For example, the change in the state of a switch, the change in a magnetic field, the breaking of a circuit or the like may provide an indication of whether the device 102 is being removed from the external component 104.

In 606, at least one function of the device 102 is disabled. As described above, the at least one function may be disabled by erasing data, disabling components, such as a processor, or the like. Various forms of the anti-tamper circuitry 110 may be used to perform the disabling.

In some embodiments, the detecting of the removal of the device 102 may include detecting the physical separation of a structure of the device 102 and a structure of the external component 104. For example, the switch 220 may detect when the device 102 is moved relative to the external component 104.

Referring to FIG. 6B, in 600, the device 102 is installed on the external component 104. For example, during authorized installation, replacement of a part, and/or maintenance of a system, a device 102 may be prepared and mounted on the external component 104. During installation, the anti-tamper circuitry 110 may be disarmed. For example, as described above, a removable isolator I such as an insulating tape may be disposed between the power supply 502 contacts and the disable circuit 504.

In 602, the anti-tamper circuitry 110 may be armed. For example, once the device 102 is installed, the insulating tape may be removed, arming the anti-tamper circuitry 110. Before the insulating tape is removed, the device 102 may be mounted and removed repeatedly without engaging the anti-tamper circuitry 110. However, once removed, the anti-tamper circuitry 110 is armed and any attempt to remove the device 102 from the external component 104 may be detected and used to disable at least one function of the circuitry 112 of the device 102 in operations

Once the anti-tamper circuitry 110 has been triggered and at least one function of the circuitry 112 has been disabled, the device 102 may be reset in 608. Resetting the device 102 includes operations that return the device 102 to a state where it may again be installed or operated in an authorized manner. For example, the device 102 may be returned to an authorized repair facility. The erased data may be restored to the device 102, the disabled components may be reenabled, disabled components may be replaced, the isolator I described above may be reinstalled, or the like such that the device 102 is in a state similar to a device 102 that had not had the at least one function of the circuitry 112 disabled. Although returning the device 102 to an authorized repair facility has been used as an example, the resetting of the device 102 may be performed by an authorized repair technician with the appropriate data and/or components. An unauthorized party may not have the appropriate data and/or components and would not be able to restore the device 102 to an operating condition.
FIG. 7 is a block diagram of an x-ray system according to some embodiments. The x-ray system 700 includes a host controller 702, an interface board (IFB) 704, a tube auxiliary unit (TAU) 732, and an x-ray tube 736. These components may be mounted on a rotatable gantry 710.

In some embodiments, a device 102 is the IFB 704 or is part of the IFB 704. The external component 104 may be the gantry 710. Thus, at least one function of the IFB 704 may be disabled if the IFB 704 is removed from the gantry 710. The IFB 704 may include firmware, software, calibration data, secret information such as keys, IDs, or other cryptographic information, or the like that may be erased to disable at least one function.

In some embodiments, a device 102 is an authentication daughter board (ADB) 703 that is mounted on the IFB 704. The external component 104 may be the IFB 704. Information such as that described above may be erased if the ADB 703 is removed from the IFB 704.

In some embodiments, a device 102 is the TAU 732. The TAU 732 may be mounted on the x-ray tube 736. The external component 104 may be the x-ray tube 736. Thus, if the TAU 732 is removed from the x-ray tube 736, at least one function of the TAU 732 may be disabled. The TAU 732 may include data or firmware that may be erased similar to the IFB 704 or ADB 703.

In some embodiments, the host controller 702 is configured to control operations of components such as the gantry 710, the IFB 704, and the x-ray tube 736 through the TAU 732. While these components are used as examples, other components may be present such as an image detector, a high voltage (HV) generator, a heat exchanger, or the like. The host controller 702 may also be configured to communicate with the IFB 704 and perform various actions such as identification, authentication, or the like in addition to directing control of the system 700.

As described above, in some embodiments the IFB 704 includes the ADB 703. This configuration may allow for easier retrofitting of the ADB 703 to existing CT systems. The IFB 704 has a communication link to the host controller 702 and another communication link to the TAU 732. The ADB 703 contains cryptographic authentication hardware/firmware that allows for encrypted communication with both the host controller 702 and the TAU 732. The IFB 704 is a device that holds the ADB 703, supplies power to it, and translates the communications to the native communication protocol of the ADB 703.

The TAU 732 contains cryptographic authentication hardware/firmware that allows for encrypted communication with the IFB 704/ADB 703 and is attached to the x-ray tube 736. When a hospital installs a new x-ray tube with its attached TAU 732, the IFB 704/ADB 703 may challenge the TAU 732 to see if it is a genuine manufacturer or OEM x-ray tube.

In some embodiments, the authentication unit of the TAU 732 is mounted to the x-ray tube 736, but the authentication unit could also be an integral part of the x-ray tube 736. The anti-tamper circuitry 110 would be part of that authentication unit. Similarly, other components such as an x-ray detector or imager, an accelerator, or another device that it may be beneficial to render unusable after its removal from its original installation location may include a device 102. Each of those may have associated anti-tamper circuitry 110.

In a particular example, the removal of a used x-ray tube, x-ray detector, or imager from an x-ray or mammography system for the purpose of resale into another system may be prevented. Upon removal of the device 102, a switch in the anti-tamper circuitry 110 would trigger and could disable the authentication function, render the firmware unusable, prevent communication, or disable any other essential function that would allow further usage of the device 102.

In some embodiments, the anti-tamper circuitry 110 could also be used to reinforce software/firmware (SW/FW) licensing of TAU 732, x-ray tube 736, detector, or other device software that was sold to a specific customer under a license agreement that would only allow the original buyer to utilize the firmware/software (FW/SW) or hardware. In such an embodiment, the respective FW/SW would be automatically erased when the device is removed.

While a CT system with a rotatable gantry 710 has been used as an example of an x-ray system 700, the x-ray system 700 may take other forms.

Some embodiments relate generally to mechanisms, methods, and systems using a system identifier (ID) (or a device ID) in an encrypted form to a component.
In some embodiments, the mechanisms, methods, and systems described herein allow manufacturers or OEMs to detect unauthorized installation of components into their system. Currently, third-party suppliers can swap components on a system against used OEM components or third-party components, which can lead to warranty issues, quality issues, and, in the case of an imaging system, image quality issues, diagnostic issues, and misdiagnosis. Embodiments described herein allow for the detection of such unauthorized component changes to ensure the integrity of the system.

Without a system such as those described herein, third parties can buy used components and sell them back to customers and undercut OEM service contracts. In contrast, embodiments described herein allow OEM host systems to determine if their components are being swapped without their permission and/or prevent installation of an old, outdated or compromised component into a system that may affect operation, such as replacing a component in an imaging system that will affect the diagnosis of patients. Defective or not optimally functional components can lead to misdiagnosis and in extreme cases can cause permanent harm to the patient and even death.
FIGS. 8A-8B are block diagrams of systems including an authorization system according to some embodiments. Referring to FIG. 8A, the system 800a includes a first device 802 and a second device 804. The devices communication link 806. The communication link may be any medium that allows the devices communication link 806 may include a serial link, a parallel link, an automation communication link such as Modbus, CANbus, or the like, a computer bus such as peripheral component interconnect express (PCIe), nonvolatile memory express (NVMe), or the like, and/or a network such as an Ethernet network, a Fibre Channel network, or the like.

The second device 804 includes a non-volatile memory 808. The memory 808 may include any variety of non-volatile memory such as static random access memory (SRAM), flash memory, electrically erasable programmable read only memory (EEPROM), magnetic storage, or the like. In particular, the memory 808 includes at least a portion that is operable in a one-time-write manner. The memory 808 may include other non-volatile memory that is not configured for one-time-writes and/or volatile memory such as a dynamic random access memory (DRAM), a double data rate synchronous dynamic random access memory (DDR SDRAM) according to various standards such as DDR, DDR2, DDR3, DDR4.

Being one-time-write means that the portion of the memory 808 is writable once in a normal write operation. In some embodiments, the one-time write memory 808 may not be erased by other means. As a result, to change a value stored in the memory 808 would require replacing the memory 808. However, in other embodiments, the portion of the memory 808 may be erased by erasing the entire memory 808.

The memory 808 is configured to store a system identifier (ID) in the one-time-write portion. The system ID is an identifier associated with the system 800a. The system ID may be unique to the system 800a such as by being a universally unique ID (UUID) or globally unique ID (GUID). The system ID for all devices particular device system 800a and that device system 800a and a portion unique to the particular device device

The value of the system ID may take a variety of forms. For example, the system ID may exist in an original form where the stored data is the system ID. However, in other examples, an encrypted form of the system ID, a hash of the system ID, or other representations of the system ID may be stored as the system ID and treated as such with appropriate decoding or other manipulation.
As will be described in further detail below, a system ID can be stored on devices 804 in a system 800a. The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device

In some embodiments, the first device 802 may be coupled to multiple second devices 804-1 to 804-N. Each second device 804 may be coupled to zero to multiple third devices 812-1 to 812-M.
FIGS. 9A-10C are flowcharts showing examples of techniques of operating an authorization system according to some embodiments. In the following descriptions of techniques of operating the system, operations of a first device 802, a second device 804, and a third device 812 of FIG. 8A will be used as examples.

Referring to FIGS. 8A and 9A, in 902, the first device 802 transmits a request for a system ID stored on the second device 804 to the second device. The second device 804 receives the request in 903. This transmission and other similar operations may occur over the communication link 806.

In 904, the second device 804 determines if the system ID stored on the second device has an empty value. The empty value represents a state where the second device 804 has not stored a system ID in the memory 808. An actual value may not be stored in the memory 808. Instead, a flag, register, state, or the like may indicate that the system ID has not been programmed into the memory 808. Checking such an indicator may be part of determining if the system ID has the empty value. A processor of the second device 804 may be configured to attempt to read the system ID, flag, register, state, or the like to make the determination.

In 906, a response based on the empty value is transmitted to the first device 802. In some embodiments, the response may be a system ID that has a specific meaning. For example, all zeros or all ones may be designated as an empty value for the system ID. In other embodiments, a particular value or values of the system ID may be designated as the empty value. That specific value may be specific to the second device 804 or the type of the second device 804, specific to the system 800a or the type of the system 800a, or the like. Regardless, it is a value that the first device 802 will recognize as indicating that the second device 804 does not store a system ID or that the system ID is the empty value.

In other embodiments, the empty value response may be a different type of message from that used to transmit an actual system ID. For example, the empty value response may be an error message. The error message may have an error number or code that indicates that the system ID is empty.
- In 908, the empty value response is received by the
first device 802. In response, thefirst device 802 transmits the system ID to thesecond device 804 in 910. Thesecond device 804 receives the system ID in 912 and stores it in the one-time write portion of thememory 808. Once the system ID is stored, thememory 808 cannot be reprogrammed with a different system ID without extraordinary steps as described above. As a result, thesecond device 804 is paired with thesystem 800 a. If thesecond device 804 is removed from thesystem 800 a and placed in another system, even an identical system, the system ID may not match. - If the system ID is determined to be stored at the
second device 804 in 904, a response based on the system ID is returned to thefirst device 802 in 914. For example, thesecond device 804 may read the system ID, encrypt it, and transmit the encrypted system ID to thefirst device 802. - The
first device 802 receives the response based on the system ID stored at thesecond device 804 in 916 and determines if the response indicates that the system ID stored at thesecond device 804 matches the actual system ID in 918. For example, thefirst device 802 may extract the system ID by reading it from the response, decoding an encrypted response, or the like and comparing it to the system ID stored on thefirst device 802. As described above, the system ID may be stored or encoded in a variety of formats. The comparison may be performed in a manner appropriate to the different formats. - If the system ID indicated by the response from the
second device 804 is not correct, if thesecond device 804 does not respond or times out, if thesecond device 804 returns an improper response, or the like, counter measures may be performed in 920. The counter measures may take a variety of forms. For example, in some embodiments, thesystem 800 a may be shutdown, thedevices system 800 a, reported over a network, or the like. In other embodiments, information related to the mismatching system IDs may be recorded inmemory 808 of thefirst device 802 and/or thesecond device 804. The related information may include a timestamp, model numbers and/or serial numbers of thefirst device 802 and/or thesecond device 804, number of times the system IDs had not matched, the mismatched system ID, the entire response received in 916, or the like. - In some embodiments, when response based on the system ID is transmitted to the
first device 802 from thesecond device 804 in 914, the communication may be encrypted. For example, a secure communication link may be established between the first andsecond devices second device 804 may be encrypted, or the like. As a result, it may be more difficult for an eavesdropper to obtain the correct system ID response from thesecond device 804. - The
system 800 a may be a hierarchical system that includes a third device ordevices 812 that are downstream from an associatedsecond device 804. In some embodiments, some or all communication between thefirst device 802 and thethird device 812 may pass through or be manipulated by the associatedsecond device 804. However, in other embodiments, only the communications related to the system ID may pass through or be manipulated by the associatedsecond device 804. - In some embodiments, the interactions between the
second device 804 and thethird device 812 may be the same or similar to the operations described with respect to thefirst device 802 and thesecond device 804. That is, once thesecond device 804 stores the system ID, the requesting, storing if empty, and verifying of the system ID may be performed between the second andthird devices - Referring to
FIGS. 8A, 9A, and 9B , in some embodiments, once thesecond device 804 has transmitted the system ID response in 914, thesecond device 804 may begin the operations described above with respect toFIG. 9B . A request for the system ID stored on thethird device 812 may be transmitted in 922 from thesecond device 804 to thethird device 812. Thethird device 812 may receive the request for the system ID stored on thethird device 812 in 924. Similar to the operations in 904 and 906 ofFIG. 9A , in 926 and 928, thethird device 812 may determine if the system ID is the empty value or has not been stored and, if so, return the empty value response. Similar to the operations in 908 and 910 ofFIG. 9A , in 930 and 932, the second device 803 receives the response indicating that the system ID stored on thethird device 812 has the empty value and transmits the system ID in response. In 934, thethird device 812 stores the system ID in thememory 808. Similar to the operations in 914 and 916, in 936 and 938, thethird device 812 may transmit a response based on the system ID stored on thethird device 812 and that response is received by thesecond device 804. Although the operations of thesecond device 804 and thethird device 812 have been described as being similar to those of thefirst device 802 andsecond device 804, in other embodiments, the operations may be different. For example, different encodings of the system ID, encryption used in transmission, format of responses, particular protocol, or the like may be used. - In 940, the
second device 804 may prepare a verification response based on the responses from thethird device 812. In some embodiments, the verification response may include the system ID response from thethird device 812 itself. In other embodiments, thesecond device 804 may determine if the system ID stored on thethird device 812 matches the system ID stored on thesecond device 804 similar to the interaction of thefirst device 802 in 918 ofFIG. 9A . The verification response may include an indication of whether the system ID stored on thethird device 812 is the correct system ID. - Referring to
FIGS. 8A, and 9A-9C , in some embodiments, if the system ID stored on thesecond device 804 is determined to be the correct system ID in 918, thefirst device 802 may transmit a verification request to thesecond device 804 in 941. In 942, thesecond device 804 receives the verification request. As described above, thesecond device 804 may prepare a verification response in 940. This verification response may be transmitted by thesecond device 804 to thefirst device 802 in 944. In 946, thefirst device 802 receives the verification response and determines if the verification was successful in 948 based on the response. If the verification was successful, operations continue in 952. - However, if the verification was not successful, counter measures may be performed in 950. The counter measures may be similar to those described with respect to 920. However, as the verification response may be associated with the
third device 812, the counter measures may also apply to thethird device 812. For example, thethird device 812 may be disabled, a notification may be presented identifying thethird device 812, or the like. - Referring to
FIGS. 8A, 9A, 9B, and 9D , in some embodiments, once thesecond device 804 has prepared the verification response in 940, thesecond device 804 may transmit the verification response in 944 to thefirst device 802 without waiting for the request transmitted in 941. The operations of thefirst device 802 in 946, 948, 950, and 952 may be similar to those described above. - Although the operations of the
first device 802 andsecond device 804 have been described in the context of communications between thefirst device 802 and one second device, the same or similar communications may occur between thefirst device 802 and multiple second devices 804-1 to 804-N. That is, thefirst device 802 may request the system ID for each of the second devices 804-1 to 804-N and perform operations similar to those described above. The operations for different second devices 804-1 to 804-N may be performed serially or in parallel. Decisions may be based on responses of only one of the second devices 804-1 to 804-N, some of the second devices 804-1 to 804-N, or all of the second devices 804-1 to 804-N. The results of matching or mismatching system IDs may be the same, similar, or different for different second devices 803-1 to 804-N. The operations described between asecond device 804 and athird device 812 may similarly be performed with multiplethird devices 812. Moreover, although a three-tier hierarchy has been used as an example, and hierarchy of devices may be part of thesystem 800 a where thefirst device 802 queries other devices for a system ID. - Referring to
FIG. 8B, in some embodiments, an x-ray system 800b includes a host controller 822, an ADB 824, a TAU 832, and an x-ray tube 836. The host controller 822 may be a system controller for the x-ray system 800b. The host controller 822 may act as the first device 802 of FIG. 8A and perform the associated operations described in FIGS. 9A-D.
- The ADB 824 may be a circuit that manages the system ID and authentication operations of the system 800b. The ADB 824 may include a memory 808. The ADB 824 may act as the second device 804 of FIG. 8A and perform the associated operations described in FIGS. 9A-D.
- The TAU 832 is a circuit configured to control the operation of the x-ray tube 836. For example, the TAU 832 may be configured to control cathode voltages/currents, anode voltages/currents, filament voltages/currents, focusing electronics, steering electronics, motors, or the like depending on the particular x-ray tube 836. The TAU 832 includes a memory 808 and may act as the third device 812 of FIG. 8A and perform the associated operations described in FIGS. 9A-D.
- While the TAU 832 has been used as an example of a device in an x-ray system 800b that may operate using a system ID as described herein, other devices in an x-ray system 800b may operate similarly. For example, a heat exchanger 840, detector 842, high voltage (HV) power supply 844, accelerator 846, or the like may operate using a system ID as described herein.
- In some embodiments, at initialization or installation, a system ID may be transmitted from the host controller 822 to the ADB 824 and stored in memory 808. The ADB 824 may similarly propagate the system ID to the other devices corresponding memory 808 of those devices. Thus, the devices of the system 800b may be paired with that system 800b. In normal operation, the devices will report the correct system ID and the system 800b may continue operation. However, if a part is replaced in an unauthorized manner with a different, existing system ID, the counter measures described above may be performed.
- In some embodiments, the host controller uses the ADB 824 to communicate with the rest of the manufacturer or OEM's components in the system 800b. In some embodiments the only components that are paired with the system 800b are the ADB 824 and the TAU 832.
- The use of the system ID as described herein in an x-ray system 800b may improve safety and/or longevity of the system 800b. In particular, the components of the system 800b may be aligned, calibrated, or otherwise configured for that specific x-ray system 800b. When the system 800b is initially installed, the empty system IDs in the various devices of the x-ray system 800b may be initialized to a system ID unique to that particular x-ray system 800b. If a device in the x-ray system 800b is replaced by a device from another system with a different system ID, the operation of the x-ray system 800b may not be the same and, with devices such as the x-ray tube 836, may become dangerous. As described above, the x-ray system 800b may take counter measures when such a situation is detected, notifying a user, shutting down the x-ray system 800b or a component, or the like. As a result, a chance that the x-ray system 800b will be operated in a manner that may lead to erroneous results and/or dangerous operating conditions may be reduced or eliminated.
- In some embodiments, the storage and verification of the system ID as described herein may limit a manufacturer or vendor's customers' ability to swap components themselves or through a third party. The verification process checks to see if the ADB 824, TAU 832, or the like is a genuine manufacturer or OEM product and that it hasn't been swapped to/from other x-ray systems. It prevents third party service organizations from buying used x-ray tubes on the open market, refurbishing them and then selling them back to customers such as hospitals. A manufacturer, vendor, system integrator, or the like may reduce a chance that their system is modified with devices from other systems, which may lead to undesirable or dangerous results.
- In some embodiments, use of the system ID as described herein may reduce a chance that a reworked device is installed in a system for which it was not intended. For example, a device that has been paired with a system and has a system ID may be returned for repair, updates, or the like. The device may be programmed with the original system ID or the system ID may be left intact. As a result, when that device is supplied to a customer or installer, the system ID will match the system ID of the original system. If the device is installed in a different system, even if a similar system or the same type of system, the system ID will not match and the counter measures described above may be performed. In some embodiments, the system ID may be left unprogrammed if a known customer or installer will reinstall the device in the same system.
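The pairing and verification flow described above for the host controller 822, ADB 824 and TAU 832, as an added Python sketch that is not part of the patent text. The class names, the `None` encoding of the empty system ID, the ID strings and the status labels are assumptions made for illustration.

```python
"""System-ID pairing and verification modelled on the flow described above.
Added illustration: names, ID strings and status labels are assumptions."""

EMPTY = None  # assumed encoding of the "empty" (unprogrammed) system ID


class OneTimeWriteError(Exception):
    """Raised when an already programmed system ID would be overwritten."""


class Device:
    """A paired component (third-device role, e.g. the TAU)."""

    def __init__(self, name, system_id=EMPTY):
        self.name = name
        self._system_id = system_id  # stands in for one-time-write memory 808

    def report_system_id(self):
        return self._system_id

    def store_system_id(self, system_id):
        if self._system_id is not EMPTY:
            raise OneTimeWriteError(f"{self.name} is already paired")
        self._system_id = system_id


def check(device, expected_id):
    """Pair a device whose ID is empty, otherwise compare its stored ID."""
    stored = device.report_system_id()
    if stored is EMPTY:
        device.store_system_id(expected_id)
        return "paired"
    return "ok" if stored == expected_id else "mismatch"


class AuthBoard(Device):
    """Second-device role (the ADB): verifies the devices subordinate to it."""

    def __init__(self, name, subordinates, system_id=EMPTY):
        super().__init__(name, system_id)
        self.subordinates = list(subordinates)

    def verify_subordinates(self):
        # The board propagates or compares the system ID it holds itself.
        return {d.name: check(d, self._system_id) for d in self.subordinates}


def host_verify(expected_id, board):
    """First-device role (host controller): check the board, then its subordinates."""
    report = {board.name: check(board, expected_id)}
    if report[board.name] != "mismatch":
        # Subordinates are only queried through a board that matched.
        report.update(board.verify_subordinates())
    return report


def countermeasures_needed(report):
    """Names of devices whose stored ID belongs to a different system."""
    return sorted(n for n, status in report.items() if status == "mismatch")


if __name__ == "__main__":
    # Constructed sample IDs, not values from the patent.
    adb = AuthBoard("ADB", [Device("TAU")])
    print(host_verify("SYS-A-0001", adb))   # installation: empty IDs get paired
    print(host_verify("SYS-A-0001", adb))   # normal operation: IDs match
    adb.subordinates[0] = Device("TAU", system_id="SYS-B-0002")  # part from system B
    report = host_verify("SYS-A-0001", adb)
    print(report, countermeasures_needed(report))
```

A reworked part whose ID was left intact only passes in its original system, while an unprogrammed part is paired on first verification, which matches the two return paths described for repaired devices.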
- Referring to FIGS. 8A and 9A-10C, in some embodiments, authentication operations may be performed after successful verification in 948 described above. For example, in 1002, the first device 802 transmits an authentication request to the second device 804. In 1004, the authentication request is received by the second device 804. The second device 804 transmits an authentication request to the third device 812 in 1006.
- The third device 812 receives the authentication request in 1008. In 1010, the third device generates an authentication response and transmits that authentication response to the second device 804 in 1012.
- The second device 804 receives the authentication response from the third device 812 in 1014. The second device 804 analyzes the authentication response in 1016, logs failures in 1018, and generates its own authentication response in 1020. The authentication response generated in 1020 may aggregate the authentication response or responses received from one or more third devices 812 and the second device's 804 own authentication response.
- In 1022, the first device 802 may transmit a request for the authentication status that is received by the second device in 1024 as illustrated in FIG. 10B. In response, the second device 804 transmits the authentication response to the first device 802 in 1026. Alternatively, the second device 804 may transmit the authentication response to the first device 802 in 1026 after generating it in 1020 as illustrated in FIGS. 10A and 10C.
- Once the authentication response is received in 1028, the response may be analyzed to determine if the authentication is successful in 1030. If so, the operations may continue in 1034. If not, counter measures may be performed in 1032 similar to the counter measures described above.
- A variety of different techniques may be used to authenticate the devices first device 802 and/or the second device 804 may create a challenge (math problem) using its IV and key and sends it to the downstream second device 804 or third device 812. If that device has the same key and IV then it may do the same math problem and get the same result. The second device 804 or third device 812 that was “challenged” may then send back the “answer” to that math problem in an encrypted form and the original component can make sure that it answered the challenge correctly. If it responded with the correct answer then the first device 802 and/or the second device 804 may treat the corresponding second device 804 or third device 812 as a genuine part.
- In some embodiments, the IV and the key are maintained in restricted memory of a cryptographic authentication integrated circuit. For example, an ATSHA integrated circuit may include such restricted memory and may be capable of performing calculations related to encrypted communications. The authentication operations may be more secure if the IV and key are stored in such restricted memory.
- In some embodiments, the authentication process may be used to ensure that all required components are in the system, are designed for the particular customer, and/or are genuine manufacturer or OEM components. Different customers may have customer specific encryption keys so that a third party cannot take a component designed for one customer and sell it to another. Any missing components will fail the authentication process as they will not authenticate if they are not present. The authentication process may prevent a third party from supplying part of the system. If the full computed tomography (CT) system is designed to have 5 manufacturer or OEM components but only 4 of them are genuine and the fifth was sourced from a third party, the authentication process would identify that fifth component as not genuine.
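The challenge/response exchange and the aggregation by the second device described above, as an added Python sketch that is not part of the patent text. HMAC-SHA256 over the IV and a random challenge stands in for the unspecified "math problem"; the keys, IV, class names and the choice to bind the aggregated statuses into the second device's answer are assumptions.

```python
import hashlib
import hmac
import secrets


def answer_for(key, iv, challenge, extra=b""):
    """The shared "math problem": a keyed MAC over IV, challenge and optional data."""
    return hmac.new(key, iv + challenge + extra, hashlib.sha256).digest()


class Component:
    """Third-device role: holds a key and IV and answers challenges."""

    def __init__(self, name, key, iv):
        self.name = name
        self._key = key  # in hardware this would sit in restricted memory
        self._iv = iv

    def respond(self, challenge):
        return answer_for(self._key, self._iv, challenge)


def encode_statuses(statuses):
    """Canonical byte encoding of {name: bool} so both sides MAC the same data."""
    return ";".join(f"{n}={int(ok)}" for n, ok in sorted(statuses.items())).encode()


class AuthBoard(Component):
    """Second-device role: challenges subordinates, logs failures, aggregates."""

    def __init__(self, name, key, iv, required, installed):
        super().__init__(name, key, iv)
        self.required = list(required)    # component names the system must contain
        self.installed = dict(installed)  # name -> Component actually present
        self.failure_log = []

    def authenticate_subordinates(self):
        statuses = {}
        for name in self.required:
            part = self.installed.get(name)
            challenge = secrets.token_bytes(32)  # fresh per device, so replies cannot be replayed
            reply = part.respond(challenge) if part is not None else None
            ok = reply is not None and hmac.compare_digest(
                reply, answer_for(self._key, self._iv, challenge))
            statuses[name] = ok
            if not ok:
                self.failure_log.append(name)  # missing part or part with another key
        return statuses

    def authentication_response(self, host_challenge):
        statuses = self.authenticate_subordinates()
        # The board's own answer also covers the statuses it reports.
        tag = answer_for(self._key, self._iv, host_challenge, encode_statuses(statuses))
        return {"statuses": statuses, "tag": tag}


def host_authenticate(key, iv, board):
    """First-device role: returns (success, names_that_failed)."""
    challenge = secrets.token_bytes(32)
    resp = board.authentication_response(challenge)
    expected = answer_for(key, iv, challenge, encode_statuses(resp["statuses"]))
    if not hmac.compare_digest(resp["tag"], expected):
        return False, [board.name]  # the board itself did not prove the key
    failed = sorted(n for n, ok in resp["statuses"].items() if not ok)
    return not failed, failed


if __name__ == "__main__":
    # Constructed keys and IV for the demonstration only.
    key_a, key_b, iv = b"A" * 32, b"B" * 32, b"\x00" * 16
    names = ["TAU", "heat_exchanger", "detector", "hv_supply", "accelerator"]
    parts = {n: Component(n, key_a, iv) for n in names}
    parts["detector"] = Component("detector", key_b, iv)  # fifth part, different key
    board = AuthBoard("ADB", key_a, iv, names, parts)
    print(host_authenticate(key_a, iv, board))  # (False, ['detector'])
```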
- As described above, more than one second device 804 and more than one third device 812 may be present in the system 800a. The authentication with each of these as described with respect to the single second device 804 and single third device 812.
- While the system 800a of FIG. 8A was used as an example, the authentication operations described above with respect to FIGS. 10A-C may be implemented by other systems, such as the x-ray system 800b of FIG. 8B.
- Some embodiments include a device 102, comprising: a mounting structure configured to mount the device 102 to an external component 104; first circuitry 112; and anti-tamper circuitry electrically connected to the first circuitry 112 and configured to disable at least one function of the first circuitry 112 when the device 102 is removed from the external component 104. In some embodiments, the external component 104 may include a wall, housing, or other structure that is not controlled by the first circuitry 112.
- In some embodiments, the first circuitry 112 is configured to control the external component 104. In some embodiments, the at least one function of the first circuitry 112 includes functions that are not related to the control of the external component 104.
- In some embodiments, the at least one function of the first circuitry 112 comprises functions of the first circuitry 112 that control the external component 104.
- In some embodiments, the device 102 further comprises: a housing 116 coupled to the mounting structure wherein the housing 116 is configured to restrict access to disarm the anti-tamper circuitry when the device 102 is mounted to the external component 104.
- In some embodiments, the anti-tamper circuitry 110 comprises: a switch 220 or SW1 coupled to the mounting structure 116 and configured to switch when the device 102 is removed from the external component 104.
- In some embodiments, the switch 220 or SW1 is configured to switch by a structure of the external component 104 when mounted on the external component 104.
- In some embodiments, the anti-tamper circuitry 110 comprises: a power supply 502 disposed within the device 102 and configured to supply power after detecting removal of the device 102 from the external component 104; and a disable circuit 504 configured to disable the at least one function of the first circuitry 112; wherein the switch 220 or SW1 is configured to electrically connect the power supply 502 to the disable circuit 504 when the device 102 is removed from the external component 104.
- In some embodiments, the first circuitry 112 includes a processor 113; and the anti-tamper circuitry 110 is configured to erase at least a portion of memory 118 or 808 used by the processor 113 when the device 102 is removed from the external component 104.
- In some embodiments, the at least a portion of memory 118 or 808 used by the processor 113 comprises memory 118 or 808 integrated with the processor 113.
- In some embodiments, the at least a portion of memory 118 or 808 used by the processor 113 stores cryptographic information.
- In some embodiments, the device 102 is part of electronics associated with an x-ray system; and the external component 104 is an x-ray tube x-ray system
- In some embodiments, the device 102 is part of a component authentication system associated with an x-ray system
- Some embodiments include a method, comprising: detecting, by a device 102, removal of the device 102 from a component 104 external to the device 102; and disabling at least one function of circuitry 112 of the device 102 in response to detecting the removal of the device 102 from the component 104.
- In some embodiments, the detecting, by the device 102, removal of the device 102 from the component 104 comprises detecting physical separation of a structure of the device 102 and a structure of the component 104 external to the device 102.
- In some embodiments, the disabling of at least one function of the circuitry 112 of the device 102 comprises: powering a disable circuit 504 from an internal power supply 502; and disabling the at least one function of the circuitry of the device 102 using the disable circuit 504.
- In some embodiments, the detecting, by the device 102, removal of the device 102 from the component 104 comprises detecting physical separation of a structure of the device 102 and a structure of the component 104 external to the device 102.
- In some embodiments, the method further comprises: installing the device 102 on the component 104; and arming anti-tamper circuitry 110 configured to disable the at least one function of the circuitry of the device 102.
- In some embodiments, the method further comprises: resetting anti-tamper circuitry 110 configured to disable the at least one function of the circuitry 112 of the device 102.
- Some embodiments include a device, comprising: means for detecting, by a device, removal of the device from a component external to the device; and means for disabling at least one function of circuitry of the device in response to the means for detecting the removal of the device from the component. Examples of the means for detecting include the anti-tamper circuitry 110, switch 220 or SW1, or the like. Examples of the means for disabling at least one function of circuitry of the device include the anti-tamper circuitry 110, the processor 113, the memory 118 or 808, or the like.
- In some embodiments, the device further comprises: means for detecting physical separation of the device from the component; and means for erasing at least part of memory of the circuitry in response to the means for detecting physical separation of the device 102 from the component. Examples of the means for detecting physical separation of the device from the component include the anti-tamper circuitry 110, switch 220 or SW1, or the like. Examples of the means for erasing at least part of memory of the circuitry comprise the anti-tamper circuitry 110, the processor 113, the memory 118 or 808, or the like.
- Some embodiments include a method, comprising: receiving from a first device 802 at a second device 804, a request for a system identifier (ID) stored on the second device 804; determining, by the second device 804, if the system ID stored on the second device 804 has an empty value; and when the system ID stored on the second device 804 does not have the empty value, transmitting, by the second device 804 to the first device 802, a response based on the system ID stored on the second device 804.
- In some embodiments, the method further comprises: when the system ID stored on the second device 804 has the empty value, communicating, by the second device 804 to the first device 802, that the system ID stored on the second device 804 has the empty value.
- In some embodiments, the method further comprises: receiving, from the first device 802 by the second device 804, the system ID; and storing, by the second device 804, the system ID received from the first device 802 as the system ID stored on the second device 804.
- In some embodiments, storing, by the second device 804, the system ID received from the first device 802 as the system ID stored on the second device 804 comprises storing, by the second device 804, the system ID received from the first device 802 in one-time-write memory 808.
- In some embodiments, transmitting, by the second device 804 to the first device 802, the response based on the system ID stored on the second device 804 comprises encrypting the system ID stored on the second device 804 and transmitting, by the second device 804 to the first device 802, the encrypted system ID.
- In some embodiments, the method further comprises: transmitting, by the second device 804 to a third device 812, a request for a system ID stored on the third device 812; and receiving, by the second device 804 from the third device 812, a response to the request for the system ID stored on the third device 812.
- In some embodiments, the method further comprises: transmitting, by the second device 804 to the first device 802, a response based on the response to the request for the system ID stored on the third device 812.
- In some embodiments, the method further comprises: determining, by the third device 812, if the system ID stored on the third device 812 has the empty value; and when the system ID stored on the third device 812 has the empty value, communicating, by the third device 812 to the second device 804, that the system ID stored on the third device 812 has the empty value.
- In some embodiments, the method further comprises: storing, by the third device 812, the system ID received from the second device 804 as the system ID stored on the third device 812.
- In some embodiments, the second device 804 is an authentication device for an x-ray system 800b; and the third device 812 is a control device for an x-ray tube 836 of the x-ray system 800b.
- Some embodiments include a method, comprising: transmitting, from a first device 802 to a second device 804, a request for a system identifier (ID) stored on the second device 804; receiving, from the second device 804 by the first device 802, a response to the request for the system ID stored on the second device 804; determining, by the first device 802, if the system ID stored on the second device 804 is a correct system ID for a system including the second device 804; and operating the system including the second device 804, by the first device 802, based on whether the system ID stored on the second device 804 is the correct system ID for the system including the second device 804.
- In some embodiments, operating the system including the second device 804 comprises enabling counter measures when the system ID stored on the second device 804 is not the correct system ID for the system including the second device 804.
- In some embodiments, the counter measures comprise at least one of disabling the second device 804, disabling the system including the second device 804, presenting a warning that the system ID stored on the second device 804 and the correct system ID for the system including the second device 804 do not match to a user.
- In some embodiments, operating the system including the second device 804 comprises, when the system ID stored on the second device 804 matches the correct system ID for the system including the second device 804, transmitting, by the first device 802 to the second device 804, a request for verification of devices subordinate to the second device 804.
- In some embodiments, the method further comprises: receiving, by the first device 802 from the second device 804, a response to the request for verification of devices subordinate to the second device 804; wherein operating the system including the second device 804 comprises operating the system based on the response to the request for verification of at least one device subordinate to the second device 804.
- In some embodiments, the second device 804 is an authentication device for an x-ray system 800b; and the at least one device subordinate to the second device 804 is a control device for an x-ray tube 836 of the x-ray system 800b.
- In some embodiments, the method further comprises: transmitting, from the first device 802 to the second device 804, a request for authentication of the second device 804; and receiving, by the first device 802 from the second device 804, a response to the request for authentication of the second device 804; wherein operating the system including the second device 804 comprises operating the system including the second device 804 based on the response to the request for authentication of the second device 804.
- Some embodiments include a device, comprising: means for receiving, from a first external device, a request for a system identifier (ID) stored on the device; means for determining if the system ID stored on the device has an empty value; and means for transmitting, to the first device, a response based on the system ID stored on the device when the system ID stored on the device does not have the empty value. Examples of the means for receiving, from a first external device, a request for a system identifier and the means for transmitting, to the first device, a response based on the system ID include the second device 804, the third device 812 or the like.
- In some embodiments, the device further comprises: means for transmitting, to a second external device, a request for a system ID stored on the second external device; and means for receiving, from the third device, a response to the request for the system ID stored on the second external device. Examples of the means for transmitting, to a second external device, a request for a system ID and the means for receiving, from the third device, a response to the request for the system ID include the second device 804, the third device 812 or the like.
- Some embodiments include at least one non-transitory machine-readable storage medium comprising a plurality of instructions adapted to be executed to implement the method described above.
- The summary provided above is illustrative and is not intended to be in any way limiting. In addition to the examples described above, further aspects, features, and advantages of the invention will be made apparent by reference to the drawings, the following detailed description, and the appended claims.
- Circuitry can include hardware, firmware, program code, executable code, computer instructions, and/or software. A non-transitory computer readable storage medium can be a computer readable storage medium that does not include a signal.
- The operations described above may be implemented in various circuitry. For example, the operations may be implemented as a hardware circuit comprising custom very-large-scale integration (VLSI) circuits or gate arrays, including but not limited to logic chips, transistors, or other components. The operations may also be implemented in programmable hardware devices, including but not limited to field programmable gate arrays (FPGA), programmable array logic, programmable logic devices or similar devices.
- Reference throughout this specification to an “example” or an “embodiment” means that a particular feature, structure, or characteristic described in connection with the example is included in at least one embodiment of the invention. Thus, appearances of the words an “example” or an “embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment.
- Furthermore, the described features, structures, or characteristics may be combined in a suitable manner in one or more embodiments. In the following description, numerous specific details are provided (e.g., examples of layouts and designs) to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, layouts, etc. In other instances, well-known structures, components, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
- Elements specifically recited in means-plus-function format, if any, are intended to be construed to cover the corresponding structure, material, or acts described herein and equivalents thereof in accordance with 35 U.S.C. § 112 ¶6.
- While the foregoing examples are illustrative of the principles of the invention in one or more particular applications, it will be apparent to those of ordinary skill in the art that numerous modifications in form, usage and details of implementation can be made without the exercise of inventive faculty, and without departing from the principles and concepts of the invention. Accordingly, it is not intended that the invention be limited. Various features and advantages of the invention are set forth in the following claims.
Claims (20)
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/293,543 US20200074120A1 (en) | 2018-08-29 | 2019-03-05 | Anti-tamper circuitry |
CN202010245574.0A CN112115526A (en) | 2018-08-29 | 2019-08-27 | Method and device for transmitting system identifier and method for operating with authorization means |
PCT/US2019/048258 WO2020046875A1 (en) | 2018-08-29 | 2019-08-27 | Anti-tamper circuitry |
EP19853512.2A EP3844658A4 (en) | 2018-08-29 | 2019-08-27 | Anti-tamper circuitry |
CN201980003466.8A CN111386528A (en) | 2018-08-29 | 2019-08-27 | Tamper-resistant circuit |
JP2019156394A JP7395285B2 (en) | 2018-08-29 | 2019-08-29 | Tamper resistant circuit |
JP2023202112A JP2024019410A (en) | 2018-08-29 | 2023-11-29 | Anti-tamper circuitry |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862724581P | 2018-08-29 | 2018-08-29 | |
US16/293,543 US20200074120A1 (en) | 2018-08-29 | 2019-03-05 | Anti-tamper circuitry |
Publications (1)
Publication Number | Publication Date |
---|---|
US20200074120A1 true US20200074120A1 (en) | 2020-03-05 |
Family
ID=69641263
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/293,572 Pending US20200074123A1 (en) | 2018-08-29 | 2019-03-05 | Detection of unauthorized components |
US16/293,543 Pending US20200074120A1 (en) | 2018-08-29 | 2019-03-05 | Anti-tamper circuitry |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/293,572 Pending US20200074123A1 (en) | 2018-08-29 | 2019-03-05 | Detection of unauthorized components |
Country Status (5)
Country | Link |
---|---|
US (2) | US20200074123A1 (en) |
EP (1) | EP3844658A4 (en) |
JP (2) | JP7395285B2 (en) |
CN (2) | CN112115526A (en) |
WO (1) | WO2020046875A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220249051A1 (en) * | 2019-07-12 | 2022-08-11 | Shandong Dacheng Medical Technology Co., Ltd. | Computed tomography (ct) device with energy storage system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11263308B2 (en) * | 2019-03-25 | 2022-03-01 | Micron Technology, Inc. | Run-time code execution validation |
DE102019211570A1 (en) * | 2019-08-01 | 2021-02-04 | Robert Bosch Gmbh | Method and device for treating an anomaly in a control unit |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3842280A (en) * | 1970-12-23 | 1974-10-15 | Picker Corp | Protective circuit for limiting the input power applied to an x-ray tube and method of operation |
US3838285A (en) * | 1973-05-10 | 1974-09-24 | Cgr Medical Corp | X-ray tube anode protective circuit |
US3968372A (en) * | 1975-11-24 | 1976-07-06 | Cgr Medical Corporation | Tube protection circuit for X-ray generators |
US4035648A (en) * | 1976-09-02 | 1977-07-12 | Cgr Medical Corporation | X-ray tube protection circuit |
US4811374A (en) * | 1986-11-13 | 1989-03-07 | Medicor Usa Ltd. | Apparatus for setting exposure parameters of an X-ray generator |
JPH0351976A (en) * | 1989-07-19 | 1991-03-06 | Nippon Kaade Center Kk | Control method for card reader |
US5880523A (en) * | 1997-02-24 | 1999-03-09 | General Instrument Corporation | Anti-tamper integrated circuit |
JP4033310B2 (en) * | 1997-12-16 | 2008-01-16 | 富士通株式会社 | Auxiliary storage device for information equipment and information equipment |
JP2006229667A (en) * | 2005-02-18 | 2006-08-31 | Matsushita Electric Ind Co Ltd | Tamper-resistant device, and tamper-resistant method |
JP4721766B2 (en) * | 2005-05-11 | 2011-07-13 | 日本特殊陶業株式会社 | Thin battery for card |
JP2007018401A (en) * | 2005-07-11 | 2007-01-25 | Hitachi Ltd | Storage control apparatus, upper interface control part of storage control device, and information protection method of storage control device |
EP1840964A1 (en) * | 2006-03-31 | 2007-10-03 | Irvine Sensors Corp. | Semiconductor device with protected access |
JP5412644B2 (en) * | 2008-04-30 | 2014-02-12 | 日本電産サンキョー株式会社 | Detecting unauthorized removal of electronic equipment |
JP5421679B2 (en) * | 2009-07-09 | 2014-02-19 | 日本電産サンキョー株式会社 | Detection method to detect fraud |
KR20130126804A (en) * | 2012-04-24 | 2013-11-21 | 이철재 | Coverage for detecting illegal opening for electronic device |
JP6195344B2 (en) * | 2012-06-08 | 2017-09-13 | キヤノン株式会社 | X-ray imaging system, control method of X-ray imaging system, and program |
WO2015047283A2 (en) * | 2013-09-27 | 2015-04-02 | Empire Technology Development Llc | Information protection method and system |
EP3061116B1 (en) * | 2013-10-21 | 2018-08-01 | YXLON International GmbH | Target and/or filament for an x-ray tube, x-ray tube, method for identifying a target and/or a filament and method for setting the characteristics of a target and/or a filament |
US10297414B2 (en) * | 2016-09-20 | 2019-05-21 | Varex Imaging Corporation | X-ray tube devices and methods for imaging systems |
JP2018055598A (en) * | 2016-09-30 | 2018-04-05 | 日本電産サンキョー株式会社 | Information processing apparatus and information processing method |
-
2019
- 2019-03-05 US US16/293,572 patent/US20200074123A1/en active Pending
- 2019-03-05 US US16/293,543 patent/US20200074120A1/en active Pending
- 2019-08-27 EP EP19853512.2A patent/EP3844658A4/en active Pending
- 2019-08-27 CN CN202010245574.0A patent/CN112115526A/en active Pending
- 2019-08-27 CN CN201980003466.8A patent/CN111386528A/en active Pending
- 2019-08-27 WO PCT/US2019/048258 patent/WO2020046875A1/en unknown
- 2019-08-29 JP JP2019156394A patent/JP7395285B2/en active Active
-
2023
- 2023-11-29 JP JP2023202112A patent/JP2024019410A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP3844658A4 (en) | 2022-05-04 |
EP3844658A1 (en) | 2021-07-07 |
CN112115526A (en) | 2020-12-22 |
JP7395285B2 (en) | 2023-12-11 |
CN111386528A (en) | 2020-07-07 |
JP2020077368A (en) | 2020-05-21 |
JP2024019410A (en) | 2024-02-09 |
WO2020046875A1 (en) | 2020-03-05 |
US20200074123A1 (en) | 2020-03-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: VAREX IMAGING CORPORATION, UTAH Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MEILER, MICHAEL RUDOLF, MR.;YOON, INWOO, MR.;JOLLEY, LINCOLN C., MR.;AND OTHERS;SIGNING DATES FROM 20190301 TO 20190305;REEL/FRAME:050671/0051 |
 | AS | Assignment | Owner name: BANK OF AMERICA, N.A., AS AGENT, CALIFORNIA Free format text: SECURITY INTEREST;ASSIGNOR:VAREX IMAGING CORPORATION;REEL/FRAME:053945/0137 Effective date: 20200930 |
 | AS | Assignment | Owner name: WELLS FARGO BANK, NATIONAL ASSOCIATION, AS AGENT, MINNESOTA Free format text: SECURITY INTEREST;ASSIGNOR:VAREX IMAGING CORPORATION;REEL/FRAME:054240/0123 Effective date: 20200930 |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
 | STCV | Information on status: appeal procedure | Free format text: NOTICE OF APPEAL FILED |
 | STCV | Information on status: appeal procedure | Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER |
 | STCV | Information on status: appeal procedure | Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED |
 | STCV | Information on status: appeal procedure | Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS |
 | AS | Assignment | Owner name: ZIONS BANCORPORATION, N.A. DBA ZIONS FIRST NATIONAL BANK, AS ADMINISTRATIVE AGENT, UTAH Free format text: SECURITY INTEREST;ASSIGNOR:VAREX IMAGING CORPORATION;REEL/FRAME:066949/0657 Effective date: 20240326 Owner name: VAREX IMAGING CORPORATION, UTAH Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:BANK OF AMERICA, N.A.;REEL/FRAME:066950/0001 Effective date: 20240326 |