1. Field of the Invention
The present invention is directed to an arrangement for the power supply for a security domain of a device. Such a security domain can be realized in the form of a postal security module that is suitable, in particular, for use in a postage meter machine, a mail processing machine, or a computer with a mail processing function.
2. Description of the Prior Art
A variety of security measures are known for protecting against outages or malfunctions of intelligent electronic systems.
European Application 417 447 discloses the use of special modules in electronic data processing systems equipped with means to protect against unauthorized tampering with electronics. Such modules are called security modules below.
Modern postage meter machines or other devices for franking postal items are equipped with a printer for printing the postage stamp on the postal matter, a controller for controlling the printing and the peripheral components of the postage meter machine, an accounting unit for debiting postage fees that are stored in non-volatile memories, and a unit for cryptographically securing the postage fee data. A security module (European Application 789 333) can include a hardware accounting unit and/or the unit for securing the printing of the postage fee data. For example, the former can be realized as an application-specific integrated circuit (ASIC) and the latter can be realized as an OTP (One-Time Programmable) processor. An internal OTP memory stores sensitive data (cryptographic keys) protected against readout; such data are required, for example, for replenishing a credit. Encapsulation by a security housing offers further protection.
Further measures for the protection of a security module against tampering with the data stored therein are disclosed in German OS 198 16 572 and German OS 198 16 571, German OS 199 12 780 (corresponding to co-pending application Ser. No. 09/522,621, filed Mar. 10, 2000), German OS 199 12 781 (corresponding to co-pending application Ser. No. 09/522,620, filed Mar. 10, 2000) and German Utility Model 299 05 219 U1 (corresponding to co-pending application Ser. No. 09/524,118, filed Mar. 13, 2000).
For example, the security module is plugged onto the motherboard of the meter in the postage meter machine JetMail®. The meter housing is preferably fashioned as a security housing but nonetheless is designed such that the user can see the status display of the security module from the outside through an opening. Applying the system voltage to the module processor of the security module at a sufficient level activates the display so that the module status can be read. Whether the security module is operational or out of service thus can be determined. Even when the security module is functioning, a signal can be emitted when a service technician should be called or when a restart of the system is implemented. The security module can assume various statuses in its life cycle that, however, are displayed only in the operating status of the meter, i.e. when system voltage is present at the security module. Otherwise, the battery of the security module would be quickly drained. The service life of the battery should be appropriate for the life cycle and be as long as possible. Postal register data, cryptographic keys and other sensitive data must be preserved, and the real-time clock must also continue to run, when the postage meter machine is turned off or when the system voltage is interrupted or fails. Circuit elements for permanent monitoring functions must also continue to run without interruption. The demand for battery current rises as a result, with the consequence that the service life of the battery is decreased.
According to German OS 199 12 780, a replaceable battery was therefore arranged on the security module. Of course, this battery can only be replaced when system voltage is present. A voltage monitoring unit with resettable self-holding detects a voltage outage or a drop of the voltage below a prescribed threshold. Brief-duration outages of the battery voltage lasting fractions of a second also lead to the immediate blocking of the security module and the postage meter machine thus becomes unusable.
Heretofore, the batteries have been accommodated directly on the printed circuit board of the postage meter machine computer or of the security module. This means that the postally secured part of the postage meter machine must be opened for changing batteries. In many countries, the machine must be unsealed at the post office for this purpose and must then be resealed after the battery has been changed. The security module of the postage meter machine JetMail® is accessible only when the meter housing is destroyed. This procedure is difficult even for a service technician, or not possible at all on site. The meter must be returned to the manufacturer and the user needs a replacement machine with a different security module. This causes considerable outlay when, for example, a battery replacement is implemented at time intervals of 5 years. Even the duration of 5 years can be realized only with large and expensive lithium batteries for the security module. A lengthening of the service life to, preferably, 12 years would be desirable.