Secure communication systems are well known. Police and public safety personnel, for example, often require secure voice and/or data communications between mobile transmitters and receivers, such as in-car mobile or hand-held portable radios (mobiles) as well as fixed transmitters and receivers, such as a central dispatch station. The communication paths between the mobiles and the fixed end are typically wireless links, such as radio frequency (RF) channels. The communication paths between fixed transmitters and receivers are typically wireline links, such as land-based phone lines. Secure communication is made possible by designated transmitters and receivers (hereinafter “encryption devices”) sharing an encryption key that uniquely specifies an encryption algorithm for the communication. Only encryption devices having identical keys are capable of intelligibly reproducing the communication.
Encryption keys and other sensitive data are usually stored in memory components in the encryption device and need to be protected carefully from unwanted inspection or tampering. Software control and protection methods may not be enough to stop an experienced person from bypassing these protections and tampering with the device, e.g., by direct interrogation of memory components such as integrated circuit memory. One possible protection against such physical attacks is to provide some kind of detecting means which detects an attempted intrusion within a protected sensitive area and reacts by giving an alarm or even by destroying any sensitive information (e.g., an encryption key) to avoid the loss of secrecy.
If an encryption key is erased upon unwanted inspection or tampering, the encryption device may be disabled. However, an attacker with access to a key loader could reload the keys. The process of reloading encryption keys into an encryption device is called rekeying. For instance, in a law enforcement context, the key loader is often configured a priori by a security officer and then placed in the hands of a field operator to carry out the rekeying process. The field operator is then able to download the key into the memory of the encryption device.
Once the encryption device has been rekeyed, no permanent record remains of the tampering. Without a permanent record in the encryption device itself, the encryption device cannot report the tampering event to an appropriate party or take other actions to thwart the intruder, such as causing itself to permanently cease operation.