1. Field of the Invention
This invention relates to a venting device for tamper resistant electronic modules, and more specifically to a venting device for electronic communications encryption modules that comply with Federal Information Processing Standards 140-2 (FIPS 140-2), Level 4, security requirements.
2. Background Information
Federal Information Processing Standards 140-2 (FIPS 140-2) is a standard that describes U.S. federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The Standard was published by the National Institute of Standards and Technology (NIST) in May 2001, and succeeds FIPS 140-1 published by NIST in Jan. 1994. It has been adopted by the Canadian government's Communication Security Establishment (CSE), and is likely to be adopted by the financial community through the American National Standards Institute (ANSI). This technology has become of particular interest in the wake of growing threats to security both at home and abroad.
The standard defines security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed.
Security level 4 provides the highest level of security defined in the standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate nullification of all critical security parameters stored in the module. Security level 4 cryptographic modules are useful for operation in physically unprotected environments.
The principal features of a typical electronic communications encryption module designed to meet the requirements of FIPS 140-2, Level 4, are illustrated in the cross-sectional view of FIG. 1. At the heart of the encryption module is a circuit card 3 on which are mounted a number of integrated circuit chips (not shown) that provide the functionality of the encryption module. The circuit card 3 is enclosed in a copper inner case 2. Rivets 4 align the circuit card 3 and hold the cover of the inner case in place. The inner case 2 is wrapped in a tamper sensing resistive mesh 5. To assure complete coverage, the edges of the tamper sensing mesh 5 are overlapped on a portion 7 of the inner case 2. The inner case 2 wrapped in the mesh 5 is encapsulated with polyurethane 6, and the encapsulated assembly placed in a copper outer case 1. The complete enclosure is airtight.
FIG. 2 shows further details of the outside of inner case 2. Windows 12 are openings provided for flex cables connecting the circuit card 3 to a PCI printed circuit assembly or similar interface. Windows 22 are openings through which the tamper sensing mesh 5 will be connected to the circuit card 3.
FIG. 3a shows the encryption module at the stage where flex cables 31 are connected to the circuit board 3, and the mesh 5 is in the process of being wrapped around the inner case 2. As noted above, flex cables 31 connect the circuit card 3 to a PCI printed circuit assembly or similar interface through windows 12. Mesh cables 15 connect the tamper sensing resistive mesh 5 to the circuit card 3 through windows 22. This connection is illustrated in further detail in FIG. 3b. Through this connection, the circuit board 3 can sense when an attempt is made to gain access to the communications encryption module. If the tamper sensing resistive mesh 5 is damaged, the hardware on the circuit card 3 is programmed to nullify all of the encryption technology within the module.
The hermetically sealed assembly illustrated in FIGS. 1–3 has exhibited failure when exposed to reliability testing conditions that include temperature cycling, and when used in high temperature applications. FIGS. 4a–e show the sequence of events leading to mesh damage and failure. As temperature increases in FIG. 4a over room temperature, pressure of the trapped air 8 on the enclosing mesh 5 increases in accordance with the ideal gas law. This causes the mesh to tent in the vicinity of the window 22 through which the mesh enters the inner case 2, as shown in FIG. 4b. Air pressure and polyurethane expansion in the confined space, as shown in FIG. 4c, cause deformation of the copper outer case 1. Case deformation allows delamination between the primary layer and the overlap layer of the mesh 5, as shown in FIG. 4d. The mesh 5 can fail at this point or when, as shown in FIG. 4e, the case deformation is large enough that the mesh-to-mesh delamination reaches the mesh-to-polyurethane interface.
The use of a vent to relieve internal air pressure in the communications encryption module has been considered, but the concern is that even a small vent would allow access inside the enclosure and therefore violate FIPS 140-2, Level 4 requirements. Moreover it is believed that the manufacture of a tamper sensing resistive mesh allowing for such a vent would fail independent testing for FIPS compliance due the breach in protection of the package.