The invention concerns a method and system to ensure that modules to be connected to an apparatus comprising a processor are of a specific type, wherein modules of the specific type are provided with a code circuit capable of outputting one or more code words on request, and wherein the processor of the apparatus, when a module has been connected to the system, reads one or more of said code words from the code circuit of the apparatus, compares the read code word or words with reference code words stored in the apparatus, and rejects the module if the read code word or words do not correspond to the reference code words.
The invention also concerns a module capable of being connected to such an apparatus, and a code circuit as well as a storage medium for storage of data and for use in such a system.
Many technical systems comprise an apparatus to which a plurality of modules may be connected. Typically, it may e.g. be an electronic device comprising a central control unit to which a plurality of external printed circuit cards may be connected depending on the use. The electronic device may e.g. be a network element in a telecommunications network or a control system for a manufacturing process.
Other examples of such modules may be a battery pack for a mobile telephone, a component or a spare part which may be connected to the electrical system in a car or to the car in general, or a probe for a measuring instrument.
Such systems have the advantage that the technical solution may be composed of individually selected modules.
For several reasons, when a module is connected to the system, it may be expedient to be able to detect whether the other module is of a specific type. It may e.g. be a matter of checking that the connected module is supplied by the supplier who has also supplied the main system, since this is the only way to ensure that the system operates as specified by the supplier. This may e.g. be the case where probes for measuring instruments are calibrated for each individual measuring instrument, and where it may thus be essential to ensure that the correct probe is connected.
In respect of high-technology products, extension modules and spare parts for the products are produced in large numbers. However, it happens frequently that other suppliers make copies having the same function as the original products, but at a lower price. It may be expedient for a manufacturer of the original products to protect himself against copy products, partly because reliability and quality might be impaired when the original modules are replaced by copy modules, and partly because of the loss of earnings from the sale of the original products.
It is known to prevent interconnection of such elements by various physical obstacles, which, however, are generally easy to imitate by a copy manufacturer.
Further, the art in the software field includes a large number of methods for access control and limitation of copying of e.g. discs or CD-ROM with programs such as e.g. games. These methods, however, are not suitable for preventing connection of hardware modules to e.g. an electronic apparatus.
Known are also electronic systems in which a code circuit on a module must apply a code word before the module will be accepted by the main system, as is known also from e.g. payment cards in financial systems.
When mechanical and electronic systems can be physically accessed, however, it will frequently be possible to expose details of the structure and thereby evade the methods which just permit combination with certain modules. In the case of the code word which has to be applied by the module, it will e.g. be possible to find the code word by outputting it in the same manner as is done in the original system. Thus, all that needs to be done is to obtain a sample of the original module, and then the code word of this module may be read and copy modules may be manufactured with the same code word.
From U.S. Pat. No. 4,851,653, a system is known in which a confidential code is introduced to a memory card to get access to the memory of the card. On the card the introduced code is compared to a reference code, and only in case of a match between the introduced code and the reference code is access provided to the memory. A built-in time delay ensures that a certain time must pass between each attempt at introducing a code. In this manner it is ensured that an unauthorized user cannot just try a high number of different codes in a short time. In systems of the above-described type, in which modules are connected to an apparatus, this system does not, however, provide any security, because an unauthorized card can just read the code word used by an authorized card and subsequently use the same code word, since only one reference code is used. Therefore, the system can be cracked by a simple interception.
A similar system is used according to EP 379 333 in which a finger print of a person is compared with a reference finger print stored in digital form on a credit card. Also here, a single reference code that can be uncovered by interception is used, and therefore also this system does not provide sufficient security in the systems mentioned above.
WO 86/03864 discloses a system for establishing connection between a computer terminal and a main computer. Instead of a usual code word or pass word this system uses a new random code word each time a connection between a given terminal and the main computer is to be established. Before termination of a connection the terminal generates a new code word, which is sent to the main computer in which it is stored. It is also stored in the terminal itself. Next time this terminal wishes a connection to the main computer it must be able to provide exactly this code word to the main computer. In this way it is ensured that an unauthorized terminal cannot just intercept the code word from an authorized terminal and subsequently use the same code word itself. However, this system only ensures that the main computer, when the system has been initialized and is in normal use, only accepts communication with a terminal to which it has communicated before. When a terminal is connected to the computer for the first time the security procedure must be by-passed and, therefore, the security is totally dependent on the person taking care of the connection of new terminals to the system. Therefore, this principle cannot be used in the situations mentioned above and with which the present invention is concerned.
Another principle that attempts to overcome the risk of interception of a code word is known from DE 44 11 780. Here, the code word is changed dependent on the actual time. A user introduces on a terminal or a module a primary code word which is then converted into a corresponding secondary code word. This code word is combined with a time signal representing the actual time, which is received from a radio transmitter, and the result is used as address to a ROM device of e.g. 32 kbytes. The content of the selected address is transmitted to the receiver unit which has a similar ROM device and knows the correct secondary code word. Also here the known secondary code word is combined with the actual time signal to form an address to the ROM device and the resulting content must correspond to that received from the terminal. As the actual time signal is changed all the time, a code word that is intercepted can only be used for a very short time, i.e. until the time signal is changed. This could e.g. happen every 6 minutes. However, this principle has the drawback that if an unauthorized user once knows the principle he only has to get access to an authorized unit and then copy the ROM device, which can be done in a very short time. With a copy of the original ROM device the unauthorized module can without any difficulty generate correct code words. It is also a drawback with this principle that the central apparatus as well as each unit or module must be provided with a radio receiver for the time signals and also must be placed in a location where these signals can be received.
Accordingly, the object of the invention is to provide a method and a system which ensure that only modules of the specific type can be connected to the system, and in which the incorporated code circuits are impossible to copy within a reasonable period of time.
This is achieved according to the invention by a method wherein a large number of different code words is stored in the code circuit on modules of the specific type, and wherein the code circuit is moreover so adapted that a code word can be output correctly only after the lapse of a prefixed period of time, which is considerably longer than the normal output time determined by the implementation of the code circuit, after a previous output of a code word.
When ensuring on the one hand that a large number of code words is present and on the other hand that a considerable period of time has to elapse between each time a code word can be output, then it will take an extremely long time to output and thus copy the contents of the code circuit. Thus copying of the code circuit has been made impossible in practice.
In an expedient embodiment, the code circuit on each module comprises an addressable storage in which one of said code words is stored on each storage address.
When the code word of a given storage address in said storage is allowed to be the same for all the modules, it is ensured that the same code circuit may be used on all the modules, and that it therefore suffices to store one set of reference code words in the apparatus. A particularly expedient embodiment is obtained when the reference code words are formed by a code circuit like the code circuits arranged on the modules. It is hereby ensured in a simple manner that it will be just as difficult to copy the code words from the apparatus as from the individual modules.
When, moreover, the apparatus is adapted to read code words from the same storage address or addresses on each module at start, it is ensured that the apparatus need only read code words from its own code circuit or its own reference table once, since the same answer is to come from all the modules. This will save some time particularly in the situation where the apparatus contains a code circuit like that of the modules, since, otherwise, the apparatus would have to wait said period of time between each output from its own code circuit.
As mentioned, the invention moreover concerns a module which may be used in a system and a method as described above.
Either, the code circuit of the module may comprise means for calculating code words from a bit pattern consisting of a plurality of digital input signals, or it may comprise an addressable storage in which one of said code words is stored on each storage address. In the latter case, the addressable storage may expediently be of ROM type.
When the code circuit is adapted to receive an address consisting of a large number of bits and to calculate, from this, a modified address consisting of a smaller number of bits, and the number of storage addresses is adapted such that the smaller number of bits is just sufficient to address all the storage addresses, it is ensured that the copying time will be extremely great even with a storage of a limited size, since, seen from the outside, the storage appears to have a number of bit positions which corresponds to the large number of bits. Thus, if e.g. a 32-bit address is used, which is modified to a 16-bit address in the code circuit, a storage circuit of 64 kbytes will look like a storage circuit of 2^32 bytes, and, if the preselected period of time is e.g. one second, it will take 2^32 seconds, which corresponds to more than 136 years, to output and thereby to copy the contents of the code circuit.
In particular when the code circuit is adapted to receive an address consisting of a large number of bits, it may be advantageous to adapt the code circuit to receive said address in serial form.
The means necessary for determining the prefixed period of time may be positioned internally in the code circuit. This ensures that there is no possibility of affecting the period of time from the outside, nor is it thus possible to increase the output rate. On the other hand, the components required for this will take up space on the code circuit itself. Alternatively, the code circuit may comprise means for determining the prefixed period of time by counting a plurality of clock periods for a clock signal which is supplied to the code circuit. Component space may hereby be saved in the code circuit; but it will be possible to increase the output rate by increasing the frequency of the external clock signal. However, this may be counteracted in a simple manner by selecting a clock frequency which is close to the maximum clock frequency at which the circuit can operate. If it is attempted to output the code words with an even higher frequency, the circuit will merely stop operating. A lower frequency will correspondingly mean a lower output rate.
In an expedient embodiment, the code circuit is implemented as a customer-specified integrated circuit (ASIC), which comprises the addressable storage as well as the means for determining the prefixed period of time. This improves the possibility of preventing others from outputting and thereby copying the contents of the code circuit within a reasonable period of time.
Either the means ensuring that a code word can be output correctly only if a prefixed period of time after a previous output has elapsed, may be adapted simply not to apply a code word if output is requested before the lapse of said period of time, or where such output is requested, they may be adapted to output one or more wrong code words. The latter possibility makes it even more difficult to perform unauthorized output of the contents of the code circuit.
Further, the code circuit may be adapted such that a code word can be output correctly also only if said period of time has elapsed from the start of the module concerned. This ensures that also the first output can only take place after said time delay.
Finally, as mentioned, the invention also concerns a code circuit for the storage of a plurality of code words and a storage medium for the storage of data and for use in a system as well as a method as described above. Such a storage medium is adapted such that data can be output correctly from the storage medium only after the lapse of a predefined period of time, which is considerably longer than a normal output time determined by the implementation of the storage medium, after a previous output of data.
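The behaviour described above (a 32-bit address folded to 16 bits, a one-second lockout that also applies at start-up, wrong code words on an early request, and an apparatus that checks a module against its own reference circuit) can be simulated as follows. This is an added example, not code from the patent; the names CodeCircuit, fold, verify_module, correct_reads and dump_time_years are hypothetical, and the XOR folding, the SHAKE-derived store contents and the restart of the timer on every request are assumptions.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


class CodeCircuit:
    """Simulated code circuit: 64 KiB store behind a 32-bit address and a lockout timer."""

    def __init__(self, secret: bytes, delay_s: float = 1.0):
        # Constructed stand-ins for the ROM contents and for the wrong-word offsets.
        self.rom = hashlib.shake_256(secret + b"rom").digest(1 << 16)
        self.decoy = hashlib.shake_256(secret + b"decoy").digest(1 << 16)
        self.delay_s = delay_s
        self.ready_at = delay_s  # start-up at t=0: the first output is delayed too

    @staticmethod
    def fold(addr32: int) -> int:
        # Assumed folding of the 32-bit address to 16 bits (the page does not specify one).
        return ((addr32 >> 16) ^ addr32) & 0xFFFF

    def read(self, addr32: int, now: float) -> int:
        early = now < self.ready_at
        self.ready_at = now + self.delay_s  # assumption: every request restarts the timer
        i = self.fold(addr32)
        if early:
            # Offset is 1..255, so the answer always differs from the stored word.
            return (self.rom[i] + self.decoy[i] % 255 + 1) % 256
        return self.rom[i]


def verify_module(module, reference, addrs, start=0.0):
    """Apparatus side: compare module and reference words, one read per delay period."""
    t = start
    for addr in addrs:
        t += module.delay_s
        if module.read(addr, t) != reference.read(addr, t):
            return False
    return True


def correct_reads(circuit, addrs, interval_s, truth):
    """Count correct words obtained when polling every interval_s seconds."""
    return sum(circuit.read(a, (n + 1) * interval_s) == truth.rom[truth.fold(a)]
               for n, a in enumerate(addrs))


def dump_time_years(addr_bits: int, delay_s: float) -> float:
    """Time to read every externally visible address once, in years."""
    return (2 ** addr_bits) * delay_s / SECONDS_PER_YEAR
```

dump_time_years(32, 1.0) reproduces the figure of more than 136 years; that figure depends on the folding staying unknown to whoever reads the circuit, since the store itself holds only 2^16 words.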