1. Field of the Invention
This invention relates to protection of electronically stored data from tampering and, in particular, to preventing ascertainment of the content of data stored in a data storage device situated in a secure environment.
2. Related Art
Computational devices and/or related peripheral devices often include a data storage device. In some situations, the content of the data stored in a data storage device may be particularly sensitive, so that the data storage device is situated within a secure environment, such as the enclosure within a mechanically sealed housing. (Such a data storage device is sometimes referred to herein as a "secure data storage device" and the device of which the data storage device is part is sometimes referred to herein as a "secure device.") However, even secure environments are susceptible to intrusion: it may be possible to pry open a mechanically sealed housing, for example. Thus, even when a secure environment has been provided for a data storage device that stores sensitive data, it can be desirable to provide additional security for the data storage device. Such additional security can comprise erasing or otherwise destroying the stored data when an intrusion into the secure environment is detected.
Generally, a data storage device can be either non-volatile (i.e., data continues to be stored in the data storage device even after the application of power to the data storage device is ceased) or volatile (i.e., data stored in the data storage device is lost after the application of power to the data storage device is ceased). Volatile data storage devices typically include a multiplicity of data storage elements (memory cells) that can each store one of two different values. The capacity of a volatile data storage device to store two different values in a memory cell (i.e., to store data) depends upon the maintenance of two distinct voltage levels within the volatile data storage device, which, in turn, requires a continual supply of power to the volatile data storage device, as indicated above.
It can be desirable to embody a secure data storage device with a volatile data storage device ("secure volatile data storage device"), such as a random access memory (RAM), because, as will be clear from the description below, when an intrusion into the secure environment is detected, data stored in a volatile data storage device can more easily be erased or otherwise destroyed than can data stored in a nonvolatile data storage device.
In some situations it can be desirable to make a volatile data storage device effectively non-volatile. This can be done by using a backup power supply (i.e., a power supply, such as a battery, to which the volatile data storage device can be connected when the device of which the volatile data storage device is part is not operating) to continue to supply power to the volatile data storage device after a primary power supply (i.e., a power supply to which the volatile data storage device is connected during operation of the device of which the volatile data storage device is part) has been disconnected from the volatile data storage device. In particular, in portable devices (which are frequently not connected to a primary power supply), it can be desirable to provide a backup power supply to enable a volatile data storage device of the portable device to be made non-volatile. The construction of a "non-volatile data storage device" by providing a backup power supply for a volatile data storage device can be desirable because, as made clearer by the description below, such construction enables non-volatilely stored data to be more easily erased or otherwise destroyed, if tampering with the data storage device is detected, than would be the case if the data storage device was embodied by a conventional non-volatile data storage device.
FIG. 1 is a block diagram illustrating the functional components of a previous system for protecting data stored in a volatile data storage device that is situated within a secure environment and connected to a power supply. A volatile data storage device 101 that is situated within a secure environment is initially electrically connected to a power supply 102 (i.e., a switch 104 is configured to make electrical connection between the nodes 105 and 106) so that data can be continually stored in the volatile data storage device 101. A detector 103 is adapted to detect an intrusion into the secure environment. When an intrusion is detected, the switch 104 changes configuration so that the power supply 102 is disconnected from the volatile data storage device 101 (as shown in FIG. 1). Since power is no longer supplied to the volatile data storage device 101, electrical charge within the volatile data storage device 101 gradually flows so that two distinct voltages are no longer present in the volatile data storage device 101, i.e., the data in the volatile data storage device 101 is lost. Erasure (sometimes referred to as "zeroization") in this manner of data stored in a volatile data storage device is generally referred to herein as "passive erasure" (or "passive zeroization").
If the volatile data storage device consumes relatively little power in operation (such as is often the case in small portable devices) and/or the volatile data storage device operates at voltage levels that differ in magnitude by a relatively large amount, passive erasure can take an undesirably long time (e.g., tens of seconds) to erase the data stored in the volatile data storage device. For example, portable digital assistants (PDAs) typically are constructed to be relatively low power devices such that passive erasure of the data stored in a volatile data storage device of the PDA would take about 30 seconds. This amount of time can enable a tamperer to re-establish the connection between the power supply and the volatile data storage device, or provide a substitute power supply, so that the data stored within the volatile data storage device is preserved. For example, a device can include a secure volatile data storage device situated in an enclosure within a mechanically sealed housing, the device constructed so that prying open the housing breaks electrical connection between the volatile data storage device and a power supply. A tamperer, after prying open the housing of such a device, may be able to, with sufficient familiarity with the device (which could be obtained, for example, from previous intrusions into one or more similar devices), attach jumpers to appropriate nodes of the device to re-establish the broken electrical connection or provide a substitute power supply, so that, from the perspective of the volatile data storage device, it appears that no intrusion has occurred. If the tamperer can accomplish this before the data has been erased from the volatile data storage device by passive erasure (e.g., within several seconds), the tamperer can then use known techniques to ascertain at his leisure the content of the data stored in the volatile data storage device. Thus, the use of passive erasure to protect data stored in a volatile data storage device situated within a secure environment may not be as effective as desired.
FIG. 2 is a block diagram illustrating the functional components of another previous system for protecting data stored in a volatile data storage device that is situated within a secure environment and connected to a power supply. As in the system depicted in FIG. 1, a volatile data storage device 201 that is situated within a secure environment is initially electrically connected to a power supply 202 so that data can be continually stored in the volatile data storage device 201, and a detector 203 is adapted to detect when an intrusion into the secure environment has occurred. When an intrusion is detected, a processor 204 causes data stored within the volatile data storage device 201 to be erased or changed so that the originally stored data cannot be ascertained. The processor 204 may also make use of other devices (not shown), as appropriate or necessary, to effect destruction of the data.
The system depicted in FIG. 2 suffers from disadvantages that may make that system impractical or insufficiently effective to protect data stored in a secure volatile data storage device. For example, the system of FIG. 2 requires maintenance of the power supply to the processor 204 to enable destruction of data within the volatile data storage device 201. However, an intrusion into the secure environment may break the electrical connection between the power supply 202 and the processor 204, thereby preventing the processor 204 from performing the data destruction operation. Even if the processor 204 is able to operate to destroy the data, such operation may take a sufficiently long time that a tamperer is able to disable operation of the processor 204 before the data is completely destroyed. Further, operation of the processor 204 (and, in some implementations of a system as in FIG. 2, other devices) to destroy data and operation of the volatile data storage device 201 to continue storing data may require a relatively large amount of power, such that it may be infeasible to ensure that the power supply 202 will always have enough power to effect the data destruction operation. This may particularly be so in devices which are constructed so that the power supply 202 cannot be replaced easily or at all. For example, in some portable devices, the backup power supply is also situated within the secure environment (e.g., located in an enclosure within a mechanically sealed housing) such that replacement or recharging of the backup power supply is impractical or impossible. Near the end of the useful life of the backup power supply of such a portable device, the backup power supply may not be able to provide sufficient power to enable the data destruction operation to take place. This may be true, in particular, for such portable devices that are also relatively small, since the backup power supply is often embodied by a small device that may, in a relatively short time, lose the capacity to generate the required power. Moreover, in some portable devices, it may not be possible to provide a backup power supply having sufficient power to operate a processor (and, if necessary, other devices) to effect a data destruction operation as described above.